API modified so server side can get mki value
+ client side discards self mki if server does not support it Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
This commit is contained in:
parent
adbd9449ec
commit
20c7db3a67
@ -3257,7 +3257,8 @@ int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
|
||||
unsigned char *mki_value,
|
||||
uint16_t mki_len );
|
||||
/**
|
||||
* \brief Get the negotiated DTLS-SRTP Protection Profile.
|
||||
* \brief Get the negotiated DTLS-SRTP informations:
|
||||
* Protection profile and MKI value.
|
||||
*
|
||||
* \warning This function must be called after the handshake is
|
||||
* completed. The value returned by this function must
|
||||
@ -3265,14 +3266,20 @@ int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
|
||||
*
|
||||
* \param ssl The SSL context to query.
|
||||
*
|
||||
* \return The DTLS SRTP protection profile in use. The return type is
|
||||
* a direct mapping of the iana defined value for protection
|
||||
* \return The negotiated DTLS-SRTP informations:
|
||||
* - Protection profile in use.
|
||||
* A direct mapping of the iana defined value for protection
|
||||
* profile on an uint16_t.
|
||||
* http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
|
||||
* \return #MBEDTLS_TLS_SRTP_UNSET if the use of SRTP was not negotiated
|
||||
* #MBEDTLS_TLS_SRTP_UNSET if the use of SRTP was not negotiated
|
||||
* or peer's Hello packet was not parsed yet.
|
||||
* - mki size and value (if size is > 0). These informations are valid only
|
||||
* if the protection profile returned is not MBEDTLS_TLS_SRTP_UNSET.
|
||||
* Ownership of the returned structure is kept by the ssl context,
|
||||
* the caller must duplicate any information that must live longer than
|
||||
* the context (typically MKI size and value if any)
|
||||
*/
|
||||
mbedtls_ssl_srtp_profile mbedtls_ssl_get_dtls_srtp_protection_profile
|
||||
const mbedtls_dtls_srtp_info *mbedtls_ssl_get_dtls_srtp_negotiation_result
|
||||
( const mbedtls_ssl_context *ssl );
|
||||
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
||||
|
||||
|
@ -1925,6 +1925,14 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
|
||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||
}
|
||||
|
||||
/* If server does not use mki in its reply, make sure the client won't keep
|
||||
* one as negotiated */
|
||||
if( len == 5 )
|
||||
{
|
||||
ssl->dtls_srtp_info.mki_len = 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* RFC5764:
|
||||
* If the client detects a nonzero-length MKI in the server's response
|
||||
|
@ -4751,10 +4751,10 @@ int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf,
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
mbedtls_ssl_srtp_profile
|
||||
mbedtls_ssl_get_dtls_srtp_protection_profile( const mbedtls_ssl_context *ssl )
|
||||
const mbedtls_dtls_srtp_info *
|
||||
mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ssl )
|
||||
{
|
||||
return( ssl->dtls_srtp_info.chosen_dtls_srtp_profile );
|
||||
return( &( ssl->dtls_srtp_info ) );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
||||
|
||||
|
@ -2754,8 +2754,10 @@ int main( int argc, char *argv[] )
|
||||
else if( opt.use_srtp != 0 )
|
||||
{
|
||||
size_t j = 0;
|
||||
const mbedtls_dtls_srtp_info *dtls_srtp_negotiation_result =
|
||||
mbedtls_ssl_get_dtls_srtp_negotiation_result( &ssl );
|
||||
|
||||
if( ( mbedtls_ssl_get_dtls_srtp_protection_profile( &ssl )
|
||||
if( ( dtls_srtp_negotiation_result->chosen_dtls_srtp_profile
|
||||
== MBEDTLS_TLS_SRTP_UNSET ) )
|
||||
{
|
||||
mbedtls_printf( " Unable to negotiate "
|
||||
@ -2797,6 +2799,20 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_printf( "%02X", dtls_srtp_key_material[j] );
|
||||
}
|
||||
mbedtls_printf( "\n" );
|
||||
|
||||
if ( dtls_srtp_negotiation_result->mki_len > 0 )
|
||||
{
|
||||
mbedtls_printf( " DTLS-SRTP mki value: " );
|
||||
for( j = 0; j < dtls_srtp_negotiation_result->mki_len; j++ )
|
||||
{
|
||||
mbedtls_printf( "%02X", dtls_srtp_negotiation_result->mki_value[j] );
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
mbedtls_printf( " DTLS-SRTP no mki value negociated" );
|
||||
}
|
||||
mbedtls_printf( "\n" );
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
||||
|
@ -3865,8 +3865,10 @@ handshake:
|
||||
else if( opt.use_srtp != 0 )
|
||||
{
|
||||
size_t j = 0;
|
||||
const mbedtls_dtls_srtp_info *dtls_srtp_negotiation_result =
|
||||
mbedtls_ssl_get_dtls_srtp_negotiation_result( &ssl );
|
||||
|
||||
if( ( mbedtls_ssl_get_dtls_srtp_protection_profile( &ssl )
|
||||
if( ( dtls_srtp_negotiation_result->chosen_dtls_srtp_profile
|
||||
== MBEDTLS_TLS_SRTP_UNSET ) )
|
||||
{
|
||||
mbedtls_printf( " Unable to negotiate "
|
||||
@ -3908,6 +3910,21 @@ handshake:
|
||||
mbedtls_printf( "%02X", dtls_srtp_key_material[j] );
|
||||
}
|
||||
mbedtls_printf( "\n" );
|
||||
|
||||
if ( dtls_srtp_negotiation_result->mki_len > 0 )
|
||||
{
|
||||
mbedtls_printf( " DTLS-SRTP mki value: " );
|
||||
for( j = 0; j < dtls_srtp_negotiation_result->mki_len; j++ )
|
||||
{
|
||||
mbedtls_printf( "%02X", dtls_srtp_negotiation_result->mki_value[j] );
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
mbedtls_printf( " DTLS-SRTP no mki value negociated" );
|
||||
}
|
||||
mbedtls_printf( "\n" );
|
||||
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
||||
|
@ -8862,6 +8862,7 @@ run_test "DTLS-SRTP all profiles supported. mki used" \
|
||||
-c "dumping 'received mki' (8 bytes)" \
|
||||
-c "DTLS-SRTP key material is"\
|
||||
-g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
|
||||
-g "find_in_both '^ *DTLS-SRTP mki value: [0-9A-F]*$'"\
|
||||
-C "error"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
|
||||
@ -8874,12 +8875,14 @@ run_test "DTLS-SRTP all profiles supported. server doesn't support mki." \
|
||||
-s "selected srtp profile" \
|
||||
-s "server hello, adding use_srtp extension" \
|
||||
-s "DTLS-SRTP key material is"\
|
||||
-s "DTLS-SRTP no mki value negociated"\
|
||||
-S "dumping 'using mki' (8 bytes)" \
|
||||
-c "client hello, adding use_srtp extension" \
|
||||
-c "found use_srtp extension" \
|
||||
-c "found srtp profile" \
|
||||
-c "selected srtp profile" \
|
||||
-c "DTLS-SRTP key material is"\
|
||||
-c "DTLS-SRTP no mki value negociated"\
|
||||
-g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
|
||||
-c "dumping 'sending mki' (8 bytes)" \
|
||||
-C "dumping 'received mki' (8 bytes)" \
|
||||
@ -9066,6 +9069,7 @@ run_test "DTLS-SRTP all profiles supported. server doesn't support mki. openssl
|
||||
-c "found srtp profile" \
|
||||
-c "selected srtp profile" \
|
||||
-c "DTLS-SRTP key material is"\
|
||||
-c "DTLS-SRTP no mki value negociated"\
|
||||
-c "dumping 'sending mki' (8 bytes)" \
|
||||
-C "dumping 'received mki' (8 bytes)" \
|
||||
-C "error"
|
||||
@ -9261,6 +9265,7 @@ run_test "DTLS-SRTP all profiles supported. mki used. gnutls server." \
|
||||
-c "found srtp profile" \
|
||||
-c "selected srtp profile" \
|
||||
-c "DTLS-SRTP key material is"\
|
||||
-c "DTLS-SRTP mki value:"\
|
||||
-c "dumping 'sending mki' (8 bytes)" \
|
||||
-c "dumping 'received mki' (8 bytes)" \
|
||||
-C "error"
|
||||
|
Loading…
Reference in New Issue
Block a user