Re #1943: AES-GCM crypto support for SRTP
Special thanks to Alexander Traud for the patch. git-svn-id: https://svn.pjsip.org/repos/pjproject/trunk@5412 74dad513-b988-da41-8d7b-12977e46ad98
This commit is contained in:
parent
2180c8aed1
commit
a9f5f14b4f
14
aconfigure
14
aconfigure
|
@ -640,6 +640,7 @@ ac_no_opencore_amrnb
|
||||||
libcrypto_present
|
libcrypto_present
|
||||||
libssl_present
|
libssl_present
|
||||||
openssl_h_present
|
openssl_h_present
|
||||||
|
ac_ssl_has_aes_gcm
|
||||||
ac_no_ssl
|
ac_no_ssl
|
||||||
ac_webrtc_ldflags
|
ac_webrtc_ldflags
|
||||||
ac_webrtc_cflags
|
ac_webrtc_cflags
|
||||||
|
@ -7837,6 +7838,8 @@ if test "x$ac_cross_compile" != "x" -a "x$with_ssl" = "xno"; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
ac_ssl_has_aes_gcm=0
|
||||||
|
|
||||||
# Check whether --enable-ssl was given.
|
# Check whether --enable-ssl was given.
|
||||||
if test "${enable_ssl+set}" = set; then :
|
if test "${enable_ssl+set}" = set; then :
|
||||||
enableval=$enable_ssl;
|
enableval=$enable_ssl;
|
||||||
|
@ -7948,6 +7951,17 @@ fi
|
||||||
if test "x$openssl_h_present" = "x1" -a "x$libssl_present" = "x1" -a "x$libcrypto_present" = "x1"; then
|
if test "x$openssl_h_present" = "x1" -a "x$libssl_present" = "x1" -a "x$libcrypto_present" = "x1"; then
|
||||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL library found, SSL support enabled" >&5
|
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL library found, SSL support enabled" >&5
|
||||||
$as_echo "OpenSSL library found, SSL support enabled" >&6; }
|
$as_echo "OpenSSL library found, SSL support enabled" >&6; }
|
||||||
|
|
||||||
|
# Check if SRTP should be compiled with OpenSSL
|
||||||
|
# support, to enable cryptos such as AES GCM AC_CHECK_LIB(crypto,EVP_aes_128_gcm,[ac_ssl_has_aes_gcm=1])
|
||||||
|
if test "x$ac_ssl_has_aes_gcm" = "x1"; then
|
||||||
|
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL has AES GCM support, SRTP will use OpenSSl version" >&5
|
||||||
|
$as_echo "OpenSSL has AES GCM support, SRTP will use OpenSSl version" >&6; }
|
||||||
|
else
|
||||||
|
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos" >&5
|
||||||
|
$as_echo "OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos" >&6; }
|
||||||
|
fi
|
||||||
|
|
||||||
# PJSIP_HAS_TLS_TRANSPORT setting follows PJ_HAS_SSL_SOCK
|
# PJSIP_HAS_TLS_TRANSPORT setting follows PJ_HAS_SSL_SOCK
|
||||||
#AC_DEFINE(PJSIP_HAS_TLS_TRANSPORT, 1)
|
#AC_DEFINE(PJSIP_HAS_TLS_TRANSPORT, 1)
|
||||||
$as_echo "#define PJ_HAS_SSL_SOCK 1" >>confdefs.h
|
$as_echo "#define PJ_HAS_SSL_SOCK 1" >>confdefs.h
|
||||||
|
|
|
@ -1575,6 +1575,7 @@ fi
|
||||||
|
|
||||||
dnl # Include SSL support
|
dnl # Include SSL support
|
||||||
AC_SUBST(ac_no_ssl)
|
AC_SUBST(ac_no_ssl)
|
||||||
|
AC_SUBST(ac_ssl_has_aes_gcm,0)
|
||||||
AC_ARG_ENABLE(ssl,
|
AC_ARG_ENABLE(ssl,
|
||||||
AS_HELP_STRING([--disable-ssl],
|
AS_HELP_STRING([--disable-ssl],
|
||||||
[Exclude SSL support the build (default: autodetect)])
|
[Exclude SSL support the build (default: autodetect)])
|
||||||
|
@ -1600,6 +1601,15 @@ AC_ARG_ENABLE(ssl,
|
||||||
AC_CHECK_LIB(ssl,SSL_library_init,[libssl_present=1 && LIBS="-lssl $LIBS"])
|
AC_CHECK_LIB(ssl,SSL_library_init,[libssl_present=1 && LIBS="-lssl $LIBS"])
|
||||||
if test "x$openssl_h_present" = "x1" -a "x$libssl_present" = "x1" -a "x$libcrypto_present" = "x1"; then
|
if test "x$openssl_h_present" = "x1" -a "x$libssl_present" = "x1" -a "x$libcrypto_present" = "x1"; then
|
||||||
AC_MSG_RESULT([OpenSSL library found, SSL support enabled])
|
AC_MSG_RESULT([OpenSSL library found, SSL support enabled])
|
||||||
|
|
||||||
|
# Check if SRTP should be compiled with OpenSSL
|
||||||
|
# support, to enable cryptos such as AES GCM AC_CHECK_LIB(crypto,EVP_aes_128_gcm,[ac_ssl_has_aes_gcm=1])
|
||||||
|
if test "x$ac_ssl_has_aes_gcm" = "x1"; then
|
||||||
|
AC_MSG_RESULT([OpenSSL has AES GCM support, SRTP will use OpenSSl version])
|
||||||
|
else
|
||||||
|
AC_MSG_RESULT([OpenSSL AES GCM support not found, SRTP will only support AES CM cryptos])
|
||||||
|
fi
|
||||||
|
|
||||||
# PJSIP_HAS_TLS_TRANSPORT setting follows PJ_HAS_SSL_SOCK
|
# PJSIP_HAS_TLS_TRANSPORT setting follows PJ_HAS_SSL_SOCK
|
||||||
#AC_DEFINE(PJSIP_HAS_TLS_TRANSPORT, 1)
|
#AC_DEFINE(PJSIP_HAS_TLS_TRANSPORT, 1)
|
||||||
AC_DEFINE(PJ_HAS_SSL_SOCK, 1)
|
AC_DEFINE(PJ_HAS_SSL_SOCK, 1)
|
||||||
|
|
|
@ -952,6 +952,61 @@
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Maximum number of SRTP cryptos.
|
||||||
|
*
|
||||||
|
* Default: 16
|
||||||
|
*/
|
||||||
|
#ifndef PJMEDIA_SRTP_MAX_CRYPTOS
|
||||||
|
# define PJMEDIA_SRTP_MAX_CRYPTOS 16
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Enable AES_CM_256 cryptos in SRTP.
|
||||||
|
* Default: enabled.
|
||||||
|
*/
|
||||||
|
#ifndef PJMEDIA_SRTP_HAS_AES_CM_256
|
||||||
|
# define PJMEDIA_SRTP_HAS_AES_CM_256 1
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Enable AES_CM_192 cryptos in SRTP
|
||||||
|
* Default: disabled.
|
||||||
|
*/
|
||||||
|
#ifndef PJMEDIA_SRTP_HAS_AES_CM_192
|
||||||
|
# define PJMEDIA_SRTP_HAS_AES_CM_192 0
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Enable AES_CM_128 cryptos in SRTP.
|
||||||
|
* Default: enabled.
|
||||||
|
*/
|
||||||
|
#ifndef PJMEDIA_SRTP_HAS_AES_CM_128
|
||||||
|
# define PJMEDIA_SRTP_HAS_AES_CM_128 1
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Enable AES_GCM_256 cryptos in SRTP.
|
||||||
|
* Default: disabled.
|
||||||
|
*/
|
||||||
|
#ifndef PJMEDIA_SRTP_HAS_AES_GCM_256
|
||||||
|
# define PJMEDIA_SRTP_HAS_AES_GCM_256 0
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Enable AES_GCM_128 cryptos in SRTP.
|
||||||
|
* Default: disabled.
|
||||||
|
*/
|
||||||
|
#ifndef PJMEDIA_SRTP_HAS_AES_GCM_128
|
||||||
|
# define PJMEDIA_SRTP_HAS_AES_GCM_128 0
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Let the library handle libsrtp initialization and deinitialization.
|
* Let the library handle libsrtp initialization and deinitialization.
|
||||||
* Application may want to disable this and manually perform libsrtp
|
* Application may want to disable this and manually perform libsrtp
|
||||||
|
|
|
@ -155,7 +155,7 @@ typedef struct pjmedia_srtp_setting
|
||||||
/**
|
/**
|
||||||
* Specify individual crypto suite setting.
|
* Specify individual crypto suite setting.
|
||||||
*/
|
*/
|
||||||
pjmedia_srtp_crypto crypto[8];
|
pjmedia_srtp_crypto crypto[PJMEDIA_SRTP_MAX_CRYPTOS];
|
||||||
|
|
||||||
} pjmedia_srtp_setting;
|
} pjmedia_srtp_setting;
|
||||||
|
|
||||||
|
|
|
@ -84,35 +84,56 @@ typedef struct crypto_suite
|
||||||
sec_serv_t service;
|
sec_serv_t service;
|
||||||
} crypto_suite;
|
} crypto_suite;
|
||||||
|
|
||||||
/* Crypto suites as defined on RFC 4568 */
|
/* https://www.iana.org/assignments/sdp-security-descriptions/sdp-security-descriptions.xhtml */
|
||||||
static crypto_suite crypto_suites[] = {
|
static crypto_suite crypto_suites[] = {
|
||||||
/* plain RTP/RTCP (no cipher & no auth) */
|
/* plain RTP/RTCP (no cipher & no auth) */
|
||||||
{"NULL", NULL_CIPHER, 0, NULL_AUTH, 0, 0, 0, sec_serv_none},
|
{"NULL", NULL_CIPHER, 0, NULL_AUTH, 0, 0, 0, sec_serv_none},
|
||||||
|
#if defined(PJMEDIA_SRTP_HAS_AES_GCM_256) && \
|
||||||
|
(PJMEDIA_SRTP_HAS_AES_GCM_256 != 0)
|
||||||
|
/* cipher AES_GCM, NULL auth, auth tag len = 16 octets */
|
||||||
|
{"AEAD_AES_256_GCM", AES_256_GCM, AES_256_GCM_KEYSIZE_WSALT,
|
||||||
|
NULL_AUTH, 0, 16, 16, sec_serv_conf_and_auth},
|
||||||
|
/* cipher AES_GCM, NULL auth, auth tag len = 8 octets */
|
||||||
|
{"AEAD_AES_256_GCM_8", AES_256_GCM, AES_256_GCM_KEYSIZE_WSALT,
|
||||||
|
NULL_AUTH, 0, 8, 8, sec_serv_conf_and_auth},
|
||||||
|
#endif
|
||||||
|
#if defined(PJMEDIA_SRTP_HAS_AES_CM_256) && \
|
||||||
|
(PJMEDIA_SRTP_HAS_AES_CM_256 != 0)
|
||||||
/* cipher AES_CM_256, auth HMAC_SHA1, auth tag len = 10 octets */
|
/* cipher AES_CM_256, auth HMAC_SHA1, auth tag len = 10 octets */
|
||||||
{"AES_256_CM_HMAC_SHA1_80", AES_ICM, 46, HMAC_SHA1, 20, 10, 10,
|
{"AES_256_CM_HMAC_SHA1_80", AES_ICM, 46, HMAC_SHA1, 20, 10, 10,
|
||||||
sec_serv_conf_and_auth},
|
sec_serv_conf_and_auth},
|
||||||
|
|
||||||
/* cipher AES_CM_256, auth HMAC_SHA1, auth tag len = 10 octets */
|
/* cipher AES_CM_256, auth HMAC_SHA1, auth tag len = 10 octets */
|
||||||
{"AES_256_CM_HMAC_SHA1_32", AES_ICM, 46, HMAC_SHA1, 20, 4, 10,
|
{"AES_256_CM_HMAC_SHA1_32", AES_ICM, 46, HMAC_SHA1, 20, 4, 10,
|
||||||
sec_serv_conf_and_auth},
|
|
||||||
|
|
||||||
/* cipher AES_192_CM, auth HMAC_SHA1, auth tag len = 10 octets */
|
|
||||||
//{"AES_192_CM_HMAC_SHA1_80", AES_ICM, 38, HMAC_SHA1, 20, 10, 10,
|
|
||||||
//sec_serv_conf_and_auth},
|
|
||||||
|
|
||||||
/* cipher AES_192_CM, auth HMAC_SHA1, auth tag len = 4 octets */
|
|
||||||
//{"AES_192_CM_HMAC_SHA1_32", AES_ICM, 38, HMAC_SHA1, 20, 4, 10,
|
|
||||||
//sec_serv_conf_and_auth},
|
|
||||||
|
|
||||||
/* cipher AES_CM, auth HMAC_SHA1, auth tag len = 10 octets */
|
|
||||||
{"AES_CM_128_HMAC_SHA1_80", AES_128_ICM, 30, HMAC_SHA1, 20, 10, 10,
|
|
||||||
sec_serv_conf_and_auth},
|
sec_serv_conf_and_auth},
|
||||||
|
#endif
|
||||||
/* cipher AES_CM, auth HMAC_SHA1, auth tag len = 4 octets */
|
#if defined(PJMEDIA_SRTP_HAS_AES_CM_192) && \
|
||||||
{"AES_CM_128_HMAC_SHA1_32", AES_128_ICM, 30, HMAC_SHA1, 20, 4, 10,
|
(PJMEDIA_SRTP_HAS_AES_CM_192 != 0)
|
||||||
|
/* cipher AES_CM_192, auth HMAC_SHA1, auth tag len = 10 octets */
|
||||||
|
{"AES_192_CM_HMAC_SHA1_80", AES_ICM, 38, HMAC_SHA1, 20, 10, 10,
|
||||||
sec_serv_conf_and_auth},
|
sec_serv_conf_and_auth},
|
||||||
|
/* cipher AES_CM_192, auth HMAC_SHA1, auth tag len = 4 octets */
|
||||||
|
{"AES_192_CM_HMAC_SHA1_32", AES_ICM, 38, HMAC_SHA1, 20, 4, 10,
|
||||||
|
sec_serv_conf_and_auth},
|
||||||
|
#endif
|
||||||
|
#if defined(PJMEDIA_SRTP_HAS_AES_GCM_128) && \
|
||||||
|
(PJMEDIA_SRTP_HAS_AES_GCM_128 != 0)
|
||||||
|
/* cipher AES_GCM, NULL auth, auth tag len = 16 octets */
|
||||||
|
{"AEAD_AES_128_GCM", AES_128_GCM, AES_128_GCM_KEYSIZE_WSALT,
|
||||||
|
NULL_AUTH, 0, 16, 16, sec_serv_conf_and_auth},
|
||||||
|
|
||||||
|
/* cipher AES_GCM, NULL auth, auth tag len = 8 octets */
|
||||||
|
{"AEAD_AES_128_GCM_8", AES_128_GCM, AES_128_GCM_KEYSIZE_WSALT,
|
||||||
|
NULL_AUTH, 0, 8, 8, sec_serv_conf_and_auth},
|
||||||
|
#endif
|
||||||
|
#if defined(PJMEDIA_SRTP_HAS_AES_CM_128) && \
|
||||||
|
(PJMEDIA_SRTP_HAS_AES_CM_128 != 0)
|
||||||
|
/* cipher AES_CM_128, auth HMAC_SHA1, auth tag len = 10 octets */
|
||||||
|
{"AES_CM_128_HMAC_SHA1_80", AES_ICM, 30, HMAC_SHA1, 20, 10, 10,
|
||||||
|
sec_serv_conf_and_auth},
|
||||||
|
/* cipher AES_CM_128, auth HMAC_SHA1, auth tag len = 4 octets */
|
||||||
|
{"AES_CM_128_HMAC_SHA1_32", AES_ICM, 30, HMAC_SHA1, 20, 4, 10,
|
||||||
|
sec_serv_conf_and_auth},
|
||||||
|
#endif
|
||||||
/*
|
/*
|
||||||
* F8_128_HMAC_SHA1_8 not supported by libsrtp?
|
* F8_128_HMAC_SHA1_8 not supported by libsrtp?
|
||||||
* {"F8_128_HMAC_SHA1_8", NULL_CIPHER, 0, NULL_AUTH, 0, 0, 0, sec_serv_none}
|
* {"F8_128_HMAC_SHA1_8", NULL_CIPHER, 0, NULL_AUTH, 0, 0, 0, sec_serv_none}
|
||||||
|
|
|
@ -35,6 +35,22 @@ ifeq (@ac_external_srtp@,1)
|
||||||
# External SRTP
|
# External SRTP
|
||||||
else
|
else
|
||||||
DIRS += srtp
|
DIRS += srtp
|
||||||
|
|
||||||
|
ifeq (@ac_ssl_has_aes_gcm@,0)
|
||||||
|
CIPHERS_SRC = crypto/cipher/aes.o crypto/cipher/aes_icm.o \
|
||||||
|
crypto/cipher/aes_cbc.o
|
||||||
|
HASHES_SRC = crypto/hash/sha1.o crypto/hash/hmac.o \
|
||||||
|
# crypto/hash/tmmhv2.o
|
||||||
|
RNG_SRC = crypto/rng/rand_source.o crypto/rng/prng.o \
|
||||||
|
crypto/rng/ctr_prng.o
|
||||||
|
else
|
||||||
|
CIPHERS_SRC = crypto/cipher/aes_icm_ossl.o crypto/cipher/aes_gcm_ossl.o
|
||||||
|
HASHES_SRC = crypto/hash/hmac_ossl.o
|
||||||
|
RNG_SRC = crypto/rng/rand_source_ossl.o
|
||||||
|
SRTP_OTHER_CFLAGS = -DOPENSSL
|
||||||
|
endif
|
||||||
|
|
||||||
|
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ifeq (@ac_pjmedia_resample@,libresample)
|
ifeq (@ac_pjmedia_resample@,libresample)
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
include ../../../build.mak
|
include ../../../build.mak
|
||||||
include ../../../build/common.mak
|
include ../../../build/common.mak
|
||||||
|
include ../os-$(OS_NAME).mak
|
||||||
|
|
||||||
export LIBDIR := ../../lib
|
export LIBDIR := ../../lib
|
||||||
|
|
||||||
|
@ -28,11 +29,9 @@ export _LDFLAGS := $(CC_LDFLAGS) $(OS_LDFLAGS) $(M_LDFLAGS) $(HOST_LDFLAGS) \
|
||||||
|
|
||||||
# libcrypt.a (the crypto engine)
|
# libcrypt.a (the crypto engine)
|
||||||
ciphers = crypto/cipher/cipher.o crypto/cipher/null_cipher.o \
|
ciphers = crypto/cipher/cipher.o crypto/cipher/null_cipher.o \
|
||||||
crypto/cipher/aes.o crypto/cipher/aes_icm.o \
|
$(CIPHERS_SRC)
|
||||||
crypto/cipher/aes_cbc.o
|
|
||||||
|
|
||||||
hashes = crypto/hash/null_auth.o crypto/hash/sha1.o \
|
hashes = crypto/hash/null_auth.o crypto/hash/auth.o $(HASHES_SRC)
|
||||||
crypto/hash/hmac.o crypto/hash/auth.o # crypto/hash/tmmhv2.o
|
|
||||||
|
|
||||||
replay = crypto/replay/rdb.o crypto/replay/rdbx.o \
|
replay = crypto/replay/rdb.o crypto/replay/rdbx.o \
|
||||||
crypto/replay/ut_sim.o
|
crypto/replay/ut_sim.o
|
||||||
|
@ -41,7 +40,7 @@ math = crypto/math/datatypes.o crypto/math/stat.o
|
||||||
|
|
||||||
ust = crypto/ust/ust.o
|
ust = crypto/ust/ust.o
|
||||||
|
|
||||||
rng = crypto/rng/rand_source.o crypto/rng/prng.o crypto/rng/ctr_prng.o
|
rng = $(RNG_SRC)
|
||||||
|
|
||||||
err = pjlib/srtp_err.o
|
err = pjlib/srtp_err.o
|
||||||
|
|
||||||
|
@ -54,7 +53,7 @@ cryptobj = $(ciphers) $(hashes) $(math) $(stat) $(kernel) $(replay)
|
||||||
|
|
||||||
export SRTP_SRCDIR = ../../srtp
|
export SRTP_SRCDIR = ../../srtp
|
||||||
export SRTP_OBJS = $(cryptobj) $(srtpobj)
|
export SRTP_OBJS = $(cryptobj) $(srtpobj)
|
||||||
export SRTP_CFLAGS = -DHAVE_CONFIG_H $(_CFLAGS)
|
export SRTP_CFLAGS = -DHAVE_CONFIG_H $(_CFLAGS) $(SRTP_OTHER_CFLAGS)
|
||||||
export SRTP_LDFLAGS = $(PJLIB_LDLIB) $(_LDFLAGS)
|
export SRTP_LDFLAGS = $(PJLIB_LDLIB) $(_LDFLAGS)
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue