diff options
Diffstat (limited to 'netwerk/srtp')
83 files changed, 30815 insertions, 0 deletions
diff --git a/netwerk/srtp/src/LICENSE b/netwerk/srtp/src/LICENSE new file mode 100644 index 0000000000..af0a2ac312 --- /dev/null +++ b/netwerk/srtp/src/LICENSE @@ -0,0 +1,35 @@ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ diff --git a/netwerk/srtp/src/README.md b/netwerk/srtp/src/README.md new file mode 100644 index 0000000000..3f1e5bbfde --- /dev/null +++ b/netwerk/srtp/src/README.md @@ -0,0 +1,487 @@ +[![Build Status](https://travis-ci.org/cisco/libsrtp.svg?branch=master)](https://travis-ci.org/cisco/libsrtp) +[![Coverity Scan Build Status](https://scan.coverity.com/projects/14274/badge.svg)](https://scan.coverity.com/projects/cisco-libsrtp) + +<a name="introduction-to-libsrtp"></a> +# Introduction to libSRTP + +This package provides an implementation of the Secure Real-time +Transport Protocol (SRTP), the Universal Security Transform (UST), and +a supporting cryptographic kernel. The SRTP API is documented in include/srtp.h, +and the library is in libsrtp2.a (after compilation). + +This document describes libSRTP, the Open Source Secure RTP library +from Cisco Systems, Inc. RTP is the Real-time Transport Protocol, an +IETF standard for the transport of real-time data such as telephony, +audio, and video, defined by [RFC 3550](https://www.ietf.org/rfc/rfc3550.txt). +Secure RTP (SRTP) is an RTP profile for providing confidentiality to RTP data +and authentication to the RTP header and payload. SRTP is an IETF Standard, +defined in [RFC 3711](https://www.ietf.org/rfc/rfc3711.txt), and was developed +in the IETF Audio/Video Transport (AVT) Working Group. This library supports +all of the mandatory features of SRTP, but not all of the optional features. See +the [Supported Features](#supported-features) section for more detailed information. + +This document is also used to generate the documentation files in the /doc/ +folder where a more detailed reference to the libSRTP API and related functions +can be created (requires installing doxygen.). The reference material is created +automatically from comments embedded in some of the C header files. The +documentation is organized into modules in order to improve its clarity. These +modules do not directly correspond to files. An underlying cryptographic kernel +provides much of the basic functionality of libSRTP but is mostly undocumented +because it does its work behind the scenes. + +-------------------------------------------------------------------------------- + +<a name="contact"></a> +# Contact Us + +- [libsrtp@lists.packetizer.com](mailto:libsrtp@lists.packetizer.com) general mailing list for news / announcements / discussions. This is an open list, see +[https://lists.packetizer.com/mailman/listinfo/libsrtp](https://lists.packetizer.com/mailman/listinfo/libsrtp) for singing up. + +- [libsrtp-security@lists.packetizer.com](mailto:libsrtp-security@lists.packetizer.com) for disclosing security issues to the libsrtp maintenance team. This is a closed list but anyone can send to it. + + +-------------------------------------------------------------------------------- + +<a name="contents"></a> +## Contents + +- [Introduction to libSRTP](#introduction-to-libsrtp) + - [Contact Us](#contact) + - [Contents](#contents) +- [License and Disclaimer](#license-and-disclaimer) +- [libSRTP Overview](#libsrtp-overview) + - [Secure RTP Background](#secure-rtp-background) + - [Supported Features](#supported-features) + - [Implementation Notes](#implementation-notes) +- [Installing and Building libSRTP](#installing-and-building-libsrtp) + - [Changing Build Configuration](#changing-build-configuration) +- [Applications](#applications) + - [Example Code](#example-code) +- [Credits](#credits) +- [References](#references) + +-------------------------------------------------------------------------------- + +<a name="license-and-disclaimer"></a> +# License and Disclaimer + +libSRTP is distributed under the following license, which is included +in the source code distribution. It is reproduced in the manual in +case you got the library from another source. + +> Copyright (c) 2001-2017 Cisco Systems, Inc. All rights reserved. +> +> Redistribution and use in source and binary forms, with or without +> modification, are permitted provided that the following conditions +> are met: +> +> - Redistributions of source code must retain the above copyright +> notice, this list of conditions and the following disclaimer. +> - Redistributions in binary form must reproduce the above copyright +> notice, this list of conditions and the following disclaimer in +> the documentation and/or other materials provided with the distribution. +> - Neither the name of the Cisco Systems, Inc. nor the names of its +> contributors may be used to endorse or promote products derived +> from this software without specific prior written permission. +> +> THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +> "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +> LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +> FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +> COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +> INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +> (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +> SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +> HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +> STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +> ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +> OF THE POSSIBILITY OF SUCH DAMAGE. + +-------------------------------------------------------------------------------- + +<a name="libsrtp-overview"></a> +# libSRTP Overview + +libSRTP provides functions for protecting RTP and RTCP. RTP packets +can be encrypted and authenticated (using the `srtp_protect()` +function), turning them into SRTP packets. Similarly, SRTP packets +can be decrypted and have their authentication verified (using the +`srtp_unprotect()` function), turning them into RTP packets. Similar +functions apply security to RTCP packets. + +The typedef `srtp_stream_t` points to a structure holding all of the +state associated with an SRTP stream, including the keys and +parameters for cipher and message authentication functions and the +anti-replay data. A particular `srtp_stream_t` holds the information +needed to protect a particular RTP and RTCP stream. This datatype +is intentionally opaque in order to better seperate the libSRTP +API from its implementation. + +Within an SRTP session, there can be multiple streams, each +originating from a particular sender. Each source uses a distinct +stream context to protect the RTP and RTCP stream that it is +originating. The typedef `srtp_t` points to a structure holding all of +the state associated with an SRTP session. There can be multiple +stream contexts associated with a single `srtp_t`. A stream context +cannot exist indepent from an `srtp_t`, though of course an `srtp_t` can +be created that contains only a single stream context. A device +participating in an SRTP session must have a stream context for each +source in that session, so that it can process the data that it +receives from each sender. + +In libSRTP, a session is created using the function `srtp_create()`. +The policy to be implemented in the session is passed into this +function as an `srtp_policy_t` structure. A single one of these +structures describes the policy of a single stream. These structures +can also be linked together to form an entire session policy. A linked +list of `srtp_policy_t` structures is equivalent to a session policy. +In such a policy, we refer to a single `srtp_policy_t` as an *element*. + +An `srtp_policy_t` strucutre contains two `crypto_policy_t` structures +that describe the cryptograhic policies for RTP and RTCP, as well as +the SRTP master key and the SSRC value. The SSRC describes what to +protect (e.g. which stream), and the `crypto_policy_t` structures +describe how to protect it. The key is contained in a policy element +because it simplifies the interface to the library. In many cases, it +is desirable to use the same cryptographic policies across all of the +streams in a session, but to use a distinct key for each stream. A +`crypto_policy_t` structure can be initialized by using either the +`crypto_policy_set_rtp_default()` or `crypto_policy_set_rtcp_default()` +functions, which set a crypto policy structure to the default policies +for RTP and RTCP protection, respectively. + +-------------------------------------------------------------------------------- + +<a name="secure-rtp-background"></a> +## Secure RTP Background + +In this section we review SRTP and introduce some terms that are used +in libSRTP. An RTP session is defined by a pair of destination +transport addresses, that is, a network address plus a pair of UDP +ports for RTP and RTCP. RTCP, the RTP control protocol, is used to +coordinate between the participants in an RTP session, e.g. to provide +feedback from receivers to senders. An *SRTP session* is +similarly defined; it is just an RTP session for which the SRTP +profile is being used. An SRTP session consists of the traffic sent +to the SRTP or SRTCP destination transport addresses. Each +participant in a session is identified by a synchronization source +(SSRC) identifier. Some participants may not send any SRTP traffic; +they are called receivers, even though they send out SRTCP traffic, +such as receiver reports. + +RTP allows multiple sources to send RTP and RTCP traffic during the +same session. The synchronization source identifier (SSRC) is used to +distinguish these sources. In libSRTP, we call the SRTP and SRTCP +traffic from a particular source a *stream*. Each stream has its own +SSRC, sequence number, rollover counter, and other data. A particular +choice of options, cryptographic mechanisms, and keys is called a +*policy*. Each stream within a session can have a distinct policy +applied to it. A session policy is a collection of stream policies. + +A single policy can be used for all of the streams in a given session, +though the case in which a single *key* is shared across multiple +streams requires care. When key sharing is used, the SSRC values that +identify the streams **must** be distinct. This requirement can be +enforced by using the convention that each SRTP and SRTCP key is used +for encryption by only a single sender. In other words, the key is +shared only across streams that originate from a particular device (of +course, other SRTP participants will need to use the key for +decryption). libSRTP supports this enforcement by detecting the case +in which a key is used for both inbound and outbound data. + +-------------------------------------------------------------------------------- + +<a name="supported-features"></a> +## Supported Features + +This library supports all of the mandatory-to-implement features of +SRTP (as defined in [RFC 3711](https://www.ietf.org/rfc/rfc3711.txt)). Some of these +features can be selected (or de-selected) at run time by setting an +appropriate policy; this is done using the structure `srtp_policy_t`. +Some other behaviors of the protocol can be adapted by defining an +approriate event handler for the exceptional events; see the SRTPevents +section in the generated documentation. + +Some options that are described in the SRTP specification are not +supported. This includes + +- key derivation rates other than zero, +- the cipher F8, +- the use of the packet index to select between master keys. + +The user should be aware that it is possible to misuse this libary, +and that the result may be that the security level it provides is +inadequate. If you are implementing a feature using this library, you +will want to read the Security Considerations section of [RFC 3711](https://www.ietf.org/rfc/rfc3711.txt). +In addition, it is important that you read and understand the +terms outlined in the [License and Disclaimer](#license-and-disclaimer) section. + +-------------------------------------------------------------------------------- + +<a name="implementation-notes"></a> +## Implementation Notes + + * The `srtp_protect()` function assumes that the buffer holding the + rtp packet has enough storage allocated that the authentication + tag can be written to the end of that packet. If this assumption + is not valid, memory corruption will ensue. + + * Automated tests for the crypto functions are provided through + the `cipher_type_self_test()` and `auth_type_self_test()` functions. + These functions should be used to test each port of this code + to a new platform. + + * Replay protection is contained in the crypto engine, and + tests for it are provided. + + * This implementation provides calls to initialize, protect, and + unprotect RTP packets, and makes as few as possible assumptions + about how these functions will be called. For example, the + caller is not expected to provide packets in order (though if + they're called more than 65k out of sequence, synchronization + will be lost). + + * The sequence number in the rtp packet is used as the low 16 bits + of the sender's local packet index. Note that RTP will start its + sequence number in a random place, and the SRTP layer just jumps + forward to that number at its first invocation. An earlier + version of this library used initial sequence numbers that are + less than 32,768; this trick is no longer required as the + `rdbx_estimate_index(...)` function has been made smarter. + + * The replay window for (S)RTCP is hardcoded to 128 bits in length. + +-------------------------------------------------------------------------------- + +<a name="installing-and-building-libsrtp"></a> +# Installing and Building libSRTP + +To install libSRTP, download the latest release of the distribution +from [https://github.com/cisco/libsrtp/releases](https://github.com/cisco/libsrtp/releases). +You probably want to get the most recent release. Unpack the distribution and +extract the source files; the directory into which the source files +will go is named `libsrtp-A-B-C` where `A` is the version number, `B` is the +major release number and `C` is the minor release number. + +libSRTP uses the GNU `autoconf` and `make` utilities (BSD make will not work; if +both versions of make are on your platform, you can invoke GNU make as +`gmake`.). In the `libsrtp` directory, run the configure script and then +make: + +~~~.txt +./configure [ options ] +make +~~~ + +The configure script accepts the following options: + +Option | Description +-------------------------------|-------------------- +\-\-help \-h | Display help +\-\-enable-debug-logging | Enable debug logging in all modules +\-\-enable-log-stdout | Enable logging to stdout +\-\-enable-openssl | Enable OpenSSL crypto engine +\-\-enable-openssl-kdf | Enable OpenSSL KDF algorithm +\-\-with-log-file | Use file for logging +\-\-with-openssl-dir | Location of OpenSSL installation + +By default there is no log output, logging can be enabled to be output to stdout +or a given file using the configure options. + +This package has been tested on the following platforms: Mac OS X +(powerpc-apple-darwin1.4), Cygwin (i686-pc-cygwin), Solaris +(sparc-sun-solaris2.6), RedHat Linux 7.1 and 9 (i686-pc-linux), and +OpenBSD (sparc-unknown-openbsd2.7). + +-------------------------------------------------------------------------------- + +<a name="changing-build-configuration"></a> +## Changing Build Configuration + +To build the `./configure` script mentioned above, libSRTP relies on the +[automake](https://www.gnu.org/software/automake/) toolchain. Since +`./configure` is built from `configure.in` by automake, if you make changes in +how `./configure` works (e.g., to add a new library dependency), you will need +to rebuild `./configure` and commit the updated version. In addition to +automake itself, you will need to have the `pkgconfig` tools installed as well. + +For example, on macOS: + +``` +brew install automake pkgconfig +# Edit configure.in +autoremake -ivf +``` + +-------------------------------------------------------------------------------- + +<a name="applications"></a> +# Applications + +Several test drivers and a simple and portable srtp application are +included in the `test/` subdirectory. + +Test driver | Function tested +--------- | ------- +kernel_driver | crypto kernel (ciphers, auth funcs, rng) +srtp_driver | srtp in-memory tests (does not use the network) +rdbx_driver | rdbx (extended replay database) +roc_driver | extended sequence number functions +replay_driver | replay database +cipher_driver | ciphers +auth_driver | hash functions + +The app `rtpw` is a simple rtp application which reads words from +`/usr/dict/words` and then sends them out one at a time using [s]rtp. +Manual srtp keying uses the -k option; automated key management +using gdoi will be added later. + +usage: +~~~.txt +rtpw [[-d <debug>]* [-k|b <key> [-a][-e <key size>][-g]] [-s | -r] dest_ip dest_port] | [-l] +~~~ + +Either the -s (sender) or -r (receiver) option must be chosen. The +values `dest_ip`, `dest_port` are the IP address and UDP port to which +the dictionary will be sent, respectively. + +The options are: + +Option | Description +--------- | ------- + -s | (S)RTP sender - causes app to send words + -r | (S)RTP receive - causes app to receive words + -k <key> | use SRTP master key <key>, where the key is a hexadecimal (without the leading "0x") + -b <key> | same as -k but with base64 encoded key + -e <keysize> | encrypt/decrypt (for data confidentiality) (requires use of -k option as well) (use 128, 192, or 256 for keysize) + -g | use AES-GCM mode (must be used with -e) + -a | message authentication (requires use of -k option as well) + -l | list the available debug modules + -d <debug> | turn on debugging for module <debug> + +In order to get random 30-byte values for use as key/salt pairs , you +can use the following bash function to format the output of +`/dev/random` (where that device is available). + +~~~.txt +function randhex() { + cat /dev/random | od --read-bytes=32 --width=32 -x | awk '{ print $2 $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15 $16 }' +} +~~~ + +An example of an SRTP session using two rtpw programs follows: + +~~~.txt +set k=c1eec3717da76195bb878578790af71c4ee9f859e197a414a78d5abc7451 + +[sh1]$ test/rtpw -s -k $k -e 128 -a 0.0.0.0 9999 +Security services: confidentiality message authentication +set master key/salt to C1EEC3717DA76195BB878578790AF71C/4EE9F859E197A414A78D5ABC7451 +setting SSRC to 2078917053 +sending word: A +sending word: a +sending word: aa +sending word: aal +... + +[sh2]$ test/rtpw -r -k $k -e 128 -a 0.0.0.0 9999 +security services: confidentiality message authentication +set master key/salt to C1EEC3717DA76195BB878578790AF71C/4EE9F859E197A414A78D5ABC7451 +19 octets received from SSRC 2078917053 word: A +19 octets received from SSRC 2078917053 word: a +20 octets received from SSRC 2078917053 word: aa +21 octets received from SSRC 2078917053 word: aal +... +~~~ + +-------------------------------------------------------------------------------- + +<a name="example-code"></a> +## Example Code + +This section provides a simple example of how to use libSRTP. The +example code lacks error checking, but is functional. Here we assume +that the value ssrc is already set to describe the SSRC of the stream +that we are sending, and that the functions `get_rtp_packet()` and +`send_srtp_packet()` are available to us. The former puts an RTP packet +into the buffer and returns the number of octets written to that +buffer. The latter sends the RTP packet in the buffer, given the +length as its second argument. + +~~~.c +srtp_t session; +srtp_policy_t policy; + +// Set key to predetermined value +uint8_t key[30] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D}; + +// initialize libSRTP +srtp_init(); + +// default policy values +memset(&policy, 0x0, sizeof(srtp_policy_t)); + +// set policy to describe a policy for an SRTP stream +crypto_policy_set_rtp_default(&policy.rtp); +crypto_policy_set_rtcp_default(&policy.rtcp); +policy.ssrc = ssrc; +policy.key = key; +policy.next = NULL; + +// allocate and initialize the SRTP session +srtp_create(&session, &policy); + +// main loop: get rtp packets, send srtp packets +while (1) { + char rtp_buffer[2048]; + unsigned len; + + len = get_rtp_packet(rtp_buffer); + srtp_protect(session, rtp_buffer, &len); + send_srtp_packet(rtp_buffer, len); +} +~~~ + +-------------------------------------------------------------------------------- + +<a name="credits"></a> +# Credits + +The original implementation and documentation of libSRTP was written +by David McGrew of Cisco Systems, Inc. in order to promote the use, +understanding, and interoperability of Secure RTP. Michael Jerris +contributed support for building under MSVC. Andris Pavenis +contributed many important fixes. Brian West contributed changes to +enable dynamic linking. Yves Shumann reported documentation bugs. +Randell Jesup contributed a working SRTCP implementation and other +fixes. Steve Underwood contributed x86_64 portability changes. We also give +thanks to Fredrik Thulin, Brian Weis, Mark Baugher, Jeff Chan, Bill +Simon, Douglas Smith, Bill May, Richard Preistley, Joe Tardo and +others for contributions, comments, and corrections. + +This reference material, when applicable, in this documenation was generated +using the doxygen utility for automatic documentation of source code. + +Copyright 2001-2005 by David A. McGrew, Cisco Systems, Inc. + +-------------------------------------------------------------------------------- + +<a name="references"></a> +# References + +SRTP and ICM References +September, 2005 + +Secure RTP is defined in [RFC 3711](https://www.ietf.org/rfc/rfc3711.txt). +The counter mode definition is in Section 4.1.1. + +SHA-1 is defined in [FIPS PUB 180-4](http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf). + +HMAC is defined in [RFC 2104](https://www.ietf.org/rfc/rfc2104.txt) +and HMAC-SHA1 test vectors are available +in [RFC 2202](https://www.ietf.org/rfc/rfc2202.txt). + +AES-GCM usage in SRTP is defined in [RFC 7714](https://www.ietf.org/html/rfc7714) diff --git a/netwerk/srtp/src/VERSION b/netwerk/srtp/src/VERSION new file mode 100644 index 0000000000..5432261487 --- /dev/null +++ b/netwerk/srtp/src/VERSION @@ -0,0 +1 @@ +2.2.0-pre diff --git a/netwerk/srtp/src/crypto/Makefile.in b/netwerk/srtp/src/crypto/Makefile.in new file mode 100644 index 0000000000..44f29ad2cf --- /dev/null +++ b/netwerk/srtp/src/crypto/Makefile.in @@ -0,0 +1,119 @@ +# Makefile for crypto test suite +# +# David A. McGrew +# Cisco Systems, Inc. + +srcdir = @srcdir@ +top_srcdir = @top_srcdir@ +top_builddir = @top_builddir@ +VPATH = @srcdir@ + +CC = @CC@ +INCDIR = -Iinclude -I$(srcdir)/include -I$(top_srcdir)/include +DEFS = @DEFS@ +CPPFLAGS= @CPPFLAGS@ +CFLAGS = @CFLAGS@ +LIBS = @LIBS@ +LDFLAGS = @LDFLAGS@ -L. -L.. +COMPILE = $(CC) $(DEFS) $(INCDIR) $(CPPFLAGS) $(CFLAGS) +CRYPTOLIB = -lsrtp2 +CRYPTO_LIBDIR = @CRYPTO_LIBDIR@ + +RANLIB = @RANLIB@ + +# Specify how tests should find shared libraries on macOS and Linux +# +# macOS purges DYLD_LIBRARY_PATH when spawning subprocesses, so it's +# not possible to pass this in from the outside; we have to specify +# it for any subprocesses we call. No support for dynamic linked +# tests on Windows. +ifneq ($(strip $(CRYPTO_LIBDIR)),) + ifneq ($(OS),Windows_NT) + UNAME_S = $(shell uname -s) + ifeq ($(UNAME_S),Linux) + FIND_LIBRARIES = LD_LIBRARY_PATH=$(CRYPTO_LIBDIR) + endif + ifeq ($(UNAME_S),Darwin) + FIND_LIBRARIES = DYLD_LIBRARY_PATH=$(CRYPTO_LIBDIR) + endif + endif +endif + +# EXE defines the suffix on executables - it's .exe for cygwin, and +# null on linux, bsd, and OS X and other OSes. we define this so that +# `make clean` will work on the cygwin platform +EXE = @EXE@ +# Random source. +USE_EXTERNAL_CRYPTO = @USE_EXTERNAL_CRYPTO@ + +ifdef ARCH + DEFS += -D$(ARCH)=1 +endif + +ifdef sysname + DEFS += -D$(sysname)=1 +endif + +.PHONY: dummy all runtest clean superclean + +dummy : all runtest + +# test applications +ifneq (1, $(USE_EXTERNAL_CRYPTO)) +AES_CALC = test/aes_calc$(EXE) +endif + +testapp = test/cipher_driver$(EXE) test/datatypes_driver$(EXE) \ + test/stat_driver$(EXE) test/sha1_driver$(EXE) \ + test/kernel_driver$(EXE) $(AES_CALC) \ + test/env$(EXE) + +# data values used to test the aes_calc application for AES-128 +k128=000102030405060708090a0b0c0d0e0f +p128=00112233445566778899aabbccddeeff +c128=69c4e0d86a7b0430d8cdb78070b4c55a + + +# data values used to test the aes_calc application for AES-256 +k256=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f +p256=00112233445566778899aabbccddeeff +c256=8ea2b7ca516745bfeafc49904b496089 + + +runtest: $(testapp) + $(FIND_LIBRARIES) test/env$(EXE) # print out information on the build environment + @echo "running crypto test applications..." +ifneq (1, $(USE_EXTERNAL_CRYPTO)) + $(FIND_LIBRARIES) test `test/aes_calc $(k128) $(p128)` = $(c128) + $(FIND_LIBRARIES) test `test/aes_calc $(k256) $(p256)` = $(c256) +endif + $(FIND_LIBRARIES) test/cipher_driver$(EXE) -v >/dev/null + $(FIND_LIBRARIES) test/datatypes_driver$(EXE) -v >/dev/null + $(FIND_LIBRARIES) test/stat_driver$(EXE) >/dev/null + $(FIND_LIBRARIES) test/sha1_driver$(EXE) -v >/dev/null + $(FIND_LIBRARIES) test/kernel_driver$(EXE) -v >/dev/null + @echo "crypto test applications passed." + + +# the rule for making object files and test apps + +%.o: %.c + $(COMPILE) -c $< -o $@ + +%$(EXE): %.c $(srcdir)/../test/getopt_s.c + $(COMPILE) $(LDFLAGS) $< $(srcdir)/../test/getopt_s.c -o $@ $(CRYPTOLIB) $(LIBS) + +all: $(testapp) + +# housekeeping functions + +clean: + rm -f $(testapp) *.o */*.o + for a in * .* */*; do if [ -f "$$a~" ] ; then rm $$a~; fi; done; + rm -f `find . -name "*.[ch]~*~"` + rm -rf latex + +superclean: clean + rm -f *core TAGS ktrace.out + +# EOF diff --git a/netwerk/srtp/src/crypto/cipher/aes.c b/netwerk/srtp/src/crypto/cipher/aes.c new file mode 100644 index 0000000000..c9cd774201 --- /dev/null +++ b/netwerk/srtp/src/crypto/cipher/aes.c @@ -0,0 +1,2189 @@ +/* + * aes.c + * + * An implemnetation of the AES block cipher. + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "aes.h" +#include "err.h" + +/* + * we use the tables T0, T1, T2, T3, and T4 to compute AES, and + * the tables U0, U1, U2, and U4 to compute its inverse + * + * different tables are used on little-endian (Intel, VMS) and + * big-endian processors (everything else) + * + * these tables are computed using the program tables/aes_tables; use + * this program to generate different tables for porting or + * optimization on a different platform + */ + +#ifndef WORDS_BIGENDIAN +/* clang-format off */ +static const uint32_t T0[256] = { + 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, + 0xdf2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, + 0x50303060, 0x3010102, 0xa96767ce, 0x7d2b2b56, + 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, + 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, + 0x15fafaef, 0xeb5959b2, 0xc947478e, 0xbf0f0fb, + 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, + 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, + 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, + 0x5a36366c, 0x413f3f7e, 0x2f7f7f5, 0x4fcccc83, + 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x8f1f1f9, + 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, + 0xc040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, + 0x28181830, 0xa1969637, 0xf05050a, 0xb59a9a2f, + 0x907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, + 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, + 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, + 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, + 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, + 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, + 0xf55353a6, 0x68d1d1b9, 0x0, 0x2cededc1, + 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, + 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, + 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, + 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, + 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, + 0xcf45458a, 0x10f9f9e9, 0x6020204, 0x817f7ffe, + 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, + 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, + 0xad92923f, 0xbc9d9d21, 0x48383870, 0x4f5f5f1, + 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, + 0x30101020, 0x1affffe5, 0xef3f3fd, 0x6dd2d2bf, + 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, + 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, + 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, + 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, + 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, + 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, + 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, + 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, + 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, + 0xdb494992, 0xa06060c, 0x6c242448, 0xe45c5cb8, + 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, + 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, + 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, + 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, + 0xb46c6cd8, 0xfa5656ac, 0x7f4f4f3, 0x25eaeacf, + 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, + 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, + 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, + 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, + 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, + 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, + 0xd8484890, 0x5030306, 0x1f6f6f7, 0x120e0e1c, + 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, + 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, + 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, + 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, + 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, + 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, + 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, + 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, + 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, + 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t T1[256] = { + 0x6363c6a5, 0x7c7cf884, 0x7777ee99, 0x7b7bf68d, + 0xf2f2ff0d, 0x6b6bd6bd, 0x6f6fdeb1, 0xc5c59154, + 0x30306050, 0x1010203, 0x6767cea9, 0x2b2b567d, + 0xfefee719, 0xd7d7b562, 0xabab4de6, 0x7676ec9a, + 0xcaca8f45, 0x82821f9d, 0xc9c98940, 0x7d7dfa87, + 0xfafaef15, 0x5959b2eb, 0x47478ec9, 0xf0f0fb0b, + 0xadad41ec, 0xd4d4b367, 0xa2a25ffd, 0xafaf45ea, + 0x9c9c23bf, 0xa4a453f7, 0x7272e496, 0xc0c09b5b, + 0xb7b775c2, 0xfdfde11c, 0x93933dae, 0x26264c6a, + 0x36366c5a, 0x3f3f7e41, 0xf7f7f502, 0xcccc834f, + 0x3434685c, 0xa5a551f4, 0xe5e5d134, 0xf1f1f908, + 0x7171e293, 0xd8d8ab73, 0x31316253, 0x15152a3f, + 0x404080c, 0xc7c79552, 0x23234665, 0xc3c39d5e, + 0x18183028, 0x969637a1, 0x5050a0f, 0x9a9a2fb5, + 0x7070e09, 0x12122436, 0x80801b9b, 0xe2e2df3d, + 0xebebcd26, 0x27274e69, 0xb2b27fcd, 0x7575ea9f, + 0x909121b, 0x83831d9e, 0x2c2c5874, 0x1a1a342e, + 0x1b1b362d, 0x6e6edcb2, 0x5a5ab4ee, 0xa0a05bfb, + 0x5252a4f6, 0x3b3b764d, 0xd6d6b761, 0xb3b37dce, + 0x2929527b, 0xe3e3dd3e, 0x2f2f5e71, 0x84841397, + 0x5353a6f5, 0xd1d1b968, 0x00000000, 0xededc12c, + 0x20204060, 0xfcfce31f, 0xb1b179c8, 0x5b5bb6ed, + 0x6a6ad4be, 0xcbcb8d46, 0xbebe67d9, 0x3939724b, + 0x4a4a94de, 0x4c4c98d4, 0x5858b0e8, 0xcfcf854a, + 0xd0d0bb6b, 0xefefc52a, 0xaaaa4fe5, 0xfbfbed16, + 0x434386c5, 0x4d4d9ad7, 0x33336655, 0x85851194, + 0x45458acf, 0xf9f9e910, 0x2020406, 0x7f7ffe81, + 0x5050a0f0, 0x3c3c7844, 0x9f9f25ba, 0xa8a84be3, + 0x5151a2f3, 0xa3a35dfe, 0x404080c0, 0x8f8f058a, + 0x92923fad, 0x9d9d21bc, 0x38387048, 0xf5f5f104, + 0xbcbc63df, 0xb6b677c1, 0xdadaaf75, 0x21214263, + 0x10102030, 0xffffe51a, 0xf3f3fd0e, 0xd2d2bf6d, + 0xcdcd814c, 0xc0c1814, 0x13132635, 0xececc32f, + 0x5f5fbee1, 0x979735a2, 0x444488cc, 0x17172e39, + 0xc4c49357, 0xa7a755f2, 0x7e7efc82, 0x3d3d7a47, + 0x6464c8ac, 0x5d5dbae7, 0x1919322b, 0x7373e695, + 0x6060c0a0, 0x81811998, 0x4f4f9ed1, 0xdcdca37f, + 0x22224466, 0x2a2a547e, 0x90903bab, 0x88880b83, + 0x46468cca, 0xeeeec729, 0xb8b86bd3, 0x1414283c, + 0xdedea779, 0x5e5ebce2, 0xb0b161d, 0xdbdbad76, + 0xe0e0db3b, 0x32326456, 0x3a3a744e, 0xa0a141e, + 0x494992db, 0x6060c0a, 0x2424486c, 0x5c5cb8e4, + 0xc2c29f5d, 0xd3d3bd6e, 0xacac43ef, 0x6262c4a6, + 0x919139a8, 0x959531a4, 0xe4e4d337, 0x7979f28b, + 0xe7e7d532, 0xc8c88b43, 0x37376e59, 0x6d6ddab7, + 0x8d8d018c, 0xd5d5b164, 0x4e4e9cd2, 0xa9a949e0, + 0x6c6cd8b4, 0x5656acfa, 0xf4f4f307, 0xeaeacf25, + 0x6565caaf, 0x7a7af48e, 0xaeae47e9, 0x8081018, + 0xbaba6fd5, 0x7878f088, 0x25254a6f, 0x2e2e5c72, + 0x1c1c3824, 0xa6a657f1, 0xb4b473c7, 0xc6c69751, + 0xe8e8cb23, 0xdddda17c, 0x7474e89c, 0x1f1f3e21, + 0x4b4b96dd, 0xbdbd61dc, 0x8b8b0d86, 0x8a8a0f85, + 0x7070e090, 0x3e3e7c42, 0xb5b571c4, 0x6666ccaa, + 0x484890d8, 0x3030605, 0xf6f6f701, 0xe0e1c12, + 0x6161c2a3, 0x35356a5f, 0x5757aef9, 0xb9b969d0, + 0x86861791, 0xc1c19958, 0x1d1d3a27, 0x9e9e27b9, + 0xe1e1d938, 0xf8f8eb13, 0x98982bb3, 0x11112233, + 0x6969d2bb, 0xd9d9a970, 0x8e8e0789, 0x949433a7, + 0x9b9b2db6, 0x1e1e3c22, 0x87871592, 0xe9e9c920, + 0xcece8749, 0x5555aaff, 0x28285078, 0xdfdfa57a, + 0x8c8c038f, 0xa1a159f8, 0x89890980, 0xd0d1a17, + 0xbfbf65da, 0xe6e6d731, 0x424284c6, 0x6868d0b8, + 0x414182c3, 0x999929b0, 0x2d2d5a77, 0xf0f1e11, + 0xb0b07bcb, 0x5454a8fc, 0xbbbb6dd6, 0x16162c3a, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t T2[256] = { + 0x63c6a563, 0x7cf8847c, 0x77ee9977, 0x7bf68d7b, + 0xf2ff0df2, 0x6bd6bd6b, 0x6fdeb16f, 0xc59154c5, + 0x30605030, 0x1020301, 0x67cea967, 0x2b567d2b, + 0xfee719fe, 0xd7b562d7, 0xab4de6ab, 0x76ec9a76, + 0xca8f45ca, 0x821f9d82, 0xc98940c9, 0x7dfa877d, + 0xfaef15fa, 0x59b2eb59, 0x478ec947, 0xf0fb0bf0, + 0xad41ecad, 0xd4b367d4, 0xa25ffda2, 0xaf45eaaf, + 0x9c23bf9c, 0xa453f7a4, 0x72e49672, 0xc09b5bc0, + 0xb775c2b7, 0xfde11cfd, 0x933dae93, 0x264c6a26, + 0x366c5a36, 0x3f7e413f, 0xf7f502f7, 0xcc834fcc, + 0x34685c34, 0xa551f4a5, 0xe5d134e5, 0xf1f908f1, + 0x71e29371, 0xd8ab73d8, 0x31625331, 0x152a3f15, + 0x4080c04, 0xc79552c7, 0x23466523, 0xc39d5ec3, + 0x18302818, 0x9637a196, 0x50a0f05, 0x9a2fb59a, + 0x70e0907, 0x12243612, 0x801b9b80, 0xe2df3de2, + 0xebcd26eb, 0x274e6927, 0xb27fcdb2, 0x75ea9f75, + 0x9121b09, 0x831d9e83, 0x2c58742c, 0x1a342e1a, + 0x1b362d1b, 0x6edcb26e, 0x5ab4ee5a, 0xa05bfba0, + 0x52a4f652, 0x3b764d3b, 0xd6b761d6, 0xb37dceb3, + 0x29527b29, 0xe3dd3ee3, 0x2f5e712f, 0x84139784, + 0x53a6f553, 0xd1b968d1, 0x0, 0xedc12ced, + 0x20406020, 0xfce31ffc, 0xb179c8b1, 0x5bb6ed5b, + 0x6ad4be6a, 0xcb8d46cb, 0xbe67d9be, 0x39724b39, + 0x4a94de4a, 0x4c98d44c, 0x58b0e858, 0xcf854acf, + 0xd0bb6bd0, 0xefc52aef, 0xaa4fe5aa, 0xfbed16fb, + 0x4386c543, 0x4d9ad74d, 0x33665533, 0x85119485, + 0x458acf45, 0xf9e910f9, 0x2040602, 0x7ffe817f, + 0x50a0f050, 0x3c78443c, 0x9f25ba9f, 0xa84be3a8, + 0x51a2f351, 0xa35dfea3, 0x4080c040, 0x8f058a8f, + 0x923fad92, 0x9d21bc9d, 0x38704838, 0xf5f104f5, + 0xbc63dfbc, 0xb677c1b6, 0xdaaf75da, 0x21426321, + 0x10203010, 0xffe51aff, 0xf3fd0ef3, 0xd2bf6dd2, + 0xcd814ccd, 0xc18140c, 0x13263513, 0xecc32fec, + 0x5fbee15f, 0x9735a297, 0x4488cc44, 0x172e3917, + 0xc49357c4, 0xa755f2a7, 0x7efc827e, 0x3d7a473d, + 0x64c8ac64, 0x5dbae75d, 0x19322b19, 0x73e69573, + 0x60c0a060, 0x81199881, 0x4f9ed14f, 0xdca37fdc, + 0x22446622, 0x2a547e2a, 0x903bab90, 0x880b8388, + 0x468cca46, 0xeec729ee, 0xb86bd3b8, 0x14283c14, + 0xdea779de, 0x5ebce25e, 0xb161d0b, 0xdbad76db, + 0xe0db3be0, 0x32645632, 0x3a744e3a, 0xa141e0a, + 0x4992db49, 0x60c0a06, 0x24486c24, 0x5cb8e45c, + 0xc29f5dc2, 0xd3bd6ed3, 0xac43efac, 0x62c4a662, + 0x9139a891, 0x9531a495, 0xe4d337e4, 0x79f28b79, + 0xe7d532e7, 0xc88b43c8, 0x376e5937, 0x6ddab76d, + 0x8d018c8d, 0xd5b164d5, 0x4e9cd24e, 0xa949e0a9, + 0x6cd8b46c, 0x56acfa56, 0xf4f307f4, 0xeacf25ea, + 0x65caaf65, 0x7af48e7a, 0xae47e9ae, 0x8101808, + 0xba6fd5ba, 0x78f08878, 0x254a6f25, 0x2e5c722e, + 0x1c38241c, 0xa657f1a6, 0xb473c7b4, 0xc69751c6, + 0xe8cb23e8, 0xdda17cdd, 0x74e89c74, 0x1f3e211f, + 0x4b96dd4b, 0xbd61dcbd, 0x8b0d868b, 0x8a0f858a, + 0x70e09070, 0x3e7c423e, 0xb571c4b5, 0x66ccaa66, + 0x4890d848, 0x3060503, 0xf6f701f6, 0xe1c120e, + 0x61c2a361, 0x356a5f35, 0x57aef957, 0xb969d0b9, + 0x86179186, 0xc19958c1, 0x1d3a271d, 0x9e27b99e, + 0xe1d938e1, 0xf8eb13f8, 0x982bb398, 0x11223311, + 0x69d2bb69, 0xd9a970d9, 0x8e07898e, 0x9433a794, + 0x9b2db69b, 0x1e3c221e, 0x87159287, 0xe9c920e9, + 0xce8749ce, 0x55aaff55, 0x28507828, 0xdfa57adf, + 0x8c038f8c, 0xa159f8a1, 0x89098089, 0xd1a170d, + 0xbf65dabf, 0xe6d731e6, 0x4284c642, 0x68d0b868, + 0x4182c341, 0x9929b099, 0x2d5a772d, 0xf1e110f, + 0xb07bcbb0, 0x54a8fc54, 0xbb6dd6bb, 0x162c3a16, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t T3[256] = { + 0xc6a56363, 0xf8847c7c, 0xee997777, 0xf68d7b7b, + 0xff0df2f2, 0xd6bd6b6b, 0xdeb16f6f, 0x9154c5c5, + 0x60503030, 0x2030101, 0xcea96767, 0x567d2b2b, + 0xe719fefe, 0xb562d7d7, 0x4de6abab, 0xec9a7676, + 0x8f45caca, 0x1f9d8282, 0x8940c9c9, 0xfa877d7d, + 0xef15fafa, 0xb2eb5959, 0x8ec94747, 0xfb0bf0f0, + 0x41ecadad, 0xb367d4d4, 0x5ffda2a2, 0x45eaafaf, + 0x23bf9c9c, 0x53f7a4a4, 0xe4967272, 0x9b5bc0c0, + 0x75c2b7b7, 0xe11cfdfd, 0x3dae9393, 0x4c6a2626, + 0x6c5a3636, 0x7e413f3f, 0xf502f7f7, 0x834fcccc, + 0x685c3434, 0x51f4a5a5, 0xd134e5e5, 0xf908f1f1, + 0xe2937171, 0xab73d8d8, 0x62533131, 0x2a3f1515, + 0x80c0404, 0x9552c7c7, 0x46652323, 0x9d5ec3c3, + 0x30281818, 0x37a19696, 0xa0f0505, 0x2fb59a9a, + 0xe090707, 0x24361212, 0x1b9b8080, 0xdf3de2e2, + 0xcd26ebeb, 0x4e692727, 0x7fcdb2b2, 0xea9f7575, + 0x121b0909, 0x1d9e8383, 0x58742c2c, 0x342e1a1a, + 0x362d1b1b, 0xdcb26e6e, 0xb4ee5a5a, 0x5bfba0a0, + 0xa4f65252, 0x764d3b3b, 0xb761d6d6, 0x7dceb3b3, + 0x527b2929, 0xdd3ee3e3, 0x5e712f2f, 0x13978484, + 0xa6f55353, 0xb968d1d1, 0x0, 0xc12ceded, + 0x40602020, 0xe31ffcfc, 0x79c8b1b1, 0xb6ed5b5b, + 0xd4be6a6a, 0x8d46cbcb, 0x67d9bebe, 0x724b3939, + 0x94de4a4a, 0x98d44c4c, 0xb0e85858, 0x854acfcf, + 0xbb6bd0d0, 0xc52aefef, 0x4fe5aaaa, 0xed16fbfb, + 0x86c54343, 0x9ad74d4d, 0x66553333, 0x11948585, + 0x8acf4545, 0xe910f9f9, 0x4060202, 0xfe817f7f, + 0xa0f05050, 0x78443c3c, 0x25ba9f9f, 0x4be3a8a8, + 0xa2f35151, 0x5dfea3a3, 0x80c04040, 0x58a8f8f, + 0x3fad9292, 0x21bc9d9d, 0x70483838, 0xf104f5f5, + 0x63dfbcbc, 0x77c1b6b6, 0xaf75dada, 0x42632121, + 0x20301010, 0xe51affff, 0xfd0ef3f3, 0xbf6dd2d2, + 0x814ccdcd, 0x18140c0c, 0x26351313, 0xc32fecec, + 0xbee15f5f, 0x35a29797, 0x88cc4444, 0x2e391717, + 0x9357c4c4, 0x55f2a7a7, 0xfc827e7e, 0x7a473d3d, + 0xc8ac6464, 0xbae75d5d, 0x322b1919, 0xe6957373, + 0xc0a06060, 0x19988181, 0x9ed14f4f, 0xa37fdcdc, + 0x44662222, 0x547e2a2a, 0x3bab9090, 0xb838888, + 0x8cca4646, 0xc729eeee, 0x6bd3b8b8, 0x283c1414, + 0xa779dede, 0xbce25e5e, 0x161d0b0b, 0xad76dbdb, + 0xdb3be0e0, 0x64563232, 0x744e3a3a, 0x141e0a0a, + 0x92db4949, 0xc0a0606, 0x486c2424, 0xb8e45c5c, + 0x9f5dc2c2, 0xbd6ed3d3, 0x43efacac, 0xc4a66262, + 0x39a89191, 0x31a49595, 0xd337e4e4, 0xf28b7979, + 0xd532e7e7, 0x8b43c8c8, 0x6e593737, 0xdab76d6d, + 0x18c8d8d, 0xb164d5d5, 0x9cd24e4e, 0x49e0a9a9, + 0xd8b46c6c, 0xacfa5656, 0xf307f4f4, 0xcf25eaea, + 0xcaaf6565, 0xf48e7a7a, 0x47e9aeae, 0x10180808, + 0x6fd5baba, 0xf0887878, 0x4a6f2525, 0x5c722e2e, + 0x38241c1c, 0x57f1a6a6, 0x73c7b4b4, 0x9751c6c6, + 0xcb23e8e8, 0xa17cdddd, 0xe89c7474, 0x3e211f1f, + 0x96dd4b4b, 0x61dcbdbd, 0xd868b8b, 0xf858a8a, + 0xe0907070, 0x7c423e3e, 0x71c4b5b5, 0xccaa6666, + 0x90d84848, 0x6050303, 0xf701f6f6, 0x1c120e0e, + 0xc2a36161, 0x6a5f3535, 0xaef95757, 0x69d0b9b9, + 0x17918686, 0x9958c1c1, 0x3a271d1d, 0x27b99e9e, + 0xd938e1e1, 0xeb13f8f8, 0x2bb39898, 0x22331111, + 0xd2bb6969, 0xa970d9d9, 0x7898e8e, 0x33a79494, + 0x2db69b9b, 0x3c221e1e, 0x15928787, 0xc920e9e9, + 0x8749cece, 0xaaff5555, 0x50782828, 0xa57adfdf, + 0x38f8c8c, 0x59f8a1a1, 0x9808989, 0x1a170d0d, + 0x65dabfbf, 0xd731e6e6, 0x84c64242, 0xd0b86868, + 0x82c34141, 0x29b09999, 0x5a772d2d, 0x1e110f0f, + 0x7bcbb0b0, 0xa8fc5454, 0x6dd6bbbb, 0x2c3a1616, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t U0[256] = { + 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, + 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b, + 0x55fa3020, 0xf66d76ad, 0x9176cc88, 0x254c02f5, + 0xfcd7e54f, 0xd7cb2ac5, 0x80443526, 0x8fa362b5, + 0x495ab1de, 0x671bba25, 0x980eea45, 0xe1c0fe5d, + 0x2752fc3, 0x12f04c81, 0xa397468d, 0xc6f9d36b, + 0xe75f8f03, 0x959c9215, 0xeb7a6dbf, 0xda595295, + 0x2d83bed4, 0xd3217458, 0x2969e049, 0x44c8c98e, + 0x6a89c275, 0x78798ef4, 0x6b3e5899, 0xdd71b927, + 0xb64fe1be, 0x17ad88f0, 0x66ac20c9, 0xb43ace7d, + 0x184adf63, 0x82311ae5, 0x60335197, 0x457f5362, + 0xe07764b1, 0x84ae6bbb, 0x1ca081fe, 0x942b08f9, + 0x58684870, 0x19fd458f, 0x876cde94, 0xb7f87b52, + 0x23d373ab, 0xe2024b72, 0x578f1fe3, 0x2aab5566, + 0x728ebb2, 0x3c2b52f, 0x9a7bc586, 0xa50837d3, + 0xf2872830, 0xb2a5bf23, 0xba6a0302, 0x5c8216ed, + 0x2b1ccf8a, 0x92b479a7, 0xf0f207f3, 0xa1e2694e, + 0xcdf4da65, 0xd5be0506, 0x1f6234d1, 0x8afea6c4, + 0x9d532e34, 0xa055f3a2, 0x32e18a05, 0x75ebf6a4, + 0x39ec830b, 0xaaef6040, 0x69f715e, 0x51106ebd, + 0xf98a213e, 0x3d06dd96, 0xae053edd, 0x46bde64d, + 0xb58d5491, 0x55dc471, 0x6fd40604, 0xff155060, + 0x24fb9819, 0x97e9bdd6, 0xcc434089, 0x779ed967, + 0xbd42e8b0, 0x888b8907, 0x385b19e7, 0xdbeec879, + 0x470a7ca1, 0xe90f427c, 0xc91e84f8, 0x0, + 0x83868009, 0x48ed2b32, 0xac70111e, 0x4e725a6c, + 0xfbff0efd, 0x5638850f, 0x1ed5ae3d, 0x27392d36, + 0x64d90f0a, 0x21a65c68, 0xd1545b9b, 0x3a2e3624, + 0xb1670a0c, 0xfe75793, 0xd296eeb4, 0x9e919b1b, + 0x4fc5c080, 0xa220dc61, 0x694b775a, 0x161a121c, + 0xaba93e2, 0xe52aa0c0, 0x43e0223c, 0x1d171b12, + 0xb0d090e, 0xadc78bf2, 0xb9a8b62d, 0xc8a91e14, + 0x8519f157, 0x4c0775af, 0xbbdd99ee, 0xfd607fa3, + 0x9f2601f7, 0xbcf5725c, 0xc53b6644, 0x347efb5b, + 0x7629438b, 0xdcc623cb, 0x68fcedb6, 0x63f1e4b8, + 0xcadc31d7, 0x10856342, 0x40229713, 0x2011c684, + 0x7d244a85, 0xf83dbbd2, 0x1132f9ae, 0x6da129c7, + 0x4b2f9e1d, 0xf330b2dc, 0xec52860d, 0xd0e3c177, + 0x6c16b32b, 0x99b970a9, 0xfa489411, 0x2264e947, + 0xc48cfca8, 0x1a3ff0a0, 0xd82c7d56, 0xef903322, + 0xc74e4987, 0xc1d138d9, 0xfea2ca8c, 0x360bd498, + 0xcf81f5a6, 0x28de7aa5, 0x268eb7da, 0xa4bfad3f, + 0xe49d3a2c, 0xd927850, 0x9bcc5f6a, 0x62467e54, + 0xc2138df6, 0xe8b8d890, 0x5ef7392e, 0xf5afc382, + 0xbe805d9f, 0x7c93d069, 0xa92dd56f, 0xb31225cf, + 0x3b99acc8, 0xa77d1810, 0x6e639ce8, 0x7bbb3bdb, + 0x97826cd, 0xf418596e, 0x1b79aec, 0xa89a4f83, + 0x656e95e6, 0x7ee6ffaa, 0x8cfbc21, 0xe6e815ef, + 0xd99be7ba, 0xce366f4a, 0xd4099fea, 0xd67cb029, + 0xafb2a431, 0x31233f2a, 0x3094a5c6, 0xc066a235, + 0x37bc4e74, 0xa6ca82fc, 0xb0d090e0, 0x15d8a733, + 0x4a9804f1, 0xf7daec41, 0xe50cd7f, 0x2ff69117, + 0x8dd64d76, 0x4db0ef43, 0x544daacc, 0xdf0496e4, + 0xe3b5d19e, 0x1b886a4c, 0xb81f2cc1, 0x7f516546, + 0x4ea5e9d, 0x5d358c01, 0x737487fa, 0x2e410bfb, + 0x5a1d67b3, 0x52d2db92, 0x335610e9, 0x1347d66d, + 0x8c61d79a, 0x7a0ca137, 0x8e14f859, 0x893c13eb, + 0xee27a9ce, 0x35c961b7, 0xede51ce1, 0x3cb1477a, + 0x59dfd29c, 0x3f73f255, 0x79ce1418, 0xbf37c773, + 0xeacdf753, 0x5baafd5f, 0x146f3ddf, 0x86db4478, + 0x81f3afca, 0x3ec468b9, 0x2c342438, 0x5f40a3c2, + 0x72c31d16, 0xc25e2bc, 0x8b493c28, 0x41950dff, + 0x7101a839, 0xdeb30c08, 0x9ce4b4d8, 0x90c15664, + 0x6184cb7b, 0x70b632d5, 0x745c6c48, 0x4257b8d0, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t U1[256] = { + 0xa7f45150, 0x65417e53, 0xa4171ac3, 0x5e273a96, + 0x6bab3bcb, 0x459d1ff1, 0x58faacab, 0x3e34b93, + 0xfa302055, 0x6d76adf6, 0x76cc8891, 0x4c02f525, + 0xd7e54ffc, 0xcb2ac5d7, 0x44352680, 0xa362b58f, + 0x5ab1de49, 0x1bba2567, 0xeea4598, 0xc0fe5de1, + 0x752fc302, 0xf04c8112, 0x97468da3, 0xf9d36bc6, + 0x5f8f03e7, 0x9c921595, 0x7a6dbfeb, 0x595295da, + 0x83bed42d, 0x217458d3, 0x69e04929, 0xc8c98e44, + 0x89c2756a, 0x798ef478, 0x3e58996b, 0x71b927dd, + 0x4fe1beb6, 0xad88f017, 0xac20c966, 0x3ace7db4, + 0x4adf6318, 0x311ae582, 0x33519760, 0x7f536245, + 0x7764b1e0, 0xae6bbb84, 0xa081fe1c, 0x2b08f994, + 0x68487058, 0xfd458f19, 0x6cde9487, 0xf87b52b7, + 0xd373ab23, 0x24b72e2, 0x8f1fe357, 0xab55662a, + 0x28ebb207, 0xc2b52f03, 0x7bc5869a, 0x837d3a5, + 0x872830f2, 0xa5bf23b2, 0x6a0302ba, 0x8216ed5c, + 0x1ccf8a2b, 0xb479a792, 0xf207f3f0, 0xe2694ea1, + 0xf4da65cd, 0xbe0506d5, 0x6234d11f, 0xfea6c48a, + 0x532e349d, 0x55f3a2a0, 0xe18a0532, 0xebf6a475, + 0xec830b39, 0xef6040aa, 0x9f715e06, 0x106ebd51, + 0x8a213ef9, 0x6dd963d, 0x53eddae, 0xbde64d46, + 0x8d5491b5, 0x5dc47105, 0xd406046f, 0x155060ff, + 0xfb981924, 0xe9bdd697, 0x434089cc, 0x9ed96777, + 0x42e8b0bd, 0x8b890788, 0x5b19e738, 0xeec879db, + 0xa7ca147, 0xf427ce9, 0x1e84f8c9, 0x0, + 0x86800983, 0xed2b3248, 0x70111eac, 0x725a6c4e, + 0xff0efdfb, 0x38850f56, 0xd5ae3d1e, 0x392d3627, + 0xd90f0a64, 0xa65c6821, 0x545b9bd1, 0x2e36243a, + 0x670a0cb1, 0xe757930f, 0x96eeb4d2, 0x919b1b9e, + 0xc5c0804f, 0x20dc61a2, 0x4b775a69, 0x1a121c16, + 0xba93e20a, 0x2aa0c0e5, 0xe0223c43, 0x171b121d, + 0xd090e0b, 0xc78bf2ad, 0xa8b62db9, 0xa91e14c8, + 0x19f15785, 0x775af4c, 0xdd99eebb, 0x607fa3fd, + 0x2601f79f, 0xf5725cbc, 0x3b6644c5, 0x7efb5b34, + 0x29438b76, 0xc623cbdc, 0xfcedb668, 0xf1e4b863, + 0xdc31d7ca, 0x85634210, 0x22971340, 0x11c68420, + 0x244a857d, 0x3dbbd2f8, 0x32f9ae11, 0xa129c76d, + 0x2f9e1d4b, 0x30b2dcf3, 0x52860dec, 0xe3c177d0, + 0x16b32b6c, 0xb970a999, 0x489411fa, 0x64e94722, + 0x8cfca8c4, 0x3ff0a01a, 0x2c7d56d8, 0x903322ef, + 0x4e4987c7, 0xd138d9c1, 0xa2ca8cfe, 0xbd49836, + 0x81f5a6cf, 0xde7aa528, 0x8eb7da26, 0xbfad3fa4, + 0x9d3a2ce4, 0x9278500d, 0xcc5f6a9b, 0x467e5462, + 0x138df6c2, 0xb8d890e8, 0xf7392e5e, 0xafc382f5, + 0x805d9fbe, 0x93d0697c, 0x2dd56fa9, 0x1225cfb3, + 0x99acc83b, 0x7d1810a7, 0x639ce86e, 0xbb3bdb7b, + 0x7826cd09, 0x18596ef4, 0xb79aec01, 0x9a4f83a8, + 0x6e95e665, 0xe6ffaa7e, 0xcfbc2108, 0xe815efe6, + 0x9be7bad9, 0x366f4ace, 0x99fead4, 0x7cb029d6, + 0xb2a431af, 0x233f2a31, 0x94a5c630, 0x66a235c0, + 0xbc4e7437, 0xca82fca6, 0xd090e0b0, 0xd8a73315, + 0x9804f14a, 0xdaec41f7, 0x50cd7f0e, 0xf691172f, + 0xd64d768d, 0xb0ef434d, 0x4daacc54, 0x496e4df, + 0xb5d19ee3, 0x886a4c1b, 0x1f2cc1b8, 0x5165467f, + 0xea5e9d04, 0x358c015d, 0x7487fa73, 0x410bfb2e, + 0x1d67b35a, 0xd2db9252, 0x5610e933, 0x47d66d13, + 0x61d79a8c, 0xca1377a, 0x14f8598e, 0x3c13eb89, + 0x27a9ceee, 0xc961b735, 0xe51ce1ed, 0xb1477a3c, + 0xdfd29c59, 0x73f2553f, 0xce141879, 0x37c773bf, + 0xcdf753ea, 0xaafd5f5b, 0x6f3ddf14, 0xdb447886, + 0xf3afca81, 0xc468b93e, 0x3424382c, 0x40a3c25f, + 0xc31d1672, 0x25e2bc0c, 0x493c288b, 0x950dff41, + 0x1a83971, 0xb30c08de, 0xe4b4d89c, 0xc1566490, + 0x84cb7b61, 0xb632d570, 0x5c6c4874, 0x57b8d042, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t U2[256] = { + 0xf45150a7, 0x417e5365, 0x171ac3a4, 0x273a965e, + 0xab3bcb6b, 0x9d1ff145, 0xfaacab58, 0xe34b9303, + 0x302055fa, 0x76adf66d, 0xcc889176, 0x2f5254c, + 0xe54ffcd7, 0x2ac5d7cb, 0x35268044, 0x62b58fa3, + 0xb1de495a, 0xba25671b, 0xea45980e, 0xfe5de1c0, + 0x2fc30275, 0x4c8112f0, 0x468da397, 0xd36bc6f9, + 0x8f03e75f, 0x9215959c, 0x6dbfeb7a, 0x5295da59, + 0xbed42d83, 0x7458d321, 0xe0492969, 0xc98e44c8, + 0xc2756a89, 0x8ef47879, 0x58996b3e, 0xb927dd71, + 0xe1beb64f, 0x88f017ad, 0x20c966ac, 0xce7db43a, + 0xdf63184a, 0x1ae58231, 0x51976033, 0x5362457f, + 0x64b1e077, 0x6bbb84ae, 0x81fe1ca0, 0x8f9942b, + 0x48705868, 0x458f19fd, 0xde94876c, 0x7b52b7f8, + 0x73ab23d3, 0x4b72e202, 0x1fe3578f, 0x55662aab, + 0xebb20728, 0xb52f03c2, 0xc5869a7b, 0x37d3a508, + 0x2830f287, 0xbf23b2a5, 0x302ba6a, 0x16ed5c82, + 0xcf8a2b1c, 0x79a792b4, 0x7f3f0f2, 0x694ea1e2, + 0xda65cdf4, 0x506d5be, 0x34d11f62, 0xa6c48afe, + 0x2e349d53, 0xf3a2a055, 0x8a0532e1, 0xf6a475eb, + 0x830b39ec, 0x6040aaef, 0x715e069f, 0x6ebd5110, + 0x213ef98a, 0xdd963d06, 0x3eddae05, 0xe64d46bd, + 0x5491b58d, 0xc471055d, 0x6046fd4, 0x5060ff15, + 0x981924fb, 0xbdd697e9, 0x4089cc43, 0xd967779e, + 0xe8b0bd42, 0x8907888b, 0x19e7385b, 0xc879dbee, + 0x7ca1470a, 0x427ce90f, 0x84f8c91e, 0x0, + 0x80098386, 0x2b3248ed, 0x111eac70, 0x5a6c4e72, + 0xefdfbff, 0x850f5638, 0xae3d1ed5, 0x2d362739, + 0xf0a64d9, 0x5c6821a6, 0x5b9bd154, 0x36243a2e, + 0xa0cb167, 0x57930fe7, 0xeeb4d296, 0x9b1b9e91, + 0xc0804fc5, 0xdc61a220, 0x775a694b, 0x121c161a, + 0x93e20aba, 0xa0c0e52a, 0x223c43e0, 0x1b121d17, + 0x90e0b0d, 0x8bf2adc7, 0xb62db9a8, 0x1e14c8a9, + 0xf1578519, 0x75af4c07, 0x99eebbdd, 0x7fa3fd60, + 0x1f79f26, 0x725cbcf5, 0x6644c53b, 0xfb5b347e, + 0x438b7629, 0x23cbdcc6, 0xedb668fc, 0xe4b863f1, + 0x31d7cadc, 0x63421085, 0x97134022, 0xc6842011, + 0x4a857d24, 0xbbd2f83d, 0xf9ae1132, 0x29c76da1, + 0x9e1d4b2f, 0xb2dcf330, 0x860dec52, 0xc177d0e3, + 0xb32b6c16, 0x70a999b9, 0x9411fa48, 0xe9472264, + 0xfca8c48c, 0xf0a01a3f, 0x7d56d82c, 0x3322ef90, + 0x4987c74e, 0x38d9c1d1, 0xca8cfea2, 0xd498360b, + 0xf5a6cf81, 0x7aa528de, 0xb7da268e, 0xad3fa4bf, + 0x3a2ce49d, 0x78500d92, 0x5f6a9bcc, 0x7e546246, + 0x8df6c213, 0xd890e8b8, 0x392e5ef7, 0xc382f5af, + 0x5d9fbe80, 0xd0697c93, 0xd56fa92d, 0x25cfb312, + 0xacc83b99, 0x1810a77d, 0x9ce86e63, 0x3bdb7bbb, + 0x26cd0978, 0x596ef418, 0x9aec01b7, 0x4f83a89a, + 0x95e6656e, 0xffaa7ee6, 0xbc2108cf, 0x15efe6e8, + 0xe7bad99b, 0x6f4ace36, 0x9fead409, 0xb029d67c, + 0xa431afb2, 0x3f2a3123, 0xa5c63094, 0xa235c066, + 0x4e7437bc, 0x82fca6ca, 0x90e0b0d0, 0xa73315d8, + 0x4f14a98, 0xec41f7da, 0xcd7f0e50, 0x91172ff6, + 0x4d768dd6, 0xef434db0, 0xaacc544d, 0x96e4df04, + 0xd19ee3b5, 0x6a4c1b88, 0x2cc1b81f, 0x65467f51, + 0x5e9d04ea, 0x8c015d35, 0x87fa7374, 0xbfb2e41, + 0x67b35a1d, 0xdb9252d2, 0x10e93356, 0xd66d1347, + 0xd79a8c61, 0xa1377a0c, 0xf8598e14, 0x13eb893c, + 0xa9ceee27, 0x61b735c9, 0x1ce1ede5, 0x477a3cb1, + 0xd29c59df, 0xf2553f73, 0x141879ce, 0xc773bf37, + 0xf753eacd, 0xfd5f5baa, 0x3ddf146f, 0x447886db, + 0xafca81f3, 0x68b93ec4, 0x24382c34, 0xa3c25f40, + 0x1d1672c3, 0xe2bc0c25, 0x3c288b49, 0xdff4195, + 0xa8397101, 0xc08deb3, 0xb4d89ce4, 0x566490c1, + 0xcb7b6184, 0x32d570b6, 0x6c48745c, 0xb8d04257, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t U3[256] = { + 0x5150a7f4, 0x7e536541, 0x1ac3a417, 0x3a965e27, + 0x3bcb6bab, 0x1ff1459d, 0xacab58fa, 0x4b9303e3, + 0x2055fa30, 0xadf66d76, 0x889176cc, 0xf5254c02, + 0x4ffcd7e5, 0xc5d7cb2a, 0x26804435, 0xb58fa362, + 0xde495ab1, 0x25671bba, 0x45980eea, 0x5de1c0fe, + 0xc302752f, 0x8112f04c, 0x8da39746, 0x6bc6f9d3, + 0x3e75f8f, 0x15959c92, 0xbfeb7a6d, 0x95da5952, + 0xd42d83be, 0x58d32174, 0x492969e0, 0x8e44c8c9, + 0x756a89c2, 0xf478798e, 0x996b3e58, 0x27dd71b9, + 0xbeb64fe1, 0xf017ad88, 0xc966ac20, 0x7db43ace, + 0x63184adf, 0xe582311a, 0x97603351, 0x62457f53, + 0xb1e07764, 0xbb84ae6b, 0xfe1ca081, 0xf9942b08, + 0x70586848, 0x8f19fd45, 0x94876cde, 0x52b7f87b, + 0xab23d373, 0x72e2024b, 0xe3578f1f, 0x662aab55, + 0xb20728eb, 0x2f03c2b5, 0x869a7bc5, 0xd3a50837, + 0x30f28728, 0x23b2a5bf, 0x2ba6a03, 0xed5c8216, + 0x8a2b1ccf, 0xa792b479, 0xf3f0f207, 0x4ea1e269, + 0x65cdf4da, 0x6d5be05, 0xd11f6234, 0xc48afea6, + 0x349d532e, 0xa2a055f3, 0x532e18a, 0xa475ebf6, + 0xb39ec83, 0x40aaef60, 0x5e069f71, 0xbd51106e, + 0x3ef98a21, 0x963d06dd, 0xddae053e, 0x4d46bde6, + 0x91b58d54, 0x71055dc4, 0x46fd406, 0x60ff1550, + 0x1924fb98, 0xd697e9bd, 0x89cc4340, 0x67779ed9, + 0xb0bd42e8, 0x7888b89, 0xe7385b19, 0x79dbeec8, + 0xa1470a7c, 0x7ce90f42, 0xf8c91e84, 0x0, + 0x9838680, 0x3248ed2b, 0x1eac7011, 0x6c4e725a, + 0xfdfbff0e, 0xf563885, 0x3d1ed5ae, 0x3627392d, + 0xa64d90f, 0x6821a65c, 0x9bd1545b, 0x243a2e36, + 0xcb1670a, 0x930fe757, 0xb4d296ee, 0x1b9e919b, + 0x804fc5c0, 0x61a220dc, 0x5a694b77, 0x1c161a12, + 0xe20aba93, 0xc0e52aa0, 0x3c43e022, 0x121d171b, + 0xe0b0d09, 0xf2adc78b, 0x2db9a8b6, 0x14c8a91e, + 0x578519f1, 0xaf4c0775, 0xeebbdd99, 0xa3fd607f, + 0xf79f2601, 0x5cbcf572, 0x44c53b66, 0x5b347efb, + 0x8b762943, 0xcbdcc623, 0xb668fced, 0xb863f1e4, + 0xd7cadc31, 0x42108563, 0x13402297, 0x842011c6, + 0x857d244a, 0xd2f83dbb, 0xae1132f9, 0xc76da129, + 0x1d4b2f9e, 0xdcf330b2, 0xdec5286, 0x77d0e3c1, + 0x2b6c16b3, 0xa999b970, 0x11fa4894, 0x472264e9, + 0xa8c48cfc, 0xa01a3ff0, 0x56d82c7d, 0x22ef9033, + 0x87c74e49, 0xd9c1d138, 0x8cfea2ca, 0x98360bd4, + 0xa6cf81f5, 0xa528de7a, 0xda268eb7, 0x3fa4bfad, + 0x2ce49d3a, 0x500d9278, 0x6a9bcc5f, 0x5462467e, + 0xf6c2138d, 0x90e8b8d8, 0x2e5ef739, 0x82f5afc3, + 0x9fbe805d, 0x697c93d0, 0x6fa92dd5, 0xcfb31225, + 0xc83b99ac, 0x10a77d18, 0xe86e639c, 0xdb7bbb3b, + 0xcd097826, 0x6ef41859, 0xec01b79a, 0x83a89a4f, + 0xe6656e95, 0xaa7ee6ff, 0x2108cfbc, 0xefe6e815, + 0xbad99be7, 0x4ace366f, 0xead4099f, 0x29d67cb0, + 0x31afb2a4, 0x2a31233f, 0xc63094a5, 0x35c066a2, + 0x7437bc4e, 0xfca6ca82, 0xe0b0d090, 0x3315d8a7, + 0xf14a9804, 0x41f7daec, 0x7f0e50cd, 0x172ff691, + 0x768dd64d, 0x434db0ef, 0xcc544daa, 0xe4df0496, + 0x9ee3b5d1, 0x4c1b886a, 0xc1b81f2c, 0x467f5165, + 0x9d04ea5e, 0x15d358c, 0xfa737487, 0xfb2e410b, + 0xb35a1d67, 0x9252d2db, 0xe9335610, 0x6d1347d6, + 0x9a8c61d7, 0x377a0ca1, 0x598e14f8, 0xeb893c13, + 0xceee27a9, 0xb735c961, 0xe1ede51c, 0x7a3cb147, + 0x9c59dfd2, 0x553f73f2, 0x1879ce14, 0x73bf37c7, + 0x53eacdf7, 0x5f5baafd, 0xdf146f3d, 0x7886db44, + 0xca81f3af, 0xb93ec468, 0x382c3424, 0xc25f40a3, + 0x1672c31d, 0xbc0c25e2, 0x288b493c, 0xff41950d, + 0x397101a8, 0x8deb30c, 0xd89ce4b4, 0x6490c156, + 0x7b6184cb, 0xd570b632, 0x48745c6c, 0xd04257b8, +}; +/* clang-format on */ + +#else /* assume big endian */ +/* clang-format off */ +static const uint32_t T0[256] = { + 0xc66363a5, 0xf87c7c84, 0xee777799, 0xf67b7b8d, + 0xfff2f20d, 0xd66b6bbd, 0xde6f6fb1, 0x91c5c554, + 0x60303050, 0x2010103, 0xce6767a9, 0x562b2b7d, + 0xe7fefe19, 0xb5d7d762, 0x4dababe6, 0xec76769a, + 0x8fcaca45, 0x1f82829d, 0x89c9c940, 0xfa7d7d87, + 0xeffafa15, 0xb25959eb, 0x8e4747c9, 0xfbf0f00b, + 0x41adadec, 0xb3d4d467, 0x5fa2a2fd, 0x45afafea, + 0x239c9cbf, 0x53a4a4f7, 0xe4727296, 0x9bc0c05b, + 0x75b7b7c2, 0xe1fdfd1c, 0x3d9393ae, 0x4c26266a, + 0x6c36365a, 0x7e3f3f41, 0xf5f7f702, 0x83cccc4f, + 0x6834345c, 0x51a5a5f4, 0xd1e5e534, 0xf9f1f108, + 0xe2717193, 0xabd8d873, 0x62313153, 0x2a15153f, + 0x804040c, 0x95c7c752, 0x46232365, 0x9dc3c35e, + 0x30181828, 0x379696a1, 0xa05050f, 0x2f9a9ab5, + 0xe070709, 0x24121236, 0x1b80809b, 0xdfe2e23d, + 0xcdebeb26, 0x4e272769, 0x7fb2b2cd, 0xea75759f, + 0x1209091b, 0x1d83839e, 0x582c2c74, 0x341a1a2e, + 0x361b1b2d, 0xdc6e6eb2, 0xb45a5aee, 0x5ba0a0fb, + 0xa45252f6, 0x763b3b4d, 0xb7d6d661, 0x7db3b3ce, + 0x5229297b, 0xdde3e33e, 0x5e2f2f71, 0x13848497, + 0xa65353f5, 0xb9d1d168, 0x0, 0xc1eded2c, + 0x40202060, 0xe3fcfc1f, 0x79b1b1c8, 0xb65b5bed, + 0xd46a6abe, 0x8dcbcb46, 0x67bebed9, 0x7239394b, + 0x944a4ade, 0x984c4cd4, 0xb05858e8, 0x85cfcf4a, + 0xbbd0d06b, 0xc5efef2a, 0x4faaaae5, 0xedfbfb16, + 0x864343c5, 0x9a4d4dd7, 0x66333355, 0x11858594, + 0x8a4545cf, 0xe9f9f910, 0x4020206, 0xfe7f7f81, + 0xa05050f0, 0x783c3c44, 0x259f9fba, 0x4ba8a8e3, + 0xa25151f3, 0x5da3a3fe, 0x804040c0, 0x58f8f8a, + 0x3f9292ad, 0x219d9dbc, 0x70383848, 0xf1f5f504, + 0x63bcbcdf, 0x77b6b6c1, 0xafdada75, 0x42212163, + 0x20101030, 0xe5ffff1a, 0xfdf3f30e, 0xbfd2d26d, + 0x81cdcd4c, 0x180c0c14, 0x26131335, 0xc3ecec2f, + 0xbe5f5fe1, 0x359797a2, 0x884444cc, 0x2e171739, + 0x93c4c457, 0x55a7a7f2, 0xfc7e7e82, 0x7a3d3d47, + 0xc86464ac, 0xba5d5de7, 0x3219192b, 0xe6737395, + 0xc06060a0, 0x19818198, 0x9e4f4fd1, 0xa3dcdc7f, + 0x44222266, 0x542a2a7e, 0x3b9090ab, 0xb888883, + 0x8c4646ca, 0xc7eeee29, 0x6bb8b8d3, 0x2814143c, + 0xa7dede79, 0xbc5e5ee2, 0x160b0b1d, 0xaddbdb76, + 0xdbe0e03b, 0x64323256, 0x743a3a4e, 0x140a0a1e, + 0x924949db, 0xc06060a, 0x4824246c, 0xb85c5ce4, + 0x9fc2c25d, 0xbdd3d36e, 0x43acacef, 0xc46262a6, + 0x399191a8, 0x319595a4, 0xd3e4e437, 0xf279798b, + 0xd5e7e732, 0x8bc8c843, 0x6e373759, 0xda6d6db7, + 0x18d8d8c, 0xb1d5d564, 0x9c4e4ed2, 0x49a9a9e0, + 0xd86c6cb4, 0xac5656fa, 0xf3f4f407, 0xcfeaea25, + 0xca6565af, 0xf47a7a8e, 0x47aeaee9, 0x10080818, + 0x6fbabad5, 0xf0787888, 0x4a25256f, 0x5c2e2e72, + 0x381c1c24, 0x57a6a6f1, 0x73b4b4c7, 0x97c6c651, + 0xcbe8e823, 0xa1dddd7c, 0xe874749c, 0x3e1f1f21, + 0x964b4bdd, 0x61bdbddc, 0xd8b8b86, 0xf8a8a85, + 0xe0707090, 0x7c3e3e42, 0x71b5b5c4, 0xcc6666aa, + 0x904848d8, 0x6030305, 0xf7f6f601, 0x1c0e0e12, + 0xc26161a3, 0x6a35355f, 0xae5757f9, 0x69b9b9d0, + 0x17868691, 0x99c1c158, 0x3a1d1d27, 0x279e9eb9, + 0xd9e1e138, 0xebf8f813, 0x2b9898b3, 0x22111133, + 0xd26969bb, 0xa9d9d970, 0x78e8e89, 0x339494a7, + 0x2d9b9bb6, 0x3c1e1e22, 0x15878792, 0xc9e9e920, + 0x87cece49, 0xaa5555ff, 0x50282878, 0xa5dfdf7a, + 0x38c8c8f, 0x59a1a1f8, 0x9898980, 0x1a0d0d17, + 0x65bfbfda, 0xd7e6e631, 0x844242c6, 0xd06868b8, + 0x824141c3, 0x299999b0, 0x5a2d2d77, 0x1e0f0f11, + 0x7bb0b0cb, 0xa85454fc, 0x6dbbbbd6, 0x2c16163a, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t T1[256] = { + 0xa5c66363, 0x84f87c7c, 0x99ee7777, 0x8df67b7b, + 0xdfff2f2, 0xbdd66b6b, 0xb1de6f6f, 0x5491c5c5, + 0x50603030, 0x3020101, 0xa9ce6767, 0x7d562b2b, + 0x19e7fefe, 0x62b5d7d7, 0xe64dabab, 0x9aec7676, + 0x458fcaca, 0x9d1f8282, 0x4089c9c9, 0x87fa7d7d, + 0x15effafa, 0xebb25959, 0xc98e4747, 0xbfbf0f0, + 0xec41adad, 0x67b3d4d4, 0xfd5fa2a2, 0xea45afaf, + 0xbf239c9c, 0xf753a4a4, 0x96e47272, 0x5b9bc0c0, + 0xc275b7b7, 0x1ce1fdfd, 0xae3d9393, 0x6a4c2626, + 0x5a6c3636, 0x417e3f3f, 0x2f5f7f7, 0x4f83cccc, + 0x5c683434, 0xf451a5a5, 0x34d1e5e5, 0x8f9f1f1, + 0x93e27171, 0x73abd8d8, 0x53623131, 0x3f2a1515, + 0xc080404, 0x5295c7c7, 0x65462323, 0x5e9dc3c3, + 0x28301818, 0xa1379696, 0xf0a0505, 0xb52f9a9a, + 0x90e0707, 0x36241212, 0x9b1b8080, 0x3ddfe2e2, + 0x26cdebeb, 0x694e2727, 0xcd7fb2b2, 0x9fea7575, + 0x1b120909, 0x9e1d8383, 0x74582c2c, 0x2e341a1a, + 0x2d361b1b, 0xb2dc6e6e, 0xeeb45a5a, 0xfb5ba0a0, + 0xf6a45252, 0x4d763b3b, 0x61b7d6d6, 0xce7db3b3, + 0x7b522929, 0x3edde3e3, 0x715e2f2f, 0x97138484, + 0xf5a65353, 0x68b9d1d1, 0x0, 0x2cc1eded, + 0x60402020, 0x1fe3fcfc, 0xc879b1b1, 0xedb65b5b, + 0xbed46a6a, 0x468dcbcb, 0xd967bebe, 0x4b723939, + 0xde944a4a, 0xd4984c4c, 0xe8b05858, 0x4a85cfcf, + 0x6bbbd0d0, 0x2ac5efef, 0xe54faaaa, 0x16edfbfb, + 0xc5864343, 0xd79a4d4d, 0x55663333, 0x94118585, + 0xcf8a4545, 0x10e9f9f9, 0x6040202, 0x81fe7f7f, + 0xf0a05050, 0x44783c3c, 0xba259f9f, 0xe34ba8a8, + 0xf3a25151, 0xfe5da3a3, 0xc0804040, 0x8a058f8f, + 0xad3f9292, 0xbc219d9d, 0x48703838, 0x4f1f5f5, + 0xdf63bcbc, 0xc177b6b6, 0x75afdada, 0x63422121, + 0x30201010, 0x1ae5ffff, 0xefdf3f3, 0x6dbfd2d2, + 0x4c81cdcd, 0x14180c0c, 0x35261313, 0x2fc3ecec, + 0xe1be5f5f, 0xa2359797, 0xcc884444, 0x392e1717, + 0x5793c4c4, 0xf255a7a7, 0x82fc7e7e, 0x477a3d3d, + 0xacc86464, 0xe7ba5d5d, 0x2b321919, 0x95e67373, + 0xa0c06060, 0x98198181, 0xd19e4f4f, 0x7fa3dcdc, + 0x66442222, 0x7e542a2a, 0xab3b9090, 0x830b8888, + 0xca8c4646, 0x29c7eeee, 0xd36bb8b8, 0x3c281414, + 0x79a7dede, 0xe2bc5e5e, 0x1d160b0b, 0x76addbdb, + 0x3bdbe0e0, 0x56643232, 0x4e743a3a, 0x1e140a0a, + 0xdb924949, 0xa0c0606, 0x6c482424, 0xe4b85c5c, + 0x5d9fc2c2, 0x6ebdd3d3, 0xef43acac, 0xa6c46262, + 0xa8399191, 0xa4319595, 0x37d3e4e4, 0x8bf27979, + 0x32d5e7e7, 0x438bc8c8, 0x596e3737, 0xb7da6d6d, + 0x8c018d8d, 0x64b1d5d5, 0xd29c4e4e, 0xe049a9a9, + 0xb4d86c6c, 0xfaac5656, 0x7f3f4f4, 0x25cfeaea, + 0xafca6565, 0x8ef47a7a, 0xe947aeae, 0x18100808, + 0xd56fbaba, 0x88f07878, 0x6f4a2525, 0x725c2e2e, + 0x24381c1c, 0xf157a6a6, 0xc773b4b4, 0x5197c6c6, + 0x23cbe8e8, 0x7ca1dddd, 0x9ce87474, 0x213e1f1f, + 0xdd964b4b, 0xdc61bdbd, 0x860d8b8b, 0x850f8a8a, + 0x90e07070, 0x427c3e3e, 0xc471b5b5, 0xaacc6666, + 0xd8904848, 0x5060303, 0x1f7f6f6, 0x121c0e0e, + 0xa3c26161, 0x5f6a3535, 0xf9ae5757, 0xd069b9b9, + 0x91178686, 0x5899c1c1, 0x273a1d1d, 0xb9279e9e, + 0x38d9e1e1, 0x13ebf8f8, 0xb32b9898, 0x33221111, + 0xbbd26969, 0x70a9d9d9, 0x89078e8e, 0xa7339494, + 0xb62d9b9b, 0x223c1e1e, 0x92158787, 0x20c9e9e9, + 0x4987cece, 0xffaa5555, 0x78502828, 0x7aa5dfdf, + 0x8f038c8c, 0xf859a1a1, 0x80098989, 0x171a0d0d, + 0xda65bfbf, 0x31d7e6e6, 0xc6844242, 0xb8d06868, + 0xc3824141, 0xb0299999, 0x775a2d2d, 0x111e0f0f, + 0xcb7bb0b0, 0xfca85454, 0xd66dbbbb, 0x3a2c1616, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t T2[256] = { + 0x63a5c663, 0x7c84f87c, 0x7799ee77, 0x7b8df67b, + 0xf20dfff2, 0x6bbdd66b, 0x6fb1de6f, 0xc55491c5, + 0x30506030, 0x1030201, 0x67a9ce67, 0x2b7d562b, + 0xfe19e7fe, 0xd762b5d7, 0xabe64dab, 0x769aec76, + 0xca458fca, 0x829d1f82, 0xc94089c9, 0x7d87fa7d, + 0xfa15effa, 0x59ebb259, 0x47c98e47, 0xf00bfbf0, + 0xadec41ad, 0xd467b3d4, 0xa2fd5fa2, 0xafea45af, + 0x9cbf239c, 0xa4f753a4, 0x7296e472, 0xc05b9bc0, + 0xb7c275b7, 0xfd1ce1fd, 0x93ae3d93, 0x266a4c26, + 0x365a6c36, 0x3f417e3f, 0xf702f5f7, 0xcc4f83cc, + 0x345c6834, 0xa5f451a5, 0xe534d1e5, 0xf108f9f1, + 0x7193e271, 0xd873abd8, 0x31536231, 0x153f2a15, + 0x40c0804, 0xc75295c7, 0x23654623, 0xc35e9dc3, + 0x18283018, 0x96a13796, 0x50f0a05, 0x9ab52f9a, + 0x7090e07, 0x12362412, 0x809b1b80, 0xe23ddfe2, + 0xeb26cdeb, 0x27694e27, 0xb2cd7fb2, 0x759fea75, + 0x91b1209, 0x839e1d83, 0x2c74582c, 0x1a2e341a, + 0x1b2d361b, 0x6eb2dc6e, 0x5aeeb45a, 0xa0fb5ba0, + 0x52f6a452, 0x3b4d763b, 0xd661b7d6, 0xb3ce7db3, + 0x297b5229, 0xe33edde3, 0x2f715e2f, 0x84971384, + 0x53f5a653, 0xd168b9d1, 0x0, 0xed2cc1ed, + 0x20604020, 0xfc1fe3fc, 0xb1c879b1, 0x5bedb65b, + 0x6abed46a, 0xcb468dcb, 0xbed967be, 0x394b7239, + 0x4ade944a, 0x4cd4984c, 0x58e8b058, 0xcf4a85cf, + 0xd06bbbd0, 0xef2ac5ef, 0xaae54faa, 0xfb16edfb, + 0x43c58643, 0x4dd79a4d, 0x33556633, 0x85941185, + 0x45cf8a45, 0xf910e9f9, 0x2060402, 0x7f81fe7f, + 0x50f0a050, 0x3c44783c, 0x9fba259f, 0xa8e34ba8, + 0x51f3a251, 0xa3fe5da3, 0x40c08040, 0x8f8a058f, + 0x92ad3f92, 0x9dbc219d, 0x38487038, 0xf504f1f5, + 0xbcdf63bc, 0xb6c177b6, 0xda75afda, 0x21634221, + 0x10302010, 0xff1ae5ff, 0xf30efdf3, 0xd26dbfd2, + 0xcd4c81cd, 0xc14180c, 0x13352613, 0xec2fc3ec, + 0x5fe1be5f, 0x97a23597, 0x44cc8844, 0x17392e17, + 0xc45793c4, 0xa7f255a7, 0x7e82fc7e, 0x3d477a3d, + 0x64acc864, 0x5de7ba5d, 0x192b3219, 0x7395e673, + 0x60a0c060, 0x81981981, 0x4fd19e4f, 0xdc7fa3dc, + 0x22664422, 0x2a7e542a, 0x90ab3b90, 0x88830b88, + 0x46ca8c46, 0xee29c7ee, 0xb8d36bb8, 0x143c2814, + 0xde79a7de, 0x5ee2bc5e, 0xb1d160b, 0xdb76addb, + 0xe03bdbe0, 0x32566432, 0x3a4e743a, 0xa1e140a, + 0x49db9249, 0x60a0c06, 0x246c4824, 0x5ce4b85c, + 0xc25d9fc2, 0xd36ebdd3, 0xacef43ac, 0x62a6c462, + 0x91a83991, 0x95a43195, 0xe437d3e4, 0x798bf279, + 0xe732d5e7, 0xc8438bc8, 0x37596e37, 0x6db7da6d, + 0x8d8c018d, 0xd564b1d5, 0x4ed29c4e, 0xa9e049a9, + 0x6cb4d86c, 0x56faac56, 0xf407f3f4, 0xea25cfea, + 0x65afca65, 0x7a8ef47a, 0xaee947ae, 0x8181008, + 0xbad56fba, 0x7888f078, 0x256f4a25, 0x2e725c2e, + 0x1c24381c, 0xa6f157a6, 0xb4c773b4, 0xc65197c6, + 0xe823cbe8, 0xdd7ca1dd, 0x749ce874, 0x1f213e1f, + 0x4bdd964b, 0xbddc61bd, 0x8b860d8b, 0x8a850f8a, + 0x7090e070, 0x3e427c3e, 0xb5c471b5, 0x66aacc66, + 0x48d89048, 0x3050603, 0xf601f7f6, 0xe121c0e, + 0x61a3c261, 0x355f6a35, 0x57f9ae57, 0xb9d069b9, + 0x86911786, 0xc15899c1, 0x1d273a1d, 0x9eb9279e, + 0xe138d9e1, 0xf813ebf8, 0x98b32b98, 0x11332211, + 0x69bbd269, 0xd970a9d9, 0x8e89078e, 0x94a73394, + 0x9bb62d9b, 0x1e223c1e, 0x87921587, 0xe920c9e9, + 0xce4987ce, 0x55ffaa55, 0x28785028, 0xdf7aa5df, + 0x8c8f038c, 0xa1f859a1, 0x89800989, 0xd171a0d, + 0xbfda65bf, 0xe631d7e6, 0x42c68442, 0x68b8d068, + 0x41c38241, 0x99b02999, 0x2d775a2d, 0xf111e0f, + 0xb0cb7bb0, 0x54fca854, 0xbbd66dbb, 0x163a2c16, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t T3[256] = { + 0x6363a5c6, 0x7c7c84f8, 0x777799ee, 0x7b7b8df6, + 0xf2f20dff, 0x6b6bbdd6, 0x6f6fb1de, 0xc5c55491, + 0x30305060, 0x1010302, 0x6767a9ce, 0x2b2b7d56, + 0xfefe19e7, 0xd7d762b5, 0xababe64d, 0x76769aec, + 0xcaca458f, 0x82829d1f, 0xc9c94089, 0x7d7d87fa, + 0xfafa15ef, 0x5959ebb2, 0x4747c98e, 0xf0f00bfb, + 0xadadec41, 0xd4d467b3, 0xa2a2fd5f, 0xafafea45, + 0x9c9cbf23, 0xa4a4f753, 0x727296e4, 0xc0c05b9b, + 0xb7b7c275, 0xfdfd1ce1, 0x9393ae3d, 0x26266a4c, + 0x36365a6c, 0x3f3f417e, 0xf7f702f5, 0xcccc4f83, + 0x34345c68, 0xa5a5f451, 0xe5e534d1, 0xf1f108f9, + 0x717193e2, 0xd8d873ab, 0x31315362, 0x15153f2a, + 0x4040c08, 0xc7c75295, 0x23236546, 0xc3c35e9d, + 0x18182830, 0x9696a137, 0x5050f0a, 0x9a9ab52f, + 0x707090e, 0x12123624, 0x80809b1b, 0xe2e23ddf, + 0xebeb26cd, 0x2727694e, 0xb2b2cd7f, 0x75759fea, + 0x9091b12, 0x83839e1d, 0x2c2c7458, 0x1a1a2e34, + 0x1b1b2d36, 0x6e6eb2dc, 0x5a5aeeb4, 0xa0a0fb5b, + 0x5252f6a4, 0x3b3b4d76, 0xd6d661b7, 0xb3b3ce7d, + 0x29297b52, 0xe3e33edd, 0x2f2f715e, 0x84849713, + 0x5353f5a6, 0xd1d168b9, 0x0, 0xeded2cc1, + 0x20206040, 0xfcfc1fe3, 0xb1b1c879, 0x5b5bedb6, + 0x6a6abed4, 0xcbcb468d, 0xbebed967, 0x39394b72, + 0x4a4ade94, 0x4c4cd498, 0x5858e8b0, 0xcfcf4a85, + 0xd0d06bbb, 0xefef2ac5, 0xaaaae54f, 0xfbfb16ed, + 0x4343c586, 0x4d4dd79a, 0x33335566, 0x85859411, + 0x4545cf8a, 0xf9f910e9, 0x2020604, 0x7f7f81fe, + 0x5050f0a0, 0x3c3c4478, 0x9f9fba25, 0xa8a8e34b, + 0x5151f3a2, 0xa3a3fe5d, 0x4040c080, 0x8f8f8a05, + 0x9292ad3f, 0x9d9dbc21, 0x38384870, 0xf5f504f1, + 0xbcbcdf63, 0xb6b6c177, 0xdada75af, 0x21216342, + 0x10103020, 0xffff1ae5, 0xf3f30efd, 0xd2d26dbf, + 0xcdcd4c81, 0xc0c1418, 0x13133526, 0xecec2fc3, + 0x5f5fe1be, 0x9797a235, 0x4444cc88, 0x1717392e, + 0xc4c45793, 0xa7a7f255, 0x7e7e82fc, 0x3d3d477a, + 0x6464acc8, 0x5d5de7ba, 0x19192b32, 0x737395e6, + 0x6060a0c0, 0x81819819, 0x4f4fd19e, 0xdcdc7fa3, + 0x22226644, 0x2a2a7e54, 0x9090ab3b, 0x8888830b, + 0x4646ca8c, 0xeeee29c7, 0xb8b8d36b, 0x14143c28, + 0xdede79a7, 0x5e5ee2bc, 0xb0b1d16, 0xdbdb76ad, + 0xe0e03bdb, 0x32325664, 0x3a3a4e74, 0xa0a1e14, + 0x4949db92, 0x6060a0c, 0x24246c48, 0x5c5ce4b8, + 0xc2c25d9f, 0xd3d36ebd, 0xacacef43, 0x6262a6c4, + 0x9191a839, 0x9595a431, 0xe4e437d3, 0x79798bf2, + 0xe7e732d5, 0xc8c8438b, 0x3737596e, 0x6d6db7da, + 0x8d8d8c01, 0xd5d564b1, 0x4e4ed29c, 0xa9a9e049, + 0x6c6cb4d8, 0x5656faac, 0xf4f407f3, 0xeaea25cf, + 0x6565afca, 0x7a7a8ef4, 0xaeaee947, 0x8081810, + 0xbabad56f, 0x787888f0, 0x25256f4a, 0x2e2e725c, + 0x1c1c2438, 0xa6a6f157, 0xb4b4c773, 0xc6c65197, + 0xe8e823cb, 0xdddd7ca1, 0x74749ce8, 0x1f1f213e, + 0x4b4bdd96, 0xbdbddc61, 0x8b8b860d, 0x8a8a850f, + 0x707090e0, 0x3e3e427c, 0xb5b5c471, 0x6666aacc, + 0x4848d890, 0x3030506, 0xf6f601f7, 0xe0e121c, + 0x6161a3c2, 0x35355f6a, 0x5757f9ae, 0xb9b9d069, + 0x86869117, 0xc1c15899, 0x1d1d273a, 0x9e9eb927, + 0xe1e138d9, 0xf8f813eb, 0x9898b32b, 0x11113322, + 0x6969bbd2, 0xd9d970a9, 0x8e8e8907, 0x9494a733, + 0x9b9bb62d, 0x1e1e223c, 0x87879215, 0xe9e920c9, + 0xcece4987, 0x5555ffaa, 0x28287850, 0xdfdf7aa5, + 0x8c8c8f03, 0xa1a1f859, 0x89898009, 0xd0d171a, + 0xbfbfda65, 0xe6e631d7, 0x4242c684, 0x6868b8d0, + 0x4141c382, 0x9999b029, 0x2d2d775a, 0xf0f111e, + 0xb0b0cb7b, 0x5454fca8, 0xbbbbd66d, 0x16163a2c, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t U0[256] = { + 0x51f4a750, 0x7e416553, 0x1a17a4c3, 0x3a275e96, + 0x3bab6bcb, 0x1f9d45f1, 0xacfa58ab, 0x4be30393, + 0x2030fa55, 0xad766df6, 0x88cc7691, 0xf5024c25, + 0x4fe5d7fc, 0xc52acbd7, 0x26354480, 0xb562a38f, + 0xdeb15a49, 0x25ba1b67, 0x45ea0e98, 0x5dfec0e1, + 0xc32f7502, 0x814cf012, 0x8d4697a3, 0x6bd3f9c6, + 0x38f5fe7, 0x15929c95, 0xbf6d7aeb, 0x955259da, + 0xd4be832d, 0x587421d3, 0x49e06929, 0x8ec9c844, + 0x75c2896a, 0xf48e7978, 0x99583e6b, 0x27b971dd, + 0xbee14fb6, 0xf088ad17, 0xc920ac66, 0x7dce3ab4, + 0x63df4a18, 0xe51a3182, 0x97513360, 0x62537f45, + 0xb16477e0, 0xbb6bae84, 0xfe81a01c, 0xf9082b94, + 0x70486858, 0x8f45fd19, 0x94de6c87, 0x527bf8b7, + 0xab73d323, 0x724b02e2, 0xe31f8f57, 0x6655ab2a, + 0xb2eb2807, 0x2fb5c203, 0x86c57b9a, 0xd33708a5, + 0x302887f2, 0x23bfa5b2, 0x2036aba, 0xed16825c, + 0x8acf1c2b, 0xa779b492, 0xf307f2f0, 0x4e69e2a1, + 0x65daf4cd, 0x605bed5, 0xd134621f, 0xc4a6fe8a, + 0x342e539d, 0xa2f355a0, 0x58ae132, 0xa4f6eb75, + 0xb83ec39, 0x4060efaa, 0x5e719f06, 0xbd6e1051, + 0x3e218af9, 0x96dd063d, 0xdd3e05ae, 0x4de6bd46, + 0x91548db5, 0x71c45d05, 0x406d46f, 0x605015ff, + 0x1998fb24, 0xd6bde997, 0x894043cc, 0x67d99e77, + 0xb0e842bd, 0x7898b88, 0xe7195b38, 0x79c8eedb, + 0xa17c0a47, 0x7c420fe9, 0xf8841ec9, 0x0, + 0x9808683, 0x322bed48, 0x1e1170ac, 0x6c5a724e, + 0xfd0efffb, 0xf853856, 0x3daed51e, 0x362d3927, + 0xa0fd964, 0x685ca621, 0x9b5b54d1, 0x24362e3a, + 0xc0a67b1, 0x9357e70f, 0xb4ee96d2, 0x1b9b919e, + 0x80c0c54f, 0x61dc20a2, 0x5a774b69, 0x1c121a16, + 0xe293ba0a, 0xc0a02ae5, 0x3c22e043, 0x121b171d, + 0xe090d0b, 0xf28bc7ad, 0x2db6a8b9, 0x141ea9c8, + 0x57f11985, 0xaf75074c, 0xee99ddbb, 0xa37f60fd, + 0xf701269f, 0x5c72f5bc, 0x44663bc5, 0x5bfb7e34, + 0x8b432976, 0xcb23c6dc, 0xb6edfc68, 0xb8e4f163, + 0xd731dcca, 0x42638510, 0x13972240, 0x84c61120, + 0x854a247d, 0xd2bb3df8, 0xaef93211, 0xc729a16d, + 0x1d9e2f4b, 0xdcb230f3, 0xd8652ec, 0x77c1e3d0, + 0x2bb3166c, 0xa970b999, 0x119448fa, 0x47e96422, + 0xa8fc8cc4, 0xa0f03f1a, 0x567d2cd8, 0x223390ef, + 0x87494ec7, 0xd938d1c1, 0x8ccaa2fe, 0x98d40b36, + 0xa6f581cf, 0xa57ade28, 0xdab78e26, 0x3fadbfa4, + 0x2c3a9de4, 0x5078920d, 0x6a5fcc9b, 0x547e4662, + 0xf68d13c2, 0x90d8b8e8, 0x2e39f75e, 0x82c3aff5, + 0x9f5d80be, 0x69d0937c, 0x6fd52da9, 0xcf2512b3, + 0xc8ac993b, 0x10187da7, 0xe89c636e, 0xdb3bbb7b, + 0xcd267809, 0x6e5918f4, 0xec9ab701, 0x834f9aa8, + 0xe6956e65, 0xaaffe67e, 0x21bccf08, 0xef15e8e6, + 0xbae79bd9, 0x4a6f36ce, 0xea9f09d4, 0x29b07cd6, + 0x31a4b2af, 0x2a3f2331, 0xc6a59430, 0x35a266c0, + 0x744ebc37, 0xfc82caa6, 0xe090d0b0, 0x33a7d815, + 0xf104984a, 0x41ecdaf7, 0x7fcd500e, 0x1791f62f, + 0x764dd68d, 0x43efb04d, 0xccaa4d54, 0xe49604df, + 0x9ed1b5e3, 0x4c6a881b, 0xc12c1fb8, 0x4665517f, + 0x9d5eea04, 0x18c355d, 0xfa877473, 0xfb0b412e, + 0xb3671d5a, 0x92dbd252, 0xe9105633, 0x6dd64713, + 0x9ad7618c, 0x37a10c7a, 0x59f8148e, 0xeb133c89, + 0xcea927ee, 0xb761c935, 0xe11ce5ed, 0x7a47b13c, + 0x9cd2df59, 0x55f2733f, 0x1814ce79, 0x73c737bf, + 0x53f7cdea, 0x5ffdaa5b, 0xdf3d6f14, 0x7844db86, + 0xcaaff381, 0xb968c43e, 0x3824342c, 0xc2a3405f, + 0x161dc372, 0xbce2250c, 0x283c498b, 0xff0d9541, + 0x39a80171, 0x80cb3de, 0xd8b4e49c, 0x6456c190, + 0x7bcb8461, 0xd532b670, 0x486c5c74, 0xd0b85742 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t U1[256] = { + 0x5051f4a7, 0x537e4165, 0xc31a17a4, 0x963a275e, + 0xcb3bab6b, 0xf11f9d45, 0xabacfa58, 0x934be303, + 0x552030fa, 0xf6ad766d, 0x9188cc76, 0x25f5024c, + 0xfc4fe5d7, 0xd7c52acb, 0x80263544, 0x8fb562a3, + 0x49deb15a, 0x6725ba1b, 0x9845ea0e, 0xe15dfec0, + 0x2c32f75, 0x12814cf0, 0xa38d4697, 0xc66bd3f9, + 0xe7038f5f, 0x9515929c, 0xebbf6d7a, 0xda955259, + 0x2dd4be83, 0xd3587421, 0x2949e069, 0x448ec9c8, + 0x6a75c289, 0x78f48e79, 0x6b99583e, 0xdd27b971, + 0xb6bee14f, 0x17f088ad, 0x66c920ac, 0xb47dce3a, + 0x1863df4a, 0x82e51a31, 0x60975133, 0x4562537f, + 0xe0b16477, 0x84bb6bae, 0x1cfe81a0, 0x94f9082b, + 0x58704868, 0x198f45fd, 0x8794de6c, 0xb7527bf8, + 0x23ab73d3, 0xe2724b02, 0x57e31f8f, 0x2a6655ab, + 0x7b2eb28, 0x32fb5c2, 0x9a86c57b, 0xa5d33708, + 0xf2302887, 0xb223bfa5, 0xba02036a, 0x5ced1682, + 0x2b8acf1c, 0x92a779b4, 0xf0f307f2, 0xa14e69e2, + 0xcd65daf4, 0xd50605be, 0x1fd13462, 0x8ac4a6fe, + 0x9d342e53, 0xa0a2f355, 0x32058ae1, 0x75a4f6eb, + 0x390b83ec, 0xaa4060ef, 0x65e719f, 0x51bd6e10, + 0xf93e218a, 0x3d96dd06, 0xaedd3e05, 0x464de6bd, + 0xb591548d, 0x571c45d, 0x6f0406d4, 0xff605015, + 0x241998fb, 0x97d6bde9, 0xcc894043, 0x7767d99e, + 0xbdb0e842, 0x8807898b, 0x38e7195b, 0xdb79c8ee, + 0x47a17c0a, 0xe97c420f, 0xc9f8841e, 0x0, + 0x83098086, 0x48322bed, 0xac1e1170, 0x4e6c5a72, + 0xfbfd0eff, 0x560f8538, 0x1e3daed5, 0x27362d39, + 0x640a0fd9, 0x21685ca6, 0xd19b5b54, 0x3a24362e, + 0xb10c0a67, 0xf9357e7, 0xd2b4ee96, 0x9e1b9b91, + 0x4f80c0c5, 0xa261dc20, 0x695a774b, 0x161c121a, + 0xae293ba, 0xe5c0a02a, 0x433c22e0, 0x1d121b17, + 0xb0e090d, 0xadf28bc7, 0xb92db6a8, 0xc8141ea9, + 0x8557f119, 0x4caf7507, 0xbbee99dd, 0xfda37f60, + 0x9ff70126, 0xbc5c72f5, 0xc544663b, 0x345bfb7e, + 0x768b4329, 0xdccb23c6, 0x68b6edfc, 0x63b8e4f1, + 0xcad731dc, 0x10426385, 0x40139722, 0x2084c611, + 0x7d854a24, 0xf8d2bb3d, 0x11aef932, 0x6dc729a1, + 0x4b1d9e2f, 0xf3dcb230, 0xec0d8652, 0xd077c1e3, + 0x6c2bb316, 0x99a970b9, 0xfa119448, 0x2247e964, + 0xc4a8fc8c, 0x1aa0f03f, 0xd8567d2c, 0xef223390, + 0xc787494e, 0xc1d938d1, 0xfe8ccaa2, 0x3698d40b, + 0xcfa6f581, 0x28a57ade, 0x26dab78e, 0xa43fadbf, + 0xe42c3a9d, 0xd507892, 0x9b6a5fcc, 0x62547e46, + 0xc2f68d13, 0xe890d8b8, 0x5e2e39f7, 0xf582c3af, + 0xbe9f5d80, 0x7c69d093, 0xa96fd52d, 0xb3cf2512, + 0x3bc8ac99, 0xa710187d, 0x6ee89c63, 0x7bdb3bbb, + 0x9cd2678, 0xf46e5918, 0x1ec9ab7, 0xa8834f9a, + 0x65e6956e, 0x7eaaffe6, 0x821bccf, 0xe6ef15e8, + 0xd9bae79b, 0xce4a6f36, 0xd4ea9f09, 0xd629b07c, + 0xaf31a4b2, 0x312a3f23, 0x30c6a594, 0xc035a266, + 0x37744ebc, 0xa6fc82ca, 0xb0e090d0, 0x1533a7d8, + 0x4af10498, 0xf741ecda, 0xe7fcd50, 0x2f1791f6, + 0x8d764dd6, 0x4d43efb0, 0x54ccaa4d, 0xdfe49604, + 0xe39ed1b5, 0x1b4c6a88, 0xb8c12c1f, 0x7f466551, + 0x49d5eea, 0x5d018c35, 0x73fa8774, 0x2efb0b41, + 0x5ab3671d, 0x5292dbd2, 0x33e91056, 0x136dd647, + 0x8c9ad761, 0x7a37a10c, 0x8e59f814, 0x89eb133c, + 0xeecea927, 0x35b761c9, 0xede11ce5, 0x3c7a47b1, + 0x599cd2df, 0x3f55f273, 0x791814ce, 0xbf73c737, + 0xea53f7cd, 0x5b5ffdaa, 0x14df3d6f, 0x867844db, + 0x81caaff3, 0x3eb968c4, 0x2c382434, 0x5fc2a340, + 0x72161dc3, 0xcbce225, 0x8b283c49, 0x41ff0d95, + 0x7139a801, 0xde080cb3, 0x9cd8b4e4, 0x906456c1, + 0x617bcb84, 0x70d532b6, 0x74486c5c, 0x42d0b857 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t U2[256] = { + 0xa75051f4, 0x65537e41, 0xa4c31a17, 0x5e963a27, + 0x6bcb3bab, 0x45f11f9d, 0x58abacfa, 0x3934be3, + 0xfa552030, 0x6df6ad76, 0x769188cc, 0x4c25f502, + 0xd7fc4fe5, 0xcbd7c52a, 0x44802635, 0xa38fb562, + 0x5a49deb1, 0x1b6725ba, 0xe9845ea, 0xc0e15dfe, + 0x7502c32f, 0xf012814c, 0x97a38d46, 0xf9c66bd3, + 0x5fe7038f, 0x9c951592, 0x7aebbf6d, 0x59da9552, + 0x832dd4be, 0x21d35874, 0x692949e0, 0xc8448ec9, + 0x896a75c2, 0x7978f48e, 0x3e6b9958, 0x71dd27b9, + 0x4fb6bee1, 0xad17f088, 0xac66c920, 0x3ab47dce, + 0x4a1863df, 0x3182e51a, 0x33609751, 0x7f456253, + 0x77e0b164, 0xae84bb6b, 0xa01cfe81, 0x2b94f908, + 0x68587048, 0xfd198f45, 0x6c8794de, 0xf8b7527b, + 0xd323ab73, 0x2e2724b, 0x8f57e31f, 0xab2a6655, + 0x2807b2eb, 0xc2032fb5, 0x7b9a86c5, 0x8a5d337, + 0x87f23028, 0xa5b223bf, 0x6aba0203, 0x825ced16, + 0x1c2b8acf, 0xb492a779, 0xf2f0f307, 0xe2a14e69, + 0xf4cd65da, 0xbed50605, 0x621fd134, 0xfe8ac4a6, + 0x539d342e, 0x55a0a2f3, 0xe132058a, 0xeb75a4f6, + 0xec390b83, 0xefaa4060, 0x9f065e71, 0x1051bd6e, + 0x8af93e21, 0x63d96dd, 0x5aedd3e, 0xbd464de6, + 0x8db59154, 0x5d0571c4, 0xd46f0406, 0x15ff6050, + 0xfb241998, 0xe997d6bd, 0x43cc8940, 0x9e7767d9, + 0x42bdb0e8, 0x8b880789, 0x5b38e719, 0xeedb79c8, + 0xa47a17c, 0xfe97c42, 0x1ec9f884, 0x0, + 0x86830980, 0xed48322b, 0x70ac1e11, 0x724e6c5a, + 0xfffbfd0e, 0x38560f85, 0xd51e3dae, 0x3927362d, + 0xd9640a0f, 0xa621685c, 0x54d19b5b, 0x2e3a2436, + 0x67b10c0a, 0xe70f9357, 0x96d2b4ee, 0x919e1b9b, + 0xc54f80c0, 0x20a261dc, 0x4b695a77, 0x1a161c12, + 0xba0ae293, 0x2ae5c0a0, 0xe0433c22, 0x171d121b, + 0xd0b0e09, 0xc7adf28b, 0xa8b92db6, 0xa9c8141e, + 0x198557f1, 0x74caf75, 0xddbbee99, 0x60fda37f, + 0x269ff701, 0xf5bc5c72, 0x3bc54466, 0x7e345bfb, + 0x29768b43, 0xc6dccb23, 0xfc68b6ed, 0xf163b8e4, + 0xdccad731, 0x85104263, 0x22401397, 0x112084c6, + 0x247d854a, 0x3df8d2bb, 0x3211aef9, 0xa16dc729, + 0x2f4b1d9e, 0x30f3dcb2, 0x52ec0d86, 0xe3d077c1, + 0x166c2bb3, 0xb999a970, 0x48fa1194, 0x642247e9, + 0x8cc4a8fc, 0x3f1aa0f0, 0x2cd8567d, 0x90ef2233, + 0x4ec78749, 0xd1c1d938, 0xa2fe8cca, 0xb3698d4, + 0x81cfa6f5, 0xde28a57a, 0x8e26dab7, 0xbfa43fad, + 0x9de42c3a, 0x920d5078, 0xcc9b6a5f, 0x4662547e, + 0x13c2f68d, 0xb8e890d8, 0xf75e2e39, 0xaff582c3, + 0x80be9f5d, 0x937c69d0, 0x2da96fd5, 0x12b3cf25, + 0x993bc8ac, 0x7da71018, 0x636ee89c, 0xbb7bdb3b, + 0x7809cd26, 0x18f46e59, 0xb701ec9a, 0x9aa8834f, + 0x6e65e695, 0xe67eaaff, 0xcf0821bc, 0xe8e6ef15, + 0x9bd9bae7, 0x36ce4a6f, 0x9d4ea9f, 0x7cd629b0, + 0xb2af31a4, 0x23312a3f, 0x9430c6a5, 0x66c035a2, + 0xbc37744e, 0xcaa6fc82, 0xd0b0e090, 0xd81533a7, + 0x984af104, 0xdaf741ec, 0x500e7fcd, 0xf62f1791, + 0xd68d764d, 0xb04d43ef, 0x4d54ccaa, 0x4dfe496, + 0xb5e39ed1, 0x881b4c6a, 0x1fb8c12c, 0x517f4665, + 0xea049d5e, 0x355d018c, 0x7473fa87, 0x412efb0b, + 0x1d5ab367, 0xd25292db, 0x5633e910, 0x47136dd6, + 0x618c9ad7, 0xc7a37a1, 0x148e59f8, 0x3c89eb13, + 0x27eecea9, 0xc935b761, 0xe5ede11c, 0xb13c7a47, + 0xdf599cd2, 0x733f55f2, 0xce791814, 0x37bf73c7, + 0xcdea53f7, 0xaa5b5ffd, 0x6f14df3d, 0xdb867844, + 0xf381caaf, 0xc43eb968, 0x342c3824, 0x405fc2a3, + 0xc372161d, 0x250cbce2, 0x498b283c, 0x9541ff0d, + 0x17139a8, 0xb3de080c, 0xe49cd8b4, 0xc1906456, + 0x84617bcb, 0xb670d532, 0x5c74486c, 0x5742d0b8 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t U3[256] = { + 0xf4a75051, 0x4165537e, 0x17a4c31a, 0x275e963a, + 0xab6bcb3b, 0x9d45f11f, 0xfa58abac, 0xe303934b, + 0x30fa5520, 0x766df6ad, 0xcc769188, 0x24c25f5, + 0xe5d7fc4f, 0x2acbd7c5, 0x35448026, 0x62a38fb5, + 0xb15a49de, 0xba1b6725, 0xea0e9845, 0xfec0e15d, + 0x2f7502c3, 0x4cf01281, 0x4697a38d, 0xd3f9c66b, + 0x8f5fe703, 0x929c9515, 0x6d7aebbf, 0x5259da95, + 0xbe832dd4, 0x7421d358, 0xe0692949, 0xc9c8448e, + 0xc2896a75, 0x8e7978f4, 0x583e6b99, 0xb971dd27, + 0xe14fb6be, 0x88ad17f0, 0x20ac66c9, 0xce3ab47d, + 0xdf4a1863, 0x1a3182e5, 0x51336097, 0x537f4562, + 0x6477e0b1, 0x6bae84bb, 0x81a01cfe, 0x82b94f9, + 0x48685870, 0x45fd198f, 0xde6c8794, 0x7bf8b752, + 0x73d323ab, 0x4b02e272, 0x1f8f57e3, 0x55ab2a66, + 0xeb2807b2, 0xb5c2032f, 0xc57b9a86, 0x3708a5d3, + 0x2887f230, 0xbfa5b223, 0x36aba02, 0x16825ced, + 0xcf1c2b8a, 0x79b492a7, 0x7f2f0f3, 0x69e2a14e, + 0xdaf4cd65, 0x5bed506, 0x34621fd1, 0xa6fe8ac4, + 0x2e539d34, 0xf355a0a2, 0x8ae13205, 0xf6eb75a4, + 0x83ec390b, 0x60efaa40, 0x719f065e, 0x6e1051bd, + 0x218af93e, 0xdd063d96, 0x3e05aedd, 0xe6bd464d, + 0x548db591, 0xc45d0571, 0x6d46f04, 0x5015ff60, + 0x98fb2419, 0xbde997d6, 0x4043cc89, 0xd99e7767, + 0xe842bdb0, 0x898b8807, 0x195b38e7, 0xc8eedb79, + 0x7c0a47a1, 0x420fe97c, 0x841ec9f8, 0x0, + 0x80868309, 0x2bed4832, 0x1170ac1e, 0x5a724e6c, + 0xefffbfd, 0x8538560f, 0xaed51e3d, 0x2d392736, + 0xfd9640a, 0x5ca62168, 0x5b54d19b, 0x362e3a24, + 0xa67b10c, 0x57e70f93, 0xee96d2b4, 0x9b919e1b, + 0xc0c54f80, 0xdc20a261, 0x774b695a, 0x121a161c, + 0x93ba0ae2, 0xa02ae5c0, 0x22e0433c, 0x1b171d12, + 0x90d0b0e, 0x8bc7adf2, 0xb6a8b92d, 0x1ea9c814, + 0xf1198557, 0x75074caf, 0x99ddbbee, 0x7f60fda3, + 0x1269ff7, 0x72f5bc5c, 0x663bc544, 0xfb7e345b, + 0x4329768b, 0x23c6dccb, 0xedfc68b6, 0xe4f163b8, + 0x31dccad7, 0x63851042, 0x97224013, 0xc6112084, + 0x4a247d85, 0xbb3df8d2, 0xf93211ae, 0x29a16dc7, + 0x9e2f4b1d, 0xb230f3dc, 0x8652ec0d, 0xc1e3d077, + 0xb3166c2b, 0x70b999a9, 0x9448fa11, 0xe9642247, + 0xfc8cc4a8, 0xf03f1aa0, 0x7d2cd856, 0x3390ef22, + 0x494ec787, 0x38d1c1d9, 0xcaa2fe8c, 0xd40b3698, + 0xf581cfa6, 0x7ade28a5, 0xb78e26da, 0xadbfa43f, + 0x3a9de42c, 0x78920d50, 0x5fcc9b6a, 0x7e466254, + 0x8d13c2f6, 0xd8b8e890, 0x39f75e2e, 0xc3aff582, + 0x5d80be9f, 0xd0937c69, 0xd52da96f, 0x2512b3cf, + 0xac993bc8, 0x187da710, 0x9c636ee8, 0x3bbb7bdb, + 0x267809cd, 0x5918f46e, 0x9ab701ec, 0x4f9aa883, + 0x956e65e6, 0xffe67eaa, 0xbccf0821, 0x15e8e6ef, + 0xe79bd9ba, 0x6f36ce4a, 0x9f09d4ea, 0xb07cd629, + 0xa4b2af31, 0x3f23312a, 0xa59430c6, 0xa266c035, + 0x4ebc3774, 0x82caa6fc, 0x90d0b0e0, 0xa7d81533, + 0x4984af1, 0xecdaf741, 0xcd500e7f, 0x91f62f17, + 0x4dd68d76, 0xefb04d43, 0xaa4d54cc, 0x9604dfe4, + 0xd1b5e39e, 0x6a881b4c, 0x2c1fb8c1, 0x65517f46, + 0x5eea049d, 0x8c355d01, 0x877473fa, 0xb412efb, + 0x671d5ab3, 0xdbd25292, 0x105633e9, 0xd647136d, + 0xd7618c9a, 0xa10c7a37, 0xf8148e59, 0x133c89eb, + 0xa927eece, 0x61c935b7, 0x1ce5ede1, 0x47b13c7a, + 0xd2df599c, 0xf2733f55, 0x14ce7918, 0xc737bf73, + 0xf7cdea53, 0xfdaa5b5f, 0x3d6f14df, 0x44db8678, + 0xaff381ca, 0x68c43eb9, 0x24342c38, 0xa3405fc2, + 0x1dc37216, 0xe2250cbc, 0x3c498b28, 0xd9541ff, + 0xa8017139, 0xcb3de08, 0xb4e49cd8, 0x56c19064, + 0xcb84617b, 0x32b670d5, 0x6c5c7448, 0xb85742d0 +}; +/* clang-format on */ +#endif + +/* + * the following tables (aes_sbox, aes_inv_sbox, T4, U4) are + * endian-neutral + */ +/* clang-format off */ +static const uint8_t aes_sbox[256] = { + 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, + 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, + 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, + 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, + 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, + 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, + 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, + 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, + 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, + 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, + 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, + 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, + 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, + 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, + 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, + 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, + 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, + 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, + 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, + 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, + 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, + 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, + 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, + 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, + 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, + 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, + 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, + 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, + 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, + 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, + 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, + 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 +}; +/* clang-format on */ + +#ifndef CPU_RISC +/* clang-format off */ +static const uint8_t aes_inv_sbox[256] = { + 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, + 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, + 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, + 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, + 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, + 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, + 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, + 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25, + 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, + 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, + 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, + 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84, + 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, + 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06, + 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, + 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, + 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, + 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73, + 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, + 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e, + 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, + 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, + 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, + 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, + 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, + 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f, + 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, + 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, + 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, + 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, + 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, + 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d +}; +/* clang-format on */ +#endif /* ! CPU_RISC */ + +#ifdef CPU_RISC +/* clang-format off */ +static const uint32_t T4[256] = { + 0x63636363, 0x7c7c7c7c, 0x77777777, 0x7b7b7b7b, + 0xf2f2f2f2, 0x6b6b6b6b, 0x6f6f6f6f, 0xc5c5c5c5, + 0x30303030, 0x01010101, 0x67676767, 0x2b2b2b2b, + 0xfefefefe, 0xd7d7d7d7, 0xabababab, 0x76767676, + 0xcacacaca, 0x82828282, 0xc9c9c9c9, 0x7d7d7d7d, + 0xfafafafa, 0x59595959, 0x47474747, 0xf0f0f0f0, + 0xadadadad, 0xd4d4d4d4, 0xa2a2a2a2, 0xafafafaf, + 0x9c9c9c9c, 0xa4a4a4a4, 0x72727272, 0xc0c0c0c0, + 0xb7b7b7b7, 0xfdfdfdfd, 0x93939393, 0x26262626, + 0x36363636, 0x3f3f3f3f, 0xf7f7f7f7, 0xcccccccc, + 0x34343434, 0xa5a5a5a5, 0xe5e5e5e5, 0xf1f1f1f1, + 0x71717171, 0xd8d8d8d8, 0x31313131, 0x15151515, + 0x04040404, 0xc7c7c7c7, 0x23232323, 0xc3c3c3c3, + 0x18181818, 0x96969696, 0x05050505, 0x9a9a9a9a, + 0x07070707, 0x12121212, 0x80808080, 0xe2e2e2e2, + 0xebebebeb, 0x27272727, 0xb2b2b2b2, 0x75757575, + 0x09090909, 0x83838383, 0x2c2c2c2c, 0x1a1a1a1a, + 0x1b1b1b1b, 0x6e6e6e6e, 0x5a5a5a5a, 0xa0a0a0a0, + 0x52525252, 0x3b3b3b3b, 0xd6d6d6d6, 0xb3b3b3b3, + 0x29292929, 0xe3e3e3e3, 0x2f2f2f2f, 0x84848484, + 0x53535353, 0xd1d1d1d1, 0x00000000, 0xedededed, + 0x20202020, 0xfcfcfcfc, 0xb1b1b1b1, 0x5b5b5b5b, + 0x6a6a6a6a, 0xcbcbcbcb, 0xbebebebe, 0x39393939, + 0x4a4a4a4a, 0x4c4c4c4c, 0x58585858, 0xcfcfcfcf, + 0xd0d0d0d0, 0xefefefef, 0xaaaaaaaa, 0xfbfbfbfb, + 0x43434343, 0x4d4d4d4d, 0x33333333, 0x85858585, + 0x45454545, 0xf9f9f9f9, 0x02020202, 0x7f7f7f7f, + 0x50505050, 0x3c3c3c3c, 0x9f9f9f9f, 0xa8a8a8a8, + 0x51515151, 0xa3a3a3a3, 0x40404040, 0x8f8f8f8f, + 0x92929292, 0x9d9d9d9d, 0x38383838, 0xf5f5f5f5, + 0xbcbcbcbc, 0xb6b6b6b6, 0xdadadada, 0x21212121, + 0x10101010, 0xffffffff, 0xf3f3f3f3, 0xd2d2d2d2, + 0xcdcdcdcd, 0x0c0c0c0c, 0x13131313, 0xecececec, + 0x5f5f5f5f, 0x97979797, 0x44444444, 0x17171717, + 0xc4c4c4c4, 0xa7a7a7a7, 0x7e7e7e7e, 0x3d3d3d3d, + 0x64646464, 0x5d5d5d5d, 0x19191919, 0x73737373, + 0x60606060, 0x81818181, 0x4f4f4f4f, 0xdcdcdcdc, + 0x22222222, 0x2a2a2a2a, 0x90909090, 0x88888888, + 0x46464646, 0xeeeeeeee, 0xb8b8b8b8, 0x14141414, + 0xdededede, 0x5e5e5e5e, 0x0b0b0b0b, 0xdbdbdbdb, + 0xe0e0e0e0, 0x32323232, 0x3a3a3a3a, 0x0a0a0a0a, + 0x49494949, 0x06060606, 0x24242424, 0x5c5c5c5c, + 0xc2c2c2c2, 0xd3d3d3d3, 0xacacacac, 0x62626262, + 0x91919191, 0x95959595, 0xe4e4e4e4, 0x79797979, + 0xe7e7e7e7, 0xc8c8c8c8, 0x37373737, 0x6d6d6d6d, + 0x8d8d8d8d, 0xd5d5d5d5, 0x4e4e4e4e, 0xa9a9a9a9, + 0x6c6c6c6c, 0x56565656, 0xf4f4f4f4, 0xeaeaeaea, + 0x65656565, 0x7a7a7a7a, 0xaeaeaeae, 0x08080808, + 0xbabababa, 0x78787878, 0x25252525, 0x2e2e2e2e, + 0x1c1c1c1c, 0xa6a6a6a6, 0xb4b4b4b4, 0xc6c6c6c6, + 0xe8e8e8e8, 0xdddddddd, 0x74747474, 0x1f1f1f1f, + 0x4b4b4b4b, 0xbdbdbdbd, 0x8b8b8b8b, 0x8a8a8a8a, + 0x70707070, 0x3e3e3e3e, 0xb5b5b5b5, 0x66666666, + 0x48484848, 0x03030303, 0xf6f6f6f6, 0x0e0e0e0e, + 0x61616161, 0x35353535, 0x57575757, 0xb9b9b9b9, + 0x86868686, 0xc1c1c1c1, 0x1d1d1d1d, 0x9e9e9e9e, + 0xe1e1e1e1, 0xf8f8f8f8, 0x98989898, 0x11111111, + 0x69696969, 0xd9d9d9d9, 0x8e8e8e8e, 0x94949494, + 0x9b9b9b9b, 0x1e1e1e1e, 0x87878787, 0xe9e9e9e9, + 0xcececece, 0x55555555, 0x28282828, 0xdfdfdfdf, + 0x8c8c8c8c, 0xa1a1a1a1, 0x89898989, 0x0d0d0d0d, + 0xbfbfbfbf, 0xe6e6e6e6, 0x42424242, 0x68686868, + 0x41414141, 0x99999999, 0x2d2d2d2d, 0x0f0f0f0f, + 0xb0b0b0b0, 0x54545454, 0xbbbbbbbb, 0x16161616 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint32_t U4[256] = { + 0x52525252, 0x9090909, 0x6a6a6a6a, 0xd5d5d5d5, + 0x30303030, 0x36363636, 0xa5a5a5a5, 0x38383838, + 0xbfbfbfbf, 0x40404040, 0xa3a3a3a3, 0x9e9e9e9e, + 0x81818181, 0xf3f3f3f3, 0xd7d7d7d7, 0xfbfbfbfb, + 0x7c7c7c7c, 0xe3e3e3e3, 0x39393939, 0x82828282, + 0x9b9b9b9b, 0x2f2f2f2f, 0xffffffff, 0x87878787, + 0x34343434, 0x8e8e8e8e, 0x43434343, 0x44444444, + 0xc4c4c4c4, 0xdededede, 0xe9e9e9e9, 0xcbcbcbcb, + 0x54545454, 0x7b7b7b7b, 0x94949494, 0x32323232, + 0xa6a6a6a6, 0xc2c2c2c2, 0x23232323, 0x3d3d3d3d, + 0xeeeeeeee, 0x4c4c4c4c, 0x95959595, 0xb0b0b0b, + 0x42424242, 0xfafafafa, 0xc3c3c3c3, 0x4e4e4e4e, + 0x8080808, 0x2e2e2e2e, 0xa1a1a1a1, 0x66666666, + 0x28282828, 0xd9d9d9d9, 0x24242424, 0xb2b2b2b2, + 0x76767676, 0x5b5b5b5b, 0xa2a2a2a2, 0x49494949, + 0x6d6d6d6d, 0x8b8b8b8b, 0xd1d1d1d1, 0x25252525, + 0x72727272, 0xf8f8f8f8, 0xf6f6f6f6, 0x64646464, + 0x86868686, 0x68686868, 0x98989898, 0x16161616, + 0xd4d4d4d4, 0xa4a4a4a4, 0x5c5c5c5c, 0xcccccccc, + 0x5d5d5d5d, 0x65656565, 0xb6b6b6b6, 0x92929292, + 0x6c6c6c6c, 0x70707070, 0x48484848, 0x50505050, + 0xfdfdfdfd, 0xedededed, 0xb9b9b9b9, 0xdadadada, + 0x5e5e5e5e, 0x15151515, 0x46464646, 0x57575757, + 0xa7a7a7a7, 0x8d8d8d8d, 0x9d9d9d9d, 0x84848484, + 0x90909090, 0xd8d8d8d8, 0xabababab, 0x0, + 0x8c8c8c8c, 0xbcbcbcbc, 0xd3d3d3d3, 0xa0a0a0a, + 0xf7f7f7f7, 0xe4e4e4e4, 0x58585858, 0x5050505, + 0xb8b8b8b8, 0xb3b3b3b3, 0x45454545, 0x6060606, + 0xd0d0d0d0, 0x2c2c2c2c, 0x1e1e1e1e, 0x8f8f8f8f, + 0xcacacaca, 0x3f3f3f3f, 0xf0f0f0f, 0x2020202, + 0xc1c1c1c1, 0xafafafaf, 0xbdbdbdbd, 0x3030303, + 0x1010101, 0x13131313, 0x8a8a8a8a, 0x6b6b6b6b, + 0x3a3a3a3a, 0x91919191, 0x11111111, 0x41414141, + 0x4f4f4f4f, 0x67676767, 0xdcdcdcdc, 0xeaeaeaea, + 0x97979797, 0xf2f2f2f2, 0xcfcfcfcf, 0xcececece, + 0xf0f0f0f0, 0xb4b4b4b4, 0xe6e6e6e6, 0x73737373, + 0x96969696, 0xacacacac, 0x74747474, 0x22222222, + 0xe7e7e7e7, 0xadadadad, 0x35353535, 0x85858585, + 0xe2e2e2e2, 0xf9f9f9f9, 0x37373737, 0xe8e8e8e8, + 0x1c1c1c1c, 0x75757575, 0xdfdfdfdf, 0x6e6e6e6e, + 0x47474747, 0xf1f1f1f1, 0x1a1a1a1a, 0x71717171, + 0x1d1d1d1d, 0x29292929, 0xc5c5c5c5, 0x89898989, + 0x6f6f6f6f, 0xb7b7b7b7, 0x62626262, 0xe0e0e0e, + 0xaaaaaaaa, 0x18181818, 0xbebebebe, 0x1b1b1b1b, + 0xfcfcfcfc, 0x56565656, 0x3e3e3e3e, 0x4b4b4b4b, + 0xc6c6c6c6, 0xd2d2d2d2, 0x79797979, 0x20202020, + 0x9a9a9a9a, 0xdbdbdbdb, 0xc0c0c0c0, 0xfefefefe, + 0x78787878, 0xcdcdcdcd, 0x5a5a5a5a, 0xf4f4f4f4, + 0x1f1f1f1f, 0xdddddddd, 0xa8a8a8a8, 0x33333333, + 0x88888888, 0x7070707, 0xc7c7c7c7, 0x31313131, + 0xb1b1b1b1, 0x12121212, 0x10101010, 0x59595959, + 0x27272727, 0x80808080, 0xecececec, 0x5f5f5f5f, + 0x60606060, 0x51515151, 0x7f7f7f7f, 0xa9a9a9a9, + 0x19191919, 0xb5b5b5b5, 0x4a4a4a4a, 0xd0d0d0d, + 0x2d2d2d2d, 0xe5e5e5e5, 0x7a7a7a7a, 0x9f9f9f9f, + 0x93939393, 0xc9c9c9c9, 0x9c9c9c9c, 0xefefefef, + 0xa0a0a0a0, 0xe0e0e0e0, 0x3b3b3b3b, 0x4d4d4d4d, + 0xaeaeaeae, 0x2a2a2a2a, 0xf5f5f5f5, 0xb0b0b0b0, + 0xc8c8c8c8, 0xebebebeb, 0xbbbbbbbb, 0x3c3c3c3c, + 0x83838383, 0x53535353, 0x99999999, 0x61616161, + 0x17171717, 0x2b2b2b2b, 0x4040404, 0x7e7e7e7e, + 0xbabababa, 0x77777777, 0xd6d6d6d6, 0x26262626, + 0xe1e1e1e1, 0x69696969, 0x14141414, 0x63636363, + 0x55555555, 0x21212121, 0xc0c0c0c, 0x7d7d7d7d +}; +/* clang-format on */ +#endif /* CPU_RISC */ + +#define gf2_8_field_polynomial 0x1B +/* + * gf2_8_shift(z) returns the result of the GF(2^8) 'multiply by x' + * operation, using the field representation from AES; that is, the + * next gf2_8 value in the cyclic representation of that field. The + * value z should be an uint8_t. + */ +#define gf2_8_shift(z) \ + (((z)&128) ? (((z) << 1) ^ gf2_8_field_polynomial) : ((z) << 1)) + +/* aes internals */ + +static void aes_128_expand_encryption_key(const uint8_t *key, + srtp_aes_expanded_key_t *expanded_key) +{ + int i; + uint8_t rc; + + /* initialize round constant */ + rc = 1; + + expanded_key->num_rounds = 10; + + v128_copy_octet_string(&expanded_key->round[0], key); + +#if 0 + debug_print(srtp_mod_aes_icm, + "expanded key[0]: %s", v128_hex_string(&expanded_key->round[0])); +#endif + + /* loop over round keys */ + for (i = 1; i < 11; i++) { + /* munge first word of round key */ + expanded_key->round[i].v8[0] = + aes_sbox[expanded_key->round[i - 1].v8[13]] ^ rc; + expanded_key->round[i].v8[1] = + aes_sbox[expanded_key->round[i - 1].v8[14]]; + expanded_key->round[i].v8[2] = + aes_sbox[expanded_key->round[i - 1].v8[15]]; + expanded_key->round[i].v8[3] = + aes_sbox[expanded_key->round[i - 1].v8[12]]; + + expanded_key->round[i].v32[0] ^= expanded_key->round[i - 1].v32[0]; + + /* set remaining 32 bit words to the exor of the one previous with + * the one four words previous */ + + expanded_key->round[i].v32[1] = + expanded_key->round[i].v32[0] ^ expanded_key->round[i - 1].v32[1]; + + expanded_key->round[i].v32[2] = + expanded_key->round[i].v32[1] ^ expanded_key->round[i - 1].v32[2]; + + expanded_key->round[i].v32[3] = + expanded_key->round[i].v32[2] ^ expanded_key->round[i - 1].v32[3]; + +#if 0 + debug_print2(srtp_mod_aes_icm, + "expanded key[%d]: %s", i, v128_hex_string(&expanded_key->round[i])); +#endif + + /* modify round constant */ + rc = gf2_8_shift(rc); + } +} + +static void aes_256_expand_encryption_key(const unsigned char *key, + srtp_aes_expanded_key_t *expanded_key) +{ + int i; + uint8_t rc; + + /* initialize round constant */ + rc = 1; + + expanded_key->num_rounds = 14; + + v128_copy_octet_string(&expanded_key->round[0], key); + v128_copy_octet_string(&expanded_key->round[1], key + 16); + +#if 0 + debug_print(srtp_mod_aes_icm, + "expanded key[0]: %s", v128_hex_string(&expanded_key->round[0])); + debug_print(srtp_mod_aes_icm, + "expanded key[1]: %s", v128_hex_string(&expanded_key->round[1])); +#endif + + /* loop over rest of round keys */ + for (i = 2; i < 15; i++) { + /* munge first word of round key */ + if ((i & 1) == 0) { + expanded_key->round[i].v8[0] = + aes_sbox[expanded_key->round[i - 1].v8[13]] ^ rc; + expanded_key->round[i].v8[1] = + aes_sbox[expanded_key->round[i - 1].v8[14]]; + expanded_key->round[i].v8[2] = + aes_sbox[expanded_key->round[i - 1].v8[15]]; + expanded_key->round[i].v8[3] = + aes_sbox[expanded_key->round[i - 1].v8[12]]; + + /* modify round constant */ + rc = gf2_8_shift(rc); + } else { + expanded_key->round[i].v8[0] = + aes_sbox[expanded_key->round[i - 1].v8[12]]; + expanded_key->round[i].v8[1] = + aes_sbox[expanded_key->round[i - 1].v8[13]]; + expanded_key->round[i].v8[2] = + aes_sbox[expanded_key->round[i - 1].v8[14]]; + expanded_key->round[i].v8[3] = + aes_sbox[expanded_key->round[i - 1].v8[15]]; + } + + expanded_key->round[i].v32[0] ^= expanded_key->round[i - 2].v32[0]; + + /* set remaining 32 bit words to the exor of the one previous with + * the one eight words previous */ + + expanded_key->round[i].v32[1] = + expanded_key->round[i].v32[0] ^ expanded_key->round[i - 2].v32[1]; + + expanded_key->round[i].v32[2] = + expanded_key->round[i].v32[1] ^ expanded_key->round[i - 2].v32[2]; + + expanded_key->round[i].v32[3] = + expanded_key->round[i].v32[2] ^ expanded_key->round[i - 2].v32[3]; + +#if 0 + debug_print2(srtp_mod_aes_icm, + "expanded key[%d]: %s", i, v128_hex_string(&expanded_key->round[i])); +#endif + } +} + +srtp_err_status_t srtp_aes_expand_encryption_key( + const uint8_t *key, + int key_len, + srtp_aes_expanded_key_t *expanded_key) +{ + if (key_len == 16) { + aes_128_expand_encryption_key(key, expanded_key); + return srtp_err_status_ok; + } else if (key_len == 24) { + /* AES-192 not yet supported */ + return srtp_err_status_bad_param; + } else if (key_len == 32) { + aes_256_expand_encryption_key(key, expanded_key); + return srtp_err_status_ok; + } else { + return srtp_err_status_bad_param; + } +} + +srtp_err_status_t srtp_aes_expand_decryption_key( + const uint8_t *key, + int key_len, + srtp_aes_expanded_key_t *expanded_key) +{ + int i; + srtp_err_status_t status; + int num_rounds = expanded_key->num_rounds; + + status = srtp_aes_expand_encryption_key(key, key_len, expanded_key); + if (status) { + return status; + } + + /* invert the order of the round keys */ + for (i = 0; i < num_rounds / 2; i++) { + v128_t tmp; + v128_copy(&tmp, &expanded_key->round[num_rounds - i]); + v128_copy(&expanded_key->round[num_rounds - i], + &expanded_key->round[i]); + v128_copy(&expanded_key->round[i], &tmp); + } + + /* + * apply the inverse mixColumn transform to the round keys (except + * for the first and the last) + * + * mixColumn is implemented by using the tables U0, U1, U2, U3, + * followed by the T4 table (which cancels out the use of the sbox + * in the U-tables) + */ + for (i = 1; i < num_rounds; i++) { +#ifdef CPU_RISC + uint32_t tmp; + +#ifdef WORDS_BIGENDIAN + /* clang-format off */ + tmp = expanded_key->round[i].v32[0]; + expanded_key->round[i].v32[0] = + U0[T4[(tmp >> 24) ] & 0xff] ^ + U1[T4[(tmp >> 16) & 0xff] & 0xff] ^ + U2[T4[(tmp >> 8) & 0xff] & 0xff] ^ + U3[T4[(tmp) & 0xff] & 0xff]; + + tmp = expanded_key->round[i].v32[1]; + expanded_key->round[i].v32[1] = + U0[T4[(tmp >> 24) ] & 0xff] ^ + U1[T4[(tmp >> 16) & 0xff] & 0xff] ^ + U2[T4[(tmp >> 8) & 0xff] & 0xff] ^ + U3[T4[(tmp) & 0xff] & 0xff]; + + tmp = expanded_key->round[i].v32[2]; + expanded_key->round[i].v32[2] = + U0[T4[(tmp >> 24) ] & 0xff] ^ + U1[T4[(tmp >> 16) & 0xff] & 0xff] ^ + U2[T4[(tmp >> 8) & 0xff] & 0xff] ^ + U3[T4[(tmp) & 0xff] & 0xff]; + + tmp = expanded_key->round[i].v32[3]; + expanded_key->round[i].v32[3] = + U0[T4[(tmp >> 24) ] & 0xff] ^ + U1[T4[(tmp >> 16) & 0xff] & 0xff] ^ + U2[T4[(tmp >> 8) & 0xff] & 0xff] ^ + U3[T4[(tmp) & 0xff] & 0xff]; +#else + tmp = expanded_key->round[i].v32[0]; + expanded_key->round[i].v32[0] = + U3[T4[(tmp >> 24) ] & 0xff] ^ + U2[T4[(tmp >> 16) & 0xff] & 0xff] ^ + U1[T4[(tmp >> 8) & 0xff] & 0xff] ^ + U0[T4[(tmp) & 0xff] & 0xff]; + + tmp = expanded_key->round[i].v32[1]; + expanded_key->round[i].v32[1] = + U3[T4[(tmp >> 24) ] & 0xff] ^ + U2[T4[(tmp >> 16) & 0xff] & 0xff] ^ + U1[T4[(tmp >> 8) & 0xff] & 0xff] ^ + U0[T4[(tmp) & 0xff] & 0xff]; + + tmp = expanded_key->round[i].v32[2]; + expanded_key->round[i].v32[2] = + U3[T4[(tmp >> 24) ] & 0xff] ^ + U2[T4[(tmp >> 16) & 0xff] & 0xff] ^ + U1[T4[(tmp >> 8) & 0xff] & 0xff] ^ + U0[T4[(tmp) & 0xff] & 0xff]; + + tmp = expanded_key->round[i].v32[3]; + expanded_key->round[i].v32[3] = + U3[T4[(tmp >> 24) ] & 0xff] ^ + U2[T4[(tmp >> 16) & 0xff] & 0xff] ^ + U1[T4[(tmp >> 8) & 0xff] & 0xff] ^ + U0[T4[(tmp) & 0xff] & 0xff]; +/* clang-format on */ +#endif /* WORDS_BIGENDIAN */ + +#else /* assume CPU_CISC */ + + uint32_t c0, c1, c2, c3; + + c0 = U0[aes_sbox[expanded_key->round[i].v8[0]]] ^ + U1[aes_sbox[expanded_key->round[i].v8[1]]] ^ + U2[aes_sbox[expanded_key->round[i].v8[2]]] ^ + U3[aes_sbox[expanded_key->round[i].v8[3]]]; + + c1 = U0[aes_sbox[expanded_key->round[i].v8[4]]] ^ + U1[aes_sbox[expanded_key->round[i].v8[5]]] ^ + U2[aes_sbox[expanded_key->round[i].v8[6]]] ^ + U3[aes_sbox[expanded_key->round[i].v8[7]]]; + + c2 = U0[aes_sbox[expanded_key->round[i].v8[8]]] ^ + U1[aes_sbox[expanded_key->round[i].v8[9]]] ^ + U2[aes_sbox[expanded_key->round[i].v8[10]]] ^ + U3[aes_sbox[expanded_key->round[i].v8[11]]]; + + c3 = U0[aes_sbox[expanded_key->round[i].v8[12]]] ^ + U1[aes_sbox[expanded_key->round[i].v8[13]]] ^ + U2[aes_sbox[expanded_key->round[i].v8[14]]] ^ + U3[aes_sbox[expanded_key->round[i].v8[15]]]; + + expanded_key->round[i].v32[0] = c0; + expanded_key->round[i].v32[1] = c1; + expanded_key->round[i].v32[2] = c2; + expanded_key->round[i].v32[3] = c3; + +#endif + } + + return srtp_err_status_ok; +} + +#ifdef CPU_CISC + +static inline void aes_round(v128_t *state, const v128_t *round_key) +{ + uint32_t column0, column1, column2, column3; + + /* compute the columns of the output square in terms of the octets + of state, using the tables T0, T1, T2, T3 */ + + column0 = T0[state->v8[0]] ^ T1[state->v8[5]] ^ T2[state->v8[10]] ^ + T3[state->v8[15]]; + + column1 = T0[state->v8[4]] ^ T1[state->v8[9]] ^ T2[state->v8[14]] ^ + T3[state->v8[3]]; + + column2 = T0[state->v8[8]] ^ T1[state->v8[13]] ^ T2[state->v8[2]] ^ + T3[state->v8[7]]; + + column3 = T0[state->v8[12]] ^ T1[state->v8[1]] ^ T2[state->v8[6]] ^ + T3[state->v8[11]]; + + state->v32[0] = column0 ^ round_key->v32[0]; + state->v32[1] = column1 ^ round_key->v32[1]; + state->v32[2] = column2 ^ round_key->v32[2]; + state->v32[3] = column3 ^ round_key->v32[3]; +} + +static inline void aes_inv_round(v128_t *state, const v128_t *round_key) +{ + uint32_t column0, column1, column2, column3; + + /* compute the columns of the output square in terms of the octets + of state, using the tables U0, U1, U2, U3 */ + + column0 = U0[state->v8[0]] ^ U1[state->v8[13]] ^ U2[state->v8[10]] ^ + U3[state->v8[7]]; + + column1 = U0[state->v8[4]] ^ U1[state->v8[1]] ^ U2[state->v8[14]] ^ + U3[state->v8[11]]; + + column2 = U0[state->v8[8]] ^ U1[state->v8[5]] ^ U2[state->v8[2]] ^ + U3[state->v8[15]]; + + column3 = U0[state->v8[12]] ^ U1[state->v8[9]] ^ U2[state->v8[6]] ^ + U3[state->v8[3]]; + + state->v32[0] = column0 ^ round_key->v32[0]; + state->v32[1] = column1 ^ round_key->v32[1]; + state->v32[2] = column2 ^ round_key->v32[2]; + state->v32[3] = column3 ^ round_key->v32[3]; +} + +static inline void aes_final_round(v128_t *state, const v128_t *round_key) +{ + uint8_t tmp; + + /* byte substitutions and row shifts */ + /* first row - no shift */ + state->v8[0] = aes_sbox[state->v8[0]]; + state->v8[4] = aes_sbox[state->v8[4]]; + state->v8[8] = aes_sbox[state->v8[8]]; + state->v8[12] = aes_sbox[state->v8[12]]; + + /* second row - shift one left */ + tmp = aes_sbox[state->v8[1]]; + state->v8[1] = aes_sbox[state->v8[5]]; + state->v8[5] = aes_sbox[state->v8[9]]; + state->v8[9] = aes_sbox[state->v8[13]]; + state->v8[13] = tmp; + + /* third row - shift two left */ + tmp = aes_sbox[state->v8[10]]; + state->v8[10] = aes_sbox[state->v8[2]]; + state->v8[2] = tmp; + tmp = aes_sbox[state->v8[14]]; + state->v8[14] = aes_sbox[state->v8[6]]; + state->v8[6] = tmp; + + /* fourth row - shift three left */ + tmp = aes_sbox[state->v8[15]]; + state->v8[15] = aes_sbox[state->v8[11]]; + state->v8[11] = aes_sbox[state->v8[7]]; + state->v8[7] = aes_sbox[state->v8[3]]; + state->v8[3] = tmp; + + v128_xor_eq(state, round_key); +} + +static inline void aes_inv_final_round(v128_t *state, const v128_t *round_key) +{ + uint8_t tmp; + + /* byte substitutions and row shifts */ + /* first row - no shift */ + state->v8[0] = aes_inv_sbox[state->v8[0]]; + state->v8[4] = aes_inv_sbox[state->v8[4]]; + state->v8[8] = aes_inv_sbox[state->v8[8]]; + state->v8[12] = aes_inv_sbox[state->v8[12]]; + + /* second row - shift one right */ + tmp = aes_inv_sbox[state->v8[13]]; + state->v8[13] = aes_inv_sbox[state->v8[9]]; + state->v8[9] = aes_inv_sbox[state->v8[5]]; + state->v8[5] = aes_inv_sbox[state->v8[1]]; + state->v8[1] = tmp; + + /* third row - shift two right */ + tmp = aes_inv_sbox[state->v8[2]]; + state->v8[2] = aes_inv_sbox[state->v8[10]]; + state->v8[10] = tmp; + tmp = aes_inv_sbox[state->v8[6]]; + state->v8[6] = aes_inv_sbox[state->v8[14]]; + state->v8[14] = tmp; + + /* fourth row - shift three right */ + tmp = aes_inv_sbox[state->v8[3]]; + state->v8[3] = aes_inv_sbox[state->v8[7]]; + state->v8[7] = aes_inv_sbox[state->v8[11]]; + state->v8[11] = aes_inv_sbox[state->v8[15]]; + state->v8[15] = tmp; + + v128_xor_eq(state, round_key); +} + +#elif CPU_RISC + +static inline void aes_round(v128_t *state, const v128_t *round_key) +{ + uint32_t column0, column1, column2, column3; + +/* compute the columns of the output square in terms of the octets + of state, using the tables T0, T1, T2, T3 */ +#ifdef WORDS_BIGENDIAN + column0 = T0[state->v32[0] >> 24] ^ T1[(state->v32[1] >> 16) & 0xff] ^ + T2[(state->v32[2] >> 8) & 0xff] ^ T3[state->v32[3] & 0xff]; + + column1 = T0[state->v32[1] >> 24] ^ T1[(state->v32[2] >> 16) & 0xff] ^ + T2[(state->v32[3] >> 8) & 0xff] ^ T3[state->v32[0] & 0xff]; + + column2 = T0[state->v32[2] >> 24] ^ T1[(state->v32[3] >> 16) & 0xff] ^ + T2[(state->v32[0] >> 8) & 0xff] ^ T3[state->v32[1] & 0xff]; + + column3 = T0[state->v32[3] >> 24] ^ T1[(state->v32[0] >> 16) & 0xff] ^ + T2[(state->v32[1] >> 8) & 0xff] ^ T3[state->v32[2] & 0xff]; +#else + column0 = T0[state->v32[0] & 0xff] ^ T1[(state->v32[1] >> 8) & 0xff] ^ + T2[(state->v32[2] >> 16) & 0xff] ^ T3[state->v32[3] >> 24]; + + column1 = T0[state->v32[1] & 0xff] ^ T1[(state->v32[2] >> 8) & 0xff] ^ + T2[(state->v32[3] >> 16) & 0xff] ^ T3[state->v32[0] >> 24]; + + column2 = T0[state->v32[2] & 0xff] ^ T1[(state->v32[3] >> 8) & 0xff] ^ + T2[(state->v32[0] >> 16) & 0xff] ^ T3[state->v32[1] >> 24]; + + column3 = T0[state->v32[3] & 0xff] ^ T1[(state->v32[0] >> 8) & 0xff] ^ + T2[(state->v32[1] >> 16) & 0xff] ^ T3[state->v32[2] >> 24]; +#endif /* WORDS_BIGENDIAN */ + + state->v32[0] = column0 ^ round_key->v32[0]; + state->v32[1] = column1 ^ round_key->v32[1]; + state->v32[2] = column2 ^ round_key->v32[2]; + state->v32[3] = column3 ^ round_key->v32[3]; +} + +static inline void aes_inv_round(v128_t *state, const v128_t *round_key) +{ + uint32_t column0, column1, column2, column3; + +/* compute the columns of the output square in terms of the octets + of state, using the tables U0, U1, U2, U3 */ + +#ifdef WORDS_BIGENDIAN + column0 = U0[state->v32[0] >> 24] ^ U1[(state->v32[3] >> 16) & 0xff] ^ + U2[(state->v32[2] >> 8) & 0xff] ^ U3[state->v32[1] & 0xff]; + + column1 = U0[state->v32[1] >> 24] ^ U1[(state->v32[0] >> 16) & 0xff] ^ + U2[(state->v32[3] >> 8) & 0xff] ^ U3[state->v32[2] & 0xff]; + + column2 = U0[state->v32[2] >> 24] ^ U1[(state->v32[1] >> 16) & 0xff] ^ + U2[(state->v32[0] >> 8) & 0xff] ^ U3[state->v32[3] & 0xff]; + + column3 = U0[state->v32[3] >> 24] ^ U1[(state->v32[2] >> 16) & 0xff] ^ + U2[(state->v32[1] >> 8) & 0xff] ^ U3[state->v32[0] & 0xff]; +#else + column0 = U0[state->v32[0] & 0xff] ^ U1[(state->v32[3] >> 8) & 0xff] ^ + U2[(state->v32[2] >> 16) & 0xff] ^ + U3[(state->v32[1] >> 24) & 0xff]; + + column1 = U0[state->v32[1] & 0xff] ^ U1[(state->v32[0] >> 8) & 0xff] ^ + U2[(state->v32[3] >> 16) & 0xff] ^ + U3[(state->v32[2] >> 24) & 0xff]; + + column2 = U0[state->v32[2] & 0xff] ^ U1[(state->v32[1] >> 8) & 0xff] ^ + U2[(state->v32[0] >> 16) & 0xff] ^ + U3[(state->v32[3] >> 24) & 0xff]; + + column3 = U0[state->v32[3] & 0xff] ^ U1[(state->v32[2] >> 8) & 0xff] ^ + U2[(state->v32[1] >> 16) & 0xff] ^ + U3[(state->v32[0] >> 24) & 0xff]; +#endif /* WORDS_BIGENDIAN */ + + state->v32[0] = column0 ^ round_key->v32[0]; + state->v32[1] = column1 ^ round_key->v32[1]; + state->v32[2] = column2 ^ round_key->v32[2]; + state->v32[3] = column3 ^ round_key->v32[3]; +} + +static inline void aes_final_round(v128_t *state, const v128_t *round_key) +{ + uint32_t tmp0, tmp1, tmp2, tmp3; + +#ifdef WORDS_BIGENDIAN + /* clang-format off */ + tmp0 = (T4[(state->v32[0] >> 24)] & 0xff000000) ^ + (T4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[2] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[3] ) & 0xff] & 0x000000ff) ^ + round_key->v32[0]; + + tmp1 = (T4[(state->v32[1] >> 24)] & 0xff000000) ^ + (T4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[3] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[0] ) & 0xff] & 0x000000ff) ^ + round_key->v32[1]; + + tmp2 = (T4[(state->v32[2] >> 24)] & 0xff000000) ^ + (T4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[0] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[1] ) & 0xff] & 0x000000ff) ^ + round_key->v32[2]; + + tmp3 = (T4[(state->v32[3] >> 24)] & 0xff000000) ^ + (T4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[1] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[2] ) & 0xff] & 0x000000ff) ^ + round_key->v32[3]; +#else + tmp0 = (T4[(state->v32[3] >> 24)] & 0xff000000) ^ + (T4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[1] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[0] ) & 0xff] & 0x000000ff) ^ + round_key->v32[0]; + + tmp1 = (T4[(state->v32[0] >> 24)] & 0xff000000) ^ + (T4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[2] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[1] ) & 0xff] & 0x000000ff) ^ + round_key->v32[1]; + + tmp2 = (T4[(state->v32[1] >> 24)] & 0xff000000) ^ + (T4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[3] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[2] ) & 0xff] & 0x000000ff) ^ + round_key->v32[2]; + + tmp3 = (T4[(state->v32[2] >> 24)] & 0xff000000) ^ + (T4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[0] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[3] ) & 0xff] & 0x000000ff) ^ + round_key->v32[3]; +/* clang-format on */ +#endif /* WORDS_BIGENDIAN */ + + state->v32[0] = tmp0; + state->v32[1] = tmp1; + state->v32[2] = tmp2; + state->v32[3] = tmp3; +} + +static inline void aes_inv_final_round(v128_t *state, const v128_t *round_key) +{ + uint32_t tmp0, tmp1, tmp2, tmp3; + +#ifdef WORDS_BIGENDIAN + /* clang-format off */ + tmp0 = (U4[(state->v32[0] >> 24)] & 0xff000000) ^ + (U4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[2] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[1] ) & 0xff] & 0x000000ff) ^ + round_key->v32[0]; + + tmp1 = (U4[(state->v32[1] >> 24)] & 0xff000000) ^ + (U4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[3] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[2] ) & 0xff] & 0x000000ff) ^ + round_key->v32[1]; + + tmp2 = (U4[(state->v32[2] >> 24)] & 0xff000000) ^ + (U4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[0] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[3] ) & 0xff] & 0x000000ff) ^ + round_key->v32[2]; + + tmp3 = (U4[(state->v32[3] >> 24)] & 0xff000000) ^ + (U4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[1] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[0] ) & 0xff] & 0x000000ff) ^ + round_key->v32[3]; +#else + tmp0 = (U4[(state->v32[1] >> 24)] & 0xff000000) ^ + (U4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[3] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[0] ) & 0xff] & 0x000000ff) ^ + round_key->v32[0]; + + tmp1 = (U4[(state->v32[2] >> 24)] & 0xff000000) ^ + (U4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[0] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[1] ) & 0xff] & 0x000000ff) ^ + round_key->v32[1]; + + tmp2 = (U4[(state->v32[3] >> 24)] & 0xff000000) ^ + (U4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[1] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[2] ) & 0xff] & 0x000000ff) ^ + round_key->v32[2]; + + tmp3 = (U4[(state->v32[0] >> 24)] & 0xff000000) ^ + (U4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[2] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[3] ) & 0xff] & 0x000000ff) ^ + round_key->v32[3]; +/* clang-format on */ +#endif /* WORDS_BIGENDIAN */ + + state->v32[0] = tmp0; + state->v32[1] = tmp1; + state->v32[2] = tmp2; + state->v32[3] = tmp3; +} + +#elif CPU_16 /* assume 16-bit word size on processor */ + +static inline void aes_round(v128_t *state, const v128_t *round_key) +{ + uint32_t column0, column1, column2, column3; + /* compute the columns of the output square in terms of the octets + of state, using the tables T0, T1, T2, T3 */ + + column0 = T0[state->v8[0]] ^ T1[state->v8[5]] ^ T2[state->v8[10]] ^ + T3[state->v8[15]]; + + column1 = T0[state->v8[4]] ^ T1[state->v8[9]] ^ T2[state->v8[14]] ^ + T3[state->v8[3]]; + + column2 = T0[state->v8[8]] ^ T1[state->v8[13]] ^ T2[state->v8[2]] ^ + T3[state->v8[7]]; + + column3 = T0[state->v8[12]] ^ T1[state->v8[1]] ^ T2[state->v8[6]] ^ + T3[state->v8[11]]; + + state->v32[0] = column0 ^ round_key->v32[0]; + state->v32[1] = column1 ^ round_key->v32[1]; + state->v32[2] = column2 ^ round_key->v32[2]; + state->v32[3] = column3 ^ round_key->v32[3]; +} + +static inline void aes_inv_round(v128_t *state, const v128_t *round_key) +{ + uint32_t column0, column1, column2, column3; + + /* compute the columns of the output square in terms of the octets + of state, using the tables U0, U1, U2, U3 */ + + column0 = U0[state->v8[0]] ^ U1[state->v8[5]] ^ U2[state->v8[10]] ^ + U3[state->v8[15]]; + + column1 = U0[state->v8[4]] ^ U1[state->v8[9]] ^ U2[state->v8[14]] ^ + U3[state->v8[3]]; + + column2 = U0[state->v8[8]] ^ U1[state->v8[13]] ^ U2[state->v8[2]] ^ + U3[state->v8[7]]; + + column3 = U0[state->v8[12]] ^ U1[state->v8[1]] ^ U2[state->v8[6]] ^ + U3[state->v8[11]]; + + state->v32[0] = column0 ^ round_key->v32[0]; + state->v32[1] = column1 ^ round_key->v32[1]; + state->v32[2] = column2 ^ round_key->v32[2]; + state->v32[3] = column3 ^ round_key->v32[3]; +} + +static inline void aes_final_round(v128_t *state, const v128_t *round_key) +{ + uint8_t tmp; + + /* byte substitutions and row shifts */ + /* first row - no shift */ + state->v8[0] = aes_sbox[state->v8[0]]; + state->v8[4] = aes_sbox[state->v8[4]]; + state->v8[8] = aes_sbox[state->v8[8]]; + state->v8[12] = aes_sbox[state->v8[12]]; + + /* second row - shift one left */ + tmp = aes_sbox[state->v8[1]]; + state->v8[1] = aes_sbox[state->v8[5]]; + state->v8[5] = aes_sbox[state->v8[9]]; + state->v8[9] = aes_sbox[state->v8[13]]; + state->v8[13] = tmp; + + /* third row - shift two left */ + tmp = aes_sbox[state->v8[10]]; + state->v8[10] = aes_sbox[state->v8[2]]; + state->v8[2] = tmp; + tmp = aes_sbox[state->v8[14]]; + state->v8[14] = aes_sbox[state->v8[6]]; + state->v8[6] = tmp; + + /* fourth row - shift three left */ + tmp = aes_sbox[state->v8[15]]; + state->v8[15] = aes_sbox[state->v8[11]]; + state->v8[11] = aes_sbox[state->v8[7]]; + state->v8[7] = aes_sbox[state->v8[3]]; + state->v8[3] = tmp; + + v128_xor_eq(state, round_key); +} + +static inline void aes_inv_final_round(v128_t *state, const v128_t *round_key) +{ + uint8_t tmp; + + /* byte substitutions and row shifts */ + /* first row - no shift */ + state->v8[0] = aes_inv_sbox[state->v8[0]]; + state->v8[4] = aes_inv_sbox[state->v8[4]]; + state->v8[8] = aes_inv_sbox[state->v8[8]]; + state->v8[12] = aes_inv_sbox[state->v8[12]]; + + /* second row - shift one left */ + tmp = aes_inv_sbox[state->v8[1]]; + state->v8[1] = aes_inv_sbox[state->v8[5]]; + state->v8[5] = aes_inv_sbox[state->v8[9]]; + state->v8[9] = aes_inv_sbox[state->v8[13]]; + state->v8[13] = tmp; + + /* third row - shift two left */ + tmp = aes_inv_sbox[state->v8[10]]; + state->v8[10] = aes_inv_sbox[state->v8[2]]; + state->v8[2] = tmp; + tmp = aes_inv_sbox[state->v8[14]]; + state->v8[14] = aes_inv_sbox[state->v8[6]]; + state->v8[6] = tmp; + + /* fourth row - shift three left */ + tmp = aes_inv_sbox[state->v8[15]]; + state->v8[15] = aes_inv_sbox[state->v8[11]]; + state->v8[11] = aes_inv_sbox[state->v8[7]]; + state->v8[7] = aes_inv_sbox[state->v8[3]]; + state->v8[3] = tmp; + + v128_xor_eq(state, round_key); +} + +#endif /* CPU type */ + +void srtp_aes_encrypt(v128_t *plaintext, const srtp_aes_expanded_key_t *exp_key) +{ + /* add in the subkey */ + v128_xor_eq(plaintext, &exp_key->round[0]); + + /* now do the rounds */ + aes_round(plaintext, &exp_key->round[1]); + aes_round(plaintext, &exp_key->round[2]); + aes_round(plaintext, &exp_key->round[3]); + aes_round(plaintext, &exp_key->round[4]); + aes_round(plaintext, &exp_key->round[5]); + aes_round(plaintext, &exp_key->round[6]); + aes_round(plaintext, &exp_key->round[7]); + aes_round(plaintext, &exp_key->round[8]); + aes_round(plaintext, &exp_key->round[9]); + if (exp_key->num_rounds == 10) { + aes_final_round(plaintext, &exp_key->round[10]); + } else if (exp_key->num_rounds == 12) { + aes_round(plaintext, &exp_key->round[10]); + aes_round(plaintext, &exp_key->round[11]); + aes_final_round(plaintext, &exp_key->round[12]); + } else if (exp_key->num_rounds == 14) { + aes_round(plaintext, &exp_key->round[10]); + aes_round(plaintext, &exp_key->round[11]); + aes_round(plaintext, &exp_key->round[12]); + aes_round(plaintext, &exp_key->round[13]); + aes_final_round(plaintext, &exp_key->round[14]); + } +} + +void srtp_aes_decrypt(v128_t *plaintext, const srtp_aes_expanded_key_t *exp_key) +{ + /* add in the subkey */ + v128_xor_eq(plaintext, &exp_key->round[0]); + + /* now do the rounds */ + aes_inv_round(plaintext, &exp_key->round[1]); + aes_inv_round(plaintext, &exp_key->round[2]); + aes_inv_round(plaintext, &exp_key->round[3]); + aes_inv_round(plaintext, &exp_key->round[4]); + aes_inv_round(plaintext, &exp_key->round[5]); + aes_inv_round(plaintext, &exp_key->round[6]); + aes_inv_round(plaintext, &exp_key->round[7]); + aes_inv_round(plaintext, &exp_key->round[8]); + aes_inv_round(plaintext, &exp_key->round[9]); + if (exp_key->num_rounds == 10) { + aes_inv_final_round(plaintext, &exp_key->round[10]); + } else if (exp_key->num_rounds == 12) { + aes_inv_round(plaintext, &exp_key->round[10]); + aes_inv_round(plaintext, &exp_key->round[11]); + aes_inv_final_round(plaintext, &exp_key->round[12]); + } else if (exp_key->num_rounds == 14) { + aes_inv_round(plaintext, &exp_key->round[10]); + aes_inv_round(plaintext, &exp_key->round[11]); + aes_inv_round(plaintext, &exp_key->round[12]); + aes_inv_round(plaintext, &exp_key->round[13]); + aes_inv_final_round(plaintext, &exp_key->round[14]); + } +} diff --git a/netwerk/srtp/src/crypto/cipher/aes_gcm_nss.c b/netwerk/srtp/src/crypto/cipher/aes_gcm_nss.c new file mode 100644 index 0000000000..2be2ce932d --- /dev/null +++ b/netwerk/srtp/src/crypto/cipher/aes_gcm_nss.c @@ -0,0 +1,597 @@ +/* + * aes_gcm_nss.c + * + * AES Galois Counter Mode + * + * Richard L. Barnes + * Cisco Systems, Inc. + * + */ + +/* + * + * Copyright (c) 2013-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "aes_gcm.h" +#include "alloc.h" +#include "err.h" /* for srtp_debug */ +#include "crypto_types.h" +#include "cipher_types.h" +#include <nss.h> +#include <secerr.h> +#include <nspr.h> + +srtp_debug_module_t srtp_mod_aes_gcm = { + 0, /* debugging is off by default */ + "aes gcm nss" /* printable module name */ +}; + +/* + * For now we only support 8 and 16 octet tags. The spec allows for + * optional 12 byte tag, which may be supported in the future. + */ +#define GCM_IV_LEN 12 +#define GCM_AUTH_TAG_LEN 16 +#define GCM_AUTH_TAG_LEN_8 8 + +/* + * This function allocates a new instance of this crypto engine. + * The key_len parameter should be one of 28 or 44 for + * AES-128-GCM or AES-256-GCM respectively. Note that the + * key length includes the 14 byte salt value that is used when + * initializing the KDF. + */ +static srtp_err_status_t srtp_aes_gcm_nss_alloc(srtp_cipher_t **c, + int key_len, + int tlen) +{ + srtp_aes_gcm_ctx_t *gcm; + + debug_print(srtp_mod_aes_gcm, "allocating cipher with key length %d", + key_len); + debug_print(srtp_mod_aes_gcm, "allocating cipher with tag length %d", tlen); + + /* + * Verify the key_len is valid for one of: AES-128/256 + */ + if (key_len != SRTP_AES_GCM_128_KEY_LEN_WSALT && + key_len != SRTP_AES_GCM_256_KEY_LEN_WSALT) { + return (srtp_err_status_bad_param); + } + + if (tlen != GCM_AUTH_TAG_LEN && tlen != GCM_AUTH_TAG_LEN_8) { + return (srtp_err_status_bad_param); + } + + /* Initialize NSS */ + if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) != SECSuccess) { + return (srtp_err_status_cipher_fail); + } + + /* allocate memory a cipher of type aes_gcm */ + *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t)); + if (*c == NULL) { + return (srtp_err_status_alloc_fail); + } + + gcm = (srtp_aes_gcm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_gcm_ctx_t)); + if (gcm == NULL) { + srtp_crypto_free(*c); + *c = NULL; + return (srtp_err_status_alloc_fail); + } + + /* set pointers */ + (*c)->state = gcm; + + /* setup cipher attributes */ + switch (key_len) { + case SRTP_AES_GCM_128_KEY_LEN_WSALT: + (*c)->type = &srtp_aes_gcm_128; + (*c)->algorithm = SRTP_AES_GCM_128; + gcm->key_size = SRTP_AES_128_KEY_LEN; + gcm->tag_size = tlen; + gcm->params.ulTagBits = 8 * tlen; + break; + case SRTP_AES_GCM_256_KEY_LEN_WSALT: + (*c)->type = &srtp_aes_gcm_256; + (*c)->algorithm = SRTP_AES_GCM_256; + gcm->key_size = SRTP_AES_256_KEY_LEN; + gcm->tag_size = tlen; + gcm->params.ulTagBits = 8 * tlen; + break; + default: + /* this should never hit, but to be sure... */ + return (srtp_err_status_bad_param); + } + + /* set key size and tag size*/ + (*c)->key_len = key_len; + + return (srtp_err_status_ok); +} + +/* + * This function deallocates a GCM session + */ +static srtp_err_status_t srtp_aes_gcm_nss_dealloc(srtp_cipher_t *c) +{ + srtp_aes_gcm_ctx_t *ctx; + + ctx = (srtp_aes_gcm_ctx_t *)c->state; + if (ctx) { + /* release NSS resources */ + if (ctx->key) { + PK11_FreeSymKey(ctx->key); + } + + /* zeroize the key material */ + octet_string_set_to_zero(ctx, sizeof(srtp_aes_gcm_ctx_t)); + srtp_crypto_free(ctx); + } + + /* free memory */ + srtp_crypto_free(c); + + return (srtp_err_status_ok); +} + +/* + * aes_gcm_nss_context_init(...) initializes the aes_gcm_context + * using the value in key[]. + * + * the key is the secret key + */ +static srtp_err_status_t srtp_aes_gcm_nss_context_init(void *cv, + const uint8_t *key) +{ + srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; + + c->dir = srtp_direction_any; + + debug_print(srtp_mod_aes_gcm, "key: %s", + srtp_octet_string_hex_string(key, c->key_size)); + + if (c->key) { + PK11_FreeSymKey(c->key); + c->key = NULL; + } + + PK11SlotInfo *slot = PK11_GetBestSlot(CKM_AES_GCM, NULL); + if (!slot) { + return (srtp_err_status_cipher_fail); + } + + SECItem key_item = { siBuffer, (unsigned char *)key, c->key_size }; + c->key = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap, + CKA_ENCRYPT, &key_item, NULL); + PK11_FreeSlot(slot); + + if (!c->key) { + return (srtp_err_status_cipher_fail); + } + + return (srtp_err_status_ok); +} + +/* + * aes_gcm_nss_set_iv(c, iv) sets the counter value to the exor of iv with + * the offset + */ +static srtp_err_status_t srtp_aes_gcm_nss_set_iv( + void *cv, + uint8_t *iv, + srtp_cipher_direction_t direction) +{ + srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; + + if (direction != srtp_direction_encrypt && + direction != srtp_direction_decrypt) { + return (srtp_err_status_bad_param); + } + c->dir = direction; + + debug_print(srtp_mod_aes_gcm, "setting iv: %s", + srtp_octet_string_hex_string(iv, GCM_IV_LEN)); + + memcpy(c->iv, iv, GCM_IV_LEN); + + return (srtp_err_status_ok); +} + +/* + * This function processes the AAD + * + * Parameters: + * c Crypto context + * aad Additional data to process for AEAD cipher suites + * aad_len length of aad buffer + */ +static srtp_err_status_t srtp_aes_gcm_nss_set_aad(void *cv, + const uint8_t *aad, + uint32_t aad_len) +{ + srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; + + debug_print(srtp_mod_aes_gcm, "setting AAD: %s", + srtp_octet_string_hex_string(aad, aad_len)); + + if (aad_len + c->aad_size > MAX_AD_SIZE) { + return srtp_err_status_bad_param; + } + + memcpy(c->aad + c->aad_size, aad, aad_len); + c->aad_size += aad_len; + + return (srtp_err_status_ok); +} + +static srtp_err_status_t srtp_aes_gcm_nss_do_crypto(void *cv, + int encrypt, + unsigned char *buf, + unsigned int *enc_len) +{ + srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; + + c->params.pIv = c->iv; + c->params.ulIvLen = GCM_IV_LEN; + c->params.ulIvBits = GCM_IV_LEN * 8; + c->params.pAAD = c->aad; + c->params.ulAADLen = c->aad_size; + + // Reset AAD + c->aad_size = 0; + + int rv; + SECItem param = { siBuffer, (unsigned char *)&c->params, + sizeof(CK_GCM_PARAMS) }; + if (encrypt) { + rv = PK11_Encrypt(c->key, CKM_AES_GCM, ¶m, buf, enc_len, + *enc_len + 16, buf, *enc_len); + } else { + rv = PK11_Decrypt(c->key, CKM_AES_GCM, ¶m, buf, enc_len, *enc_len, + buf, *enc_len); + } + + srtp_err_status_t status = (srtp_err_status_ok); + if (rv != SECSuccess) { + status = (srtp_err_status_cipher_fail); + } + + return status; +} + +/* + * This function encrypts a buffer using AES GCM mode + * + * XXX(rlb@ipv.sx): We're required to break off and cache the tag + * here, because the get_tag() method is separate and the tests expect + * encrypt() not to change the size of the plaintext. It might be + * good to update the calling API so that this is cleaner. + * + * Parameters: + * c Crypto context + * buf data to encrypt + * enc_len length of encrypt buffer + */ +static srtp_err_status_t srtp_aes_gcm_nss_encrypt(void *cv, + unsigned char *buf, + unsigned int *enc_len) +{ + srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; + + // When we get a non-NULL buffer, we know that the caller is + // prepared to also take the tag. When we get a NULL buffer, + // even though there's no data, we need to give NSS a buffer + // where it can write the tag. We can't just use c->tag because + // memcpy has undefined behavior on overlapping ranges. + unsigned char tagbuf[16]; + unsigned char *non_null_buf = buf; + if (!non_null_buf && (*enc_len == 0)) { + non_null_buf = tagbuf; + } else if (!non_null_buf) { + return srtp_err_status_bad_param; + } + + srtp_err_status_t status = + srtp_aes_gcm_nss_do_crypto(cv, 1, non_null_buf, enc_len); + if (status != srtp_err_status_ok) { + return status; + } + + memcpy(c->tag, non_null_buf + (*enc_len - c->tag_size), c->tag_size); + *enc_len -= c->tag_size; + return srtp_err_status_ok; +} + +/* + * This function calculates and returns the GCM tag for a given context. + * This should be called after encrypting the data. The *len value + * is increased by the tag size. The caller must ensure that *buf has + * enough room to accept the appended tag. + * + * Parameters: + * c Crypto context + * buf data to encrypt + * len length of encrypt buffer + */ +static srtp_err_status_t srtp_aes_gcm_nss_get_tag(void *cv, + uint8_t *buf, + uint32_t *len) +{ + srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; + *len = c->tag_size; + memcpy(buf, c->tag, c->tag_size); + return (srtp_err_status_ok); +} + +/* + * This function decrypts a buffer using AES GCM mode + * + * Parameters: + * c Crypto context + * buf data to encrypt + * enc_len length of encrypt buffer + */ +static srtp_err_status_t srtp_aes_gcm_nss_decrypt(void *cv, + unsigned char *buf, + unsigned int *enc_len) +{ + srtp_err_status_t status = srtp_aes_gcm_nss_do_crypto(cv, 0, buf, enc_len); + if (status != srtp_err_status_ok) { + int err = PR_GetError(); + if (err == SEC_ERROR_BAD_DATA) { + status = srtp_err_status_auth_fail; + } + } + + return status; +} + +/* + * Name of this crypto engine + */ +static const char srtp_aes_gcm_128_nss_description[] = "AES-128 GCM using NSS"; +static const char srtp_aes_gcm_256_nss_description[] = "AES-256 GCM using NSS"; + +/* + * KAT values for AES self-test. These + * values we're derived from independent test code + * using OpenSSL. + */ +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_0_key[SRTP_AES_GCM_128_KEY_LEN_WSALT] = { + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, + 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x09, 0x0a, 0x0b, 0x0c, +}; +/* clang-format on */ + +/* clang-format off */ +static uint8_t srtp_aes_gcm_test_case_0_iv[12] = { + 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, + 0xde, 0xca, 0xf8, 0x88 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_0_plaintext[60] = { + 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, + 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, + 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, + 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, + 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, + 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25, + 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, + 0xba, 0x63, 0x7b, 0x39 +}; + +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_0_aad[20] = { + 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, + 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, + 0xab, 0xad, 0xda, 0xd2 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_0_ciphertext[76] = { + 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, + 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, + 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, + 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, + 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, + 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, + 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, + 0x3d, 0x58, 0xe0, 0x91, + /* the last 16 bytes are the tag */ + 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb, + 0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47, +}; +/* clang-format on */ + +static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_0a = { + SRTP_AES_GCM_128_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_gcm_test_case_0_key, /* key */ + srtp_aes_gcm_test_case_0_iv, /* packet index */ + 60, /* octets in plaintext */ + srtp_aes_gcm_test_case_0_plaintext, /* plaintext */ + 68, /* octets in ciphertext */ + srtp_aes_gcm_test_case_0_ciphertext, /* ciphertext + tag */ + 20, /* octets in AAD */ + srtp_aes_gcm_test_case_0_aad, /* AAD */ + GCM_AUTH_TAG_LEN_8, /* */ + NULL /* pointer to next testcase */ +}; + +static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_0 = { + SRTP_AES_GCM_128_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_gcm_test_case_0_key, /* key */ + srtp_aes_gcm_test_case_0_iv, /* packet index */ + 60, /* octets in plaintext */ + srtp_aes_gcm_test_case_0_plaintext, /* plaintext */ + 76, /* octets in ciphertext */ + srtp_aes_gcm_test_case_0_ciphertext, /* ciphertext + tag */ + 20, /* octets in AAD */ + srtp_aes_gcm_test_case_0_aad, /* AAD */ + GCM_AUTH_TAG_LEN, /* */ + &srtp_aes_gcm_test_case_0a /* pointer to next testcase */ +}; + +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_1_key[SRTP_AES_GCM_256_KEY_LEN_WSALT] = { + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, + 0xa5, 0x59, 0x09, 0xc5, 0x54, 0x66, 0x93, 0x1c, + 0xaf, 0xf5, 0x26, 0x9a, 0x21, 0xd5, 0x14, 0xb2, + 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x09, 0x0a, 0x0b, 0x0c, +}; +/* clang-format on */ + +/* clang-format off */ +static uint8_t srtp_aes_gcm_test_case_1_iv[12] = { + 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, + 0xde, 0xca, 0xf8, 0x88 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_1_plaintext[60] = { + 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, + 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, + 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, + 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, + 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, + 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25, + 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, + 0xba, 0x63, 0x7b, 0x39 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_1_aad[20] = { + 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, + 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, + 0xab, 0xad, 0xda, 0xd2 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_1_ciphertext[76] = { + 0x0b, 0x11, 0xcf, 0xaf, 0x68, 0x4d, 0xae, 0x46, + 0xc7, 0x90, 0xb8, 0x8e, 0xb7, 0x6a, 0x76, 0x2a, + 0x94, 0x82, 0xca, 0xab, 0x3e, 0x39, 0xd7, 0x86, + 0x1b, 0xc7, 0x93, 0xed, 0x75, 0x7f, 0x23, 0x5a, + 0xda, 0xfd, 0xd3, 0xe2, 0x0e, 0x80, 0x87, 0xa9, + 0x6d, 0xd7, 0xe2, 0x6a, 0x7d, 0x5f, 0xb4, 0x80, + 0xef, 0xef, 0xc5, 0x29, 0x12, 0xd1, 0xaa, 0x10, + 0x09, 0xc9, 0x86, 0xc1, + /* the last 16 bytes are the tag */ + 0x45, 0xbc, 0x03, 0xe6, 0xe1, 0xac, 0x0a, 0x9f, + 0x81, 0xcb, 0x8e, 0x5b, 0x46, 0x65, 0x63, 0x1d, +}; +/* clang-format on */ + +static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_1a = { + SRTP_AES_GCM_256_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_gcm_test_case_1_key, /* key */ + srtp_aes_gcm_test_case_1_iv, /* packet index */ + 60, /* octets in plaintext */ + srtp_aes_gcm_test_case_1_plaintext, /* plaintext */ + 68, /* octets in ciphertext */ + srtp_aes_gcm_test_case_1_ciphertext, /* ciphertext + tag */ + 20, /* octets in AAD */ + srtp_aes_gcm_test_case_1_aad, /* AAD */ + GCM_AUTH_TAG_LEN_8, /* */ + NULL /* pointer to next testcase */ +}; + +static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_1 = { + SRTP_AES_GCM_256_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_gcm_test_case_1_key, /* key */ + srtp_aes_gcm_test_case_1_iv, /* packet index */ + 60, /* octets in plaintext */ + srtp_aes_gcm_test_case_1_plaintext, /* plaintext */ + 76, /* octets in ciphertext */ + srtp_aes_gcm_test_case_1_ciphertext, /* ciphertext + tag */ + 20, /* octets in AAD */ + srtp_aes_gcm_test_case_1_aad, /* AAD */ + GCM_AUTH_TAG_LEN, /* */ + &srtp_aes_gcm_test_case_1a /* pointer to next testcase */ +}; + +/* + * This is the vector function table for this crypto engine. + */ +/* clang-format off */ +const srtp_cipher_type_t srtp_aes_gcm_128 = { + srtp_aes_gcm_nss_alloc, + srtp_aes_gcm_nss_dealloc, + srtp_aes_gcm_nss_context_init, + srtp_aes_gcm_nss_set_aad, + srtp_aes_gcm_nss_encrypt, + srtp_aes_gcm_nss_decrypt, + srtp_aes_gcm_nss_set_iv, + srtp_aes_gcm_nss_get_tag, + srtp_aes_gcm_128_nss_description, + &srtp_aes_gcm_test_case_0, + SRTP_AES_GCM_128 +}; +/* clang-format on */ + +/* + * This is the vector function table for this crypto engine. + */ +/* clang-format off */ +const srtp_cipher_type_t srtp_aes_gcm_256 = { + srtp_aes_gcm_nss_alloc, + srtp_aes_gcm_nss_dealloc, + srtp_aes_gcm_nss_context_init, + srtp_aes_gcm_nss_set_aad, + srtp_aes_gcm_nss_encrypt, + srtp_aes_gcm_nss_decrypt, + srtp_aes_gcm_nss_set_iv, + srtp_aes_gcm_nss_get_tag, + srtp_aes_gcm_256_nss_description, + &srtp_aes_gcm_test_case_1, + SRTP_AES_GCM_256 +}; +/* clang-format on */ diff --git a/netwerk/srtp/src/crypto/cipher/aes_gcm_ossl.c b/netwerk/srtp/src/crypto/cipher/aes_gcm_ossl.c new file mode 100644 index 0000000000..578cad5ee9 --- /dev/null +++ b/netwerk/srtp/src/crypto/cipher/aes_gcm_ossl.c @@ -0,0 +1,582 @@ +/* + * aes_gcm_ossl.c + * + * AES Galois Counter Mode + * + * John A. Foley + * Cisco Systems, Inc. + * + */ + +/* + * + * Copyright (c) 2013-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <openssl/evp.h> +#include "aes_gcm.h" +#include "alloc.h" +#include "err.h" /* for srtp_debug */ +#include "crypto_types.h" +#include "cipher_types.h" + +srtp_debug_module_t srtp_mod_aes_gcm = { + 0, /* debugging is off by default */ + "aes gcm" /* printable module name */ +}; + +/* + * For now we only support 8 and 16 octet tags. The spec allows for + * optional 12 byte tag, which may be supported in the future. + */ +#define GCM_AUTH_TAG_LEN 16 +#define GCM_AUTH_TAG_LEN_8 8 + +/* + * This function allocates a new instance of this crypto engine. + * The key_len parameter should be one of 28 or 44 for + * AES-128-GCM or AES-256-GCM respectively. Note that the + * key length includes the 14 byte salt value that is used when + * initializing the KDF. + */ +static srtp_err_status_t srtp_aes_gcm_openssl_alloc(srtp_cipher_t **c, + int key_len, + int tlen) +{ + srtp_aes_gcm_ctx_t *gcm; + + debug_print(srtp_mod_aes_gcm, "allocating cipher with key length %d", + key_len); + debug_print(srtp_mod_aes_gcm, "allocating cipher with tag length %d", tlen); + + /* + * Verify the key_len is valid for one of: AES-128/256 + */ + if (key_len != SRTP_AES_GCM_128_KEY_LEN_WSALT && + key_len != SRTP_AES_GCM_256_KEY_LEN_WSALT) { + return (srtp_err_status_bad_param); + } + + if (tlen != GCM_AUTH_TAG_LEN && tlen != GCM_AUTH_TAG_LEN_8) { + return (srtp_err_status_bad_param); + } + + /* allocate memory a cipher of type aes_gcm */ + *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t)); + if (*c == NULL) { + return (srtp_err_status_alloc_fail); + } + + gcm = (srtp_aes_gcm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_gcm_ctx_t)); + if (gcm == NULL) { + srtp_crypto_free(*c); + *c = NULL; + return (srtp_err_status_alloc_fail); + } + + gcm->ctx = EVP_CIPHER_CTX_new(); + if (gcm->ctx == NULL) { + srtp_crypto_free(gcm); + srtp_crypto_free(*c); + *c = NULL; + return srtp_err_status_alloc_fail; + } + + /* set pointers */ + (*c)->state = gcm; + + /* setup cipher attributes */ + switch (key_len) { + case SRTP_AES_GCM_128_KEY_LEN_WSALT: + (*c)->type = &srtp_aes_gcm_128; + (*c)->algorithm = SRTP_AES_GCM_128; + gcm->key_size = SRTP_AES_128_KEY_LEN; + gcm->tag_len = tlen; + break; + case SRTP_AES_GCM_256_KEY_LEN_WSALT: + (*c)->type = &srtp_aes_gcm_256; + (*c)->algorithm = SRTP_AES_GCM_256; + gcm->key_size = SRTP_AES_256_KEY_LEN; + gcm->tag_len = tlen; + break; + } + + /* set key size */ + (*c)->key_len = key_len; + + return (srtp_err_status_ok); +} + +/* + * This function deallocates a GCM session + */ +static srtp_err_status_t srtp_aes_gcm_openssl_dealloc(srtp_cipher_t *c) +{ + srtp_aes_gcm_ctx_t *ctx; + + ctx = (srtp_aes_gcm_ctx_t *)c->state; + if (ctx) { + EVP_CIPHER_CTX_free(ctx->ctx); + /* zeroize the key material */ + octet_string_set_to_zero(ctx, sizeof(srtp_aes_gcm_ctx_t)); + srtp_crypto_free(ctx); + } + + /* free memory */ + srtp_crypto_free(c); + + return (srtp_err_status_ok); +} + +/* + * aes_gcm_openssl_context_init(...) initializes the aes_gcm_context + * using the value in key[]. + * + * the key is the secret key + */ +static srtp_err_status_t srtp_aes_gcm_openssl_context_init(void *cv, + const uint8_t *key) +{ + srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; + const EVP_CIPHER *evp; + + c->dir = srtp_direction_any; + + debug_print(srtp_mod_aes_gcm, "key: %s", + srtp_octet_string_hex_string(key, c->key_size)); + + switch (c->key_size) { + case SRTP_AES_256_KEY_LEN: + evp = EVP_aes_256_gcm(); + break; + case SRTP_AES_128_KEY_LEN: + evp = EVP_aes_128_gcm(); + break; + default: + return (srtp_err_status_bad_param); + break; + } + + if (!EVP_CipherInit_ex(c->ctx, evp, NULL, key, NULL, 0)) { + return (srtp_err_status_init_fail); + } + + return (srtp_err_status_ok); +} + +/* + * aes_gcm_openssl_set_iv(c, iv) sets the counter value to the exor of iv with + * the offset + */ +static srtp_err_status_t srtp_aes_gcm_openssl_set_iv( + void *cv, + uint8_t *iv, + srtp_cipher_direction_t direction) +{ + srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; + + if (direction != srtp_direction_encrypt && + direction != srtp_direction_decrypt) { + return (srtp_err_status_bad_param); + } + c->dir = direction; + + debug_print(srtp_mod_aes_gcm, "setting iv: %s", + srtp_octet_string_hex_string(iv, 12)); + + if (!EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_SET_IVLEN, 12, 0)) { + return (srtp_err_status_init_fail); + } + + if (!EVP_CipherInit_ex(c->ctx, NULL, NULL, NULL, iv, + (c->dir == srtp_direction_encrypt ? 1 : 0))) { + return (srtp_err_status_init_fail); + } + + return (srtp_err_status_ok); +} + +/* + * This function processes the AAD + * + * Parameters: + * c Crypto context + * aad Additional data to process for AEAD cipher suites + * aad_len length of aad buffer + */ +static srtp_err_status_t srtp_aes_gcm_openssl_set_aad(void *cv, + const uint8_t *aad, + uint32_t aad_len) +{ + srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; + int rv; + + debug_print(srtp_mod_aes_gcm, "setting AAD: %s", + srtp_octet_string_hex_string(aad, aad_len)); + + /* + * Set dummy tag, OpenSSL requires the Tag to be set before + * processing AAD + */ + + /* + * OpenSSL never write to address pointed by the last parameter of + * EVP_CIPHER_CTX_ctrl while EVP_CTRL_GCM_SET_TAG (in reality, + * OpenSSL copy its content to the context), so we can make + * aad read-only in this function and all its wrappers. + */ + unsigned char dummy_tag[GCM_AUTH_TAG_LEN]; + memset(dummy_tag, 0x0, GCM_AUTH_TAG_LEN); + EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_SET_TAG, c->tag_len, &dummy_tag); + + rv = EVP_Cipher(c->ctx, NULL, aad, aad_len); + if (rv != aad_len) { + return (srtp_err_status_algo_fail); + } else { + return (srtp_err_status_ok); + } +} + +/* + * This function encrypts a buffer using AES GCM mode + * + * Parameters: + * c Crypto context + * buf data to encrypt + * enc_len length of encrypt buffer + */ +static srtp_err_status_t srtp_aes_gcm_openssl_encrypt(void *cv, + unsigned char *buf, + unsigned int *enc_len) +{ + srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; + if (c->dir != srtp_direction_encrypt && c->dir != srtp_direction_decrypt) { + return (srtp_err_status_bad_param); + } + + /* + * Encrypt the data + */ + EVP_Cipher(c->ctx, buf, buf, *enc_len); + + return (srtp_err_status_ok); +} + +/* + * This function calculates and returns the GCM tag for a given context. + * This should be called after encrypting the data. The *len value + * is increased by the tag size. The caller must ensure that *buf has + * enough room to accept the appended tag. + * + * Parameters: + * c Crypto context + * buf data to encrypt + * len length of encrypt buffer + */ +static srtp_err_status_t srtp_aes_gcm_openssl_get_tag(void *cv, + uint8_t *buf, + uint32_t *len) +{ + srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; + /* + * Calculate the tag + */ + EVP_Cipher(c->ctx, NULL, NULL, 0); + + /* + * Retreive the tag + */ + EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_GET_TAG, c->tag_len, buf); + + /* + * Increase encryption length by desired tag size + */ + *len = c->tag_len; + + return (srtp_err_status_ok); +} + +/* + * This function decrypts a buffer using AES GCM mode + * + * Parameters: + * c Crypto context + * buf data to encrypt + * enc_len length of encrypt buffer + */ +static srtp_err_status_t srtp_aes_gcm_openssl_decrypt(void *cv, + unsigned char *buf, + unsigned int *enc_len) +{ + srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; + if (c->dir != srtp_direction_encrypt && c->dir != srtp_direction_decrypt) { + return (srtp_err_status_bad_param); + } + + /* + * Set the tag before decrypting + */ + EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_SET_TAG, c->tag_len, + buf + (*enc_len - c->tag_len)); + EVP_Cipher(c->ctx, buf, buf, *enc_len - c->tag_len); + + /* + * Check the tag + */ + if (EVP_Cipher(c->ctx, NULL, NULL, 0)) { + return (srtp_err_status_auth_fail); + } + + /* + * Reduce the buffer size by the tag length since the tag + * is not part of the original payload + */ + *enc_len -= c->tag_len; + + return (srtp_err_status_ok); +} + +/* + * Name of this crypto engine + */ +static const char srtp_aes_gcm_128_openssl_description[] = + "AES-128 GCM using openssl"; +static const char srtp_aes_gcm_256_openssl_description[] = + "AES-256 GCM using openssl"; + +/* + * KAT values for AES self-test. These + * values we're derived from independent test code + * using OpenSSL. + */ +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_0_key[SRTP_AES_GCM_128_KEY_LEN_WSALT] = { + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, + 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x09, 0x0a, 0x0b, 0x0c, +}; +/* clang-format on */ + +/* clang-format off */ +static uint8_t srtp_aes_gcm_test_case_0_iv[12] = { + 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, + 0xde, 0xca, 0xf8, 0x88 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_0_plaintext[60] = { + 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, + 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, + 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, + 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, + 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, + 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25, + 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, + 0xba, 0x63, 0x7b, 0x39 +}; + +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_0_aad[20] = { + 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, + 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, + 0xab, 0xad, 0xda, 0xd2 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_0_ciphertext[76] = { + 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, + 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, + 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, + 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, + 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, + 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, + 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, + 0x3d, 0x58, 0xe0, 0x91, + /* the last 16 bytes are the tag */ + 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb, + 0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47, +}; +/* clang-format on */ + +static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_0a = { + SRTP_AES_GCM_128_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_gcm_test_case_0_key, /* key */ + srtp_aes_gcm_test_case_0_iv, /* packet index */ + 60, /* octets in plaintext */ + srtp_aes_gcm_test_case_0_plaintext, /* plaintext */ + 68, /* octets in ciphertext */ + srtp_aes_gcm_test_case_0_ciphertext, /* ciphertext + tag */ + 20, /* octets in AAD */ + srtp_aes_gcm_test_case_0_aad, /* AAD */ + GCM_AUTH_TAG_LEN_8, /* */ + NULL /* pointer to next testcase */ +}; + +static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_0 = { + SRTP_AES_GCM_128_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_gcm_test_case_0_key, /* key */ + srtp_aes_gcm_test_case_0_iv, /* packet index */ + 60, /* octets in plaintext */ + srtp_aes_gcm_test_case_0_plaintext, /* plaintext */ + 76, /* octets in ciphertext */ + srtp_aes_gcm_test_case_0_ciphertext, /* ciphertext + tag */ + 20, /* octets in AAD */ + srtp_aes_gcm_test_case_0_aad, /* AAD */ + GCM_AUTH_TAG_LEN, /* */ + &srtp_aes_gcm_test_case_0a /* pointer to next testcase */ +}; + +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_1_key[SRTP_AES_GCM_256_KEY_LEN_WSALT] = { + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, + 0xa5, 0x59, 0x09, 0xc5, 0x54, 0x66, 0x93, 0x1c, + 0xaf, 0xf5, 0x26, 0x9a, 0x21, 0xd5, 0x14, 0xb2, + 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x09, 0x0a, 0x0b, 0x0c, +}; +/* clang-format on */ + +/* clang-format off */ +static uint8_t srtp_aes_gcm_test_case_1_iv[12] = { + 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, + 0xde, 0xca, 0xf8, 0x88 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_1_plaintext[60] = { + 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, + 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, + 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, + 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, + 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, + 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25, + 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, + 0xba, 0x63, 0x7b, 0x39 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_1_aad[20] = { + 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, + 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, + 0xab, 0xad, 0xda, 0xd2 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_gcm_test_case_1_ciphertext[76] = { + 0x0b, 0x11, 0xcf, 0xaf, 0x68, 0x4d, 0xae, 0x46, + 0xc7, 0x90, 0xb8, 0x8e, 0xb7, 0x6a, 0x76, 0x2a, + 0x94, 0x82, 0xca, 0xab, 0x3e, 0x39, 0xd7, 0x86, + 0x1b, 0xc7, 0x93, 0xed, 0x75, 0x7f, 0x23, 0x5a, + 0xda, 0xfd, 0xd3, 0xe2, 0x0e, 0x80, 0x87, 0xa9, + 0x6d, 0xd7, 0xe2, 0x6a, 0x7d, 0x5f, 0xb4, 0x80, + 0xef, 0xef, 0xc5, 0x29, 0x12, 0xd1, 0xaa, 0x10, + 0x09, 0xc9, 0x86, 0xc1, + /* the last 16 bytes are the tag */ + 0x45, 0xbc, 0x03, 0xe6, 0xe1, 0xac, 0x0a, 0x9f, + 0x81, 0xcb, 0x8e, 0x5b, 0x46, 0x65, 0x63, 0x1d, +}; +/* clang-format on */ + +static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_1a = { + SRTP_AES_GCM_256_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_gcm_test_case_1_key, /* key */ + srtp_aes_gcm_test_case_1_iv, /* packet index */ + 60, /* octets in plaintext */ + srtp_aes_gcm_test_case_1_plaintext, /* plaintext */ + 68, /* octets in ciphertext */ + srtp_aes_gcm_test_case_1_ciphertext, /* ciphertext + tag */ + 20, /* octets in AAD */ + srtp_aes_gcm_test_case_1_aad, /* AAD */ + GCM_AUTH_TAG_LEN_8, /* */ + NULL /* pointer to next testcase */ +}; + +static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_1 = { + SRTP_AES_GCM_256_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_gcm_test_case_1_key, /* key */ + srtp_aes_gcm_test_case_1_iv, /* packet index */ + 60, /* octets in plaintext */ + srtp_aes_gcm_test_case_1_plaintext, /* plaintext */ + 76, /* octets in ciphertext */ + srtp_aes_gcm_test_case_1_ciphertext, /* ciphertext + tag */ + 20, /* octets in AAD */ + srtp_aes_gcm_test_case_1_aad, /* AAD */ + GCM_AUTH_TAG_LEN, /* */ + &srtp_aes_gcm_test_case_1a /* pointer to next testcase */ +}; + +/* + * This is the vector function table for this crypto engine. + */ +const srtp_cipher_type_t srtp_aes_gcm_128 = { + srtp_aes_gcm_openssl_alloc, + srtp_aes_gcm_openssl_dealloc, + srtp_aes_gcm_openssl_context_init, + srtp_aes_gcm_openssl_set_aad, + srtp_aes_gcm_openssl_encrypt, + srtp_aes_gcm_openssl_decrypt, + srtp_aes_gcm_openssl_set_iv, + srtp_aes_gcm_openssl_get_tag, + srtp_aes_gcm_128_openssl_description, + &srtp_aes_gcm_test_case_0, + SRTP_AES_GCM_128 +}; + +/* + * This is the vector function table for this crypto engine. + */ +const srtp_cipher_type_t srtp_aes_gcm_256 = { + srtp_aes_gcm_openssl_alloc, + srtp_aes_gcm_openssl_dealloc, + srtp_aes_gcm_openssl_context_init, + srtp_aes_gcm_openssl_set_aad, + srtp_aes_gcm_openssl_encrypt, + srtp_aes_gcm_openssl_decrypt, + srtp_aes_gcm_openssl_set_iv, + srtp_aes_gcm_openssl_get_tag, + srtp_aes_gcm_256_openssl_description, + &srtp_aes_gcm_test_case_1, + SRTP_AES_GCM_256 +}; diff --git a/netwerk/srtp/src/crypto/cipher/aes_icm.c b/netwerk/srtp/src/crypto/cipher/aes_icm.c new file mode 100644 index 0000000000..7551c75148 --- /dev/null +++ b/netwerk/srtp/src/crypto/cipher/aes_icm.c @@ -0,0 +1,530 @@ +/* + * aes_icm.c + * + * AES Integer Counter Mode + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#define ALIGN_32 0 + +#include "aes_icm.h" +#include "alloc.h" +#include "cipher_types.h" + +srtp_debug_module_t srtp_mod_aes_icm = { + 0, /* debugging is off by default */ + "aes icm" /* printable module name */ +}; + +/* + * integer counter mode works as follows: + * + * 16 bits + * <-----> + * +------+------+------+------+------+------+------+------+ + * | nonce | pakcet index | ctr |---+ + * +------+------+------+------+------+------+------+------+ | + * | + * +------+------+------+------+------+------+------+------+ v + * | salt |000000|->(+) + * +------+------+------+------+------+------+------+------+ | + * | + * +---------+ + * | encrypt | + * +---------+ + * | + * +------+------+------+------+------+------+------+------+ | + * | keystream block |<--+ + * +------+------+------+------+------+------+------+------+ + * + * All fields are big-endian + * + * ctr is the block counter, which increments from zero for + * each packet (16 bits wide) + * + * packet index is distinct for each packet (48 bits wide) + * + * nonce can be distinct across many uses of the same key, or + * can be a fixed value per key, or can be per-packet randomness + * (64 bits) + * + */ + +static srtp_err_status_t srtp_aes_icm_alloc(srtp_cipher_t **c, + int key_len, + int tlen) +{ + srtp_aes_icm_ctx_t *icm; + + debug_print(srtp_mod_aes_icm, "allocating cipher with key length %d", + key_len); + + /* + * The check for key_len = 30/46 does not apply. Our usage + * of aes functions with key_len = values other than 30 + * has not broken anything. Don't know what would be the + * effect of skipping this check for srtp in general. + */ + if (key_len != SRTP_AES_ICM_128_KEY_LEN_WSALT && + key_len != SRTP_AES_ICM_256_KEY_LEN_WSALT) { + return srtp_err_status_bad_param; + } + + /* allocate memory a cipher of type aes_icm */ + *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t)); + if (*c == NULL) { + return srtp_err_status_alloc_fail; + } + + icm = (srtp_aes_icm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_icm_ctx_t)); + if (icm == NULL) { + srtp_crypto_free(*c); + *c = NULL; + return srtp_err_status_alloc_fail; + } + + /* set pointers */ + (*c)->state = icm; + + switch (key_len) { + case SRTP_AES_ICM_256_KEY_LEN_WSALT: + (*c)->algorithm = SRTP_AES_ICM_256; + (*c)->type = &srtp_aes_icm_256; + break; + default: + (*c)->algorithm = SRTP_AES_ICM_128; + (*c)->type = &srtp_aes_icm_128; + break; + } + + /* set key size */ + icm->key_size = key_len; + (*c)->key_len = key_len; + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_aes_icm_dealloc(srtp_cipher_t *c) +{ + srtp_aes_icm_ctx_t *ctx; + + if (c == NULL) { + return srtp_err_status_bad_param; + } + + ctx = (srtp_aes_icm_ctx_t *)c->state; + if (ctx) { + /* zeroize the key material */ + octet_string_set_to_zero(ctx, sizeof(srtp_aes_icm_ctx_t)); + srtp_crypto_free(ctx); + } + + /* free the cipher context */ + srtp_crypto_free(c); + + return srtp_err_status_ok; +} + +/* + * aes_icm_context_init(...) initializes the aes_icm_context + * using the value in key[]. + * + * the key is the secret key + * + * the salt is unpredictable (but not necessarily secret) data which + * randomizes the starting point in the keystream + */ + +static srtp_err_status_t srtp_aes_icm_context_init(void *cv, const uint8_t *key) +{ + srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; + srtp_err_status_t status; + int base_key_len, copy_len; + + if (c->key_size == SRTP_AES_ICM_128_KEY_LEN_WSALT || + c->key_size == SRTP_AES_ICM_256_KEY_LEN_WSALT) { + base_key_len = c->key_size - SRTP_SALT_LEN; + } else { + return srtp_err_status_bad_param; + } + + /* + * set counter and initial values to 'offset' value, being careful not to + * go past the end of the key buffer + */ + v128_set_to_zero(&c->counter); + v128_set_to_zero(&c->offset); + + copy_len = c->key_size - base_key_len; + /* force last two octets of the offset to be left zero (for srtp + * compatibility) */ + if (copy_len > SRTP_SALT_LEN) { + copy_len = SRTP_SALT_LEN; + } + + memcpy(&c->counter, key + base_key_len, copy_len); + memcpy(&c->offset, key + base_key_len, copy_len); + + debug_print(srtp_mod_aes_icm, "key: %s", + srtp_octet_string_hex_string(key, base_key_len)); + debug_print(srtp_mod_aes_icm, "offset: %s", v128_hex_string(&c->offset)); + + /* expand key */ + status = + srtp_aes_expand_encryption_key(key, base_key_len, &c->expanded_key); + if (status) { + v128_set_to_zero(&c->counter); + v128_set_to_zero(&c->offset); + return status; + } + + /* indicate that the keystream_buffer is empty */ + c->bytes_in_buffer = 0; + + return srtp_err_status_ok; +} + +/* + * aes_icm_set_iv(c, iv) sets the counter value to the exor of iv with + * the offset + */ + +static srtp_err_status_t srtp_aes_icm_set_iv(void *cv, + uint8_t *iv, + srtp_cipher_direction_t direction) +{ + srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; + v128_t nonce; + + /* set nonce (for alignment) */ + v128_copy_octet_string(&nonce, iv); + + debug_print(srtp_mod_aes_icm, "setting iv: %s", v128_hex_string(&nonce)); + + v128_xor(&c->counter, &c->offset, &nonce); + + debug_print(srtp_mod_aes_icm, "set_counter: %s", + v128_hex_string(&c->counter)); + + /* indicate that the keystream_buffer is empty */ + c->bytes_in_buffer = 0; + + return srtp_err_status_ok; +} + +/* + * aes_icm_advance(...) refills the keystream_buffer and + * advances the block index of the sicm_context forward by one + * + * this is an internal, hopefully inlined function + */ +static void srtp_aes_icm_advance(srtp_aes_icm_ctx_t *c) +{ + /* fill buffer with new keystream */ + v128_copy(&c->keystream_buffer, &c->counter); + srtp_aes_encrypt(&c->keystream_buffer, &c->expanded_key); + c->bytes_in_buffer = sizeof(v128_t); + + debug_print(srtp_mod_aes_icm, "counter: %s", + v128_hex_string(&c->counter)); + debug_print(srtp_mod_aes_icm, "ciphertext: %s", + v128_hex_string(&c->keystream_buffer)); + + /* clock counter forward */ + if (!++(c->counter.v8[15])) { + ++(c->counter.v8[14]); + } +} + +/* + * icm_encrypt deals with the following cases: + * + * bytes_to_encr < bytes_in_buffer + * - add keystream into data + * + * bytes_to_encr > bytes_in_buffer + * - add keystream into data until keystream_buffer is depleted + * - loop over blocks, filling keystream_buffer and then + * adding keystream into data + * - fill buffer then add in remaining (< 16) bytes of keystream + */ + +static srtp_err_status_t srtp_aes_icm_encrypt(void *cv, + unsigned char *buf, + unsigned int *enc_len) +{ + srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; + unsigned int bytes_to_encr = *enc_len; + unsigned int i; + uint32_t *b; + + /* check that there's enough segment left*/ + if ((bytes_to_encr + htons(c->counter.v16[7])) > 0xffff) { + return srtp_err_status_terminus; + } + + debug_print(srtp_mod_aes_icm, "block index: %d", htons(c->counter.v16[7])); + if (bytes_to_encr <= (unsigned int)c->bytes_in_buffer) { + /* deal with odd case of small bytes_to_encr */ + for (i = (sizeof(v128_t) - c->bytes_in_buffer); + i < (sizeof(v128_t) - c->bytes_in_buffer + bytes_to_encr); i++) { + *buf++ ^= c->keystream_buffer.v8[i]; + } + + c->bytes_in_buffer -= bytes_to_encr; + + /* return now to avoid the main loop */ + return srtp_err_status_ok; + + } else { + /* encrypt bytes until the remaining data is 16-byte aligned */ + for (i = (sizeof(v128_t) - c->bytes_in_buffer); i < sizeof(v128_t); + i++) { + *buf++ ^= c->keystream_buffer.v8[i]; + } + + bytes_to_encr -= c->bytes_in_buffer; + c->bytes_in_buffer = 0; + } + + /* now loop over entire 16-byte blocks of keystream */ + for (i = 0; i < (bytes_to_encr / sizeof(v128_t)); i++) { + /* fill buffer with new keystream */ + srtp_aes_icm_advance(c); + +/* + * add keystream into the data buffer (this would be a lot faster + * if we could assume 32-bit alignment!) + */ + +#if ALIGN_32 + b = (uint32_t *)buf; + *b++ ^= c->keystream_buffer.v32[0]; + *b++ ^= c->keystream_buffer.v32[1]; + *b++ ^= c->keystream_buffer.v32[2]; + *b++ ^= c->keystream_buffer.v32[3]; + buf = (uint8_t *)b; +#else + if ((((uintptr_t)buf) & 0x03) != 0) { + *buf++ ^= c->keystream_buffer.v8[0]; + *buf++ ^= c->keystream_buffer.v8[1]; + *buf++ ^= c->keystream_buffer.v8[2]; + *buf++ ^= c->keystream_buffer.v8[3]; + *buf++ ^= c->keystream_buffer.v8[4]; + *buf++ ^= c->keystream_buffer.v8[5]; + *buf++ ^= c->keystream_buffer.v8[6]; + *buf++ ^= c->keystream_buffer.v8[7]; + *buf++ ^= c->keystream_buffer.v8[8]; + *buf++ ^= c->keystream_buffer.v8[9]; + *buf++ ^= c->keystream_buffer.v8[10]; + *buf++ ^= c->keystream_buffer.v8[11]; + *buf++ ^= c->keystream_buffer.v8[12]; + *buf++ ^= c->keystream_buffer.v8[13]; + *buf++ ^= c->keystream_buffer.v8[14]; + *buf++ ^= c->keystream_buffer.v8[15]; + } else { + b = (uint32_t *)buf; + *b++ ^= c->keystream_buffer.v32[0]; + *b++ ^= c->keystream_buffer.v32[1]; + *b++ ^= c->keystream_buffer.v32[2]; + *b++ ^= c->keystream_buffer.v32[3]; + buf = (uint8_t *)b; + } +#endif /* #if ALIGN_32 */ + } + + /* if there is a tail end of the data, process it */ + if ((bytes_to_encr & 0xf) != 0) { + /* fill buffer with new keystream */ + srtp_aes_icm_advance(c); + + for (i = 0; i < (bytes_to_encr & 0xf); i++) { + *buf++ ^= c->keystream_buffer.v8[i]; + } + + /* reset the keystream buffer size to right value */ + c->bytes_in_buffer = sizeof(v128_t) - i; + } else { + /* no tail, so just reset the keystream buffer size to zero */ + c->bytes_in_buffer = 0; + } + + return srtp_err_status_ok; +} + +static const char srtp_aes_icm_128_description[] = + "AES-128 integer counter mode"; +static const char srtp_aes_icm_256_description[] = + "AES-256 integer counter mode"; + +/* clang-format off */ +static const uint8_t srtp_aes_icm_128_test_case_0_key[SRTP_AES_ICM_128_KEY_LEN_WSALT] = { + 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, + 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c, + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, + 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd +}; +/* clang-format on */ + +/* clang-format off */ +static uint8_t srtp_aes_icm_128_test_case_0_nonce[16] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_128_test_case_0_plaintext[32] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_128_test_case_0_ciphertext[32] = { + 0xe0, 0x3e, 0xad, 0x09, 0x35, 0xc9, 0x5e, 0x80, + 0xe1, 0x66, 0xb1, 0x6d, 0xd9, 0x2b, 0x4e, 0xb4, + 0xd2, 0x35, 0x13, 0x16, 0x2b, 0x02, 0xd0, 0xf7, + 0x2a, 0x43, 0xa2, 0xfe, 0x4a, 0x5f, 0x97, 0xab +}; +/* clang-format on */ + +static const srtp_cipher_test_case_t srtp_aes_icm_128_test_case_0 = { + SRTP_AES_ICM_128_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_icm_128_test_case_0_key, /* key */ + srtp_aes_icm_128_test_case_0_nonce, /* packet index */ + 32, /* octets in plaintext */ + srtp_aes_icm_128_test_case_0_plaintext, /* plaintext */ + 32, /* octets in ciphertext */ + srtp_aes_icm_128_test_case_0_ciphertext, /* ciphertext */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL /* pointer to next testcase */ +}; + +/* clang-format off */ +static const uint8_t srtp_aes_icm_256_test_case_0_key[SRTP_AES_ICM_256_KEY_LEN_WSALT] = { + 0x57, 0xf8, 0x2f, 0xe3, 0x61, 0x3f, 0xd1, 0x70, + 0xa8, 0x5e, 0xc9, 0x3c, 0x40, 0xb1, 0xf0, 0x92, + 0x2e, 0xc4, 0xcb, 0x0d, 0xc0, 0x25, 0xb5, 0x82, + 0x72, 0x14, 0x7c, 0xc4, 0x38, 0x94, 0x4a, 0x98, + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, + 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd +}; +/* clang-format on */ + +/* clang-format off */ +static uint8_t srtp_aes_icm_256_test_case_0_nonce[16] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_256_test_case_0_plaintext[32] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_256_test_case_0_ciphertext[32] = { + 0x92, 0xbd, 0xd2, 0x8a, 0x93, 0xc3, 0xf5, 0x25, + 0x11, 0xc6, 0x77, 0xd0, 0x8b, 0x55, 0x15, 0xa4, + 0x9d, 0xa7, 0x1b, 0x23, 0x78, 0xa8, 0x54, 0xf6, + 0x70, 0x50, 0x75, 0x6d, 0xed, 0x16, 0x5b, 0xac +}; +/* clang-format on */ + +static const srtp_cipher_test_case_t srtp_aes_icm_256_test_case_0 = { + SRTP_AES_ICM_256_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_icm_256_test_case_0_key, /* key */ + srtp_aes_icm_256_test_case_0_nonce, /* packet index */ + 32, /* octets in plaintext */ + srtp_aes_icm_256_test_case_0_plaintext, /* plaintext */ + 32, /* octets in ciphertext */ + srtp_aes_icm_256_test_case_0_ciphertext, /* ciphertext */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL, /* pointer to next testcase */ +}; + +/* + * note: the encrypt function is identical to the decrypt function + */ + +const srtp_cipher_type_t srtp_aes_icm_128 = { + srtp_aes_icm_alloc, /* */ + srtp_aes_icm_dealloc, /* */ + srtp_aes_icm_context_init, /* */ + 0, /* set_aad */ + srtp_aes_icm_encrypt, /* */ + srtp_aes_icm_encrypt, /* */ + srtp_aes_icm_set_iv, /* */ + 0, /* get_tag */ + srtp_aes_icm_128_description, /* */ + &srtp_aes_icm_128_test_case_0, /* */ + SRTP_AES_ICM_128 /* */ +}; + +const srtp_cipher_type_t srtp_aes_icm_256 = { + srtp_aes_icm_alloc, /* */ + srtp_aes_icm_dealloc, /* */ + srtp_aes_icm_context_init, /* */ + 0, /* set_aad */ + srtp_aes_icm_encrypt, /* */ + srtp_aes_icm_encrypt, /* */ + srtp_aes_icm_set_iv, /* */ + 0, /* get_tag */ + srtp_aes_icm_256_description, /* */ + &srtp_aes_icm_256_test_case_0, /* */ + SRTP_AES_ICM_256 /* */ +}; diff --git a/netwerk/srtp/src/crypto/cipher/aes_icm_nss.c b/netwerk/srtp/src/crypto/cipher/aes_icm_nss.c new file mode 100644 index 0000000000..c64335f416 --- /dev/null +++ b/netwerk/srtp/src/crypto/cipher/aes_icm_nss.c @@ -0,0 +1,550 @@ +/* + * aes_icm_nss.c + * + * AES Integer Counter Mode + * + * Richard L. Barnes + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2013-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "aes_icm_ext.h" +#include "crypto_types.h" +#include "err.h" /* for srtp_debug */ +#include "alloc.h" +#include "cipher_types.h" +#include <nss.h> + +srtp_debug_module_t srtp_mod_aes_icm = { + 0, /* debugging is off by default */ + "aes icm nss" /* printable module name */ +}; + +/* + * integer counter mode works as follows: + * + * 16 bits + * <-----> + * +------+------+------+------+------+------+------+------+ + * | nonce | packet index | ctr |---+ + * +------+------+------+------+------+------+------+------+ | + * | + * +------+------+------+------+------+------+------+------+ v + * | salt |000000|->(+) + * +------+------+------+------+------+------+------+------+ | + * | + * +---------+ + * | encrypt | + * +---------+ + * | + * +------+------+------+------+------+------+------+------+ | + * | keystream block |<--+ + * +------+------+------+------+------+------+------+------+ + * + * All fields are big-endian + * + * ctr is the block counter, which increments from zero for + * each packet (16 bits wide) + * + * packet index is distinct for each packet (48 bits wide) + * + * nonce can be distinct across many uses of the same key, or + * can be a fixed value per key, or can be per-packet randomness + * (64 bits) + * + */ + +/* + * This function allocates a new instance of this crypto engine. + * The key_len parameter should be one of 30, 38, or 46 for + * AES-128, AES-192, and AES-256 respectively. Note, this key_len + * value is inflated, as it also accounts for the 112 bit salt + * value. The tlen argument is for the AEAD tag length, which + * isn't used in counter mode. + */ +static srtp_err_status_t srtp_aes_icm_nss_alloc(srtp_cipher_t **c, + int key_len, + int tlen) +{ + srtp_aes_icm_ctx_t *icm; + + debug_print(srtp_mod_aes_icm, "allocating cipher with key length %d", + key_len); + + /* + * Verify the key_len is valid for one of: AES-128/192/256 + */ + if (key_len != SRTP_AES_ICM_128_KEY_LEN_WSALT && + key_len != SRTP_AES_ICM_192_KEY_LEN_WSALT && + key_len != SRTP_AES_ICM_256_KEY_LEN_WSALT) { + return srtp_err_status_bad_param; + } + + /* Initialize NSS */ + if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) != SECSuccess) { + return (srtp_err_status_cipher_fail); + } + + /* allocate memory a cipher of type aes_icm */ + *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t)); + if (*c == NULL) { + return srtp_err_status_alloc_fail; + } + + icm = (srtp_aes_icm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_icm_ctx_t)); + if (icm == NULL) { + srtp_crypto_free(*c); + *c = NULL; + return srtp_err_status_alloc_fail; + } + + icm->key = NULL; + icm->ctx = NULL; + + /* set pointers */ + (*c)->state = icm; + + /* setup cipher parameters */ + switch (key_len) { + case SRTP_AES_ICM_128_KEY_LEN_WSALT: + (*c)->algorithm = SRTP_AES_ICM_128; + (*c)->type = &srtp_aes_icm_128; + icm->key_size = SRTP_AES_128_KEY_LEN; + break; + case SRTP_AES_ICM_192_KEY_LEN_WSALT: + (*c)->algorithm = SRTP_AES_ICM_192; + (*c)->type = &srtp_aes_icm_192; + icm->key_size = SRTP_AES_192_KEY_LEN; + break; + case SRTP_AES_ICM_256_KEY_LEN_WSALT: + (*c)->algorithm = SRTP_AES_ICM_256; + (*c)->type = &srtp_aes_icm_256; + icm->key_size = SRTP_AES_256_KEY_LEN; + break; + } + + /* set key size */ + (*c)->key_len = key_len; + + return srtp_err_status_ok; +} + +/* + * This function deallocates an instance of this engine + */ +static srtp_err_status_t srtp_aes_icm_nss_dealloc(srtp_cipher_t *c) +{ + srtp_aes_icm_ctx_t *ctx; + + ctx = (srtp_aes_icm_ctx_t *)c->state; + if (ctx) { + /* free any PK11 values that have been created */ + if (ctx->key) { + PK11_FreeSymKey(ctx->key); + ctx->key = NULL; + } + + if (ctx->ctx) { + PK11_DestroyContext(ctx->ctx, PR_TRUE); + ctx->ctx = NULL; + } + + /* zeroize everything */ + octet_string_set_to_zero(ctx, sizeof(srtp_aes_icm_ctx_t)); + srtp_crypto_free(ctx); + } + + /* free memory */ + srtp_crypto_free(c); + + return (srtp_err_status_ok); +} + +/* + * aes_icm_nss_context_init(...) initializes the aes_icm_context + * using the value in key[]. + * + * the key is the secret key + * + * the salt is unpredictable (but not necessarily secret) data which + * randomizes the starting point in the keystream + */ +static srtp_err_status_t srtp_aes_icm_nss_context_init(void *cv, + const uint8_t *key) +{ + srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; + + /* + * set counter and initial values to 'offset' value, being careful not to + * go past the end of the key buffer + */ + v128_set_to_zero(&c->counter); + v128_set_to_zero(&c->offset); + memcpy(&c->counter, key + c->key_size, SRTP_SALT_LEN); + memcpy(&c->offset, key + c->key_size, SRTP_SALT_LEN); + + /* force last two octets of the offset to zero (for srtp compatibility) */ + c->offset.v8[SRTP_SALT_LEN] = c->offset.v8[SRTP_SALT_LEN + 1] = 0; + c->counter.v8[SRTP_SALT_LEN] = c->counter.v8[SRTP_SALT_LEN + 1] = 0; + + debug_print(srtp_mod_aes_icm, "key: %s", + srtp_octet_string_hex_string(key, c->key_size)); + debug_print(srtp_mod_aes_icm, "offset: %s", v128_hex_string(&c->offset)); + + if (c->key) { + PK11_FreeSymKey(c->key); + c->key = NULL; + } + + PK11SlotInfo *slot = PK11_GetBestSlot(CKM_AES_CTR, NULL); + if (!slot) { + return srtp_err_status_bad_param; + } + + SECItem keyItem = { siBuffer, (unsigned char *)key, c->key_size }; + c->key = PK11_ImportSymKey(slot, CKM_AES_CTR, PK11_OriginUnwrap, + CKA_ENCRYPT, &keyItem, NULL); + PK11_FreeSlot(slot); + + if (!c->key) { + return srtp_err_status_cipher_fail; + } + + return (srtp_err_status_ok); +} + +/* + * aes_icm_set_iv(c, iv) sets the counter value to the exor of iv with + * the offset + */ +static srtp_err_status_t srtp_aes_icm_nss_set_iv(void *cv, + uint8_t *iv, + srtp_cipher_direction_t dir) +{ + srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; + v128_t nonce; + + /* set nonce (for alignment) */ + v128_copy_octet_string(&nonce, iv); + + debug_print(srtp_mod_aes_icm, "setting iv: %s", v128_hex_string(&nonce)); + + v128_xor(&c->counter, &c->offset, &nonce); + + debug_print(srtp_mod_aes_icm, "set_counter: %s", + v128_hex_string(&c->counter)); + + /* set up the PK11 context now that we have all the info */ + CK_AES_CTR_PARAMS param; + param.ulCounterBits = 16; + memcpy(param.cb, &c->counter, 16); + + if (!c->key) { + return srtp_err_status_bad_param; + } + + if (c->ctx) { + PK11_DestroyContext(c->ctx, PR_TRUE); + } + + SECItem paramItem = { siBuffer, (unsigned char *)¶m, + sizeof(CK_AES_CTR_PARAMS) }; + c->ctx = PK11_CreateContextBySymKey(CKM_AES_CTR, CKA_ENCRYPT, c->key, + ¶mItem); + if (!c->ctx) { + return srtp_err_status_cipher_fail; + } + + return srtp_err_status_ok; +} + +/* + * This function encrypts a buffer using AES CTR mode + * + * Parameters: + * c Crypto context + * buf data to encrypt + * enc_len length of encrypt buffer + */ +static srtp_err_status_t srtp_aes_icm_nss_encrypt(void *cv, + unsigned char *buf, + unsigned int *enc_len) +{ + srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; + + if (!c->ctx) { + return srtp_err_status_bad_param; + } + + int rv = + PK11_CipherOp(c->ctx, buf, (int *)enc_len, *enc_len, buf, *enc_len); + + srtp_err_status_t status = (srtp_err_status_ok); + if (rv != SECSuccess) { + status = (srtp_err_status_cipher_fail); + } + + return status; +} + +/* + * Name of this crypto engine + */ +static const char srtp_aes_icm_128_nss_description[] = + "AES-128 counter mode using NSS"; +static const char srtp_aes_icm_192_nss_description[] = + "AES-192 counter mode using NSS"; +static const char srtp_aes_icm_256_nss_description[] = + "AES-256 counter mode using NSS"; + +/* + * KAT values for AES self-test. These + * values came from the legacy libsrtp code. + */ +/* clang-format off */ +static const uint8_t srtp_aes_icm_128_test_case_0_key[SRTP_AES_ICM_128_KEY_LEN_WSALT] = { + 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, + 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c, + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, + 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd +}; +/* clang-format on */ + +/* clang-format off */ +static uint8_t srtp_aes_icm_128_test_case_0_nonce[16] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_128_test_case_0_plaintext[32] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_128_test_case_0_ciphertext[32] = { + 0xe0, 0x3e, 0xad, 0x09, 0x35, 0xc9, 0x5e, 0x80, + 0xe1, 0x66, 0xb1, 0x6d, 0xd9, 0x2b, 0x4e, 0xb4, + 0xd2, 0x35, 0x13, 0x16, 0x2b, 0x02, 0xd0, 0xf7, + 0x2a, 0x43, 0xa2, 0xfe, 0x4a, 0x5f, 0x97, 0xab +}; +/* clang-format on */ + +static const srtp_cipher_test_case_t srtp_aes_icm_128_test_case_0 = { + SRTP_AES_ICM_128_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_icm_128_test_case_0_key, /* key */ + srtp_aes_icm_128_test_case_0_nonce, /* packet index */ + 32, /* octets in plaintext */ + srtp_aes_icm_128_test_case_0_plaintext, /* plaintext */ + 32, /* octets in ciphertext */ + srtp_aes_icm_128_test_case_0_ciphertext, /* ciphertext */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL /* pointer to next testcase */ +}; + +/* + * KAT values for AES-192-CTR self-test. These + * values came from section 7 of RFC 6188. + */ +/* clang-format off */ +static const uint8_t srtp_aes_icm_192_test_case_0_key[SRTP_AES_ICM_192_KEY_LEN_WSALT] = { + 0xea, 0xb2, 0x34, 0x76, 0x4e, 0x51, 0x7b, 0x2d, + 0x3d, 0x16, 0x0d, 0x58, 0x7d, 0x8c, 0x86, 0x21, + 0x97, 0x40, 0xf6, 0x5f, 0x99, 0xb6, 0xbc, 0xf7, + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, + 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd +}; +/* clang-format on */ + +/* clang-format off */ +static uint8_t srtp_aes_icm_192_test_case_0_nonce[16] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_192_test_case_0_plaintext[32] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_192_test_case_0_ciphertext[32] = { + 0x35, 0x09, 0x6c, 0xba, 0x46, 0x10, 0x02, 0x8d, + 0xc1, 0xb5, 0x75, 0x03, 0x80, 0x4c, 0xe3, 0x7c, + 0x5d, 0xe9, 0x86, 0x29, 0x1d, 0xcc, 0xe1, 0x61, + 0xd5, 0x16, 0x5e, 0xc4, 0x56, 0x8f, 0x5c, 0x9a +}; +/* clang-format on */ + +static const srtp_cipher_test_case_t srtp_aes_icm_192_test_case_0 = { + SRTP_AES_ICM_192_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_icm_192_test_case_0_key, /* key */ + srtp_aes_icm_192_test_case_0_nonce, /* packet index */ + 32, /* octets in plaintext */ + srtp_aes_icm_192_test_case_0_plaintext, /* plaintext */ + 32, /* octets in ciphertext */ + srtp_aes_icm_192_test_case_0_ciphertext, /* ciphertext */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL /* pointer to next testcase */ +}; + +/* + * KAT values for AES-256-CTR self-test. These + * values came from section 7 of RFC 6188. + */ +/* clang-format off */ +static const uint8_t srtp_aes_icm_256_test_case_0_key[SRTP_AES_ICM_256_KEY_LEN_WSALT] = { + 0x57, 0xf8, 0x2f, 0xe3, 0x61, 0x3f, 0xd1, 0x70, + 0xa8, 0x5e, 0xc9, 0x3c, 0x40, 0xb1, 0xf0, 0x92, + 0x2e, 0xc4, 0xcb, 0x0d, 0xc0, 0x25, 0xb5, 0x82, + 0x72, 0x14, 0x7c, 0xc4, 0x38, 0x94, 0x4a, 0x98, + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, + 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd +}; +/* clang-format on */ + +/* clang-format off */ +static uint8_t srtp_aes_icm_256_test_case_0_nonce[16] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_256_test_case_0_plaintext[32] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_256_test_case_0_ciphertext[32] = { + 0x92, 0xbd, 0xd2, 0x8a, 0x93, 0xc3, 0xf5, 0x25, + 0x11, 0xc6, 0x77, 0xd0, 0x8b, 0x55, 0x15, 0xa4, + 0x9d, 0xa7, 0x1b, 0x23, 0x78, 0xa8, 0x54, 0xf6, + 0x70, 0x50, 0x75, 0x6d, 0xed, 0x16, 0x5b, 0xac +}; +/* clang-format on */ + +static const srtp_cipher_test_case_t srtp_aes_icm_256_test_case_0 = { + SRTP_AES_ICM_256_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_icm_256_test_case_0_key, /* key */ + srtp_aes_icm_256_test_case_0_nonce, /* packet index */ + 32, /* octets in plaintext */ + srtp_aes_icm_256_test_case_0_plaintext, /* plaintext */ + 32, /* octets in ciphertext */ + srtp_aes_icm_256_test_case_0_ciphertext, /* ciphertext */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL /* pointer to next testcase */ +}; + +/* + * This is the function table for this crypto engine. + * note: the encrypt function is identical to the decrypt function + */ +const srtp_cipher_type_t srtp_aes_icm_128 = { + srtp_aes_icm_nss_alloc, /* */ + srtp_aes_icm_nss_dealloc, /* */ + srtp_aes_icm_nss_context_init, /* */ + 0, /* set_aad */ + srtp_aes_icm_nss_encrypt, /* */ + srtp_aes_icm_nss_encrypt, /* */ + srtp_aes_icm_nss_set_iv, /* */ + 0, /* get_tag */ + srtp_aes_icm_128_nss_description, /* */ + &srtp_aes_icm_128_test_case_0, /* */ + SRTP_AES_ICM_128 /* */ +}; + +/* + * This is the function table for this crypto engine. + * note: the encrypt function is identical to the decrypt function + */ +const srtp_cipher_type_t srtp_aes_icm_192 = { + srtp_aes_icm_nss_alloc, /* */ + srtp_aes_icm_nss_dealloc, /* */ + srtp_aes_icm_nss_context_init, /* */ + 0, /* set_aad */ + srtp_aes_icm_nss_encrypt, /* */ + srtp_aes_icm_nss_encrypt, /* */ + srtp_aes_icm_nss_set_iv, /* */ + 0, /* get_tag */ + srtp_aes_icm_192_nss_description, /* */ + &srtp_aes_icm_192_test_case_0, /* */ + SRTP_AES_ICM_192 /* */ +}; + +/* + * This is the function table for this crypto engine. + * note: the encrypt function is identical to the decrypt function + */ +const srtp_cipher_type_t srtp_aes_icm_256 = { + srtp_aes_icm_nss_alloc, /* */ + srtp_aes_icm_nss_dealloc, /* */ + srtp_aes_icm_nss_context_init, /* */ + 0, /* set_aad */ + srtp_aes_icm_nss_encrypt, /* */ + srtp_aes_icm_nss_encrypt, /* */ + srtp_aes_icm_nss_set_iv, /* */ + 0, /* get_tag */ + srtp_aes_icm_256_nss_description, /* */ + &srtp_aes_icm_256_test_case_0, /* */ + SRTP_AES_ICM_256 /* */ +}; diff --git a/netwerk/srtp/src/crypto/cipher/aes_icm_ossl.c b/netwerk/srtp/src/crypto/cipher/aes_icm_ossl.c new file mode 100644 index 0000000000..a9b14d3972 --- /dev/null +++ b/netwerk/srtp/src/crypto/cipher/aes_icm_ossl.c @@ -0,0 +1,540 @@ +/* + * aes_icm_ossl.c + * + * AES Integer Counter Mode + * + * John A. Foley + * Cisco Systems, Inc. + * + * 2/24/2012: This module was modified to use CiscoSSL for AES counter + * mode. Eddy Lem contributed the code to allow this. + * + * 12/20/2012: Added support for AES-192 and AES-256. + */ + +/* + * + * Copyright (c) 2013-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <openssl/evp.h> +#include "aes_icm_ext.h" +#include "crypto_types.h" +#include "err.h" /* for srtp_debug */ +#include "alloc.h" +#include "cipher_types.h" + +srtp_debug_module_t srtp_mod_aes_icm = { + 0, /* debugging is off by default */ + "aes icm ossl" /* printable module name */ +}; + +/* + * integer counter mode works as follows: + * + * 16 bits + * <-----> + * +------+------+------+------+------+------+------+------+ + * | nonce | packet index | ctr |---+ + * +------+------+------+------+------+------+------+------+ | + * | + * +------+------+------+------+------+------+------+------+ v + * | salt |000000|->(+) + * +------+------+------+------+------+------+------+------+ | + * | + * +---------+ + * | encrypt | + * +---------+ + * | + * +------+------+------+------+------+------+------+------+ | + * | keystream block |<--+ + * +------+------+------+------+------+------+------+------+ + * + * All fields are big-endian + * + * ctr is the block counter, which increments from zero for + * each packet (16 bits wide) + * + * packet index is distinct for each packet (48 bits wide) + * + * nonce can be distinct across many uses of the same key, or + * can be a fixed value per key, or can be per-packet randomness + * (64 bits) + * + */ + +/* + * This function allocates a new instance of this crypto engine. + * The key_len parameter should be one of 30, 38, or 46 for + * AES-128, AES-192, and AES-256 respectively. Note, this key_len + * value is inflated, as it also accounts for the 112 bit salt + * value. The tlen argument is for the AEAD tag length, which + * isn't used in counter mode. + */ +static srtp_err_status_t srtp_aes_icm_openssl_alloc(srtp_cipher_t **c, + int key_len, + int tlen) +{ + srtp_aes_icm_ctx_t *icm; + + debug_print(srtp_mod_aes_icm, "allocating cipher with key length %d", + key_len); + + /* + * Verify the key_len is valid for one of: AES-128/192/256 + */ + if (key_len != SRTP_AES_ICM_128_KEY_LEN_WSALT && + key_len != SRTP_AES_ICM_192_KEY_LEN_WSALT && + key_len != SRTP_AES_ICM_256_KEY_LEN_WSALT) { + return srtp_err_status_bad_param; + } + + /* allocate memory a cipher of type aes_icm */ + *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t)); + if (*c == NULL) { + return srtp_err_status_alloc_fail; + } + + icm = (srtp_aes_icm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_icm_ctx_t)); + if (icm == NULL) { + srtp_crypto_free(*c); + *c = NULL; + return srtp_err_status_alloc_fail; + } + + icm->ctx = EVP_CIPHER_CTX_new(); + if (icm->ctx == NULL) { + srtp_crypto_free(icm); + srtp_crypto_free(*c); + *c = NULL; + return srtp_err_status_alloc_fail; + } + + /* set pointers */ + (*c)->state = icm; + + /* setup cipher parameters */ + switch (key_len) { + case SRTP_AES_ICM_128_KEY_LEN_WSALT: + (*c)->algorithm = SRTP_AES_ICM_128; + (*c)->type = &srtp_aes_icm_128; + icm->key_size = SRTP_AES_128_KEY_LEN; + break; + case SRTP_AES_ICM_192_KEY_LEN_WSALT: + (*c)->algorithm = SRTP_AES_ICM_192; + (*c)->type = &srtp_aes_icm_192; + icm->key_size = SRTP_AES_192_KEY_LEN; + break; + case SRTP_AES_ICM_256_KEY_LEN_WSALT: + (*c)->algorithm = SRTP_AES_ICM_256; + (*c)->type = &srtp_aes_icm_256; + icm->key_size = SRTP_AES_256_KEY_LEN; + break; + } + + /* set key size */ + (*c)->key_len = key_len; + + return srtp_err_status_ok; +} + +/* + * This function deallocates an instance of this engine + */ +static srtp_err_status_t srtp_aes_icm_openssl_dealloc(srtp_cipher_t *c) +{ + srtp_aes_icm_ctx_t *ctx; + + if (c == NULL) { + return srtp_err_status_bad_param; + } + + /* + * Free the EVP context + */ + ctx = (srtp_aes_icm_ctx_t *)c->state; + if (ctx != NULL) { + EVP_CIPHER_CTX_free(ctx->ctx); + /* zeroize the key material */ + octet_string_set_to_zero(ctx, sizeof(srtp_aes_icm_ctx_t)); + srtp_crypto_free(ctx); + } + + /* free memory */ + srtp_crypto_free(c); + + return srtp_err_status_ok; +} + +/* + * aes_icm_openssl_context_init(...) initializes the aes_icm_context + * using the value in key[]. + * + * the key is the secret key + * + * the salt is unpredictable (but not necessarily secret) data which + * randomizes the starting point in the keystream + */ +static srtp_err_status_t srtp_aes_icm_openssl_context_init(void *cv, + const uint8_t *key) +{ + srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; + const EVP_CIPHER *evp; + + /* + * set counter and initial values to 'offset' value, being careful not to + * go past the end of the key buffer + */ + v128_set_to_zero(&c->counter); + v128_set_to_zero(&c->offset); + memcpy(&c->counter, key + c->key_size, SRTP_SALT_LEN); + memcpy(&c->offset, key + c->key_size, SRTP_SALT_LEN); + + /* force last two octets of the offset to zero (for srtp compatibility) */ + c->offset.v8[SRTP_SALT_LEN] = c->offset.v8[SRTP_SALT_LEN + 1] = 0; + c->counter.v8[SRTP_SALT_LEN] = c->counter.v8[SRTP_SALT_LEN + 1] = 0; + + debug_print(srtp_mod_aes_icm, "key: %s", + srtp_octet_string_hex_string(key, c->key_size)); + debug_print(srtp_mod_aes_icm, "offset: %s", v128_hex_string(&c->offset)); + + switch (c->key_size) { + case SRTP_AES_256_KEY_LEN: + evp = EVP_aes_256_ctr(); + break; + case SRTP_AES_192_KEY_LEN: + evp = EVP_aes_192_ctr(); + break; + case SRTP_AES_128_KEY_LEN: + evp = EVP_aes_128_ctr(); + break; + default: + return srtp_err_status_bad_param; + break; + } + + if (!EVP_EncryptInit_ex(c->ctx, evp, NULL, key, NULL)) { + return srtp_err_status_fail; + } else { + return srtp_err_status_ok; + } + + return srtp_err_status_ok; +} + +/* + * aes_icm_set_iv(c, iv) sets the counter value to the exor of iv with + * the offset + */ +static srtp_err_status_t srtp_aes_icm_openssl_set_iv( + void *cv, + uint8_t *iv, + srtp_cipher_direction_t dir) +{ + srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; + v128_t nonce; + + /* set nonce (for alignment) */ + v128_copy_octet_string(&nonce, iv); + + debug_print(srtp_mod_aes_icm, "setting iv: %s", v128_hex_string(&nonce)); + + v128_xor(&c->counter, &c->offset, &nonce); + + debug_print(srtp_mod_aes_icm, "set_counter: %s", + v128_hex_string(&c->counter)); + + if (!EVP_EncryptInit_ex(c->ctx, NULL, NULL, NULL, c->counter.v8)) { + return srtp_err_status_fail; + } else { + return srtp_err_status_ok; + } +} + +/* + * This function encrypts a buffer using AES CTR mode + * + * Parameters: + * c Crypto context + * buf data to encrypt + * enc_len length of encrypt buffer + */ +static srtp_err_status_t srtp_aes_icm_openssl_encrypt(void *cv, + unsigned char *buf, + unsigned int *enc_len) +{ + srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; + int len = 0; + + debug_print(srtp_mod_aes_icm, "rs0: %s", v128_hex_string(&c->counter)); + + if (!EVP_EncryptUpdate(c->ctx, buf, &len, buf, *enc_len)) { + return srtp_err_status_cipher_fail; + } + *enc_len = len; + + if (!EVP_EncryptFinal_ex(c->ctx, buf, &len)) { + return srtp_err_status_cipher_fail; + } + *enc_len += len; + + return srtp_err_status_ok; +} + +/* + * Name of this crypto engine + */ +static const char srtp_aes_icm_128_openssl_description[] = + "AES-128 counter mode using openssl"; +static const char srtp_aes_icm_192_openssl_description[] = + "AES-192 counter mode using openssl"; +static const char srtp_aes_icm_256_openssl_description[] = + "AES-256 counter mode using openssl"; + +/* + * KAT values for AES self-test. These + * values came from the legacy libsrtp code. + */ +/* clang-format off */ +static const uint8_t srtp_aes_icm_128_test_case_0_key[SRTP_AES_ICM_128_KEY_LEN_WSALT] = { + 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, + 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c, + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, + 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd +}; +/* clang-format on */ + +/* clang-format off */ +static uint8_t srtp_aes_icm_128_test_case_0_nonce[16] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_128_test_case_0_plaintext[32] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_128_test_case_0_ciphertext[32] = { + 0xe0, 0x3e, 0xad, 0x09, 0x35, 0xc9, 0x5e, 0x80, + 0xe1, 0x66, 0xb1, 0x6d, 0xd9, 0x2b, 0x4e, 0xb4, + 0xd2, 0x35, 0x13, 0x16, 0x2b, 0x02, 0xd0, 0xf7, + 0x2a, 0x43, 0xa2, 0xfe, 0x4a, 0x5f, 0x97, 0xab +}; +/* clang-format on */ + +static const srtp_cipher_test_case_t srtp_aes_icm_128_test_case_0 = { + SRTP_AES_ICM_128_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_icm_128_test_case_0_key, /* key */ + srtp_aes_icm_128_test_case_0_nonce, /* packet index */ + 32, /* octets in plaintext */ + srtp_aes_icm_128_test_case_0_plaintext, /* plaintext */ + 32, /* octets in ciphertext */ + srtp_aes_icm_128_test_case_0_ciphertext, /* ciphertext */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL /* pointer to next testcase */ +}; + +/* + * KAT values for AES-192-CTR self-test. These + * values came from section 7 of RFC 6188. + */ +/* clang-format off */ +static const uint8_t srtp_aes_icm_192_test_case_0_key[SRTP_AES_ICM_192_KEY_LEN_WSALT] = { + 0xea, 0xb2, 0x34, 0x76, 0x4e, 0x51, 0x7b, 0x2d, + 0x3d, 0x16, 0x0d, 0x58, 0x7d, 0x8c, 0x86, 0x21, + 0x97, 0x40, 0xf6, 0x5f, 0x99, 0xb6, 0xbc, 0xf7, + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, + 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd +}; +/* clang-format on */ + +/* clang-format off */ +static uint8_t srtp_aes_icm_192_test_case_0_nonce[16] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_192_test_case_0_plaintext[32] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_192_test_case_0_ciphertext[32] = { + 0x35, 0x09, 0x6c, 0xba, 0x46, 0x10, 0x02, 0x8d, + 0xc1, 0xb5, 0x75, 0x03, 0x80, 0x4c, 0xe3, 0x7c, + 0x5d, 0xe9, 0x86, 0x29, 0x1d, 0xcc, 0xe1, 0x61, + 0xd5, 0x16, 0x5e, 0xc4, 0x56, 0x8f, 0x5c, 0x9a +}; +/* clang-format on */ + +static const srtp_cipher_test_case_t srtp_aes_icm_192_test_case_0 = { + SRTP_AES_ICM_192_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_icm_192_test_case_0_key, /* key */ + srtp_aes_icm_192_test_case_0_nonce, /* packet index */ + 32, /* octets in plaintext */ + srtp_aes_icm_192_test_case_0_plaintext, /* plaintext */ + 32, /* octets in ciphertext */ + srtp_aes_icm_192_test_case_0_ciphertext, /* ciphertext */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL /* pointer to next testcase */ +}; + +/* + * KAT values for AES-256-CTR self-test. These + * values came from section 7 of RFC 6188. + */ +/* clang-format off */ +static const uint8_t srtp_aes_icm_256_test_case_0_key[SRTP_AES_ICM_256_KEY_LEN_WSALT] = { + 0x57, 0xf8, 0x2f, 0xe3, 0x61, 0x3f, 0xd1, 0x70, + 0xa8, 0x5e, 0xc9, 0x3c, 0x40, 0xb1, 0xf0, 0x92, + 0x2e, 0xc4, 0xcb, 0x0d, 0xc0, 0x25, 0xb5, 0x82, + 0x72, 0x14, 0x7c, 0xc4, 0x38, 0x94, 0x4a, 0x98, + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, + 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd +}; +/* clang-format on */ + +/* clang-format off */ +static uint8_t srtp_aes_icm_256_test_case_0_nonce[16] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_256_test_case_0_plaintext[32] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_aes_icm_256_test_case_0_ciphertext[32] = { + 0x92, 0xbd, 0xd2, 0x8a, 0x93, 0xc3, 0xf5, 0x25, + 0x11, 0xc6, 0x77, 0xd0, 0x8b, 0x55, 0x15, 0xa4, + 0x9d, 0xa7, 0x1b, 0x23, 0x78, 0xa8, 0x54, 0xf6, + 0x70, 0x50, 0x75, 0x6d, 0xed, 0x16, 0x5b, 0xac +}; +/* clang-format on */ + +static const srtp_cipher_test_case_t srtp_aes_icm_256_test_case_0 = { + SRTP_AES_ICM_256_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_icm_256_test_case_0_key, /* key */ + srtp_aes_icm_256_test_case_0_nonce, /* packet index */ + 32, /* octets in plaintext */ + srtp_aes_icm_256_test_case_0_plaintext, /* plaintext */ + 32, /* octets in ciphertext */ + srtp_aes_icm_256_test_case_0_ciphertext, /* ciphertext */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL /* pointer to next testcase */ +}; + +/* + * This is the function table for this crypto engine. + * note: the encrypt function is identical to the decrypt function + */ +const srtp_cipher_type_t srtp_aes_icm_128 = { + srtp_aes_icm_openssl_alloc, /* */ + srtp_aes_icm_openssl_dealloc, /* */ + srtp_aes_icm_openssl_context_init, /* */ + 0, /* set_aad */ + srtp_aes_icm_openssl_encrypt, /* */ + srtp_aes_icm_openssl_encrypt, /* */ + srtp_aes_icm_openssl_set_iv, /* */ + 0, /* get_tag */ + srtp_aes_icm_128_openssl_description, /* */ + &srtp_aes_icm_128_test_case_0, /* */ + SRTP_AES_ICM_128 /* */ +}; + +/* + * This is the function table for this crypto engine. + * note: the encrypt function is identical to the decrypt function + */ +const srtp_cipher_type_t srtp_aes_icm_192 = { + srtp_aes_icm_openssl_alloc, /* */ + srtp_aes_icm_openssl_dealloc, /* */ + srtp_aes_icm_openssl_context_init, /* */ + 0, /* set_aad */ + srtp_aes_icm_openssl_encrypt, /* */ + srtp_aes_icm_openssl_encrypt, /* */ + srtp_aes_icm_openssl_set_iv, /* */ + 0, /* get_tag */ + srtp_aes_icm_192_openssl_description, /* */ + &srtp_aes_icm_192_test_case_0, /* */ + SRTP_AES_ICM_192 /* */ +}; + +/* + * This is the function table for this crypto engine. + * note: the encrypt function is identical to the decrypt function + */ +const srtp_cipher_type_t srtp_aes_icm_256 = { + srtp_aes_icm_openssl_alloc, /* */ + srtp_aes_icm_openssl_dealloc, /* */ + srtp_aes_icm_openssl_context_init, /* */ + 0, /* set_aad */ + srtp_aes_icm_openssl_encrypt, /* */ + srtp_aes_icm_openssl_encrypt, /* */ + srtp_aes_icm_openssl_set_iv, /* */ + 0, /* get_tag */ + srtp_aes_icm_256_openssl_description, /* */ + &srtp_aes_icm_256_test_case_0, /* */ + SRTP_AES_ICM_256 /* */ +}; diff --git a/netwerk/srtp/src/crypto/cipher/cipher.c b/netwerk/srtp/src/crypto/cipher/cipher.c new file mode 100644 index 0000000000..19f00abc55 --- /dev/null +++ b/netwerk/srtp/src/crypto/cipher/cipher.c @@ -0,0 +1,679 @@ +/* + * cipher.c + * + * cipher meta-functions + * + * David A. McGrew + * Cisco Systems, Inc. + * + */ + +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "cipher.h" +#include "crypto_types.h" +#include "err.h" /* for srtp_debug */ +#include "alloc.h" /* for crypto_alloc(), crypto_free() */ + +srtp_debug_module_t srtp_mod_cipher = { + 0, /* debugging is off by default */ + "cipher" /* printable module name */ +}; + +srtp_err_status_t srtp_cipher_type_alloc(const srtp_cipher_type_t *ct, + srtp_cipher_t **c, + int key_len, + int tlen) +{ + if (!ct || !ct->alloc) { + return (srtp_err_status_bad_param); + } + return ((ct)->alloc((c), (key_len), (tlen))); +} + +srtp_err_status_t srtp_cipher_dealloc(srtp_cipher_t *c) +{ + if (!c || !c->type) { + return (srtp_err_status_bad_param); + } + return (((c)->type)->dealloc(c)); +} + +srtp_err_status_t srtp_cipher_init(srtp_cipher_t *c, const uint8_t *key) +{ + if (!c || !c->type || !c->state) { + return (srtp_err_status_bad_param); + } + return (((c)->type)->init(((c)->state), (key))); +} + +srtp_err_status_t srtp_cipher_set_iv(srtp_cipher_t *c, + uint8_t *iv, + int direction) +{ + if (!c || !c->type || !c->state) { + return (srtp_err_status_bad_param); + } + + return (((c)->type)->set_iv(((c)->state), iv, direction)); +} + +srtp_err_status_t srtp_cipher_output(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *num_octets_to_output) +{ + /* zeroize the buffer */ + octet_string_set_to_zero(buffer, *num_octets_to_output); + + /* exor keystream into buffer */ + return (((c)->type)->encrypt(((c)->state), buffer, num_octets_to_output)); +} + +srtp_err_status_t srtp_cipher_encrypt(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *num_octets_to_output) +{ + if (!c || !c->type || !c->state) { + return (srtp_err_status_bad_param); + } + + return (((c)->type)->encrypt(((c)->state), buffer, num_octets_to_output)); +} + +srtp_err_status_t srtp_cipher_decrypt(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *num_octets_to_output) +{ + if (!c || !c->type || !c->state) { + return (srtp_err_status_bad_param); + } + + return (((c)->type)->decrypt(((c)->state), buffer, num_octets_to_output)); +} + +srtp_err_status_t srtp_cipher_get_tag(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *tag_len) +{ + if (!c || !c->type || !c->state) { + return (srtp_err_status_bad_param); + } + if (!((c)->type)->get_tag) { + return (srtp_err_status_no_such_op); + } + + return (((c)->type)->get_tag(((c)->state), buffer, tag_len)); +} + +srtp_err_status_t srtp_cipher_set_aad(srtp_cipher_t *c, + const uint8_t *aad, + uint32_t aad_len) +{ + if (!c || !c->type || !c->state) { + return (srtp_err_status_bad_param); + } + if (!((c)->type)->set_aad) { + return (srtp_err_status_no_such_op); + } + + return (((c)->type)->set_aad(((c)->state), aad, aad_len)); +} + +/* some bookkeeping functions */ + +int srtp_cipher_get_key_length(const srtp_cipher_t *c) +{ + return c->key_len; +} + +/* + * A trivial platform independent random source. The random + * data is used for some of the cipher self-tests. + */ +static srtp_err_status_t srtp_cipher_rand(void *dest, uint32_t len) +{ +#if defined(HAVE_RAND_S) + uint8_t *dst = (uint8_t *)dest; + while (len) { + unsigned int val; + errno_t err = rand_s(&val); + + if (err != 0) + return srtp_err_status_fail; + + *dst++ = val & 0xff; + len--; + } +#else + /* Generic C-library (rand()) version */ + /* This is a random source of last resort */ + uint8_t *dst = (uint8_t *)dest; + while (len) { + int val = rand(); + /* rand() returns 0-32767 (ugh) */ + /* Is this a good enough way to get random bytes? + It is if it passes FIPS-140... */ + *dst++ = val & 0xff; + len--; + } +#endif + return srtp_err_status_ok; +} + +#define SELF_TEST_BUF_OCTETS 128 +#define NUM_RAND_TESTS 128 +#define MAX_KEY_LEN 64 +/* + * srtp_cipher_type_test(ct, test_data) tests a cipher of type ct against + * test cases provided in a list test_data of values of key, salt, iv, + * plaintext, and ciphertext that is known to be good + */ +srtp_err_status_t srtp_cipher_type_test( + const srtp_cipher_type_t *ct, + const srtp_cipher_test_case_t *test_data) +{ + const srtp_cipher_test_case_t *test_case = test_data; + srtp_cipher_t *c; + srtp_err_status_t status; + uint8_t buffer[SELF_TEST_BUF_OCTETS]; + uint8_t buffer2[SELF_TEST_BUF_OCTETS]; + uint32_t tag_len; + unsigned int len; + int i, j, case_num = 0; + unsigned k = 0; + + debug_print(srtp_mod_cipher, "running self-test for cipher %s", + ct->description); + + /* + * check to make sure that we have at least one test case, and + * return an error if we don't - we need to be paranoid here + */ + if (test_case == NULL) { + return srtp_err_status_cant_check; + } + + /* + * loop over all test cases, perform known-answer tests of both the + * encryption and decryption functions + */ + while (test_case != NULL) { + /* allocate cipher */ + status = srtp_cipher_type_alloc(ct, &c, test_case->key_length_octets, + test_case->tag_length_octets); + if (status) { + return status; + } + + /* + * test the encrypt function + */ + debug_print(srtp_mod_cipher, "testing encryption", NULL); + + /* initialize cipher */ + status = srtp_cipher_init(c, test_case->key); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + + /* copy plaintext into test buffer */ + if (test_case->ciphertext_length_octets > SELF_TEST_BUF_OCTETS) { + srtp_cipher_dealloc(c); + return srtp_err_status_bad_param; + } + for (k = 0; k < test_case->plaintext_length_octets; k++) { + buffer[k] = test_case->plaintext[k]; + } + + debug_print(srtp_mod_cipher, "plaintext: %s", + srtp_octet_string_hex_string( + buffer, test_case->plaintext_length_octets)); + + /* set the initialization vector */ + status = srtp_cipher_set_iv(c, (uint8_t *)test_case->idx, + srtp_direction_encrypt); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + + if (c->algorithm == SRTP_AES_GCM_128 || + c->algorithm == SRTP_AES_GCM_256) { + debug_print(srtp_mod_cipher, "IV: %s", + srtp_octet_string_hex_string(test_case->idx, 12)); + + /* + * Set the AAD + */ + status = srtp_cipher_set_aad(c, test_case->aad, + test_case->aad_length_octets); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + debug_print(srtp_mod_cipher, "AAD: %s", + srtp_octet_string_hex_string( + test_case->aad, test_case->aad_length_octets)); + } + + /* encrypt */ + len = test_case->plaintext_length_octets; + status = srtp_cipher_encrypt(c, buffer, &len); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + + if (c->algorithm == SRTP_AES_GCM_128 || + c->algorithm == SRTP_AES_GCM_256) { + /* + * Get the GCM tag + */ + status = srtp_cipher_get_tag(c, buffer + len, &tag_len); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + len += tag_len; + } + + debug_print(srtp_mod_cipher, "ciphertext: %s", + srtp_octet_string_hex_string( + buffer, test_case->ciphertext_length_octets)); + + /* compare the resulting ciphertext with that in the test case */ + if (len != test_case->ciphertext_length_octets) { + srtp_cipher_dealloc(c); + return srtp_err_status_algo_fail; + } + status = srtp_err_status_ok; + for (k = 0; k < test_case->ciphertext_length_octets; k++) { + if (buffer[k] != test_case->ciphertext[k]) { + status = srtp_err_status_algo_fail; + debug_print(srtp_mod_cipher, "test case %d failed", case_num); + debug_print(srtp_mod_cipher, "(failure at byte %u)", k); + break; + } + } + if (status) { + debug_print(srtp_mod_cipher, "c computed: %s", + srtp_octet_string_hex_string( + buffer, 2 * test_case->plaintext_length_octets)); + debug_print(srtp_mod_cipher, "c expected: %s", + srtp_octet_string_hex_string( + test_case->ciphertext, + 2 * test_case->plaintext_length_octets)); + + srtp_cipher_dealloc(c); + return srtp_err_status_algo_fail; + } + + /* + * test the decrypt function + */ + debug_print(srtp_mod_cipher, "testing decryption", NULL); + + /* re-initialize cipher for decryption */ + status = srtp_cipher_init(c, test_case->key); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + + /* copy ciphertext into test buffer */ + if (test_case->ciphertext_length_octets > SELF_TEST_BUF_OCTETS) { + srtp_cipher_dealloc(c); + return srtp_err_status_bad_param; + } + for (k = 0; k < test_case->ciphertext_length_octets; k++) { + buffer[k] = test_case->ciphertext[k]; + } + + debug_print(srtp_mod_cipher, "ciphertext: %s", + srtp_octet_string_hex_string( + buffer, test_case->plaintext_length_octets)); + + /* set the initialization vector */ + status = srtp_cipher_set_iv(c, (uint8_t *)test_case->idx, + srtp_direction_decrypt); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + + if (c->algorithm == SRTP_AES_GCM_128 || + c->algorithm == SRTP_AES_GCM_256) { + /* + * Set the AAD + */ + status = srtp_cipher_set_aad(c, test_case->aad, + test_case->aad_length_octets); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + debug_print(srtp_mod_cipher, "AAD: %s", + srtp_octet_string_hex_string( + test_case->aad, test_case->aad_length_octets)); + } + + /* decrypt */ + len = test_case->ciphertext_length_octets; + status = srtp_cipher_decrypt(c, buffer, &len); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + + debug_print(srtp_mod_cipher, "plaintext: %s", + srtp_octet_string_hex_string( + buffer, test_case->plaintext_length_octets)); + + /* compare the resulting plaintext with that in the test case */ + if (len != test_case->plaintext_length_octets) { + srtp_cipher_dealloc(c); + return srtp_err_status_algo_fail; + } + status = srtp_err_status_ok; + for (k = 0; k < test_case->plaintext_length_octets; k++) { + if (buffer[k] != test_case->plaintext[k]) { + status = srtp_err_status_algo_fail; + debug_print(srtp_mod_cipher, "test case %d failed", case_num); + debug_print(srtp_mod_cipher, "(failure at byte %u)", k); + } + } + if (status) { + debug_print(srtp_mod_cipher, "p computed: %s", + srtp_octet_string_hex_string( + buffer, 2 * test_case->plaintext_length_octets)); + debug_print(srtp_mod_cipher, "p expected: %s", + srtp_octet_string_hex_string( + test_case->plaintext, + 2 * test_case->plaintext_length_octets)); + + srtp_cipher_dealloc(c); + return srtp_err_status_algo_fail; + } + + /* deallocate the cipher */ + status = srtp_cipher_dealloc(c); + if (status) { + return status; + } + + /* + * the cipher passed the test case, so move on to the next test + * case in the list; if NULL, we'l proceed to the next test + */ + test_case = test_case->next_test_case; + ++case_num; + } + + /* now run some random invertibility tests */ + + /* allocate cipher, using paramaters from the first test case */ + test_case = test_data; + status = srtp_cipher_type_alloc(ct, &c, test_case->key_length_octets, + test_case->tag_length_octets); + if (status) { + return status; + } + + for (j = 0; j < NUM_RAND_TESTS; j++) { + unsigned int length; + unsigned int plaintext_len; + uint8_t key[MAX_KEY_LEN]; + uint8_t iv[MAX_KEY_LEN]; + + /* choose a length at random (leaving room for IV and padding) */ + length = rand() % (SELF_TEST_BUF_OCTETS - 64); + debug_print(srtp_mod_cipher, "random plaintext length %d\n", length); + status = srtp_cipher_rand(buffer, length); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + + debug_print(srtp_mod_cipher, "plaintext: %s", + srtp_octet_string_hex_string(buffer, length)); + + /* copy plaintext into second buffer */ + for (i = 0; (unsigned int)i < length; i++) { + buffer2[i] = buffer[i]; + } + + /* choose a key at random */ + if (test_case->key_length_octets > MAX_KEY_LEN) { + srtp_cipher_dealloc(c); + return srtp_err_status_cant_check; + } + status = srtp_cipher_rand(key, test_case->key_length_octets); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + + /* chose a random initialization vector */ + status = srtp_cipher_rand(iv, MAX_KEY_LEN); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + + /* initialize cipher */ + status = srtp_cipher_init(c, key); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + + /* set initialization vector */ + status = srtp_cipher_set_iv(c, (uint8_t *)test_case->idx, + srtp_direction_encrypt); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + + if (c->algorithm == SRTP_AES_GCM_128 || + c->algorithm == SRTP_AES_GCM_256) { + /* + * Set the AAD + */ + status = srtp_cipher_set_aad(c, test_case->aad, + test_case->aad_length_octets); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + debug_print(srtp_mod_cipher, "AAD: %s", + srtp_octet_string_hex_string( + test_case->aad, test_case->aad_length_octets)); + } + + /* encrypt buffer with cipher */ + plaintext_len = length; + status = srtp_cipher_encrypt(c, buffer, &length); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + if (c->algorithm == SRTP_AES_GCM_128 || + c->algorithm == SRTP_AES_GCM_256) { + /* + * Get the GCM tag + */ + status = srtp_cipher_get_tag(c, buffer + length, &tag_len); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + length += tag_len; + } + debug_print(srtp_mod_cipher, "ciphertext: %s", + srtp_octet_string_hex_string(buffer, length)); + + /* + * re-initialize cipher for decryption, re-set the iv, then + * decrypt the ciphertext + */ + status = srtp_cipher_init(c, key); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + status = srtp_cipher_set_iv(c, (uint8_t *)test_case->idx, + srtp_direction_decrypt); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + if (c->algorithm == SRTP_AES_GCM_128 || + c->algorithm == SRTP_AES_GCM_256) { + /* + * Set the AAD + */ + status = srtp_cipher_set_aad(c, test_case->aad, + test_case->aad_length_octets); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + debug_print(srtp_mod_cipher, "AAD: %s", + srtp_octet_string_hex_string( + test_case->aad, test_case->aad_length_octets)); + } + status = srtp_cipher_decrypt(c, buffer, &length); + if (status) { + srtp_cipher_dealloc(c); + return status; + } + + debug_print(srtp_mod_cipher, "plaintext[2]: %s", + srtp_octet_string_hex_string(buffer, length)); + + /* compare the resulting plaintext with the original one */ + if (length != plaintext_len) { + srtp_cipher_dealloc(c); + return srtp_err_status_algo_fail; + } + status = srtp_err_status_ok; + for (k = 0; k < plaintext_len; k++) { + if (buffer[k] != buffer2[k]) { + status = srtp_err_status_algo_fail; + debug_print(srtp_mod_cipher, "random test case %d failed", + case_num); + debug_print(srtp_mod_cipher, "(failure at byte %u)", k); + } + } + if (status) { + srtp_cipher_dealloc(c); + return srtp_err_status_algo_fail; + } + } + + status = srtp_cipher_dealloc(c); + if (status) { + return status; + } + + return srtp_err_status_ok; +} + +/* + * srtp_cipher_type_self_test(ct) performs srtp_cipher_type_test on ct's + * internal list of test data. + */ +srtp_err_status_t srtp_cipher_type_self_test(const srtp_cipher_type_t *ct) +{ + return srtp_cipher_type_test(ct, ct->test_data); +} + +/* + * cipher_bits_per_second(c, l, t) computes (an estimate of) the + * number of bits that a cipher implementation can encrypt in a second + * + * c is a cipher (which MUST be allocated and initialized already), l + * is the length in octets of the test data to be encrypted, and t is + * the number of trials + * + * if an error is encountered, the value 0 is returned + */ +uint64_t srtp_cipher_bits_per_second(srtp_cipher_t *c, + int octets_in_buffer, + int num_trials) +{ + int i; + v128_t nonce; + clock_t timer; + unsigned char *enc_buf; + unsigned int len = octets_in_buffer; + + enc_buf = (unsigned char *)srtp_crypto_alloc(octets_in_buffer); + if (enc_buf == NULL) { + return 0; /* indicate bad parameters by returning null */ + } + /* time repeated trials */ + v128_set_to_zero(&nonce); + timer = clock(); + for (i = 0; i < num_trials; i++, nonce.v32[3] = i) { + if (srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt) != + srtp_err_status_ok) { + srtp_crypto_free(enc_buf); + return 0; + } + if (srtp_cipher_encrypt(c, enc_buf, &len) != srtp_err_status_ok) { + srtp_crypto_free(enc_buf); + return 0; + } + } + timer = clock() - timer; + + srtp_crypto_free(enc_buf); + + if (timer == 0) { + /* Too fast! */ + return 0; + } + + return (uint64_t)CLOCKS_PER_SEC * num_trials * 8 * octets_in_buffer / timer; +} diff --git a/netwerk/srtp/src/crypto/cipher/null_cipher.c b/netwerk/srtp/src/crypto/cipher/null_cipher.c new file mode 100644 index 0000000000..659add0d47 --- /dev/null +++ b/netwerk/srtp/src/crypto/cipher/null_cipher.c @@ -0,0 +1,153 @@ +/* + * null_cipher.c + * + * A null cipher implementation. This cipher leaves the plaintext + * unchanged. + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "datatypes.h" +#include "null_cipher.h" +#include "err.h" /* for srtp_debug */ +#include "alloc.h" +#include "cipher_types.h" + +static srtp_err_status_t srtp_null_cipher_alloc(srtp_cipher_t **c, + int key_len, + int tlen) +{ + extern const srtp_cipher_type_t srtp_null_cipher; + + debug_print(srtp_mod_cipher, "allocating cipher with key length %d", + key_len); + + /* allocate memory a cipher of type null_cipher */ + *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t)); + if (*c == NULL) { + return srtp_err_status_alloc_fail; + } + + /* set pointers */ + (*c)->algorithm = SRTP_NULL_CIPHER; + (*c)->type = &srtp_null_cipher; + (*c)->state = (void *)0x1; /* The null cipher does not maintain state */ + + /* set key size */ + (*c)->key_len = key_len; + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_null_cipher_dealloc(srtp_cipher_t *c) +{ + extern const srtp_cipher_type_t srtp_null_cipher; + + /* zeroize entire state*/ + octet_string_set_to_zero(c, sizeof(srtp_cipher_t)); + + /* free memory of type null_cipher */ + srtp_crypto_free(c); + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_null_cipher_init(void *cv, const uint8_t *key) +{ + /* srtp_null_cipher_ctx_t *c = (srtp_null_cipher_ctx_t *)cv; */ + + debug_print(srtp_mod_cipher, "initializing null cipher", NULL); + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_null_cipher_set_iv(void *cv, + uint8_t *iv, + srtp_cipher_direction_t dir) +{ + /* srtp_null_cipher_ctx_t *c = (srtp_null_cipher_ctx_t *)cv; */ + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_null_cipher_encrypt(void *cv, + unsigned char *buf, + unsigned int *bytes_to_encr) +{ + /* srtp_null_cipher_ctx_t *c = (srtp_null_cipher_ctx_t *)cv; */ + return srtp_err_status_ok; +} + +static const char srtp_null_cipher_description[] = "null cipher"; + +static const srtp_cipher_test_case_t srtp_null_cipher_test_0 = { + 0, /* octets in key */ + NULL, /* key */ + 0, /* packet index */ + 0, /* octets in plaintext */ + NULL, /* plaintext */ + 0, /* octets in plaintext */ + NULL, /* ciphertext */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL /* pointer to next testcase */ +}; + +/* + * note: the decrypt function is idential to the encrypt function + */ + +const srtp_cipher_type_t srtp_null_cipher = { + srtp_null_cipher_alloc, /* */ + srtp_null_cipher_dealloc, /* */ + srtp_null_cipher_init, /* */ + 0, /* set_aad */ + srtp_null_cipher_encrypt, /* */ + srtp_null_cipher_encrypt, /* */ + srtp_null_cipher_set_iv, /* */ + 0, /* get_tag */ + srtp_null_cipher_description, /* */ + &srtp_null_cipher_test_0, /* */ + SRTP_NULL_CIPHER /* */ +}; diff --git a/netwerk/srtp/src/crypto/hash/auth.c b/netwerk/srtp/src/crypto/hash/auth.c new file mode 100644 index 0000000000..f19327dc8e --- /dev/null +++ b/netwerk/srtp/src/crypto/hash/auth.c @@ -0,0 +1,187 @@ +/* + * auth.c + * + * some bookkeeping functions for authentication functions + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "auth.h" +#include "err.h" /* for srtp_debug */ +#include "datatypes.h" /* for octet_string */ + +/* the debug module for authentiation */ + +srtp_debug_module_t srtp_mod_auth = { + 0, /* debugging is off by default */ + "auth func" /* printable name for module */ +}; + +int srtp_auth_get_key_length(const srtp_auth_t *a) +{ + return a->key_len; +} + +int srtp_auth_get_tag_length(const srtp_auth_t *a) +{ + return a->out_len; +} + +int srtp_auth_get_prefix_length(const srtp_auth_t *a) +{ + return a->prefix_len; +} + +/* + * srtp_auth_type_test() tests an auth function of type ct against + * test cases provided in a list test_data of values of key, data, and tag + * that is known to be good + */ + +/* should be big enough for most occasions */ +#define SELF_TEST_TAG_BUF_OCTETS 32 + +srtp_err_status_t srtp_auth_type_test(const srtp_auth_type_t *at, + const srtp_auth_test_case_t *test_data) +{ + const srtp_auth_test_case_t *test_case = test_data; + srtp_auth_t *a; + srtp_err_status_t status; + uint8_t tag[SELF_TEST_TAG_BUF_OCTETS]; + int i, case_num = 0; + + debug_print(srtp_mod_auth, "running self-test for auth function %s", + at->description); + + /* + * check to make sure that we have at least one test case, and + * return an error if we don't - we need to be paranoid here + */ + if (test_case == NULL) { + return srtp_err_status_cant_check; + } + + /* loop over all test cases */ + while (test_case != NULL) { + /* check test case parameters */ + if (test_case->tag_length_octets > SELF_TEST_TAG_BUF_OCTETS) { + return srtp_err_status_bad_param; + } + + /* allocate auth */ + status = srtp_auth_type_alloc(at, &a, test_case->key_length_octets, + test_case->tag_length_octets); + if (status) { + return status; + } + + /* initialize auth */ + status = srtp_auth_init(a, test_case->key); + if (status) { + srtp_auth_dealloc(a); + return status; + } + + /* zeroize tag then compute */ + octet_string_set_to_zero(tag, test_case->tag_length_octets); + status = srtp_auth_compute(a, test_case->data, + test_case->data_length_octets, tag); + if (status) { + srtp_auth_dealloc(a); + return status; + } + + debug_print(srtp_mod_auth, "key: %s", + srtp_octet_string_hex_string(test_case->key, + test_case->key_length_octets)); + debug_print(srtp_mod_auth, "data: %s", + srtp_octet_string_hex_string( + test_case->data, test_case->data_length_octets)); + debug_print( + srtp_mod_auth, "tag computed: %s", + srtp_octet_string_hex_string(tag, test_case->tag_length_octets)); + debug_print(srtp_mod_auth, "tag expected: %s", + srtp_octet_string_hex_string(test_case->tag, + test_case->tag_length_octets)); + + /* check the result */ + status = srtp_err_status_ok; + for (i = 0; i < test_case->tag_length_octets; i++) { + if (tag[i] != test_case->tag[i]) { + status = srtp_err_status_algo_fail; + debug_print(srtp_mod_auth, "test case %d failed", case_num); + debug_print(srtp_mod_auth, " (mismatch at octet %d)", i); + } + } + if (status) { + srtp_auth_dealloc(a); + return srtp_err_status_algo_fail; + } + + /* deallocate the auth function */ + status = srtp_auth_dealloc(a); + if (status) { + return status; + } + + /* + * the auth function passed the test case, so move on to the next test + * case in the list; if NULL, we'll quit and return an OK + */ + test_case = test_case->next_test_case; + ++case_num; + } + + return srtp_err_status_ok; +} + +/* + * srtp_auth_type_self_test(at) performs srtp_auth_type_test on at's internal + * list of test data. + */ + +srtp_err_status_t srtp_auth_type_self_test(const srtp_auth_type_t *at) +{ + return srtp_auth_type_test(at, at->test_data); +} diff --git a/netwerk/srtp/src/crypto/hash/hmac.c b/netwerk/srtp/src/crypto/hash/hmac.c new file mode 100644 index 0000000000..6e91468f36 --- /dev/null +++ b/netwerk/srtp/src/crypto/hash/hmac.c @@ -0,0 +1,283 @@ +/* + * hmac.c + * + * implementation of hmac srtp_auth_type_t + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright(c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "hmac.h" +#include "alloc.h" +#include "cipher_types.h" + +/* the debug module for authentiation */ + +srtp_debug_module_t srtp_mod_hmac = { + 0, /* debugging is off by default */ + "hmac sha-1" /* printable name for module */ +}; + +static srtp_err_status_t srtp_hmac_alloc(srtp_auth_t **a, + int key_len, + int out_len) +{ + extern const srtp_auth_type_t srtp_hmac; + uint8_t *pointer; + + debug_print(srtp_mod_hmac, "allocating auth func with key length %d", + key_len); + debug_print(srtp_mod_hmac, " tag length %d", + out_len); + + /* + * check key length - note that we don't support keys larger + * than 20 bytes yet + */ + if (key_len > 20) { + return srtp_err_status_bad_param; + } + + /* check output length - should be less than 20 bytes */ + if (out_len > 20) { + return srtp_err_status_bad_param; + } + + /* allocate memory for auth and srtp_hmac_ctx_t structures */ + pointer = (uint8_t *)srtp_crypto_alloc(sizeof(srtp_hmac_ctx_t) + + sizeof(srtp_auth_t)); + if (pointer == NULL) { + return srtp_err_status_alloc_fail; + } + + /* set pointers */ + *a = (srtp_auth_t *)pointer; + (*a)->type = &srtp_hmac; + (*a)->state = pointer + sizeof(srtp_auth_t); + (*a)->out_len = out_len; + (*a)->key_len = key_len; + (*a)->prefix_len = 0; + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_hmac_dealloc(srtp_auth_t *a) +{ + /* zeroize entire state*/ + octet_string_set_to_zero(a, sizeof(srtp_hmac_ctx_t) + sizeof(srtp_auth_t)); + + /* free memory */ + srtp_crypto_free(a); + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_hmac_init(void *statev, + const uint8_t *key, + int key_len) +{ + srtp_hmac_ctx_t *state = (srtp_hmac_ctx_t *)statev; + int i; + uint8_t ipad[64]; + + /* + * check key length - note that we don't support keys larger + * than 20 bytes yet + */ + if (key_len > 20) { + return srtp_err_status_bad_param; + } + + /* + * set values of ipad and opad by exoring the key into the + * appropriate constant values + */ + for (i = 0; i < key_len; i++) { + ipad[i] = key[i] ^ 0x36; + state->opad[i] = key[i] ^ 0x5c; + } + /* set the rest of ipad, opad to constant values */ + for (; i < 64; i++) { + ipad[i] = 0x36; + ((uint8_t *)state->opad)[i] = 0x5c; + } + + debug_print(srtp_mod_hmac, "ipad: %s", + srtp_octet_string_hex_string(ipad, 64)); + + /* initialize sha1 context */ + srtp_sha1_init(&state->init_ctx); + + /* hash ipad ^ key */ + srtp_sha1_update(&state->init_ctx, ipad, 64); + memcpy(&state->ctx, &state->init_ctx, sizeof(srtp_sha1_ctx_t)); + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_hmac_start(void *statev) +{ + srtp_hmac_ctx_t *state = (srtp_hmac_ctx_t *)statev; + + memcpy(&state->ctx, &state->init_ctx, sizeof(srtp_sha1_ctx_t)); + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_hmac_update(void *statev, + const uint8_t *message, + int msg_octets) +{ + srtp_hmac_ctx_t *state = (srtp_hmac_ctx_t *)statev; + + debug_print(srtp_mod_hmac, "input: %s", + srtp_octet_string_hex_string(message, msg_octets)); + + /* hash message into sha1 context */ + srtp_sha1_update(&state->ctx, message, msg_octets); + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_hmac_compute(void *statev, + const uint8_t *message, + int msg_octets, + int tag_len, + uint8_t *result) +{ + srtp_hmac_ctx_t *state = (srtp_hmac_ctx_t *)statev; + uint32_t hash_value[5]; + uint32_t H[5]; + int i; + + /* check tag length, return error if we can't provide the value expected */ + if (tag_len > 20) { + return srtp_err_status_bad_param; + } + + /* hash message, copy output into H */ + srtp_hmac_update(state, message, msg_octets); + srtp_sha1_final(&state->ctx, H); + + /* + * note that we don't need to debug_print() the input, since the + * function hmac_update() already did that for us + */ + debug_print(srtp_mod_hmac, "intermediate state: %s", + srtp_octet_string_hex_string((uint8_t *)H, 20)); + + /* re-initialize hash context */ + srtp_sha1_init(&state->ctx); + + /* hash opad ^ key */ + srtp_sha1_update(&state->ctx, (uint8_t *)state->opad, 64); + + /* hash the result of the inner hash */ + srtp_sha1_update(&state->ctx, (uint8_t *)H, 20); + + /* the result is returned in the array hash_value[] */ + srtp_sha1_final(&state->ctx, hash_value); + + /* copy hash_value to *result */ + for (i = 0; i < tag_len; i++) { + result[i] = ((uint8_t *)hash_value)[i]; + } + + debug_print(srtp_mod_hmac, "output: %s", + srtp_octet_string_hex_string((uint8_t *)hash_value, tag_len)); + + return srtp_err_status_ok; +} + +/* begin test case 0 */ +/* clang-format off */ +static const uint8_t srtp_hmac_test_case_0_key[20] = { + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_hmac_test_case_0_data[8] = { + 0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65 /* "Hi There" */ +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_hmac_test_case_0_tag[20] = { + 0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64, + 0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e, + 0xf1, 0x46, 0xbe, 0x00 +}; +/* clang-format on */ + +static const srtp_auth_test_case_t srtp_hmac_test_case_0 = { + 20, /* octets in key */ + srtp_hmac_test_case_0_key, /* key */ + 8, /* octets in data */ + srtp_hmac_test_case_0_data, /* data */ + 20, /* octets in tag */ + srtp_hmac_test_case_0_tag, /* tag */ + NULL /* pointer to next testcase */ +}; + +/* end test case 0 */ + +static const char srtp_hmac_description[] = + "hmac sha-1 authentication function"; + +/* + * srtp_auth_type_t hmac is the hmac metaobject + */ + +const srtp_auth_type_t srtp_hmac = { + srtp_hmac_alloc, /* */ + srtp_hmac_dealloc, /* */ + srtp_hmac_init, /* */ + srtp_hmac_compute, /* */ + srtp_hmac_update, /* */ + srtp_hmac_start, /* */ + srtp_hmac_description, /* */ + &srtp_hmac_test_case_0, /* */ + SRTP_HMAC_SHA1 /* */ +}; diff --git a/netwerk/srtp/src/crypto/hash/hmac_ossl.c b/netwerk/srtp/src/crypto/hash/hmac_ossl.c new file mode 100644 index 0000000000..8146438b05 --- /dev/null +++ b/netwerk/srtp/src/crypto/hash/hmac_ossl.c @@ -0,0 +1,273 @@ +/* + * hmac_ossl.c + * + * Implementation of hmac srtp_auth_type_t that leverages OpenSSL + * + * John A. Foley + * Cisco Systems, Inc. + */ +/* + * + * Copyright(c) 2013-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "auth.h" +#include "alloc.h" +#include "err.h" /* for srtp_debug */ +#include <openssl/evp.h> +#include <openssl/hmac.h> + +#define SHA1_DIGEST_SIZE 20 + +/* the debug module for authentiation */ + +srtp_debug_module_t srtp_mod_hmac = { + 0, /* debugging is off by default */ + "hmac sha-1 openssl" /* printable name for module */ +}; + +static srtp_err_status_t srtp_hmac_alloc(srtp_auth_t **a, + int key_len, + int out_len) +{ + extern const srtp_auth_type_t srtp_hmac; + + debug_print(srtp_mod_hmac, "allocating auth func with key length %d", + key_len); + debug_print(srtp_mod_hmac, " tag length %d", + out_len); + + /* check output length - should be less than 20 bytes */ + if (out_len > SHA1_DIGEST_SIZE) { + return srtp_err_status_bad_param; + } + +/* OpenSSL 1.1.0 made HMAC_CTX an opaque structure, which must be allocated + using HMAC_CTX_new. But this function doesn't exist in OpenSSL 1.0.x. */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER + { + /* allocate memory for auth and HMAC_CTX structures */ + uint8_t *pointer; + HMAC_CTX *new_hmac_ctx; + pointer = (uint8_t *)srtp_crypto_alloc(sizeof(HMAC_CTX) + + sizeof(srtp_auth_t)); + if (pointer == NULL) { + return srtp_err_status_alloc_fail; + } + *a = (srtp_auth_t *)pointer; + (*a)->state = pointer + sizeof(srtp_auth_t); + new_hmac_ctx = (HMAC_CTX *)((*a)->state); + + HMAC_CTX_init(new_hmac_ctx); + } + +#else + *a = (srtp_auth_t *)srtp_crypto_alloc(sizeof(srtp_auth_t)); + if (*a == NULL) { + return srtp_err_status_alloc_fail; + } + + (*a)->state = HMAC_CTX_new(); + if ((*a)->state == NULL) { + srtp_crypto_free(*a); + *a = NULL; + return srtp_err_status_alloc_fail; + } +#endif + + /* set pointers */ + (*a)->type = &srtp_hmac; + (*a)->out_len = out_len; + (*a)->key_len = key_len; + (*a)->prefix_len = 0; + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_hmac_dealloc(srtp_auth_t *a) +{ + HMAC_CTX *hmac_ctx; + + hmac_ctx = (HMAC_CTX *)a->state; + +#if OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER + HMAC_CTX_cleanup(hmac_ctx); + + /* zeroize entire state*/ + octet_string_set_to_zero(a, sizeof(HMAC_CTX) + sizeof(srtp_auth_t)); + +#else + HMAC_CTX_free(hmac_ctx); + + /* zeroize entire state*/ + octet_string_set_to_zero(a, sizeof(srtp_auth_t)); +#endif + + /* free memory */ + srtp_crypto_free(a); + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_hmac_start(void *statev) +{ + HMAC_CTX *state = (HMAC_CTX *)statev; + + if (HMAC_Init_ex(state, NULL, 0, NULL, NULL) == 0) + return srtp_err_status_auth_fail; + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_hmac_init(void *statev, + const uint8_t *key, + int key_len) +{ + HMAC_CTX *state = (HMAC_CTX *)statev; + + if (HMAC_Init_ex(state, key, key_len, EVP_sha1(), NULL) == 0) + return srtp_err_status_auth_fail; + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_hmac_update(void *statev, + const uint8_t *message, + int msg_octets) +{ + HMAC_CTX *state = (HMAC_CTX *)statev; + + debug_print(srtp_mod_hmac, "input: %s", + srtp_octet_string_hex_string(message, msg_octets)); + + if (HMAC_Update(state, message, msg_octets) == 0) + return srtp_err_status_auth_fail; + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_hmac_compute(void *statev, + const uint8_t *message, + int msg_octets, + int tag_len, + uint8_t *result) +{ + HMAC_CTX *state = (HMAC_CTX *)statev; + uint8_t hash_value[SHA1_DIGEST_SIZE]; + int i; + unsigned int len; + + /* check tag length, return error if we can't provide the value expected */ + if (tag_len > SHA1_DIGEST_SIZE) { + return srtp_err_status_bad_param; + } + + /* hash message, copy output into H */ + if (HMAC_Update(state, message, msg_octets) == 0) + return srtp_err_status_auth_fail; + + if (HMAC_Final(state, hash_value, &len) == 0) + return srtp_err_status_auth_fail; + + if (len < tag_len) + return srtp_err_status_auth_fail; + + /* copy hash_value to *result */ + for (i = 0; i < tag_len; i++) { + result[i] = hash_value[i]; + } + + debug_print(srtp_mod_hmac, "output: %s", + srtp_octet_string_hex_string(hash_value, tag_len)); + + return srtp_err_status_ok; +} + +/* begin test case 0 */ +/* clang-format off */ +static const uint8_t srtp_hmac_test_case_0_key[SHA1_DIGEST_SIZE] = { + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_hmac_test_case_0_data[8] = { + 0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65 /* "Hi There" */ +}; +/* clang-format on */ + +/* clang-format off */ +static const uint8_t srtp_hmac_test_case_0_tag[SHA1_DIGEST_SIZE] = { + 0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64, + 0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e, + 0xf1, 0x46, 0xbe, 0x00 +}; +/* clang-format on */ + +static const srtp_auth_test_case_t srtp_hmac_test_case_0 = { + sizeof(srtp_hmac_test_case_0_key), /* octets in key */ + srtp_hmac_test_case_0_key, /* key */ + sizeof(srtp_hmac_test_case_0_data), /* octets in data */ + srtp_hmac_test_case_0_data, /* data */ + sizeof(srtp_hmac_test_case_0_tag), /* octets in tag */ + srtp_hmac_test_case_0_tag, /* tag */ + NULL /* pointer to next testcase */ +}; + +/* end test case 0 */ + +static const char srtp_hmac_description[] = + "hmac sha-1 authentication function"; + +/* + * srtp_auth_type_t hmac is the hmac metaobject + */ + +const srtp_auth_type_t srtp_hmac = { + srtp_hmac_alloc, /* */ + srtp_hmac_dealloc, /* */ + srtp_hmac_init, /* */ + srtp_hmac_compute, /* */ + srtp_hmac_update, /* */ + srtp_hmac_start, /* */ + srtp_hmac_description, /* */ + &srtp_hmac_test_case_0, /* */ + SRTP_HMAC_SHA1 /* */ +}; diff --git a/netwerk/srtp/src/crypto/hash/null_auth.c b/netwerk/srtp/src/crypto/hash/null_auth.c new file mode 100644 index 0000000000..5194417caf --- /dev/null +++ b/netwerk/srtp/src/crypto/hash/null_auth.c @@ -0,0 +1,168 @@ +/* + * null_auth.c + * + * implements the do-nothing auth algorithm + * + * David A. McGrew + * Cisco Systems, Inc. + * + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "null_auth.h" +#include "err.h" /* for srtp_debug */ +#include "alloc.h" +#include "cipher_types.h" + +static srtp_err_status_t srtp_null_auth_alloc(srtp_auth_t **a, + int key_len, + int out_len) +{ + extern const srtp_auth_type_t srtp_null_auth; + uint8_t *pointer; + + debug_print(srtp_mod_auth, "allocating auth func with key length %d", + key_len); + debug_print(srtp_mod_auth, " tag length %d", + out_len); + + /* allocate memory for auth and srtp_null_auth_ctx_t structures */ + pointer = (uint8_t *)srtp_crypto_alloc(sizeof(srtp_null_auth_ctx_t) + + sizeof(srtp_auth_t)); + if (pointer == NULL) { + return srtp_err_status_alloc_fail; + } + + /* set pointers */ + *a = (srtp_auth_t *)pointer; + (*a)->type = &srtp_null_auth; + (*a)->state = pointer + sizeof(srtp_auth_t); + (*a)->out_len = out_len; + (*a)->prefix_len = out_len; + (*a)->key_len = key_len; + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_null_auth_dealloc(srtp_auth_t *a) +{ + extern const srtp_auth_type_t srtp_null_auth; + + /* zeroize entire state*/ + octet_string_set_to_zero(a, sizeof(srtp_null_auth_ctx_t) + + sizeof(srtp_auth_t)); + + /* free memory */ + srtp_crypto_free(a); + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_null_auth_init(void *statev, + const uint8_t *key, + int key_len) +{ + /* srtp_null_auth_ctx_t *state = (srtp_null_auth_ctx_t *)statev; */ + /* accept any length of key, and do nothing */ + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_null_auth_compute(void *statev, + const uint8_t *message, + int msg_octets, + int tag_len, + uint8_t *result) +{ + /* srtp_null_auth_ctx_t *state = (srtp_null_auth_ctx_t *)statev; */ + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_null_auth_update(void *statev, + const uint8_t *message, + int msg_octets) +{ + /* srtp_null_auth_ctx_t *state = (srtp_null_auth_ctx_t *)statev; */ + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_null_auth_start(void *statev) +{ + /* srtp_null_auth_ctx_t *state = (srtp_null_auth_ctx_t *)statev; */ + + return srtp_err_status_ok; +} + +/* + * srtp_auth_type_t - defines description, test case, and null_auth + * metaobject + */ + +/* begin test case 0 */ + +static const srtp_auth_test_case_t srtp_null_auth_test_case_0 = { + 0, /* octets in key */ + NULL, /* key */ + 0, /* octets in data */ + NULL, /* data */ + 0, /* octets in tag */ + NULL, /* tag */ + NULL /* pointer to next testcase */ +}; + +/* end test case 0 */ + +static const char srtp_null_auth_description[] = "null authentication function"; + +const srtp_auth_type_t srtp_null_auth = { + srtp_null_auth_alloc, /* */ + srtp_null_auth_dealloc, /* */ + srtp_null_auth_init, /* */ + srtp_null_auth_compute, /* */ + srtp_null_auth_update, /* */ + srtp_null_auth_start, /* */ + srtp_null_auth_description, /* */ + &srtp_null_auth_test_case_0, /* */ + SRTP_NULL_AUTH /* */ +}; diff --git a/netwerk/srtp/src/crypto/hash/sha1.c b/netwerk/srtp/src/crypto/hash/sha1.c new file mode 100644 index 0000000000..91ebd1e396 --- /dev/null +++ b/netwerk/srtp/src/crypto/hash/sha1.c @@ -0,0 +1,474 @@ +/* + * sha1.c + * + * an implementation of the Secure Hash Algorithm v.1 (SHA-1), + * specified in FIPS 180-1 + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "sha1.h" + +srtp_debug_module_t srtp_mod_sha1 = { + 0, /* debugging is off by default */ + "sha-1" /* printable module name */ +}; + +/* SN == Rotate left N bits */ +#define S1(X) ((X << 1) | (X >> 31)) +#define S5(X) ((X << 5) | (X >> 27)) +#define S30(X) ((X << 30) | (X >> 2)) + +#define f0(B, C, D) ((B & C) | (~B & D)) +#define f1(B, C, D) (B ^ C ^ D) +#define f2(B, C, D) ((B & C) | (B & D) | (C & D)) +#define f3(B, C, D) (B ^ C ^ D) + +/* + * nota bene: the variable K0 appears in the curses library, so we + * give longer names to these variables to avoid spurious warnings + * on systems that uses curses + */ + +uint32_t SHA_K0 = 0x5A827999; /* Kt for 0 <= t <= 19 */ +uint32_t SHA_K1 = 0x6ED9EBA1; /* Kt for 20 <= t <= 39 */ +uint32_t SHA_K2 = 0x8F1BBCDC; /* Kt for 40 <= t <= 59 */ +uint32_t SHA_K3 = 0xCA62C1D6; /* Kt for 60 <= t <= 79 */ + +void srtp_sha1(const uint8_t *msg, int octets_in_msg, uint32_t hash_value[5]) +{ + srtp_sha1_ctx_t ctx; + + srtp_sha1_init(&ctx); + srtp_sha1_update(&ctx, msg, octets_in_msg); + srtp_sha1_final(&ctx, hash_value); +} + +/* + * srtp_sha1_core(M, H) computes the core compression function, where M is + * the next part of the message (in network byte order) and H is the + * intermediate state { H0, H1, ...} (in host byte order) + * + * this function does not do any of the padding required in the + * complete SHA1 function + * + * this function is used in the SEAL 3.0 key setup routines + * (crypto/cipher/seal.c) + */ + +void srtp_sha1_core(const uint32_t M[16], uint32_t hash_value[5]) +{ + uint32_t H0; + uint32_t H1; + uint32_t H2; + uint32_t H3; + uint32_t H4; + uint32_t W[80]; + uint32_t A, B, C, D, E, TEMP; + int t; + + /* copy hash_value into H0, H1, H2, H3, H4 */ + H0 = hash_value[0]; + H1 = hash_value[1]; + H2 = hash_value[2]; + H3 = hash_value[3]; + H4 = hash_value[4]; + + /* copy/xor message into array */ + + W[0] = be32_to_cpu(M[0]); + W[1] = be32_to_cpu(M[1]); + W[2] = be32_to_cpu(M[2]); + W[3] = be32_to_cpu(M[3]); + W[4] = be32_to_cpu(M[4]); + W[5] = be32_to_cpu(M[5]); + W[6] = be32_to_cpu(M[6]); + W[7] = be32_to_cpu(M[7]); + W[8] = be32_to_cpu(M[8]); + W[9] = be32_to_cpu(M[9]); + W[10] = be32_to_cpu(M[10]); + W[11] = be32_to_cpu(M[11]); + W[12] = be32_to_cpu(M[12]); + W[13] = be32_to_cpu(M[13]); + W[14] = be32_to_cpu(M[14]); + W[15] = be32_to_cpu(M[15]); + TEMP = W[13] ^ W[8] ^ W[2] ^ W[0]; + W[16] = S1(TEMP); + TEMP = W[14] ^ W[9] ^ W[3] ^ W[1]; + W[17] = S1(TEMP); + TEMP = W[15] ^ W[10] ^ W[4] ^ W[2]; + W[18] = S1(TEMP); + TEMP = W[16] ^ W[11] ^ W[5] ^ W[3]; + W[19] = S1(TEMP); + TEMP = W[17] ^ W[12] ^ W[6] ^ W[4]; + W[20] = S1(TEMP); + TEMP = W[18] ^ W[13] ^ W[7] ^ W[5]; + W[21] = S1(TEMP); + TEMP = W[19] ^ W[14] ^ W[8] ^ W[6]; + W[22] = S1(TEMP); + TEMP = W[20] ^ W[15] ^ W[9] ^ W[7]; + W[23] = S1(TEMP); + TEMP = W[21] ^ W[16] ^ W[10] ^ W[8]; + W[24] = S1(TEMP); + TEMP = W[22] ^ W[17] ^ W[11] ^ W[9]; + W[25] = S1(TEMP); + TEMP = W[23] ^ W[18] ^ W[12] ^ W[10]; + W[26] = S1(TEMP); + TEMP = W[24] ^ W[19] ^ W[13] ^ W[11]; + W[27] = S1(TEMP); + TEMP = W[25] ^ W[20] ^ W[14] ^ W[12]; + W[28] = S1(TEMP); + TEMP = W[26] ^ W[21] ^ W[15] ^ W[13]; + W[29] = S1(TEMP); + TEMP = W[27] ^ W[22] ^ W[16] ^ W[14]; + W[30] = S1(TEMP); + TEMP = W[28] ^ W[23] ^ W[17] ^ W[15]; + W[31] = S1(TEMP); + + /* process the remainder of the array */ + for (t = 32; t < 80; t++) { + TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16]; + W[t] = S1(TEMP); + } + + A = H0; + B = H1; + C = H2; + D = H3; + E = H4; + + for (t = 0; t < 20; t++) { + TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; + } + for (; t < 40; t++) { + TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; + } + for (; t < 60; t++) { + TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; + } + for (; t < 80; t++) { + TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; + } + + hash_value[0] = H0 + A; + hash_value[1] = H1 + B; + hash_value[2] = H2 + C; + hash_value[3] = H3 + D; + hash_value[4] = H4 + E; + + return; +} + +void srtp_sha1_init(srtp_sha1_ctx_t *ctx) +{ + /* initialize state vector */ + ctx->H[0] = 0x67452301; + ctx->H[1] = 0xefcdab89; + ctx->H[2] = 0x98badcfe; + ctx->H[3] = 0x10325476; + ctx->H[4] = 0xc3d2e1f0; + + /* indicate that message buffer is empty */ + ctx->octets_in_buffer = 0; + + /* reset message bit-count to zero */ + ctx->num_bits_in_msg = 0; +} + +void srtp_sha1_update(srtp_sha1_ctx_t *ctx, + const uint8_t *msg, + int octets_in_msg) +{ + int i; + uint8_t *buf = (uint8_t *)ctx->M; + + /* update message bit-count */ + ctx->num_bits_in_msg += octets_in_msg * 8; + + /* loop over 16-word blocks of M */ + while (octets_in_msg > 0) { + if (octets_in_msg + ctx->octets_in_buffer >= 64) { + /* + * copy words of M into msg buffer until that buffer is full, + * converting them into host byte order as needed + */ + octets_in_msg -= (64 - ctx->octets_in_buffer); + for (i = ctx->octets_in_buffer; i < 64; i++) { + buf[i] = *msg++; + } + ctx->octets_in_buffer = 0; + + /* process a whole block */ + + debug_print(srtp_mod_sha1, "(update) running srtp_sha1_core()", + NULL); + + srtp_sha1_core(ctx->M, ctx->H); + + } else { + debug_print(srtp_mod_sha1, "(update) not running srtp_sha1_core()", + NULL); + + for (i = ctx->octets_in_buffer; + i < (ctx->octets_in_buffer + octets_in_msg); i++) { + buf[i] = *msg++; + } + ctx->octets_in_buffer += octets_in_msg; + octets_in_msg = 0; + } + } +} + +/* + * srtp_sha1_final(ctx, output) computes the result for ctx and copies it + * into the twenty octets located at *output + */ + +void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t output[5]) +{ + uint32_t A, B, C, D, E, TEMP; + uint32_t W[80]; + int i, t; + + /* + * process the remaining octets_in_buffer, padding and terminating as + * necessary + */ + { + int tail = ctx->octets_in_buffer % 4; + + /* copy/xor message into array */ + for (i = 0; i < (ctx->octets_in_buffer + 3) / 4; i++) { + W[i] = be32_to_cpu(ctx->M[i]); + } + + /* set the high bit of the octet immediately following the message */ + switch (tail) { + case (3): + W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xffffff00) | 0x80; + W[i] = 0x0; + break; + case (2): + W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xffff0000) | 0x8000; + W[i] = 0x0; + break; + case (1): + W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xff000000) | 0x800000; + W[i] = 0x0; + break; + case (0): + W[i] = 0x80000000; + break; + } + + /* zeroize remaining words */ + for (i++; i < 15; i++) { + W[i] = 0x0; + } + + /* + * if there is room at the end of the word array, then set the + * last word to the bit-length of the message; otherwise, set that + * word to zero and then we need to do one more run of the + * compression algo. + */ + if (ctx->octets_in_buffer < 56) { + W[15] = ctx->num_bits_in_msg; + } else if (ctx->octets_in_buffer < 60) { + W[15] = 0x0; + } + + /* process the word array */ + for (t = 16; t < 80; t++) { + TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16]; + W[t] = S1(TEMP); + } + + A = ctx->H[0]; + B = ctx->H[1]; + C = ctx->H[2]; + D = ctx->H[3]; + E = ctx->H[4]; + + for (t = 0; t < 20; t++) { + TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; + } + for (; t < 40; t++) { + TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; + } + for (; t < 60; t++) { + TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; + } + for (; t < 80; t++) { + TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; + } + + ctx->H[0] += A; + ctx->H[1] += B; + ctx->H[2] += C; + ctx->H[3] += D; + ctx->H[4] += E; + } + + debug_print(srtp_mod_sha1, "(final) running srtp_sha1_core()", NULL); + + if (ctx->octets_in_buffer >= 56) { + debug_print(srtp_mod_sha1, "(final) running srtp_sha1_core() again", + NULL); + + /* we need to do one final run of the compression algo */ + + /* + * set initial part of word array to zeros, and set the + * final part to the number of bits in the message + */ + for (i = 0; i < 15; i++) { + W[i] = 0x0; + } + W[15] = ctx->num_bits_in_msg; + + /* process the word array */ + for (t = 16; t < 80; t++) { + TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16]; + W[t] = S1(TEMP); + } + + A = ctx->H[0]; + B = ctx->H[1]; + C = ctx->H[2]; + D = ctx->H[3]; + E = ctx->H[4]; + + for (t = 0; t < 20; t++) { + TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; + } + for (; t < 40; t++) { + TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; + } + for (; t < 60; t++) { + TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; + } + for (; t < 80; t++) { + TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; + } + + ctx->H[0] += A; + ctx->H[1] += B; + ctx->H[2] += C; + ctx->H[3] += D; + ctx->H[4] += E; + } + + /* copy result into output buffer */ + output[0] = be32_to_cpu(ctx->H[0]); + output[1] = be32_to_cpu(ctx->H[1]); + output[2] = be32_to_cpu(ctx->H[2]); + output[3] = be32_to_cpu(ctx->H[3]); + output[4] = be32_to_cpu(ctx->H[4]); + + /* indicate that message buffer in context is empty */ + ctx->octets_in_buffer = 0; + + return; +} diff --git a/netwerk/srtp/src/crypto/include/aes.h b/netwerk/srtp/src/crypto/include/aes.h new file mode 100644 index 0000000000..779c3ac744 --- /dev/null +++ b/netwerk/srtp/src/crypto/include/aes.h @@ -0,0 +1,83 @@ +/* + * aes.h + * + * header file for the AES block cipher + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef AES_H +#define AES_H + +#include "datatypes.h" +#include "err.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* aes internals */ + +typedef struct { + v128_t round[15]; + int num_rounds; +} srtp_aes_expanded_key_t; + +srtp_err_status_t srtp_aes_expand_encryption_key( + const uint8_t *key, + int key_len, + srtp_aes_expanded_key_t *expanded_key); + +srtp_err_status_t srtp_aes_expand_decryption_key( + const uint8_t *key, + int key_len, + srtp_aes_expanded_key_t *expanded_key); + +void srtp_aes_encrypt(v128_t *plaintext, + const srtp_aes_expanded_key_t *exp_key); + +void srtp_aes_decrypt(v128_t *plaintext, + const srtp_aes_expanded_key_t *exp_key); + +#ifdef __cplusplus +} +#endif + +#endif /* AES_H */ diff --git a/netwerk/srtp/src/crypto/include/aes_gcm.h b/netwerk/srtp/src/crypto/include/aes_gcm.h new file mode 100644 index 0000000000..f59d04dbca --- /dev/null +++ b/netwerk/srtp/src/crypto/include/aes_gcm.h @@ -0,0 +1,87 @@ +/* + * aes_gcm.h + * + * Header for AES Galois Counter Mode. + * + * John A. Foley + * Cisco Systems, Inc. + * + */ +/* + * + * Copyright (c) 2013-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef AES_GCM_H +#define AES_GCM_H + +#include "cipher.h" +#include "srtp.h" +#include "datatypes.h" + +#ifdef OPENSSL + +#include <openssl/evp.h> +#include <openssl/aes.h> + +typedef struct { + int key_size; + int tag_len; + EVP_CIPHER_CTX *ctx; + srtp_cipher_direction_t dir; +} srtp_aes_gcm_ctx_t; + +#endif /* OPENSSL */ + +#ifdef NSS + +#include <pk11pub.h> + +#define MAX_AD_SIZE 2048 + +typedef struct { + int key_size; + int tag_size; + srtp_cipher_direction_t dir; + PK11SymKey *key; + uint8_t iv[12]; + uint8_t aad[MAX_AD_SIZE]; + int aad_size; + CK_GCM_PARAMS params; + uint8_t tag[16]; +} srtp_aes_gcm_ctx_t; + +#endif /* NSS */ + +#endif /* AES_GCM_H */ diff --git a/netwerk/srtp/src/crypto/include/aes_icm.h b/netwerk/srtp/src/crypto/include/aes_icm.h new file mode 100644 index 0000000000..8ded156a29 --- /dev/null +++ b/netwerk/srtp/src/crypto/include/aes_icm.h @@ -0,0 +1,62 @@ +/* + * aes_icm.h + * + * Header for AES Integer Counter Mode. + * + * David A. McGrew + * Cisco Systems, Inc. + * + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef AES_ICM_H +#define AES_ICM_H + +#include "aes.h" +#include "cipher.h" + +typedef struct { + v128_t counter; /* holds the counter value */ + v128_t offset; /* initial offset value */ + v128_t keystream_buffer; /* buffers bytes of keystream */ + srtp_aes_expanded_key_t expanded_key; /* the cipher key */ + int bytes_in_buffer; /* number of unused bytes in buffer */ + int key_size; /* AES key size + 14 byte SALT */ +} srtp_aes_icm_ctx_t; + +#endif /* AES_ICM_H */ diff --git a/netwerk/srtp/src/crypto/include/aes_icm_ext.h b/netwerk/srtp/src/crypto/include/aes_icm_ext.h new file mode 100644 index 0000000000..6518d40b06 --- /dev/null +++ b/netwerk/srtp/src/crypto/include/aes_icm_ext.h @@ -0,0 +1,81 @@ +/* + * aes_icm.h + * + * Header for AES Integer Counter Mode. + * + * David A. McGrew + * Cisco Systems, Inc. + * + */ +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef AES_ICM_H +#define AES_ICM_H + +#include "cipher.h" +#include "datatypes.h" + +#ifdef OPENSSL + +#include <openssl/evp.h> +#include <openssl/aes.h> + +typedef struct { + v128_t counter; /* holds the counter value */ + v128_t offset; /* initial offset value */ + int key_size; + EVP_CIPHER_CTX *ctx; +} srtp_aes_icm_ctx_t; + +#endif /* OPENSSL */ + +#ifdef NSS + +#include <pk11pub.h> + +typedef struct { + v128_t counter; + v128_t offset; + int key_size; + uint8_t iv[16]; + PK11SymKey *key; + PK11Context *ctx; +} srtp_aes_icm_ctx_t; + +#endif /* NSS */ + +#endif /* AES_ICM_H */ diff --git a/netwerk/srtp/src/crypto/include/alloc.h b/netwerk/srtp/src/crypto/include/alloc.h new file mode 100644 index 0000000000..1fc041014d --- /dev/null +++ b/netwerk/srtp/src/crypto/include/alloc.h @@ -0,0 +1,76 @@ +/* + * alloc.h + * + * interface to memory allocation and deallocation, with optional debugging + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef CRYPTO_ALLOC_H +#define CRYPTO_ALLOC_H + +#include "datatypes.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * srtp_crypto_alloc + * + * Allocates a block of memory of given size. The memory will be + * initialized to zero's. Free the memory with a call to srtp_crypto_free. + * + * returns pointer to memory on success or else NULL + */ +void *srtp_crypto_alloc(size_t size); + +/* + * srtp_crypto_free + * + * Frees the block of memory ptr previously allocated with + * srtp_crypto_alloc + */ +void srtp_crypto_free(void *ptr); + +#ifdef __cplusplus +} +#endif + +#endif /* CRYPTO_ALLOC_H */ diff --git a/netwerk/srtp/src/crypto/include/auth.h b/netwerk/srtp/src/crypto/include/auth.h new file mode 100644 index 0000000000..774ea1687b --- /dev/null +++ b/netwerk/srtp/src/crypto/include/auth.h @@ -0,0 +1,173 @@ +/* + * auth.h + * + * common interface to authentication functions + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef SRTP_AUTH_H +#define SRTP_AUTH_H + +#include "srtp.h" +#include "crypto_types.h" /* for values of auth_type_id_t */ + +#ifdef __cplusplus +extern "C" { +#endif + +typedef const struct srtp_auth_type_t *srtp_auth_type_pointer; +typedef struct srtp_auth_t *srtp_auth_pointer_t; + +typedef srtp_err_status_t (*srtp_auth_alloc_func)(srtp_auth_pointer_t *ap, + int key_len, + int out_len); + +typedef srtp_err_status_t (*srtp_auth_init_func)(void *state, + const uint8_t *key, + int key_len); + +typedef srtp_err_status_t (*srtp_auth_dealloc_func)(srtp_auth_pointer_t ap); + +typedef srtp_err_status_t (*srtp_auth_compute_func)(void *state, + const uint8_t *buffer, + int octets_to_auth, + int tag_len, + uint8_t *tag); + +typedef srtp_err_status_t (*srtp_auth_update_func)(void *state, + const uint8_t *buffer, + int octets_to_auth); + +typedef srtp_err_status_t (*srtp_auth_start_func)(void *state); + +/* some syntactic sugar on these function types */ +#define srtp_auth_type_alloc(at, a, klen, outlen) \ + ((at)->alloc((a), (klen), (outlen))) + +#define srtp_auth_init(a, key) \ + (((a)->type)->init((a)->state, (key), ((a)->key_len))) + +#define srtp_auth_compute(a, buf, len, res) \ + (((a)->type)->compute((a)->state, (buf), (len), (a)->out_len, (res))) + +#define srtp_auth_update(a, buf, len) \ + (((a)->type)->update((a)->state, (buf), (len))) + +#define srtp_auth_start(a) (((a)->type)->start((a)->state)) + +#define srtp_auth_dealloc(c) (((c)->type)->dealloc(c)) + +/* functions to get information about a particular auth_t */ +int srtp_auth_get_key_length(const struct srtp_auth_t *a); + +int srtp_auth_get_tag_length(const struct srtp_auth_t *a); + +int srtp_auth_get_prefix_length(const struct srtp_auth_t *a); + +/* + * srtp_auth_test_case_t is a (list of) key/message/tag values that are + * known to be correct for a particular cipher. this data can be used + * to test an implementation in an on-the-fly self test of the + * correctness of the implementation. (see the srtp_auth_type_self_test() + * function below) + */ +typedef struct srtp_auth_test_case_t { + int key_length_octets; /* octets in key */ + const uint8_t *key; /* key */ + int data_length_octets; /* octets in data */ + const uint8_t *data; /* data */ + int tag_length_octets; /* octets in tag */ + const uint8_t *tag; /* tag */ + const struct srtp_auth_test_case_t + *next_test_case; /* pointer to next testcase */ +} srtp_auth_test_case_t; + +/* srtp_auth_type_t */ +typedef struct srtp_auth_type_t { + srtp_auth_alloc_func alloc; + srtp_auth_dealloc_func dealloc; + srtp_auth_init_func init; + srtp_auth_compute_func compute; + srtp_auth_update_func update; + srtp_auth_start_func start; + const char *description; + const srtp_auth_test_case_t *test_data; + srtp_auth_type_id_t id; +} srtp_auth_type_t; + +typedef struct srtp_auth_t { + const srtp_auth_type_t *type; + void *state; + int out_len; /* length of output tag in octets */ + int key_len; /* length of key in octets */ + int prefix_len; /* length of keystream prefix */ +} srtp_auth_t; + +/* + * srtp_auth_type_self_test() tests an auth_type against test cases + * provided in an array of values of key/message/tag that is known to + * be good + */ +srtp_err_status_t srtp_auth_type_self_test(const srtp_auth_type_t *at); + +/* + * srtp_auth_type_test() tests an auth_type against external test cases + * provided in an array of values of key/message/tag that is known to + * be good + */ +srtp_err_status_t srtp_auth_type_test(const srtp_auth_type_t *at, + const srtp_auth_test_case_t *test_data); + +/* + * srtp_replace_auth_type(ct, id) + * + * replaces srtp's kernel's auth type implementation for the auth_type id + * with a new one passed in externally. The new auth type must pass all the + * existing auth_type's self tests as well as its own. + */ +srtp_err_status_t srtp_replace_auth_type(const srtp_auth_type_t *ct, + srtp_auth_type_id_t id); + +#ifdef __cplusplus +} +#endif + +#endif /* SRTP_AUTH_H */ diff --git a/netwerk/srtp/src/crypto/include/cipher.h b/netwerk/srtp/src/crypto/include/cipher.h new file mode 100644 index 0000000000..4f14e3560f --- /dev/null +++ b/netwerk/srtp/src/crypto/include/cipher.h @@ -0,0 +1,248 @@ +/* + * cipher.h + * + * common interface to ciphers + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef SRTP_CIPHER_H +#define SRTP_CIPHER_H + +#include "srtp.h" +#include "crypto_types.h" /* for values of cipher_type_id_t */ + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * srtp_cipher_direction_t defines a particular cipher operation. + * + * A srtp_cipher_direction_t is an enum that describes a particular cipher + * operation, i.e. encryption or decryption. For some ciphers, this + * distinction does not matter, but for others, it is essential. + */ +typedef enum { + srtp_direction_encrypt, /**< encryption (convert plaintext to ciphertext) */ + srtp_direction_decrypt, /**< decryption (convert ciphertext to plaintext) */ + srtp_direction_any /**< encryption or decryption */ +} srtp_cipher_direction_t; + +/* + * the srtp_cipher_pointer_t definition is needed + * as srtp_cipher_t is not yet defined + */ +typedef struct srtp_cipher_t *srtp_cipher_pointer_t; + +/* + * a srtp_cipher_alloc_func_t allocates (but does not initialize) a + * srtp_cipher_t + */ +typedef srtp_err_status_t (*srtp_cipher_alloc_func_t)(srtp_cipher_pointer_t *cp, + int key_len, + int tag_len); + +/* + * a srtp_cipher_init_func_t [re-]initializes a cipher_t with a given key + */ +typedef srtp_err_status_t (*srtp_cipher_init_func_t)(void *state, + const uint8_t *key); + +/* a srtp_cipher_dealloc_func_t de-allocates a cipher_t */ +typedef srtp_err_status_t (*srtp_cipher_dealloc_func_t)( + srtp_cipher_pointer_t cp); + +/* + * a srtp_cipher_set_aad_func_t processes the AAD data for AEAD ciphers + */ +typedef srtp_err_status_t (*srtp_cipher_set_aad_func_t)(void *state, + const uint8_t *aad, + uint32_t aad_len); + +/* a srtp_cipher_encrypt_func_t encrypts data in-place */ +typedef srtp_err_status_t (*srtp_cipher_encrypt_func_t)( + void *state, + uint8_t *buffer, + unsigned int *octets_to_encrypt); + +/* a srtp_cipher_decrypt_func_t decrypts data in-place */ +typedef srtp_err_status_t (*srtp_cipher_decrypt_func_t)( + void *state, + uint8_t *buffer, + unsigned int *octets_to_decrypt); + +/* + * a srtp_cipher_set_iv_func_t function sets the current initialization vector + */ +typedef srtp_err_status_t (*srtp_cipher_set_iv_func_t)( + void *state, + uint8_t *iv, + srtp_cipher_direction_t direction); + +/* + * a cipher_get_tag_func_t function is used to get the authentication + * tag that was calculated by an AEAD cipher. + */ +typedef srtp_err_status_t (*srtp_cipher_get_tag_func_t)(void *state, + uint8_t *tag, + uint32_t *len); + +/* + * srtp_cipher_test_case_t is a (list of) key, salt, plaintext, ciphertext, + * and aad values that are known to be correct for a + * particular cipher. this data can be used to test an implementation + * in an on-the-fly self test of the correctness of the implementation. + * (see the srtp_cipher_type_self_test() function below) + */ +typedef struct srtp_cipher_test_case_t { + int key_length_octets; /* octets in key */ + const uint8_t *key; /* key */ + uint8_t *idx; /* packet index */ + unsigned int plaintext_length_octets; /* octets in plaintext */ + const uint8_t *plaintext; /* plaintext */ + unsigned int ciphertext_length_octets; /* octets in plaintext */ + const uint8_t *ciphertext; /* ciphertext */ + int aad_length_octets; /* octets in AAD */ + const uint8_t *aad; /* AAD */ + int tag_length_octets; /* Length of AEAD tag */ + const struct srtp_cipher_test_case_t + *next_test_case; /* pointer to next testcase */ +} srtp_cipher_test_case_t; + +/* srtp_cipher_type_t defines the 'metadata' for a particular cipher type */ +typedef struct srtp_cipher_type_t { + srtp_cipher_alloc_func_t alloc; + srtp_cipher_dealloc_func_t dealloc; + srtp_cipher_init_func_t init; + srtp_cipher_set_aad_func_t set_aad; + srtp_cipher_encrypt_func_t encrypt; + srtp_cipher_encrypt_func_t decrypt; + srtp_cipher_set_iv_func_t set_iv; + srtp_cipher_get_tag_func_t get_tag; + const char *description; + const srtp_cipher_test_case_t *test_data; + srtp_cipher_type_id_t id; +} srtp_cipher_type_t; + +/* + * srtp_cipher_t defines an instantiation of a particular cipher, with fixed + * key length, key and salt values + */ +typedef struct srtp_cipher_t { + const srtp_cipher_type_t *type; + void *state; + int key_len; + int algorithm; +} srtp_cipher_t; + +/* some bookkeeping functions */ +int srtp_cipher_get_key_length(const srtp_cipher_t *c); + +/* + * srtp_cipher_type_self_test() tests a cipher against test cases provided in + * an array of values of key/srtp_xtd_seq_num_t/plaintext/ciphertext + * that is known to be good + */ +srtp_err_status_t srtp_cipher_type_self_test(const srtp_cipher_type_t *ct); + +/* + * srtp_cipher_type_test() tests a cipher against external test cases provided + * in + * an array of values of key/srtp_xtd_seq_num_t/plaintext/ciphertext + * that is known to be good + */ +srtp_err_status_t srtp_cipher_type_test( + const srtp_cipher_type_t *ct, + const srtp_cipher_test_case_t *test_data); + +/* + * srtp_cipher_bits_per_second(c, l, t) computes (an estimate of) the + * number of bits that a cipher implementation can encrypt in a second + * + * c is a cipher (which MUST be allocated and initialized already), l + * is the length in octets of the test data to be encrypted, and t is + * the number of trials + * + * if an error is encountered, then the value 0 is returned + */ +uint64_t srtp_cipher_bits_per_second(srtp_cipher_t *c, + int octets_in_buffer, + int num_trials); + +srtp_err_status_t srtp_cipher_type_alloc(const srtp_cipher_type_t *ct, + srtp_cipher_t **c, + int key_len, + int tlen); +srtp_err_status_t srtp_cipher_dealloc(srtp_cipher_t *c); +srtp_err_status_t srtp_cipher_init(srtp_cipher_t *c, const uint8_t *key); +srtp_err_status_t srtp_cipher_set_iv(srtp_cipher_t *c, + uint8_t *iv, + int direction); +srtp_err_status_t srtp_cipher_output(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *num_octets_to_output); +srtp_err_status_t srtp_cipher_encrypt(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *num_octets_to_output); +srtp_err_status_t srtp_cipher_decrypt(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *num_octets_to_output); +srtp_err_status_t srtp_cipher_get_tag(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *tag_len); +srtp_err_status_t srtp_cipher_set_aad(srtp_cipher_t *c, + const uint8_t *aad, + uint32_t aad_len); + +/* + * srtp_replace_cipher_type(ct, id) + * + * replaces srtp's existing cipher implementation for the cipher_type id + * with a new one passed in externally. The new cipher must pass all the + * existing cipher_type's self tests as well as its own. + */ +srtp_err_status_t srtp_replace_cipher_type(const srtp_cipher_type_t *ct, + srtp_cipher_type_id_t id); + +#ifdef __cplusplus +} +#endif + +#endif /* SRTP_CIPHER_H */ diff --git a/netwerk/srtp/src/crypto/include/cipher_types.h b/netwerk/srtp/src/crypto/include/cipher_types.h new file mode 100644 index 0000000000..18f0328fbb --- /dev/null +++ b/netwerk/srtp/src/crypto/include/cipher_types.h @@ -0,0 +1,84 @@ +/* + * + * Copyright(c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef CIHPER_TYPES_H +#define CIHPER_TYPES_H + +#include "cipher.h" +#include "auth.h" + +/* + * cipher types that can be included in the kernel + */ + +extern const srtp_cipher_type_t srtp_null_cipher; +extern const srtp_cipher_type_t srtp_aes_icm_128; +extern const srtp_cipher_type_t srtp_aes_icm_256; +#ifdef GCM +extern const srtp_cipher_type_t srtp_aes_icm_192; +extern const srtp_cipher_type_t srtp_aes_gcm_128; +extern const srtp_cipher_type_t srtp_aes_gcm_256; +#endif + +/* + * auth func types that can be included in the kernel + */ + +extern const srtp_auth_type_t srtp_null_auth; +extern const srtp_auth_type_t srtp_hmac; + +/* + * other generic debug modules that can be included in the kernel + */ + +extern srtp_debug_module_t srtp_mod_auth; +extern srtp_debug_module_t srtp_mod_cipher; +extern srtp_debug_module_t srtp_mod_stat; +extern srtp_debug_module_t srtp_mod_alloc; + +/* debug modules for cipher types */ +extern srtp_debug_module_t srtp_mod_aes_icm; +#ifdef OPENSSL +extern srtp_debug_module_t srtp_mod_aes_gcm; +#endif +#ifdef NSS +extern srtp_debug_module_t srtp_mod_aes_gcm; +#endif + +/* debug modules for auth types */ +extern srtp_debug_module_t srtp_mod_hmac; + +#endif diff --git a/netwerk/srtp/src/crypto/include/crypto_kernel.h b/netwerk/srtp/src/crypto/include/crypto_kernel.h new file mode 100644 index 0000000000..1f8dfa7712 --- /dev/null +++ b/netwerk/srtp/src/crypto/include/crypto_kernel.h @@ -0,0 +1,215 @@ +/* + * crypto_kernel.h + * + * header for the cryptographic kernel + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright(c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef CRYPTO_KERNEL +#define CRYPTO_KERNEL + +#include "cipher.h" +#include "auth.h" +#include "err.h" +#include "crypto_types.h" +#include "key.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * crypto_kernel_state_t defines the possible states: + * + * insecure - not yet initialized + * secure - initialized and passed self-tests + */ +typedef enum { + srtp_crypto_kernel_state_insecure, + srtp_crypto_kernel_state_secure +} srtp_crypto_kernel_state_t; + +/* + * linked list of cipher types + */ +typedef struct srtp_kernel_cipher_type { + srtp_cipher_type_id_t id; + const srtp_cipher_type_t *cipher_type; + struct srtp_kernel_cipher_type *next; +} srtp_kernel_cipher_type_t; + +/* + * linked list of auth types + */ +typedef struct srtp_kernel_auth_type { + srtp_auth_type_id_t id; + const srtp_auth_type_t *auth_type; + struct srtp_kernel_auth_type *next; +} srtp_kernel_auth_type_t; + +/* + * linked list of debug modules + */ +typedef struct srtp_kernel_debug_module { + srtp_debug_module_t *mod; + struct srtp_kernel_debug_module *next; +} srtp_kernel_debug_module_t; + +/* + * crypto_kernel_t is the data structure for the crypto kernel + * + * note that there is *exactly one* instance of this data type, + * a global variable defined in crypto_kernel.c + */ +typedef struct { + srtp_crypto_kernel_state_t state; /* current state of kernel */ + srtp_kernel_cipher_type_t *cipher_type_list; /* list of all cipher types */ + srtp_kernel_auth_type_t *auth_type_list; /* list of all auth func types */ + srtp_kernel_debug_module_t + *debug_module_list; /* list of all debug modules */ +} srtp_crypto_kernel_t; + +/* + * srtp_crypto_kernel_t external api + */ + +/* + * The function srtp_crypto_kernel_init() initialized the crypto kernel and + * runs the self-test operations on the random number generators and + * crypto algorithms. Possible return values are: + * + * srtp_err_status_ok initialization successful + * <other> init failure + * + * If any value other than srtp_err_status_ok is returned, the + * crypto_kernel MUST NOT be used. + */ +srtp_err_status_t srtp_crypto_kernel_init(void); + +/* + * The function srtp_crypto_kernel_shutdown() de-initializes the + * crypto_kernel, zeroizes keys and other cryptographic material, and + * deallocates any dynamically allocated memory. Possible return + * values are: + * + * srtp_err_status_ok shutdown successful + * <other> shutdown failure + * + */ +srtp_err_status_t srtp_crypto_kernel_shutdown(void); + +/* + * The function srtp_crypto_kernel_stats() checks the the crypto_kernel, + * running tests on the ciphers, auth funcs, and rng, and prints out a + * status report. Possible return values are: + * + * srtp_err_status_ok all tests were passed + * <other> a test failed + * + */ +srtp_err_status_t srtp_crypto_kernel_status(void); + +/* + * srtp_crypto_kernel_list_debug_modules() outputs a list of debugging modules + * + */ +srtp_err_status_t srtp_crypto_kernel_list_debug_modules(void); + +/* + * srtp_crypto_kernel_load_cipher_type() + * + */ +srtp_err_status_t srtp_crypto_kernel_load_cipher_type( + const srtp_cipher_type_t *ct, + srtp_cipher_type_id_t id); + +srtp_err_status_t srtp_crypto_kernel_load_auth_type(const srtp_auth_type_t *ct, + srtp_auth_type_id_t id); + +srtp_err_status_t srtp_crypto_kernel_load_debug_module( + srtp_debug_module_t *new_dm); + +/* + * srtp_crypto_kernel_alloc_cipher(id, cp, key_len); + * + * allocates a cipher of type id at location *cp, with key length + * key_len octets. Return values are: + * + * srtp_err_status_ok no problems + * srtp_err_status_alloc_fail an allocation failure occured + * srtp_err_status_fail couldn't find cipher with identifier 'id' + */ +srtp_err_status_t srtp_crypto_kernel_alloc_cipher(srtp_cipher_type_id_t id, + srtp_cipher_pointer_t *cp, + int key_len, + int tag_len); + +/* + * srtp_crypto_kernel_alloc_auth(id, ap, key_len, tag_len); + * + * allocates an auth function of type id at location *ap, with key + * length key_len octets and output tag length of tag_len. Return + * values are: + * + * srtp_err_status_ok no problems + * srtp_err_status_alloc_fail an allocation failure occured + * srtp_err_status_fail couldn't find auth with identifier 'id' + */ +srtp_err_status_t srtp_crypto_kernel_alloc_auth(srtp_auth_type_id_t id, + srtp_auth_pointer_t *ap, + int key_len, + int tag_len); + +/* + * srtp_crypto_kernel_set_debug_module(mod_name, v) + * + * sets dynamic debugging to the value v (0 for off, 1 for on) for the + * debug module with the name mod_name + * + * returns srtp_err_status_ok on success, srtp_err_status_fail otherwise + */ +srtp_err_status_t srtp_crypto_kernel_set_debug_module(const char *mod_name, + int v); + +#ifdef __cplusplus +} +#endif + +#endif /* CRYPTO_KERNEL */ diff --git a/netwerk/srtp/src/crypto/include/crypto_types.h b/netwerk/srtp/src/crypto/include/crypto_types.h new file mode 100644 index 0000000000..7fd3178b0b --- /dev/null +++ b/netwerk/srtp/src/crypto/include/crypto_types.h @@ -0,0 +1,116 @@ +/* + * crypto_types.h + * + * constants for cipher types and auth func types + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright(c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef SRTP_CRYPTO_TYPES_H +#define SRTP_CRYPTO_TYPES_H + +/* + * The null cipher performs no encryption. + * + * The SRTP_NULL_CIPHER leaves its inputs unaltered, during both the + * encryption and decryption operations. This cipher can be chosen + * to indicate that no encryption is to be performed. + */ +#define SRTP_NULL_CIPHER 0 + +/* + * AES-128 Integer Counter Mode (AES ICM) + * + * AES-128 ICM is the variant of counter mode that is used by + * Secure RTP. This cipher uses a 16-octet key concatenated with a + * 14-octet offset (or salt) value. + */ +#define SRTP_AES_ICM_128 1 + +/* + * AES-192 Integer Counter Mode (AES ICM) + * + * AES-128 ICM is the variant of counter mode that is used by + * Secure RTP. This cipher uses a 24-octet key concatenated with a + * 14-octet offset (or salt) value. + */ +#define SRTP_AES_ICM_192 4 + +/* + * AES-256 Integer Counter Mode (AES ICM) + * + * AES-128 ICM is the variant of counter mode that is used by + * Secure RTP. This cipher uses a 32-octet key concatenated with a + * 14-octet offset (or salt) value. + */ +#define SRTP_AES_ICM_256 5 + +/* + * AES-128_GCM Galois Counter Mode (AES GCM) + * + * AES-128 GCM is the variant of galois counter mode that is used by + * Secure RTP. This cipher uses a 16-octet key. + */ +#define SRTP_AES_GCM_128 6 + +/* + * AES-256_GCM Galois Counter Mode (AES GCM) + * + * AES-256 GCM is the variant of galois counter mode that is used by + * Secure RTP. This cipher uses a 32-octet key. + */ +#define SRTP_AES_GCM_256 7 + +/* + * The null authentication function performs no authentication. + * + * The NULL_AUTH function does nothing, and can be selected to indicate + * that authentication should not be performed. + */ +#define SRTP_NULL_AUTH 0 + +/* + * HMAC-SHA1 + * + * SRTP_HMAC_SHA1 implements the Hash-based MAC using the NIST Secure + * Hash Algorithm version 1 (SHA1). + */ +#define SRTP_HMAC_SHA1 3 + +#endif /* SRTP_CRYPTO_TYPES_H */ diff --git a/netwerk/srtp/src/crypto/include/datatypes.h b/netwerk/srtp/src/crypto/include/datatypes.h new file mode 100644 index 0000000000..182cca25b9 --- /dev/null +++ b/netwerk/srtp/src/crypto/include/datatypes.h @@ -0,0 +1,378 @@ +/* + * datatypes.h + * + * data types for bit vectors and finite fields + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef DATATYPES_H +#define DATATYPES_H + +#include "integers.h" /* definitions of uint32_t, et cetera */ +#include "alloc.h" + +#include <stdarg.h> + +#include <stdio.h> +#include <string.h> +#include <time.h> +#ifdef HAVE_NETINET_IN_H +#include <netinet/in.h> +#elif defined HAVE_WINSOCK2_H +#include <winsock2.h> +#else +#error "Platform not recognized" +#endif + +#ifdef __cplusplus +extern "C" { +#endif + +/* if DATATYPES_USE_MACROS is defined, then little functions are macros */ +#define DATATYPES_USE_MACROS + +typedef union { + uint8_t v8[2]; + uint16_t value; +} v16_t; + +typedef union { + uint8_t v8[4]; + uint16_t v16[2]; + uint32_t value; +} v32_t; + +typedef union { + uint8_t v8[8]; + uint16_t v16[4]; + uint32_t v32[2]; + uint64_t value; +} v64_t; + +typedef union { + uint8_t v8[16]; + uint16_t v16[8]; + uint32_t v32[4]; + uint64_t v64[2]; +} v128_t; + +typedef union { + uint8_t v8[32]; + uint16_t v16[16]; + uint32_t v32[8]; + uint64_t v64[4]; +} v256_t; + +/* some useful and simple math functions */ + +#define pow_2(X) ((unsigned int)1 << (X)) /* 2^X */ + +#define pow_minus_one(X) ((X) ? -1 : 1) /* (-1)^X */ + +/* + * octet_get_weight(x) returns the hamming weight (number of bits equal to + * one) in the octet x + */ + +int octet_get_weight(uint8_t octet); + +#define MAX_PRINT_STRING_LEN 1024 + +char *srtp_octet_string_hex_string(const void *str, int length); + +char *v128_bit_string(v128_t *x); + +char *v128_hex_string(v128_t *x); + +void v128_copy_octet_string(v128_t *x, const uint8_t s[16]); + +void v128_left_shift(v128_t *x, int shift_index); + +void v128_right_shift(v128_t *x, int shift_index); + +/* + * the following macros define the data manipulation functions + * + * If DATATYPES_USE_MACROS is defined, then these macros are used + * directly (and function call overhead is avoided). Otherwise, + * the macros are used through the functions defined in datatypes.c + * (and the compiler provides better warnings). + */ + +#define _v128_set_to_zero(x) \ + ((x)->v32[0] = 0, (x)->v32[1] = 0, (x)->v32[2] = 0, (x)->v32[3] = 0) + +#define _v128_copy(x, y) \ + ((x)->v32[0] = (y)->v32[0], (x)->v32[1] = (y)->v32[1], \ + (x)->v32[2] = (y)->v32[2], (x)->v32[3] = (y)->v32[3]) + +#define _v128_xor(z, x, y) \ + ((z)->v32[0] = (x)->v32[0] ^ (y)->v32[0], \ + (z)->v32[1] = (x)->v32[1] ^ (y)->v32[1], \ + (z)->v32[2] = (x)->v32[2] ^ (y)->v32[2], \ + (z)->v32[3] = (x)->v32[3] ^ (y)->v32[3]) + +#define _v128_and(z, x, y) \ + ((z)->v32[0] = (x)->v32[0] & (y)->v32[0], \ + (z)->v32[1] = (x)->v32[1] & (y)->v32[1], \ + (z)->v32[2] = (x)->v32[2] & (y)->v32[2], \ + (z)->v32[3] = (x)->v32[3] & (y)->v32[3]) + +#define _v128_or(z, x, y) \ + ((z)->v32[0] = (x)->v32[0] | (y)->v32[0], \ + (z)->v32[1] = (x)->v32[1] | (y)->v32[1], \ + (z)->v32[2] = (x)->v32[2] | (y)->v32[2], \ + (z)->v32[3] = (x)->v32[3] | (y)->v32[3]) + +#define _v128_complement(x) \ + ((x)->v32[0] = ~(x)->v32[0], (x)->v32[1] = ~(x)->v32[1], \ + (x)->v32[2] = ~(x)->v32[2], (x)->v32[3] = ~(x)->v32[3]) + +/* ok for NO_64BIT_MATH if it can compare uint64_t's (even as structures) */ +#define _v128_is_eq(x, y) \ + (((x)->v64[0] == (y)->v64[0]) && ((x)->v64[1] == (y)->v64[1])) + +#ifdef NO_64BIT_MATH +#define _v128_xor_eq(z, x) \ + ((z)->v32[0] ^= (x)->v32[0], (z)->v32[1] ^= (x)->v32[1], \ + (z)->v32[2] ^= (x)->v32[2], (z)->v32[3] ^= (x)->v32[3]) +#else +#define _v128_xor_eq(z, x) \ + ((z)->v64[0] ^= (x)->v64[0], (z)->v64[1] ^= (x)->v64[1]) +#endif + +/* NOTE! This assumes an odd ordering! */ +/* This will not be compatible directly with math on some processors */ +/* bit 0 is first 32-bit word, low order bit. in little-endian, that's + the first byte of the first 32-bit word. In big-endian, that's + the 3rd byte of the first 32-bit word */ +/* The get/set bit code is used by the replay code ONLY, and it doesn't + really care which bit is which. AES does care which bit is which, but + doesn't use the 128-bit get/set or 128-bit shifts */ + +#define _v128_get_bit(x, bit) (((((x)->v32[(bit) >> 5]) >> ((bit)&31)) & 1)) + +#define _v128_set_bit(x, bit) \ + ((((x)->v32[(bit) >> 5]) |= ((uint32_t)1 << ((bit)&31)))) + +#define _v128_clear_bit(x, bit) \ + ((((x)->v32[(bit) >> 5]) &= ~((uint32_t)1 << ((bit)&31)))) + +#define _v128_set_bit_to(x, bit, value) \ + ((value) ? _v128_set_bit(x, bit) : _v128_clear_bit(x, bit)) + +#ifdef DATATYPES_USE_MACROS /* little functions are really macros */ + +#define v128_set_to_zero(z) _v128_set_to_zero(z) +#define v128_copy(z, x) _v128_copy(z, x) +#define v128_xor(z, x, y) _v128_xor(z, x, y) +#define v128_and(z, x, y) _v128_and(z, x, y) +#define v128_or(z, x, y) _v128_or(z, x, y) +#define v128_complement(x) _v128_complement(x) +#define v128_is_eq(x, y) _v128_is_eq(x, y) +#define v128_xor_eq(x, y) _v128_xor_eq(x, y) +#define v128_get_bit(x, i) _v128_get_bit(x, i) +#define v128_set_bit(x, i) _v128_set_bit(x, i) +#define v128_clear_bit(x, i) _v128_clear_bit(x, i) +#define v128_set_bit_to(x, i, y) _v128_set_bit_to(x, i, y) + +#else + +void v128_set_to_zero(v128_t *x); + +int v128_is_eq(const v128_t *x, const v128_t *y); + +void v128_copy(v128_t *x, const v128_t *y); + +void v128_xor(v128_t *z, v128_t *x, v128_t *y); + +void v128_and(v128_t *z, v128_t *x, v128_t *y); + +void v128_or(v128_t *z, v128_t *x, v128_t *y); + +void v128_complement(v128_t *x); + +int v128_get_bit(const v128_t *x, int i); + +void v128_set_bit(v128_t *x, int i); + +void v128_clear_bit(v128_t *x, int i); + +void v128_set_bit_to(v128_t *x, int i, int y); + +#endif /* DATATYPES_USE_MACROS */ + +/* + * octet_string_is_eq(a, b, len) returns 1 if the length len strings a + * and b are not equal. It returns 0 otherwise. The running time of the + * comparison depends only on len, making this safe to use for (e.g.) + * verifying authentication tags. + */ + +int octet_string_is_eq(uint8_t *a, uint8_t *b, int len); + +/* + * A portable way to zero out memory as recommended by + * https://cryptocoding.net/index.php/Coding_rules#Clean_memory_of_secret_data + * This is used to zero memory when OPENSSL_cleanse() is not available. + */ +void srtp_cleanse(void *s, size_t len); + +/* + * Functions as a wrapper that delegates to either srtp_cleanse() or + * OPENSSL_cleanse() if available to zero memory. + */ +void octet_string_set_to_zero(void *s, size_t len); + +#if defined(HAVE_CONFIG_H) + +/* + * Convert big endian integers to CPU byte order. + */ +#ifdef WORDS_BIGENDIAN +/* Nothing to do. */ +#define be32_to_cpu(x) (x) +#define be64_to_cpu(x) (x) +#elif defined(HAVE_BYTESWAP_H) +/* We have (hopefully) optimized versions in byteswap.h */ +#include <byteswap.h> +#define be32_to_cpu(x) bswap_32((x)) +#define be64_to_cpu(x) bswap_64((x)) +#else /* WORDS_BIGENDIAN */ + +#if defined(__GNUC__) && defined(HAVE_X86) +/* Fall back. */ +static inline uint32_t be32_to_cpu(uint32_t v) +{ + /* optimized for x86. */ + asm("bswap %0" : "=r"(v) : "0"(v)); + return v; +} +#else /* HAVE_X86 */ +#ifdef HAVE_NETINET_IN_H +#include <netinet/in.h> +#elif defined HAVE_WINSOCK2_H +#include <winsock2.h> +#endif /* HAVE_NETINET_IN_H */ +#define be32_to_cpu(x) ntohl((x)) +#endif /* HAVE_X86 */ + +static inline uint64_t be64_to_cpu(uint64_t v) +{ +#ifdef NO_64BIT_MATH + /* use the make64 functions to do 64-bit math */ + v = make64(htonl(low32(v)), htonl(high32(v))); +#else /* NO_64BIT_MATH */ + /* use the native 64-bit math */ + v = (uint64_t)((be32_to_cpu((uint32_t)(v >> 32))) | + (((uint64_t)be32_to_cpu((uint32_t)v)) << 32)); +#endif /* NO_64BIT_MATH */ + return v; +} + +#endif /* WORDS_BIGENDIAN */ + +#endif /* HAVE_CONFIG_H */ + +/* + * functions manipulating bitvector_t + * + * A bitvector_t consists of an array of words and an integer + * representing the number of significant bits stored in the array. + * The bits are packed as follows: the least significant bit is that + * of word[0], while the most significant bit is the nth most + * significant bit of word[m], where length = bits_per_word * m + n. + * + */ + +#define bits_per_word 32 +#define bytes_per_word 4 + +typedef struct { + uint32_t length; + uint32_t *word; +} bitvector_t; + +#define _bitvector_get_bit(v, bit_index) \ + (((((v)->word[((bit_index) >> 5)]) >> ((bit_index)&31)) & 1)) + +#define _bitvector_set_bit(v, bit_index) \ + ((((v)->word[((bit_index) >> 5)] |= ((uint32_t)1 << ((bit_index)&31))))) + +#define _bitvector_clear_bit(v, bit_index) \ + ((((v)->word[((bit_index) >> 5)] &= ~((uint32_t)1 << ((bit_index)&31))))) + +#define _bitvector_get_length(v) (((v)->length)) + +#ifdef DATATYPES_USE_MACROS /* little functions are really macros */ + +#define bitvector_get_bit(v, bit_index) _bitvector_get_bit(v, bit_index) +#define bitvector_set_bit(v, bit_index) _bitvector_set_bit(v, bit_index) +#define bitvector_clear_bit(v, bit_index) _bitvector_clear_bit(v, bit_index) +#define bitvector_get_length(v) _bitvector_get_length(v) + +#else + +int bitvector_get_bit(const bitvector_t *v, int bit_index); + +void bitvector_set_bit(bitvector_t *v, int bit_index); + +void bitvector_clear_bit(bitvector_t *v, int bit_index); + +unsigned long bitvector_get_length(const bitvector_t *v); + +#endif + +int bitvector_alloc(bitvector_t *v, unsigned long length); + +void bitvector_dealloc(bitvector_t *v); + +void bitvector_set_to_zero(bitvector_t *x); + +void bitvector_left_shift(bitvector_t *x, int index); + +char *bitvector_bit_string(bitvector_t *x, char *buf, int len); + +#ifdef __cplusplus +} +#endif + +#endif /* DATATYPES_H */ diff --git a/netwerk/srtp/src/crypto/include/err.h b/netwerk/srtp/src/crypto/include/err.h new file mode 100644 index 0000000000..66a1023ec8 --- /dev/null +++ b/netwerk/srtp/src/crypto/include/err.h @@ -0,0 +1,134 @@ +/* + * err.h + * + * error status codes + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef ERR_H +#define ERR_H + +#include <stdio.h> +#include <stdarg.h> +#include "srtp.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * @defgroup Error Error Codes + * + * Error status codes are represented by the enumeration srtp_err_status_t. + * + * @{ + */ + +/** + * @} + */ + +typedef enum { + srtp_err_level_error, + srtp_err_level_warning, + srtp_err_level_info, + srtp_err_level_debug +} srtp_err_reporting_level_t; + +/* + * err_reporting_init prepares the error system. If + * ERR_REPORTING_STDOUT is defined, it will log to stdout. + * + */ + +srtp_err_status_t srtp_err_reporting_init(void); + +typedef void(srtp_err_report_handler_func_t)(srtp_err_reporting_level_t level, + const char *msg); + +srtp_err_status_t srtp_install_err_report_handler( + srtp_err_report_handler_func_t func); + +/* + * srtp_err_report reports a 'printf' formatted error + * string, followed by a an arg list. The level argument + * is one of srtp_err_reporting_level_t. + * + * Errors will be reported to stdout, if ERR_REPORTING_STDOUT + * is defined. + * + */ + +void srtp_err_report(srtp_err_reporting_level_t level, const char *format, ...); + +/* + * debug_module_t defines a debug module + */ + +typedef struct { + int on; /* 1 if debugging is on, 0 if it is off */ + const char *name; /* printable name for debug module */ +} srtp_debug_module_t; + +#ifdef ENABLE_DEBUG_LOGGING + +#define debug_print(mod, format, arg) \ + srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name, arg) +#define debug_print2(mod, format, arg1, arg2) \ + srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name, \ + arg1, arg2) + +#else + +#define debug_print(mod, format, arg) \ + if (mod.on) \ + srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name, arg) +#define debug_print2(mod, format, arg1, arg2) \ + if (mod.on) \ + srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name, \ + arg1, arg2) + +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* ERR_H */ diff --git a/netwerk/srtp/src/crypto/include/hmac.h b/netwerk/srtp/src/crypto/include/hmac.h new file mode 100644 index 0000000000..148818122c --- /dev/null +++ b/netwerk/srtp/src/crypto/include/hmac.h @@ -0,0 +1,58 @@ +/* + * hmac.h + * + * interface to hmac srtp_auth_type_t + * + * David A. McGrew + * Cisco Systems, Inc. + * + */ +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef HMAC_H +#define HMAC_H + +#include "auth.h" +#include "sha1.h" + +typedef struct { + uint8_t opad[64]; + srtp_sha1_ctx_t ctx; + srtp_sha1_ctx_t init_ctx; +} srtp_hmac_ctx_t; + +#endif /* HMAC_H */ diff --git a/netwerk/srtp/src/crypto/include/integers.h b/netwerk/srtp/src/crypto/include/integers.h new file mode 100644 index 0000000000..f2cd7c064d --- /dev/null +++ b/netwerk/srtp/src/crypto/include/integers.h @@ -0,0 +1,146 @@ +/* + * integers.h + * + * defines integer types (or refers to their definitions) + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef INTEGERS_H +#define INTEGERS_H + +/* use standard integer definitions, if they're available */ +#ifdef HAVE_STDLIB_H +#include <stdlib.h> +#endif +#ifdef HAVE_STDINT_H +#include <stdint.h> +#endif +#ifdef HAVE_INTTYPES_H +#include <inttypes.h> +#endif +#ifdef HAVE_SYS_TYPES_H +#include <sys/types.h> +#endif +#ifdef HAVE_SYS_INT_TYPES_H +#include <sys/int_types.h> /* this exists on Sun OS */ +#endif +#ifdef HAVE_MACHINE_TYPES_H +#include <machine/types.h> +#endif + +#ifdef __cplusplus +extern "C" { +#endif + +/* Can we do 64 bit integers? */ +#if !defined(HAVE_UINT64_T) +#if SIZEOF_UNSIGNED_LONG == 8 +typedef unsigned long uint64_t; +#elif SIZEOF_UNSIGNED_LONG_LONG == 8 +typedef unsigned long long uint64_t; +#else +#define NO_64BIT_MATH 1 +#endif +#endif + +/* Reasonable defaults for 32 bit machines - you may need to + * edit these definitions for your own machine. */ +#ifndef HAVE_UINT8_T +typedef unsigned char uint8_t; +#endif +#ifndef HAVE_UINT16_T +typedef unsigned short int uint16_t; +#endif +#ifndef HAVE_UINT32_T +typedef unsigned int uint32_t; +#endif +#ifndef HAVE_INT32_T +typedef int int32_t; +#endif + +#if defined(NO_64BIT_MATH) && defined(HAVE_CONFIG_H) +typedef double uint64_t; +/* assert that sizeof(double) == 8 */ +extern uint64_t make64(uint32_t high, uint32_t low); +extern uint32_t high32(uint64_t value); +extern uint32_t low32(uint64_t value); +#endif + +/* These macros are to load and store 32-bit values from un-aligned + addresses. This is required for processors that do not allow unaligned + loads. */ +#ifdef ALIGNMENT_32BIT_REQUIRED +/* Note that if it's in a variable, you can memcpy it */ +#ifdef WORDS_BIGENDIAN +#define PUT_32(addr, value) \ + { \ + ((unsigned char *)(addr))[0] = (value >> 24); \ + ((unsigned char *)(addr))[1] = (value >> 16) & 0xff; \ + ((unsigned char *)(addr))[2] = (value >> 8) & 0xff; \ + ((unsigned char *)(addr))[3] = (value)&0xff; \ + } +#define GET_32(addr) \ + ((((unsigned char *)(addr))[0] << 24) | \ + (((unsigned char *)(addr))[1] << 16) | \ + (((unsigned char *)(addr))[2] << 8) | (((unsigned char *)(addr))[3])) +#else +#define PUT_32(addr, value) \ + { \ + ((unsigned char *)(addr))[3] = (value >> 24); \ + ((unsigned char *)(addr))[2] = (value >> 16) & 0xff; \ + ((unsigned char *)(addr))[1] = (value >> 8) & 0xff; \ + ((unsigned char *)(addr))[0] = (value)&0xff; \ + } +#define GET_32(addr) \ + ((((unsigned char *)(addr))[3] << 24) | \ + (((unsigned char *)(addr))[2] << 16) | \ + (((unsigned char *)(addr))[1] << 8) | (((unsigned char *)(addr))[0])) +#endif // WORDS_BIGENDIAN +#else +#define PUT_32(addr, value) *(((uint32_t *) (addr)) = (value) +#define GET_32(addr) (*(((uint32_t *) (addr))) +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* INTEGERS_H */ diff --git a/netwerk/srtp/src/crypto/include/key.h b/netwerk/srtp/src/crypto/include/key.h new file mode 100644 index 0000000000..3498114b05 --- /dev/null +++ b/netwerk/srtp/src/crypto/include/key.h @@ -0,0 +1,88 @@ +/* + * key.h + * + * key usage limits enforcement + * + * David A. Mcgrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef KEY_H +#define KEY_H + +#include "rdbx.h" /* for srtp_xtd_seq_num_t */ +#include "err.h" + +#ifdef __cplusplus +extern "C" { +#endif + +typedef struct srtp_key_limit_ctx_t *srtp_key_limit_t; + +typedef enum { + srtp_key_event_normal, + srtp_key_event_soft_limit, + srtp_key_event_hard_limit +} srtp_key_event_t; + +srtp_err_status_t srtp_key_limit_set(srtp_key_limit_t key, + const srtp_xtd_seq_num_t s); + +srtp_err_status_t srtp_key_limit_clone(srtp_key_limit_t original, + srtp_key_limit_t *new_key); + +srtp_err_status_t srtp_key_limit_check(const srtp_key_limit_t key); + +srtp_key_event_t srtp_key_limit_update(srtp_key_limit_t key); + +typedef enum { + srtp_key_state_normal, + srtp_key_state_past_soft_limit, + srtp_key_state_expired +} srtp_key_state_t; + +typedef struct srtp_key_limit_ctx_t { + srtp_xtd_seq_num_t num_left; + srtp_key_state_t state; +} srtp_key_limit_ctx_t; + +#ifdef __cplusplus +} +#endif + +#endif /* KEY_H */ diff --git a/netwerk/srtp/src/crypto/include/null_auth.h b/netwerk/srtp/src/crypto/include/null_auth.h new file mode 100644 index 0000000000..490dd7bc0f --- /dev/null +++ b/netwerk/srtp/src/crypto/include/null_auth.h @@ -0,0 +1,73 @@ +/* + * null-auth.h + * + * David A. McGrew + * Cisco Systems, Inc. + * + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef NULL_AUTH_H +#define NULL_AUTH_H + +#include "auth.h" + +#ifdef __cplusplus +extern "C" { +#endif + +typedef struct { + char foo; +} srtp_null_auth_ctx_t; + +#if 0 +srtp_err_status_t srtp_null_auth_alloc(srtp_auth_t **a, int key_len, int out_len); + +srtp_err_status_t srtp_null_auth_dealloc(srtp_auth_t *a); + +srtp_err_status_t srtp_null_auth_init(srtp_null_auth_ctx_t *state, const uint8_t *key, int key_len); + +srtp_err_status_t srtp_null_auth_compute(srtp_null_auth_ctx_t *state, uint8_t *message, int msg_octets, int tag_len, uint8_t *result); + +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* NULL_AUTH_H */ diff --git a/netwerk/srtp/src/crypto/include/null_cipher.h b/netwerk/srtp/src/crypto/include/null_cipher.h new file mode 100644 index 0000000000..5e8c91c134 --- /dev/null +++ b/netwerk/srtp/src/crypto/include/null_cipher.h @@ -0,0 +1,57 @@ +/* + * null-cipher.h + * + * header file for the null cipher + * + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef NULL_CIPHER_H +#define NULL_CIPHER_H + +#include "datatypes.h" +#include "cipher.h" + +typedef struct { + char foo; /* empty, for now */ +} srtp_null_cipher_ctx_t; + +#endif /* NULL_CIPHER_H */ diff --git a/netwerk/srtp/src/crypto/include/rdb.h b/netwerk/srtp/src/crypto/include/rdb.h new file mode 100644 index 0000000000..98314c1f3e --- /dev/null +++ b/netwerk/srtp/src/crypto/include/rdb.h @@ -0,0 +1,125 @@ +/* + * replay-database.h + * + * interface for a replay database for packet security + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef REPLAY_DB_H +#define REPLAY_DB_H + +#include "integers.h" /* for uint32_t */ +#include "datatypes.h" /* for v128_t */ +#include "err.h" /* for srtp_err_status_t */ + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * if the ith least significant bit is one, then the packet index + * window_end-i is in the database + */ + +typedef struct { + uint32_t window_start; /* packet index of the first bit in bitmask */ + v128_t bitmask; +} srtp_rdb_t; + +#define rdb_bits_in_bitmask (8 * sizeof(v128_t)) + +/* + * srtp_rdb_init + * + * initalizes rdb + * + * returns srtp_err_status_ok on success, srtp_err_status_t_fail otherwise + */ +srtp_err_status_t srtp_rdb_init(srtp_rdb_t *rdb); + +/* + * srtp_rdb_check + * + * checks to see if index appears in rdb + * + * returns srtp_err_status_fail if the index already appears in rdb, + * returns srtp_err_status_ok otherwise + */ +srtp_err_status_t srtp_rdb_check(const srtp_rdb_t *rdb, uint32_t rdb_index); + +/* + * srtp_rdb_add_index + * + * adds index to srtp_rdb_t (and does *not* check if index appears in db) + * + * returns srtp_err_status_ok on success, srtp_err_status_fail otherwise + * + */ +srtp_err_status_t srtp_rdb_add_index(srtp_rdb_t *rdb, uint32_t rdb_index); + +/* + * the functions srtp_rdb_increment() and srtp_rdb_get_value() are for use by + * senders, not receivers - DO NOT use these functions on the same + * srtp_rdb_t upon which srtp_rdb_add_index is used! + */ + +/* + * srtp_rdb_increment(db) increments the sequence number in db, if it is + * not too high + * + * return values: + * + * srtp_err_status_ok no problem + * srtp_err_status_key_expired sequence number too high + * + */ +srtp_err_status_t srtp_rdb_increment(srtp_rdb_t *rdb); + +/* + * srtp_rdb_get_value(db) returns the current sequence number of db + */ +uint32_t srtp_rdb_get_value(const srtp_rdb_t *rdb); + +#ifdef __cplusplus +} +#endif + +#endif /* REPLAY_DB_H */ diff --git a/netwerk/srtp/src/crypto/include/rdbx.h b/netwerk/srtp/src/crypto/include/rdbx.h new file mode 100644 index 0000000000..2194178ee2 --- /dev/null +++ b/netwerk/srtp/src/crypto/include/rdbx.h @@ -0,0 +1,209 @@ +/* + * rdbx.h + * + * replay database with extended packet indices, using a rollover counter + * + * David A. McGrew + * Cisco Systems, Inc. + * + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef RDBX_H +#define RDBX_H + +#include "datatypes.h" +#include "err.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* #define ROC_TEST */ + +#ifndef ROC_TEST + +typedef uint16_t srtp_sequence_number_t; /* 16 bit sequence number */ +typedef uint32_t srtp_rollover_counter_t; /* 32 bit rollover counter */ + +#else /* use small seq_num and roc datatypes for testing purposes */ + +typedef unsigned char srtp_sequence_number_t; /* 8 bit sequence number */ +typedef uint16_t srtp_rollover_counter_t; /* 16 bit rollover counter */ + +#endif + +#define seq_num_median (1 << (8 * sizeof(srtp_sequence_number_t) - 1)) +#define seq_num_max (1 << (8 * sizeof(srtp_sequence_number_t))) + +/* + * An rtp_xtd_seq_num_t is a 64-bit unsigned integer used as an 'extended' + * sequence number. + */ +typedef uint64_t srtp_xtd_seq_num_t; + +/* + * An srtp_rdbx_t is a replay database with extended range; it uses an + * xtd_seq_num_t and a bitmask of recently received indices. + */ +typedef struct { + srtp_xtd_seq_num_t index; + bitvector_t bitmask; +} srtp_rdbx_t; + +/* + * srtp_rdbx_init(rdbx_ptr, ws) + * + * initializes the rdbx pointed to by its argument with the window size ws, + * setting the rollover counter and sequence number to zero + */ +srtp_err_status_t srtp_rdbx_init(srtp_rdbx_t *rdbx, unsigned long ws); + +/* + * srtp_rdbx_dealloc(rdbx_ptr) + * + * frees memory associated with the rdbx + */ +srtp_err_status_t srtp_rdbx_dealloc(srtp_rdbx_t *rdbx); + +/* + * srtp_rdbx_estimate_index(rdbx, guess, s) + * + * given an rdbx and a sequence number s (from a newly arrived packet), + * sets the contents of *guess to contain the best guess of the packet + * index to which s corresponds, and returns the difference between + * *guess and the locally stored synch info + */ +int32_t srtp_rdbx_estimate_index(const srtp_rdbx_t *rdbx, + srtp_xtd_seq_num_t *guess, + srtp_sequence_number_t s); + +/* + * srtp_rdbx_check(rdbx, delta); + * + * srtp_rdbx_check(&r, delta) checks to see if the xtd_seq_num_t + * which is at rdbx->window_start + delta is in the rdb + * + */ +srtp_err_status_t srtp_rdbx_check(const srtp_rdbx_t *rdbx, int difference); + +/* + * srtp_replay_add_index(rdbx, delta) + * + * adds the srtp_xtd_seq_num_t at rdbx->window_start + delta to replay_db + * (and does *not* check if that xtd_seq_num_t appears in db) + * + * this function should be called *only* after replay_check has + * indicated that the index does not appear in the rdbx, and a mutex + * should protect the rdbx between these calls if necessary. + */ +srtp_err_status_t srtp_rdbx_add_index(srtp_rdbx_t *rdbx, int delta); + +/* + * srtp_rdbx_set_roc(rdbx, roc) initalizes the srtp_rdbx_t at the location rdbx + * to have the rollover counter value roc. If that value is less than + * the current rollover counter value, then the function returns + * srtp_err_status_replay_old; otherwise, srtp_err_status_ok is returned. + * + */ +srtp_err_status_t srtp_rdbx_set_roc(srtp_rdbx_t *rdbx, uint32_t roc); + +/* + * srtp_rdbx_get_packet_index(rdbx) returns the value of the rollover counter + * for + * the srtp_rdbx_t pointed to by rdbx + * + */ +srtp_xtd_seq_num_t srtp_rdbx_get_packet_index(const srtp_rdbx_t *rdbx); + +/* + * srtp_xtd_seq_num_t functions - these are *internal* functions of rdbx, and + * shouldn't be used to manipulate rdbx internal values. use the rdbx + * api instead! + */ + +/* + * srtp_rdbx_get_ws(rdbx_ptr) + * + * gets the window size which was used to initialize the rdbx + */ +unsigned long srtp_rdbx_get_window_size(const srtp_rdbx_t *rdbx); + +/* index_init(&pi) initializes a packet index pi (sets it to zero) */ +void srtp_index_init(srtp_xtd_seq_num_t *pi); + +/* index_advance(&pi, s) advances a xtd_seq_num_t forward by s */ +void srtp_index_advance(srtp_xtd_seq_num_t *pi, srtp_sequence_number_t s); + +/* + * srtp_index_guess(local, guess, s) + * + * given a srtp_xtd_seq_num_t local (which represents the highest + * known-to-be-good index) and a sequence number s (from a newly + * arrived packet), sets the contents of *guess to contain the best + * guess of the packet index to which s corresponds, and returns the + * difference between *guess and *local + */ +int32_t srtp_index_guess(const srtp_xtd_seq_num_t *local, + srtp_xtd_seq_num_t *guess, + srtp_sequence_number_t s); + +/* + * srtp_rdbx_get_roc(rdbx) + * + * Get the current rollover counter + * + */ +uint32_t srtp_rdbx_get_roc(const srtp_rdbx_t *rdbx); + +/* + * srtp_rdbx_set_roc_seq(rdbx, roc, seq) initalizes the srtp_rdbx_t at the + * location rdbx to have the rollover counter value roc and packet sequence + * number seq. If the new rollover counter value is less than the current + * rollover counter value, then the function returns + * srtp_err_status_replay_old, otherwise, srtp_err_status_ok is returned. + */ +srtp_err_status_t srtp_rdbx_set_roc_seq(srtp_rdbx_t *rdbx, + uint32_t roc, + uint16_t seq); + +#ifdef __cplusplus +} +#endif + +#endif /* RDBX_H */ diff --git a/netwerk/srtp/src/crypto/include/sha1.h b/netwerk/srtp/src/crypto/include/sha1.h new file mode 100644 index 0000000000..933c1466a3 --- /dev/null +++ b/netwerk/srtp/src/crypto/include/sha1.h @@ -0,0 +1,184 @@ +/* + * sha1.h + * + * interface to the Secure Hash Algorithm v.1 (SHA-1), specified in + * FIPS 180-1 + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef SHA1_H +#define SHA1_H + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "err.h" +#ifdef OPENSSL +#include <openssl/evp.h> +#include <stdint.h> +#else +#include "datatypes.h" +#endif + +#ifdef __cplusplus +extern "C" { +#endif + +#ifdef OPENSSL + +/* + * srtp_sha1_init(&ctx) initializes the SHA1 context ctx + * + * srtp_sha1_update(&ctx, msg, len) hashes the len octets starting at msg + * into the SHA1 context + * + * srtp_sha1_final(&ctx, output) performs the final processing of the SHA1 + * context and writes the result to the 20 octets at output + * + * Return values are ignored on the EVP functions since all three + * of these functions return void. + * + */ + +/* OpenSSL 1.1.0 made EVP_MD_CTX an opaque structure, which must be allocated + using EVP_MD_CTX_new. But this function doesn't exist in OpenSSL 1.0.x. */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER + +typedef EVP_MD_CTX srtp_sha1_ctx_t; + +static inline void srtp_sha1_init(srtp_sha1_ctx_t *ctx) +{ + EVP_MD_CTX_init(ctx); + EVP_DigestInit(ctx, EVP_sha1()); +} + +static inline void srtp_sha1_update(srtp_sha1_ctx_t *ctx, + const uint8_t *M, + int octets_in_msg) +{ + EVP_DigestUpdate(ctx, M, octets_in_msg); +} + +static inline void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t *output) +{ + unsigned int len = 0; + + EVP_DigestFinal(ctx, (unsigned char *)output, &len); + EVP_MD_CTX_cleanup(ctx); +} + +#else + +typedef EVP_MD_CTX *srtp_sha1_ctx_t; + +static inline void srtp_sha1_init(srtp_sha1_ctx_t *ctx) +{ + *ctx = EVP_MD_CTX_new(); + EVP_DigestInit(*ctx, EVP_sha1()); +} + +static inline void srtp_sha1_update(srtp_sha1_ctx_t *ctx, + const uint8_t *M, + int octets_in_msg) +{ + EVP_DigestUpdate(*ctx, M, octets_in_msg); +} + +static inline void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t *output) +{ + unsigned int len = 0; + + EVP_DigestFinal(*ctx, (unsigned char *)output, &len); + EVP_MD_CTX_free(*ctx); +} +#endif + +#else + +typedef struct { + uint32_t H[5]; /* state vector */ + uint32_t M[16]; /* message buffer */ + int octets_in_buffer; /* octets of message in buffer */ + uint32_t num_bits_in_msg; /* total number of bits in message */ +} srtp_sha1_ctx_t; + +/* + * srtp_sha1_init(&ctx) initializes the SHA1 context ctx + * + * srtp_sha1_update(&ctx, msg, len) hashes the len octets starting at msg + * into the SHA1 context + * + * srtp_sha1_final(&ctx, output) performs the final processing of the SHA1 + * context and writes the result to the 20 octets at output + * + */ +void srtp_sha1_init(srtp_sha1_ctx_t *ctx); + +void srtp_sha1_update(srtp_sha1_ctx_t *ctx, + const uint8_t *M, + int octets_in_msg); + +void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t output[5]); + +/* + * The srtp_sha1_core function is INTERNAL to SHA-1, but it is declared + * here because it is also used by the cipher SEAL 3.0 in its key + * setup algorithm. + */ + +/* + * srtp_sha1_core(M, H) computes the core sha1 compression function, where M is + * the next part of the message and H is the intermediate state {H0, + * H1, ...} + * + * this function does not do any of the padding required in the + * complete sha1 function + */ +void srtp_sha1_core(const uint32_t M[16], uint32_t hash_value[5]); + +#endif /* else OPENSSL */ + +#ifdef __cplusplus +} +#endif + +#endif /* SHA1_H */ diff --git a/netwerk/srtp/src/crypto/include/stat.h b/netwerk/srtp/src/crypto/include/stat.h new file mode 100644 index 0000000000..1894e041aa --- /dev/null +++ b/netwerk/srtp/src/crypto/include/stat.h @@ -0,0 +1,66 @@ +/* + * stats.h + * + * interface to statistical test functions + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright(c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef STAT_H +#define STAT_H + +#include "datatypes.h" /* for uint8_t */ +#include "err.h" /* for srtp_err_status_t */ + +#ifdef __cplusplus +extern "C" { +#endif + +srtp_err_status_t stat_test_monobit(uint8_t *data); + +srtp_err_status_t stat_test_poker(uint8_t *data); + +srtp_err_status_t stat_test_runs(uint8_t *data); + +#ifdef __cplusplus +} +#endif + +#endif /* STAT_H */ diff --git a/netwerk/srtp/src/crypto/kernel/alloc.c b/netwerk/srtp/src/crypto/kernel/alloc.c new file mode 100644 index 0000000000..dbe58266f4 --- /dev/null +++ b/netwerk/srtp/src/crypto/kernel/alloc.c @@ -0,0 +1,101 @@ +/* + * alloc.c + * + * memory allocation and deallocation + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "alloc.h" +#include "crypto_kernel.h" + +/* the debug module for memory allocation */ + +srtp_debug_module_t srtp_mod_alloc = { + 0, /* debugging is off by default */ + "alloc" /* printable name for module */ +}; + +/* + * Nota bene: the debugging statements for srtp_crypto_alloc() and + * srtp_crypto_free() have identical prefixes, which include the addresses + * of the memory locations on which they are operating. This fact can + * be used to locate memory leaks, by turning on memory debugging, + * grepping for 'alloc', then matching alloc and free calls by + * address. + */ + +#if defined(HAVE_STDLIB_H) + +void *srtp_crypto_alloc(size_t size) +{ + void *ptr; + + if (!size) { + return NULL; + } + + ptr = calloc(1, size); + + if (ptr) { + debug_print(srtp_mod_alloc, "(location: %p) allocated", ptr); + } else { + debug_print(srtp_mod_alloc, "allocation failed (asked for %d bytes)\n", + size); + } + + return ptr; +} + +void srtp_crypto_free(void *ptr) +{ + debug_print(srtp_mod_alloc, "(location: %p) freed", ptr); + + free(ptr); +} + +#else /* we need to define our own memory allocation routines */ + +#error no memory allocation defined yet + +#endif diff --git a/netwerk/srtp/src/crypto/kernel/crypto_kernel.c b/netwerk/srtp/src/crypto/kernel/crypto_kernel.c new file mode 100644 index 0000000000..df6af7da88 --- /dev/null +++ b/netwerk/srtp/src/crypto/kernel/crypto_kernel.c @@ -0,0 +1,561 @@ +/* + * crypto_kernel.c + * + * header for the cryptographic kernel + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright(c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "alloc.h" + +#include "crypto_kernel.h" +#include "cipher_types.h" + +/* the debug module for the crypto_kernel */ + +srtp_debug_module_t srtp_mod_crypto_kernel = { + 0, /* debugging is off by default */ + "crypto kernel" /* printable name for module */ +}; + +/* crypto_kernel is a global variable, the only one of its datatype */ + +srtp_crypto_kernel_t crypto_kernel = { + srtp_crypto_kernel_state_insecure, /* start off in insecure state */ + NULL, /* no cipher types yet */ + NULL, /* no auth types yet */ + NULL /* no debug modules yet */ +}; + +#define MAX_RNG_TRIALS 25 + +srtp_err_status_t srtp_crypto_kernel_init() +{ + srtp_err_status_t status; + + /* check the security state */ + if (crypto_kernel.state == srtp_crypto_kernel_state_secure) { + /* + * we're already in the secure state, but we've been asked to + * re-initialize, so we just re-run the self-tests and then return + */ + return srtp_crypto_kernel_status(); + } + + /* initialize error reporting system */ + status = srtp_err_reporting_init(); + if (status) { + return status; + } + + /* load debug modules */ + status = srtp_crypto_kernel_load_debug_module(&srtp_mod_crypto_kernel); + if (status) { + return status; + } + status = srtp_crypto_kernel_load_debug_module(&srtp_mod_auth); + if (status) { + return status; + } + status = srtp_crypto_kernel_load_debug_module(&srtp_mod_cipher); + if (status) { + return status; + } + status = srtp_crypto_kernel_load_debug_module(&srtp_mod_stat); + if (status) { + return status; + } + status = srtp_crypto_kernel_load_debug_module(&srtp_mod_alloc); + if (status) { + return status; + } + + /* load cipher types */ + status = srtp_crypto_kernel_load_cipher_type(&srtp_null_cipher, + SRTP_NULL_CIPHER); + if (status) { + return status; + } + status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_icm_128, + SRTP_AES_ICM_128); + if (status) { + return status; + } + status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_icm_256, + SRTP_AES_ICM_256); + if (status) { + return status; + } + status = srtp_crypto_kernel_load_debug_module(&srtp_mod_aes_icm); + if (status) { + return status; + } +#ifdef GCM + status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_icm_192, + SRTP_AES_ICM_192); + if (status) { + return status; + } + status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_gcm_128, + SRTP_AES_GCM_128); + if (status) { + return status; + } + status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_gcm_256, + SRTP_AES_GCM_256); + if (status) { + return status; + } + status = srtp_crypto_kernel_load_debug_module(&srtp_mod_aes_gcm); + if (status) { + return status; + } +#endif + + /* load auth func types */ + status = srtp_crypto_kernel_load_auth_type(&srtp_null_auth, SRTP_NULL_AUTH); + if (status) { + return status; + } + status = srtp_crypto_kernel_load_auth_type(&srtp_hmac, SRTP_HMAC_SHA1); + if (status) { + return status; + } + status = srtp_crypto_kernel_load_debug_module(&srtp_mod_hmac); + if (status) { + return status; + } + + /* change state to secure */ + crypto_kernel.state = srtp_crypto_kernel_state_secure; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_crypto_kernel_status() +{ + srtp_err_status_t status; + srtp_kernel_cipher_type_t *ctype = crypto_kernel.cipher_type_list; + srtp_kernel_auth_type_t *atype = crypto_kernel.auth_type_list; + + /* for each cipher type, describe and test */ + while (ctype != NULL) { + srtp_err_report(srtp_err_level_info, "cipher: %s\n", + ctype->cipher_type->description); + srtp_err_report(srtp_err_level_info, " self-test: "); + status = srtp_cipher_type_self_test(ctype->cipher_type); + if (status) { + srtp_err_report(srtp_err_level_error, "failed with error code %d\n", + status); + exit(status); + } + srtp_err_report(srtp_err_level_info, "passed\n"); + ctype = ctype->next; + } + + /* for each auth type, describe and test */ + while (atype != NULL) { + srtp_err_report(srtp_err_level_info, "auth func: %s\n", + atype->auth_type->description); + srtp_err_report(srtp_err_level_info, " self-test: "); + status = srtp_auth_type_self_test(atype->auth_type); + if (status) { + srtp_err_report(srtp_err_level_error, "failed with error code %d\n", + status); + exit(status); + } + srtp_err_report(srtp_err_level_info, "passed\n"); + atype = atype->next; + } + + srtp_crypto_kernel_list_debug_modules(); + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_crypto_kernel_list_debug_modules() +{ + srtp_kernel_debug_module_t *dm = crypto_kernel.debug_module_list; + + /* describe each debug module */ + srtp_err_report(srtp_err_level_info, "debug modules loaded:\n"); + while (dm != NULL) { + srtp_err_report(srtp_err_level_info, " %s ", dm->mod->name); + if (dm->mod->on) { + srtp_err_report(srtp_err_level_info, "(on)\n"); + } else { + srtp_err_report(srtp_err_level_info, "(off)\n"); + } + dm = dm->next; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_crypto_kernel_shutdown() +{ + /* + * free dynamic memory used in crypto_kernel at present + */ + + /* walk down cipher type list, freeing memory */ + while (crypto_kernel.cipher_type_list != NULL) { + srtp_kernel_cipher_type_t *ctype = crypto_kernel.cipher_type_list; + crypto_kernel.cipher_type_list = ctype->next; + debug_print(srtp_mod_crypto_kernel, "freeing memory for cipher %s", + ctype->cipher_type->description); + srtp_crypto_free(ctype); + } + + /* walk down authetication module list, freeing memory */ + while (crypto_kernel.auth_type_list != NULL) { + srtp_kernel_auth_type_t *atype = crypto_kernel.auth_type_list; + crypto_kernel.auth_type_list = atype->next; + debug_print(srtp_mod_crypto_kernel, + "freeing memory for authentication %s", + atype->auth_type->description); + srtp_crypto_free(atype); + } + + /* walk down debug module list, freeing memory */ + while (crypto_kernel.debug_module_list != NULL) { + srtp_kernel_debug_module_t *kdm = crypto_kernel.debug_module_list; + crypto_kernel.debug_module_list = kdm->next; + debug_print(srtp_mod_crypto_kernel, + "freeing memory for debug module %s", kdm->mod->name); + srtp_crypto_free(kdm); + } + + /* return to insecure state */ + crypto_kernel.state = srtp_crypto_kernel_state_insecure; + + return srtp_err_status_ok; +} + +static inline srtp_err_status_t srtp_crypto_kernel_do_load_cipher_type( + const srtp_cipher_type_t *new_ct, + srtp_cipher_type_id_t id, + int replace) +{ + srtp_kernel_cipher_type_t *ctype, *new_ctype; + srtp_err_status_t status; + + /* defensive coding */ + if (new_ct == NULL) { + return srtp_err_status_bad_param; + } + + if (new_ct->id != id) { + return srtp_err_status_bad_param; + } + + /* check cipher type by running self-test */ + status = srtp_cipher_type_self_test(new_ct); + if (status) { + return status; + } + + /* walk down list, checking if this type is in the list already */ + ctype = crypto_kernel.cipher_type_list; + while (ctype != NULL) { + if (id == ctype->id) { + if (!replace) { + return srtp_err_status_bad_param; + } + status = + srtp_cipher_type_test(new_ct, ctype->cipher_type->test_data); + if (status) { + return status; + } + new_ctype = ctype; + break; + } else if (new_ct == ctype->cipher_type) { + return srtp_err_status_bad_param; + } + ctype = ctype->next; + } + + /* if not found, put new_ct at the head of the list */ + if (ctype == NULL) { + /* allocate memory */ + new_ctype = (srtp_kernel_cipher_type_t *)srtp_crypto_alloc( + sizeof(srtp_kernel_cipher_type_t)); + if (new_ctype == NULL) { + return srtp_err_status_alloc_fail; + } + new_ctype->next = crypto_kernel.cipher_type_list; + + /* set head of list to new cipher type */ + crypto_kernel.cipher_type_list = new_ctype; + } + + /* set fields */ + new_ctype->cipher_type = new_ct; + new_ctype->id = id; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_crypto_kernel_load_cipher_type( + const srtp_cipher_type_t *new_ct, + srtp_cipher_type_id_t id) +{ + return srtp_crypto_kernel_do_load_cipher_type(new_ct, id, 0); +} + +srtp_err_status_t srtp_replace_cipher_type(const srtp_cipher_type_t *new_ct, + srtp_cipher_type_id_t id) +{ + return srtp_crypto_kernel_do_load_cipher_type(new_ct, id, 1); +} + +srtp_err_status_t srtp_crypto_kernel_do_load_auth_type( + const srtp_auth_type_t *new_at, + srtp_auth_type_id_t id, + int replace) +{ + srtp_kernel_auth_type_t *atype, *new_atype; + srtp_err_status_t status; + + /* defensive coding */ + if (new_at == NULL) { + return srtp_err_status_bad_param; + } + + if (new_at->id != id) { + return srtp_err_status_bad_param; + } + + /* check auth type by running self-test */ + status = srtp_auth_type_self_test(new_at); + if (status) { + return status; + } + + /* walk down list, checking if this type is in the list already */ + atype = crypto_kernel.auth_type_list; + while (atype != NULL) { + if (id == atype->id) { + if (!replace) { + return srtp_err_status_bad_param; + } + status = srtp_auth_type_test(new_at, atype->auth_type->test_data); + if (status) { + return status; + } + new_atype = atype; + break; + } else if (new_at == atype->auth_type) { + return srtp_err_status_bad_param; + } + atype = atype->next; + } + + /* if not found, put new_at at the head of the list */ + if (atype == NULL) { + /* allocate memory */ + new_atype = (srtp_kernel_auth_type_t *)srtp_crypto_alloc( + sizeof(srtp_kernel_auth_type_t)); + if (new_atype == NULL) { + return srtp_err_status_alloc_fail; + } + + new_atype->next = crypto_kernel.auth_type_list; + /* set head of list to new auth type */ + crypto_kernel.auth_type_list = new_atype; + } + + /* set fields */ + new_atype->auth_type = new_at; + new_atype->id = id; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_crypto_kernel_load_auth_type( + const srtp_auth_type_t *new_at, + srtp_auth_type_id_t id) +{ + return srtp_crypto_kernel_do_load_auth_type(new_at, id, 0); +} + +srtp_err_status_t srtp_replace_auth_type(const srtp_auth_type_t *new_at, + srtp_auth_type_id_t id) +{ + return srtp_crypto_kernel_do_load_auth_type(new_at, id, 1); +} + +const srtp_cipher_type_t *srtp_crypto_kernel_get_cipher_type( + srtp_cipher_type_id_t id) +{ + srtp_kernel_cipher_type_t *ctype; + + /* walk down list, looking for id */ + ctype = crypto_kernel.cipher_type_list; + while (ctype != NULL) { + if (id == ctype->id) { + return ctype->cipher_type; + } + ctype = ctype->next; + } + + /* haven't found the right one, indicate failure by returning NULL */ + return NULL; +} + +srtp_err_status_t srtp_crypto_kernel_alloc_cipher(srtp_cipher_type_id_t id, + srtp_cipher_pointer_t *cp, + int key_len, + int tag_len) +{ + const srtp_cipher_type_t *ct; + + /* + * if the crypto_kernel is not yet initialized, we refuse to allocate + * any ciphers - this is a bit extra-paranoid + */ + if (crypto_kernel.state != srtp_crypto_kernel_state_secure) { + return srtp_err_status_init_fail; + } + + ct = srtp_crypto_kernel_get_cipher_type(id); + if (!ct) { + return srtp_err_status_fail; + } + + return ((ct)->alloc(cp, key_len, tag_len)); +} + +const srtp_auth_type_t *srtp_crypto_kernel_get_auth_type(srtp_auth_type_id_t id) +{ + srtp_kernel_auth_type_t *atype; + + /* walk down list, looking for id */ + atype = crypto_kernel.auth_type_list; + while (atype != NULL) { + if (id == atype->id) { + return atype->auth_type; + } + atype = atype->next; + } + + /* haven't found the right one, indicate failure by returning NULL */ + return NULL; +} + +srtp_err_status_t srtp_crypto_kernel_alloc_auth(srtp_auth_type_id_t id, + srtp_auth_pointer_t *ap, + int key_len, + int tag_len) +{ + const srtp_auth_type_t *at; + + /* + * if the crypto_kernel is not yet initialized, we refuse to allocate + * any auth functions - this is a bit extra-paranoid + */ + if (crypto_kernel.state != srtp_crypto_kernel_state_secure) { + return srtp_err_status_init_fail; + } + + at = srtp_crypto_kernel_get_auth_type(id); + if (!at) { + return srtp_err_status_fail; + } + + return ((at)->alloc(ap, key_len, tag_len)); +} + +srtp_err_status_t srtp_crypto_kernel_load_debug_module( + srtp_debug_module_t *new_dm) +{ + srtp_kernel_debug_module_t *kdm, *new; + + /* defensive coding */ + if (new_dm == NULL || new_dm->name == NULL) { + return srtp_err_status_bad_param; + } + + /* walk down list, checking if this type is in the list already */ + kdm = crypto_kernel.debug_module_list; + while (kdm != NULL) { + if (strncmp(new_dm->name, kdm->mod->name, 64) == 0) { + return srtp_err_status_bad_param; + } + kdm = kdm->next; + } + + /* put new_dm at the head of the list */ + /* allocate memory */ + new = (srtp_kernel_debug_module_t *)srtp_crypto_alloc( + sizeof(srtp_kernel_debug_module_t)); + if (new == NULL) { + return srtp_err_status_alloc_fail; + } + + /* set fields */ + new->mod = new_dm; + new->next = crypto_kernel.debug_module_list; + + /* set head of list to new cipher type */ + crypto_kernel.debug_module_list = new; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_crypto_kernel_set_debug_module(const char *name, int on) +{ + srtp_kernel_debug_module_t *kdm; + + /* walk down list, checking if this type is in the list already */ + kdm = crypto_kernel.debug_module_list; + while (kdm != NULL) { + if (strncmp(name, kdm->mod->name, 64) == 0) { + kdm->mod->on = on; + return srtp_err_status_ok; + } + kdm = kdm->next; + } + + return srtp_err_status_fail; +} diff --git a/netwerk/srtp/src/crypto/kernel/err.c b/netwerk/srtp/src/crypto/kernel/err.c new file mode 100644 index 0000000000..f443549e5a --- /dev/null +++ b/netwerk/srtp/src/crypto/kernel/err.c @@ -0,0 +1,108 @@ +/* + * err.c + * + * error status reporting functions + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright(c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "err.h" +#include "datatypes.h" +#include <string.h> + +/* srtp_err_file is the FILE to which errors are reported */ + +static FILE *srtp_err_file = NULL; + +srtp_err_status_t srtp_err_reporting_init() +{ +#ifdef ERR_REPORTING_STDOUT + srtp_err_file = stdout; +#elif defined(ERR_REPORTING_FILE) + /* open file for error reporting */ + srtp_err_file = fopen(ERR_REPORTING_FILE, "w"); + if (srtp_err_file == NULL) { + return srtp_err_status_init_fail; + } +#endif + + return srtp_err_status_ok; +} + +static srtp_err_report_handler_func_t *srtp_err_report_handler = NULL; + +srtp_err_status_t srtp_install_err_report_handler( + srtp_err_report_handler_func_t func) +{ + srtp_err_report_handler = func; + return srtp_err_status_ok; +} + +void srtp_err_report(srtp_err_reporting_level_t level, const char *format, ...) +{ + va_list args; + if (srtp_err_file != NULL) { + va_start(args, format); + vfprintf(srtp_err_file, format, args); + va_end(args); + } + if (srtp_err_report_handler != NULL) { + va_start(args, format); + char msg[512]; + if (vsnprintf(msg, sizeof(msg), format, args) > 0) { + /* strip trailing \n, callback should not have one */ + size_t l = strlen(msg); + if (l && msg[l - 1] == '\n') { + msg[l - 1] = '\0'; + } + srtp_err_report_handler(level, msg); + /* + * NOTE, need to be carefull, there is a potential that + * octet_string_set_to_zero() could + * call srtp_err_report() in the future, leading to recursion + */ + octet_string_set_to_zero(msg, sizeof(msg)); + } + va_end(args); + } +} diff --git a/netwerk/srtp/src/crypto/kernel/key.c b/netwerk/srtp/src/crypto/kernel/key.c new file mode 100644 index 0000000000..0466195046 --- /dev/null +++ b/netwerk/srtp/src/crypto/kernel/key.c @@ -0,0 +1,122 @@ +/* + * key.c + * + * key usage limits enforcement + * + * David A. Mcgrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "key.h" + +#define soft_limit 0x10000 + +srtp_err_status_t srtp_key_limit_set(srtp_key_limit_t key, + const srtp_xtd_seq_num_t s) +{ +#ifdef NO_64BIT_MATH + if (high32(s) == 0 && low32(s) < soft_limit) { + return srtp_err_status_bad_param; + } +#else + if (s < soft_limit) { + return srtp_err_status_bad_param; + } +#endif + key->num_left = s; + key->state = srtp_key_state_normal; + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_key_limit_clone(srtp_key_limit_t original, + srtp_key_limit_t *new_key) +{ + if (original == NULL) { + return srtp_err_status_bad_param; + } + *new_key = original; + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_key_limit_check(const srtp_key_limit_t key) +{ + if (key->state == srtp_key_state_expired) { + return srtp_err_status_key_expired; + } + return srtp_err_status_ok; +} + +srtp_key_event_t srtp_key_limit_update(srtp_key_limit_t key) +{ +#ifdef NO_64BIT_MATH + if (low32(key->num_left) == 0) { + // carry + key->num_left = + make64(high32(key->num_left) - 1, low32(key->num_left) - 1); + } else { + // no carry + key->num_left = make64(high32(key->num_left), low32(key->num_left) - 1); + } + if (high32(key->num_left) != 0 || low32(key->num_left) >= soft_limit) { + return srtp_key_event_normal; /* we're above the soft limit */ + } +#else + key->num_left--; + if (key->num_left >= soft_limit) { + return srtp_key_event_normal; /* we're above the soft limit */ + } +#endif + if (key->state == srtp_key_state_normal) { + /* we just passed the soft limit, so change the state */ + key->state = srtp_key_state_past_soft_limit; + } +#ifdef NO_64BIT_MATH + if (low32(key->num_left) == 0 && high32(key->num_left == 0)) +#else + if (key->num_left < 1) +#endif + { /* we just hit the hard limit */ + key->state = srtp_key_state_expired; + return srtp_key_event_hard_limit; + } + return srtp_key_event_soft_limit; +} diff --git a/netwerk/srtp/src/crypto/math/datatypes.c b/netwerk/srtp/src/crypto/math/datatypes.c new file mode 100644 index 0000000000..85c1cbf292 --- /dev/null +++ b/netwerk/srtp/src/crypto/math/datatypes.c @@ -0,0 +1,490 @@ +/* + * datatypes.c + * + * data types for finite fields and functions for input, output, and + * manipulation + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#ifdef OPENSSL +#include <openssl/crypto.h> +#endif + +#include "datatypes.h" + +static const int8_t octet_weight[256] = { + 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4, 1, 2, 2, 3, 2, 3, 3, 4, + 2, 3, 3, 4, 3, 4, 4, 5, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, + 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 1, 2, 2, 3, 2, 3, 3, 4, + 2, 3, 3, 4, 3, 4, 4, 5, 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, + 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, + 4, 5, 5, 6, 5, 6, 6, 7, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, + 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 2, 3, 3, 4, 3, 4, 4, 5, + 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, + 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, + 4, 5, 5, 6, 5, 6, 6, 7, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, + 4, 5, 5, 6, 5, 6, 6, 7, 5, 6, 6, 7, 6, 7, 7, 8 +}; + +int octet_get_weight(uint8_t octet) +{ + return (int)octet_weight[octet]; +} + +/* + * bit_string is a buffer that is used to hold output strings, e.g. + * for printing. + */ + +/* the value MAX_PRINT_STRING_LEN is defined in datatypes.h */ + +char bit_string[MAX_PRINT_STRING_LEN]; + +uint8_t srtp_nibble_to_hex_char(uint8_t nibble) +{ + char buf[16] = { '0', '1', '2', '3', '4', '5', '6', '7', + '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; + return buf[nibble & 0xF]; +} + +char *srtp_octet_string_hex_string(const void *s, int length) +{ + const uint8_t *str = (const uint8_t *)s; + int i; + + /* double length, since one octet takes two hex characters */ + length *= 2; + + /* truncate string if it would be too long */ + if (length > MAX_PRINT_STRING_LEN) + length = MAX_PRINT_STRING_LEN - 2; + + for (i = 0; i < length; i += 2) { + bit_string[i] = srtp_nibble_to_hex_char(*str >> 4); + bit_string[i + 1] = srtp_nibble_to_hex_char(*str++ & 0xF); + } + bit_string[i] = 0; /* null terminate string */ + return bit_string; +} + +char *v128_hex_string(v128_t *x) +{ + int i, j; + + for (i = j = 0; i < 16; i++) { + bit_string[j++] = srtp_nibble_to_hex_char(x->v8[i] >> 4); + bit_string[j++] = srtp_nibble_to_hex_char(x->v8[i] & 0xF); + } + + bit_string[j] = 0; /* null terminate string */ + return bit_string; +} + +char *v128_bit_string(v128_t *x) +{ + int j, i; + uint32_t mask; + + for (j = i = 0; j < 4; j++) { + for (mask = 0x80000000; mask > 0; mask >>= 1) { + if (x->v32[j] & mask) + bit_string[i] = '1'; + else + bit_string[i] = '0'; + ++i; + } + } + bit_string[128] = 0; /* null terminate string */ + + return bit_string; +} + +void v128_copy_octet_string(v128_t *x, const uint8_t s[16]) +{ +#ifdef ALIGNMENT_32BIT_REQUIRED + if ((((uint32_t)&s[0]) & 0x3) != 0) +#endif + { + x->v8[0] = s[0]; + x->v8[1] = s[1]; + x->v8[2] = s[2]; + x->v8[3] = s[3]; + x->v8[4] = s[4]; + x->v8[5] = s[5]; + x->v8[6] = s[6]; + x->v8[7] = s[7]; + x->v8[8] = s[8]; + x->v8[9] = s[9]; + x->v8[10] = s[10]; + x->v8[11] = s[11]; + x->v8[12] = s[12]; + x->v8[13] = s[13]; + x->v8[14] = s[14]; + x->v8[15] = s[15]; + } +#ifdef ALIGNMENT_32BIT_REQUIRED + else { + v128_t *v = (v128_t *)&s[0]; + + v128_copy(x, v); + } +#endif +} + +#ifndef DATATYPES_USE_MACROS /* little functions are not macros */ + +void v128_set_to_zero(v128_t *x) +{ + _v128_set_to_zero(x); +} + +void v128_copy(v128_t *x, const v128_t *y) +{ + _v128_copy(x, y); +} + +void v128_xor(v128_t *z, v128_t *x, v128_t *y) +{ + _v128_xor(z, x, y); +} + +void v128_and(v128_t *z, v128_t *x, v128_t *y) +{ + _v128_and(z, x, y); +} + +void v128_or(v128_t *z, v128_t *x, v128_t *y) +{ + _v128_or(z, x, y); +} + +void v128_complement(v128_t *x) +{ + _v128_complement(x); +} + +int v128_is_eq(const v128_t *x, const v128_t *y) +{ + return _v128_is_eq(x, y); +} + +int v128_xor_eq(v128_t *x, const v128_t *y) +{ + return _v128_xor_eq(x, y); +} + +int v128_get_bit(const v128_t *x, int i) +{ + return _v128_get_bit(x, i); +} + +void v128_set_bit(v128_t *x, int i) +{ + _v128_set_bit(x, i); +} + +void v128_clear_bit(v128_t *x, int i) +{ + _v128_clear_bit(x, i); +} + +void v128_set_bit_to(v128_t *x, int i, int y) +{ + _v128_set_bit_to(x, i, y); +} + +#endif /* DATATYPES_USE_MACROS */ + +void v128_right_shift(v128_t *x, int shift) +{ + const int base_index = shift >> 5; + const int bit_index = shift & 31; + int i, from; + uint32_t b; + + if (shift > 127) { + v128_set_to_zero(x); + return; + } + + if (bit_index == 0) { + /* copy each word from left size to right side */ + x->v32[4 - 1] = x->v32[4 - 1 - base_index]; + for (i = 4 - 1; i > base_index; i--) + x->v32[i - 1] = x->v32[i - 1 - base_index]; + + } else { + /* set each word to the "or" of the two bit-shifted words */ + for (i = 4; i > base_index; i--) { + from = i - 1 - base_index; + b = x->v32[from] << bit_index; + if (from > 0) + b |= x->v32[from - 1] >> (32 - bit_index); + x->v32[i - 1] = b; + } + } + + /* now wrap up the final portion */ + for (i = 0; i < base_index; i++) + x->v32[i] = 0; +} + +void v128_left_shift(v128_t *x, int shift) +{ + int i; + const int base_index = shift >> 5; + const int bit_index = shift & 31; + + if (shift > 127) { + v128_set_to_zero(x); + return; + } + + if (bit_index == 0) { + for (i = 0; i < 4 - base_index; i++) + x->v32[i] = x->v32[i + base_index]; + } else { + for (i = 0; i < 4 - base_index - 1; i++) + x->v32[i] = (x->v32[i + base_index] >> bit_index) ^ + (x->v32[i + base_index + 1] << (32 - bit_index)); + x->v32[4 - base_index - 1] = x->v32[4 - 1] >> bit_index; + } + + /* now wrap up the final portion */ + for (i = 4 - base_index; i < 4; i++) + x->v32[i] = 0; +} + +/* functions manipulating bitvector_t */ + +#ifndef DATATYPES_USE_MACROS /* little functions are not macros */ + +int bitvector_get_bit(const bitvector_t *v, int bit_index) +{ + return _bitvector_get_bit(v, bit_index); +} + +void bitvector_set_bit(bitvector_t *v, int bit_index) +{ + _bitvector_set_bit(v, bit_index); +} + +void bitvector_clear_bit(bitvector_t *v, int bit_index) +{ + _bitvector_clear_bit(v, bit_index); +} + +#endif /* DATATYPES_USE_MACROS */ + +int bitvector_alloc(bitvector_t *v, unsigned long length) +{ + unsigned long l; + + /* Round length up to a multiple of bits_per_word */ + length = + (length + bits_per_word - 1) & ~(unsigned long)((bits_per_word - 1)); + + l = length / bits_per_word * bytes_per_word; + + /* allocate memory, then set parameters */ + if (l == 0) { + v->word = NULL; + v->length = 0; + return -1; + } else { + v->word = (uint32_t *)srtp_crypto_alloc(l); + if (v->word == NULL) { + v->length = 0; + return -1; + } + } + v->length = length; + + /* initialize bitvector to zero */ + bitvector_set_to_zero(v); + + return 0; +} + +void bitvector_dealloc(bitvector_t *v) +{ + if (v->word != NULL) + srtp_crypto_free(v->word); + v->word = NULL; + v->length = 0; +} + +void bitvector_set_to_zero(bitvector_t *x) +{ + /* C99 guarantees that memset(0) will set the value 0 for uint32_t */ + memset(x->word, 0, x->length >> 3); +} + +char *bitvector_bit_string(bitvector_t *x, char *buf, int len) +{ + int j, i; + uint32_t mask; + + for (j = i = 0; j < (int)(x->length >> 5) && i < len - 1; j++) { + for (mask = 0x80000000; mask > 0; mask >>= 1) { + if (x->word[j] & mask) + buf[i] = '1'; + else + buf[i] = '0'; + ++i; + if (i >= len - 1) + break; + } + } + buf[i] = 0; /* null terminate string */ + + return buf; +} + +void bitvector_left_shift(bitvector_t *x, int shift) +{ + int i; + const int base_index = shift >> 5; + const int bit_index = shift & 31; + const int word_length = x->length >> 5; + + if (shift >= (int)x->length) { + bitvector_set_to_zero(x); + return; + } + + if (bit_index == 0) { + for (i = 0; i < word_length - base_index; i++) + x->word[i] = x->word[i + base_index]; + } else { + for (i = 0; i < word_length - base_index - 1; i++) + x->word[i] = (x->word[i + base_index] >> bit_index) ^ + (x->word[i + base_index + 1] << (32 - bit_index)); + x->word[word_length - base_index - 1] = + x->word[word_length - 1] >> bit_index; + } + + /* now wrap up the final portion */ + for (i = word_length - base_index; i < word_length; i++) + x->word[i] = 0; +} + +int octet_string_is_eq(uint8_t *a, uint8_t *b, int len) +{ + uint8_t *end = b + len; + uint8_t accumulator = 0; + + /* + * We use this somewhat obscure implementation to try to ensure the running + * time only depends on len, even accounting for compiler optimizations. + * The accumulator ends up zero iff the strings are equal. + */ + while (b < end) + accumulator |= (*a++ ^ *b++); + + /* Return 1 if *not* equal. */ + return accumulator != 0; +} + +void srtp_cleanse(void *s, size_t len) +{ + volatile unsigned char *p = (volatile unsigned char *)s; + while (len--) + *p++ = 0; +} + +void octet_string_set_to_zero(void *s, size_t len) +{ +#if defined(OPENSSL) && !defined(OPENSSL_CLEANSE_BROKEN) + OPENSSL_cleanse(s, len); +#else + srtp_cleanse(s, len); +#endif +} + +#ifdef TESTAPP_SOURCE + +static const char b64chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz0123456789+/"; + +static int base64_block_to_octet_triple(char *out, char *in) +{ + unsigned char sextets[4] = { 0 }; + int j = 0; + int i; + + for (i = 0; i < 4; i++) { + char *p = strchr(b64chars, in[i]); + if (p != NULL) + sextets[i] = p - b64chars; + else + j++; + } + + out[0] = (sextets[0] << 2) | (sextets[1] >> 4); + if (j < 2) + out[1] = (sextets[1] << 4) | (sextets[2] >> 2); + if (j < 1) + out[2] = (sextets[2] << 6) | sextets[3]; + return j; +} + +int base64_string_to_octet_string(char *out, int *pad, char *in, int len) +{ + int k = 0; + int i = 0; + int j = 0; + if (len % 4 != 0) + return 0; + + while (i < len && j == 0) { + j = base64_block_to_octet_triple(out + k, in + i); + k += 3; + i += 4; + } + *pad = j; + return i; +} + +#endif diff --git a/netwerk/srtp/src/crypto/math/stat.c b/netwerk/srtp/src/crypto/math/stat.c new file mode 100644 index 0000000000..6dd332b0cf --- /dev/null +++ b/netwerk/srtp/src/crypto/math/stat.c @@ -0,0 +1,213 @@ +/* + * stats.c + * + * statistical tests + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "stat.h" + +srtp_debug_module_t srtp_mod_stat = { + 0, /* debugging is off by default */ + (char *)"stat test" /* printable module name */ +}; + +/* + * each test assumes that 20,000 bits (2500 octets) of data is + * provided as input + */ + +#define STAT_TEST_DATA_LEN 2500 + +srtp_err_status_t stat_test_monobit(uint8_t *data) +{ + uint8_t *data_end = data + STAT_TEST_DATA_LEN; + uint16_t ones_count; + + ones_count = 0; + while (data < data_end) { + ones_count += octet_get_weight(*data); + data++; + } + + debug_print(srtp_mod_stat, "bit count: %d", ones_count); + + if ((ones_count < 9725) || (ones_count > 10275)) + return srtp_err_status_algo_fail; + + return srtp_err_status_ok; +} + +srtp_err_status_t stat_test_poker(uint8_t *data) +{ + int i; + uint8_t *data_end = data + STAT_TEST_DATA_LEN; + double poker; + uint16_t f[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; + + while (data < data_end) { + f[*data & 0x0f]++; /* increment freq. count for low nibble */ + f[(*data) >> 4]++; /* increment freq. count for high nibble */ + data++; + } + + poker = 0.0; + for (i = 0; i < 16; i++) + poker += (double)f[i] * f[i]; + + poker *= (16.0 / 5000.0); + poker -= 5000.0; + + debug_print(srtp_mod_stat, "poker test: %f\n", poker); + + if ((poker < 2.16) || (poker > 46.17)) + return srtp_err_status_algo_fail; + + return srtp_err_status_ok; +} + +/* + * runs[i] holds the number of runs of size (i-1) + */ + +srtp_err_status_t stat_test_runs(uint8_t *data) +{ + uint8_t *data_end = data + STAT_TEST_DATA_LEN; + uint16_t runs[6] = { 0, 0, 0, 0, 0, 0 }; + uint16_t gaps[6] = { 0, 0, 0, 0, 0, 0 }; + uint16_t lo_value[6] = { 2315, 1114, 527, 240, 103, 103 }; + uint16_t hi_value[6] = { 2685, 1386, 723, 384, 209, 209 }; + int state = 0; + uint16_t mask; + int i; + + /* + * the state variable holds the number of bits in the + * current run (or gap, if negative) + */ + + while (data < data_end) { + /* loop over the bits of this byte */ + for (mask = 1; mask < 256; mask <<= 1) { + if (*data & mask) { + /* next bit is a one */ + if (state > 0) { + /* prefix is a run, so increment the run-count */ + state++; + + /* check for long runs */ + if (state > 25) { + debug_print(srtp_mod_stat, ">25 runs: %d", state); + return srtp_err_status_algo_fail; + } + + } else if (state < 0) { + /* prefix is a gap */ + if (state < -25) { + debug_print(srtp_mod_stat, ">25 gaps: %d", state); + return srtp_err_status_algo_fail; /* long-runs test + failed */ + } + if (state < -6) { + state = -6; /* group together gaps > 5 */ + } + gaps[-1 - state]++; /* increment gap count */ + state = 1; /* set state at one set bit */ + } else { + /* state is zero; this happens only at initialization */ + state = 1; + } + } else { + /* next bit is a zero */ + if (state > 0) { + /* prefix is a run */ + if (state > 25) { + debug_print(srtp_mod_stat, ">25 runs (2): %d", state); + return srtp_err_status_algo_fail; /* long-runs test + failed */ + } + if (state > 6) { + state = 6; /* group together runs > 5 */ + } + runs[state - 1]++; /* increment run count */ + state = -1; /* set state at one zero bit */ + } else if (state < 0) { + /* prefix is a gap, so increment gap-count (decrement state) + */ + state--; + + /* check for long gaps */ + if (state < -25) { + debug_print(srtp_mod_stat, ">25 gaps (2): %d", state); + return srtp_err_status_algo_fail; + } + + } else { + /* state is zero; this happens only at initialization */ + state = -1; + } + } + } + + /* move along to next octet */ + data++; + } + + if (srtp_mod_stat.on) { + debug_print(srtp_mod_stat, "runs test", NULL); + for (i = 0; i < 6; i++) + debug_print(srtp_mod_stat, " runs[]: %d", runs[i]); + for (i = 0; i < 6; i++) + debug_print(srtp_mod_stat, " gaps[]: %d", gaps[i]); + } + + /* check run and gap counts against the fixed limits */ + for (i = 0; i < 6; i++) + if ((runs[i] < lo_value[i]) || (runs[i] > hi_value[i]) || + (gaps[i] < lo_value[i]) || (gaps[i] > hi_value[i])) + return srtp_err_status_algo_fail; + + return srtp_err_status_ok; +} diff --git a/netwerk/srtp/src/crypto/replay/rdb.c b/netwerk/srtp/src/crypto/replay/rdb.c new file mode 100644 index 0000000000..ab1c7b55b6 --- /dev/null +++ b/netwerk/srtp/src/crypto/replay/rdb.c @@ -0,0 +1,137 @@ +/* + * rdb.c + * + * Implements a replay database for packet security + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "rdb.h" + +/* + * this implementation of a replay database works as follows: + * + * window_start is the index of the first packet in the window + * bitmask a bit-buffer, containing the most recently entered + * index as the leftmost bit + * + */ + +/* srtp_rdb_init initalizes rdb */ +srtp_err_status_t srtp_rdb_init(srtp_rdb_t *rdb) +{ + v128_set_to_zero(&rdb->bitmask); + rdb->window_start = 0; + return srtp_err_status_ok; +} + +/* + * srtp_rdb_check checks to see if index appears in rdb + */ +srtp_err_status_t srtp_rdb_check(const srtp_rdb_t *rdb, uint32_t p_index) +{ + /* if the index appears after (or at very end of) the window, its good */ + if (p_index >= rdb->window_start + rdb_bits_in_bitmask) { + return srtp_err_status_ok; + } + + /* if the index appears before the window, its bad */ + if (p_index < rdb->window_start) { + return srtp_err_status_replay_old; + } + + /* otherwise, the index appears within the window, so check the bitmask */ + if (v128_get_bit(&rdb->bitmask, (p_index - rdb->window_start)) == 1) { + return srtp_err_status_replay_fail; + } + + /* otherwise, the index is okay */ + return srtp_err_status_ok; +} + +/* + * srtp_rdb_add_index adds index to srtp_rdb_t (and does *not* check if + * index appears in db) + * + * this function should be called only after srtp_rdb_check has + * indicated that the index does not appear in the rdb, e.g., a mutex + * should protect the rdb between these calls + */ +srtp_err_status_t srtp_rdb_add_index(srtp_rdb_t *rdb, uint32_t p_index) +{ + unsigned int delta; + + if (p_index < rdb->window_start) + return srtp_err_status_replay_fail; + + delta = (p_index - rdb->window_start); + if (delta < rdb_bits_in_bitmask) { + /* if the p_index is within the window, set the appropriate bit */ + v128_set_bit(&rdb->bitmask, delta); + + } else { + delta -= rdb_bits_in_bitmask - 1; + + /* shift the window forward by delta bits*/ + v128_left_shift(&rdb->bitmask, delta); + v128_set_bit(&rdb->bitmask, rdb_bits_in_bitmask - 1); + rdb->window_start += delta; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_rdb_increment(srtp_rdb_t *rdb) +{ + if (rdb->window_start >= 0x7fffffff) { + return srtp_err_status_key_expired; + } + ++rdb->window_start; + return srtp_err_status_ok; +} + +uint32_t srtp_rdb_get_value(const srtp_rdb_t *rdb) +{ + return rdb->window_start; +} diff --git a/netwerk/srtp/src/crypto/replay/rdbx.c b/netwerk/srtp/src/crypto/replay/rdbx.c new file mode 100644 index 0000000000..40cba01a1f --- /dev/null +++ b/netwerk/srtp/src/crypto/replay/rdbx.c @@ -0,0 +1,386 @@ +/* + * rdbx.c + * + * a replay database with extended range, using a rollover counter + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "rdbx.h" + +/* + * from RFC 3711: + * + * A receiver reconstructs the index i of a packet with sequence + * number SEQ using the estimate + * + * i = 2^16 * v + SEQ, + * + * where v is chosen from the set { ROC-1, ROC, ROC+1 } such that i is + * closest to the value 2^16 * ROC + s_l. If the value r+1 is used, + * then the rollover counter r in the cryptographic context is + * incremented by one (if the packet containing s is authentic). + */ + +/* + * rdbx implementation notes + * + * A srtp_xtd_seq_num_t is essentially a sequence number for which some of + * the data on the wire are implicit. It logically consists of a + * rollover counter and a sequence number; the sequence number is the + * explicit part, and the rollover counter is the implicit part. + * + * Upon receiving a sequence_number (e.g. in a newly received SRTP + * packet), the complete srtp_xtd_seq_num_t can be estimated by using a + * local srtp_xtd_seq_num_t as a basis. This is done using the function + * srtp_index_guess(&local, &guess, seq_from_packet). This function + * returns the difference of the guess and the local value. The local + * srtp_xtd_seq_num_t can be moved forward to the guess using the function + * srtp_index_advance(&guess, delta), where delta is the difference. + * + * + * A srtp_rdbx_t consists of a srtp_xtd_seq_num_t and a bitmask. The index is + * highest sequence number that has been received, and the bitmask indicates + * which of the recent indicies have been received as well. The + * highest bit in the bitmask corresponds to the index in the bitmask. + */ + +void srtp_index_init(srtp_xtd_seq_num_t *pi) +{ +#ifdef NO_64BIT_MATH + *pi = make64(0, 0); +#else + *pi = 0; +#endif +} + +void srtp_index_advance(srtp_xtd_seq_num_t *pi, srtp_sequence_number_t s) +{ +#ifdef NO_64BIT_MATH + /* a > ~b means a+b will generate a carry */ + /* s is uint16 here */ + *pi = make64(high32(*pi) + (s > ~low32(*pi) ? 1 : 0), low32(*pi) + s); +#else + *pi += s; +#endif +} + +/* + * srtp_index_guess(local, guess, s) + * + * given a srtp_xtd_seq_num_t local (which represents the last + * known-to-be-good received srtp_xtd_seq_num_t) and a sequence number s + * (from a newly arrived packet), sets the contents of *guess to + * contain the best guess of the packet index to which s corresponds, + * and returns the difference between *guess and *local + * + * nota bene - the output is a signed integer, DON'T cast it to a + * unsigned integer! + */ + +int32_t srtp_index_guess(const srtp_xtd_seq_num_t *local, + srtp_xtd_seq_num_t *guess, + srtp_sequence_number_t s) +{ +#ifdef NO_64BIT_MATH + uint32_t local_roc = ((high32(*local) << 16) | (low32(*local) >> 16)); + uint16_t local_seq = (uint16_t)(low32(*local)); +#else + uint32_t local_roc = (uint32_t)(*local >> 16); + uint16_t local_seq = (uint16_t)*local; +#endif + uint32_t guess_roc; + uint16_t guess_seq; + int32_t difference; + + if (local_seq < seq_num_median) { + if (s - local_seq > seq_num_median) { + guess_roc = local_roc - 1; + difference = s - local_seq - seq_num_max; + } else { + guess_roc = local_roc; + difference = s - local_seq; + } + } else { + if (local_seq - seq_num_median > s) { + guess_roc = local_roc + 1; + difference = s - local_seq + seq_num_max; + } else { + guess_roc = local_roc; + difference = s - local_seq; + } + } + guess_seq = s; + +/* Note: guess_roc is 32 bits, so this generates a 48-bit result! */ +#ifdef NO_64BIT_MATH + *guess = make64(guess_roc >> 16, (guess_roc << 16) | guess_seq); +#else + *guess = (((uint64_t)guess_roc) << 16) | guess_seq; +#endif + + return difference; +} + +/* + * rdbx + * + */ + +/* + * srtp_rdbx_init(&r, ws) initializes the srtp_rdbx_t pointed to by r with + * window size ws + */ +srtp_err_status_t srtp_rdbx_init(srtp_rdbx_t *rdbx, unsigned long ws) +{ + if (ws == 0) { + return srtp_err_status_bad_param; + } + + if (bitvector_alloc(&rdbx->bitmask, ws) != 0) { + return srtp_err_status_alloc_fail; + } + + srtp_index_init(&rdbx->index); + + return srtp_err_status_ok; +} + +/* + * srtp_rdbx_dealloc(&r) frees memory for the srtp_rdbx_t pointed to by r + */ +srtp_err_status_t srtp_rdbx_dealloc(srtp_rdbx_t *rdbx) +{ + bitvector_dealloc(&rdbx->bitmask); + + return srtp_err_status_ok; +} + +/* + * srtp_rdbx_set_roc(rdbx, roc) initalizes the srtp_rdbx_t at the location rdbx + * to have the rollover counter value roc. If that value is less than + * the current rollover counter value, then the function returns + * srtp_err_status_replay_old; otherwise, srtp_err_status_ok is returned. + * + */ +srtp_err_status_t srtp_rdbx_set_roc(srtp_rdbx_t *rdbx, uint32_t roc) +{ + bitvector_set_to_zero(&rdbx->bitmask); + +#ifdef NO_64BIT_MATH +#error not yet implemented +#else + + /* make sure that we're not moving backwards */ + if (roc < (rdbx->index >> 16)) { + return srtp_err_status_replay_old; + } + + rdbx->index &= 0xffff; /* retain lowest 16 bits */ + rdbx->index |= ((uint64_t)roc) << 16; /* set ROC */ +#endif + + return srtp_err_status_ok; +} + +/* + * srtp_rdbx_get_packet_index(rdbx) returns the value of the packet index + * for the srtp_rdbx_t pointed to by rdbx + * + */ +srtp_xtd_seq_num_t srtp_rdbx_get_packet_index(const srtp_rdbx_t *rdbx) +{ + return rdbx->index; +} + +/* + * srtp_rdbx_get_window_size(rdbx) returns the value of the window size + * for the srtp_rdbx_t pointed to by rdbx + * + */ +unsigned long srtp_rdbx_get_window_size(const srtp_rdbx_t *rdbx) +{ + return bitvector_get_length(&rdbx->bitmask); +} + +/* + * srtp_rdbx_check(&r, delta) checks to see if the srtp_xtd_seq_num_t + * which is at rdbx->index + delta is in the rdb + */ +srtp_err_status_t srtp_rdbx_check(const srtp_rdbx_t *rdbx, int delta) +{ + if (delta > 0) { /* if delta is positive, it's good */ + return srtp_err_status_ok; + } else if ((int)(bitvector_get_length(&rdbx->bitmask) - 1) + delta < 0) { + /* if delta is lower than the bitmask, it's bad */ + return srtp_err_status_replay_old; + } else if (bitvector_get_bit( + &rdbx->bitmask, + (int)(bitvector_get_length(&rdbx->bitmask) - 1) + delta) == + 1) { + /* delta is within the window, so check the bitmask */ + return srtp_err_status_replay_fail; + } + /* otherwise, the index is okay */ + + return srtp_err_status_ok; +} + +/* + * srtp_rdbx_add_index adds the srtp_xtd_seq_num_t at rdbx->window_start + d to + * replay_db (and does *not* check if that srtp_xtd_seq_num_t appears in db) + * + * this function should be called only after replay_check has + * indicated that the index does not appear in the rdbx, e.g., a mutex + * should protect the rdbx between these calls if need be + */ +srtp_err_status_t srtp_rdbx_add_index(srtp_rdbx_t *rdbx, int delta) +{ + if (delta > 0) { + /* shift forward by delta */ + srtp_index_advance(&rdbx->index, delta); + bitvector_left_shift(&rdbx->bitmask, delta); + bitvector_set_bit(&rdbx->bitmask, + bitvector_get_length(&rdbx->bitmask) - 1); + } else { + /* delta is in window */ + bitvector_set_bit(&rdbx->bitmask, + bitvector_get_length(&rdbx->bitmask) - 1 + delta); + } + + /* note that we need not consider the case that delta == 0 */ + + return srtp_err_status_ok; +} + +/* + * srtp_rdbx_estimate_index(rdbx, guess, s) + * + * given an rdbx and a sequence number s (from a newly arrived packet), + * sets the contents of *guess to contain the best guess of the packet + * index to which s corresponds, and returns the difference between + * *guess and the locally stored synch info + */ +int32_t srtp_rdbx_estimate_index(const srtp_rdbx_t *rdbx, + srtp_xtd_seq_num_t *guess, + srtp_sequence_number_t s) +{ +/* + * if the sequence number and rollover counter in the rdbx are + * non-zero, then use the srtp_index_guess(...) function, otherwise, just + * set the rollover counter to zero (since the srtp_index_guess(...) + * function might incorrectly guess that the rollover counter is + * 0xffffffff) + */ + +#ifdef NO_64BIT_MATH + /* seq_num_median = 0x8000 */ + if (high32(rdbx->index) > 0 || low32(rdbx->index) > seq_num_median) +#else + if (rdbx->index > seq_num_median) +#endif + { + return srtp_index_guess(&rdbx->index, guess, s); + } + +#ifdef NO_64BIT_MATH + *guess = make64(0, (uint32_t)s); +#else + *guess = s; +#endif + +#ifdef NO_64BIT_MATH + return s - (uint16_t)low32(rdbx->index); +#else + return s - (uint16_t)rdbx->index; +#endif +} + +/* + * srtp_rdbx_get_roc(rdbx) + * + * Get the current rollover counter + * + */ +uint32_t srtp_rdbx_get_roc(const srtp_rdbx_t *rdbx) +{ + uint32_t roc; + +#ifdef NO_64BIT_MATH + roc = ((high32(rdbx->index) << 16) | (low32(rdbx->index) >> 16)); +#else + roc = (uint32_t)(rdbx->index >> 16); +#endif + + return roc; +} + +/* + * srtp_rdbx_set_roc_seq(rdbx, roc, seq) initalizes the srtp_rdbx_t at the + * location rdbx to have the rollover counter value roc and packet sequence + * number seq. If the new rollover counter value is less than the current + * rollover counter value, then the function returns + * srtp_err_status_replay_old, otherwise, srtp_err_status_ok is returned. + */ +srtp_err_status_t srtp_rdbx_set_roc_seq(srtp_rdbx_t *rdbx, + uint32_t roc, + uint16_t seq) +{ +#ifdef NO_64BIT_MATH +#error not yet implemented +#else + + /* make sure that we're not moving backwards */ + if (roc < (rdbx->index >> 16)) { + return srtp_err_status_replay_old; + } + + rdbx->index = seq; + rdbx->index |= ((uint64_t)roc) << 16; /* set ROC */ +#endif + + bitvector_set_to_zero(&rdbx->bitmask); + + return srtp_err_status_ok; +} diff --git a/netwerk/srtp/src/crypto/replay/ut_sim.c b/netwerk/srtp/src/crypto/replay/ut_sim.c new file mode 100644 index 0000000000..c621c0e9f2 --- /dev/null +++ b/netwerk/srtp/src/crypto/replay/ut_sim.c @@ -0,0 +1,104 @@ +/* + * ut_sim.c + * + * an unreliable transport simulator + * (for testing replay databases and suchlike) + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "ut_sim.h" + +int ut_compar(const void *a, const void *b) +{ + return rand() > (RAND_MAX / 2) ? -1 : 1; +} + +void ut_init(ut_connection *utc) +{ + int i; + utc->index = 0; + + for (i = 0; i < UT_BUF; i++) + utc->buffer[i] = i; + + qsort(utc->buffer, UT_BUF, sizeof(uint32_t), ut_compar); + + utc->index = UT_BUF - 1; +} + +uint32_t ut_next_index(ut_connection *utc) +{ + uint32_t tmp; + + tmp = utc->buffer[0]; + utc->index++; + utc->buffer[0] = utc->index; + + qsort(utc->buffer, UT_BUF, sizeof(uint32_t), ut_compar); + + return tmp; +} + +#ifdef UT_TEST + +#include <stdio.h> + +int main() +{ + uint32_t i, irecvd, idiff; + ut_connection utc; + + ut_init(&utc); + + for (i = 0; i < 1000; i++) { + irecvd = ut_next_index(&utc); + idiff = i - irecvd; + printf("%lu\t%lu\t%d\n", i, irecvd, idiff); + } + + return 0; +} + +#endif diff --git a/netwerk/srtp/src/crypto/test/aes_calc.c b/netwerk/srtp/src/crypto/test/aes_calc.c new file mode 100644 index 0000000000..b362fd57fc --- /dev/null +++ b/netwerk/srtp/src/crypto/test/aes_calc.c @@ -0,0 +1,157 @@ +/* + * aes_calc.c + * + * A simple AES calculator for generating AES encryption values + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +/* + + Example usage (with first NIST FIPS 197 test case): + + [sh]$ test/aes_calc 000102030405060708090a0b0c0d0e0f \ + 00112233445566778899aabbccddeeff -v + + plaintext: 00112233445566778899aabbccddeeff + key: 000102030405060708090a0b0c0d0e0f + ciphertext: 69c4e0d86a7b0430d8cdb78070b4c55a + + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "aes.h" +#include <stdio.h> +#include <string.h> +#include "util.h" + +void usage(char *prog_name) +{ + printf("usage: %s <key> <plaintext> [-v]\n", prog_name); + exit(255); +} + +#define AES_MAX_KEY_LEN 32 + +int main(int argc, char *argv[]) +{ + v128_t data; + uint8_t key[AES_MAX_KEY_LEN]; + srtp_aes_expanded_key_t exp_key; + int key_len, len; + int verbose = 0; + srtp_err_status_t status; + + if (argc == 3) { + /* we're not in verbose mode */ + verbose = 0; + } else if (argc == 4) { + if (strncmp(argv[3], "-v", 2) == 0) { + /* we're in verbose mode */ + verbose = 1; + } else { + /* unrecognized flag, complain and exit */ + usage(argv[0]); + } + } else { + /* we've been fed the wrong number of arguments - compain and exit */ + usage(argv[0]); + } + + /* read in key, checking length */ + if (strlen(argv[1]) > AES_MAX_KEY_LEN * 2) { + fprintf(stderr, "error: too many digits in key " + "(should be at most %d hexadecimal digits, found %u)\n", + AES_MAX_KEY_LEN * 2, (unsigned)strlen(argv[1])); + exit(1); + } + len = hex_string_to_octet_string((char *)key, argv[1], AES_MAX_KEY_LEN * 2); + /* check that hex string is the right length */ + if (len != 32 && len != 48 && len != 64) { + fprintf(stderr, "error: bad number of digits in key " + "(should be 32/48/64 hexadecimal digits, found %d)\n", + len); + exit(1); + } + key_len = len / 2; + + /* read in plaintext, checking length */ + if (strlen(argv[2]) > 16 * 2) { + fprintf(stderr, "error: too many digits in plaintext " + "(should be %d hexadecimal digits, found %u)\n", + 16 * 2, (unsigned)strlen(argv[2])); + exit(1); + } + len = hex_string_to_octet_string((char *)(&data), argv[2], 16 * 2); + /* check that hex string is the right length */ + if (len < 16 * 2) { + fprintf(stderr, "error: too few digits in plaintext " + "(should be %d hexadecimal digits, found %d)\n", + 16 * 2, len); + exit(1); + } + + if (verbose) { + /* print out plaintext */ + printf("plaintext:\t%s\n", + octet_string_hex_string((uint8_t *)&data, 16)); + } + + /* encrypt plaintext */ + status = srtp_aes_expand_encryption_key(key, key_len, &exp_key); + if (status) { + fprintf(stderr, "error: AES key expansion failed.\n"); + exit(1); + } + + srtp_aes_encrypt(&data, &exp_key); + + /* write ciphertext to output */ + if (verbose) { + printf("key:\t\t%s\n", octet_string_hex_string(key, key_len)); + printf("ciphertext:\t"); + } + printf("%s\n", v128_hex_string(&data)); + + return 0; +} diff --git a/netwerk/srtp/src/crypto/test/cipher_driver.c b/netwerk/srtp/src/crypto/test/cipher_driver.c new file mode 100644 index 0000000000..4959c90c02 --- /dev/null +++ b/netwerk/srtp/src/crypto/test/cipher_driver.c @@ -0,0 +1,604 @@ +/* + * cipher_driver.c + * + * A driver for the generic cipher type + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> /* for printf() */ +#include <stdlib.h> /* for rand() */ +#include "getopt_s.h" +#include "cipher.h" +#ifdef GCM +#include "aes_icm_ext.h" +#include "aes_gcm.h" +#else +#include "aes_icm.h" +#endif + +#define PRINT_DEBUG 0 + +void cipher_driver_test_throughput(srtp_cipher_t *c); + +srtp_err_status_t cipher_driver_self_test(srtp_cipher_type_t *ct); + +/* + * cipher_driver_test_buffering(ct) tests the cipher's output + * buffering for correctness by checking the consistency of succesive + * calls + */ + +srtp_err_status_t cipher_driver_test_buffering(srtp_cipher_t *c); + +/* + * functions for testing cipher cache thrash + */ +srtp_err_status_t cipher_driver_test_array_throughput(srtp_cipher_type_t *ct, + int klen, + int num_cipher); + +void cipher_array_test_throughput(srtp_cipher_t *ca[], int num_cipher); + +uint64_t cipher_array_bits_per_second(srtp_cipher_t *cipher_array[], + int num_cipher, + unsigned octets_in_buffer, + int num_trials); + +srtp_err_status_t cipher_array_delete(srtp_cipher_t *cipher_array[], + int num_cipher); + +srtp_err_status_t cipher_array_alloc_init(srtp_cipher_t ***cipher_array, + int num_ciphers, + srtp_cipher_type_t *ctype, + int klen); + +void usage(char *prog_name) +{ + printf("usage: %s [ -t | -v | -a ]\n", prog_name); + exit(255); +} + +void check_status(srtp_err_status_t s) +{ + if (s) { + printf("error (code %d)\n", s); + exit(s); + } + return; +} + +/* + * null_cipher and srtp_aes_icm are the cipher meta-objects + * defined in the files in crypto/cipher subdirectory. these are + * declared external so that we can use these cipher types here + */ + +extern srtp_cipher_type_t srtp_null_cipher; +extern srtp_cipher_type_t srtp_aes_icm_128; +extern srtp_cipher_type_t srtp_aes_icm_256; +#ifdef GCM +extern srtp_cipher_type_t srtp_aes_icm_192; +extern srtp_cipher_type_t srtp_aes_gcm_128; +extern srtp_cipher_type_t srtp_aes_gcm_256; +#endif + +int main(int argc, char *argv[]) +{ + srtp_cipher_t *c = NULL; + srtp_err_status_t status; + /* clang-format off */ + unsigned char test_key[48] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + }; + /* clang-format on */ + int q; + unsigned do_timing_test = 0; + unsigned do_validation = 0; + unsigned do_array_timing_test = 0; + + /* process input arguments */ + while (1) { + q = getopt_s(argc, argv, "tva"); + if (q == -1) + break; + switch (q) { + case 't': + do_timing_test = 1; + break; + case 'v': + do_validation = 1; + break; + case 'a': + do_array_timing_test = 1; + break; + default: + usage(argv[0]); + } + } + + printf("cipher test driver\n" + "David A. McGrew\n" + "Cisco Systems, Inc.\n"); + + if (!do_validation && !do_timing_test && !do_array_timing_test) + usage(argv[0]); + + /* arry timing (cache thrash) test */ + if (do_array_timing_test) { + int max_num_cipher = 1 << 16; /* number of ciphers in cipher_array */ + int num_cipher; + + for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) + cipher_driver_test_array_throughput(&srtp_null_cipher, 0, + num_cipher); + + for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) + cipher_driver_test_array_throughput( + &srtp_aes_icm_128, SRTP_AES_ICM_128_KEY_LEN_WSALT, num_cipher); + + for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) + cipher_driver_test_array_throughput( + &srtp_aes_icm_256, SRTP_AES_ICM_256_KEY_LEN_WSALT, num_cipher); + +#ifdef GCM + for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) + cipher_driver_test_array_throughput( + &srtp_aes_icm_192, SRTP_AES_ICM_192_KEY_LEN_WSALT, num_cipher); + + for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) { + cipher_driver_test_array_throughput( + &srtp_aes_gcm_128, SRTP_AES_GCM_128_KEY_LEN_WSALT, num_cipher); + } + + for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) { + cipher_driver_test_array_throughput( + &srtp_aes_gcm_256, SRTP_AES_GCM_256_KEY_LEN_WSALT, num_cipher); + } +#endif + } + + if (do_validation) { + cipher_driver_self_test(&srtp_null_cipher); + cipher_driver_self_test(&srtp_aes_icm_128); + cipher_driver_self_test(&srtp_aes_icm_256); +#ifdef GCM + cipher_driver_self_test(&srtp_aes_icm_192); + cipher_driver_self_test(&srtp_aes_gcm_128); + cipher_driver_self_test(&srtp_aes_gcm_256); +#endif + } + + /* do timing and/or buffer_test on srtp_null_cipher */ + status = srtp_cipher_type_alloc(&srtp_null_cipher, &c, 0, 0); + check_status(status); + + status = srtp_cipher_init(c, NULL); + check_status(status); + + if (do_timing_test) + cipher_driver_test_throughput(c); + if (do_validation) { + status = cipher_driver_test_buffering(c); + check_status(status); + } + status = srtp_cipher_dealloc(c); + check_status(status); + + /* run the throughput test on the aes_icm cipher (128-bit key) */ + status = srtp_cipher_type_alloc(&srtp_aes_icm_128, &c, + SRTP_AES_ICM_128_KEY_LEN_WSALT, 0); + if (status) { + fprintf(stderr, "error: can't allocate cipher\n"); + exit(status); + } + + status = srtp_cipher_init(c, test_key); + check_status(status); + + if (do_timing_test) + cipher_driver_test_throughput(c); + + if (do_validation) { + status = cipher_driver_test_buffering(c); + check_status(status); + } + + status = srtp_cipher_dealloc(c); + check_status(status); + + /* repeat the tests with 256-bit keys */ + status = srtp_cipher_type_alloc(&srtp_aes_icm_256, &c, + SRTP_AES_ICM_256_KEY_LEN_WSALT, 0); + if (status) { + fprintf(stderr, "error: can't allocate cipher\n"); + exit(status); + } + + status = srtp_cipher_init(c, test_key); + check_status(status); + + if (do_timing_test) + cipher_driver_test_throughput(c); + + if (do_validation) { + status = cipher_driver_test_buffering(c); + check_status(status); + } + + status = srtp_cipher_dealloc(c); + check_status(status); + +#ifdef GCM + /* run the throughput test on the aes_gcm_128 cipher */ + status = srtp_cipher_type_alloc(&srtp_aes_gcm_128, &c, + SRTP_AES_GCM_128_KEY_LEN_WSALT, 8); + if (status) { + fprintf(stderr, "error: can't allocate GCM 128 cipher\n"); + exit(status); + } + status = srtp_cipher_init(c, test_key); + check_status(status); + if (do_timing_test) { + cipher_driver_test_throughput(c); + } + + // GCM ciphers don't do buffering; they're "one shot" + + status = srtp_cipher_dealloc(c); + check_status(status); + + /* run the throughput test on the aes_gcm_256 cipher */ + status = srtp_cipher_type_alloc(&srtp_aes_gcm_256, &c, + SRTP_AES_GCM_256_KEY_LEN_WSALT, 16); + if (status) { + fprintf(stderr, "error: can't allocate GCM 256 cipher\n"); + exit(status); + } + status = srtp_cipher_init(c, test_key); + check_status(status); + if (do_timing_test) { + cipher_driver_test_throughput(c); + } + + // GCM ciphers don't do buffering; they're "one shot" + + status = srtp_cipher_dealloc(c); + check_status(status); +#endif + + return 0; +} + +void cipher_driver_test_throughput(srtp_cipher_t *c) +{ + int i; + int min_enc_len = 32; + int max_enc_len = 2048; /* should be a power of two */ + int num_trials = 1000000; + + printf("timing %s throughput, key length %d:\n", c->type->description, + c->key_len); + fflush(stdout); + for (i = min_enc_len; i <= max_enc_len; i = i * 2) + printf("msg len: %d\tgigabits per second: %f\n", i, + srtp_cipher_bits_per_second(c, i, num_trials) / 1e9); +} + +srtp_err_status_t cipher_driver_self_test(srtp_cipher_type_t *ct) +{ + srtp_err_status_t status; + + printf("running cipher self-test for %s...", ct->description); + status = srtp_cipher_type_self_test(ct); + if (status) { + printf("failed with error code %d\n", status); + exit(status); + } + printf("passed\n"); + + return srtp_err_status_ok; +} + +/* + * cipher_driver_test_buffering(ct) tests the cipher's output + * buffering for correctness by checking the consistency of succesive + * calls + */ + +#define INITIAL_BUFLEN 1024 +srtp_err_status_t cipher_driver_test_buffering(srtp_cipher_t *c) +{ + int i, j, num_trials = 1000; + unsigned len, buflen = INITIAL_BUFLEN; + uint8_t buffer0[INITIAL_BUFLEN], buffer1[INITIAL_BUFLEN], *current, *end; + uint8_t idx[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x34 }; + srtp_err_status_t status; + + printf("testing output buffering for cipher %s...", c->type->description); + + for (i = 0; i < num_trials; i++) { + /* set buffers to zero */ + for (j = 0; j < (int)buflen; j++) { + buffer0[j] = buffer1[j] = 0; + } + + /* initialize cipher */ + status = srtp_cipher_set_iv(c, (uint8_t *)idx, srtp_direction_encrypt); + if (status) + return status; + + /* generate 'reference' value by encrypting all at once */ + status = srtp_cipher_encrypt(c, buffer0, &buflen); + if (status) + return status; + + /* re-initialize cipher */ + status = srtp_cipher_set_iv(c, (uint8_t *)idx, srtp_direction_encrypt); + if (status) + return status; + + /* now loop over short lengths until buffer1 is encrypted */ + current = buffer1; + end = buffer1 + buflen; + while (current < end) { + /* choose a short length */ + len = rand() & 0x01f; + + /* make sure that len doesn't cause us to overreach the buffer */ + if (current + len > end) + len = end - current; + + status = srtp_cipher_encrypt(c, current, &len); + if (status) + return status; + + /* advance pointer into buffer1 to reflect encryption */ + current += len; + + /* if buffer1 is all encrypted, break out of loop */ + if (current == end) + break; + } + + /* compare buffers */ + for (j = 0; j < (int)buflen; j++) { + if (buffer0[j] != buffer1[j]) { +#if PRINT_DEBUG + printf("test case %d failed at byte %d\n", i, j); + printf("computed: %s\n", + octet_string_hex_string(buffer1, buflen)); + printf("expected: %s\n", + octet_string_hex_string(buffer0, buflen)); +#endif + return srtp_err_status_algo_fail; + } + } + } + + printf("passed\n"); + + return srtp_err_status_ok; +} + +/* + * The function cipher_test_throughput_array() tests the effect of CPU + * cache thrash on cipher throughput. + * + * cipher_array_alloc_init(ctype, array, num_ciphers) creates an array + * of srtp_cipher_t of type ctype + */ + +srtp_err_status_t cipher_array_alloc_init(srtp_cipher_t ***ca, + int num_ciphers, + srtp_cipher_type_t *ctype, + int klen) +{ + int i, j; + srtp_err_status_t status; + uint8_t *key; + srtp_cipher_t **cipher_array; + /* pad klen allocation, to handle aes_icm reading 16 bytes for the + 14-byte salt */ + int klen_pad = ((klen + 15) >> 4) << 4; + + /* allocate array of pointers to ciphers */ + cipher_array = (srtp_cipher_t **)srtp_crypto_alloc(sizeof(srtp_cipher_t *) * + num_ciphers); + if (cipher_array == NULL) + return srtp_err_status_alloc_fail; + + /* set ca to location of cipher_array */ + *ca = cipher_array; + + /* allocate key */ + key = srtp_crypto_alloc(klen_pad); + if (key == NULL) { + srtp_crypto_free(cipher_array); + return srtp_err_status_alloc_fail; + } + + /* allocate and initialize an array of ciphers */ + for (i = 0; i < num_ciphers; i++) { + /* allocate cipher */ + status = srtp_cipher_type_alloc(ctype, cipher_array, klen, 16); + if (status) + return status; + + /* generate random key and initialize cipher */ + for (j = 0; j < klen; j++) + key[j] = (uint8_t)rand(); + for (; j < klen_pad; j++) + key[j] = 0; + status = srtp_cipher_init(*cipher_array, key); + if (status) + return status; + + /* printf("%dth cipher is at %p\n", i, *cipher_array); */ + /* printf("%dth cipher description: %s\n", i, */ + /* (*cipher_array)->type->description); */ + + /* advance cipher array pointer */ + cipher_array++; + } + + srtp_crypto_free(key); + + return srtp_err_status_ok; +} + +srtp_err_status_t cipher_array_delete(srtp_cipher_t *cipher_array[], + int num_cipher) +{ + int i; + + for (i = 0; i < num_cipher; i++) { + srtp_cipher_dealloc(cipher_array[i]); + } + + srtp_crypto_free(cipher_array); + + return srtp_err_status_ok; +} + +/* + * cipher_array_bits_per_second(c, l, t) computes (an estimate of) the + * number of bits that a cipher implementation can encrypt in a second + * when distinct keys are used to encrypt distinct messages + * + * c is a cipher (which MUST be allocated an initialized already), l + * is the length in octets of the test data to be encrypted, and t is + * the number of trials + * + * if an error is encountered, the value 0 is returned + */ + +uint64_t cipher_array_bits_per_second(srtp_cipher_t *cipher_array[], + int num_cipher, + unsigned octets_in_buffer, + int num_trials) +{ + int i; + v128_t nonce; + clock_t timer; + unsigned char *enc_buf; + int cipher_index = rand() % num_cipher; + + /* Over-alloc, for NIST CBC padding */ + enc_buf = srtp_crypto_alloc(octets_in_buffer + 17); + if (enc_buf == NULL) + return 0; /* indicate bad parameters by returning null */ + + /* time repeated trials */ + v128_set_to_zero(&nonce); + timer = clock(); + for (i = 0; i < num_trials; i++, nonce.v32[3] = i) { + /* length parameter to srtp_cipher_encrypt is in/out -- out is total, + * padded + * length -- so reset it each time. */ + unsigned octets_to_encrypt = octets_in_buffer; + + /* encrypt buffer with cipher */ + srtp_cipher_set_iv(cipher_array[cipher_index], (uint8_t *)&nonce, + srtp_direction_encrypt); + srtp_cipher_encrypt(cipher_array[cipher_index], enc_buf, + &octets_to_encrypt); + + /* choose a cipher at random from the array*/ + cipher_index = (*((uint32_t *)enc_buf)) % num_cipher; + } + timer = clock() - timer; + + srtp_crypto_free(enc_buf); + + if (timer == 0) { + /* Too fast! */ + return 0; + } + + return (uint64_t)CLOCKS_PER_SEC * num_trials * 8 * octets_in_buffer / timer; +} + +void cipher_array_test_throughput(srtp_cipher_t *ca[], int num_cipher) +{ + int i; + int min_enc_len = 16; + int max_enc_len = 2048; /* should be a power of two */ + int num_trials = 1000000; + + printf("timing %s throughput with key length %d, array size %d:\n", + (ca[0])->type->description, (ca[0])->key_len, num_cipher); + fflush(stdout); + for (i = min_enc_len; i <= max_enc_len; i = i * 4) + printf("msg len: %d\tgigabits per second: %f\n", i, + cipher_array_bits_per_second(ca, num_cipher, i, num_trials) / + 1e9); +} + +srtp_err_status_t cipher_driver_test_array_throughput(srtp_cipher_type_t *ct, + int klen, + int num_cipher) +{ + srtp_cipher_t **ca = NULL; + srtp_err_status_t status; + + status = cipher_array_alloc_init(&ca, num_cipher, ct, klen); + if (status) { + printf("error: cipher_array_alloc_init() failed with error code %d\n", + status); + return status; + } + + cipher_array_test_throughput(ca, num_cipher); + + cipher_array_delete(ca, num_cipher); + + return srtp_err_status_ok; +} diff --git a/netwerk/srtp/src/crypto/test/datatypes_driver.c b/netwerk/srtp/src/crypto/test/datatypes_driver.c new file mode 100644 index 0000000000..96379befe1 --- /dev/null +++ b/netwerk/srtp/src/crypto/test/datatypes_driver.c @@ -0,0 +1,256 @@ +/* + * datatypes_driver.c + * + * a test driver for crypto/math datatypes + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> /* for printf() */ +#include <string.h> /* for strlen() */ +#include "datatypes.h" +#include "util.h" + +void byte_order(void); + +void test_hex_string_funcs(void); + +void print_string(char *s); + +void test_bswap(void); + +void test_set_to_zero(void); + +int main(void) +{ + /* + * this program includes various and sundry tests for fundamental + * datatypes. it's a grab-bag of throwaway code, retained only in + * case of future problems + */ + + int i, j; + v128_t x; + char *r = "The Moving Finger writes; and, having writ,\n" + "Moves on: nor all thy Piety nor Wit\n" + "Shall lure it back to cancel half a Line,\n" + "Nor all thy Tears wash out a Word of it."; + char *s = "incomplet"; + + print_string(r); + print_string(s); + + byte_order(); + test_hex_string_funcs(); + + for (j = 0; j < 128; j++) { + v128_set_to_zero(&x); + /* x.v32[0] = (1 << j); */ + v128_set_bit(&x, j); + printf("%s\n", v128_bit_string(&x)); + v128_clear_bit(&x, j); + printf("%s\n", v128_bit_string(&x)); + } + + printf("----------------------------------------------\n"); + v128_set_to_zero(&x); + for (i = 0; i < 128; i++) { + v128_set_bit(&x, i); + } + printf("%s\n", v128_bit_string(&x)); + + printf("----------------------------------------------\n"); + v128_set_to_zero(&x); + v128_set_bit(&x, 0); + for (i = 0; i < 128; i++) { + printf("%s\n", v128_bit_string(&x)); + v128_right_shift(&x, 1); + } + printf("----------------------------------------------\n"); + v128_set_to_zero(&x); + v128_set_bit(&x, 127); + for (i = 0; i < 128; i++) { + printf("%s\n", v128_bit_string(&x)); + v128_left_shift(&x, 1); + } + printf("----------------------------------------------\n"); + for (i = 0; i < 128; i++) { + v128_set_to_zero(&x); + v128_set_bit(&x, 127); + v128_left_shift(&x, i); + printf("%s\n", v128_bit_string(&x)); + } + printf("----------------------------------------------\n"); + v128_set_to_zero(&x); + for (i = 0; i < 128; i += 2) { + v128_set_bit(&x, i); + } + printf("bit_string: { %s }\n", v128_bit_string(&x)); + printf("get_bit: { "); + for (i = 0; i < 128; i++) { + if (v128_get_bit(&x, i) == 1) + printf("1"); + else + printf("0"); + } + printf(" } \n"); + + test_bswap(); + test_set_to_zero(); + + return 0; +} + +/* byte_order() prints out byte ordering of datatypes */ + +void byte_order(void) +{ + int i; + v128_t e; +#if 0 + v16_t b; + v32_t c; + v64_t d; + + for (i=0; i < sizeof(b); i++) + b.octet[i] = i; + for (i=0; i < sizeof(c); i++) + c.octet[i] = i; + for (i=0; i < sizeof(d); i++) + d.octet[i] = i; + + printf("v128_t:\t%s\n", v128_hex_string(&e)); + printf("v64_t:\t%s\n", v64_hex_string(&d)); + printf("v32_t:\t%s\n", v32_hex_string(c)); + printf("v16_t:\t%s\n", v16_hex_string(b)); + + c.value = 0x01020304; + printf("v32_t:\t%s\n", v32_hex_string(c)); + b.value = 0x0102; + printf("v16_t:\t%s\n", v16_hex_string(b)); + + printf("uint16_t ordering:\n"); + + c.value = 0x00010002; + printf("v32_t:\t%x%x\n", c.v16[0], c.v16[1]); +#endif + + printf("byte ordering of crypto/math datatypes:\n"); + for (i = 0; i < sizeof(e); i++) + e.v8[i] = i; + printf("v128_t: %s\n", v128_hex_string(&e)); +} + +void test_hex_string_funcs(void) +{ + char hex1[] = "abadcafe"; + char hex2[] = "0123456789abcdefqqqqq"; + char raw[10]; + int len; + + len = hex_string_to_octet_string(raw, hex1, strlen(hex1)); + printf("computed length: %d\tstring: %s\n", len, + octet_string_hex_string(raw, len / 2)); + printf("expected length: %u\tstring: %s\n", (unsigned)strlen(hex1), hex1); + + len = hex_string_to_octet_string(raw, hex2, strlen(hex2)); + printf("computed length: %d\tstring: %s\n", len, + octet_string_hex_string(raw, len / 2)); + printf("expected length: %d\tstring: %s\n", 16, "0123456789abcdef"); +} + +void print_string(char *s) +{ + size_t i; + printf("%s\n", s); + printf("strlen(s) = %u\n", (unsigned)strlen(s)); + printf("{ "); + for (i = 0; i < strlen(s); i++) { + printf("0x%x, ", s[i]); + if (((i + 1) % 8) == 0) + printf("\n "); + } + printf("}\n"); +} + +void test_bswap(void) +{ + uint32_t x = 0x11223344; + uint64_t y = 0x1122334455667788LL; + + printf("before: %0x\nafter: %0x\n", x, (unsigned int)be32_to_cpu(x)); + printf("before: %0llx\nafter: %0llx\n", (unsigned long long)y, + (unsigned long long)be64_to_cpu(y)); + + y = 1234; + + printf("1234: %0llx\n", (unsigned long long)y); + printf("as octet string: %s\n", octet_string_hex_string((uint8_t *)&y, 8)); + y = be64_to_cpu(y); + printf("bswapped octet string: %s\n", + octet_string_hex_string((uint8_t *)&y, 8)); +} + +void test_set_to_zero(void) +{ +#define BUFFER_SIZE (16) + uint8_t buffer[BUFFER_SIZE]; + size_t i; + + for (i = 0; i < BUFFER_SIZE; i++) { + buffer[i] = i & 0xff; + } + printf("Buffer before: %s\n", octet_string_hex_string(buffer, BUFFER_SIZE)); + octet_string_set_to_zero(buffer, BUFFER_SIZE); + printf("Buffer after: %s\n", octet_string_hex_string(buffer, BUFFER_SIZE)); + for (i = 0; i < BUFFER_SIZE; i++) { + if (buffer[i]) { + fprintf(stderr, + "Buffer contents not zero at position %zu (is %d)\n", i, + buffer[i]); + abort(); + } + } +#undef BUFFER_SIZE +} diff --git a/netwerk/srtp/src/crypto/test/env.c b/netwerk/srtp/src/crypto/test/env.c new file mode 100644 index 0000000000..8c3f4edfac --- /dev/null +++ b/netwerk/srtp/src/crypto/test/env.c @@ -0,0 +1,89 @@ +/* + * env.c + * + * prints out a brief report on the build environment + * + * David McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include <stdio.h> +#include <string.h> /* for srtcmp() */ +#include "config.h" + +int main(void) +{ + int err_count = 0; + +#ifdef WORDS_BIGENDIAN + printf("CPU set to big-endian\t\t\t(WORDS_BIGENDIAN == 1)\n"); +#else + printf("CPU set to little-endian\t\t(WORDS_BIGENDIAN == 0)\n"); +#endif + +#ifdef CPU_RISC + printf("CPU set to RISC\t\t\t\t(CPU_RISC == 1)\n"); +#elif defined(CPU_CISC) + printf("CPU set to CISC\t\t\t\t(CPU_CISC == 1)\n"); +#else + printf( + "CPU set to an unknown type, probably due to a configuration error\n"); + err_count++; +#endif + +#ifdef CPU_ALTIVEC + printf("CPU set to ALTIVEC\t\t\t\t(CPU_ALTIVEC == 0)\n"); +#endif + +#ifndef NO_64BIT_MATH + printf("using native 64-bit type\t\t(NO_64_BIT_MATH == 0)\n"); +#else + printf("using built-in 64-bit math\t\t(NO_64_BIT_MATH == 1)\n"); +#endif + +#ifdef ERR_REPORTING_STDOUT + printf("using stdout for error reporting\t(ERR_REPORTING_STDOUT == 1)\n"); +#endif + + if (err_count) + printf("warning: configuration is probably in error " + "(found %d problems)\n", + err_count); + + return err_count; +} diff --git a/netwerk/srtp/src/crypto/test/kernel_driver.c b/netwerk/srtp/src/crypto/test/kernel_driver.c new file mode 100644 index 0000000000..d29405a971 --- /dev/null +++ b/netwerk/srtp/src/crypto/test/kernel_driver.c @@ -0,0 +1,127 @@ +/* + * kernel_driver.c + * + * a test driver for the crypto_kernel + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright(c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> /* for printf() */ +#include "getopt_s.h" +#include "crypto_kernel.h" + +void usage(char *prog_name) +{ + printf("usage: %s [ -v ][ -d debug_module ]*\n", prog_name); + exit(255); +} + +int main(int argc, char *argv[]) +{ + int q; + int do_validation = 0; + srtp_err_status_t status; + + if (argc == 1) + usage(argv[0]); + + /* initialize kernel - we need to do this before anything else */ + status = srtp_crypto_kernel_init(); + if (status) { + printf("error: srtp_crypto_kernel init failed\n"); + exit(1); + } + printf("srtp_crypto_kernel successfully initalized\n"); + + /* process input arguments */ + while (1) { + q = getopt_s(argc, argv, "vd:"); + if (q == -1) + break; + switch (q) { + case 'v': + do_validation = 1; + break; + case 'd': + status = srtp_crypto_kernel_set_debug_module(optarg_s, 1); + if (status) { + printf("error: set debug module (%s) failed\n", optarg_s); + exit(1); + } + break; + default: + usage(argv[0]); + } + } + + if (do_validation) { + printf("checking srtp_crypto_kernel status...\n"); + status = srtp_crypto_kernel_status(); + if (status) { + printf("failed\n"); + exit(1); + } + printf("srtp_crypto_kernel passed self-tests\n"); + } + + status = srtp_crypto_kernel_shutdown(); + if (status) { + printf("error: srtp_crypto_kernel shutdown failed\n"); + exit(1); + } + printf("srtp_crypto_kernel successfully shut down\n"); + + return 0; +} + +/* + * crypto_kernel_cipher_test() is a test of the cipher interface + * of the crypto_kernel + */ + +srtp_err_status_t crypto_kernel_cipher_test(void) +{ + /* not implemented yet! */ + + return srtp_err_status_ok; +} diff --git a/netwerk/srtp/src/crypto/test/sha1_driver.c b/netwerk/srtp/src/crypto/test/sha1_driver.c new file mode 100644 index 0000000000..c64b000f81 --- /dev/null +++ b/netwerk/srtp/src/crypto/test/sha1_driver.c @@ -0,0 +1,387 @@ +/* + * sha1_driver.c + * + * a test driver for SHA-1 + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <string.h> +#include "sha1.h" +#include "util.h" + +#define SHA_PASS 0 +#define SHA_FAIL 1 + +#define MAX_HASH_DATA_LEN 1024 +#define MAX_HASH_OUT_LEN 20 + +typedef struct hash_test_case_t { + unsigned data_len; /* number of octets in data */ + unsigned hash_len; /* number of octets output by hash */ + uint8_t data[MAX_HASH_DATA_LEN]; /* message data */ + uint8_t hash[MAX_HASH_OUT_LEN]; /* expected hash output */ + struct hash_test_case_t *next_test_case; +} hash_test_case_t; + +hash_test_case_t *sha1_test_case_list; + +srtp_err_status_t hash_test_case_add(hash_test_case_t **list_ptr, + char *hex_data, + unsigned data_len, + char *hex_hash, + unsigned hash_len) +{ + hash_test_case_t *list_head = *list_ptr; + hash_test_case_t *test_case; + unsigned tmp_len; + + test_case = malloc(sizeof(hash_test_case_t)); + if (test_case == NULL) + return srtp_err_status_alloc_fail; + + tmp_len = hex_string_to_octet_string((char *)test_case->data, hex_data, + data_len * 2); + if (tmp_len != data_len * 2) { + free(test_case); + return srtp_err_status_parse_err; + } + + tmp_len = hex_string_to_octet_string((char *)test_case->hash, hex_hash, + hash_len * 2); + if (tmp_len != hash_len * 2) { + free(test_case); + return srtp_err_status_parse_err; + } + + test_case->data_len = data_len; + test_case->hash_len = hash_len; + + /* add the new test case to the head of the list */ + test_case->next_test_case = list_head; + *list_ptr = test_case; + + return srtp_err_status_ok; +} + +srtp_err_status_t sha1_test_case_validate(const hash_test_case_t *test_case) +{ + srtp_sha1_ctx_t ctx; + uint32_t hash_value[5]; + + if (test_case == NULL) + return srtp_err_status_bad_param; + + if (test_case->hash_len != 20) + return srtp_err_status_bad_param; + if (test_case->data_len > MAX_HASH_DATA_LEN) + return srtp_err_status_bad_param; + + srtp_sha1_init(&ctx); + srtp_sha1_update(&ctx, test_case->data, test_case->data_len); + srtp_sha1_final(&ctx, hash_value); + if (0 == memcmp(test_case->hash, hash_value, 20)) { +#if VERBOSE + printf("PASSED: reference value: %s\n", + octet_string_hex_string((const uint8_t *)test_case->hash, 20)); + printf("PASSED: computed value: %s\n", + octet_string_hex_string((const uint8_t *)hash_value, 20)); +#endif + return srtp_err_status_ok; + } + + printf("reference value: %s\n", + octet_string_hex_string((const uint8_t *)test_case->hash, 20)); + printf("computed value: %s\n", + octet_string_hex_string((const uint8_t *)hash_value, 20)); + + return srtp_err_status_algo_fail; +} + +struct hex_sha1_test_case_t { + unsigned bit_len; + char hex_data[MAX_HASH_DATA_LEN * 2]; + char hex_hash[40]; +}; + +srtp_err_status_t sha1_add_test_cases(void) +{ + int i; + srtp_err_status_t err; + + /* + * these test cases are taken from the "SHA-1 Sample Vectors" + * provided by NIST at http://csrc.nist.gov/cryptval/shs.html + */ + + struct hex_sha1_test_case_t tc[] = { + { 0, "", "da39a3ee5e6b4b0d3255bfef95601890afd80709" }, + { 8, "a8", "99f2aa95e36f95c2acb0eaf23998f030638f3f15" }, + { 16, "3000", "f944dcd635f9801f7ac90a407fbc479964dec024" }, + { 24, "42749e", "a444319e9b6cc1e8464c511ec0969c37d6bb2619" }, + { 32, "9fc3fe08", "16a0ff84fcc156fd5d3ca3a744f20a232d172253" }, + { 40, "b5c1c6f1af", "fec9deebfcdedaf66dda525e1be43597a73a1f93" }, + { 48, "e47571e5022e", "8ce051181f0ed5e9d0c498f6bc4caf448d20deb5" }, + { 56, "3e1b28839fb758", "67da53837d89e03bf652ef09c369a3415937cfd3" }, + { 64, "a81350cbb224cb90", "305e4ff9888ad855a78573cddf4c5640cce7e946" }, + { 72, "c243d167923dec3ce1", + "5902b77b3265f023f9bbc396ba1a93fa3509bde7" }, + { 80, "50ac18c59d6a37a29bf4", + "fcade5f5d156bf6f9af97bdfa9c19bccfb4ff6ab" }, + { 88, "98e2b611ad3b1cccf634f6", + "1d20fbe00533c10e3cbd6b27088a5de0c632c4b5" }, + { 96, "73fe9afb68e1e8712e5d4eec", + "7e1b7e0f7a8f3455a9c03e9580fd63ae205a2d93" }, + { 104, "9e701ed7d412a9226a2a130e66", + "706f0677146307b20bb0e8d6311e329966884d13" }, + { 112, "6d3ee90413b0a7cbf69e5e6144ca", + "a7241a703aaf0d53fe142f86bf2e849251fa8dff" }, + { 120, "fae24d56514efcb530fd4802f5e71f", + "400f53546916d33ad01a5e6df66822dfbdc4e9e6" }, + { 128, "c5a22dd6eda3fe2bdc4ddb3ce6b35fd1", + "fac8ab93c1ae6c16f0311872b984f729dc928ccd" }, + { 136, "d98cded2adabf08fda356445c781802d95", + "fba6d750c18da58f6e2aab10112b9a5ef3301b3b" }, + { 144, "bcc6d7087a84f00103ccb32e5f5487a751a2", + "29d27c2d44c205c8107f0351b05753ac708226b6" }, + { 152, "36ecacb1055434190dbbc556c48bafcb0feb0d", + "b971bfc1ebd6f359e8d74cb7ecfe7f898d0ba845" }, + { 160, "5ff9edb69e8f6bbd498eb4537580b7fba7ad31d0", + "96d08c430094b9fcc164ad2fb6f72d0a24268f68" }, + { 168, "c95b441d8270822a46a798fae5defcf7b26abace36", + "a287ea752a593d5209e287881a09c49fa3f0beb1" }, + { 176, "83104c1d8a55b28f906f1b72cb53f68cbb097b44f860", + "a06c713779cbd88519ed4a585ac0cb8a5e9d612b" }, + { 184, "755175528d55c39c56493d697b790f099a5ce741f7754b", + "bff7d52c13a3688132a1d407b1ab40f5b5ace298" }, + { 192, "088fc38128bbdb9fd7d65228b3184b3faac6c8715f07272f", + "c7566b91d7b6f56bdfcaa9781a7b6841aacb17e9" }, + { 200, "a4a586eb9245a6c87e3adf1009ac8a49f46c07e14185016895", + "ffa30c0b5c550ea4b1e34f8a60ec9295a1e06ac1" }, + { 208, "8e7c555270c006092c2a3189e2a526b873e2e269f0fb28245256", + "29e66ed23e914351e872aa761df6e4f1a07f4b81" }, + { 216, "a5f3bfa6bb0ba3b59f6b9cbdef8a558ec565e8aa3121f405e7f2f0", + "b28cf5e5b806a01491d41f69bd9248765c5dc292" }, + { 224, "589054f0d2bd3c2c85b466bfd8ce18e6ec3e0b87d944cd093ba36469", + "60224fb72c46069652cd78bcd08029ef64da62f3" }, + { 232, "a0abb12083b5bbc78128601bf1cbdbc0fdf4b862b24d899953d8da0ff3", + "b72c4a86f72608f24c05f3b9088ef92fba431df7" }, + { 240, "82143f4cea6fadbf998e128a8811dc75301cf1db4f079501ea568da68eeb", + "73779ad5d6b71b9b8328ef7220ff12eb167076ac" }, + { 248, "9f1231dd6df1ff7bc0b0d4f989d048672683ce35d956d2f57913046267e6f3", + "a09671d4452d7cf50015c914a1e31973d20cc1a0" }, + { 256, + "041c512b5eed791f80d3282f3a28df263bb1df95e1239a7650e5670fc2187919", + "e88cdcd233d99184a6fd260b8fca1b7f7687aee0" }, + { 264, + "17e81f6ae8c2e5579d69dafa6e070e7111461552d314b691e7a3e7a4feb3fae418", + "010def22850deb1168d525e8c84c28116cb8a269" }, + { 272, "d15976b23a1d712ad28fad04d805f572026b54dd64961fda94d5355a0cc9862" + "0cf77", + "aeaa40ba1717ed5439b1e6ea901b294ba500f9ad" }, + { 280, "09fce4d434f6bd32a44e04b848ff50ec9f642a8a85b37a264dc73f130f22838" + "443328f", + "c6433791238795e34f080a5f1f1723f065463ca0" }, + { 288, "f17af27d776ec82a257d8d46d2b46b639462c56984cc1be9c1222eadb8b2659" + "4a25c709d", + "e21e22b89c1bb944a32932e6b2a2f20d491982c3" }, + { 296, "b13ce635d6f8758143ffb114f2f601cb20b6276951416a2f94fbf4ad081779d" + "79f4f195b22", + "575323a9661f5d28387964d2ba6ab92c17d05a8a" }, + { 304, "5498793f60916ff1c918dde572cdea76da8629ba4ead6d065de3dfb48de94d2" + "34cc1c5002910", + "feb44494af72f245bfe68e86c4d7986d57c11db7" }, + { 312, "498a1e0b39fa49582ae688cd715c86fbaf8a81b8b11b4d1594c49c902d197c8" + "ba8a621fd6e3be5", + "cff2290b3648ba2831b98dde436a72f9ebf51eee" }, + { 320, "3a36ae71521f9af628b3e34dcb0d4513f84c78ee49f10416a98857150b8b15c" + "b5c83afb4b570376e", + "9b4efe9d27b965905b0c3dab67b8d7c9ebacd56c" }, + { 328, "dcc76b40ae0ea3ba253e92ac50fcde791662c5b6c948538cffc2d95e9de99ca" + "c34dfca38910db2678f", + "afedb0ff156205bcd831cbdbda43db8b0588c113" }, + { 336, "5b5ec6ec4fd3ad9c4906f65c747fd4233c11a1736b6b228b92e90cddabb0c7c" + "2fcf9716d3fad261dff33", + "8deb1e858f88293a5e5e4d521a34b2a4efa70fc4" }, + { 344, "df48a37b29b1d6de4e94717d60cdb4293fcf170bba388bddf7a9035a15d433f" + "20fd697c3e4c8b8c5f590ab", + "95cbdac0f74afa69cebd0e5c7defbc6faf0cbeaf" }, + { 352, "1f179b3b82250a65e1b0aee949e218e2f45c7a8dbfd6ba08de05c55acfc226b" + "48c68d7f7057e5675cd96fcfc", + "f0307bcb92842e5ae0cd4f4f14f3df7f877fbef2" }, + { 360, "ee3d72da3a44d971578972a8e6780ce64941267e0f7d0179b214fa97855e179" + "0e888e09fbe3a70412176cb3b54", + "7b13bb0dbf14964bd63b133ac85e22100542ef55" }, + { 368, "d4d4c7843d312b30f610b3682254c8be96d5f6684503f8fbfbcd15774fc1b08" + "4d3741afb8d24aaa8ab9c104f7258", + "c314d2b6cf439be678d2a74e890d96cfac1c02ed" }, + { 376, "32c094944f5936a190a0877fb9178a7bf60ceae36fd530671c5b38c5dbd5e6a" + "6c0d615c2ac8ad04b213cc589541cf6", + "4d0be361e410b47a9d67d8ce0bb6a8e01c53c078" }, + { 384, "e5d3180c14bf27a5409fa12b104a8fd7e9639609bfde6ee82bbf9648be2546d" + "29688a65e2e3f3da47a45ac14343c9c02", + "e5353431ffae097f675cbf498869f6fbb6e1c9f2" }, + { 392, "e7b6e4b69f724327e41e1188a37f4fe38b1dba19cbf5a7311d6e32f1038e97a" + "b506ee05aebebc1eed09fc0e357109818b9", + "b8720a7068a085c018ab18961de2765aa6cd9ac4" }, + { 400, "bc880cb83b8ac68ef2fedc2da95e7677ce2aa18b0e2d8b322701f67af7d5e7a" + "0d96e9e33326ccb7747cfff0852b961bfd475", + "b0732181568543ba85f2b6da602b4b065d9931aa" }, + { 408, "235ea9c2ba7af25400f2e98a47a291b0bccdaad63faa2475721fda5510cc7da" + "d814bce8dabb611790a6abe56030b798b75c944", + "9c22674cf3222c3ba921672694aafee4ce67b96b" }, + { 416, "07e3e29fed63104b8410f323b975fd9fba53f636af8c4e68a53fb202ca35dd9" + "ee07cb169ec5186292e44c27e5696a967f5e67709", + "d128335f4cecca9066cdae08958ce656ff0b4cfc" }, + { 424, "65d2a1dd60a517eb27bfbf530cf6a5458f9d5f4730058bd9814379547f34241" + "822bf67e6335a6d8b5ed06abf8841884c636a25733f", + "0b67c57ac578de88a2ae055caeaec8bb9b0085a0" }, + { 432, "dcc86b3bd461615bab739d8daafac231c0f462e819ad29f9f14058f3ab5b759" + "41d4241ea2f17ebb8a458831b37a9b16dead4a76a9b0e", + "c766f912a89d4ccda88e0cce6a713ef5f178b596" }, + { 440, "4627d54f0568dc126b62a8c35fb46a9ac5024400f2995e51635636e1afc4373" + "dbb848eb32df23914230560b82477e9c3572647a7f2bb92", + "9aa3925a9dcb177b15ccff9b78e70cf344858779" }, + { 448, "ba531affd4381168ef24d8b275a84d9254c7f5cc55fded53aa8024b2c5c5c8a" + "a7146fe1d1b83d62b70467e9a2e2cb67b3361830adbab28d7", + "4811fa30042fc076acf37c8e2274d025307e5943" }, + { 456, "8764dcbcf89dcf4282eb644e3d568bdccb4b13508bfa7bfe0ffc05efd1390be" + "22109969262992d377691eb4f77f3d59ea8466a74abf57b2ef4", + "6743018450c9730761ee2b130df9b91c1e118150" }, + { 464, "497d9df9ddb554f3d17870b1a31986c1be277bc44feff713544217a9f579623" + "d18b5ffae306c25a45521d2759a72c0459b58957255ab592f3be4", + "71ad4a19d37d92a5e6ef3694ddbeb5aa61ada645" }, + { 472, "72c3c2e065aefa8d9f7a65229e818176eef05da83f835107ba90ec2e95472e7" + "3e538f783b416c04654ba8909f26a12db6e5c4e376b7615e4a25819", + "a7d9dc68dacefb7d6116186048cb355cc548e11d" }, + { 480, "7cc9894454d0055ab5069a33984e2f712bef7e3124960d33559f5f3b81906bb" + "66fe64da13c153ca7f5cabc89667314c32c01036d12ecaf5f9a78de98", + "142e429f0522ba5abf5131fa81df82d355b96909" }, + { 488, "74e8404d5a453c5f4d306f2cfa338ca65501c840ddab3fb82117933483afd69" + "13c56aaf8a0a0a6b2a342fc3d9dc7599f4a850dfa15d06c61966d74ea59", + "ef72db70dcbcab991e9637976c6faf00d22caae9" }, + { 496, "46fe5ed326c8fe376fcc92dc9e2714e2240d3253b105adfbb256ff7a19bc409" + "75c604ad7c0071c4fd78a7cb64786e1bece548fa4833c04065fe593f6fb10", + "f220a7457f4588d639dc21407c942e9843f8e26b" }, + { 504, "836dfa2524d621cf07c3d2908835de859e549d35030433c796b81272fd8bc03" + "48e8ddbc7705a5ad1fdf2155b6bc48884ac0cd376925f069a37849c089c864" + "5", + "ddd2117b6e309c233ede85f962a0c2fc215e5c69" }, + { 512, "7e3a4c325cb9c52b88387f93d01ae86d42098f5efa7f9457388b5e74b6d28b2" + "438d42d8b64703324d4aa25ab6aad153ae30cd2b2af4d5e5c00a8a2d0220c61" + "16", + "a3054427cdb13f164a610b348702724c808a0dcc" } + }; + + for (i = 0; i < 65; i++) { + err = hash_test_case_add(&sha1_test_case_list, tc[i].hex_data, + tc[i].bit_len / 8, tc[i].hex_hash, 20); + if (err) { + printf("error adding hash test case (code %d)\n", err); + return err; + } + } + + return srtp_err_status_ok; +} + +srtp_err_status_t sha1_dealloc_test_cases(void) +{ + hash_test_case_t *t, *next; + + for (t = sha1_test_case_list; t != NULL; t = next) { + next = t->next_test_case; + free(t); + } + + sha1_test_case_list = NULL; + + return srtp_err_status_ok; +} + +srtp_err_status_t sha1_validate(void) +{ + hash_test_case_t *test_case; + srtp_err_status_t err; + + err = sha1_add_test_cases(); + if (err) { + printf("error adding SHA1 test cases (error code %d)\n", err); + return err; + } + + if (sha1_test_case_list == NULL) + return srtp_err_status_cant_check; + + test_case = sha1_test_case_list; + while (test_case != NULL) { + err = sha1_test_case_validate(test_case); + if (err) { + printf("error validating hash test case (error code %d)\n", err); + return err; + } + test_case = test_case->next_test_case; + } + + sha1_dealloc_test_cases(); + + return srtp_err_status_ok; +} + +int main(void) +{ + srtp_err_status_t err; + + printf("sha1 test driver\n"); + + err = sha1_validate(); + if (err) { + printf("SHA1 did not pass validation testing\n"); + return 1; + } + printf("SHA1 passed validation tests\n"); + + return 0; +} diff --git a/netwerk/srtp/src/crypto/test/stat_driver.c b/netwerk/srtp/src/crypto/test/stat_driver.c new file mode 100644 index 0000000000..7f835855ce --- /dev/null +++ b/netwerk/srtp/src/crypto/test/stat_driver.c @@ -0,0 +1,258 @@ +/* + * stat-driver.c + * + * test driver for the stat_test functions + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> /* for printf() */ + +#include "err.h" +#include "stat.h" +#include "srtp.h" + +#include "cipher.h" + +typedef struct { + void *state; +} random_source_t; + +srtp_err_status_t random_source_alloc(void); + +void err_check(srtp_err_status_t s) +{ + if (s) { + printf("error (code %d)\n", s); + exit(1); + } +} + +int main(int argc, char *argv[]) +{ + uint8_t buffer[2532]; + unsigned int buf_len = 2500; + int i, j; + extern srtp_cipher_type_t srtp_aes_icm_128; + extern srtp_cipher_type_t srtp_aes_icm_256; +#ifdef GCM + extern srtp_cipher_type_t srtp_aes_gcm_128; + extern srtp_cipher_type_t srtp_aes_gcm_256; +#endif + srtp_cipher_t *c; + /* clang-format off */ + uint8_t key[46] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 + }; + /* clang-format on */ + v128_t nonce; + int num_trials = 500; + int num_fail; + + printf("statistical tests driver\n"); + + v128_set_to_zero(&nonce); + for (i = 0; i < 2500; i++) + buffer[i] = 0; + + /* run tests */ + printf("running stat_tests on all-null buffer, expecting failure\n"); + printf("monobit %d\n", stat_test_monobit(buffer)); + printf("poker %d\n", stat_test_poker(buffer)); + printf("runs %d\n", stat_test_runs(buffer)); + + for (i = 0; i < 2500; i++) + buffer[i] = rand(); + printf("running stat_tests on rand(), expecting success\n"); + printf("monobit %d\n", stat_test_monobit(buffer)); + printf("poker %d\n", stat_test_poker(buffer)); + printf("runs %d\n", stat_test_runs(buffer)); + + printf("running stat_tests on AES-128-ICM, expecting success\n"); + /* set buffer to cipher output */ + for (i = 0; i < 2500; i++) + buffer[i] = 0; + err_check(srtp_cipher_type_alloc(&srtp_aes_icm_128, &c, + SRTP_AES_ICM_128_KEY_LEN_WSALT, 0)); + err_check(srtp_cipher_init(c, key)); + err_check(srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt)); + err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); + /* run tests on cipher outout */ + printf("monobit %d\n", stat_test_monobit(buffer)); + printf("poker %d\n", stat_test_poker(buffer)); + printf("runs %d\n", stat_test_runs(buffer)); + + printf("runs test (please be patient): "); + fflush(stdout); + num_fail = 0; + v128_set_to_zero(&nonce); + for (j = 0; j < num_trials; j++) { + for (i = 0; i < 2500; i++) + buffer[i] = 0; + nonce.v32[3] = i; + err_check( + srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt)); + err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); + if (stat_test_runs(buffer)) { + num_fail++; + } + } + + printf("%d failures in %d tests\n", num_fail, num_trials); + printf("(nota bene: a small fraction of stat_test failures does not \n" + "indicate that the random source is invalid)\n"); + + err_check(srtp_cipher_dealloc(c)); + + printf("running stat_tests on AES-256-ICM, expecting success\n"); + /* set buffer to cipher output */ + for (i = 0; i < 2500; i++) + buffer[i] = 0; + err_check(srtp_cipher_type_alloc(&srtp_aes_icm_256, &c, + SRTP_AES_ICM_256_KEY_LEN_WSALT, 0)); + err_check(srtp_cipher_init(c, key)); + err_check(srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt)); + err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); + /* run tests on cipher outout */ + printf("monobit %d\n", stat_test_monobit(buffer)); + printf("poker %d\n", stat_test_poker(buffer)); + printf("runs %d\n", stat_test_runs(buffer)); + + printf("runs test (please be patient): "); + fflush(stdout); + num_fail = 0; + v128_set_to_zero(&nonce); + for (j = 0; j < num_trials; j++) { + for (i = 0; i < 2500; i++) + buffer[i] = 0; + nonce.v32[3] = i; + err_check( + srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt)); + err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); + if (stat_test_runs(buffer)) { + num_fail++; + } + } + +#ifdef GCM + { + printf("running stat_tests on AES-128-GCM, expecting success\n"); + /* set buffer to cipher output */ + for (i = 0; i < 2500; i++) { + buffer[i] = 0; + } + err_check(srtp_cipher_type_alloc(&srtp_aes_gcm_128, &c, + SRTP_AES_GCM_128_KEY_LEN_WSALT, 8)); + err_check(srtp_cipher_init(c, key)); + err_check( + srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt)); + err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); + /* run tests on cipher outout */ + printf("monobit %d\n", stat_test_monobit(buffer)); + printf("poker %d\n", stat_test_poker(buffer)); + printf("runs %d\n", stat_test_runs(buffer)); + fflush(stdout); + num_fail = 0; + v128_set_to_zero(&nonce); + for (j = 0; j < num_trials; j++) { + for (i = 0; i < 2500; i++) { + buffer[i] = 0; + } + nonce.v32[3] = i; + err_check(srtp_cipher_set_iv(c, (uint8_t *)&nonce, + srtp_direction_encrypt)); + err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); + buf_len = 2500; + if (stat_test_runs(buffer)) { + num_fail++; + } + } + + printf("running stat_tests on AES-256-GCM, expecting success\n"); + /* set buffer to cipher output */ + for (i = 0; i < 2500; i++) { + buffer[i] = 0; + } + err_check(srtp_cipher_type_alloc(&srtp_aes_gcm_256, &c, + SRTP_AES_GCM_256_KEY_LEN_WSALT, 16)); + err_check(srtp_cipher_init(c, key)); + err_check( + srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt)); + err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); + /* run tests on cipher outout */ + printf("monobit %d\n", stat_test_monobit(buffer)); + printf("poker %d\n", stat_test_poker(buffer)); + printf("runs %d\n", stat_test_runs(buffer)); + fflush(stdout); + num_fail = 0; + v128_set_to_zero(&nonce); + for (j = 0; j < num_trials; j++) { + for (i = 0; i < 2500; i++) { + buffer[i] = 0; + } + nonce.v32[3] = i; + err_check(srtp_cipher_set_iv(c, (uint8_t *)&nonce, + srtp_direction_encrypt)); + err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); + buf_len = 2500; + if (stat_test_runs(buffer)) { + num_fail++; + } + } + } +#endif + + printf("%d failures in %d tests\n", num_fail, num_trials); + printf("(nota bene: a small fraction of stat_test failures does not \n" + "indicate that the random source is invalid)\n"); + + err_check(srtp_cipher_dealloc(c)); + + return 0; +} diff --git a/netwerk/srtp/src/include/config.h b/netwerk/srtp/src/include/config.h new file mode 100644 index 0000000000..75e05e897f --- /dev/null +++ b/netwerk/srtp/src/include/config.h @@ -0,0 +1,6 @@ +/* + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ +/* empty file; config done via Makefile.in & configure.in */ diff --git a/netwerk/srtp/src/include/ekt.h b/netwerk/srtp/src/include/ekt.h new file mode 100644 index 0000000000..a289a53dab --- /dev/null +++ b/netwerk/srtp/src/include/ekt.h @@ -0,0 +1,181 @@ +/* + * ekt.h + * + * interface to Encrypted Key Transport for SRTP + * + * David McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +/* + * EKT implementation strategy + * + * use stream_template approach + * + * in srtp_unprotect, when a new stream appears, check if template has + * EKT defined, and if it does, then apply EKT processing + * + * question: will we want to allow key-sharing templates in addition + * to EKT templates? could define a new ssrc_type_t that's associated + * with an EKT, e.g. ssrc_any_ekt. + * + * + */ + +#ifndef SRTP_EKT_H +#define SRTP_EKT_H + +// left in commented out as reminder to not include private headers +//#include "srtp_priv.h" + +#ifdef __cplusplus +extern "C" { +#endif + +#define SRTP_EKT_CIPHER_DEFAULT 1 +#define SRTP_EKT_CIPHER_AES_128_ECB 1 +#define SRTP_EKT_CIPHER_AES_192_KEY_WRAP 2 +#define SRTP_EKT_CIPHER_AES_256_KEY_WRAP 3 + +typedef uint16_t srtp_ekt_spi_t; + +unsigned srtp_ekt_octets_after_base_tag(srtp_ekt_stream_t ekt); + +/* + * an srtp_policy_t structure can contain a pointer to an + * srtp_ekt_policy_t structure + * + * this structure holds all of the high level EKT information, and it + * is passed into libsrtp to indicate what policy should be in effect + */ + +typedef struct srtp_ekt_policy_ctx_t { + srtp_ekt_spi_t spi; /* security parameter index */ + uint8_t ekt_cipher_type; + uint8_t *ekt_key; + struct srtp_ekt_policy_ctx_t *next_ekt_policy; +} srtp_ekt_policy_ctx_t; + +/* + * an srtp_ekt_data_t structure holds the data corresponding to an ekt key, + * spi, and so on + */ + +typedef struct srtp_ekt_data_t { + srtp_ekt_spi_t spi; + uint8_t ekt_cipher_type; + srtp_aes_expanded_key_t ekt_enc_key; + srtp_aes_expanded_key_t ekt_dec_key; + struct ekt_data_t *next_ekt_data; +} srtp_ekt_data_t; + +/* + * an srtp_stream_ctx_t can contain an srtp_ekt_stream_ctx_t + * + * an srtp_ekt_stream_ctx_t structure holds all of the EKT information for + * a specific SRTP stream + */ + +typedef struct srtp_ekt_stream_ctx_t { + srtp_ekt_data_t *data; + uint16_t isn; /* initial sequence number */ + uint8_t encrypted_master_key[SRTP_MAX_KEY_LEN]; +} srtp_ekt_stream_ctx_t; + +srtp_err_status_t srtp_ekt_alloc(srtp_ekt_stream_t *stream_data, + srtp_ekt_policy_t policy); + +srtp_err_status_t srtp_ekt_stream_init(srtp_ekt_stream_t e, + srtp_ekt_spi_t spi, + void *ekt_key, + unsigned ekt_cipher_type); + +srtp_err_status_t srtp_ekt_stream_init_from_policy(srtp_ekt_stream_t e, + srtp_ekt_policy_t p); + +srtp_err_status_t srtp_stream_init_from_ekt(srtp_stream_t stream, + const void *srtcp_hdr, + unsigned pkt_octet_len); + +void srtp_ekt_write_data(srtp_ekt_stream_t ekt, + uint8_t *base_tag, + unsigned base_tag_len, + int *packet_len, + srtp_xtd_seq_num_t pkt_index); + +/* + * We handle EKT by performing some additional steps before + * authentication (copying the auth tag into a temporary location, + * zeroizing the "base tag" field in the packet) + * + * With EKT, the tag_len parameter is actually the base tag + * length + */ +srtp_err_status_t srtp_ekt_tag_verification_preproces(uint8_t *pkt_tag, + uint8_t *pkt_tag_copy, + unsigned tag_len); + +srtp_err_status_t srtp_ekt_tag_verification_postproces(uint8_t *pkt_tag, + uint8_t *pkt_tag_copy, + unsigned tag_len); + +/* + * @brief EKT pre-processing for srtcp tag generation + * + * This function does the pre-processing of the SRTCP authentication + * tag format. When EKT is used, it consists of writing the Encrypted + * Master Key, the SRTP ROC, the Initial Sequence Number, and SPI + * fields. The Base Authentication Tag field is set to the all-zero + * value + * + * When EKT is not used, this function is a no-op. + * + */ +srtp_err_status_t srtp_stream_srtcp_auth_tag_generation_preprocess( + const srtp_stream_t *s, + uint8_t *pkt_tag, + unsigned pkt_octet_len); + +/* it's not clear that a tag_generation_postprocess function is needed */ +srtp_err_status_t srtcp_auth_tag_generation_postprocess(void); + +#ifdef __cplusplus +} +#endif + +#endif /* SRTP_EKT_H */ diff --git a/netwerk/srtp/src/include/getopt_s.h b/netwerk/srtp/src/include/getopt_s.h new file mode 100644 index 0000000000..53fb25ba71 --- /dev/null +++ b/netwerk/srtp/src/include/getopt_s.h @@ -0,0 +1,67 @@ +/* + * getopt.h + * + * interface to a minimal implementation of the getopt() function, + * written so that test applications that use that function can run on + * non-POSIX platforms + * + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef GETOPT_S_H +#define GETOPT_S_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * getopt_s(), optarg_s, and optind_s are small, locally defined + * versions of the POSIX standard getopt() interface. + */ + +int getopt_s(int argc, char *const argv[], const char *optstring); + +extern char *optarg_s; /* defined in getopt.c */ + +extern int optind_s; /* defined in getopt.c */ + +#ifdef __cplusplus +} +#endif + +#endif /* GETOPT_S_H */ diff --git a/netwerk/srtp/src/include/srtp.h b/netwerk/srtp/src/include/srtp.h new file mode 100644 index 0000000000..1fdd6c3aff --- /dev/null +++ b/netwerk/srtp/src/include/srtp.h @@ -0,0 +1,1759 @@ +/* + * srtp.h + * + * interface to libsrtp + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef SRTP_SRTP_H +#define SRTP_SRTP_H + +#include <stdint.h> + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * @defgroup SRTP Secure RTP + * + * @brief libSRTP provides functions for protecting RTP and RTCP. See + * Section @ref Overview for an introduction to the use of the library. + * + * @{ + */ + +/* + * SRTP_MASTER_KEY_LEN is the nominal master key length supported by libSRTP + */ + +#define SRTP_MASTER_KEY_LEN 30 + +/* + * SRTP_MAX_KEY_LEN is the maximum key length supported by libSRTP + */ +#define SRTP_MAX_KEY_LEN 64 + +/* + * SRTP_MAX_TAG_LEN is the maximum tag length supported by libSRTP + */ + +#define SRTP_MAX_TAG_LEN 16 + +/** + * SRTP_MAX_MKI_LEN is the maximum size the MKI could be which is + * 128 bytes + */ +#define SRTP_MAX_MKI_LEN 128 + +/** + * SRTP_MAX_TRAILER_LEN is the maximum length of the SRTP trailer + * (authentication tag and MKI) supported by libSRTP. This value is + * the maixmum number of octets that will be added to an RTP packet by + * srtp_protect(). + * + * @brief the maximum number of octets added by srtp_protect(). + */ +#define SRTP_MAX_TRAILER_LEN (SRTP_MAX_TAG_LEN + SRTP_MAX_MKI_LEN) + +/** + * SRTP_MAX_NUM_MASTER_KEYS is the maximum number of Master keys for + * MKI supported by libSRTP. + * + */ +#define SRTP_MAX_NUM_MASTER_KEYS 16 + +#define SRTP_SALT_LEN 14 + +/* + * SRTP_AEAD_SALT_LEN is the length of the SALT values used with + * GCM mode. GCM mode requires an IV. The SALT value is used + * as part of the IV formation logic applied to each RTP packet. + */ +#define SRTP_AEAD_SALT_LEN 12 + +#define SRTP_AES_128_KEY_LEN 16 +#define SRTP_AES_192_KEY_LEN 24 +#define SRTP_AES_256_KEY_LEN 32 + +#define SRTP_AES_ICM_128_KEY_LEN_WSALT (SRTP_SALT_LEN + SRTP_AES_128_KEY_LEN) +#define SRTP_AES_ICM_192_KEY_LEN_WSALT (SRTP_SALT_LEN + SRTP_AES_192_KEY_LEN) +#define SRTP_AES_ICM_256_KEY_LEN_WSALT (SRTP_SALT_LEN + SRTP_AES_256_KEY_LEN) + +#define SRTP_AES_GCM_128_KEY_LEN_WSALT \ + (SRTP_AEAD_SALT_LEN + SRTP_AES_128_KEY_LEN) +#define SRTP_AES_GCM_192_KEY_LEN_WSALT \ + (SRTP_AEAD_SALT_LEN + SRTP_AES_192_KEY_LEN) +#define SRTP_AES_GCM_256_KEY_LEN_WSALT \ + (SRTP_AEAD_SALT_LEN + SRTP_AES_256_KEY_LEN) + +/** + * @brief A srtp_cipher_type_id_t is an identifier for a particular cipher + * type. + * + * A srtp_cipher_type_id_t is an integer that represents a particular + * cipher type, e.g. the Advanced Encryption Standard (AES). A + * SRTP_NULL_CIPHER is avaliable; this cipher leaves the data unchanged, + * and can be selected to indicate that no encryption is to take + * place. + * + * @ingroup Ciphers + */ +typedef uint32_t srtp_cipher_type_id_t; + +/** + * @brief An srtp_auth_type_id_t is an identifier for a particular + * authentication + * function. + * + * An srtp_auth_type_id_t is an integer that represents a particular + * authentication function type, e.g. HMAC-SHA1. A SRTP_NULL_AUTH is + * avaliable; this authentication function performs no computation, + * and can be selected to indicate that no authentication is to take + * place. + * + * @ingroup Authentication + */ +typedef uint32_t srtp_auth_type_id_t; + +/** + * @brief srtp_err_status_t defines error codes. + * + * The enumeration srtp_err_status_t defines error codes. Note that the + * value of srtp_err_status_ok is equal to zero, which can simplify error + * checking somewhat. + * + */ +typedef enum { + srtp_err_status_ok = 0, /**< nothing to report */ + srtp_err_status_fail = 1, /**< unspecified failure */ + srtp_err_status_bad_param = 2, /**< unsupported parameter */ + srtp_err_status_alloc_fail = 3, /**< couldn't allocate memory */ + srtp_err_status_dealloc_fail = 4, /**< couldn't deallocate properly */ + srtp_err_status_init_fail = 5, /**< couldn't initialize */ + srtp_err_status_terminus = 6, /**< can't process as much data as */ + /**< requested */ + srtp_err_status_auth_fail = 7, /**< authentication failure */ + srtp_err_status_cipher_fail = 8, /**< cipher failure */ + srtp_err_status_replay_fail = 9, /**< replay check failed (bad index) */ + srtp_err_status_replay_old = 10, /**< replay check failed (index too */ + /**< old) */ + srtp_err_status_algo_fail = 11, /**< algorithm failed test routine */ + srtp_err_status_no_such_op = 12, /**< unsupported operation */ + srtp_err_status_no_ctx = 13, /**< no appropriate context found */ + srtp_err_status_cant_check = 14, /**< unable to perform desired */ + /**< validation */ + srtp_err_status_key_expired = 15, /**< can't use key any more */ + srtp_err_status_socket_err = 16, /**< error in use of socket */ + srtp_err_status_signal_err = 17, /**< error in use POSIX signals */ + srtp_err_status_nonce_bad = 18, /**< nonce check failed */ + srtp_err_status_read_fail = 19, /**< couldn't read data */ + srtp_err_status_write_fail = 20, /**< couldn't write data */ + srtp_err_status_parse_err = 21, /**< error parsing data */ + srtp_err_status_encode_err = 22, /**< error encoding data */ + srtp_err_status_semaphore_err = 23, /**< error while using semaphores */ + srtp_err_status_pfkey_err = 24, /**< error while using pfkey */ + srtp_err_status_bad_mki = 25, /**< error MKI present in packet is */ + /**< invalid */ + srtp_err_status_pkt_idx_old = 26, /**< packet index is too old to */ + /**< consider */ + srtp_err_status_pkt_idx_adv = 27 /**< packet index advanced, reset */ + /**< needed */ +} srtp_err_status_t; + +typedef struct srtp_ctx_t_ srtp_ctx_t; + +/** + * @brief srtp_sec_serv_t describes a set of security services. + * + * A srtp_sec_serv_t enumeration is used to describe the particular + * security services that will be applied by a particular crypto + * policy (or other mechanism). + */ +typedef enum { + sec_serv_none = 0, /**< no services */ + sec_serv_conf = 1, /**< confidentiality */ + sec_serv_auth = 2, /**< authentication */ + sec_serv_conf_and_auth = 3 /**< confidentiality and authentication */ +} srtp_sec_serv_t; + +/** + * @brief srtp_crypto_policy_t describes a particular crypto policy that + * can be applied to an SRTP stream. + * + * A srtp_crypto_policy_t describes a particular cryptographic policy that + * can be applied to an SRTP or SRTCP stream. An SRTP session policy + * consists of a list of these policies, one for each SRTP stream + * in the session. + */ +typedef struct srtp_crypto_policy_t { + srtp_cipher_type_id_t cipher_type; /**< An integer representing */ + /**< the type of cipher. */ + int cipher_key_len; /**< The length of the cipher key */ + /**< in octets. */ + srtp_auth_type_id_t auth_type; /**< An integer representing the */ + /**< authentication function. */ + int auth_key_len; /**< The length of the authentication */ + /**< function key in octets. */ + int auth_tag_len; /**< The length of the authentication */ + /**< tag in octets. */ + srtp_sec_serv_t sec_serv; /**< The flag indicating the security */ + /**< services to be applied. */ +} srtp_crypto_policy_t; + +/** + * @brief srtp_ssrc_type_t describes the type of an SSRC. + * + * An srtp_ssrc_type_t enumeration is used to indicate a type of SSRC. See + * @ref srtp_policy_t for more informataion. + */ +typedef enum { + ssrc_undefined = 0, /**< Indicates an undefined SSRC type. */ + ssrc_specific = 1, /**< Indicates a specific SSRC value */ + ssrc_any_inbound = 2, /**< Indicates any inbound SSRC value */ + /**< (i.e. a value that is used in the */ + /**< function srtp_unprotect()) */ + ssrc_any_outbound = 3 /**< Indicates any outbound SSRC value */ + /**< (i.e. a value that is used in the */ + /**< function srtp_protect()) */ +} srtp_ssrc_type_t; + +/** + * @brief An srtp_ssrc_t represents a particular SSRC value, or a `wildcard' + * SSRC. + * + * An srtp_ssrc_t represents a particular SSRC value (if its type is + * ssrc_specific), or a wildcard SSRC value that will match all + * outbound SSRCs (if its type is ssrc_any_outbound) or all inbound + * SSRCs (if its type is ssrc_any_inbound). + */ +typedef struct { + srtp_ssrc_type_t type; /**< The type of this particular SSRC */ + unsigned int value; /**< The value of this SSRC, if it is not a */ + /**< wildcard */ +} srtp_ssrc_t; + +/** + * @brief points to an EKT policy + */ +typedef struct srtp_ekt_policy_ctx_t *srtp_ekt_policy_t; + +/** + * @brief points to EKT stream data + */ +typedef struct srtp_ekt_stream_ctx_t *srtp_ekt_stream_t; + +/** + * @brief srtp_master_key_t represents a master key. There will + * be a Master Key Index and the Master Key associated with the + * Master Key Index. Need to also keep track of the Master Key + * Index Size to correctly read it from a packet. + */ +typedef struct srtp_master_key_t { + unsigned char *key; + unsigned char *mki_id; + unsigned int mki_size; +} srtp_master_key_t; + +/** + * @brief represents the policy for an SRTP session. + * + * A single srtp_policy_t struct represents the policy for a single + * SRTP stream, and a linked list of these elements represents the + * policy for an entire SRTP session. Each element contains the SRTP + * and SRTCP crypto policies for that stream, a pointer to the SRTP + * master key for that stream, the SSRC describing that stream, or a + * flag indicating a `wildcard' SSRC value, and a `next' field that + * holds a pointer to the next element in the list of policy elements, + * or NULL if it is the last element. + * + * The wildcard value SSRC_ANY_INBOUND matches any SSRC from an + * inbound stream that for which there is no explicit SSRC entry in + * another policy element. Similarly, the value SSRC_ANY_OUTBOUND + * will matches any SSRC from an outbound stream that does not appear + * in another policy element. Note that wildcard SSRCs &b cannot be + * used to match both inbound and outbound traffic. This restriction + * is intentional, and it allows libSRTP to ensure that no security + * lapses result from accidental re-use of SSRC values during key + * sharing. + * + * @warning The final element of the list @b must have its `next' pointer + * set to NULL. + */ + +typedef struct srtp_policy_t { + srtp_ssrc_t ssrc; /**< The SSRC value of stream, or the */ + /**< flags SSRC_ANY_INBOUND or */ + /**< SSRC_ANY_OUTBOUND if key sharing */ + /**< is used for this policy element. */ + srtp_crypto_policy_t rtp; /**< SRTP crypto policy. */ + srtp_crypto_policy_t rtcp; /**< SRTCP crypto policy. */ + unsigned char *key; /**< Pointer to the SRTP master key for */ + /**< this stream. */ + srtp_master_key_t **keys; /** Array of Master Key structures */ + unsigned long num_master_keys; /** Number of master keys */ + srtp_ekt_policy_t ekt; /**< Pointer to the EKT policy structure */ + /**< for this stream (if any) */ + unsigned long window_size; /**< The window size to use for replay */ + /**< protection. */ + int allow_repeat_tx; /**< Whether retransmissions of */ + /**< packets with the same sequence */ + /**< number are allowed. */ + /**< (Note that such repeated */ + /**< transmissions must have the same */ + /**< RTP payload, or a severe security */ + /**< weakness is introduced!) */ + int *enc_xtn_hdr; /**< List of header ids to encrypt. */ + int enc_xtn_hdr_count; /**< Number of entries in list of header */ + /**< ids. */ + struct srtp_policy_t *next; /**< Pointer to next stream policy. */ +} srtp_policy_t; + +/** + * @brief An srtp_t points to an SRTP session structure. + * + * The typedef srtp_t is a pointer to a structure that represents + * an SRTP session. This datatype is intentially opaque in + * order to separate the interface from the implementation. + * + * An SRTP session consists of all of the traffic sent to the RTP and + * RTCP destination transport addresses, using the RTP/SAVP (Secure + * Audio/Video Profile). A session can be viewed as a set of SRTP + * streams, each of which originates with a different participant. + */ +typedef srtp_ctx_t *srtp_t; + +/** + * @brief srtp_init() initializes the srtp library. + * + * @warning This function @b must be called before any other srtp + * functions. + */ +srtp_err_status_t srtp_init(void); + +/** + * @brief srtp_shutdown() de-initializes the srtp library. + * + * @warning No srtp functions may be called after calling this function. + */ +srtp_err_status_t srtp_shutdown(void); + +/** + * @brief srtp_protect() is the Secure RTP sender-side packet processing + * function. + * + * The function call srtp_protect(ctx, rtp_hdr, len_ptr) applies SRTP + * protection to the RTP packet rtp_hdr (which has length *len_ptr) using + * the SRTP context ctx. If srtp_err_status_ok is returned, then rtp_hdr + * points to the resulting SRTP packet and *len_ptr is the number of + * octets in that packet; otherwise, no assumptions should be made + * about the value of either data elements. + * + * The sequence numbers of the RTP packets presented to this function + * need not be consecutive, but they @b must be out of order by less + * than 2^15 = 32,768 packets. + * + * @warning This function assumes that it can write the authentication + * tag into the location in memory immediately following the RTP + * packet, and assumes that the RTP packet is aligned on a 32-bit + * boundary. + * + * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN + * into the location in memory immediately following the RTP packet. + * Callers MUST ensure that this much writable memory is available in + * the buffer that holds the RTP packet. + * + * @param ctx is the SRTP context to use in processing the packet. + * + * @param rtp_hdr is a pointer to the RTP packet (before the call); after + * the function returns, it points to the srtp packet. + * + * @param len_ptr is a pointer to the length in octets of the complete + * RTP packet (header and body) before the function call, and of the + * complete SRTP packet after the call, if srtp_err_status_ok was returned. + * Otherwise, the value of the data to which it points is undefined. + * + * @return + * - srtp_err_status_ok no problems + * - srtp_err_status_replay_fail rtp sequence number was non-increasing + * - @e other failure in cryptographic mechanisms + */ +srtp_err_status_t srtp_protect(srtp_t ctx, void *rtp_hdr, int *len_ptr); + +/** + * @brief srtp_protect_mki() is the Secure RTP sender-side packet processing + * function that can utilize MKI. + * + * The function call srtp_protect(ctx, rtp_hdr, len_ptr) applies SRTP + * protection to the RTP packet rtp_hdr (which has length *len_ptr) using + * the SRTP context ctx. If srtp_err_status_ok is returned, then rtp_hdr + * points to the resulting SRTP packet and *len_ptr is the number of + * octets in that packet; otherwise, no assumptions should be made + * about the value of either data elements. + * + * The sequence numbers of the RTP packets presented to this function + * need not be consecutive, but they @b must be out of order by less + * than 2^15 = 32,768 packets. + * + * @warning This function assumes that it can write the authentication + * tag into the location in memory immediately following the RTP + * packet, and assumes that the RTP packet is aligned on a 32-bit + * boundary. + * + * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN + * into the location in memory immediately following the RTP packet. + * Callers MUST ensure that this much writable memory is available in + * the buffer that holds the RTP packet. + * + * @param ctx is the SRTP context to use in processing the packet. + * + * @param rtp_hdr is a pointer to the RTP packet (before the call); after + * the function returns, it points to the srtp packet. + * + * @param pkt_octet_len is a pointer to the length in octets of the complete + * RTP packet (header and body) before the function call, and of the + * complete SRTP packet after the call, if srtp_err_status_ok was returned. + * Otherwise, the value of the data to which it points is undefined. + * + * @param use_mki is a boolean to tell the system if mki is being used. If + * set to false then will use the first set of session keys. If set to true + * will + * use the session keys identified by the mki_index + * + * @param mki_index integer value specifying which set of session keys should be + * used if use_mki is set to true. + * + * @return + * - srtp_err_status_ok no problems + * - srtp_err_status_replay_fail rtp sequence number was non-increasing + * - @e other failure in cryptographic mechanisms + */ +srtp_err_status_t srtp_protect_mki(srtp_ctx_t *ctx, + void *rtp_hdr, + int *pkt_octet_len, + unsigned int use_mki, + unsigned int mki_index); + +/** + * @brief srtp_unprotect() is the Secure RTP receiver-side packet + * processing function. + * + * The function call srtp_unprotect(ctx, srtp_hdr, len_ptr) verifies + * the Secure RTP protection of the SRTP packet pointed to by srtp_hdr + * (which has length *len_ptr), using the SRTP context ctx. If + * srtp_err_status_ok is returned, then srtp_hdr points to the resulting + * RTP packet and *len_ptr is the number of octets in that packet; + * otherwise, no assumptions should be made about the value of either + * data elements. + * + * The sequence numbers of the RTP packets presented to this function + * need not be consecutive, but they @b must be out of order by less + * than 2^15 = 32,768 packets. + * + * @warning This function assumes that the SRTP packet is aligned on a + * 32-bit boundary. + * + * @param ctx is the SRTP session which applies to the particular packet. + * + * @param srtp_hdr is a pointer to the header of the SRTP packet + * (before the call). after the function returns, it points to the + * rtp packet if srtp_err_status_ok was returned; otherwise, the value of + * the data to which it points is undefined. + * + * @param len_ptr is a pointer to the length in octets of the complete + * srtp packet (header and body) before the function call, and of the + * complete rtp packet after the call, if srtp_err_status_ok was returned. + * Otherwise, the value of the data to which it points is undefined. + * + * @return + * - srtp_err_status_ok if the RTP packet is valid. + * - srtp_err_status_auth_fail if the SRTP packet failed the message + * authentication check. + * - srtp_err_status_replay_fail if the SRTP packet is a replay (e.g. packet + * has already been processed and accepted). + * - [other] if there has been an error in the cryptographic mechanisms. + * + */ +srtp_err_status_t srtp_unprotect(srtp_t ctx, void *srtp_hdr, int *len_ptr); + +/** + * @brief srtp_unprotect_mki() is the Secure RTP receiver-side packet + * processing function that checks for MKI. + * + * The function call srtp_unprotect(ctx, srtp_hdr, len_ptr) verifies + * the Secure RTP protection of the SRTP packet pointed to by srtp_hdr + * (which has length *len_ptr), using the SRTP context ctx. If + * srtp_err_status_ok is returned, then srtp_hdr points to the resulting + * RTP packet and *len_ptr is the number of octets in that packet; + * otherwise, no assumptions should be made about the value of either + * data elements. + * + * The sequence numbers of the RTP packets presented to this function + * need not be consecutive, but they @b must be out of order by less + * than 2^15 = 32,768 packets. + * + * @warning This function assumes that the SRTP packet is aligned on a + * 32-bit boundary. + * + * @param ctx is the SRTP session which applies to the particular packet. + * + * @param srtp_hdr is a pointer to the header of the SRTP packet + * (before the call). after the function returns, it points to the + * rtp packet if srtp_err_status_ok was returned; otherwise, the value of + * the data to which it points is undefined. + * + * @param len_ptr is a pointer to the length in octets of the complete + * srtp packet (header and body) before the function call, and of the + * complete rtp packet after the call, if srtp_err_status_ok was returned. + * Otherwise, the value of the data to which it points is undefined. + * + * @param use_mki is a boolean to tell the system if mki is being used. If + * set to false then will use the first set of session keys. If set to true + * will + * use the session keys identified by the mki_index + * + * @return + * - srtp_err_status_ok if the RTP packet is valid. + * - srtp_err_status_auth_fail if the SRTP packet failed the message + * authentication check. + * - srtp_err_status_replay_fail if the SRTP packet is a replay (e.g. packet + * has already been processed and accepted). + * - srtp_err_status_bad_mki if the MKI in the packet is not a known MKI id + * - [other] if there has been an error in the cryptographic mechanisms. + * + */ +srtp_err_status_t srtp_unprotect_mki(srtp_t ctx, + void *srtp_hdr, + int *len_ptr, + unsigned int use_mki); + +/** + * @brief srtp_create() allocates and initializes an SRTP session. + + * The function call srtp_create(session, policy) allocates and + * initializes an SRTP session context, applying the given policy. + * + * @param session is a pointer to the SRTP session to which the policy is + * to be added. + * + * @param policy is the srtp_policy_t struct that describes the policy + * for the session. The struct may be a single element, or it may be + * the head of a list, in which case each element of the list is + * processed. It may also be NULL, in which case streams should be added + * later using srtp_add_stream(). The final element of the list @b must + * have its `next' field set to NULL. + * + * @return + * - srtp_err_status_ok if creation succeded. + * - srtp_err_status_alloc_fail if allocation failed. + * - srtp_err_status_init_fail if initialization failed. + */ +srtp_err_status_t srtp_create(srtp_t *session, const srtp_policy_t *policy); + +/** + * @brief srtp_add_stream() allocates and initializes an SRTP stream + * within a given SRTP session. + * + * The function call srtp_add_stream(session, policy) allocates and + * initializes a new SRTP stream within a given, previously created + * session, applying the policy given as the other argument to that + * stream. + * + * @return values: + * - srtp_err_status_ok if stream creation succeded. + * - srtp_err_status_alloc_fail if stream allocation failed + * - srtp_err_status_init_fail if stream initialization failed. + */ +srtp_err_status_t srtp_add_stream(srtp_t session, const srtp_policy_t *policy); + +/** + * @brief srtp_remove_stream() deallocates an SRTP stream. + * + * The function call srtp_remove_stream(session, ssrc) removes + * the SRTP stream with the SSRC value ssrc from the SRTP session + * context given by the argument session. + * + * @param session is the SRTP session from which the stream + * will be removed. + * + * @param ssrc is the SSRC value of the stream to be removed + * in network byte order. + * + * @warning Wildcard SSRC values cannot be removed from a + * session. + * + * @return + * - srtp_err_status_ok if the stream deallocation succeded. + * - [other] otherwise. + * + */ +srtp_err_status_t srtp_remove_stream(srtp_t session, unsigned int ssrc); + +/** + * @brief srtp_update() udpates all streams in the session. + * + * The function call srtp_update(session, policy) updates + * all the streams in the session applying the given policy + * and key. The exsisting ROC value of all streams will be + * preserved. + * + * @param session is the SRTP session that contains the streams + * to be updated. + * + * @param policy is the srtp_policy_t struct that describes the policy + * for the session. The struct may be a single element, or it may be + * the head of a list, in which case each element of the list is + * processed. The final element of the list @b must + * have its `next' field set to NULL. + * + * @return + * - srtp_err_status_ok if stream creation succeded. + * - srtp_err_status_alloc_fail if stream allocation failed + * - srtp_err_status_init_fail if stream initialization failed. + * - [other] otherwise. + * + */ +srtp_err_status_t srtp_update(srtp_t session, const srtp_policy_t *policy); + +/** + * @brief srtp_update_stream() udpates a SRTP stream. + * + * The function call srtp_update_stream(session, policy) updates + * the stream(s) in the session that match applying the given + * policy and key. The exsisting ROC value of all stream(s) will + * be preserved. + * + * @param session is the SRTP session that contains the streams + * to be updated. + * + * @param policy is the srtp_policy_t struct that describes the policy + * for the session. + * + * @return + * - srtp_err_status_ok if stream creation succeded. + * - srtp_err_status_alloc_fail if stream allocation failed + * - srtp_err_status_init_fail if stream initialization failed. + * - [other] otherwise. + * + */ +srtp_err_status_t srtp_update_stream(srtp_t session, + const srtp_policy_t *policy); + +/** + * @brief srtp_crypto_policy_set_rtp_default() sets a crypto policy + * structure to the SRTP default policy for RTP protection. + * + * @param p is a pointer to the policy structure to be set + * + * The function call crypto_policy_set_rtp_default(&p) sets the + * crypto_policy_t at location p to the SRTP default policy for RTP + * protection, as defined in the specification. This function is a + * convenience that helps to avoid dealing directly with the policy + * data structure. You are encouraged to initialize policy elements + * with this function call. Doing so may allow your code to be + * forward compatible with later versions of libSRTP that include more + * elements in the crypto_policy_t datatype. + * + * @return void. + * + */ +void srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_rtcp_default() sets a crypto policy + * structure to the SRTP default policy for RTCP protection. + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_rtcp_default(&p) sets the + * srtp_crypto_policy_t at location p to the SRTP default policy for RTCP + * protection, as defined in the specification. This function is a + * convenience that helps to avoid dealing directly with the policy + * data structure. You are encouraged to initialize policy elements + * with this function call. Doing so may allow your code to be + * forward compatible with later versions of libSRTP that include more + * elements in the srtp_crypto_policy_t datatype. + * + * @return void. + * + */ +void srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80() sets a crypto + * policy structure to the SRTP default policy for RTP protection. + * + * @param p is a pointer to the policy structure to be set + * + * The function srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80() is a + * synonym for srtp_crypto_policy_set_rtp_default(). It conforms to the + * naming convention used in RFC 4568 (SDP Security Descriptions for + * Media Streams). + * + * @return void. + * + */ +#define srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(p) \ + srtp_crypto_policy_set_rtp_default(p) + +/** + * @brief srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32() sets a crypto + * policy structure to a short-authentication tag policy + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(&p) + * sets the srtp_crypto_policy_t at location p to use policy + * AES_CM_128_HMAC_SHA1_32 as defined in RFC 4568. + * This policy uses AES-128 + * Counter Mode encryption and HMAC-SHA1 authentication, with an + * authentication tag that is only 32 bits long. This length is + * considered adequate only for protecting audio and video media that + * use a stateless playback function. See Section 7.5 of RFC 3711 + * (http://www.ietf.org/rfc/rfc3711.txt). + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @warning This crypto policy is intended for use in SRTP, but not in + * SRTCP. It is recommended that a policy that uses longer + * authentication tags be used for SRTCP. See Section 7.5 of RFC 3711 + * (http://www.ietf.org/rfc/rfc3711.txt). + * + * @return void. + * + */ +void srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_aes_cm_128_null_auth() sets a crypto + * policy structure to an encryption-only policy + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_aes_cm_128_null_auth(&p) sets + * the srtp_crypto_policy_t at location p to use the SRTP default cipher + * (AES-128 Counter Mode), but to use no authentication method. This + * policy is NOT RECOMMENDED unless it is unavoidable; see Section 7.5 + * of RFC 3711 (http://www.ietf.org/rfc/rfc3711.txt). + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @warning This policy is NOT RECOMMENDED for SRTP unless it is + * unavoidable, and it is NOT RECOMMENDED at all for SRTCP; see + * Section 7.5 of RFC 3711 (http://www.ietf.org/rfc/rfc3711.txt). + * + * @return void. + * + */ +void srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_null_cipher_hmac_sha1_80() sets a crypto + * policy structure to an authentication-only policy + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_null_cipher_hmac_sha1_80(&p) + * sets the srtp_crypto_policy_t at location p to use HMAC-SHA1 with an 80 + * bit authentication tag to provide message authentication, but to + * use no encryption. This policy is NOT RECOMMENDED for SRTP unless + * there is a requirement to forego encryption. + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @warning This policy is NOT RECOMMENDED for SRTP unless there is a + * requirement to forego encryption. + * + * @return void. + * + */ +void srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_null_cipher_hmac_null() sets a crypto + * policy structure to use no encryption or authentication. + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_null_cipher_hmac_null(&p) + * sets the srtp_crypto_policy_t at location p to use no encryption and + * no authentication. This policy should only be used for testing and + * troubleshootingl. + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @warning This policy is NOT RECOMMENDED for SRTP unless there is a + * requirement to forego encryption and authentication. + * + * @return void. + * + */ +void srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80() sets a crypto + * policy structure to a encryption and authentication policy using AES-256 + * for RTP protection. + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&p) + * sets the srtp_crypto_policy_t at location p to use policy + * AES_CM_256_HMAC_SHA1_80 as defined in RFC 6188. This policy uses AES-256 + * Counter Mode encryption and HMAC-SHA1 authentication, with an 80 bit + * authentication tag. + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @return void. + * + */ +void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32() sets a crypto + * policy structure to a short-authentication tag policy using AES-256 + * encryption. + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(&p) + * sets the srtp_crypto_policy_t at location p to use policy + * AES_CM_256_HMAC_SHA1_32 as defined in RFC 6188. This policy uses AES-256 + * Counter Mode encryption and HMAC-SHA1 authentication, with an + * authentication tag that is only 32 bits long. This length is + * considered adequate only for protecting audio and video media that + * use a stateless playback function. See Section 7.5 of RFC 3711 + * (http://www.ietf.org/rfc/rfc3711.txt). + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @warning This crypto policy is intended for use in SRTP, but not in + * SRTCP. It is recommended that a policy that uses longer + * authentication tags be used for SRTCP. See Section 7.5 of RFC 3711 + * (http://www.ietf.org/rfc/rfc3711.txt). + * + * @return void. + * + */ +void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_aes_cm_256_null_auth() sets a crypto + * policy structure to an encryption-only policy + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_aes_cm_256_null_auth(&p) sets + * the srtp_crypto_policy_t at location p to use the SRTP default cipher + * (AES-256 Counter Mode), but to use no authentication method. This + * policy is NOT RECOMMENDED unless it is unavoidable; see Section 7.5 + * of RFC 3711 (http://www.ietf.org/rfc/rfc3711.txt). + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @warning This policy is NOT RECOMMENDED for SRTP unless it is + * unavoidable, and it is NOT RECOMMENDED at all for SRTCP; see + * Section 7.5 of RFC 3711 (http://www.ietf.org/rfc/rfc3711.txt). + * + * @return void. + * + */ +void srtp_crypto_policy_set_aes_cm_256_null_auth(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80() sets a crypto + * policy structure to a encryption and authentication policy using AES-192 + * for RTP protection. + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(&p) + * sets the crypto_policy_t at location p to use policy + * AES_CM_192_HMAC_SHA1_80 as defined in RFC 6188. This policy uses AES-192 + * Counter Mode encryption and HMAC-SHA1 authentication, with an 80 bit + * authentication tag. + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the crypto_policy_t datatype. + * + * @return void. + * + */ +void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32() sets a crypto + * policy structure to a short-authentication tag policy using AES-192 + * encryption. + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(&p) + * sets the crypto_policy_t at location p to use policy + * AES_CM_192_HMAC_SHA1_32 as defined in RFC 6188. This policy uses AES-192 + * Counter Mode encryption and HMAC-SHA1 authentication, with an + * authentication tag that is only 32 bits long. This length is + * considered adequate only for protecting audio and video media that + * use a stateless playback function. See Section 7.5 of RFC 3711 + * (http://www.ietf.org/rfc/rfc3711.txt). + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the crypto_policy_t datatype. + * + * @warning This crypto policy is intended for use in SRTP, but not in + * SRTCP. It is recommended that a policy that uses longer + * authentication tags be used for SRTCP. See Section 7.5 of RFC 3711 + * (http://www.ietf.org/rfc/rfc3711.txt). + * + * @return void. + * + */ +void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_aes_cm_192_null_auth() sets a crypto + * policy structure to an encryption-only policy + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_aes_cm_192_null_auth(&p) sets + * the crypto_policy_t at location p to use the SRTP default cipher + * (AES-192 Counter Mode), but to use no authentication method. This + * policy is NOT RECOMMENDED unless it is unavoidable; see Section 7.5 + * of RFC 3711 (http://www.ietf.org/rfc/rfc3711.txt). + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the crypto_policy_t datatype. + * + * @warning This policy is NOT RECOMMENDED for SRTP unless it is + * unavoidable, and it is NOT RECOMMENDED at all for SRTCP; see + * Section 7.5 of RFC 3711 (http://www.ietf.org/rfc/rfc3711.txt). + * + * @return void. + * + */ +void srtp_crypto_policy_set_aes_cm_192_null_auth(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_aes_gcm_128_8_auth() sets a crypto + * policy structure to an AEAD encryption policy. + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_aes_gcm_128_8_auth(&p) sets + * the srtp_crypto_policy_t at location p to use the SRTP default cipher + * (AES-128 Galois Counter Mode) with 8 octet auth tag. This + * policy applies confidentiality and authentication to both the + * RTP and RTCP packets. + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @return void. + * + */ +void srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_aes_gcm_256_8_auth() sets a crypto + * policy structure to an AEAD encryption policy + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_aes_gcm_256_8_auth(&p) sets + * the srtp_crypto_policy_t at location p to use the SRTP default cipher + * (AES-256 Galois Counter Mode) with 8 octet auth tag. This + * policy applies confidentiality and authentication to both the + * RTP and RTCP packets. + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @return void. + * + */ +void srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_aes_gcm_128_8_only_auth() sets a crypto + * policy structure to an AEAD authentication-only policy + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_aes_gcm_128_8_only_auth(&p) sets + * the srtp_crypto_policy_t at location p to use the SRTP default cipher + * (AES-128 Galois Counter Mode) with 8 octet auth tag. This policy + * applies confidentiality and authentication to the RTP packets, + * but only authentication to the RTCP packets. + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @return void. + * + */ +void srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_aes_gcm_256_8_only_auth() sets a crypto + * policy structure to an AEAD authentication-only policy + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_aes_gcm_256_8_only_auth(&p) sets + * the srtp_crypto_policy_t at location p to use the SRTP default cipher + * (AES-256 Galois Counter Mode) with 8 octet auth tag. This policy + * applies confidentiality and authentication to the RTP packets, + * but only authentication to the RTCP packets. + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @return void. + * + */ +void srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_aes_gcm_128_16_auth() sets a crypto + * policy structure to an AEAD encryption policy. + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_aes_gcm_128_16_auth(&p) sets + * the srtp_crypto_policy_t at location p to use the SRTP default cipher + * (AES-128 Galois Counter Mode) with 16 octet auth tag. This + * policy applies confidentiality and authentication to both the + * RTP and RTCP packets. + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @return void. + * + */ +void srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t *p); + +/** + * @brief srtp_crypto_policy_set_aes_gcm_256_16_auth() sets a crypto + * policy structure to an AEAD encryption policy + * + * @param p is a pointer to the policy structure to be set + * + * The function call srtp_crypto_policy_set_aes_gcm_256_16_auth(&p) sets + * the srtp_crypto_policy_t at location p to use the SRTP default cipher + * (AES-256 Galois Counter Mode) with 16 octet auth tag. This + * policy applies confidentiality and authentication to both the + * RTP and RTCP packets. + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @return void. + * + */ +void srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p); + +/** + * @brief srtp_dealloc() deallocates storage for an SRTP session + * context. + * + * The function call srtp_dealloc(s) deallocates storage for the + * SRTP session context s. This function should be called no more + * than one time for each of the contexts allocated by the function + * srtp_create(). + * + * @param s is the srtp_t for the session to be deallocated. + * + * @return + * - srtp_err_status_ok if there no problems. + * - srtp_err_status_dealloc_fail a memory deallocation failure occured. + */ +srtp_err_status_t srtp_dealloc(srtp_t s); + +/* + * @brief identifies a particular SRTP profile + * + * An srtp_profile_t enumeration is used to identify a particular SRTP + * profile (that is, a set of algorithms and parameters). These profiles + * are defined for DTLS-SRTP: + * https://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml + */ +typedef enum { + srtp_profile_reserved = 0, + srtp_profile_aes128_cm_sha1_80 = 1, + srtp_profile_aes128_cm_sha1_32 = 2, + srtp_profile_null_sha1_80 = 5, + srtp_profile_null_sha1_32 = 6, + srtp_profile_aead_aes_128_gcm = 7, + srtp_profile_aead_aes_256_gcm = 8, +} srtp_profile_t; + +/** + * @brief srtp_crypto_policy_set_from_profile_for_rtp() sets a crypto policy + * structure to the appropriate value for RTP based on an srtp_profile_t + * + * @param policy is a pointer to the policy structure to be set + * + * @param profile is an enumeration for the policy to be set + * + * The function call srtp_crypto_policy_set_rtp_default(&policy, profile) + * sets the srtp_crypto_policy_t at location policy to the policy for RTP + * protection, as defined by the srtp_profile_t profile. + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @return values + * - srtp_err_status_ok no problems were encountered + * - srtp_err_status_bad_param the profile is not supported + * + */ +srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtp( + srtp_crypto_policy_t *policy, + srtp_profile_t profile); + +/** + * @brief srtp_crypto_policy_set_from_profile_for_rtcp() sets a crypto policy + * structure to the appropriate value for RTCP based on an srtp_profile_t + * + * @param policy is a pointer to the policy structure to be set + * + * @param profile is an enumeration for the policy to be set + * + * The function call srtp_crypto_policy_set_rtcp_default(&policy, profile) + * sets the srtp_crypto_policy_t at location policy to the policy for RTCP + * protection, as defined by the srtp_profile_t profile. + * + * This function is a convenience that helps to avoid dealing directly + * with the policy data structure. You are encouraged to initialize + * policy elements with this function call. Doing so may allow your + * code to be forward compatible with later versions of libSRTP that + * include more elements in the srtp_crypto_policy_t datatype. + * + * @return values + * - srtp_err_status_ok no problems were encountered + * - srtp_err_status_bad_param the profile is not supported + * + */ +srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtcp( + srtp_crypto_policy_t *policy, + srtp_profile_t profile); + +/** + * @brief returns the master key length for a given SRTP profile + */ +unsigned int srtp_profile_get_master_key_length(srtp_profile_t profile); + +/** + * @brief returns the master salt length for a given SRTP profile + */ +unsigned int srtp_profile_get_master_salt_length(srtp_profile_t profile); + +/** + * @brief appends the salt to the key + * + * The function call srtp_append_salt_to_key(k, klen, s, slen) + * copies the string s to the location at klen bytes following + * the location k. + * + * @warning There must be at least bytes_in_salt + bytes_in_key bytes + * available at the location pointed to by key. + * + */ +void srtp_append_salt_to_key(unsigned char *key, + unsigned int bytes_in_key, + unsigned char *salt, + unsigned int bytes_in_salt); + +/** + * @} + */ + +/** + * @defgroup SRTCP Secure RTCP + * @ingroup SRTP + * + * @brief Secure RTCP functions are used to protect RTCP traffic. + * + * RTCP is the control protocol for RTP. libSRTP protects RTCP + * traffic in much the same way as it does RTP traffic. The function + * srtp_protect_rtcp() applies cryptographic protections to outbound + * RTCP packets, and srtp_unprotect_rtcp() verifies the protections on + * inbound RTCP packets. + * + * A note on the naming convention: srtp_protect_rtcp() has an srtp_t + * as its first argument, and thus has `srtp_' as its prefix. The + * trailing `_rtcp' indicates the protocol on which it acts. + * + * @{ + */ + +/** + * @brief srtp_protect_rtcp() is the Secure RTCP sender-side packet + * processing function. + * + * The function call srtp_protect_rtcp(ctx, rtp_hdr, len_ptr) applies + * SRTCP protection to the RTCP packet rtcp_hdr (which has length + * *len_ptr) using the SRTP session context ctx. If srtp_err_status_ok is + * returned, then rtp_hdr points to the resulting SRTCP packet and + * *len_ptr is the number of octets in that packet; otherwise, no + * assumptions should be made about the value of either data elements. + * + * @warning This function assumes that it can write the authentication + * tag into the location in memory immediately following the RTCP + * packet, and assumes that the RTCP packet is aligned on a 32-bit + * boundary. + * + * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN+4 + * into the location in memory immediately following the RTCP packet. + * Callers MUST ensure that this much writable memory is available in + * the buffer that holds the RTCP packet. + * + * @param ctx is the SRTP context to use in processing the packet. + * + * @param rtcp_hdr is a pointer to the RTCP packet (before the call); after + * the function returns, it points to the srtp packet. + * + * @param pkt_octet_len is a pointer to the length in octets of the + * complete RTCP packet (header and body) before the function call, + * and of the complete SRTCP packet after the call, if srtp_err_status_ok + * was returned. Otherwise, the value of the data to which it points + * is undefined. + * + * @return + * - srtp_err_status_ok if there were no problems. + * - [other] if there was a failure in + * the cryptographic mechanisms. + */ +srtp_err_status_t srtp_protect_rtcp(srtp_t ctx, + void *rtcp_hdr, + int *pkt_octet_len); + +/** + * @brief srtp_protect_rtcp_mki() is the Secure RTCP sender-side packet + * processing function that can utilize mki. + * + * The function call srtp_protect_rtcp(ctx, rtp_hdr, len_ptr) applies + * SRTCP protection to the RTCP packet rtcp_hdr (which has length + * *len_ptr) using the SRTP session context ctx. If srtp_err_status_ok is + * returned, then rtp_hdr points to the resulting SRTCP packet and + * *len_ptr is the number of octets in that packet; otherwise, no + * assumptions should be made about the value of either data elements. + * + * @warning This function assumes that it can write the authentication + * tag into the location in memory immediately following the RTCP + * packet, and assumes that the RTCP packet is aligned on a 32-bit + * boundary. + * + * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN+4 + * into the location in memory immediately following the RTCP packet. + * Callers MUST ensure that this much writable memory is available in + * the buffer that holds the RTCP packet. + * + * @param ctx is the SRTP context to use in processing the packet. + * + * @param rtcp_hdr is a pointer to the RTCP packet (before the call); after + * the function returns, it points to the srtp packet. + * + * @param pkt_octet_len is a pointer to the length in octets of the + * complete RTCP packet (header and body) before the function call, + * and of the complete SRTCP packet after the call, if srtp_err_status_ok + * was returned. Otherwise, the value of the data to which it points + * is undefined. + * + * @param use_mki is a boolean to tell the system if mki is being used. If + * set to false then will use the first set of session keys. If set to true + * will + * use the session keys identified by the mki_index + * + * @param mki_index integer value specifying which set of session kesy should be + * used if use_mki is set to true. + * + * @return + * - srtp_err_status_ok if there were no problems. + * - [other] if there was a failure in + * the cryptographic mechanisms. + */ +srtp_err_status_t srtp_protect_rtcp_mki(srtp_t ctx, + void *rtcp_hdr, + int *pkt_octet_len, + unsigned int use_mki, + unsigned int mki_index); + +/** + * @brief srtp_unprotect_rtcp() is the Secure RTCP receiver-side packet + * processing function. + * + * The function call srtp_unprotect_rtcp(ctx, srtp_hdr, len_ptr) + * verifies the Secure RTCP protection of the SRTCP packet pointed to + * by srtcp_hdr (which has length *len_ptr), using the SRTP session + * context ctx. If srtp_err_status_ok is returned, then srtcp_hdr points + * to the resulting RTCP packet and *len_ptr is the number of octets + * in that packet; otherwise, no assumptions should be made about the + * value of either data elements. + * + * @warning This function assumes that the SRTCP packet is aligned on a + * 32-bit boundary. + * + * @param ctx is a pointer to the srtp_t which applies to the + * particular packet. + * + * @param srtcp_hdr is a pointer to the header of the SRTCP packet + * (before the call). After the function returns, it points to the + * rtp packet if srtp_err_status_ok was returned; otherwise, the value of + * the data to which it points is undefined. + * + * @param pkt_octet_len is a pointer to the length in octets of the + * complete SRTCP packet (header and body) before the function call, + * and of the complete rtp packet after the call, if srtp_err_status_ok was + * returned. Otherwise, the value of the data to which it points is + * undefined. + * + * @return + * - srtp_err_status_ok if the RTCP packet is valid. + * - srtp_err_status_auth_fail if the SRTCP packet failed the message + * authentication check. + * - srtp_err_status_replay_fail if the SRTCP packet is a replay (e.g. has + * already been processed and accepted). + * - [other] if there has been an error in the cryptographic mechanisms. + * + */ +srtp_err_status_t srtp_unprotect_rtcp(srtp_t ctx, + void *srtcp_hdr, + int *pkt_octet_len); + +/** + * @brief srtp_unprotect_rtcp() is the Secure RTCP receiver-side packet + * processing function. + * + * The function call srtp_unprotect_rtcp(ctx, srtp_hdr, len_ptr) + * verifies the Secure RTCP protection of the SRTCP packet pointed to + * by srtcp_hdr (which has length *len_ptr), using the SRTP session + * context ctx. If srtp_err_status_ok is returned, then srtcp_hdr points + * to the resulting RTCP packet and *len_ptr is the number of octets + * in that packet; otherwise, no assumptions should be made about the + * value of either data elements. + * + * @warning This function assumes that the SRTCP packet is aligned on a + * 32-bit boundary. + * + * @param ctx is a pointer to the srtp_t which applies to the + * particular packet. + * + * @param srtcp_hdr is a pointer to the header of the SRTCP packet + * (before the call). After the function returns, it points to the + * rtp packet if srtp_err_status_ok was returned; otherwise, the value of + * the data to which it points is undefined. + * + * @param pkt_octet_len is a pointer to the length in octets of the + * complete SRTCP packet (header and body) before the function call, + * and of the complete rtp packet after the call, if srtp_err_status_ok was + * returned. Otherwise, the value of the data to which it points is + * undefined. + * + * @param use_mki is a boolean to tell the system if mki is being used. If + * set to false then will use the first set of session keys. If set to true + * will use the session keys identified by the mki_index + * + * @return + * - srtp_err_status_ok if the RTCP packet is valid. + * - srtp_err_status_auth_fail if the SRTCP packet failed the message + * authentication check. + * - srtp_err_status_replay_fail if the SRTCP packet is a replay (e.g. has + * already been processed and accepted). + * - srtp_err_status_bad_mki if the MKI in the packet is not a known MKI + * id + * - [other] if there has been an error in the + * cryptographic mechanisms. + * + */ +srtp_err_status_t srtp_unprotect_rtcp_mki(srtp_t ctx, + void *srtcp_hdr, + int *pkt_octet_len, + unsigned int use_mki); + +/** + * @} + */ + +/** + * @defgroup User data associated to a SRTP session. + * @ingroup SRTP + * + * @brief Store custom user data within a SRTP session. + * + * @{ + */ + +/** + * @brief srtp_set_user_data() stores the given pointer into the SRTP + * session for later retrieval. + * + * @param ctx is the srtp_t context in which the given data pointer is + * stored. + * + * @param data is a pointer to the custom information (struct, function, + * etc) associated with the SRTP session. + * + * @return void. + * + */ +void srtp_set_user_data(srtp_t ctx, void *data); + +/** + * @brief srtp_get_user_data() retrieves the pointer to the custom data + * previously stored with srtp_set_user_data(). + * + * This function is mostly useful for retrieving data associated to a + * SRTP session when an event fires. The user can then get such a custom + * data by calling this function with the session field of the + * srtp_event_data_t struct as argument. + * + * @param ctx is the srtp_t context in which the given data pointer was + * stored. + * + * @return void* pointer to the user data. + * + */ +void *srtp_get_user_data(srtp_t ctx); + +/** + * @} + */ + +/** + * @defgroup SRTPevents SRTP events and callbacks + * @ingroup SRTP + * + * @brief libSRTP can use a user-provided callback function to + * handle events. + * + * + * libSRTP allows a user to provide a callback function to handle + * events that need to be dealt with outside of the data plane (see + * the enum srtp_event_t for a description of these events). Dealing + * with these events is not a strict necessity; they are not + * security-critical, but the application may suffer if they are not + * handled. The function srtp_set_event_handler() is used to provide + * the callback function. + * + * A default event handler that merely reports on the events as they + * happen is included. It is also possible to set the event handler + * function to NULL, in which case all events will just be silently + * ignored. + * + * @{ + */ + +/** + * @brief srtp_event_t defines events that need to be handled + * + * The enum srtp_event_t defines events that need to be handled + * outside the `data plane', such as SSRC collisions and + * key expirations. + * + * When a key expires or the maximum number of packets has been + * reached, an SRTP stream will enter an `expired' state in which no + * more packets can be protected or unprotected. When this happens, + * it is likely that you will want to either deallocate the stream + * (using srtp_remove_stream()), and possibly allocate a new one. + * + * When an SRTP stream expires, the other streams in the same session + * are unaffected, unless key sharing is used by that stream. In the + * latter case, all of the streams in the session will expire. + */ +typedef enum { + event_ssrc_collision, /**< An SSRC collision occured. */ + event_key_soft_limit, /**< An SRTP stream reached the soft key */ + /**< usage limit and will expire soon. */ + event_key_hard_limit, /**< An SRTP stream reached the hard */ + /**< key usage limit and has expired. */ + event_packet_index_limit /**< An SRTP stream reached the hard */ + /**< packet limit (2^48 packets). */ +} srtp_event_t; + +/** + * @brief srtp_event_data_t is the structure passed as a callback to + * the event handler function + * + * The struct srtp_event_data_t holds the data passed to the event + * handler function. + */ +typedef struct srtp_event_data_t { + srtp_t session; /**< The session in which the event happend. */ + uint32_t ssrc; /**< The ssrc in host order of the stream in which */ + /**< the event happend */ + srtp_event_t event; /**< An enum indicating the type of event. */ +} srtp_event_data_t; + +/** + * @brief srtp_event_handler_func_t is the function prototype for + * the event handler. + * + * The typedef srtp_event_handler_func_t is the prototype for the + * event handler function. It has as its only argument an + * srtp_event_data_t which describes the event that needs to be handled. + * There can only be a single, global handler for all events in + * libSRTP. + */ +typedef void(srtp_event_handler_func_t)(srtp_event_data_t *data); + +/** + * @brief sets the event handler to the function supplied by the caller. + * + * The function call srtp_install_event_handler(func) sets the event + * handler function to the value func. The value NULL is acceptable + * as an argument; in this case, events will be ignored rather than + * handled. + * + * @param func is a pointer to a fuction that takes an srtp_event_data_t + * pointer as an argument and returns void. This function + * will be used by libSRTP to handle events. + */ +srtp_err_status_t srtp_install_event_handler(srtp_event_handler_func_t func); + +/** + * @brief Returns the version string of the library. + * + */ +const char *srtp_get_version_string(void); + +/** + * @brief Returns the numeric representation of the library version. + * + */ +unsigned int srtp_get_version(void); + +/** + * @brief srtp_set_debug_module(mod_name, v) + * + * sets dynamic debugging to the value v (0 for off, 1 for on) for the + * debug module with the name mod_name + * + * returns err_status_ok on success, err_status_fail otherwise + */ +srtp_err_status_t srtp_set_debug_module(const char *mod_name, int v); + +/** + * @brief srtp_list_debug_modules() outputs a list of debugging modules + * + */ +srtp_err_status_t srtp_list_debug_modules(void); + +/** + * @brief srtp_log_level_t defines log levels. + * + * The enumeration srtp_log_level_t defines log levels reported + * in the srtp_log_handler_func_t. + * + */ +typedef enum { + srtp_log_level_error, /**< log level is reporting an error message */ + srtp_log_level_warning, /**< log level is reporting a warning message */ + srtp_log_level_info, /**< log level is reporting an info message */ + srtp_log_level_debug /**< log level is reporting a debug message */ +} srtp_log_level_t; + +/** + * @brief srtp_log_handler_func_t is the function prototype for + * the log handler. + * + * The typedef srtp_event_handler_func_t is the prototype for the + * event handler function. It has as srtp_log_level_t, log + * message and data as arguments. + * There can only be a single, global handler for all log messages in + * libSRTP. + */ +typedef void(srtp_log_handler_func_t)(srtp_log_level_t level, + const char *msg, + void *data); + +/** + * @brief sets the log handler to the function supplied by the caller. + * + * The function call srtp_install_log_handler(func) sets the log + * handler function to the value func. The value NULL is acceptable + * as an argument; in this case, log messages will be ignored. + * This function can be called before srtp_init() inorder to capture + * any logging during start up. + * + * @param func is a pointer to a fuction of type srtp_log_handler_func_t. + * This function will be used by libSRTP to output log messages. + * @param data is a user pointer that will be returned as the data argument in + * func. + */ +srtp_err_status_t srtp_install_log_handler(srtp_log_handler_func_t func, + void *data); + +/** + * @brief srtp_get_protect_trailer_length(session, use_mki, mki_index, length) + * + * Determines the length of the amount of data Lib SRTP will add to the + * packet during the protect process. The length is returned in the length + * parameter + * + * returns err_status_ok on success, err_status_bad_mki if the MKI index is + * invalid + * + */ +srtp_err_status_t srtp_get_protect_trailer_length(srtp_t session, + uint32_t use_mki, + uint32_t mki_index, + uint32_t *length); + +/** + * @brief srtp_get_protect_rtcp_trailer_length(session, use_mki, mki_index, + * length) + * + * Determines the length of the amount of data Lib SRTP will add to the + * packet during the protect process. The length is returned in the length + * parameter + * + * returns err_status_ok on success, err_status_bad_mki if the MKI index is + * invalid + * + */ +srtp_err_status_t srtp_get_protect_rtcp_trailer_length(srtp_t session, + uint32_t use_mki, + uint32_t mki_index, + uint32_t *length); + +/** + * @brief srtp_set_stream_roc(session, ssrc, roc) + * + * Set the roll-over-counter on a session for a given SSRC + * + * returns err_status_ok on success, srtp_err_status_bad_param if there is no + * stream found + * + */ +srtp_err_status_t srtp_set_stream_roc(srtp_t session, + uint32_t ssrc, + uint32_t roc); + +/** + * @brief srtp_get_stream_roc(session, ssrc, roc) + * + * Get the roll-over-counter on a session for a given SSRC + * + * returns err_status_ok on success, srtp_err_status_bad_param if there is no + * stream found + * + */ +srtp_err_status_t srtp_get_stream_roc(srtp_t session, + uint32_t ssrc, + uint32_t *roc); + +/** + * @} + */ + +/* in host order, so outside the #if */ +#define SRTCP_E_BIT 0x80000000 + +/* for byte-access */ +#define SRTCP_E_BYTE_BIT 0x80 +#define SRTCP_INDEX_MASK 0x7fffffff + +#ifdef __cplusplus +} +#endif + +#endif /* SRTP_SRTP_H */ diff --git a/netwerk/srtp/src/include/srtp_priv.h b/netwerk/srtp/src/include/srtp_priv.h new file mode 100644 index 0000000000..988efc4164 --- /dev/null +++ b/netwerk/srtp/src/include/srtp_priv.h @@ -0,0 +1,280 @@ +/* + * srtp_priv.h + * + * private internal data structures and functions for libSRTP + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef SRTP_PRIV_H +#define SRTP_PRIV_H + +// Leave this as the top level import. Ensures the existence of defines +#include "config.h" + +#include "srtp.h" +#include "rdbx.h" +#include "rdb.h" +#include "integers.h" +#include "cipher.h" +#include "auth.h" +#include "aes.h" +#include "key.h" +#include "crypto_kernel.h" + +#ifdef __cplusplus +extern "C" { +#endif + +#define SRTP_VER_STRING PACKAGE_STRING +#define SRTP_VERSION PACKAGE_VERSION + +typedef struct srtp_stream_ctx_t_ srtp_stream_ctx_t; +typedef srtp_stream_ctx_t *srtp_stream_t; + +/* + * the following declarations are libSRTP internal functions + */ + +/* + * srtp_get_stream(ssrc) returns a pointer to the stream corresponding + * to ssrc, or NULL if no stream exists for that ssrc + */ +srtp_stream_t srtp_get_stream(srtp_t srtp, uint32_t ssrc); + +/* + * srtp_stream_init_keys(s, k) (re)initializes the srtp_stream_t s by + * deriving all of the needed keys using the KDF and the key k. + */ +srtp_err_status_t srtp_stream_init_keys(srtp_stream_ctx_t *srtp, + srtp_master_key_t *master_key, + const unsigned int current_mki_index); + +/* + * srtp_stream_init_all_master_keys(s, k, m) (re)initializes the srtp_stream_t s + * by deriving all of the needed keys for all the master keys using the KDF and + * the keys from k. + */ +srtp_err_status_t srtp_steam_init_all_master_keys( + srtp_stream_ctx_t *srtp, + unsigned char *key, + srtp_master_key_t **keys, + const unsigned int max_master_keys); + +/* + * srtp_stream_init(s, p) initializes the srtp_stream_t s to + * use the policy at the location p + */ +srtp_err_status_t srtp_stream_init(srtp_stream_t srtp, const srtp_policy_t *p); + +/* + * libsrtp internal datatypes + */ +typedef enum direction_t { + dir_unknown = 0, + dir_srtp_sender = 1, + dir_srtp_receiver = 2 +} direction_t; + +/* + * srtp_session_keys_t will contain the encryption, hmac, salt keys + * for both SRTP and SRTCP. The session keys will also contain the + * MKI ID which is used to identify the session keys. + */ +typedef struct srtp_session_keys_t { + srtp_cipher_t *rtp_cipher; + srtp_cipher_t *rtp_xtn_hdr_cipher; + srtp_auth_t *rtp_auth; + srtp_cipher_t *rtcp_cipher; + srtp_auth_t *rtcp_auth; + uint8_t salt[SRTP_AEAD_SALT_LEN]; + uint8_t c_salt[SRTP_AEAD_SALT_LEN]; + uint8_t *mki_id; + unsigned int mki_size; + srtp_key_limit_ctx_t *limit; +} srtp_session_keys_t; + +/* + * an srtp_stream_t has its own SSRC, encryption key, authentication + * key, sequence number, and replay database + * + * note that the keys might not actually be unique, in which case the + * srtp_cipher_t and srtp_auth_t pointers will point to the same structures + */ +typedef struct srtp_stream_ctx_t_ { + uint32_t ssrc; + srtp_session_keys_t *session_keys; + unsigned int num_master_keys; + srtp_rdbx_t rtp_rdbx; + srtp_sec_serv_t rtp_services; + srtp_rdb_t rtcp_rdb; + srtp_sec_serv_t rtcp_services; + direction_t direction; + int allow_repeat_tx; + srtp_ekt_stream_t ekt; + int *enc_xtn_hdr; + int enc_xtn_hdr_count; + uint32_t pending_roc; + struct srtp_stream_ctx_t_ *next; /* linked list of streams */ +} strp_stream_ctx_t_; + +/* + * an srtp_ctx_t holds a stream list and a service description + */ +typedef struct srtp_ctx_t_ { + struct srtp_stream_ctx_t_ *stream_list; /* linked list of streams */ + struct srtp_stream_ctx_t_ *stream_template; /* act as template for other */ + /* streams */ + void *user_data; /* user custom data */ +} srtp_ctx_t_; + +/* + * srtp_hdr_t represents an RTP or SRTP header. The bit-fields in + * this structure should be declared "unsigned int" instead of + * "unsigned char", but doing so causes the MS compiler to not + * fully pack the bit fields. + * + * In this implementation, an srtp_hdr_t is assumed to be 32-bit aligned + * + * (note that this definition follows that of RFC 1889 Appendix A, but + * is not identical) + */ + +#ifndef WORDS_BIGENDIAN + +typedef struct { + unsigned char cc : 4; /* CSRC count */ + unsigned char x : 1; /* header extension flag */ + unsigned char p : 1; /* padding flag */ + unsigned char version : 2; /* protocol version */ + unsigned char pt : 7; /* payload type */ + unsigned char m : 1; /* marker bit */ + uint16_t seq; /* sequence number */ + uint32_t ts; /* timestamp */ + uint32_t ssrc; /* synchronization source */ +} srtp_hdr_t; + +#else /* BIG_ENDIAN */ + +typedef struct { + unsigned char version : 2; /* protocol version */ + unsigned char p : 1; /* padding flag */ + unsigned char x : 1; /* header extension flag */ + unsigned char cc : 4; /* CSRC count */ + unsigned char m : 1; /* marker bit */ + unsigned char pt : 7; /* payload type */ + uint16_t seq; /* sequence number */ + uint32_t ts; /* timestamp */ + uint32_t ssrc; /* synchronization source */ +} srtp_hdr_t; + +#endif + +typedef struct { + uint16_t profile_specific; /* profile-specific info */ + uint16_t length; /* number of 32-bit words in extension */ +} srtp_hdr_xtnd_t; + +/* + * srtcp_hdr_t represents a secure rtcp header + * + * in this implementation, an srtcp header is assumed to be 32-bit + * alinged + */ + +#ifndef WORDS_BIGENDIAN + +typedef struct { + unsigned char rc : 5; /* reception report count */ + unsigned char p : 1; /* padding flag */ + unsigned char version : 2; /* protocol version */ + unsigned char pt : 8; /* payload type */ + uint16_t len; /* length */ + uint32_t ssrc; /* synchronization source */ +} srtcp_hdr_t; + +typedef struct { + unsigned int index : 31; /* srtcp packet index in network order! */ + unsigned int e : 1; /* encrypted? 1=yes */ + /* optional mikey/etc go here */ + /* and then the variable-length auth tag */ +} srtcp_trailer_t; + +#else /* BIG_ENDIAN */ + +typedef struct { + unsigned char version : 2; /* protocol version */ + unsigned char p : 1; /* padding flag */ + unsigned char rc : 5; /* reception report count */ + unsigned char pt : 8; /* payload type */ + uint16_t len; /* length */ + uint32_t ssrc; /* synchronization source */ +} srtcp_hdr_t; + +typedef struct { + unsigned int e : 1; /* encrypted? 1=yes */ + unsigned int index : 31; /* srtcp packet index */ + /* optional mikey/etc go here */ + /* and then the variable-length auth tag */ +} srtcp_trailer_t; + +#endif + +/* + * srtp_handle_event(srtp, srtm, evnt) calls the event handling + * function, if there is one. + * + * This macro is not included in the documentation as it is + * an internal-only function. + */ + +#define srtp_handle_event(srtp, strm, evnt) \ + if (srtp_event_handler) { \ + srtp_event_data_t data; \ + data.session = srtp; \ + data.ssrc = ntohl(strm->ssrc); \ + data.event = evnt; \ + srtp_event_handler(&data); \ + } + +#ifdef __cplusplus +} +#endif + +#endif /* SRTP_PRIV_H */ diff --git a/netwerk/srtp/src/include/ut_sim.h b/netwerk/srtp/src/include/ut_sim.h new file mode 100644 index 0000000000..e678b5fdf7 --- /dev/null +++ b/netwerk/srtp/src/include/ut_sim.h @@ -0,0 +1,83 @@ +/* + * ut-sim.h + * + * an unreliable transport simulator + * (for testing replay databases and suchlike) + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef UT_SIM_H +#define UT_SIM_H + +#include "integers.h" /* for uint32_t */ + +#ifdef __cplusplus +extern "C" { +#endif + +#define UT_BUF 160 /* maximum amount of packet reorder */ + +typedef struct { + uint32_t index; + uint32_t buffer[UT_BUF]; +} ut_connection; + +/* + * ut_init(&u) initializes the ut_connection + * + * this function should always be the first one called on a new + * ut_connection + */ + +void ut_init(ut_connection *utc); + +/* + * ut_next_index(&u) returns the next index from the simulated + * unreliable connection + */ + +uint32_t ut_next_index(ut_connection *utc); + +#ifdef __cplusplus +} +#endif + +#endif /* UT_SIM_H */ diff --git a/netwerk/srtp/src/moz.build b/netwerk/srtp/src/moz.build new file mode 100644 index 0000000000..a2e5a6d3e5 --- /dev/null +++ b/netwerk/srtp/src/moz.build @@ -0,0 +1,76 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +UNIFIED_SOURCES += [ + 'crypto/cipher/aes_gcm_nss.c', + 'crypto/cipher/aes_icm_nss.c', + 'crypto/cipher/cipher.c', + 'crypto/cipher/null_cipher.c', + 'crypto/hash/auth.c', + 'crypto/hash/hmac.c', + 'crypto/hash/null_auth.c', + 'crypto/hash/sha1.c', + 'crypto/kernel/alloc.c', + 'crypto/kernel/crypto_kernel.c', + 'crypto/kernel/err.c', + 'crypto/kernel/key.c', + 'crypto/math/datatypes.c', + 'crypto/math/stat.c', + 'crypto/replay/rdb.c', + 'crypto/replay/rdbx.c', + 'crypto/replay/ut_sim.c', + 'srtp/ekt.c', + 'srtp/srtp.c', +] + +Library('nksrtp_s') + +include('/ipc/chromium/chromium-config.mozbuild') + +FINAL_LIBRARY = 'xul' + +LOCAL_INCLUDES += [ + 'crypto/include', + 'include', +] + +DEFINES['PACKAGE_STRING'] = '"libsrtp2 2.2.0-pre"' +DEFINES['PACKAGE_VERSION'] = '"2.2.0-pre"' + +# This is needed to enable the be32_to_cpu and be64_to_cpu +# macro's in datatypes.h +DEFINES['HAVE_CONFIG_H'] = 1 + +# We know stdint.h will define uint8/16/32/64_t, so we don't need +# to define SIZEOF_UNSIGNED_LONG/SIZEOF_UNSIGNED_LONG_LONG +for var in ('HAVE_STDLIB_H', 'HAVE_UINT8_T', 'HAVE_UINT16_T', + 'HAVE_INT32_T', 'HAVE_UINT32_T', 'HAVE_UINT64_T'): + DEFINES[var] = 1 + +# Enable AES-GCM cipher suite in libsrtp +DEFINES['GCM'] = 1 +# Let libsrtp use NSS instead of build-in crypto +DEFINES['NSS'] = 1 + +# XXX while arm is not a CISC architecture, the code guarded by CPU_RISC makes +# (at least) the AES ciphers fail their self-tests on ARM, so for now we're +# falling back to the (presumably) slower-on-this-architecture but working +# code path. https://bugzilla.mozilla.org/show_bug.cgi?id=822380 has been filed +# to make the right and more performant fix and push it back upstream. +if CONFIG['CPU_ARCH'] in ('arm', 'x86', 'x86_64', 'mips', 'mips64'): + DEFINES['CPU_CISC'] = 1 +else: + # best guess + DEFINES['CPU_RISC'] = 1 + +if CONFIG['CPU_ARCH'] in ('x86', 'x86_64'): + DEFINES['HAVE_X86'] = True + +if CONFIG['OS_TARGET'] == 'WINNT': + DEFINES['HAVE_WINSOCK2_H'] = True + DEFINES['inline'] = '__inline' +else: + DEFINES['HAVE_NETINET_IN_H'] = 1 diff --git a/netwerk/srtp/src/srtp/ekt.c b/netwerk/srtp/src/srtp/ekt.c new file mode 100644 index 0000000000..f09dc58580 --- /dev/null +++ b/netwerk/srtp/src/srtp/ekt.c @@ -0,0 +1,281 @@ +/* + * ekt.c + * + * Encrypted Key Transport for SRTP + * + * David McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include "srtp_priv.h" +#include "err.h" +#include "ekt.h" + +extern srtp_debug_module_t mod_srtp; + +/* + * The EKT Authentication Tag format. + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * : Base Authentication Tag : + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * : Encrypted Master Key : + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Rollover Counter | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Initial Sequence Number | Security Parameter Index | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * + */ + +#define EKT_OCTETS_AFTER_BASE_TAG 24 +#define EKT_OCTETS_AFTER_EMK 8 +#define EKT_OCTETS_AFTER_ROC 4 +#define EKT_SPI_LEN 2 + +unsigned srtp_ekt_octets_after_base_tag(srtp_ekt_stream_t ekt) +{ + /* + * if the pointer ekt is NULL, then EKT is not in effect, so we + * indicate this by returning zero + */ + if (!ekt) + return 0; + + switch (ekt->data->ekt_cipher_type) { + case SRTP_EKT_CIPHER_AES_128_ECB: + return 16 + EKT_OCTETS_AFTER_EMK; + break; + default: + break; + } + return 0; +} + +static inline srtp_ekt_spi_t srtcp_packet_get_ekt_spi( + const uint8_t *packet_start, + unsigned pkt_octet_len) +{ + const uint8_t *spi_location; + + spi_location = packet_start + (pkt_octet_len - EKT_SPI_LEN); + + return *((const srtp_ekt_spi_t *)spi_location); +} + +static inline uint32_t srtcp_packet_get_ekt_roc(const uint8_t *packet_start, + unsigned pkt_octet_len) +{ + const uint8_t *roc_location; + + roc_location = packet_start + (pkt_octet_len - EKT_OCTETS_AFTER_ROC); + + return *((const uint32_t *)roc_location); +} + +static inline const uint8_t *srtcp_packet_get_emk_location( + const uint8_t *packet_start, + unsigned pkt_octet_len) +{ + const uint8_t *location; + + location = packet_start + (pkt_octet_len - EKT_OCTETS_AFTER_BASE_TAG); + + return location; +} + +srtp_err_status_t srtp_ekt_alloc(srtp_ekt_stream_t *stream_data, + srtp_ekt_policy_t policy) +{ + /* + * if the policy pointer is NULL, then EKT is not in use + * so we just set the EKT stream data pointer to NULL + */ + if (!policy) { + *stream_data = NULL; + return srtp_err_status_ok; + } + + /* TODO */ + *stream_data = NULL; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_ekt_stream_init_from_policy( + srtp_ekt_stream_t stream_data, + srtp_ekt_policy_t policy) +{ + if (!stream_data) + return srtp_err_status_ok; + + return srtp_err_status_ok; +} + +void aes_decrypt_with_raw_key(void *ciphertext, const void *key, int key_len) +{ +#ifndef GCM + // FIXME: need to get this working through the crypto module interface + srtp_aes_expanded_key_t expanded_key; + + srtp_aes_expand_decryption_key(key, key_len, &expanded_key); + srtp_aes_decrypt(ciphertext, &expanded_key); +#endif +} + +/* + * The function srtp_stream_init_from_ekt() initializes a stream using + * the EKT data from an SRTCP trailer. + */ + +srtp_err_status_t srtp_stream_init_from_ekt(srtp_stream_t stream, + const void *srtcp_hdr, + unsigned pkt_octet_len) +{ + srtp_err_status_t err; + const uint8_t *master_key; + srtp_policy_t srtp_policy; + uint32_t roc; + + /* + * NOTE: at present, we only support a single ekt_policy at a time. + */ + if (stream->ekt->data->spi != + srtcp_packet_get_ekt_spi(srtcp_hdr, pkt_octet_len)) + return srtp_err_status_no_ctx; + + if (stream->ekt->data->ekt_cipher_type != SRTP_EKT_CIPHER_AES_128_ECB) + return srtp_err_status_bad_param; + + /* decrypt the Encrypted Master Key field */ + master_key = srtcp_packet_get_emk_location(srtcp_hdr, pkt_octet_len); + /* FIX!? This decrypts the master key in-place, and never uses it */ + /* FIX!? It's also passing to ekt_dec_key (which is an aes_expanded_key_t) + * to a function which expects a raw (unexpanded) key */ + aes_decrypt_with_raw_key((void *)master_key, + &stream->ekt->data->ekt_dec_key, 16); + + /* set the SRTP ROC */ + roc = srtcp_packet_get_ekt_roc(srtcp_hdr, pkt_octet_len); + err = srtp_rdbx_set_roc(&stream->rtp_rdbx, roc); + if (err) + return err; + + err = srtp_stream_init(stream, &srtp_policy); + if (err) + return err; + + return srtp_err_status_ok; +} + +void srtp_ekt_write_data(srtp_ekt_stream_t ekt, + uint8_t *base_tag, + unsigned base_tag_len, + int *packet_len, + srtp_xtd_seq_num_t pkt_index) +{ + uint32_t roc; + uint16_t isn; + unsigned emk_len; + uint8_t *packet; + + /* if the pointer ekt is NULL, then EKT is not in effect */ + if (!ekt) { + debug_print(mod_srtp, "EKT not in use", NULL); + return; + } + + /* write zeros into the location of the base tag */ + octet_string_set_to_zero(base_tag, base_tag_len); + packet = base_tag + base_tag_len; + + /* copy encrypted master key into packet */ + emk_len = srtp_ekt_octets_after_base_tag(ekt); + memcpy(packet, ekt->encrypted_master_key, emk_len); + debug_print(mod_srtp, "writing EKT EMK: %s,", + srtp_octet_string_hex_string(packet, emk_len)); + packet += emk_len; + + /* copy ROC into packet */ + roc = (uint32_t)(pkt_index >> 16); + *((uint32_t *)packet) = be32_to_cpu(roc); + debug_print(mod_srtp, "writing EKT ROC: %s,", + srtp_octet_string_hex_string(packet, sizeof(roc))); + packet += sizeof(roc); + + /* copy ISN into packet */ + isn = (uint16_t)pkt_index; + *((uint16_t *)packet) = htons(isn); + debug_print(mod_srtp, "writing EKT ISN: %s,", + srtp_octet_string_hex_string(packet, sizeof(isn))); + packet += sizeof(isn); + + /* copy SPI into packet */ + *((uint16_t *)packet) = htons(ekt->data->spi); + debug_print(mod_srtp, "writing EKT SPI: %s,", + srtp_octet_string_hex_string(packet, sizeof(ekt->data->spi))); + + /* increase packet length appropriately */ + *packet_len += EKT_OCTETS_AFTER_EMK + emk_len; +} + +/* + * The function call srtcp_ekt_trailer(ekt, auth_len, auth_tag ) + * + * If the pointer ekt is NULL, then the other inputs are unaffected. + * + * auth_tag is a pointer to the pointer to the location of the + * authentication tag in the packet. If EKT is in effect, then the + * auth_tag pointer is set to the location + */ + +void srtcp_ekt_trailer(srtp_ekt_stream_t ekt, + unsigned *auth_len, + void **auth_tag, + void *tag_copy) +{ + /* + * if there is no EKT policy, then the other inputs are unaffected + */ + if (!ekt) + return; + + /* copy auth_tag into temporary location */ +} diff --git a/netwerk/srtp/src/srtp/srtp.c b/netwerk/srtp/src/srtp/srtp.c new file mode 100644 index 0000000000..5d9da7b2ec --- /dev/null +++ b/netwerk/srtp/src/srtp/srtp.c @@ -0,0 +1,4730 @@ +/* + * srtp.c + * + * the secure real-time transport protocol + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +// Leave this as the top level import. Ensures the existence of defines +#include "config.h" + +#include "srtp_priv.h" +#include "crypto_types.h" +#include "err.h" +#include "ekt.h" /* for SRTP Encrypted Key Transport */ +#include "alloc.h" /* for srtp_crypto_alloc() */ + +#ifdef GCM +#include "aes_gcm.h" /* for AES GCM mode */ +#endif + +#ifdef OPENSSL_KDF +#include <openssl/kdf.h> +#include "aes_icm_ext.h" +#endif + +#include <limits.h> +#ifdef HAVE_NETINET_IN_H +#include <netinet/in.h> +#elif defined(HAVE_WINSOCK2_H) +#include <winsock2.h> +#endif + +/* the debug module for srtp */ +srtp_debug_module_t mod_srtp = { + 0, /* debugging is off by default */ + "srtp" /* printable name for module */ +}; + +#define octets_in_rtp_header 12 +#define uint32s_in_rtp_header 3 +#define octets_in_rtcp_header 8 +#define uint32s_in_rtcp_header 2 +#define octets_in_rtp_extn_hdr 4 + +static srtp_err_status_t srtp_validate_rtp_header(void *rtp_hdr, + int *pkt_octet_len) +{ + if (*pkt_octet_len < octets_in_rtp_header) + return srtp_err_status_bad_param; + + srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; + + /* Check RTP header length */ + int rtp_header_len = octets_in_rtp_header + 4 * hdr->cc; + if (hdr->x == 1) + rtp_header_len += octets_in_rtp_extn_hdr; + + if (*pkt_octet_len < rtp_header_len) + return srtp_err_status_bad_param; + + /* Verifing profile length. */ + if (hdr->x == 1) { + srtp_hdr_xtnd_t *xtn_hdr = + (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header + + hdr->cc); + int profile_len = ntohs(xtn_hdr->length); + rtp_header_len += profile_len * 4; + /* profile length counts the number of 32-bit words */ + if (*pkt_octet_len < rtp_header_len) + return srtp_err_status_bad_param; + } + return srtp_err_status_ok; +} + +const char *srtp_get_version_string() +{ + /* + * Simply return the autotools generated string + */ + return SRTP_VER_STRING; +} + +unsigned int srtp_get_version() +{ + unsigned int major = 0, minor = 0, micro = 0; + unsigned int rv = 0; + int parse_rv; + + /* + * Parse the autotools generated version + */ + parse_rv = sscanf(SRTP_VERSION, "%u.%u.%u", &major, &minor, µ); + if (parse_rv != 3) { + /* + * We're expected to parse all 3 version levels. + * If not, then this must not be an official release. + * Return all zeros on the version + */ + return (0); + } + + /* + * We allow 8 bits for the major and minor, while + * allowing 16 bits for the micro. 16 bits for the micro + * may be beneficial for a continuous delivery model + * in the future. + */ + rv |= (major & 0xFF) << 24; + rv |= (minor & 0xFF) << 16; + rv |= micro & 0xFF; + return rv; +} + +srtp_err_status_t srtp_stream_dealloc(srtp_stream_ctx_t *stream, + const srtp_stream_ctx_t *stream_template) +{ + srtp_err_status_t status; + unsigned int i = 0; + srtp_session_keys_t *session_keys = NULL; + srtp_session_keys_t *template_session_keys = NULL; + + /* + * we use a conservative deallocation strategy - if any deallocation + * fails, then we report that fact without trying to deallocate + * anything else + */ + if (stream->session_keys) { + for (i = 0; i < stream->num_master_keys; i++) { + session_keys = &stream->session_keys[i]; + + if (stream_template && + stream->num_master_keys == stream_template->num_master_keys) { + template_session_keys = &stream_template->session_keys[i]; + } else { + template_session_keys = NULL; + } + + /* + * deallocate cipher, if it is not the same as that in template + */ + if (template_session_keys && + session_keys->rtp_cipher == template_session_keys->rtp_cipher) { + /* do nothing */ + } else if (session_keys->rtp_cipher) { + status = srtp_cipher_dealloc(session_keys->rtp_cipher); + if (status) + return status; + } + + /* + * deallocate auth function, if it is not the same as that in + * template + */ + if (template_session_keys && + session_keys->rtp_auth == template_session_keys->rtp_auth) { + /* do nothing */ + } else if (session_keys->rtp_auth) { + status = srtp_auth_dealloc(session_keys->rtp_auth); + if (status) + return status; + } + + if (template_session_keys && + session_keys->rtp_xtn_hdr_cipher == + template_session_keys->rtp_xtn_hdr_cipher) { + /* do nothing */ + } else if (session_keys->rtp_xtn_hdr_cipher) { + status = srtp_cipher_dealloc(session_keys->rtp_xtn_hdr_cipher); + if (status) + return status; + } + + /* + * deallocate rtcp cipher, if it is not the same as that in + * template + */ + if (template_session_keys && + session_keys->rtcp_cipher == + template_session_keys->rtcp_cipher) { + /* do nothing */ + } else if (session_keys->rtcp_cipher) { + status = srtp_cipher_dealloc(session_keys->rtcp_cipher); + if (status) + return status; + } + + /* + * deallocate rtcp auth function, if it is not the same as that in + * template + */ + if (template_session_keys && + session_keys->rtcp_auth == template_session_keys->rtcp_auth) { + /* do nothing */ + } else if (session_keys->rtcp_auth) { + status = srtp_auth_dealloc(session_keys->rtcp_auth); + if (status) + return status; + } + + /* + * zeroize the salt value + */ + octet_string_set_to_zero(session_keys->salt, SRTP_AEAD_SALT_LEN); + octet_string_set_to_zero(session_keys->c_salt, SRTP_AEAD_SALT_LEN); + + if (session_keys->mki_id) { + octet_string_set_to_zero(session_keys->mki_id, + session_keys->mki_size); + srtp_crypto_free(session_keys->mki_id); + session_keys->mki_id = NULL; + } + + /* + * deallocate key usage limit, if it is not the same as that in + * template + */ + if (template_session_keys && + session_keys->limit == template_session_keys->limit) { + /* do nothing */ + } else if (session_keys->limit) { + srtp_crypto_free(session_keys->limit); + } + } + srtp_crypto_free(stream->session_keys); + } + + status = srtp_rdbx_dealloc(&stream->rtp_rdbx); + if (status) + return status; + + /* DAM - need to deallocate EKT here */ + + if (stream_template && + stream->enc_xtn_hdr == stream_template->enc_xtn_hdr) { + /* do nothing */ + } else if (stream->enc_xtn_hdr) { + srtp_crypto_free(stream->enc_xtn_hdr); + } + + /* deallocate srtp stream context */ + srtp_crypto_free(stream); + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_stream_alloc(srtp_stream_ctx_t **str_ptr, + const srtp_policy_t *p) +{ + srtp_stream_ctx_t *str; + srtp_err_status_t stat; + unsigned int i = 0; + srtp_session_keys_t *session_keys = NULL; + + /* + * This function allocates the stream context, rtp and rtcp ciphers + * and auth functions, and key limit structure. If there is a + * failure during allocation, we free all previously allocated + * memory and return a failure code. The code could probably + * be improved, but it works and should be clear. + */ + + /* allocate srtp stream and set str_ptr */ + str = (srtp_stream_ctx_t *)srtp_crypto_alloc(sizeof(srtp_stream_ctx_t)); + if (str == NULL) + return srtp_err_status_alloc_fail; + + *str_ptr = str; + + /* + *To keep backwards API compatible if someone is using multiple master + * keys then key should be set to NULL + */ + if (p->key != NULL) { + str->num_master_keys = 1; + } else { + str->num_master_keys = p->num_master_keys; + } + + str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc( + sizeof(srtp_session_keys_t) * str->num_master_keys); + + if (str->session_keys == NULL) { + srtp_stream_dealloc(str, NULL); + return srtp_err_status_alloc_fail; + } + + for (i = 0; i < str->num_master_keys; i++) { + session_keys = &str->session_keys[i]; + + /* allocate cipher */ + stat = srtp_crypto_kernel_alloc_cipher( + p->rtp.cipher_type, &session_keys->rtp_cipher, + p->rtp.cipher_key_len, p->rtp.auth_tag_len); + if (stat) { + srtp_stream_dealloc(str, NULL); + return stat; + } + + /* allocate auth function */ + stat = srtp_crypto_kernel_alloc_auth( + p->rtp.auth_type, &session_keys->rtp_auth, p->rtp.auth_key_len, + p->rtp.auth_tag_len); + if (stat) { + srtp_stream_dealloc(str, NULL); + return stat; + } + + /* + * ...and now the RTCP-specific initialization - first, allocate + * the cipher + */ + stat = srtp_crypto_kernel_alloc_cipher( + p->rtcp.cipher_type, &session_keys->rtcp_cipher, + p->rtcp.cipher_key_len, p->rtcp.auth_tag_len); + if (stat) { + srtp_stream_dealloc(str, NULL); + return stat; + } + + /* allocate auth function */ + stat = srtp_crypto_kernel_alloc_auth( + p->rtcp.auth_type, &session_keys->rtcp_auth, p->rtcp.auth_key_len, + p->rtcp.auth_tag_len); + if (stat) { + srtp_stream_dealloc(str, NULL); + return stat; + } + + session_keys->mki_id = NULL; + + /* allocate key limit structure */ + session_keys->limit = (srtp_key_limit_ctx_t *)srtp_crypto_alloc( + sizeof(srtp_key_limit_ctx_t)); + if (session_keys->limit == NULL) { + srtp_stream_dealloc(str, NULL); + return srtp_err_status_alloc_fail; + } + } + + /* allocate ekt data associated with stream */ + stat = srtp_ekt_alloc(&str->ekt, p->ekt); + if (stat) { + srtp_stream_dealloc(str, NULL); + return stat; + } + + if (p->enc_xtn_hdr && p->enc_xtn_hdr_count > 0) { + srtp_cipher_type_id_t enc_xtn_hdr_cipher_type; + int enc_xtn_hdr_cipher_key_len; + + str->enc_xtn_hdr = (int *)srtp_crypto_alloc(p->enc_xtn_hdr_count * + sizeof(p->enc_xtn_hdr[0])); + if (!str->enc_xtn_hdr) { + srtp_stream_dealloc(str, NULL); + return srtp_err_status_alloc_fail; + } + memcpy(str->enc_xtn_hdr, p->enc_xtn_hdr, + p->enc_xtn_hdr_count * sizeof(p->enc_xtn_hdr[0])); + str->enc_xtn_hdr_count = p->enc_xtn_hdr_count; + + /* + * For GCM ciphers, the corresponding ICM cipher is used for header + * extensions encryption. + */ + switch (p->rtp.cipher_type) { + case SRTP_AES_GCM_128: + enc_xtn_hdr_cipher_type = SRTP_AES_ICM_128; + enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT; + break; + case SRTP_AES_GCM_256: + enc_xtn_hdr_cipher_type = SRTP_AES_ICM_256; + enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; + break; + default: + enc_xtn_hdr_cipher_type = p->rtp.cipher_type; + enc_xtn_hdr_cipher_key_len = p->rtp.cipher_key_len; + break; + } + + for (i = 0; i < str->num_master_keys; i++) { + session_keys = &str->session_keys[i]; + + /* allocate cipher for extensions header encryption */ + stat = srtp_crypto_kernel_alloc_cipher( + enc_xtn_hdr_cipher_type, &session_keys->rtp_xtn_hdr_cipher, + enc_xtn_hdr_cipher_key_len, 0); + if (stat) { + srtp_stream_dealloc(str, NULL); + return stat; + } + } + } else { + for (i = 0; i < str->num_master_keys; i++) { + session_keys = &str->session_keys[i]; + session_keys->rtp_xtn_hdr_cipher = NULL; + } + + str->enc_xtn_hdr = NULL; + str->enc_xtn_hdr_count = 0; + } + + return srtp_err_status_ok; +} + +/* + * srtp_stream_clone(stream_template, new) allocates a new stream and + * initializes it using the cipher and auth of the stream_template + * + * the only unique data in a cloned stream is the replay database and + * the SSRC + */ + +srtp_err_status_t srtp_stream_clone(const srtp_stream_ctx_t *stream_template, + uint32_t ssrc, + srtp_stream_ctx_t **str_ptr) +{ + srtp_err_status_t status; + srtp_stream_ctx_t *str; + unsigned int i = 0; + srtp_session_keys_t *session_keys = NULL; + const srtp_session_keys_t *template_session_keys = NULL; + + debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ntohl(ssrc)); + + /* allocate srtp stream and set str_ptr */ + str = (srtp_stream_ctx_t *)srtp_crypto_alloc(sizeof(srtp_stream_ctx_t)); + if (str == NULL) + return srtp_err_status_alloc_fail; + *str_ptr = str; + + str->num_master_keys = stream_template->num_master_keys; + str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc( + sizeof(srtp_session_keys_t) * str->num_master_keys); + + if (str->session_keys == NULL) { + srtp_stream_dealloc(*str_ptr, stream_template); + *str_ptr = NULL; + return srtp_err_status_alloc_fail; + } + + for (i = 0; i < stream_template->num_master_keys; i++) { + session_keys = &str->session_keys[i]; + template_session_keys = &stream_template->session_keys[i]; + + /* set cipher and auth pointers to those of the template */ + session_keys->rtp_cipher = template_session_keys->rtp_cipher; + session_keys->rtp_auth = template_session_keys->rtp_auth; + session_keys->rtp_xtn_hdr_cipher = + template_session_keys->rtp_xtn_hdr_cipher; + session_keys->rtcp_cipher = template_session_keys->rtcp_cipher; + session_keys->rtcp_auth = template_session_keys->rtcp_auth; + session_keys->mki_size = template_session_keys->mki_size; + + if (template_session_keys->mki_size == 0) { + session_keys->mki_id = NULL; + } else { + session_keys->mki_id = + srtp_crypto_alloc(template_session_keys->mki_size); + + if (session_keys->mki_id == NULL) { + srtp_stream_dealloc(*str_ptr, stream_template); + *str_ptr = NULL; + return srtp_err_status_init_fail; + } + memcpy(session_keys->mki_id, template_session_keys->mki_id, + session_keys->mki_size); + } + /* Copy the salt values */ + memcpy(session_keys->salt, template_session_keys->salt, + SRTP_AEAD_SALT_LEN); + memcpy(session_keys->c_salt, template_session_keys->c_salt, + SRTP_AEAD_SALT_LEN); + + /* set key limit to point to that of the template */ + status = srtp_key_limit_clone(template_session_keys->limit, + &session_keys->limit); + if (status) { + srtp_stream_dealloc(*str_ptr, stream_template); + *str_ptr = NULL; + return status; + } + } + + /* initialize replay databases */ + status = srtp_rdbx_init( + &str->rtp_rdbx, srtp_rdbx_get_window_size(&stream_template->rtp_rdbx)); + if (status) { + srtp_stream_dealloc(*str_ptr, stream_template); + *str_ptr = NULL; + return status; + } + srtp_rdb_init(&str->rtcp_rdb); + str->allow_repeat_tx = stream_template->allow_repeat_tx; + + /* set ssrc to that provided */ + str->ssrc = ssrc; + + /* reset pending ROC */ + str->pending_roc = 0; + + /* set direction and security services */ + str->direction = stream_template->direction; + str->rtp_services = stream_template->rtp_services; + str->rtcp_services = stream_template->rtcp_services; + + /* set pointer to EKT data associated with stream */ + str->ekt = stream_template->ekt; + + /* copy information about extensions header encryption */ + str->enc_xtn_hdr = stream_template->enc_xtn_hdr; + str->enc_xtn_hdr_count = stream_template->enc_xtn_hdr_count; + + /* defensive coding */ + str->next = NULL; + return srtp_err_status_ok; +} + +/* + * key derivation functions, internal to libSRTP + * + * srtp_kdf_t is a key derivation context + * + * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher + * described by cipher_id, with the master key k with length in octets keylen. + * + * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key + * corresponding to label l and puts it into kl; the length + * of the key in octets is provided as keylen. this function + * should be called once for each subkey that is derived. + * + * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state + */ + +typedef enum { + label_rtp_encryption = 0x00, + label_rtp_msg_auth = 0x01, + label_rtp_salt = 0x02, + label_rtcp_encryption = 0x03, + label_rtcp_msg_auth = 0x04, + label_rtcp_salt = 0x05, + label_rtp_header_encryption = 0x06, + label_rtp_header_salt = 0x07 +} srtp_prf_label; + +#define MAX_SRTP_KEY_LEN 256 + +#if defined(OPENSSL) && defined(OPENSSL_KDF) +#define MAX_SRTP_AESKEY_LEN 32 +#define MAX_SRTP_SALT_LEN 14 + +/* + * srtp_kdf_t represents a key derivation function. The SRTP + * default KDF is the only one implemented at present. + */ +typedef struct { + uint8_t master_key[MAX_SRTP_AESKEY_LEN]; + uint8_t master_salt[MAX_SRTP_SALT_LEN]; + const EVP_CIPHER *evp; +} srtp_kdf_t; + +static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, + const uint8_t *key, + int key_len, + int salt_len) +{ + memset(kdf, 0x0, sizeof(srtp_kdf_t)); + + /* The NULL cipher has zero key length */ + if (key_len == 0) + return srtp_err_status_ok; + + if ((key_len > MAX_SRTP_AESKEY_LEN) || (salt_len > MAX_SRTP_SALT_LEN)) { + return srtp_err_status_bad_param; + } + switch (key_len) { + case SRTP_AES_256_KEYSIZE: + kdf->evp = EVP_aes_256_ctr(); + break; + case SRTP_AES_192_KEYSIZE: + kdf->evp = EVP_aes_192_ctr(); + break; + case SRTP_AES_128_KEYSIZE: + kdf->evp = EVP_aes_128_ctr(); + break; + default: + return srtp_err_status_bad_param; + break; + } + memcpy(kdf->master_key, key, key_len); + memcpy(kdf->master_salt, key + key_len, salt_len); + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, + srtp_prf_label label, + uint8_t *key, + unsigned int length) +{ + int ret; + + /* The NULL cipher will not have an EVP */ + if (!kdf->evp) + return srtp_err_status_ok; + octet_string_set_to_zero(key, length); + + /* + * Invoke the OpenSSL SRTP KDF function + * This is useful if OpenSSL is in FIPS mode and FIP + * compliance is required for SRTP. + */ + ret = kdf_srtp(kdf->evp, (char *)&kdf->master_key, + (char *)&kdf->master_salt, NULL, NULL, label, (char *)key); + if (ret == -1) { + return (srtp_err_status_algo_fail); + } + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf) +{ + octet_string_set_to_zero(kdf->master_key, MAX_SRTP_AESKEY_LEN); + octet_string_set_to_zero(kdf->master_salt, MAX_SRTP_SALT_LEN); + kdf->evp = NULL; + + return srtp_err_status_ok; +} + +#else /* if OPENSSL_KDF */ + +/* + * srtp_kdf_t represents a key derivation function. The SRTP + * default KDF is the only one implemented at present. + */ +typedef struct { + srtp_cipher_t *cipher; /* cipher used for key derivation */ +} srtp_kdf_t; + +static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, + const uint8_t *key, + int key_len) +{ + srtp_cipher_type_id_t cipher_id; + switch (key_len) { + case SRTP_AES_ICM_256_KEY_LEN_WSALT: + cipher_id = SRTP_AES_ICM_256; + break; + case SRTP_AES_ICM_192_KEY_LEN_WSALT: + cipher_id = SRTP_AES_ICM_192; + break; + case SRTP_AES_ICM_128_KEY_LEN_WSALT: + cipher_id = SRTP_AES_ICM_128; + break; + default: + return srtp_err_status_bad_param; + break; + } + + srtp_err_status_t stat; + stat = srtp_crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, key_len, 0); + if (stat) + return stat; + + stat = srtp_cipher_init(kdf->cipher, key); + if (stat) { + srtp_cipher_dealloc(kdf->cipher); + return stat; + } + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, + srtp_prf_label label, + uint8_t *key, + unsigned int length) +{ + srtp_err_status_t status; + v128_t nonce; + + /* set eigth octet of nonce to <label>, set the rest of it to zero */ + v128_set_to_zero(&nonce); + nonce.v8[7] = label; + + status = srtp_cipher_set_iv(kdf->cipher, (uint8_t *)&nonce, + srtp_direction_encrypt); + if (status) + return status; + + /* generate keystream output */ + octet_string_set_to_zero(key, length); + status = srtp_cipher_encrypt(kdf->cipher, key, &length); + if (status) + return status; + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf) +{ + srtp_err_status_t status; + status = srtp_cipher_dealloc(kdf->cipher); + if (status) + return status; + kdf->cipher = NULL; + return srtp_err_status_ok; +} +#endif /* else OPENSSL_KDF */ + +/* + * end of key derivation functions + */ + +/* Get the base key length corresponding to a given combined key+salt + * length for the given cipher. + * TODO: key and salt lengths should be separate fields in the policy. */ +static inline int base_key_length(const srtp_cipher_type_t *cipher, + int key_length) +{ + switch (cipher->id) { + case SRTP_AES_ICM_128: + case SRTP_AES_ICM_192: + case SRTP_AES_ICM_256: + /* The legacy modes are derived from + * the configured key length on the policy */ + return key_length - SRTP_SALT_LEN; + break; + case SRTP_AES_GCM_128: + return key_length - SRTP_AEAD_SALT_LEN; + break; + case SRTP_AES_GCM_256: + return key_length - SRTP_AEAD_SALT_LEN; + break; + default: + return key_length; + break; + } +} + +unsigned int srtp_validate_policy_master_keys(const srtp_policy_t *policy) +{ + unsigned long i = 0; + + if (policy->key == NULL) { + if (policy->num_master_keys <= 0) + return 0; + + if (policy->num_master_keys > SRTP_MAX_NUM_MASTER_KEYS) + return 0; + + for (i = 0; i < policy->num_master_keys; i++) { + if (policy->keys[i]->key == NULL) + return 0; + if (policy->keys[i]->mki_size > SRTP_MAX_MKI_LEN) + return 0; + } + } + + return 1; +} + +srtp_session_keys_t *srtp_get_session_keys_with_mki_index( + srtp_stream_ctx_t *stream, + unsigned int use_mki, + unsigned int mki_index) +{ + if (use_mki) { + if (mki_index >= stream->num_master_keys) { + return NULL; + } + return &stream->session_keys[mki_index]; + } + + return &stream->session_keys[0]; +} + +unsigned int srtp_inject_mki(uint8_t *mki_tag_location, + srtp_session_keys_t *session_keys, + unsigned int use_mki) +{ + unsigned int mki_size = 0; + + if (use_mki) { + mki_size = session_keys->mki_size; + + if (mki_size != 0) { + // Write MKI into memory + memcpy(mki_tag_location, session_keys->mki_id, mki_size); + } + } + + return mki_size; +} + +srtp_err_status_t srtp_stream_init_all_master_keys( + srtp_stream_ctx_t *srtp, + unsigned char *key, + srtp_master_key_t **keys, + const unsigned int max_master_keys) +{ + unsigned int i = 0; + srtp_err_status_t status = srtp_err_status_ok; + srtp_master_key_t single_master_key; + + if (key != NULL) { + srtp->num_master_keys = 1; + single_master_key.key = key; + single_master_key.mki_id = NULL; + single_master_key.mki_size = 0; + status = srtp_stream_init_keys(srtp, &single_master_key, 0); + } else { + srtp->num_master_keys = max_master_keys; + + for (i = 0; i < srtp->num_master_keys && i < SRTP_MAX_NUM_MASTER_KEYS; + i++) { + status = srtp_stream_init_keys(srtp, keys[i], i); + + if (status) { + return status; + } + } + } + + return status; +} + +srtp_err_status_t srtp_stream_init_keys(srtp_stream_ctx_t *srtp, + srtp_master_key_t *master_key, + const unsigned int current_mki_index) +{ + srtp_err_status_t stat; + srtp_kdf_t kdf; + uint8_t tmp_key[MAX_SRTP_KEY_LEN]; + int kdf_keylen = 30, rtp_keylen, rtcp_keylen; + int rtp_base_key_len, rtp_salt_len; + int rtcp_base_key_len, rtcp_salt_len; + srtp_session_keys_t *session_keys = NULL; + unsigned char *key = master_key->key; + + /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */ + /* TODO: kdf algorithm, master key length, and master salt length should + * be part of srtp_policy_t. + */ + session_keys = &srtp->session_keys[current_mki_index]; + +/* initialize key limit to maximum value */ +#ifdef NO_64BIT_MATH + { + uint64_t temp; + temp = make64(UINT_MAX, UINT_MAX); + srtp_key_limit_set(session_keys->limit, temp); + } +#else + srtp_key_limit_set(session_keys->limit, 0xffffffffffffLL); +#endif + + if (master_key->mki_size != 0) { + session_keys->mki_id = srtp_crypto_alloc(master_key->mki_size); + + if (session_keys->mki_id == NULL) { + return srtp_err_status_init_fail; + } + memcpy(session_keys->mki_id, master_key->mki_id, master_key->mki_size); + } else { + session_keys->mki_id = NULL; + } + + session_keys->mki_size = master_key->mki_size; + + rtp_keylen = srtp_cipher_get_key_length(session_keys->rtp_cipher); + rtcp_keylen = srtp_cipher_get_key_length(session_keys->rtcp_cipher); + rtp_base_key_len = + base_key_length(session_keys->rtp_cipher->type, rtp_keylen); + rtp_salt_len = rtp_keylen - rtp_base_key_len; + + if (rtp_keylen > kdf_keylen) { + kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ + } + + if (rtcp_keylen > kdf_keylen) { + kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ + } + + debug_print(mod_srtp, "srtp key len: %d", rtp_keylen); + debug_print(mod_srtp, "srtcp key len: %d", rtcp_keylen); + debug_print(mod_srtp, "base key len: %d", rtp_base_key_len); + debug_print(mod_srtp, "kdf key len: %d", kdf_keylen); + debug_print(mod_srtp, "rtp salt len: %d", rtp_salt_len); + + /* + * Make sure the key given to us is 'zero' appended. GCM + * mode uses a shorter master SALT (96 bits), but still relies on + * the legacy CTR mode KDF, which uses a 112 bit master SALT. + */ + memset(tmp_key, 0x0, MAX_SRTP_KEY_LEN); + memcpy(tmp_key, key, (rtp_base_key_len + rtp_salt_len)); + +/* initialize KDF state */ +#if defined(OPENSSL) && defined(OPENSSL_KDF) + stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, rtp_base_key_len, + rtp_salt_len); +#else + stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, kdf_keylen); +#endif + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + + /* generate encryption key */ + stat = srtp_kdf_generate(&kdf, label_rtp_encryption, tmp_key, + rtp_base_key_len); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + debug_print(mod_srtp, "cipher key: %s", + srtp_octet_string_hex_string(tmp_key, rtp_base_key_len)); + + /* + * if the cipher in the srtp context uses a salt, then we need + * to generate the salt value + */ + if (rtp_salt_len > 0) { + debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL); + + /* generate encryption salt, put after encryption key */ + stat = srtp_kdf_generate(&kdf, label_rtp_salt, + tmp_key + rtp_base_key_len, rtp_salt_len); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + memcpy(session_keys->salt, tmp_key + rtp_base_key_len, + SRTP_AEAD_SALT_LEN); + } + if (rtp_salt_len > 0) { + debug_print(mod_srtp, "cipher salt: %s", + srtp_octet_string_hex_string(tmp_key + rtp_base_key_len, + rtp_salt_len)); + } + + /* initialize cipher */ + stat = srtp_cipher_init(session_keys->rtp_cipher, tmp_key); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + + if (session_keys->rtp_xtn_hdr_cipher) { + /* generate extensions header encryption key */ + int rtp_xtn_hdr_keylen; + int rtp_xtn_hdr_base_key_len; + int rtp_xtn_hdr_salt_len; + srtp_kdf_t tmp_kdf; + srtp_kdf_t *xtn_hdr_kdf; + + if (session_keys->rtp_xtn_hdr_cipher->type != + session_keys->rtp_cipher->type) { + /* + * With GCM ciphers, the header extensions are still encrypted using + * the corresponding ICM cipher. + * See https://tools.ietf.org/html/rfc7714#section-8.3 + */ + uint8_t tmp_xtn_hdr_key[MAX_SRTP_KEY_LEN]; + rtp_xtn_hdr_keylen = + srtp_cipher_get_key_length(session_keys->rtp_xtn_hdr_cipher); + rtp_xtn_hdr_base_key_len = base_key_length( + session_keys->rtp_xtn_hdr_cipher->type, rtp_xtn_hdr_keylen); + rtp_xtn_hdr_salt_len = + rtp_xtn_hdr_keylen - rtp_xtn_hdr_base_key_len; + if (rtp_xtn_hdr_salt_len > rtp_salt_len) { + switch (session_keys->rtp_cipher->type->id) { + case SRTP_AES_GCM_128: + case SRTP_AES_GCM_256: + /* + * The shorter GCM salt is padded to the required ICM salt + * length. + */ + rtp_xtn_hdr_salt_len = rtp_salt_len; + break; + default: + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_bad_param; + } + } + memset(tmp_xtn_hdr_key, 0x0, MAX_SRTP_KEY_LEN); + memcpy(tmp_xtn_hdr_key, key, + (rtp_xtn_hdr_base_key_len + rtp_xtn_hdr_salt_len)); + xtn_hdr_kdf = &tmp_kdf; + +/* initialize KDF state */ +#if defined(OPENSSL) && defined(OPENSSL_KDF) + stat = + srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key, + rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_salt_len); +#else + stat = srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key, + kdf_keylen); +#endif + octet_string_set_to_zero(tmp_xtn_hdr_key, MAX_SRTP_KEY_LEN); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + } else { + /* Reuse main KDF. */ + rtp_xtn_hdr_keylen = rtp_keylen; + rtp_xtn_hdr_base_key_len = rtp_base_key_len; + rtp_xtn_hdr_salt_len = rtp_salt_len; + xtn_hdr_kdf = &kdf; + } + + stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_encryption, + tmp_key, rtp_xtn_hdr_base_key_len); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + debug_print( + mod_srtp, "extensions cipher key: %s", + srtp_octet_string_hex_string(tmp_key, rtp_xtn_hdr_base_key_len)); + + /* + * if the cipher in the srtp context uses a salt, then we need + * to generate the salt value + */ + if (rtp_xtn_hdr_salt_len > 0) { + debug_print(mod_srtp, + "found rtp_xtn_hdr_salt_len > 0, generating salt", + NULL); + + /* generate encryption salt, put after encryption key */ + stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_salt, + tmp_key + rtp_xtn_hdr_base_key_len, + rtp_xtn_hdr_salt_len); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + } + if (rtp_xtn_hdr_salt_len > 0) { + debug_print( + mod_srtp, "extensions cipher salt: %s", + srtp_octet_string_hex_string(tmp_key + rtp_xtn_hdr_base_key_len, + rtp_xtn_hdr_salt_len)); + } + + /* initialize extensions header cipher */ + stat = srtp_cipher_init(session_keys->rtp_xtn_hdr_cipher, tmp_key); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + + if (xtn_hdr_kdf != &kdf) { + /* release memory for custom header extension encryption kdf */ + stat = srtp_kdf_clear(xtn_hdr_kdf); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + } + } + + /* generate authentication key */ + stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth, tmp_key, + srtp_auth_get_key_length(session_keys->rtp_auth)); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + debug_print(mod_srtp, "auth key: %s", + srtp_octet_string_hex_string( + tmp_key, srtp_auth_get_key_length(session_keys->rtp_auth))); + + /* initialize auth function */ + stat = srtp_auth_init(session_keys->rtp_auth, tmp_key); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + + /* + * ...now initialize SRTCP keys + */ + + rtcp_base_key_len = + base_key_length(session_keys->rtcp_cipher->type, rtcp_keylen); + rtcp_salt_len = rtcp_keylen - rtcp_base_key_len; + debug_print(mod_srtp, "rtcp salt len: %d", rtcp_salt_len); + + /* generate encryption key */ + stat = srtp_kdf_generate(&kdf, label_rtcp_encryption, tmp_key, + rtcp_base_key_len); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + + /* + * if the cipher in the srtp context uses a salt, then we need + * to generate the salt value + */ + if (rtcp_salt_len > 0) { + debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt", + NULL); + + /* generate encryption salt, put after encryption key */ + stat = srtp_kdf_generate(&kdf, label_rtcp_salt, + tmp_key + rtcp_base_key_len, rtcp_salt_len); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + memcpy(session_keys->c_salt, tmp_key + rtcp_base_key_len, + SRTP_AEAD_SALT_LEN); + } + debug_print(mod_srtp, "rtcp cipher key: %s", + srtp_octet_string_hex_string(tmp_key, rtcp_base_key_len)); + if (rtcp_salt_len > 0) { + debug_print(mod_srtp, "rtcp cipher salt: %s", + srtp_octet_string_hex_string(tmp_key + rtcp_base_key_len, + rtcp_salt_len)); + } + + /* initialize cipher */ + stat = srtp_cipher_init(session_keys->rtcp_cipher, tmp_key); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + + /* generate authentication key */ + stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth, tmp_key, + srtp_auth_get_key_length(session_keys->rtcp_auth)); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + + debug_print( + mod_srtp, "rtcp auth key: %s", + srtp_octet_string_hex_string( + tmp_key, srtp_auth_get_key_length(session_keys->rtcp_auth))); + + /* initialize auth function */ + stat = srtp_auth_init(session_keys->rtcp_auth, tmp_key); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + + /* clear memory then return */ + stat = srtp_kdf_clear(&kdf); + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + if (stat) + return srtp_err_status_init_fail; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_stream_init(srtp_stream_ctx_t *srtp, + const srtp_policy_t *p) +{ + srtp_err_status_t err; + + debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)", p->ssrc.value); + + /* initialize replay database */ + /* + * window size MUST be at least 64. MAY be larger. Values more than + * 2^15 aren't meaningful due to how extended sequence numbers are + * calculated. + * Let a window size of 0 imply the default value. + */ + + if (p->window_size != 0 && + (p->window_size < 64 || p->window_size >= 0x8000)) + return srtp_err_status_bad_param; + + if (p->window_size != 0) + err = srtp_rdbx_init(&srtp->rtp_rdbx, p->window_size); + else + err = srtp_rdbx_init(&srtp->rtp_rdbx, 128); + if (err) + return err; + + /* set the SSRC value */ + srtp->ssrc = htonl(p->ssrc.value); + + /* reset pending ROC */ + srtp->pending_roc = 0; + + /* set the security service flags */ + srtp->rtp_services = p->rtp.sec_serv; + srtp->rtcp_services = p->rtcp.sec_serv; + + /* + * set direction to unknown - this flag gets checked in srtp_protect(), + * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and + * gets set appropriately if it is set to unknown. + */ + srtp->direction = dir_unknown; + + /* initialize SRTCP replay database */ + srtp_rdb_init(&srtp->rtcp_rdb); + + /* initialize allow_repeat_tx */ + /* guard against uninitialized memory: allow only 0 or 1 here */ + if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) { + srtp_rdbx_dealloc(&srtp->rtp_rdbx); + return srtp_err_status_bad_param; + } + srtp->allow_repeat_tx = p->allow_repeat_tx; + + /* DAM - no RTCP key limit at present */ + + /* initialize keys */ + err = srtp_stream_init_all_master_keys(srtp, p->key, p->keys, + p->num_master_keys); + if (err) { + srtp_rdbx_dealloc(&srtp->rtp_rdbx); + return err; + } + + /* + * if EKT is in use, then initialize the EKT data associated with + * the stream + */ + err = srtp_ekt_stream_init_from_policy(srtp->ekt, p->ekt); + if (err) { + srtp_rdbx_dealloc(&srtp->rtp_rdbx); + return err; + } + + return srtp_err_status_ok; +} + +/* + * srtp_event_reporter is an event handler function that merely + * reports the events that are reported by the callbacks + */ + +void srtp_event_reporter(srtp_event_data_t *data) +{ + srtp_err_report(srtp_err_level_warning, "srtp: in stream 0x%x: ", + data->ssrc); + + switch (data->event) { + case event_ssrc_collision: + srtp_err_report(srtp_err_level_warning, "\tSSRC collision\n"); + break; + case event_key_soft_limit: + srtp_err_report(srtp_err_level_warning, + "\tkey usage soft limit reached\n"); + break; + case event_key_hard_limit: + srtp_err_report(srtp_err_level_warning, + "\tkey usage hard limit reached\n"); + break; + case event_packet_index_limit: + srtp_err_report(srtp_err_level_warning, + "\tpacket index limit reached\n"); + break; + default: + srtp_err_report(srtp_err_level_warning, + "\tunknown event reported to handler\n"); + } +} + +/* + * srtp_event_handler is a global variable holding a pointer to the + * event handler function; this function is called for any unexpected + * event that needs to be handled out of the SRTP data path. see + * srtp_event_t in srtp.h for more info + * + * it is okay to set srtp_event_handler to NULL, but we set + * it to the srtp_event_reporter. + */ + +static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter; + +srtp_err_status_t srtp_install_event_handler(srtp_event_handler_func_t func) +{ + /* + * note that we accept NULL arguments intentionally - calling this + * function with a NULL arguments removes an event handler that's + * been previously installed + */ + + /* set global event handling function */ + srtp_event_handler = func; + return srtp_err_status_ok; +} + +/* + * Check if the given extension header id is / should be encrypted. + * Returns 1 if yes, otherwise 0. + */ +static int srtp_protect_extension_header(srtp_stream_ctx_t *stream, int id) +{ + int *enc_xtn_hdr = stream->enc_xtn_hdr; + int count = stream->enc_xtn_hdr_count; + + if (!enc_xtn_hdr || count <= 0) { + return 0; + } + + while (count > 0) { + if (*enc_xtn_hdr == id) { + return 1; + } + + enc_xtn_hdr++; + count--; + } + return 0; +} + +/* + * extensions header encryption RFC 6904 + */ +static srtp_err_status_t srtp_process_header_encryption( + srtp_stream_ctx_t *stream, + srtp_hdr_xtnd_t *xtn_hdr, + srtp_session_keys_t *session_keys) +{ + srtp_err_status_t status; + uint8_t keystream[257]; /* Maximum 2 bytes header + 255 bytes data. */ + int keystream_pos; + uint8_t *xtn_hdr_data = ((uint8_t *)xtn_hdr) + octets_in_rtp_extn_hdr; + uint8_t *xtn_hdr_end = + xtn_hdr_data + (ntohs(xtn_hdr->length) * sizeof(uint32_t)); + + if (ntohs(xtn_hdr->profile_specific) == 0xbede) { + /* RFC 5285, section 4.2. One-Byte Header */ + while (xtn_hdr_data < xtn_hdr_end) { + uint8_t xid = (*xtn_hdr_data & 0xf0) >> 4; + unsigned int xlen = (*xtn_hdr_data & 0x0f) + 1; + uint32_t xlen_with_header = 1 + xlen; + xtn_hdr_data++; + + if (xtn_hdr_data + xlen > xtn_hdr_end) + return srtp_err_status_parse_err; + + if (xid == 15) { + /* found header 15, stop further processing. */ + break; + } + + status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher, + keystream, &xlen_with_header); + if (status) + return srtp_err_status_cipher_fail; + + if (srtp_protect_extension_header(stream, xid)) { + keystream_pos = 1; + while (xlen > 0) { + *xtn_hdr_data ^= keystream[keystream_pos++]; + xtn_hdr_data++; + xlen--; + } + } else { + xtn_hdr_data += xlen; + } + + /* skip padding bytes. */ + while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) { + xtn_hdr_data++; + } + } + } else if ((ntohs(xtn_hdr->profile_specific) & 0x1fff) == 0x100) { + /* RFC 5285, section 4.3. Two-Byte Header */ + while (xtn_hdr_data + 1 < xtn_hdr_end) { + uint8_t xid = *xtn_hdr_data; + unsigned int xlen = *(xtn_hdr_data + 1); + uint32_t xlen_with_header = 2 + xlen; + xtn_hdr_data += 2; + + if (xtn_hdr_data + xlen > xtn_hdr_end) + return srtp_err_status_parse_err; + + status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher, + keystream, &xlen_with_header); + if (status) + return srtp_err_status_cipher_fail; + + if (xlen > 0 && srtp_protect_extension_header(stream, xid)) { + keystream_pos = 2; + while (xlen > 0) { + *xtn_hdr_data ^= keystream[keystream_pos++]; + xtn_hdr_data++; + xlen--; + } + } else { + xtn_hdr_data += xlen; + } + + /* skip padding bytes. */ + while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) { + xtn_hdr_data++; + } + } + } else { + /* unsupported extension header format. */ + return srtp_err_status_parse_err; + } + + return srtp_err_status_ok; +} + +/* + * AEAD uses a new IV formation method. This function implements + * section 8.1. (SRTP IV Formation for AES-GCM) of RFC7714. + * The calculation is defined as, where (+) is the xor operation: + * + * + * 0 0 0 0 0 0 0 0 0 0 1 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 + * +--+--+--+--+--+--+--+--+--+--+--+--+ + * |00|00| SSRC | ROC | SEQ |---+ + * +--+--+--+--+--+--+--+--+--+--+--+--+ | + * | + * +--+--+--+--+--+--+--+--+--+--+--+--+ | + * | Encryption Salt |->(+) + * +--+--+--+--+--+--+--+--+--+--+--+--+ | + * | + * +--+--+--+--+--+--+--+--+--+--+--+--+ | + * | Initialization Vector |<--+ + * +--+--+--+--+--+--+--+--+--+--+--+--+* + * + * Input: *session_keys - pointer to SRTP stream context session keys, + * used to retrieve the SALT + * *iv - Pointer to receive the calculated IV + * *seq - The ROC and SEQ value to use for the + * IV calculation. + * *hdr - The RTP header, used to get the SSRC value + * + */ + +static void srtp_calc_aead_iv(srtp_session_keys_t *session_keys, + v128_t *iv, + srtp_xtd_seq_num_t *seq, + srtp_hdr_t *hdr) +{ + v128_t in; + v128_t salt; + +#ifdef NO_64BIT_MATH + uint32_t local_roc = ((high32(*seq) << 16) | (low32(*seq) >> 16)); + uint16_t local_seq = (uint16_t)(low32(*seq)); +#else + uint32_t local_roc = (uint32_t)(*seq >> 16); + uint16_t local_seq = (uint16_t)*seq; +#endif + + memset(&in, 0, sizeof(v128_t)); + memset(&salt, 0, sizeof(v128_t)); + + in.v16[5] = htons(local_seq); + local_roc = htonl(local_roc); + memcpy(&in.v16[3], &local_roc, sizeof(local_roc)); + + /* + * Copy in the RTP SSRC value + */ + memcpy(&in.v8[2], &hdr->ssrc, 4); + debug_print(mod_srtp, "Pre-salted RTP IV = %s\n", v128_hex_string(&in)); + + /* + * Get the SALT value from the context + */ + memcpy(salt.v8, session_keys->salt, SRTP_AEAD_SALT_LEN); + debug_print(mod_srtp, "RTP SALT = %s\n", v128_hex_string(&salt)); + + /* + * Finally, apply tyhe SALT to the input + */ + v128_xor(iv, &in, &salt); +} + +srtp_session_keys_t *srtp_get_session_keys(srtp_stream_ctx_t *stream, + uint8_t *hdr, + const unsigned int *pkt_octet_len, + unsigned int *mki_size) +{ + unsigned int base_mki_start_location = *pkt_octet_len; + unsigned int mki_start_location = 0; + unsigned int tag_len = 0; + unsigned int i = 0; + + // Determine the authentication tag size + if (stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_128 || + stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_256) { + tag_len = 0; + } else { + tag_len = srtp_auth_get_tag_length(stream->session_keys[0].rtp_auth); + } + + if (tag_len > base_mki_start_location) { + *mki_size = 0; + return NULL; + } + + base_mki_start_location -= tag_len; + + for (i = 0; i < stream->num_master_keys; i++) { + if (stream->session_keys[i].mki_size != 0 && + stream->session_keys[i].mki_size <= base_mki_start_location) { + *mki_size = stream->session_keys[i].mki_size; + mki_start_location = base_mki_start_location - *mki_size; + + if (memcmp(hdr + mki_start_location, stream->session_keys[i].mki_id, + *mki_size) == 0) { + return &stream->session_keys[i]; + } + } + } + + *mki_size = 0; + return NULL; +} + +static srtp_err_status_t srtp_estimate_index(srtp_rdbx_t *rdbx, + uint32_t roc, + srtp_xtd_seq_num_t *est, + srtp_sequence_number_t seq, + int *delta) +{ +#ifdef NO_64BIT_MATH + uint32_t internal_pkt_idx_reduced; + uint32_t external_pkt_idx_reduced; + uint32_t internal_roc; + uint32_t roc_difference; +#endif + +#ifdef NO_64BIT_MATH + *est = (srtp_xtd_seq_num_t)make64(roc >> 16, (roc << 16) | seq); + *delta = low32(est) - rdbx->index; +#else + *est = (srtp_xtd_seq_num_t)(((uint64_t)roc) << 16) | seq; + *delta = (int)(*est - rdbx->index); +#endif + + if (*est > rdbx->index) { +#ifdef NO_64BIT_MATH + internal_roc = (uint32_t)(rdbx->index >> 16); + roc_difference = roc - internal_roc; + if (roc_difference > 1) { + *delta = 0; + return srtp_err_status_pkt_idx_adv; + } + + internal_pkt_idx_reduced = (uint32_t)(rdbx->index & 0xFFFF); + external_pkt_idx_reduced = (uint32_t)((roc_difference << 16) | seq); + + if (external_pkt_idx_reduced - internal_pkt_idx_reduced > + seq_num_median) { + *delta = 0; + return srtp_err_status_pkt_idx_adv; + } +#else + if (*est - rdbx->index > seq_num_median) { + *delta = 0; + return srtp_err_status_pkt_idx_adv; + } +#endif + } else if (*est < rdbx->index) { +#ifdef NO_64BIT_MATH + + internal_roc = (uint32_t)(rdbx->index >> 16); + roc_difference = internal_roc - roc; + if (roc_difference > 1) { + *delta = 0; + return srtp_err_status_pkt_idx_adv; + } + + internal_pkt_idx_reduced = + (uint32_t)((roc_difference << 16) | rdbx->index & 0xFFFF); + external_pkt_idx_reduced = (uint32_t)(seq); + + if (internal_pkt_idx_reduced - external_pkt_idx_reduced > + seq_num_median) { + *delta = 0; + return srtp_err_status_pkt_idx_old; + } +#else + if (rdbx->index - *est > seq_num_median) { + *delta = 0; + return srtp_err_status_pkt_idx_old; + } +#endif + } + + return srtp_err_status_ok; +} + +static srtp_err_status_t srtp_get_est_pkt_index(srtp_hdr_t *hdr, + srtp_stream_ctx_t *stream, + srtp_xtd_seq_num_t *est, + int *delta) +{ + srtp_err_status_t result = srtp_err_status_ok; + + if (stream->pending_roc) { + result = srtp_estimate_index(&stream->rtp_rdbx, stream->pending_roc, + est, ntohs(hdr->seq), delta); + } else { + /* estimate packet index from seq. num. in header */ + *delta = + srtp_rdbx_estimate_index(&stream->rtp_rdbx, est, ntohs(hdr->seq)); + } + +#ifdef NO_64BIT_MATH + debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(*est), + low32(*est)); +#else + debug_print(mod_srtp, "estimated u_packet index: %016llx", *est); +#endif + return result; +} + +/* + * This function handles outgoing SRTP packets while in AEAD mode, + * which currently supports AES-GCM encryption. All packets are + * encrypted and authenticated. + */ +static srtp_err_status_t srtp_protect_aead(srtp_ctx_t *ctx, + srtp_stream_ctx_t *stream, + void *rtp_hdr, + unsigned int *pkt_octet_len, + srtp_session_keys_t *session_keys, + unsigned int use_mki) +{ + srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + int enc_octet_len = 0; /* number of octets in encrypted portion */ + srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ + int delta; /* delta of local pkt idx and that in hdr */ + srtp_err_status_t status; + uint32_t tag_len; + v128_t iv; + unsigned int aad_len; + srtp_hdr_xtnd_t *xtn_hdr = NULL; + unsigned int mki_size = 0; + uint8_t *mki_location = NULL; + + debug_print(mod_srtp, "function srtp_protect_aead", NULL); + + /* + * update the key usage limit, and check it to make sure that we + * didn't just hit either the soft limit or the hard limit, and call + * the event handler if we hit either. + */ + switch (srtp_key_limit_update(session_keys->limit)) { + case srtp_key_event_normal: + break; + case srtp_key_event_hard_limit: + srtp_handle_event(ctx, stream, event_key_hard_limit); + return srtp_err_status_key_expired; + case srtp_key_event_soft_limit: + default: + srtp_handle_event(ctx, stream, event_key_soft_limit); + break; + } + + /* get tag length from stream */ + tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); + + /* + * find starting point for encryption and length of data to be + * encrypted - the encrypted portion starts after the rtp header + * extension, if present; otherwise, it starts after the last csrc, + * if any are present + */ + enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; + if (hdr->x == 1) { + xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; + enc_start += (ntohs(xtn_hdr->length) + 1); + } + /* note: the passed size is without the auth tag */ + if (!((uint8_t *)enc_start <= (uint8_t *)hdr + *pkt_octet_len)) + return srtp_err_status_parse_err; + enc_octet_len = + (int)(*pkt_octet_len - ((uint8_t *)enc_start - (uint8_t *)hdr)); + if (enc_octet_len < 0) + return srtp_err_status_parse_err; + + /* + * estimate the packet index using the start of the replay window + * and the sequence number from the header + */ + delta = srtp_rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq)); + status = srtp_rdbx_check(&stream->rtp_rdbx, delta); + if (status) { + if (status != srtp_err_status_replay_fail || !stream->allow_repeat_tx) { + return status; /* we've been asked to reuse an index */ + } + } else { + srtp_rdbx_add_index(&stream->rtp_rdbx, delta); + } + +#ifdef NO_64BIT_MATH + debug_print2(mod_srtp, "estimated packet index: %08x%08x", high32(est), + low32(est)); +#else + debug_print(mod_srtp, "estimated packet index: %016llx", est); +#endif + + /* + * AEAD uses a new IV formation method + */ + srtp_calc_aead_iv(session_keys, &iv, &est, hdr); +/* shift est, put into network byte order */ +#ifdef NO_64BIT_MATH + est = be64_to_cpu( + make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); +#else + est = be64_to_cpu(est << 16); +#endif + + status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, + srtp_direction_encrypt); + if (!status && session_keys->rtp_xtn_hdr_cipher) { + iv.v32[0] = 0; + iv.v32[1] = hdr->ssrc; + iv.v64[1] = est; + status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, + (uint8_t *)&iv, srtp_direction_encrypt); + } + if (status) { + return srtp_err_status_cipher_fail; + } + + if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { + /* + * extensions header encryption RFC 6904 + */ + status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); + if (status) { + return status; + } + } + + /* + * Set the AAD over the RTP header + */ + aad_len = (uint8_t *)enc_start - (uint8_t *)hdr; + status = + srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t *)hdr, aad_len); + if (status) { + return (srtp_err_status_cipher_fail); + } + + /* Encrypt the payload */ + status = srtp_cipher_encrypt(session_keys->rtp_cipher, (uint8_t *)enc_start, + (unsigned int *)&enc_octet_len); + if (status) { + return srtp_err_status_cipher_fail; + } + /* + * If we're doing GCM, we need to get the tag + * and append that to the output + */ + status = + srtp_cipher_get_tag(session_keys->rtp_cipher, + (uint8_t *)enc_start + enc_octet_len, &tag_len); + if (status) { + return (srtp_err_status_cipher_fail); + } + + mki_location = (uint8_t *)hdr + *pkt_octet_len + tag_len; + mki_size = srtp_inject_mki(mki_location, session_keys, use_mki); + + /* increase the packet length by the length of the auth tag */ + *pkt_octet_len += tag_len; + + /* increase the packet length by the length of the mki_size */ + *pkt_octet_len += mki_size; + + return srtp_err_status_ok; +} + +/* + * This function handles incoming SRTP packets while in AEAD mode, + * which currently supports AES-GCM encryption. All packets are + * encrypted and authenticated. Note, the auth tag is at the end + * of the packet stream and is automatically checked by GCM + * when decrypting the payload. + */ +static srtp_err_status_t srtp_unprotect_aead(srtp_ctx_t *ctx, + srtp_stream_ctx_t *stream, + int delta, + srtp_xtd_seq_num_t est, + void *srtp_hdr, + unsigned int *pkt_octet_len, + srtp_session_keys_t *session_keys, + unsigned int mki_size) +{ + srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ + v128_t iv; + srtp_err_status_t status; + int tag_len; + unsigned int aad_len; + srtp_hdr_xtnd_t *xtn_hdr = NULL; + + debug_print(mod_srtp, "function srtp_unprotect_aead", NULL); + +#ifdef NO_64BIT_MATH + debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est), + low32(est)); +#else + debug_print(mod_srtp, "estimated u_packet index: %016llx", est); +#endif + + /* get tag length from stream */ + tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); + + /* + * AEAD uses a new IV formation method + */ + srtp_calc_aead_iv(session_keys, &iv, &est, hdr); + status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, + srtp_direction_decrypt); + if (!status && session_keys->rtp_xtn_hdr_cipher) { + iv.v32[0] = 0; + iv.v32[1] = hdr->ssrc; +#ifdef NO_64BIT_MATH + iv.v64[1] = be64_to_cpu( + make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); +#else + iv.v64[1] = be64_to_cpu(est << 16); +#endif + status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, + (uint8_t *)&iv, srtp_direction_encrypt); + } + if (status) { + return srtp_err_status_cipher_fail; + } + + /* + * find starting point for decryption and length of data to be + * decrypted - the encrypted portion starts after the rtp header + * extension, if present; otherwise, it starts after the last csrc, + * if any are present + */ + enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; + if (hdr->x == 1) { + xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; + enc_start += (ntohs(xtn_hdr->length) + 1); + } + if (!((uint8_t *)enc_start <= + (uint8_t *)hdr + (*pkt_octet_len - tag_len - mki_size))) + return srtp_err_status_parse_err; + /* + * We pass the tag down to the cipher when doing GCM mode + */ + enc_octet_len = (unsigned int)(*pkt_octet_len - mki_size - + ((uint8_t *)enc_start - (uint8_t *)hdr)); + + /* + * Sanity check the encrypted payload length against + * the tag size. It must always be at least as large + * as the tag length. + */ + if (enc_octet_len < (unsigned int)tag_len) { + return srtp_err_status_cipher_fail; + } + + /* + * update the key usage limit, and check it to make sure that we + * didn't just hit either the soft limit or the hard limit, and call + * the event handler if we hit either. + */ + switch (srtp_key_limit_update(session_keys->limit)) { + case srtp_key_event_normal: + break; + case srtp_key_event_soft_limit: + srtp_handle_event(ctx, stream, event_key_soft_limit); + break; + case srtp_key_event_hard_limit: + srtp_handle_event(ctx, stream, event_key_hard_limit); + return srtp_err_status_key_expired; + default: + break; + } + + /* + * Set the AAD for AES-GCM, which is the RTP header + */ + aad_len = (uint8_t *)enc_start - (uint8_t *)hdr; + status = + srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t *)hdr, aad_len); + if (status) { + return (srtp_err_status_cipher_fail); + } + + /* Decrypt the ciphertext. This also checks the auth tag based + * on the AAD we just specified above */ + status = srtp_cipher_decrypt(session_keys->rtp_cipher, (uint8_t *)enc_start, + &enc_octet_len); + if (status) { + return status; + } + + if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { + /* + * extensions header encryption RFC 6904 + */ + status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); + if (status) { + return status; + } + } + + /* + * verify that stream is for received traffic - this check will + * detect SSRC collisions, since a stream that appears in both + * srtp_protect() and srtp_unprotect() will fail this test in one of + * those functions. + * + * we do this check *after* the authentication check, so that the + * latter check will catch any attempts to fool us into thinking + * that we've got a collision + */ + if (stream->direction != dir_srtp_receiver) { + if (stream->direction == dir_unknown) { + stream->direction = dir_srtp_receiver; + } else { + srtp_handle_event(ctx, stream, event_ssrc_collision); + } + } + + /* + * if the stream is a 'provisional' one, in which the template context + * is used, then we need to allocate a new stream at this point, since + * the authentication passed + */ + if (stream == ctx->stream_template) { + srtp_stream_ctx_t *new_stream; + + /* + * allocate and initialize a new stream + * + * note that we indicate failure if we can't allocate the new + * stream, and some implementations will want to not return + * failure here + */ + status = + srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); + if (status) { + return status; + } + + /* add new stream to the head of the stream_list */ + new_stream->next = ctx->stream_list; + ctx->stream_list = new_stream; + + /* set stream (the pointer used in this function) */ + stream = new_stream; + } + + /* + * the message authentication function passed, so add the packet + * index into the replay database + */ + srtp_rdbx_add_index(&stream->rtp_rdbx, delta); + + /* decrease the packet length by the length of the auth tag */ + *pkt_octet_len -= tag_len; + + /* decrease the packet length by the length of the mki_size */ + *pkt_octet_len -= mki_size; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_protect(srtp_ctx_t *ctx, + void *rtp_hdr, + int *pkt_octet_len) +{ + return srtp_protect_mki(ctx, rtp_hdr, pkt_octet_len, 0, 0); +} + +srtp_err_status_t srtp_protect_mki(srtp_ctx_t *ctx, + void *rtp_hdr, + int *pkt_octet_len, + unsigned int use_mki, + unsigned int mki_index) +{ + srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + uint32_t *auth_start; /* pointer to start of auth. portion */ + int enc_octet_len = 0; /* number of octets in encrypted portion */ + srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ + int delta; /* delta of local pkt idx and that in hdr */ + uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ + srtp_err_status_t status; + int tag_len; + srtp_stream_ctx_t *stream; + uint32_t prefix_len; + srtp_hdr_xtnd_t *xtn_hdr = NULL; + unsigned int mki_size = 0; + srtp_session_keys_t *session_keys = NULL; + uint8_t *mki_location = NULL; + int advance_packet_index = 0; + + debug_print(mod_srtp, "function srtp_protect", NULL); + + /* we assume the hdr is 32-bit aligned to start */ + + /* Verify RTP header */ + status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len); + if (status) + return status; + + /* check the packet length - it must at least contain a full header */ + if (*pkt_octet_len < octets_in_rtp_header) + return srtp_err_status_bad_param; + + /* + * look up ssrc in srtp_stream list, and process the packet with + * the appropriate stream. if we haven't seen this stream before, + * there's a template key for this srtp_session, and the cipher + * supports key-sharing, then we assume that a new stream using + * that key has just started up + */ + stream = srtp_get_stream(ctx, hdr->ssrc); + if (stream == NULL) { + if (ctx->stream_template != NULL) { + srtp_stream_ctx_t *new_stream; + + /* allocate and initialize a new stream */ + status = + srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); + if (status) + return status; + + /* add new stream to the head of the stream_list */ + new_stream->next = ctx->stream_list; + ctx->stream_list = new_stream; + + /* set direction to outbound */ + new_stream->direction = dir_srtp_sender; + + /* set stream (the pointer used in this function) */ + stream = new_stream; + } else { + /* no template stream, so we return an error */ + return srtp_err_status_no_ctx; + } + } + + /* + * verify that stream is for sending traffic - this check will + * detect SSRC collisions, since a stream that appears in both + * srtp_protect() and srtp_unprotect() will fail this test in one of + * those functions. + */ + + if (stream->direction != dir_srtp_sender) { + if (stream->direction == dir_unknown) { + stream->direction = dir_srtp_sender; + } else { + srtp_handle_event(ctx, stream, event_ssrc_collision); + } + } + + session_keys = + srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index); + + if (session_keys == NULL) + return srtp_err_status_bad_mki; + + /* + * Check if this is an AEAD stream (GCM mode). If so, then dispatch + * the request to our AEAD handler. + */ + if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || + session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { + return srtp_protect_aead(ctx, stream, rtp_hdr, + (unsigned int *)pkt_octet_len, session_keys, + use_mki); + } + + /* + * update the key usage limit, and check it to make sure that we + * didn't just hit either the soft limit or the hard limit, and call + * the event handler if we hit either. + */ + switch (srtp_key_limit_update(session_keys->limit)) { + case srtp_key_event_normal: + break; + case srtp_key_event_soft_limit: + srtp_handle_event(ctx, stream, event_key_soft_limit); + break; + case srtp_key_event_hard_limit: + srtp_handle_event(ctx, stream, event_key_hard_limit); + return srtp_err_status_key_expired; + default: + break; + } + + /* get tag length from stream */ + tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); + + /* + * find starting point for encryption and length of data to be + * encrypted - the encrypted portion starts after the rtp header + * extension, if present; otherwise, it starts after the last csrc, + * if any are present + * + * if we're not providing confidentiality, set enc_start to NULL + */ + if (stream->rtp_services & sec_serv_conf) { + enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; + if (hdr->x == 1) { + xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; + enc_start += (ntohs(xtn_hdr->length) + 1); + } + /* note: the passed size is without the auth tag */ + if (!((uint8_t *)enc_start <= (uint8_t *)hdr + *pkt_octet_len)) + return srtp_err_status_parse_err; + enc_octet_len = + (int)(*pkt_octet_len - ((uint8_t *)enc_start - (uint8_t *)hdr)); + if (enc_octet_len < 0) + return srtp_err_status_parse_err; + } else { + enc_start = NULL; + } + + mki_location = (uint8_t *)hdr + *pkt_octet_len; + mki_size = srtp_inject_mki(mki_location, session_keys, use_mki); + + /* + * if we're providing authentication, set the auth_start and auth_tag + * pointers to the proper locations; otherwise, set auth_start to NULL + * to indicate that no authentication is needed + */ + if (stream->rtp_services & sec_serv_auth) { + auth_start = (uint32_t *)hdr; + auth_tag = (uint8_t *)hdr + *pkt_octet_len + mki_size; + } else { + auth_start = NULL; + auth_tag = NULL; + } + + /* + * estimate the packet index using the start of the replay window + * and the sequence number from the header + */ + status = srtp_get_est_pkt_index(hdr, stream, &est, &delta); + + if (status && (status != srtp_err_status_pkt_idx_adv)) + return status; + + if (status == srtp_err_status_pkt_idx_adv) + advance_packet_index = 1; + + if (advance_packet_index) { + srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, (uint32_t)(est >> 16), + (uint16_t)(est & 0xFFFF)); + stream->pending_roc = 0; + srtp_rdbx_add_index(&stream->rtp_rdbx, 0); + } else { + status = srtp_rdbx_check(&stream->rtp_rdbx, delta); + if (status) { + if (status != srtp_err_status_replay_fail || + !stream->allow_repeat_tx) + return status; /* we've been asked to reuse an index */ + } + srtp_rdbx_add_index(&stream->rtp_rdbx, delta); + } + +#ifdef NO_64BIT_MATH + debug_print2(mod_srtp, "estimated packet index: %08x%08x", high32(est), + low32(est)); +#else + debug_print(mod_srtp, "estimated packet index: %016llx", est); +#endif + + /* + * if we're using rindael counter mode, set nonce and seq + */ + if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 || + session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 || + session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) { + v128_t iv; + + iv.v32[0] = 0; + iv.v32[1] = hdr->ssrc; +#ifdef NO_64BIT_MATH + iv.v64[1] = be64_to_cpu( + make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); +#else + iv.v64[1] = be64_to_cpu(est << 16); +#endif + status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, + srtp_direction_encrypt); + if (!status && session_keys->rtp_xtn_hdr_cipher) { + status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, + (uint8_t *)&iv, srtp_direction_encrypt); + } + } else { + v128_t iv; + +/* otherwise, set the index to est */ +#ifdef NO_64BIT_MATH + iv.v32[0] = 0; + iv.v32[1] = 0; +#else + iv.v64[0] = 0; +#endif + iv.v64[1] = be64_to_cpu(est); + status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, + srtp_direction_encrypt); + if (!status && session_keys->rtp_xtn_hdr_cipher) { + status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, + (uint8_t *)&iv, srtp_direction_encrypt); + } + } + if (status) + return srtp_err_status_cipher_fail; + +/* shift est, put into network byte order */ +#ifdef NO_64BIT_MATH + est = be64_to_cpu( + make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); +#else + est = be64_to_cpu(est << 16); +#endif + + /* + * if we're authenticating using a universal hash, put the keystream + * prefix into the authentication tag + */ + if (auth_start) { + prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth); + if (prefix_len) { + status = srtp_cipher_output(session_keys->rtp_cipher, auth_tag, + &prefix_len); + if (status) + return srtp_err_status_cipher_fail; + debug_print(mod_srtp, "keystream prefix: %s", + srtp_octet_string_hex_string(auth_tag, prefix_len)); + } + } + + if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { + /* + * extensions header encryption RFC 6904 + */ + status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); + if (status) { + return status; + } + } + + /* if we're encrypting, exor keystream into the message */ + if (enc_start) { + status = + srtp_cipher_encrypt(session_keys->rtp_cipher, (uint8_t *)enc_start, + (unsigned int *)&enc_octet_len); + if (status) + return srtp_err_status_cipher_fail; + } + + /* + * if we're authenticating, run authentication function and put result + * into the auth_tag + */ + if (auth_start) { + /* initialize auth func context */ + status = srtp_auth_start(session_keys->rtp_auth); + if (status) + return status; + + /* run auth func over packet */ + status = srtp_auth_update(session_keys->rtp_auth, (uint8_t *)auth_start, + *pkt_octet_len); + if (status) + return status; + + /* run auth func over ROC, put result into auth_tag */ + debug_print(mod_srtp, "estimated packet index: %016llx", est); + status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4, + auth_tag); + debug_print(mod_srtp, "srtp auth tag: %s", + srtp_octet_string_hex_string(auth_tag, tag_len)); + if (status) + return srtp_err_status_auth_fail; + } + + if (auth_tag) { + /* increase the packet length by the length of the auth tag */ + *pkt_octet_len += tag_len; + } + + if (use_mki) { + /* increate the packet length by the mki size */ + *pkt_octet_len += mki_size; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_unprotect(srtp_ctx_t *ctx, + void *srtp_hdr, + int *pkt_octet_len) +{ + return srtp_unprotect_mki(ctx, srtp_hdr, pkt_octet_len, 0); +} + +srtp_err_status_t srtp_unprotect_mki(srtp_ctx_t *ctx, + void *srtp_hdr, + int *pkt_octet_len, + unsigned int use_mki) +{ + srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + uint32_t *auth_start; /* pointer to start of auth. portion */ + unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ + uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ + srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ + int delta; /* delta of local pkt idx and that in hdr */ + v128_t iv; + srtp_err_status_t status; + srtp_stream_ctx_t *stream; + uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; + uint32_t tag_len, prefix_len; + srtp_hdr_xtnd_t *xtn_hdr = NULL; + unsigned int mki_size = 0; + srtp_session_keys_t *session_keys = NULL; + int advance_packet_index = 0; + uint32_t roc_to_set = 0; + uint16_t seq_to_set = 0; + + debug_print(mod_srtp, "function srtp_unprotect", NULL); + + /* we assume the hdr is 32-bit aligned to start */ + + /* Verify RTP header */ + status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len); + if (status) + return status; + + /* check the packet length - it must at least contain a full header */ + if (*pkt_octet_len < octets_in_rtp_header) + return srtp_err_status_bad_param; + + /* + * look up ssrc in srtp_stream list, and process the packet with + * the appropriate stream. if we haven't seen this stream before, + * there's only one key for this srtp_session, and the cipher + * supports key-sharing, then we assume that a new stream using + * that key has just started up + */ + stream = srtp_get_stream(ctx, hdr->ssrc); + if (stream == NULL) { + if (ctx->stream_template != NULL) { + stream = ctx->stream_template; + debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)", + ntohl(hdr->ssrc)); + +/* + * set estimated packet index to sequence number from header, + * and set delta equal to the same value + */ +#ifdef NO_64BIT_MATH + est = (srtp_xtd_seq_num_t)make64(0, ntohs(hdr->seq)); + delta = low32(est); +#else + est = (srtp_xtd_seq_num_t)ntohs(hdr->seq); + delta = (int)est; +#endif + } else { + /* + * no stream corresponding to SSRC found, and we don't do + * key-sharing, so return an error + */ + return srtp_err_status_no_ctx; + } + } else { + status = srtp_get_est_pkt_index(hdr, stream, &est, &delta); + + if (status && (status != srtp_err_status_pkt_idx_adv)) + return status; + + if (status == srtp_err_status_pkt_idx_adv) { + advance_packet_index = 1; + roc_to_set = (uint32_t)(est >> 16); + seq_to_set = (uint16_t)(est & 0xFFFF); + } + + /* check replay database */ + if (!advance_packet_index) { + status = srtp_rdbx_check(&stream->rtp_rdbx, delta); + if (status) + return status; + } + } + +#ifdef NO_64BIT_MATH + debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est), + low32(est)); +#else + debug_print(mod_srtp, "estimated u_packet index: %016llx", est); +#endif + + /* Determine if MKI is being used and what session keys should be used */ + if (use_mki) { + session_keys = srtp_get_session_keys( + stream, (uint8_t *)hdr, (const unsigned int *)pkt_octet_len, + &mki_size); + + if (session_keys == NULL) + return srtp_err_status_bad_mki; + } else { + session_keys = &stream->session_keys[0]; + } + + /* + * Check if this is an AEAD stream (GCM mode). If so, then dispatch + * the request to our AEAD handler. + */ + if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || + session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { + return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr, + (unsigned int *)pkt_octet_len, session_keys, + mki_size); + } + + /* get tag length from stream */ + tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); + + /* + * set the cipher's IV properly, depending on whatever cipher we + * happen to be using + */ + if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 || + session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 || + session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) { + /* aes counter mode */ + iv.v32[0] = 0; + iv.v32[1] = hdr->ssrc; /* still in network order */ +#ifdef NO_64BIT_MATH + iv.v64[1] = be64_to_cpu( + make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); +#else + iv.v64[1] = be64_to_cpu(est << 16); +#endif + status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, + srtp_direction_decrypt); + if (!status && session_keys->rtp_xtn_hdr_cipher) { + status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, + (uint8_t *)&iv, srtp_direction_decrypt); + } + } else { +/* no particular format - set the iv to the pakcet index */ +#ifdef NO_64BIT_MATH + iv.v32[0] = 0; + iv.v32[1] = 0; +#else + iv.v64[0] = 0; +#endif + iv.v64[1] = be64_to_cpu(est); + status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, + srtp_direction_decrypt); + if (!status && session_keys->rtp_xtn_hdr_cipher) { + status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, + (uint8_t *)&iv, srtp_direction_decrypt); + } + } + if (status) + return srtp_err_status_cipher_fail; + +/* shift est, put into network byte order */ +#ifdef NO_64BIT_MATH + est = be64_to_cpu( + make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); +#else + est = be64_to_cpu(est << 16); +#endif + + /* + * find starting point for decryption and length of data to be + * decrypted - the encrypted portion starts after the rtp header + * extension, if present; otherwise, it starts after the last csrc, + * if any are present + * + * if we're not providing confidentiality, set enc_start to NULL + */ + if (stream->rtp_services & sec_serv_conf) { + enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; + if (hdr->x == 1) { + xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; + enc_start += (ntohs(xtn_hdr->length) + 1); + } + if (!((uint8_t *)enc_start <= + (uint8_t *)hdr + (*pkt_octet_len - tag_len - mki_size))) + return srtp_err_status_parse_err; + enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len - mki_size - + ((uint8_t *)enc_start - (uint8_t *)hdr)); + } else { + enc_start = NULL; + } + + /* + * if we're providing authentication, set the auth_start and auth_tag + * pointers to the proper locations; otherwise, set auth_start to NULL + * to indicate that no authentication is needed + */ + if (stream->rtp_services & sec_serv_auth) { + auth_start = (uint32_t *)hdr; + auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len; + } else { + auth_start = NULL; + auth_tag = NULL; + } + + /* + * if we expect message authentication, run the authentication + * function and compare the result with the value of the auth_tag + */ + if (auth_start) { + /* + * if we're using a universal hash, then we need to compute the + * keystream prefix for encrypting the universal hash output + * + * if the keystream prefix length is zero, then we know that + * the authenticator isn't using a universal hash function + */ + if (session_keys->rtp_auth->prefix_len != 0) { + prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth); + status = srtp_cipher_output(session_keys->rtp_cipher, tmp_tag, + &prefix_len); + debug_print(mod_srtp, "keystream prefix: %s", + srtp_octet_string_hex_string(tmp_tag, prefix_len)); + if (status) + return srtp_err_status_cipher_fail; + } + + /* initialize auth func context */ + status = srtp_auth_start(session_keys->rtp_auth); + if (status) + return status; + + /* now compute auth function over packet */ + status = srtp_auth_update(session_keys->rtp_auth, (uint8_t *)auth_start, + *pkt_octet_len - tag_len - mki_size); + + /* run auth func over ROC, then write tmp tag */ + status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4, + tmp_tag); + + debug_print(mod_srtp, "computed auth tag: %s", + srtp_octet_string_hex_string(tmp_tag, tag_len)); + debug_print(mod_srtp, "packet auth tag: %s", + srtp_octet_string_hex_string(auth_tag, tag_len)); + if (status) + return srtp_err_status_auth_fail; + + if (octet_string_is_eq(tmp_tag, auth_tag, tag_len)) + return srtp_err_status_auth_fail; + } + + /* + * update the key usage limit, and check it to make sure that we + * didn't just hit either the soft limit or the hard limit, and call + * the event handler if we hit either. + */ + switch (srtp_key_limit_update(session_keys->limit)) { + case srtp_key_event_normal: + break; + case srtp_key_event_soft_limit: + srtp_handle_event(ctx, stream, event_key_soft_limit); + break; + case srtp_key_event_hard_limit: + srtp_handle_event(ctx, stream, event_key_hard_limit); + return srtp_err_status_key_expired; + default: + break; + } + + if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { + /* extensions header encryption RFC 6904 */ + status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); + if (status) { + return status; + } + } + + /* if we're decrypting, add keystream into ciphertext */ + if (enc_start) { + status = srtp_cipher_decrypt(session_keys->rtp_cipher, + (uint8_t *)enc_start, &enc_octet_len); + if (status) + return srtp_err_status_cipher_fail; + } + + /* + * verify that stream is for received traffic - this check will + * detect SSRC collisions, since a stream that appears in both + * srtp_protect() and srtp_unprotect() will fail this test in one of + * those functions. + * + * we do this check *after* the authentication check, so that the + * latter check will catch any attempts to fool us into thinking + * that we've got a collision + */ + if (stream->direction != dir_srtp_receiver) { + if (stream->direction == dir_unknown) { + stream->direction = dir_srtp_receiver; + } else { + srtp_handle_event(ctx, stream, event_ssrc_collision); + } + } + + /* + * if the stream is a 'provisional' one, in which the template context + * is used, then we need to allocate a new stream at this point, since + * the authentication passed + */ + if (stream == ctx->stream_template) { + srtp_stream_ctx_t *new_stream; + + /* + * allocate and initialize a new stream + * + * note that we indicate failure if we can't allocate the new + * stream, and some implementations will want to not return + * failure here + */ + status = + srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); + if (status) + return status; + + /* add new stream to the head of the stream_list */ + new_stream->next = ctx->stream_list; + ctx->stream_list = new_stream; + + /* set stream (the pointer used in this function) */ + stream = new_stream; + } + + /* + * the message authentication function passed, so add the packet + * index into the replay database + */ + if (advance_packet_index) { + srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, roc_to_set, seq_to_set); + stream->pending_roc = 0; + srtp_rdbx_add_index(&stream->rtp_rdbx, 0); + } else { + srtp_rdbx_add_index(&stream->rtp_rdbx, delta); + } + + /* decrease the packet length by the length of the auth tag */ + *pkt_octet_len -= tag_len; + + /* decrease the packet length by the mki size */ + *pkt_octet_len -= mki_size; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_init() +{ + srtp_err_status_t status; + + /* initialize crypto kernel */ + status = srtp_crypto_kernel_init(); + if (status) + return status; + + /* load srtp debug module into the kernel */ + status = srtp_crypto_kernel_load_debug_module(&mod_srtp); + if (status) + return status; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_shutdown() +{ + srtp_err_status_t status; + + /* shut down crypto kernel */ + status = srtp_crypto_kernel_shutdown(); + if (status) + return status; + + /* shutting down crypto kernel frees the srtp debug module as well */ + + return srtp_err_status_ok; +} + +/* + * The following code is under consideration for removal. See + * SRTP_MAX_TRAILER_LEN + */ +#if 0 + +/* + * srtp_get_trailer_length(&a) returns the number of octets that will + * be added to an RTP packet by the SRTP processing. This value + * is constant for a given srtp_stream_t (i.e. between initializations). + */ + +int +srtp_get_trailer_length(const srtp_stream_t s) { + return srtp_auth_get_tag_length(s->rtp_auth); +} + +#endif + +/* + * srtp_get_stream(ssrc) returns a pointer to the stream corresponding + * to ssrc, or NULL if no stream exists for that ssrc + * + * this is an internal function + */ + +srtp_stream_ctx_t *srtp_get_stream(srtp_t srtp, uint32_t ssrc) +{ + srtp_stream_ctx_t *stream; + + /* walk down list until ssrc is found */ + stream = srtp->stream_list; + while (stream != NULL) { + if (stream->ssrc == ssrc) + return stream; + stream = stream->next; + } + + /* we haven't found our ssrc, so return a null */ + return NULL; +} + +srtp_err_status_t srtp_dealloc(srtp_t session) +{ + srtp_stream_ctx_t *stream; + srtp_err_status_t status; + + /* + * we take a conservative deallocation strategy - if we encounter an + * error deallocating a stream, then we stop trying to deallocate + * memory and just return an error + */ + + /* walk list of streams, deallocating as we go */ + stream = session->stream_list; + while (stream != NULL) { + srtp_stream_t next = stream->next; + status = srtp_stream_dealloc(stream, session->stream_template); + if (status) + return status; + stream = next; + } + + /* deallocate stream template, if there is one */ + if (session->stream_template != NULL) { + status = srtp_stream_dealloc(session->stream_template, NULL); + if (status) + return status; + } + + /* deallocate session context */ + srtp_crypto_free(session); + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_add_stream(srtp_t session, const srtp_policy_t *policy) +{ + srtp_err_status_t status; + srtp_stream_t tmp; + + /* sanity check arguments */ + if ((session == NULL) || (policy == NULL) || + (!srtp_validate_policy_master_keys(policy))) + return srtp_err_status_bad_param; + + /* allocate stream */ + status = srtp_stream_alloc(&tmp, policy); + if (status) { + return status; + } + + /* initialize stream */ + status = srtp_stream_init(tmp, policy); + if (status) { + srtp_stream_dealloc(tmp, NULL); + return status; + } + + /* + * set the head of the stream list or the template to point to the + * stream that we've just alloced and init'ed, depending on whether + * or not it has a wildcard SSRC value or not + * + * if the template stream has already been set, then the policy is + * inconsistent, so we return a bad_param error code + */ + switch (policy->ssrc.type) { + case (ssrc_any_outbound): + if (session->stream_template) { + srtp_stream_dealloc(tmp, NULL); + return srtp_err_status_bad_param; + } + session->stream_template = tmp; + session->stream_template->direction = dir_srtp_sender; + break; + case (ssrc_any_inbound): + if (session->stream_template) { + srtp_stream_dealloc(tmp, NULL); + return srtp_err_status_bad_param; + } + session->stream_template = tmp; + session->stream_template->direction = dir_srtp_receiver; + break; + case (ssrc_specific): + tmp->next = session->stream_list; + session->stream_list = tmp; + break; + case (ssrc_undefined): + default: + srtp_stream_dealloc(tmp, NULL); + return srtp_err_status_bad_param; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_create(srtp_t *session, /* handle for session */ + const srtp_policy_t *policy) +{ /* SRTP policy (list) */ + srtp_err_status_t stat; + srtp_ctx_t *ctx; + + /* sanity check arguments */ + if (session == NULL) + return srtp_err_status_bad_param; + + /* allocate srtp context and set ctx_ptr */ + ctx = (srtp_ctx_t *)srtp_crypto_alloc(sizeof(srtp_ctx_t)); + if (ctx == NULL) + return srtp_err_status_alloc_fail; + *session = ctx; + + /* + * loop over elements in the policy list, allocating and + * initializing a stream for each element + */ + ctx->stream_template = NULL; + ctx->stream_list = NULL; + ctx->user_data = NULL; + while (policy != NULL) { + stat = srtp_add_stream(ctx, policy); + if (stat) { + /* clean up everything */ + srtp_dealloc(*session); + *session = NULL; + return stat; + } + + /* set policy to next item in list */ + policy = policy->next; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_remove_stream(srtp_t session, uint32_t ssrc) +{ + srtp_stream_ctx_t *stream, *last_stream; + srtp_err_status_t status; + + /* sanity check arguments */ + if (session == NULL) + return srtp_err_status_bad_param; + + /* find stream in list; complain if not found */ + last_stream = stream = session->stream_list; + while ((stream != NULL) && (ssrc != stream->ssrc)) { + last_stream = stream; + stream = stream->next; + } + if (stream == NULL) + return srtp_err_status_no_ctx; + + /* remove stream from the list */ + if (last_stream == stream) + /* stream was first in list */ + session->stream_list = stream->next; + else + last_stream->next = stream->next; + + /* deallocate the stream */ + status = srtp_stream_dealloc(stream, session->stream_template); + if (status) + return status; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_update(srtp_t session, const srtp_policy_t *policy) +{ + srtp_err_status_t stat; + + /* sanity check arguments */ + if ((session == NULL) || (policy == NULL) || + (!srtp_validate_policy_master_keys(policy))) { + return srtp_err_status_bad_param; + } + + while (policy != NULL) { + stat = srtp_update_stream(session, policy); + if (stat) { + return stat; + } + + /* set policy to next item in list */ + policy = policy->next; + } + return srtp_err_status_ok; +} + +static srtp_err_status_t update_template_streams(srtp_t session, + const srtp_policy_t *policy) +{ + srtp_err_status_t status; + srtp_stream_t new_stream_template; + srtp_stream_t new_stream_list = NULL; + + if (session->stream_template == NULL) { + return srtp_err_status_bad_param; + } + + /* allocate new template stream */ + status = srtp_stream_alloc(&new_stream_template, policy); + if (status) { + return status; + } + + /* initialize new template stream */ + status = srtp_stream_init(new_stream_template, policy); + if (status) { + srtp_crypto_free(new_stream_template); + return status; + } + + /* for all old templated streams */ + for (;;) { + srtp_stream_t stream; + uint32_t ssrc; + srtp_xtd_seq_num_t old_index; + srtp_rdb_t old_rtcp_rdb; + + stream = session->stream_list; + while ((stream != NULL) && + (stream->session_keys[0].rtp_auth != + session->stream_template->session_keys[0].rtp_auth)) { + stream = stream->next; + } + if (stream == NULL) { + /* no more templated streams */ + break; + } + + /* save old extendard seq */ + ssrc = stream->ssrc; + old_index = stream->rtp_rdbx.index; + old_rtcp_rdb = stream->rtcp_rdb; + + /* remove stream */ + status = srtp_remove_stream(session, ssrc); + if (status) { + /* free new allocations */ + while (new_stream_list != NULL) { + srtp_stream_t next = new_stream_list->next; + srtp_stream_dealloc(new_stream_list, new_stream_template); + new_stream_list = next; + } + srtp_stream_dealloc(new_stream_template, NULL); + return status; + } + + /* allocate and initialize a new stream */ + status = srtp_stream_clone(new_stream_template, ssrc, &stream); + if (status) { + /* free new allocations */ + while (new_stream_list != NULL) { + srtp_stream_t next = new_stream_list->next; + srtp_stream_dealloc(new_stream_list, new_stream_template); + new_stream_list = next; + } + srtp_stream_dealloc(new_stream_template, NULL); + return status; + } + + /* add new stream to the head of the new_stream_list */ + stream->next = new_stream_list; + new_stream_list = stream; + + /* restore old extended seq */ + stream->rtp_rdbx.index = old_index; + stream->rtcp_rdb = old_rtcp_rdb; + } + /* dealloc old template */ + srtp_stream_dealloc(session->stream_template, NULL); + /* set new template */ + session->stream_template = new_stream_template; + /* add new list */ + if (new_stream_list) { + srtp_stream_t tail = new_stream_list; + while (tail->next) { + tail = tail->next; + } + tail->next = session->stream_list; + session->stream_list = new_stream_list; + } + return status; +} + +static srtp_err_status_t update_stream(srtp_t session, + const srtp_policy_t *policy) +{ + srtp_err_status_t status; + srtp_xtd_seq_num_t old_index; + srtp_rdb_t old_rtcp_rdb; + srtp_stream_t stream; + + stream = srtp_get_stream(session, htonl(policy->ssrc.value)); + if (stream == NULL) { + return srtp_err_status_bad_param; + } + + /* save old extendard seq */ + old_index = stream->rtp_rdbx.index; + old_rtcp_rdb = stream->rtcp_rdb; + + status = srtp_remove_stream(session, htonl(policy->ssrc.value)); + if (status) { + return status; + } + + status = srtp_add_stream(session, policy); + if (status) { + return status; + } + + stream = srtp_get_stream(session, htonl(policy->ssrc.value)); + if (stream == NULL) { + return srtp_err_status_fail; + } + + /* restore old extended seq */ + stream->rtp_rdbx.index = old_index; + stream->rtcp_rdb = old_rtcp_rdb; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_update_stream(srtp_t session, + const srtp_policy_t *policy) +{ + srtp_err_status_t status; + + /* sanity check arguments */ + if ((session == NULL) || (policy == NULL) || + (!srtp_validate_policy_master_keys(policy))) + return srtp_err_status_bad_param; + + switch (policy->ssrc.type) { + case (ssrc_any_outbound): + case (ssrc_any_inbound): + status = update_template_streams(session, policy); + break; + case (ssrc_specific): + status = update_stream(session, policy); + break; + case (ssrc_undefined): + default: + return srtp_err_status_bad_param; + } + + return status; +} + +/* + * The default policy - provides a convenient way for callers to use + * the default security policy + * + * The default policy is defined in RFC 3711 + * (Section 5. Default and mandatory-to-implement Transforms) + * + */ + +/* + * NOTE: cipher_key_len is really key len (128 bits) plus salt len + * (112 bits) + */ +/* There are hard-coded 16's for base_key_len in the key generation code */ + +void srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_ICM_128; + p->cipher_key_len = + SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */ + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ + p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ + p->sec_serv = sec_serv_conf_and_auth; +} + +void srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_ICM_128; + p->cipher_key_len = + SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */ + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ + p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ + p->sec_serv = sec_serv_conf_and_auth; +} + +void srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t *p) +{ + /* + * corresponds to RFC 4568 + * + * note that this crypto policy is intended for SRTP, but not SRTCP + */ + + p->cipher_type = SRTP_AES_ICM_128; + p->cipher_key_len = + SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */ + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; /* 160 bit key */ + p->auth_tag_len = 4; /* 32 bit tag */ + p->sec_serv = sec_serv_conf_and_auth; +} + +void srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t *p) +{ + /* + * corresponds to RFC 4568 + * + * note that this crypto policy is intended for SRTP, but not SRTCP + */ + + p->cipher_type = SRTP_AES_ICM_128; + p->cipher_key_len = + SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */ + p->auth_type = SRTP_NULL_AUTH; + p->auth_key_len = 0; + p->auth_tag_len = 0; + p->sec_serv = sec_serv_conf; +} + +void srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t *p) +{ + /* + * corresponds to RFC 4568 + */ + + p->cipher_type = SRTP_NULL_CIPHER; + p->cipher_key_len = 0; + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; + p->auth_tag_len = 10; + p->sec_serv = sec_serv_auth; +} + +void srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t *p) +{ + /* + * Should only be used for testing + */ + + p->cipher_type = SRTP_NULL_CIPHER; + p->cipher_key_len = 0; + p->auth_type = SRTP_NULL_AUTH; + p->auth_key_len = 0; + p->auth_tag_len = 0; + p->sec_serv = sec_serv_none; +} + +void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t *p) +{ + /* + * corresponds to RFC 6188 + */ + + p->cipher_type = SRTP_AES_ICM_256; + p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ + p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ + p->sec_serv = sec_serv_conf_and_auth; +} + +void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t *p) +{ + /* + * corresponds to RFC 6188 + * + * note that this crypto policy is intended for SRTP, but not SRTCP + */ + + p->cipher_type = SRTP_AES_ICM_256; + p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ + p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ + p->sec_serv = sec_serv_conf_and_auth; +} + +/* + * AES-256 with no authentication. + */ +void srtp_crypto_policy_set_aes_cm_256_null_auth(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_ICM_256; + p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; + p->auth_key_len = 0; + p->auth_tag_len = 0; + p->sec_serv = sec_serv_conf; +} + +#ifdef GCM +void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t *p) +{ + /* + * corresponds to RFC 6188 + */ + + p->cipher_type = SRTP_AES_ICM_192; + p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ + p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ + p->sec_serv = sec_serv_conf_and_auth; +} + +void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t *p) +{ + /* + * corresponds to RFC 6188 + * + * note that this crypto policy is intended for SRTP, but not SRTCP + */ + + p->cipher_type = SRTP_AES_ICM_192; + p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ + p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ + p->sec_serv = sec_serv_conf_and_auth; +} + +/* + * AES-192 with no authentication. + */ +void srtp_crypto_policy_set_aes_cm_192_null_auth(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_ICM_192; + p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; + p->auth_key_len = 0; + p->auth_tag_len = 0; + p->sec_serv = sec_serv_conf; +} + +/* + * AES-128 GCM mode with 8 octet auth tag. + */ +void srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_GCM_128; + p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ + p->auth_key_len = 0; + p->auth_tag_len = 8; /* 8 octet tag length */ + p->sec_serv = sec_serv_conf_and_auth; +} + +/* + * AES-256 GCM mode with 8 octet auth tag. + */ +void srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_GCM_256; + p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ + p->auth_key_len = 0; + p->auth_tag_len = 8; /* 8 octet tag length */ + p->sec_serv = sec_serv_conf_and_auth; +} + +/* + * AES-128 GCM mode with 8 octet auth tag, no RTCP encryption. + */ +void srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_GCM_128; + p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ + p->auth_key_len = 0; + p->auth_tag_len = 8; /* 8 octet tag length */ + p->sec_serv = sec_serv_auth; /* This only applies to RTCP */ +} + +/* + * AES-256 GCM mode with 8 octet auth tag, no RTCP encryption. + */ +void srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_GCM_256; + p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ + p->auth_key_len = 0; + p->auth_tag_len = 8; /* 8 octet tag length */ + p->sec_serv = sec_serv_auth; /* This only applies to RTCP */ +} + +/* + * AES-128 GCM mode with 16 octet auth tag. + */ +void srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_GCM_128; + p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ + p->auth_key_len = 0; + p->auth_tag_len = 16; /* 16 octet tag length */ + p->sec_serv = sec_serv_conf_and_auth; +} + +/* + * AES-256 GCM mode with 16 octet auth tag. + */ +void srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_GCM_256; + p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ + p->auth_key_len = 0; + p->auth_tag_len = 16; /* 16 octet tag length */ + p->sec_serv = sec_serv_conf_and_auth; +} + +#endif + +/* + * secure rtcp functions + */ + +/* + * AEAD uses a new IV formation method. This function implements + * section 9.1 (SRTCP IV Formation for AES-GCM) from RFC7714. + * The calculation is defined as, where (+) is the xor operation: + * + * 0 1 2 3 4 5 6 7 8 9 10 11 + * +--+--+--+--+--+--+--+--+--+--+--+--+ + * |00|00| SSRC |00|00|0+SRTCP Idx|---+ + * +--+--+--+--+--+--+--+--+--+--+--+--+ | + * | + * +--+--+--+--+--+--+--+--+--+--+--+--+ | + * | Encryption Salt |->(+) + * +--+--+--+--+--+--+--+--+--+--+--+--+ | + * | + * +--+--+--+--+--+--+--+--+--+--+--+--+ | + * | Initialization Vector |<--+ + * +--+--+--+--+--+--+--+--+--+--+--+--+* + * + * Input: *session_keys - pointer to SRTP stream context session keys, + * used to retrieve the SALT + * *iv - Pointer to recieve the calculated IV + * seq_num - The SEQ value to use for the IV calculation. + * *hdr - The RTP header, used to get the SSRC value + * + * Returns: srtp_err_status_ok if no error or srtp_err_status_bad_param + * if seq_num is invalid + * + */ +static srtp_err_status_t srtp_calc_aead_iv_srtcp( + srtp_session_keys_t *session_keys, + v128_t *iv, + uint32_t seq_num, + srtcp_hdr_t *hdr) +{ + v128_t in; + v128_t salt; + + memset(&in, 0, sizeof(v128_t)); + memset(&salt, 0, sizeof(v128_t)); + + in.v16[0] = 0; + memcpy(&in.v16[1], &hdr->ssrc, 4); /* still in network order! */ + in.v16[3] = 0; + + /* + * The SRTCP index (seq_num) spans bits 0 through 30 inclusive. + * The most significant bit should be zero. + */ + if (seq_num & 0x80000000UL) { + return srtp_err_status_bad_param; + } + in.v32[2] = htonl(seq_num); + + debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in)); + + /* + * Get the SALT value from the context + */ + memcpy(salt.v8, session_keys->c_salt, 12); + debug_print(mod_srtp, "RTCP SALT = %s\n", v128_hex_string(&salt)); + + /* + * Finally, apply the SALT to the input + */ + v128_xor(iv, &in, &salt); + + return srtp_err_status_ok; +} + +/* + * This code handles AEAD ciphers for outgoing RTCP. We currently support + * AES-GCM mode with 128 or 256 bit keys. + */ +static srtp_err_status_t srtp_protect_rtcp_aead( + srtp_t ctx, + srtp_stream_ctx_t *stream, + void *rtcp_hdr, + unsigned int *pkt_octet_len, + srtp_session_keys_t *session_keys, + unsigned int use_mki) +{ + srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + uint32_t *trailer_p; /* pointer to start of trailer */ + uint32_t trailer; /* trailer value */ + unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ + uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ + srtp_err_status_t status; + uint32_t tag_len; + uint32_t seq_num; + v128_t iv; + uint32_t tseq; + unsigned int mki_size = 0; + + /* get tag length from stream context */ + tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); + + /* + * set encryption start and encryption length - if we're not + * providing confidentiality, set enc_start to NULL + */ + enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; + enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; + + /* NOTE: hdr->length is not usable - it refers to only the first + * RTCP report in the compound packet! + */ + trailer_p = (uint32_t *)((char *)enc_start + enc_octet_len + tag_len); + + if (stream->rtcp_services & sec_serv_conf) { + trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */ + } else { + enc_start = NULL; + enc_octet_len = 0; + /* 0 is network-order independant */ + trailer = 0x00000000; /* set encrypt bit */ + } + + mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len + tag_len + + sizeof(srtcp_trailer_t), + session_keys, use_mki); + + /* + * set the auth_tag pointer to the proper location, which is after + * the payload, but before the trailer + * (note that srtpc *always* provides authentication, unlike srtp) + */ + /* Note: This would need to change for optional mikey data */ + auth_tag = (uint8_t *)hdr + *pkt_octet_len; + + /* + * check sequence number for overruns, and copy it into the packet + * if its value isn't too big + */ + status = srtp_rdb_increment(&stream->rtcp_rdb); + if (status) { + return status; + } + seq_num = srtp_rdb_get_value(&stream->rtcp_rdb); + trailer |= htonl(seq_num); + debug_print(mod_srtp, "srtcp index: %x", seq_num); + + memcpy(trailer_p, &trailer, sizeof(trailer)); + + /* + * Calculate and set the IV + */ + status = srtp_calc_aead_iv_srtcp(session_keys, &iv, seq_num, hdr); + if (status) { + return srtp_err_status_cipher_fail; + } + status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, + srtp_direction_encrypt); + if (status) { + return srtp_err_status_cipher_fail; + } + + /* + * Set the AAD for GCM mode + */ + if (enc_start) { + /* + * If payload encryption is enabled, then the AAD consist of + * the RTCP header and the seq# at the end of the packet + */ + status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr, + octets_in_rtcp_header); + if (status) { + return (srtp_err_status_cipher_fail); + } + } else { + /* + * Since payload encryption is not enabled, we must authenticate + * the entire packet as described in RFC 7714 (Section 9.3. Data + * Types in Unencrypted SRTCP Compound Packets) + */ + status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr, + *pkt_octet_len); + if (status) { + return (srtp_err_status_cipher_fail); + } + } + /* + * Process the sequence# as AAD + */ + tseq = trailer; + status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)&tseq, + sizeof(srtcp_trailer_t)); + if (status) { + return (srtp_err_status_cipher_fail); + } + + /* if we're encrypting, exor keystream into the message */ + if (enc_start) { + status = srtp_cipher_encrypt(session_keys->rtcp_cipher, + (uint8_t *)enc_start, &enc_octet_len); + if (status) { + return srtp_err_status_cipher_fail; + } + /* + * Get the tag and append that to the output + */ + status = srtp_cipher_get_tag(session_keys->rtcp_cipher, + (uint8_t *)auth_tag, &tag_len); + if (status) { + return (srtp_err_status_cipher_fail); + } + enc_octet_len += tag_len; + } else { + /* + * Even though we're not encrypting the payload, we need + * to run the cipher to get the auth tag. + */ + unsigned int nolen = 0; + status = srtp_cipher_encrypt(session_keys->rtcp_cipher, NULL, &nolen); + if (status) { + return srtp_err_status_cipher_fail; + } + /* + * Get the tag and append that to the output + */ + status = srtp_cipher_get_tag(session_keys->rtcp_cipher, + (uint8_t *)auth_tag, &tag_len); + if (status) { + return (srtp_err_status_cipher_fail); + } + enc_octet_len += tag_len; + } + + /* increase the packet length by the length of the auth tag and seq_num*/ + *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t)); + + /* increase the packet by the mki_size */ + *pkt_octet_len += mki_size; + + return srtp_err_status_ok; +} + +/* + * This function handles incoming SRTCP packets while in AEAD mode, + * which currently supports AES-GCM encryption. Note, the auth tag is + * at the end of the packet stream and is automatically checked by GCM + * when decrypting the payload. + */ +static srtp_err_status_t srtp_unprotect_rtcp_aead( + srtp_t ctx, + srtp_stream_ctx_t *stream, + void *srtcp_hdr, + unsigned int *pkt_octet_len, + srtp_session_keys_t *session_keys, + unsigned int use_mki) +{ + srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + uint32_t *trailer_p; /* pointer to start of trailer */ + uint32_t trailer; /* trailer value */ + unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ + uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ + srtp_err_status_t status; + int tag_len; + unsigned int tmp_len; + uint32_t seq_num; + v128_t iv; + uint32_t tseq; + unsigned int mki_size = 0; + + /* get tag length from stream context */ + tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); + + if (use_mki) { + mki_size = session_keys->mki_size; + } + + /* + * set encryption start, encryption length, and trailer + */ + /* index & E (encryption) bit follow normal data. hdr->len is the number of + * words (32-bit) in the normal packet minus 1 + */ + /* This should point trailer to the word past the end of the normal data. */ + /* This would need to be modified for optional mikey data */ + trailer_p = (uint32_t *)((char *)hdr + *pkt_octet_len - + sizeof(srtcp_trailer_t) - mki_size); + memcpy(&trailer, trailer_p, sizeof(trailer)); + + /* + * We pass the tag down to the cipher when doing GCM mode + */ + enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header + + sizeof(srtcp_trailer_t) + mki_size); + auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len - mki_size - + sizeof(srtcp_trailer_t); + + if (*((unsigned char *)trailer_p) & SRTCP_E_BYTE_BIT) { + enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; + } else { + enc_octet_len = 0; + enc_start = NULL; /* this indicates that there's no encryption */ + } + + /* + * check the sequence number for replays + */ + /* this is easier than dealing with bitfield access */ + seq_num = ntohl(trailer) & SRTCP_INDEX_MASK; + debug_print(mod_srtp, "srtcp index: %x", seq_num); + status = srtp_rdb_check(&stream->rtcp_rdb, seq_num); + if (status) { + return status; + } + + /* + * Calculate and set the IV + */ + status = srtp_calc_aead_iv_srtcp(session_keys, &iv, seq_num, hdr); + if (status) { + return srtp_err_status_cipher_fail; + } + status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, + srtp_direction_decrypt); + if (status) { + return srtp_err_status_cipher_fail; + } + + /* + * Set the AAD for GCM mode + */ + if (enc_start) { + /* + * If payload encryption is enabled, then the AAD consist of + * the RTCP header and the seq# at the end of the packet + */ + status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr, + octets_in_rtcp_header); + if (status) { + return (srtp_err_status_cipher_fail); + } + } else { + /* + * Since payload encryption is not enabled, we must authenticate + * the entire packet as described in RFC 7714 (Section 9.3. Data + * Types in Unencrypted SRTCP Compound Packets) + */ + status = srtp_cipher_set_aad( + session_keys->rtcp_cipher, (uint8_t *)hdr, + (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_t) - mki_size)); + if (status) { + return (srtp_err_status_cipher_fail); + } + } + + /* + * Process the sequence# as AAD + */ + tseq = trailer; + status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)&tseq, + sizeof(srtcp_trailer_t)); + if (status) { + return (srtp_err_status_cipher_fail); + } + + /* if we're decrypting, exor keystream into the message */ + if (enc_start) { + status = srtp_cipher_decrypt(session_keys->rtcp_cipher, + (uint8_t *)enc_start, &enc_octet_len); + if (status) { + return status; + } + } else { + /* + * Still need to run the cipher to check the tag + */ + tmp_len = tag_len; + status = srtp_cipher_decrypt(session_keys->rtcp_cipher, + (uint8_t *)auth_tag, &tmp_len); + if (status) { + return status; + } + } + + /* decrease the packet length by the length of the auth tag and seq_num*/ + *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t) + mki_size); + + /* + * verify that stream is for received traffic - this check will + * detect SSRC collisions, since a stream that appears in both + * srtp_protect() and srtp_unprotect() will fail this test in one of + * those functions. + * + * we do this check *after* the authentication check, so that the + * latter check will catch any attempts to fool us into thinking + * that we've got a collision + */ + if (stream->direction != dir_srtp_receiver) { + if (stream->direction == dir_unknown) { + stream->direction = dir_srtp_receiver; + } else { + srtp_handle_event(ctx, stream, event_ssrc_collision); + } + } + + /* + * if the stream is a 'provisional' one, in which the template context + * is used, then we need to allocate a new stream at this point, since + * the authentication passed + */ + if (stream == ctx->stream_template) { + srtp_stream_ctx_t *new_stream; + + /* + * allocate and initialize a new stream + * + * note that we indicate failure if we can't allocate the new + * stream, and some implementations will want to not return + * failure here + */ + status = + srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); + if (status) { + return status; + } + + /* add new stream to the head of the stream_list */ + new_stream->next = ctx->stream_list; + ctx->stream_list = new_stream; + + /* set stream (the pointer used in this function) */ + stream = new_stream; + } + + /* we've passed the authentication check, so add seq_num to the rdb */ + srtp_rdb_add_index(&stream->rtcp_rdb, seq_num); + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_protect_rtcp(srtp_t ctx, + void *rtcp_hdr, + int *pkt_octet_len) +{ + return srtp_protect_rtcp_mki(ctx, rtcp_hdr, pkt_octet_len, 0, 0); +} + +srtp_err_status_t srtp_protect_rtcp_mki(srtp_t ctx, + void *rtcp_hdr, + int *pkt_octet_len, + unsigned int use_mki, + unsigned int mki_index) +{ + srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + uint32_t *auth_start; /* pointer to start of auth. portion */ + uint32_t *trailer_p; /* pointer to start of trailer */ + uint32_t trailer; /* trailer value */ + unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ + uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ + srtp_err_status_t status; + int tag_len; + srtp_stream_ctx_t *stream; + uint32_t prefix_len; + uint32_t seq_num; + unsigned int mki_size = 0; + srtp_session_keys_t *session_keys = NULL; + + /* we assume the hdr is 32-bit aligned to start */ + + /* check the packet length - it must at least contain a full header */ + if (*pkt_octet_len < octets_in_rtcp_header) + return srtp_err_status_bad_param; + + /* + * look up ssrc in srtp_stream list, and process the packet with + * the appropriate stream. if we haven't seen this stream before, + * there's only one key for this srtp_session, and the cipher + * supports key-sharing, then we assume that a new stream using + * that key has just started up + */ + stream = srtp_get_stream(ctx, hdr->ssrc); + if (stream == NULL) { + if (ctx->stream_template != NULL) { + srtp_stream_ctx_t *new_stream; + + /* allocate and initialize a new stream */ + status = + srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); + if (status) + return status; + + /* add new stream to the head of the stream_list */ + new_stream->next = ctx->stream_list; + ctx->stream_list = new_stream; + + /* set stream (the pointer used in this function) */ + stream = new_stream; + } else { + /* no template stream, so we return an error */ + return srtp_err_status_no_ctx; + } + } + + /* + * verify that stream is for sending traffic - this check will + * detect SSRC collisions, since a stream that appears in both + * srtp_protect() and srtp_unprotect() will fail this test in one of + * those functions. + */ + if (stream->direction != dir_srtp_sender) { + if (stream->direction == dir_unknown) { + stream->direction = dir_srtp_sender; + } else { + srtp_handle_event(ctx, stream, event_ssrc_collision); + } + } + + session_keys = + srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index); + + if (session_keys == NULL) + return srtp_err_status_bad_mki; + + /* + * Check if this is an AEAD stream (GCM mode). If so, then dispatch + * the request to our AEAD handler. + */ + if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || + session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { + return srtp_protect_rtcp_aead(ctx, stream, rtcp_hdr, + (unsigned int *)pkt_octet_len, + session_keys, use_mki); + } + + /* get tag length from stream context */ + tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); + + /* + * set encryption start and encryption length - if we're not + * providing confidentiality, set enc_start to NULL + */ + enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; + enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; + + /* all of the packet, except the header, gets encrypted */ + /* + * NOTE: hdr->length is not usable - it refers to only the first RTCP report + * in the compound packet! + */ + trailer_p = (uint32_t *)((char *)enc_start + enc_octet_len); + + if (stream->rtcp_services & sec_serv_conf) { + trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */ + } else { + enc_start = NULL; + enc_octet_len = 0; + /* 0 is network-order independant */ + trailer = 0x00000000; /* set encrypt bit */ + } + + mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len + + sizeof(srtcp_trailer_t), + session_keys, use_mki); + + /* + * set the auth_start and auth_tag pointers to the proper locations + * (note that srtpc *always* provides authentication, unlike srtp) + */ + /* Note: This would need to change for optional mikey data */ + auth_start = (uint32_t *)hdr; + auth_tag = + (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t) + mki_size; + + /* perform EKT processing if needed */ + srtp_ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len, + srtp_rdbx_get_packet_index(&stream->rtp_rdbx)); + + /* + * check sequence number for overruns, and copy it into the packet + * if its value isn't too big + */ + status = srtp_rdb_increment(&stream->rtcp_rdb); + if (status) + return status; + seq_num = srtp_rdb_get_value(&stream->rtcp_rdb); + trailer |= htonl(seq_num); + debug_print(mod_srtp, "srtcp index: %x", seq_num); + + memcpy(trailer_p, &trailer, sizeof(trailer)); + + /* + * if we're using rindael counter mode, set nonce and seq + */ + if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 || + session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 || + session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) { + v128_t iv; + + iv.v32[0] = 0; + iv.v32[1] = hdr->ssrc; /* still in network order! */ + iv.v32[2] = htonl(seq_num >> 16); + iv.v32[3] = htonl(seq_num << 16); + status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, + srtp_direction_encrypt); + + } else { + v128_t iv; + + /* otherwise, just set the index to seq_num */ + iv.v32[0] = 0; + iv.v32[1] = 0; + iv.v32[2] = 0; + iv.v32[3] = htonl(seq_num); + status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, + srtp_direction_encrypt); + } + if (status) + return srtp_err_status_cipher_fail; + + /* + * if we're authenticating using a universal hash, put the keystream + * prefix into the authentication tag + */ + + /* if auth_start is non-null, then put keystream into tag */ + if (auth_start) { + /* put keystream prefix into auth_tag */ + prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth); + status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag, + &prefix_len); + + debug_print(mod_srtp, "keystream prefix: %s", + srtp_octet_string_hex_string(auth_tag, prefix_len)); + + if (status) + return srtp_err_status_cipher_fail; + } + + /* if we're encrypting, exor keystream into the message */ + if (enc_start) { + status = srtp_cipher_encrypt(session_keys->rtcp_cipher, + (uint8_t *)enc_start, &enc_octet_len); + if (status) + return srtp_err_status_cipher_fail; + } + + /* initialize auth func context */ + srtp_auth_start(session_keys->rtcp_auth); + + /* + * run auth func over packet (including trailer), and write the + * result at auth_tag + */ + status = + srtp_auth_compute(session_keys->rtcp_auth, (uint8_t *)auth_start, + (*pkt_octet_len) + sizeof(srtcp_trailer_t), auth_tag); + debug_print(mod_srtp, "srtcp auth tag: %s", + srtp_octet_string_hex_string(auth_tag, tag_len)); + if (status) + return srtp_err_status_auth_fail; + + /* increase the packet length by the length of the auth tag and seq_num*/ + *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t)); + + /* increase the packet by the mki_size */ + *pkt_octet_len += mki_size; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_unprotect_rtcp(srtp_t ctx, + void *srtcp_hdr, + int *pkt_octet_len) +{ + return srtp_unprotect_rtcp_mki(ctx, srtcp_hdr, pkt_octet_len, 0); +} + +srtp_err_status_t srtp_unprotect_rtcp_mki(srtp_t ctx, + void *srtcp_hdr, + int *pkt_octet_len, + unsigned int use_mki) +{ + srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + uint32_t *auth_start; /* pointer to start of auth. portion */ + uint32_t *trailer_p; /* pointer to start of trailer */ + uint32_t trailer; /* trailer value */ + unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ + uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ + uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; + uint8_t tag_copy[SRTP_MAX_TAG_LEN]; + srtp_err_status_t status; + unsigned int auth_len; + int tag_len; + srtp_stream_ctx_t *stream; + uint32_t prefix_len; + uint32_t seq_num; + int e_bit_in_packet; /* whether the E-bit was found in the packet */ + int sec_serv_confidentiality; /* whether confidentiality was requested */ + unsigned int mki_size = 0; + srtp_session_keys_t *session_keys = NULL; + + /* we assume the hdr is 32-bit aligned to start */ + + if (*pkt_octet_len < 0) + return srtp_err_status_bad_param; + + /* + * check that the length value is sane; we'll check again once we + * know the tag length, but we at least want to know that it is + * a positive value + */ + if ((unsigned int)(*pkt_octet_len) < + octets_in_rtcp_header + sizeof(srtcp_trailer_t)) + return srtp_err_status_bad_param; + + /* + * look up ssrc in srtp_stream list, and process the packet with + * the appropriate stream. if we haven't seen this stream before, + * there's only one key for this srtp_session, and the cipher + * supports key-sharing, then we assume that a new stream using + * that key has just started up + */ + stream = srtp_get_stream(ctx, hdr->ssrc); + if (stream == NULL) { + if (ctx->stream_template != NULL) { + stream = ctx->stream_template; + + /* + * check to see if stream_template has an EKT data structure, in + * which case we initialize the template using the EKT policy + * referenced by that data (which consists of decrypting the + * master key from the EKT field) + * + * this function initializes a *provisional* stream, and this + * stream should not be accepted until and unless the packet + * passes its authentication check + */ + if (stream->ekt != NULL) { + status = srtp_stream_init_from_ekt(stream, srtcp_hdr, + *pkt_octet_len); + if (status) + return status; + } + + debug_print(mod_srtp, + "srtcp using provisional stream (SSRC: 0x%08x)", + ntohl(hdr->ssrc)); + } else { + /* no template stream, so we return an error */ + return srtp_err_status_no_ctx; + } + } + + /* + * Determine if MKI is being used and what session keys should be used + */ + if (use_mki) { + session_keys = srtp_get_session_keys( + stream, (uint8_t *)hdr, (const unsigned int *)pkt_octet_len, + &mki_size); + + if (session_keys == NULL) + return srtp_err_status_bad_mki; + } else { + session_keys = &stream->session_keys[0]; + } + + /* get tag length from stream context */ + tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); + + /* check the packet length - it must contain at least a full RTCP + header, an auth tag (if applicable), and the SRTCP encrypted flag + and 31-bit index value */ + if (*pkt_octet_len < (int)(octets_in_rtcp_header + tag_len + mki_size + + sizeof(srtcp_trailer_t))) { + return srtp_err_status_bad_param; + } + + /* + * Check if this is an AEAD stream (GCM mode). If so, then dispatch + * the request to our AEAD handler. + */ + if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || + session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { + return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr, + (unsigned int *)pkt_octet_len, + session_keys, mki_size); + } + + sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf || + stream->rtcp_services == sec_serv_conf_and_auth; + + /* + * set encryption start, encryption length, and trailer + */ + enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header + tag_len + + mki_size + sizeof(srtcp_trailer_t)); + /* + *index & E (encryption) bit follow normal data. hdr->len is the number of + * words (32-bit) in the normal packet minus 1 + */ + /* This should point trailer to the word past the end of the normal data. */ + /* This would need to be modified for optional mikey data */ + trailer_p = (uint32_t *)((char *)hdr + *pkt_octet_len - + (tag_len + mki_size + sizeof(srtcp_trailer_t))); + memcpy(&trailer, trailer_p, sizeof(trailer)); + + e_bit_in_packet = + (*((unsigned char *)trailer_p) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT; + if (e_bit_in_packet != sec_serv_confidentiality) { + return srtp_err_status_cant_check; + } + if (sec_serv_confidentiality) { + enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; + } else { + enc_octet_len = 0; + enc_start = NULL; /* this indicates that there's no encryption */ + } + + /* + * set the auth_start and auth_tag pointers to the proper locations + * (note that srtcp *always* uses authentication, unlike srtp) + */ + auth_start = (uint32_t *)hdr; + + /* + * The location of the auth tag in the packet needs to know MKI + * could be present. The data needed to calculate the Auth tag + * must not include the MKI + */ + auth_len = *pkt_octet_len - tag_len - mki_size; + auth_tag = (uint8_t *)hdr + auth_len + mki_size; + + /* + * if EKT is in use, then we make a copy of the tag from the packet, + * and then zeroize the location of the base tag + * + * we first re-position the auth_tag pointer so that it points to + * the base tag + */ + if (stream->ekt) { + auth_tag -= srtp_ekt_octets_after_base_tag(stream->ekt); + memcpy(tag_copy, auth_tag, tag_len); + octet_string_set_to_zero(auth_tag, tag_len); + auth_tag = tag_copy; + auth_len += tag_len; + } + + /* + * check the sequence number for replays + */ + /* this is easier than dealing with bitfield access */ + seq_num = ntohl(trailer) & SRTCP_INDEX_MASK; + debug_print(mod_srtp, "srtcp index: %x", seq_num); + status = srtp_rdb_check(&stream->rtcp_rdb, seq_num); + if (status) + return status; + + /* + * if we're using aes counter mode, set nonce and seq + */ + if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 || + session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 || + session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) { + v128_t iv; + + iv.v32[0] = 0; + iv.v32[1] = hdr->ssrc; /* still in network order! */ + iv.v32[2] = htonl(seq_num >> 16); + iv.v32[3] = htonl(seq_num << 16); + status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, + srtp_direction_decrypt); + + } else { + v128_t iv; + + /* otherwise, just set the index to seq_num */ + iv.v32[0] = 0; + iv.v32[1] = 0; + iv.v32[2] = 0; + iv.v32[3] = htonl(seq_num); + status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, + srtp_direction_decrypt); + } + if (status) + return srtp_err_status_cipher_fail; + + /* initialize auth func context */ + srtp_auth_start(session_keys->rtcp_auth); + + /* run auth func over packet, put result into tmp_tag */ + status = srtp_auth_compute(session_keys->rtcp_auth, (uint8_t *)auth_start, + auth_len, tmp_tag); + debug_print(mod_srtp, "srtcp computed tag: %s", + srtp_octet_string_hex_string(tmp_tag, tag_len)); + if (status) + return srtp_err_status_auth_fail; + + /* compare the tag just computed with the one in the packet */ + debug_print(mod_srtp, "srtcp tag from packet: %s", + srtp_octet_string_hex_string(auth_tag, tag_len)); + if (octet_string_is_eq(tmp_tag, auth_tag, tag_len)) + return srtp_err_status_auth_fail; + + /* + * if we're authenticating using a universal hash, put the keystream + * prefix into the authentication tag + */ + prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth); + if (prefix_len) { + status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag, + &prefix_len); + debug_print(mod_srtp, "keystream prefix: %s", + srtp_octet_string_hex_string(auth_tag, prefix_len)); + if (status) + return srtp_err_status_cipher_fail; + } + + /* if we're decrypting, exor keystream into the message */ + if (enc_start) { + status = srtp_cipher_decrypt(session_keys->rtcp_cipher, + (uint8_t *)enc_start, &enc_octet_len); + if (status) + return srtp_err_status_cipher_fail; + } + + /* decrease the packet length by the length of the auth tag and seq_num */ + *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t)); + + /* decrease the packet length by the length of the mki_size */ + *pkt_octet_len -= mki_size; + + /* + * if EKT is in effect, subtract the EKT data out of the packet + * length + */ + *pkt_octet_len -= srtp_ekt_octets_after_base_tag(stream->ekt); + + /* + * verify that stream is for received traffic - this check will + * detect SSRC collisions, since a stream that appears in both + * srtp_protect() and srtp_unprotect() will fail this test in one of + * those functions. + * + * we do this check *after* the authentication check, so that the + * latter check will catch any attempts to fool us into thinking + * that we've got a collision + */ + if (stream->direction != dir_srtp_receiver) { + if (stream->direction == dir_unknown) { + stream->direction = dir_srtp_receiver; + } else { + srtp_handle_event(ctx, stream, event_ssrc_collision); + } + } + + /* + * if the stream is a 'provisional' one, in which the template context + * is used, then we need to allocate a new stream at this point, since + * the authentication passed + */ + if (stream == ctx->stream_template) { + srtp_stream_ctx_t *new_stream; + + /* + * allocate and initialize a new stream + * + * note that we indicate failure if we can't allocate the new + * stream, and some implementations will want to not return + * failure here + */ + status = + srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); + if (status) + return status; + + /* add new stream to the head of the stream_list */ + new_stream->next = ctx->stream_list; + ctx->stream_list = new_stream; + + /* set stream (the pointer used in this function) */ + stream = new_stream; + } + + /* we've passed the authentication check, so add seq_num to the rdb */ + srtp_rdb_add_index(&stream->rtcp_rdb, seq_num); + + return srtp_err_status_ok; +} + +/* + * user data within srtp_t context + */ + +void srtp_set_user_data(srtp_t ctx, void *data) +{ + ctx->user_data = data; +} + +void *srtp_get_user_data(srtp_t ctx) +{ + return ctx->user_data; +} + +/* + * dtls keying for srtp + */ + +srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtp( + srtp_crypto_policy_t *policy, + srtp_profile_t profile) +{ + /* set SRTP policy from the SRTP profile in the key set */ + switch (profile) { + case srtp_profile_aes128_cm_sha1_80: + srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); + break; + case srtp_profile_aes128_cm_sha1_32: + srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(policy); + break; + case srtp_profile_null_sha1_80: + srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy); + break; +#ifdef GCM + case srtp_profile_aead_aes_128_gcm: + srtp_crypto_policy_set_aes_gcm_128_16_auth(policy); + break; + case srtp_profile_aead_aes_256_gcm: + srtp_crypto_policy_set_aes_gcm_256_16_auth(policy); + break; +#endif + /* the following profiles are not (yet) supported */ + case srtp_profile_null_sha1_32: + default: + return srtp_err_status_bad_param; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtcp( + srtp_crypto_policy_t *policy, + srtp_profile_t profile) +{ + /* set SRTP policy from the SRTP profile in the key set */ + switch (profile) { + case srtp_profile_aes128_cm_sha1_80: + srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); + break; + case srtp_profile_aes128_cm_sha1_32: + /* We do not honor the 32-bit auth tag request since + * this is not compliant with RFC 3711 */ + srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); + break; + case srtp_profile_null_sha1_80: + srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy); + break; +#ifdef GCM + case srtp_profile_aead_aes_128_gcm: + srtp_crypto_policy_set_aes_gcm_128_16_auth(policy); + break; + case srtp_profile_aead_aes_256_gcm: + srtp_crypto_policy_set_aes_gcm_256_16_auth(policy); + break; +#endif + /* the following profiles are not (yet) supported */ + case srtp_profile_null_sha1_32: + default: + return srtp_err_status_bad_param; + } + + return srtp_err_status_ok; +} + +void srtp_append_salt_to_key(uint8_t *key, + unsigned int bytes_in_key, + uint8_t *salt, + unsigned int bytes_in_salt) +{ + memcpy(key + bytes_in_key, salt, bytes_in_salt); +} + +unsigned int srtp_profile_get_master_key_length(srtp_profile_t profile) +{ + switch (profile) { + case srtp_profile_aes128_cm_sha1_80: + return SRTP_AES_128_KEY_LEN; + break; + case srtp_profile_aes128_cm_sha1_32: + return SRTP_AES_128_KEY_LEN; + break; + case srtp_profile_null_sha1_80: + return SRTP_AES_128_KEY_LEN; + break; + case srtp_profile_aead_aes_128_gcm: + return SRTP_AES_128_KEY_LEN; + break; + case srtp_profile_aead_aes_256_gcm: + return SRTP_AES_256_KEY_LEN; + break; + /* the following profiles are not (yet) supported */ + case srtp_profile_null_sha1_32: + default: + return 0; /* indicate error by returning a zero */ + } +} + +unsigned int srtp_profile_get_master_salt_length(srtp_profile_t profile) +{ + switch (profile) { + case srtp_profile_aes128_cm_sha1_80: + return SRTP_SALT_LEN; + break; + case srtp_profile_aes128_cm_sha1_32: + return SRTP_SALT_LEN; + break; + case srtp_profile_null_sha1_80: + return SRTP_SALT_LEN; + break; + case srtp_profile_aead_aes_128_gcm: + return SRTP_AEAD_SALT_LEN; + break; + case srtp_profile_aead_aes_256_gcm: + return SRTP_AEAD_SALT_LEN; + break; + /* the following profiles are not (yet) supported */ + case srtp_profile_null_sha1_32: + default: + return 0; /* indicate error by returning a zero */ + } +} + +srtp_err_status_t stream_get_protect_trailer_length(srtp_stream_ctx_t *stream, + uint32_t is_rtp, + uint32_t use_mki, + uint32_t mki_index, + uint32_t *length) +{ + *length = 0; + + srtp_session_keys_t *session_key; + + if (use_mki) { + if (mki_index >= stream->num_master_keys) { + return srtp_err_status_bad_mki; + } + session_key = &stream->session_keys[mki_index]; + + *length += session_key->mki_size; + + } else { + session_key = &stream->session_keys[0]; + } + if (is_rtp) { + *length += srtp_auth_get_tag_length(session_key->rtp_auth); + } else { + *length += srtp_auth_get_tag_length(session_key->rtcp_auth); + *length += sizeof(srtcp_trailer_t); + } + + return srtp_err_status_ok; +} + +srtp_err_status_t get_protect_trailer_length(srtp_t session, + uint32_t is_rtp, + uint32_t use_mki, + uint32_t mki_index, + uint32_t *length) +{ + srtp_stream_ctx_t *stream; + + if (session == NULL) { + return srtp_err_status_bad_param; + } + + if (session->stream_template == NULL && session->stream_list == NULL) { + return srtp_err_status_bad_param; + } + + *length = 0; + + stream = session->stream_template; + + if (stream != NULL) { + stream_get_protect_trailer_length(stream, is_rtp, use_mki, mki_index, + length); + } + + stream = session->stream_list; + + while (stream != NULL) { + uint32_t temp_length; + if (stream_get_protect_trailer_length(stream, is_rtp, use_mki, + mki_index, &temp_length) == + srtp_err_status_ok) { + if (temp_length > *length) { + *length = temp_length; + } + } + stream = stream->next; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_get_protect_trailer_length(srtp_t session, + uint32_t use_mki, + uint32_t mki_index, + uint32_t *length) +{ + return get_protect_trailer_length(session, 1, use_mki, mki_index, length); +} + +srtp_err_status_t srtp_get_protect_rtcp_trailer_length(srtp_t session, + uint32_t use_mki, + uint32_t mki_index, + uint32_t *length) +{ + return get_protect_trailer_length(session, 0, use_mki, mki_index, length); +} + +/* + * SRTP debug interface + */ +srtp_err_status_t srtp_set_debug_module(const char *mod_name, int v) +{ + return srtp_crypto_kernel_set_debug_module(mod_name, v); +} + +srtp_err_status_t srtp_list_debug_modules(void) +{ + return srtp_crypto_kernel_list_debug_modules(); +} + +/* + * srtp_log_handler is a global variable holding a pointer to the + * log handler function; this function is called for any log + * output. + */ + +static srtp_log_handler_func_t *srtp_log_handler = NULL; +static void *srtp_log_handler_data = NULL; + +void srtp_err_handler(srtp_err_reporting_level_t level, const char *msg) +{ + if (srtp_log_handler) { + srtp_log_level_t log_level = srtp_log_level_error; + switch (level) { + case srtp_err_level_error: + log_level = srtp_log_level_error; + break; + case srtp_err_level_warning: + log_level = srtp_log_level_warning; + break; + case srtp_err_level_info: + log_level = srtp_log_level_info; + break; + case srtp_err_level_debug: + log_level = srtp_log_level_debug; + break; + } + + srtp_log_handler(log_level, msg, srtp_log_handler_data); + } +} + +srtp_err_status_t srtp_install_log_handler(srtp_log_handler_func_t func, + void *data) +{ + /* + * note that we accept NULL arguments intentionally - calling this + * function with a NULL arguments removes a log handler that's + * been previously installed + */ + + if (srtp_log_handler) { + srtp_install_err_report_handler(NULL); + } + srtp_log_handler = func; + srtp_log_handler_data = data; + if (srtp_log_handler) { + srtp_install_err_report_handler(srtp_err_handler); + } + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_set_stream_roc(srtp_t session, + uint32_t ssrc, + uint32_t roc) +{ + srtp_stream_t stream; + + stream = srtp_get_stream(session, htonl(ssrc)); + if (stream == NULL) + return srtp_err_status_bad_param; + + stream->pending_roc = roc; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_get_stream_roc(srtp_t session, + uint32_t ssrc, + uint32_t *roc) +{ + srtp_stream_t stream; + + stream = srtp_get_stream(session, htonl(ssrc)); + if (stream == NULL) + return srtp_err_status_bad_param; + + *roc = srtp_rdbx_get_roc(&stream->rtp_rdbx); + + return srtp_err_status_ok; +} diff --git a/netwerk/srtp/src/test/cutest.h b/netwerk/srtp/src/test/cutest.h new file mode 100644 index 0000000000..f46626d395 --- /dev/null +++ b/netwerk/srtp/src/test/cutest.h @@ -0,0 +1,713 @@ +/* + * CUTest -- C/C++ Unit Test facility + * <http://github.com/mity/cutest> + * + * Copyright (c) 2013-2017 Martin Mitas + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + * IN THE SOFTWARE. + */ + +#ifndef CUTEST_H__ +#define CUTEST_H__ + +/************************ + *** Public interface *** + ************************/ + +/* By default, <cutest.h> provides the main program entry point (function + * main()). However, if the test suite is composed of multiple source files + * which include <cutest.h>, then this causes a problem of multiple main() + * definitions. To avoid this problem, #define macro TEST_NO_MAIN in all + * compilation units but one. + */ + +/* Macro to specify list of unit tests in the suite. + * The unit test implementation MUST provide list of unit tests it implements + * with this macro: + * + * TEST_LIST = { + * { "test1_name", test1_func_ptr }, + * { "test2_name", test2_func_ptr }, + * ... + * { 0 } + * }; + * + * The list specifies names of each test (must be unique) and pointer to + * a function implementing it. The function does not take any arguments + * and has no return values, i.e. every test function has tp be compatible + * with this prototype: + * + * void test_func(void); + */ +#define TEST_LIST const struct test__ test_list__[] + +/* Macros for testing whether an unit test succeeds or fails. These macros + * can be used arbitrarily in functions implementing the unit tests. + * + * If any condition fails throughout execution of a test, the test fails. + * + * TEST_CHECK takes only one argument (the condition), TEST_CHECK_ allows + * also to specify an error message to print out if the condition fails. + * (It expects printf-like format string and its parameters). The macros + * return non-zero (condition passes) or 0 (condition fails). + * + * That can be useful when more conditions should be checked only if some + * preceding condition passes, as illustrated in this code snippet: + * + * SomeStruct* ptr = allocate_some_struct(); + * if(TEST_CHECK(ptr != NULL)) { + * TEST_CHECK(ptr->member1 < 100); + * TEST_CHECK(ptr->member2 > 200); + * } + */ +#define TEST_CHECK_(cond, ...) \ + test_check__((cond), __FILE__, __LINE__, __VA_ARGS__) +#define TEST_CHECK(cond) test_check__((cond), __FILE__, __LINE__, "%s", #cond) + +/********************** + *** Implementation *** + **********************/ + +/* The unit test files should not rely on anything below. */ + +#include <stdarg.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#if defined(unix) || defined(__unix__) || defined(__unix) || defined(__APPLE__) +#define CUTEST_UNIX__ 1 +#include <errno.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/wait.h> +#include <signal.h> +#endif + +#if defined(_WIN32) || defined(__WIN32__) || defined(__WINDOWS__) +#define CUTEST_WIN__ 1 +#include <windows.h> +#include <io.h> +#endif + +#ifdef __cplusplus +#include <exception> +#endif + +/* Note our global private identifiers end with '__' to mitigate risk of clash + * with the unit tests implementation. */ + +#ifdef __cplusplus +extern "C" { +#endif + +struct test__ { + const char *name; + void (*func)(void); +}; + +extern const struct test__ test_list__[]; + +int test_check__(int cond, const char *file, int line, const char *fmt, ...); + +#ifndef TEST_NO_MAIN + +static char *test_argv0__ = NULL; +static int test_count__ = 0; +static int test_no_exec__ = 0; +static int test_no_summary__ = 0; +static int test_skip_mode__ = 0; + +static int test_stat_failed_units__ = 0; +static int test_stat_run_units__ = 0; + +static const struct test__ *test_current_unit__ = NULL; +static int test_current_already_logged__ = 0; +static int test_verbose_level__ = 2; +static int test_current_failures__ = 0; +static int test_colorize__ = 0; + +#define CUTEST_COLOR_DEFAULT__ 0 +#define CUTEST_COLOR_GREEN__ 1 +#define CUTEST_COLOR_RED__ 2 +#define CUTEST_COLOR_DEFAULT_INTENSIVE__ 3 +#define CUTEST_COLOR_GREEN_INTENSIVE__ 4 +#define CUTEST_COLOR_RED_INTENSIVE__ 5 + +static size_t test_print_in_color__(int color, const char *fmt, ...) +{ + va_list args; + char buffer[256]; + size_t n; + + va_start(args, fmt); + vsnprintf(buffer, sizeof(buffer), fmt, args); + va_end(args); + buffer[sizeof(buffer) - 1] = '\0'; + + if (!test_colorize__) { + return printf("%s", buffer); + } + +#if defined CUTEST_UNIX__ + { + const char *col_str; + switch (color) { + case CUTEST_COLOR_GREEN__: + col_str = "\033[0;32m"; + break; + case CUTEST_COLOR_RED__: + col_str = "\033[0;31m"; + break; + case CUTEST_COLOR_GREEN_INTENSIVE__: + col_str = "\033[1;32m"; + break; + case CUTEST_COLOR_RED_INTENSIVE__: + col_str = "\033[1;30m"; + break; + case CUTEST_COLOR_DEFAULT_INTENSIVE__: + col_str = "\033[1m"; + break; + default: + col_str = "\033[0m"; + break; + } + printf("%s", col_str); + n = printf("%s", buffer); + printf("\033[0m"); + return n; + } +#elif defined CUTEST_WIN__ + { + HANDLE h; + CONSOLE_SCREEN_BUFFER_INFO info; + WORD attr; + + h = GetStdHandle(STD_OUTPUT_HANDLE); + GetConsoleScreenBufferInfo(h, &info); + + switch (color) { + case CUTEST_COLOR_GREEN__: + attr = FOREGROUND_GREEN; + break; + case CUTEST_COLOR_RED__: + attr = FOREGROUND_RED; + break; + case CUTEST_COLOR_GREEN_INTENSIVE__: + attr = FOREGROUND_GREEN | FOREGROUND_INTENSITY; + break; + case CUTEST_COLOR_RED_INTENSIVE__: + attr = FOREGROUND_RED | FOREGROUND_INTENSITY; + break; + case CUTEST_COLOR_DEFAULT_INTENSIVE__: + attr = FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_RED | + FOREGROUND_INTENSITY; + break; + default: + attr = 0; + break; + } + if (attr != 0) + SetConsoleTextAttribute(h, attr); + n = printf("%s", buffer); + SetConsoleTextAttribute(h, info.wAttributes); + return n; + } +#else + n = printf("%s", buffer); + return n; +#endif +} + +int test_check__(int cond, const char *file, int line, const char *fmt, ...) +{ + const char *result_str; + int result_color; + int verbose_level; + + if (cond) { + result_str = "ok"; + result_color = CUTEST_COLOR_GREEN__; + verbose_level = 3; + } else { + if (!test_current_already_logged__ && test_current_unit__ != NULL) { + printf("[ "); + test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, "FAILED"); + printf(" ]\n"); + } + result_str = "failed"; + result_color = CUTEST_COLOR_RED__; + verbose_level = 2; + test_current_failures__++; + test_current_already_logged__++; + } + + if (test_verbose_level__ >= verbose_level) { + size_t n = 0; + va_list args; + + printf(" "); + + if (file != NULL) + n += printf("%s:%d: Check ", file, line); + + va_start(args, fmt); + n += vprintf(fmt, args); + va_end(args); + + printf("... "); + test_print_in_color__(result_color, result_str); + printf("\n"); + test_current_already_logged__++; + } + + return (cond != 0); +} + +static void test_list_names__(void) +{ + const struct test__ *test; + + printf("Unit tests:\n"); + for (test = &test_list__[0]; test->func != NULL; test++) + printf(" %s\n", test->name); +} + +static const struct test__ *test_by_name__(const char *name) +{ + const struct test__ *test; + + for (test = &test_list__[0]; test->func != NULL; test++) { + if (strcmp(test->name, name) == 0) + return test; + } + + return NULL; +} + +/* Call directly the given test unit function. */ +static int test_do_run__(const struct test__ *test) +{ + test_current_unit__ = test; + test_current_failures__ = 0; + test_current_already_logged__ = 0; + + if (test_verbose_level__ >= 3) { + test_print_in_color__(CUTEST_COLOR_DEFAULT_INTENSIVE__, "Test %s:\n", + test->name); + test_current_already_logged__++; + } else if (test_verbose_level__ >= 1) { + size_t n; + char spaces[32]; + + n = test_print_in_color__(CUTEST_COLOR_DEFAULT_INTENSIVE__, + "Test %s... ", test->name); + memset(spaces, ' ', sizeof(spaces)); + if (n < sizeof(spaces)) + printf("%.*s", (int)(sizeof(spaces) - n), spaces); + } else { + test_current_already_logged__ = 1; + } + +#ifdef __cplusplus + try { +#endif + + /* This is good to do for case the test unit e.g. crashes. */ + fflush(stdout); + fflush(stderr); + + test->func(); + +#ifdef __cplusplus + } catch (std::exception &e) { + const char *what = e.what(); + if (what != NULL) + test_check__(0, NULL, 0, "Threw std::exception: %s", what); + else + test_check__(0, NULL, 0, "Threw std::exception"); + } catch (...) { + test_check__(0, NULL, 0, "Threw an exception"); + } +#endif + + if (test_verbose_level__ >= 3) { + switch (test_current_failures__) { + case 0: + test_print_in_color__(CUTEST_COLOR_GREEN_INTENSIVE__, + " All conditions have passed.\n\n"); + break; + case 1: + test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, + " One condition has FAILED.\n\n"); + break; + default: + test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, + " %d conditions have FAILED.\n\n", + test_current_failures__); + break; + } + } else if (test_verbose_level__ >= 1 && test_current_failures__ == 0) { + printf("[ "); + test_print_in_color__(CUTEST_COLOR_GREEN_INTENSIVE__, "OK"); + printf(" ]\n"); + } + + test_current_unit__ = NULL; + return (test_current_failures__ == 0) ? 0 : -1; +} + +#if defined(CUTEST_UNIX__) || defined(CUTEST_WIN__) +/* Called if anything goes bad in cutest, or if the unit test ends in other + * way then by normal returning from its function (e.g. exception or some + * abnormal child process termination). */ +static void test_error__(const char *fmt, ...) +{ + va_list args; + + if (test_verbose_level__ == 0) + return; + + if (test_verbose_level__ <= 2 && !test_current_already_logged__ && + test_current_unit__ != NULL) { + printf("[ "); + test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, "FAILED"); + printf(" ]\n"); + } + + if (test_verbose_level__ >= 2) { + test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, " Error: "); + va_start(args, fmt); + vprintf(fmt, args); + va_end(args); + printf("\n"); + } +} +#endif + +/* Trigger the unit test. If possible (and not suppressed) it starts a child + * process who calls test_do_run__(), otherwise it calls test_do_run__() + * directly. */ +static void test_run__(const struct test__ *test) +{ + int failed = 1; + + test_current_unit__ = test; + test_current_already_logged__ = 0; + + if (!test_no_exec__) { +#if defined(CUTEST_UNIX__) + + pid_t pid; + int exit_code; + + pid = fork(); + if (pid == (pid_t)-1) { + test_error__("Cannot fork. %s [%d]", strerror(errno), errno); + failed = 1; + } else if (pid == 0) { + /* Child: Do the test. */ + failed = (test_do_run__(test) != 0); + exit(failed ? 1 : 0); + } else { + /* Parent: Wait until child terminates and analyze its exit code. */ + waitpid(pid, &exit_code, 0); + if (WIFEXITED(exit_code)) { + switch (WEXITSTATUS(exit_code)) { + case 0: + failed = 0; + break; /* test has passed. */ + case 1: /* noop */ + break; /* "normal" failure. */ + default: + test_error__("Unexpected exit code [%d]", + WEXITSTATUS(exit_code)); + } + } else if (WIFSIGNALED(exit_code)) { + char tmp[32]; + const char *signame; + switch (WTERMSIG(exit_code)) { + case SIGINT: + signame = "SIGINT"; + break; + case SIGHUP: + signame = "SIGHUP"; + break; + case SIGQUIT: + signame = "SIGQUIT"; + break; + case SIGABRT: + signame = "SIGABRT"; + break; + case SIGKILL: + signame = "SIGKILL"; + break; + case SIGSEGV: + signame = "SIGSEGV"; + break; + case SIGILL: + signame = "SIGILL"; + break; + case SIGTERM: + signame = "SIGTERM"; + break; + default: + sprintf(tmp, "signal %d", WTERMSIG(exit_code)); + signame = tmp; + break; + } + test_error__("Test interrupted by %s", signame); + } else { + test_error__("Test ended in an unexpected way [%d]", exit_code); + } + } + +#elif defined(CUTEST_WIN__) + + char buffer[512] = { 0 }; + STARTUPINFOA startupInfo = { 0 }; + PROCESS_INFORMATION processInfo; + DWORD exitCode; + + /* Windows has no fork(). So we propagate all info into the child + * through a command line arguments. */ + _snprintf(buffer, sizeof(buffer) - 1, + "%s --no-exec --no-summary --verbose=%d --color=%s -- \"%s\"", + test_argv0__, test_verbose_level__, + test_colorize__ ? "always" : "never", test->name); + startupInfo.cb = sizeof(STARTUPINFO); + if (CreateProcessA(NULL, buffer, NULL, NULL, FALSE, 0, NULL, NULL, + &startupInfo, &processInfo)) { + WaitForSingleObject(processInfo.hProcess, INFINITE); + GetExitCodeProcess(processInfo.hProcess, &exitCode); + CloseHandle(processInfo.hThread); + CloseHandle(processInfo.hProcess); + failed = (exitCode != 0); + } else { + test_error__("Cannot create unit test subprocess [%ld].", + GetLastError()); + failed = 1; + } + +#else + + /* A platform where we don't know how to run child process. */ + failed = (test_do_run__(test) != 0); + +#endif + + } else { + /* Child processes suppressed through --no-exec. */ + failed = (test_do_run__(test) != 0); + } + + test_current_unit__ = NULL; + + test_stat_run_units__++; + if (failed) + test_stat_failed_units__++; +} + +#if defined(CUTEST_WIN__) +/* Callback for SEH events. */ +static LONG CALLBACK test_exception_filter__(EXCEPTION_POINTERS *ptrs) +{ + test_error__("Unhandled SEH exception %08lx at %p.", + ptrs->ExceptionRecord->ExceptionCode, + ptrs->ExceptionRecord->ExceptionAddress); + fflush(stdout); + fflush(stderr); + return EXCEPTION_EXECUTE_HANDLER; +} +#endif + +static void test_help__(void) +{ + printf("Usage: %s [options] [test...]\n", test_argv0__); + printf("Run the specified unit tests; or if the option '--skip' is used, " + "run all\n"); + printf("tests in the suite but those listed. By default, if no tests are " + "specified\n"); + printf("on the command line, all unit tests in the suite are run.\n"); + printf("\n"); + printf("Options:\n"); + printf( + " -s, --skip Execute all unit tests but the listed ones\n"); + printf(" --no-exec Do not execute unit tests as child " + "processes\n"); + printf( + " --no-summary Suppress printing of test results summary\n"); + printf(" -l, --list List unit tests in the suite and exit\n"); + printf(" -v, --verbose Enable more verbose output\n"); + printf(" --verbose=LEVEL Set verbose level to LEVEL:\n"); + printf(" 0 ... Be silent\n"); + printf(" 1 ... Output one line per test (and " + "summary)\n"); + printf(" 2 ... As 1 and failed conditions (this " + "is default)\n"); + printf(" 3 ... As 1 and all conditions (and " + "extended summary)\n"); + printf(" --color=WHEN Enable colorized output (WHEN is one of " + "'auto', 'always', 'never')\n"); + printf(" -h, --help Display this help and exit\n"); + printf("\n"); + test_list_names__(); +} + +int main(int argc, char **argv) +{ + const struct test__ **tests = NULL; + int i, j, n = 0; + int seen_double_dash = 0; + + test_argv0__ = argv[0]; + +#if defined CUTEST_UNIX__ + test_colorize__ = isatty(STDOUT_FILENO); +#elif defined CUTEST_WIN__ + test_colorize__ = _isatty(_fileno(stdout)); +#else + test_colorize__ = 0; +#endif + + /* Parse options */ + for (i = 1; i < argc; i++) { + if (seen_double_dash || argv[i][0] != '-') { + tests = (const struct test__ **)realloc( + (void *)tests, (n + 1) * sizeof(const struct test__ *)); + if (tests == NULL) { + fprintf(stderr, "Out of memory.\n"); + exit(2); + } + tests[n] = test_by_name__(argv[i]); + if (tests[n] == NULL) { + fprintf(stderr, "%s: Unrecognized unit test '%s'\n", argv[0], + argv[i]); + fprintf(stderr, "Try '%s --list' for list of unit tests.\n", + argv[0]); + exit(2); + } + n++; + } else if (strcmp(argv[i], "--") == 0) { + seen_double_dash = 1; + } else if (strcmp(argv[i], "--help") == 0 || + strcmp(argv[i], "-h") == 0) { + test_help__(); + exit(0); + } else if (strcmp(argv[i], "--verbose") == 0 || + strcmp(argv[i], "-v") == 0) { + test_verbose_level__++; + } else if (strncmp(argv[i], "--verbose=", 10) == 0) { + test_verbose_level__ = atoi(argv[i] + 10); + } else if (strcmp(argv[i], "--color=auto") == 0) { + /* noop (set from above) */ + } else if (strcmp(argv[i], "--color=always") == 0 || + strcmp(argv[i], "--color") == 0) { + test_colorize__ = 1; + } else if (strcmp(argv[i], "--color=never") == 0) { + test_colorize__ = 0; + } else if (strcmp(argv[i], "--skip") == 0 || + strcmp(argv[i], "-s") == 0) { + test_skip_mode__ = 1; + } else if (strcmp(argv[i], "--no-exec") == 0) { + test_no_exec__ = 1; + } else if (strcmp(argv[i], "--no-summary") == 0) { + test_no_summary__ = 1; + } else if (strcmp(argv[i], "--list") == 0 || + strcmp(argv[i], "-l") == 0) { + test_list_names__(); + exit(0); + } else { + fprintf(stderr, "%s: Unrecognized option '%s'\n", argv[0], argv[i]); + fprintf(stderr, "Try '%s --help' for more information.\n", argv[0]); + exit(2); + } + } + +#if defined(CUTEST_WIN__) + SetUnhandledExceptionFilter(test_exception_filter__); +#endif + + /* Count all test units */ + test_count__ = 0; + for (i = 0; test_list__[i].func != NULL; i++) + test_count__++; + + /* Run the tests */ + if (n == 0) { + /* Run all tests */ + for (i = 0; test_list__[i].func != NULL; i++) + test_run__(&test_list__[i]); + } else if (!test_skip_mode__) { + /* Run the listed tests */ + for (i = 0; i < n; i++) + test_run__(tests[i]); + } else { + /* Run all tests except those listed */ + for (i = 0; test_list__[i].func != NULL; i++) { + int want_skip = 0; + for (j = 0; j < n; j++) { + if (tests[j] == &test_list__[i]) { + want_skip = 1; + break; + } + } + if (!want_skip) + test_run__(&test_list__[i]); + } + } + + /* Write a summary */ + if (!test_no_summary__ && test_verbose_level__ >= 1) { + test_print_in_color__(CUTEST_COLOR_DEFAULT_INTENSIVE__, "\nSummary:\n"); + + if (test_verbose_level__ >= 3) { + printf(" Count of all unit tests: %4d\n", test_count__); + printf(" Count of run unit tests: %4d\n", + test_stat_run_units__); + printf(" Count of failed unit tests: %4d\n", + test_stat_failed_units__); + printf(" Count of skipped unit tests: %4d\n", + test_count__ - test_stat_run_units__); + } + + if (test_stat_failed_units__ == 0) { + test_print_in_color__(CUTEST_COLOR_GREEN_INTENSIVE__, + " SUCCESS: All unit tests have passed.\n"); + } else { + test_print_in_color__( + CUTEST_COLOR_RED_INTENSIVE__, + " FAILED: %d of %d unit tests have failed.\n", + test_stat_failed_units__, test_stat_run_units__); + } + } + + if (tests != NULL) + free((void *)tests); + + return (test_stat_failed_units__ == 0) ? 0 : 1; +} + +#endif /* #ifndef TEST_NO_MAIN */ + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#endif /* #ifndef CUTEST_H__ */ diff --git a/netwerk/srtp/src/test/dtls_srtp_driver.c b/netwerk/srtp/src/test/dtls_srtp_driver.c new file mode 100644 index 0000000000..4f4d0a39b3 --- /dev/null +++ b/netwerk/srtp/src/test/dtls_srtp_driver.c @@ -0,0 +1,261 @@ +/* + * dtls_srtp_driver.c + * + * test driver for DTLS-SRTP functions + * + * David McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include <stdio.h> /* for printf() */ +#include "getopt_s.h" /* for local getopt() */ +#include "srtp_priv.h" + +srtp_err_status_t test_dtls_srtp(void); + +srtp_hdr_t *srtp_create_test_packet(int pkt_octet_len, uint32_t ssrc); + +void usage(char *prog_name) +{ + printf("usage: %s [ -t ][ -c ][ -v ][-d <debug_module> ]* [ -l ]\n" + " -d <mod> turn on debugging module <mod>\n" + " -l list debugging modules\n", + prog_name); + exit(1); +} + +int main(int argc, char *argv[]) +{ + unsigned do_list_mods = 0; + int q; + srtp_err_status_t err; + + printf("dtls_srtp_driver\n"); + + /* initialize srtp library */ + err = srtp_init(); + if (err) { + printf("error: srtp init failed with error code %d\n", err); + exit(1); + } + + /* process input arguments */ + while (1) { + q = getopt_s(argc, argv, "ld:"); + if (q == -1) + break; + switch (q) { + case 'l': + do_list_mods = 1; + break; + case 'd': + err = srtp_crypto_kernel_set_debug_module(optarg_s, 1); + if (err) { + printf("error: set debug module (%s) failed\n", optarg_s); + exit(1); + } + break; + default: + usage(argv[0]); + } + } + + if (do_list_mods) { + err = srtp_crypto_kernel_list_debug_modules(); + if (err) { + printf("error: list of debug modules failed\n"); + exit(1); + } + } + + printf("testing dtls_srtp..."); + err = test_dtls_srtp(); + if (err) { + printf("\nerror (code %d)\n", err); + exit(1); + } + printf("passed\n"); + + /* shut down srtp library */ + err = srtp_shutdown(); + if (err) { + printf("error: srtp shutdown failed with error code %d\n", err); + exit(1); + } + + return 0; +} + +srtp_err_status_t test_dtls_srtp(void) +{ + srtp_hdr_t *test_packet; + int test_packet_len = 80; + srtp_t s; + srtp_policy_t policy; + uint8_t key[SRTP_MAX_KEY_LEN]; + uint8_t salt[SRTP_MAX_KEY_LEN]; + unsigned int key_len, salt_len; + srtp_profile_t profile; + srtp_err_status_t err; + + memset(&policy, 0x0, sizeof(srtp_policy_t)); + + /* create a 'null' SRTP session */ + err = srtp_create(&s, NULL); + if (err) + return err; + + /* + * verify that packet-processing functions behave properly - we + * expect that these functions will return srtp_err_status_no_ctx + */ + test_packet = srtp_create_test_packet(80, 0xa5a5a5a5); + if (test_packet == NULL) + return srtp_err_status_alloc_fail; + + err = srtp_protect(s, test_packet, &test_packet_len); + if (err != srtp_err_status_no_ctx) { + printf("wrong return value from srtp_protect() (got code %d)\n", err); + return srtp_err_status_fail; + } + + err = srtp_unprotect(s, test_packet, &test_packet_len); + if (err != srtp_err_status_no_ctx) { + printf("wrong return value from srtp_unprotect() (got code %d)\n", err); + return srtp_err_status_fail; + } + + err = srtp_protect_rtcp(s, test_packet, &test_packet_len); + if (err != srtp_err_status_no_ctx) { + printf("wrong return value from srtp_protect_rtcp() (got code %d)\n", + err); + return srtp_err_status_fail; + } + + err = srtp_unprotect_rtcp(s, test_packet, &test_packet_len); + if (err != srtp_err_status_no_ctx) { + printf("wrong return value from srtp_unprotect_rtcp() (got code %d)\n", + err); + return srtp_err_status_fail; + } + + /* + * set keys to known values for testing + */ + profile = srtp_profile_aes128_cm_sha1_80; + key_len = srtp_profile_get_master_key_length(profile); + salt_len = srtp_profile_get_master_salt_length(profile); + memset(key, 0xff, key_len); + memset(salt, 0xee, salt_len); + srtp_append_salt_to_key(key, key_len, salt, salt_len); + policy.key = key; + + /* initialize SRTP policy from profile */ + err = srtp_crypto_policy_set_from_profile_for_rtp(&policy.rtp, profile); + if (err) + return err; + err = srtp_crypto_policy_set_from_profile_for_rtcp(&policy.rtcp, profile); + if (err) + return err; + policy.ssrc.type = ssrc_any_inbound; + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.next = NULL; + + err = srtp_add_stream(s, &policy); + if (err) + return err; + + err = srtp_dealloc(s); + if (err) + return err; + + free(test_packet); + + return srtp_err_status_ok; +} + +/* + * srtp_create_test_packet(len, ssrc) returns a pointer to a + * (malloced) example RTP packet whose data field has the length given + * by pkt_octet_len and the SSRC value ssrc. The total length of the + * packet is twelve octets longer, since the header is at the + * beginning. There is room at the end of the packet for a trailer, + * and the four octets following the packet are filled with 0xff + * values to enable testing for overwrites. + * + * note that the location of the test packet can (and should) be + * deallocated with the free() call once it is no longer needed. + */ + +srtp_hdr_t *srtp_create_test_packet(int pkt_octet_len, uint32_t ssrc) +{ + int i; + uint8_t *buffer; + srtp_hdr_t *hdr; + int bytes_in_hdr = 12; + + /* allocate memory for test packet */ + hdr = malloc(pkt_octet_len + bytes_in_hdr + SRTP_MAX_TRAILER_LEN + 4); + if (!hdr) + return NULL; + + hdr->version = 2; /* RTP version two */ + hdr->p = 0; /* no padding needed */ + hdr->x = 0; /* no header extension */ + hdr->cc = 0; /* no CSRCs */ + hdr->m = 0; /* marker bit */ + hdr->pt = 0xf; /* payload type */ + hdr->seq = htons(0x1234); /* sequence number */ + hdr->ts = htonl(0xdecafbad); /* timestamp */ + hdr->ssrc = htonl(ssrc); /* synch. source */ + + buffer = (uint8_t *)hdr; + buffer += bytes_in_hdr; + + /* set RTP data to 0xab */ + for (i = 0; i < pkt_octet_len; i++) + *buffer++ = 0xab; + + /* set post-data value to 0xffff to enable overrun checking */ + for (i = 0; i < SRTP_MAX_TRAILER_LEN + 4; i++) + *buffer++ = 0xff; + + return hdr; +} diff --git a/netwerk/srtp/src/test/getopt_s.c b/netwerk/srtp/src/test/getopt_s.c new file mode 100644 index 0000000000..e0bd7f77ed --- /dev/null +++ b/netwerk/srtp/src/test/getopt_s.c @@ -0,0 +1,109 @@ +/* + * getopt.c + * + * a minimal implementation of the getopt() function, written so that + * test applications that use that function can run on non-POSIX + * platforms + * + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include <stdlib.h> /* for NULL */ + +int optind_s = 0; + +char *optarg_s; + +#define GETOPT_FOUND_WITHOUT_ARGUMENT 2 +#define GETOPT_FOUND_WITH_ARGUMENT 1 +#define GETOPT_NOT_FOUND 0 + +static int getopt_check_character(char c, const char *string) +{ + unsigned int max_string_len = 128; + + while (*string != 0) { + if (max_string_len == 0) { + return GETOPT_NOT_FOUND; + } + max_string_len--; + if (*string++ == c) { + if (*string == ':') { + return GETOPT_FOUND_WITH_ARGUMENT; + } else { + return GETOPT_FOUND_WITHOUT_ARGUMENT; + } + } + } + return GETOPT_NOT_FOUND; +} + +int getopt_s(int argc, char *const argv[], const char *optstring) +{ + while (optind_s + 1 < argc) { + char *string; + + /* move 'string' on to next argument */ + optind_s++; + string = argv[optind_s]; + + if (string == NULL) + return '?'; /* NULL argument string */ + + if (string[0] != '-') + return -1; /* found an unexpected character */ + + switch (getopt_check_character(string[1], optstring)) { + case GETOPT_FOUND_WITH_ARGUMENT: + if (optind_s + 1 < argc) { + optind_s++; + optarg_s = argv[optind_s]; + return string[1]; + } else { + return '?'; /* argument missing */ + } + case GETOPT_FOUND_WITHOUT_ARGUMENT: + return string[1]; + case GETOPT_NOT_FOUND: + default: + return '?'; /* didn't find expected character */ + break; + } + } + + return -1; +} diff --git a/netwerk/srtp/src/test/rdbx_driver.c b/netwerk/srtp/src/test/rdbx_driver.c new file mode 100644 index 0000000000..3da6503719 --- /dev/null +++ b/netwerk/srtp/src/test/rdbx_driver.c @@ -0,0 +1,360 @@ +/* + * rdbx_driver.c + * + * driver for the rdbx implementation (replay database with extended range) + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> /* for printf() */ +#include "getopt_s.h" /* for local getopt() */ + +#include "rdbx.h" + +#ifdef ROC_TEST +#error "srtp_rdbx_t won't work with ROC_TEST - bitmask same size as seq_median" +#endif + +#include "ut_sim.h" + +srtp_err_status_t test_replay_dbx(int num_trials, unsigned long ws); + +double rdbx_check_adds_per_second(int num_trials, unsigned long ws); + +void usage(char *prog_name) +{ + printf("usage: %s [ -t | -v ]\n", prog_name); + exit(255); +} + +int main(int argc, char *argv[]) +{ + double rate; + srtp_err_status_t status; + int q; + unsigned do_timing_test = 0; + unsigned do_validation = 0; + + /* process input arguments */ + while (1) { + q = getopt_s(argc, argv, "tv"); + if (q == -1) + break; + switch (q) { + case 't': + do_timing_test = 1; + break; + case 'v': + do_validation = 1; + break; + default: + usage(argv[0]); + } + } + + printf("rdbx (replay database w/ extended range) test driver\n" + "David A. McGrew\n" + "Cisco Systems, Inc.\n"); + + if (!do_validation && !do_timing_test) + usage(argv[0]); + + if (do_validation) { + printf("testing srtp_rdbx_t (ws=128)...\n"); + + status = test_replay_dbx(1 << 12, 128); + if (status) { + printf("failed\n"); + exit(1); + } + printf("passed\n"); + + printf("testing srtp_rdbx_t (ws=1024)...\n"); + + status = test_replay_dbx(1 << 12, 1024); + if (status) { + printf("failed\n"); + exit(1); + } + printf("passed\n"); + } + + if (do_timing_test) { + rate = rdbx_check_adds_per_second(1 << 18, 128); + printf("rdbx_check/replay_adds per second (ws=128): %e\n", rate); + rate = rdbx_check_adds_per_second(1 << 18, 1024); + printf("rdbx_check/replay_adds per second (ws=1024): %e\n", rate); + } + + return 0; +} + +void print_rdbx(srtp_rdbx_t *rdbx) +{ + char buf[2048]; + printf("rdbx: {%llu, %s}\n", (unsigned long long)(rdbx->index), + bitvector_bit_string(&rdbx->bitmask, buf, sizeof(buf))); +} + +/* + * rdbx_check_add(rdbx, idx) checks a known-to-be-good idx against + * rdbx, then adds it. if a failure is detected (i.e., the check + * indicates that the value is already in rdbx) then + * srtp_err_status_algo_fail is returned. + * + */ + +srtp_err_status_t rdbx_check_add(srtp_rdbx_t *rdbx, uint32_t idx) +{ + int delta; + srtp_xtd_seq_num_t est; + + delta = srtp_index_guess(&rdbx->index, &est, idx); + + if (srtp_rdbx_check(rdbx, delta) != srtp_err_status_ok) { + printf("replay_check failed at index %u\n", idx); + return srtp_err_status_algo_fail; + } + + /* + * in practice, we'd authenticate the packet containing idx, using + * the estimated value est, at this point + */ + + if (srtp_rdbx_add_index(rdbx, delta) != srtp_err_status_ok) { + printf("rdbx_add_index failed at index %u\n", idx); + return srtp_err_status_algo_fail; + } + + return srtp_err_status_ok; +} + +/* + * rdbx_check_expect_failure(srtp_rdbx_t *rdbx, uint32_t idx) + * + * checks that a sequence number idx is in the replay database + * and thus will be rejected + */ + +srtp_err_status_t rdbx_check_expect_failure(srtp_rdbx_t *rdbx, uint32_t idx) +{ + int delta; + srtp_xtd_seq_num_t est; + srtp_err_status_t status; + + delta = srtp_index_guess(&rdbx->index, &est, idx); + + status = srtp_rdbx_check(rdbx, delta); + if (status == srtp_err_status_ok) { + printf("delta: %d ", delta); + printf("replay_check failed at index %u (false positive)\n", idx); + return srtp_err_status_algo_fail; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t rdbx_check_add_unordered(srtp_rdbx_t *rdbx, uint32_t idx) +{ + int delta; + srtp_xtd_seq_num_t est; + srtp_err_status_t rstat; + + delta = srtp_index_guess(&rdbx->index, &est, idx); + + rstat = srtp_rdbx_check(rdbx, delta); + if ((rstat != srtp_err_status_ok) && + (rstat != srtp_err_status_replay_old)) { + printf("replay_check_add_unordered failed at index %u\n", idx); + return srtp_err_status_algo_fail; + } + if (rstat == srtp_err_status_replay_old) { + return srtp_err_status_ok; + } + if (srtp_rdbx_add_index(rdbx, delta) != srtp_err_status_ok) { + printf("rdbx_add_index failed at index %u\n", idx); + return srtp_err_status_algo_fail; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t test_replay_dbx(int num_trials, unsigned long ws) +{ + srtp_rdbx_t rdbx; + uint32_t idx, ircvd; + ut_connection utc; + srtp_err_status_t status; + int num_fp_trials; + + status = srtp_rdbx_init(&rdbx, ws); + if (status) { + printf("replay_init failed with error code %d\n", status); + exit(1); + } + + /* + * test sequential insertion + */ + printf("\ttesting sequential insertion..."); + for (idx = 0; (int)idx < num_trials; idx++) { + status = rdbx_check_add(&rdbx, idx); + if (status) + return status; + } + printf("passed\n"); + + /* + * test for false positives by checking all of the index + * values which we've just added + * + * note that we limit the number of trials here, since allowing the + * rollover counter to roll over would defeat this test + */ + num_fp_trials = num_trials % 0x10000; + if (num_fp_trials == 0) { + printf("warning: no false positive tests performed\n"); + } + printf("\ttesting for false positives..."); + for (idx = 0; (int)idx < num_fp_trials; idx++) { + status = rdbx_check_expect_failure(&rdbx, idx); + if (status) + return status; + } + printf("passed\n"); + + /* re-initialize */ + srtp_rdbx_dealloc(&rdbx); + + if (srtp_rdbx_init(&rdbx, ws) != srtp_err_status_ok) { + printf("replay_init failed\n"); + return srtp_err_status_init_fail; + } + + /* + * test non-sequential insertion + * + * this test covers only fase negatives, since the values returned + * by ut_next_index(...) are distinct + */ + ut_init(&utc); + + printf("\ttesting non-sequential insertion..."); + for (idx = 0; (int)idx < num_trials; idx++) { + ircvd = ut_next_index(&utc); + status = rdbx_check_add_unordered(&rdbx, ircvd); + if (status) + return status; + status = rdbx_check_expect_failure(&rdbx, ircvd); + if (status) + return status; + } + printf("passed\n"); + + /* re-initialize */ + srtp_rdbx_dealloc(&rdbx); + + if (srtp_rdbx_init(&rdbx, ws) != srtp_err_status_ok) { + printf("replay_init failed\n"); + return srtp_err_status_init_fail; + } + + /* + * test insertion with large gaps. + * check for false positives for each insertion. + */ + printf("\ttesting insertion with large gaps..."); + for (idx = 0, ircvd = 0; (int)idx < num_trials; + idx++, ircvd += (1 << (rand() % 12))) { + status = rdbx_check_add(&rdbx, ircvd); + if (status) + return status; + status = rdbx_check_expect_failure(&rdbx, ircvd); + if (status) + return status; + } + printf("passed\n"); + + srtp_rdbx_dealloc(&rdbx); + + return srtp_err_status_ok; +} + +#include <time.h> /* for clock() */ +#include <stdlib.h> /* for random() */ + +double rdbx_check_adds_per_second(int num_trials, unsigned long ws) +{ + uint32_t i; + int delta; + srtp_rdbx_t rdbx; + srtp_xtd_seq_num_t est; + clock_t timer; + int failures; /* count number of failures */ + + if (srtp_rdbx_init(&rdbx, ws) != srtp_err_status_ok) { + printf("replay_init failed\n"); + exit(1); + } + + failures = 0; + timer = clock(); + for (i = 0; (int)i < num_trials; i++) { + delta = srtp_index_guess(&rdbx.index, &est, i); + + if (srtp_rdbx_check(&rdbx, delta) != srtp_err_status_ok) + ++failures; + else if (srtp_rdbx_add_index(&rdbx, delta) != srtp_err_status_ok) + ++failures; + } + timer = clock() - timer; + if (timer < 1) { + timer = 1; + } + + printf("number of failures: %d \n", failures); + + srtp_rdbx_dealloc(&rdbx); + + return (double)CLOCKS_PER_SEC * num_trials / timer; +} diff --git a/netwerk/srtp/src/test/replay_driver.c b/netwerk/srtp/src/test/replay_driver.c new file mode 100644 index 0000000000..a88224684f --- /dev/null +++ b/netwerk/srtp/src/test/replay_driver.c @@ -0,0 +1,283 @@ +/* + * replay_driver.c + * + * A driver for the replay_database implementation + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> + +#include "rdb.h" +#include "ut_sim.h" + +/* + * num_trials defines the number of trials that are used in the + * validation functions below + */ + +unsigned num_trials = 1 << 16; + +srtp_err_status_t test_rdb_db(void); + +double rdb_check_adds_per_second(void); + +int main(void) +{ + srtp_err_status_t err; + + printf("testing anti-replay database (srtp_rdb_t)...\n"); + err = test_rdb_db(); + if (err) { + printf("failed\n"); + exit(1); + } + printf("done\n"); + + printf("rdb_check/rdb_adds per second: %e\n", rdb_check_adds_per_second()); + + return 0; +} + +void print_rdb(srtp_rdb_t *rdb) +{ + printf("rdb: {%u, %s}\n", rdb->window_start, + v128_bit_string(&rdb->bitmask)); +} + +srtp_err_status_t rdb_check_add(srtp_rdb_t *rdb, uint32_t idx) +{ + if (srtp_rdb_check(rdb, idx) != srtp_err_status_ok) { + printf("rdb_check failed at index %u\n", idx); + return srtp_err_status_fail; + } + if (srtp_rdb_add_index(rdb, idx) != srtp_err_status_ok) { + printf("rdb_add_index failed at index %u\n", idx); + return srtp_err_status_fail; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t rdb_check_expect_failure(srtp_rdb_t *rdb, uint32_t idx) +{ + srtp_err_status_t err; + + err = srtp_rdb_check(rdb, idx); + if ((err != srtp_err_status_replay_old) && + (err != srtp_err_status_replay_fail)) { + printf("rdb_check failed at index %u (false positive)\n", idx); + return srtp_err_status_fail; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t rdb_check_add_unordered(srtp_rdb_t *rdb, uint32_t idx) +{ + srtp_err_status_t rstat; + + /* printf("index: %u\n", idx); */ + rstat = srtp_rdb_check(rdb, idx); + if ((rstat != srtp_err_status_ok) && + (rstat != srtp_err_status_replay_old)) { + printf("rdb_check_add_unordered failed at index %u\n", idx); + return rstat; + } + if (rstat == srtp_err_status_replay_old) { + return srtp_err_status_ok; + } + if (srtp_rdb_add_index(rdb, idx) != srtp_err_status_ok) { + printf("rdb_add_index failed at index %u\n", idx); + return srtp_err_status_fail; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t test_rdb_db() +{ + srtp_rdb_t rdb; + uint32_t idx, ircvd; + ut_connection utc; + srtp_err_status_t err; + + if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { + printf("rdb_init failed\n"); + return srtp_err_status_init_fail; + } + + /* test sequential insertion */ + for (idx = 0; idx < num_trials; idx++) { + err = rdb_check_add(&rdb, idx); + if (err) + return err; + } + + /* test for false positives */ + for (idx = 0; idx < num_trials; idx++) { + err = rdb_check_expect_failure(&rdb, idx); + if (err) + return err; + } + + /* re-initialize */ + if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { + printf("rdb_init failed\n"); + return srtp_err_status_fail; + } + + /* test non-sequential insertion */ + ut_init(&utc); + + for (idx = 0; idx < num_trials; idx++) { + ircvd = ut_next_index(&utc); + err = rdb_check_add_unordered(&rdb, ircvd); + if (err) + return err; + err = rdb_check_expect_failure(&rdb, ircvd); + if (err) + return err; + } + + /* re-initialize */ + if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { + printf("rdb_init failed\n"); + return srtp_err_status_fail; + } + + /* test insertion with large gaps */ + for (idx = 0, ircvd = 0; idx < num_trials; + idx++, ircvd += (1 << (rand() % 10))) { + err = rdb_check_add(&rdb, ircvd); + if (err) + return err; + err = rdb_check_expect_failure(&rdb, ircvd); + if (err) + return err; + } + + /* re-initialize */ + if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { + printf("rdb_init failed\n"); + return srtp_err_status_fail; + } + + /* test loss of first 513 packets */ + for (idx = 0; idx < num_trials; idx++) { + err = rdb_check_add(&rdb, idx + 513); + if (err) + return err; + } + + /* test for false positives */ + for (idx = 0; idx < num_trials + 513; idx++) { + err = rdb_check_expect_failure(&rdb, idx); + if (err) + return err; + } + + /* test for key expired */ + if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { + printf("rdb_init failed\n"); + return srtp_err_status_fail; + } + rdb.window_start = 0x7ffffffe; + if (srtp_rdb_increment(&rdb) != srtp_err_status_ok) { + printf("srtp_rdb_increment of 0x7ffffffe failed\n"); + return srtp_err_status_fail; + } + if (srtp_rdb_get_value(&rdb) != 0x7fffffff) { + printf("rdb valiue was not 0x7fffffff\n"); + return srtp_err_status_fail; + } + if (srtp_rdb_increment(&rdb) != srtp_err_status_key_expired) { + printf("srtp_rdb_increment of 0x7fffffff did not return " + "srtp_err_status_key_expired\n"); + return srtp_err_status_fail; + } + if (srtp_rdb_get_value(&rdb) != 0x7fffffff) { + printf("rdb valiue was not 0x7fffffff\n"); + return srtp_err_status_fail; + } + + return srtp_err_status_ok; +} + +#include <time.h> /* for clock() */ +#include <stdlib.h> /* for random() */ + +#define REPLAY_NUM_TRIALS 10000000 + +double rdb_check_adds_per_second(void) +{ + uint32_t i; + srtp_rdb_t rdb; + clock_t timer; + int failures = 0; /* count number of failures */ + + if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { + printf("rdb_init failed\n"); + exit(1); + } + + timer = clock(); + for (i = 0; i < REPLAY_NUM_TRIALS; i += 3) { + if (srtp_rdb_check(&rdb, i + 2) != srtp_err_status_ok) + ++failures; + if (srtp_rdb_add_index(&rdb, i + 2) != srtp_err_status_ok) + ++failures; + if (srtp_rdb_check(&rdb, i + 1) != srtp_err_status_ok) + ++failures; + if (srtp_rdb_add_index(&rdb, i + 1) != srtp_err_status_ok) + ++failures; + if (srtp_rdb_check(&rdb, i) != srtp_err_status_ok) + ++failures; + if (srtp_rdb_add_index(&rdb, i) != srtp_err_status_ok) + ++failures; + } + timer = clock() - timer; + + return (double)CLOCKS_PER_SEC * REPLAY_NUM_TRIALS / timer; +} diff --git a/netwerk/srtp/src/test/roc_driver.c b/netwerk/srtp/src/test/roc_driver.c new file mode 100644 index 0000000000..439862039a --- /dev/null +++ b/netwerk/srtp/src/test/roc_driver.c @@ -0,0 +1,170 @@ +/* + * roc_driver.c + * + * test driver for rollover counter replay implementation + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> + +/* + * defining ROC_TEST causes small datatypes to be used in + * srtp_xtd_seq_num_t - this allows the functions to be exhaustively tested. + */ +#if ROC_NEEDS_TO_BE_TESTED +#define ROC_TEST +#endif + +#include "rdbx.h" +#include "ut_sim.h" + +srtp_err_status_t roc_test(int num_trials); + +int main(void) +{ + srtp_err_status_t status; + + printf("rollover counter test driver\n" + "David A. McGrew\n" + "Cisco Systems, Inc.\n"); + + printf("testing index functions..."); + status = roc_test(1 << 18); + if (status) { + printf("failed\n"); + exit(status); + } + printf("passed\n"); + return 0; +} + +#define ROC_VERBOSE 0 + +srtp_err_status_t roc_test(int num_trials) +{ + srtp_xtd_seq_num_t local, est, ref; + ut_connection utc; + int i, num_bad_est = 0; + int delta; + uint32_t ircvd; + double failure_rate; + + srtp_index_init(&local); + srtp_index_init(&ref); + srtp_index_init(&est); + + printf("\n\ttesting sequential insertion..."); + for (i = 0; i < 2048; i++) { + srtp_index_guess(&local, &est, (uint16_t)ref); +#if ROC_VERBOSE + printf("%lld, %lld, %d\n", ref, est, i); +#endif + if (ref != est) { +#if ROC_VERBOSE + printf(" *bad estimate*\n"); +#endif + ++num_bad_est; + } + srtp_index_advance(&ref, 1); + } + failure_rate = (double)num_bad_est / num_trials; + if (failure_rate > 0.01) { + printf("error: failure rate too high (%d bad estimates in %d trials)\n", + num_bad_est, num_trials); + return srtp_err_status_algo_fail; + } + printf("done\n"); + + printf("\ttesting non-sequential insertion..."); + srtp_index_init(&local); + srtp_index_init(&ref); + srtp_index_init(&est); + ut_init(&utc); + + for (i = 0; i < num_trials; i++) { + /* get next seq num from unreliable transport simulator */ + ircvd = ut_next_index(&utc); + + /* set ref to value of ircvd */ + ref = ircvd; + + /* estimate index based on low bits of ircvd */ + delta = srtp_index_guess(&local, &est, (uint16_t)ref); +#if ROC_VERBOSE + printf("ref: %lld, local: %lld, est: %lld, ircvd: %d, delta: %d\n", ref, + local, est, ircvd, delta); +#endif + + if (local + delta != est) { + printf(" *bad delta*: local %llu + delta %d != est %llu\n", + (unsigned long long)local, delta, (unsigned long long)est); + return srtp_err_status_algo_fail; + } + + /* now update local srtp_xtd_seq_num_t as necessary */ + if (delta > 0) + srtp_index_advance(&local, delta); + + if (ref != est) { +#if ROC_VERBOSE + printf(" *bad estimate*\n"); +#endif + /* record failure event */ + ++num_bad_est; + + /* reset local value to correct value */ + local = ref; + } + } + failure_rate = (double)num_bad_est / num_trials; + if (failure_rate > 0.01) { + printf("error: failure rate too high (%d bad estimates in %d trials)\n", + num_bad_est, num_trials); + return srtp_err_status_algo_fail; + } + printf("done\n"); + + return srtp_err_status_ok; +} diff --git a/netwerk/srtp/src/test/rtp.c b/netwerk/srtp/src/test/rtp.c new file mode 100644 index 0000000000..f60a9b11b2 --- /dev/null +++ b/netwerk/srtp/src/test/rtp.c @@ -0,0 +1,227 @@ +/* + * rtp.c + * + * library functions for the real-time transport protocol + * + * David A. McGrew + * Cisco Systems, Inc. + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include "rtp.h" + +#include <stdio.h> +#include <string.h> + +#include <sys/types.h> +#ifdef HAVE_SYS_SOCKET_H +#include <sys/socket.h> +#endif + +#define PRINT_DEBUG 0 /* set to 1 to print out debugging data */ +#define VERBOSE_DEBUG 0 /* set to 1 to print out more data */ + +int rtp_sendto(rtp_sender_t sender, const void *msg, int len) +{ + int octets_sent; + srtp_err_status_t stat; + int pkt_len = len + RTP_HEADER_LEN; + + /* marshal data */ + strncpy(sender->message.body, msg, len); + + /* update header */ + sender->message.header.seq = ntohs(sender->message.header.seq) + 1; + sender->message.header.seq = htons(sender->message.header.seq); + sender->message.header.ts = ntohl(sender->message.header.ts) + 1; + sender->message.header.ts = htonl(sender->message.header.ts); + + /* apply srtp */ + stat = srtp_protect(sender->srtp_ctx, &sender->message.header, &pkt_len); + if (stat) { +#if PRINT_DEBUG + fprintf(stderr, "error: srtp protection failed with code %d\n", stat); +#endif + return -1; + } +#if VERBOSE_DEBUG + srtp_print_packet(&sender->message.header, pkt_len); +#endif + octets_sent = + sendto(sender->socket, (void *)&sender->message, pkt_len, 0, + (struct sockaddr *)&sender->addr, sizeof(struct sockaddr_in)); + + if (octets_sent != pkt_len) { +#if PRINT_DEBUG + fprintf(stderr, "error: couldn't send message %s", (char *)msg); + perror(""); +#endif + } + + return octets_sent; +} + +int rtp_recvfrom(rtp_receiver_t receiver, void *msg, int *len) +{ + int octets_recvd; + srtp_err_status_t stat; + + octets_recvd = recvfrom(receiver->socket, (void *)&receiver->message, *len, + 0, (struct sockaddr *)NULL, 0); + + if (octets_recvd == -1) { + *len = 0; + return -1; + } + + /* verify rtp header */ + if (receiver->message.header.version != 2) { + *len = 0; + return -1; + } + +#if PRINT_DEBUG + fprintf(stderr, "%d octets received from SSRC %u\n", octets_recvd, + receiver->message.header.ssrc); +#endif +#if VERBOSE_DEBUG + srtp_print_packet(&receiver->message.header, octets_recvd); +#endif + + /* apply srtp */ + stat = srtp_unprotect(receiver->srtp_ctx, &receiver->message.header, + &octets_recvd); + if (stat) { + fprintf(stderr, "error: srtp unprotection failed with code %d%s\n", + stat, + stat == srtp_err_status_replay_fail + ? " (replay check failed)" + : stat == srtp_err_status_auth_fail ? " (auth check failed)" + : ""); + return -1; + } + strncpy(msg, receiver->message.body, octets_recvd); + + return octets_recvd; +} + +int rtp_sender_init(rtp_sender_t sender, + int sock, + struct sockaddr_in addr, + unsigned int ssrc) +{ + /* set header values */ + sender->message.header.ssrc = htonl(ssrc); + sender->message.header.ts = 0; + sender->message.header.seq = (uint16_t)rand(); + sender->message.header.m = 0; + sender->message.header.pt = 0x1; + sender->message.header.version = 2; + sender->message.header.p = 0; + sender->message.header.x = 0; + sender->message.header.cc = 0; + + /* set other stuff */ + sender->socket = sock; + sender->addr = addr; + + return 0; +} + +int rtp_receiver_init(rtp_receiver_t rcvr, + int sock, + struct sockaddr_in addr, + unsigned int ssrc) +{ + /* set header values */ + rcvr->message.header.ssrc = htonl(ssrc); + rcvr->message.header.ts = 0; + rcvr->message.header.seq = 0; + rcvr->message.header.m = 0; + rcvr->message.header.pt = 0x1; + rcvr->message.header.version = 2; + rcvr->message.header.p = 0; + rcvr->message.header.x = 0; + rcvr->message.header.cc = 0; + + /* set other stuff */ + rcvr->socket = sock; + rcvr->addr = addr; + + return 0; +} + +int rtp_sender_init_srtp(rtp_sender_t sender, const srtp_policy_t *policy) +{ + return srtp_create(&sender->srtp_ctx, policy); +} + +int rtp_sender_deinit_srtp(rtp_sender_t sender) +{ + return srtp_dealloc(sender->srtp_ctx); +} + +int rtp_receiver_init_srtp(rtp_receiver_t sender, const srtp_policy_t *policy) +{ + return srtp_create(&sender->srtp_ctx, policy); +} + +int rtp_receiver_deinit_srtp(rtp_receiver_t sender) +{ + return srtp_dealloc(sender->srtp_ctx); +} + +rtp_sender_t rtp_sender_alloc(void) +{ + return (rtp_sender_t)malloc(sizeof(rtp_sender_ctx_t)); +} + +void rtp_sender_dealloc(rtp_sender_t rtp_ctx) +{ + free(rtp_ctx); +} + +rtp_receiver_t rtp_receiver_alloc(void) +{ + return (rtp_receiver_t)malloc(sizeof(rtp_receiver_ctx_t)); +} + +void rtp_receiver_dealloc(rtp_receiver_t rtp_ctx) +{ + free(rtp_ctx); +} diff --git a/netwerk/srtp/src/test/rtp.h b/netwerk/srtp/src/test/rtp.h new file mode 100644 index 0000000000..37921a665c --- /dev/null +++ b/netwerk/srtp/src/test/rtp.h @@ -0,0 +1,155 @@ +/* + * rtp.h + * + * rtp interface for srtp reference implementation + * + * David A. McGrew + * Cisco Systems, Inc. + * + * data types: + * + * rtp_msg_t an rtp message (the data that goes on the wire) + * rtp_sender_t sender side socket and rtp info + * rtp_receiver_t receiver side socket and rtp info + * + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef SRTP_RTP_H +#define SRTP_RTP_H + +#ifdef HAVE_NETINET_IN_H +#include <netinet/in.h> +#elif defined HAVE_WINSOCK2_H +#include <winsock2.h> +#endif + +#include "srtp_priv.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * RTP_HEADER_LEN indicates the size of an RTP header + */ +#define RTP_HEADER_LEN 12 + +/* + * RTP_MAX_BUF_LEN defines the largest RTP packet in the rtp.c implementation + */ +#define RTP_MAX_BUF_LEN 16384 + +typedef srtp_hdr_t rtp_hdr_t; + +typedef struct { + srtp_hdr_t header; + char body[RTP_MAX_BUF_LEN]; +} rtp_msg_t; + +typedef struct rtp_sender_ctx_t { + rtp_msg_t message; + int socket; + srtp_ctx_t *srtp_ctx; + struct sockaddr_in addr; /* reciever's address */ +} rtp_sender_ctx_t; + +typedef struct rtp_receiver_ctx_t { + rtp_msg_t message; + int socket; + srtp_ctx_t *srtp_ctx; + struct sockaddr_in addr; /* receiver's address */ +} rtp_receiver_ctx_t; + +typedef struct rtp_sender_ctx_t *rtp_sender_t; + +typedef struct rtp_receiver_ctx_t *rtp_receiver_t; + +int rtp_sendto(rtp_sender_t sender, const void *msg, int len); + +int rtp_recvfrom(rtp_receiver_t receiver, void *msg, int *len); + +int rtp_receiver_init(rtp_receiver_t rcvr, + int sock, + struct sockaddr_in addr, + unsigned int ssrc); + +int rtp_sender_init(rtp_sender_t sender, + int sock, + struct sockaddr_in addr, + unsigned int ssrc); + +/* + * srtp_sender_init(...) initializes an rtp_sender_t + */ + +int srtp_sender_init( + rtp_sender_t rtp_ctx, /* structure to be init'ed */ + struct sockaddr_in name, /* socket name */ + srtp_sec_serv_t security_services, /* sec. servs. to be used */ + unsigned char *input_key /* master key/salt in hex */ + ); + +int srtp_receiver_init( + rtp_receiver_t rtp_ctx, /* structure to be init'ed */ + struct sockaddr_in name, /* socket name */ + srtp_sec_serv_t security_services, /* sec. servs. to be used */ + unsigned char *input_key /* master key/salt in hex */ + ); + +int rtp_sender_init_srtp(rtp_sender_t sender, const srtp_policy_t *policy); + +int rtp_sender_deinit_srtp(rtp_sender_t sender); + +int rtp_receiver_init_srtp(rtp_receiver_t sender, const srtp_policy_t *policy); + +int rtp_receiver_deinit_srtp(rtp_receiver_t sender); + +rtp_sender_t rtp_sender_alloc(void); + +void rtp_sender_dealloc(rtp_sender_t rtp_ctx); + +rtp_receiver_t rtp_receiver_alloc(void); + +void rtp_receiver_dealloc(rtp_receiver_t rtp_ctx); + +#ifdef __cplusplus +} +#endif + +#endif /* SRTP_RTP_H */ diff --git a/netwerk/srtp/src/test/rtp_decoder.c b/netwerk/srtp/src/test/rtp_decoder.c new file mode 100644 index 0000000000..d718a2b3ad --- /dev/null +++ b/netwerk/srtp/src/test/rtp_decoder.c @@ -0,0 +1,574 @@ +/* + * rtp_decoder.c + * + * decoder structures and functions for SRTP pcap decoder + * + * Example: + * $ wget --no-check-certificate \ + * https://raw.githubusercontent.com/gteissier/srtp-decrypt/master/marseillaise-srtp.pcap + * $ ./test/rtp_decoder -a -t 10 -e 128 -b \ + * aSBrbm93IGFsbCB5b3VyIGxpdHRsZSBzZWNyZXRz \ + * < ~/marseillaise-srtp.pcap \ + * | text2pcap -t "%M:%S." -u 10000,10000 - - \ + * > ./marseillaise-rtp.pcap + * + * There is also a different way of setting up key size and tag size + * based upon RFC 4568 crypto suite specification, i.e.: + * + * $ ./test/rtp_decoder -s AES_CM_128_HMAC_SHA1_80 -b \ + * aSBrbm93IGFsbCB5b3VyIGxpdHRsZSBzZWNyZXRz ... + * + * Audio can be extracted using extractaudio utility from the RTPproxy + * package: + * + * $ extractaudio -A ./marseillaise-rtp.pcap ./marseillaise-out.wav + * + * Bernardo Torres <bernardo@torresautomacao.com.br> + * + * Some structure and code from https://github.com/gteissier/srtp-decrypt + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +#include "getopt_s.h" /* for local getopt() */ +#include <assert.h> /* for assert() */ + +#include <pcap.h> +#include "rtp_decoder.h" +#include "util.h" + +#ifndef timersub +#define timersub(a, b, result) \ + do { \ + (result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \ + (result)->tv_usec = (a)->tv_usec - (b)->tv_usec; \ + if ((result)->tv_usec < 0) { \ + --(result)->tv_sec; \ + (result)->tv_usec += 1000000; \ + } \ + } while (0) +#endif + +#define MAX_KEY_LEN 96 +#define MAX_FILTER 256 + +struct srtp_crypto_suite { + const char *can_name; + int key_size; + int tag_size; +}; + +static struct srtp_crypto_suite srtp_crypto_suites[] = { + {.can_name = "AES_CM_128_HMAC_SHA1_32", .key_size = 128, .tag_size = 4 }, +#if 0 + {.can_name = "F8_128_HMAC_SHA1_32", .key_size = 128, .tag_size = 4}, +#endif + {.can_name = "AES_CM_128_HMAC_SHA1_32", .key_size = 128, .tag_size = 4 }, + {.can_name = "AES_CM_128_HMAC_SHA1_80", .key_size = 128, .tag_size = 10 }, + {.can_name = NULL } +}; + +int main(int argc, char *argv[]) +{ + char errbuf[PCAP_ERRBUF_SIZE]; + bpf_u_int32 pcap_net = 0; + pcap_t *pcap_handle; +#if BEW + struct sockaddr_in local; +#endif + srtp_sec_serv_t sec_servs = sec_serv_none; + int c; + struct srtp_crypto_suite scs, *i_scsp; + scs.key_size = 128; + scs.tag_size = 8; + int gcm_on = 0; + char *input_key = NULL; + int b64_input = 0; + char key[MAX_KEY_LEN]; + struct bpf_program fp; + char filter_exp[MAX_FILTER] = ""; + rtp_decoder_t dec; + srtp_policy_t policy; + srtp_err_status_t status; + int len; + int expected_len; + int do_list_mods = 0; + + fprintf(stderr, "Using %s [0x%x]\n", srtp_get_version_string(), + srtp_get_version()); + + /* initialize srtp library */ + status = srtp_init(); + if (status) { + fprintf(stderr, + "error: srtp initialization failed with error code %d\n", + status); + exit(1); + } + + /* check args */ + while (1) { + c = getopt_s(argc, argv, "b:k:gt:ae:ld:f:s:"); + if (c == -1) { + break; + } + switch (c) { + case 'b': + b64_input = 1; + /* fall thru */ + case 'k': + input_key = optarg_s; + break; + case 'e': + scs.key_size = atoi(optarg_s); + if (scs.key_size != 128 && scs.key_size != 256) { + fprintf(stderr, + "error: encryption key size must be 128 or 256 (%d)\n", + scs.key_size); + exit(1); + } + input_key = malloc(scs.key_size); + sec_servs |= sec_serv_conf; + break; + case 't': + scs.tag_size = atoi(optarg_s); + break; + case 'a': + sec_servs |= sec_serv_auth; + break; + case 'g': + gcm_on = 1; + sec_servs |= sec_serv_auth; + break; + case 'd': + status = srtp_crypto_kernel_set_debug_module(optarg_s, 1); + if (status) { + fprintf(stderr, "error: set debug module (%s) failed\n", + optarg_s); + exit(1); + } + break; + case 'f': + if (strlen(optarg_s) > MAX_FILTER) { + fprintf(stderr, "error: filter bigger than %d characters\n", + MAX_FILTER); + exit(1); + } + fprintf(stderr, "Setting filter as %s\n", optarg_s); + strcpy(filter_exp, optarg_s); + break; + case 'l': + do_list_mods = 1; + break; + case 's': + for (i_scsp = &srtp_crypto_suites[0]; i_scsp->can_name != NULL; + i_scsp++) { + if (strcasecmp(i_scsp->can_name, optarg_s) == 0) { + break; + } + } + if (i_scsp->can_name == NULL) { + fprintf(stderr, "Unknown/unsupported crypto suite name %s\n", + optarg_s); + exit(1); + } + scs = *i_scsp; + input_key = malloc(scs.key_size); + sec_servs |= sec_serv_conf | sec_serv_auth; + break; + default: + usage(argv[0]); + } + } + + if (gcm_on && scs.tag_size != 8 && scs.tag_size != 16) { + fprintf(stderr, "error: GCM tag size must be 8 or 16 (%d)\n", + scs.tag_size); + // exit(1); + } + + if (do_list_mods) { + status = srtp_crypto_kernel_list_debug_modules(); + if (status) { + fprintf(stderr, "error: list of debug modules failed\n"); + exit(1); + } + return 0; + } + + if ((sec_servs && !input_key) || (!sec_servs && input_key)) { + /* + * a key must be provided if and only if security services have + * been requested + */ + if (input_key == NULL) { + fprintf(stderr, "key not provided\n"); + } + if (!sec_servs) { + fprintf(stderr, "no secservs\n"); + } + fprintf(stderr, "provided\n"); + usage(argv[0]); + } + + /* report security services selected on the command line */ + fprintf(stderr, "security services: "); + if (sec_servs & sec_serv_conf) + fprintf(stderr, "confidentiality "); + if (sec_servs & sec_serv_auth) + fprintf(stderr, "message authentication"); + if (sec_servs == sec_serv_none) + fprintf(stderr, "none"); + fprintf(stderr, "\n"); + + /* set up the srtp policy and master key */ + if (sec_servs) { + /* + * create policy structure, using the default mechanisms but + * with only the security services requested on the command line, + * using the right SSRC value + */ + switch (sec_servs) { + case sec_serv_conf_and_auth: + if (gcm_on) { +#ifdef OPENSSL + switch (scs.key_size) { + case 128: + srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtcp); + break; + } +#else + fprintf(stderr, "error: GCM mode only supported when using the " + "OpenSSL crypto engine.\n"); + return 0; +#endif + } else { + switch (scs.key_size) { + case 128: + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + } + } + break; + case sec_serv_conf: + if (gcm_on) { + fprintf( + stderr, + "error: GCM mode must always be used with auth enabled\n"); + return -1; + } else { + switch (scs.key_size) { + case 128: + srtp_crypto_policy_set_aes_cm_128_null_auth(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_cm_256_null_auth(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + } + } + break; + case sec_serv_auth: + if (gcm_on) { +#ifdef OPENSSL + switch (scs.key_size) { + case 128: + srtp_crypto_policy_set_aes_gcm_128_8_only_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_128_8_only_auth( + &policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_gcm_256_8_only_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_256_8_only_auth( + &policy.rtcp); + break; + } +#else + printf("error: GCM mode only supported when using the OpenSSL " + "crypto engine.\n"); + return 0; +#endif + } else { + srtp_crypto_policy_set_null_cipher_hmac_sha1_80(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + } + break; + default: + fprintf(stderr, "error: unknown security service requested\n"); + return -1; + } + + policy.key = (uint8_t *)key; + policy.ekt = NULL; + policy.next = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.rtp.sec_serv = sec_servs; + policy.rtcp.sec_serv = + sec_servs; // sec_serv_none; /* we don't do RTCP anyway */ + fprintf(stderr, "setting tag len %d\n", scs.tag_size); + policy.rtp.auth_tag_len = scs.tag_size; + + if (gcm_on && scs.tag_size != 8) { + fprintf(stderr, "setted tag len %d\n", scs.tag_size); + policy.rtp.auth_tag_len = scs.tag_size; + } + + /* + * read key from hexadecimal or base64 on command line into an octet + * string + */ + if (b64_input) { + int pad; + expected_len = policy.rtp.cipher_key_len * 4 / 3; + len = base64_string_to_octet_string(key, &pad, input_key, + expected_len); + if (pad != 0) { + fprintf(stderr, "error: padding in base64 unexpected\n"); + exit(1); + } + } else { + expected_len = policy.rtp.cipher_key_len * 2; + len = hex_string_to_octet_string(key, input_key, expected_len); + } + /* check that hex string is the right length */ + if (len < expected_len) { + fprintf(stderr, "error: too few digits in key/salt " + "(should be %d digits, found %d)\n", + expected_len, len); + exit(1); + } + if (strlen(input_key) > policy.rtp.cipher_key_len * 2) { + fprintf(stderr, "error: too many digits in key/salt " + "(should be %d hexadecimal digits, found %u)\n", + policy.rtp.cipher_key_len * 2, (unsigned)strlen(input_key)); + exit(1); + } + + fprintf(stderr, "set master key/salt to %s/", + octet_string_hex_string(key, 16)); + fprintf(stderr, "%s\n", octet_string_hex_string(key + 16, 14)); + + } else { + fprintf(stderr, + "error: neither encryption or authentication were selected"); + exit(1); + } + + pcap_handle = pcap_open_offline("-", errbuf); + + if (!pcap_handle) { + fprintf(stderr, "libpcap failed to open file '%s'\n", errbuf); + exit(1); + } + assert(pcap_handle != NULL); + if ((pcap_compile(pcap_handle, &fp, filter_exp, 1, pcap_net)) == -1) { + fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, + pcap_geterr(pcap_handle)); + return (2); + } + if (pcap_setfilter(pcap_handle, &fp) == -1) { + fprintf(stderr, "couldn't install filter %s: %s\n", filter_exp, + pcap_geterr(pcap_handle)); + return (2); + } + dec = rtp_decoder_alloc(); + if (dec == NULL) { + fprintf(stderr, "error: malloc() failed\n"); + exit(1); + } + fprintf(stderr, "Starting decoder\n"); + rtp_decoder_init(dec, policy); + + pcap_loop(pcap_handle, 0, rtp_decoder_handle_pkt, (u_char *)dec); + + rtp_decoder_deinit_srtp(dec); + rtp_decoder_dealloc(dec); + + status = srtp_shutdown(); + if (status) { + fprintf(stderr, "error: srtp shutdown failed with error code %d\n", + status); + exit(1); + } + + return 0; +} + +void usage(char *string) +{ + fprintf( + stderr, + "usage: %s [-d <debug>]* [[-k][-b] <key> [-a][-e]]\n" + "or %s -l\n" + "where -a use message authentication\n" + " -e <key size> use encryption (use 128 or 256 for key size)\n" + " -g Use AES-GCM mode (must be used with -e)\n" + " -t <tag size> Tag size to use (in GCM mode use 8 or 16)\n" + " -k <key> sets the srtp master key given in hexadecimal\n" + " -b <key> sets the srtp master key given in base64\n" + " -l list debug modules\n" + " -f \"<pcap filter>\" to filter only the desired SRTP packets\n" + " -d <debug> turn on debugging for module <debug>\n" + " -s \"<srtp-crypto-suite>\" to set both key and tag size based\n" + " on RFC4568-style crypto suite specification\n", + string, string); + exit(1); +} + +rtp_decoder_t rtp_decoder_alloc(void) +{ + return (rtp_decoder_t)malloc(sizeof(rtp_decoder_ctx_t)); +} + +void rtp_decoder_dealloc(rtp_decoder_t rtp_ctx) +{ + free(rtp_ctx); +} + +srtp_err_status_t rtp_decoder_init_srtp(rtp_decoder_t decoder, + unsigned int ssrc) +{ + decoder->policy.ssrc.value = htonl(ssrc); + return srtp_create(&decoder->srtp_ctx, &decoder->policy); +} + +int rtp_decoder_deinit_srtp(rtp_decoder_t decoder) +{ + return srtp_dealloc(decoder->srtp_ctx); +} + +int rtp_decoder_init(rtp_decoder_t dcdr, srtp_policy_t policy) +{ + dcdr->rtp_offset = DEFAULT_RTP_OFFSET; + dcdr->srtp_ctx = NULL; + dcdr->start_tv.tv_usec = 0; + dcdr->start_tv.tv_sec = 0; + dcdr->frame_nr = -1; + dcdr->policy = policy; + dcdr->policy.ssrc.type = ssrc_specific; + return 0; +} + +/* + * decodes key as base64 + */ + +void hexdump(const void *ptr, size_t size) +{ + int i, j; + const unsigned char *cptr = ptr; + + for (i = 0; i < size; i += 16) { + fprintf(stdout, "%04x ", i); + for (j = 0; j < 16 && i + j < size; j++) { + fprintf(stdout, "%02x ", cptr[i + j]); + } + fprintf(stdout, "\n"); + } +} + +void rtp_decoder_handle_pkt(u_char *arg, + const struct pcap_pkthdr *hdr, + const u_char *bytes) +{ + rtp_decoder_t dcdr = (rtp_decoder_t)arg; + int pktsize; + struct timeval delta; + int octets_recvd; + srtp_err_status_t status; + dcdr->frame_nr++; + + if ((dcdr->start_tv.tv_sec == 0) && (dcdr->start_tv.tv_usec == 0)) { + dcdr->start_tv = hdr->ts; + } + + if (hdr->caplen < dcdr->rtp_offset) { + return; + } + const void *rtp_packet = bytes + dcdr->rtp_offset; + + memcpy((void *)&dcdr->message, rtp_packet, hdr->caplen - dcdr->rtp_offset); + pktsize = hdr->caplen - dcdr->rtp_offset; + octets_recvd = pktsize; + + if (octets_recvd == -1) { + return; + } + + /* verify rtp header */ + if (dcdr->message.header.version != 2) { + return; + } + if (dcdr->srtp_ctx == NULL) { + status = rtp_decoder_init_srtp(dcdr, dcdr->message.header.ssrc); + if (status) { + exit(1); + } + } + status = srtp_unprotect(dcdr->srtp_ctx, &dcdr->message, &octets_recvd); + if (status) { + return; + } + timersub(&hdr->ts, &dcdr->start_tv, &delta); + fprintf(stdout, "%02ld:%02ld.%06ld\n", delta.tv_sec / 60, delta.tv_sec % 60, + (long)delta.tv_usec); + hexdump(&dcdr->message, octets_recvd); +} + +void rtp_print_error(srtp_err_status_t status, char *message) +{ + // clang-format off + fprintf(stderr, + "error: %s %d%s\n", message, status, + status == srtp_err_status_replay_fail ? " (replay check failed)" : + status == srtp_err_status_bad_param ? " (bad param)" : + status == srtp_err_status_no_ctx ? " (no context)" : + status == srtp_err_status_cipher_fail ? " (cipher failed)" : + status == srtp_err_status_key_expired ? " (key expired)" : + status == srtp_err_status_auth_fail ? " (auth check failed)" : ""); + // clang-format on +} diff --git a/netwerk/srtp/src/test/rtp_decoder.h b/netwerk/srtp/src/test/rtp_decoder.h new file mode 100644 index 0000000000..c8c31dd773 --- /dev/null +++ b/netwerk/srtp/src/test/rtp_decoder.h @@ -0,0 +1,105 @@ +/* + * rtp_decoder.h + * + * decoder structures and functions for SRTP pcap decoder + * + * Bernardo Torres <bernardo@torresautomacao.com.br> + * + * Some structure and code from https://github.com/gteissier/srtp-decrypt + * + */ +/* + * + * Copyright (c) 2001-2017 Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef RTP_DECODER_H +#define RTP_DECODER_H + +#include "srtp_priv.h" +#include "rtp.h" + +#define DEFAULT_RTP_OFFSET 42 + +typedef struct rtp_decoder_ctx_t { + srtp_policy_t policy; + srtp_ctx_t *srtp_ctx; + int rtp_offset; + struct timeval start_tv; + int frame_nr; + rtp_msg_t message; +} rtp_decoder_ctx_t; + +typedef struct rtp_decoder_ctx_t *rtp_decoder_t; + +/* + * error to string + */ +void rtp_print_error(srtp_err_status_t status, char *message); + +/* + * prints the output of a random buffer in hexadecimal + */ +void hexdump(const void *ptr, size_t size); + +/* + * the function usage() prints an error message describing how this + * program should be called, then calls exit() + */ +void usage(char *prog_name); + +/* + * transforms base64 key into octet + */ +char *decode_sdes(char *in, char *out); + +/* + * pcap handling + */ +void rtp_decoder_handle_pkt(u_char *arg, + const struct pcap_pkthdr *hdr, + const u_char *bytes); + +rtp_decoder_t rtp_decoder_alloc(void); + +void rtp_decoder_dealloc(rtp_decoder_t rtp_ctx); + +int rtp_decoder_init(rtp_decoder_t dcdr, srtp_policy_t policy); + +srtp_err_status_t rtp_decoder_init_srtp(rtp_decoder_t decoder, + unsigned int ssrc); + +int rtp_decoder_deinit_srtp(rtp_decoder_t decoder); + +#endif /* RTP_DECODER_H */ diff --git a/netwerk/srtp/src/test/rtpw.c b/netwerk/srtp/src/test/rtpw.c new file mode 100644 index 0000000000..901816e46d --- /dev/null +++ b/netwerk/srtp/src/test/rtpw.c @@ -0,0 +1,701 @@ +/* + * rtpw.c + * + * rtp word sender/receiver + * + * David A. McGrew + * Cisco Systems, Inc. + * + * This app is a simple RTP application intended only for testing + * libsrtp. It reads one word at a time from words.txt (or + * whatever file is specified as DICT_FILE or with -w), and sends one word out + * each USEC_RATE microseconds. Secure RTP protections can be + * applied. See the usage() function for more details. + * + */ + +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include "getopt_s.h" /* for local getopt() */ + +#include <stdio.h> /* for printf, fprintf */ +#include <stdlib.h> /* for atoi() */ +#include <errno.h> +#include <signal.h> /* for signal() */ + +#include <string.h> /* for strncpy() */ +#include <time.h> /* for usleep() */ + +#ifdef HAVE_UNISTD_H +#include <unistd.h> /* for close() */ +#elif defined(_MSC_VER) +#include <io.h> /* for _close() */ +#define close _close +#endif +#ifdef HAVE_SYS_SOCKET_H +#include <sys/socket.h> +#endif +#ifdef HAVE_NETINET_IN_H +#include <netinet/in.h> +#elif defined HAVE_WINSOCK2_H +#include <winsock2.h> +#include <ws2tcpip.h> +#define RTPW_USE_WINSOCK2 1 +#endif +#ifdef HAVE_ARPA_INET_H +#include <arpa/inet.h> +#endif + +#include "srtp.h" +#include "rtp.h" +#include "util.h" + +#define DICT_FILE "words.txt" +#define USEC_RATE (5e5) +#define MAX_WORD_LEN 128 +#define ADDR_IS_MULTICAST(a) IN_MULTICAST(htonl(a)) +#define MAX_KEY_LEN 96 + +#ifndef HAVE_USLEEP +#ifdef HAVE_WINDOWS_H +#define usleep(us) Sleep((us) / 1000) +#else +#define usleep(us) sleep((us) / 1000000) +#endif +#endif + +/* + * the function usage() prints an error message describing how this + * program should be called, then calls exit() + */ + +void usage(char *prog_name); + +/* + * leave_group(...) de-registers from a multicast group + */ + +void leave_group(int sock, struct ip_mreq mreq, char *name); + +/* + * setup_signal_handler() sets up a signal handler to trigger + * cleanups after an interrupt + */ +int setup_signal_handler(char *name); + +/* + * handle_signal(...) handles interrupt signal to trigger cleanups + */ + +volatile int interrupted = 0; + +/* + * program_type distinguishes the [s]rtp sender and receiver cases + */ + +typedef enum { sender, receiver, unknown } program_type; + +int main(int argc, char *argv[]) +{ + char *dictfile = DICT_FILE; + FILE *dict; + char word[MAX_WORD_LEN]; + int sock, ret; + struct in_addr rcvr_addr; + struct sockaddr_in name; + struct ip_mreq mreq; +#if BEW + struct sockaddr_in local; +#endif + program_type prog_type = unknown; + srtp_sec_serv_t sec_servs = sec_serv_none; + unsigned char ttl = 5; + int c; + int key_size = 128; + int tag_size = 8; + int gcm_on = 0; + char *input_key = NULL; + int b64_input = 0; + char *address = NULL; + char key[MAX_KEY_LEN]; + unsigned short port = 0; + rtp_sender_t snd; + srtp_policy_t policy; + srtp_err_status_t status; + int len; + int expected_len; + int do_list_mods = 0; + uint32_t ssrc = 0xdeadbeef; /* ssrc value hardcoded for now */ +#ifdef RTPW_USE_WINSOCK2 + WORD wVersionRequested = MAKEWORD(2, 0); + WSADATA wsaData; + + ret = WSAStartup(wVersionRequested, &wsaData); + if (ret != 0) { + fprintf(stderr, "error: WSAStartup() failed: %d\n", ret); + exit(1); + } +#endif + + memset(&policy, 0x0, sizeof(srtp_policy_t)); + + printf("Using %s [0x%x]\n", srtp_get_version_string(), srtp_get_version()); + + if (setup_signal_handler(argv[0]) != 0) { + exit(1); + } + + /* initialize srtp library */ + status = srtp_init(); + if (status) { + printf("error: srtp initialization failed with error code %d\n", + status); + exit(1); + } + + /* check args */ + while (1) { + c = getopt_s(argc, argv, "b:k:rsgt:ae:ld:w:"); + if (c == -1) { + break; + } + switch (c) { + case 'b': + b64_input = 1; + /* fall thru */ + case 'k': + input_key = optarg_s; + break; + case 'e': + key_size = atoi(optarg_s); + if (key_size != 128 && key_size != 256) { + printf("error: encryption key size must be 128 or 256 (%d)\n", + key_size); + exit(1); + } + sec_servs |= sec_serv_conf; + break; + case 't': + tag_size = atoi(optarg_s); + if (tag_size != 8 && tag_size != 16) { + printf("error: GCM tag size must be 8 or 16 (%d)\n", tag_size); + exit(1); + } + break; + case 'a': + sec_servs |= sec_serv_auth; + break; + case 'g': + gcm_on = 1; + sec_servs |= sec_serv_auth; + break; + case 'r': + prog_type = receiver; + break; + case 's': + prog_type = sender; + break; + case 'd': + status = srtp_set_debug_module(optarg_s, 1); + if (status) { + printf("error: set debug module (%s) failed\n", optarg_s); + exit(1); + } + break; + case 'l': + do_list_mods = 1; + break; + case 'w': + dictfile = optarg_s; + break; + default: + usage(argv[0]); + } + } + + if (prog_type == unknown) { + if (do_list_mods) { + status = srtp_list_debug_modules(); + if (status) { + printf("error: list of debug modules failed\n"); + exit(1); + } + return 0; + } else { + printf("error: neither sender [-s] nor receiver [-r] specified\n"); + usage(argv[0]); + } + } + + if ((sec_servs && !input_key) || (!sec_servs && input_key)) { + /* + * a key must be provided if and only if security services have + * been requested + */ + usage(argv[0]); + } + + if (argc != optind_s + 2) { + /* wrong number of arguments */ + usage(argv[0]); + } + + /* get address from arg */ + address = argv[optind_s++]; + + /* get port from arg */ + port = atoi(argv[optind_s++]); + +/* set address */ +#ifdef HAVE_INET_ATON + if (0 == inet_aton(address, &rcvr_addr)) { + fprintf(stderr, "%s: cannot parse IP v4 address %s\n", argv[0], + address); + exit(1); + } + if (rcvr_addr.s_addr == INADDR_NONE) { + fprintf(stderr, "%s: address error", argv[0]); + exit(1); + } +#else + rcvr_addr.s_addr = inet_addr(address); + if (0xffffffff == rcvr_addr.s_addr) { + fprintf(stderr, "%s: cannot parse IP v4 address %s\n", argv[0], + address); + exit(1); + } +#endif + + /* open socket */ + sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); + if (sock < 0) { + int err; +#ifdef RTPW_USE_WINSOCK2 + err = WSAGetLastError(); +#else + err = errno; +#endif + fprintf(stderr, "%s: couldn't open socket: %d\n", argv[0], err); + exit(1); + } + + memset(&name, 0, sizeof(struct sockaddr_in)); + name.sin_addr = rcvr_addr; + name.sin_family = PF_INET; + name.sin_port = htons(port); + + if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) { + if (prog_type == sender) { + ret = setsockopt(sock, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, + sizeof(ttl)); + if (ret < 0) { + fprintf(stderr, "%s: Failed to set TTL for multicast group", + argv[0]); + perror(""); + exit(1); + } + } + + mreq.imr_multiaddr.s_addr = rcvr_addr.s_addr; + mreq.imr_interface.s_addr = htonl(INADDR_ANY); + ret = setsockopt(sock, IPPROTO_IP, IP_ADD_MEMBERSHIP, (void *)&mreq, + sizeof(mreq)); + if (ret < 0) { + fprintf(stderr, "%s: Failed to join multicast group", argv[0]); + perror(""); + exit(1); + } + } + + /* report security services selected on the command line */ + printf("security services: "); + if (sec_servs & sec_serv_conf) + printf("confidentiality "); + if (sec_servs & sec_serv_auth) + printf("message authentication"); + if (sec_servs == sec_serv_none) + printf("none"); + printf("\n"); + + /* set up the srtp policy and master key */ + if (sec_servs) { + /* + * create policy structure, using the default mechanisms but + * with only the security services requested on the command line, + * using the right SSRC value + */ + switch (sec_servs) { + case sec_serv_conf_and_auth: + if (gcm_on) { +#ifdef GCM + switch (key_size) { + case 128: + srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtcp); + break; + } +#else + printf("error: GCM mode only supported when using the OpenSSL " + "or NSS crypto engine.\n"); + return 0; +#endif + } else { + switch (key_size) { + case 128: + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + } + } + break; + case sec_serv_conf: + if (gcm_on) { + printf( + "error: GCM mode must always be used with auth enabled\n"); + return -1; + } else { + switch (key_size) { + case 128: + srtp_crypto_policy_set_aes_cm_128_null_auth(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_cm_256_null_auth(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + } + } + break; + case sec_serv_auth: + if (gcm_on) { +#ifdef GCM + switch (key_size) { + case 128: + srtp_crypto_policy_set_aes_gcm_128_8_only_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_128_8_only_auth( + &policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_gcm_256_8_only_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_256_8_only_auth( + &policy.rtcp); + break; + } +#else + printf("error: GCM mode only supported when using the OpenSSL " + "crypto engine.\n"); + return 0; +#endif + } else { + srtp_crypto_policy_set_null_cipher_hmac_sha1_80(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + } + break; + default: + printf("error: unknown security service requested\n"); + return -1; + } + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = ssrc; + policy.key = (uint8_t *)key; + policy.ekt = NULL; + policy.next = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.rtp.sec_serv = sec_servs; + policy.rtcp.sec_serv = sec_serv_none; /* we don't do RTCP anyway */ + + if (gcm_on && tag_size != 8) { + policy.rtp.auth_tag_len = tag_size; + } + + /* + * read key from hexadecimal or base64 on command line into an octet + * string + */ + if (b64_input) { + int pad; + expected_len = (policy.rtp.cipher_key_len * 4) / 3; + len = base64_string_to_octet_string(key, &pad, input_key, + expected_len); + if (pad != 0) { + fprintf(stderr, "error: padding in base64 unexpected\n"); + exit(1); + } + } else { + expected_len = policy.rtp.cipher_key_len * 2; + len = hex_string_to_octet_string(key, input_key, expected_len); + } + /* check that hex string is the right length */ + if (len < expected_len) { + fprintf(stderr, "error: too few digits in key/salt " + "(should be %d digits, found %d)\n", + expected_len, len); + exit(1); + } + if ((int)strlen(input_key) > policy.rtp.cipher_key_len * 2) { + fprintf(stderr, "error: too many digits in key/salt " + "(should be %d hexadecimal digits, found %u)\n", + policy.rtp.cipher_key_len * 2, (unsigned)strlen(input_key)); + exit(1); + } + + printf("set master key/salt to %s/", octet_string_hex_string(key, 16)); + printf("%s\n", octet_string_hex_string(key + 16, 14)); + + } else { + /* + * we're not providing security services, so set the policy to the + * null policy + * + * Note that this policy does not conform to the SRTP + * specification, since RTCP authentication is required. However, + * the effect of this policy is to turn off SRTP, so that this + * application is now a vanilla-flavored RTP application. + */ + srtp_crypto_policy_set_null_cipher_hmac_null(&policy.rtp); + srtp_crypto_policy_set_null_cipher_hmac_null(&policy.rtcp); + policy.key = (uint8_t *)key; + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = ssrc; + policy.window_size = 0; + policy.allow_repeat_tx = 0; + policy.ekt = NULL; + policy.next = NULL; + } + + if (prog_type == sender) { +#if BEW + /* bind to local socket (to match crypto policy, if need be) */ + memset(&local, 0, sizeof(struct sockaddr_in)); + local.sin_addr.s_addr = htonl(INADDR_ANY); + local.sin_port = htons(port); + ret = bind(sock, (struct sockaddr *)&local, sizeof(struct sockaddr_in)); + if (ret < 0) { + fprintf(stderr, "%s: bind failed\n", argv[0]); + perror(""); + exit(1); + } +#endif /* BEW */ + + /* initialize sender's rtp and srtp contexts */ + snd = rtp_sender_alloc(); + if (snd == NULL) { + fprintf(stderr, "error: malloc() failed\n"); + exit(1); + } + rtp_sender_init(snd, sock, name, ssrc); + status = rtp_sender_init_srtp(snd, &policy); + if (status) { + fprintf(stderr, "error: srtp_create() failed with code %d\n", + status); + exit(1); + } + + /* open dictionary */ + dict = fopen(dictfile, "r"); + if (dict == NULL) { + fprintf(stderr, "%s: couldn't open file %s\n", argv[0], dictfile); + if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) { + leave_group(sock, mreq, argv[0]); + } + exit(1); + } + + /* read words from dictionary, then send them off */ + while (!interrupted && fgets(word, MAX_WORD_LEN, dict) != NULL) { + len = strlen(word) + 1; /* plus one for null */ + + if (len > MAX_WORD_LEN) + printf("error: word %s too large to send\n", word); + else { + rtp_sendto(snd, word, len); + printf("sending word: %s", word); + } + usleep(USEC_RATE); + } + + rtp_sender_deinit_srtp(snd); + rtp_sender_dealloc(snd); + + fclose(dict); + } else { /* prog_type == receiver */ + rtp_receiver_t rcvr; + + if (bind(sock, (struct sockaddr *)&name, sizeof(name)) < 0) { + close(sock); + fprintf(stderr, "%s: socket bind error\n", argv[0]); + perror(NULL); + if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) { + leave_group(sock, mreq, argv[0]); + } + exit(1); + } + + rcvr = rtp_receiver_alloc(); + if (rcvr == NULL) { + fprintf(stderr, "error: malloc() failed\n"); + exit(1); + } + rtp_receiver_init(rcvr, sock, name, ssrc); + status = rtp_receiver_init_srtp(rcvr, &policy); + if (status) { + fprintf(stderr, "error: srtp_create() failed with code %d\n", + status); + exit(1); + } + + /* get next word and loop */ + while (!interrupted) { + len = MAX_WORD_LEN; + if (rtp_recvfrom(rcvr, word, &len) > -1) + printf("\tword: %s\n", word); + } + + rtp_receiver_deinit_srtp(rcvr); + rtp_receiver_dealloc(rcvr); + } + + if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) { + leave_group(sock, mreq, argv[0]); + } + +#ifdef RTPW_USE_WINSOCK2 + ret = closesocket(sock); +#else + ret = close(sock); +#endif + if (ret < 0) { + fprintf(stderr, "%s: Failed to close socket", argv[0]); + perror(""); + } + + status = srtp_shutdown(); + if (status) { + printf("error: srtp shutdown failed with error code %d\n", status); + exit(1); + } + +#ifdef RTPW_USE_WINSOCK2 + WSACleanup(); +#endif + + return 0; +} + +void usage(char *string) +{ + printf("usage: %s [-d <debug>]* [-k <key> [-a][-e]] " + "[-s | -r] dest_ip dest_port\n" + "or %s -l\n" + "where -a use message authentication\n" + " -e <key size> use encryption (use 128 or 256 for key size)\n" + " -g Use AES-GCM mode (must be used with -e)\n" + " -t <tag size> Tag size to use in GCM mode (use 8 or 16)\n" + " -k <key> sets the srtp master key given in hexadecimal\n" + " -b <key> sets the srtp master key given in base64\n" + " -s act as rtp sender\n" + " -r act as rtp receiver\n" + " -l list debug modules\n" + " -d <debug> turn on debugging for module <debug>\n" + " -w <wordsfile> use <wordsfile> for input, rather than %s\n", + string, string, DICT_FILE); + exit(1); +} + +void leave_group(int sock, struct ip_mreq mreq, char *name) +{ + int ret; + + ret = setsockopt(sock, IPPROTO_IP, IP_DROP_MEMBERSHIP, (void *)&mreq, + sizeof(mreq)); + if (ret < 0) { + fprintf(stderr, "%s: Failed to leave multicast group", name); + perror(""); + } +} + +void handle_signal(int signum) +{ + interrupted = 1; + /* Reset handler explicitly, in case we don't have sigaction() (and signal() + has BSD semantics), or we don't have SA_RESETHAND */ + signal(signum, SIG_DFL); +} + +int setup_signal_handler(char *name) +{ +#if HAVE_SIGACTION + struct sigaction act; + memset(&act, 0, sizeof(act)); + + act.sa_handler = handle_signal; + sigemptyset(&act.sa_mask); +#if defined(SA_RESETHAND) + act.sa_flags = SA_RESETHAND; +#else + act.sa_flags = 0; +#endif + /* Note that we're not setting SA_RESTART; we want recvfrom to return + * EINTR when we signal the receiver. */ + + if (sigaction(SIGTERM, &act, NULL) != 0) { + fprintf(stderr, "%s: error setting up signal handler", name); + perror(""); + return -1; + } +#else + if (signal(SIGTERM, handle_signal) == SIG_ERR) { + fprintf(stderr, "%s: error setting up signal handler", name); + perror(""); + return -1; + } +#endif + return 0; +} diff --git a/netwerk/srtp/src/test/rtpw_test.sh b/netwerk/srtp/src/test/rtpw_test.sh new file mode 100755 index 0000000000..158a39312d --- /dev/null +++ b/netwerk/srtp/src/test/rtpw_test.sh @@ -0,0 +1,176 @@ +#!/bin/sh +# +# usage: rtpw_test <rtpw_commands> +# +# tests the rtpw sender and receiver functions +# +# Copyright (c) 2001-2017, Cisco Systems, Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# +# Neither the name of the Cisco Systems, Inc. nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +# OF THE POSSIBILITY OF SUCH DAMAGE. +# + +case $(uname -s) in + *CYGWIN*|*MINGW*) + EXE=".exe" + ;; + *Linux*) + EXE="" + export LD_LIBRARY_PATH=$CRYPTO_LIBDIR + ;; + *Darwin*) + EXE="" + export DYLD_LIBRARY_PATH=$CRYPTO_LIBDIR + ;; +esac + +RTPW=./rtpw$EXE +DEST_PORT=9999 +DURATION=3 + +key=Ky7cUDT2GnI0XKWYbXv9AYmqbcLsqzL9mvdN9t/G + +ARGS="-b $key -a -e 128" + +# First, we run "killall" to get rid of all existing rtpw processes. +# This step also enables this script to clean up after itself; if this +# script is interrupted after the rtpw processes are started but before +# they are killed, those processes will linger. Re-running the script +# will get rid of them. + +killall rtpw 2>/dev/null + +if test -x $RTPW; then + +echo $0 ": starting rtpw receiver process... " + +$RTPW $* $ARGS -r 0.0.0.0 $DEST_PORT & + +receiver_pid=$! + +echo $0 ": receiver PID = $receiver_pid" + +sleep 1 + +# verify that the background job is running +ps -e | grep -q $receiver_pid +retval=$? +echo $retval +if [ $retval != 0 ]; then + echo $0 ": error" + exit 254 +fi + +echo $0 ": starting rtpw sender process..." + +$RTPW $* $ARGS -s 127.0.0.1 $DEST_PORT & + +sender_pid=$! + +echo $0 ": sender PID = $sender_pid" + +# verify that the background job is running +ps -e | grep -q $sender_pid +retval=$? +echo $retval +if [ $retval != 0 ]; then + echo $0 ": error" + exit 255 +fi + +sleep $DURATION + +kill $receiver_pid +kill $sender_pid + +wait $receiver_pid 2>/dev/null +wait $sender_pid 2>/dev/null + + +key=033490ba9e82994fc21013395739038992b2edc5034f61a72345ca598d7bfd0189aa6dc2ecab32fd9af74df6dfc6 + +ARGS="-k $key -a -e 256" + +echo $0 ": starting rtpw receiver process... " + +$RTPW $* $ARGS -r 0.0.0.0 $DEST_PORT & + +receiver_pid=$! + +echo $0 ": receiver PID = $receiver_pid" + +sleep 1 + +# verify that the background job is running +ps -e | grep -q $receiver_pid +retval=$? +echo $retval +if [ $retval != 0 ]; then + echo $0 ": error" + exit 254 +fi + +echo $0 ": starting rtpw sender process..." + +$RTPW $* $ARGS -s 127.0.0.1 $DEST_PORT & + +sender_pid=$! + +echo $0 ": sender PID = $sender_pid" + +# verify that the background job is running +ps -e | grep -q $sender_pid +retval=$? +echo $retval +if [ $retval != 0 ]; then + echo $0 ": error" + exit 255 +fi + +sleep $DURATION + +kill $receiver_pid +kill $sender_pid + +wait $receiver_pid 2>/dev/null +wait $sender_pid 2>/dev/null + +echo $0 ": done (test passed)" + +else + +echo "error: can't find executable" $RTPW +exit 1 + +fi + +# EOF + + diff --git a/netwerk/srtp/src/test/rtpw_test_gcm.sh b/netwerk/srtp/src/test/rtpw_test_gcm.sh new file mode 100755 index 0000000000..644255e1a1 --- /dev/null +++ b/netwerk/srtp/src/test/rtpw_test_gcm.sh @@ -0,0 +1,260 @@ +#!/bin/sh +# +# usage: rtpw_test <rtpw_commands> +# +# tests the rtpw sender and receiver functions +# +# Copyright (c) 2001-2017, Cisco Systems, Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# +# Neither the name of the Cisco Systems, Inc. nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +# OF THE POSSIBILITY OF SUCH DAMAGE. +# + +case $(uname -s) in + *CYGWIN*|*MINGW*) + EXE=".exe" + ;; + *Linux*) + EXE="" + export LD_LIBRARY_PATH=$CRYPTO_LIBDIR + ;; + *Darwin*) + EXE="" + export DYLD_LIBRARY_PATH=$CRYPTO_LIBDIR + ;; +esac + +RTPW=./rtpw$EXE +DEST_PORT=9999 +DURATION=3 + +# First, we run "killall" to get rid of all existing rtpw processes. +# This step also enables this script to clean up after itself; if this +# script is interrupted after the rtpw processes are started but before +# they are killed, those processes will linger. Re-running the script +# will get rid of them. + +killall rtpw 2>/dev/null + +if test -x $RTPW; then + +GCMARGS128="-k 01234567890123456789012345678901234567890123456789012345 -g -e 128" +echo $0 ": starting GCM mode 128-bit rtpw receiver process... " + +exec $RTPW $* $GCMARGS128 -r 127.0.0.1 $DEST_PORT & + +receiver_pid=$! + +echo $0 ": receiver PID = $receiver_pid" + +sleep 1 + +# verify that the background job is running +ps -e | grep -q $receiver_pid +retval=$? +echo $retval +if [ $retval != 0 ]; then + echo $0 ": error" + exit 254 +fi + +echo $0 ": starting GCM 128-bit rtpw sender process..." + +exec $RTPW $* $GCMARGS128 -s 127.0.0.1 $DEST_PORT & + +sender_pid=$! + +echo $0 ": sender PID = $sender_pid" + +# verify that the background job is running +ps -e | grep -q $sender_pid +retval=$? +echo $retval +if [ $retval != 0 ]; then + echo $0 ": error" + exit 255 +fi + +sleep $DURATION + +kill $receiver_pid +kill $sender_pid + +wait $receiver_pid 2>/dev/null +wait $sender_pid 2>/dev/null + +GCMARGS128="-k 01234567890123456789012345678901234567890123456789012345 -g -t 16 -e 128" +echo $0 ": starting GCM mode 128-bit (16 byte tag) rtpw receiver process... " + +exec $RTPW $* $GCMARGS128 -r 127.0.0.1 $DEST_PORT & + +receiver_pid=$! + +echo $0 ": receiver PID = $receiver_pid" + +sleep 1 + +# verify that the background job is running +ps -e | grep -q $receiver_pid +retval=$? +echo $retval +if [ $retval != 0 ]; then + echo $0 ": error" + exit 254 +fi + +echo $0 ": starting GCM 128-bit (16 byte tag) rtpw sender process..." + +exec $RTPW $* $GCMARGS128 -s 127.0.0.1 $DEST_PORT & + +sender_pid=$! + +echo $0 ": sender PID = $sender_pid" + +# verify that the background job is running +ps -e | grep -q $sender_pid +retval=$? +echo $retval +if [ $retval != 0 ]; then + echo $0 ": error" + exit 255 +fi + +sleep $DURATION + +kill $receiver_pid +kill $sender_pid + +wait $receiver_pid 2>/dev/null +wait $sender_pid 2>/dev/null + + +GCMARGS256="-k 0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567 -g -e 256" +echo $0 ": starting GCM mode 256-bit rtpw receiver process... " + +exec $RTPW $* $GCMARGS256 -r 127.0.0.1 $DEST_PORT & + +receiver_pid=$! + +echo $0 ": receiver PID = $receiver_pid" + +sleep 1 + +# verify that the background job is running +ps -e | grep -q $receiver_pid +retval=$? +echo $retval +if [ $retval != 0 ]; then + echo $0 ": error" + exit 254 +fi + +echo $0 ": starting GCM 256-bit rtpw sender process..." + +exec $RTPW $* $GCMARGS256 -s 127.0.0.1 $DEST_PORT & + +sender_pid=$! + +echo $0 ": sender PID = $sender_pid" + +# verify that the background job is running +ps -e | grep -q $sender_pid +retval=$? +echo $retval +if [ $retval != 0 ]; then + echo $0 ": error" + exit 255 +fi + +sleep $DURATION + +kill $receiver_pid +kill $sender_pid + +wait $receiver_pid 2>/dev/null +wait $sender_pid 2>/dev/null + +GCMARGS256="-k a123456789012345678901234567890123456789012345678901234567890123456789012345678901234567 -g -t 16 -e 256" +echo $0 ": starting GCM mode 256-bit (16 byte tag) rtpw receiver process... " + +exec $RTPW $* $GCMARGS256 -r 127.0.0.1 $DEST_PORT & + +receiver_pid=$! + +echo $0 ": receiver PID = $receiver_pid" + +sleep 1 + +# verify that the background job is running +ps -e | grep -q $receiver_pid +retval=$? +echo $retval +if [ $retval != 0 ]; then + echo $0 ": error" + exit 254 +fi + +echo $0 ": starting GCM 256-bit (16 byte tag) rtpw sender process..." + +exec $RTPW $* $GCMARGS256 -s 127.0.0.1 $DEST_PORT & + +sender_pid=$! + +echo $0 ": sender PID = $sender_pid" + +# verify that the background job is running +ps -e | grep -q $sender_pid +retval=$? +echo $retval +if [ $retval != 0 ]; then + echo $0 ": error" + exit 255 +fi + +sleep $DURATION + +kill $receiver_pid +kill $sender_pid + +wait $receiver_pid 2>/dev/null +wait $sender_pid 2>/dev/null + +echo $0 ": done (test passed)" + +else + +echo "error: can't find executable" $RTPW +exit 1 + +fi + +# EOF + + diff --git a/netwerk/srtp/src/test/srtp_driver.c b/netwerk/srtp/src/test/srtp_driver.c new file mode 100644 index 0000000000..a7234539f7 --- /dev/null +++ b/netwerk/srtp/src/test/srtp_driver.c @@ -0,0 +1,3837 @@ +/* + * srtp_driver.c + * + * a test driver for libSRTP + * + * David A. McGrew + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2001-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include <string.h> /* for memcpy() */ +#include <time.h> /* for clock() */ +#include <stdlib.h> /* for malloc(), free() */ +#include <stdio.h> /* for print(), fflush() */ +#include "getopt_s.h" /* for local getopt() */ + +#include "srtp_priv.h" +#include "util.h" + +#ifdef HAVE_NETINET_IN_H +#include <netinet/in.h> +#elif defined HAVE_WINSOCK2_H +#include <winsock2.h> +#endif + +#define PRINT_REFERENCE_PACKET 1 + +srtp_err_status_t srtp_validate(void); + +#ifdef GCM +srtp_err_status_t srtp_validate_gcm(void); +#endif + +srtp_err_status_t srtp_validate_encrypted_extensions_headers(void); + +#ifdef GCM +srtp_err_status_t srtp_validate_encrypted_extensions_headers_gcm(void); +#endif + +srtp_err_status_t srtp_validate_aes_256(void); + +srtp_err_status_t srtp_create_big_policy(srtp_policy_t **list); + +srtp_err_status_t srtp_dealloc_big_policy(srtp_policy_t *list); + +srtp_err_status_t srtp_test_empty_payload(void); + +#ifdef GCM +srtp_err_status_t srtp_test_empty_payload_gcm(void); +#endif + +srtp_err_status_t srtp_test_remove_stream(void); + +srtp_err_status_t srtp_test_update(void); + +srtp_err_status_t srtp_test_protect_trailer_length(void); + +srtp_err_status_t srtp_test_protect_rtcp_trailer_length(void); + +srtp_err_status_t srtp_test_get_roc(void); + +srtp_err_status_t srtp_test_set_receiver_roc(void); + +srtp_err_status_t srtp_test_set_sender_roc(void); + +double srtp_bits_per_second(int msg_len_octets, const srtp_policy_t *policy); + +double srtp_rejections_per_second(int msg_len_octets, + const srtp_policy_t *policy); + +void srtp_do_timing(const srtp_policy_t *policy); + +void srtp_do_rejection_timing(const srtp_policy_t *policy); + +srtp_err_status_t srtp_test(const srtp_policy_t *policy, + int extension_header, + int mki_index); + +srtp_err_status_t srtcp_test(const srtp_policy_t *policy, int mki_index); + +srtp_err_status_t srtp_session_print_policy(srtp_t srtp); + +srtp_err_status_t srtp_print_policy(const srtp_policy_t *policy); + +char *srtp_packet_to_string(srtp_hdr_t *hdr, int packet_len); + +double mips_estimate(int num_trials, int *ignore); + +#define TEST_MKI_ID_SIZE 4 + +extern uint8_t test_key[46]; +extern uint8_t test_key_2[46]; +extern uint8_t test_mki_id[TEST_MKI_ID_SIZE]; +extern uint8_t test_mki_id_2[TEST_MKI_ID_SIZE]; + +// clang-format off +srtp_master_key_t master_key_1 = { + test_key, + test_mki_id, + TEST_MKI_ID_SIZE +}; + +srtp_master_key_t master_key_2 = { + test_key_2, + test_mki_id_2, + TEST_MKI_ID_SIZE +}; + +srtp_master_key_t *test_keys[2] = { + &master_key_1, + &master_key_2 +}; +// clang-format on + +void usage(char *prog_name) +{ + printf("usage: %s [ -t ][ -c ][ -v ][ -o ][-d <debug_module> ]* [ -l ]\n" + " -t run timing test\n" + " -r run rejection timing test\n" + " -c run codec timing test\n" + " -v run validation tests\n" + " -o output logging to stdout\n" + " -d <mod> turn on debugging module <mod>\n" + " -l list debugging modules\n", + prog_name); + exit(1); +} + +void log_handler(srtp_log_level_t level, const char *msg, void *data) +{ + char level_char = '?'; + switch (level) { + case srtp_log_level_error: + level_char = 'e'; + break; + case srtp_log_level_warning: + level_char = 'w'; + break; + case srtp_log_level_info: + level_char = 'i'; + break; + case srtp_log_level_debug: + level_char = 'd'; + break; + } + printf("SRTP-LOG [%c]: %s\n", level_char, msg); +} + +/* + * The policy_array is a null-terminated array of policy structs. it + * is declared at the end of this file + */ + +extern const srtp_policy_t *policy_array[]; + +/* the wildcard_policy is declared below; it has a wildcard ssrc */ + +extern const srtp_policy_t wildcard_policy; + +/* + * mod_driver debug module - debugging module for this test driver + * + * we use the crypto_kernel debugging system in this driver, which + * makes the interface uniform and increases portability + */ + +srtp_debug_module_t mod_driver = { + 0, /* debugging is off by default */ + "driver" /* printable name for module */ +}; + +int main(int argc, char *argv[]) +{ + int q; + unsigned do_timing_test = 0; + unsigned do_rejection_test = 0; + unsigned do_codec_timing = 0; + unsigned do_validation = 0; + unsigned do_list_mods = 0; + unsigned do_log_stdout = 0; + srtp_err_status_t status; + + /* + * verify that the compiler has interpreted the header data + * structure srtp_hdr_t correctly + */ + if (sizeof(srtp_hdr_t) != 12) { + printf("error: srtp_hdr_t has incorrect size" + "(size is %ld bytes, expected 12)\n", + (long)sizeof(srtp_hdr_t)); + exit(1); + } + + /* initialize srtp library */ + status = srtp_init(); + if (status) { + printf("error: srtp init failed with error code %d\n", status); + exit(1); + } + + /* load srtp_driver debug module */ + status = srtp_crypto_kernel_load_debug_module(&mod_driver); + if (status) { + printf("error: load of srtp_driver debug module failed " + "with error code %d\n", + status); + exit(1); + } + + /* process input arguments */ + while (1) { + q = getopt_s(argc, argv, "trcvold:"); + if (q == -1) { + break; + } + switch (q) { + case 't': + do_timing_test = 1; + break; + case 'r': + do_rejection_test = 1; + break; + case 'c': + do_codec_timing = 1; + break; + case 'v': + do_validation = 1; + break; + case 'o': + do_log_stdout = 1; + break; + case 'l': + do_list_mods = 1; + break; + case 'd': + status = srtp_set_debug_module(optarg_s, 1); + if (status) { + printf("error: set debug module (%s) failed\n", optarg_s); + exit(1); + } + break; + default: + usage(argv[0]); + } + } + + if (!do_validation && !do_timing_test && !do_codec_timing && + !do_list_mods && !do_rejection_test) { + usage(argv[0]); + } + + if (do_log_stdout) { + status = srtp_install_log_handler(log_handler, NULL); + if (status) { + printf("error: install log handler failed\n"); + exit(1); + } + } + + if (do_list_mods) { + status = srtp_list_debug_modules(); + if (status) { + printf("error: list of debug modules failed\n"); + exit(1); + } + } + + if (do_validation) { + const srtp_policy_t **policy = policy_array; + srtp_policy_t *big_policy; + + /* loop over policy array, testing srtp and srtcp for each policy */ + while (*policy != NULL) { + printf("testing srtp_protect and srtp_unprotect\n"); + if (srtp_test(*policy, 0, -1) == srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } + + printf("testing srtp_protect and srtp_unprotect with encrypted " + "extensions headers\n"); + if (srtp_test(*policy, 1, -1) == srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } + printf("testing srtp_protect_rtcp and srtp_unprotect_rtcp\n"); + if (srtcp_test(*policy, -1) == srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } + printf("testing srtp_protect_rtp and srtp_unprotect_rtp with MKI " + "index set to 0\n"); + if (srtp_test(*policy, 0, 0) == srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } + printf("testing srtp_protect_rtp and srtp_unprotect_rtp with MKI " + "index set to 1\n"); + if (srtp_test(*policy, 0, 1) == srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } + + printf("testing srtp_protect_rtcp and srtp_unprotect_rtcp with MKI " + "index set to 0\n"); + if (srtcp_test(*policy, 0) == srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } + printf("testing srtp_protect_rtcp and srtp_unprotect_rtcp with MKI " + "index set to 1\n"); + if (srtcp_test(*policy, 1) == srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } + policy++; + } + + /* create a big policy list and run tests on it */ + status = srtp_create_big_policy(&big_policy); + if (status) { + printf("unexpected failure with error code %d\n", status); + exit(1); + } + printf("testing srtp_protect and srtp_unprotect with big policy\n"); + if (srtp_test(big_policy, 0, -1) == srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } + printf("testing srtp_protect and srtp_unprotect with big policy and " + "encrypted extensions headers\n"); + if (srtp_test(big_policy, 1, -1) == srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } + status = srtp_dealloc_big_policy(big_policy); + if (status) { + printf("unexpected failure with error code %d\n", status); + exit(1); + } + + /* run test on wildcard policy */ + printf("testing srtp_protect and srtp_unprotect on " + "wildcard ssrc policy\n"); + if (srtp_test(&wildcard_policy, 0, -1) == srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } + printf("testing srtp_protect and srtp_unprotect on " + "wildcard ssrc policy and encrypted extensions headers\n"); + if (srtp_test(&wildcard_policy, 1, -1) == srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } + + /* + * run validation test against the reference packets - note + * that this test only covers the default policy + */ + printf("testing srtp_protect and srtp_unprotect against " + "reference packet\n"); + if (srtp_validate() == srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } + +#ifdef GCM + printf("testing srtp_protect and srtp_unprotect against " + "reference packet using GCM\n"); + if (srtp_validate_gcm() == srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } +#endif + + printf("testing srtp_protect and srtp_unprotect against " + "reference packet with encrypted extensions headers\n"); + if (srtp_validate_encrypted_extensions_headers() == srtp_err_status_ok) + printf("passed\n\n"); + else { + printf("failed\n"); + exit(1); + } + +#ifdef GCM + printf("testing srtp_protect and srtp_unprotect against " + "reference packet with encrypted extension headers (GCM)\n"); + if (srtp_validate_encrypted_extensions_headers_gcm() == + srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } +#endif + + /* + * run validation test against the reference packets for + * AES-256 + */ + printf("testing srtp_protect and srtp_unprotect against " + "reference packet (AES-256)\n"); + if (srtp_validate_aes_256() == srtp_err_status_ok) { + printf("passed\n\n"); + } else { + printf("failed\n"); + exit(1); + } + + /* + * test packets with empty payload + */ + printf("testing srtp_protect and srtp_unprotect against " + "packet with empty payload\n"); + if (srtp_test_empty_payload() == srtp_err_status_ok) { + printf("passed\n"); + } else { + printf("failed\n"); + exit(1); + } +#ifdef GCM + printf("testing srtp_protect and srtp_unprotect against " + "packet with empty payload (GCM)\n"); + if (srtp_test_empty_payload_gcm() == srtp_err_status_ok) { + printf("passed\n"); + } else { + printf("failed\n"); + exit(1); + } +#endif + + /* + * test the function srtp_remove_stream() + */ + printf("testing srtp_remove_stream()..."); + if (srtp_test_remove_stream() == srtp_err_status_ok) { + printf("passed\n"); + } else { + printf("failed\n"); + exit(1); + } + + /* + * test the function srtp_update() + */ + printf("testing srtp_update()..."); + if (srtp_test_update() == srtp_err_status_ok) { + printf("passed\n"); + } else { + printf("failed\n"); + exit(1); + } + + /* + * test the functions srtp_get_protect_trailer_length + * and srtp_get_protect_rtcp_trailer_length + */ + printf("testing srtp_get_protect_trailer_length()..."); + if (srtp_test_protect_trailer_length() == srtp_err_status_ok) { + printf("passed\n"); + } else { + printf("failed\n"); + exit(1); + } + + printf("testing srtp_get_protect_rtcp_trailer_length()..."); + if (srtp_test_protect_rtcp_trailer_length() == srtp_err_status_ok) { + printf("passed\n"); + } else { + printf("failed\n"); + exit(1); + } + + printf("testing srtp_test_get_roc()..."); + if (srtp_test_get_roc() == srtp_err_status_ok) { + printf("passed\n"); + } else { + printf("failed\n"); + exit(1); + } + + printf("testing srtp_test_set_receiver_roc()..."); + if (srtp_test_set_receiver_roc() == srtp_err_status_ok) { + printf("passed\n"); + } else { + printf("failed\n"); + exit(1); + } + + printf("testing srtp_test_set_sender_roc()..."); + if (srtp_test_set_sender_roc() == srtp_err_status_ok) { + printf("passed\n"); + } else { + printf("failed\n"); + exit(1); + } + } + + if (do_timing_test) { + const srtp_policy_t **policy = policy_array; + + /* loop over policies, run timing test for each */ + while (*policy != NULL) { + srtp_print_policy(*policy); + srtp_do_timing(*policy); + policy++; + } + } + + if (do_rejection_test) { + const srtp_policy_t **policy = policy_array; + + /* loop over policies, run rejection timing test for each */ + while (*policy != NULL) { + srtp_print_policy(*policy); + srtp_do_rejection_timing(*policy); + policy++; + } + } + + if (do_codec_timing) { + srtp_policy_t policy; + int ignore; + double mips_value = mips_estimate(1000000000, &ignore); + + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = 0xdecafbad; + policy.key = test_key; + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.next = NULL; + + printf("mips estimate: %e\n", mips_value); + + printf("testing srtp processing time for voice codecs:\n"); + printf("codec\t\tlength (octets)\t\tsrtp instructions/second\n"); + printf("G.711\t\t%d\t\t\t%e\n", 80, + (double)mips_value * (80 * 8) / + srtp_bits_per_second(80, &policy) / .01); + printf("G.711\t\t%d\t\t\t%e\n", 160, + (double)mips_value * (160 * 8) / + srtp_bits_per_second(160, &policy) / .02); + printf("G.726-32\t%d\t\t\t%e\n", 40, + (double)mips_value * (40 * 8) / + srtp_bits_per_second(40, &policy) / .01); + printf("G.726-32\t%d\t\t\t%e\n", 80, + (double)mips_value * (80 * 8) / + srtp_bits_per_second(80, &policy) / .02); + printf("G.729\t\t%d\t\t\t%e\n", 10, + (double)mips_value * (10 * 8) / + srtp_bits_per_second(10, &policy) / .01); + printf("G.729\t\t%d\t\t\t%e\n", 20, + (double)mips_value * (20 * 8) / + srtp_bits_per_second(20, &policy) / .02); + printf("Wideband\t%d\t\t\t%e\n", 320, + (double)mips_value * (320 * 8) / + srtp_bits_per_second(320, &policy) / .01); + printf("Wideband\t%d\t\t\t%e\n", 640, + (double)mips_value * (640 * 8) / + srtp_bits_per_second(640, &policy) / .02); + } + + status = srtp_shutdown(); + if (status) { + printf("error: srtp shutdown failed with error code %d\n", status); + exit(1); + } + + return 0; +} + +/* + * srtp_create_test_packet(len, ssrc) returns a pointer to a + * (malloced) example RTP packet whose data field has the length given + * by pkt_octet_len and the SSRC value ssrc. The total length of the + * packet is twelve octets longer, since the header is at the + * beginning. There is room at the end of the packet for a trailer, + * and the four octets following the packet are filled with 0xff + * values to enable testing for overwrites. + * + * note that the location of the test packet can (and should) be + * deallocated with the free() call once it is no longer needed. + */ + +srtp_hdr_t *srtp_create_test_packet(int pkt_octet_len, + uint32_t ssrc, + int *pkt_len) +{ + int i; + uint8_t *buffer; + srtp_hdr_t *hdr; + int bytes_in_hdr = 12; + + /* allocate memory for test packet */ + hdr = (srtp_hdr_t *)malloc(pkt_octet_len + bytes_in_hdr + + SRTP_MAX_TRAILER_LEN + 4); + if (!hdr) { + return NULL; + } + + hdr->version = 2; /* RTP version two */ + hdr->p = 0; /* no padding needed */ + hdr->x = 0; /* no header extension */ + hdr->cc = 0; /* no CSRCs */ + hdr->m = 0; /* marker bit */ + hdr->pt = 0xf; /* payload type */ + hdr->seq = htons(0x1234); /* sequence number */ + hdr->ts = htonl(0xdecafbad); /* timestamp */ + hdr->ssrc = htonl(ssrc); /* synch. source */ + + buffer = (uint8_t *)hdr; + buffer += bytes_in_hdr; + + /* set RTP data to 0xab */ + for (i = 0; i < pkt_octet_len; i++) { + *buffer++ = 0xab; + } + + /* set post-data value to 0xffff to enable overrun checking */ + for (i = 0; i < SRTP_MAX_TRAILER_LEN + 4; i++) { + *buffer++ = 0xff; + } + + *pkt_len = bytes_in_hdr + pkt_octet_len; + + return hdr; +} + +static srtp_hdr_t *srtp_create_test_packet_extended(int pkt_octet_len, + uint32_t ssrc, + uint16_t seq, + uint32_t ts, + int *pkt_len) +{ + srtp_hdr_t *hdr; + + hdr = srtp_create_test_packet(pkt_octet_len, ssrc, pkt_len); + if (hdr == NULL) + return hdr; + + hdr->seq = htons(seq); + hdr->ts = htonl(ts); + return hdr; +} + +srtp_hdr_t *srtp_create_test_packet_ext_hdr(int pkt_octet_len, + uint32_t ssrc, + int *pkt_len) +{ + int i; + uint8_t *buffer; + srtp_hdr_t *hdr; + int bytes_in_hdr = 12; + uint8_t extension_header[12] = { /* one-byte header */ + 0xbe, 0xde, + /* size */ + 0x00, 0x02, + /* id 1, length 1 (i.e. 2 bytes) */ + 0x11, + /* payload */ + 0xca, 0xfe, + /* padding */ + 0x00, + /* id 2, length 0 (i.e. 1 byte) */ + 0x20, + /* payload */ + 0xba, + /* padding */ + 0x00, 0x00 + }; + + /* allocate memory for test packet */ + hdr = (srtp_hdr_t *)malloc(pkt_octet_len + bytes_in_hdr + + sizeof(extension_header) + SRTP_MAX_TRAILER_LEN + + 4); + if (!hdr) + return NULL; + + hdr->version = 2; /* RTP version two */ + hdr->p = 0; /* no padding needed */ + hdr->x = 1; /* no header extension */ + hdr->cc = 0; /* no CSRCs */ + hdr->m = 0; /* marker bit */ + hdr->pt = 0xf; /* payload type */ + hdr->seq = htons(0x1234); /* sequence number */ + hdr->ts = htonl(0xdecafbad); /* timestamp */ + hdr->ssrc = htonl(ssrc); /* synch. source */ + + buffer = (uint8_t *)hdr; + buffer += bytes_in_hdr; + + memcpy(buffer, extension_header, sizeof(extension_header)); + buffer += sizeof(extension_header); + + /* set RTP data to 0xab */ + for (i = 0; i < pkt_octet_len; i++) + *buffer++ = 0xab; + + /* set post-data value to 0xffff to enable overrun checking */ + for (i = 0; i < SRTP_MAX_TRAILER_LEN + 4; i++) + *buffer++ = 0xff; + + *pkt_len = bytes_in_hdr + sizeof(extension_header) + pkt_octet_len; + + return hdr; +} + +void srtp_do_timing(const srtp_policy_t *policy) +{ + int len; + + /* + * note: the output of this function is formatted so that it + * can be used in gnuplot. '#' indicates a comment, and "\r\n" + * terminates a record + */ + + printf("# testing srtp throughput:\r\n"); + printf("# mesg length (octets)\tthroughput (megabits per second)\r\n"); + + for (len = 16; len <= 2048; len *= 2) { + printf("%d\t\t\t%f\r\n", len, + srtp_bits_per_second(len, policy) / 1.0E6); + } + + /* these extra linefeeds let gnuplot know that a dataset is done */ + printf("\r\n\r\n"); +} + +void srtp_do_rejection_timing(const srtp_policy_t *policy) +{ + int len; + + /* + * note: the output of this function is formatted so that it + * can be used in gnuplot. '#' indicates a comment, and "\r\n" + * terminates a record + */ + + printf("# testing srtp rejection throughput:\r\n"); + printf("# mesg length (octets)\trejections per second\r\n"); + + for (len = 8; len <= 2048; len *= 2) { + printf("%d\t\t\t%e\r\n", len, srtp_rejections_per_second(len, policy)); + } + + /* these extra linefeeds let gnuplot know that a dataset is done */ + printf("\r\n\r\n"); +} + +#define MAX_MSG_LEN 1024 + +double srtp_bits_per_second(int msg_len_octets, const srtp_policy_t *policy) +{ + srtp_t srtp; + srtp_hdr_t *mesg; + int i; + clock_t timer; + int num_trials = 100000; + int input_len, len; + uint32_t ssrc; + srtp_err_status_t status; + + /* + * allocate and initialize an srtp session + */ + status = srtp_create(&srtp, policy); + if (status) { + printf("error: srtp_create() failed with error code %d\n", status); + exit(1); + } + + /* + * if the ssrc is unspecified, use a predetermined one + */ + if (policy->ssrc.type != ssrc_specific) { + ssrc = 0xdeadbeef; + } else { + ssrc = policy->ssrc.value; + } + + /* + * create a test packet + */ + mesg = srtp_create_test_packet(msg_len_octets, ssrc, &input_len); + if (mesg == NULL) { + return 0.0; /* indicate failure by returning zero */ + } + timer = clock(); + for (i = 0; i < num_trials; i++) { + len = input_len; + /* srtp protect message */ + status = srtp_protect(srtp, mesg, &len); + if (status) { + printf("error: srtp_protect() failed with error code %d\n", status); + exit(1); + } + + /* increment message number */ + { + /* hack sequence to avoid problems with macros for htons/ntohs on + * some systems */ + short new_seq = ntohs(mesg->seq) + 1; + mesg->seq = htons(new_seq); + } + } + timer = clock() - timer; + + free(mesg); + + status = srtp_dealloc(srtp); + if (status) { + printf("error: srtp_dealloc() failed with error code %d\n", status); + exit(1); + } + + return (double)(msg_len_octets)*8 * num_trials * CLOCKS_PER_SEC / timer; +} + +double srtp_rejections_per_second(int msg_len_octets, + const srtp_policy_t *policy) +{ + srtp_ctx_t *srtp; + srtp_hdr_t *mesg; + int i; + int len; + clock_t timer; + int num_trials = 1000000; + uint32_t ssrc = policy->ssrc.value; + srtp_err_status_t status; + + /* + * allocate and initialize an srtp session + */ + status = srtp_create(&srtp, policy); + if (status) { + printf("error: srtp_create() failed with error code %d\n", status); + exit(1); + } + + mesg = srtp_create_test_packet(msg_len_octets, ssrc, &len); + if (mesg == NULL) { + return 0.0; /* indicate failure by returning zero */ + } + srtp_protect(srtp, (srtp_hdr_t *)mesg, &len); + + timer = clock(); + for (i = 0; i < num_trials; i++) { + len = msg_len_octets; + srtp_unprotect(srtp, (srtp_hdr_t *)mesg, &len); + } + timer = clock() - timer; + + free(mesg); + + status = srtp_dealloc(srtp); + if (status) { + printf("error: srtp_dealloc() failed with error code %d\n", status); + exit(1); + } + + return (double)num_trials * CLOCKS_PER_SEC / timer; +} + +void err_check(srtp_err_status_t s) +{ + if (s == srtp_err_status_ok) { + return; + } else { + fprintf(stderr, "error: unexpected srtp failure (code %d)\n", s); + } + exit(1); +} + +srtp_err_status_t srtp_test_call_protect(srtp_t srtp_sender, + srtp_hdr_t *hdr, + int *len, + int mki_index) +{ + if (mki_index == -1) { + return srtp_protect(srtp_sender, hdr, len); + } else { + return srtp_protect_mki(srtp_sender, hdr, len, 1, mki_index); + } +} + +srtp_err_status_t srtp_test_call_protect_rtcp(srtp_t srtp_sender, + srtp_hdr_t *hdr, + int *len, + int mki_index) +{ + if (mki_index == -1) { + return srtp_protect_rtcp(srtp_sender, hdr, len); + } else { + return srtp_protect_rtcp_mki(srtp_sender, hdr, len, 1, mki_index); + } +} + +srtp_err_status_t srtp_test_call_unprotect(srtp_t srtp_sender, + srtp_hdr_t *hdr, + int *len, + int use_mki) +{ + if (use_mki == -1) { + return srtp_unprotect(srtp_sender, hdr, len); + } else { + return srtp_unprotect_mki(srtp_sender, hdr, len, use_mki); + } +} + +srtp_err_status_t srtp_test_call_unprotect_rtcp(srtp_t srtp_sender, + srtp_hdr_t *hdr, + int *len, + int use_mki) +{ + if (use_mki == -1) { + return srtp_unprotect_rtcp(srtp_sender, hdr, len); + } else { + return srtp_unprotect_rtcp_mki(srtp_sender, hdr, len, use_mki); + } +} + +srtp_err_status_t srtp_test(const srtp_policy_t *policy, + int extension_header, + int mki_index) +{ + int i; + srtp_t srtp_sender; + srtp_t srtp_rcvr; + srtp_err_status_t status = srtp_err_status_ok; + srtp_hdr_t *hdr, *hdr2; + uint8_t hdr_enc[64]; + uint8_t *pkt_end; + int msg_len_octets, msg_len_enc, msg_len; + int len, len2; + uint32_t tag_length; + uint32_t ssrc; + srtp_policy_t *rcvr_policy; + srtp_policy_t tmp_policy; + int header = 1; + int use_mki = 0; + + if (mki_index >= 0) + use_mki = 1; + + if (extension_header) { + memcpy(&tmp_policy, policy, sizeof(srtp_policy_t)); + tmp_policy.enc_xtn_hdr = &header; + tmp_policy.enc_xtn_hdr_count = 1; + err_check(srtp_create(&srtp_sender, &tmp_policy)); + } else { + err_check(srtp_create(&srtp_sender, policy)); + } + + /* print out policy */ + err_check(srtp_session_print_policy(srtp_sender)); + + /* + * initialize data buffer, using the ssrc in the policy unless that + * value is a wildcard, in which case we'll just use an arbitrary + * one + */ + if (policy->ssrc.type != ssrc_specific) { + ssrc = 0xdecafbad; + } else { + ssrc = policy->ssrc.value; + } + msg_len_octets = 28; + if (extension_header) { + hdr = srtp_create_test_packet_ext_hdr(msg_len_octets, ssrc, &len); + hdr2 = srtp_create_test_packet_ext_hdr(msg_len_octets, ssrc, &len2); + } else { + hdr = srtp_create_test_packet(msg_len_octets, ssrc, &len); + hdr2 = srtp_create_test_packet(msg_len_octets, ssrc, &len2); + } + + /* save original msg len */ + msg_len = len; + + if (hdr == NULL) { + free(hdr2); + return srtp_err_status_alloc_fail; + } + if (hdr2 == NULL) { + free(hdr); + return srtp_err_status_alloc_fail; + } + + debug_print(mod_driver, "before protection:\n%s", + srtp_packet_to_string(hdr, len)); + +#if PRINT_REFERENCE_PACKET + debug_print(mod_driver, "reference packet before protection:\n%s", + octet_string_hex_string((uint8_t *)hdr, len)); +#endif + err_check(srtp_test_call_protect(srtp_sender, hdr, &len, mki_index)); + + debug_print(mod_driver, "after protection:\n%s", + srtp_packet_to_string(hdr, len)); +#if PRINT_REFERENCE_PACKET + debug_print(mod_driver, "after protection:\n%s", + octet_string_hex_string((uint8_t *)hdr, len)); +#endif + + /* save protected message and length */ + memcpy(hdr_enc, hdr, len); + msg_len_enc = len; + + /* + * check for overrun of the srtp_protect() function + * + * The packet is followed by a value of 0xfffff; if the value of the + * data following the packet is different, then we know that the + * protect function is overwriting the end of the packet. + */ + err_check(srtp_get_protect_trailer_length(srtp_sender, use_mki, mki_index, + &tag_length)); + pkt_end = (uint8_t *)hdr + msg_len + tag_length; + for (i = 0; i < 4; i++) { + if (pkt_end[i] != 0xff) { + fprintf(stdout, "overwrite in srtp_protect() function " + "(expected %x, found %x in trailing octet %d)\n", + 0xff, ((uint8_t *)hdr)[i], i); + free(hdr); + free(hdr2); + return srtp_err_status_algo_fail; + } + } + + /* + * if the policy includes confidentiality, check that ciphertext is + * different than plaintext + * + * Note that this check will give false negatives, with some small + * probability, especially if the packets are short. For that + * reason, we skip this check if the plaintext is less than four + * octets long. + */ + if ((policy->rtp.sec_serv & sec_serv_conf) && (msg_len_octets >= 4)) { + printf("testing that ciphertext is distinct from plaintext..."); + status = srtp_err_status_algo_fail; + for (i = 12; i < msg_len_octets + 12; i++) { + if (((uint8_t *)hdr)[i] != ((uint8_t *)hdr2)[i]) { + status = srtp_err_status_ok; + } + } + if (status) { + printf("failed\n"); + free(hdr); + free(hdr2); + return status; + } + printf("passed\n"); + } + + /* + * if the policy uses a 'wildcard' ssrc, then we need to make a copy + * of the policy that changes the direction to inbound + * + * we always copy the policy into the rcvr_policy, since otherwise + * the compiler would fret about the constness of the policy + */ + rcvr_policy = (srtp_policy_t *)malloc(sizeof(srtp_policy_t)); + if (rcvr_policy == NULL) { + free(hdr); + free(hdr2); + return srtp_err_status_alloc_fail; + } + if (extension_header) { + memcpy(rcvr_policy, &tmp_policy, sizeof(srtp_policy_t)); + if (tmp_policy.ssrc.type == ssrc_any_outbound) { + rcvr_policy->ssrc.type = ssrc_any_inbound; + } + } else { + memcpy(rcvr_policy, policy, sizeof(srtp_policy_t)); + if (policy->ssrc.type == ssrc_any_outbound) { + rcvr_policy->ssrc.type = ssrc_any_inbound; + } + } + + err_check(srtp_create(&srtp_rcvr, rcvr_policy)); + + err_check(srtp_test_call_unprotect(srtp_rcvr, hdr, &len, use_mki)); + + debug_print(mod_driver, "after unprotection:\n%s", + srtp_packet_to_string(hdr, len)); + + /* verify that the unprotected packet matches the origial one */ + for (i = 0; i < len; i++) { + if (((uint8_t *)hdr)[i] != ((uint8_t *)hdr2)[i]) { + fprintf(stdout, "mismatch at octet %d\n", i); + status = srtp_err_status_algo_fail; + } + } + if (status) { + free(hdr); + free(hdr2); + free(rcvr_policy); + return status; + } + + /* + * if the policy includes authentication, then test for false positives + */ + if (policy->rtp.sec_serv & sec_serv_auth) { + char *data = ((char *)hdr) + (extension_header ? 24 : 12); + + printf("testing for false positives in replay check..."); + + /* unprotect a second time - should fail with a replay error */ + status = + srtp_test_call_unprotect(srtp_rcvr, hdr, &msg_len_enc, use_mki); + if (status != srtp_err_status_replay_fail) { + printf("failed with error code %d\n", status); + free(hdr); + free(hdr2); + free(rcvr_policy); + return status; + } else { + printf("passed\n"); + } + + printf("testing for false positives in auth check..."); + + /* increment sequence number in header */ + hdr->seq++; + + /* apply protection */ + err_check(srtp_test_call_protect(srtp_sender, hdr, &len, mki_index)); + + /* flip bits in packet */ + data[0] ^= 0xff; + + /* unprotect, and check for authentication failure */ + status = srtp_test_call_unprotect(srtp_rcvr, hdr, &len, use_mki); + if (status != srtp_err_status_auth_fail) { + printf("failed\n"); + free(hdr); + free(hdr2); + free(rcvr_policy); + return status; + } else { + printf("passed\n"); + } + } + + err_check(srtp_dealloc(srtp_sender)); + err_check(srtp_dealloc(srtp_rcvr)); + + free(hdr); + free(hdr2); + free(rcvr_policy); + return srtp_err_status_ok; +} + +srtp_err_status_t srtcp_test(const srtp_policy_t *policy, int mki_index) +{ + int i; + srtp_t srtcp_sender; + srtp_t srtcp_rcvr; + srtp_err_status_t status = srtp_err_status_ok; + srtp_hdr_t *hdr, *hdr2; + uint8_t hdr_enc[64]; + uint8_t *pkt_end; + int msg_len_octets, msg_len_enc, msg_len; + int len, len2; + uint32_t tag_length; + uint32_t ssrc; + srtp_policy_t *rcvr_policy; + int use_mki = 0; + + if (mki_index >= 0) + use_mki = 1; + + err_check(srtp_create(&srtcp_sender, policy)); + + /* print out policy */ + err_check(srtp_session_print_policy(srtcp_sender)); + + /* + * initialize data buffer, using the ssrc in the policy unless that + * value is a wildcard, in which case we'll just use an arbitrary + * one + */ + if (policy->ssrc.type != ssrc_specific) { + ssrc = 0xdecafbad; + } else { + ssrc = policy->ssrc.value; + } + msg_len_octets = 28; + hdr = srtp_create_test_packet(msg_len_octets, ssrc, &len); + /* save message len */ + msg_len = len; + + if (hdr == NULL) { + return srtp_err_status_alloc_fail; + } + hdr2 = srtp_create_test_packet(msg_len_octets, ssrc, &len2); + if (hdr2 == NULL) { + free(hdr); + return srtp_err_status_alloc_fail; + } + + debug_print(mod_driver, "before protection:\n%s", + srtp_packet_to_string(hdr, len)); + +#if PRINT_REFERENCE_PACKET + debug_print(mod_driver, "reference packet before protection:\n%s", + octet_string_hex_string((uint8_t *)hdr, len)); +#endif + err_check(srtp_test_call_protect_rtcp(srtcp_sender, hdr, &len, mki_index)); + + debug_print(mod_driver, "after protection:\n%s", + srtp_packet_to_string(hdr, len)); +#if PRINT_REFERENCE_PACKET + debug_print(mod_driver, "after protection:\n%s", + octet_string_hex_string((uint8_t *)hdr, len)); +#endif + + /* save protected message and length */ + memcpy(hdr_enc, hdr, len); + msg_len_enc = len; + + /* + * check for overrun of the srtp_protect() function + * + * The packet is followed by a value of 0xfffff; if the value of the + * data following the packet is different, then we know that the + * protect function is overwriting the end of the packet. + */ + srtp_get_protect_rtcp_trailer_length(srtcp_sender, use_mki, mki_index, + &tag_length); + pkt_end = (uint8_t *)hdr + msg_len + tag_length; + for (i = 0; i < 4; i++) { + if (pkt_end[i] != 0xff) { + fprintf(stdout, "overwrite in srtp_protect_rtcp() function " + "(expected %x, found %x in trailing octet %d)\n", + 0xff, ((uint8_t *)hdr)[i], i); + free(hdr); + free(hdr2); + return srtp_err_status_algo_fail; + } + } + + /* + * if the policy includes confidentiality, check that ciphertext is + * different than plaintext + * + * Note that this check will give false negatives, with some small + * probability, especially if the packets are short. For that + * reason, we skip this check if the plaintext is less than four + * octets long. + */ + if ((policy->rtcp.sec_serv & sec_serv_conf) && (msg_len_octets >= 4)) { + printf("testing that ciphertext is distinct from plaintext..."); + status = srtp_err_status_algo_fail; + for (i = 12; i < msg_len_octets + 12; i++) { + if (((uint8_t *)hdr)[i] != ((uint8_t *)hdr2)[i]) { + status = srtp_err_status_ok; + } + } + if (status) { + printf("failed\n"); + free(hdr); + free(hdr2); + return status; + } + printf("passed\n"); + } + + /* + * if the policy uses a 'wildcard' ssrc, then we need to make a copy + * of the policy that changes the direction to inbound + * + * we always copy the policy into the rcvr_policy, since otherwise + * the compiler would fret about the constness of the policy + */ + rcvr_policy = (srtp_policy_t *)malloc(sizeof(srtp_policy_t)); + if (rcvr_policy == NULL) { + free(hdr); + free(hdr2); + return srtp_err_status_alloc_fail; + } + memcpy(rcvr_policy, policy, sizeof(srtp_policy_t)); + if (policy->ssrc.type == ssrc_any_outbound) { + rcvr_policy->ssrc.type = ssrc_any_inbound; + } + + err_check(srtp_create(&srtcp_rcvr, rcvr_policy)); + + err_check(srtp_test_call_unprotect_rtcp(srtcp_rcvr, hdr, &len, use_mki)); + + debug_print(mod_driver, "after unprotection:\n%s", + srtp_packet_to_string(hdr, len)); + + /* verify that the unprotected packet matches the origial one */ + for (i = 0; i < len; i++) { + if (((uint8_t *)hdr)[i] != ((uint8_t *)hdr2)[i]) { + fprintf(stdout, "mismatch at octet %d\n", i); + status = srtp_err_status_algo_fail; + } + } + if (status) { + free(hdr); + free(hdr2); + free(rcvr_policy); + return status; + } + + /* + * if the policy includes authentication, then test for false positives + */ + if (policy->rtp.sec_serv & sec_serv_auth) { + char *data = ((char *)hdr) + 12; + + printf("testing for false positives in replay check..."); + + /* unprotect a second time - should fail with a replay error */ + status = srtp_test_call_unprotect_rtcp(srtcp_rcvr, hdr, &msg_len_enc, + use_mki); + if (status != srtp_err_status_replay_fail) { + printf("failed with error code %d\n", status); + free(hdr); + free(hdr2); + free(rcvr_policy); + return status; + } else { + printf("passed\n"); + } + + printf("testing for false positives in auth check..."); + + /* increment sequence number in header */ + hdr->seq++; + + /* apply protection */ + err_check( + srtp_test_call_protect_rtcp(srtcp_sender, hdr, &len, mki_index)); + + /* flip bits in packet */ + data[0] ^= 0xff; + + /* unprotect, and check for authentication failure */ + status = srtp_test_call_unprotect_rtcp(srtcp_rcvr, hdr, &len, use_mki); + if (status != srtp_err_status_auth_fail) { + printf("failed\n"); + free(hdr); + free(hdr2); + free(rcvr_policy); + return status; + } else { + printf("passed\n"); + } + } + + err_check(srtp_dealloc(srtcp_sender)); + err_check(srtp_dealloc(srtcp_rcvr)); + + free(hdr); + free(hdr2); + free(rcvr_policy); + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_session_print_policy(srtp_t srtp) +{ + char *serv_descr[4] = { "none", "confidentiality", "authentication", + "confidentiality and authentication" }; + char *direction[3] = { "unknown", "outbound", "inbound" }; + srtp_stream_t stream; + srtp_session_keys_t *session_keys = NULL; + + /* sanity checking */ + if (srtp == NULL) { + return srtp_err_status_fail; + } + + /* if there's a template stream, print it out */ + if (srtp->stream_template != NULL) { + stream = srtp->stream_template; + session_keys = &stream->session_keys[0]; + printf("# SSRC: any %s\r\n" + "# rtp cipher: %s\r\n" + "# rtp auth: %s\r\n" + "# rtp services: %s\r\n" + "# rtcp cipher: %s\r\n" + "# rtcp auth: %s\r\n" + "# rtcp services: %s\r\n" + "# window size: %lu\r\n" + "# tx rtx allowed:%s\r\n", + direction[stream->direction], + session_keys->rtp_cipher->type->description, + session_keys->rtp_auth->type->description, + serv_descr[stream->rtp_services], + session_keys->rtcp_cipher->type->description, + session_keys->rtcp_auth->type->description, + serv_descr[stream->rtcp_services], + srtp_rdbx_get_window_size(&stream->rtp_rdbx), + stream->allow_repeat_tx ? "true" : "false"); + + printf("# Encrypted extension headers: "); + if (stream->enc_xtn_hdr && stream->enc_xtn_hdr_count > 0) { + int *enc_xtn_hdr = stream->enc_xtn_hdr; + int count = stream->enc_xtn_hdr_count; + while (count > 0) { + printf("%d ", *enc_xtn_hdr); + enc_xtn_hdr++; + count--; + } + printf("\n"); + } else { + printf("none\n"); + } + } + + /* loop over streams in session, printing the policy of each */ + stream = srtp->stream_list; + while (stream != NULL) { + if (stream->rtp_services > sec_serv_conf_and_auth) { + return srtp_err_status_bad_param; + } + session_keys = &stream->session_keys[0]; + + printf("# SSRC: 0x%08x\r\n" + "# rtp cipher: %s\r\n" + "# rtp auth: %s\r\n" + "# rtp services: %s\r\n" + "# rtcp cipher: %s\r\n" + "# rtcp auth: %s\r\n" + "# rtcp services: %s\r\n" + "# window size: %lu\r\n" + "# tx rtx allowed:%s\r\n", + stream->ssrc, session_keys->rtp_cipher->type->description, + session_keys->rtp_auth->type->description, + serv_descr[stream->rtp_services], + session_keys->rtcp_cipher->type->description, + session_keys->rtcp_auth->type->description, + serv_descr[stream->rtcp_services], + srtp_rdbx_get_window_size(&stream->rtp_rdbx), + stream->allow_repeat_tx ? "true" : "false"); + + printf("# Encrypted extension headers: "); + if (stream->enc_xtn_hdr && stream->enc_xtn_hdr_count > 0) { + int *enc_xtn_hdr = stream->enc_xtn_hdr; + int count = stream->enc_xtn_hdr_count; + while (count > 0) { + printf("%d ", *enc_xtn_hdr); + enc_xtn_hdr++; + count--; + } + printf("\n"); + } else { + printf("none\n"); + } + + /* advance to next stream in the list */ + stream = stream->next; + } + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_print_policy(const srtp_policy_t *policy) +{ + srtp_err_status_t status; + srtp_t session; + + status = srtp_create(&session, policy); + if (status) { + return status; + } + status = srtp_session_print_policy(session); + if (status) { + return status; + } + status = srtp_dealloc(session); + if (status) { + return status; + } + return srtp_err_status_ok; +} + +/* + * srtp_print_packet(...) is for debugging only + * it prints an RTP packet to the stdout + * + * note that this function is *not* threadsafe + */ + +#include <stdio.h> + +#define MTU 2048 + +char packet_string[MTU]; + +char *srtp_packet_to_string(srtp_hdr_t *hdr, int pkt_octet_len) +{ + int octets_in_rtp_header = 12; + uint8_t *data = ((uint8_t *)hdr) + octets_in_rtp_header; + int hex_len = pkt_octet_len - octets_in_rtp_header; + + /* sanity checking */ + if ((hdr == NULL) || (pkt_octet_len > MTU)) { + return NULL; + } + + /* write packet into string */ + sprintf(packet_string, "(s)rtp packet: {\n" + " version:\t%d\n" + " p:\t\t%d\n" + " x:\t\t%d\n" + " cc:\t\t%d\n" + " m:\t\t%d\n" + " pt:\t\t%x\n" + " seq:\t\t%x\n" + " ts:\t\t%x\n" + " ssrc:\t%x\n" + " data:\t%s\n" + "} (%d octets in total)\n", + hdr->version, hdr->p, hdr->x, hdr->cc, hdr->m, hdr->pt, hdr->seq, + hdr->ts, hdr->ssrc, octet_string_hex_string(data, hex_len), + pkt_octet_len); + + return packet_string; +} + +/* + * mips_estimate() is a simple function to estimate the number of + * instructions per second that the host can perform. note that this + * function can be grossly wrong; you may want to have a manual sanity + * check of its output! + * + * the 'ignore' pointer is there to convince the compiler to not just + * optimize away the function + */ + +double mips_estimate(int num_trials, int *ignore) +{ + clock_t t; + volatile int i, sum; + + sum = 0; + t = clock(); + for (i = 0; i < num_trials; i++) { + sum += i; + } + t = clock() - t; + if (t < 1) { + t = 1; + } + + /* printf("%d\n", sum); */ + *ignore = sum; + + return (double)num_trials * CLOCKS_PER_SEC / t; +} + +/* + * srtp_validate() verifies the correctness of libsrtp by comparing + * some computed packets against some pre-computed reference values. + * These packets were made with the default SRTP policy. + */ + +srtp_err_status_t srtp_validate() +{ + // clang-format off + uint8_t srtp_plaintext_ref[28] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab + }; + uint8_t srtp_plaintext[38] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + uint8_t srtp_ciphertext[38] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0x4e, 0x55, 0xdc, 0x4c, + 0xe7, 0x99, 0x78, 0xd8, 0x8c, 0xa4, 0xd2, 0x15, + 0x94, 0x9d, 0x24, 0x02, 0xb7, 0x8d, 0x6a, 0xcc, + 0x99, 0xea, 0x17, 0x9b, 0x8d, 0xbb + }; + uint8_t rtcp_plaintext_ref[24] = { + 0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + }; + uint8_t rtcp_plaintext[38] = { + 0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + uint8_t srtcp_ciphertext[38] = { + 0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe, + 0x71, 0x28, 0x03, 0x5b, 0xe4, 0x87, 0xb9, 0xbd, + 0xbe, 0xf8, 0x90, 0x41, 0xf9, 0x77, 0xa5, 0xa8, + 0x80, 0x00, 0x00, 0x01, 0x99, 0x3e, 0x08, 0xcd, + 0x54, 0xd6, 0xc1, 0x23, 0x07, 0x98 + }; + // clang-format on + + srtp_t srtp_snd, srtp_recv; + srtp_err_status_t status; + int len; + srtp_policy_t policy; + + /* + * create a session with a single stream using the default srtp + * policy and with the SSRC value 0xcafebabe + */ + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = 0xcafebabe; + policy.key = test_key; + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.next = NULL; + + status = srtp_create(&srtp_snd, &policy); + if (status) { + return status; + } + + /* + * protect plaintext, then compare with ciphertext + */ + len = 28; + status = srtp_protect(srtp_snd, srtp_plaintext, &len); + if (status || (len != 38)) { + return srtp_err_status_fail; + } + + debug_print(mod_driver, "ciphertext:\n %s", + octet_string_hex_string(srtp_plaintext, len)); + debug_print(mod_driver, "ciphertext reference:\n %s", + octet_string_hex_string(srtp_ciphertext, len)); + + if (octet_string_is_eq(srtp_plaintext, srtp_ciphertext, len)) { + return srtp_err_status_fail; + } + + /* + * protect plaintext rtcp, then compare with srtcp ciphertext + */ + len = 24; + status = srtp_protect_rtcp(srtp_snd, rtcp_plaintext, &len); + if (status || (len != 38)) { + return srtp_err_status_fail; + } + + debug_print(mod_driver, "srtcp ciphertext:\n %s", + octet_string_hex_string(rtcp_plaintext, len)); + debug_print(mod_driver, "srtcp ciphertext reference:\n %s", + octet_string_hex_string(srtcp_ciphertext, len)); + + if (octet_string_is_eq(rtcp_plaintext, srtcp_ciphertext, len)) { + return srtp_err_status_fail; + } + + /* + * create a receiver session context comparable to the one created + * above - we need to do this so that the replay checking doesn't + * complain + */ + status = srtp_create(&srtp_recv, &policy); + if (status) { + return status; + } + + /* + * unprotect ciphertext, then compare with plaintext + */ + status = srtp_unprotect(srtp_recv, srtp_ciphertext, &len); + if (status || (len != 28)) { + return status; + } + + if (octet_string_is_eq(srtp_ciphertext, srtp_plaintext_ref, len)) { + return srtp_err_status_fail; + } + + /* + * unprotect srtcp ciphertext, then compare with rtcp plaintext + */ + len = 38; + status = srtp_unprotect_rtcp(srtp_recv, srtcp_ciphertext, &len); + if (status || (len != 24)) { + return status; + } + + if (octet_string_is_eq(srtcp_ciphertext, rtcp_plaintext_ref, len)) { + return srtp_err_status_fail; + } + + status = srtp_dealloc(srtp_snd); + if (status) { + return status; + } + + status = srtp_dealloc(srtp_recv); + if (status) { + return status; + } + + return srtp_err_status_ok; +} + +#ifdef GCM +/* + * srtp_validate_gcm() verifies the correctness of libsrtp by comparing + * an computed packet against the known ciphertext for the plaintext. + */ +srtp_err_status_t srtp_validate_gcm() +{ + // clang-format off + unsigned char test_key_gcm[28] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, + 0xa8, 0xa9, 0xaa, 0xab + }; + uint8_t rtp_plaintext_ref[28] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab + }; + uint8_t rtp_plaintext[44] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00 + }; + uint8_t srtp_ciphertext[44] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xc5, 0x00, 0x2e, 0xde, + 0x04, 0xcf, 0xdd, 0x2e, 0xb9, 0x11, 0x59, 0xe0, + 0x88, 0x0a, 0xa0, 0x6e, 0xd2, 0x97, 0x68, 0x26, + 0xf7, 0x96, 0xb2, 0x01, 0xdf, 0x31, 0x31, 0xa1, + 0x27, 0xe8, 0xa3, 0x92 + }; + uint8_t rtcp_plaintext_ref[24] = { + 0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + }; + uint8_t rtcp_plaintext[44] = { + 0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00 + }; + uint8_t srtcp_ciphertext[44] = { + 0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe, + 0xc9, 0x8b, 0x8b, 0x5d, 0xf0, 0x39, 0x2a, 0x55, + 0x85, 0x2b, 0x6c, 0x21, 0xac, 0x8e, 0x70, 0x25, + 0xc5, 0x2c, 0x6f, 0xbe, 0xa2, 0xb3, 0xb4, 0x46, + 0xea, 0x31, 0x12, 0x3b, 0xa8, 0x8c, 0xe6, 0x1e, + 0x80, 0x00, 0x00, 0x01 + }; + // clang-format on + + srtp_t srtp_snd, srtp_recv; + srtp_err_status_t status; + int len; + srtp_policy_t policy; + + /* + * create a session with a single stream using the default srtp + * policy and with the SSRC value 0xcafebabe + */ + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy.rtcp); + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = 0xcafebabe; + policy.key = test_key_gcm; + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.next = NULL; + + status = srtp_create(&srtp_snd, &policy); + if (status) { + return status; + } + + /* + * protect plaintext rtp, then compare with srtp ciphertext + */ + len = 28; + status = srtp_protect(srtp_snd, rtp_plaintext, &len); + if (status || (len != 44)) { + return srtp_err_status_fail; + } + + debug_print(mod_driver, "srtp ciphertext:\n %s", + octet_string_hex_string(rtp_plaintext, len)); + debug_print(mod_driver, "srtp ciphertext reference:\n %s", + octet_string_hex_string(srtp_ciphertext, len)); + + if (octet_string_is_eq(rtp_plaintext, srtp_ciphertext, len)) { + return srtp_err_status_fail; + } + + /* + * protect plaintext rtcp, then compare with srtcp ciphertext + */ + len = 24; + status = srtp_protect_rtcp(srtp_snd, rtcp_plaintext, &len); + if (status || (len != 44)) { + return srtp_err_status_fail; + } + + debug_print(mod_driver, "srtcp ciphertext:\n %s", + octet_string_hex_string(rtcp_plaintext, len)); + debug_print(mod_driver, "srtcp ciphertext reference:\n %s", + octet_string_hex_string(srtcp_ciphertext, len)); + + if (octet_string_is_eq(rtcp_plaintext, srtcp_ciphertext, len)) { + return srtp_err_status_fail; + } + + /* + * create a receiver session context comparable to the one created + * above - we need to do this so that the replay checking doesn't + * complain + */ + status = srtp_create(&srtp_recv, &policy); + if (status) { + return status; + } + + /* + * unprotect srtp ciphertext, then compare with rtp plaintext + */ + len = 44; + status = srtp_unprotect(srtp_recv, srtp_ciphertext, &len); + if (status || (len != 28)) { + return status; + } + + if (octet_string_is_eq(srtp_ciphertext, rtp_plaintext_ref, len)) { + return srtp_err_status_fail; + } + + /* + * unprotect srtcp ciphertext, then compare with rtcp plaintext + */ + len = 44; + status = srtp_unprotect_rtcp(srtp_recv, srtcp_ciphertext, &len); + if (status || (len != 24)) { + return status; + } + + if (octet_string_is_eq(srtcp_ciphertext, rtcp_plaintext_ref, len)) { + return srtp_err_status_fail; + } + + status = srtp_dealloc(srtp_snd); + if (status) { + return status; + } + + status = srtp_dealloc(srtp_recv); + if (status) { + return status; + } + + return srtp_err_status_ok; +} +#endif + +/* + * Test vectors taken from RFC 6904, Appendix A + */ +srtp_err_status_t srtp_validate_encrypted_extensions_headers() +{ + // clang-format off + unsigned char test_key_ext_headers[30] = { + 0xe1, 0xf9, 0x7a, 0x0d, 0x3e, 0x01, 0x8b, 0xe0, + 0xd6, 0x4f, 0xa3, 0x2c, 0x06, 0xde, 0x41, 0x39, + 0x0e, 0xc6, 0x75, 0xad, 0x49, 0x8a, 0xfe, 0xeb, + 0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6 + }; + uint8_t srtp_plaintext_ref[56] = { + 0x90, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xBE, 0xDE, 0x00, 0x06, + 0x17, 0x41, 0x42, 0x73, 0xA4, 0x75, 0x26, 0x27, + 0x48, 0x22, 0x00, 0x00, 0xC8, 0x30, 0x8E, 0x46, + 0x55, 0x99, 0x63, 0x86, 0xB3, 0x95, 0xFB, 0x00, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab + }; + uint8_t srtp_plaintext[66] = { + 0x90, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xBE, 0xDE, 0x00, 0x06, + 0x17, 0x41, 0x42, 0x73, 0xA4, 0x75, 0x26, 0x27, + 0x48, 0x22, 0x00, 0x00, 0xC8, 0x30, 0x8E, 0x46, + 0x55, 0x99, 0x63, 0x86, 0xB3, 0x95, 0xFB, 0x00, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00 + }; + uint8_t srtp_ciphertext[66] = { + 0x90, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xBE, 0xDE, 0x00, 0x06, + 0x17, 0x58, 0x8A, 0x92, 0x70, 0xF4, 0xE1, 0x5E, + 0x1C, 0x22, 0x00, 0x00, 0xC8, 0x30, 0x95, 0x46, + 0xA9, 0x94, 0xF0, 0xBC, 0x54, 0x78, 0x97, 0x00, + 0x4e, 0x55, 0xdc, 0x4c, 0xe7, 0x99, 0x78, 0xd8, + 0x8c, 0xa4, 0xd2, 0x15, 0x94, 0x9d, 0x24, 0x02, + 0x5a, 0x46, 0xb3, 0xca, 0x35, 0xc5, 0x35, 0xa8, + 0x91, 0xc7 + }; + // clang-format on + + srtp_t srtp_snd, srtp_recv; + srtp_err_status_t status; + int len; + srtp_policy_t policy; + int headers[3] = { 1, 3, 4 }; + + /* + * create a session with a single stream using the default srtp + * policy and with the SSRC value 0xcafebabe + */ + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = 0xcafebabe; + policy.key = test_key_ext_headers; + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.enc_xtn_hdr = headers; + policy.enc_xtn_hdr_count = sizeof(headers) / sizeof(headers[0]); + policy.next = NULL; + + status = srtp_create(&srtp_snd, &policy); + if (status) + return status; + + /* + * protect plaintext, then compare with ciphertext + */ + len = sizeof(srtp_plaintext_ref); + status = srtp_protect(srtp_snd, srtp_plaintext, &len); + if (status || (len != sizeof(srtp_plaintext))) + return srtp_err_status_fail; + + debug_print(mod_driver, "ciphertext:\n %s", + srtp_octet_string_hex_string(srtp_plaintext, len)); + debug_print(mod_driver, "ciphertext reference:\n %s", + srtp_octet_string_hex_string(srtp_ciphertext, len)); + + if (octet_string_is_eq(srtp_plaintext, srtp_ciphertext, len)) + return srtp_err_status_fail; + + /* + * create a receiver session context comparable to the one created + * above - we need to do this so that the replay checking doesn't + * complain + */ + status = srtp_create(&srtp_recv, &policy); + if (status) + return status; + + /* + * unprotect ciphertext, then compare with plaintext + */ + status = srtp_unprotect(srtp_recv, srtp_ciphertext, &len); + if (status) { + return status; + } else if (len != sizeof(srtp_plaintext_ref)) { + return srtp_err_status_fail; + } + + if (octet_string_is_eq(srtp_ciphertext, srtp_plaintext_ref, len)) + return srtp_err_status_fail; + + status = srtp_dealloc(srtp_snd); + if (status) + return status; + + status = srtp_dealloc(srtp_recv); + if (status) + return status; + + return srtp_err_status_ok; +} + +#ifdef GCM + +/* + * Headers of test vectors taken from RFC 6904, Appendix A + */ +srtp_err_status_t srtp_validate_encrypted_extensions_headers_gcm() +{ + // clang-format off + unsigned char test_key_ext_headers[30] = { + 0xe1, 0xf9, 0x7a, 0x0d, 0x3e, 0x01, 0x8b, 0xe0, + 0xd6, 0x4f, 0xa3, 0x2c, 0x06, 0xde, 0x41, 0x39, + 0x0e, 0xc6, 0x75, 0xad, 0x49, 0x8a, 0xfe, 0xeb, + 0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6 + }; + uint8_t srtp_plaintext_ref[56] = { + 0x90, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xBE, 0xDE, 0x00, 0x06, + 0x17, 0x41, 0x42, 0x73, 0xA4, 0x75, 0x26, 0x27, + 0x48, 0x22, 0x00, 0x00, 0xC8, 0x30, 0x8E, 0x46, + 0x55, 0x99, 0x63, 0x86, 0xB3, 0x95, 0xFB, 0x00, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab + }; + uint8_t srtp_plaintext[64] = { + 0x90, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xBE, 0xDE, 0x00, 0x06, + 0x17, 0x41, 0x42, 0x73, 0xA4, 0x75, 0x26, 0x27, + 0x48, 0x22, 0x00, 0x00, 0xC8, 0x30, 0x8E, 0x46, + 0x55, 0x99, 0x63, 0x86, 0xB3, 0x95, 0xFB, 0x00, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + uint8_t srtp_ciphertext[64] = { + 0x90, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xBE, 0xDE, 0x00, 0x06, + 0x17, 0x12, 0xe0, 0x20, 0x5b, 0xfa, 0x94, 0x9b, + 0x1C, 0x22, 0x00, 0x00, 0xC8, 0x30, 0xbb, 0x46, + 0x73, 0x27, 0x78, 0xd9, 0x92, 0x9a, 0xab, 0x00, + 0x0e, 0xca, 0x0c, 0xf9, 0x5e, 0xe9, 0x55, 0xb2, + 0x6c, 0xd3, 0xd2, 0x88, 0xb4, 0x9f, 0x6c, 0xa9, + 0xf4, 0xb1, 0xb7, 0x59, 0x71, 0x9e, 0xb5, 0xbc + }; + // clang-format on + + srtp_t srtp_snd, srtp_recv; + srtp_err_status_t status; + int len; + srtp_policy_t policy; + int headers[3] = { 1, 3, 4 }; + + /* + * create a session with a single stream using the default srtp + * policy and with the SSRC value 0xcafebabe + */ + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp); + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = 0xcafebabe; + policy.key = test_key_ext_headers; + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.enc_xtn_hdr = headers; + policy.enc_xtn_hdr_count = sizeof(headers) / sizeof(headers[0]); + policy.next = NULL; + + status = srtp_create(&srtp_snd, &policy); + if (status) + return status; + + /* + * protect plaintext, then compare with ciphertext + */ + len = sizeof(srtp_plaintext_ref); + status = srtp_protect(srtp_snd, srtp_plaintext, &len); + if (status || (len != sizeof(srtp_plaintext))) + return srtp_err_status_fail; + + debug_print(mod_driver, "ciphertext:\n %s", + srtp_octet_string_hex_string(srtp_plaintext, len)); + debug_print(mod_driver, "ciphertext reference:\n %s", + srtp_octet_string_hex_string(srtp_ciphertext, len)); + + if (octet_string_is_eq(srtp_plaintext, srtp_ciphertext, len)) + return srtp_err_status_fail; + + /* + * create a receiver session context comparable to the one created + * above - we need to do this so that the replay checking doesn't + * complain + */ + status = srtp_create(&srtp_recv, &policy); + if (status) + return status; + + /* + * unprotect ciphertext, then compare with plaintext + */ + status = srtp_unprotect(srtp_recv, srtp_ciphertext, &len); + if (status) { + return status; + } else if (len != sizeof(srtp_plaintext_ref)) { + return srtp_err_status_fail; + } + + if (octet_string_is_eq(srtp_ciphertext, srtp_plaintext_ref, len)) + return srtp_err_status_fail; + + status = srtp_dealloc(srtp_snd); + if (status) + return status; + + status = srtp_dealloc(srtp_recv); + if (status) + return status; + + return srtp_err_status_ok; +} +#endif + +/* + * srtp_validate_aes_256() verifies the correctness of libsrtp by comparing + * some computed packets against some pre-computed reference values. + * These packets were made with the AES-CM-256/HMAC-SHA-1-80 policy. + */ + +srtp_err_status_t srtp_validate_aes_256() +{ + // clang-format off + unsigned char aes_256_test_key[46] = { + 0xf0, 0xf0, 0x49, 0x14, 0xb5, 0x13, 0xf2, 0x76, + 0x3a, 0x1b, 0x1f, 0xa1, 0x30, 0xf1, 0x0e, 0x29, + 0x98, 0xf6, 0xf6, 0xe4, 0x3e, 0x43, 0x09, 0xd1, + 0xe6, 0x22, 0xa0, 0xe3, 0x32, 0xb9, 0xf1, 0xb6, + + 0x3b, 0x04, 0x80, 0x3d, 0xe5, 0x1e, 0xe7, 0xc9, + 0x64, 0x23, 0xab, 0x5b, 0x78, 0xd2 + }; + uint8_t srtp_plaintext_ref[28] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab + }; + uint8_t srtp_plaintext[38] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, + 0xab, 0xab, 0xab, 0xab, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + uint8_t srtp_ciphertext[38] = { + 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, + 0xca, 0xfe, 0xba, 0xbe, 0xf1, 0xd9, 0xde, 0x17, + 0xff, 0x25, 0x1f, 0xf1, 0xaa, 0x00, 0x77, 0x74, + 0xb0, 0xb4, 0xb4, 0x0d, 0xa0, 0x8d, 0x9d, 0x9a, + 0x5b, 0x3a, 0x55, 0xd8, 0x87, 0x3b + }; + // clang-format on + + srtp_t srtp_snd, srtp_recv; + srtp_err_status_t status; + int len; + srtp_policy_t policy; + + /* + * create a session with a single stream using the default srtp + * policy and with the SSRC value 0xcafebabe + */ + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&policy.rtp); + srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&policy.rtcp); + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = 0xcafebabe; + policy.key = aes_256_test_key; + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.next = NULL; + + status = srtp_create(&srtp_snd, &policy); + if (status) { + return status; + } + + /* + * protect plaintext, then compare with ciphertext + */ + len = 28; + status = srtp_protect(srtp_snd, srtp_plaintext, &len); + if (status || (len != 38)) { + return srtp_err_status_fail; + } + + debug_print(mod_driver, "ciphertext:\n %s", + octet_string_hex_string(srtp_plaintext, len)); + debug_print(mod_driver, "ciphertext reference:\n %s", + octet_string_hex_string(srtp_ciphertext, len)); + + if (octet_string_is_eq(srtp_plaintext, srtp_ciphertext, len)) { + return srtp_err_status_fail; + } + + /* + * create a receiver session context comparable to the one created + * above - we need to do this so that the replay checking doesn't + * complain + */ + status = srtp_create(&srtp_recv, &policy); + if (status) { + return status; + } + + /* + * unprotect ciphertext, then compare with plaintext + */ + status = srtp_unprotect(srtp_recv, srtp_ciphertext, &len); + if (status || (len != 28)) { + return status; + } + + if (octet_string_is_eq(srtp_ciphertext, srtp_plaintext_ref, len)) { + return srtp_err_status_fail; + } + + status = srtp_dealloc(srtp_snd); + if (status) { + return status; + } + + status = srtp_dealloc(srtp_recv); + if (status) { + return status; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_create_big_policy(srtp_policy_t **list) +{ + extern const srtp_policy_t *policy_array[]; + srtp_policy_t *p, *tmp; + int i = 0; + uint32_t ssrc = 0; + + /* sanity checking */ + if ((list == NULL) || (policy_array[0] == NULL)) { + return srtp_err_status_bad_param; + } + + /* + * loop over policy list, mallocing a new list and copying values + * into it (and incrementing the SSRC value as we go along) + */ + tmp = NULL; + while (policy_array[i] != NULL) { + p = (srtp_policy_t *)malloc(sizeof(srtp_policy_t)); + if (p == NULL) { + return srtp_err_status_bad_param; + } + memcpy(p, policy_array[i], sizeof(srtp_policy_t)); + p->ssrc.type = ssrc_specific; + p->ssrc.value = ssrc++; + p->next = tmp; + tmp = p; + i++; + } + *list = p; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_dealloc_big_policy(srtp_policy_t *list) +{ + srtp_policy_t *p, *next; + + for (p = list; p != NULL; p = next) { + next = p->next; + free(p); + } + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_test_empty_payload() +{ + srtp_t srtp_snd, srtp_recv; + srtp_err_status_t status; + int len; + srtp_policy_t policy; + srtp_hdr_t *mesg; + + /* + * create a session with a single stream using the default srtp + * policy and with the SSRC value 0xcafebabe + */ + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = 0xcafebabe; + policy.key = test_key; + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.next = NULL; + + status = srtp_create(&srtp_snd, &policy); + if (status) { + return status; + } + + mesg = srtp_create_test_packet(0, policy.ssrc.value, &len); + if (mesg == NULL) { + return srtp_err_status_fail; + } + + status = srtp_protect(srtp_snd, mesg, &len); + if (status) { + return status; + } else if (len != 12 + 10) { + return srtp_err_status_fail; + } + + /* + * create a receiver session context comparable to the one created + * above - we need to do this so that the replay checking doesn't + * complain + */ + status = srtp_create(&srtp_recv, &policy); + if (status) { + return status; + } + + /* + * unprotect ciphertext, then compare with plaintext + */ + status = srtp_unprotect(srtp_recv, mesg, &len); + if (status) { + return status; + } else if (len != 12) { + return srtp_err_status_fail; + } + + status = srtp_dealloc(srtp_snd); + if (status) { + return status; + } + + status = srtp_dealloc(srtp_recv); + if (status) { + return status; + } + + free(mesg); + + return srtp_err_status_ok; +} + +#ifdef GCM +srtp_err_status_t srtp_test_empty_payload_gcm() +{ + srtp_t srtp_snd, srtp_recv; + srtp_err_status_t status; + int len; + srtp_policy_t policy; + srtp_hdr_t *mesg; + + /* + * create a session with a single stream using the default srtp + * policy and with the SSRC value 0xcafebabe + */ + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp); + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = 0xcafebabe; + policy.key = test_key; + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.next = NULL; + + status = srtp_create(&srtp_snd, &policy); + if (status) { + return status; + } + + mesg = srtp_create_test_packet(0, policy.ssrc.value, &len); + if (mesg == NULL) { + return srtp_err_status_fail; + } + + status = srtp_protect(srtp_snd, mesg, &len); + if (status) { + return status; + } else if (len != 12 + 8) { + return srtp_err_status_fail; + } + + /* + * create a receiver session context comparable to the one created + * above - we need to do this so that the replay checking doesn't + * complain + */ + status = srtp_create(&srtp_recv, &policy); + if (status) { + return status; + } + + /* + * unprotect ciphertext, then compare with plaintext + */ + status = srtp_unprotect(srtp_recv, mesg, &len); + if (status) { + return status; + } else if (len != 12) { + return srtp_err_status_fail; + } + + status = srtp_dealloc(srtp_snd); + if (status) { + return status; + } + + status = srtp_dealloc(srtp_recv); + if (status) { + return status; + } + + free(mesg); + + return srtp_err_status_ok; +} +#endif // GCM + +srtp_err_status_t srtp_test_remove_stream() +{ + srtp_err_status_t status; + srtp_policy_t *policy_list, policy; + srtp_t session; + srtp_stream_t stream; + + /* + * srtp_get_stream() is a libSRTP internal function that we declare + * here so that we can use it to verify the correct operation of the + * library + */ + extern srtp_stream_t srtp_get_stream(srtp_t srtp, uint32_t ssrc); + + status = srtp_create_big_policy(&policy_list); + if (status) { + return status; + } + + status = srtp_create(&session, policy_list); + if (status) { + return status; + } + + /* + * check for false positives by trying to remove a stream that's not + * in the session + */ + status = srtp_remove_stream(session, htonl(0xaaaaaaaa)); + if (status != srtp_err_status_no_ctx) { + return srtp_err_status_fail; + } + + /* + * check for false negatives by removing stream 0x1, then + * searching for streams 0x0 and 0x2 + */ + status = srtp_remove_stream(session, htonl(0x1)); + if (status != srtp_err_status_ok) { + return srtp_err_status_fail; + } + stream = srtp_get_stream(session, htonl(0x0)); + if (stream == NULL) { + return srtp_err_status_fail; + } + stream = srtp_get_stream(session, htonl(0x2)); + if (stream == NULL) { + return srtp_err_status_fail; + } + + status = srtp_dealloc(session); + if (status != srtp_err_status_ok) { + return status; + } + + status = srtp_dealloc_big_policy(policy_list); + if (status != srtp_err_status_ok) { + return status; + } + + /* Now test adding and removing a single stream */ + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = 0xcafebabe; + policy.key = test_key; + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.next = NULL; + + status = srtp_create(&session, NULL); + if (status != srtp_err_status_ok) { + return status; + } + + status = srtp_add_stream(session, &policy); + if (status != srtp_err_status_ok) { + return status; + } + + status = srtp_remove_stream(session, htonl(0xcafebabe)); + if (status != srtp_err_status_ok) { + return status; + } + + status = srtp_dealloc(session); + if (status != srtp_err_status_ok) { + return status; + } + + return srtp_err_status_ok; +} + +// clang-format off +unsigned char test_alt_key[46] = { + 0xe5, 0x19, 0x6f, 0x01, 0x5e, 0xf1, 0x9b, 0xe1, + 0xd7, 0x47, 0xa7, 0x27, 0x07, 0xd7, 0x47, 0x33, + 0x01, 0xc2, 0x35, 0x4d, 0x59, 0x6a, 0xf7, 0x84, + 0x96, 0x98, 0xeb, 0xaa, 0xac, 0xf6, 0xa1, 0x45, + 0xc7, 0x15, 0xe2, 0xea, 0xfe, 0x55, 0x67, 0x96, + 0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6 +}; +// clang-format on + +/* + * srtp_test_update() verifies updating/rekeying exsisting streams. + * As stated in https://tools.ietf.org/html/rfc3711#section-3.3.1 + * the value of the ROC must not be reset after a rekey, this test + * atempts to prove that srtp_update does not reset the ROC. + */ + +srtp_err_status_t srtp_test_update() +{ + srtp_err_status_t status; + uint32_t ssrc = 0x12121212; + int msg_len_octets = 32; + int protected_msg_len_octets; + srtp_hdr_t *msg; + srtp_t srtp_snd, srtp_recv; + srtp_policy_t policy; + + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.next = NULL; + policy.ssrc.type = ssrc_any_outbound; + policy.key = test_key; + + /* create a send and recive ctx with defualt profile and test_key */ + status = srtp_create(&srtp_recv, &policy); + if (status) + return status; + + policy.ssrc.type = ssrc_any_inbound; + status = srtp_create(&srtp_snd, &policy); + if (status) + return status; + + /* protect and unprotect two msg's that will cause the ROC to be equal to 1 + */ + msg = srtp_create_test_packet(msg_len_octets, ssrc, + &protected_msg_len_octets); + if (msg == NULL) + return srtp_err_status_alloc_fail; + msg->seq = htons(65535); + + status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets); + if (status) + return srtp_err_status_fail; + + status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); + if (status) + return status; + + free(msg); + + msg = srtp_create_test_packet(msg_len_octets, ssrc, + &protected_msg_len_octets); + if (msg == NULL) + return srtp_err_status_alloc_fail; + msg->seq = htons(1); + + status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets); + if (status) + return srtp_err_status_fail; + + status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); + if (status) + return status; + + free(msg); + + /* update send ctx with same test_key t verify update works*/ + policy.ssrc.type = ssrc_any_outbound; + policy.key = test_key; + status = srtp_update(srtp_snd, &policy); + if (status) + return status; + + msg = srtp_create_test_packet(msg_len_octets, ssrc, + &protected_msg_len_octets); + if (msg == NULL) + return srtp_err_status_alloc_fail; + msg->seq = htons(2); + + status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets); + if (status) + return srtp_err_status_fail; + + status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); + if (status) + return status; + + free(msg); + + /* update send ctx to use test_alt_key */ + policy.ssrc.type = ssrc_any_outbound; + policy.key = test_alt_key; + status = srtp_update(srtp_snd, &policy); + if (status) + return status; + + /* create and protect msg with new key and ROC still equal to 1 */ + msg = srtp_create_test_packet(msg_len_octets, ssrc, + &protected_msg_len_octets); + if (msg == NULL) + return srtp_err_status_alloc_fail; + msg->seq = htons(3); + + status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets); + if (status) + return srtp_err_status_fail; + + /* verify that recive ctx will fail to unprotect as it still uses test_key + */ + status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); + if (status == srtp_err_status_ok) + return srtp_err_status_fail; + + /* create a new recvieve ctx with test_alt_key but since it is new it will + * have ROC equal to 1 + * and therefore should fail to unprotected */ + { + srtp_t srtp_recv_roc_0; + + policy.ssrc.type = ssrc_any_inbound; + policy.key = test_alt_key; + status = srtp_create(&srtp_recv_roc_0, &policy); + if (status) + return status; + + status = + srtp_unprotect(srtp_recv_roc_0, msg, &protected_msg_len_octets); + if (status == srtp_err_status_ok) + return srtp_err_status_fail; + + status = srtp_dealloc(srtp_recv_roc_0); + if (status) + return status; + } + + /* update recive ctx to use test_alt_key */ + policy.ssrc.type = ssrc_any_inbound; + policy.key = test_alt_key; + status = srtp_update(srtp_recv, &policy); + if (status) + return status; + + /* verify that can still unprotect, therfore key is updated and ROC value is + * preserved */ + status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); + if (status) + return status; + + free(msg); + + status = srtp_dealloc(srtp_snd); + if (status) + return status; + + status = srtp_dealloc(srtp_recv); + if (status) + return status; + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_test_setup_protect_trailer_streams( + srtp_t *srtp_send, + srtp_t *srtp_send_mki, + srtp_t *srtp_send_aes_gcm, + srtp_t *srtp_send_aes_gcm_mki) +{ + srtp_err_status_t status; + srtp_policy_t policy; + srtp_policy_t policy_mki; + +#ifdef GCM + srtp_policy_t policy_aes_gcm; + srtp_policy_t policy_aes_gcm_mki; +#endif // GCM + + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.next = NULL; + policy.ssrc.type = ssrc_any_outbound; + policy.key = test_key; + + memset(&policy_mki, 0, sizeof(policy_mki)); + srtp_crypto_policy_set_rtp_default(&policy_mki.rtp); + srtp_crypto_policy_set_rtcp_default(&policy_mki.rtcp); + policy_mki.ekt = NULL; + policy_mki.window_size = 128; + policy_mki.allow_repeat_tx = 0; + policy_mki.next = NULL; + policy_mki.ssrc.type = ssrc_any_outbound; + policy_mki.key = NULL; + policy_mki.keys = test_keys; + policy_mki.num_master_keys = 2; + +#ifdef GCM + memset(&policy_aes_gcm, 0, sizeof(policy_aes_gcm)); + srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm.rtp); + srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm.rtcp); + policy_aes_gcm.ekt = NULL; + policy_aes_gcm.window_size = 128; + policy_aes_gcm.allow_repeat_tx = 0; + policy_aes_gcm.next = NULL; + policy_aes_gcm.ssrc.type = ssrc_any_outbound; + policy_aes_gcm.key = test_key; + + memset(&policy_aes_gcm_mki, 0, sizeof(policy_aes_gcm_mki)); + srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm_mki.rtp); + srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm_mki.rtcp); + policy_aes_gcm_mki.ekt = NULL; + policy_aes_gcm_mki.window_size = 128; + policy_aes_gcm_mki.allow_repeat_tx = 0; + policy_aes_gcm_mki.next = NULL; + policy_aes_gcm_mki.ssrc.type = ssrc_any_outbound; + policy_aes_gcm_mki.key = NULL; + policy_aes_gcm_mki.keys = test_keys; + policy_aes_gcm_mki.num_master_keys = 2; +#endif // GCM + + /* create a send ctx with defualt profile and test_key */ + status = srtp_create(srtp_send, &policy); + if (status) + return status; + + status = srtp_create(srtp_send_mki, &policy_mki); + if (status) + return status; + +#ifdef GCM + status = srtp_create(srtp_send_aes_gcm, &policy_aes_gcm); + if (status) + return status; + + status = srtp_create(srtp_send_aes_gcm_mki, &policy_aes_gcm_mki); + if (status) + return status; +#endif // GCM + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_test_protect_trailer_length() +{ + srtp_t srtp_send; + srtp_t srtp_send_mki; + srtp_t srtp_send_aes_gcm; + srtp_t srtp_send_aes_gcm_mki; + uint32_t length = 0; + srtp_err_status_t status; + + srtp_test_setup_protect_trailer_streams( + &srtp_send, &srtp_send_mki, &srtp_send_aes_gcm, &srtp_send_aes_gcm_mki); + + status = srtp_get_protect_trailer_length(srtp_send, 0, 0, &length); + if (status) + return status; + + /* TAG Length: 10 bytes */ + if (length != 10) + return srtp_err_status_fail; + + status = srtp_get_protect_trailer_length(srtp_send_mki, 1, 1, &length); + if (status) + return status; + + /* TAG Length: 10 bytes + MKI length: 4 bytes*/ + if (length != 14) + return srtp_err_status_fail; + +#ifdef GCM + status = srtp_get_protect_trailer_length(srtp_send_aes_gcm, 0, 0, &length); + if (status) + return status; + + /* TAG Length: 16 bytes */ + if (length != 16) + return srtp_err_status_fail; + + status = + srtp_get_protect_trailer_length(srtp_send_aes_gcm_mki, 1, 1, &length); + if (status) + return status; + + /* TAG Length: 16 bytes + MKI length: 4 bytes*/ + if (length != 20) + return srtp_err_status_fail; +#endif // GCM + + srtp_dealloc(srtp_send); + srtp_dealloc(srtp_send_mki); +#ifdef GCM + srtp_dealloc(srtp_send_aes_gcm); + srtp_dealloc(srtp_send_aes_gcm_mki); +#endif + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_test_protect_rtcp_trailer_length() +{ + srtp_t srtp_send; + srtp_t srtp_send_mki; + srtp_t srtp_send_aes_gcm; + srtp_t srtp_send_aes_gcm_mki; + uint32_t length = 0; + srtp_err_status_t status; + + srtp_test_setup_protect_trailer_streams( + &srtp_send, &srtp_send_mki, &srtp_send_aes_gcm, &srtp_send_aes_gcm_mki); + + status = srtp_get_protect_rtcp_trailer_length(srtp_send, 0, 0, &length); + if (status) + return status; + + /* TAG Length: 10 bytes + SRTCP Trailer 4 bytes*/ + if (length != 14) + return srtp_err_status_fail; + + status = srtp_get_protect_rtcp_trailer_length(srtp_send_mki, 1, 1, &length); + if (status) + return status; + + /* TAG Length: 10 bytes + SRTCP Trailer 4 bytes + MKI 4 bytes*/ + if (length != 18) + return srtp_err_status_fail; + +#ifdef GCM + status = + srtp_get_protect_rtcp_trailer_length(srtp_send_aes_gcm, 0, 0, &length); + if (status) + return status; + + /* TAG Length: 16 bytes + SRTCP Trailer 4 bytes*/ + if (length != 20) + return srtp_err_status_fail; + + status = srtp_get_protect_rtcp_trailer_length(srtp_send_aes_gcm_mki, 1, 1, + &length); + if (status) + return status; + + /* TAG Length: 16 bytes + SRTCP Trailer 4 bytes + MKI 4 bytes*/ + if (length != 24) + return srtp_err_status_fail; +#endif // GCM + + srtp_dealloc(srtp_send); + srtp_dealloc(srtp_send_mki); +#ifdef GCM + srtp_dealloc(srtp_send_aes_gcm); + srtp_dealloc(srtp_send_aes_gcm_mki); +#endif + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_test_get_roc() +{ + srtp_err_status_t status; + srtp_policy_t policy; + srtp_t session; + srtp_hdr_t *pkt; + uint32_t i; + uint32_t roc; + uint32_t ts; + uint16_t seq; + + int msg_len_octets = 32; + int protected_msg_len_octets; + + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = 0xcafebabe; + policy.key = test_key; + policy.window_size = 128; + + /* Create a sender session */ + status = srtp_create(&session, &policy); + if (status) { + return status; + } + + /* Set start sequence so we roll over */ + seq = 65535; + ts = 0; + + for (i = 0; i < 2; i++) { + pkt = srtp_create_test_packet_extended(msg_len_octets, + policy.ssrc.value, seq, ts, + &protected_msg_len_octets); + status = srtp_protect(session, pkt, &protected_msg_len_octets); + free(pkt); + if (status) { + return status; + } + + status = srtp_get_stream_roc(session, policy.ssrc.value, &roc); + if (status) { + return status; + } + + if (roc != i) { + return srtp_err_status_fail; + } + + seq++; + ts++; + } + + /* Cleanup */ + status = srtp_dealloc(session); + if (status) { + return status; + } + + return srtp_err_status_ok; +} + +static srtp_err_status_t test_set_receiver_roc(uint32_t packets, + uint32_t roc_to_set) +{ + srtp_err_status_t status; + + srtp_policy_t sender_policy; + srtp_t sender_session; + + srtp_policy_t receiver_policy; + srtp_t receiver_session; + + srtp_hdr_t *pkt_1; + unsigned char *recv_pkt_1; + + srtp_hdr_t *pkt_2; + unsigned char *recv_pkt_2; + + uint32_t i; + uint32_t ts; + uint16_t seq; + + int msg_len_octets = 32; + int protected_msg_len_octets_1; + int protected_msg_len_octets_2; + + /* Create sender */ + memset(&sender_policy, 0, sizeof(sender_policy)); + srtp_crypto_policy_set_rtp_default(&sender_policy.rtp); + srtp_crypto_policy_set_rtcp_default(&sender_policy.rtcp); + sender_policy.ssrc.type = ssrc_specific; + sender_policy.ssrc.value = 0xcafebabe; + sender_policy.key = test_key; + sender_policy.window_size = 128; + + status = srtp_create(&sender_session, &sender_policy); + if (status) { + return status; + } + + /* Create and protect packets */ + seq = 0; + ts = 0; + for (i = 0; i < packets; i++) { + srtp_hdr_t *tmp_pkt; + int tmp_len; + + tmp_pkt = srtp_create_test_packet_extended( + msg_len_octets, sender_policy.ssrc.value, seq, ts, &tmp_len); + status = srtp_protect(sender_session, tmp_pkt, &tmp_len); + free(tmp_pkt); + if (status) { + return status; + } + + seq++; + ts++; + } + + /* Create the first packet to decrypt and test for ROC change */ + pkt_1 = srtp_create_test_packet_extended(msg_len_octets, + sender_policy.ssrc.value, seq, ts, + &protected_msg_len_octets_1); + status = srtp_protect(sender_session, pkt_1, &protected_msg_len_octets_1); + if (status) { + return status; + } + + /* Create the second packet to decrypt and test for ROC change */ + seq++; + ts++; + pkt_2 = srtp_create_test_packet_extended(msg_len_octets, + sender_policy.ssrc.value, seq, ts, + &protected_msg_len_octets_2); + status = srtp_protect(sender_session, pkt_2, &protected_msg_len_octets_2); + if (status) { + return status; + } + + /* Create the receiver */ + memset(&receiver_policy, 0, sizeof(receiver_policy)); + srtp_crypto_policy_set_rtp_default(&receiver_policy.rtp); + srtp_crypto_policy_set_rtcp_default(&receiver_policy.rtcp); + receiver_policy.ssrc.type = ssrc_specific; + receiver_policy.ssrc.value = sender_policy.ssrc.value; + receiver_policy.key = test_key; + receiver_policy.window_size = 128; + + status = srtp_create(&receiver_session, &receiver_policy); + if (status) { + return status; + } + + /* Make a copy of the first sent protected packet */ + recv_pkt_1 = malloc(protected_msg_len_octets_1); + if (recv_pkt_1 == NULL) { + return srtp_err_status_fail; + } + memcpy(recv_pkt_1, pkt_1, protected_msg_len_octets_1); + + /* Make a copy of the second sent protected packet */ + recv_pkt_2 = malloc(protected_msg_len_octets_2); + if (recv_pkt_2 == NULL) { + return srtp_err_status_fail; + } + memcpy(recv_pkt_2, pkt_2, protected_msg_len_octets_2); + + /* Set the ROC to the wanted value */ + status = srtp_set_stream_roc(receiver_session, receiver_policy.ssrc.value, + roc_to_set); + if (status) { + return status; + } + + /* Unprotect the first packet */ + status = srtp_unprotect(receiver_session, recv_pkt_1, + &protected_msg_len_octets_1); + if (status) { + return status; + } + + /* Unprotect the second packet */ + status = srtp_unprotect(receiver_session, recv_pkt_2, + &protected_msg_len_octets_2); + if (status) { + return status; + } + + /* Cleanup */ + status = srtp_dealloc(sender_session); + if (status) { + return status; + } + + status = srtp_dealloc(receiver_session); + if (status) { + return status; + } + + free(pkt_1); + free(recv_pkt_1); + free(pkt_2); + free(recv_pkt_2); + + return srtp_err_status_ok; +} + +static srtp_err_status_t test_set_sender_roc(uint16_t seq, uint32_t roc_to_set) +{ + srtp_err_status_t status; + + srtp_policy_t sender_policy; + srtp_t sender_session; + + srtp_policy_t receiver_policy; + srtp_t receiver_session; + + srtp_hdr_t *pkt; + unsigned char *recv_pkt; + + uint32_t ts; + + int msg_len_octets = 32; + int protected_msg_len_octets; + + /* Create sender */ + memset(&sender_policy, 0, sizeof(sender_policy)); + srtp_crypto_policy_set_rtp_default(&sender_policy.rtp); + srtp_crypto_policy_set_rtcp_default(&sender_policy.rtcp); + sender_policy.ssrc.type = ssrc_specific; + sender_policy.ssrc.value = 0xcafebabe; + sender_policy.key = test_key; + sender_policy.window_size = 128; + + status = srtp_create(&sender_session, &sender_policy); + if (status) { + return status; + } + + /* Set the ROC before encrypting the first packet */ + status = srtp_set_stream_roc(sender_session, sender_policy.ssrc.value, + roc_to_set); + if (status != srtp_err_status_ok) { + return status; + } + + /* Create the packet to decrypt */ + ts = 0; + pkt = srtp_create_test_packet_extended(msg_len_octets, + sender_policy.ssrc.value, seq, ts, + &protected_msg_len_octets); + status = srtp_protect(sender_session, pkt, &protected_msg_len_octets); + if (status) { + return status; + } + + /* Create the receiver */ + memset(&receiver_policy, 0, sizeof(receiver_policy)); + srtp_crypto_policy_set_rtp_default(&receiver_policy.rtp); + srtp_crypto_policy_set_rtcp_default(&receiver_policy.rtcp); + receiver_policy.ssrc.type = ssrc_specific; + receiver_policy.ssrc.value = sender_policy.ssrc.value; + receiver_policy.key = test_key; + receiver_policy.window_size = 128; + + status = srtp_create(&receiver_session, &receiver_policy); + if (status) { + return status; + } + + /* Make a copy of the sent protected packet */ + recv_pkt = malloc(protected_msg_len_octets); + if (recv_pkt == NULL) { + return srtp_err_status_fail; + } + memcpy(recv_pkt, pkt, protected_msg_len_octets); + + /* Set the ROC to the wanted value */ + status = srtp_set_stream_roc(receiver_session, receiver_policy.ssrc.value, + roc_to_set); + if (status) { + return status; + } + + status = + srtp_unprotect(receiver_session, recv_pkt, &protected_msg_len_octets); + if (status) { + return status; + } + + /* Cleanup */ + status = srtp_dealloc(sender_session); + if (status) { + return status; + } + + status = srtp_dealloc(receiver_session); + if (status) { + return status; + } + + free(pkt); + free(recv_pkt); + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_test_set_receiver_roc() +{ + int packets; + uint32_t roc; + srtp_err_status_t status; + + /* First test does not rollover */ + packets = 1; + roc = 0; + + status = test_set_receiver_roc(packets - 1, roc); + if (status) { + return status; + } + + status = test_set_receiver_roc(packets, roc); + if (status) { + return status; + } + + status = test_set_receiver_roc(packets + 1, roc); + if (status) { + return status; + } + + status = test_set_receiver_roc(packets + 60000, roc); + if (status) { + return status; + } + + /* Second test should rollover */ + packets = 65535; + roc = 0; + + status = test_set_receiver_roc(packets - 1, roc); + if (status) { + return status; + } + + status = test_set_receiver_roc(packets, roc); + if (status) { + return status; + } + + /* Now the rollover counter should be 1 */ + roc = 1; + status = test_set_receiver_roc(packets + 1, roc); + if (status) { + return status; + } + + status = test_set_receiver_roc(packets + 60000, roc); + if (status) { + return status; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_test_set_sender_roc() +{ + uint32_t roc; + uint16_t seq; + srtp_err_status_t status; + + seq = 43210; + roc = 0; + status = test_set_sender_roc(seq, roc); + if (status) { + return status; + } + + roc = 65535; + status = test_set_sender_roc(seq, roc); + if (status) { + return status; + } + + roc = 0xffff; + status = test_set_sender_roc(seq, roc); + if (status) { + return status; + } + + roc = 0xffff00; + status = test_set_sender_roc(seq, roc); + if (status) { + return status; + } + + roc = 0xfffffff0; + status = test_set_sender_roc(seq, roc); + if (status) { + return status; + } + + return srtp_err_status_ok; +} + +/* + * srtp policy definitions - these definitions are used above + */ + +// clang-format off +unsigned char test_key[46] = { + 0xe1, 0xf9, 0x7a, 0x0d, 0x3e, 0x01, 0x8b, 0xe0, + 0xd6, 0x4f, 0xa3, 0x2c, 0x06, 0xde, 0x41, 0x39, + 0x0e, 0xc6, 0x75, 0xad, 0x49, 0x8a, 0xfe, 0xeb, + 0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6, 0xc1, 0x73, + 0xc3, 0x17, 0xf2, 0xda, 0xbe, 0x35, 0x77, 0x93, + 0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6 +}; + +unsigned char test_key_2[46] = { + 0xf0, 0xf0, 0x49, 0x14, 0xb5, 0x13, 0xf2, 0x76, + 0x3a, 0x1b, 0x1f, 0xa1, 0x30, 0xf1, 0x0e, 0x29, + 0x98, 0xf6, 0xf6, 0xe4, 0x3e, 0x43, 0x09, 0xd1, + 0xe6, 0x22, 0xa0, 0xe3, 0x32, 0xb9, 0xf1, 0xb6, + 0xc3, 0x17, 0xf2, 0xda, 0xbe, 0x35, 0x77, 0x93, + 0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6 +}; + +unsigned char test_mki_id[TEST_MKI_ID_SIZE] = { + 0xe1, 0xf9, 0x7a, 0x0d +}; + +unsigned char test_mki_id_2[TEST_MKI_ID_SIZE] = { + 0xf3, 0xa1, 0x46, 0x71 +}; +// clang-format on + +const srtp_policy_t default_policy = { + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ + SRTP_AES_ICM_128, /* cipher type */ + SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 16, /* auth key length in octets */ + 10, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ + }, + { + /* SRTCP policy */ + SRTP_AES_ICM_128, /* cipher type */ + SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 16, /* auth key length in octets */ + 10, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ + }, + NULL, + (srtp_master_key_t **)test_keys, + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ + NULL +}; + +const srtp_policy_t aes_only_policy = { + { ssrc_any_outbound, 0 }, /* SSRC */ + { + SRTP_AES_ICM_128, /* cipher type */ + SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 0, /* auth tag length in octets */ + sec_serv_conf /* security services flag */ + }, + { + SRTP_AES_ICM_128, /* cipher type */ + SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 0, /* auth tag length in octets */ + sec_serv_conf /* security services flag */ + }, + NULL, + (srtp_master_key_t **)test_keys, + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ + NULL +}; + +const srtp_policy_t hmac_only_policy = { + { ssrc_any_outbound, 0 }, /* SSRC */ + { + SRTP_NULL_CIPHER, /* cipher type */ + 0, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 20, /* auth key length in octets */ + 4, /* auth tag length in octets */ + sec_serv_auth /* security services flag */ + }, + { + SRTP_NULL_CIPHER, /* cipher type */ + 0, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 20, /* auth key length in octets */ + 4, /* auth tag length in octets */ + sec_serv_auth /* security services flag */ + }, + NULL, + (srtp_master_key_t **)test_keys, + 2, /* Number of Master keys associated with the policy */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ + NULL +}; + +#ifdef GCM +const srtp_policy_t aes128_gcm_8_policy = { + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ + SRTP_AES_GCM_128, /* cipher type */ + SRTP_AES_GCM_128_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 8, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ + }, + { + /* SRTCP policy */ + SRTP_AES_GCM_128, /* cipher type */ + SRTP_AES_GCM_128_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 8, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ + }, + NULL, + (srtp_master_key_t **)test_keys, + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ + NULL +}; + +const srtp_policy_t aes128_gcm_8_cauth_policy = { + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ + SRTP_AES_GCM_128, /* cipher type */ + SRTP_AES_GCM_128_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 8, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ + }, + { + /* SRTCP policy */ + SRTP_AES_GCM_128, /* cipher type */ + SRTP_AES_GCM_128_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 8, /* auth tag length in octets */ + sec_serv_auth /* security services flag */ + }, + NULL, + (srtp_master_key_t **)test_keys, + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ + NULL +}; + +const srtp_policy_t aes256_gcm_8_policy = { + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ + SRTP_AES_GCM_256, /* cipher type */ + SRTP_AES_GCM_256_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 8, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ + }, + { + /* SRTCP policy */ + SRTP_AES_GCM_256, /* cipher type */ + SRTP_AES_GCM_256_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 8, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ + }, + NULL, + (srtp_master_key_t **)test_keys, + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ + NULL +}; + +const srtp_policy_t aes256_gcm_8_cauth_policy = { + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ + SRTP_AES_GCM_256, /* cipher type */ + SRTP_AES_GCM_256_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 8, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ + }, + { + /* SRTCP policy */ + SRTP_AES_GCM_256, /* cipher type */ + SRTP_AES_GCM_256_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 8, /* auth tag length in octets */ + sec_serv_auth /* security services flag */ + }, + NULL, + (srtp_master_key_t **)test_keys, + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ + NULL +}; +#endif + +const srtp_policy_t null_policy = { + { ssrc_any_outbound, 0 }, /* SSRC */ + { + SRTP_NULL_CIPHER, /* cipher type */ + 0, /* cipher key length in octets */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 0, /* auth tag length in octets */ + sec_serv_none /* security services flag */ + }, + { + SRTP_NULL_CIPHER, /* cipher type */ + 0, /* cipher key length in octets */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 0, /* auth tag length in octets */ + sec_serv_none /* security services flag */ + }, + NULL, + (srtp_master_key_t **)test_keys, + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ + NULL +}; + +// clang-format off +unsigned char test_256_key[46] = { + 0xf0, 0xf0, 0x49, 0x14, 0xb5, 0x13, 0xf2, 0x76, + 0x3a, 0x1b, 0x1f, 0xa1, 0x30, 0xf1, 0x0e, 0x29, + 0x98, 0xf6, 0xf6, 0xe4, 0x3e, 0x43, 0x09, 0xd1, + 0xe6, 0x22, 0xa0, 0xe3, 0x32, 0xb9, 0xf1, 0xb6, + + 0x3b, 0x04, 0x80, 0x3d, 0xe5, 0x1e, 0xe7, 0xc9, + 0x64, 0x23, 0xab, 0x5b, 0x78, 0xd2 +}; + +unsigned char test_256_key_2[46] = { + 0xe1, 0xf9, 0x7a, 0x0d, 0x3e, 0x01, 0x8b, 0xe0, + 0xd6, 0x4f, 0xa3, 0x2c, 0x06, 0xde, 0x41, 0x39, + 0x0e, 0xc6, 0x75, 0xad, 0x49, 0x8a, 0xfe, 0xeb, + 0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6, 0xc1, 0x73, + 0x3b, 0x04, 0x80, 0x3d, 0xe5, 0x1e, 0xe7, 0xc9, + 0x64, 0x23, 0xab, 0x5b, 0x78, 0xd2 +}; + +srtp_master_key_t master_256_key_1 = { + test_256_key, + test_mki_id, + TEST_MKI_ID_SIZE +}; + +srtp_master_key_t master_256_key_2 = { + test_256_key_2, + test_mki_id_2, + TEST_MKI_ID_SIZE +}; + +srtp_master_key_t *test_256_keys[2] = { + &master_key_1, + &master_key_2 +}; +// clang-format on + +const srtp_policy_t aes_256_hmac_policy = { + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ + SRTP_AES_ICM_256, /* cipher type */ + SRTP_AES_ICM_256_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 20, /* auth key length in octets */ + 10, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ + }, + { + /* SRTCP policy */ + SRTP_AES_ICM_256, /* cipher type */ + SRTP_AES_ICM_256_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 20, /* auth key length in octets */ + 10, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ + }, + NULL, + (srtp_master_key_t **)test_256_keys, + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ + NULL +}; + +// clang-format off +uint8_t ekt_test_key[16] = { + 0x77, 0x26, 0x9d, 0xac, 0x16, 0xa3, 0x28, 0xca, + 0x8e, 0xc9, 0x68, 0x4b, 0xcc, 0xc4, 0xd2, 0x1b +}; +// clang-format on + +#include "ekt.h" + +// clang-format off +srtp_ekt_policy_ctx_t ekt_test_policy = { + 0xa5a5, /* SPI */ + SRTP_EKT_CIPHER_AES_128_ECB, + ekt_test_key, + NULL +}; +// clang-format on + +const srtp_policy_t hmac_only_with_ekt_policy = { + { ssrc_any_outbound, 0 }, /* SSRC */ + { + SRTP_NULL_CIPHER, /* cipher type */ + 0, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 20, /* auth key length in octets */ + 4, /* auth tag length in octets */ + sec_serv_auth /* security services flag */ + }, + { + SRTP_NULL_CIPHER, /* cipher type */ + 0, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 20, /* auth key length in octets */ + 4, /* auth tag length in octets */ + sec_serv_auth /* security services flag */ + }, + NULL, + (srtp_master_key_t **)test_keys, + 2, /* indicates the number of Master keys */ + &ekt_test_policy, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ + NULL +}; + +/* + * an array of pointers to the policies listed above + * + * This array is used to test various aspects of libSRTP for + * different cryptographic policies. The order of the elements + * matters - the timing test generates output that can be used + * in a plot (see the gnuplot script file 'timing'). If you + * add to this list, you should do it at the end. + */ + +// clang-format off +const srtp_policy_t *policy_array[] = { + &hmac_only_policy, + &aes_only_policy, + &default_policy, +#ifdef GCM + &aes128_gcm_8_policy, + &aes128_gcm_8_cauth_policy, + &aes256_gcm_8_policy, + &aes256_gcm_8_cauth_policy, +#endif + &null_policy, + &aes_256_hmac_policy, + &hmac_only_with_ekt_policy, + NULL +}; +// clang-format on + +const srtp_policy_t wildcard_policy = { + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ + SRTP_AES_ICM_128, /* cipher type */ + SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 16, /* auth key length in octets */ + 10, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ + }, + { + /* SRTCP policy */ + SRTP_AES_ICM_128, /* cipher type */ + SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 16, /* auth key length in octets */ + 10, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ + }, + test_key, + NULL, + 0, + NULL, + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ + NULL +}; diff --git a/netwerk/srtp/src/test/test_srtp.c b/netwerk/srtp/src/test/test_srtp.c new file mode 100644 index 0000000000..cdc9b5d5b7 --- /dev/null +++ b/netwerk/srtp/src/test/test_srtp.c @@ -0,0 +1,185 @@ +/* + * test_srtp.c + * + * Unit tests for internal srtp functions + * + * Cisco Systems, Inc. + * + */ + +/* + * + * Copyright (c) 2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +/* + * Test specific. + */ +#include "cutest.h" + +/* + * libSRTP specific. + */ +#include "../srtp/srtp.c" // Get access to static functions + +/* + * Standard library. + */ + +/* + * Forward declarations for all tests. + */ + +void srtp_calc_aead_iv_srtcp_all_zero_input_yield_zero_output(void); +void srtp_calc_aead_iv_srtcp_seq_num_over_0x7FFFFFFF_bad_param(void); +void srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number(void); + +/* + * NULL terminated array of tests. + * The first item in the array is a char[] which give some information about + * what is being tested and is displayed to the user during runtime, the second + * item is the test function. + */ + +TEST_LIST = { { "srtp_calc_aead_iv_srtcp_all_zero_input_yield_zero_output()", + srtp_calc_aead_iv_srtcp_all_zero_input_yield_zero_output }, + { "srtp_calc_aead_iv_srtcp_seq_num_over_0x7FFFFFFF_bad_param()", + srtp_calc_aead_iv_srtcp_seq_num_over_0x7FFFFFFF_bad_param }, + { "srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number()", + srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number }, + { NULL } /* End of tests */ }; + +/* + * Implementation. + */ + +void srtp_calc_aead_iv_srtcp_all_zero_input_yield_zero_output() +{ + // Preconditions + srtp_session_keys_t session_keys; + v128_t init_vector; + srtcp_hdr_t header; + uint32_t sequence_num; + + // Postconditions + srtp_err_status_t status; + const v128_t zero_vector; + memset((v128_t *)&zero_vector, 0, sizeof(v128_t)); + + // Given + memset(&session_keys, 0, sizeof(srtp_session_keys_t)); + memset(&init_vector, 0, sizeof(v128_t)); + memset(&header, 0, sizeof(srtcp_hdr_t)); + sequence_num = 0x0UL; + + // When + status = srtp_calc_aead_iv_srtcp(&session_keys, &init_vector, sequence_num, + &header); + + // Then + TEST_CHECK(status == srtp_err_status_ok); + TEST_CHECK(memcmp(&zero_vector, &init_vector, sizeof(v128_t)) == 0); +} + +void srtp_calc_aead_iv_srtcp_seq_num_over_0x7FFFFFFF_bad_param() +{ + // Preconditions + srtp_session_keys_t session_keys; + v128_t init_vector; + srtcp_hdr_t header; + uint32_t sequence_num; + + // Postconditions + srtp_err_status_t status; + + // Given + memset(&session_keys, 0, sizeof(srtp_session_keys_t)); + memset(&init_vector, 0, sizeof(v128_t)); + memset(&header, 0, sizeof(srtcp_hdr_t)); + sequence_num = 0x7FFFFFFFUL + 0x1UL; + + // When + status = srtp_calc_aead_iv_srtcp(&session_keys, &init_vector, sequence_num, + &header); + + // Then + TEST_CHECK(status == srtp_err_status_bad_param); +} + +/* + * Regression test for issue #256: + * Srtcp IV calculation incorrectly masks high bit of sequence number for + * little-endian platforms. + * Ensure that for each valid sequence number where the most significant bit is + * high that we get an expected and unique IV. + */ +void srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number() +{ +#define SAMPLE_COUNT (3) + // Preconditions + // Test each significant bit high in each full byte. + srtp_session_keys_t session_keys; + srtcp_hdr_t header; + v128_t output_iv[SAMPLE_COUNT]; + memset(&output_iv, 0, SAMPLE_COUNT * sizeof(v128_t)); + uint32_t sequence_num[SAMPLE_COUNT]; + sequence_num[0] = 0xFF; + sequence_num[1] = 0xFF00; + sequence_num[2] = 0xFF0000; + + // Postconditions + v128_t final_iv[SAMPLE_COUNT]; + memset(&final_iv, 0, SAMPLE_COUNT * sizeof(v128_t)); + final_iv[0].v8[11] = 0xFF; + final_iv[1].v8[10] = 0xFF; + final_iv[2].v8[9] = 0xFF; + + // Given + memset(&session_keys, 0, sizeof(srtp_session_keys_t)); + memset(&header, 0, sizeof(srtcp_hdr_t)); + + // When + size_t i = 0; + for (i = 0; i < SAMPLE_COUNT; i++) { + TEST_CHECK(srtp_calc_aead_iv_srtcp(&session_keys, &output_iv[i], + sequence_num[i], + &header) == srtp_err_status_ok); + } + + // Then all IVs are as expected + for (i = 0; i < SAMPLE_COUNT; i++) { + TEST_CHECK(memcmp(&final_iv[i], &output_iv[i], sizeof(v128_t)) == 0); + } +#undef SAMPLE_COUNT +} diff --git a/netwerk/srtp/src/test/util.c b/netwerk/srtp/src/test/util.c new file mode 100644 index 0000000000..4465e90ccd --- /dev/null +++ b/netwerk/srtp/src/test/util.c @@ -0,0 +1,211 @@ +/* + * util.c + * + * Utilities used by the test apps + * + * John A. Foley + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2014-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include "util.h" + +#include <string.h> +#include <stdint.h> + +/* include space for null terminator */ +char bit_string[MAX_PRINT_STRING_LEN + 1]; + +static inline int hex_char_to_nibble(uint8_t c) +{ + switch (c) { + case ('0'): + return 0x0; + case ('1'): + return 0x1; + case ('2'): + return 0x2; + case ('3'): + return 0x3; + case ('4'): + return 0x4; + case ('5'): + return 0x5; + case ('6'): + return 0x6; + case ('7'): + return 0x7; + case ('8'): + return 0x8; + case ('9'): + return 0x9; + case ('a'): + return 0xa; + case ('A'): + return 0xa; + case ('b'): + return 0xb; + case ('B'): + return 0xb; + case ('c'): + return 0xc; + case ('C'): + return 0xc; + case ('d'): + return 0xd; + case ('D'): + return 0xd; + case ('e'): + return 0xe; + case ('E'): + return 0xe; + case ('f'): + return 0xf; + case ('F'): + return 0xf; + default: + return -1; /* this flags an error */ + } + /* NOTREACHED */ + return -1; /* this keeps compilers from complaining */ +} + +uint8_t nibble_to_hex_char(uint8_t nibble) +{ + char buf[16] = { '0', '1', '2', '3', '4', '5', '6', '7', + '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; + + return buf[nibble & 0xF]; +} + +/* + * hex_string_to_octet_string converts a hexadecimal string + * of length 2 * len to a raw octet string of length len + */ +int hex_string_to_octet_string(char *raw, char *hex, int len) +{ + uint8_t x; + int tmp; + int hex_len; + + hex_len = 0; + while (hex_len < len) { + tmp = hex_char_to_nibble(hex[0]); + if (tmp == -1) { + return hex_len; + } + x = (tmp << 4); + hex_len++; + tmp = hex_char_to_nibble(hex[1]); + if (tmp == -1) { + return hex_len; + } + x |= (tmp & 0xff); + hex_len++; + *raw++ = x; + hex += 2; + } + return hex_len; +} + +char *octet_string_hex_string(const void *s, int length) +{ + const uint8_t *str = (const uint8_t *)s; + int i; + + /* double length, since one octet takes two hex characters */ + length *= 2; + + /* truncate string if it would be too long */ + if (length > MAX_PRINT_STRING_LEN) { + length = MAX_PRINT_STRING_LEN; + } + + for (i = 0; i < length; i += 2) { + bit_string[i] = nibble_to_hex_char(*str >> 4); + bit_string[i + 1] = nibble_to_hex_char(*str++ & 0xF); + } + bit_string[i] = 0; /* null terminate string */ + return bit_string; +} + +static const char b64chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz0123456789+/"; + +static int base64_block_to_octet_triple(char *out, char *in) +{ + unsigned char sextets[4] = { 0 }; + int j = 0; + int i; + + for (i = 0; i < 4; i++) { + char *p = strchr(b64chars, in[i]); + if (p != NULL) { + sextets[i] = p - b64chars; + } else { + j++; + } + } + + out[0] = (sextets[0] << 2) | (sextets[1] >> 4); + if (j < 2) { + out[1] = (sextets[1] << 4) | (sextets[2] >> 2); + } + if (j < 1) { + out[2] = (sextets[2] << 6) | sextets[3]; + } + return j; +} + +int base64_string_to_octet_string(char *out, int *pad, char *in, int len) +{ + int k = 0; + int i = 0; + int j = 0; + + if (len % 4 != 0) { + return 0; + } + + while (i < len && j == 0) { + j = base64_block_to_octet_triple(out + k, in + i); + k += 3; + i += 4; + } + *pad = j; + return i; +} diff --git a/netwerk/srtp/src/test/util.h b/netwerk/srtp/src/test/util.h new file mode 100644 index 0000000000..d04b279b3a --- /dev/null +++ b/netwerk/srtp/src/test/util.h @@ -0,0 +1,53 @@ +/* + * util.h + * + * Utilities used by the test apps + * + * John A. Foley + * Cisco Systems, Inc. + */ +/* + * + * Copyright (c) 2014-2017, Cisco Systems, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * Neither the name of the Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +#ifndef SRTP_TEST_UTIL_H +#define SRTP_TEST_UTIL_H + +#define MAX_PRINT_STRING_LEN 1024 + +int hex_string_to_octet_string(char *raw, char *hex, int len); +char *octet_string_hex_string(const void *s, int length); +int base64_string_to_octet_string(char *raw, int *pad, char *base64, int len); + +#endif diff --git a/netwerk/srtp/src/test/words.txt b/netwerk/srtp/src/test/words.txt new file mode 100644 index 0000000000..fe99c2d465 --- /dev/null +++ b/netwerk/srtp/src/test/words.txt @@ -0,0 +1,250 @@ +abducing +acidheads +acidness +actons +admixtures +affidavit +agelastic +alated +alimentary +alleviated +allseed +annexure +arragonite +atonements +autacoid +axe +axon +ayres +beathing +blazonry +bottom +braising +brehon +brindisi +broadcasts +buds +bulnbulns +bushcraft +calamander +calipee +casing +caveat +chaffings +citifies +clappers +claques +clavate +colonial +colonials +commonalty +compares +consequent +consumed +contango +courtierly +creamery +cruddiest +cue +cultish +cumin +cyclus +dahlias +dentitions +derailers +devitrify +dibs +diphysite +disjunes +drolleries +dubitated +dupion +earliness +eductor +elenctic +empresses +entames +epaulettes +epicanthic +epochal +estated +eurhythmic +exfoliated +extremity +fayence +figgery +flaming +foes +forelays +forewings +forfeits +fratches +gardened +gentile +glumpish +glyph +goatherd +grow +gulden +gumming +hackling +hanapers +hared +hatters +hectare +hedger +heel +heterodox +hidden +histologic +howe +inglobe +inliers +inuredness +iotacism +japed +jelled +jiffy +jollies +judgeship +karite +kart +kenophobia +kittens +lactarian +lancets +leasable +leep +leming +licorice +listing +lividly +lobectomy +lysosome +madders +maderizing +manacle +mangels +marshiest +maulstick +meliorates +mercy +mikados +monarchise +moultings +mucro +munnions +mystic +myxoedemic +nointing +nong +nonsense +ochidore +octuor +officering +opaqued +oragious +outtell +oxeye +pads +palamae +pansophy +parazoa +pepsines +perimetric +pheasant +phonotypy +pitarah +plaintful +poinders +poke +politer +poonces +populism +pouty +praedial +presence +prompter +pummelled +punishing +quippish +radicality +radiuses +rebuffing +recorded +redips +regulators +replay +retrocedes +rigors +risen +rootstocks +rotenone +rudenesses +ruggedest +runabout +ruthfully +sagacious +scapes +sclera +sclerotium +scumbering +secondi +serial +shampoo +showed +sights +sirenised +sized +slave +socle +solidness +some +spetches +spiels +squiring +staminode +stay +stewpot +stunsails +subhumid +subprogram +supawn +surplusage +swimming +swineherd +tabun +talliths +taroks +tensed +thinnings +three +tipper +toko +tomahawks +tombolos +torpefy +torulae +touns +travails +tsarist +unbeseems +unblamably +unbooked +unnailed +updates +valorise +viability +virtue +vulturns +vulvate +warran +weakness +westernise +whingeings +wrenching +written +yak +yate +yaupon +zendiks diff --git a/netwerk/srtp/srtp_update.log b/netwerk/srtp/srtp_update.log new file mode 100644 index 0000000000..3ebbbfcbe1 --- /dev/null +++ b/netwerk/srtp/srtp_update.log @@ -0,0 +1,3 @@ +srtp updated from CVS on Fri Sep 21 14:51:37 EDT 2012 +srtp updated to revision 8f38517394a45678cd4468febf69f75722f35d00 from git on Wed Nov 22 14:15:32 PST 2017 +srtp updated to revision bb0412ee84ebe3d2916b45b19de72fabb183d9db from git on Tue Sep 11 21:51:05 PDT 2018 diff --git a/netwerk/srtp/update_srtp.sh b/netwerk/srtp/update_srtp.sh new file mode 100644 index 0000000000..61fa7c4518 --- /dev/null +++ b/netwerk/srtp/update_srtp.sh @@ -0,0 +1,29 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# assume $1 is the directory with a git checkout of the libsrtp source +# +# srtp source is available at: https://github.com/cisco/libsrtp/ +# +# also assumes we've made *NO* changes to the SRTP sources! If we do, we have to merge by +# hand after this process, or use a more complex one. +# +# For example, one could update an srtp library import head, and merge back to default. Or keep a +# separate repo with this in it, and pull from there to m-c and merge. +if [ "$1" ] ; then + DATE=`date` + REVISION=`(cd $1; git log --pretty=oneline | head -1 | cut -c 1-40)` + cp -rf $1/srtp $1/crypto $1/include $1/test $1/LICENSE $1/README.md netwerk/srtp/src + + hg addremove netwerk/srtp/src --include "netwerk/srtp/src/VERSION" --include "netwerk/srtp/src/LICENSE" --include "netwerk/srtp/src/README.md" --include "**.c" --include "**.h" --similarity 90 + + echo "srtp updated to revision $REVISION from git on $DATE" >> netwerk/srtp/srtp_update.log + echo "srtp updated to revision $REVISION from git on $DATE" + echo "WARNING: reapply any local patches!" +else + echo "usage: $0 path_to_srtp_directory" + echo "run from the root of your m-c clone" +fi |