Fix packet length validation, new cipher tests

sirzooro · sirzooro · commit a3ec2e644ddf · 2024-07-07T17:27:03.000+02:00
This is v2 CP of two commits from master:

Fix packet length validation
Missing packet length validations could cause crash.

New SRTP cipher test suite
Moved tests from srtp_cipher_aead_aes_gcm_test.go to new file, cleaned
up their code to make it more DRY. Added tests for AES CM ciphers there
too.
This new cipher test suite will make it easier to add tests for new
SRTP features without lots of copy/paste.
diff --git a/errors.go b/errors.go
@@ -18,7 +18,8 @@ var (
 	errNoConfig                      = errors.New("no config provided")
 	errNoConn                        = errors.New("no conn provided")
 	errFailedToVerifyAuthTag         = errors.New("failed to verify auth tag")
-	errTooShortRTCP                  = errors.New("packet is too short to be rtcp packet")
+	errTooShortRTP                   = errors.New("packet is too short to be RTP packet")
+	errTooShortRTCP                  = errors.New("packet is too short to be RTCP packet")
 	errPayloadDiffers                = errors.New("payload differs")
 	errStartedChannelUsedIncorrectly = errors.New("started channel used incorrectly, should only be closed")
 	errBadIVLength                   = errors.New("bad iv length in xorBytesCTR")
diff --git a/protection_profile.go b/protection_profile.go
@@ -84,3 +84,18 @@ func (p ProtectionProfile) authKeyLen() (int, error) {
 		return 0, fmt.Errorf("%w: %#v", errNoSuchSRTPProfile, p)
 	}
 }
+
+func (p ProtectionProfile) String() string {
+	switch p {
+	case ProtectionProfileAes128CmHmacSha1_80:
+		return "SRTP_AES128_CM_HMAC_SHA1_80"
+	case ProtectionProfileAes128CmHmacSha1_32:
+		return "SRTP_AES128_CM_HMAC_SHA1_32"
+	case ProtectionProfileAeadAes128Gcm:
+		return "SRTP_AEAD_AES_128_GCM"
+	case ProtectionProfileAeadAes256Gcm:
+		return "SRTP_AEAD_AES_256_GCM"
+	default:
+		return fmt.Sprintf("Unknown SRTP profile: %#v", p)
+	}
+}
diff --git a/srtcp.go b/srtcp.go
@@ -63,6 +63,10 @@ func (c *Context) DecryptRTCP(dst, encrypted []byte, header *rtcp.Header) ([]byt
 }
 
 func (c *Context) encryptRTCP(dst, decrypted []byte) ([]byte, error) {
+	if len(decrypted) < 8 {
+		return nil, fmt.Errorf("%w: %d", errTooShortRTCP, len(decrypted))
+	}
+
 	ssrc := binary.BigEndian.Uint32(decrypted[4:])
 	s := c.getSRTCPSSRCState(ssrc)
 
diff --git a/srtcp_test.go b/srtcp_test.go
@@ -594,3 +594,27 @@ func TestRTCPReplayDetectorFactory(t *testing.T) {
 	}
 	assert.Equal(1, cntFactory)
 }
+
+func TestDecryptInvalidSRTCP(t *testing.T) {
+	assert := assert.New(t)
+	key := []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}
+	salt := []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}
+	decryptContext, err := CreateContext(key, salt, ProtectionProfileAes128CmHmacSha1_80)
+	assert.NoError(err)
+
+	packet := []byte{0x8f, 0x48, 0xff, 0xff, 0xec, 0x77, 0xb0, 0x43, 0xf9, 0x04, 0x51, 0xff, 0xfb, 0xdf}
+	_, err = decryptContext.DecryptRTCP(nil, packet, nil)
+	assert.Error(err)
+}
+
+func TestEncryptInvalidRTCP(t *testing.T) {
+	assert := assert.New(t)
+	key := []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}
+	salt := []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}
+	decryptContext, err := CreateContext(key, salt, ProtectionProfileAes128CmHmacSha1_80)
+	assert.NoError(err)
+
+	packet := []byte{0xbb, 0xbb, 0x0a, 0x2f}
+	_, err = decryptContext.EncryptRTCP(nil, packet, nil)
+	assert.Error(err)
+}
diff --git a/srtp.go b/srtp.go
@@ -9,6 +9,15 @@ import (
 )
 
 func (c *Context) decryptRTP(dst, ciphertext []byte, header *rtp.Header, headerLen int) ([]byte, error) {
+	authTagLen, err := c.cipher.rtpAuthTagLen()
+	if err != nil {
+		return nil, err
+	}
+
+	if len(ciphertext) < headerLen+authTagLen {
+		return nil, errTooShortRTP
+	}
+
 	s := c.getSRTPSSRCState(header.SSRC)
 
 	roc, diff, _ := s.nextRolloverCount(header.SequenceNumber)
@@ -21,10 +30,6 @@ func (c *Context) decryptRTP(dst, ciphertext []byte, header *rtp.Header, headerL
 		}
 	}
 
-	authTagLen, err := c.cipher.rtpAuthTagLen()
-	if err != nil {
-		return nil, err
-	}
 	dst = growBufferSize(dst, len(ciphertext)-authTagLen)
 
 	dst, err = c.cipher.decryptRTP(dst, ciphertext, header, headerLen, roc)
diff --git a/srtp_cipher_aead_aes_gcm_test.go b/srtp_cipher_aead_aes_gcm_test.go
diff --git a/srtp_cipher_aes_cm_hmac_sha1.go b/srtp_cipher_aes_cm_hmac_sha1.go
@@ -161,6 +161,9 @@ func (s *srtpCipherAesCmHmacSha1) decryptRTCP(out, encrypted []byte, index, ssrc
 		return nil, err
 	}
 	tailOffset := len(encrypted) - (authTagLen + srtcpIndexSize)
+	if tailOffset < 8 {
+		return nil, errTooShortRTCP
+	}
 	out = out[0:tailOffset]
 
 	expectedTag, err := s.generateSrtcpAuthTag(encrypted[:len(encrypted)-authTagLen])
diff --git a/srtp_cipher_test.go b/srtp_cipher_test.go
diff --git a/srtp_test.go b/srtp_test.go

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,10 @@ func (c Context) DecryptRTCP(dst, encrypted []byte, header rtcp.Header) ([]byt`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`func (c *Context) encryptRTCP(dst, decrypted []byte) ([]byte, error) {`
	`66`	`+ if len(decrypted) < 8 {`
	`67`	`+ return nil, fmt.Errorf("%w: %d", errTooShortRTCP, len(decrypted))`
	`68`	`+ }`
	`69`	`+`
`66`	`70`	`ssrc := binary.BigEndian.Uint32(decrypted[4:])`
`67`	`71`	`s := c.getSRTCPSSRCState(ssrc)`
`68`	`72`
Original file line number	Diff line number	Diff line change
`@@ -161,6 +161,9 @@ func (s *srtpCipherAesCmHmacSha1) decryptRTCP(out, encrypted []byte, index, ssrc`
`161`	`161`	`return nil, err`
`162`	`162`	`}`
`163`	`163`	`tailOffset := len(encrypted) - (authTagLen + srtcpIndexSize)`
	`164`	`+ if tailOffset < 8 {`
	`165`	`+ return nil, errTooShortRTCP`
	`166`	`+ }`
`164`	`167`	`out = out[0:tailOffset]`
`165`	`168`
`166`	`169`	`expectedTag, err := s.generateSrtcpAuthTag(encrypted[:len(encrypted)-authTagLen])`