tls: set selfsigned Elliptic Curve (EC) function

[cHuberCoffee]

A new function to generate a self signed cert using elliptic curve cryptographic primitives.
The used elliptic curve is hardcoded with NID_secp521r1.
One can use this function in the barsip dtls_srtp module.

[sreimers]

This return assignment looks a bit strange should it return err;?

[cHuberCoffee]

yes u are right. should be a normal return err;

[alfredh]

is this change done on purpose ?

[cHuberCoffee]

not on purpose for this PR.
but on purpose in general. Since the SHA1 algo. is broken. This effects the cert. signatures with SHA1 as well. Using SHA2 alogs. is a small but effective change.

[alfredh]

I agree to the change, but I think it should be a separate PR.
also very important to test that it works.

[alfredh]

have you done any interop testing with WebRTC browsers ?
(i.e. using DTLS-SRTP with EC certificate).

[cHuberCoffee]

I'm working on a setup baresip-asterisk-sipML5 to test the dtls-srtp with the EC certificates.
It's a good idea in general to work through such a testsetup, to get a deeper understanding of the underlying structures.

I will give you more information of my results asap.

[cHuberCoffee]

The setup is now baresip<->asterisk<->sipML5. The communication happens between these points. The key exchange via DTLSv1.2 is working with the cert. signed via ECDSA-SHA256 version. The media stream is established and audio data is transmitted.

[alfredh]

did you try to call in both directions ? the DTLS server is normally the caller.

also please test with Chrome and Firefox.

[alfredh]

I have tested this patch with Chrome and CtxSip. The calling direction is from baresip to CtxSip.

The DTLS handshake fails:

dtls_srtp: incoming DTLS connect from 10.0.1.10:51789 
tls: 140736434426816:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2284:
dtls: accept error: 1
dtls_srtp: dtls_accept failed (Protocol error)

[alfredh]

at Wire I implemented this function to generate ECDSA cert:

https://github.com/wireapp/wire-audio-video-signaling/blob/master/src/cert/cert.c#L37

perhaps this missing part will make it work:

	EC_KEY_set_asn1_flag(ec_key, OPENSSL_EC_NAMED_CURVE);

[cHuberCoffee]

The test-setup is running with the original RSA method. I tested RSA and EC signed certificates against CtxSip with Firefox and Chrome. Both (RSA and EC) worked for both browsers. Call direction was barsip->CtxSip.

[alfredh]

I tested the original code (no patches) between Safari and baresip-webrtc:

dtls_srtp: media=audio -- start DTLS client
dtls_srtp: component start: RTP [raddr=192.168.88.36:53019]
dtls_srtp: 'audio,RTP' dtls connect to 192.168.88.36:53019
    >> dtls cipher: ECDHE-ECDSA-CHACHA20-POLY1305
dtls_srtp: verified sha-256 fingerprint OK
dtls_srtp: ---> DTLS-SRTP complete (video/RTP) Profile=AES_CM_128_HMAC_SHA1_80
rtcsession: mediaenc event 'Secure' (video,RTP)

please note that in most cases, the DTLS Server is normally the same as the caller.

the negotiated cipher depends heavily on the calling direction.

try to add this in your code:

	info("    >> dtls cipher: %s\n", tls_cipher_name(comp->tls_conn));

and try to call in both directions, and then check if the cipher is different.

[alfredh]

additional test with ctxSip, calling both directions:

chrome -> baresip:
.... dtls cipher: ECDHE-ECDSA-CHACHA20-POLY1305

baresip -> chrome:
.... dtls cipher: ECDHE-RSA-AES128-GCM-SHA256

[alfredh]

with your patch and _ec function used in baresip dtls_srtp module, DTLS handshake fails:

dtls_srtp: incoming DTLS connect from 10.0.1.10:55045
tls: 140736434426816:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2284:
dtls: accept error: 1
dtls_srtp: dtls_accept failed (Protocol error)
stream: update 'audio'
stream: audio: starting mediaenc 'dtls_srtp' (wait_secure=1)
sip:[email protected]: session closed: Connection reset by peer
sip:[email protected]: Call with sip:[email protected] terminated (duration: 9 secs)

--- System info: ---
 Machine:  x86_64/darwin
 Version:  1.0.0 (libre v1.1.0)
 Build:    64-bit little endian
 Kernel:   Darwin Johns-MacBook-Pro.local 16.7.0 Darwin Kernel Version 16.7.0: Wed Apr 24 20:50:53 PDT 2019; root:xnu-3789.73.49~1/RELEASE_X86_64 x86_64
 Uptime:   1 min 48 secs
 Started:  Wed Oct 21 17:38:21 2020
 Compiler: 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)
 OpenSSL:  OpenSSL 1.1.1h  22 Sep 2020

calling direction is from baresip to chrome/ctxsip.

[alfredh]

perhaps the curve name can be added as a function argument.
then the application can choose which one to use.

[alfredh]

perhaps this curve will make it work: "prime256v1"

[alfredh]

please have a look at this specification:

https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-20#section-6.5

   All Implementations MUST support DTLS 1.2 with the
   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256
   curve [FIPS186]. 

if I change the curve name in your patch to use "prime256v1", it works fine.

suggest using this curve or make it configurable via argument string.

[alfredh]

this looks good.

a small ccheck warning must be fixed before merging:

./include/re_tls.h:39: has trailing space(s)

[sreimers]

@cHuberCoffee please prevent force-push, its easier to review normal commits and the changes. for cleanup we can squash the pull request afterwards (if necessary).

[alfredh]

looks good now.

ready to merge to master, I would say ..