falkTX
/
FFmpeg
mirror of https://github.com/falkTX/FFmpeg.git
1
0
Fork 0
Code Issues 0 Releases 338 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
49674 Commits
32 Branches
283MB
Tree: b5884db437
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b5884db437'
${ noResults }
FFmpeg/libavformat/srtp.c

472 lines
14KB
Raw Blame History 

  1. /*

  2.  * SRTP encryption/decryption

  3.  * Copyright (c) 2012 Martin Storsjo

  4.  *

  5.  * This file is part of FFmpeg.

  6.  *

  7.  * FFmpeg is free software; you can redistribute it and/or

  8.  * modify it under the terms of the GNU Lesser General Public

  9.  * License as published by the Free Software Foundation; either

  10.  * version 2.1 of the License, or (at your option) any later version.

  11.  *

  12.  * FFmpeg is distributed in the hope that it will be useful,

  13.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  15.  * Lesser General Public License for more details.

  16.  *

  17.  * You should have received a copy of the GNU Lesser General Public

  18.  * License along with FFmpeg; if not, write to the Free Software

  19.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

  20.  */

  21. 

  22. #include "libavutil/base64.h"

  23. #include "libavutil/aes.h"

  24. #include "libavutil/hmac.h"

  25. #include "libavutil/intreadwrite.h"

  26. #include "libavutil/log.h"

  27. #include "rtp.h"

  28. #include "srtp.h"

  29. 

  30. void ff_srtp_free(struct SRTPContext *s)

  31. {

  32.     if (!s)

  33.         return;

  34.     av_freep(&s->aes);

  35.     if (s->hmac)

  36.         av_hmac_free(s->hmac);

  37.     s->hmac = NULL;

  38. }

  39. 

  40. static void encrypt_counter(struct AVAES *aes, uint8_t *iv, uint8_t *outbuf,

  41.                             int outlen)

  42. {

  43.     int i, j, outpos;

  44.     for (i = 0, outpos = 0; outpos < outlen; i++) {

  45.         uint8_t keystream[16];

  46.         AV_WB16(&iv[14], i);

  47.         av_aes_crypt(aes, keystream, iv, 1, NULL, 0);

  48.         for (j = 0; j < 16 && outpos < outlen; j++, outpos++)

  49.             outbuf[outpos] ^= keystream[j];

  50.     }

  51. }

  52. 

  53. static void derive_key(struct AVAES *aes, const uint8_t *salt, int label,

  54.                        uint8_t *out, int outlen)

  55. {

  56.     uint8_t input[16] = { 0 };

  57.     memcpy(input, salt, 14);

  58.     // Key derivation rate assumed to be zero

  59.     input[14 - 7] ^= label;

  60.     memset(out, 0, outlen);

  61.     encrypt_counter(aes, input, out, outlen);

  62. }

  63. 

  64. int ff_srtp_set_crypto(struct SRTPContext *s, const char *suite,

  65.                        const char *params)

  66. {

  67.     uint8_t buf[30];

  68. 

  69.     ff_srtp_free(s);

  70. 

  71.     // RFC 4568

  72.     if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_80") ||

  73.         !strcmp(suite, "SRTP_AES128_CM_HMAC_SHA1_80")) {

  74.         s->rtp_hmac_size = s->rtcp_hmac_size = 10;

  75.     } else if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_32")) {

  76.         s->rtp_hmac_size = s->rtcp_hmac_size = 4;

  77.     } else if (!strcmp(suite, "SRTP_AES128_CM_HMAC_SHA1_32")) {

  78.         // RFC 5764 section 4.1.2

  79.         s->rtp_hmac_size  = 4;

  80.         s->rtcp_hmac_size = 10;

  81.     } else {

  82.         av_log(NULL, AV_LOG_WARNING, "SRTP Crypto suite %s not supported\n",

  83.                                      suite);

  84.         return AVERROR(EINVAL);

  85.     }

  86.     if (av_base64_decode(buf, params, sizeof(buf)) != sizeof(buf)) {

  87.         av_log(NULL, AV_LOG_WARNING, "Incorrect amount of SRTP params\n");

  88.         return AVERROR(EINVAL);

  89.     }

  90.     // MKI and lifetime not handled yet

  91.     s->aes  = av_aes_alloc();

  92.     s->hmac = av_hmac_alloc(AV_HMAC_SHA1);

  93.     if (!s->aes || !s->hmac)

  94.         return AVERROR(ENOMEM);

  95.     memcpy(s->master_key, buf, 16);

  96.     memcpy(s->master_salt, buf + 16, 14);

  97. 

  98.     // RFC 3711

  99.     av_aes_init(s->aes, s->master_key, 128, 0);

  100. 

  101.     derive_key(s->aes, s->master_salt, 0x00, s->rtp_key, sizeof(s->rtp_key));

  102.     derive_key(s->aes, s->master_salt, 0x02, s->rtp_salt, sizeof(s->rtp_salt));

  103.     derive_key(s->aes, s->master_salt, 0x01, s->rtp_auth, sizeof(s->rtp_auth));

  104. 

  105.     derive_key(s->aes, s->master_salt, 0x03, s->rtcp_key, sizeof(s->rtcp_key));

  106.     derive_key(s->aes, s->master_salt, 0x05, s->rtcp_salt, sizeof(s->rtcp_salt));

  107.     derive_key(s->aes, s->master_salt, 0x04, s->rtcp_auth, sizeof(s->rtcp_auth));

  108.     return 0;

  109. }

  110. 

  111. static void create_iv(uint8_t *iv, const uint8_t *salt, uint64_t index,

  112.                       uint32_t ssrc)

  113. {

  114.     uint8_t indexbuf[8];

  115.     int i;

  116.     memset(iv, 0, 16);

  117.     AV_WB32(&iv[4], ssrc);

  118.     AV_WB64(indexbuf, index);

  119.     for (i = 0; i < 8; i++) // index << 16

  120.         iv[6 + i] ^= indexbuf[i];

  121.     for (i = 0; i < 14; i++)

  122.         iv[i] ^= salt[i];

  123. }

  124. 

  125. int ff_srtp_decrypt(struct SRTPContext *s, uint8_t *buf, int *lenptr)

  126. {

  127.     uint8_t iv[16] = { 0 }, hmac[20];

  128.     int len = *lenptr;

  129.     int av_uninit(seq_largest);

  130.     uint32_t ssrc, av_uninit(roc);

  131.     uint64_t index;

  132.     int rtcp, hmac_size;

  133. 

  134.     // TODO: Missing replay protection

  135. 

  136.     if (len < 2)

  137.         return AVERROR_INVALIDDATA;

  138. 

  139.     rtcp = RTP_PT_IS_RTCP(buf[1]);

  140.     hmac_size = rtcp ? s->rtcp_hmac_size : s->rtp_hmac_size;

  141. 

  142.     if (len < hmac_size)

  143.         return AVERROR_INVALIDDATA;

  144. 

  145.     // Authentication HMAC

  146.     av_hmac_init(s->hmac, rtcp ? s->rtcp_auth : s->rtp_auth, sizeof(s->rtp_auth));

  147.     // If MKI is used, this should exclude the MKI as well

  148.     av_hmac_update(s->hmac, buf, len - hmac_size);

  149. 

  150.     if (!rtcp) {

  151.         int seq = AV_RB16(buf + 2);

  152.         uint32_t v;

  153.         uint8_t rocbuf[4];

  154. 

  155.         // RFC 3711 section 3.3.1, appendix A

  156.         seq_largest = s->seq_initialized ? s->seq_largest : seq;

  157.         v = roc = s->roc;

  158.         if (seq_largest < 32768) {

  159.             if (seq - seq_largest > 32768)

  160.                 v = roc - 1;

  161.         } else {

  162.             if (seq_largest - 32768 > seq)

  163.                 v = roc + 1;

  164.         }

  165.         if (v == roc) {

  166.             seq_largest = FFMAX(seq_largest, seq);

  167.         } else if (v == roc + 1) {

  168.             seq_largest = seq;

  169.             roc = v;

  170.         }

  171.         index = seq + (((uint64_t)v) << 16);

  172. 

  173.         AV_WB32(rocbuf, roc);

  174.         av_hmac_update(s->hmac, rocbuf, 4);

  175.     }

  176. 

  177.     av_hmac_final(s->hmac, hmac, sizeof(hmac));

  178.     if (memcmp(hmac, buf + len - hmac_size, hmac_size)) {

  179.         av_log(NULL, AV_LOG_WARNING, "HMAC mismatch\n");

  180.         return AVERROR_INVALIDDATA;

  181.     }

  182. 

  183.     len -= hmac_size;

  184.     *lenptr = len;

  185. 

  186.     if (len < 12)

  187.         return AVERROR_INVALIDDATA;

  188. 

  189.     if (rtcp) {

  190.         uint32_t srtcp_index = AV_RB32(buf + len - 4);

  191.         len -= 4;

  192.         *lenptr = len;

  193. 

  194.         ssrc = AV_RB32(buf + 4);

  195.         index = srtcp_index & 0x7fffffff;

  196. 

  197.         buf += 8;

  198.         len -= 8;

  199.         if (!(srtcp_index & 0x80000000))

  200.             return 0;

  201.     } else {

  202.         int ext, csrc;

  203.         s->seq_initialized = 1;

  204.         s->seq_largest     = seq_largest;

  205.         s->roc             = roc;

  206. 

  207.         csrc = buf[0] & 0x0f;

  208.         ext  = buf[0] & 0x10;

  209.         ssrc = AV_RB32(buf + 8);

  210. 

  211.         buf += 12;

  212.         len -= 12;

  213. 

  214.         buf += 4 * csrc;

  215.         len -= 4 * csrc;

  216.         if (len < 0)

  217.             return AVERROR_INVALIDDATA;

  218. 

  219.         if (ext) {

  220.             if (len < 4)

  221.                 return AVERROR_INVALIDDATA;

  222.             ext = (AV_RB16(buf + 2) + 1) * 4;

  223.             if (len < ext)

  224.                 return AVERROR_INVALIDDATA;

  225.             len -= ext;

  226.             buf += ext;

  227.         }

  228.     }

  229. 

  230.     create_iv(iv, rtcp ? s->rtcp_salt : s->rtp_salt, index, ssrc);

  231.     av_aes_init(s->aes, rtcp ? s->rtcp_key : s->rtp_key, 128, 0);

  232.     encrypt_counter(s->aes, iv, buf, len);

  233. 

  234.     return 0;

  235. }

  236. 

  237. int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len,

  238.                     uint8_t *out, int outlen)

  239. {

  240.     uint8_t iv[16] = { 0 }, hmac[20];

  241.     uint64_t index;

  242.     uint32_t ssrc;

  243.     int rtcp, hmac_size, padding;

  244.     uint8_t *buf;

  245. 

  246.     if (len < 8)

  247.         return AVERROR_INVALIDDATA;

  248. 

  249.     rtcp = RTP_PT_IS_RTCP(in[1]);

  250.     hmac_size = rtcp ? s->rtcp_hmac_size : s->rtp_hmac_size;

  251.     padding = hmac_size;

  252.     if (rtcp)

  253.         padding += 4; // For the RTCP index

  254. 

  255.     if (len + padding > outlen)

  256.         return 0;

  257. 

  258.     memcpy(out, in, len);

  259.     buf = out;

  260. 

  261.     if (rtcp) {

  262.         ssrc = AV_RB32(buf + 4);

  263.         index = s->rtcp_index++;

  264. 

  265.         buf += 8;

  266.         len -= 8;

  267.     } else {

  268.         int ext, csrc;

  269.         int seq = AV_RB16(buf + 2);

  270. 

  271.         if (len < 12)

  272.             return AVERROR_INVALIDDATA;

  273. 

  274.         ssrc = AV_RB32(buf + 8);

  275. 

  276.         if (seq < s->seq_largest)

  277.             s->roc++;

  278.         s->seq_largest = seq;

  279.         index = seq + (((uint64_t)s->roc) << 16);

  280. 

  281.         csrc = buf[0] & 0x0f;

  282.         ext = buf[0] & 0x10;

  283. 

  284.         buf += 12;

  285.         len -= 12;

  286. 

  287.         buf += 4 * csrc;

  288.         len -= 4 * csrc;

  289.         if (len < 0)

  290.             return AVERROR_INVALIDDATA;

  291. 

  292.         if (ext) {

  293.             if (len < 4)

  294.                 return AVERROR_INVALIDDATA;

  295.             ext = (AV_RB16(buf + 2) + 1) * 4;

  296.             if (len < ext)

  297.                 return AVERROR_INVALIDDATA;

  298.             len -= ext;

  299.             buf += ext;

  300.         }

  301.     }

  302. 

  303.     create_iv(iv, rtcp ? s->rtcp_salt : s->rtp_salt, index, ssrc);

  304.     av_aes_init(s->aes, rtcp ? s->rtcp_key : s->rtp_key, 128, 0);

  305.     encrypt_counter(s->aes, iv, buf, len);

  306. 

  307.     if (rtcp) {

  308.         AV_WB32(buf + len, 0x80000000 | index);

  309.         len += 4;

  310.     }

  311. 

  312.     av_hmac_init(s->hmac, rtcp ? s->rtcp_auth : s->rtp_auth, sizeof(s->rtp_auth));

  313.     av_hmac_update(s->hmac, out, buf + len - out);

  314.     if (!rtcp) {

  315.         uint8_t rocbuf[4];

  316.         AV_WB32(rocbuf, s->roc);

  317.         av_hmac_update(s->hmac, rocbuf, 4);

  318.     }

  319.     av_hmac_final(s->hmac, hmac, sizeof(hmac));

  320. 

  321.     memcpy(buf + len, hmac, hmac_size);

  322.     len += hmac_size;

  323.     return buf + len - out;

  324. }

  325. 

  326. #ifdef TEST

  327. #include <stdio.h>

  328. 

  329. static const char *aes128_80_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn";

  330. 

  331. static const uint8_t rtp_aes128_80[] = {

  332.     // RTP header

  333.     0x80, 0xe0, 0x12, 0x34, 0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,

  334.     // encrypted payload

  335.     0x62, 0x69, 0x76, 0xca, 0xc5,

  336.     // HMAC

  337.     0xa1, 0xac, 0x1b, 0xb4, 0xa0, 0x1c, 0xd5, 0x49, 0x28, 0x99,

  338. };

  339. 

  340. static const uint8_t rtcp_aes128_80[] = {

  341.     // RTCP header

  342.     0x81, 0xc9, 0x00, 0x07, 0x12, 0x34, 0x56, 0x78,

  343.     // encrypted payload

  344.     0x8a, 0xac, 0xdc, 0xa5, 0x4c, 0xf6, 0x78, 0xa6, 0x62, 0x8f, 0x24, 0xda,

  345.     0x6c, 0x09, 0x3f, 0xa9, 0x28, 0x7a, 0xb5, 0x7f, 0x1f, 0x0f, 0xc9, 0x35,

  346.     // RTCP index

  347.     0x80, 0x00, 0x00, 0x03,

  348.     // HMAC

  349.     0xe9, 0x3b, 0xc0, 0x5c, 0x0c, 0x06, 0x9f, 0xab, 0xc0, 0xde,

  350. };

  351. 

  352. static const char *aes128_32_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn";

  353. 

  354. static const uint8_t rtp_aes128_32[] = {

  355.     // RTP header

  356.     0x80, 0xe0, 0x12, 0x34, 0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,

  357.     // encrypted payload

  358.     0x62, 0x69, 0x76, 0xca, 0xc5,

  359.     // HMAC

  360.     0xa1, 0xac, 0x1b, 0xb4,

  361. };

  362. 

  363. static const uint8_t rtcp_aes128_32[] = {

  364.     // RTCP header

  365.     0x81, 0xc9, 0x00, 0x07, 0x12, 0x34, 0x56, 0x78,

  366.     // encrypted payload

  367.     0x35, 0xe9, 0xb5, 0xff, 0x0d, 0xd1, 0xde, 0x70, 0x74, 0x10, 0xaa, 0x1b,

  368.     0xb2, 0x8d, 0xf0, 0x20, 0x02, 0x99, 0x6b, 0x1b, 0x0b, 0xd0, 0x47, 0x34,

  369.     // RTCP index

  370.     0x80, 0x00, 0x00, 0x04,

  371.     // HMAC

  372.     0x5b, 0xd2, 0xa9, 0x9d,

  373. };

  374. 

  375. static const char *aes128_80_32_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn";

  376. 

  377. static const uint8_t rtp_aes128_80_32[] = {

  378.     // RTP header

  379.     0x80, 0xe0, 0x12, 0x34, 0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,

  380.     // encrypted payload

  381.     0x62, 0x69, 0x76, 0xca, 0xc5,

  382.     // HMAC

  383.     0xa1, 0xac, 0x1b, 0xb4,

  384. };

  385. 

  386. static const uint8_t rtcp_aes128_80_32[] = {

  387.     // RTCP header

  388.     0x81, 0xc9, 0x00, 0x07, 0x12, 0x34, 0x56, 0x78,

  389.     // encrypted payload

  390.     0xd6, 0xae, 0xc1, 0x58, 0x63, 0x70, 0xc9, 0x88, 0x66, 0x26, 0x1c, 0x53,

  391.     0xff, 0x5d, 0x5d, 0x2b, 0x0f, 0x8c, 0x72, 0x3e, 0xc9, 0x1d, 0x43, 0xf9,

  392.     // RTCP index

  393.     0x80, 0x00, 0x00, 0x05,

  394.     // HMAC

  395.     0x09, 0x16, 0xb4, 0x27, 0x9a, 0xe9, 0x92, 0x26, 0x4e, 0x10,

  396. };

  397. 

  398. static void print_data(const uint8_t *buf, int len)

  399. {

  400.     int i;

  401.     for (i = 0; i < len; i++)

  402.         printf("%02x", buf[i]);

  403.     printf("\n");

  404. }

  405. 

  406. static int test_decrypt(struct SRTPContext *srtp, const uint8_t *in, int len,

  407.                         uint8_t *out)

  408. {

  409.     memcpy(out, in, len);

  410.     if (!ff_srtp_decrypt(srtp, out, &len)) {

  411.         print_data(out, len);

  412.         return len;

  413.     } else

  414.         return -1;

  415. }

  416. 

  417. static void test_encrypt(const uint8_t *data, int in_len, const char *suite,

  418.                          const char *key)

  419. {

  420.     struct SRTPContext enc = { 0 }, dec = { 0 };

  421.     int len;

  422.     char buf[1500];

  423.     ff_srtp_set_crypto(&enc, suite, key);

  424.     ff_srtp_set_crypto(&dec, suite, key);

  425.     len = ff_srtp_encrypt(&enc, data, in_len, buf, sizeof(buf));

  426.     if (!ff_srtp_decrypt(&dec, buf, &len)) {

  427.         if (len == in_len && !memcmp(buf, data, len))

  428.             printf("Decrypted content matches input\n");

  429.         else

  430.             printf("Decrypted content doesn't match input\n");

  431.     } else {

  432.         printf("Decryption failed\n");

  433.     }

  434.     ff_srtp_free(&enc);

  435.     ff_srtp_free(&dec);

  436. }

  437. 

  438. int main(void)

  439. {

  440.     static const char *aes128_80_suite = "AES_CM_128_HMAC_SHA1_80";

  441.     static const char *aes128_32_suite = "AES_CM_128_HMAC_SHA1_32";

  442.     static const char *aes128_80_32_suite = "SRTP_AES128_CM_HMAC_SHA1_32";

  443.     static const char *test_key = "abcdefghijklmnopqrstuvwxyz1234567890ABCD";

  444.     uint8_t buf[1500];

  445.     struct SRTPContext srtp = { 0 };

  446.     int len;

  447.     ff_srtp_set_crypto(&srtp, aes128_80_suite, aes128_80_key);

  448.     len = test_decrypt(&srtp, rtp_aes128_80, sizeof(rtp_aes128_80), buf);

  449.     test_encrypt(buf, len, aes128_80_suite, test_key);

  450.     test_encrypt(buf, len, aes128_32_suite, test_key);

  451.     test_encrypt(buf, len, aes128_80_32_suite, test_key);

  452.     test_decrypt(&srtp, rtcp_aes128_80, sizeof(rtcp_aes128_80), buf);

  453.     test_encrypt(buf, len, aes128_80_suite, test_key);

  454.     test_encrypt(buf, len, aes128_32_suite, test_key);

  455.     test_encrypt(buf, len, aes128_80_32_suite, test_key);

  456.     ff_srtp_free(&srtp);

  457. 

  458.     memset(&srtp, 0, sizeof(srtp)); // Clear the context

  459.     ff_srtp_set_crypto(&srtp, aes128_32_suite, aes128_32_key);

  460.     test_decrypt(&srtp, rtp_aes128_32, sizeof(rtp_aes128_32), buf);

  461.     test_decrypt(&srtp, rtcp_aes128_32, sizeof(rtcp_aes128_32), buf);

  462.     ff_srtp_free(&srtp);

  463. 

  464.     memset(&srtp, 0, sizeof(srtp)); // Clear the context

  465.     ff_srtp_set_crypto(&srtp, aes128_80_32_suite, aes128_80_32_key);

  466.     test_decrypt(&srtp, rtp_aes128_80_32, sizeof(rtp_aes128_80_32), buf);

  467.     test_decrypt(&srtp, rtcp_aes128_80_32, sizeof(rtcp_aes128_80_32), buf);

  468.     ff_srtp_free(&srtp);

  469.     return 0;

  470. }

  471. #endif /* TEST */