Add DTLS-SRTP to mbedtls wrapper

367739f0 · johan · 28de772d · 367739f0 · 367739f0 · 367739f0
Commit 367739f0 authored Feb 10, 2016 by johan
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 33 deletions

CMakeLists.txt CMakeLists.txt +7 -4

cmake/FindMbedTLS.cmake cmake/FindMbedTLS.cmake +9 -1

src/crypto_mbedtls.c src/crypto_mbedtls.c +23 -28

No files found.
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -55,10 +55,6 @@ elseif (ENABLE_POLARSSL)
 	find_package(PolarSSL)
 	if (POLARSSL_FOUND)
 		message("Use polarSSL")
-		if (HAVE_SSL_GET_DTLS_SRTP_PROTECTION_PROFILE)
-			message("DTLS SRTP available")
-			set(HAVE_DTLS_SRTP 1)
-		endif()
 	else()
 		message(FATAL_ERROR " No polarSSL or mbedTLS found")
 	endif()
@@ -66,6 +62,13 @@ else ()
 	message(FATAL_ERROR "Neither polarSSL nor mbedTLS enabled")
 endif()

+if (HAVE_SSL_GET_DTLS_SRTP_PROTECTION_PROFILE)
+	message("DTLS SRTP available")
+	set(HAVE_DTLS_SRTP 1)
+else()
+	message("DTLS SRTP not available")
+endif()
+
 set(prefix ${CMAKE_INSTALL_PREFIX})
 set(exec_prefix ${prefix}/bin)
 set(libdir ${prefix}/lib)

--- a/cmake/FindMbedTLS.cmake
+++ b/cmake/FindMbedTLS.cmake
@@ -81,10 +81,18 @@ if (MBEDTLS_V2)
 	)
 endif()

+if (MBEDTLS_LIBRARIES)
+	cmake_push_check_state(RESET)
+	set(CMAKE_REQUIRED_INCLUDES ${MBEDTLS_INCLUDE_DIRS})
+	set(CMAKE_REQUIRED_LIBRARIES ${MBEDTLS_LIBRARIES})
+	check_symbol_exists(mbedtls_ssl_get_dtls_srtp_protection_profile "mbedtls/ssl.h" HAVE_SSL_GET_DTLS_SRTP_PROTECTION_PROFILE)
+	cmake_pop_check_state()
+endif()
+
 include(FindPackageHandleStandardArgs)
 find_package_handle_standard_args(MbedTLS
 	DEFAULT_MSG
 	MBEDTLS_INCLUDE_DIRS MBEDTLS_LIBRARIES
 )

-mark_as_advanced(MBEDTLS_INCLUDE_DIRS MBEDTLS_LIBRARIES)
+mark_as_advanced(MBEDTLS_INCLUDE_DIRS MBEDTLS_LIBRARIES HAVE_SSL_GET_DTLS_SRTP_PROTECTION_PROFILE)
--- a/src/crypto_mbedtls.c
+++ b/src/crypto_mbedtls.c
@@ -823,33 +823,33 @@ uint8_t bctoolbox_dtls_srtp_supported(void) {
 	return 1;
 }

-static bctoolbox_dtls_srtp_profile_t bctoolbox_srtp_profile_polarssl2bctoolbox(enum DTLS_SRTP_protection_profiles polarssl_profile) {
-	switch (polarssl_profile) {
-		case SRTP_AES128_CM_HMAC_SHA1_80:
+static bctoolbox_dtls_srtp_profile_t bctoolbox_srtp_profile_mbedtls2bctoolbox(enum mbedtls_DTLS_SRTP_protection_profiles mbedtls_profile) {
+	switch (mbedtls_profile) {
+		case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80:
 			return BCTOOLBOX_SRTP_AES128_CM_HMAC_SHA1_80;
-		case SRTP_AES128_CM_HMAC_SHA1_32:
+		case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32:
 			return BCTOOLBOX_SRTP_AES128_CM_HMAC_SHA1_32;
-		case SRTP_NULL_HMAC_SHA1_80:
+		case MBEDTLS_SRTP_NULL_HMAC_SHA1_80:
 			return BCTOOLBOX_SRTP_NULL_HMAC_SHA1_80;
-		case SRTP_NULL_HMAC_SHA1_32:
+		case MBEDTLS_SRTP_NULL_HMAC_SHA1_32:
 			return BCTOOLBOX_SRTP_NULL_HMAC_SHA1_32;
 		default:
 			return BCTOOLBOX_SRTP_UNDEFINED;
 	}
 }

-static enum DTLS_SRTP_protection_profiles bctoolbox_srtp_profile_bctoolbox2polarssl(bctoolbox_dtls_srtp_profile_t bctoolbox_profile) {
+static enum mbedtls_DTLS_SRTP_protection_profiles bctoolbox_srtp_profile_bctoolbox2mbedtls(bctoolbox_dtls_srtp_profile_t bctoolbox_profile) {
 	switch (bctoolbox_profile) {
 		case BCTOOLBOX_SRTP_AES128_CM_HMAC_SHA1_80:
-			return SRTP_AES128_CM_HMAC_SHA1_80;
+			return MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80;
 		case BCTOOLBOX_SRTP_AES128_CM_HMAC_SHA1_32:
-			return SRTP_AES128_CM_HMAC_SHA1_32;
+			return MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32;
 		case BCTOOLBOX_SRTP_NULL_HMAC_SHA1_80:
-			return SRTP_NULL_HMAC_SHA1_80;
+			return MBEDTLS_SRTP_NULL_HMAC_SHA1_80;
 		case BCTOOLBOX_SRTP_NULL_HMAC_SHA1_32:
-			return SRTP_NULL_HMAC_SHA1_32;
+			return MBEDTLS_SRTP_NULL_HMAC_SHA1_32;
 		default:
-			return SRTP_UNSET_PROFILE;
+			return MBEDTLS_SRTP_UNSET_PROFILE;
 	}
 }

@@ -858,23 +858,23 @@ bctoolbox_dtls_srtp_profile_t bctoolbox_ssl_get_dtls_srtp_protection_profile(bct
 		return BCTOOLBOX_ERROR_INVALID_SSL_CONTEXT;
 	}

-	return bctoolbox_srtp_profile_polarssl2bctoolbox(ssl_get_dtls_srtp_protection_profile(&(ssl_ctx->ssl_ctx)));
+	return bctoolbox_srtp_profile_polarssl2bctoolbox(mbedtls_ssl_get_dtls_srtp_protection_profile(&(ssl_ctx->ssl_ctx)));
 };


 int32_t bctoolbox_ssl_get_dtls_srtp_key_material(bctoolbox_ssl_context_t *ssl_ctx, char *output, size_t *output_length) {
+	int ret  0;
 	if (ssl_ctx==NULL) {
 		return BCTOOLBOX_ERROR_INVALID_SSL_CONTEXT;
 	}

-	/* check output buffer size */
-	if (*output_length<ssl_ctx->ssl_ctx.dtls_srtp_keys_len) {
+	ret = mbedtls_ssl_get_dtls_srtp_key_material(&(ssl_ctx->ssl_ctx), output, *output_length, output_length);
+
+	/* remap the output error code */
+	if (ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
 		return BCTOOLBOX_ERROR_OUTPUT_BUFFER_TOO_SMALL;
 	}

-	memcpy(output, ssl_ctx->ssl_ctx.dtls_srtp_keys, ssl_ctx->ssl_ctx.dtls_srtp_keys_len);
-	*output_length = ssl_ctx->ssl_ctx.dtls_srtp_keys_len;
-
 	return 0;
 }
 #else /* HAVE_DTLS_SRTP */
@@ -1111,22 +1111,21 @@ int32_t bctoolbox_ssl_config_set_own_cert(bctoolbox_ssl_config_t *ssl_config, bc
 #ifdef HAVE_DTLS_SRTP
 int32_t bctoolbox_ssl_config_set_dtls_srtp_protection_profiles(bctoolbox_ssl_config_t *ssl_config, const bctoolbox_dtls_srtp_profile_t *profiles, size_t profiles_number) {
 	int i;
+	enum mbedtls_DTLS_SRTP_protection_profiles dtls_srtp_mbedtls_profiles[4];

 	if (ssl_config == NULL) {
 		return BCTOOLBOX_ERROR_INVALID_SSL_CONFIG;
 	}

-	/* convert the profiles array into a polarssl profiles array */
+	/* convert the profiles array into a mbedtls profiles array */
 	for (i=0; i<profiles_number && i<4; i++) { /* 4 profiles defined max */
-		ssl_config->dtls_srtp_profiles[i] = bctoolbox_srtp_profile_bctoolbox2polarssl(profiles[i]);
+		dtls_srtp_mbedtls_profiles[i] = bctoolbox_srtp_profile_bctoolbox2mbedtls(profiles[i]);
 	}
 	for (;i<4; i++) { /* make sure to have harmless values in the rest of the array */
-		ssl_config->dtls_srtp_profiles[i] = SRTP_UNSET_PROFILE;
+		dtls_srtp_mbedtls_profiles[i] = MBEDTLS_SRTP_UNSET_PROFILE;
 	}

-	ssl_config->dtls_srtp_profiles_number = profiles_number;
-
-	return 0;
+	return mbedtls_ssl_conf_dtls_srtp_protection_profiles(ssl_config->ssl_config, dtls_srtp_mbedtls_profiles, profiles_number);
 }

 #else /* HAVE_DTLS_SRTP */
@@ -1153,10 +1152,6 @@ int32_t bctoolbox_ssl_context_setup(bctoolbox_ssl_context_t *ssl_ctx, bctoolbox_
 	}

 #ifdef HAVE_DTLS_SRTP
-	if (ssl_config->dtls_srtp_profiles_number > 0) {
-		ssl_set_dtls_srtp_protection_profiles(&(ssl_ctx->ssl_ctx), ssl_config->dtls_srtp_profiles, ssl_config->dtls_srtp_profiles_number );
-	}
-
 	/* We do not use DTLS SRTP cookie, so we must set to NULL the callbacks. Cookies are used to prevent DoS attack but our server is on only when during a brief period so we do not need this */
 	mbedtls_ssl_conf_dtls_cookies(ssl_config->ssl_config, NULL, NULL, NULL);
 #endif /* HAVE_DTLS_SRTP */