diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index ff0bb25f5..c3a79159c 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml @@ -23,7 +23,7 @@ jobs: fuzz-seconds: 300 language: c++ - name: Upload Crash - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 if: failure() && steps.build.outcome == 'success' with: name: artifacts diff --git a/.github/workflows/format_check.yml b/.github/workflows/format_check.yml index b584c6e24..838f34945 100644 --- a/.github/workflows/format_check.yml +++ b/.github/workflows/format_check.yml @@ -12,6 +12,6 @@ jobs: steps: - uses: actions/checkout@v2 - name: Install Clang Format - run: sudo apt install clang-format-12 + run: sudo apt install clang-format-14 - name: Run clang format run: ./format.sh -d diff --git a/CHANGES b/CHANGES index 81319a8f8..bcf425b03 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,11 @@ Changelog +2.7.0 + +#746 - Fix function signature mismatch for srtp_remove_stream + +#733 - Fix srtp_unprotect_rtcp_mki when RTP auth != RTCP + 2.6.0 #667 - remove use of pointers to 32bit values diff --git a/CMakeLists.txt b/CMakeLists.txt index 7d737e86b..a08247a86 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,6 +1,6 @@ cmake_minimum_required(VERSION 3.21) -project(libsrtp2 VERSION 2.6.0 LANGUAGES C) +project(libsrtp2 VERSION 2.7.0 LANGUAGES C) set(CMAKE_C_STANDARD 99) set(CMAKE_C_STANDARD_REQUIRED ON) diff --git a/configure b/configure index 7a415a09b..33e191a0d 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libsrtp2 2.6.0. +# Generated by GNU Autoconf 2.69 for libsrtp2 2.7.0. # # Report bugs to . # 
@@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='libsrtp2' PACKAGE_TARNAME='libsrtp2' -PACKAGE_VERSION='2.6.0' -PACKAGE_STRING='libsrtp2 2.6.0' +PACKAGE_VERSION='2.7.0' +PACKAGE_STRING='libsrtp2 2.7.0' PACKAGE_BUGREPORT='https://github.com/cisco/libsrtp/issues' PACKAGE_URL='' @@ -1288,7 +1288,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libsrtp2 2.6.0 to adapt to many kinds of systems. +\`configure' configures libsrtp2 2.7.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1354,7 +1354,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libsrtp2 2.6.0:";; + short | recursive ) echo "Configuration of libsrtp2 2.7.0:";; esac cat <<\_ACEOF @@ -1467,7 +1467,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libsrtp2 configure 2.6.0 +libsrtp2 configure 2.7.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2020,7 +2020,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libsrtp2 $as_me 2.6.0, which was +It was created by libsrtp2 $as_me 2.7.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -6998,7 +6998,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libsrtp2 $as_me 2.6.0, which was +This file was extended by libsrtp2 $as_me 2.7.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -7060,7 +7060,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libsrtp2 config.status 2.6.0 +libsrtp2 config.status 2.7.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 08623f257..519cb8309 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ dnl Process this file with autoconf to produce a configure script. -AC_INIT([libsrtp2], [2.6.0], [https://github.com/cisco/libsrtp/issues]) +AC_INIT([libsrtp2],[2.7.0],[https://github.com/cisco/libsrtp/issues]) dnl Must come before AC_PROG_CC EMPTY_CFLAGS="no" diff --git a/format.sh b/format.sh index b67828c93..ec3e64a72 100755 --- a/format.sh +++ b/format.sh @@ -7,7 +7,7 @@ # assumes git tree is clean when reporting status if [ -z "${CLANG_FORMAT}" ]; then - CLANG_FORMAT=clang-format-12 + CLANG_FORMAT=clang-format-14 fi a=`git ls-files '*.h' '*.c'` diff --git a/include/srtp.h b/include/srtp.h index 40b0c783f..73a38b3c8 100644 --- a/include/srtp.h +++ b/include/srtp.h @@ -631,7 +631,7 @@ srtp_err_status_t srtp_add_stream(srtp_t session, const srtp_policy_t *policy); * - [other] otherwise. * */ -srtp_err_status_t srtp_remove_stream(srtp_t session, unsigned int ssrc); +srtp_err_status_t srtp_remove_stream(srtp_t session, uint32_t ssrc); /** * @brief srtp_update() updates all streams in the session. diff --git a/meson.build b/meson.build index 81a232e61..4528a4528 100644 --- a/meson.build +++ b/meson.build @@ -1,4 +1,4 @@ -project('libsrtp2', 'c', version: '2.6.0', +project('libsrtp2', 'c', version: '2.7.0', meson_version: '>= 0.52.0', default_options: ['buildtype=debugoptimized']) 
@@ -154,7 +154,7 @@ elif crypto_library == 'nss' error('KDF support has not been implemented for NSS') endif elif crypto_library == 'mbedtls' - mbedtls_dep = dependency('mbedtls', required: false) + mbedtls_dep = dependency('mbedcrypto', required: false) if not mbedtls_dep.found() mbedtls_dep = cc.find_library('mbedcrypto', has_headers: ['mbedtls/aes.h'], required: true) endif diff --git a/srtp/srtp.c b/srtp/srtp.c index 82f4a8303..0c9b7cb98 100644 --- a/srtp/srtp.c +++ b/srtp/srtp.c @@ -1638,24 +1638,16 @@ static void srtp_calc_aead_iv(srtp_session_keys_t *session_keys, v128_xor(iv, &in, &salt); } -srtp_session_keys_t *srtp_get_session_keys(srtp_stream_ctx_t *stream, - const uint8_t *hdr, - unsigned int pkt_octet_len, - unsigned int *mki_size) +static srtp_session_keys_t *srtp_get_session_keys(srtp_stream_ctx_t *stream, + const uint8_t *hdr, + unsigned int pkt_octet_len, + unsigned int *mki_size, + unsigned int tag_len) { unsigned int base_mki_start_location = pkt_octet_len; unsigned int mki_start_location = 0; - unsigned int tag_len = 0; unsigned int i = 0; - // Determine the authentication tag size - if (stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_128 || - stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_256) { - tag_len = 0; - } else { - tag_len = srtp_auth_get_tag_length(stream->session_keys[0].rtp_auth); - } - if (tag_len > base_mki_start_location) { *mki_size = 0; return NULL; 
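Review bot: `srtp_get_session_keys` in srtp/srtp.c now takes `tag_len` from its caller to locate the MKI at the end of the packet, but nothing at the new signature says which tag length is expected. A value that does not match the packet type would shift the MKI window, which looks like the RTP/RTCP mismatch this commit addresses, so the contract deserves a header comment such as `/* tag_len: auth tag octets that follow the MKI for this packet type (0 for AES-GCM); a value larger than pkt_octet_len yields NULL */`. The `tag_len > base_mki_start_location` guard is the only visible bound on the new parameter, so it should stay ahead of any offset arithmetic, which presumably follows outside this hunk. The function body continues past the end of the hunk.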
@@ -1680,6 +1672,44 @@ srtp_session_keys_t *srtp_get_session_keys(srtp_stream_ctx_t *stream, return NULL; } +static srtp_session_keys_t *srtp_get_session_keys_rtp( + srtp_stream_ctx_t *stream, + const uint8_t *hdr, + unsigned int pkt_octet_len, + unsigned int *mki_size) +{ + unsigned int tag_len = 0; + + // Determine the authentication tag size + if (stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_128 || + stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_256) { + tag_len = 0; + } else { + tag_len = srtp_auth_get_tag_length(stream->session_keys[0].rtp_auth); + } + + return srtp_get_session_keys(stream, hdr, pkt_octet_len, mki_size, tag_len); +} + +static srtp_session_keys_t *srtp_get_session_keys_rtcp( + srtp_stream_ctx_t *stream, + const uint8_t *hdr, + unsigned int pkt_octet_len, + unsigned int *mki_size) +{ + unsigned int tag_len = 0; + + // Determine the authentication tag size + if (stream->session_keys[0].rtcp_cipher->algorithm == SRTP_AES_GCM_128 || + stream->session_keys[0].rtcp_cipher->algorithm == SRTP_AES_GCM_256) { + tag_len = 0; + } else { + tag_len = srtp_auth_get_tag_length(stream->session_keys[0].rtcp_auth); + } + + return srtp_get_session_keys(stream, hdr, pkt_octet_len, mki_size, tag_len); +} + static srtp_err_status_t srtp_estimate_index(srtp_rdbx_t *rdbx, uint32_t roc, srtp_xtd_seq_num_t *est, @@ -2583,8 +2613,8 @@ srtp_err_status_t srtp_unprotect_mki(srtp_ctx_t *ctx, /* Determine if MKI is being used and what session keys should be used */ if (use_mki) { session_keys = - srtp_get_session_keys(stream, (const uint8_t *)hdr, - (unsigned int)*pkt_octet_len, &mki_size); + srtp_get_session_keys_rtp(stream, (const uint8_t *)hdr, + (unsigned int)*pkt_octet_len, &mki_size); if (session_keys == NULL) return srtp_err_status_bad_mki; 
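Review bot: Both new wrappers, `srtp_get_session_keys_rtp` and `srtp_get_session_keys_rtcp`, read the cipher and auth objects from `stream->session_keys[0]` only, so the tag length used to locate the MKI comes from the first master key whichever key the packet selects. That is safe only if every master key of a stream shares one policy, which these lines do not show. A short comment would record the assumption, e.g. `/* all master keys of a stream share one policy, so key 0 gives the tag length */`. The two bodies differ only in the `rtp_`/`rtcp_` field names, so a single static helper taking the cipher and auth pointers would keep the AES-GCM special case in one place.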
@@ -4293,7 +4323,7 @@ srtp_err_status_t srtp_unprotect_rtcp_mki(srtp_t ctx, * Determine if MKI is being used and what session keys should be used */ if (use_mki) { - session_keys = srtp_get_session_keys( + session_keys = srtp_get_session_keys_rtcp( stream, (uint8_t *)hdr, (unsigned int)*pkt_octet_len, &mki_size); if (session_keys == NULL) diff --git a/test/srtp_driver.c b/test/srtp_driver.c index 7307e1629..ef2314776 100644 --- a/test/srtp_driver.c +++ b/test/srtp_driver.c @@ -4279,6 +4279,38 @@ const srtp_policy_t aes_256_hmac_policy = { NULL }; +const srtp_policy_t aes_256_hmac_32_policy = { + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ + SRTP_AES_ICM_256, /* cipher type */ + SRTP_AES_ICM_256_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 20, /* auth key length in octets */ + 4, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ + }, + { + /* SRTCP policy */ + SRTP_AES_ICM_256, /* cipher type */ + SRTP_AES_ICM_256_KEY_LEN_WSALT, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 20, /* auth key length in octets */ + 10, /* auth tag length in octets. + 80 bits per RFC 3711. */ + sec_serv_conf_and_auth /* security services flag */ + }, + NULL, + (srtp_master_key_t **)test_256_keys, + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ + NULL +}; + char ekt_test_policy = 'x'; const srtp_policy_t hmac_only_with_ekt_policy = { @@ -4333,6 +4365,7 @@ const srtp_policy_t *policy_array[] = { #endif &null_policy, &aes_256_hmac_policy, + &aes_256_hmac_32_policy, NULL }; // clang-format on
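Review bot: The `srtp_get_session_keys_rtcp` call in `srtp_unprotect_rtcp_mki` passes `(uint8_t *)hdr`, while the helper's parameter is `const uint8_t *hdr` and the RTP call site in `srtp_unprotect_mki` casts to `(const uint8_t *)hdr`. Matching the RTP site, `stream, (const uint8_t *)hdr, (unsigned int)*pkt_octet_len, &mki_size);`, keeps the two paths parallel and states that the lookup only reads the packet. The enclosing function starts and ends outside this hunk.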
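Review bot: `aes_256_hmac_32_policy` in test/srtp_driver.c has no comment saying why it exists. Its distinguishing feature is a 4-octet RTP auth tag paired with a 10-octet RTCP tag and two master keys, presumably to cover the MKI lookup fixed in this commit. A one-line comment above the initializer would stop a later cleanup from normalising the tag lengths, e.g. `/* RTP and RTCP auth tag lengths differ on purpose: regression coverage for MKI lookup in srtp_unprotect_rtcp_mki */`. Whether the entries of `policy_array` are actually run with MKI enabled is not visible in this diff and is worth confirming, since without MKI the new policy would not reach the changed code path.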