[PATCH 1/2] Add support for DTLS-SRTP profile negotiation (RFC 5764)

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Oct 31 19:00:26 CET 2012

On 10/31/2012 02:46 PM, Martin Storsjo wrote:

> The code is heavily modelled on the server_name extension
> implementation.

Thank you for the patch. After the negotiation though, how does the
SRTP layer get the keys? Or would a later patch make gnutls output SRTP?

> Open questions:
> - Would it be necessary to add an accessor function for querying
>   the offered profiles that have been set?
> - The profile name strings match the ones used in OpenSSL, but
>   compared with the RFC, they lack a "HMAC_" before "SHA1". Is
>   this ok?

I don't know. How do you expect users to get those names? If they get it
from the RFC then being identical to it would help. Otherwise you may
just add a small section in the gnutls manual with the available options.

> - Is it ok to have both the setter and getter functions use strings?
>   The corresponding APIs in OpenSSL set the profiles based on a string,
>   but expose the selected profile via a struct.

see below.

> +int
> +gnutls_srtp_get_selected_profile (gnutls_session_t session, char *profile,
> +                                  size_t *profile_length)
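Review bot: the prototype's `char *profile, size_t *profile_length` pair does not say whether *profile_length is the caller's buffer capacity on entry, the written length on return, or both, nor what the function returns when the buffer is too small or when no profile was negotiated at all. Either document those three cases in the function comment, or avoid the question entirely by returning an enumeration member instead of a string, as suggested below.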

I think it would be easier for a user of this function to have profiles
in an enumeration and this function to return a member of this enumeration.

That may need though a function such as
const char* gnutls_srtp_get_profile_name(gnutls_srtp_profile_t)
to return a printable name.

> +/**
> + * gnutls_srtp_set_profiles:
> + * @session: is a #gnutls_session_t structure.
> + * @profiles: is a string that contains the supported SRTP profiles,
> + *   separated by colons.
> + *
> + * This function is to be used by both clients and servers, to declare
> + * what SRTP profiles they support, to negotiate with the peer.
> + *
> + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
> + *   otherwise a negative error code is returned.
> + **/
> +int
> +gnutls_srtp_set_profiles (gnutls_session_t session,
> +                          const char *profiles)
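Review bot: the doc comment on gnutls_srtp_set_profiles says only "separated by colons" and "a negative error code"; it does not list which profile names are accepted, and it does not state what happens when one token in @profiles is not a recognised name (whole call rejected, or unknown names silently skipped?). Add the accepted names, the failure behaviour for a bad token, and the specific error code returned in that case to the comment, since this is the string a human will type.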

I see that here a string helps because multiple profiles can be
specified. However, an interface similar to gnutls_priority_set_direct()
would better suit human-provided strings, since it would allow pointing
out the typo.

gnutls_srtp_set_profiles (gnutls_session_t session,
                          const char *profiles, char** err_pos)

btw. Would you be willing to transfer copyright to the FSF?
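As an added example of the interface shape suggested in this reply (an enumeration of profiles, a printable-name helper, and a parser that reports the offending token through an err_pos pointer in the style of gnutls_priority_set_direct()), here is a self-contained illustration written for this page. It is not code from the patch or from gnutls: the enum, the table, the function names, the duplicate check and the OpenSSL-style aliases without "HMAC_" are assumptions made for the example; only the four profile names and their 16-bit identifiers come from RFC 5764 section 4.1.2. The server-side selection function picks the first entry of the server's preference list that the client also offered, which is this example's policy, not a rule the RFC imposes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical enumeration (not gnutls's real API). Values are the 16-bit
 * identifiers the use_srtp extension carries, RFC 5764 section 4.1.2. */
typedef enum {
    SRTP_PROFILE_UNKNOWN = 0,
    SRTP_PROFILE_AES128_CM_HMAC_SHA1_80 = 0x0001,
    SRTP_PROFILE_AES128_CM_HMAC_SHA1_32 = 0x0002,
    SRTP_PROFILE_NULL_HMAC_SHA1_80 = 0x0005,
    SRTP_PROFILE_NULL_HMAC_SHA1_32 = 0x0006
} srtp_profile_t;

/* RFC name plus the OpenSSL-style alias without "HMAC_" (assumed alias). */
static const struct {
    srtp_profile_t id;
    const char *rfc_name;
    const char *alias;
} profile_table[] = {
    { SRTP_PROFILE_AES128_CM_HMAC_SHA1_80, "SRTP_AES128_CM_HMAC_SHA1_80", "SRTP_AES128_CM_SHA1_80" },
    { SRTP_PROFILE_AES128_CM_HMAC_SHA1_32, "SRTP_AES128_CM_HMAC_SHA1_32", "SRTP_AES128_CM_SHA1_32" },
    { SRTP_PROFILE_NULL_HMAC_SHA1_80,      "SRTP_NULL_HMAC_SHA1_80",      "SRTP_NULL_SHA1_80" },
    { SRTP_PROFILE_NULL_HMAC_SHA1_32,      "SRTP_NULL_HMAC_SHA1_32",      "SRTP_NULL_SHA1_32" },
};
#define NPROFILES (sizeof profile_table / sizeof profile_table[0])

static int token_equals(const char *tok, size_t len, const char *name)
{ return strlen(name) == len && memcmp(tok, name, len) == 0; }

/* Printable RFC name for an enum member, NULL if the value is not known. */
const char *srtp_profile_name(srtp_profile_t id)
{
    for (size_t i = 0; i < NPROFILES; i++)
        if (profile_table[i].id == id)
            return profile_table[i].rfc_name;
    return NULL;
}

/* Parse a colon-separated, preference-ordered profile string into out[].
 * Returns the count on success. On an empty, unknown or duplicated token,
 * or a full out[], returns -1 with *err_pos at the offending token. */
int parse_srtp_profiles(const char *profiles, srtp_profile_t *out,
                        size_t max, const char **err_pos)
{
    size_t n = 0;
    const char *p = profiles;
    if (err_pos) *err_pos = profiles;
    if (profiles == NULL || *profiles == '\0')
        return -1;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        srtp_profile_t id = SRTP_PROFILE_UNKNOWN;
        if (err_pos) *err_pos = p;
        for (size_t i = 0; i < NPROFILES; i++) {
            if (token_equals(p, len, profile_table[i].rfc_name) ||
                token_equals(p, len, profile_table[i].alias)) {
                id = profile_table[i].id;
                break;
            }
        }
        if (id == SRTP_PROFILE_UNKNOWN || n == max) return -1;
        for (size_t i = 0; i < n; i++)   /* a repeated profile is almost always a typo */
            if (out[i] == id)
                return -1;
        out[n++] = id;
        if (end == NULL)
            break;
        p = end + 1;
    }
    if (err_pos) *err_pos = NULL;
    return (int)n;
}

/* Server-side choice: first profile in the server's own preference list
 * that the client also offered (the server must answer with exactly one
 * of the client's profiles; preferring the server's order is our policy). */
srtp_profile_t select_srtp_profile(const srtp_profile_t *server, size_t ns,
                                   const srtp_profile_t *client, size_t nc)
{
    for (size_t i = 0; i < ns; i++)
        for (size_t j = 0; j < nc; j++)
            if (server[i] == client[j])
                return server[i];
    return SRTP_PROFILE_UNKNOWN;
}

int main(void)
{
    /* Constructed input with a deliberate typo in the second token. */
    const char *spec = "SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_3";
    srtp_profile_t list[NPROFILES];
    const char *err;
    if (parse_srtp_profiles(spec, list, NPROFILES, &err) < 0)
        printf("bad profile at offset %ld: \"%s\"\n", (long)(err - spec), err);
    return 0;
}
```

The err_pos pointer points into the caller's own string, so the caller can print the offset or the remaining text in its error message without any allocation, which is the property that makes gnutls_priority_set_direct()'s err_pos useful for hand-typed configuration.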


More information about the Gnutls-devel mailing list