Support selected RCC Transforms from RFC 4771

Roll-over Counter Carrying Transform specified in RFC 4771 defines way
to send Roll-over Counter in Authentication Tag of SRTP packet. This
allows late joiners to reliably discover current value of ROC.

RFC 4771 defines 3 RCC modes. This PR adds support for mode RCCm2 for
AES-CM and NULL profiles, and mode RCCm3 for AES-GCM (AEAD) profiles.

Modes RCCm1 and RCCm3 disables authentication tag so they decrease
security of AES-CM profiles. For AES-GCS profiles modes RCCm1 and RCCm2
would require to calculate SHA-1 MAC in addition to existing AEAD tag,
unnecessary causing extra CPU load and increasing SRTP packet size.

Author: sirzooro

context.go

@@ -43,6 +43,23 @@ type srtcpSSRCState struct {
 	replayDetector replaydetector.ReplayDetector
 }
 
+// RCCMode is the mode of Roll-over Counter Carrying Transform from RFC 4771.
+type RCCMode int
+
+const (
+	// RCCModeNone is the default mode.
+	RCCModeNone RCCMode = iota
+	// RCCMode1 is RCCm1 mode from RFC 4771. In this mode ROC and truncated auth tag is sent every R-th packet,
+	// and no auth tag in other ones. This mode is not supported by pion/srtp.
+	RCCMode1
+	// RCCMode2 is RCCm2 mode from RFC 4771. In this mode ROC and truncated auth tag is sent every R-th packet,
+	// and full auth tag in other ones. This mode is supported for AES-CM and NULL profiles only.
+	RCCMode2
+	// RCCMode3 is RCCm3 mode from RFC 4771. In this mode ROC is sent every R-th packet (without truncated auth tag),
+	// and no auth tag in other ones. This mode is supported for AES-GCM profiles only.
+	RCCMode3
+)
+
 // Context represents a SRTP cryptographic context.
 // Context can only be used for one-way operations.
 // it must either used ONLY for encryption or ONLY for decryption.
@@ -67,6 +84,11 @@ type Context struct {
 
 	encryptSRTP  bool
 	encryptSRTCP bool
+
+	rccMode         RCCMode
+	rocTransmitRate uint16
+
+	authTagRTPLen *int
 }
 
 // CreateContext creates a new SRTP Context.
@@ -102,6 +124,21 @@ func CreateContext(
 		}
 	}
 
+	if err = c.checkRCCMode(); err != nil {
+		return nil, err
+	}
+
+	if c.authTagRTPLen != nil {
+		var authKeyLen int
+		authKeyLen, err = c.profile.AuthKeyLen()
+		if err != nil {
+			return nil, err
+		}
+		if *c.authTagRTPLen > authKeyLen {
+			return nil, errTooLongSRTPAuthTag
+		}
+	}
+
 	c.cipher, err = c.createCipher(c.sendMKI, masterKey, masterSalt, c.encryptSRTP, c.encryptSRTCP)
 	if err != nil {
 		return nil, err
@@ -154,16 +191,21 @@ func (c *Context) createCipher(mki, masterKey, masterSalt []byte, encryptSRTP, e
 		return nil, fmt.Errorf("%w expected(%d) actual(%d)", errShortSrtpMasterSalt, saltLen, masterSaltLen)
 	}
 
+	profileWithArgs := protectionProfileWithArgs{
+		ProtectionProfile: c.profile,
+		authTagRTPLen:     c.authTagRTPLen,
+	}
+
 	switch c.profile {
 	case ProtectionProfileAeadAes128Gcm, ProtectionProfileAeadAes256Gcm:
-		return newSrtpCipherAeadAesGcm(c.profile, masterKey, masterSalt, mki, encryptSRTP, encryptSRTCP)
+		return newSrtpCipherAeadAesGcm(profileWithArgs, masterKey, masterSalt, mki, encryptSRTP, encryptSRTCP)
 	case ProtectionProfileAes128CmHmacSha1_32,
 		ProtectionProfileAes128CmHmacSha1_80,
 		ProtectionProfileAes256CmHmacSha1_32,
 		ProtectionProfileAes256CmHmacSha1_80:
-		return newSrtpCipherAesCmHmacSha1(c.profile, masterKey, masterSalt, mki, encryptSRTP, encryptSRTCP)
+		return newSrtpCipherAesCmHmacSha1(profileWithArgs, masterKey, masterSalt, mki, encryptSRTP, encryptSRTCP)
 	case ProtectionProfileNullHmacSha1_32, ProtectionProfileNullHmacSha1_80:
-		return newSrtpCipherAesCmHmacSha1(c.profile, masterKey, masterSalt, mki, false, false)
+		return newSrtpCipherAesCmHmacSha1(profileWithArgs, masterKey, masterSalt, mki, false, false)
 	default:
 		return nil, fmt.Errorf("%w: %#v", errNoSuchSRTPProfile, c.profile)
 	}
@@ -197,7 +239,7 @@ func (c *Context) SetSendMKI(mki []byte) error {
 }
 
 // https://tools.ietf.org/html/rfc3550#appendix-A.1
-func (s *srtpSSRCState) nextRolloverCount(sequenceNumber uint16) (roc uint32, diff int32, overflow bool) {
+func (s *srtpSSRCState) nextRolloverCount(sequenceNumber uint16) (roc uint32, diff int64, overflow bool) {
 	seq := int32(sequenceNumber)
 	localRoc := uint32(s.index >> 16)            //nolint:gosec // G115
 	localSeq := int32(s.index & (seqNumMax - 1)) //nolint:gosec // G115
@@ -232,17 +274,20 @@ func (s *srtpSSRCState) nextRolloverCount(sequenceNumber uint16) (roc uint32, di
 		}
 	}
 
-	return guessRoc, difference, (guessRoc == 0 && localRoc == maxROC)
+	return guessRoc, int64(difference), (guessRoc == 0 && localRoc == maxROC)
 }
 
-func (s *srtpSSRCState) updateRolloverCount(sequenceNumber uint16, difference int32) {
-	if !s.rolloverHasProcessed {
+func (s *srtpSSRCState) updateRolloverCount(sequenceNumber uint16, difference int64, hasRemoteRoc bool,
+	remoteRoc uint32,
+) {
+	switch {
+	case hasRemoteRoc:
+		s.index = (uint64(remoteRoc) << 16) | uint64(sequenceNumber)
+		s.rolloverHasProcessed = true
+	case !s.rolloverHasProcessed:
 		s.index |= uint64(sequenceNumber)
 		s.rolloverHasProcessed = true
-
-		return
-	}
-	if difference > 0 {
+	case difference > 0:
 		s.index += uint64(difference)
 	}
 }
@@ -309,3 +354,49 @@ func (c *Context) SetIndex(ssrc uint32, index uint32) {
 	s := c.getSRTCPSSRCState(ssrc)
 	s.srtcpIndex = index % (maxSRTCPIndex + 1)
 }
+
+//nolint:cyclop
+func (c *Context) checkRCCMode() error {
+	if c.rccMode == RCCModeNone {
+		return nil
+	}
+
+	if c.rocTransmitRate == 0 {
+		return errZeroRocTransmitRate
+	}
+
+	switch c.profile {
+	case ProtectionProfileAeadAes128Gcm, ProtectionProfileAeadAes256Gcm:
+		// AEAD profiles support RCCMode3 only
+		if c.rccMode != RCCMode3 {
+			return errUnsupportedRccMode
+		}
+
+	case ProtectionProfileAes128CmHmacSha1_32,
+		ProtectionProfileAes256CmHmacSha1_32,
+		ProtectionProfileNullHmacSha1_32:
+		if c.authTagRTPLen == nil {
+			// ROC completely replaces auth tag for _32 profiles. If you really want to use 4-byte
+			// SRTP auth tag with RCC, use SRTPAuthenticationTagLength(4) option.
+			return errTooShortSRTPAuthTag
+		}
+
+		fallthrough // Checks below are common for _32 and _80 profiles.
+
+	case ProtectionProfileAes128CmHmacSha1_80,
+		ProtectionProfileAes256CmHmacSha1_80,
+		ProtectionProfileNullHmacSha1_80:
+		// AES-CM and NULL profiles support RCCMode2 only
+		if c.rccMode != RCCMode2 {
+			return errUnsupportedRccMode
+		}
+		if c.authTagRTPLen != nil && *c.authTagRTPLen < 4 {
+			return errTooShortSRTPAuthTag
+		}
+
+	default:
+		return errUnsupportedRccMode
+	}
+
+	return nil
+}

context_test.go

@@ -142,3 +142,77 @@ func TestContextRemoveMKI(t *testing.T) {
 	err = ctx.RemoveMKI(mki3)
 	assert.Error(t, err)
 }
+
+func TestInvalidContextOptions(t *testing.T) {
+	profiles := []ProtectionProfile{
+		ProtectionProfileAes128CmHmacSha1_80,
+		ProtectionProfileAes128CmHmacSha1_32,
+		ProtectionProfileAes256CmHmacSha1_80,
+		ProtectionProfileAes256CmHmacSha1_32,
+		ProtectionProfileNullHmacSha1_80,
+		ProtectionProfileNullHmacSha1_32,
+		ProtectionProfileAeadAes128Gcm,
+		ProtectionProfileAeadAes256Gcm,
+	}
+
+	for _, profile := range profiles {
+		t.Run(profile.String(), func(t *testing.T) {
+			keyLen, err := profile.KeyLen()
+			assert.NoError(t, err)
+			saltLen, err := profile.SaltLen()
+			assert.NoError(t, err)
+			authTagLen, err := profile.AuthTagRTPLen()
+			assert.NoError(t, err)
+			authKeyLen, err := profile.AuthKeyLen()
+			assert.NoError(t, err)
+
+			masterKey := make([]byte, keyLen)
+			masterSalt := make([]byte, saltLen)
+			aeadAuthTagLen, err := profile.AEADAuthTagLen()
+			assert.NoError(t, err)
+
+			t.Run("InvalidRCCContextOptions", func(t *testing.T) {
+				authTagLenOpt := SRTPAuthenticationTagLength(authTagLen)
+
+				_, err = CreateContext(masterKey, masterSalt, profile, RolloverCounterCarryingTransform(RCCMode1, 0),
+					authTagLenOpt)
+				assert.ErrorIs(t, err, errZeroRocTransmitRate)
+				_, err = CreateContext(masterKey, masterSalt, profile, RolloverCounterCarryingTransform(RCCMode2, 0),
+					authTagLenOpt)
+				assert.ErrorIs(t, err, errZeroRocTransmitRate)
+				_, err = CreateContext(masterKey, masterSalt, profile, RolloverCounterCarryingTransform(RCCMode3, 0),
+					authTagLenOpt)
+				assert.ErrorIs(t, err, errZeroRocTransmitRate)
+
+				_, err = CreateContext(masterKey, masterSalt, profile, RolloverCounterCarryingTransform(RCCMode1, 10),
+					authTagLenOpt)
+				assert.ErrorIs(t, err, errUnsupportedRccMode)
+				if aeadAuthTagLen == 0 { // AES-CM
+					_, err = CreateContext(masterKey, masterSalt, profile, RolloverCounterCarryingTransform(RCCMode3, 10),
+						authTagLenOpt)
+					assert.ErrorIs(t, err, errUnsupportedRccMode)
+
+					if authTagLen == 4 {
+						_, err = CreateContext(masterKey, masterSalt, profile, RolloverCounterCarryingTransform(RCCMode2, 10))
+						assert.ErrorIs(t, err, errTooShortSRTPAuthTag)
+					}
+
+					for n := 0; n < 4; n++ {
+						_, err = CreateContext(masterKey, masterSalt, profile, RolloverCounterCarryingTransform(RCCMode2, 10),
+							SRTPAuthenticationTagLength(n))
+						assert.ErrorIs(t, err, errTooShortSRTPAuthTag)
+					}
+				} else { // AEAD
+					_, err = CreateContext(masterKey, masterSalt, profile, RolloverCounterCarryingTransform(RCCMode2, 10),
+						authTagLenOpt)
+					assert.ErrorIs(t, err, errUnsupportedRccMode)
+				}
+			})
+
+			t.Run("InvalidSRTPAuthTagLen", func(t *testing.T) {
+				_, err = CreateContext(masterKey, masterSalt, profile, SRTPAuthenticationTagLength(authKeyLen+1))
+				assert.ErrorIs(t, err, errTooLongSRTPAuthTag)
+			})
+		})
+	}
+}

errors.go

@@ -31,11 +31,16 @@ var (
 	errMKIAlreadyInUse               = errors.New("MKI already in use")
 	errMKIIsNotEnabled               = errors.New("MKI is not enabled")
 	errInvalidMKILength              = errors.New("invalid MKI length")
+	errTooLongSRTPAuthTag            = errors.New("SRTP auth tag is too long")
+	errTooShortSRTPAuthTag           = errors.New("SRTP auth tag is too short")
 
 	errStreamNotInited     = errors.New("stream has not been inited, unable to close")
 	errStreamAlreadyClosed = errors.New("stream is already closed")
 	errStreamAlreadyInited = errors.New("stream is already inited")
 	errFailedTypeAssertion = errors.New("failed to cast child")
+
+	errZeroRocTransmitRate = errors.New("ROC transmit rate is zero")
+	errUnsupportedRccMode  = errors.New("unsupported RCC mode")
 )
 
 type duplicatedError struct {

option.go

@@ -104,6 +104,8 @@ func SRTPEncryption() ContextOption { // nolint:revive
 // SRTPNoEncryption disables SRTP encryption.
 // This option is useful when you want to use NullCipher for SRTP and keep authentication only.
 // It simplifies debugging and testing, but it is not recommended for production use.
+//
+// Note: you can also use SRTPAuthenticationTagLength(0) to disable authentication tag too.
 func SRTPNoEncryption() ContextOption { // nolint:revive
 	return func(c *Context) error {
 		c.encryptSRTP = false
@@ -131,3 +133,43 @@ func SRTCPNoEncryption() ContextOption {
 		return nil
 	}
 }
+
+// RolloverCounterCarryingTransform enables Rollover Counter Carrying Transform from RFC 4771.
+// ROC value is sent in Authentication Tag of SRTP packets every rocTransmitRate packets.
+//
+// RFC 4771 defines 3 RCC modes. pion/srtp supports mode RCCm2 for AES-CM and NULL profiles,
+// and mode RCCm3 for AES-GCM (AEAD) profiles.
+//
+// From RFC 4771: "[For modes RCCm1 and and RCCm3] the length of the MAC is shorter than the length
+// of the authentication tag. To achieve the same (or less) MAC forgery success probability on all
+// packets when using RCCm1 or RCCm2, as with the default integrity transform in RFC 3711,
+// the tag-length must be set to 14 octets, which means that the length of MAC_tr is 10 octets."
+//
+// Protection profiles ProtectionProfile*CmHmacSha1_32 uses 4-byte SRTP auth tag, so in RCCm2 mode
+// SRTP packets with ROC will not be integrity protected.
+//
+// You can increase the length of the authentication tag using SRTPAuthenticationTagLength option
+// to mitigate this issue.
+func RolloverCounterCarryingTransform(mode RCCMode, rocTransmitRate uint16) ContextOption {
+	return func(c *Context) error {
+		c.rccMode = mode
+		c.rocTransmitRate = rocTransmitRate
+
+		return nil
+	}
+}
+
+// SRTPAuthenticationTagLength sets length of SRTP authentication tag in bytes for AES-CM protection
+// profiles. Decreasing the length of the authentication tag is not recommended for production use,
+// as it decreases integrity protection.
+//
+// Zero value means that there is no authentication tag, what may be useful for debugging and testing.
+//
+// This option is ignored for AEAD profiles.
+func SRTPAuthenticationTagLength(authTagRTPLen int) ContextOption { // nolint:revive
+	return func(c *Context) error {
+		c.authTagRTPLen = &authTagRTPLen
+
+		return nil
+	}
+}

protection_profile_with_args.go

@@ -0,0 +1,21 @@
+// SPDX-FileCopyrightText: 2023 The Pion community <https://pion.ly>
+// SPDX-License-Identifier: MIT
+
+package srtp
+
+// protectionProfileWithArgs is a wrapper around ProtectionProfile that allows to
+// specify additional arguments for the profile.
+type protectionProfileWithArgs struct {
+	ProtectionProfile
+	authTagRTPLen *int
+}
+
+// AuthTagRTPLen returns length of RTP authentication tag in bytes for AES protection profiles.
+// For AEAD ones it returns zero.
+func (p protectionProfileWithArgs) AuthTagRTPLen() (int, error) {
+	if p.authTagRTPLen != nil {
+		return *p.authTagRTPLen, nil
+	}
+
+	return p.ProtectionProfile.AuthTagRTPLen()
+}

srtcp.go

@@ -10,6 +10,16 @@ import (
 	"github.com/pion/rtcp"
 )
 
+/*
+Simplified structure of SRTCP Packets:
+- RTCP Header
+- Payload
+- AEAD Auth Tag - used by AEAD profiles only
+- E flag and SRTCP Index
+- MKI (optional)
+- Auth Tag - used by non-AEAD profiles only
+*/
+
 const maxSRTCPIndex = 0x7FFFFFFF
 
 const srtcpHeaderSize = 8
@@ -42,7 +52,7 @@ func (c *Context) decryptRTCP(dst, encrypted []byte) ([]byte, error) {
 	cipher := c.cipher
 	if len(c.mkis) > 0 {
 		// Find cipher for MKI
-		actualMKI := c.cipher.getMKI(encrypted, false)
+		actualMKI := encrypted[len(encrypted)-mkiLen-authTagLen : len(encrypted)-authTagLen]
 		cipher, ok = c.mkis[string(actualMKI)]
 		if !ok {
 			return nil, ErrMKINotFound