Implement RFC 5764 (DTLS-SRTP).

net/third_party/nss/ssl/ssl3ext.c

Index: net/third_party/nss/ssl/ssl3ext.c
===================================================================
--- net/third_party/nss/ssl/ssl3ext.c	(revision 130750)
+++ net/third_party/nss/ssl/ssl3ext.c	(working copy)
@@ -90,7 +90,10 @@
     PRUint16 ex_type, SECItem *data);
 static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss,
     PRBool append, PRUint32 maxBytes);
+static SECStatus ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes);
+SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data);
 
+
 /*
  * Write bytes.  Using this function means the SECItem structure
  * cannot be freed.  The caller is expected to call this function
@@ -250,6 +253,7 @@
     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ServerHandleNextProtoNegoXtn },
     { ssl_ob_cert_xtn,            &ssl3_ServerHandleOBCertXtn },
+    { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
     { -1, NULL }
 };
 
@@ -264,6 +268,7 @@
     { ssl_next_proto_nego_xtn,    &ssl3_ClientHandleNextProtoNegoXtn },
     { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
     { ssl_ob_cert_xtn,            &ssl3_ClientHandleOBCertXtn },
+    { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn}, 
     { -1, NULL }
 };
 
@@ -290,7 +295,8 @@
     { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ClientSendNextProtoNegoXtn },
     { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn },
-    { ssl_ob_cert_xtn,            &ssl3_SendOBCertXtn }
+    { ssl_ob_cert_xtn,            &ssl3_SendOBCertXtn },
+    { ssl_use_srtp_xtn,           &ssl3_SendUseSRTPXtn }
     /* any extra entries will appear as { 0, NULL }    */
 };
 
@@ -1670,7 +1676,7 @@
     int i;
 
     if (!sender) {
-    	sender = ss->version > SSL_LIBRARY_VERSION_3_0 ?
+    	sender = (ss->version > SSL_LIBRARY_VERSION_3_0 || IS_DTLS(ss)) ?

[wtc, 2012/04/04 23:32:49]

This is no longer necessary after we made ss->version the
base TLS protocol version.

[ekr, 2012/04/19 14:29:35]

Concur.

                  &clientHelloSendersTLS[0] : &clientHelloSendersSSL3[0];
     }
 
@@ -1868,3 +1874,185 @@
 
     return SECSuccess;
 }
+
+static SECStatus
+ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
+{
+    PRUint32 ext_data_len;
+    PRInt16 i;
+    SECStatus rv;
+
+    if (!ss)
+	return 0;
+
+    if (!ss->sec.isServer) {
+	/* Client */
+
+	if (!ss->ssl3.dtlsSRTPCipherCt)
+	    return 0;  /* Not relevant */
+	
+	ext_data_len = 2 + (2*ss->ssl3.dtlsSRTPCipherCt) + 1;
+	
+	if (append && ((4 + ext_data_len) <= maxBytes)) {
+	    /* Xtn type */
+	    rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
+	    if (rv != SECSuccess) return -1;
+	    /* Length of extension data */
+	    rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2);
+	    if (rv != SECSuccess) return -1;
+	    /* Length of the SRTP cipher list */
+	    rv = ssl3_AppendHandshakeNumber(ss, 2 * ss->ssl3.dtlsSRTPCipherCt, 2);
+	    if (rv != SECSuccess) return -1;
+	    /* The SRTP ciphers */
+	    for (i=0; i<ss->ssl3.dtlsSRTPCipherCt; i++) {
+		rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCiphers[i], 2);
+	    }
+	    /* Empty MKI value */
+	    ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
+	    
+	    ss->xtnData.advertised[ss->xtnData.numAdvertised++] = ssl_use_srtp_xtn;
+	} 
+
+	return ext_data_len + 4;
+    }
+
+    /* Server side */
+    if (append && (maxBytes >= 9)) {
+	/* Xtn type */
+	rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
+	if (rv != SECSuccess) return -1;
+	/* Length of extension data */
+	rv = ssl3_AppendHandshakeNumber(ss, 5, 2);
+	if (rv != SECSuccess) return -1;
+	/* Length of the SRTP cipher list */
+	rv = ssl3_AppendHandshakeNumber(ss, 2, 2);
+	if (rv != SECSuccess) return -1;
+	/* The selected cipher */
+	rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2);
+	if (rv != SECSuccess) return -1;
+	/* Empty MKI value */
+	ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);	
+    }
+
+    return 9;
+}
+
+SECStatus
+ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
+{
+    SECStatus rv;
+    PRInt16 i;
+    PRInt16 bestIndex;
+    PRBool found = PR_FALSE;
+    SECItem litem;
+    PRUint32 cipherLenBytes;
+    PRUint32 cipher;
+
+    if (!ss->sec.isServer) {
+	/* Client side */
+	if (!data->data || !data->len ||
+	    !ssl3_ClientExtensionAdvertised(ss, ssl_use_srtp_xtn)) {
+            /* malformed or was not initiated by the client.*/
+            return SECFailure;
+	}
+
+	if (data->len != 5) { /* Must always be 9 since we don't offer MKI */
+            /* malformed or was not initiated by the client.*/
+            return SECFailure;
+	}
+	
+	/* Now check that the number of ciphers listed is 1 (len = 2) */
+	cipherLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
+	if (cipherLenBytes != 2)
+	    return SECFailure;
+	
+	/* Get the selected cipher */
+	cipher = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
+
+	/* Get the use_mki value */
+        rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1 , &data->data, &data->len);
+        if (rv != SECSuccess) {
+            return SECFailure;
+        }
+	/* We didn't offer an MKI, so this must be 0 length */
+	if (litem.len != 0)
+	    return SECFailure;
+
+	/* Now check that this is one of the ciphers we offered */
+	for (i=0; i<ss->ssl3.dtlsSRTPCipherCt; i++) {
+	    if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
+		found = PR_TRUE;
+		break;
+	    }
+	}
+
+	if (!found)
+	    return SECFailure;
+	
+	/* OK, this looks fine. */
+	ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
+	ss->ssl3.dtlsSRTPCipherSuite = cipher;
+	return SECSuccess;
+    }
+
+    /* Server side */
+    if (!data->data || data->len < 5) {
+	/* malformed */	
+	return SECFailure;
+    }
+
+    /* Get the length of the cipher list */
+    cipherLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
+    /* Check that there is room for the ciphers and that the list is even length */
+    if ((cipherLenBytes > (data->len - 1)) || (cipherLenBytes % 2))
+	return SECFailure;
+    
+    /* Walk through the offered list one at a time and pick the most preferred
+       of our ciphers, if any */
+    while (cipherLenBytes > 0) {
+	cipher = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
+	cipherLenBytes -= 2;
+	
+	for (i=0; i<ss->ssl3.dtlsSRTPCipherCt; i++) {
+	    /* Unknown ciphers just go through the entire list */
+	    if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
+		if (!found) {
+		    found = PR_TRUE;
+		    bestIndex = i;
+		}
+		else {
+		    if (i < bestIndex)
+			bestIndex = i;
+		}
+		break;
+	    }
+	}
+    }
+    
+    /* Get the use_mki value */
+    rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len);
+    if (rv != SECSuccess) {
+	return SECFailure;
+    }
+
+    if (data->len)
+	return SECFailure; /* Malformed */
+    
+    /* Now figure out what to do */
+    if (!found) {
+	/* No matching ciphers */
+	return SECSuccess;
+    }
+    
+    /* OK, we have a valid cipher and we've selected it */
+    ss->ssl3.dtlsSRTPCipherSuite = ss->ssl3.dtlsSRTPCiphers[bestIndex];
+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
+    
+    rv = ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn,
+						 ssl3_SendUseSRTPXtn);
+    if (rv != SECSuccess)
+	return rv;
+
+    return SECSuccess;
+}
+