Issue 9982019: Implement RFC 5764 (DTLS-SRTP).

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+331 lines, -8 lines)			Patch
M	net/third_party/nss/ssl/ssl.h	View	1 2 3 4 5 6 7 8	1 chunk	+22 lines, -0 lines	0 comments	Download
M	net/third_party/nss/ssl/ssl3ext.c	View	1 2 3 4 5 6 7 8	5 chunks	+211 lines, -1 line	0 comments	Download
M	net/third_party/nss/ssl/sslimpl.h	View	1 2 3 4 5 6 7 8	2 chunks	+7 lines, -0 lines	0 comments	Download
M	net/third_party/nss/ssl/sslproto.h	View	1 2 3 4 5 6 7 8	1 chunk	+7 lines, -0 lines	0 comments	Download
M	net/third_party/nss/ssl/sslsock.c	View	1 2 3 4 5 6 7 8	5 chunks	+82 lines, -6 lines	0 comments	Download
M	net/third_party/nss/ssl/sslt.h	View	1 2 3 4 5 6 7 8	1 chunk	+2 lines, -1 line	0 comments	Download

Messages

Total messages: 34 (0 generated)

Expand Messages | Collapse Messages

wtc

Ekr: Patch set 1 is your original patch in the upstream NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=737178, excluding ...

8 years, 8 months ago (2012-04-04 23:32:49 UTC) #1

ekr

https://chromiumcodereview.appspot.com/9982019/diff/1/net/third_party/nss/ssl/ssl3ext.c File net/third_party/nss/ssl/ssl3ext.c (right): https://chromiumcodereview.appspot.com/9982019/diff/1/net/third_party/nss/ssl/ssl3ext.c#newcode1679 net/third_party/nss/ssl/ssl3ext.c:1679: sender = (ss->version > SSL_LIBRARY_VERSION_3_0 || IS_DTLS(ss)) ? On ...

8 years, 8 months ago (2012-04-19 14:29:35 UTC) #2

wtc

Ekr: the CL is ready for your review. Patch set 1 is your original NSS ...

8 years, 8 months ago (2012-04-20 02:02:13 UTC) #3

ekr

I had a little trouble with Rietveld figuring out how to isolate each patch set, ...

8 years, 8 months ago (2012-04-26 14:33:42 UTC) #4

I had a little trouble with Rietveld figuring out how to isolate each patch set,
but I think I got all the changes.

http://codereview.chromium.org/9982019/diff/5001/net/third_party/nss/ssl/ssl.h
File net/third_party/nss/ssl/ssl.h (right):

http://codereview.chromium.org/9982019/diff/5001/net/third_party/nss/ssl/ssl....
net/third_party/nss/ssl/ssl.h:846: unsigned int numCiphers);
On 2012/04/20 02:02:13, wtc wrote:
> 
> To enable SSL/TLS cipher suites, one has to call the
> SSL_CipherPrefSet function on individual cipher suites.
> So SSL_SetSRTPCiphers uses a different method to enable
> all SRTP cipher suites in one shot.
> 
> I wonder if we should use a SSL_SRTPCipherPrefSet function
> instead to be consistent with the SSL_CipherPrefSet style.

That seems to be a change consistent with NSS style. I.e., "Yes" :)

http://codereview.chromium.org/9982019/diff/5001/net/third_party/nss/ssl/ssl3...
File net/third_party/nss/ssl/ssl3ext.c (right):

http://codereview.chromium.org/9982019/diff/5001/net/third_party/nss/ssl/ssl3...
net/third_party/nss/ssl/ssl3ext.c:1960: !ssl3_ClientExtensionAdvertised(ss,
ssl_use_srtp_xtn)) {
On 2012/04/20 02:02:13, wtc wrote:
> 
> We don't need to check this here because
> ssl3_HandleHelloExtensions checks this (on line 1622).

Agreed.

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
File net/third_party/nss/ssl/ssl3ext.c (right):

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:1897: if (append && maxBytes >= 4 +
ext_data_len) {
As a matter of style, I tend to add parentheses wherever I don't immediately
know the precedence rules. I believe that you are correct that this is a safe
transformation, but I'm not sure I would make it. Matter of house style.

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:1956: 
Why are these signed? Doesn't the encoding require unsigned values?

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:1995: /* We didn't offer an MKI, so this must
be 0 length */
On 2012/04/20 02:02:13, wtc wrote:
> 
> The RFC says:
>   If the client detects a nonzero-length MKI in the server's
>   response that is different than the one the client offered,
>   then the client MUST abort the handshake and SHOULD send an
>   invalid_parameter alert.
> 
> Due to a limitation of the ssl3_HandleHelloExtensions
> function, this is not easy to do.  (See lines 1633-1636.)
> I described this problem before in
> https://bugzilla.mozilla.org/show_bug.cgi?id=537356#c52
> and Nelson commented on it in
> https://bugzilla.mozilla.org/show_bug.cgi?id=537356#c53.
> 
> Returning SECFailure here won't abort the handshake.  It
> will merely cause the use_srtp extension to be not
> negotiated.
> 
> I hope this deviation from the RFC's requirement is
> acceptable.

Did I misread your comment in c55 where it sounded like you
were going to change to be able to abort the handshake with
SECFailure? I think it would be good to abort the handshake,
even if we can't generate an error.

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:2008: return SECSuccess;
I would change this comment to say
/* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP preferences have
been set */

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:2038: }
This is arguably slightly less clear because it involves setting found to true
multiple times. I don't feel strongly about it. You think clearer because no
nested conditionals?

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
File net/third_party/nss/ssl/sslproto.h (right):

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/sslproto.h:242: #define
SRTP_AES128_CM_HMAC_SHA1_80		0x0001
On 2012/04/20 02:02:13, wtc wrote:
> 
> I hope it's fine to use the exact cipher suite names
> (which have _HMAC) from the RFC.

Yes, that seems like an improvement.

> By the way, these are called "protection profiles" in the
> RFC.  Should we also use that term here?

Yes, we should.

wtc

Ekr: thank you for reviewing my changes. I answer your questions below. http://codereview.chromium.org/9982019/diff/5001/net/third_party/nss/ssl/ssl.h File net/third_party/nss/ssl/ssl.h ...

8 years, 8 months ago (2012-04-27 01:06:08 UTC) #5

Ekr: thank you for reviewing my changes.  I answer your
questions below.

http://codereview.chromium.org/9982019/diff/5001/net/third_party/nss/ssl/ssl.h
File net/third_party/nss/ssl/ssl.h (right):

http://codereview.chromium.org/9982019/diff/5001/net/third_party/nss/ssl/ssl....
net/third_party/nss/ssl/ssl.h:846: unsigned int numCiphers);
On 2012/04/26 14:33:42, ekr wrote:
>
> That seems to be a change consistent with NSS style. I.e., "Yes" :)

I just realized that one disadvantage of the
SSL_CipherPrefSet style is that the ordering of cipher
suites is fixed.

So, if you think the number of SRTP cipher suites will
remain small, the SSL_SetSRTPCiphers function seems
better: it allows us to specify all the SRTP cipher to
enable, including their ordering, in one shot.

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
File net/third_party/nss/ssl/ssl3ext.c (right):

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:1897: if (append && maxBytes >= 4 +
ext_data_len) {
On 2012/04/26 14:33:42, ekr wrote:
> As a matter of style, I tend to add parentheses wherever I don't immediately
> know the precedence rules. I believe that you are correct that this is a safe
> transformation, but I'm not sure I would make it. Matter of house style.

I removed these parentheses because I found the other
extender sender functions don't use them.  I seem to recall
gcc prefers adding parentheses when there is && or ||.
I can add these parentheses back like this:

  if (append && (maxBytes >= 4 + ext_data_len)) {

but I think this would be excessive:

  if (append && (maxBytes >= (4 + ext_data_len))) {

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:1956: 
On 2012/04/26 14:33:42, ekr wrote:
> Why are these signed? Doesn't the encoding require unsigned values?

These two variables are used to store the return value
of ssl3_ConsumeHandshakeNumber, which is PRInt32.  This
is why I changed them to PRInt32.

But I just discovered that these two variables are compared
with variables of unsigned types, which would cause MSVC
warnings.  So it seems that I should change these back to
PRUint32?

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:1995: /* We didn't offer an MKI, so this must
be 0 length */
On 2012/04/26 14:33:42, ekr wrote:
>
> Did I misread your comment in c55 where it sounded like you
> were going to change to be able to abort the handshake with
> SECFailure?

You read my comment in c55 correctly.  I did volunteer to
do that, and in c56 Nelson agreed with my plan.  But for
some reason I never got around to doing that :-(

> I think it would be good to abort the handshake,
> even if we can't generate an error.

By generating an error, you meant sending an invalid_parameter alert?

In any case, I should open a new NSS bug report for the
work I volunteered to do in c55.

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:2038: }
On 2012/04/26 14:33:42, ekr wrote:
> This is arguably slightly less clear because it involves setting found to true
> multiple times. I don't feel strongly about it. You think clearer because no
> nested conditionals?

This was my attempt to do
    bestIndex = i;
in only one place.

I can change it back to your original code.  But after
looking into this, I think the best solution is to imitate
how ssl3_HandleClientHello picks a cipher suite:
- Call ssl3_ConsumeHandshakeVariable to read the entire
  list of cipher suites into a SECItem.
- Use nested for loops, with the outer loop iterating over
  ss->ssl3.dtlsSRTPCiphers[i], to pick a match in our
  order of preference.

ekr

See comments. http://codereview.chromium.org/9982019/diff/5001/net/third_party/nss/ssl/ssl.h File net/third_party/nss/ssl/ssl.h (right): http://codereview.chromium.org/9982019/diff/5001/net/third_party/nss/ssl/ssl.h#newcode846 net/third_party/nss/ssl/ssl.h:846: unsigned int numCiphers); On 2012/04/27 01:06:08, wtc ...

8 years, 8 months ago (2012-04-27 03:36:33 UTC) #6

See comments.

http://codereview.chromium.org/9982019/diff/5001/net/third_party/nss/ssl/ssl.h
File net/third_party/nss/ssl/ssl.h (right):

http://codereview.chromium.org/9982019/diff/5001/net/third_party/nss/ssl/ssl....
net/third_party/nss/ssl/ssl.h:846: unsigned int numCiphers);
On 2012/04/27 01:06:08, wtc wrote:
> On 2012/04/26 14:33:42, ekr wrote:
> >
> > That seems to be a change consistent with NSS style. I.e., "Yes" :)
> 
> I just realized that one disadvantage of the
> SSL_CipherPrefSet style is that the ordering of cipher
> suites is fixed.
> 
> So, if you think the number of SRTP cipher suites will
> remain small, the SSL_SetSRTPCiphers function seems
> better: it allows us to specify all the SRTP cipher to
> enable, including their ordering, in one shot.

I think it's likely to remain very small; there's no combinatoric explosion
problem with key exchange, so we may just add AEAD (GCM) or something, but
probably no more than 10 cipher suites.

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
File net/third_party/nss/ssl/ssl3ext.c (right):

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:1897: if (append && maxBytes >= 4 +
ext_data_len) {
On 2012/04/27 01:06:09, wtc wrote:
> On 2012/04/26 14:33:42, ekr wrote:
> > As a matter of style, I tend to add parentheses wherever I don't immediately
> > know the precedence rules. I believe that you are correct that this is a
safe
> > transformation, but I'm not sure I would make it. Matter of house style.
> 
> I removed these parentheses because I found the other
> extender sender functions don't use them.  I seem to recall
> gcc prefers adding parentheses when there is && or ||.
> I can add these parentheses back like this:
> 
>   if (append && (maxBytes >= 4 + ext_data_len)) {
> 
> but I think this would be excessive:
> 
>   if (append && (maxBytes >= (4 + ext_data_len))) {

If it were me, I would do the first of these, but really, it's OK as long as
you're sure it's OK. I looked at it and it seemed good, but I had to check the
precedence table first.

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:1956: 
On 2012/04/27 01:06:09, wtc wrote:
> On 2012/04/26 14:33:42, ekr wrote:
> > Why are these signed? Doesn't the encoding require unsigned values?
> 
> These two variables are used to store the return value
> of ssl3_ConsumeHandshakeNumber, which is PRInt32.  This
> is why I changed them to PRInt32.
> 
> But I just discovered that these two variables are compared
> with variables of unsigned types, which would cause MSVC
> warnings.  So it seems that I should change these back to
> PRUint32?

Ouch, that's not a good state of affairs, esp. since SECFailure = -1.

Maybe we should use PRInt32 and then cast to PRUint32. E.g.,

PRInt32 x;

x = ssl3_ConsumeHandshakeNumber()

if (x == SECFailure)
  return SECFailure;

PRUint32 y = x & 0xffff;

It's kind of bad no matter what.

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:1995: /* We didn't offer an MKI, so this must
be 0 length */
On 2012/04/27 01:06:09, wtc wrote:
> On 2012/04/26 14:33:42, ekr wrote:
> >
> > Did I misread your comment in c55 where it sounded like you
> > were going to change to be able to abort the handshake with
> > SECFailure?
> 
> You read my comment in c55 correctly.  I did volunteer to
> do that, and in c56 Nelson agreed with my plan.  But for
> some reason I never got around to doing that :-(
> 
> > I think it would be good to abort the handshake,
> > even if we can't generate an error.
> 
> By generating an error, you meant sending an invalid_parameter alert?
> 
> In any case, I should open a new NSS bug report for the
> work I volunteered to do in c55.

I think failing with no alert would be satisfactory for now, plus a TODO if you
get around to c55.

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:2038: }
On 2012/04/27 01:06:09, wtc wrote:
> On 2012/04/26 14:33:42, ekr wrote:
> > This is arguably slightly less clear because it involves setting found to
true
> > multiple times. I don't feel strongly about it. You think clearer because no
> > nested conditionals?
> 
> This was my attempt to do
>     bestIndex = i;
> in only one place.
> 
> I can change it back to your original code.  But after
> looking into this, I think the best solution is to imitate
> how ssl3_HandleClientHello picks a cipher suite:
> - Call ssl3_ConsumeHandshakeVariable to read the entire
>   list of cipher suites into a SECItem.
> - Use nested for loops, with the outer loop iterating over
>   ss->ssl3.dtlsSRTPCiphers[i], to pick a match in our
>   order of preference.

I'm not sure I'm knowledgeable enough about SECItem to do this easily. Do you
want to try and have me take a look?

wtc

Ekr: I will send you a new patch set some time next week. See my ...

8 years, 8 months ago (2012-04-27 17:32:55 UTC) #7

Ekr: I will send you a new patch set some time next week.
See my answers to your questions below.  Thanks.

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
File net/third_party/nss/ssl/ssl3ext.c (right):

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:1956: 

On 2012/04/27 03:36:34, ekr wrote:
>
> Ouch, that's not a good state of affairs, esp. since SECFailure = -1.
> 
> Maybe we should use PRInt32 and then cast to PRUint32. E.g.,
> 
> PRInt32 x;
> 
> x = ssl3_ConsumeHandshakeNumber()
> 
> if (x == SECFailure)
>   return SECFailure;

We can also do
  if (x < 0)
    return SECFailure;

This will get rid of all the negative numbers.

> PRUint32 y = x & 0xffff;

y should be PRUint16, right?  Both cipherLenBytes and
cipher are 16-bit quantities in the use_srtp extension.
Ah, I see, the 0xffff mask you used truncates it to 16 bits.
Strictly speaking the masking is not necessary because
we ask ssl3_ConsumeHandshakeNumber to read two bytes.

> It's kind of bad no matter what.

Yes.  I will look at this more closely next week and
propose a solution.  I actually like your idea.

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:2038: }
On 2012/04/27 03:36:34, ekr wrote:
>
> I'm not sure I'm knowledgeable enough about SECItem to do this easily. Do you
> want to try and have me take a look?

Yes, I'll be happy to do that.  I can make all the changes
that I suggested and you agreed with, but I'll need you to
test my changes.

Please wait for a new patch set from me some time next week.

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
File net/third_party/nss/ssl/sslproto.h (right):

http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/sslproto.h:242: #define
SRTP_AES128_CM_HMAC_SHA1_80		0x0001
On 2012/04/26 14:33:42, ekr wrote:
> On 2012/04/20 02:02:13, wtc wrote:
> > By the way, these are called "protection profiles" in the
> > RFC.  Should we also use that term here?
> 
> Yes, we should.

Any suggestion on how to abbreviate "ProtectionProfile"
if it is too long?

I actually like "cipher suites" better.  "Protection profiles"
have a different meaning in Common Criteria evaluations.

ekr

On Fri, Apr 27, 2012 at 10:32 AM, <wtc@chromium.org> wrote > http://codereview.chromium.org/9982019/diff/13001/net/third_party/nss/ssl/ssl3ext.c#newcode2038 > net/third_party/nss/ssl/ssl3ext.c:2038: } ...

8 years, 8 months ago (2012-04-27 17:41:21 UTC) #8

wtc

Ekr: please review patch set 4. If it looks good, please also test it. Thanks! ...

8 years, 7 months ago (2012-05-03 02:00:15 UTC) #9

ekr

Except for the above comment, I think this is fine. I have tested it against ...

8 years, 7 months ago (2012-05-07 22:51:00 UTC) #11

wtc

rsleevi: please review patch set 6. This CL was based on Eric Rescorla's NSS patch, ...

8 years, 7 months ago (2012-05-08 22:15:11 UTC) #12

ekr

On Tue, May 8, 2012 at 3:15 PM, <wtc@chromium.org> wrote: > rsleevi: please review patch ...

8 years, 7 months ago (2012-05-08 22:17:47 UTC) #13

Ryan Sleevi

wtc: Based on the ChromeOS TPM work ongoing, I'm not sure I'll have a chance ...

8 years, 7 months ago (2012-05-08 22:55:36 UTC) #14

wtc

rsleevi: since you reviewed the previous DTLS patch, I think you are the best reviewer ...

8 years, 7 months ago (2012-05-09 18:58:02 UTC) #15

Ryan Sleevi

wtc: I only focused on the code, and did not focus on the implementation of ...

8 years, 7 months ago (2012-05-10 19:43:10 UTC) #16

wtc

rsleevi: please review patch set 7. Thank you very much for your thoughtful review. I ...

8 years, 7 months ago (2012-05-12 01:00:59 UTC) #18

rsleevi: please review patch set 7.  Thank you very much for
your thoughtful review.  I made all the changes you suggested
except for adding a SSL_UseSRTP function and global preference
for SRTP ciphers.  I will discuss them with Ekr.

Ekr: what do you think of rsleevi's suggestion?  (Search for
"Ekr" in the comment below.)

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl.h
File net/third_party/nss/ssl/ssl.h (right):

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl.h:842: ** negotiated.

On 2012/05/10 19:43:11, Ryan Sleevi wrote:
> If you have to document that it has a side-effect, would it make more sense to
> have a UseSRTP function (which sets some default cipher list) and then a
> SetSRTPCiphers?
> 
> This would parallel the DTLS/TLS cipher preference setting.

I will talk to Ekr about this.  Thanks for the suggestion.

> Also, the interaction with SSL model sockets is not clear here. Does this have
a
> model socket / global preference parallel?

I updated ssl_DupSocket and SSL_ReconfigFD to copy from
the model socket.

I will talk to Ekr about a global preference for
SRTP ciphers.

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
File net/third_party/nss/ssl/ssl3ext.c (right):

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:1892: if (!IS_DTLS(ss) ||
!ss->ssl3.dtlsSRTPCipherCount)

On 2012/05/10 19:43:11, Ryan Sleevi wrote:
> Seems IS_DTLS should be checked before the server side is checked, otherwise
> SRTP can be negotiated on a TLS socket?

This is a good question.

The server side checks IS_DTLS in ssl3_HandleUseSRTPXtn on
line 2021.  The reason client and server check IS_DTLS in
different places is that the client always calls
ssl3_SendUseSRTPXtn, but the server calls 
ssl3_SendUseSRTPXtn
only if ssl3_HandleUseSRTPXtn has validated the extension
and marked that ssl3_SendUseSRTPXtn should be called.

Similarly, the client side does not need to check IS_DTLS
in ssl3_HandleUseSRTPXtn because the client won't call
ssl3_HandleUseSRTPXtn (even if the server sends the
extension) unless the client has sent the extension.

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:2010: */

On 2012/05/10 19:43:11, Ryan Sleevi wrote:
> Perhaps move this up to 1964, since it applies to the SECFailure returned in
> (1961/1966), and at least there it provides context about the MKI.

After studying this code, I decided to move the
extension data length check (data->len != 5) on line 1964 after the MKI length
check here.  This way we only need to
talk about MKI here.

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:2045: for (j = 0; j + 1 < ciphers.len; j += 2)
{

On 2012/05/10 19:43:11, Ryan Sleevi wrote:
> !found && j + 1 ...

It is not necessary to test !found here because !found is
guaranteed to be true by the !found test on line 2044 and
the break statement on line 2049.

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:2049: break;

On 2012/05/10 19:43:11, Ryan Sleevi wrote:
> I assume this is where you were talking about gotos?

Yes, it is.  Do you still prefer that we avoid goto here?

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
File net/third_party/nss/ssl/sslsock.c (right):

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/sslsock.c:1633: PORT_SetError(SEC_ERROR_INVALID_ARGS);

On 2012/05/10 19:43:11, Ryan Sleevi wrote:
> The NSS SSL/DTLS code accepts non-existant cipher suites without issue, simply
> ignoring them.

SSL_CipherPrefSet returns SECFailure with
SSL_ERROR_UNKNOWN_CIPHER_SUITE if the cipher suite is
nonexistent.  Perhaps I misunderstood your comment here?

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/sslsock.c:1677: #if 0

On 2012/05/10 19:43:11, Ryan Sleevi wrote:
> Does it make sense to update this function, even though it's not implemented?

I updated both this function and ssl_DupSocket (both of them
take a model socket as input).

Ryan Sleevi

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl3ext.c File net/third_party/nss/ssl/ssl3ext.c (right): http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl3ext.c#newcode1892 net/third_party/nss/ssl/ssl3ext.c:1892: if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) On 2012/05/12 01:00:59, wtc wrote: ...

8 years, 7 months ago (2012-05-12 01:13:05 UTC) #19

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
File net/third_party/nss/ssl/ssl3ext.c (right):

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:1892: if (!IS_DTLS(ss) ||
!ss->ssl3.dtlsSRTPCipherCount)
On 2012/05/12 01:00:59, wtc wrote:
> 
> On 2012/05/10 19:43:11, Ryan Sleevi wrote:
> > Seems IS_DTLS should be checked before the server side is checked, otherwise
> > SRTP can be negotiated on a TLS socket?
> 
> This is a good question.
> 
> The server side checks IS_DTLS in ssl3_HandleUseSRTPXtn on
> line 2021.  The reason client and server check IS_DTLS in
> different places is that the client always calls
> ssl3_SendUseSRTPXtn, but the server calls 
> ssl3_SendUseSRTPXtn
> only if ssl3_HandleUseSRTPXtn has validated the extension
> and marked that ssl3_SendUseSRTPXtn should be called.
> 
> Similarly, the client side does not need to check IS_DTLS
> in ssl3_HandleUseSRTPXtn because the client won't call
> ssl3_HandleUseSRTPXtn (even if the server sends the
> extension) unless the client has sent the extension.

Fair enough, if that's the contract. I wanted to make sure it wasn't possible
for a misbehaving program to end up with this called on a server socket or a
malicious server to be able to send an invalid extension. Seems like this is
already covered.

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:2010: */
On 2012/05/12 01:00:59, wtc wrote:
> 
> On 2012/05/10 19:43:11, Ryan Sleevi wrote:
> > Perhaps move this up to 1964, since it applies to the SECFailure returned in
> > (1961/1966), and at least there it provides context about the MKI.
> 
> After studying this code, I decided to move the
> extension data length check (data->len != 5) on line 1964 after the MKI length
> check here.  This way we only need to
> talk about MKI here.

This means you're now relying on ssl3_ConsumeHandshakeVariable to do the length
check.

This is probably fine, but note that if the lengths don't match, this will force
SSL3_SendAlert() to be called. Is this what you want to happen?

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:2045: for (j = 0; j + 1 < ciphers.len; j += 2)
{
On 2012/05/12 01:00:59, wtc wrote:
> 
> On 2012/05/10 19:43:11, Ryan Sleevi wrote:
> > !found && j + 1 ...
> 
> It is not necessary to test !found here because !found is
> guaranteed to be true by the !found test on line 2044 and
> the break statement on line 2049.

Ah, right.

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/ssl3ext.c:2049: break;
On 2012/05/12 01:00:59, wtc wrote:
> 
> On 2012/05/10 19:43:11, Ryan Sleevi wrote:
> > I assume this is where you were talking about gotos?
> 
> Yes, it is.  Do you still prefer that we avoid goto here?

Depends.

Currently, the code always consumes the srtp_mki value (line 2055), even when
!found (line 2064). If that's the expected behaviour, then yeah, I think goto is
considered harmful.

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
File net/third_party/nss/ssl/sslsock.c (right):

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl...
net/third_party/nss/ssl/sslsock.c:1633: PORT_SetError(SEC_ERROR_INVALID_ARGS);
On 2012/05/12 01:00:59, wtc wrote:
> 
> On 2012/05/10 19:43:11, Ryan Sleevi wrote:
> > The NSS SSL/DTLS code accepts non-existant cipher suites without issue,
simply
> > ignoring them.
> 
> SSL_CipherPrefSet returns SECFailure with
> SSL_ERROR_UNKNOWN_CIPHER_SUITE if the cipher suite is
> nonexistent.  Perhaps I misunderstood your comment here?

Ah, you're right, sorry for not double-checking memory.

In the SSL/TLS case, we can enable/disable individual cipher suites via
SSL_CipherPrefSet, so we can safely ignore any errors with unrecognized suites (
see
http://code.google.com/searchframe#OAMlx_jo-ck/src/net/socket/ssl_server_sock...
)

With this code, because setting enabled suites is all-or-nothing, and because
even enabling SRTP is dependent on all-or-nothing suites, we couldn't do such an
approach if we wanted to.

This would be an issue if a cipher suite ever needed to be removed, as it would
break clients still supplying the old cipher suite. I think that would argue in
favour of separating the API?

ekr

On Fri, May 11, 2012 at 6:00 PM, <wtc@chromium.org> wrote: > > http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl.h > File ...

8 years, 7 months ago (2012-05-14 22:49:14 UTC) #20

ekr

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl3ext.c File net/third_party/nss/ssl/ssl3ext.c (right): http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl3ext.c#newcode2049 net/third_party/nss/ssl/ssl3ext.c:2049: break; On 2012/05/12 01:13:06, Ryan Sleevi wrote: > On ...

8 years, 7 months ago (2012-05-14 22:50:49 UTC) #21

wtc

http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl3ext.c File net/third_party/nss/ssl/ssl3ext.c (right): http://codereview.chromium.org/9982019/diff/37002/net/third_party/nss/ssl/ssl3ext.c#newcode2010 net/third_party/nss/ssl/ssl3ext.c:2010: */ On 2012/05/12 01:13:06, Ryan Sleevi wrote: > > ...

8 years, 7 months ago (2012-05-15 00:56:41 UTC) #22

ekr

lso came to the same conclusion that we probably should > enable SRTP cipher suites ...

8 years, 7 months ago (2012-05-16 18:52:16 UTC) #23

ekr

Wan-Teh, are you able to to do this, or should I pick it back up? ...

8 years, 7 months ago (2012-05-24 18:27:34 UTC) #24

wtc1

On Thu, May 24, 2012 at 11:26 AM, Eric Rescorla <ekr@rtfm.com> wrote: > Wan-Teh, are ...

8 years, 7 months ago (2012-05-24 18:46:31 UTC) #25

ekr

On Thu, May 24, 2012 at 11:46 AM, Wan-Teh Chang <wtc@google.com> wrote: > On Thu, ...

8 years, 7 months ago (2012-05-24 22:57:26 UTC) #26

wtc1

On Thu, May 24, 2012 at 3:56 PM, Eric Rescorla <ekr@rtfm.com> wrote: > On Thu, ...

8 years, 7 months ago (2012-05-24 23:22:27 UTC) #27

wtc

Ekr: please review patch set 8. You can just review the delta between patch sets ...

8 years, 6 months ago (2012-06-02 01:19:57 UTC) #28

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/wtc@chromium.org/9982019/65002

8 years, 6 months ago (2012-06-05 13:17:47 UTC) #31

commit-bot: I haz the power

Try job failure for 9982019-65002 on win for step "update". http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=win&number=14375 Step "update" is always ...

8 years, 6 months ago (2012-06-05 13:19:21 UTC) #32

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/wtc@chromium.org/9982019/65002

8 years, 6 months ago (2012-06-05 14:53:57 UTC) #33

Change committed as 140535

Expand Messages | Collapse Messages

Issue 9982019: Implement RFC 5764 (DTLS-SRTP). (Closed)

Description

Patch Set 1 #

Patch Set 2 : Fix coding style nits, require DTLS for the use_srtp extension #

Patch Set 3 : First full review #

Patch Set 4 : Change how we read the cipher list and make changes suggested by ekr #

Patch Set 5 : Avoid goto #

Patch Set 6 : Add NSS bug number #

Patch Set 7 : Make the changes suggested by rsleevi #

Patch Set 8 : Fix the all-or-nothing behavior of SSL_SetSRTPCiphers #

Patch Set 9 : Sync before checkin #

Messages