From 6ea64518ad7d7a1d52b3d4a8f3d07a2b4b7047dd Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Mon, 2 Jul 2018 10:08:07 +0300 Subject: [PATCH] Add dtls-srtp to client and server examples Add dtls-srtp to `ssl_client2` and `ssl_server2` examples, for reference and for allowing in tests. Signed-off-by: Johan Pascal --- programs/ssl/ssl_client2.c | 91 ++++++++++++++++++++++++++++++++++++- programs/ssl/ssl_server2.c | 92 +++++++++++++++++++++++++++++++++++++- 2 files changed, 180 insertions(+), 3 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index b9047df1d..d9d5cad36 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -150,6 +150,9 @@ int main( void ) #define DFL_NSS_KEYLOG_FILE NULL #define DFL_SKIP_CLOSE_NOTIFY 0 #define DFL_QUERY_CONFIG_MODE 0 +#define DFL_USE_SRTP 0 +#define DFL_SRTP_FORCE_PROFILE MBEDTLS_SRTP_UNSET_PROFILE +#define DFL_SRTP_MKI "" #define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: " #define GET_REQUEST_END "\r\n\r\n" @@ -321,6 +324,20 @@ int main( void ) #define USAGE_DTLS "" #endif +#if defined(MBEDTLS_SSL_DTLS_SRTP) +#define USAGE_SRTP \ + " use_srtp=%%d default: 0 (disabled)\n" \ + " srtp_force_profile=%%d default: all enabled\n" \ + " available profiles:\n" \ + " 1 - SRTP_AES128_CM_HMAC_SHA1_80\n" \ + " 2 - SRTP_AES128_CM_HMAC_SHA1_32\n" \ + " 3 - SRTP_NULL_HMAC_SHA1_80\n" \ + " 4 - SRTP_NULL_HMAC_SHA1_32\n" \ + " mki=%%s default: \"\" (in hex, without 0x)\n" +#else +#define USAGE_SRTP "" +#endif + #if defined(MBEDTLS_SSL_FALLBACK_SCSV) #define USAGE_FALLBACK \ " fallback=0/1 default: (library default: off)\n" @@ -407,6 +424,7 @@ int main( void ) "\n" \ USAGE_DTLS \ USAGE_CID \ + USAGE_SRTP \ "\n" #define USAGE2 \ " auth_mode=%%s default: (library default: none)\n" \ @@ -541,6 +559,9 @@ struct options int reproducible; /* make communication reproducible */ int skip_close_notify; /* skip sending the close_notify alert */ int query_config_mode; /* whether to read config */ + int use_srtp; /* Support SRTP */ + int force_srtp_profile; /* SRTP protection profile to use or all */ + const char* mki; /* The dtls mki value to use */ } opt; int query_config( const char *config ); @@ -1134,6 +1155,10 @@ int main( int argc, char *argv[] ) mbedtls_ecp_group_id curve_list[CURVE_LIST_SIZE]; const mbedtls_ecp_curve_info *curve_cur; #endif +#if defined(MBEDTLS_SSL_DTLS_SRTP) + unsigned char mki[MBEDTLS_DTLS_SRTP_MAX_MKI_LENGTH]; + size_t mki_len = 0; +#endif const char *pers = "ssl_client2"; @@ -1304,6 +1329,9 @@ int main( int argc, char *argv[] ) opt.nss_keylog_file = DFL_NSS_KEYLOG_FILE; opt.skip_close_notify = DFL_SKIP_CLOSE_NOTIFY; opt.query_config_mode = DFL_QUERY_CONFIG_MODE; + opt.use_srtp = DFL_USE_SRTP; + opt.force_srtp_profile = DFL_SRTP_FORCE_PROFILE; + opt.mki = DFL_SRTP_MKI; for( i = 1; i < argc; i++ ) { @@ -1729,6 +1757,18 @@ int main( int argc, char *argv[] ) opt.skip_close_notify = atoi( q ); if( opt.skip_close_notify < 0 || opt.skip_close_notify > 1 ) goto usage; + } + else if( strcmp( p, "use_srtp" ) == 0 ) + { + opt.use_srtp = atoi ( q ); + } + else if( strcmp( p, "srtp_force_profile" ) == 0 ) + { + opt.force_srtp_profile = atoi( q ); + } + else if( strcmp( p, "mki" ) == 0 ) + { + opt.mki = q; } else goto usage; @@ -1837,7 +1877,6 @@ int main( int argc, char *argv[] ) opt.arc4 = MBEDTLS_SSL_ARC4_ENABLED; } - #if defined(MBEDTLS_USE_PSA_CRYPTO) if( opt.psk_opaque != 0 ) { @@ -2240,6 +2279,37 @@ int main( int argc, char *argv[] ) } #endif +#if defined(MBEDTLS_SSL_DTLS_SRTP) + if( opt.use_srtp != DFL_USE_SRTP ) + { + if( opt.force_srtp_profile != DFL_SRTP_FORCE_PROFILE ) + { + const mbedtls_ssl_srtp_profile forced_profile[] = { opt.force_srtp_profile }; + ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf, forced_profile, sizeof( forced_profile ) / sizeof( mbedtls_ssl_srtp_profile ) ); + } + else + { + const mbedtls_ssl_srtp_profile default_profiles[] = { MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80, + MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32, + MBEDTLS_SRTP_NULL_HMAC_SHA1_80, + MBEDTLS_SRTP_NULL_HMAC_SHA1_32 }; + ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf, default_profiles, sizeof( default_profiles ) / sizeof( mbedtls_ssl_srtp_profile ) ); + } + + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_dtls_srtp_protection_profiles returned %d\n\n", ret ); + goto exit; + } + + } + else if( opt.force_srtp_profile != DFL_SRTP_FORCE_PROFILE ) + { + mbedtls_printf( " failed\n ! must enable use_srtp to force srtp profile\n\n" ); + goto exit; + } +#endif /* MBEDTLS_SSL_DTLS_SRTP */ + #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) if( opt.trunc_hmac != DFL_TRUNC_HMAC ) mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac ); @@ -2476,6 +2546,25 @@ int main( int argc, char *argv[] ) mbedtls_ecp_set_max_ops( opt.ec_max_ops ); #endif + #if defined(MBEDTLS_SSL_DTLS_SRTP) + if( opt.use_srtp != DFL_USE_SRTP && strlen( opt.mki ) != 0 ) + { + if( mbedtls_test_unhexify( mki, sizeof( mki ), + opt.mki,&mki_len ) != 0 ) + { + mbedtls_printf( "mki value not valid hex\n" ); + goto exit; + } + + mbedtls_ssl_conf_srtp_mki_value_supported( &conf, MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED ); + if( ( ret = mbedtls_ssl_dtls_srtp_set_mki_value( &ssl, mki, strlen( mki )) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_dtls_srtp_set_mki_value returned %d\n\n", ret ); + goto exit; + } + } +#endif + mbedtls_printf( " ok\n" ); /* diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index a98aec119..be45e5463 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -183,6 +183,9 @@ int main( void ) #define DFL_NSS_KEYLOG 0 #define DFL_NSS_KEYLOG_FILE NULL #define DFL_QUERY_CONFIG_MODE 0 +#define DFL_USE_SRTP 0 +#define DFL_SRTP_FORCE_PROFILE MBEDTLS_SRTP_UNSET_PROFILE +#define DFL_SRTP_MKI "" #define LONG_RESPONSE "

01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \ "02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \ @@ -411,6 +414,20 @@ int main( void ) #define USAGE_DTLS "" #endif +#if defined(MBEDTLS_SSL_DTLS_SRTP) +#define USAGE_SRTP \ + " use_srtp=%%d default: 0 (disabled)\n" \ + " srtp_force_profile=%%d default: all enabled\n" \ + " available profiles:\n" \ + " 1 - SRTP_AES128_CM_HMAC_SHA1_80\n" \ + " 2 - SRTP_AES128_CM_HMAC_SHA1_32\n" \ + " 3 - SRTP_NULL_HMAC_SHA1_80\n" \ + " 4 - SRTP_NULL_HMAC_SHA1_32\n" \ + " mki=%%s default: \"\" (in hex, without 0x)\n" +#else +#define USAGE_SRTP "" +#endif + #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) #define USAGE_EMS \ " extended_ms=0/1 default: (library default: on)\n" @@ -490,6 +507,7 @@ int main( void ) " read_timeout=%%d default: 0 ms (no timeout)\n" \ "\n" \ USAGE_DTLS \ + USAGE_SRTP \ USAGE_COOKIES \ USAGE_ANTI_REPLAY \ USAGE_BADMAC_LIMIT \ @@ -645,6 +663,9 @@ struct options * after renegotiation */ int reproducible; /* make communication reproducible */ int query_config_mode; /* whether to read config */ + int use_srtp; /* Support SRTP */ + int force_srtp_profile; /* SRTP protection profile to use or all */ + const char* mki; /* The dtls mki value to use */ } opt; int query_config( const char *config ); @@ -1792,7 +1813,6 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) unsigned char alloc_buf[MEMORY_HEAP_SIZE]; #endif - #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) unsigned char cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; unsigned char cid_renego[MBEDTLS_SSL_CID_IN_LEN_MAX]; @@ -1804,6 +1824,10 @@ int main( int argc, char *argv[] ) size_t context_buf_len = 0; #endif +#if defined(MBEDTLS_SSL_DTLS_SRTP) + unsigned char mki[MBEDTLS_DTLS_SRTP_MAX_MKI_LENGTH]; + size_t mki_len = 0; +#endif int i; char *p, *q; const int *list; @@ -1976,6 +2000,9 @@ int main( int argc, char *argv[] ) opt.nss_keylog = DFL_NSS_KEYLOG; opt.nss_keylog_file = DFL_NSS_KEYLOG_FILE; opt.query_config_mode = DFL_QUERY_CONFIG_MODE; + opt.use_srtp = DFL_USE_SRTP; + opt.force_srtp_profile = DFL_SRTP_FORCE_PROFILE; + opt.mki = DFL_SRTP_MKI; for( i = 1; i < argc; i++ ) { @@ -2424,6 +2451,18 @@ int main( int argc, char *argv[] ) { opt.nss_keylog_file = q; } + else if( strcmp( p, "use_srtp" ) == 0 ) + { + opt.use_srtp = atoi ( q ); + } + else if( strcmp( p, "srtp_force_profile" ) == 0 ) + { + opt.force_srtp_profile = atoi( q ); + } + else if( strcmp( p, "mki" ) == 0 ) + { + opt.mki = q; + } else goto usage; } @@ -3028,7 +3067,7 @@ int main( int argc, char *argv[] ) { mbedtls_printf( " failed\n ! mbedtls_ssl_conf_max_frag_len returned %d\n\n", ret ); goto exit; - }; + } #endif #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -3058,6 +3097,37 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ +#if defined(MBEDTLS_SSL_DTLS_SRTP) + if( opt.use_srtp != DFL_USE_SRTP ) + { + if( opt.force_srtp_profile != DFL_SRTP_FORCE_PROFILE ) + { + const mbedtls_ssl_srtp_profile forced_profile[] = { opt.force_srtp_profile }; + ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf, forced_profile, sizeof( forced_profile ) / sizeof( mbedtls_ssl_srtp_profile ) ); + } + else + { + const mbedtls_ssl_srtp_profile default_profiles[] = { MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80, + MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32, + MBEDTLS_SRTP_NULL_HMAC_SHA1_80, + MBEDTLS_SRTP_NULL_HMAC_SHA1_32 }; + ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf, default_profiles, sizeof( default_profiles ) / sizeof( mbedtls_ssl_srtp_profile ) ); + } + + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_dtls_srtp_protection_profiles returned %d\n\n", ret ); + goto exit; + } + + } + else if( opt.force_srtp_profile != DFL_SRTP_FORCE_PROFILE ) + { + mbedtls_printf( " failed\n ! must enable use_srtp to force srtp profile\n\n" ); + goto exit; + } +#endif /* MBEDTLS_SSL_DTLS_SRTP */ + #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) if( opt.trunc_hmac != DFL_TRUNC_HMAC ) mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac ); @@ -3464,6 +3534,24 @@ int main( int argc, char *argv[] ) mbedtls_timing_get_delay ); #endif +#if defined(MBEDTLS_SSL_DTLS_SRTP) + if( opt.use_srtp != DFL_USE_SRTP && strlen( opt.mki ) != 0 ) + { + if( unhexify( mki, opt.mki, &mki_len ) != 0 ) + { + mbedtls_printf( "mki value not valid hex\n" ); + goto exit; + } + + mbedtls_ssl_conf_srtp_mki_value_supported( &conf, MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED ); + if( ( ret = mbedtls_ssl_dtls_srtp_set_mki_value( &ssl, mki, mki_len) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_dtls_srtp_set_mki_value returned %d\n\n", ret ); + goto exit; + } + } +#endif + mbedtls_printf( " ok\n" ); reset: