SRTP交叉编译与移植

1 SRTP源码下载

源码下载在github采用的库为libsrtp2.5.0:

weget https://github.com/cisco/libsrtp/archive/refs/tags/v2.5.0.tar.gz

2 SRTP交叉编译

新增交叉编译脚本,这里需要支持openssl。

./configure --host=arm-linux-androideabi --prefix=$(pwd)/object --enable-openssl crypto_LIBS="-L$(pwd)/../../third_party/openssl-1.1.0h/lib" crypto_CFLAGS="-I$(pwd)/../../third_party/openssl-1.1.0h/include" && make && make install

下面是交叉编译过程

tar -xvf libsrtp-2.5.0.tar.gz
cd libsrtp-2.5.0
touch config_android.sh
./config_android.sh
./

成果物主要包括头文件和静态库:
SRTP交叉编译与移植_第1张图片

3 SRTP移植

3.1 API封装设计

API设计采用handle的实现方式,init只需要进程初始化一次。srtp_app_alloc需要每次会话创建都进行一次初始化,需要传入srtp秘钥。protect和unprotect是实时进行加解密操作。

//srtp handle
typedef struct srtp_handle_t{
	int (*protect)(void *pthis, void *rtp, size_t *pkt_octet_len);
	int (*unprotect)(void *pthis, void *audio_dat, size_t *pkt_octet_len);
	void* priv;
}srtp_handle_t;

#ifdef __cplusplus
extern "C" {
#endif
// 初始化
int srtp_app_init();
void srtp_app_denit();
//会话创建
int srtp_app_alloc(srtp_handle_t **pthis, const char *srtp_dec, const char *srtp_enc);
void srtp_app_free(srtp_handle_t *pthis);

3.2 初始化实现

初始化和反初始化,只需要在开启进程初始化一次。

int srtp_app_init()
{
	int ret = srtp_init();
	if(ret < 0)
		return -1;
	
	return 0;
}

void srtp_app_denit()
{
    srtp_shutdown();
}

3.3 会话创建实现

会话创建和销毁,需要每次建立会话都要重新创建,每次的秘钥都需要采用协商的加密和解密秘钥。

static int srtp_app_set_crypto_suites(int profile, srtp_crypto_policy_t *rtp)
{
	if(rtp == NULL)
	{
		return -1;
	}
	
	switch (profile)
	{
		case rl_srtp_profile_aes128_cm_sha1_32:
		{
			srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(rtp);
			rl_log_debug("loc srtp_profile_aes128_cm_sha1_32");
			break;
		}
		case rl_srtp_profile_aes128_cm_sha1_80:
		{
			srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(rtp);
			rl_log_debug("loc srtp_profile_aes128_cm_sha1_80");
			break;
		}
		case rl_srtp_profile_aes256_cm_sha1_32:
		{
			srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(rtp);
			rl_log_debug("loc srtp_profile_aes256_cm_sha1_32");
			break;
		}			
		case rl_srtp_profile_aes256_cm_sha1_80:
		{
			srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(rtp);
			rl_log_debug("loc srtp_profile_aes256_cm_sha1_80");
			break;
		}
	
		default:
		{
			rl_log_debug("loc policy none");
			break;
		}
	}
	return 0;
	
}

static int srtp_app_start(void *pthis, const char *srtp_dec, const char *strp_enc)
{
	rl_log_debug("SRTP start");
	srtp_config_t srtp_config_loc;
	srtp_config_t srtp_config_dist;
	srtp_handle_t *p = (srtp_handle_t *)pthis;
	
	if((!pthis || !srtp_dec || !strp_enc || strlen(srtp_dec) == 0 || strlen(strp_enc) == 0))
		return -1;
	
	srtp_handle_priv_t* priv = p->priv;
	if (!priv)
		return -1;	
	
	int ret = srtp_parse_config(strp_enc, &srtp_config_loc);
	if ( ret < 0 )
	{
		return ret;
	}
	
	ret = srtp_parse_config(srtp_dec, &srtp_config_dist);
	if ( ret < 0 )
	{
		return ret;
	}

	priv->srtp_opt = 1;	
	
	memcpy(priv->srtp_params.key_loc, srtp_config_loc.key, 30);
	memcpy(priv->srtp_params.key_dist, srtp_config_dist.key, 30);
	
	srtp_app_set_crypto_suites(srtp_config_loc.profile, &priv->srtp_params.policy_loc.rtp);
	
	priv->srtp_params.policy_loc.key = priv->srtp_params.key_loc;
	priv->srtp_params.policy_loc.next = NULL;
	
	srtp_app_set_crypto_suites(srtp_config_dist.profile, &priv->srtp_params.policy_dist.rtp);
	
	priv->srtp_params.policy_dist.ssrc.type = ssrc_any_inbound;
	priv->srtp_params.policy_dist.key = priv->srtp_params.key_dist;
	priv->srtp_params.policy_dist.next = NULL;
	rl_log_debug("srtp_create ret=%i", srtp_create(&priv->srtp_params.scall_session, 
		&priv->srtp_params.policy_dist));

	return 0;
}

static void srtp_app_stop(void *pthis)
{
	srtp_handle_t *p = (srtp_handle_t *)pthis;
	if(!pthis)
		return;
	srtp_handle_priv_t* priv = p->priv;
	if (!priv)
		return;
	
	rl_log_debug("SRTP stop\n");
	if (priv->srtp_opt > 0)
	{
		priv->srtp_opt = 0;
		
		priv->srtp_params.prev_ssrc = 0;
		rl_memset(priv->srtp_params.key_loc, 0, sizeof(priv->srtp_params.key_loc));
		rl_memset(priv->srtp_params.key_dist, 0, sizeof(priv->srtp_params.key_dist));
		rl_log_debug("srtp_dealloc ret=%i", srtp_dealloc(priv->srtp_params.scall_session)); 
	}
}

int srtp_app_alloc(srtp_handle_t **pthis, const char *srtp_dec, const char *srtp_enc)
{
	if(!pthis)
		return -1;

	srtp_handle_t* p = (srtp_handle_t*)malloc(sizeof(srtp_handle_t));
	if (p == NULL)
	{
		rl_log_err("[%s-%d] malloc failed.",__FUNCTION__, __LINE__);
		return -1;
	}
	memset(p, 0, sizeof(srtp_handle_t));
	p->protect = srtp_app_protect;
	p->unprotect = srtp_app_unprotect;

	p->priv = (srtp_handle_priv_t *)malloc(sizeof(srtp_handle_priv_t));
	if(!p->priv)
	{
		free(p);
		return -1;
	}
	memset(p->priv , 0, sizeof(srtp_handle_priv_t));
	int ret = srtp_app_start(p, srtp_dec, srtp_enc);
	if (ret != 0)
	{
		srtp_app_free(p);
		return -1;
	}

	*pthis = p;
	
	return 0;

}

void srtp_app_free(srtp_handle_t *pthis)
{
	if(!pthis)
		return;
	
	srtp_app_stop(pthis);
	
	if (pthis->priv){
		free(pthis->priv);
		pthis->priv = NULL;
	}
		
	free(pthis);

}

3.4 加解密实现

加密和解密只需要传入rtp封装后的数据和长度即可进行加解密操作,操作后数据是直接替换原数据的。

static int srtp_app_protect(void *pthis, void *rtp, size_t *pkt_octet_len)
{	
	if(!pthis || !rtp || !pkt_octet_len)
		return -1;

	int ret = 0;
	unsigned int current_ssrc;
	srtp_handle_t *p = (srtp_handle_t *)pthis;
	srtp_handle_priv_t* priv = p->priv;
	if (!priv)
		return -1;
		
	srtp_t session = priv->srtp_params.scall_session;
	if(priv->srtp_opt)
	{		
		current_ssrc = *((unsigned int *)((char *)rtp + 8));
		current_ssrc = htonl(current_ssrc);
		if(priv->srtp_params.prev_ssrc != current_ssrc) 
		{
			if (priv->srtp_params.prev_ssrc > 0 )
			{
				srtp_app_remove_stream(priv->srtp_params.scall_session, priv->srtp_params.prev_ssrc);
			}
			priv->srtp_params.policy_loc.ssrc.type = ssrc_specific;
			priv->srtp_params.policy_loc.ssrc.value = current_ssrc;
			rl_log_debug("new ssrc 0x%x, %u", current_ssrc,current_ssrc);
			srtp_app_add_stream(priv->srtp_params.scall_session, &priv->srtp_params.policy_loc);

		    priv->srtp_params.prev_ssrc = current_ssrc;
	   	}

		ret = srtp_protect(priv->srtp_params.scall_session, rtp, (int *)pkt_octet_len);
		if(ret > 0)
		{
			rl_log_err("--srtp_protect problem ret=%i", ret);
			return -1;
		}
		
	}
	return 0;
}

static int srtp_app_unprotect(void *pthis, void *audio_dat, size_t *pkt_octet_len)
{
	if(!pthis || !audio_dat || !pkt_octet_len)
		return -1;

	int ret = 0;
	srtp_handle_t *p = (srtp_handle_t *)pthis;
	srtp_handle_priv_t* priv = p->priv;
	if (!priv)
		return -1;
	
	srtp_t session = priv->srtp_params.scall_session;
	 
	if(priv->srtp_opt)
	{
		ret = srtp_unprotect(priv->srtp_params.scall_session, audio_dat, (int *)pkt_octet_len);
		if(ret > 0)
		{
			/* If the decryption fail then d'nt give this packet to DSP throw the packets */
			rl_log_err("rtp_SRtpPlRecv srtp unencryption problems ret=%i", ret);
			return -1;
		}
	}
	return 0;
}

4 SRTP抓包分析

SRTP加密后可以通过wareshark抓包看到协议部分是显示SRTP,具体如下图所示。

其实wareshark是通过sip协商RTP/SAVP来显示srtp的标识,所以SDP协商一定要正确。

你可能感兴趣的:(音视频传输安全,音视频,安全,srtp)