webrtc_srtp/context/
srtp.rs

1use bytes::Bytes;
2use util::marshal::*;
3
4use super::*;
5use crate::error::Result;
6
7impl Context {
8    pub fn decrypt_rtp_with_header(
9        &mut self,
10        encrypted: &[u8],
11        header: &rtp::header::Header,
12    ) -> Result<Bytes> {
13        let auth_tag_len = self.cipher.rtp_auth_tag_len();
14        if encrypted.len() < header.marshal_size() + auth_tag_len {
15            return Err(Error::ErrTooShortRtp);
16        }
17
18        let state = self.get_srtp_ssrc_state(header.ssrc);
19        let (roc, diff, _) = state.next_rollover_count(header.sequence_number);
20        if let Some(replay_detector) = &mut state.replay_detector {
21            if !replay_detector.check(header.sequence_number as u64) {
22                return Err(Error::SrtpSsrcDuplicated(
23                    header.ssrc,
24                    header.sequence_number,
25                ));
26            }
27        }
28
29        let dst = self.cipher.decrypt_rtp(encrypted, header, roc)?;
30        {
31            let state = self.get_srtp_ssrc_state(header.ssrc);
32            if let Some(replay_detector) = &mut state.replay_detector {
33                replay_detector.accept();
34            }
35            state.update_rollover_count(header.sequence_number, diff);
36        }
37
38        Ok(dst)
39    }
40
41    /// DecryptRTP decrypts a RTP packet with an encrypted payload
42    pub fn decrypt_rtp(&mut self, encrypted: &[u8]) -> Result<Bytes> {
43        let mut buf = encrypted;
44        let header = rtp::header::Header::unmarshal(&mut buf)?;
45        self.decrypt_rtp_with_header(encrypted, &header)
46    }
47
48    pub fn encrypt_rtp_with_header(
49        &mut self,
50        payload: &[u8],
51        header: &rtp::header::Header,
52    ) -> Result<Bytes> {
53        let (roc, diff, ovf) = self
54            .get_srtp_ssrc_state(header.ssrc)
55            .next_rollover_count(header.sequence_number);
56        if ovf {
57            // ... when 2^48 SRTP packets or 2^31 SRTCP packets have been secured with the same key
58            // (whichever occurs before), the key management MUST be called to provide new master key(s)
59            // (previously stored and used keys MUST NOT be used again), or the session MUST be terminated.
60            // https://www.rfc-editor.org/rfc/rfc3711#section-9.2
61            return Err(Error::ErrExceededMaxPackets);
62        }
63
64        let dst = self.cipher.encrypt_rtp(payload, header, roc)?;
65
66        self.get_srtp_ssrc_state(header.ssrc)
67            .update_rollover_count(header.sequence_number, diff);
68
69        Ok(dst)
70    }
71
72    /// EncryptRTP marshals and encrypts an RTP packet, writing to the dst buffer provided.
73    /// If the dst buffer does not have the capacity to hold `len(plaintext) + 10` bytes, a new one will be allocated and returned.
74    pub fn encrypt_rtp(&mut self, plaintext: &[u8]) -> Result<Bytes> {
75        let mut buf = plaintext;
76        let header = rtp::header::Header::unmarshal(&mut buf)?;
77        self.encrypt_rtp_with_header(plaintext, &header)
78    }
79}