Add support for GCM cipher suites from RFC 7714.

webrtc/pc/srtpfilter.cc

 /*
  *  Copyright 2009 The WebRTC project authors. All Rights Reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
 #include "webrtc/pc/srtpfilter.h"
 
 #include <string.h>
 
 #include <algorithm>
 
 #include "webrtc/base/base64.h"
+#include "webrtc/base/buffer.h"
 #include "webrtc/base/byteorder.h"
 #include "webrtc/base/checks.h"
 #include "webrtc/base/common.h"
 #include "webrtc/base/logging.h"
 #include "webrtc/base/stringencode.h"
 #include "webrtc/base/timeutils.h"
 #include "webrtc/media/base/rtputils.h"
 
 // Enable this line to turn on SRTP debugging
 // #define SRTP_DEBUG
@@ skipping 13 matching lines @@
 #endif  // ENABLE_EXTERNAL_AUTH
 #if !defined(NDEBUG)
 extern "C" debug_module_t mod_srtp;
 extern "C" debug_module_t mod_auth;
 extern "C" debug_module_t mod_cipher;
 extern "C" debug_module_t mod_stat;
 extern "C" debug_module_t mod_alloc;
 extern "C" debug_module_t mod_aes_icm;
 extern "C" debug_module_t mod_aes_hmac;
 #endif
-#else
-// SrtpFilter needs that constant.
-#define SRTP_MASTER_KEY_LEN 30
 #endif  // HAVE_SRTP
 
 namespace cricket {
 
-const int SRTP_MASTER_KEY_BASE64_LEN = SRTP_MASTER_KEY_LEN * 4 / 3;
-const int SRTP_MASTER_KEY_KEY_LEN = 16;
-const int SRTP_MASTER_KEY_SALT_LEN = 14;
-
 #ifndef HAVE_SRTP
 
 // This helper function is used on systems that don't (yet) have SRTP,
 // to log that the functions that require it won't do anything.
 namespace {
 bool SrtpNotAvailable(const char *func) {
   LOG(LS_ERROR) << func << ": SRTP is not available on your system.";
   return false;
 }
 }  // anonymous namespace
@@ skipping 324 matching lines @@
   // CryptoParams is unchanged.
   if (applied_send_params_.cipher_suite == send_params.cipher_suite &&
       applied_send_params_.key_params == send_params.key_params &&
       applied_recv_params_.cipher_suite == recv_params.cipher_suite &&
       applied_recv_params_.key_params == recv_params.key_params) {
     LOG(LS_INFO) << "Applying the same SRTP parameters again. No-op.";
 
     // We do not want to reset the ROC if the keys are the same. So just return.
     return true;
   }
+
+  int send_suite = rtc::SrtpCryptoSuiteFromName(send_params.cipher_suite);
+  int recv_suite = rtc::SrtpCryptoSuiteFromName(recv_params.cipher_suite);
+  if (send_suite == rtc::SRTP_INVALID_CRYPTO_SUITE ||
+      recv_suite == rtc::SRTP_INVALID_CRYPTO_SUITE) {
+    LOG(LS_WARNING) << "Unknown crypto suite(s) received:"
+                    << " send cipher_suite " << send_params.cipher_suite
+                    << " recv cipher_suite " << recv_params.cipher_suite;
+    return false;
+  }
+
+  int send_key_len, send_salt_len;
+  int recv_key_len, recv_salt_len;
+  if (!rtc::GetSrtpKeyAndSaltLengths(send_suite, &send_key_len,
+                                     &send_salt_len) ||
+      !rtc::GetSrtpKeyAndSaltLengths(recv_suite, &recv_key_len,
+                                     &recv_salt_len)) {
+    LOG(LS_WARNING) << "Could not get lengths for crypto suite(s):"
+                    << " send cipher_suite " << send_params.cipher_suite
+                    << " recv cipher_suite " << recv_params.cipher_suite;
+    return false;
+  }
+
   // TODO(juberti): Zero these buffers after use.
   bool ret;
-  uint8_t send_key[SRTP_MASTER_KEY_LEN], recv_key[SRTP_MASTER_KEY_LEN];
-  ret = (ParseKeyParams(send_params.key_params, send_key, sizeof(send_key)) &&
-         ParseKeyParams(recv_params.key_params, recv_key, sizeof(recv_key)));
+  rtc::Buffer send_key(send_key_len + send_salt_len);
+  rtc::Buffer recv_key(recv_key_len + recv_salt_len);
+  ret = (ParseKeyParams(send_params.key_params, send_key.data(),
+                        send_key.size()) &&
+         ParseKeyParams(recv_params.key_params, recv_key.data(),
+                        recv_key.size()));
   if (ret) {
     CreateSrtpSessions();
     ret = (send_session_->SetSend(
-               rtc::SrtpCryptoSuiteFromName(send_params.cipher_suite), send_key,
-               sizeof(send_key)) &&
+               rtc::SrtpCryptoSuiteFromName(send_params.cipher_suite),
+               send_key.data(), send_key.size()) &&
            recv_session_->SetRecv(
-               rtc::SrtpCryptoSuiteFromName(recv_params.cipher_suite), recv_key,
-               sizeof(recv_key)));
+               rtc::SrtpCryptoSuiteFromName(recv_params.cipher_suite),
+               recv_key.data(), recv_key.size()));
   }
   if (ret) {
     LOG(LS_INFO) << "SRTP activated with negotiated parameters:"
                  << " send cipher_suite " << send_params.cipher_suite
                  << " recv cipher_suite " << recv_params.cipher_suite;
     applied_send_params_ = send_params;
     applied_recv_params_ = recv_params;
   } else {
     LOG(LS_WARNING) << "Failed to apply negotiated SRTP parameters";
   }
   return ret;
 }
 
 bool SrtpFilter::ResetParams() {
   offer_params_.clear();
   state_ = ST_INIT;
   send_session_ = nullptr;
   recv_session_ = nullptr;
   send_rtcp_session_ = nullptr;
   recv_rtcp_session_ = nullptr;
   LOG(LS_INFO) << "SRTP reset to init state";
   return true;
 }
 
 bool SrtpFilter::ParseKeyParams(const std::string& key_params,
                                 uint8_t* key,
-                                int len) {
+                                size_t len) {
   // example key_params: "inline:YUJDZGVmZ2hpSktMbW9QUXJzVHVWd3l6MTIzNDU2"
 
   // Fail if key-method is wrong.
   if (key_params.find("inline:") != 0) {
     return false;
   }
 
   // Fail if base64 decode fails, or the key is the wrong size.
   std::string key_b64(key_params.substr(7)), key_str;
   if (!rtc::Base64::Decode(key_b64, rtc::Base64::DO_STRICT,
-                           &key_str, nullptr) ||
-      static_cast<int>(key_str.size()) != len) {
+                           &key_str, nullptr) || key_str.size() != len) {
     return false;
   }
 
   memcpy(key, key_str.c_str(), len);
   return true;
 }
 
 ///////////////////////////////////////////////////////////////////////////////
 // SrtpSession
 
@@ skipping 13 matching lines @@
   SignalSrtpError.repeat(srtp_stat_->SignalSrtpError);
 }
 
 SrtpSession::~SrtpSession() {
   if (session_) {
     srtp_set_user_data(session_, nullptr);
     srtp_dealloc(session_);
   }
 }
 
-bool SrtpSession::SetSend(int cs, const uint8_t* key, int len) {
+bool SrtpSession::SetSend(int cs, const uint8_t* key, size_t len) {
   return SetKey(ssrc_any_outbound, cs, key, len);
 }
 
-bool SrtpSession::SetRecv(int cs, const uint8_t* key, int len) {
+bool SrtpSession::SetRecv(int cs, const uint8_t* key, size_t len) {
   return SetKey(ssrc_any_inbound, cs, key, len);
 }
 
 bool SrtpSession::ProtectRtp(void* p, int in_len, int max_len, int* out_len) {
   RTC_DCHECK(thread_checker_.CalledOnValidThread());
   if (!session_) {
     LOG(LS_WARNING) << "Failed to protect SRTP packet: no SRTP Session";
     return false;
   }
 
@@ skipping 133 matching lines @@
   // Shift packet index, put into network byte order
   *index = static_cast<int64_t>(
       rtc::NetworkToHost64(rdbx_get_packet_index(&stream->rtp_rdbx) << 16));
   return true;
 }
 
 void SrtpSession::set_signal_silent_time(int signal_silent_time_in_ms) {
   srtp_stat_->set_signal_silent_time(signal_silent_time_in_ms);
 }
 
-bool SrtpSession::SetKey(int type, int cs, const uint8_t* key, int len) {
+bool SrtpSession::SetKey(int type, int cs, const uint8_t* key, size_t len) {
   RTC_DCHECK(thread_checker_.CalledOnValidThread());
   if (session_) {
     LOG(LS_ERROR) << "Failed to create SRTP session: "
                   << "SRTP session already created";
     return false;
   }
 
   if (!Init()) {
     return false;
   }
 
   srtp_policy_t policy;
   memset(&policy, 0, sizeof(policy));
-
   if (cs == rtc::SRTP_AES128_CM_SHA1_80) {
     crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtp);
     crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp);
   } else if (cs == rtc::SRTP_AES128_CM_SHA1_32) {
     crypto_policy_set_aes_cm_128_hmac_sha1_32(&policy.rtp);   // rtp is 32,
     crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp);  // rtcp still 80
+  } else if (cs == rtc::SRTP_AEAD_AES_128_GCM) {
+    crypto_policy_set_aes_gcm_128_16_auth(&policy.rtp);
+    crypto_policy_set_aes_gcm_128_16_auth(&policy.rtcp);
+  } else if (cs == rtc::SRTP_AEAD_AES_256_GCM) {
+    crypto_policy_set_aes_gcm_256_16_auth(&policy.rtp);
+    crypto_policy_set_aes_gcm_256_16_auth(&policy.rtcp);
   } else {
     LOG(LS_WARNING) << "Failed to create SRTP session: unsupported"
                     << " cipher_suite " << cs;
     return false;
   }
 
-  if (!key || len != SRTP_MASTER_KEY_LEN) {
+  int expected_key_len;
+  int expected_salt_len;
+  if (!rtc::GetSrtpKeyAndSaltLengths(cs, &expected_key_len,
+      &expected_salt_len)) {
+    // This should never happen.
+    LOG(LS_WARNING) << "Failed to create SRTP session: unsupported"
+                    << " cipher_suite without length information" << cs;
+    return false;
+  }
+
+  if (!key ||
+      len != static_cast<size_t>(expected_key_len + expected_salt_len)) {
     LOG(LS_WARNING) << "Failed to create SRTP session: invalid key";
     return false;
   }
 
   policy.ssrc.type = static_cast<ssrc_type_t>(type);
   policy.ssrc.value = 0;
   policy.key = const_cast<uint8_t*>(key);
   // TODO(astor) parse window size from WSH session-param
   policy.window_size = 1024;
   policy.allow_repeat_tx = 1;
   // If external authentication option is enabled, supply custom auth module
   // id EXTERNAL_HMAC_SHA1 in the policy structure.
   // We want to set this option only for rtp packets.
   // By default policy structure is initialized to HMAC_SHA1.
 #if defined(ENABLE_EXTERNAL_AUTH)
   // Enable external HMAC authentication only for outgoing streams.
   if (type == ssrc_any_outbound) {
     policy.rtp.auth_type = EXTERNAL_HMAC_SHA1;

[mattdr-at-webrtc.org, 2016/07/14 20:39:51]

I had to read code near here for some other purpose, and thought of this CL.

This code summarily overrides the cipher policy's auth mechanism and replaces it
with this "external" HMAC-SHA1 implementation. Looking at the implementation
(look for external_hmac_compute, UpdateRtpAuthTag) I expect this does something
aggressively bad in the face of a different auth mechanism.

It also hints at code that rewrites packets after libsrtp has seen them (see
ApplyPacketOptions in rtputils.h).

... does any of that code actually run?

[mattdr-at-webrtc.org, 2016/07/14 20:43:22]

... and should this have come up in testing?

note that libsrtp uses "null auth" for aes-gcm:
https://github.com/cisco/libsrtp/blob/f97b18d7686b6e9a750e55f93dc4bc1153ddee5...

   }
 #endif
   policy.next = nullptr;
 
   int err = srtp_create(&session_, &policy);
   if (err != err_status_ok) {
     session_ = nullptr;
     LOG(LS_ERROR) << "Failed to create SRTP session, err=" << err;
     return false;
   }
@@ skipping 217 matching lines @@
   SrtpNotAvailable(__FUNCTION__);
 }
 
 void SrtpStat::HandleSrtpResult(const SrtpStat::FailureKey& key) {
   SrtpNotAvailable(__FUNCTION__);
 }
 
 #endif  // HAVE_SRTP
 
 }  // namespace cricket