From de5891815932de36675e2f49faef3cbd7b479b96 Mon Sep 17 00:00:00 2001 From: Liong Sauw Ming Date: Mon, 8 Aug 2016 09:09:29 +0000 Subject: Re #1943: AES-GCM crypto support for SRTP Special thanks to Alexander Traud for the patch. git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@5412 74dad513-b988-da41-8d7b-12977e46ad98 --- aconfigure | 14 ++++++++ aconfigure.ac | 10 ++++++ pjmedia/include/pjmedia/config.h | 55 +++++++++++++++++++++++++++++ pjmedia/include/pjmedia/transport_srtp.h | 2 +- pjmedia/src/pjmedia/transport_srtp.c | 59 ++++++++++++++++++++++---------- third_party/build/os-auto.mak.in | 16 +++++++++ third_party/build/srtp/Makefile | 11 +++--- 7 files changed, 141 insertions(+), 26 deletions(-) diff --git a/aconfigure b/aconfigure index 23c8386d..d82fc108 100755 --- a/aconfigure +++ b/aconfigure @@ -640,6 +640,7 @@ ac_no_opencore_amrnb libcrypto_present libssl_present openssl_h_present +ac_ssl_has_aes_gcm ac_no_ssl ac_webrtc_ldflags ac_webrtc_cflags @@ -7837,6 +7838,8 @@ if test "x$ac_cross_compile" != "x" -a "x$with_ssl" = "xno"; then fi +ac_ssl_has_aes_gcm=0 + # Check whether --enable-ssl was given. if test "${enable_ssl+set}" = set; then : enableval=$enable_ssl; 
@@ -7948,6 +7951,17 @@ fi if test "x$openssl_h_present" = "x1" -a "x$libssl_present" = "x1" -a "x$libcrypto_present" = "x1"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL library found, SSL support enabled" >&5 $as_echo "OpenSSL library found, SSL support enabled" >&6; } + + # Check if SRTP should be compiled with OpenSSL + # support, to enable cryptos such as AES GCM AC_CHECK_LIB(crypto,EVP_aes_128_gcm,[ac_ssl_has_aes_gcm=1]) + if test "x$ac_ssl_has_aes_gcm" = "x1"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL has AES GCM support, SRTP will use OpenSSl version" >&5 +$as_echo "OpenSSL has AES GCM support, SRTP will use OpenSSl version" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos" >&5 +$as_echo "OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos" >&6; } + fi + # PJSIP_HAS_TLS_TRANSPORT setting follows PJ_HAS_SSL_SOCK #AC_DEFINE(PJSIP_HAS_TLS_TRANSPORT, 1) $as_echo "#define PJ_HAS_SSL_SOCK 1" >>confdefs.h diff --git a/aconfigure.ac b/aconfigure.ac index 4ea4d498..795c6e4e 100644 --- a/aconfigure.ac +++ b/aconfigure.ac @@ -1575,6 +1575,7 @@ fi dnl # Include SSL support AC_SUBST(ac_no_ssl) +AC_SUBST(ac_ssl_has_aes_gcm,0) AC_ARG_ENABLE(ssl, AS_HELP_STRING([--disable-ssl], [Exclude SSL support the build (default: autodetect)]) 
@@ -1600,6 +1601,15 @@ AC_ARG_ENABLE(ssl, AC_CHECK_LIB(ssl,SSL_library_init,[libssl_present=1 && LIBS="-lssl $LIBS"]) if test "x$openssl_h_present" = "x1" -a "x$libssl_present" = "x1" -a "x$libcrypto_present" = "x1"; then AC_MSG_RESULT([OpenSSL library found, SSL support enabled]) + + # Check if SRTP should be compiled with OpenSSL + # support, to enable cryptos such as AES GCM AC_CHECK_LIB(crypto,EVP_aes_128_gcm,[ac_ssl_has_aes_gcm=1]) + if test "x$ac_ssl_has_aes_gcm" = "x1"; then + AC_MSG_RESULT([OpenSSL has AES GCM support, SRTP will use OpenSSl version]) + else + AC_MSG_RESULT([OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos]) + fi + # PJSIP_HAS_TLS_TRANSPORT setting follows PJ_HAS_SSL_SOCK #AC_DEFINE(PJSIP_HAS_TLS_TRANSPORT, 1) AC_DEFINE(PJ_HAS_SSL_SOCK, 1) diff --git a/pjmedia/include/pjmedia/config.h b/pjmedia/include/pjmedia/config.h index cbcd08fb..a173af42 100644 --- a/pjmedia/include/pjmedia/config.h +++ b/pjmedia/include/pjmedia/config.h 
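Review bot: `AC_CHECK_LIB(crypto,EVP_aes_128_gcm,[ac_ssl_has_aes_gcm=1])` appears to sit on the same line as the `# support, to enable cryptos such as AES GCM` comment. It carries no `+` marker of its own, and the regenerated `aconfigure` hunk shows the macro text passed through unexpanded after the same comment. m4 does not expand macros inside a `#` comment and the shell ignores the rest of that line, so if this reading is right `ac_ssl_has_aes_gcm` can never become 1, and every build reports "OpenSSL AES GCM support not found" and keeps the bundled AES-CM-only libsrtp. Put the macro on its own line below the comment and regenerate `aconfigure`; the success message also misspells the name as `OpenSSl`.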
@@ -952,6 +952,61 @@ #endif +/** + * Maximum number of SRTP cryptos. + * + * Default: 16 + */ +#ifndef PJMEDIA_SRTP_MAX_CRYPTOS +# define PJMEDIA_SRTP_MAX_CRYPTOS 16 +#endif + + +/** + * Enable AES_CM_256 cryptos in SRTP. + * Default: enabled. + */ +#ifndef PJMEDIA_SRTP_HAS_AES_CM_256 +# define PJMEDIA_SRTP_HAS_AES_CM_256 1 +#endif + + +/** + * Enable AES_CM_192 cryptos in SRTP + * Default: disabled. + */ +#ifndef PJMEDIA_SRTP_HAS_AES_CM_192 +# define PJMEDIA_SRTP_HAS_AES_CM_192 0 +#endif + + +/** + * Enable AES_CM_128 cryptos in SRTP. + * Default: enabled. + */ +#ifndef PJMEDIA_SRTP_HAS_AES_CM_128 +# define PJMEDIA_SRTP_HAS_AES_CM_128 1 +#endif + + +/** + * Enable AES_GCM_256 cryptos in SRTP. + * Default: disabled. + */ +#ifndef PJMEDIA_SRTP_HAS_AES_GCM_256 +# define PJMEDIA_SRTP_HAS_AES_GCM_256 0 +#endif + + +/** + * Enable AES_GCM_128 cryptos in SRTP. + * Default: disabled. + */ +#ifndef PJMEDIA_SRTP_HAS_AES_GCM_128 +# define PJMEDIA_SRTP_HAS_AES_GCM_128 0 +#endif + + /** * Let the library handle libsrtp initialization and deinitialization. * Application may want to disable this and manually perform libsrtp diff --git a/pjmedia/include/pjmedia/transport_srtp.h b/pjmedia/include/pjmedia/transport_srtp.h index 910ec1d0..fe5337ac 100644 --- a/pjmedia/include/pjmedia/transport_srtp.h +++ b/pjmedia/include/pjmedia/transport_srtp.h @@ -155,7 +155,7 @@ typedef struct pjmedia_srtp_setting /** * Specify individual crypto suite setting. */ - pjmedia_srtp_crypto crypto[8]; + pjmedia_srtp_crypto crypto[PJMEDIA_SRTP_MAX_CRYPTOS]; } pjmedia_srtp_setting; diff --git a/pjmedia/src/pjmedia/transport_srtp.c b/pjmedia/src/pjmedia/transport_srtp.c index c262f070..304d0a6f 100644 --- a/pjmedia/src/pjmedia/transport_srtp.c +++ b/pjmedia/src/pjmedia/transport_srtp.c 
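Review bot: The doc comments for `PJMEDIA_SRTP_HAS_AES_GCM_256` and `PJMEDIA_SRTP_HAS_AES_GCM_128` do not say what the switches depend on. Elsewhere in this commit the GCM objects (`aes_gcm_ossl.o`) and `-DOPENSSL` are only selected when configure sets `ac_ssl_has_aes_gcm`, and nothing visible ties these macros to that result. Setting one to 1 on a build that uses the bundled ciphers would presumably advertise a suite libsrtp cannot allocate; that should be confirmed. I would add a line such as `* Requires libsrtp built against OpenSSL (-DOPENSSL); otherwise leave disabled.` to both comments.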
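Review bot: The bound of `crypto[]` in `pjmedia_srtp_setting` is now user-overridable, but nothing visible checks it against the size of the `crypto_suites[]` table in transport_srtp.c. With every switch enabled that table holds 11 entries, more than the old fixed 8. The code that copies suites into `crypto[]` is outside this diff, so whether it clamps to the array size cannot be confirmed here. A compile-time guard placed after the table would catch a too-small override: `typedef char srtp_max_cryptos_check[(sizeof(crypto_suites)/sizeof(crypto_suites[0]) <= PJMEDIA_SRTP_MAX_CRYPTOS) ? 1 : -1];`. The struct definition starts above the hunk; note too that changing its size alters the layout seen by applications compiled against the old header.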
@@ -84,35 +84,56 @@ typedef struct crypto_suite sec_serv_t service; } crypto_suite; -/* Crypto suites as defined on RFC 4568 */ +/* https://www.iana.org/assignments/sdp-security-descriptions/sdp-security-descriptions.xhtml */ static crypto_suite crypto_suites[] = { /* plain RTP/RTCP (no cipher & no auth) */ {"NULL", NULL_CIPHER, 0, NULL_AUTH, 0, 0, 0, sec_serv_none}, - +#if defined(PJMEDIA_SRTP_HAS_AES_GCM_256) && \ + (PJMEDIA_SRTP_HAS_AES_GCM_256 != 0) + /* cipher AES_GCM, NULL auth, auth tag len = 16 octets */ + {"AEAD_AES_256_GCM", AES_256_GCM, AES_256_GCM_KEYSIZE_WSALT, + NULL_AUTH, 0, 16, 16, sec_serv_conf_and_auth}, + /* cipher AES_GCM, NULL auth, auth tag len = 8 octets */ + {"AEAD_AES_256_GCM_8", AES_256_GCM, AES_256_GCM_KEYSIZE_WSALT, + NULL_AUTH, 0, 8, 8, sec_serv_conf_and_auth}, +#endif +#if defined(PJMEDIA_SRTP_HAS_AES_CM_256) && \ + (PJMEDIA_SRTP_HAS_AES_CM_256 != 0) /* cipher AES_CM_256, auth HMAC_SHA1, auth tag len = 10 octets */ {"AES_256_CM_HMAC_SHA1_80", AES_ICM, 46, HMAC_SHA1, 20, 10, 10, sec_serv_conf_and_auth}, - /* cipher AES_CM_256, auth HMAC_SHA1, auth tag len = 10 octets */ {"AES_256_CM_HMAC_SHA1_32", AES_ICM, 46, HMAC_SHA1, 20, 4, 10, - sec_serv_conf_and_auth}, - - /* cipher AES_192_CM, auth HMAC_SHA1, auth tag len = 10 octets */ - //{"AES_192_CM_HMAC_SHA1_80", AES_ICM, 38, HMAC_SHA1, 20, 10, 10, - //sec_serv_conf_and_auth}, - - /* cipher AES_192_CM, auth HMAC_SHA1, auth tag len = 4 octets */ - //{"AES_192_CM_HMAC_SHA1_32", AES_ICM, 38, HMAC_SHA1, 20, 4, 10, - //sec_serv_conf_and_auth}, - - /* cipher AES_CM, auth HMAC_SHA1, auth tag len = 10 octets */ - {"AES_CM_128_HMAC_SHA1_80", AES_128_ICM, 30, HMAC_SHA1, 20, 10, 10, sec_serv_conf_and_auth}, - - /* cipher AES_CM, auth HMAC_SHA1, auth tag len = 4 octets */ - {"AES_CM_128_HMAC_SHA1_32", AES_128_ICM, 30, HMAC_SHA1, 20, 4, 10, +#endif +#if defined(PJMEDIA_SRTP_HAS_AES_CM_192) && \ + (PJMEDIA_SRTP_HAS_AES_CM_192 != 0) + /* cipher AES_CM_192, auth HMAC_SHA1, auth tag len = 10 octets */ + 
{"AES_192_CM_HMAC_SHA1_80", AES_ICM, 38, HMAC_SHA1, 20, 10, 10, sec_serv_conf_and_auth}, - + /* cipher AES_CM_192, auth HMAC_SHA1, auth tag len = 4 octets */ + {"AES_192_CM_HMAC_SHA1_32", AES_ICM, 38, HMAC_SHA1, 20, 4, 10, + sec_serv_conf_and_auth}, +#endif +#if defined(PJMEDIA_SRTP_HAS_AES_GCM_128) && \ + (PJMEDIA_SRTP_HAS_AES_GCM_128 != 0) + /* cipher AES_GCM, NULL auth, auth tag len = 16 octets */ + {"AEAD_AES_128_GCM", AES_128_GCM, AES_128_GCM_KEYSIZE_WSALT, + NULL_AUTH, 0, 16, 16, sec_serv_conf_and_auth}, + + /* cipher AES_GCM, NULL auth, auth tag len = 8 octets */ + {"AEAD_AES_128_GCM_8", AES_128_GCM, AES_128_GCM_KEYSIZE_WSALT, + NULL_AUTH, 0, 8, 8, sec_serv_conf_and_auth}, +#endif +#if defined(PJMEDIA_SRTP_HAS_AES_CM_128) && \ + (PJMEDIA_SRTP_HAS_AES_CM_128 != 0) + /* cipher AES_CM_128, auth HMAC_SHA1, auth tag len = 10 octets */ + {"AES_CM_128_HMAC_SHA1_80", AES_ICM, 30, HMAC_SHA1, 20, 10, 10, + sec_serv_conf_and_auth}, + /* cipher AES_CM_128, auth HMAC_SHA1, auth tag len = 4 octets */ + {"AES_CM_128_HMAC_SHA1_32", AES_ICM, 30, HMAC_SHA1, 20, 4, 10, + sec_serv_conf_and_auth}, +#endif /* * F8_128_HMAC_SHA1_8 not supported by libsrtp? * {"F8_128_HMAC_SHA1_8", NULL_CIPHER, 0, NULL_AUTH, 0, 0, 0, sec_serv_none} diff --git a/third_party/build/os-auto.mak.in b/third_party/build/os-auto.mak.in index ef261f65..66653fa1 100644 --- a/third_party/build/os-auto.mak.in +++ b/third_party/build/os-auto.mak.in 
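Review bot: The `AEAD_AES_256_GCM_8` and `AEAD_AES_128_GCM_8` rows advertise an 8-octet GCM tag under the same switch as the full-tag suites, so a build cannot enable AES-GCM without also offering and accepting the truncated tag. RFC 7714 defines only the 16-octet `AEAD_AES_128_GCM` and `AEAD_AES_256_GCM` suites for SRTP, and the `_8` names do not appear to be in the IANA registry the new comment links to; please confirm. A short GCM tag lowers forgery resistance considerably, so I would drop the two `_8` rows or gate them behind a separate, default-off macro, e.g. a new `PJMEDIA_SRTP_HAS_AES_GCM_128_8` tested the same way as the existing switches. The `crypto_suites[]` initializer continues past the end of the hunk.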
@@ -35,6 +35,22 @@ ifeq (@ac_external_srtp@,1) # External SRTP else DIRS += srtp + +ifeq (@ac_ssl_has_aes_gcm@,0) +CIPHERS_SRC = crypto/cipher/aes.o crypto/cipher/aes_icm.o \ + crypto/cipher/aes_cbc.o +HASHES_SRC = crypto/hash/sha1.o crypto/hash/hmac.o \ + # crypto/hash/tmmhv2.o +RNG_SRC = crypto/rng/rand_source.o crypto/rng/prng.o \ + crypto/rng/ctr_prng.o +else +CIPHERS_SRC = crypto/cipher/aes_icm_ossl.o crypto/cipher/aes_gcm_ossl.o +HASHES_SRC = crypto/hash/hmac_ossl.o +RNG_SRC = crypto/rng/rand_source_ossl.o +SRTP_OTHER_CFLAGS = -DOPENSSL +endif + + endif ifeq (@ac_pjmedia_resample@,libresample) diff --git a/third_party/build/srtp/Makefile b/third_party/build/srtp/Makefile index 7ef0f259..58d4fc58 100644 --- a/third_party/build/srtp/Makefile +++ b/third_party/build/srtp/Makefile @@ -1,5 +1,6 @@ include ../../../build.mak include ../../../build/common.mak +include ../os-$(OS_NAME).mak export LIBDIR := ../../lib @@ -28,11 +29,9 @@ export _LDFLAGS := $(CC_LDFLAGS) $(OS_LDFLAGS) $(M_LDFLAGS) $(HOST_LDFLAGS) \ # libcrypt.a (the crypto engine) ciphers = crypto/cipher/cipher.o crypto/cipher/null_cipher.o \ - crypto/cipher/aes.o crypto/cipher/aes_icm.o \ - crypto/cipher/aes_cbc.o + $(CIPHERS_SRC) -hashes = crypto/hash/null_auth.o crypto/hash/sha1.o \ - crypto/hash/hmac.o crypto/hash/auth.o # crypto/hash/tmmhv2.o +hashes = crypto/hash/null_auth.o crypto/hash/auth.o $(HASHES_SRC) replay = crypto/replay/rdb.o crypto/replay/rdbx.o \ crypto/replay/ut_sim.o @@ -41,7 +40,7 @@ math = crypto/math/datatypes.o crypto/math/stat.o ust = crypto/ust/ust.o -rng = crypto/rng/rand_source.o crypto/rng/prng.o crypto/rng/ctr_prng.o +rng = $(RNG_SRC) err = pjlib/srtp_err.o 
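Review bot: `ciphers`, `hashes` and `rng` now take their AES, SHA-1/HMAC and RNG objects only from `$(CIPHERS_SRC)`, `$(HASHES_SRC)` and `$(RNG_SRC)`, and this commit defines those only in `os-auto.mak.in`. If `include ../os-$(OS_NAME).mak` resolves to another os file that does not set them (none is touched here), the variables expand to nothing and libsrtp would be built without its cipher, hash and RNG objects. Defaults after the include would keep the previous object list for such builds, e.g. `CIPHERS_SRC ?= crypto/cipher/aes.o crypto/cipher/aes_icm.o crypto/cipher/aes_cbc.o`, with matching `?=` lines for `HASHES_SRC` and `RNG_SRC`.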
@@ -54,7 +53,7 @@ cryptobj = $(ciphers) $(hashes) $(math) $(stat) $(kernel) $(replay) export SRTP_SRCDIR = ../../srtp export SRTP_OBJS = $(cryptobj) $(srtpobj) -export SRTP_CFLAGS = -DHAVE_CONFIG_H $(_CFLAGS) +export SRTP_CFLAGS = -DHAVE_CONFIG_H $(_CFLAGS) $(SRTP_OTHER_CFLAGS) export SRTP_LDFLAGS = $(PJLIB_LDLIB) $(_LDFLAGS) -- cgit v1.2.3