cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-10-30 19:20:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Style fixes

Browse Source 
1. Adjust to 80 colums where possible.
2. Add \ remove spaces where needed.
3. Fix alignments.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
This commit is contained in:
Ron Eldor 2018-07-12 11:54:20 +03:00 committed by Johan Pascal
parent 2b3dfe41af
commit ef72faf2bb
6 changed files with 212 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
include/mbedtls/ssl.h
View File

@ -3190,10 +3190,11 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl );
* (Default: MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) * (Default: MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED)
* *
* \param conf SSL configuration * \param conf SSL configuration
* \param support_mki_value Enable or disable (MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED or * \param support_mki_value Enable or disable (MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED
* MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) * or MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED)
*/ */
void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf, int support_mki_value ); void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf,
int support_mki_value );
/** /**
* \brief Set the supported DTLS-SRTP protection profiles. * \brief Set the supported DTLS-SRTP protection profiles.
@ -3205,7 +3206,9 @@ void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf, int su
* *
* \return 0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA. * \return 0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA.
*/ */
int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf, const mbedtls_ssl_srtp_profile *profiles, size_t profiles_number); int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf,
const mbedtls_ssl_srtp_profile *profiles,
size_t profiles_number );
/** /**
* \brief Set the mki_value for the current dtls session. * \brief Set the mki_value for the current dtls session.
@ -3214,9 +3217,12 @@ int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf, co
* \param mki_value MKI value to set * \param mki_value MKI value to set
* \param mki_len MKI length * \param mki_len MKI length
* *
* \return 0 on success, MBEDTLS_ERR_SSL_BAD_INPUT_DATA or MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE * \return 0 on success, MBEDTLS_ERR_SSL_BAD_INPUT_DATA
* or MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE on failure
*/ */
int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl, unsigned char* mki_value, size_t mki_len ); int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
unsigned char *mki_value,
size_t mki_len );
/** /**
* \brief Get the negotiated DTLS-SRTP Protection Profile. * \brief Get the negotiated DTLS-SRTP Protection Profile.
* This function should be called after the handshake is * This function should be called after the handshake is
@ -3224,22 +3230,28 @@ int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl, unsigned char
* *
* \param ssl SSL context * \param ssl SSL context
* *
* \return Protection Profile enum member, MBEDTLS_SRTP_UNSET_PROFILE if no protocol was negotiated. * \return Protection Profile enum member,
* MBEDTLS_SRTP_UNSET_PROFILE if no protocol was negotiated.
*/ */
mbedtls_ssl_srtp_profile mbedtls_ssl_get_dtls_srtp_protection_profile( const mbedtls_ssl_context *ssl ); mbedtls_ssl_srtp_profile mbedtls_ssl_get_dtls_srtp_protection_profile( const mbedtls_ssl_context *ssl );
/** /**
* \brief Get the generated DTLS-SRTP key material. * \brief Get the generated DTLS-SRTP key material.
* This function should be called after the handshake is * This function should be called after the handshake is
* completed. It shall returns 80 bytes of key material generated according to RFC5764 * completed. It shall returns 80 bytes of key material
* generated according to RFC5764
* *
* \param ssl SSL context * \param ssl SSL context
* \param key Buffer to hold the generated key material * \param key Buffer to hold the generated key material
* \param key_len [in/out] key buffer size. outputs the actual number of bytes written * \param key_len [in/out] key buffer size. outputs the actual number
* of bytes written
* *
* \return 0 on succes, MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if the key buffer is too small to hold the generated key * \return 0 on succes, MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if the key buffer
* is too small to hold the generated key
*/ */
int mbedtls_ssl_get_dtls_srtp_key_material( const mbedtls_ssl_context *ssl, unsigned char *key, size_t *key_len ); int mbedtls_ssl_get_dtls_srtp_key_material( const mbedtls_ssl_context *ssl,
unsigned char *key,
size_t *key_len );
/** /**
* \brief Utility function to get information on dtls srtp profile. * \brief Utility function to get information on dtls srtp profile.

95
library/ssl_cli.c
View File

@ -766,7 +766,8 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
*olen = 0; *olen = 0;
if( (ssl->conf->dtls_srtp_profile_list == NULL) || (ssl->conf->dtls_srtp_profile_list_len == 0) ) if( (ssl->conf->dtls_srtp_profile_list == NULL) ||
(ssl->conf->dtls_srtp_profile_list_len == 0) )
{ {
return; return;
} }
@ -785,52 +786,69 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
* } UseSRTPData; * } UseSRTPData;
* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
*
*/ */
if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED && if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
ssl->dtls_srtp_info.mki_len != 0 ) ssl->dtls_srtp_info.mki_len != 0 )
{ {
mki_len = ssl->dtls_srtp_info.mki_len; mki_len = ssl->dtls_srtp_info.mki_len;
} }
/* Extension length = 2bytes for profiles length, ssl->conf->dtls_srtp_profile_list_len*2 (each profile is 2 bytes length ) + 1 byte for srtp_mki vector length and the mki_len value */ /* Extension length = 2 bytes for profiles length,
*p++ = (unsigned char)( ( ( 2 + 2*(ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len ) >> 8 ) & 0xFF ); * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
*p++ = (unsigned char)( ( ( 2 + 2*(ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len ) ) & 0xFF ); * 1 byte for srtp_mki vector length and the mki_len value
*/
*p++ = (unsigned char)( ( ( 2 + 2 * ( ssl->conf->dtls_srtp_profile_list_len )
+ 1 + mki_len ) >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ( 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len )
+ 1 + mki_len ) ) & 0xFF );
/* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */ /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
*p++ = (unsigned char)( ( ( 2*(ssl->conf->dtls_srtp_profile_list_len) ) >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( ( 2 * (ssl->conf->dtls_srtp_profile_list_len) )
*p++ = (unsigned char)( ( 2*(ssl->conf->dtls_srtp_profile_list_len) ) & 0xFF ); >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( 2 * (ssl->conf->dtls_srtp_profile_list_len) )
& 0xFF );
for( protection_profiles_index=0; protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len; protection_profiles_index++ ) for( protection_profiles_index=0;
protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
protection_profiles_index++ )
{ {
switch (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]) { switch (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]) {
case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80: case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_write_use_srtp_ext, add profile: %04x", MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_write_use_srtp_ext, add profile: %04x",
MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE ) ); MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE ) );
*p++ = ( ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE ) >> 8 ) & 0xFF); *p++ = ( ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE )
*p++ = ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE ) & 0xFF); >> 8 ) & 0xFF );
*p++ = ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE )
& 0xFF );
break; break;
case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32: case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_write_use_srtp_ext, add profile: %04x", MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_write_use_srtp_ext, add profile: %04x",
MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE ) ); MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE ) );
*p++ = ( ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE ) >> 8 ) & 0xFF); *p++ = ( ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE )
*p++ = ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE ) & 0xFF); >> 8 ) & 0xFF );
*p++ = ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE )
& 0xFF );
break; break;
case MBEDTLS_SRTP_NULL_HMAC_SHA1_80: case MBEDTLS_SRTP_NULL_HMAC_SHA1_80:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_write_use_srtp_ext, add profile: %04x", MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_write_use_srtp_ext, add profile: %04x",
MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE ) ); MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE ) );
*p++ = ( ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE ) >> 8 ) & 0xFF); *p++ = ( ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE ) >> 8 )
& 0xFF ) ;
*p++ = ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE ) & 0xFF ); *p++ = ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE ) & 0xFF );
break; break;
case MBEDTLS_SRTP_NULL_HMAC_SHA1_32: case MBEDTLS_SRTP_NULL_HMAC_SHA1_32:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_write_use_srtp_ext, add profile: %04x", MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_write_use_srtp_ext, add profile: %04x",
MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE ) ); MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE ) );
*p++ = ( ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE ) >> 8 ) & 0xFF); *p++ = ( ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE ) >> 8 )
& 0xFF );
*p++ = ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE ) & 0xFF ); *p++ = ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE ) & 0xFF );
break; break;
default: default:
/* Note: we shall never arrive here as protection profiles is checked by ssl_set_dtls_srtp_protection_profiles function */ /*
MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello, ignore illegal DTLS-SRTP protection profile %d", ssl->conf->dtls_srtp_profile_list[protection_profiles_index]) ); * Note: we shall never arrive here as protection profiles
* is checked by ssl_set_dtls_srtp_protection_profiles function
*/
MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello, ignore illegal DTLS-SRTP protection profile %d",
ssl->conf->dtls_srtp_profile_list[protection_profiles_index]) );
break; break;
} }
} }
@ -843,10 +861,17 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
{ {
*p++ = ssl->dtls_srtp_info.mki_value[i]; *p++ = ssl->dtls_srtp_info.mki_value[i];
} }
MBEDTLS_SSL_DEBUG_BUF( 3, "sending mki", ssl->dtls_srtp_info.mki_value, ssl->dtls_srtp_info.mki_len ); MBEDTLS_SSL_DEBUG_BUF( 3, "sending mki", ssl->dtls_srtp_info.mki_value,
ssl->dtls_srtp_info.mki_len );
} }
/* total extension length: extension type (2 bytes) + extension length (2 bytes) + protection profile length (2 bytes) + 2*nb protection profiles + srtp_mki vector length(1 byte)*/ /*
* total extension length: extension type (2 bytes)
* + extension length (2 bytes)
* + protection profile length (2 bytes)
* + 2 * number of protection profiles
* + srtp_mki vector length(1 byte)
*/
*olen = 2 + 2 + 2 + 2 * ( ssl->conf->dtls_srtp_profile_list_len ) + 1 + mki_len; *olen = 2 + 2 + 2 + 2 * ( ssl->conf->dtls_srtp_profile_list_len ) + 1 + mki_len;
} }
#endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_DTLS_SRTP */
@ -1815,7 +1840,8 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_DTLS_SRTP) #if defined(MBEDTLS_SSL_DTLS_SRTP)
static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl, static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len ) const unsigned char *buf,
size_t len )
{ {
mbedtls_ssl_srtp_profile server_protection = MBEDTLS_SRTP_UNSET_PROFILE; mbedtls_ssl_srtp_profile server_protection = MBEDTLS_SRTP_UNSET_PROFILE;
size_t i, mki_len = 0; size_t i, mki_len = 0;
@ -1823,7 +1849,8 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
const mbedtls_ssl_srtp_profile_info * profile_info; const mbedtls_ssl_srtp_profile_info * profile_info;
/* If use_srtp is not configured, just ignore the extension */ /* If use_srtp is not configured, just ignore the extension */
if( ( ssl->conf->dtls_srtp_profile_list == NULL ) || ( ssl->conf->dtls_srtp_profile_list_len == 0 ) ) if( ssl->conf->dtls_srtp_profile_list == NULL ||
ssl->conf->dtls_srtp_profile_list_len == 0 )
return( 0 ); return( 0 );
/* RFC5764 section 4.1.1 /* RFC5764 section 4.1.1
@ -1843,16 +1870,27 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
mki_len = ssl->dtls_srtp_info.mki_len; mki_len = ssl->dtls_srtp_info.mki_len;
} }
/* Length is 5 and optional mki_value : one protection profile(2 bytes) + length(2 bytes) and srtp_mki */ /*
* Length is 5 and optional mki_value : one protection profile(2 bytes)
* + length(2 bytes) and srtp_mki
*/
if( ( len != 5 ) && ( len != ( 5 + mki_len ) ) ) if( ( len != 5 ) && ( len != ( 5 + mki_len ) ) )
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
/* /*
* get the server protection profile * get the server protection profile
*/ */
if (((uint16_t)( ( buf[0]<<8 ) | buf[1] ) ) != 0x0002) { /* protection profile length must be 0x0002 as we must have only one protection profile in server Hello */
/*
* protection profile length must be 0x0002 as we must have only
* one protection profile in server Hello
*/
if( ( (uint16_t)( ( buf[0] << 8 ) | buf[1] ) ) != 0x0002 )
{
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
} else { }
else
{
server_protection_profile_value = ( buf[2] << 8 ) | buf[3]; server_protection_profile_value = ( buf[2] << 8 ) | buf[3];
} }
@ -1900,7 +1938,8 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
} }
/* RFC5764: /*
* RFC5764:
* If the client detects a nonzero-length MKI in the server's response * If the client detects a nonzero-length MKI in the server's response
* that is different than the one the client offered, then the client * that is different than the one the client offered, then the client
* MUST abort the handshake and SHOULD send an invalid_parameter alert. * MUST abort the handshake and SHOULD send an invalid_parameter alert.
@ -1915,7 +1954,8 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
#if defined (MBEDTLS_DEBUG_C) #if defined (MBEDTLS_DEBUG_C)
if( len > 5 ) if( len > 5 )
{ {
MBEDTLS_SSL_DEBUG_BUF( 3, "received mki", ssl->dtls_srtp_info.mki_value, ssl->dtls_srtp_info.mki_len ); MBEDTLS_SSL_DEBUG_BUF( 3, "received mki", ssl->dtls_srtp_info.mki_value,
ssl->dtls_srtp_info.mki_len );
} }
#endif #endif
return 0; return 0;
@ -3475,8 +3515,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
} }
else else
{ {
#endif #endif /* MBEDTLS_SSL_DTLS_SRTP */
/* MBEDTLS_SSL_DTLS_SRTP */
/* Current message is probably the ServerHelloDone */ /* Current message is probably the ServerHelloDone */
ssl->keep_current_message = 1; ssl->keep_current_message = 1;
#if defined(MBEDTLS_SSL_DTLS_SRTP) #if defined(MBEDTLS_SSL_DTLS_SRTP)

67
library/ssl_srv.c
View File

@ -778,7 +778,8 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_DTLS_SRTP) #if defined(MBEDTLS_SSL_DTLS_SRTP)
static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl, static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len ) const unsigned char *buf,
size_t len )
{ {
mbedtls_ssl_srtp_profile client_protection = MBEDTLS_SRTP_UNSET_PROFILE; mbedtls_ssl_srtp_profile client_protection = MBEDTLS_SRTP_UNSET_PROFILE;
size_t i,j; size_t i,j;
@ -786,7 +787,8 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
const mbedtls_ssl_srtp_profile_info *profile_info; const mbedtls_ssl_srtp_profile_info *profile_info;
/* If use_srtp is not configured, just ignore the extension */ /* If use_srtp is not configured, just ignore the extension */
if( ( ssl->conf->dtls_srtp_profile_list == NULL ) || ( ssl->conf->dtls_srtp_profile_list_len == 0 ) ) if( ssl->conf->dtls_srtp_profile_list == NULL ||
ssl->conf->dtls_srtp_profile_list_len == 0 )
return( 0 ); return( 0 );
/* RFC5764 section 4.1.1 /* RFC5764 section 4.1.1
@ -798,22 +800,28 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
* } UseSRTPData; * } UseSRTPData;
* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
*
*/ */
/* Min length is 5: at least one protection profile(2 bytes) and length(2 bytes) + srtp_mki length(1 byte) */ /*
* Min length is 5: at least one protection profile(2 bytes)
* and length(2 bytes) + srtp_mki length(1 byte)
*/
if( len < 5 ) if( len < 5 )
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_SRTP_UNSET_PROFILE; ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_SRTP_UNSET_PROFILE;
profile_length = ( buf[0] << 8 ) | buf[1]; /* first 2 bytes are protection profile length(in bytes) */ /* first 2 bytes are protection profile length(in bytes) */
profile_length = ( buf[0] << 8 ) | buf[1];
/*
/* parse the extension list values are defined in http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml */ * parse the extension list values are defined in
* http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
*/
for( j=0; j < profile_length; j += 2 ) for( j=0; j < profile_length; j += 2 )
{ {
uint16_t protection_profile_value = buf[j+2]<<8 | buf[j+3]; /* +2 to skip the length field */ /* + 2 to skip the length field */
uint16_t protection_profile_value = buf[j + 2] << 8 | buf[j+3];
switch ( protection_profile_value ) switch ( protection_profile_value )
{ {
@ -869,7 +877,8 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
ssl->dtls_srtp_info.mki_value[i] = buf[profile_length + 2 + 1 + i]; ssl->dtls_srtp_info.mki_value[i] = buf[profile_length + 2 + 1 + i];
} }
MBEDTLS_SSL_DEBUG_BUF( 3, "using mki", ssl->dtls_srtp_info.mki_value, ssl->dtls_srtp_info.mki_len ); MBEDTLS_SSL_DEBUG_BUF( 3, "using mki", ssl->dtls_srtp_info.mki_value,
ssl->dtls_srtp_info.mki_len );
} }
return( 0 ); return( 0 );
@ -2611,7 +2620,8 @@ static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_DTLS_SRTP ) && defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_DTLS_SRTP ) && defined(MBEDTLS_SSL_PROTO_DTLS)
static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl, static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
unsigned char *buf, size_t *olen ) unsigned char *buf,
size_t *olen )
{ {
size_t mki_len = 0, ext_len = 0, i; size_t mki_len = 0, ext_len = 0, i;
@ -2632,7 +2642,10 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
/* extension */ /* extension */
buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF ); buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF );
buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP ) & 0xFF ); buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP ) & 0xFF );
/* total length 5 and mki value: only one profile(2 bytes) and length(2 bytes) and srtp_mki ) */ /*
* total length 5 and mki value: only one profile(2 bytes)
* and length(2 bytes) and srtp_mki )
*/
ext_len = 5 + mki_len; ext_len = 5 + mki_len;
buf[2] = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); buf[2] = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
buf[3] = (unsigned char)( ext_len & 0xFF ); buf[3] = (unsigned char)( ext_len & 0xFF );
@ -2642,20 +2655,28 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
buf[5] = 0x02; buf[5] = 0x02;
switch (ssl->dtls_srtp_info.chosen_dtls_srtp_profile) { switch (ssl->dtls_srtp_info.chosen_dtls_srtp_profile) {
case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80: case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80:
buf[6] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE >> 8) & 0xFF ); buf[6] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE >> 8 )
buf[7] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE ) & 0xFF ); & 0xFF );
buf[7] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE )
& 0xFF );
break; break;
case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32: case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32:
buf[6] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE >> 8) & 0xFF ); buf[6] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE >> 8 )
buf[7] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE ) & 0xFF ); & 0xFF );
buf[7] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE )
& 0xFF );
break; break;
case MBEDTLS_SRTP_NULL_HMAC_SHA1_80: case MBEDTLS_SRTP_NULL_HMAC_SHA1_80:
buf[6] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE >> 8) & 0xFF ); buf[6] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE >> 8 )
buf[7] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE ) & 0xFF ); & 0xFF );
buf[7] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE )
& 0xFF );
break; break;
case MBEDTLS_SRTP_NULL_HMAC_SHA1_32: case MBEDTLS_SRTP_NULL_HMAC_SHA1_32:
buf[6] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE >> 8) & 0xFF ); buf[6] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE >> 8 )
buf[7] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE ) & 0xFF ); & 0xFF );
buf[7] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE )
& 0xFF );
break; break;
default: default:
*olen = 0; *olen = 0;
@ -3030,8 +3051,12 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
else else
#endif #endif
#if defined(MBEDTLS_SSL_DTLS_SRTP) #if defined(MBEDTLS_SSL_DTLS_SRTP)
/* check if we have a chosen srtp protection profile, force verify mode to be at least OPTIONAL */ /*
if ( ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE ) && ( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) ) { * check if we have a chosen srtp protection profile,
* force verify mode to be at least OPTIONAL
*/
if ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE &&
ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) {
authmode = MBEDTLS_SSL_VERIFY_OPTIONAL; authmode = MBEDTLS_SSL_VERIFY_OPTIONAL;
} }
else else

36
library/ssl_tls.c
View File

@ -874,18 +874,18 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
#if defined(MBEDTLS_SSL_DTLS_SRTP) #if defined(MBEDTLS_SSL_DTLS_SRTP)
/* check if we have a chosen srtp protection profile */ /* check if we have a chosen srtp protection profile */
if( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE ) { if( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE ) {
/* derive key material for srtp session RFC5764 section 4.2 */ /* derive key material for srtp session RFC5764 section 4.2
/* master key and master salt are respectively 128 bits and 112 bits for all currently available modes : * master key and master salt are respectively 128 bits and 112 bits
* for all currently available modes :
* SRTP_AES128_CM_HMAC_SHA1_80, SRTP_AES128_CM_HMAC_SHA1_32 * SRTP_AES128_CM_HMAC_SHA1_80, SRTP_AES128_CM_HMAC_SHA1_32
* SRTP_NULL_HMAC_SHA1_80, SRTP_NULL_HMAC_SHA1_32 * SRTP_NULL_HMAC_SHA1_80, SRTP_NULL_HMAC_SHA1_32
* So we must export 2*(128 + 112) = 480 bits * So we must export 2*(128 + 112) = 480 bits
*/ */
ssl->dtls_srtp_info.dtls_srtp_keys_len = MBEDTLS_DTLS_SRTP_MAX_KEY_MATERIAL_LENGTH; ssl->dtls_srtp_info.dtls_srtp_keys_len = MBEDTLS_DTLS_SRTP_MAX_KEY_MATERIAL_LENGTH;
//ssl->dtls_srtp_info.dtls_srtp_keys = (unsigned char *)mbedtls_calloc(1, ssl->dtls_srtp_info.dtls_srtp_keys_len);
ret = tls_prf( master, 48, "EXTRACTOR-dtls_srtp", ret = tls_prf( master, 48, "EXTRACTOR-dtls_srtp",
randbytes, 64, ssl->dtls_srtp_info.dtls_srtp_keys, ssl->dtls_srtp_info.dtls_srtp_keys_len ); randbytes, 64, ssl->dtls_srtp_info.dtls_srtp_keys,
ssl->dtls_srtp_info.dtls_srtp_keys_len );
if( ret != 0 ) if( ret != 0 )
{ {
@ -2754,7 +2754,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
: ssl->dtls_srtp_info.chosen_dtls_srtp_profile != : ssl->dtls_srtp_info.chosen_dtls_srtp_profile !=
MBEDTLS_SRTP_UNSET_PROFILE MBEDTLS_SRTP_UNSET_PROFILE
&& ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE && ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE
? MBEDTLS_SSL_VERIFY_REQUIRED ? MBEDTLS_SSL_VERIFY_OPTIONAL
#endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_DTLS_SRTP */
: ssl->conf->authmode; : ssl->conf->authmode;
#else #else
@ -2763,7 +2763,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
ssl->dtls_srtp_info.chosen_dtls_srtp_profile != ssl->dtls_srtp_info.chosen_dtls_srtp_profile !=
MBEDTLS_SRTP_UNSET_PROFILE && MBEDTLS_SRTP_UNSET_PROFILE &&
ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ? ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ?
MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_OPTIONAL :
#endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_DTLS_SRTP */
ssl->conf->authmode; ssl->conf->authmode;
#endif #endif
@ -4762,12 +4762,15 @@ const mbedtls_ssl_srtp_profile_info *mbedtls_ssl_dtls_srtp_profile_info_from_id(
return( NULL ); return( NULL );
} }
void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf, int support_mki_value ) void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf,
int support_mki_value )
{ {
conf->dtls_srtp_mki_support = support_mki_value; conf->dtls_srtp_mki_support = support_mki_value;
} }
int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl, unsigned char* mki_value, size_t mki_len ) int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
unsigned char *mki_value,
size_t mki_len )
{ {
if ( mki_len > MBEDTLS_DTLS_SRTP_MAX_MKI_LENGTH ) if ( mki_len > MBEDTLS_DTLS_SRTP_MAX_MKI_LENGTH )
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
@ -4780,7 +4783,9 @@ int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl, unsigned char
return 0; return 0;
} }
int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf, const mbedtls_ssl_srtp_profile *profiles, size_t profiles_number) int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf,
const mbedtls_ssl_srtp_profile *profiles,
size_t profiles_number )
{ {
size_t i; size_t i;
/* check in put validity : must be a list of profiles from enumeration */ /* check in put validity : must be a list of profiles from enumeration */
@ -4819,14 +4824,17 @@ mbedtls_ssl_srtp_profile mbedtls_ssl_get_dtls_srtp_protection_profile( const mbe
return( ssl->dtls_srtp_info.chosen_dtls_srtp_profile ); return( ssl->dtls_srtp_info.chosen_dtls_srtp_profile );
} }
int mbedtls_ssl_get_dtls_srtp_key_material( const mbedtls_ssl_context *ssl, unsigned char *key, size_t *key_len ) { int mbedtls_ssl_get_dtls_srtp_key_material( const mbedtls_ssl_context *ssl,
unsigned char *key,
size_t *key_len ) {
/* check output buffer size */ /* check output buffer size */
if( *key_len < ssl->dtls_srtp_info.dtls_srtp_keys_len ) { if( *key_len < ssl->dtls_srtp_info.dtls_srtp_keys_len ) {
return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
} }
memcpy( key, ssl->dtls_srtp_info.dtls_srtp_keys, ssl->dtls_srtp_info.dtls_srtp_keys_len); memcpy( key, ssl->dtls_srtp_info.dtls_srtp_keys,
ssl->dtls_srtp_info.dtls_srtp_keys_len );
*key_len = ssl->dtls_srtp_info.dtls_srtp_keys_len; *key_len = ssl->dtls_srtp_info.dtls_srtp_keys_len;
return 0; return 0;
@ -6931,8 +6939,8 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
#endif #endif
#if defined (MBEDTLS_SSL_DTLS_SRTP) #if defined (MBEDTLS_SSL_DTLS_SRTP)
mbedtls_platform_zeroize( ssl->dtls_srtp_info.dtls_srtp_keys, ssl->dtls_srtp_info.dtls_srtp_keys_len ); mbedtls_platform_zeroize( ssl->dtls_srtp_info.dtls_srtp_keys,
//mbedtls_free( ssl->dtls_srtp_keys ); ssl->dtls_srtp_info.dtls_srtp_keys_len );
#endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_DTLS_SRTP */
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );

11
programs/ssl/ssl_client2.c
View File

@ -2285,7 +2285,9 @@ int main( int argc, char *argv[] )
if( opt.force_srtp_profile != DFL_SRTP_FORCE_PROFILE ) if( opt.force_srtp_profile != DFL_SRTP_FORCE_PROFILE )
{ {
const mbedtls_ssl_srtp_profile forced_profile[] = { opt.force_srtp_profile }; const mbedtls_ssl_srtp_profile forced_profile[] = { opt.force_srtp_profile };
ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf, forced_profile, sizeof( forced_profile ) / sizeof( mbedtls_ssl_srtp_profile ) ); ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf,
forced_profile,
sizeof( forced_profile ) / sizeof( mbedtls_ssl_srtp_profile ) );
} }
else else
{ {
@ -2293,7 +2295,9 @@ int main( int argc, char *argv[] )
MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32, MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32,
MBEDTLS_SRTP_NULL_HMAC_SHA1_80, MBEDTLS_SRTP_NULL_HMAC_SHA1_80,
MBEDTLS_SRTP_NULL_HMAC_SHA1_32 }; MBEDTLS_SRTP_NULL_HMAC_SHA1_32 };
ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf, default_profiles, sizeof( default_profiles ) / sizeof( mbedtls_ssl_srtp_profile ) ); ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf,
default_profiles,
sizeof( default_profiles ) / sizeof( mbedtls_ssl_srtp_profile ) );
} }
if( ret != 0 ) if( ret != 0 )
@ -2557,7 +2561,8 @@ int main( int argc, char *argv[] )
} }
mbedtls_ssl_conf_srtp_mki_value_supported( &conf, MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED ); mbedtls_ssl_conf_srtp_mki_value_supported( &conf, MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED );
if( ( ret = mbedtls_ssl_dtls_srtp_set_mki_value( &ssl, mki, strlen( mki )) ) != 0 ) if( ( ret = mbedtls_ssl_dtls_srtp_set_mki_value( &ssl, mki,
strlen( mki ) ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_dtls_srtp_set_mki_value returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_dtls_srtp_set_mki_value returned %d\n\n", ret );
goto exit; goto exit;

8
programs/ssl/ssl_server2.c
View File

@ -3103,7 +3103,9 @@ int main( int argc, char *argv[] )
if( opt.force_srtp_profile != DFL_SRTP_FORCE_PROFILE ) if( opt.force_srtp_profile != DFL_SRTP_FORCE_PROFILE )
{ {
const mbedtls_ssl_srtp_profile forced_profile[] = { opt.force_srtp_profile }; const mbedtls_ssl_srtp_profile forced_profile[] = { opt.force_srtp_profile };
ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf, forced_profile, sizeof( forced_profile ) / sizeof( mbedtls_ssl_srtp_profile ) ); ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf,
forced_profile,
sizeof( forced_profile ) / sizeof( mbedtls_ssl_srtp_profile ) );
} }
else else
{ {
@ -3111,7 +3113,9 @@ int main( int argc, char *argv[] )
MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32, MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32,
MBEDTLS_SRTP_NULL_HMAC_SHA1_80, MBEDTLS_SRTP_NULL_HMAC_SHA1_80,
MBEDTLS_SRTP_NULL_HMAC_SHA1_32 }; MBEDTLS_SRTP_NULL_HMAC_SHA1_32 };
ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf, default_profiles, sizeof( default_profiles ) / sizeof( mbedtls_ssl_srtp_profile ) ); ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf,
default_profiles,
sizeof( default_profiles ) / sizeof( mbedtls_ssl_srtp_profile ) );
} }
if( ret != 0 ) if( ret != 0 )