hcrypt_ctx_tx.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422
  1. /*
  2. * SRT - Secure, Reliable, Transport
  3. * Copyright (c) 2018 Haivision Systems Inc.
  4. *
  5. * This Source Code Form is subject to the terms of the Mozilla Public
  6. * License, v. 2.0. If a copy of the MPL was not distributed with this
  7. * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  8. *
  9. */
  10. /*****************************************************************************
  11. written by
  12. Haivision Systems Inc.
  13. 2011-06-23 (jdube)
  14. HaiCrypt initial implementation.
  15. 2014-03-11 (jdube)
  16. Adaptation for SRT.
  17. *****************************************************************************/
  18. #include <string.h> /* memcpy */
  19. #ifdef _WIN32
  20. #include <winsock2.h>
  21. #include <ws2tcpip.h>
  22. #include <win/wintime.h>
  23. #else
  24. #include <sys/time.h>
  25. #endif
  26. #include "hcrypt.h"
  27. int hcryptCtx_Tx_Init(hcrypt_Session *crypto, hcrypt_Ctx *ctx, const HaiCrypt_Cfg *cfg)
  28. {
  29. ctx->cfg.key_len = cfg->key_len;
  30. ctx->mode = (cfg->flags & HAICRYPT_CFG_F_GCM) ? HCRYPT_CTX_MODE_AESGCM : HCRYPT_CTX_MODE_AESCTR;
  31. ctx->status = HCRYPT_CTX_S_INIT;
  32. ctx->msg_info = crypto->msg_info;
  33. if (hcryptCtx_SetSecret(crypto, ctx, &cfg->secret)) {
  34. return(-1);
  35. }
  36. return(0);
  37. }
  38. int hcryptCtx_Tx_Rekey(hcrypt_Session *crypto, hcrypt_Ctx *ctx)
  39. {
  40. int iret;
  41. ASSERT(HCRYPT_CTX_S_SARDY <= ctx->status);
  42. /* Generate Salt */
  43. ctx->salt_len = HAICRYPT_SALT_SZ;
  44. if (0 > (iret = crypto->cryspr->prng(ctx->salt, (int)ctx->salt_len))) {
  45. HCRYPT_LOG(LOG_ERR, "PRNG(salt[%zd]) failed\n", ctx->salt_len);
  46. return(iret);
  47. }
  48. /* Generate SEK */
  49. ctx->sek_len = ctx->cfg.key_len;
  50. if (0 > (iret = crypto->cryspr->prng(ctx->sek, (int)ctx->sek_len))) {
  51. HCRYPT_LOG(LOG_ERR, "PRNG(sek[%zd] failed\n", ctx->sek_len);
  52. return(iret);
  53. }
  54. /* Set SEK in cryspr */
  55. if (crypto->cryspr->ms_setkey(crypto->cryspr_cb, ctx, ctx->sek, ctx->sek_len)) {
  56. HCRYPT_LOG(LOG_ERR, "cryspr setkey(sek[%zd]) failed\n", ctx->sek_len);
  57. return(-1);
  58. }
  59. HCRYPT_LOG(LOG_NOTICE, "rekeyed crypto context[%d]\n", (ctx->flags & HCRYPT_CTX_F_xSEK)/2);
  60. HCRYPT_PRINTKEY(ctx->sek, ctx->sek_len, "sek");
  61. /* Regenerate KEK if Password-based (uses newly generated salt and sek_len) */
  62. if (0 < ctx->cfg.pwd_len) {
  63. iret = hcryptCtx_GenSecret(crypto, ctx);
  64. if (iret < 0)
  65. return(iret);
  66. }
  67. /* Assemble the new Keying Material message */
  68. if (0 != (iret = hcryptCtx_Tx_AsmKM(crypto, ctx, NULL))) {
  69. return(iret);
  70. }
  71. if ((HCRYPT_CTX_S_KEYED <= ctx->alt->status)
  72. && hcryptMsg_KM_HasBothSek(ctx->alt->KMmsg_cache)) {
  73. /*
  74. * previous context KM announced in alternate (odd/even) KM,
  75. * reassemble it without our KM
  76. */
  77. hcryptCtx_Tx_AsmKM(crypto, ctx->alt, NULL);
  78. }
  79. /* Initialize the Media Stream message prefix cache */
  80. ctx->msg_info->resetCache(ctx->MSpfx_cache, HCRYPT_MSG_PT_MS, ctx->flags & HCRYPT_CTX_F_xSEK);
  81. ctx->pkt_cnt = 1;
  82. ctx->status = HCRYPT_CTX_S_KEYED;
  83. return(0);
  84. }
  85. int hcryptCtx_Tx_CloneKey(hcrypt_Session *crypto, hcrypt_Ctx *ctx, const hcrypt_Session* cryptoSrc)
  86. {
  87. int iret;
  88. ASSERT(HCRYPT_CTX_S_SARDY <= ctx->status);
  89. const hcrypt_Ctx* ctxSrc = cryptoSrc->ctx;
  90. if (!ctxSrc)
  91. {
  92. /* Probbly the context is not yet completely initialized, so
  93. * use blindly the first context from the pair
  94. */
  95. ctxSrc = &cryptoSrc->ctx_pair[0];
  96. }
  97. /* Copy SALT (instead of generating) */
  98. ctx->salt_len = ctxSrc->salt_len;
  99. memcpy(ctx->salt, ctxSrc->salt, ctx->salt_len);
  100. /* Copy SEK */
  101. ctx->sek_len = ctxSrc->sek_len;
  102. memcpy(ctx->sek, ctxSrc->sek, ctx->sek_len);
  103. /* Set SEK in cryspr */
  104. if (crypto->cryspr->ms_setkey(crypto->cryspr_cb, ctx, ctx->sek, ctx->sek_len)) {
  105. HCRYPT_LOG(LOG_ERR, "cryspr setkey(sek[%zd]) failed\n", ctx->sek_len);
  106. return(-1);
  107. }
  108. HCRYPT_LOG(LOG_NOTICE, "clone-keyed crypto context[%d]\n", (ctx->flags & HCRYPT_CTX_F_xSEK)/2);
  109. HCRYPT_PRINTKEY(ctx->sek, ctx->sek_len, "sek");
  110. /* Regenerate KEK if Password-based (uses newly generated salt and sek_len) */
  111. /* (note for CloneKey imp: it's expected that the same passphrase-salt pair
  112. shall generate the same KEK. GenSecret also prints the KEK */
  113. if (0 < ctx->cfg.pwd_len) {
  114. iret = hcryptCtx_GenSecret(crypto, ctx);
  115. if (iret < 0)
  116. return(iret);
  117. }
  118. /* Assemble the new Keying Material message */
  119. if (0 != (iret = hcryptCtx_Tx_AsmKM(crypto, ctx, NULL))) {
  120. return(iret);
  121. }
  122. if ((HCRYPT_CTX_S_KEYED <= ctx->alt->status)
  123. && hcryptMsg_KM_HasBothSek(ctx->alt->KMmsg_cache)) {
  124. /*
  125. * previous context KM announced in alternate (odd/even) KM,
  126. * reassemble it without our KM
  127. */
  128. hcryptCtx_Tx_AsmKM(crypto, ctx->alt, NULL);
  129. }
  130. /* Initialize the Media Stream message prefix cache */
  131. ctx->msg_info->resetCache(ctx->MSpfx_cache, HCRYPT_MSG_PT_MS, ctx->flags & HCRYPT_CTX_F_xSEK);
  132. ctx->pkt_cnt = 1;
  133. ctx->status = HCRYPT_CTX_S_KEYED;
  134. return(0);
  135. }
  136. /*
  137. * Refresh the alternate context from the current.
  138. * Regenerates the SEK but keep the salt, doing so also
  139. * preserve the KEK generated from secret password and salt.
  140. */
  141. int hcryptCtx_Tx_Refresh(hcrypt_Session *crypto)
  142. {
  143. hcrypt_Ctx *ctx = crypto->ctx;
  144. hcrypt_Ctx *new_ctx;
  145. int iret;
  146. ASSERT(NULL != ctx);
  147. ASSERT(HCRYPT_CTX_S_ACTIVE == ctx->status);
  148. /* Pick the alternative (inactive) context */
  149. new_ctx = ctx->alt;
  150. ASSERT(HCRYPT_CTX_S_SARDY <= new_ctx->status);
  151. /* Keep same KEK, configuration, and salt */
  152. // memcpy(&new_ctx->aes_kek, &ctx->aes_kek, sizeof(new_ctx->aes_kek));
  153. memcpy(&new_ctx->cfg, &ctx->cfg, sizeof(new_ctx->cfg));
  154. new_ctx->salt_len = ctx->salt_len;
  155. memcpy(new_ctx->salt, ctx->salt, HAICRYPT_SALT_SZ);
  156. /* Generate new SEK */
  157. new_ctx->sek_len = new_ctx->cfg.key_len;
  158. HCRYPT_LOG(LOG_DEBUG, "refresh/generate SEK. salt_len=%d sek_len=%d\n", (int)new_ctx->salt_len, (int)new_ctx->sek_len);
  159. if (0 > crypto->cryspr->prng(new_ctx->sek, (int)new_ctx->sek_len)) {
  160. HCRYPT_LOG(LOG_ERR, "PRNG(sek[%zd] failed\n", new_ctx->sek_len);
  161. return(-1);
  162. }
  163. /* Cryspr's dependent key */
  164. if (crypto->cryspr->ms_setkey(crypto->cryspr_cb, new_ctx, new_ctx->sek, new_ctx->sek_len)) {
  165. HCRYPT_LOG(LOG_ERR, "refresh cryspr setkey(sek[%d]) failed\n", new_ctx->sek_len);
  166. return(-1);
  167. }
  168. HCRYPT_PRINTKEY(new_ctx->sek, new_ctx->sek_len, "sek");
  169. /* Assemble the new KMmsg with new and current SEK */
  170. if (0 != (iret = hcryptCtx_Tx_AsmKM(crypto, new_ctx, ctx->sek))) {
  171. return(iret);
  172. }
  173. /* Initialize the message prefix cache */
  174. new_ctx->msg_info->resetCache(new_ctx->MSpfx_cache, HCRYPT_MSG_PT_MS, new_ctx->flags & HCRYPT_MSG_F_xSEK);
  175. new_ctx->pkt_cnt = 0;
  176. new_ctx->status = HCRYPT_CTX_S_KEYED;
  177. return(0);
  178. }
  179. /*
  180. * Prepare context switch
  181. * both odd & even keys announced
  182. */
  183. int hcryptCtx_Tx_PreSwitch(hcrypt_Session *crypto)
  184. {
  185. hcrypt_Ctx *ctx = crypto->ctx;
  186. ASSERT(NULL != ctx);
  187. ASSERT(HCRYPT_CTX_S_ACTIVE == ctx->status);
  188. ASSERT(HCRYPT_CTX_S_KEYED == ctx->alt->status);
  189. ctx->alt->flags |= HCRYPT_CTX_F_ANNOUNCE;
  190. ctx->alt->flags |= HCRYPT_CTX_F_TTSEND; //Send now
  191. /* Stop announcing current context if next one contains its key */
  192. if (hcryptMsg_KM_HasBothSek(ctx->alt->KMmsg_cache)) {
  193. ctx->flags &= ~HCRYPT_CTX_F_ANNOUNCE;
  194. }
  195. return(0);
  196. }
  197. int hcryptCtx_Tx_Switch(hcrypt_Session *crypto)
  198. {
  199. hcrypt_Ctx *ctx = crypto->ctx;
  200. ASSERT(HCRYPT_CTX_S_KEYED <= ctx->alt->status);
  201. ctx->status = HCRYPT_CTX_S_DEPRECATED;
  202. ctx->alt->status = HCRYPT_CTX_S_ACTIVE;
  203. ctx->alt->flags |= HCRYPT_CTX_F_ANNOUNCE; // Already cleared if new KM has both SEK
  204. crypto->ctx = ctx->alt;
  205. return(0);
  206. }
  207. int hcryptCtx_Tx_PostSwitch(hcrypt_Session *crypto)
  208. {
  209. hcrypt_Ctx *ctx = crypto->ctx;
  210. hcrypt_Ctx *old_ctx = ctx->alt;
  211. /* Stop announcing old context (if announced) */
  212. old_ctx->flags &= ~HCRYPT_CTX_F_ANNOUNCE;
  213. old_ctx->status = HCRYPT_CTX_S_SARDY;
  214. /* If current context KM announce both, reassemble it */
  215. if (hcryptMsg_KM_HasBothSek(ctx->KMmsg_cache)) {
  216. hcryptCtx_Tx_AsmKM(crypto, ctx, NULL);
  217. }
  218. return(0);
  219. }
  220. /* Assemble Keying Material message */
  221. int hcryptCtx_Tx_AsmKM(hcrypt_Session *crypto, hcrypt_Ctx *ctx, unsigned char *alt_sek)
  222. {
  223. unsigned char *km_msg;
  224. size_t msg_len;
  225. int sek_cnt = (NULL == alt_sek ? 1 : 2);
  226. unsigned char sek_buf[HAICRYPT_KEY_MAX_SZ * 2];
  227. unsigned char *seks;
  228. if (NULL == ctx) {
  229. HCRYPT_LOG(LOG_ERR, "%s", "crypto context undefined\n");
  230. return(-1);
  231. }
  232. msg_len = HCRYPT_MSG_KM_OFS_SALT
  233. + ctx->salt_len
  234. + (ctx->sek_len * sek_cnt)
  235. + HAICRYPT_WRAPKEY_SIGN_SZ;
  236. km_msg = &ctx->KMmsg_cache[0];
  237. ctx->KMmsg_len = 0;
  238. memset(km_msg, 0, msg_len);
  239. ctx->msg_info->resetCache(km_msg, HCRYPT_MSG_PT_KM,
  240. 2 == sek_cnt ? HCRYPT_MSG_F_xSEK : (ctx->flags & HCRYPT_MSG_F_xSEK));
  241. /* crypto->KMmsg_cache[4..7]: KEKI=0 */
  242. km_msg[HCRYPT_MSG_KM_OFS_CIPHER] = (ctx->mode == HCRYPT_CTX_MODE_AESGCM) ? HCRYPT_CIPHER_AES_GCM : HCRYPT_CIPHER_AES_CTR;
  243. km_msg[HCRYPT_MSG_KM_OFS_AUTH] = (ctx->mode == HCRYPT_CTX_MODE_AESGCM) ? HCRYPT_AUTH_AES_GCM : HCRYPT_AUTH_NONE;
  244. km_msg[HCRYPT_MSG_KM_OFS_SE] = (char) crypto->se;
  245. hcryptMsg_KM_SetSaltLen(km_msg, ctx->salt_len);
  246. hcryptMsg_KM_SetSekLen(km_msg, ctx->sek_len);
  247. memcpy(&km_msg[HCRYPT_MSG_KM_OFS_SALT], ctx->salt, ctx->salt_len);
  248. if (2 == sek_cnt) {
  249. /* Even SEK first in dual SEK KMmsg */
  250. if (HCRYPT_MSG_F_eSEK & ctx->flags) {
  251. memcpy(&sek_buf[0], ctx->sek, ctx->sek_len);
  252. memcpy(&sek_buf[ctx->sek_len], alt_sek, ctx->sek_len);
  253. } else {
  254. memcpy(&sek_buf[0], alt_sek, ctx->sek_len);
  255. memcpy(&sek_buf[ctx->sek_len], ctx->sek, ctx->sek_len);
  256. }
  257. seks = sek_buf;
  258. } else {
  259. seks = ctx->sek;
  260. }
  261. if (0 > crypto->cryspr->km_wrap(crypto->cryspr_cb,
  262. &km_msg[HCRYPT_MSG_KM_OFS_SALT + ctx->salt_len],
  263. seks, (unsigned int)(sek_cnt * ctx->sek_len))) {
  264. HCRYPT_LOG(LOG_ERR, "%s", "wrap key failed\n");
  265. return(-1);
  266. }
  267. ctx->KMmsg_len = msg_len;
  268. return(0);
  269. }
  270. int hcryptCtx_Tx_ManageKM(hcrypt_Session *crypto)
  271. {
  272. hcrypt_Ctx *ctx = crypto->ctx;
  273. ASSERT(NULL != ctx);
  274. HCRYPT_LOG(LOG_DEBUG, "KM[%d] KEY STATUS: pkt_cnt=%u against ref.rate=%u and pre.announce=%u\n",
  275. (ctx->alt->flags & HCRYPT_CTX_F_xSEK)/2,
  276. ctx->pkt_cnt, crypto->km.refresh_rate, crypto->km.pre_announce);
  277. if ((ctx->pkt_cnt > crypto->km.refresh_rate)
  278. || (ctx->pkt_cnt == 0)) { //rolled over
  279. /*
  280. * End of crypto period for current SEK,
  281. * switch to other (even/odd) SEK
  282. */
  283. HCRYPT_LOG(LOG_INFO, "KM[%d] Activated\n",
  284. (ctx->alt->flags & HCRYPT_CTX_F_xSEK)/2);
  285. hcryptCtx_Tx_Switch(crypto);
  286. } else
  287. if ((ctx->pkt_cnt > (crypto->km.refresh_rate - crypto->km.pre_announce))
  288. && !(ctx->alt->flags & HCRYPT_CTX_F_ANNOUNCE)) {
  289. /*
  290. * End of crypto period approach for this SEK,
  291. * prepare next SEK for announcement
  292. */
  293. hcryptCtx_Tx_Refresh(crypto);
  294. HCRYPT_LOG(LOG_INFO, "KM[%d] Pre-announced\n",
  295. (ctx->alt->flags & HCRYPT_CTX_F_xSEK)/2);
  296. hcryptCtx_Tx_PreSwitch(crypto);
  297. } else
  298. if ((ctx->alt->status == HCRYPT_CTX_S_DEPRECATED)
  299. && (ctx->pkt_cnt > crypto->km.pre_announce)) {
  300. /*
  301. * Deprecated SEK is no longer needed (for late packets),
  302. * decommission it
  303. */
  304. HCRYPT_LOG(LOG_INFO, "KM[%d] Deprecated\n",
  305. (ctx->alt->flags & HCRYPT_CTX_F_xSEK)/2);
  306. hcryptCtx_Tx_PostSwitch(crypto);
  307. }
  308. /* Check if it is time to send Keying Material */
  309. if (timerisset(&crypto->km.tx_period)) { /* tx_period=0.0 -> out-of-stream Keying Material distribution */
  310. struct timeval now, nxt_tx;
  311. gettimeofday(&now, NULL);
  312. timeradd(&crypto->km.tx_last, &crypto->km.tx_period, &nxt_tx);
  313. if (timercmp(&now, &nxt_tx, >)) {
  314. if (crypto->ctx_pair[0].flags & HCRYPT_CTX_F_ANNOUNCE) crypto->ctx_pair[0].flags |= HCRYPT_CTX_F_TTSEND;
  315. if (crypto->ctx_pair[1].flags & HCRYPT_CTX_F_ANNOUNCE) crypto->ctx_pair[1].flags |= HCRYPT_CTX_F_TTSEND;
  316. }
  317. }
  318. return(0);
  319. }
  320. int hcryptCtx_Tx_InjectKM(hcrypt_Session *crypto,
  321. void *out_p[], size_t out_len_p[], int maxout ATR_UNUSED)
  322. {
  323. int i, nbout = 0;
  324. ASSERT(maxout >= 2);
  325. for (i=0; i<2; i++) {
  326. if (crypto->ctx_pair[i].flags & HCRYPT_CTX_F_TTSEND) { /* Time To Send */
  327. HCRYPT_LOG(LOG_DEBUG, "Send KMmsg[%d] len=%zd\n", i,
  328. crypto->ctx_pair[i].KMmsg_len);
  329. /* Send Keying Material */
  330. out_p[nbout] = crypto->ctx_pair[i].KMmsg_cache;
  331. out_len_p[nbout] = crypto->ctx_pair[i].KMmsg_len;
  332. nbout++;
  333. crypto->ctx_pair[i].flags &= ~HCRYPT_CTX_F_TTSEND;
  334. }
  335. }
  336. if (nbout) {
  337. struct timeval now;
  338. gettimeofday(&now, NULL);
  339. crypto->km.tx_last = now;
  340. }
  341. return(nbout);
  342. }