cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-04 04:32:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

Corrections after the code review

Browse Source 
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
This commit is contained in:
TRodziewicz 2021-05-20 14:46:20 +02:00
parent d807060e0a
commit 4ca18aae38
9 changed files with 339 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ChangeLog.d/issue4286.txt
View File

@ -6,9 +6,6 @@ Removals
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED, MBEDTLS_SSL_RECORD_CHECKING,
MBEDTLS_SSL_FALLBACK_SCSV, MBEDTLS_SSL_FALLBACK_SCSV_VALUE,
MBEDTLS_SSL_IS_FALLBACK, MBEDTLS_SSL_IS_NOT_FALLBACK, and functions:
ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting(), tls1_prf(),
ssl_update_checksum_md5sha1(), mbedtls_ssl_get_key_exchange_md_ssl_tls(),
mbedtls_ssl_check_record(), ssl_check_record(), ssl_calc_verify_tls(),
ssl_calc_finished_tls(), mbedtls_ssl_conf_fallback() as well as test
function component_test_variable_ssl_in_out_buffer_len_record_splitting().
Fixes #4286.
mbedtls_ssl_conf_cbc_record_splitting(),
mbedtls_ssl_get_key_exchange_md_ssl_tls(),
mbedtls_ssl_check_record(), mbedtls_ssl_conf_fallback(). Fixes #4286.

4
docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md
View File

@ -1,7 +1,7 @@
Remove suport for TLS 1.0, 1.1 and DLTS 1.0
Remove suport for TLS 1.0, 1.1 and DTLS 1.0
-------------------------------------------
This change affects users of the TLS 1.0, 1.1 and DTLS 1.0.
This change affects users of the TLS 1.0, 1.1 and DTLS 1.0 protocols.
The versions of (D)TLS that are being removed are not as secure as the latest
versions. Keeping them in the library creates opportunities for misconfiguration

7
include/mbedtls/ssl.h
View File

@ -2533,9 +2533,8 @@ int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len,
* \param ciphersuites 0-terminated list of allowed ciphersuites
* \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3
* supported)
* \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_1,
* MBEDTLS_SSL_MINOR_VERSION_2,
* MBEDTLS_SSL_MINOR_VERSION_3 supported)
* \param minor Minor version number (only MBEDTLS_SSL_MINOR_VERSION_3
* supported)
*
* \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
*/
@ -3203,7 +3202,7 @@ void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int mino
* \note Input outside of the SSL_MAX_XXXXX_VERSION and
* SSL_MIN_XXXXX_VERSION range is ignored.
*
* \note With DTLS, MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
* \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
*
* \param conf SSL configuration
* \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)

12
library/ssl_misc.h
View File

@ -72,7 +72,7 @@
#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
/* Determine maximum supported version */
@ -113,13 +113,7 @@
* counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
*/
#if defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_2)
#define MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER)
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
/* This macro determines whether CBC is supported. */
#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
@ -147,7 +141,7 @@
#define MBEDTLS_SSL_SOME_SUITES_USE_MAC
#endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
/* Ciphersuites using HMAC */

66
library/ssl_msg.c
View File

@ -86,6 +86,70 @@ int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
return( 0 );
}
static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
unsigned char *buf,
size_t len,
mbedtls_record *rec );
int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
unsigned char *buf,
size_t buflen )
{
int ret = 0;
MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen );
/* We don't support record checking in TLS because
* (a) there doesn't seem to be a usecase for it, and
* (b) In TLS 1.0, CBC record decryption has state
* and we'd need to backup the transform here.
*/
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
{
ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
goto exit;
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
else
{
mbedtls_record rec;
ret = ssl_parse_record_header( ssl, buf, buflen, &rec );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret );
goto exit;
}
if( ssl->transform_in != NULL )
{
ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret );
goto exit;
}
}
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
exit:
/* On success, we have decrypted the buffer in-place, so make
* sure we don't leak any plaintext data. */
mbedtls_platform_zeroize( buf, buflen );
/* For the purpose of this API, treat messages with unexpected CID
* as well as such from future epochs as unexpected. */
if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID ||
ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
{
ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
}
MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
return( ret );
}
#define SSL_DONT_FORCE_FLUSH 0
#define SSL_FORCE_FLUSH 1
@ -4960,7 +5024,7 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
* more than the block size of the underlying cipher. */
transform_expansion += block_size;
/* For TLS 1.1 or higher, an explicit IV is added
/* For TLS 1.2 or higher, an explicit IV is added
* after the record header. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 )

13
library/ssl_srv.c
View File

@ -3148,11 +3148,8 @@ curve_matching_done:
/*
* 2.1: Choose hash algorithm:
* A: For TLS 1.2, obey signature-hash-algorithm extension
* For TLS 1.2, obey signature-hash-algorithm extension
* to choose appropriate hash.
* B: For TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
* (RFC 4492, Sec. 5.4)
* C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
*/
mbedtls_md_type_t md_alg;
@ -3162,7 +3159,7 @@ curve_matching_done:
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
/* A: For TLS 1.2, obey signature-hash-algorithm extension
/* For TLS 1.2, obey signature-hash-algorithm extension
* (RFC 5246, Sec. 7.4.1.4.1). */
if( sig_alg == MBEDTLS_PK_NONE ||
( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
@ -3175,11 +3172,11 @@ curve_matching_done:
}
}
else
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
{
/* C: MD5 + SHA1 */
md_alg = MBEDTLS_MD_NONE;
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %u for signing", (unsigned) md_alg ) );

2
library/ssl_tls.c
View File

@ -961,7 +961,7 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
goto end;
}
#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
{

2
programs/ssl/ssl_client2.c
View File

@ -1324,7 +1324,7 @@ int main( int argc, char *argv[] )
if( opt.min_version < ciphersuite_info->min_minor_ver )
{
opt.min_version = ciphersuite_info->min_minor_ver;
/* for DTLS 1.2 */
/* DTLS starts with TLS 1.2 */
if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
opt.min_version < MBEDTLS_SSL_MINOR_VERSION_3 )
opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3;

255
tests/ssl-opt.sh
View File

@ -2622,6 +2622,27 @@ run_test "Session resume using tickets, DTLS: session copy" \
-s "a session has been resumed" \
-c "a session has been resumed"
run_test "Session resume using tickets, DTLS: openssl server" \
"$O_SRV -dtls" \
"$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
0 \
-c "client hello, adding session ticket extension" \
-c "found session_ticket extension" \
-c "parse new session ticket" \
-c "a session has been resumed"
run_test "Session resume using tickets, DTLS: openssl client" \
"$P_SRV dtls=1 debug_level=3 tickets=1" \
"( $O_CLI -dtls -sess_out $SESSION; \
$O_CLI -dtls -sess_in $SESSION; \
rm -f $SESSION )" \
0 \
-s "found session ticket extension" \
-s "server hello, adding session ticket extension" \
-S "session successfully restored from cache" \
-s "session successfully restored from ticket" \
-s "a session has been resumed"
# Tests for Session Resume based on session-ID and cache
run_test "Session resume using cache: tickets enabled on client" \
@ -2810,6 +2831,26 @@ run_test "Session resume using cache, DTLS: session copy" \
-s "a session has been resumed" \
-c "a session has been resumed"
run_test "Session resume using cache, DTLS: openssl client" \
"$P_SRV dtls=1 debug_level=3 tickets=0" \
"( $O_CLI -dtls -sess_out $SESSION; \
$O_CLI -dtls -sess_in $SESSION; \
rm -f $SESSION )" \
0 \
-s "found session ticket extension" \
-S "server hello, adding session ticket extension" \
-s "session successfully restored from cache" \
-S "session successfully restored from ticket" \
-s "a session has been resumed"
run_test "Session resume using cache, DTLS: openssl server" \
"$O_SRV -dtls" \
"$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
0 \
-C "found session_ticket extension" \
-C "parse new session ticket" \
-c "a session has been resumed"
# Tests for Max Fragment Length extension
if [ "$MAX_IN_LEN" -lt "4096" ]; then
@ -6623,6 +6664,34 @@ run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
-C "error" \
-s "Extra-header:"
run_test "DTLS reassembly: no fragmentation (openssl server)" \
"$O_SRV -dtls -mtu 2048" \
"$P_CLI dtls=1 debug_level=2" \
0 \
-C "found fragmented DTLS handshake message" \
-C "error"
run_test "DTLS reassembly: some fragmentation (openssl server)" \
"$O_SRV -dtls -mtu 768" \
"$P_CLI dtls=1 debug_level=2" \
0 \
-c "found fragmented DTLS handshake message" \
-C "error"
run_test "DTLS reassembly: more fragmentation (openssl server)" \
"$O_SRV -dtls -mtu 256" \
"$P_CLI dtls=1 debug_level=2" \
0 \
-c "found fragmented DTLS handshake message" \
-C "error"
run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
"$O_SRV -dtls -mtu 256" \
"$P_CLI dtls=1 nbio=2 debug_level=2" \
0 \
-c "found fragmented DTLS handshake message" \
-C "error"
# Tests for sending fragmented handshake messages with DTLS
#
# Use client auth when we need the client to send large messages,
@ -7593,6 +7662,192 @@ run_test "DTLS-SRTP all profiles supported. server doesn't support mki." \
-C "dumping 'received mki' (8 bytes)" \
-C "error"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP all profiles supported. openssl client." \
"$P_SRV dtls=1 use_srtp=1 debug_level=3" \
"$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
0 \
-s "found use_srtp extension" \
-s "found srtp profile" \
-s "selected srtp profile" \
-s "server hello, adding use_srtp extension" \
-s "DTLS-SRTP key material is"\
-g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
-c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_80"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl client." \
"$P_SRV dtls=1 use_srtp=1 debug_level=3" \
"$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
0 \
-s "found use_srtp extension" \
-s "found srtp profile" \
-s "selected srtp profile" \
-s "server hello, adding use_srtp extension" \
-s "DTLS-SRTP key material is"\
-g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
-c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl client." \
"$P_SRV dtls=1 use_srtp=1 debug_level=3" \
"$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
0 \
-s "found use_srtp extension" \
-s "found srtp profile" \
-s "selected srtp profile" \
-s "server hello, adding use_srtp extension" \
-s "DTLS-SRTP key material is"\
-g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
-c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl client." \
"$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
"$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
0 \
-s "found use_srtp extension" \
-s "found srtp profile" \
-s "selected srtp profile" \
-s "server hello, adding use_srtp extension" \
-s "DTLS-SRTP key material is"\
-g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
-c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP server and Client support only one matching profile. openssl client." \
"$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
"$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
0 \
-s "found use_srtp extension" \
-s "found srtp profile" \
-s "selected srtp profile" \
-s "server hello, adding use_srtp extension" \
-s "DTLS-SRTP key material is"\
-g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
-c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP server and Client support only one different profile. openssl client." \
"$P_SRV dtls=1 use_srtp=1 srtp_force_profile=1 debug_level=3" \
"$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
0 \
-s "found use_srtp extension" \
-s "found srtp profile" \
-S "selected srtp profile" \
-S "server hello, adding use_srtp extension" \
-S "DTLS-SRTP key material is"\
-C "SRTP Extension negotiated, profile"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl client" \
"$P_SRV dtls=1 debug_level=3" \
"$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
0 \
-s "found use_srtp extension" \
-S "server hello, adding use_srtp extension" \
-S "DTLS-SRTP key material is"\
-C "SRTP Extension negotiated, profile"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP all profiles supported. openssl server" \
"$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
"$P_CLI dtls=1 use_srtp=1 debug_level=3" \
0 \
-c "client hello, adding use_srtp extension" \
-c "found use_srtp extension" \
-c "found srtp profile" \
-c "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" \
-c "DTLS-SRTP key material is"\
-C "error"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl server." \
"$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
"$P_CLI dtls=1 use_srtp=1 debug_level=3" \
0 \
-c "client hello, adding use_srtp extension" \
-c "found use_srtp extension" \
-c "found srtp profile" \
-c "selected srtp profile" \
-c "DTLS-SRTP key material is"\
-C "error"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl server." \
"$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
"$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
0 \
-c "client hello, adding use_srtp extension" \
-c "found use_srtp extension" \
-c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
-c "selected srtp profile" \
-c "DTLS-SRTP key material is"\
-C "error"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl server." \
"$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
"$P_CLI dtls=1 use_srtp=1 debug_level=3" \
0 \
-c "client hello, adding use_srtp extension" \
-c "found use_srtp extension" \
-c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
-c "selected srtp profile" \
-c "DTLS-SRTP key material is"\
-C "error"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP server and Client support only one matching profile. openssl server." \
"$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
"$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
0 \
-c "client hello, adding use_srtp extension" \
-c "found use_srtp extension" \
-c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
-c "selected srtp profile" \
-c "DTLS-SRTP key material is"\
-C "error"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP server and Client support only one different profile. openssl server." \
"$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
"$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
0 \
-c "client hello, adding use_srtp extension" \
-C "found use_srtp extension" \
-C "found srtp profile" \
-C "selected srtp profile" \
-C "DTLS-SRTP key material is"\
-C "error"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl server" \
"$O_SRV -dtls" \
"$P_CLI dtls=1 use_srtp=1 debug_level=3" \
0 \
-c "client hello, adding use_srtp extension" \
-C "found use_srtp extension" \
-C "found srtp profile" \
-C "selected srtp profile" \
-C "DTLS-SRTP key material is"\
-C "error"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
run_test "DTLS-SRTP all profiles supported. server doesn't support mki. openssl server." \
"$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
"$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \
0 \
-c "client hello, adding use_srtp extension" \
-c "found use_srtp extension" \
-c "found srtp profile" \
-c "selected srtp profile" \
-c "DTLS-SRTP key material is"\
-c "DTLS-SRTP no mki value negotiated"\
-c "dumping 'sending mki' (8 bytes)" \
-C "dumping 'received mki' (8 bytes)" \
-C "error"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
requires_gnutls
run_test "DTLS-SRTP all profiles supported. gnutls client." \