[PATCH 1/2] Add support for DTLS-SRTP profile negotiation (RFC 5764)

Martin Storsjö martin at martin.st
Wed Oct 31 19:10:50 CET 2012


On Wed, 31 Oct 2012, Nikos Mavrogiannopoulos wrote:

> On 10/31/2012 02:46 PM, Martin Storsjo wrote:
>
>> The code is heavily modelled on the server_name extension
>> implementation.
>
> Hello,
> Thank you for the patch. After the negotiation though, how does the
> SRTP layer get the keys? Or would a later patch make gnutls output SRTP?

The actual keys for SRTP are generated using RFC 5705, which can be 
handled via gnutls_prf. (For the context parameter in RFC 5705, one has to 
manually construct such a buffer to pass as the extra parameter to 
gnutls_prf, but other than that, it's all there already.)

>> Open questions:
>> - Would it be necessary to add an accessor function for querying
>>   the offered profiles that have been set?
>> - The profile name strings match the ones used in OpenSSL, but
>>   compared with the RFC, they lack a "HMAC_" before "SHA1". Is
>>   this ok?
>
> I don't know. How do you expect users to get those names? If they get it
> from the RFC then being identical to it would help. Otherwise you may
> just add a small section in the gnutls manual with the available options.
>
>> - Is it ok to have both the setter and getter functions use strings?
>>   The corresponding APIs in OpenSSL set the profiles based on a string,
>>   but expose the selected profile via a struct.
>
> see below.
>
>> +int
>> +gnutls_srtp_get_selected_profile (gnutls_session_t session, char *profile,
>> +                                  size_t *profile_length)
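Review bot: the prototype leaves the contract of `profile_length` ambiguous; state whether it carries the caller's buffer size on entry and the written length on return, and whether `profile` is NUL-terminated, because a length that is output-only gives the caller no safe way to size the buffer. Returning an enumeration value instead of copying a string, as suggested below, sidesteps the question entirely.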
>
> I think it would be easier for a user of this function to have profiles
> in an enumeration and this function to return a member of this enumeration.
>
> That may need though a function such as
> const char* gnutls_srtp_get_profile_name(gnutls_srtp_profile_t)
> to return a printable name.
>
>> +/**
>> + * gnutls_srtp_set_profiles:
>> + * @session: is a #gnutls_session_t structure.
>> + * @profiles: is a string that contains the supported SRTP profiles,
>> + *   separated by colons.
>> + *
>> + * This function is to be used by both clients and servers, to declare
>> + * what SRTP profiles they support, to negotiate with the peer.
>> + *
>> + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
>> + *   otherwise a negative error code is returned.
>> + **/
>> +int
>> +gnutls_srtp_set_profiles (gnutls_session_t session,
>> +                          const char *profiles)
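Review bot: the comment for gnutls_srtp_set_profiles() documents the colon separator but neither lists the accepted profile names nor says what happens when a name is unrecognised; add the valid strings (or a reference to the manual section that lists them) and state the error code returned for an unknown or empty entry, so callers can tell a typo from a negotiation failure.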
>
> I see that here a string helps because multiple profiles can be
> specified. However an interface similar to gnutls_priority_set_direct()
> would suit better human-provided strings since it would allow pointing
> out the typo.
>
> e.g.
> gnutls_srtp_set_profiles (gnutls_session_t session,
>                          const char *profiles, char** err_pos)

That sounds like a good idea, I'll return with an improved patch later.

> btw. Would you be willing to transfer copyright to the FSF?

Yes, that's ok with me.

// Martin
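Two technical points come up in this exchange: how the SRTP keys are derived from the finished DTLS handshake with an RFC 5705 exporter (which gnutls_prf covers), and how a colon-separated profile string could report the position of a typo in the style of gnutls_priority_set_direct(). The following Python is an added illustration of both, not gnutls or OpenSSL code and not part of the patch. It implements the TLS 1.2 PRF in place of gnutls_prf(), uses the RFC 5764 exporter label and the RFC spellings of the profile names (with the "HMAC_" that the OpenSSL names omit), and the master secret and handshake randoms are constructed sample values; the names parse_profiles, export_keying_material and srtp_key_material are this example's own.

```python
"""Getting keys from a finished DTLS handshake to the SRTP layer.

Added example, not gnutls code: the TLS 1.2 PRF below stands in for
gnutls_prf(), and the master secret and randoms are constructed sample
values; in a real endpoint they come from the completed DTLS session.
"""
import hashlib
import hmac

# RFC 5764 section 4.1.2 profile names (RFC spelling, with "HMAC_") mapped
# to (master key length, master salt length) in bytes.
SRTP_PROFILES = {
    "SRTP_AES128_CM_HMAC_SHA1_80": (16, 14),
    "SRTP_AES128_CM_HMAC_SHA1_32": (16, 14),
    "SRTP_NULL_HMAC_SHA1_80": (16, 14),
    "SRTP_NULL_HMAC_SHA1_32": (16, 14),
}

# RFC 5764 section 4.2: exporter label; no context value is used for SRTP.
SRTP_EXPORTER_LABEL = b"EXTRACTOR-dtls_srtp"


def parse_profiles(spec):
    """Parse a colon-separated profile list and report errors the way
    gnutls_priority_set_direct() does: (profiles, None) on success, or
    (None, offset) with the offset of the first unknown token so the caller
    can point at the typo."""
    profiles, offset = [], 0
    for token in spec.split(":"):
        if token not in SRTP_PROFILES:
            return None, offset
        profiles.append(token)
        offset += len(token) + 1  # skip the token and its trailing colon
    return profiles, None


def _p_sha256(secret, seed, length):
    """P_SHA256 from RFC 5246 section 5, expanded to `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def export_keying_material(master_secret, client_random, server_random,
                           label, length, context=None):
    """RFC 5705 exporter on top of the TLS 1.2 PRF (what gnutls_prf() computes).

    With context=None the seed is just client_random + server_random. Passing
    a context, even an empty one, prepends a 2-byte length and yields different
    output; that length-prefixed buffer is what a gnutls_prf() caller has to
    build by hand for exporters that use a context."""
    seed = client_random + server_random
    if context is not None:
        if len(context) > 0xFFFF:
            raise ValueError("RFC 5705 context is limited to 65535 bytes")
        seed += len(context).to_bytes(2, "big") + context
    return _p_sha256(master_secret, label + seed, length)


def srtp_key_material(master_secret, client_random, server_random, profile):
    """Split the exported block per RFC 5764 section 4.2, in this order:
    client key, server key, client salt, server salt."""
    key_len, salt_len = SRTP_PROFILES[profile]
    block = export_keying_material(master_secret, client_random, server_random,
                                   SRTP_EXPORTER_LABEL, 2 * (key_len + salt_len))
    k2 = 2 * key_len
    return {
        "client_write_SRTP_master_key": block[0:key_len],
        "server_write_SRTP_master_key": block[key_len:k2],
        "client_write_SRTP_master_salt": block[k2:k2 + salt_len],
        "server_write_SRTP_master_salt": block[k2 + salt_len:],
    }


# Constructed sample handshake values (not from any real session).
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_CLIENT_RANDOM = b"\x11" * 32
SAMPLE_SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    spec = "SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32"
    profiles, err_pos = parse_profiles(spec)
    keys = srtp_key_material(SAMPLE_MASTER_SECRET, SAMPLE_CLIENT_RANDOM,
                             SAMPLE_SERVER_RANDOM, profiles[0])
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
```

The exporter is what the SRTP stack consumes once the DTLS handshake finishes: the four slices go straight into the SRTP session as the two master keys and two master salts. The parser returns an offset rather than raising so that a C-style `err_pos` pointer maps onto it directly.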