Merge pull request #6888 from SparkiDev/srtp_kdf

SRTP/SRTCP KDF: add implementation
2023-11-07 10:11:43 -07:00 · 2023-11-07 10:11:43 -07:00 · 8921a720a1
parent a6de9cd06f 8c3e1dbf48
commit 8921a720a1
9 changed files with 951 additions and 5 deletions
--- a/configure.ac
+++ b/configure.ac
@ -3547,6 +3547,22 @@ then
  AM_CFLAGS="$AM_CFLAGS -DHAVE_X963_KDF"
 fi

+# SRTP-KDF
+AC_ARG_ENABLE([srtp-kdf],
+    [AS_HELP_STRING([--enable-srtp-kdf],[Enable SRTP-KDF support (default: disabled)])],
+    [ ENABLED_SRTP_KDF=$enableval ],
+    [ ENABLED_SRTP_KDF=no ]
+    )
+if test "$ENABLED_SRTP" = "yes"
+then
+  ENABLED_SRTP_KDF="yes"
+fi
+if test "$ENABLED_SRTP_KDF" = "yes"
+then
+  AM_CFLAGS="$AM_CFLAGS -DWC_SRTP_KDF -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT"
+fi
+
+
 # DSA
 AC_ARG_ENABLE([dsa],
    [AS_HELP_STRING([--enable-dsa],[Enable DSA (default: disabled)])],
@ -9583,6 +9599,7 @@ echo "   * wolfCrypt Only:             $ENABLED_CRYPTONLY"
 echo "   * HKDF:                       $ENABLED_HKDF"
 echo "   * HPKE:                       $ENABLED_HPKE"
 echo "   * X9.63 KDF:                  $ENABLED_X963KDF"
+echo "   * SRTP-KDF:                   $ENABLED_SRTP_KDF"
 echo "   * PSK:                        $ENABLED_PSK"
 echo "   * Poly1305:                   $ENABLED_POLY1305"
 echo "   * LEANPSK:                    $ENABLED_LEANPSK"
--- a/doc/dox_comments/header_files/doxygen_groups.h
+++ b/doc/dox_comments/header_files/doxygen_groups.h
@ -206,6 +206,7 @@
    \defgroup RSA Algorithms - RSA
    \defgroup SHA Algorithms - SHA 128/224/256/384/512
    \defgroup SipHash Algorithm - SipHash
+    \defgroup SrtpKdf Algorithm - SRTP KDF
    \defgroup SRP Algorithms - SRP

    \defgroup ASN ASN.1
--- a/doc/dox_comments/header_files/doxygen_pages.h
+++ b/doc/dox_comments/header_files/doxygen_pages.h
@ -57,6 +57,7 @@
        <li>\ref RSA</li>
        <li>\ref SHA</li>
        <li>\ref SipHash</li>
+        <li>\ref SrtpKdf</li>
        <li>\ref SRP</li>
    </ul>
 */
--- a/doc/dox_comments/header_files/kdf.h
+++ b/doc/dox_comments/header_files/kdf.h
@ -0,0 +1,126 @@
+
+/*!
+    \ingroup SrtpKdf
+
+    \brief This function derives keys using SRTP KDF algorithm.
+
+    \return 0 Returned upon successful key derviation.
+    \return BAD_FUNC_ARG Returned when key or salt is NULL
+    \return BAD_FUNC_ARG Returned when key length is not 16, 24 or 32.
+    \return BAD_FUNC_ARG Returned when saltSz is larger than 14.
+    \return BAD_FUNC_ARG Returned when kdrIdx is less than -1 or larger than 24.
+    \return MEMORY_E on dynamic memory allocation failure.
+
+    \param [in] key Key to use with encryption.
+    \param [in] keySz Size of key in bytes.
+    \param [in] salt Random non-secret value.
+    \param [in] saltSz Size of random in bytes.
+    \param [in] kdrIdx Key derivation rate. kdr = 0 when -1, otherwise kdr = 2^kdrIdx.
+    \param [in] index Index value to XOR in.
+    \param [out] key1 First key. Label value of 0x00.
+    \param [in] key1Sz Size of first key in bytes.
+    \param [out] key2 Second key. Label value of 0x01.
+    \param [in] key2Sz Size of second key in bytes.
+    \param [out] key3 Third key. Label value of 0x02.
+    \param [in] key3Sz Size of third key in bytes.
+
+
+    _Example_
+    \code
+    unsigned char key[16] = { ... };
+    unsigned char salt[14] = { ... };
+    unsigned char index[6] = { ... };
+    unsigned char keyE[16];
+    unsigned char keyA[20];
+    unsigned char keyS[14];
+    int kdrIdx = 0; // Use all of index
+    int ret;
+
+    ret = wc_SRTP_KDF(key, sizeof(key), salt, sizeof(salt), kdrIdx, index,
+        keyE, sizeof(keyE), keyA, sizeof(keyA), keyS, sizeof(keyS));
+    if (ret != 0) {
+        WOLFSSL_MSG("wc_SRTP_KDF failed");
+    }
+    \endcode
+
+    \sa wc_SRTCP_KDF
+    \sa wc_SRTP_KDF_kdr_to_idx
+*/
+int wc_SRTP_KDF(const byte* key, word32 keySz, const byte* salt, word32 saltSz,
+        int kdrIdx, const byte* index, byte* key1, word32 key1Sz, byte* key2,
+        word32 key2Sz, byte* key3, word32 key3Sz);
+
+/*!
+    \ingroup SrtpKdf
+
+    \brief This function derives keys using SRTCP KDF algorithm.
+
+    \return 0 Returned upon successful key derviation.
+    \return BAD_FUNC_ARG Returned when key or salt is NULL
+    \return BAD_FUNC_ARG Returned when key length is not 16, 24 or 32.
+    \return BAD_FUNC_ARG Returned when saltSz is larger than 14.
+    \return BAD_FUNC_ARG Returned when kdrIdx is less than -1 or larger than 24.
+    \return MEMORY_E on dynamic memory allocation failure.
+
+    \param [in] key Key to use with encryption.
+    \param [in] keySz Size of key in bytes.
+    \param [in] salt Random non-secret value.
+    \param [in] saltSz Size of random in bytes.
+    \param [in] kdrIdx Key derivation rate. kdr = 0 when -1, otherwise kdr = 2^kdrIdx.
+    \param [in] index Index value to XOR in.
+    \param [out] key1 First key. Label value of 0x00.
+    \param [in] key1Sz Size of first key in bytes.
+    \param [out] key2 Second key. Label value of 0x01.
+    \param [in] key2Sz Size of second key in bytes.
+    \param [out] key3 Third key. Label value of 0x02.
+    \param [in] key3Sz Size of third key in bytes.
+
+
+    _Example_
+    \code
+    unsigned char key[16] = { ... };
+    unsigned char salt[14] = { ... };
+    unsigned char index[4] = { ... };
+    unsigned char keyE[16];
+    unsigned char keyA[20];
+    unsigned char keyS[14];
+    int kdrIdx = 0; // Use all of index
+    int ret;
+
+    ret = wc_SRTCP_KDF(key, sizeof(key), salt, sizeof(salt), kdrIdx, index,
+        keyE, sizeof(keyE), keyA, sizeof(keyA), keyS, sizeof(keyS));
+    if (ret != 0) {
+        WOLFSSL_MSG("wc_SRTP_KDF failed");
+    }
+    \endcode
+
+    \sa wc_SRTP_KDF
+    \sa wc_SRTP_KDF_kdr_to_idx
+*/
+int wc_SRTCP_KDF(const byte* key, word32 keySz, const byte* salt, word32 saltSz,
+        int kdrIdx, const byte* index, byte* key1, word32 key1Sz, byte* key2,
+        word32 key2Sz, byte* key3, word32 key3Sz);
+
+/*!
+    \ingroup SrtpKdf
+
+    \brief This function converts a kdr value to an index to use in SRTP/SRTCP KDF API.
+
+    \return Key derivation rate as an index.
+
+    \param [in] kdr Key derivation rate to convert.
+
+    _Example_
+    \code
+    word32 kdr = 0x00000010;
+    int kdrIdx;
+    int ret;
+
+    kdrIdx = wc_SRTP_KDF_kdr_to_idx(kdr);
+    \endcode
+
+    \sa wc_SRTP_KDF
+    \sa wc_SRTCP_KDF
+*/
+int wc_SRTP_KDF_kdr_to_idx(word32 kdr);
+
--- a/wolfcrypt/benchmark/benchmark.c
+++ b/wolfcrypt/benchmark/benchmark.c
@ -127,6 +127,7 @@
 #ifdef WOLFSSL_SIPHASH
    #include <wolfssl/wolfcrypt/siphash.h>
 #endif
+  #include <wolfssl/wolfcrypt/kdf.h>
 #ifndef NO_PWDBASED
    #include <wolfssl/wolfcrypt/pwdbased.h>
 #endif
@ -534,6 +535,9 @@
 #define BENCH_PBKDF2             0x00000100
 #define BENCH_SIPHASH            0x00000200

+/* KDF algorithms */
+#define BENCH_SRTP_KDF           0x00000001
+
 /* Asymmetric algorithms. */
 #define BENCH_RSA_KEYGEN         0x00000001
 #define BENCH_RSA                0x00000002
@ -619,6 +623,8 @@ static word32 bench_cipher_algs = 0;
 static word32 bench_digest_algs = 0;
 /* MAC algorithms to benchmark. */
 static word32 bench_mac_algs = 0;
+/* KDF algorithms to benchmark. */
+static word32 bench_kdf_algs = 0;
 /* Asymmetric algorithms to benchmark. */
 static word32 bench_asym_algs = 0;
 /* Post-Quantum Asymmetric algorithms to benchmark. */
@ -797,9 +803,18 @@ static const bench_alg bench_mac_opt[] = {
    #ifndef NO_PWDBASED
    { "-pbkdf2",             BENCH_PBKDF2            },
    #endif
+#endif
    #ifdef WOLFSSL_SIPHASH
    { "-siphash",            BENCH_SIPHASH           },
    #endif
+    { NULL, 0 }
+};
+
+/* All recognized KDF algorithm choosing command line options. */
+static const bench_alg bench_kdf_opt[] = {
+    { "-kdf",                0xffffffff              },
+#ifdef WC_SRTP_KDF
+    { "-srtp-kdf",           BENCH_SRTP_KDF          },
 #endif
    { NULL, 0 }
 };
@ -1646,6 +1661,7 @@ static void benchmark_static_init(int force)
        bench_cipher_algs = 0;
        bench_digest_algs = 0;
        bench_mac_algs = 0;
+        bench_kdf_algs = 0;
        bench_asym_algs = 0;
        bench_pq_asym_algs = 0;
        bench_other_algs = 0;
@ -2785,12 +2801,18 @@ static void* benchmarks_do(void* args)
            bench_pbkdf2();
        }
    #endif
-    #ifdef WOLFSSL_SIPHASH
-        if (bench_all || (bench_mac_algs & BENCH_SIPHASH)) {
-            bench_siphash();
-        }
-    #endif
 #endif /* NO_HMAC */
+#ifdef WOLFSSL_SIPHASH
+    if (bench_all || (bench_mac_algs & BENCH_SIPHASH)) {
+        bench_siphash();
+    }
+#endif
+
+#ifdef WC_SRTP_KDF
+    if (bench_all || (bench_kdf_algs & BENCH_SRTP_KDF)) {
+        bench_srtpkdf();
+    }
+#endif

 #ifdef HAVE_SCRYPT
    if (bench_all || (bench_other_algs & BENCH_SCRYPT))
@ -6721,6 +6743,68 @@ void bench_siphash(void)
 }
 #endif

+#ifdef WC_SRTP_KDF
+void bench_srtpkdf(void)
+{
+    double start;
+    int count;
+    int ret = 0;
+    byte keyE[32];
+    byte keyA[20];
+    byte keyS[14];
+    const byte *key = bench_key_buf;
+    const byte salt[14] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                           0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e };
+    const byte index[6] = { 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA };
+    int kdrIdx = 0;
+    int i;
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            ret = wc_SRTP_KDF(key, AES_128_KEY_SIZE, salt, sizeof(salt),
+                kdrIdx, index, keyE, AES_128_KEY_SIZE, keyA, sizeof(keyA),
+                keyS, sizeof(keyS));
+        }
+        count += i;
+    } while (bench_stats_check(start));
+    bench_stats_asym_finish("KDF", 128, "SRTP", 0, count, start, ret);
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            ret = wc_SRTP_KDF(key, AES_256_KEY_SIZE, salt, sizeof(salt),
+                kdrIdx, index, keyE, AES_256_KEY_SIZE, keyA, sizeof(keyA),
+                keyS, sizeof(keyS));
+        }
+        count += i;
+    } while (bench_stats_check(start));
+    bench_stats_asym_finish("KDF", 256, "SRTP", 0, count, start, ret);
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            ret = wc_SRTCP_KDF(key, AES_128_KEY_SIZE, salt, sizeof(salt),
+                kdrIdx, index, keyE, AES_128_KEY_SIZE, keyA, sizeof(keyA),
+                keyS, sizeof(keyS));
+        }
+        count += i;
+    } while (bench_stats_check(start));
+    bench_stats_asym_finish("KDF", 128, "SRTCP", 0, count, start, ret);
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            ret = wc_SRTCP_KDF(key, AES_256_KEY_SIZE, salt, sizeof(salt),
+                kdrIdx, index, keyE, AES_256_KEY_SIZE, keyA, sizeof(keyA),
+                keyS, sizeof(keyS));
+        }
+        count += i;
+    } while (bench_stats_check(start));
+    bench_stats_asym_finish("KDF", 256, "SRTCP", 0, count, start, ret);
+}
+#endif
+
 #ifndef NO_RSA

 #if defined(WOLFSSL_KEY_GEN)
@ -10661,6 +10745,8 @@ static void Usage(void)
        print_alg(bench_digest_opt[i].str, &line);
    for (i=0; bench_mac_opt[i].str != NULL; i++)
        print_alg(bench_mac_opt[i].str, &line);
+    for (i=0; bench_kdf_opt[i].str != NULL; i++)
+        print_alg(bench_kdf_opt[i].str, &line);
    for (i=0; bench_asym_opt[i].str != NULL; i++)
        print_alg(bench_asym_opt[i].str, &line);
    for (i=0; bench_other_opt[i].str != NULL; i++)
@ -10895,6 +10981,14 @@ int wolfcrypt_benchmark_main(int argc, char** argv)
                    optMatched = 1;
                }
            }
+            /* Known KDF algorithms */
+            for (i=0; !optMatched && bench_kdf_opt[i].str != NULL; i++) {
+                if (string_matches(argv[1], bench_kdf_opt[i].str)) {
+                    bench_kdf_algs |= bench_kdf_opt[i].val;
+                    bench_all = 0;
+                    optMatched = 1;
+                }
+            }
            /* Known asymmetric algorithms */
            for (i=0; !optMatched && bench_asym_opt[i].str != NULL; i++) {
                if (string_matches(argv[1], bench_asym_opt[i].str)) {
--- a/wolfcrypt/benchmark/benchmark.h
+++ b/wolfcrypt/benchmark/benchmark.h
@ -95,6 +95,7 @@ void bench_hmac_sha256(int useDeviceID);
 void bench_hmac_sha384(int useDeviceID);
 void bench_hmac_sha512(int useDeviceID);
 void bench_siphash(void);
+void bench_srtpkdf(void);
 void bench_rsaKeyGen(int useDeviceID);
 void bench_rsaKeyGen_size(int useDeviceID, word32 keySz);
 void bench_rsa(int useDeviceID);
--- a/wolfcrypt/src/kdf.c
+++ b/wolfcrypt/src/kdf.c
@ -52,6 +52,9 @@

 #include <wolfssl/wolfcrypt/hmac.h>
 #include <wolfssl/wolfcrypt/kdf.h>
+#ifdef WC_SRTP_KDF
+#include <wolfssl/wolfcrypt/aes.h>
+#endif


 #if defined(WOLFSSL_HAVE_PRF) && !defined(NO_HMAC)
@ -870,4 +873,292 @@ int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz,

 #endif /* WOLFSSL_WOLFSSH */

+#ifdef WC_SRTP_KDF
+/* Calculate first block to encrypt.
+ *
+ * @param [in]  salt     Random value to XOR in.
+ * @param [in]  saltSz   Size of random value in bytes.
+ * @param [in]  kdrIdx   Key derivation rate. kdr = 0 when -1, otherwise
+ *                       kdr = 2^kdrIdx.
+ * @param [in]  index    Index value to XOR in.
+ * @param [in]  indexSz  Size of index value in bytes.
+ * @param [out] block    First block to encrypt.
+ */
+static void wc_srtp_kdf_first_block(const byte* salt, word32 saltSz, int kdrIdx,
+        const byte* index, byte indexSz, unsigned char* block)
+{
+    word32 i;
+
+    /* XOR salt into zeroized buffer. */
+    for (i = 0; i < WC_SRTP_MAX_SALT - saltSz; i++)
+        block[i] = 0;
+    XMEMCPY(block + WC_SRTP_MAX_SALT - saltSz, salt, saltSz);
+    block[WC_SRTP_MAX_SALT] = 0;
+    /* block[15] is counter. */
+
+    /* When kdrIdx is -1, don't XOR in index. */
+    if (kdrIdx >= 0) {
+        /* Get the number of bits to shift index by. */
+        word32 bits = kdrIdx & 0x7;
+        /* Reduce index size by number of bytes to remove. */
+        indexSz -= kdrIdx >> 3;
+
+        if ((kdrIdx & 0x7) == 0) {
+            /* Just XOR in as no bit shifting. */
+            for (i = 0; i < indexSz; i++)
+                block[i + WC_SRTP_MAX_SALT - indexSz] ^= index[i];
+        }
+        else {
+            /* XOR in as bit shifted index. */
+            block[WC_SRTP_MAX_SALT - indexSz] ^= index[i+0] >> bits;
+            for (i = 1; i < indexSz; i++) {
+                block[i + WC_SRTP_MAX_SALT - indexSz] ^=
+                    (index[i-1] << (8 - bits)) |
+                    (index[i+0] >>      bits );
+            }
+        }
+    }
+}
+
+/* Derive a key given the first block.
+ *
+ * @param [in, out] block    First block to encrypt. Need label XORed in.
+ * @param [in]      indexSz  Size of index in bytes to calculate where label is
+ *                           XORed into.
+ * @param [in]      label    Label byte that differs for each key.
+ * @param [out]     key      Derived key.
+ * @param [in]      keySz    Size of key to derive in bytes.
+ * @param [in]      aes      AES object to encrypt with.
+ * @return  0 on success.
+ */
+static int wc_srtp_kdf_derive_key(byte* block, byte indexSz, byte label,
+        byte* key, word32 keySz, Aes* aes)
+{
+    int i;
+    int ret = 0;
+    /* Calculate the number of full blocks needed for derived key. */
+    int blocks = keySz / AES_BLOCK_SIZE;
+
+    /* XOR in label. */
+    block[WC_SRTP_MAX_SALT - indexSz - 1] ^= label;
+    for (i = 0; (ret == 0) && (i < blocks); i++) {
+        /* Set counter. */
+        block[15] = i;
+        /* Encrypt block into key buffer. */
+        ret = wc_AesEcbEncrypt(aes, key, block, AES_BLOCK_SIZE);
+        /* Reposition for more derived key. */
+        key += AES_BLOCK_SIZE;
+        /* Reduce the count of key bytes required. */
+        keySz -= AES_BLOCK_SIZE;
+    }
+    /* Do any partial blocks. */
+    if ((ret == 0) && (keySz > 0)) {
+        byte enc[AES_BLOCK_SIZE];
+        /* Set counter. */
+        block[15] = i;
+        /* Encrypt block into temporary. */
+        ret = wc_AesEcbEncrypt(aes, enc, block, AES_BLOCK_SIZE);
+        if (ret == 0) {
+            /* Copy into key required amount. */
+            XMEMCPY(key, enc, keySz);
+        }
+    }
+    /* XOR out label. */
+    block[WC_SRTP_MAX_SALT - indexSz - 1] ^= label;
+
+    return ret;
+}
+
+/* Derive keys using SRTP KDF algorithm.
+ *
+ * SP 800-135 (RFC 3711).
+ *
+ * @param [in]  key      Key to use with encryption.
+ * @param [in]  keySz    Size of key in bytes.
+ * @param [in]  salt     Random non-secret value.
+ * @param [in]  saltSz   Size of random in bytes.
+ * @param [in]  kdrIdx   Key derivation rate. kdr = 0 when -1, otherwise
+ *                       kdr = 2^kdrIdx.
+ * @param [in]  index    Index value to XOR in.
+ * @param [out] key1     First key. Label value of 0x00.
+ * @param [in]  key1Sz   Size of first key in bytes.
+ * @param [out] key2     Second key. Label value of 0x01.
+ * @param [in]  key2Sz   Size of second key in bytes.
+ * @param [out] key3     Third key. Label value of 0x02.
+ * @param [in]  key3Sz   Size of third key in bytes.
+ * @return  BAD_FUNC_ARG when key or salt is NULL.
+ * @return  BAD_FUNC_ARG when key length is not 16, 24 or 32.
+ * @return  BAD_FUNC_ARG when saltSz is larger than 14.
+ * @return  BAD_FUNC_ARG when kdrIdx is less than -1 or larger than 24.
+ * @return  MEMORY_E on dynamic memory allocation failure.
+ * @return  0 on success.
+ */
+int wc_SRTP_KDF(const byte* key, word32 keySz, const byte* salt, word32 saltSz,
+        int kdrIdx, const byte* index, byte* key1, word32 key1Sz, byte* key2,
+        word32 key2Sz, byte* key3, word32 key3Sz)
+{
+    int ret = 0;
+    byte block[AES_BLOCK_SIZE];
+#ifdef WOLFSSL_SMALL_STACK
+    Aes* aes = NULL;
+#else
+    Aes aes[1];
+#endif
+
+    /* Validate parameters. */
+    if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
+            (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (ret == 0) {
+        aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_CIPHER);
+        if (aes == NULL) {
+            ret = MEMORY_E;
+        }
+    }
+    if (aes != NULL)
+#endif
+    {
+        XMEMSET(aes, 0, sizeof(Aes));
+    }
+
+    /* Setup AES object. */
+    if (ret == 0)
+        ret = wc_AesInit(aes, NULL, INVALID_DEVID);
+    if (ret == 0)
+        ret = wc_AesSetKey(aes, key, keySz, NULL, AES_ENCRYPTION);
+
+    /* Calculate first block that can be used in each derivation. */
+    if (ret == 0)
+        wc_srtp_kdf_first_block(salt, saltSz, kdrIdx, index, 6, block);
+
+    /* Calculate first key if required. */
+    if ((ret == 0) && (key1 != NULL)) {
+        ret = wc_srtp_kdf_derive_key(block, 6, 0x00, key1, key1Sz, aes);
+    }
+    /* Calculate second key if required. */
+    if ((ret == 0) && (key2 != NULL)) {
+        ret = wc_srtp_kdf_derive_key(block, 6, 0x01, key2, key2Sz, aes);
+    }
+    /* Calculate third key if required. */
+    if ((ret == 0) && (key3 != NULL)) {
+        ret = wc_srtp_kdf_derive_key(block, 6, 0x02, key3, key3Sz, aes);
+    }
+
+    /* AES object memset so can always free. */
+    wc_AesFree(aes);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(aes, NULL, DYNAMIC_TYPE_CIPHER);
+#endif
+    return ret;
+}
+
+/* Derive keys using SRTCP KDF algorithm.
+ *
+ * SP 800-135 (RFC 3711).
+ *
+ * @param [in]  key      Key to use with encryption.
+ * @param [in]  keySz    Size of key in bytes.
+ * @param [in]  salt     Random non-secret value.
+ * @param [in]  saltSz   Size of random in bytes.
+ * @param [in]  kdrIdx   Key derivation rate index. kdr = 0 when -1, otherwise
+ *                       kdr = 2^kdrIdx. See wc_SRTP_KDF_kdr_to_idx()
+ * @param [in]  index    Index value to XOR in.
+ * @param [out] key1     First key. Label value of 0x03.
+ * @param [in]  key1Sz   Size of first key in bytes.
+ * @param [out] key2     Second key. Label value of 0x04.
+ * @param [in]  key2Sz   Size of second key in bytes.
+ * @param [out] key3     Third key. Label value of 0x05.
+ * @param [in]  key3Sz   Size of third key in bytes.
+ * @return  BAD_FUNC_ARG when key or salt is NULL.
+ * @return  BAD_FUNC_ARG when key length is not 16, 24 or 32.
+ * @return  BAD_FUNC_ARG when saltSz is larger than 14.
+ * @return  BAD_FUNC_ARG when kdrIdx is less than -1 or larger than 24.
+ * @return  MEMORY_E on dynamic memory allocation failure.
+ * @return  0 on success.
+ */
+int wc_SRTCP_KDF(const byte* key, word32 keySz, const byte* salt, word32 saltSz,
+        int kdrIdx, const byte* index, byte* key1, word32 key1Sz, byte* key2,
+        word32 key2Sz, byte* key3, word32 key3Sz)
+{
+    int ret = 0;
+    byte block[AES_BLOCK_SIZE];
+#ifdef WOLFSSL_SMALL_STACK
+    Aes* aes = NULL;
+#else
+    Aes aes[1];
+#endif
+
+    /* Validate parameters. */
+    if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
+            (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (ret == 0) {
+        aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_CIPHER);
+        if (aes == NULL) {
+            ret = MEMORY_E;
+        }
+    }
+    if (aes != NULL)
+#endif
+    {
+        XMEMSET(aes, 0, sizeof(Aes));
+    }
+
+    /* Setup AES object. */
+    if (ret == 0)
+        ret = wc_AesInit(aes, NULL, INVALID_DEVID);
+    if (ret == 0)
+        ret = wc_AesSetKey(aes, key, keySz, NULL, AES_ENCRYPTION);
+
+    /* Calculate first block that can be used in each derivation. */
+    if (ret == 0)
+        wc_srtp_kdf_first_block(salt, saltSz, kdrIdx, index, 4, block);
+
+    /* Calculate first key if required. */
+    if ((ret == 0) && (key1 != NULL)) {
+        ret = wc_srtp_kdf_derive_key(block, 4, 0x03, key1, key1Sz, aes);
+    }
+    /* Calculate second key if required. */
+    if ((ret == 0) && (key2 != NULL)) {
+        ret = wc_srtp_kdf_derive_key(block, 4, 0x04, key2, key2Sz, aes);
+    }
+    /* Calculate third key if required. */
+    if ((ret == 0) && (key3 != NULL)) {
+        ret = wc_srtp_kdf_derive_key(block, 4, 0x05, key3, key3Sz, aes);
+    }
+
+    /* AES object memset so can always free. */
+    wc_AesFree(aes);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(aes, NULL, DYNAMIC_TYPE_CIPHER);
+#endif
+    return ret;
+}
+
+/* Converts a kdr value to an index to use in SRTP/SRTCP KDF API.
+ *
+ * @param [in] kdr  Key derivation rate to convert.
+ * @return  Key derivation rate as an index.
+ */
+int wc_SRTP_KDF_kdr_to_idx(word32 kdr)
+{
+    int idx = -1;
+
+    /* Keep shifting value down and incrementing index until top bit is gone. */
+    while (kdr != 0) {
+        kdr >>= 1;
+        idx++;
+    }
+
+    /* Index of top bit set. */
+    return idx;
+}
+#endif /* WC_SRTP_KDF */
+
 #endif /* NO_KDF */
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@ -518,6 +518,9 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t  tls13_kdf_test(void);
 #endif
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t  x963kdf_test(void);
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t  hpke_test(void);
+#ifdef WC_SRTP_KDF
+WOLFSSL_TEST_SUBROUTINE wc_test_ret_t  srtpkdf_test(void);
+#endif
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t  arc4_test(void);
 #ifdef WC_RC2
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t  rc2_test(void);
@ -1333,6 +1336,13 @@ options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\
        TEST_PASS("HPKE     test passed!\n");
 #endif

+#if defined(WC_SRTP_KDF)
+    if ( (ret = srtpkdf_test()) != 0)
+        TEST_FAIL("SRTP KDF test failed!\n", ret);
+    else
+        TEST_PASS("SRTP KDF test passed!\n");
+#endif
+
 #if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_128) && \
   !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT) && \
   !defined(WOLFSSL_RENESAS_FSPSM_CRYPTONLY)
@ -24806,6 +24816,396 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hpke_test(void)
 }
 #endif /* HAVE_HPKE && HAVE_ECC && HAVE_AESGCM */

+#if defined(WC_SRTP_KDF)
+typedef struct Srtp_Kdf_Tv {
+    const unsigned char* key;
+    word32 keySz;
+    const unsigned char* salt;
+    word32 saltSz;
+    int kdfIdx;
+    const unsigned char* index;
+    const unsigned char* ke;
+    const unsigned char* ka;
+    const unsigned char* ks;
+    const unsigned char* index_c;
+    const unsigned char* ke_c;
+    const unsigned char* ka_c;
+    const unsigned char* ks_c;
+    word32 keSz;
+    word32 kaSz;
+    word32 ksSz;
+} Srtp_Kdf_Tv;
+
+WOLFSSL_TEST_SUBROUTINE wc_test_ret_t srtpkdf_test(void)
+{
+    wc_test_ret_t ret = 0;
+    /* 128-bit key, kdrIdx = -1 */
+    WOLFSSL_SMALL_STACK_STATIC const byte key_0[] = {
+        0xc4, 0x80, 0x9f, 0x6d, 0x36, 0x98, 0x88, 0x72,
+        0x8e, 0x26, 0xad, 0xb5, 0x32, 0x12, 0x98, 0x90
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte salt_0[] = {
+        0x0e, 0x23, 0x00, 0x6c, 0x6c, 0x04, 0x4f, 0x56,
+        0x62, 0x40, 0x0e, 0x9d, 0x1b, 0xd6
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte index_0[] = {
+        0x48, 0x71, 0x65, 0x64, 0x9c, 0xca
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ke_0[] = {
+        0xdc, 0x38, 0x21, 0x92, 0xab, 0x65, 0x10, 0x8a,
+        0x86, 0xb2, 0x59, 0xb6, 0x1b, 0x3a, 0xf4, 0x6f
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ka_0[] = {
+        0xb8, 0x39, 0x37, 0xfb, 0x32, 0x17, 0x92, 0xee,
+        0x87, 0xb7, 0x88, 0x19, 0x3b, 0xe5, 0xa4, 0xe3,
+        0xbd, 0x32, 0x6e, 0xe4
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ks_0[] = {
+        0xf1, 0xc0, 0x35, 0xc0, 0x0b, 0x5a, 0x54, 0xa6,
+        0x16, 0x92, 0xc0, 0x16, 0x27, 0x6c
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte index_c_0[] = {
+        0x56, 0xf3, 0xf1, 0x97
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ke_c_0[] = {
+        0xab, 0x5b, 0xe0, 0xb4, 0x56, 0x23, 0x5d, 0xcf,
+        0x77, 0xd5, 0x08, 0x69, 0x29, 0xba, 0xfb, 0x38
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ka_c_0[] = {
+        0xc5, 0x2f, 0xde, 0x0b, 0x80, 0xb0, 0xf0, 0xba,
+        0xd8, 0xd1, 0x56, 0x45, 0xcb, 0x86, 0xe7, 0xc7,
+        0xc3, 0xd8, 0x77, 0x0e
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ks_c_0[] = {
+        0xde, 0xb5, 0xf8, 0x5f, 0x81, 0x33, 0x6a, 0x96,
+        0x5e, 0xd3, 0x2b, 0xb7, 0xed, 0xe8
+    };
+    /* 192-bit key, kdrIdx = 0 */
+    WOLFSSL_SMALL_STACK_STATIC const byte key_1[] = {
+        0xbb, 0x04, 0x5b, 0x1f, 0x53, 0xc6, 0x93, 0x2c,
+        0x2b, 0xa6, 0x88, 0xf5, 0xe3, 0xf2, 0x24, 0x70,
+        0xe1, 0x7d, 0x7d, 0xec, 0x8a, 0x93, 0x4d, 0xf2
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte salt_1[] = {
+        0xe7, 0x22, 0xab, 0x92, 0xfc, 0x7c, 0x89, 0xb6,
+        0x53, 0x8a, 0xf9, 0x3c, 0xb9, 0x52
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte index_1[] = {
+        0xd7, 0x87, 0x8f, 0x33, 0xb1, 0x76
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ke_1[] = {
+        0x2c, 0xc8, 0x3e, 0x54, 0xb2, 0x33, 0x89, 0xb3,
+        0x71, 0x65, 0x0f, 0x51, 0x61, 0x65, 0xe4, 0x93,
+        0x07, 0x4e, 0xb3, 0x47, 0xba, 0x2d, 0x60, 0x60
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ka_1[] = {
+        0x2e, 0x80, 0xe4, 0x82, 0x55, 0xa2, 0xbe, 0x6d,
+        0xe0, 0x46, 0xcc, 0xc1, 0x75, 0x78, 0x6e, 0x78,
+        0xd1, 0xd1, 0x47, 0x08
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ks_1[] = {
+        0xe0, 0xc1, 0xe6, 0xaf, 0x1e, 0x8d, 0x8c, 0xfe,
+        0xe5, 0x60, 0x70, 0xb5, 0xe6, 0xea
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte index_c_1[] = {
+        0x40, 0xbf, 0xd4, 0xa9
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ke_c_1[] = {
+        0x94, 0x0f, 0x55, 0xce, 0x58, 0xd8, 0x16, 0x65,
+        0xf0, 0xfa, 0x46, 0x40, 0x0c, 0xda, 0xb1, 0x11,
+        0x9e, 0x69, 0xa0, 0x93, 0x4e, 0xd7, 0xf2, 0x84
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ka_c_1[] = {
+        0xf5, 0x41, 0x6f, 0xc2, 0x65, 0xc5, 0xb3, 0xef,
+        0xbb, 0x22, 0xc8, 0xfc, 0x6b, 0x00, 0x14, 0xb2,
+        0xf3, 0x3b, 0x8e, 0x29
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ks_c_1[] = {
+        0x35, 0xb7, 0x42, 0x43, 0xf0, 0x01, 0x01, 0xb4,
+        0x68, 0xa1, 0x28, 0x80, 0x37, 0xf0
+    };
+    /* 256-bit key, kdrIdx = 1 */
+    WOLFSSL_SMALL_STACK_STATIC const byte key_2[] = {
+        0x10, 0x38, 0x0a, 0xcd, 0xd6, 0x47, 0xab, 0xee,
+        0xc0, 0xd4, 0x44, 0xf4, 0x7e, 0x51, 0x36, 0x02,
+        0x79, 0xa8, 0x94, 0x80, 0x35, 0x40, 0xed, 0x50,
+        0xf4, 0x45, 0x30, 0x3d, 0xb5, 0xf0, 0x2b, 0xbb
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte salt_2[] = {
+        0xc7, 0x31, 0xf2, 0xc8, 0x40, 0x43, 0xb8, 0x74,
+        0x8a, 0x61, 0x84, 0x7a, 0x25, 0x8a
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte index_2[] = {
+        0x82, 0xf1, 0x84, 0x8c, 0xac, 0x42
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ke_2[] = {
+        0xb2, 0x26, 0x60, 0xaf, 0x08, 0x23, 0x14, 0x98,
+        0x91, 0xde, 0x5d, 0x87, 0x95, 0x61, 0xca, 0x8f,
+        0x0e, 0xce, 0xfb, 0x68, 0x4d, 0xd6, 0x28, 0xcb,
+        0x28, 0xe2, 0x27, 0x20, 0x2d, 0xff, 0x64, 0xbb
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ka_2[] = {
+        0x12, 0x6f, 0x52, 0xe8, 0x07, 0x7f, 0x07, 0x84,
+        0xa0, 0x61, 0x96, 0xf8, 0xee, 0x4d, 0x05, 0x57,
+        0x65, 0xc7, 0x50, 0xc1
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ks_2[] = {
+        0x18, 0x5a, 0x59, 0xe5, 0x91, 0x4d, 0xc9, 0x6c,
+        0xfa, 0x5b, 0x36, 0x06, 0x8c, 0x9a
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte index_c_2[] = {
+        0x31, 0x2d, 0x58, 0x15
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ke_c_2[] = {
+        0x14, 0xf2, 0xc8, 0x25, 0x02, 0x79, 0x22, 0xa1,
+        0x96, 0xb6, 0xf7, 0x07, 0x76, 0xa6, 0xa3, 0xc4,
+        0x37, 0xdf, 0xa0, 0xf8, 0x78, 0x93, 0x2c, 0xfa,
+        0xea, 0x35, 0xf0, 0xf3, 0x3f, 0x32, 0x6e, 0xfd
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ka_c_2[] = {
+        0x6e, 0x3d, 0x4a, 0x99, 0xea, 0x2f, 0x9d, 0x13,
+        0x4a, 0x1e, 0x71, 0x2e, 0x15, 0xc0, 0xca, 0xb6,
+        0x35, 0x78, 0xdf, 0xa4
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ks_c_2[] = {
+        0xae, 0xe4, 0xec, 0x18, 0x31, 0x70, 0x5d, 0x3f,
+        0xdc, 0x97, 0x89, 0x88, 0xfd, 0xff
+    };
+    /* 128-bit key, kdrIdx = 8 */
+    WOLFSSL_SMALL_STACK_STATIC const byte key_3[] = {
+        0x36, 0xb4, 0xde, 0xcb, 0x2e, 0x51, 0x23, 0x76,
+        0xe0, 0x27, 0x7e, 0x3e, 0xc8, 0xf6, 0x54, 0x04
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte salt_3[] = {
+        0x73, 0x26, 0xf4, 0x3f, 0xc0, 0xd9, 0xc6, 0xe3,
+        0x2f, 0x92, 0x7d, 0x46, 0x12, 0x76
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte index_3[] = {
+        0x44, 0x73, 0xb2, 0x2d, 0xb2, 0x60
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ke_3[] = {
+        0x79, 0x91, 0x3d, 0x7b, 0x20, 0x5d, 0xea, 0xe2,
+        0xeb, 0x46, 0x89, 0x68, 0x5a, 0x06, 0x73, 0x74
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ka_3[] = {
+        0x2d, 0x2e, 0x97, 0x4e, 0x76, 0x8c, 0x62, 0xa6,
+        0x57, 0x80, 0x13, 0x42, 0x0b, 0x51, 0xa7, 0x66,
+        0xea, 0x31, 0x24, 0xe6
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ks_3[] = {
+        0xcc, 0xd7, 0x31, 0xf6, 0x3b, 0xf3, 0x89, 0x8a,
+        0x5b, 0x7b, 0xb5, 0x8b, 0x4c, 0x3f
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte index_c_3[] = {
+        0x4a, 0x7d, 0xaa, 0x85
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ke_c_3[] = {
+        0x34, 0x99, 0x71, 0xfe, 0x12, 0x93, 0xae, 0x8c,
+        0x4a, 0xe9, 0x84, 0xe4, 0x93, 0x53, 0x63, 0x88
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ka_c_3[] = {
+        0xa4, 0x53, 0x5e, 0x0a, 0x9c, 0xf2, 0xce, 0x13,
+        0xef, 0x7a, 0x13, 0xee, 0x0a, 0xef, 0xba, 0x17,
+        0x05, 0x18, 0xe3, 0xed
+    };
+    WOLFSSL_SMALL_STACK_STATIC const byte ks_c_3[] = {
+        0xe1, 0x29, 0x4f, 0x61, 0x30, 0x3c, 0x4d, 0x46,
+        0x5f, 0x5c, 0x81, 0x3c, 0x38, 0xb6
+    };
+    #define SRTP_TV_CNT     4
+    Srtp_Kdf_Tv tv[SRTP_TV_CNT] = {
+        { key_0, (word32)sizeof(key_0), salt_0, (word32)sizeof(salt_0), -1,
+          index_0, ke_0, ka_0, ks_0, index_c_0, ke_c_0, ka_c_0, ks_c_0,
+          16, 20, 14 },
+        { key_1, (word32)sizeof(key_1), salt_1, (word32)sizeof(salt_1), 0,
+          index_1, ke_1, ka_1, ks_1, index_c_1, ke_c_1, ka_c_1, ks_c_1,
+          24, 20, 14 },
+        { key_2, (word32)sizeof(key_2), salt_2, (word32)sizeof(salt_2), 1,
+          index_2, ke_2, ka_2, ks_2, index_c_2, ke_c_2, ka_c_2, ks_c_2,
+          32, 20, 14 },
+        { key_3, (word32)sizeof(key_3), salt_3, (word32)sizeof(salt_3), 8,
+          index_3, ke_3, ka_3, ks_3, index_c_3, ke_c_3, ka_c_3, ks_c_3,
+          16, 20, 14 },
+    };
+    int i;
+    int idx;
+    unsigned char keyE[32];
+    unsigned char keyA[20];
+    unsigned char keyS[14];
+
+    for (i = 0; (ret == 0) && (i < SRTP_TV_CNT); i++) {
+    #ifndef WOLFSSL_AES_128
+        if (tv[i].keySz == AES_128_KEY_SIZE) {
+            continue;
+        }
+    #endif
+    #ifndef WOLFSSL_AES_192
+        if (tv[i].keySz == AES_192_KEY_SIZE) {
+            continue;
+        }
+    #endif
+    #ifndef WOLFSSL_AES_256
+        if (tv[i].keySz == AES_256_KEY_SIZE) {
+            continue;
+        }
+    #endif
+
+        ret = wc_SRTP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
+            tv[i].kdfIdx, tv[i].index, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+            keyS, tv[i].ksSz);
+        if (ret != 0)
+            return WC_TEST_RET_ENC_EC(ret);
+        if (XMEMCMP(keyE, tv[i].ke, 16) != 0)
+            return WC_TEST_RET_ENC_NC;
+        if (XMEMCMP(keyA, tv[i].ka, 20) != 0)
+            return WC_TEST_RET_ENC_NC;
+        if (XMEMCMP(keyS, tv[i].ks, 14) != 0)
+            return WC_TEST_RET_ENC_NC;
+
+        ret = wc_SRTCP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
+            tv[i].kdfIdx, tv[i].index_c, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+            keyS, tv[i].ksSz);
+        if (ret != 0)
+            return WC_TEST_RET_ENC_EC(ret);
+        if (XMEMCMP(keyE, tv[i].ke_c, 16) != 0)
+            return WC_TEST_RET_ENC_NC;
+        if (XMEMCMP(keyA, tv[i].ka_c, 20) != 0)
+            return WC_TEST_RET_ENC_NC;
+        if (XMEMCMP(keyS, tv[i].ks_c, 14) != 0)
+            return WC_TEST_RET_ENC_NC;
+    }
+
+#ifdef WOLFSSL_AES_128
+    i = 0;
+#elif defined(WOLFSSL_AES_192)
+    i = 1;
+#else
+    i = 2;
+#endif
+    ret = wc_SRTP_KDF(tv[i].key, 33, tv[i].salt, tv[i].saltSz,
+        tv[i].kdfIdx, tv[i].index, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != BAD_FUNC_ARG)
+        return WC_TEST_RET_ENC_EC(ret);
+    ret = wc_SRTCP_KDF(tv[i].key, 33, tv[i].salt, tv[i].saltSz,
+        tv[i].kdfIdx, tv[i].index_c, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != BAD_FUNC_ARG)
+        return WC_TEST_RET_ENC_EC(ret);
+
+    ret = wc_SRTP_KDF(tv[i].key, 15, tv[i].salt, tv[i].saltSz,
+        tv[i].kdfIdx, tv[i].index, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != BAD_FUNC_ARG)
+        return WC_TEST_RET_ENC_EC(ret);
+    ret = wc_SRTCP_KDF(tv[i].key, 15, tv[i].salt, tv[i].saltSz,
+        tv[i].kdfIdx, tv[i].index_c, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != BAD_FUNC_ARG)
+        return WC_TEST_RET_ENC_EC(ret);
+
+    ret = wc_SRTP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, 15,
+        tv[i].kdfIdx, tv[i].index, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != BAD_FUNC_ARG)
+        return WC_TEST_RET_ENC_EC(ret);
+    ret = wc_SRTCP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, 15,
+        tv[i].kdfIdx, tv[i].index_c, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != BAD_FUNC_ARG)
+        return WC_TEST_RET_ENC_EC(ret);
+
+    ret = wc_SRTP_KDF(NULL, tv[i].keySz, tv[i].salt, tv[i].saltSz,
+        tv[i].kdfIdx, tv[i].index, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != BAD_FUNC_ARG)
+        return WC_TEST_RET_ENC_EC(ret);
+    ret = wc_SRTCP_KDF(NULL, tv[i].keySz, tv[i].salt, tv[i].saltSz,
+        tv[i].kdfIdx, tv[i].index_c, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != BAD_FUNC_ARG)
+        return WC_TEST_RET_ENC_EC(ret);
+
+    ret = wc_SRTP_KDF(tv[i].key, tv[i].keySz, NULL, tv[i].saltSz,
+            tv[i].kdfIdx, tv[i].index, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+            keyS, tv[i].ksSz);
+    if (ret != BAD_FUNC_ARG)
+        return WC_TEST_RET_ENC_EC(ret);
+    ret = wc_SRTCP_KDF(tv[i].key, tv[i].keySz, NULL, tv[i].saltSz,
+        tv[i].kdfIdx, tv[i].index_c, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != BAD_FUNC_ARG)
+        return WC_TEST_RET_ENC_EC(ret);
+
+    ret = wc_SRTP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
+        25, tv[i].index, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != BAD_FUNC_ARG)
+        return WC_TEST_RET_ENC_EC(ret);
+    ret = wc_SRTCP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
+        25, tv[i].index_c, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != BAD_FUNC_ARG)
+        return WC_TEST_RET_ENC_EC(ret);
+
+    ret = wc_SRTP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
+        -2, tv[i].index, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != BAD_FUNC_ARG)
+        return WC_TEST_RET_ENC_EC(ret);
+    ret = wc_SRTCP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
+        -2, tv[i].index_c, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != BAD_FUNC_ARG)
+        return WC_TEST_RET_ENC_EC(ret);
+
+    ret = wc_SRTP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
+        tv[i].kdfIdx, tv[i].index, NULL, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != 0)
+        return WC_TEST_RET_ENC_EC(ret);
+    ret = wc_SRTCP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
+        tv[i].kdfIdx, tv[i].index_c, NULL, tv[i].keSz, keyA, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != 0)
+        return WC_TEST_RET_ENC_EC(ret);
+
+    ret = wc_SRTP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
+        tv[i].kdfIdx, tv[i].index, keyE, tv[i].keSz, NULL, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != 0)
+        return WC_TEST_RET_ENC_EC(ret);
+    ret = wc_SRTCP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
+        tv[i].kdfIdx, tv[i].index_c, keyE, tv[i].keSz, NULL, tv[i].kaSz,
+        keyS, tv[i].ksSz);
+    if (ret != 0)
+        return WC_TEST_RET_ENC_EC(ret);
+
+    ret = wc_SRTP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
+        tv[i].kdfIdx, tv[i].index, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        NULL, tv[i].ksSz);
+    if (ret != 0)
+        return WC_TEST_RET_ENC_EC(ret);
+    ret = wc_SRTCP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
+        tv[i].kdfIdx, tv[i].index_c, keyE, tv[i].keSz, keyA, tv[i].kaSz,
+        NULL, tv[i].ksSz);
+    if (ret != 0)
+        return WC_TEST_RET_ENC_EC(ret);
+
+    idx = wc_SRTP_KDF_kdr_to_idx(0);
+    if (idx != -1)
+        return WC_TEST_RET_ENC_NC;
+    for (i = 0; i < 32; i++) {
+        word32 kdr = 1 << i;
+        idx = wc_SRTP_KDF_kdr_to_idx(kdr);
+        if (idx != i)
+            return WC_TEST_RET_ENC_NC;
+    }
+
+    return 0;
+}
+#endif
+
 #ifdef HAVE_ECC

 /* size to use for ECC key gen tests */
--- a/wolfssl/wolfcrypt/kdf.h
+++ b/wolfssl/wolfcrypt/kdf.h
@ -105,6 +105,21 @@ WOLFSSL_API int wc_SSH_KDF(byte hashId, byte keyId,

 #endif /* WOLFSSL_WOLFSSH */

+#ifdef WC_SRTP_KDF
+/* Maximum length of salt that can be used with SRTP/SRTCP. */
+#define WC_SRTP_MAX_SALT    14
+
+WOLFSSL_API int wc_SRTP_KDF(const byte* key, word32 keySz, const byte* salt,
+    word32 saltSz, int kdrIdx, const byte* index, byte* key1, word32 key1Sz,
+    byte* key2, word32 key2Sz, byte* key3, word32 key3Sz);
+WOLFSSL_API int wc_SRTCP_KDF(const byte* key, word32 keySz, const byte* salt,
+    word32 saltSz, int kdrIdx, const byte* index, byte* key1, word32 key1Sz,
+    byte* key2, word32 key2Sz, byte* key3, word32 key3Sz);
+
+WOLFSSL_API int wc_SRTP_KDF_kdr_to_idx(word32 kdr);
+
+#endif /* WC_SRTP_KDF */
+
 #ifdef __cplusplus
    } /* extern "C" */
 #endif