From b465539476fc9191c24fa9e839fb84cafb3036ef Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Thu, 5 Jul 2018 18:25:39 +0300 Subject: [PATCH] Add tests and code to support 1. Add DTLS-SRTP tests in `ssl-opts.sh` 2. Add logs for the tests to filter. 3. Add function to get the profile informations. Signed-off-by: Johan Pascal --- library/ssl_cli.c | 14 ++++++ library/ssl_srv.c | 9 ++++ library/ssl_tls.c | 24 +++++++++ tests/ssl-opt.sh | 125 ++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 172 insertions(+) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 7d9c9c317..d6b429df2 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -843,6 +843,7 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl, { *p++ = ssl->dtls_srtp_info.mki_value[i]; } + MBEDTLS_SSL_DEBUG_BUF( 3, "sending mki", ssl->dtls_srtp_info.mki_value, ssl->dtls_srtp_info.mki_len ); } /* total extension length: extension type (2 bytes) + extension length (2 bytes) + protection profile length (2 bytes) + 2*nb protection profiles + srtp_mki vector length(1 byte)*/ @@ -1819,6 +1820,7 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl, mbedtls_ssl_srtp_profile server_protection = MBEDTLS_SRTP_UNSET_PROFILE; size_t i, mki_len = 0; uint16_t server_protection_profile_value = 0; + const mbedtls_ssl_srtp_profile_info * profile_info; /* If use_srtp is not configured, just ignore the extension */ if( ( ssl->conf->dtls_srtp_profile_list == NULL ) || ( ssl->conf->dtls_srtp_profile_list_len == 0 ) ) @@ -1878,9 +1880,15 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl, server_protection = MBEDTLS_SRTP_UNSET_PROFILE; break; } + profile_info = mbedtls_ssl_dtls_srtp_profile_info_from_id( server_protection ); + if( profile_info != NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found srtp profile: %s", profile_info->name ) ); + } if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) { ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i]; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected srtp profile: %s", profile_info->name ) ); break; } } @@ -1904,6 +1912,12 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } +#if defined (MBEDTLS_DEBUG_C) + if( len > 5) + { + MBEDTLS_SSL_DEBUG_BUF( 3, "received mki", ssl->dtls_srtp_info.mki_value, ssl->dtls_srtp_info.mki_len ); + } +#endif return 0; } #endif /* MBEDTLS_SSL_DTLS_SRTP */ diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 00549649c..4c59e5b40 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -783,6 +783,7 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl, mbedtls_ssl_srtp_profile client_protection = MBEDTLS_SRTP_UNSET_PROFILE; size_t i,j; size_t profile_length; + const mbedtls_ssl_srtp_profile_info * profile_info; /* If use_srtp is not configured, just ignore the extension */ if( ( ssl->conf->dtls_srtp_profile_list == NULL ) || ( ssl->conf->dtls_srtp_profile_list_len == 0 ) ) @@ -832,12 +833,18 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl, client_protection = MBEDTLS_SRTP_UNSET_PROFILE; break; } + profile_info = mbedtls_ssl_dtls_srtp_profile_info_from_id( client_protection ); + if( profile_info != NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found srtp profile: %s", profile_info->name ) ); + } /* check if suggested profile is in our list */ for( i=0; i < ssl->conf->dtls_srtp_profile_list_len; i++) { if( client_protection == ssl->conf->dtls_srtp_profile_list[i] ) { ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i]; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected srtp profile: %s", profile_info->name ) ); break; } } @@ -861,6 +868,8 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl, { ssl->dtls_srtp_info.mki_value[i] = buf[ profile_length + 2 + 1 + i ]; } + + MBEDTLS_SSL_DEBUG_BUF( 3, "using mki", ssl->dtls_srtp_info.mki_value, ssl->dtls_srtp_info.mki_len ); } return( 0 ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 02efcb412..18c86a5ce 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4738,6 +4738,30 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_ALPN */ #if defined(MBEDTLS_SSL_DTLS_SRTP) +static const mbedtls_ssl_srtp_profile_info srtp_profile_definitions[] = +{ + { MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80, "MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80" }, + { MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32, "MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32" }, + { MBEDTLS_SRTP_NULL_HMAC_SHA1_80, "MBEDTLS_SRTP_NULL_HMAC_SHA1_80" }, + { MBEDTLS_SRTP_NULL_HMAC_SHA1_32, "MBEDTLS_SRTP_NULL_HMAC_SHA1_32" }, + { MBEDTLS_SRTP_UNSET_PROFILE, "" } +}; + +const mbedtls_ssl_srtp_profile_info *mbedtls_ssl_dtls_srtp_profile_info_from_id( mbedtls_ssl_srtp_profile profile ) +{ + const mbedtls_ssl_srtp_profile_info *cur = srtp_profile_definitions; + + while( cur->profile != MBEDTLS_SRTP_UNSET_PROFILE ) + { + if( cur->profile == profile ) + return( cur ); + + cur++; + } + + return( NULL ); +} + void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf, int support_mki_value ) { conf->dtls_srtp_mki_support = support_mki_value; diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 653d88da7..ada4dbeb1 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -8713,6 +8713,131 @@ run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \ 0 \ -s "fragmenting handshake message" +# Tests for DTLS-SRTP (RFC 5764) +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP all profiles supported" \ + "$P_SRV dtls=1 use_srtp=1 debug_level=3" \ + "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -s "selected srtp profile" \ + -s "server hello, adding use_srtp extension" \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile" \ + -c "selected srtp profile" \ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server supports all profiles. Client supports one profile." \ + "$P_SRV dtls=1 use_srtp=1 debug_level=3" \ + "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=3 debug_level=3" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile: MBEDTLS_SRTP_NULL_HMAC_SHA1_80" \ + -s "selected srtp profile: MBEDTLS_SRTP_NULL_HMAC_SHA1_80" \ + -s "server hello, adding use_srtp extension" \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile: MBEDTLS_SRTP_NULL_HMAC_SHA1_80" \ + -c "selected srtp profile" \ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server supports one profile. Client supports profiles." \ + "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=4 debug_level=3" \ + "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -s "selected srtp profile: MBEDTLS_SRTP_NULL_HMAC_SHA1_32" \ + -s "server hello, adding use_srtp extension" \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile: MBEDTLS_SRTP_NULL_HMAC_SHA1_32" \ + -c "selected srtp profile" \ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server and Client support only one matching profile." \ + "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ + "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile: MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32" \ + -s "selected srtp profile: MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32" \ + -s "server hello, adding use_srtp extension" \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile: MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32" \ + -c "selected srtp profile" \ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server and Client support only one different profile." \ + "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ + "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=4 debug_level=3" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile: MBEDTLS_SRTP_NULL_HMAC_SHA1_32" \ + -S "selected srtp profile" \ + -S "server hello, adding use_srtp extension" \ + -c "client hello, adding use_srtp extension" \ + -C "found use_srtp extension" \ + -C "found srtp profile" \ + -C "selected srtp profile" \ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server doesn't support use_srtp extension." \ + "$P_SRV dtls=1 debug_level=3" \ + "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ + 0 \ + -s "found use_srtp extension" \ + -S "server hello, adding use_srtp extension" \ + -c "client hello, adding use_srtp extension" \ + -C "found use_srtp extension" \ + -C "found srtp profile" \ + -C "selected srtp profile" \ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP all profiles supported. mki used" \ + "$P_SRV dtls=1 use_srtp=1 support_mki=1 debug_level=3" \ + "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -s "selected srtp profile" \ + -s "server hello, adding use_srtp extension" \ + -s "dumping 'using mki' (8 bytes)" \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile" \ + -c "selected srtp profile" \ + -c "dumping 'sending mki' (8 bytes)" \ + -c "dumping 'received mki' (8 bytes)" \ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP all profiles supported. server doesn't support mki." \ + "$P_SRV dtls=1 use_srtp=1 debug_level=3" \ + "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -s "selected srtp profile" \ + -s "server hello, adding use_srtp extension" \ + -S "dumping 'using mki' (8 bytes)" \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile" \ + -c "selected srtp profile" \ + -c "dumping 'sending mki' (8 bytes)" \ + -C "dumping 'received mki' (8 bytes)" \ + -C "error" + # Tests for specific things with "unreliable" UDP connection not_with_valgrind # spurious resend due to timeout