Fix packet length validation, new cipher tests

This is v2 CP of two commits from master: Fix packet length validation Missing packet length validations could cause crash. New SRTP cipher test suite Moved tests from srtp_cipher_aead_aes_gcm_test.go to new file, cleaned up their code to make it more DRY. Added tests for AES CM ciphers there too. This new cipher test suite will make it easier to add tests for new SRTP features without lots of copy/paste.
pion · Jul 7, 2024 · a3ec2e6 · a3ec2e6
1 parent f598d3b
commit a3ec2e6
Show file tree

Hide file tree

Showing 9 changed files with 256 additions and 169 deletions.
diff --git a/errors.go b/errors.go
@@ -18,7 +18,8 @@ var (
 	errNoConfig                      = errors.New("no config provided")
 	errNoConn                        = errors.New("no conn provided")
 	errFailedToVerifyAuthTag         = errors.New("failed to verify auth tag")
-	errTooShortRTCP                  = errors.New("packet is too short to be rtcp packet")
+	errTooShortRTP                   = errors.New("packet is too short to be RTP packet")
+	errTooShortRTCP                  = errors.New("packet is too short to be RTCP packet")
 	errPayloadDiffers                = errors.New("payload differs")
 	errStartedChannelUsedIncorrectly = errors.New("started channel used incorrectly, should only be closed")
 	errBadIVLength                   = errors.New("bad iv length in xorBytesCTR")

diff --git a/protection_profile.go b/protection_profile.go
@@ -84,3 +84,18 @@ func (p ProtectionProfile) authKeyLen() (int, error) {
 		return 0, fmt.Errorf("%w: %#v", errNoSuchSRTPProfile, p)
 	}
 }
+
+func (p ProtectionProfile) String() string {
+	switch p {
+	case ProtectionProfileAes128CmHmacSha1_80:
+		return "SRTP_AES128_CM_HMAC_SHA1_80"
+	case ProtectionProfileAes128CmHmacSha1_32:
+		return "SRTP_AES128_CM_HMAC_SHA1_32"
+	case ProtectionProfileAeadAes128Gcm:
+		return "SRTP_AEAD_AES_128_GCM"
+	case ProtectionProfileAeadAes256Gcm:
+		return "SRTP_AEAD_AES_256_GCM"
+	default:
+		return fmt.Sprintf("Unknown SRTP profile: %#v", p)
+	}
+}
diff --git a/srtcp.go b/srtcp.go
@@ -63,6 +63,10 @@ func (c *Context) DecryptRTCP(dst, encrypted []byte, header *rtcp.Header) ([]byt
 }
 
 func (c *Context) encryptRTCP(dst, decrypted []byte) ([]byte, error) {
+	if len(decrypted) < 8 {
+		return nil, fmt.Errorf("%w: %d", errTooShortRTCP, len(decrypted))
+	}
+
 	ssrc := binary.BigEndian.Uint32(decrypted[4:])
 	s := c.getSRTCPSSRCState(ssrc)
 

diff --git a/srtcp_test.go b/srtcp_test.go
@@ -594,3 +594,27 @@ func TestRTCPReplayDetectorFactory(t *testing.T) {
 	}
 	assert.Equal(1, cntFactory)
 }
+
+func TestDecryptInvalidSRTCP(t *testing.T) {
+	assert := assert.New(t)
+	key := []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}
+	salt := []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}
+	decryptContext, err := CreateContext(key, salt, ProtectionProfileAes128CmHmacSha1_80)
+	assert.NoError(err)
+
+	packet := []byte{0x8f, 0x48, 0xff, 0xff, 0xec, 0x77, 0xb0, 0x43, 0xf9, 0x04, 0x51, 0xff, 0xfb, 0xdf}
+	_, err = decryptContext.DecryptRTCP(nil, packet, nil)
+	assert.Error(err)
+}
+
+func TestEncryptInvalidRTCP(t *testing.T) {
+	assert := assert.New(t)
+	key := []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}
+	salt := []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}
+	decryptContext, err := CreateContext(key, salt, ProtectionProfileAes128CmHmacSha1_80)
+	assert.NoError(err)
+
+	packet := []byte{0xbb, 0xbb, 0x0a, 0x2f}
+	_, err = decryptContext.EncryptRTCP(nil, packet, nil)
+	assert.Error(err)
+}
diff --git a/srtp.go b/srtp.go
@@ -9,6 +9,15 @@ import (
 )
 
 func (c *Context) decryptRTP(dst, ciphertext []byte, header *rtp.Header, headerLen int) ([]byte, error) {
+	authTagLen, err := c.cipher.rtpAuthTagLen()
+	if err != nil {
+		return nil, err
+	}
+
+	if len(ciphertext) < headerLen+authTagLen {
+		return nil, errTooShortRTP
+	}
+
 	s := c.getSRTPSSRCState(header.SSRC)
 
 	roc, diff, _ := s.nextRolloverCount(header.SequenceNumber)
@@ -21,10 +30,6 @@ func (c *Context) decryptRTP(dst, ciphertext []byte, header *rtp.Header, headerL
 		}
 	}
 
-	authTagLen, err := c.cipher.rtpAuthTagLen()
-	if err != nil {
-		return nil, err
-	}
 	dst = growBufferSize(dst, len(ciphertext)-authTagLen)
 
 	dst, err = c.cipher.decryptRTP(dst, ciphertext, header, headerLen, roc)

diff --git a/srtp_cipher_aead_aes_gcm_test.go b/srtp_cipher_aead_aes_gcm_test.go
diff --git a/srtp_cipher_aes_cm_hmac_sha1.go b/srtp_cipher_aes_cm_hmac_sha1.go
@@ -161,6 +161,9 @@ func (s *srtpCipherAesCmHmacSha1) decryptRTCP(out, encrypted []byte, index, ssrc
 		return nil, err
 	}
 	tailOffset := len(encrypted) - (authTagLen + srtcpIndexSize)
+	if tailOffset < 8 {
+		return nil, errTooShortRTCP
+	}
 	out = out[0:tailOffset]
 
 	expectedTag, err := s.generateSrtcpAuthTag(encrypted[:len(encrypted)-authTagLen])