Commit 367739f0 authored by johan's avatar johan
Browse files

Add DTLS-SRTP to mbedtls wrapper

parent 28de772d
...@@ -55,10 +55,6 @@ elseif (ENABLE_POLARSSL) ...@@ -55,10 +55,6 @@ elseif (ENABLE_POLARSSL)
find_package(PolarSSL) find_package(PolarSSL)
if (POLARSSL_FOUND) if (POLARSSL_FOUND)
message("Use polarSSL") message("Use polarSSL")
if (HAVE_SSL_GET_DTLS_SRTP_PROTECTION_PROFILE)
message("DTLS SRTP available")
set(HAVE_DTLS_SRTP 1)
endif()
else() else()
message(FATAL_ERROR " No polarSSL or mbedTLS found") message(FATAL_ERROR " No polarSSL or mbedTLS found")
endif() endif()
...@@ -66,6 +62,13 @@ else () ...@@ -66,6 +62,13 @@ else ()
message(FATAL_ERROR "Neither polarSSL nor mbedTLS enabled") message(FATAL_ERROR "Neither polarSSL nor mbedTLS enabled")
endif() endif()
if (HAVE_SSL_GET_DTLS_SRTP_PROTECTION_PROFILE)
message("DTLS SRTP available")
set(HAVE_DTLS_SRTP 1)
else()
message("DTLS SRTP not available")
endif()
set(prefix ${CMAKE_INSTALL_PREFIX}) set(prefix ${CMAKE_INSTALL_PREFIX})
set(exec_prefix ${prefix}/bin) set(exec_prefix ${prefix}/bin)
set(libdir ${prefix}/lib) set(libdir ${prefix}/lib)
......
...@@ -81,10 +81,18 @@ if (MBEDTLS_V2) ...@@ -81,10 +81,18 @@ if (MBEDTLS_V2)
) )
endif() endif()
if (MBEDTLS_LIBRARIES)
cmake_push_check_state(RESET)
set(CMAKE_REQUIRED_INCLUDES ${MBEDTLS_INCLUDE_DIRS})
set(CMAKE_REQUIRED_LIBRARIES ${MBEDTLS_LIBRARIES})
check_symbol_exists(mbedtls_ssl_get_dtls_srtp_protection_profile "mbedtls/ssl.h" HAVE_SSL_GET_DTLS_SRTP_PROTECTION_PROFILE)
cmake_pop_check_state()
endif()
include(FindPackageHandleStandardArgs) include(FindPackageHandleStandardArgs)
find_package_handle_standard_args(MbedTLS find_package_handle_standard_args(MbedTLS
DEFAULT_MSG DEFAULT_MSG
MBEDTLS_INCLUDE_DIRS MBEDTLS_LIBRARIES MBEDTLS_INCLUDE_DIRS MBEDTLS_LIBRARIES
) )
mark_as_advanced(MBEDTLS_INCLUDE_DIRS MBEDTLS_LIBRARIES) mark_as_advanced(MBEDTLS_INCLUDE_DIRS MBEDTLS_LIBRARIES HAVE_SSL_GET_DTLS_SRTP_PROTECTION_PROFILE)
...@@ -823,33 +823,33 @@ uint8_t bctoolbox_dtls_srtp_supported(void) { ...@@ -823,33 +823,33 @@ uint8_t bctoolbox_dtls_srtp_supported(void) {
return 1; return 1;
} }
static bctoolbox_dtls_srtp_profile_t bctoolbox_srtp_profile_polarssl2bctoolbox(enum DTLS_SRTP_protection_profiles polarssl_profile) { static bctoolbox_dtls_srtp_profile_t bctoolbox_srtp_profile_mbedtls2bctoolbox(enum mbedtls_DTLS_SRTP_protection_profiles mbedtls_profile) {
switch (polarssl_profile) { switch (mbedtls_profile) {
case SRTP_AES128_CM_HMAC_SHA1_80: case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80:
return BCTOOLBOX_SRTP_AES128_CM_HMAC_SHA1_80; return BCTOOLBOX_SRTP_AES128_CM_HMAC_SHA1_80;
case SRTP_AES128_CM_HMAC_SHA1_32: case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32:
return BCTOOLBOX_SRTP_AES128_CM_HMAC_SHA1_32; return BCTOOLBOX_SRTP_AES128_CM_HMAC_SHA1_32;
case SRTP_NULL_HMAC_SHA1_80: case MBEDTLS_SRTP_NULL_HMAC_SHA1_80:
return BCTOOLBOX_SRTP_NULL_HMAC_SHA1_80; return BCTOOLBOX_SRTP_NULL_HMAC_SHA1_80;
case SRTP_NULL_HMAC_SHA1_32: case MBEDTLS_SRTP_NULL_HMAC_SHA1_32:
return BCTOOLBOX_SRTP_NULL_HMAC_SHA1_32; return BCTOOLBOX_SRTP_NULL_HMAC_SHA1_32;
default: default:
return BCTOOLBOX_SRTP_UNDEFINED; return BCTOOLBOX_SRTP_UNDEFINED;
} }
} }
static enum DTLS_SRTP_protection_profiles bctoolbox_srtp_profile_bctoolbox2polarssl(bctoolbox_dtls_srtp_profile_t bctoolbox_profile) { static enum mbedtls_DTLS_SRTP_protection_profiles bctoolbox_srtp_profile_bctoolbox2mbedtls(bctoolbox_dtls_srtp_profile_t bctoolbox_profile) {
switch (bctoolbox_profile) { switch (bctoolbox_profile) {
case BCTOOLBOX_SRTP_AES128_CM_HMAC_SHA1_80: case BCTOOLBOX_SRTP_AES128_CM_HMAC_SHA1_80:
return SRTP_AES128_CM_HMAC_SHA1_80; return MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80;
case BCTOOLBOX_SRTP_AES128_CM_HMAC_SHA1_32: case BCTOOLBOX_SRTP_AES128_CM_HMAC_SHA1_32:
return SRTP_AES128_CM_HMAC_SHA1_32; return MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32;
case BCTOOLBOX_SRTP_NULL_HMAC_SHA1_80: case BCTOOLBOX_SRTP_NULL_HMAC_SHA1_80:
return SRTP_NULL_HMAC_SHA1_80; return MBEDTLS_SRTP_NULL_HMAC_SHA1_80;
case BCTOOLBOX_SRTP_NULL_HMAC_SHA1_32: case BCTOOLBOX_SRTP_NULL_HMAC_SHA1_32:
return SRTP_NULL_HMAC_SHA1_32; return MBEDTLS_SRTP_NULL_HMAC_SHA1_32;
default: default:
return SRTP_UNSET_PROFILE; return MBEDTLS_SRTP_UNSET_PROFILE;
} }
} }
...@@ -858,23 +858,23 @@ bctoolbox_dtls_srtp_profile_t bctoolbox_ssl_get_dtls_srtp_protection_profile(bct ...@@ -858,23 +858,23 @@ bctoolbox_dtls_srtp_profile_t bctoolbox_ssl_get_dtls_srtp_protection_profile(bct
return BCTOOLBOX_ERROR_INVALID_SSL_CONTEXT; return BCTOOLBOX_ERROR_INVALID_SSL_CONTEXT;
} }
return bctoolbox_srtp_profile_polarssl2bctoolbox(ssl_get_dtls_srtp_protection_profile(&(ssl_ctx->ssl_ctx))); return bctoolbox_srtp_profile_polarssl2bctoolbox(mbedtls_ssl_get_dtls_srtp_protection_profile(&(ssl_ctx->ssl_ctx)));
}; };
int32_t bctoolbox_ssl_get_dtls_srtp_key_material(bctoolbox_ssl_context_t *ssl_ctx, char *output, size_t *output_length) { int32_t bctoolbox_ssl_get_dtls_srtp_key_material(bctoolbox_ssl_context_t *ssl_ctx, char *output, size_t *output_length) {
int ret 0;
if (ssl_ctx==NULL) { if (ssl_ctx==NULL) {
return BCTOOLBOX_ERROR_INVALID_SSL_CONTEXT; return BCTOOLBOX_ERROR_INVALID_SSL_CONTEXT;
} }
/* check output buffer size */ ret = mbedtls_ssl_get_dtls_srtp_key_material(&(ssl_ctx->ssl_ctx), output, *output_length, output_length);
if (*output_length<ssl_ctx->ssl_ctx.dtls_srtp_keys_len) {
/* remap the output error code */
if (ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
return BCTOOLBOX_ERROR_OUTPUT_BUFFER_TOO_SMALL; return BCTOOLBOX_ERROR_OUTPUT_BUFFER_TOO_SMALL;
} }
memcpy(output, ssl_ctx->ssl_ctx.dtls_srtp_keys, ssl_ctx->ssl_ctx.dtls_srtp_keys_len);
*output_length = ssl_ctx->ssl_ctx.dtls_srtp_keys_len;
return 0; return 0;
} }
#else /* HAVE_DTLS_SRTP */ #else /* HAVE_DTLS_SRTP */
...@@ -1111,22 +1111,21 @@ int32_t bctoolbox_ssl_config_set_own_cert(bctoolbox_ssl_config_t *ssl_config, bc ...@@ -1111,22 +1111,21 @@ int32_t bctoolbox_ssl_config_set_own_cert(bctoolbox_ssl_config_t *ssl_config, bc
#ifdef HAVE_DTLS_SRTP #ifdef HAVE_DTLS_SRTP
int32_t bctoolbox_ssl_config_set_dtls_srtp_protection_profiles(bctoolbox_ssl_config_t *ssl_config, const bctoolbox_dtls_srtp_profile_t *profiles, size_t profiles_number) { int32_t bctoolbox_ssl_config_set_dtls_srtp_protection_profiles(bctoolbox_ssl_config_t *ssl_config, const bctoolbox_dtls_srtp_profile_t *profiles, size_t profiles_number) {
int i; int i;
enum mbedtls_DTLS_SRTP_protection_profiles dtls_srtp_mbedtls_profiles[4];
if (ssl_config == NULL) { if (ssl_config == NULL) {
return BCTOOLBOX_ERROR_INVALID_SSL_CONFIG; return BCTOOLBOX_ERROR_INVALID_SSL_CONFIG;
} }
/* convert the profiles array into a polarssl profiles array */ /* convert the profiles array into a mbedtls profiles array */
for (i=0; i<profiles_number && i<4; i++) { /* 4 profiles defined max */ for (i=0; i<profiles_number && i<4; i++) { /* 4 profiles defined max */
ssl_config->dtls_srtp_profiles[i] = bctoolbox_srtp_profile_bctoolbox2polarssl(profiles[i]); dtls_srtp_mbedtls_profiles[i] = bctoolbox_srtp_profile_bctoolbox2mbedtls(profiles[i]);
} }
for (;i<4; i++) { /* make sure to have harmless values in the rest of the array */ for (;i<4; i++) { /* make sure to have harmless values in the rest of the array */
ssl_config->dtls_srtp_profiles[i] = SRTP_UNSET_PROFILE; dtls_srtp_mbedtls_profiles[i] = MBEDTLS_SRTP_UNSET_PROFILE;
} }
ssl_config->dtls_srtp_profiles_number = profiles_number; return mbedtls_ssl_conf_dtls_srtp_protection_profiles(ssl_config->ssl_config, dtls_srtp_mbedtls_profiles, profiles_number);
return 0;
} }
#else /* HAVE_DTLS_SRTP */ #else /* HAVE_DTLS_SRTP */
...@@ -1153,10 +1152,6 @@ int32_t bctoolbox_ssl_context_setup(bctoolbox_ssl_context_t *ssl_ctx, bctoolbox_ ...@@ -1153,10 +1152,6 @@ int32_t bctoolbox_ssl_context_setup(bctoolbox_ssl_context_t *ssl_ctx, bctoolbox_
} }
#ifdef HAVE_DTLS_SRTP #ifdef HAVE_DTLS_SRTP
if (ssl_config->dtls_srtp_profiles_number > 0) {
ssl_set_dtls_srtp_protection_profiles(&(ssl_ctx->ssl_ctx), ssl_config->dtls_srtp_profiles, ssl_config->dtls_srtp_profiles_number );
}
/* We do not use DTLS SRTP cookie, so we must set to NULL the callbacks. Cookies are used to prevent DoS attack but our server is on only when during a brief period so we do not need this */ /* We do not use DTLS SRTP cookie, so we must set to NULL the callbacks. Cookies are used to prevent DoS attack but our server is on only when during a brief period so we do not need this */
mbedtls_ssl_conf_dtls_cookies(ssl_config->ssl_config, NULL, NULL, NULL); mbedtls_ssl_conf_dtls_cookies(ssl_config->ssl_config, NULL, NULL, NULL);
#endif /* HAVE_DTLS_SRTP */ #endif /* HAVE_DTLS_SRTP */
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment