Implement RFC 5764 (DTLS-SRTP).

net/third_party/nss/ssl/ssl.h

Index: net/third_party/nss/ssl/ssl.h
===================================================================
--- net/third_party/nss/ssl/ssl.h	(revision 130750)
+++ net/third_party/nss/ssl/ssl.h	(working copy)
@@ -836,6 +836,24 @@
                       struct SECKEYPrivateKeyStr **pRetKey);
 
 /*
+** Configure DTLS-SRTP (RFC 5764) cipher suite preferences.
+** Input is a list of ciphers in descending preference order and a length
+** of the list. As a side effect, this causes the use_srtp extension to be
+** negotiated.

[Ryan Sleevi, 2012/05/10 19:43:11]

If you have to document that it has a side-effect, would it make more sense to
have a UseSRTP function (which sets some default cipher list) and then a
SetSRTPCiphers?

This would parallel the DTLS/TLS cipher preference setting.

Also, the interaction with SSL model sockets is not clear here. Does this have a
model socket / global preference parallel?

[wtc, 2012/05/12 01:00:59]

I will talk to Ekr about this.  Thanks for the suggestion.
I updated ssl_DupSocket and SSL_ReconfigFD to copy from
the model socket.

I will talk to Ekr about a global preference for
SRTP ciphers.

+*/
+SSL_IMPORT SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd,
+					const PRUint16 *ciphers,
+					unsigned int numCiphers);
+
+/*
+** Get the selected DTLS-SRTP cipher suite (if any).
+** To be called after the handshake completes.
+** Returns SECFailure if not negotiated.
+*/
+SSL_IMPORT SECStatus SSL_GetSRTPCipher(PRFileDesc *fd,
+				       PRUint16 *cipher);
+
+/*
  * Look to see if any of the signers in the cert chain for "cert" are found
  * in the list of caNames.  
  * Returns SECSuccess if so, SECFailure if not.