commit 12c6eaddd505919160852d98291d3d4f390b7479
author Ron Eldor <Ron.Eldor@arm.com> Tue Jul 03 15:08:32 2018 +0300
committer Johan Pascal <johan.pascal@belledonne-communications.com> Thu Oct 29 01:14:49 2020 +0100
tree 53d15fb02e9d96ec4bdc48fc9aabf7fac4268f8f
parent 6ea64518ad7d7a1d52b3d4a8f3d07a2b4b7047dd

Fix mki issues

1. Set correct mki from the `use_srtp` extension.
2. Use mki value received from the client as the mki used by server.
3. Use `mbedtls_ssl_dtls_srtp_set_mki_value()` as a client API only.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>

library/ssl_cli.c

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 4073f89..7d9c9c3 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1851,7 +1851,7 @@
     if (((uint16_t)( ( buf[0]<<8 ) | buf[1] ) ) != 0x0002) { /* protection profile length must be 0x0002 as we must have only one protection profile in server Hello */
         return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
     } else {
-        server_protection_profile_value = ( buf[2]<<8 ) | buf[3];
+        server_protection_profile_value = ( buf[2] << 8 ) | buf[3];
     }
 
     ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_SRTP_UNSET_PROFILE;

library/ssl_srv.c

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 1f497ae..82baeca 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -800,13 +800,13 @@
      *
      */
 
-    /* Min length is 5 : at least one protection profile(2 bytes) and length(2 bytes) + srtp_mki length(1 byte) */
+    /* Min length is 5: at least one protection profile(2 bytes) and length(2 bytes) + srtp_mki length(1 byte) */
     if( len < 5 )
         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
 
    ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_SRTP_UNSET_PROFILE;
 
-    profile_length = ( buf[0]<<8 ) | buf[1]; /* first 2 bytes are protection profile length(in bytes) */
+    profile_length = ( buf[0] << 8 ) | buf[1]; /* first 2 bytes are protection profile length(in bytes) */
 
 
     /* parse the extension list values are defined in http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml */
@@ -856,9 +856,10 @@
             return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
         }
 
+        ssl->dtls_srtp_info.mki_len = buf[ profile_length + 2 ];
         for( i=0; i < ssl->dtls_srtp_info.mki_len; i++ )
         {
-            ssl->dtls_srtp_info.mki_value[i] = buf[ profile_length + 2 + i ];
+            ssl->dtls_srtp_info.mki_value[i] = buf[ profile_length + 2 + 1 + i ];
         }
     }
 

programs/ssl/ssl_server2.c

diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index be45e54..2db5887 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -185,7 +185,7 @@
 #define DFL_QUERY_CONFIG_MODE   0
 #define DFL_USE_SRTP            0
 #define DFL_SRTP_FORCE_PROFILE  MBEDTLS_SRTP_UNSET_PROFILE
-#define DFL_SRTP_MKI            ""
+#define DFL_SRTP_SUPPORT_MKI    0
 
 #define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
     "02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n"  \
@@ -423,7 +423,7 @@
     "                        2 - SRTP_AES128_CM_HMAC_SHA1_32\n"  \
     "                        3 - SRTP_NULL_HMAC_SHA1_80\n"       \
     "                        4 - SRTP_NULL_HMAC_SHA1_32\n"       \
-    "    mki=%%s              default: \"\" (in hex, without 0x)\n"
+    "    support_mki=%%d     default: 0 (not supported)\n"
 #else
 #define USAGE_SRTP ""
 #endif
@@ -665,7 +665,7 @@
     int query_config_mode;      /* whether to read config                   */
     int use_srtp;               /* Support SRTP                             */
     int force_srtp_profile;     /* SRTP protection profile to use or all    */
-    const char* mki;            /* The dtls mki value to use                */
+    int support_mki;            /* The dtls mki mki support                 */
 } opt;
 
 int query_config( const char *config );
@@ -2002,7 +2002,7 @@
     opt.query_config_mode   = DFL_QUERY_CONFIG_MODE;
     opt.use_srtp            = DFL_USE_SRTP;
     opt.force_srtp_profile  = DFL_SRTP_FORCE_PROFILE;
-    opt.mki                 = DFL_SRTP_MKI;
+    opt.support_mki         = DFL_SRTP_SUPPORT_MKI;
 
     for( i = 1; i < argc; i++ )
     {
@@ -2459,9 +2459,9 @@
         {
             opt.force_srtp_profile = atoi( q );
         }
-        else if( strcmp( p, "mki" ) == 0 )
+        else if( strcmp( p, "support_mki" ) == 0 )
         {
-            opt.mki = q;
+            opt.support_mki = atoi( q );
         }
         else
             goto usage;
@@ -3120,6 +3120,11 @@
             goto exit;
         }
 
+        mbedtls_ssl_conf_srtp_mki_value_supported( &conf,
+                                                   opt.support_mki ?
+                                                   MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED :
+                                                   MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED );
+
     }
     else if( opt.force_srtp_profile != DFL_SRTP_FORCE_PROFILE )
     {
@@ -3534,24 +3539,6 @@
                                             mbedtls_timing_get_delay );
 #endif
 
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
-    if( opt.use_srtp != DFL_USE_SRTP &&  strlen( opt.mki ) != 0 )
-    {
-        if( unhexify( mki, opt.mki, &mki_len ) != 0 )
-        {
-            mbedtls_printf( "mki value not valid hex\n" );
-             goto exit;
-        }
-
-        mbedtls_ssl_conf_srtp_mki_value_supported( &conf, MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED );
-        if( ( ret = mbedtls_ssl_dtls_srtp_set_mki_value( &ssl, mki, mki_len) ) != 0 )
-        {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_dtls_srtp_set_mki_value returned %d\n\n", ret );
-            goto exit;
-        }
-    }
-#endif
-
     mbedtls_printf( " ok\n" );
 
 reset: