falkTX
/
FFmpeg
mirror of https://github.com/falkTX/FFmpeg.git
1
0
Fork 0
Code Issues 0 Releases 338 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
49020 Commits
32 Branches
776MB
Tree: 8045c0167d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8045c0167d'
${ noResults }
FFmpeg/libavformat/srtp.c

423 lines
12KB
Raw Blame History 

  1. /*

  2.  * SRTP encryption/decryption

  3.  * Copyright (c) 2012 Martin Storsjo

  4.  *

  5.  * This file is part of FFmpeg.

  6.  *

  7.  * FFmpeg is free software; you can redistribute it and/or

  8.  * modify it under the terms of the GNU Lesser General Public

  9.  * License as published by the Free Software Foundation; either

  10.  * version 2.1 of the License, or (at your option) any later version.

  11.  *

  12.  * FFmpeg is distributed in the hope that it will be useful,

  13.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  15.  * Lesser General Public License for more details.

  16.  *

  17.  * You should have received a copy of the GNU Lesser General Public

  18.  * License along with FFmpeg; if not, write to the Free Software

  19.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

  20.  */

  21. 

  22. #include "libavutil/base64.h"

  23. #include "libavutil/aes.h"

  24. #include "libavutil/hmac.h"

  25. #include "libavutil/intreadwrite.h"

  26. #include "libavutil/log.h"

  27. #include "rtp.h"

  28. #include "srtp.h"

  29. 

  30. void ff_srtp_free(struct SRTPContext *s)

  31. {

  32.     if (!s)

  33.         return;

  34.     av_freep(&s->aes);

  35.     if (s->hmac)

  36.         av_hmac_free(s->hmac);

  37.     s->hmac = NULL;

  38. }

  39. 

  40. static void encrypt_counter(struct AVAES *aes, uint8_t *iv, uint8_t *outbuf,

  41.                             int outlen)

  42. {

  43.     int i, j, outpos;

  44.     for (i = 0, outpos = 0; outpos < outlen; i++) {

  45.         uint8_t keystream[16];

  46.         AV_WB16(&iv[14], i);

  47.         av_aes_crypt(aes, keystream, iv, 1, NULL, 0);

  48.         for (j = 0; j < 16 && outpos < outlen; j++, outpos++)

  49.             outbuf[outpos] ^= keystream[j];

  50.     }

  51. }

  52. 

  53. static void derive_key(struct AVAES *aes, const uint8_t *salt, int label,

  54.                        uint8_t *out, int outlen)

  55. {

  56.     uint8_t input[16] = { 0 };

  57.     memcpy(input, salt, 14);

  58.     // Key derivation rate assumed to be zero

  59.     input[14 - 7] ^= label;

  60.     memset(out, 0, outlen);

  61.     encrypt_counter(aes, input, out, outlen);

  62. }

  63. 

  64. int ff_srtp_set_crypto(struct SRTPContext *s, const char *suite,

  65.                        const char *params)

  66. {

  67.     uint8_t buf[30];

  68. 

  69.     ff_srtp_free(s);

  70. 

  71.     // RFC 4568

  72.     if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_80")) {

  73.         s->hmac_size = 10;

  74.     } else if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_32")) {

  75.         s->hmac_size = 4;

  76.     } else {

  77.         av_log(NULL, AV_LOG_WARNING, "SRTP Crypto suite %s not supported\n",

  78.                                      suite);

  79.         return AVERROR(EINVAL);

  80.     }

  81.     if (av_base64_decode(buf, params, sizeof(buf)) != sizeof(buf)) {

  82.         av_log(NULL, AV_LOG_WARNING, "Incorrect amount of SRTP params\n");

  83.         return AVERROR(EINVAL);

  84.     }

  85.     // MKI and lifetime not handled yet

  86.     s->aes  = av_aes_alloc();

  87.     s->hmac = av_hmac_alloc(AV_HMAC_SHA1);

  88.     if (!s->aes || !s->hmac)

  89.         return AVERROR(ENOMEM);

  90.     memcpy(s->master_key, buf, 16);

  91.     memcpy(s->master_salt, buf + 16, 14);

  92. 

  93.     // RFC 3711

  94.     av_aes_init(s->aes, s->master_key, 128, 0);

  95. 

  96.     derive_key(s->aes, s->master_salt, 0x00, s->rtp_key, sizeof(s->rtp_key));

  97.     derive_key(s->aes, s->master_salt, 0x02, s->rtp_salt, sizeof(s->rtp_salt));

  98.     derive_key(s->aes, s->master_salt, 0x01, s->rtp_auth, sizeof(s->rtp_auth));

  99. 

  100.     derive_key(s->aes, s->master_salt, 0x03, s->rtcp_key, sizeof(s->rtcp_key));

  101.     derive_key(s->aes, s->master_salt, 0x05, s->rtcp_salt, sizeof(s->rtcp_salt));

  102.     derive_key(s->aes, s->master_salt, 0x04, s->rtcp_auth, sizeof(s->rtcp_auth));

  103.     return 0;

  104. }

  105. 

  106. static void create_iv(uint8_t *iv, const uint8_t *salt, uint64_t index,

  107.                       uint32_t ssrc)

  108. {

  109.     uint8_t indexbuf[8];

  110.     int i;

  111.     memset(iv, 0, 16);

  112.     AV_WB32(&iv[4], ssrc);

  113.     AV_WB64(indexbuf, index);

  114.     for (i = 0; i < 8; i++) // index << 16

  115.         iv[6 + i] ^= indexbuf[i];

  116.     for (i = 0; i < 14; i++)

  117.         iv[i] ^= salt[i];

  118. }

  119. 

  120. int ff_srtp_decrypt(struct SRTPContext *s, uint8_t *buf, int *lenptr)

  121. {

  122.     uint8_t iv[16] = { 0 }, hmac[20];

  123.     int len = *lenptr;

  124.     int ext, av_uninit(seq_largest);

  125.     uint32_t ssrc, av_uninit(roc);

  126.     uint64_t index;

  127.     int rtcp;

  128. 

  129.     // TODO: Missing replay protection

  130. 

  131.     if (len < s->hmac_size)

  132.         return AVERROR_INVALIDDATA;

  133. 

  134.     rtcp = RTP_PT_IS_RTCP(buf[1]);

  135. 

  136.     // Authentication HMAC

  137.     av_hmac_init(s->hmac, rtcp ? s->rtcp_auth : s->rtp_auth, sizeof(s->rtp_auth));

  138.     // If MKI is used, this should exclude the MKI as well

  139.     av_hmac_update(s->hmac, buf, len - s->hmac_size);

  140. 

  141.     if (!rtcp) {

  142.         int seq = AV_RB16(buf + 2);

  143.         uint32_t v;

  144.         uint8_t rocbuf[4];

  145. 

  146.         // RFC 3711 section 3.3.1, appendix A

  147.         seq_largest = s->seq_initialized ? s->seq_largest : seq;

  148.         v = roc = s->roc;

  149.         if (seq_largest < 32768) {

  150.             if (seq - seq_largest > 32768)

  151.                 v = roc - 1;

  152.         } else {

  153.             if (seq_largest - 32768 > seq)

  154.                 v = roc + 1;

  155.         }

  156.         if (v == roc) {

  157.             seq_largest = FFMAX(seq_largest, seq);

  158.         } else if (v == roc + 1) {

  159.             seq_largest = seq;

  160.             roc = v;

  161.         }

  162.         index = seq + (((uint64_t)v) << 16);

  163. 

  164.         AV_WB32(rocbuf, roc);

  165.         av_hmac_update(s->hmac, rocbuf, 4);

  166.     }

  167. 

  168.     av_hmac_final(s->hmac, hmac, sizeof(hmac));

  169.     if (memcmp(hmac, buf + len - s->hmac_size, s->hmac_size)) {

  170.         av_log(NULL, AV_LOG_WARNING, "HMAC mismatch\n");

  171.         return AVERROR_INVALIDDATA;

  172.     }

  173. 

  174.     len -= s->hmac_size;

  175.     *lenptr = len;

  176. 

  177.     if (len < 12)

  178.         return AVERROR_INVALIDDATA;

  179. 

  180.     if (rtcp) {

  181.         uint32_t srtcp_index = AV_RB32(buf + len - 4);

  182.         len -= 4;

  183.         *lenptr = len;

  184. 

  185.         ssrc = AV_RB32(buf + 4);

  186.         index = srtcp_index & 0x7fffffff;

  187. 

  188.         buf += 8;

  189.         len -= 8;

  190.         if (!(srtcp_index & 0x80000000))

  191.             return 0;

  192.     } else {

  193.         s->seq_initialized = 1;

  194.         s->seq_largest     = seq_largest;

  195.         s->roc             = roc;

  196. 

  197.         ext  = buf[0] & 0x10;

  198.         ssrc = AV_RB32(buf + 8);

  199. 

  200.         buf += 12;

  201.         len -= 12;

  202. 

  203.         if (ext) {

  204.             if (len < 4)

  205.                 return AVERROR_INVALIDDATA;

  206.             ext = (AV_RB16(buf + 2) + 1) * 4;

  207.             if (len < ext)

  208.                 return AVERROR_INVALIDDATA;

  209.             len -= ext;

  210.             buf += ext;

  211.         }

  212.     }

  213. 

  214.     create_iv(iv, rtcp ? s->rtcp_salt : s->rtp_salt, index, ssrc);

  215.     av_aes_init(s->aes, rtcp ? s->rtcp_key : s->rtp_key, 128, 0);

  216.     encrypt_counter(s->aes, iv, buf, len);

  217. 

  218.     return 0;

  219. }

  220. 

  221. int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len,

  222.                     uint8_t *out, int outlen)

  223. {

  224.     uint8_t iv[16] = { 0 }, hmac[20];

  225.     uint64_t index;

  226.     uint32_t ssrc;

  227.     int rtcp;

  228.     uint8_t *buf;

  229. 

  230.     if (len + 14 > outlen)

  231.         return 0;

  232.     if (len < 12)

  233.         return 0;

  234. 

  235.     memcpy(out, in, len);

  236.     buf = out;

  237. 

  238.     rtcp = RTP_PT_IS_RTCP(buf[1]);

  239. 

  240.     if (rtcp) {

  241.         ssrc = AV_RB32(buf + 4);

  242.         index = s->rtcp_index++;

  243. 

  244.         buf += 8;

  245.         len -= 8;

  246.     } else {

  247.         int ext;

  248.         int seq = AV_RB16(buf + 2);

  249.         ssrc = AV_RB32(buf + 8);

  250. 

  251.         if (seq < s->seq_largest)

  252.             s->roc++;

  253.         s->seq_largest = seq;

  254.         index = seq + (((uint64_t)s->roc) << 16);

  255. 

  256.         ext = buf[0] & 0x10;

  257. 

  258.         buf += 12;

  259.         len -= 12;

  260. 

  261.         if (ext) {

  262.             if (len < 4)

  263.                 return AVERROR_INVALIDDATA;

  264.             ext = (AV_RB16(buf + 2) + 1) * 4;

  265.             if (len < ext)

  266.                 return AVERROR_INVALIDDATA;

  267.             len -= ext;

  268.             buf += ext;

  269.         }

  270.     }

  271. 

  272.     create_iv(iv, rtcp ? s->rtcp_salt : s->rtp_salt, index, ssrc);

  273.     av_aes_init(s->aes, rtcp ? s->rtcp_key : s->rtp_key, 128, 0);

  274.     encrypt_counter(s->aes, iv, buf, len);

  275. 

  276.     if (rtcp) {

  277.         AV_WB32(buf + len, 0x80000000 | index);

  278.         len += 4;

  279.     }

  280. 

  281.     av_hmac_init(s->hmac, rtcp ? s->rtcp_auth : s->rtp_auth, sizeof(s->rtp_auth));

  282.     av_hmac_update(s->hmac, out, buf + len - out);

  283.     if (!rtcp) {

  284.         uint8_t rocbuf[4];

  285.         AV_WB32(rocbuf, s->roc);

  286.         av_hmac_update(s->hmac, rocbuf, 4);

  287.     }

  288.     av_hmac_final(s->hmac, hmac, sizeof(hmac));

  289. 

  290.     memcpy(buf + len, hmac, s->hmac_size);

  291.     len += s->hmac_size;

  292.     return buf + len - out;

  293. }

  294. 

  295. #ifdef TEST

  296. #include <stdio.h>

  297. 

  298. static const char *aes128_80_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn";

  299. 

  300. static const uint8_t rtp_aes128_80[] = {

  301.     // RTP header

  302.     0x80, 0xe0, 0x12, 0x34,

  303.     0x12, 0x34, 0x56, 0x78,

  304.     0x12, 0x34, 0x56, 0x78,

  305.     // encrypted payload

  306.     0x62, 0x69, 0x76, 0xca, 0xc5,

  307.     // HMAC

  308.     0xa1, 0xac, 0x1b, 0xb4, 0xa0, 0x1c, 0xd5, 0x49, 0x28, 0x99,

  309. };

  310. 

  311. static const uint8_t rtcp_aes128_80[] = {

  312.     // RTCP header

  313.     0x81, 0xc9, 0x00, 0x07,

  314.     0x12, 0x34, 0x56, 0x78,

  315.     // encrypted payload

  316.     0x8a, 0xac, 0xdc, 0xa5,

  317.     0x4c, 0xf6, 0x78, 0xa6,

  318.     0x62, 0x8f, 0x24, 0xda,

  319.     0x6c, 0x09, 0x3f, 0xa9,

  320.     0x28, 0x7a, 0xb5, 0x7f,

  321.     0x1f, 0x0f, 0xc9, 0x35,

  322.     // RTCP index

  323.     0x80, 0x00, 0x00, 0x03,

  324.     // HMAC

  325.     0xe9, 0x3b, 0xc0, 0x5c, 0x0c, 0x06, 0x9f, 0xab, 0xc0, 0xde,

  326. };

  327. 

  328. static const char *aes128_32_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn";

  329. 

  330. static const uint8_t rtp_aes128_32[] = {

  331.     // RTP header

  332.     0x80, 0xe0, 0x12, 0x34,

  333.     0x12, 0x34, 0x56, 0x78,

  334.     0x12, 0x34, 0x56, 0x78,

  335.     // encrypted payload

  336.     0x62, 0x69, 0x76, 0xca, 0xc5,

  337.     // HMAC

  338.     0xa1, 0xac, 0x1b, 0xb4,

  339. };

  340. 

  341. static const uint8_t rtcp_aes128_32[] = {

  342.     // RTCP header

  343.     0x81, 0xc9, 0x00, 0x07,

  344.     0x12, 0x34, 0x56, 0x78,

  345.     // encrypted payload

  346.     0x35, 0xe9, 0xb5, 0xff,

  347.     0x0d, 0xd1, 0xde, 0x70,

  348.     0x74, 0x10, 0xaa, 0x1b,

  349.     0xb2, 0x8d, 0xf0, 0x20,

  350.     0x02, 0x99, 0x6b, 0x1b,

  351.     0x0b, 0xd0, 0x47, 0x34,

  352.     // RTCP index

  353.     0x80, 0x00, 0x00, 0x04,

  354.     // HMAC

  355.     0x5b, 0xd2, 0xa9, 0x9d,

  356. };

  357. 

  358. static void print_data(const uint8_t *buf, int len)

  359. {

  360.     int i;

  361.     for (i = 0; i < len; i++)

  362.         printf("%02x", buf[i]);

  363.     printf("\n");

  364. }

  365. 

  366. static int test_decrypt(struct SRTPContext *srtp, const uint8_t *in, int len,

  367.                         uint8_t *out)

  368. {

  369.     memcpy(out, in, len);

  370.     if (!ff_srtp_decrypt(srtp, out, &len)) {

  371.         print_data(out, len);

  372.         return len;

  373.     } else

  374.         return -1;

  375. }

  376. 

  377. static void test_encrypt(const uint8_t *data, int in_len, const char *suite,

  378.                          const char *key)

  379. {

  380.     struct SRTPContext enc = { 0 }, dec = { 0 };

  381.     int len;

  382.     char buf[1500];

  383.     ff_srtp_set_crypto(&enc, suite, key);

  384.     ff_srtp_set_crypto(&dec, suite, key);

  385.     len = ff_srtp_encrypt(&enc, data, in_len, buf, sizeof(buf));

  386.     if (!ff_srtp_decrypt(&dec, buf, &len)) {

  387.         if (len == in_len && !memcmp(buf, data, len))

  388.             printf("Decrypted content matches input\n");

  389.         else

  390.             printf("Decrypted content doesn't match input\n");

  391.     } else {

  392.         printf("Decryption failed\n");

  393.     }

  394.     ff_srtp_free(&enc);

  395.     ff_srtp_free(&dec);

  396. }

  397. 

  398. int main(void)

  399. {

  400.     static const char *aes128_80_suite = "AES_CM_128_HMAC_SHA1_80";

  401.     static const char *aes128_32_suite = "AES_CM_128_HMAC_SHA1_32";

  402.     static const char *test_key = "abcdefghijklmnopqrstuvwxyz1234567890ABCD";

  403.     uint8_t buf[1500];

  404.     struct SRTPContext srtp = { 0 };

  405.     int len;

  406.     ff_srtp_set_crypto(&srtp, aes128_80_suite, aes128_80_key);

  407.     len = test_decrypt(&srtp, rtp_aes128_80, sizeof(rtp_aes128_80), buf);

  408.     test_encrypt(buf, len, aes128_80_suite, test_key);

  409.     test_encrypt(buf, len, aes128_32_suite, test_key);

  410.     test_decrypt(&srtp, rtcp_aes128_80, sizeof(rtcp_aes128_80), buf);

  411.     test_encrypt(buf, len, aes128_80_suite, test_key);

  412.     test_encrypt(buf, len, aes128_32_suite, test_key);

  413.     ff_srtp_free(&srtp);

  414. 

  415.     memset(&srtp, 0, sizeof(srtp)); // Clear the context

  416.     ff_srtp_set_crypto(&srtp, aes128_32_suite, aes128_32_key);

  417.     test_decrypt(&srtp, rtp_aes128_32, sizeof(rtp_aes128_32), buf);

  418.     test_decrypt(&srtp, rtcp_aes128_32, sizeof(rtcp_aes128_32), buf);

  419.     ff_srtp_free(&srtp);

  420.     return 0;

  421. }

  422. #endif /* TEST */