Re #1943: AES-GCM crypto support for SRTP

Special thanks to Alexander Traud for the patch.



git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@5412 74dad513-b988-da41-8d7b-12977e46ad98

3 files changed, 96 insertions, 20 deletions

diff --git a/pjmedia/include/pjmedia/config.h b/pjmedia/include/pjmedia/config.h
index cbcd08fb..a173af42 100644
--- a/pjmedia/include/pjmedia/config.h
+++ b/pjmedia/include/pjmedia/config.h
@@ -953,6 +953,61 @@
 
 
 /**
+ * Maximum number of SRTP cryptos.
+ *
+ * Default: 16
+ */
+#ifndef PJMEDIA_SRTP_MAX_CRYPTOS
+#   define PJMEDIA_SRTP_MAX_CRYPTOS		    16
+#endif
+
+
+/**
+ * Enable AES_CM_256 cryptos in SRTP.
+ * Default: enabled.
+ */
+#ifndef PJMEDIA_SRTP_HAS_AES_CM_256
+#   define PJMEDIA_SRTP_HAS_AES_CM_256	    	    1
+#endif
+
+
+/**
+ * Enable AES_CM_192 cryptos in SRTP
+ * Default: disabled.
+ */
+#ifndef PJMEDIA_SRTP_HAS_AES_CM_192
+#   define PJMEDIA_SRTP_HAS_AES_CM_192	    	    0
+#endif
+
+
+/**
+ * Enable AES_CM_128 cryptos in SRTP.
+ * Default: enabled.
+ */
+#ifndef PJMEDIA_SRTP_HAS_AES_CM_128
+#   define PJMEDIA_SRTP_HAS_AES_CM_128    	    1
+#endif
+
+
+/**
+ * Enable AES_GCM_256 cryptos in SRTP.
+ * Default: disabled.
+ */
+#ifndef PJMEDIA_SRTP_HAS_AES_GCM_256
+#   define PJMEDIA_SRTP_HAS_AES_GCM_256	    	    0
+#endif
+
+
+/**
+ * Enable AES_GCM_128 cryptos in SRTP.
+ * Default: disabled.
+ */
+#ifndef PJMEDIA_SRTP_HAS_AES_GCM_128
+#   define PJMEDIA_SRTP_HAS_AES_GCM_128    	    0
+#endif
+
+
+/**
  * Let the library handle libsrtp initialization and deinitialization.
  * Application may want to disable this and manually perform libsrtp
  * initialization and deinitialization when it needs to use libsrtp
diff --git a/pjmedia/include/pjmedia/transport_srtp.h b/pjmedia/include/pjmedia/transport_srtp.h
index 910ec1d0..fe5337ac 100644
--- a/pjmedia/include/pjmedia/transport_srtp.h
+++ b/pjmedia/include/pjmedia/transport_srtp.h
@@ -155,7 +155,7 @@ typedef struct pjmedia_srtp_setting
     /**
      * Specify individual crypto suite setting.
      */
-    pjmedia_srtp_crypto		crypto[8];
+    pjmedia_srtp_crypto		crypto[PJMEDIA_SRTP_MAX_CRYPTOS];
 
 } pjmedia_srtp_setting;
 
diff --git a/pjmedia/src/pjmedia/transport_srtp.c b/pjmedia/src/pjmedia/transport_srtp.c
index c262f070..304d0a6f 100644
--- a/pjmedia/src/pjmedia/transport_srtp.c
+++ b/pjmedia/src/pjmedia/transport_srtp.c
@@ -84,35 +84,56 @@ typedef struct crypto_suite
     sec_serv_t		 service;
 } crypto_suite;
 
-/* Crypto suites as defined on RFC 4568 */
+/* https://www.iana.org/assignments/sdp-security-descriptions/sdp-security-descriptions.xhtml */
 static crypto_suite crypto_suites[] = {
     /* plain RTP/RTCP (no cipher & no auth) */
     {"NULL", NULL_CIPHER, 0, NULL_AUTH, 0, 0, 0, sec_serv_none},
-
+#if defined(PJMEDIA_SRTP_HAS_AES_GCM_256) && \
+    (PJMEDIA_SRTP_HAS_AES_GCM_256 != 0)
+    /* cipher AES_GCM, NULL auth, auth tag len = 16 octets */
+    {"AEAD_AES_256_GCM", AES_256_GCM, AES_256_GCM_KEYSIZE_WSALT,
+	NULL_AUTH, 0, 16, 16, sec_serv_conf_and_auth},
+    /* cipher AES_GCM, NULL auth, auth tag len = 8 octets */
+    {"AEAD_AES_256_GCM_8", AES_256_GCM, AES_256_GCM_KEYSIZE_WSALT,
+	NULL_AUTH, 0, 8, 8, sec_serv_conf_and_auth},
+#endif
+#if defined(PJMEDIA_SRTP_HAS_AES_CM_256) && \
+    (PJMEDIA_SRTP_HAS_AES_CM_256 != 0)
     /* cipher AES_CM_256, auth HMAC_SHA1, auth tag len = 10 octets */
     {"AES_256_CM_HMAC_SHA1_80", AES_ICM, 46, HMAC_SHA1, 20, 10, 10,
 	sec_serv_conf_and_auth},
-
     /* cipher AES_CM_256, auth HMAC_SHA1, auth tag len = 10 octets */
     {"AES_256_CM_HMAC_SHA1_32", AES_ICM, 46, HMAC_SHA1, 20, 4, 10,
-        sec_serv_conf_and_auth},
-
-    /* cipher AES_192_CM, auth HMAC_SHA1, auth tag len = 10 octets */
-    //{"AES_192_CM_HMAC_SHA1_80", AES_ICM, 38, HMAC_SHA1, 20, 10, 10,
-	//sec_serv_conf_and_auth},
-
-    /* cipher AES_192_CM, auth HMAC_SHA1, auth tag len = 4 octets */
-    //{"AES_192_CM_HMAC_SHA1_32", AES_ICM, 38, HMAC_SHA1, 20, 4, 10,
-	//sec_serv_conf_and_auth},
-
-    /* cipher AES_CM, auth HMAC_SHA1, auth tag len = 10 octets */
-    {"AES_CM_128_HMAC_SHA1_80", AES_128_ICM, 30, HMAC_SHA1, 20, 10, 10,
 	sec_serv_conf_and_auth},
-
-    /* cipher AES_CM, auth HMAC_SHA1, auth tag len = 4 octets */
-    {"AES_CM_128_HMAC_SHA1_32", AES_128_ICM, 30, HMAC_SHA1, 20, 4, 10,
+#endif
+#if defined(PJMEDIA_SRTP_HAS_AES_CM_192) && \
+    (PJMEDIA_SRTP_HAS_AES_CM_192 != 0)
+    /* cipher AES_CM_192, auth HMAC_SHA1, auth tag len = 10 octets */
+    {"AES_192_CM_HMAC_SHA1_80", AES_ICM, 38, HMAC_SHA1, 20, 10, 10,
 	sec_serv_conf_and_auth},
-
+    /* cipher AES_CM_192, auth HMAC_SHA1, auth tag len = 4 octets */
+    {"AES_192_CM_HMAC_SHA1_32", AES_ICM, 38, HMAC_SHA1, 20, 4, 10,
+	sec_serv_conf_and_auth},
+#endif
+#if defined(PJMEDIA_SRTP_HAS_AES_GCM_128) && \
+    (PJMEDIA_SRTP_HAS_AES_GCM_128 != 0)
+    /* cipher AES_GCM, NULL auth, auth tag len = 16 octets */
+    {"AEAD_AES_128_GCM", AES_128_GCM, AES_128_GCM_KEYSIZE_WSALT,
+	NULL_AUTH, 0, 16, 16, sec_serv_conf_and_auth},
+
+    /* cipher AES_GCM, NULL auth, auth tag len = 8 octets */
+    {"AEAD_AES_128_GCM_8", AES_128_GCM, AES_128_GCM_KEYSIZE_WSALT,
+	NULL_AUTH, 0, 8, 8, sec_serv_conf_and_auth},
+#endif
+#if defined(PJMEDIA_SRTP_HAS_AES_CM_128) && \
+    (PJMEDIA_SRTP_HAS_AES_CM_128 != 0)
+    /* cipher AES_CM_128, auth HMAC_SHA1, auth tag len = 10 octets */
+    {"AES_CM_128_HMAC_SHA1_80", AES_ICM, 30, HMAC_SHA1, 20, 10, 10,
+	sec_serv_conf_and_auth},
+    /* cipher AES_CM_128, auth HMAC_SHA1, auth tag len = 4 octets */
+    {"AES_CM_128_HMAC_SHA1_32", AES_ICM, 30, HMAC_SHA1, 20, 4, 10,
+	sec_serv_conf_and_auth},
+#endif
     /*
      * F8_128_HMAC_SHA1_8 not supported by libsrtp?
      * {"F8_128_HMAC_SHA1_8", NULL_CIPHER, 0, NULL_AUTH, 0, 0, 0, sec_serv_none}