#6 Add MKI support to libsrtp


The enclosed patch adds MKI support to libsrtp. The test suite has been updated so that it continues to work. However, there are no new tests that verifies the MKI implementation.

The API is changed to make it possible to specify more than one key. There is however currently no support for actually using more than one key. This change was made to reduce the number of times users of this library will have to update their code.

The patch also fixes two other issues:

srtp_unprotect() and srtp_unprotect_rtcp() didn't properly check that it didn't read past the supplied packet. It may have been possible to construct an evil packet that will cause a buffer overflow, but I have not fully analyzed this. It was easier to just add some defensive code. As a result, srtp_unprotect() and srtp_unprotect_rtcp() can now fail with err_status_parse_err. (Maybe a new error code should have been added instead?)

SRTCP was misspelled as "srtpc" in a comment.

Known issue:

SRTP_MAX_MKI_LEN has been added, and somewhat arbitrarily set at 128. This define is actually only used to compute a new and larger value for SRTP_MAX_TRAILER_LEN. Since the MKI can be of any size, and most sensible applications only use at most 4 bytes for it, it makes little sense to punish all applications with 128 bytes overhead. Maybe srtp_get_trailer_length() should be reinstated? It could return the proper value for a particular stream.


  • Per Cederqvist

    Per Cederqvist - 2007-05-25

    Add MKI support

    • suzaichuan

      suzaichuan - 2014-07-15

      I used the patch;but there is a coredump happened. the following is infos about coredump:
      Program terminated with signal 10, Bus error.

      0 0x0000005559abf18c in srtp_get_stream () from /usr/lib/libsrtp.so

      (gdb) bt

      0 0x0000005559abf18c in srtp_get_stream () from /usr/lib/libsrtp.so

      1 0x0000005559abdc70 in srtp_protect () from /usr/lib/libsrtp.so

      I checked;when callee answered ,it will core. (this is a sip call)

      it seems early media ok,but cannot answer the call. who can tell me why?
      by the way, how can I debug the libsrtp? I found syslog or stdout no any message even though adding enable syslog when compiling.

  • Jaap Keuter

    Jaap Keuter - 2007-12-17

    Logged In: YES
    Originator: NO

    This would do the trick. Send an RTP packet with extended header and the fake length will cause both the enc_start pointer to point past the buffer and the enc_octet_len to wrap to a large value.
    Fortunately the AES ICM cipher won't accept the large buffer (tested), AES CBC might (untested) and f8 mode isn't available.

    --- srtp/srtp/srtp.c 2006-07-18 21:45:46.000000000 +0200
    +++ srtp/srtp/srtp.c 2007-12-10 16:32:18.000000000 +0100
    @@ -696,0 +696,1 @@ srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) {
    if (hdr->x == 1) {
    srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
    enc_start += (ntohs(xtn_hdr->length) + 1);
    + xtn_hdr->length = 0xffff;
    enc_octet_len = (unsigned int)(*pkt_octet_len
    - ((enc_start - (uint32_t *)hdr) << 2));


Log in to post a comment.