Implement RFC 5764 (DTLS-SRTP).

net/third_party/nss/ssl/sslsock.c

Index: net/third_party/nss/ssl/sslsock.c
===================================================================
--- net/third_party/nss/ssl/sslsock.c	(revision 130750)
+++ net/third_party/nss/ssl/sslsock.c	(working copy)
@@ -225,6 +225,13 @@
 char lockStatus[] = "Locks are ENABLED.  ";
 #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */
 
+/* SRTP_NULL_HMAC_SHA1_80 and SRTP_NULL_HMAC_SHA1_32 are not implemented. */
+static const PRUint16 srtpCiphers[] = {
+    SRTP_AES128_CM_HMAC_SHA1_80,
+    SRTP_AES128_CM_HMAC_SHA1_32,
+    0
+};
+
 /* forward declarations. */
 static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant);
 static SECStatus  ssl_MakeLocks(sslSocket *ss);
@@ -1596,6 +1603,70 @@
     return SECSuccess;
 }
 
+SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd,
+			     const PRUint16 *ciphers,
+			     unsigned int numCiphers)
+{
+    sslSocket * ss;
+    int i;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss || !IS_DTLS(ss)) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSRTPCiphers",
+		 SSL_GETPID(), fd));
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    for (i = 0; i < numCiphers; i++) {
+	const PRUint16 *srtpCipher = srtpCiphers;
+
+	while (*srtpCipher) {
+	    if (ciphers[i] == *srtpCipher)
+		break;
+	    srtpCipher++;
+	}
+	if (!*srtpCipher) {
+	    SSL_DBG(("%d: SSL[%d]: invalid or unimplemented SRTP cipher "
+		     "suite specified: 0x%04hx", SSL_GETPID(), fd,
+		     ciphers[i]));
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);

[Ryan Sleevi, 2012/05/10 19:43:11]

The NSS SSL/DTLS code accepts non-existant cipher suites without issue, simply
ignoring them. I think this works to our advantage. Does it make sense to do the
same here?

[wtc, 2012/05/12 01:00:59]

SSL_CipherPrefSet returns SECFailure with
SSL_ERROR_UNKNOWN_CIPHER_SUITE if the cipher suite is
nonexistent.  Perhaps I misunderstood your comment here?

[Ryan Sleevi, 2012/05/12 01:13:06]

Ah, you're right, sorry for not double-checking memory.

In the SSL/TLS case, we can enable/disable individual cipher suites via
SSL_CipherPrefSet, so we can safely ignore any errors with unrecognized suites (
see
http://code.google.com/searchframe#OAMlx_jo-ck/src/net/socket/ssl_server_sock...
)

With this code, because setting enabled suites is all-or-nothing, and because
even enabling SRTP is dependent on all-or-nothing suites, we couldn't do such an
approach if we wanted to.

This would be an issue if a cipher suite ever needed to be removed, as it would
break clients still supplying the old cipher suite. I think that would argue in
favour of separating the API?

[wtc, 2012/05/15 00:56:41]

I also came to the same conclusion that we probably should
enable SRTP cipher suites individually, in the same way we
enable TLS cipher suites.

Ekr: do you have time to implement an SSL_USE_SRTP socket
option and the SSL_SRTPCipherPrefSet and SSL_SRTPCipherPrefGet
functions, or do you want me to do that?

I think we can omit the global preferences and just support
a model socket.

+	    return SECFailure;
+	}
+    }
+
+    if (numCiphers > MAX_DTLS_SRTP_CIPHER_SUITES) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    memcpy(ss->ssl3.dtlsSRTPCiphers, ciphers, sizeof(PRUint16) * numCiphers);
+    ss->ssl3.dtlsSRTPCipherCount = numCiphers;
+
+    return SECSuccess;
+}
+
+SECStatus
+SSL_GetSRTPCipher(PRFileDesc *fd, PRUint16 *cipher)
+{
+    sslSocket * ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetSRTPCipher",
+		 SSL_GETPID(), fd));
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if (!ss->ssl3.dtlsSRTPCipherSuite) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    *cipher = ss->ssl3.dtlsSRTPCipherSuite;
+    return SECSuccess;
+}
+
 PRFileDesc *
 SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
 {