Adds support for AEAD_AES_256_GCM

pion · May 16, 2023 · 2b6bcfb · 2b6bcfb
1 parent 32e385b
commit 2b6bcfb
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 7 deletions.
diff --git a/context.go b/context.go
@@ -88,7 +88,7 @@ func CreateContext(masterKey, masterSalt []byte, profile ProtectionProfile, opts
 	}
 
 	switch profile {
-	case ProtectionProfileAeadAes128Gcm:
+	case ProtectionProfileAeadAes128Gcm, ProtectionProfileAeadAes256Gcm:
 		c.cipher, err = newSrtpCipherAeadAesGcm(profile, masterKey, masterSalt)
 	case ProtectionProfileAes128CmHmacSha1_32, ProtectionProfileAes128CmHmacSha1_80:
 		c.cipher, err = newSrtpCipherAesCmHmacSha1(profile, masterKey, masterSalt)

diff --git a/protection_profile.go b/protection_profile.go
@@ -14,12 +14,15 @@ const (
 	ProtectionProfileAes128CmHmacSha1_80 ProtectionProfile = 0x0001
 	ProtectionProfileAes128CmHmacSha1_32 ProtectionProfile = 0x0002
 	ProtectionProfileAeadAes128Gcm       ProtectionProfile = 0x0007
+	ProtectionProfileAeadAes256Gcm       ProtectionProfile = 0x0008
 )
 
 func (p ProtectionProfile) keyLen() (int, error) {
 	switch p {
 	case ProtectionProfileAes128CmHmacSha1_32, ProtectionProfileAes128CmHmacSha1_80, ProtectionProfileAeadAes128Gcm:
 		return 16, nil
+	case ProtectionProfileAeadAes256Gcm:
+		return 32, nil
 	default:
 		return 0, fmt.Errorf("%w: %#v", errNoSuchSRTPProfile, p)
 	}
@@ -29,7 +32,7 @@ func (p ProtectionProfile) saltLen() (int, error) {
 	switch p {
 	case ProtectionProfileAes128CmHmacSha1_32, ProtectionProfileAes128CmHmacSha1_80:
 		return 14, nil
-	case ProtectionProfileAeadAes128Gcm:
+	case ProtectionProfileAeadAes128Gcm, ProtectionProfileAeadAes256Gcm:
 		return 12, nil
 	default:
 		return 0, fmt.Errorf("%w: %#v", errNoSuchSRTPProfile, p)
@@ -42,7 +45,7 @@ func (p ProtectionProfile) rtpAuthTagLen() (int, error) {
 		return 10, nil
 	case ProtectionProfileAes128CmHmacSha1_32:
 		return 4, nil
-	case ProtectionProfileAeadAes128Gcm:
+	case ProtectionProfileAeadAes128Gcm, ProtectionProfileAeadAes256Gcm:
 		return 0, nil
 	default:
 		return 0, fmt.Errorf("%w: %#v", errNoSuchSRTPProfile, p)
@@ -53,7 +56,7 @@ func (p ProtectionProfile) rtcpAuthTagLen() (int, error) {
 	switch p {
 	case ProtectionProfileAes128CmHmacSha1_32, ProtectionProfileAes128CmHmacSha1_80:
 		return 10, nil
-	case ProtectionProfileAeadAes128Gcm:
+	case ProtectionProfileAeadAes128Gcm, ProtectionProfileAeadAes256Gcm:
 		return 0, nil
 	default:
 		return 0, fmt.Errorf("%w: %#v", errNoSuchSRTPProfile, p)
@@ -64,7 +67,7 @@ func (p ProtectionProfile) aeadAuthTagLen() (int, error) {
 	switch p {
 	case ProtectionProfileAes128CmHmacSha1_32, ProtectionProfileAes128CmHmacSha1_80:
 		return 0, nil
-	case ProtectionProfileAeadAes128Gcm:
+	case ProtectionProfileAeadAes128Gcm, ProtectionProfileAeadAes256Gcm:
 		return 16, nil
 	default:
 		return 0, fmt.Errorf("%w: %#v", errNoSuchSRTPProfile, p)
@@ -75,7 +78,7 @@ func (p ProtectionProfile) authKeyLen() (int, error) {
 	switch p {
 	case ProtectionProfileAes128CmHmacSha1_32, ProtectionProfileAes128CmHmacSha1_80:
 		return 20, nil
-	case ProtectionProfileAeadAes128Gcm:
+	case ProtectionProfileAeadAes128Gcm, ProtectionProfileAeadAes256Gcm:
 		return 0, nil
 	default:
 		return 0, fmt.Errorf("%w: %#v", errNoSuchSRTPProfile, p)

diff --git a/srtp_cipher_aead_aes_gcm_test.go b/srtp_cipher_aead_aes_gcm_test.go
@@ -9,7 +9,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestSrtpCipherAedAesGcm(t *testing.T) {
+func TestSrtpCipherAedAes128Gcm(t *testing.T) {
 	decryptedRTPPacket := []byte{
 		0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
 		0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab,
@@ -85,3 +85,80 @@ func TestSrtpCipherAedAesGcm(t *testing.T) {
 		})
 	})
 }
+
+func TestSrtpCipherAedAes256Gcm(t *testing.T) {
+	decryptedRTPPacket := []byte{
+		0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+		0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab,
+		0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+		0xab, 0xab, 0xab, 0xab,
+	}
+	encryptedRTPPacket := []byte{
+		0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+		0xca, 0xfe, 0xba, 0xbe, 0x0b, 0x16, 0x5c, 0x30,
+		0xca, 0xa3, 0xae, 0xce, 0xc6, 0x18, 0x45, 0x92,
+		0x2e, 0x74, 0xb9, 0x7f, 0xb, 0x2b, 0x50, 0x03,
+		0x7a, 0x6c, 0x86, 0x8a, 0xa7, 0xf4, 0x39, 0xfd,
+		0xbc, 0x0e, 0x11, 0x67,
+	}
+	decryptedRtcpPacket := []byte{
+		0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe,
+		0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+		0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+	}
+	encryptedRtcpPacket := []byte{
+		0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe,
+		0xe8, 0x0e, 0x69, 0x88, 0x59, 0x1b, 0xaf, 0xc8,
+		0x28, 0x33, 0x5c, 0x29, 0x0a, 0x0f, 0xa9, 0x18,
+		0xf2, 0x84, 0xf2, 0x90, 0xa3, 0xaa, 0x4b, 0xe5,
+		0x35, 0xa4, 0x28, 0xc6, 0xa0, 0xd7, 0x1e, 0xef,
+		0x80, 0x00, 0x00, 0x01,
+	}
+
+	masterKey := []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}
+	masterSalt := []byte{0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab}
+
+	t.Run("Encrypt RTP", func(t *testing.T) {
+		ctx, err := CreateContext(masterKey, masterSalt, ProtectionProfileAeadAes256Gcm)
+		assert.NoError(t, err)
+
+		t.Run("New Allocation", func(t *testing.T) {
+			actualEncrypted, err := ctx.EncryptRTP(nil, decryptedRTPPacket, nil)
+			assert.NoError(t, err)
+			assert.Equal(t, encryptedRTPPacket, actualEncrypted)
+		})
+	})
+
+	t.Run("Decrypt RTP", func(t *testing.T) {
+		ctx, err := CreateContext(masterKey, masterSalt, ProtectionProfileAeadAes256Gcm)
+		assert.NoError(t, err)
+
+		t.Run("New Allocation", func(t *testing.T) {
+			actualDecrypted, err := ctx.DecryptRTP(nil, encryptedRTPPacket, nil)
+			assert.NoError(t, err)
+			assert.Equal(t, decryptedRTPPacket, actualDecrypted)
+		})
+	})
+
+	t.Run("Encrypt RTCP", func(t *testing.T) {
+		ctx, err := CreateContext(masterKey, masterSalt, ProtectionProfileAeadAes256Gcm)
+		assert.NoError(t, err)
+
+		t.Run("New Allocation", func(t *testing.T) {
+			actualEncrypted, err := ctx.EncryptRTCP(nil, decryptedRtcpPacket, nil)
+			assert.NoError(t, err)
+			assert.Equal(t, encryptedRtcpPacket, actualEncrypted)
+		})
+	})
+
+	t.Run("Decrypt RTCP", func(t *testing.T) {
+		ctx, err := CreateContext(masterKey, masterSalt, ProtectionProfileAeadAes256Gcm)
+		assert.NoError(t, err)
+
+		t.Run("New Allocation", func(t *testing.T) {
+			actualDecrypted, err := ctx.DecryptRTCP(nil, encryptedRtcpPacket, nil)
+			assert.NoError(t, err)
+			assert.Equal(t, decryptedRtcpPacket, actualDecrypted)
+		})
+	})
+}