Implement RFC 5764 (DTLS-SRTP).

net/third_party/nss/ssl/ssl3ext.c

 /*
  * SSL3 Protocol
  *
  * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
@@ skipping 72 matching lines @@
 static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
                         PRUint16 ex_type, SECItem *data);
 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
                                                PRUint32 maxBytes);
 static SECStatus ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss,
     PRUint16 ex_type, SECItem *data);
 static SECStatus ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss,
     PRUint16 ex_type, SECItem *data);
 static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss,
     PRBool append, PRUint32 maxBytes);
+static SECStatus ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append,
+    PRUint32 maxBytes);
+static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type,
+    SECItem *data);
 
 /*
  * Write bytes.  Using this function means the SECItem structure
  * cannot be freed.  The caller is expected to call this function
  * on a shallow copy of the structure.
  */
 static SECStatus
 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes)
 {
     if (bytes > item->len)
@@ skipping 140 matching lines @@
     { ssl_server_name_xtn,        &ssl3_HandleServerNameXtn },
 #ifdef NSS_ENABLE_ECC
     { ssl_elliptic_curves_xtn,    &ssl3_HandleSupportedCurvesXtn },
     { ssl_ec_point_formats_xtn,   &ssl3_HandleSupportedPointFormatsXtn },
 #endif
     { ssl_session_ticket_xtn,     &ssl3_ServerHandleSessionTicketXtn },
     { ssl_encrypted_client_certs, &ssl3_ServerHandleEncryptedClientCertsXtn },
     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ServerHandleNextProtoNegoXtn },
     { ssl_ob_cert_xtn,            &ssl3_ServerHandleOBCertXtn },
+    { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
     { -1, NULL }
 };
 
 /* These two tables are used by the client, to handle server hello
  * extensions. */
 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
     { ssl_server_name_xtn,        &ssl3_HandleServerNameXtn },
     /* TODO: add a handler for ssl_ec_point_formats_xtn */
     { ssl_session_ticket_xtn,     &ssl3_ClientHandleSessionTicketXtn },
     { ssl_encrypted_client_certs, &ssl3_ClientHandleEncryptedClientCertsXtn },
     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ClientHandleNextProtoNegoXtn },
     { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
     { ssl_ob_cert_xtn,            &ssl3_ClientHandleOBCertXtn },
+    { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn},
     { -1, NULL }
 };
 
 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = {
     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
     { -1, NULL }
 };
 
 /* Tables of functions to format TLS hello extensions, one function per
  * extension.
  * These static tables are for the formatting of client hello extensions.
  * The server's table of hello senders is dynamic, in the socket struct,
  * and sender functions are registered there.
  */
 static const 
 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
     { ssl_server_name_xtn,        &ssl3_SendServerNameXtn        },
     { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
 #ifdef NSS_ENABLE_ECC
     { ssl_elliptic_curves_xtn,    &ssl3_SendSupportedCurvesXtn },
     { ssl_ec_point_formats_xtn,   &ssl3_SendSupportedPointFormatsXtn },
 #endif
     { ssl_session_ticket_xtn,     &ssl3_SendSessionTicketXtn },
     { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ClientSendNextProtoNegoXtn },
     { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn },
-    { ssl_ob_cert_xtn,            &ssl3_SendOBCertXtn }
+    { ssl_ob_cert_xtn,            &ssl3_SendOBCertXtn },
+    { ssl_use_srtp_xtn,           &ssl3_SendUseSRTPXtn }
     /* any extra entries will appear as { 0, NULL }    */
 };
 
 static const 
 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = {
     { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }
     /* any extra entries will appear as { 0, NULL }    */
 };
 
 static PRBool
@@ skipping 1557 matching lines @@
 
     /* The echoed extension must be empty. */
     if (data->len != 0)
         return SECFailure;
 
     /* Keep track of negotiated extensions. */
     ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
 
     return SECSuccess;
 }
+
+static SECStatus
+ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
+{
+    PRUint32 ext_data_len;
+    PRInt16 i;
+    SECStatus rv;
+
+    if (!ss)
+        return 0;
+
+    if (!ss->sec.isServer) {
+        /* Client */
+
+        if (!ss->ssl3.dtlsSRTPCipherCount)
+            return 0;  /* Not relevant */
+        
+        ext_data_len = 2 + (2*ss->ssl3.dtlsSRTPCipherCount) + 1;
+        
+        if (append && ((4 + ext_data_len) <= maxBytes)) {
+            /* Xtn type */
+            rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
+            if (rv != SECSuccess) return -1;
+            /* Length of extension data */
+            rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2);
+            if (rv != SECSuccess) return -1;
+            /* Length of the SRTP cipher list */
+            rv = ssl3_AppendHandshakeNumber(ss,
+                                            2 * ss->ssl3.dtlsSRTPCipherCount,
+                                            2);
+            if (rv != SECSuccess) return -1;
+            /* The SRTP ciphers */
+            for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
+                rv = ssl3_AppendHandshakeNumber(ss,
+                                                ss->ssl3.dtlsSRTPCiphers[i],
+                                                2);
+            }
+            /* Empty MKI value */
+            ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
+
+            ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+                ssl_use_srtp_xtn;
+        }
+
+        return ext_data_len + 4;
+    }
+
+    /* Server side */
+    if (append && (maxBytes >= 9)) {
+        /* Xtn type */
+        rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
+        if (rv != SECSuccess) return -1;
+        /* Length of extension data */
+        rv = ssl3_AppendHandshakeNumber(ss, 5, 2);
+        if (rv != SECSuccess) return -1;
+        /* Length of the SRTP cipher list */
+        rv = ssl3_AppendHandshakeNumber(ss, 2, 2);
+        if (rv != SECSuccess) return -1;
+        /* The selected cipher */
+        rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2);
+        if (rv != SECSuccess) return -1;
+        /* Empty MKI value */
+        ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);   
+    }
+
+    return 9;
+}
+
+SECStatus
+ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
+{
+    SECStatus rv;
+    PRInt16 i;
+    PRInt16 bestIndex;
+    PRBool found = PR_FALSE;
+    SECItem litem;
+    PRUint32 cipherLenBytes;
+    PRUint32 cipher;
+
+    if (!ss->sec.isServer) {
+        /* Client side */
+        if (!data->data || !data->len ||
+            !ssl3_ClientExtensionAdvertised(ss, ssl_use_srtp_xtn)) {

[wtc, 2012/04/20 02:02:13]

We don't need to check this here because
ssl3_HandleHelloExtensions checks this (on line 1622).

[ekr, 2012/04/26 14:33:42]

Agreed.

+            /* malformed or was not initiated by the client.*/
+            return SECFailure;
+        }
+
+        if (data->len != 5) { /* Must always be 9 since we don't offer MKI */
+            /* malformed or was not initiated by the client.*/
+            return SECFailure;
+        }
+        
+        /* Now check that the number of ciphers listed is 1 (len = 2) */
+        cipherLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2,
+                                                     &data->data, &data->len);
+        if (cipherLenBytes != 2)
+            return SECFailure;
+        
+        /* Get the selected cipher */
+        cipher = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
+
+        /* Get the use_mki value */
+        rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1 ,
+                                           &data->data, &data->len);
+        if (rv != SECSuccess) {
+            return SECFailure;
+        }
+        /* We didn't offer an MKI, so this must be 0 length */
+        if (litem.len != 0)
+            return SECFailure;
+
+        /* Now check that this is one of the ciphers we offered */
+        for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
+            if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
+                found = PR_TRUE;
+                break;
+            }
+        }
+
+        if (!found)
+            return SECFailure;
+        
+        /* OK, this looks fine. */
+        ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
+        ss->ssl3.dtlsSRTPCipherSuite = cipher;
+        return SECSuccess;
+    }
+
+    /* Server side */
+    if (!IS_DTLS(ss)) {
+        /* Ignore the extension. */

[wtc, 2012/04/04 23:32:49]

If the client offers the use_srtp extension in stream TLS
mode, should we ignore the extension or fail?

[ekr, 2012/04/19 14:29:36]

I think it's best to ignore it. 

In the OpenSSL code, I don't even test for DTLS, I believe. But it's
pretty clear from the spec that this isn't a TLS feature.

+        return SECSuccess;
+    }
+
+    if (!data->data || data->len < 5) {
+        /* malformed */ 
+        return SECFailure;
+    }
+
+    /* Get the length of the cipher list */
+    cipherLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2,
+                                                 &data->data, &data->len);
+    /* Check that there is room for the ciphers and that the list is even
+     * length */
+    if ((cipherLenBytes > (data->len - 1)) || (cipherLenBytes % 2))
+        return SECFailure;
+
+    /* Walk through the offered list one at a time and pick the most preferred
+     * of our ciphers, if any */
+    while (cipherLenBytes > 0) {
+        cipher = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
+        cipherLenBytes -= 2;
+        
+        for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
+            /* Unknown ciphers just go through the entire list */
+            if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
+                if (!found) {
+                    found = PR_TRUE;
+                    bestIndex = i;
+                } else {
+                    if (i < bestIndex)
+                        bestIndex = i;
+                }
+                break;
+            }
+        }
+    }
+
+    /* Get the use_mki value */
+    rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    if (data->len)
+        return SECFailure; /* Malformed */
+
+    /* Now figure out what to do */
+    if (!found) {
+        /* No matching ciphers */
+        return SECSuccess;
+    }
+
+    /* OK, we have a valid cipher and we've selected it */
+    ss->ssl3.dtlsSRTPCipherSuite = ss->ssl3.dtlsSRTPCiphers[bestIndex];
+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
+
+    rv = ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn,
+                                                 ssl3_SendUseSRTPXtn);
+    if (rv != SECSuccess)
+        return rv;
+
+    return SECSuccess;
+}