mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-02 00:24:19 +01:00
API modified so server side can get mki value
+ client side discards self mki if server does not support it Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
This commit is contained in:
parent
adbd9449ec
commit
20c7db3a67
@ -3257,7 +3257,8 @@ int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
|
|||||||
unsigned char *mki_value,
|
unsigned char *mki_value,
|
||||||
uint16_t mki_len );
|
uint16_t mki_len );
|
||||||
/**
|
/**
|
||||||
* \brief Get the negotiated DTLS-SRTP Protection Profile.
|
* \brief Get the negotiated DTLS-SRTP informations:
|
||||||
|
* Protection profile and MKI value.
|
||||||
*
|
*
|
||||||
* \warning This function must be called after the handshake is
|
* \warning This function must be called after the handshake is
|
||||||
* completed. The value returned by this function must
|
* completed. The value returned by this function must
|
||||||
@ -3265,14 +3266,20 @@ int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
|
|||||||
*
|
*
|
||||||
* \param ssl The SSL context to query.
|
* \param ssl The SSL context to query.
|
||||||
*
|
*
|
||||||
* \return The DTLS SRTP protection profile in use. The return type is
|
* \return The negotiated DTLS-SRTP informations:
|
||||||
* a direct mapping of the iana defined value for protection
|
* - Protection profile in use.
|
||||||
|
* A direct mapping of the iana defined value for protection
|
||||||
* profile on an uint16_t.
|
* profile on an uint16_t.
|
||||||
* http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
|
* http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
|
||||||
* \return #MBEDTLS_TLS_SRTP_UNSET if the use of SRTP was not negotiated
|
* #MBEDTLS_TLS_SRTP_UNSET if the use of SRTP was not negotiated
|
||||||
* or peer's Hello packet was not parsed yet.
|
* or peer's Hello packet was not parsed yet.
|
||||||
|
* - mki size and value (if size is > 0). These informations are valid only
|
||||||
|
* if the protection profile returned is not MBEDTLS_TLS_SRTP_UNSET.
|
||||||
|
* Ownership of the returned structure is kept by the ssl context,
|
||||||
|
* the caller must duplicate any information that must live longer than
|
||||||
|
* the context (typically MKI size and value if any)
|
||||||
*/
|
*/
|
||||||
mbedtls_ssl_srtp_profile mbedtls_ssl_get_dtls_srtp_protection_profile
|
const mbedtls_dtls_srtp_info *mbedtls_ssl_get_dtls_srtp_negotiation_result
|
||||||
( const mbedtls_ssl_context *ssl );
|
( const mbedtls_ssl_context *ssl );
|
||||||
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
||||||
|
|
||||||
|
@ -1925,6 +1925,14 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
|
|||||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* If server does not use mki in its reply, make sure the client won't keep
|
||||||
|
* one as negotiated */
|
||||||
|
if( len == 5 )
|
||||||
|
{
|
||||||
|
ssl->dtls_srtp_info.mki_len = 0;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* RFC5764:
|
* RFC5764:
|
||||||
* If the client detects a nonzero-length MKI in the server's response
|
* If the client detects a nonzero-length MKI in the server's response
|
||||||
|
@ -4751,10 +4751,10 @@ int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf,
|
|||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
mbedtls_ssl_srtp_profile
|
const mbedtls_dtls_srtp_info *
|
||||||
mbedtls_ssl_get_dtls_srtp_protection_profile( const mbedtls_ssl_context *ssl )
|
mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
return( ssl->dtls_srtp_info.chosen_dtls_srtp_profile );
|
return( &( ssl->dtls_srtp_info ) );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
||||||
|
|
||||||
|
@ -2754,8 +2754,10 @@ int main( int argc, char *argv[] )
|
|||||||
else if( opt.use_srtp != 0 )
|
else if( opt.use_srtp != 0 )
|
||||||
{
|
{
|
||||||
size_t j = 0;
|
size_t j = 0;
|
||||||
|
const mbedtls_dtls_srtp_info *dtls_srtp_negotiation_result =
|
||||||
|
mbedtls_ssl_get_dtls_srtp_negotiation_result( &ssl );
|
||||||
|
|
||||||
if( ( mbedtls_ssl_get_dtls_srtp_protection_profile( &ssl )
|
if( ( dtls_srtp_negotiation_result->chosen_dtls_srtp_profile
|
||||||
== MBEDTLS_TLS_SRTP_UNSET ) )
|
== MBEDTLS_TLS_SRTP_UNSET ) )
|
||||||
{
|
{
|
||||||
mbedtls_printf( " Unable to negotiate "
|
mbedtls_printf( " Unable to negotiate "
|
||||||
@ -2797,6 +2799,20 @@ int main( int argc, char *argv[] )
|
|||||||
mbedtls_printf( "%02X", dtls_srtp_key_material[j] );
|
mbedtls_printf( "%02X", dtls_srtp_key_material[j] );
|
||||||
}
|
}
|
||||||
mbedtls_printf( "\n" );
|
mbedtls_printf( "\n" );
|
||||||
|
|
||||||
|
if ( dtls_srtp_negotiation_result->mki_len > 0 )
|
||||||
|
{
|
||||||
|
mbedtls_printf( " DTLS-SRTP mki value: " );
|
||||||
|
for( j = 0; j < dtls_srtp_negotiation_result->mki_len; j++ )
|
||||||
|
{
|
||||||
|
mbedtls_printf( "%02X", dtls_srtp_negotiation_result->mki_value[j] );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
mbedtls_printf( " DTLS-SRTP no mki value negociated" );
|
||||||
|
}
|
||||||
|
mbedtls_printf( "\n" );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
||||||
|
@ -3865,8 +3865,10 @@ handshake:
|
|||||||
else if( opt.use_srtp != 0 )
|
else if( opt.use_srtp != 0 )
|
||||||
{
|
{
|
||||||
size_t j = 0;
|
size_t j = 0;
|
||||||
|
const mbedtls_dtls_srtp_info *dtls_srtp_negotiation_result =
|
||||||
|
mbedtls_ssl_get_dtls_srtp_negotiation_result( &ssl );
|
||||||
|
|
||||||
if( ( mbedtls_ssl_get_dtls_srtp_protection_profile( &ssl )
|
if( ( dtls_srtp_negotiation_result->chosen_dtls_srtp_profile
|
||||||
== MBEDTLS_TLS_SRTP_UNSET ) )
|
== MBEDTLS_TLS_SRTP_UNSET ) )
|
||||||
{
|
{
|
||||||
mbedtls_printf( " Unable to negotiate "
|
mbedtls_printf( " Unable to negotiate "
|
||||||
@ -3908,6 +3910,21 @@ handshake:
|
|||||||
mbedtls_printf( "%02X", dtls_srtp_key_material[j] );
|
mbedtls_printf( "%02X", dtls_srtp_key_material[j] );
|
||||||
}
|
}
|
||||||
mbedtls_printf( "\n" );
|
mbedtls_printf( "\n" );
|
||||||
|
|
||||||
|
if ( dtls_srtp_negotiation_result->mki_len > 0 )
|
||||||
|
{
|
||||||
|
mbedtls_printf( " DTLS-SRTP mki value: " );
|
||||||
|
for( j = 0; j < dtls_srtp_negotiation_result->mki_len; j++ )
|
||||||
|
{
|
||||||
|
mbedtls_printf( "%02X", dtls_srtp_negotiation_result->mki_value[j] );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
mbedtls_printf( " DTLS-SRTP no mki value negociated" );
|
||||||
|
}
|
||||||
|
mbedtls_printf( "\n" );
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
||||||
|
@ -8862,6 +8862,7 @@ run_test "DTLS-SRTP all profiles supported. mki used" \
|
|||||||
-c "dumping 'received mki' (8 bytes)" \
|
-c "dumping 'received mki' (8 bytes)" \
|
||||||
-c "DTLS-SRTP key material is"\
|
-c "DTLS-SRTP key material is"\
|
||||||
-g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
|
-g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
|
||||||
|
-g "find_in_both '^ *DTLS-SRTP mki value: [0-9A-F]*$'"\
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
|
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
|
||||||
@ -8874,12 +8875,14 @@ run_test "DTLS-SRTP all profiles supported. server doesn't support mki." \
|
|||||||
-s "selected srtp profile" \
|
-s "selected srtp profile" \
|
||||||
-s "server hello, adding use_srtp extension" \
|
-s "server hello, adding use_srtp extension" \
|
||||||
-s "DTLS-SRTP key material is"\
|
-s "DTLS-SRTP key material is"\
|
||||||
|
-s "DTLS-SRTP no mki value negociated"\
|
||||||
-S "dumping 'using mki' (8 bytes)" \
|
-S "dumping 'using mki' (8 bytes)" \
|
||||||
-c "client hello, adding use_srtp extension" \
|
-c "client hello, adding use_srtp extension" \
|
||||||
-c "found use_srtp extension" \
|
-c "found use_srtp extension" \
|
||||||
-c "found srtp profile" \
|
-c "found srtp profile" \
|
||||||
-c "selected srtp profile" \
|
-c "selected srtp profile" \
|
||||||
-c "DTLS-SRTP key material is"\
|
-c "DTLS-SRTP key material is"\
|
||||||
|
-c "DTLS-SRTP no mki value negociated"\
|
||||||
-g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
|
-g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
|
||||||
-c "dumping 'sending mki' (8 bytes)" \
|
-c "dumping 'sending mki' (8 bytes)" \
|
||||||
-C "dumping 'received mki' (8 bytes)" \
|
-C "dumping 'received mki' (8 bytes)" \
|
||||||
@ -9066,6 +9069,7 @@ run_test "DTLS-SRTP all profiles supported. server doesn't support mki. openssl
|
|||||||
-c "found srtp profile" \
|
-c "found srtp profile" \
|
||||||
-c "selected srtp profile" \
|
-c "selected srtp profile" \
|
||||||
-c "DTLS-SRTP key material is"\
|
-c "DTLS-SRTP key material is"\
|
||||||
|
-c "DTLS-SRTP no mki value negociated"\
|
||||||
-c "dumping 'sending mki' (8 bytes)" \
|
-c "dumping 'sending mki' (8 bytes)" \
|
||||||
-C "dumping 'received mki' (8 bytes)" \
|
-C "dumping 'received mki' (8 bytes)" \
|
||||||
-C "error"
|
-C "error"
|
||||||
@ -9261,6 +9265,7 @@ run_test "DTLS-SRTP all profiles supported. mki used. gnutls server." \
|
|||||||
-c "found srtp profile" \
|
-c "found srtp profile" \
|
||||||
-c "selected srtp profile" \
|
-c "selected srtp profile" \
|
||||||
-c "DTLS-SRTP key material is"\
|
-c "DTLS-SRTP key material is"\
|
||||||
|
-c "DTLS-SRTP mki value:"\
|
||||||
-c "dumping 'sending mki' (8 bytes)" \
|
-c "dumping 'sending mki' (8 bytes)" \
|
||||||
-c "dumping 'received mki' (8 bytes)" \
|
-c "dumping 'received mki' (8 bytes)" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
Loading…
Reference in New Issue
Block a user