netwerk/srtp/src/README@b8a032363ba2 (annotated)
netwerk/srtp/src/README
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | Secure RTP (SRTP) Reference Implementation |
| michael@0 | 2 | David A. McGrew |
| michael@0 | 3 | Cisco Systems, Inc. |
| michael@0 | 4 | mcgrew@cisco.com |
| michael@0 | 5 | |
| michael@0 | 6 | |
| michael@0 | 7 | This package provides an implementation of the Secure Real-time |
| michael@0 | 8 | Transport Protocol (SRTP), the Universal Security Transform (UST), and |
| michael@0 | 9 | a supporting cryptographic kernel. These mechanisms are documented in |
| michael@0 | 10 | the Internet Drafts in the doc/ subdirectory. The SRTP API is |
| michael@0 | 11 | documented in include/srtp.h, and the library is in libsrtp.a (after |
| michael@0 | 12 | compilation). An overview and reference manual is available in |
| michael@0 | 13 | doc/libsrtp.pdf. The PDF documentation is more up to date than this |
| michael@0 | 14 | file. |
| michael@0 | 15 | |
| michael@0 | 16 | |
| michael@0 | 17 | Installation: |
| michael@0 | 18 | |
| michael@0 | 19 | ./configure [ options ] # GNU autoconf script |
| michael@0 | 20 | make # or gmake if needed; use GNU make |
| michael@0 | 21 | |
| michael@0 | 22 | The configure script accepts the following options: |
| michael@0 | 23 | |
| michael@0 | 24 | --help provides a usage summary |
| michael@0 | 25 | --disable-debug compile without the runtime debugging system |
| michael@0 | 26 | --enable-syslog use syslog for error reporting |
| michael@0 | 27 | --disable-stdout use stdout for error reporting |
| michael@0 | 28 | --enable-console use /dev/console for error reporting |
| michael@0 | 29 | --gdoi use GDOI key management (disabled at present) |
| michael@0 | 30 | |
| michael@0 | 31 | By default, debbuging is enabled and stdout is used for debugging. |
| michael@0 | 32 | You can use the above configure options to have the debugging output |
| michael@0 | 33 | sent to syslog or the system console. Alternatively, you can define |
| michael@0 | 34 | ERR_REPORTING_FILE in include/conf.h to be any other file that can be |
| michael@0 | 35 | opened by libSRTP, and debug messages will be sent to it. |
| michael@0 | 36 | |
| michael@0 | 37 | This package has been tested on Mac OS X (powerpc-apple-darwin1.4), |
| michael@0 | 38 | Cygwin (i686-pc-cygwin), and Sparc (sparc-sun-solaris2.6). Previous |
| michael@0 | 39 | versions have been tested on Linux and OpenBSD on both x86 and sparc |
| michael@0 | 40 | platforms. |
| michael@0 | 41 | |
| michael@0 | 42 | A quick tour of this package: |
| michael@0 | 43 | |
| michael@0 | 44 | Makefile targets: all, clean, ... |
| michael@0 | 45 | README this file |
| michael@0 | 46 | CHANGES change log |
| michael@0 | 47 | VERSION version number of this package |
| michael@0 | 48 | LICENSE legal details (it's a BSD-like license) |
| michael@0 | 49 | crypto/ciphers/ ciphers (null, aes_icm, ...) |
| michael@0 | 50 | crypto/math/ crypto math routines |
| michael@0 | 51 | crypto/hash/ crypto hashing (hmac, tmmhv2, ...) |
| michael@0 | 52 | crypto/replay/ replay protection |
| michael@0 | 53 | doc/ documentation: rfcs, apis, and suchlike |
| michael@0 | 54 | include/ include files for all code in distribution |
| michael@0 | 55 | srtp/ secure real-time transport protocol implementation |
| michael@0 | 56 | tables/ apps for generating tables (useful in porting) |
| michael@0 | 57 | test/ test drivers |
| michael@0 | 58 | |
| michael@0 | 59 | |
| michael@0 | 60 | Applications |
| michael@0 | 61 | |
| michael@0 | 62 | Several test drivers and a simple and portable srtp application |
| michael@0 | 63 | are included in the test/ subdirectory. |
| michael@0 | 64 | |
| michael@0 | 65 | test driver function tested |
| michael@0 | 66 | ------------------------------------------------------------- |
| michael@0 | 67 | kernel_driver crypto kernel (ciphers, auth funcs, rng) |
| michael@0 | 68 | srtp_driver srtp in-memory tests (does not use the network) |
| michael@0 | 69 | rdbx_driver rdbx (extended replay database) |
| michael@0 | 70 | roc_driver extended sequence number functions |
| michael@0 | 71 | replay_driver replay database (n.b. not used in libsrtp) |
| michael@0 | 72 | cipher_driver ciphers |
| michael@0 | 73 | auth_driver hash functions |
| michael@0 | 74 | |
| michael@0 | 75 | The app rtpw is a simple rtp application which reads words from |
| michael@0 | 76 | /usr/dict/words and then sends them out one at a time using [s]rtp. |
| michael@0 | 77 | Manual srtp keying uses the -k option; automated key management |
| michael@0 | 78 | using gdoi will be added later. |
| michael@0 | 79 | |
| michael@0 | 80 | usage: rtpw [-d <debug>]* [-k <key> [-a][-e]] [-s | -r] dest_ip dest_port |
| michael@0 | 81 | or rtpw -l |
| michael@0 | 82 | |
| michael@0 | 83 | Either the -s (sender) or -r (receiver) option must be chosen. |
| michael@0 | 84 | |
| michael@0 | 85 | The values dest_ip, dest_port are the ip address and udp port to |
| michael@0 | 86 | which the dictionary will be sent, respectively. |
| michael@0 | 87 | |
| michael@0 | 88 | options: |
| michael@0 | 89 | |
| michael@0 | 90 | -s (s)rtp sender - causes app to send words |
| michael@0 | 91 | |
| michael@0 | 92 | -r (s)rtp receive - causes app to receve words |
| michael@0 | 93 | |
| michael@0 | 94 | -k <key> use srtp master key <key>, where the |
| michael@0 | 95 | key is a hexadecimal value (without the |
| michael@0 | 96 | leading "0x") |
| michael@0 | 97 | |
| michael@0 | 98 | -e encrypt/decrypt (for data confidentiality) |
| michael@0 | 99 | (requires use of -k option as well) |
| michael@0 | 100 | |
| michael@0 | 101 | -a message authentication |
| michael@0 | 102 | (requires use of -k option as well) |
| michael@0 | 103 | |
| michael@0 | 104 | -l list debug modules |
| michael@0 | 105 | |
| michael@0 | 106 | -d <debug> turn on debugging for module <debug> |
| michael@0 | 107 | |
| michael@0 | 108 | |
| michael@0 | 109 | In order to get random 30-byte values for use as key/salt pairs , you |
| michael@0 | 110 | can use the following bash function to format the output of |
| michael@0 | 111 | /dev/random (where that device is available). |
| michael@0 | 112 | |
| michael@0 | 113 | function randhex() { |
| michael@0 | 114 | cat /dev/random | od --read-bytes=32 --width=32 -x | awk '{ print $2 $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15 $16 }' |
| michael@0 | 115 | } |
| michael@0 | 116 | |
| michael@0 | 117 | |
| michael@0 | 118 | An example of an SRTP session using two rtpw programs follows: |
| michael@0 | 119 | |
| michael@0 | 120 | set k=c1eec3717da76195bb878578790af71c4ee9f859e197a414a78d5abc7451 |
| michael@0 | 121 | |
| michael@0 | 122 | [sh1]$ test/rtpw -s -k $k -ea 0.0.0.0 9999 |
| michael@0 | 123 | Security services: confidentiality message authentication |
| michael@0 | 124 | set master key/salt to C1EEC3717DA76195BB878578790AF71C/4EE9F859E197A414A78D5ABC7451 |
| michael@0 | 125 | setting SSRC to 2078917053 |
| michael@0 | 126 | sending word: A |
| michael@0 | 127 | sending word: a |
| michael@0 | 128 | sending word: aa |
| michael@0 | 129 | sending word: aal |
| michael@0 | 130 | ... |
| michael@0 | 131 | |
| michael@0 | 132 | [sh2]$ test/rtpw -r -k $k -ea 0.0.0.0 9999 |
| michael@0 | 133 | security services: confidentiality message authentication |
| michael@0 | 134 | set master key/salt to C1EEC3717DA76195BB878578790AF71C/4EE9F859E197A414A78D5ABC7451 |
| michael@0 | 135 | 19 octets received from SSRC 2078917053 word: A |
| michael@0 | 136 | 19 octets received from SSRC 2078917053 word: a |
| michael@0 | 137 | 20 octets received from SSRC 2078917053 word: aa |
| michael@0 | 138 | 21 octets received from SSRC 2078917053 word: aal |
| michael@0 | 139 | ... |
| michael@0 | 140 | |
| michael@0 | 141 | Implementation Notes |
| michael@0 | 142 | |
| michael@0 | 143 | * The srtp_protect() function assumes that the buffer holding the |
| michael@0 | 144 | rtp packet has enough storage allocated that the authentication |
| michael@0 | 145 | tag can be written to the end of that packet. If this assumption |
| michael@0 | 146 | is not valid, memory corruption will ensue. |
| michael@0 | 147 | |
| michael@0 | 148 | * Automated tests for the crypto functions are provided through |
| michael@0 | 149 | the cipher_type_self_test() and auth_type_self_test() functions. |
| michael@0 | 150 | These functions should be used to test each port of this code |
| michael@0 | 151 | to a new platform. |
| michael@0 | 152 | |
| michael@0 | 153 | * Replay protection is contained in the crypto engine, and |
| michael@0 | 154 | tests for it are provided. |
| michael@0 | 155 | |
| michael@0 | 156 | * This implementation provides calls to initialize, protect, and |
| michael@0 | 157 | unprotect RTP packets, and makes as few as possible assumptions |
| michael@0 | 158 | about how these functions will be called. For example, the |
| michael@0 | 159 | caller is not expected to provide packets in order (though if |
| michael@0 | 160 | they're called more than 65k out of sequence, synchronization |
| michael@0 | 161 | will be lost). |
| michael@0 | 162 | |
| michael@0 | 163 | * The sequence number in the rtp packet is used as the low 16 bits |
| michael@0 | 164 | of the sender's local packet index. Note that RTP will start its |
| michael@0 | 165 | sequence number in a random place, and the SRTP layer just jumps |
| michael@0 | 166 | forward to that number at its first invocation. An earlier |
| michael@0 | 167 | version of this library used initial sequence numbers that are |
| michael@0 | 168 | less than 32,768; this trick is no longer required as the |
| michael@0 | 169 | rdbx_estimate_index(...) function has been made smarter. |
| michael@0 | 170 | |
| michael@0 | 171 | * The replay window is 128 bits in length, and is hard-coded to this |
| michael@0 | 172 | value for now. |
| michael@0 | 173 | |
| michael@0 | 174 |
