Fix selection of protection cipher in srtp set up (#1492)

* Fix the srtp protection profile selection logic.

* Updated entry point of webrtccmdline docker image.

Author: sipsorcery

Dockerfile-webrtccmdline

@@ -10,15 +10,16 @@
 # To run a local container:
 # docker run -it --rm -p 8081:8081 -p 60042:60042/udp webrtccmdline --ws --stun stun:stun.l.google.com:19302
 
-FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
 WORKDIR /src
 COPY . .
 WORKDIR /src/examples/webrtccmdline
 RUN dotnet publish "webrtccmdline.csproj" -c Release -o /app/publish
 
-FROM mcr.microsoft.com/dotnet/runtime:8.0 AS final
+FROM mcr.microsoft.com/dotnet/runtime:10.0 AS final
 WORKDIR /app
 EXPOSE 8080-8081
 EXPOSE 60042
 COPY --from=build /app/publish .
-ENTRYPOINT ["dotnet", "webrtccmdline.dll", "--port", "60042", "--ws", "--stun", "stun:stun.l.google.com:19302"]
+#ENTRYPOINT ["dotnet", "webrtccmdline.dll", "--port", "60042", "--ws", "--stun", "stun:stun.l.google.com:19302"]
+ENTRYPOINT ["dotnet", "webrtccmdline.dll"]

src/net/DtlsSrtp/DtlsSrtpClient.cs

@@ -16,6 +16,7 @@
 using System;
 using System.Collections;
 using System.Collections.Generic;
+using System.Linq;
 using Microsoft.Extensions.Logging;
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Security;
@@ -193,16 +194,20 @@ public override void ProcessServerExtensions(IDictionary<int, byte[]> serverExte
             int chosenProfile = SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_80;
             clientSrtpData = TlsSrtpUtilities.GetUseSrtpExtension(serverExtensions);
 
-            foreach (int profile in clientSrtpData.ProtectionProfiles)
+            if (clientSrtpData?.ProtectionProfiles == null)
             {
-                switch (profile)
+                throw new TlsFatalAlert(AlertDescription.illegal_parameter);
+            }
+
+            if (!clientSrtpData.ProtectionProfiles.Contains(SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_80))
+            {
+                if (clientSrtpData.ProtectionProfiles.Contains(SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_32))
+                {
+                    chosenProfile = SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_32;
+                }
+                else
                 {
-                    case SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_32:
-                    case SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_80:
-                    case SrtpProtectionProfile.SRTP_NULL_HMAC_SHA1_32:
-                    case SrtpProtectionProfile.SRTP_NULL_HMAC_SHA1_80:
-                        chosenProfile = profile;
-                        break;
+                    throw new TlsFatalAlert(AlertDescription.illegal_parameter);
                 }
             }
 

src/net/DtlsSrtp/DtlsSrtpServer.cs

@@ -361,16 +361,20 @@ public override void ProcessClientExtensions(IDictionary<int, byte[]> clientExte
             int chosenProfile = SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_80;
             UseSrtpData clientSrtpData = TlsSrtpUtilities.GetUseSrtpExtension(clientExtensions);
 
-            foreach (int profile in clientSrtpData.ProtectionProfiles)
+            if (clientSrtpData?.ProtectionProfiles == null)
             {
-                switch (profile)
+                throw new TlsFatalAlert(AlertDescription.illegal_parameter);
+            }
+
+            if (!clientSrtpData.ProtectionProfiles.Contains(SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_80))
+            {
+                if (clientSrtpData.ProtectionProfiles.Contains(SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_32))
+                {
+                    chosenProfile = SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_32;
+                }
+                else
                 {
-                    case SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_32:
-                    case SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_80:
-                    case SrtpProtectionProfile.SRTP_NULL_HMAC_SHA1_32:
-                    case SrtpProtectionProfile.SRTP_NULL_HMAC_SHA1_80:
-                        chosenProfile = profile;
-                        break;
+                    throw new TlsFatalAlert(AlertDescription.illegal_parameter);
                 }
             }
 

src/net/DtlsSrtp/SrtpParameters.cs

@@ -32,9 +32,6 @@ public struct SrtpParameters
         // hrosa - converted lengths to work with bytes, not bits (1 byte = 8 bits)
         public static readonly SrtpParameters SRTP_AES128_CM_HMAC_SHA1_80 = new SrtpParameters(SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_80, SrtpPolicy.AESCM_ENCRYPTION, 16, SrtpPolicy.HMACSHA1_AUTHENTICATION, 20, 10, 10, 14);
         public static readonly SrtpParameters SRTP_AES128_CM_HMAC_SHA1_32 = new SrtpParameters(SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_32, SrtpPolicy.AESCM_ENCRYPTION, 16, SrtpPolicy.HMACSHA1_AUTHENTICATION, 20, 4, 10, 14);
-        public static readonly SrtpParameters SRTP_NULL_HMAC_SHA1_80 = new SrtpParameters(SrtpProtectionProfile.SRTP_NULL_HMAC_SHA1_80, SrtpPolicy.NULL_ENCRYPTION, 0, SrtpPolicy.HMACSHA1_AUTHENTICATION, 20, 10, 10, 0);
-        public static readonly SrtpParameters SRTP_NULL_HMAC_SHA1_32 = new SrtpParameters(SrtpProtectionProfile.SRTP_NULL_HMAC_SHA1_32, SrtpPolicy.NULL_ENCRYPTION, 0, SrtpPolicy.HMACSHA1_AUTHENTICATION, 20, 4, 10, 0);
-
 
         private int profile;
         private int encType;
@@ -80,10 +77,6 @@ public static SrtpParameters GetSrtpParametersForProfile(int profileValue)
                     return SRTP_AES128_CM_HMAC_SHA1_80;
                 case SrtpProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_32:
                     return SRTP_AES128_CM_HMAC_SHA1_32;
-                case SrtpProtectionProfile.SRTP_NULL_HMAC_SHA1_80:
-                    return SRTP_NULL_HMAC_SHA1_80;
-                case SrtpProtectionProfile.SRTP_NULL_HMAC_SHA1_32:
-                    return SRTP_NULL_HMAC_SHA1_32;
                 default:
                     throw new Exception($"SRTP Protection Profile value {profileValue} is not allowed for DTLS SRTP. See http://tools.ietf.org/html/rfc5764#section-4.1.2 for valid values.");
             }