1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
|
/**
* @file dtls_srtp/srtp.c Secure RTP
*
* Copyright (C) 2010 Creytiv.com
*/
#if defined (__GNUC__) && !defined (asm)
#define asm __asm__ /* workaround */
#endif
#include <srtp/srtp.h>
#include <re.h>
#include <baresip.h>
#include "dtls_srtp.h"
#define DEBUG_MODULE "dtls_srtp"
#define DEBUG_LEVEL 5
#include <re_dbg.h>
struct srtp_stream {
srtp_policy_t policy;
srtp_t srtp;
uint8_t key[SRTP_MAX_KEY_LEN];
};
/*
* See RFC 5764 figure 3:
*
* +----------------+
* | 127 < B < 192 -+--> forward to RTP
* | |
* packet --> | 19 < B < 64 -+--> forward to DTLS
* | |
* | B < 2 -+--> forward to STUN
* +----------------+
*
*/
static inline bool is_rtp_or_rtcp(const struct mbuf *mb)
{
uint8_t b;
if (mbuf_get_left(mb) < 1)
return false;
b = mbuf_buf(mb)[0];
return 127 < b && b < 192;
}
static inline bool is_rtcp_packet(const struct mbuf *mb)
{
uint8_t pt;
if (mbuf_get_left(mb) < 2)
return false;
pt = mbuf_buf(mb)[1] & 0x7f;
return 64 <= pt && pt <= 95;
}
static int errstatus_print(struct re_printf *pf, err_status_t e)
{
const char *s;
switch (e) {
case err_status_ok: s = "ok"; break;
case err_status_fail: s = "fail"; break;
case err_status_auth_fail: s = "auth_fail"; break;
case err_status_cipher_fail: s = "cipher_fail"; break;
case err_status_replay_fail: s = "replay_fail"; break;
default:
return re_hprintf(pf, "err=%d", e);
}
return re_hprintf(pf, "%s", s);
}
static void destructor(void *arg)
{
struct srtp_stream *s = arg;
if (s->srtp)
srtp_dealloc(s->srtp);
}
static bool send_handler(int *err, struct sa *dst, struct mbuf *mb, void *arg)
{
struct sock *sock = arg;
err_status_t e;
int len;
(void)dst;
if (!is_rtp_or_rtcp(mb))
return false;
len = (int)mbuf_get_left(mb);
if (mbuf_get_space(mb) < ((size_t)len + SRTP_MAX_TRAILER_LEN)) {
*err = mbuf_resize(mb, mb->pos + len + SRTP_MAX_TRAILER_LEN);
if (*err)
return true;
}
if (is_rtcp_packet(mb)) {
e = srtp_protect_rtcp(sock->tx->srtp, mbuf_buf(mb), &len);
}
else {
e = srtp_protect(sock->tx->srtp, mbuf_buf(mb), &len);
}
if (err_status_ok != e) {
DEBUG_WARNING("send: failed to protect %s-packet"
" with %d bytes (%H)\n",
is_rtcp_packet(mb) ? "RTCP" : "RTP",
len, errstatus_print, e);
*err = EPROTO;
return false;
}
mbuf_set_end(mb, mb->pos + len);
return false; /* continue processing */
}
static bool recv_handler(struct sa *src, struct mbuf *mb, void *arg)
{
struct sock *sock = arg;
err_status_t e;
int len;
(void)src;
if (!is_rtp_or_rtcp(mb))
return false;
len = (int)mbuf_get_left(mb);
if (is_rtcp_packet(mb)) {
e = srtp_unprotect_rtcp(sock->rx->srtp, mbuf_buf(mb), &len);
}
else {
e = srtp_unprotect(sock->rx->srtp, mbuf_buf(mb), &len);
}
if (e != err_status_ok) {
DEBUG_WARNING("recv: failed to unprotect %s-packet"
" with %d bytes (%H)\n",
is_rtcp_packet(mb) ? "RTCP" : "RTP",
len, errstatus_print, e);
return true; /* error - drop packet */
}
mbuf_set_end(mb, mb->pos + len);
return false; /* continue processing */
}
int srtp_stream_add(struct srtp_stream **sp, const char *profile,
const struct key *key, bool tx)
{
struct srtp_stream *s;
err_status_t e;
int err = 0;
if (!sp || !key || key->key_len > SRTP_MAX_KEY_LEN)
return EINVAL;
s = mem_zalloc(sizeof(*s), destructor);
if (!s)
return ENOMEM;
memcpy(s->key, key->key, key->key_len);
append_salt_to_key(s->key, (unsigned int)key->key_len,
(unsigned char *)key->salt,
(unsigned int)key->salt_len);
/* note: policy and key must be on the heap */
if (0 == str_casecmp(profile, "SRTP_AES128_CM_SHA1_80")) {
crypto_policy_set_aes_cm_128_hmac_sha1_80(&s->policy.rtp);
crypto_policy_set_aes_cm_128_hmac_sha1_80(&s->policy.rtcp);
}
else if (0 == str_casecmp(profile, "SRTP_AES128_CM_SHA1_32")) {
crypto_policy_set_aes_cm_128_hmac_sha1_32(&s->policy.rtp);
crypto_policy_set_aes_cm_128_hmac_sha1_32(&s->policy.rtcp);
}
else {
DEBUG_WARNING("unsupported profile: %s\n", profile);
err = ENOSYS;
goto out;
}
s->policy.ssrc.type = tx ? ssrc_any_outbound : ssrc_any_inbound;
s->policy.key = s->key;
s->policy.next = NULL;
e = srtp_create(&s->srtp, &s->policy);
if (err_status_ok != e) {
s->srtp = NULL;
DEBUG_WARNING("srtp_create() failed. e=%d\n", e);
err = ENOMEM;
goto out;
}
out:
if (err)
mem_deref(s);
else
*sp = s;
return err;
}
int srtp_install(struct sock *sock)
{
return udp_register_helper(&sock->uh_srtp, sock->app_sock,
LAYER_SRTP,
send_handler,
recv_handler,
sock);
}
|
