Fix mki issues

1. Set correct mki from the `use_srtp` extension.
2. Use mki value received from the client as the mki used by server.
3. Use `mbedtls_ssl_dtls_srtp_set_mki_value()` as a client API only.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
This commit is contained in:
Ron Eldor 2018-07-03 15:08:32 +03:00 committed by Johan Pascal
parent 6ea64518ad
commit 12c6eaddd5
3 changed files with 16 additions and 28 deletions

View file

@ -856,9 +856,10 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
ssl->dtls_srtp_info.mki_len = buf[ profile_length + 2 ];
for( i=0; i < ssl->dtls_srtp_info.mki_len; i++ )
{
ssl->dtls_srtp_info.mki_value[i] = buf[ profile_length + 2 + i ];
ssl->dtls_srtp_info.mki_value[i] = buf[ profile_length + 2 + 1 + i ];
}
}

View file

@ -185,7 +185,7 @@ int main( void )
#define DFL_QUERY_CONFIG_MODE 0
#define DFL_USE_SRTP 0
#define DFL_SRTP_FORCE_PROFILE MBEDTLS_SRTP_UNSET_PROFILE
#define DFL_SRTP_MKI ""
#define DFL_SRTP_SUPPORT_MKI 0
#define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
"02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
@ -423,7 +423,7 @@ int main( void )
" 2 - SRTP_AES128_CM_HMAC_SHA1_32\n" \
" 3 - SRTP_NULL_HMAC_SHA1_80\n" \
" 4 - SRTP_NULL_HMAC_SHA1_32\n" \
" mki=%%s default: \"\" (in hex, without 0x)\n"
" support_mki=%%d default: 0 (not supported)\n"
#else
#define USAGE_SRTP ""
#endif
@ -665,7 +665,7 @@ struct options
int query_config_mode; /* whether to read config */
int use_srtp; /* Support SRTP */
int force_srtp_profile; /* SRTP protection profile to use or all */
const char* mki; /* The dtls mki value to use */
int support_mki; /* The dtls mki mki support */
} opt;
int query_config( const char *config );
@ -2002,7 +2002,7 @@ int main( int argc, char *argv[] )
opt.query_config_mode = DFL_QUERY_CONFIG_MODE;
opt.use_srtp = DFL_USE_SRTP;
opt.force_srtp_profile = DFL_SRTP_FORCE_PROFILE;
opt.mki = DFL_SRTP_MKI;
opt.support_mki = DFL_SRTP_SUPPORT_MKI;
for( i = 1; i < argc; i++ )
{
@ -2459,9 +2459,9 @@ int main( int argc, char *argv[] )
{
opt.force_srtp_profile = atoi( q );
}
else if( strcmp( p, "mki" ) == 0 )
else if( strcmp( p, "support_mki" ) == 0 )
{
opt.mki = q;
opt.support_mki = atoi( q );
}
else
goto usage;
@ -3120,6 +3120,11 @@ int main( int argc, char *argv[] )
goto exit;
}
mbedtls_ssl_conf_srtp_mki_value_supported( &conf,
opt.support_mki ?
MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED :
MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED );
}
else if( opt.force_srtp_profile != DFL_SRTP_FORCE_PROFILE )
{
@ -3534,24 +3539,6 @@ int main( int argc, char *argv[] )
mbedtls_timing_get_delay );
#endif
#if defined(MBEDTLS_SSL_DTLS_SRTP)
if( opt.use_srtp != DFL_USE_SRTP && strlen( opt.mki ) != 0 )
{
if( unhexify( mki, opt.mki, &mki_len ) != 0 )
{
mbedtls_printf( "mki value not valid hex\n" );
goto exit;
}
mbedtls_ssl_conf_srtp_mki_value_supported( &conf, MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED );
if( ( ret = mbedtls_ssl_dtls_srtp_set_mki_value( &ssl, mki, mki_len) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_dtls_srtp_set_mki_value returned %d\n\n", ret );
goto exit;
}
}
#endif
mbedtls_printf( " ok\n" );
reset: