/*
* aes_gcm_openssl_context_init(...) initializes the aes_gcm_context
* using the value in key[].
*
* the key is the secret key
*/
static srtp_err_status_t srtp_aes_gcm_openssl_context_init(void *cv,
const uint8_t *key)
{
srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
const EVP_CIPHER *evp;
c->dir = srtp_direction_any;
debug_print(srtp_mod_aes_gcm, "key: %s",
srtp_octet_string_hex_string(key, c->key_size));
switch (c->key_size) {
case SRTP_AES_256_KEY_LEN:
evp = EVP_aes_256_gcm();
break;
case SRTP_AES_128_KEY_LEN:
evp = EVP_aes_128_gcm();
break;
default:
return (srtp_err_status_bad_param);
break;
}
if (!EVP_CipherInit_ex(c->ctx, evp, NULL, key, NULL, 0)) {
return (srtp_err_status_init_fail);
}
return (srtp_err_status_ok);
}
static srtp_err_status_t srtp_hmac_compute (void *statev, const uint8_t *message,
int msg_octets, int tag_len, uint8_t *result)
{
HMAC_CTX *state = (HMAC_CTX *)statev;
uint8_t hash_value[SHA1_DIGEST_SIZE];
int i;
unsigned int len;
/* check tag length, return error if we can't provide the value expected */
if (tag_len > SHA1_DIGEST_SIZE) {
return srtp_err_status_bad_param;
}
/* hash message, copy output into H */
if (HMAC_Update(state, message, msg_octets) == 0)
return srtp_err_status_auth_fail;
if (HMAC_Final(state, hash_value, &len) == 0)
return srtp_err_status_auth_fail;
if (len < tag_len)
return srtp_err_status_auth_fail;
/* copy hash_value to *result */
for (i = 0; i < tag_len; i++) {
result[i] = hash_value[i];
}
debug_print(srtp_mod_hmac, "output: %s",
srtp_octet_string_hex_string(hash_value, tag_len));
return srtp_err_status_ok;
}
static srtp_err_status_t srtp_hmac_compute (srtp_hmac_ctx_t *state, const void *message,
int msg_octets, int tag_len, uint8_t *result)
{
uint32_t hash_value[5];
uint32_t H[5];
int i;
/* check tag length, return error if we can't provide the value expected */
if (tag_len > 20) {
return srtp_err_status_bad_param;
}
/* hash message, copy output into H */
srtp_hmac_update(state, (const uint8_t*)message, msg_octets);
srtp_sha1_final(&state->ctx, H);
/*
* note that we don't need to debug_print() the input, since the
* function hmac_update() already did that for us
*/
debug_print(srtp_mod_hmac, "intermediate state: %s",
srtp_octet_string_hex_string((uint8_t*)H, 20));
/* re-initialize hash context */
srtp_sha1_init(&state->ctx);
/* hash opad ^ key */
srtp_sha1_update(&state->ctx, (uint8_t*)state->opad, 64);
/* hash the result of the inner hash */
srtp_sha1_update(&state->ctx, (uint8_t*)H, 20);
/* the result is returned in the array hash_value[] */
srtp_sha1_final(&state->ctx, hash_value);
/* copy hash_value to *result */
for (i = 0; i < tag_len; i++) {
result[i] = ((uint8_t*)hash_value)[i];
}
debug_print(srtp_mod_hmac, "output: %s",
srtp_octet_string_hex_string((uint8_t*)hash_value, tag_len));
return srtp_err_status_ok;
}
static srtp_err_status_t srtp_hmac_update (srtp_hmac_ctx_t *state, const uint8_t *message, int msg_octets)
{
debug_print(srtp_mod_hmac, "input: %s",
srtp_octet_string_hex_string(message, msg_octets));
/* hash message into sha1 context */
srtp_sha1_update(&state->ctx, message, msg_octets);
return srtp_err_status_ok;
}
static srtp_err_status_t srtp_hmac_update (void *statev, const uint8_t *message, int msg_octets)
{
HMAC_CTX *state = (HMAC_CTX *)statev;
debug_print(srtp_mod_hmac, "input: %s",
srtp_octet_string_hex_string(message, msg_octets));
if (HMAC_Update(state, message, msg_octets) == 0)
return srtp_err_status_auth_fail;
return srtp_err_status_ok;
}
static srtp_err_status_t srtp_aes_icm_context_init (void *cv, const uint8_t *key)
{
srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv;
srtp_err_status_t status;
int base_key_len, copy_len;
if (c->key_size > 16 && c->key_size < 30) { /* Ismacryp */
base_key_len = 16;
} else if (c->key_size == 30 || c->key_size == 38 || c->key_size == 46) {
base_key_len = c->key_size - 14;
} else{
return srtp_err_status_bad_param;
}
/*
* set counter and initial values to 'offset' value, being careful not to
* go past the end of the key buffer
*/
v128_set_to_zero(&c->counter);
v128_set_to_zero(&c->offset);
copy_len = c->key_size - base_key_len;
/* force last two octets of the offset to be left zero (for srtp compatibility) */
if (copy_len > 14) {
copy_len = 14;
}
memcpy(&c->counter, key + base_key_len, copy_len);
memcpy(&c->offset, key + base_key_len, copy_len);
debug_print(srtp_mod_aes_icm,
"key: %s", srtp_octet_string_hex_string(key, base_key_len));
debug_print(srtp_mod_aes_icm,
"offset: %s", v128_hex_string(&c->offset));
/* expand key */
status = srtp_aes_expand_encryption_key(key, base_key_len, &c->expanded_key);
if (status) {
v128_set_to_zero(&c->counter);
v128_set_to_zero(&c->offset);
return status;
}
/* indicate that the keystream_buffer is empty */
c->bytes_in_buffer = 0;
return srtp_err_status_ok;
}
/*
* aes_icm_openssl_context_init(...) initializes the aes_icm_context
* using the value in key[].
*
* the key is the secret key
*
* the salt is unpredictable (but not necessarily secret) data which
* randomizes the starting point in the keystream
*/
static srtp_err_status_t srtp_aes_icm_openssl_context_init (void* cv, const uint8_t *key)
{
srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv;
const EVP_CIPHER *evp;
/*
* set counter and initial values to 'offset' value, being careful not to
* go past the end of the key buffer
*/
v128_set_to_zero(&c->counter);
v128_set_to_zero(&c->offset);
memcpy(&c->counter, key + c->key_size, SRTP_SALT_SIZE);
memcpy(&c->offset, key + c->key_size, SRTP_SALT_SIZE);
/* force last two octets of the offset to zero (for srtp compatibility) */
c->offset.v8[SRTP_SALT_SIZE] = c->offset.v8[SRTP_SALT_SIZE + 1] = 0;
c->counter.v8[SRTP_SALT_SIZE] = c->counter.v8[SRTP_SALT_SIZE + 1] = 0;
debug_print(srtp_mod_aes_icm, "key: %s", srtp_octet_string_hex_string(key, c->key_size));
debug_print(srtp_mod_aes_icm, "offset: %s", v128_hex_string(&c->offset));
switch (c->key_size) {
case SRTP_AES_256_KEYSIZE:
evp = EVP_aes_256_ctr();
break;
#ifndef SRTP_NO_AES192
case SRTP_AES_192_KEYSIZE:
evp = EVP_aes_192_ctr();
break;
#endif
case SRTP_AES_128_KEYSIZE:
evp = EVP_aes_128_ctr();
break;
default:
return srtp_err_status_bad_param;
break;
}
if (!EVP_EncryptInit_ex(c->ctx, evp,
NULL, key, NULL)) {
return srtp_err_status_fail;
} else {
return srtp_err_status_ok;
}
return srtp_err_status_ok;
}
static srtp_err_status_t srtp_hmac_init (srtp_hmac_ctx_t *state, const uint8_t *key, int key_len)
{
int i;
uint8_t ipad[64];
/*
* check key length - note that we don't support keys larger
* than 20 bytes yet
*/
if (key_len > 20) {
return srtp_err_status_bad_param;
}
/*
* set values of ipad and opad by exoring the key into the
* appropriate constant values
*/
for (i = 0; i < key_len; i++) {
ipad[i] = key[i] ^ 0x36;
state->opad[i] = key[i] ^ 0x5c;
}
/* set the rest of ipad, opad to constant values */
for (; i < 64; i++) {
ipad[i] = 0x36;
((uint8_t*)state->opad)[i] = 0x5c;
}
debug_print(srtp_mod_hmac, "ipad: %s", srtp_octet_string_hex_string(ipad, 64));
/* initialize sha1 context */
srtp_sha1_init(&state->init_ctx);
/* hash ipad ^ key */
srtp_sha1_update(&state->init_ctx, ipad, 64);
memcpy(&state->ctx, &state->init_ctx, sizeof(srtp_sha1_ctx_t));
return srtp_err_status_ok;
}
/*
* srtp_cipher_type_test(ct, test_data) tests a cipher of type ct against
* test cases provided in a list test_data of values of key, salt, iv,
* plaintext, and ciphertext that is known to be good
*/
srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srtp_cipher_test_case_t *test_data)
{
const srtp_cipher_test_case_t *test_case = test_data;
srtp_cipher_t *c;
srtp_err_status_t status;
uint8_t buffer[SELF_TEST_BUF_OCTETS];
uint8_t buffer2[SELF_TEST_BUF_OCTETS];
uint32_t tag_len;
unsigned int len;
int i, j, case_num = 0;
debug_print(srtp_mod_cipher, "running self-test for cipher %s",
ct->description);
/*
* check to make sure that we have at least one test case, and
* return an error if we don't - we need to be paranoid here
*/
if (test_case == NULL) {
return srtp_err_status_cant_check;
}
/*
* loop over all test cases, perform known-answer tests of both the
* encryption and decryption functions
*/
while (test_case != NULL) {
/* allocate cipher */
status = srtp_cipher_type_alloc(ct, &c, test_case->key_length_octets, test_case->tag_length_octets);
if (status) {
return status;
}
/*
* test the encrypt function
*/
debug_print(srtp_mod_cipher, "testing encryption", NULL);
/* initialize cipher */
status = srtp_cipher_init(c, test_case->key);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
/* copy plaintext into test buffer */
if (test_case->ciphertext_length_octets > SELF_TEST_BUF_OCTETS) {
srtp_cipher_dealloc(c);
return srtp_err_status_bad_param;
}
for (i = 0; i < test_case->plaintext_length_octets; i++) {
buffer[i] = test_case->plaintext[i];
}
debug_print(srtp_mod_cipher, "plaintext: %s",
srtp_octet_string_hex_string(buffer,
test_case->plaintext_length_octets));
/* set the initialization vector */
status = srtp_cipher_set_iv(c, (uint8_t*)test_case->idx, direction_encrypt);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
if (c->algorithm == SRTP_AES_128_GCM || c->algorithm == SRTP_AES_256_GCM) {
debug_print(srtp_mod_cipher, "IV: %s",
srtp_octet_string_hex_string(test_case->idx, 12));
/*
* Set the AAD
*/
status = srtp_cipher_set_aad(c, test_case->aad, test_case->aad_length_octets);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
debug_print(srtp_mod_cipher, "AAD: %s",
srtp_octet_string_hex_string(test_case->aad,
test_case->aad_length_octets));
}
/* encrypt */
len = test_case->plaintext_length_octets;
status = srtp_cipher_encrypt(c, buffer, &len);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
if (c->algorithm == SRTP_AES_128_GCM || c->algorithm == SRTP_AES_256_GCM) {
/*
* Get the GCM tag
*/
status = srtp_cipher_get_tag(c, buffer + len, &tag_len);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
len += tag_len;
}
debug_print(srtp_mod_cipher, "ciphertext: %s",
srtp_octet_string_hex_string(buffer,
test_case->ciphertext_length_octets));
/* compare the resulting ciphertext with that in the test case */
if (len != test_case->ciphertext_length_octets) {
return srtp_err_status_algo_fail;
}
status = srtp_err_status_ok;
for (i = 0; i < test_case->ciphertext_length_octets; i++) {
if (buffer[i] != test_case->ciphertext[i]) {
status = srtp_err_status_algo_fail;
debug_print(srtp_mod_cipher, "test case %d failed", case_num);
debug_print(srtp_mod_cipher, "(failure at byte %d)", i);
break;
}
}
if (status) {
debug_print(srtp_mod_cipher, "c computed: %s",
srtp_octet_string_hex_string(buffer,
2 * test_case->plaintext_length_octets));
debug_print(srtp_mod_cipher, "c expected: %s",
srtp_octet_string_hex_string(test_case->ciphertext,
2 * test_case->plaintext_length_octets));
srtp_cipher_dealloc(c);
return srtp_err_status_algo_fail;
}
/*
* test the decrypt function
*/
debug_print(srtp_mod_cipher, "testing decryption", NULL);
/* re-initialize cipher for decryption */
status = srtp_cipher_init(c, test_case->key);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
/* copy ciphertext into test buffer */
if (test_case->ciphertext_length_octets > SELF_TEST_BUF_OCTETS) {
srtp_cipher_dealloc(c);
return srtp_err_status_bad_param;
}
for (i = 0; i < test_case->ciphertext_length_octets; i++) {
buffer[i] = test_case->ciphertext[i];
}
debug_print(srtp_mod_cipher, "ciphertext: %s",
srtp_octet_string_hex_string(buffer,
test_case->plaintext_length_octets));
/* set the initialization vector */
status = srtp_cipher_set_iv(c, (uint8_t*)test_case->idx, direction_decrypt);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
if (c->algorithm == SRTP_AES_128_GCM || c->algorithm == SRTP_AES_256_GCM) {
/*
* Set the AAD
*/
status = srtp_cipher_set_aad(c, test_case->aad, test_case->aad_length_octets);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
debug_print(srtp_mod_cipher, "AAD: %s",
srtp_octet_string_hex_string(test_case->aad,
test_case->aad_length_octets));
}
/* decrypt */
len = test_case->ciphertext_length_octets;
status = srtp_cipher_decrypt(c, buffer, &len);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
debug_print(srtp_mod_cipher, "plaintext: %s",
srtp_octet_string_hex_string(buffer,
test_case->plaintext_length_octets));
/* compare the resulting plaintext with that in the test case */
if (len != test_case->plaintext_length_octets) {
return srtp_err_status_algo_fail;
}
status = srtp_err_status_ok;
for (i = 0; i < test_case->plaintext_length_octets; i++) {
if (buffer[i] != test_case->plaintext[i]) {
status = srtp_err_status_algo_fail;
debug_print(srtp_mod_cipher, "test case %d failed", case_num);
debug_print(srtp_mod_cipher, "(failure at byte %d)", i);
}
}
if (status) {
debug_print(srtp_mod_cipher, "p computed: %s",
srtp_octet_string_hex_string(buffer,
2 * test_case->plaintext_length_octets));
debug_print(srtp_mod_cipher, "p expected: %s",
srtp_octet_string_hex_string(test_case->plaintext,
2 * test_case->plaintext_length_octets));
srtp_cipher_dealloc(c);
return srtp_err_status_algo_fail;
}
/* deallocate the cipher */
status = srtp_cipher_dealloc(c);
if (status) {
return status;
}
/*
* the cipher passed the test case, so move on to the next test
* case in the list; if NULL, we'l proceed to the next test
*/
test_case = test_case->next_test_case;
++case_num;
}
/* now run some random invertibility tests */
/* allocate cipher, using paramaters from the first test case */
test_case = test_data;
status = srtp_cipher_type_alloc(ct, &c, test_case->key_length_octets, test_case->tag_length_octets);
if (status) {
return status;
}
for (j = 0; j < NUM_RAND_TESTS; j++) {
unsigned length;
int plaintext_len;
uint8_t key[MAX_KEY_LEN];
uint8_t iv[MAX_KEY_LEN];
/* choose a length at random (leaving room for IV and padding) */
length = rand() % (SELF_TEST_BUF_OCTETS - 64);
debug_print(srtp_mod_cipher, "random plaintext length %d\n", length);
status = srtp_cipher_rand(buffer, length);
if (status) {
return status;
}
debug_print(srtp_mod_cipher, "plaintext: %s",
srtp_octet_string_hex_string(buffer, length));
/* copy plaintext into second buffer */
for (i = 0; (unsigned int)i < length; i++) {
buffer2[i] = buffer[i];
}
/* choose a key at random */
if (test_case->key_length_octets > MAX_KEY_LEN) {
return srtp_err_status_cant_check;
}
status = srtp_cipher_rand(key, test_case->key_length_octets);
if (status) {
return status;
}
/* chose a random initialization vector */
status = srtp_cipher_rand(iv, MAX_KEY_LEN);
if (status) {
return status;
}
/* initialize cipher */
status = srtp_cipher_init(c, key);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
/* set initialization vector */
status = srtp_cipher_set_iv(c, (uint8_t*)test_case->idx, direction_encrypt);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
if (c->algorithm == SRTP_AES_128_GCM || c->algorithm == SRTP_AES_256_GCM) {
/*
* Set the AAD
*/
status = srtp_cipher_set_aad(c, test_case->aad, test_case->aad_length_octets);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
debug_print(srtp_mod_cipher, "AAD: %s",
srtp_octet_string_hex_string(test_case->aad,
test_case->aad_length_octets));
}
/* encrypt buffer with cipher */
plaintext_len = length;
status = srtp_cipher_encrypt(c, buffer, &length);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
if (c->algorithm == SRTP_AES_128_GCM || c->algorithm == SRTP_AES_256_GCM) {
/*
* Get the GCM tag
*/
status = srtp_cipher_get_tag(c, buffer + length, &tag_len);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
length += tag_len;
}
debug_print(srtp_mod_cipher, "ciphertext: %s",
srtp_octet_string_hex_string(buffer, length));
/*
* re-initialize cipher for decryption, re-set the iv, then
* decrypt the ciphertext
*/
status = srtp_cipher_init(c, key);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
status = srtp_cipher_set_iv(c, (uint8_t*)test_case->idx, direction_decrypt);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
if (c->algorithm == SRTP_AES_128_GCM || c->algorithm == SRTP_AES_256_GCM) {
/*
* Set the AAD
*/
status = srtp_cipher_set_aad(c, test_case->aad, test_case->aad_length_octets);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
debug_print(srtp_mod_cipher, "AAD: %s",
srtp_octet_string_hex_string(test_case->aad,
test_case->aad_length_octets));
}
status = srtp_cipher_decrypt(c, buffer, &length);
if (status) {
srtp_cipher_dealloc(c);
return status;
}
debug_print(srtp_mod_cipher, "plaintext[2]: %s",
srtp_octet_string_hex_string(buffer, length));
/* compare the resulting plaintext with the original one */
if (length != plaintext_len) {
return srtp_err_status_algo_fail;
}
status = srtp_err_status_ok;
for (i = 0; i < plaintext_len; i++) {
if (buffer[i] != buffer2[i]) {
status = srtp_err_status_algo_fail;
debug_print(srtp_mod_cipher, "random test case %d failed", case_num);
debug_print(srtp_mod_cipher, "(failure at byte %d)", i);
}
}
if (status) {
srtp_cipher_dealloc(c);
return srtp_err_status_algo_fail;
}
}
status = srtp_cipher_dealloc(c);
if (status) {
return status;
}
return srtp_err_status_ok;
}
