[PATCH 1/2] Add support for DTLS-SRTP profile negotiation (RFC 5764)
martin at martin.st
Wed Oct 31 19:10:50 CET 2012
On Wed, 31 Oct 2012, Nikos Mavrogiannopoulos wrote:
> On 10/31/2012 02:46 PM, Martin Storsjo wrote:
>> The code is heavily modelled on the server_name extension
> Thank you for the patch. After the negotiation though, how does the
> SRTP layer gets the keys? Or would a later patch make gnutls output SRTP?
The actual keys for SRTP are generated using RFC 5705, which can be
handled via gnutls_prf. (For the context parameter in RFC 5705, one has to
manually construct such a buffer to pass as the extra parameter to
gnutls_prf, but other than that, it's all there already.)
>> Open questions:
>> - Would it be necessary to add an accessor function for quering
>> the offered profiles that have been set?
>> - The profile name strings match the ones used in OpenSSL, but
>> compared with the RFC, they lack a "HMAC_" before "SHA1". Is
>> this ok?
> I don't know. How do you expect users to get those names? If they get it
> from the RFC then being identical to it would help. Otherwise you may
> just add a small section in the gnutls manual with the available options.
>> - Is it ok to have both the setter and getter functions use strings?
>> The corresponding APIs in OpenSSL set the profiles based on a string,
>> but expose the selected profile via a struct.
> see below.
>> +gnutls_srtp_get_selected_profile (gnutls_session_t session, char *profile,
>> + size_t *profile_length)
> I think it would be easier for a user of this function to have profiles
> in an enumeration and this function to return a member of this enumeration.
> That may need though a function such as
> const char* gnutls_srtp_get_profile_name(gnutls_srtp_profile_t)
> to return a printable name.
>> + * gnutls_srtp_set_profiles:
>> + * @session: is a #gnutls_session_t structure.
>> + * @profiles: is a string that contains the supported SRTP profiles,
>> + * separated by colons.
>> + *
>> + * This function is to be used by both clients and servers, to declare
>> + * what SRTP profiles they support, to negotiate with the peer.
>> + *
>> + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
>> + * otherwise a negative error code is returned.
>> + **/
>> +gnutls_srtp_set_profiles (gnutls_session_t session,
>> + const char *profiles)
> I see that here a string helps because multiple profiles can be
> specified. However an interface similar to gnutls_priority_set_direct()
> would suit better human-provided strings since it would allow pointing
> out the typo.
> gnutls_srtp_set_profiles (gnutls_session_t session,
> const char *profiles, char** err_pos)
That sounds like a good idea, I'll return with an improved patch later.
> btw. Would you be willing to transfer copyright to the FSF?
Yes, that's ok with me.
More information about the Gnutls-devel