Re #1943: AES-GCM crypto support for SRTP
Special thanks to Alexander Traud for the patch. git-svn-id: https://svn.pjsip.org/repos/pjproject/trunk@5412 74dad513-b988-da41-8d7b-12977e46ad98
This commit is contained in:
parent
2180c8aed1
commit
a9f5f14b4f
14
aconfigure
14
aconfigure
|
@ -640,6 +640,7 @@ ac_no_opencore_amrnb
|
|||
libcrypto_present
|
||||
libssl_present
|
||||
openssl_h_present
|
||||
ac_ssl_has_aes_gcm
|
||||
ac_no_ssl
|
||||
ac_webrtc_ldflags
|
||||
ac_webrtc_cflags
|
||||
|
@ -7837,6 +7838,8 @@ if test "x$ac_cross_compile" != "x" -a "x$with_ssl" = "xno"; then
|
|||
fi
|
||||
|
||||
|
||||
ac_ssl_has_aes_gcm=0
|
||||
|
||||
# Check whether --enable-ssl was given.
|
||||
if test "${enable_ssl+set}" = set; then :
|
||||
enableval=$enable_ssl;
|
||||
|
@ -7948,6 +7951,17 @@ fi
|
|||
if test "x$openssl_h_present" = "x1" -a "x$libssl_present" = "x1" -a "x$libcrypto_present" = "x1"; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL library found, SSL support enabled" >&5
|
||||
$as_echo "OpenSSL library found, SSL support enabled" >&6; }
|
||||
|
||||
# Check if SRTP should be compiled with OpenSSL
|
||||
# support, to enable cryptos such as AES GCM AC_CHECK_LIB(crypto,EVP_aes_128_gcm,[ac_ssl_has_aes_gcm=1])
|
||||
if test "x$ac_ssl_has_aes_gcm" = "x1"; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL has AES GCM support, SRTP will use OpenSSl version" >&5
|
||||
$as_echo "OpenSSL has AES GCM support, SRTP will use OpenSSl version" >&6; }
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos" >&5
|
||||
$as_echo "OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos" >&6; }
|
||||
fi
|
||||
|
||||
# PJSIP_HAS_TLS_TRANSPORT setting follows PJ_HAS_SSL_SOCK
|
||||
#AC_DEFINE(PJSIP_HAS_TLS_TRANSPORT, 1)
|
||||
$as_echo "#define PJ_HAS_SSL_SOCK 1" >>confdefs.h
|
||||
|
|
|
@ -1575,6 +1575,7 @@ fi
|
|||
|
||||
dnl # Include SSL support
|
||||
AC_SUBST(ac_no_ssl)
|
||||
AC_SUBST(ac_ssl_has_aes_gcm,0)
|
||||
AC_ARG_ENABLE(ssl,
|
||||
AS_HELP_STRING([--disable-ssl],
|
||||
[Exclude SSL support the build (default: autodetect)])
|
||||
|
@ -1600,6 +1601,15 @@ AC_ARG_ENABLE(ssl,
|
|||
AC_CHECK_LIB(ssl,SSL_library_init,[libssl_present=1 && LIBS="-lssl $LIBS"])
|
||||
if test "x$openssl_h_present" = "x1" -a "x$libssl_present" = "x1" -a "x$libcrypto_present" = "x1"; then
|
||||
AC_MSG_RESULT([OpenSSL library found, SSL support enabled])
|
||||
|
||||
# Check if SRTP should be compiled with OpenSSL
|
||||
# support, to enable cryptos such as AES GCM AC_CHECK_LIB(crypto,EVP_aes_128_gcm,[ac_ssl_has_aes_gcm=1])
|
||||
if test "x$ac_ssl_has_aes_gcm" = "x1"; then
|
||||
AC_MSG_RESULT([OpenSSL has AES GCM support, SRTP will use OpenSSl version])
|
||||
else
|
||||
AC_MSG_RESULT([OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos])
|
||||
fi
|
||||
|
||||
# PJSIP_HAS_TLS_TRANSPORT setting follows PJ_HAS_SSL_SOCK
|
||||
#AC_DEFINE(PJSIP_HAS_TLS_TRANSPORT, 1)
|
||||
AC_DEFINE(PJ_HAS_SSL_SOCK, 1)
|
||||
|
|
|
@ -952,6 +952,61 @@
|
|||
#endif
|
||||
|
||||
|
||||
/**
|
||||
* Maximum number of SRTP cryptos.
|
||||
*
|
||||
* Default: 16
|
||||
*/
|
||||
#ifndef PJMEDIA_SRTP_MAX_CRYPTOS
|
||||
# define PJMEDIA_SRTP_MAX_CRYPTOS 16
|
||||
#endif
|
||||
|
||||
|
||||
/**
|
||||
* Enable AES_CM_256 cryptos in SRTP.
|
||||
* Default: enabled.
|
||||
*/
|
||||
#ifndef PJMEDIA_SRTP_HAS_AES_CM_256
|
||||
# define PJMEDIA_SRTP_HAS_AES_CM_256 1
|
||||
#endif
|
||||
|
||||
|
||||
/**
|
||||
* Enable AES_CM_192 cryptos in SRTP
|
||||
* Default: disabled.
|
||||
*/
|
||||
#ifndef PJMEDIA_SRTP_HAS_AES_CM_192
|
||||
# define PJMEDIA_SRTP_HAS_AES_CM_192 0
|
||||
#endif
|
||||
|
||||
|
||||
/**
|
||||
* Enable AES_CM_128 cryptos in SRTP.
|
||||
* Default: enabled.
|
||||
*/
|
||||
#ifndef PJMEDIA_SRTP_HAS_AES_CM_128
|
||||
# define PJMEDIA_SRTP_HAS_AES_CM_128 1
|
||||
#endif
|
||||
|
||||
|
||||
/**
|
||||
* Enable AES_GCM_256 cryptos in SRTP.
|
||||
* Default: disabled.
|
||||
*/
|
||||
#ifndef PJMEDIA_SRTP_HAS_AES_GCM_256
|
||||
# define PJMEDIA_SRTP_HAS_AES_GCM_256 0
|
||||
#endif
|
||||
|
||||
|
||||
/**
|
||||
* Enable AES_GCM_128 cryptos in SRTP.
|
||||
* Default: disabled.
|
||||
*/
|
||||
#ifndef PJMEDIA_SRTP_HAS_AES_GCM_128
|
||||
# define PJMEDIA_SRTP_HAS_AES_GCM_128 0
|
||||
#endif
|
||||
|
||||
|
||||
/**
|
||||
* Let the library handle libsrtp initialization and deinitialization.
|
||||
* Application may want to disable this and manually perform libsrtp
|
||||
|
|
|
@ -155,7 +155,7 @@ typedef struct pjmedia_srtp_setting
|
|||
/**
|
||||
* Specify individual crypto suite setting.
|
||||
*/
|
||||
pjmedia_srtp_crypto crypto[8];
|
||||
pjmedia_srtp_crypto crypto[PJMEDIA_SRTP_MAX_CRYPTOS];
|
||||
|
||||
} pjmedia_srtp_setting;
|
||||
|
||||
|
|
|
@ -84,35 +84,56 @@ typedef struct crypto_suite
|
|||
sec_serv_t service;
|
||||
} crypto_suite;
|
||||
|
||||
/* Crypto suites as defined on RFC 4568 */
|
||||
/* https://www.iana.org/assignments/sdp-security-descriptions/sdp-security-descriptions.xhtml */
|
||||
static crypto_suite crypto_suites[] = {
|
||||
/* plain RTP/RTCP (no cipher & no auth) */
|
||||
{"NULL", NULL_CIPHER, 0, NULL_AUTH, 0, 0, 0, sec_serv_none},
|
||||
|
||||
#if defined(PJMEDIA_SRTP_HAS_AES_GCM_256) && \
|
||||
(PJMEDIA_SRTP_HAS_AES_GCM_256 != 0)
|
||||
/* cipher AES_GCM, NULL auth, auth tag len = 16 octets */
|
||||
{"AEAD_AES_256_GCM", AES_256_GCM, AES_256_GCM_KEYSIZE_WSALT,
|
||||
NULL_AUTH, 0, 16, 16, sec_serv_conf_and_auth},
|
||||
/* cipher AES_GCM, NULL auth, auth tag len = 8 octets */
|
||||
{"AEAD_AES_256_GCM_8", AES_256_GCM, AES_256_GCM_KEYSIZE_WSALT,
|
||||
NULL_AUTH, 0, 8, 8, sec_serv_conf_and_auth},
|
||||
#endif
|
||||
#if defined(PJMEDIA_SRTP_HAS_AES_CM_256) && \
|
||||
(PJMEDIA_SRTP_HAS_AES_CM_256 != 0)
|
||||
/* cipher AES_CM_256, auth HMAC_SHA1, auth tag len = 10 octets */
|
||||
{"AES_256_CM_HMAC_SHA1_80", AES_ICM, 46, HMAC_SHA1, 20, 10, 10,
|
||||
sec_serv_conf_and_auth},
|
||||
|
||||
/* cipher AES_CM_256, auth HMAC_SHA1, auth tag len = 10 octets */
|
||||
{"AES_256_CM_HMAC_SHA1_32", AES_ICM, 46, HMAC_SHA1, 20, 4, 10,
|
||||
sec_serv_conf_and_auth},
|
||||
|
||||
/* cipher AES_192_CM, auth HMAC_SHA1, auth tag len = 10 octets */
|
||||
//{"AES_192_CM_HMAC_SHA1_80", AES_ICM, 38, HMAC_SHA1, 20, 10, 10,
|
||||
//sec_serv_conf_and_auth},
|
||||
|
||||
/* cipher AES_192_CM, auth HMAC_SHA1, auth tag len = 4 octets */
|
||||
//{"AES_192_CM_HMAC_SHA1_32", AES_ICM, 38, HMAC_SHA1, 20, 4, 10,
|
||||
//sec_serv_conf_and_auth},
|
||||
|
||||
/* cipher AES_CM, auth HMAC_SHA1, auth tag len = 10 octets */
|
||||
{"AES_CM_128_HMAC_SHA1_80", AES_128_ICM, 30, HMAC_SHA1, 20, 10, 10,
|
||||
sec_serv_conf_and_auth},
|
||||
|
||||
/* cipher AES_CM, auth HMAC_SHA1, auth tag len = 4 octets */
|
||||
{"AES_CM_128_HMAC_SHA1_32", AES_128_ICM, 30, HMAC_SHA1, 20, 4, 10,
|
||||
#endif
|
||||
#if defined(PJMEDIA_SRTP_HAS_AES_CM_192) && \
|
||||
(PJMEDIA_SRTP_HAS_AES_CM_192 != 0)
|
||||
/* cipher AES_CM_192, auth HMAC_SHA1, auth tag len = 10 octets */
|
||||
{"AES_192_CM_HMAC_SHA1_80", AES_ICM, 38, HMAC_SHA1, 20, 10, 10,
|
||||
sec_serv_conf_and_auth},
|
||||
/* cipher AES_CM_192, auth HMAC_SHA1, auth tag len = 4 octets */
|
||||
{"AES_192_CM_HMAC_SHA1_32", AES_ICM, 38, HMAC_SHA1, 20, 4, 10,
|
||||
sec_serv_conf_and_auth},
|
||||
#endif
|
||||
#if defined(PJMEDIA_SRTP_HAS_AES_GCM_128) && \
|
||||
(PJMEDIA_SRTP_HAS_AES_GCM_128 != 0)
|
||||
/* cipher AES_GCM, NULL auth, auth tag len = 16 octets */
|
||||
{"AEAD_AES_128_GCM", AES_128_GCM, AES_128_GCM_KEYSIZE_WSALT,
|
||||
NULL_AUTH, 0, 16, 16, sec_serv_conf_and_auth},
|
||||
|
||||
/* cipher AES_GCM, NULL auth, auth tag len = 8 octets */
|
||||
{"AEAD_AES_128_GCM_8", AES_128_GCM, AES_128_GCM_KEYSIZE_WSALT,
|
||||
NULL_AUTH, 0, 8, 8, sec_serv_conf_and_auth},
|
||||
#endif
|
||||
#if defined(PJMEDIA_SRTP_HAS_AES_CM_128) && \
|
||||
(PJMEDIA_SRTP_HAS_AES_CM_128 != 0)
|
||||
/* cipher AES_CM_128, auth HMAC_SHA1, auth tag len = 10 octets */
|
||||
{"AES_CM_128_HMAC_SHA1_80", AES_ICM, 30, HMAC_SHA1, 20, 10, 10,
|
||||
sec_serv_conf_and_auth},
|
||||
/* cipher AES_CM_128, auth HMAC_SHA1, auth tag len = 4 octets */
|
||||
{"AES_CM_128_HMAC_SHA1_32", AES_ICM, 30, HMAC_SHA1, 20, 4, 10,
|
||||
sec_serv_conf_and_auth},
|
||||
#endif
|
||||
/*
|
||||
* F8_128_HMAC_SHA1_8 not supported by libsrtp?
|
||||
* {"F8_128_HMAC_SHA1_8", NULL_CIPHER, 0, NULL_AUTH, 0, 0, 0, sec_serv_none}
|
||||
|
|
|
@ -35,6 +35,22 @@ ifeq (@ac_external_srtp@,1)
|
|||
# External SRTP
|
||||
else
|
||||
DIRS += srtp
|
||||
|
||||
ifeq (@ac_ssl_has_aes_gcm@,0)
|
||||
CIPHERS_SRC = crypto/cipher/aes.o crypto/cipher/aes_icm.o \
|
||||
crypto/cipher/aes_cbc.o
|
||||
HASHES_SRC = crypto/hash/sha1.o crypto/hash/hmac.o \
|
||||
# crypto/hash/tmmhv2.o
|
||||
RNG_SRC = crypto/rng/rand_source.o crypto/rng/prng.o \
|
||||
crypto/rng/ctr_prng.o
|
||||
else
|
||||
CIPHERS_SRC = crypto/cipher/aes_icm_ossl.o crypto/cipher/aes_gcm_ossl.o
|
||||
HASHES_SRC = crypto/hash/hmac_ossl.o
|
||||
RNG_SRC = crypto/rng/rand_source_ossl.o
|
||||
SRTP_OTHER_CFLAGS = -DOPENSSL
|
||||
endif
|
||||
|
||||
|
||||
endif
|
||||
|
||||
ifeq (@ac_pjmedia_resample@,libresample)
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
include ../../../build.mak
|
||||
include ../../../build/common.mak
|
||||
include ../os-$(OS_NAME).mak
|
||||
|
||||
export LIBDIR := ../../lib
|
||||
|
||||
|
@ -28,11 +29,9 @@ export _LDFLAGS := $(CC_LDFLAGS) $(OS_LDFLAGS) $(M_LDFLAGS) $(HOST_LDFLAGS) \
|
|||
|
||||
# libcrypt.a (the crypto engine)
|
||||
ciphers = crypto/cipher/cipher.o crypto/cipher/null_cipher.o \
|
||||
crypto/cipher/aes.o crypto/cipher/aes_icm.o \
|
||||
crypto/cipher/aes_cbc.o
|
||||
$(CIPHERS_SRC)
|
||||
|
||||
hashes = crypto/hash/null_auth.o crypto/hash/sha1.o \
|
||||
crypto/hash/hmac.o crypto/hash/auth.o # crypto/hash/tmmhv2.o
|
||||
hashes = crypto/hash/null_auth.o crypto/hash/auth.o $(HASHES_SRC)
|
||||
|
||||
replay = crypto/replay/rdb.o crypto/replay/rdbx.o \
|
||||
crypto/replay/ut_sim.o
|
||||
|
@ -41,7 +40,7 @@ math = crypto/math/datatypes.o crypto/math/stat.o
|
|||
|
||||
ust = crypto/ust/ust.o
|
||||
|
||||
rng = crypto/rng/rand_source.o crypto/rng/prng.o crypto/rng/ctr_prng.o
|
||||
rng = $(RNG_SRC)
|
||||
|
||||
err = pjlib/srtp_err.o
|
||||
|
||||
|
@ -54,7 +53,7 @@ cryptobj = $(ciphers) $(hashes) $(math) $(stat) $(kernel) $(replay)
|
|||
|
||||
export SRTP_SRCDIR = ../../srtp
|
||||
export SRTP_OBJS = $(cryptobj) $(srtpobj)
|
||||
export SRTP_CFLAGS = -DHAVE_CONFIG_H $(_CFLAGS)
|
||||
export SRTP_CFLAGS = -DHAVE_CONFIG_H $(_CFLAGS) $(SRTP_OTHER_CFLAGS)
|
||||
export SRTP_LDFLAGS = $(PJLIB_LDLIB) $(_LDFLAGS)
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue