Fix mki issues

1. Set correct mki from the `use_srtp` extension. 2. Use mki value received from the client as the mki used by server. 3. Use `mbedtls_ssl_dtls_srtp_set_mki_value()` as a client API only. Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2024-10-19 07:41:15 +00:00 · 2018-07-03 15:08:32 +03:00 · 2018-07-03 15:08:32 +03:00 · 12c6eaddd5
parent 6ea64518ad
commit 12c6eaddd5
3 changed files with 16 additions and 28 deletions
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -1851,7 +1851,7 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
    if (((uint16_t)( ( buf[0]<<8 ) | buf[1] ) ) != 0x0002) { /* protection profile length must be 0x0002 as we must have only one protection profile in server Hello */
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
    } else {
-        server_protection_profile_value = ( buf[2]<<8 ) | buf[3];
+        server_protection_profile_value = ( buf[2] << 8 ) | buf[3];
    }
    ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_SRTP_UNSET_PROFILE;
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -800,13 +800,13 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
     *
     */
-    /* Min length is 5 : at least one protection profile(2 bytes) and length(2 bytes) + srtp_mki length(1 byte) */
+    /* Min length is 5: at least one protection profile(2 bytes) and length(2 bytes) + srtp_mki length(1 byte) */
    if( len < 5 )
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
   ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_SRTP_UNSET_PROFILE;
-    profile_length = ( buf[0]<<8 ) | buf[1]; /* first 2 bytes are protection profile length(in bytes) */
+    profile_length = ( buf[0] << 8 ) | buf[1]; /* first 2 bytes are protection profile length(in bytes) */
    /* parse the extension list values are defined in http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml */
@ -856,9 +856,10 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
        }
        ssl->dtls_srtp_info.mki_len = buf[ profile_length + 2 ];
        for( i=0; i < ssl->dtls_srtp_info.mki_len; i++ )
        {
-            ssl->dtls_srtp_info.mki_value[i] = buf[ profile_length + 2 + i ];
+            ssl->dtls_srtp_info.mki_value[i] = buf[ profile_length + 2 + 1 + i ];
        }
    }
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -185,7 +185,7 @@ int main( void )
 #define DFL_QUERY_CONFIG_MODE   0
 #define DFL_USE_SRTP            0
 #define DFL_SRTP_FORCE_PROFILE  MBEDTLS_SRTP_UNSET_PROFILE
-#define DFL_SRTP_MKI            ""
+#define DFL_SRTP_SUPPORT_MKI    0
 #define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
    "02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n"  \
@ -423,7 +423,7 @@ int main( void )
    "                        2 - SRTP_AES128_CM_HMAC_SHA1_32\n"  \
    "                        3 - SRTP_NULL_HMAC_SHA1_80\n"       \
    "                        4 - SRTP_NULL_HMAC_SHA1_32\n"       \
-    "    mki=%%s              default: \"\" (in hex, without 0x)\n"
+    "    support_mki=%%d     default: 0 (not supported)\n"
 #else
 #define USAGE_SRTP ""
 #endif
@ -665,7 +665,7 @@ struct options
    int query_config_mode;      /* whether to read config                   */
    int use_srtp;               /* Support SRTP                             */
    int force_srtp_profile;     /* SRTP protection profile to use or all    */
-    const char* mki;            /* The dtls mki value to use                */
+    int support_mki;            /* The dtls mki mki support                 */
 } opt;
 int query_config( const char *config );
@ -2002,7 +2002,7 @@ int main( int argc, char *argv[] )
    opt.query_config_mode   = DFL_QUERY_CONFIG_MODE;
    opt.use_srtp            = DFL_USE_SRTP;
    opt.force_srtp_profile  = DFL_SRTP_FORCE_PROFILE;
-    opt.mki                 = DFL_SRTP_MKI;
+    opt.support_mki         = DFL_SRTP_SUPPORT_MKI;
    for( i = 1; i < argc; i++ )
    {
@ -2459,9 +2459,9 @@ int main( int argc, char *argv[] )
        {
            opt.force_srtp_profile = atoi( q );
        }
-        else if( strcmp( p, "mki" ) == 0 )
+        else if( strcmp( p, "support_mki" ) == 0 )
        {
-            opt.mki = q;
+            opt.support_mki = atoi( q );
        }
        else
            goto usage;
@ -3120,6 +3120,11 @@ int main( int argc, char *argv[] )
            goto exit;
        }
        mbedtls_ssl_conf_srtp_mki_value_supported( &conf,
                                                   opt.support_mki ?
                                                   MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED :
                                                   MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED );
    }
    else if( opt.force_srtp_profile != DFL_SRTP_FORCE_PROFILE )
    {
@ -3534,24 +3539,6 @@ int main( int argc, char *argv[] )
                                            mbedtls_timing_get_delay );
 #endif
 #if defined(MBEDTLS_SSL_DTLS_SRTP)
    if( opt.use_srtp != DFL_USE_SRTP &&  strlen( opt.mki ) != 0 )
    {
        if( unhexify( mki, opt.mki, &mki_len ) != 0 )
        {
            mbedtls_printf( "mki value not valid hex\n" );
             goto exit;
        }
        mbedtls_ssl_conf_srtp_mki_value_supported( &conf, MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED );
        if( ( ret = mbedtls_ssl_dtls_srtp_set_mki_value( &ssl, mki, mki_len) ) != 0 )
        {
            mbedtls_printf( " failed\n  ! mbedtls_ssl_dtls_srtp_set_mki_value returned %d\n\n", ret );
            goto exit;
        }
    }
 #endif
    mbedtls_printf( " ok\n" );
 reset: