From 63d4bbeb9093375004b5a045899a57ce412a4188 Mon Sep 17 00:00:00 2001
From: Bohdan Shubenok <bohdan.shubenok@sigma.software>
Date: Tue, 15 Aug 2023 14:55:41 +0300
Subject: [PATCH 1/3] Add necessary bits for DTLS-SRTP

---
 mbedtls-sys-espidf/src/lib.rs     |  1 -
 mbedtls/src/ssl/context/asynch.rs | 34 +++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/mbedtls-sys-espidf/src/lib.rs b/mbedtls-sys-espidf/src/lib.rs
index b6b59b66e..c28c571a9 100644
--- a/mbedtls-sys-espidf/src/lib.rs
+++ b/mbedtls-sys-espidf/src/lib.rs
@@ -1,6 +1,5 @@
 #![cfg_attr(not(feature = "std"), no_std)]
 
-#[macro_use]
 extern crate cfg_if;
 
 pub mod types;
diff --git a/mbedtls/src/ssl/context/asynch.rs b/mbedtls/src/ssl/context/asynch.rs
index 673e11eef..c79152d1e 100644
--- a/mbedtls/src/ssl/context/asynch.rs
+++ b/mbedtls/src/ssl/context/asynch.rs
@@ -13,6 +13,20 @@ define!(
 
 unsafe impl<'a> Sync for Config<'a> {}
 
+const MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80: u16 = 0x0001;
+const MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32: u16 = 0x0002;
+const MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80: u16 = 0x0005;
+const MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32: u16 = 0x0006;
+const MBEDTLS_TLS_SRTP_UNSET: u16 = 0x0000;
+
+const DEFAULT_SRTP_PROFILES: [ssl_srtp_profile; 5] = [
+    MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80,
+    MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32,
+    MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80,
+    MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32,
+    MBEDTLS_TLS_SRTP_UNSET,
+];
+
 impl<'a> Config<'a> {
     pub fn new(e: Endpoint, t: Transport, p: Preset) -> Self {
         let mut config = Self::init();
@@ -35,6 +49,14 @@ impl<'a> Config<'a> {
         }
     }
 
+    /// Required for SRTP negotiation
+    pub fn set_default_srtp_profiles(&mut self) -> Result<()> {
+        unsafe {
+            ssl_conf_dtls_srtp_protection_profiles(self.into(), DEFAULT_SRTP_PROFILES.as_ptr())
+                .into_result_discard()
+        }
+    }
+
     setter!(set_authmode(am: AuthMode) = ssl_conf_authmode);
 }
 
@@ -67,6 +89,10 @@ impl<'a> Context<'a> {
         unsafe { ssl_close_notify(self.handle_mut()) }.into_result()
     }
 
+    pub fn handshake(&mut self) -> Result<c_int> {
+        unsafe { ssl_handshake(self.handle_mut()) }.into_result()
+    }
+
     /// # Safety
     /// TODO
     pub unsafe fn set_bio(
@@ -89,6 +115,14 @@ impl<'a> Context<'a> {
     ) {
         ssl_set_timer_cb(self.handle_mut(), timer, set, get)
     }
+
+    pub unsafe fn set_key_export_cb(&mut self, cb: ssl_export_keys_t, keys: *mut c_void) {
+        ssl_set_export_keys_cb(self.handle_mut(), cb, keys)
+    }
+
+    pub unsafe fn get_dtls_srtp_negotiation_result(&self, info: *mut dtls_srtp_info) {
+        ssl_get_dtls_srtp_negotiation_result(self.handle(), info)
+    }
 }
 
 impl embedded_io::Error for Error {

From 98546ffe0d473ccbed196880905dd1ed6c16a512 Mon Sep 17 00:00:00 2001
From: Bohdan Shubenok <bohdan.shubenok@sigma.software>
Date: Tue, 12 Sep 2023 18:16:57 +0300
Subject: [PATCH 2/3] Add method for changing advertised ciphersuites

---
 mbedtls/src/ssl/context/asynch.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/mbedtls/src/ssl/context/asynch.rs b/mbedtls/src/ssl/context/asynch.rs
index c79152d1e..a9a891c62 100644
--- a/mbedtls/src/ssl/context/asynch.rs
+++ b/mbedtls/src/ssl/context/asynch.rs
@@ -57,6 +57,11 @@ impl<'a> Config<'a> {
         }
     }
 
+    pub fn set_ciphersuites(&mut self, ciphersuites: &[i32]) -> Result<()> {
+        unsafe { ssl_conf_ciphersuites(self.into(), ciphersuites.as_ptr()) }
+        Ok(())
+    }
+
     setter!(set_authmode(am: AuthMode) = ssl_conf_authmode);
 }
 

From 6f9142d375108b78635a67171926f4a13b0080e3 Mon Sep 17 00:00:00 2001
From: Bohdan Shubenok <bohdan.shubenok@sigma.software>
Date: Thu, 14 Sep 2023 15:33:05 +0300
Subject: [PATCH 3/3] Switch `Context` and `Config` to using Arc instead of
 references

---
 mbedtls/src/ssl/context/asynch.rs | 58 ++++++++++++++++++++-----------
 1 file changed, 38 insertions(+), 20 deletions(-)

diff --git a/mbedtls/src/ssl/context/asynch.rs b/mbedtls/src/ssl/context/asynch.rs
index a9a891c62..b58de2f1c 100644
--- a/mbedtls/src/ssl/context/asynch.rs
+++ b/mbedtls/src/ssl/context/asynch.rs
@@ -1,17 +1,20 @@
 use crate::rng::{EspRandom, RngCallback};
 use crate::ssl::{config::*, context::*};
+use std::sync::Arc;
 
 define!(
     #[c_ty(ssl_config)]
-    #[repr(transparent)]
-    struct Config<'a>;
-    const init: fn() -> Self = ssl_config_init;
+    #[repr(C)]
+    struct Config {
+        own_cert: Vec<Arc<Certificate>>,
+        own_pk: Vec<Arc<Pk>>,
+    };
     const drop: fn(&mut Self) = ssl_config_free;
     impl<'b> Into<ptr> {}
     impl<'b> UnsafeFrom<ptr> {}
 );
 
-unsafe impl<'a> Sync for Config<'a> {}
+unsafe impl Sync for Config {}
 
 const MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80: u16 = 0x0001;
 const MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32: u16 = 0x0002;
@@ -27,26 +30,35 @@ const DEFAULT_SRTP_PROFILES: [ssl_srtp_profile; 5] = [
     MBEDTLS_TLS_SRTP_UNSET,
 ];
 
-impl<'a> Config<'a> {
+impl Config {
     pub fn new(e: Endpoint, t: Transport, p: Preset) -> Self {
-        let mut config = Self::init();
-        let conf = config.handle_mut();
+        let mut inner = ssl_config::default();
         unsafe {
-            ssl_config_defaults(conf, e as c_int, t as c_int, p as c_int);
-            ssl_conf_rng(conf, Some(EspRandom::call), EspRandom.data_ptr());
+            ssl_config_init(&mut inner);
+            ssl_config_defaults(&mut inner, e as c_int, t as c_int, p as c_int);
+            ssl_conf_rng(&mut inner, Some(EspRandom::call), EspRandom.data_ptr());
         };
-        config
+
+        Self {
+            inner,
+            own_cert: vec![],
+            own_pk: vec![],
+        }
     }
 
-    pub fn push_cert(&mut self, own_cert: &'a Certificate, own_pk: &'a Pk) -> Result<()> {
+    pub fn push_cert(&mut self, own_cert: &Arc<Certificate>, own_pk: &Arc<Pk>) -> Result<()> {
         unsafe {
             ssl_conf_own_cert(
                 self.into(),
                 own_cert.inner_ffi_mut(),
                 own_pk.inner_ffi_mut(),
             )
-            .into_result_discard()
+            .into_result_discard()?;
         }
+        self.own_cert.push(Arc::clone(own_cert));
+        self.own_pk.push(Arc::clone(own_pk));
+
+        Ok(())
     }
 
     /// Required for SRTP negotiation
@@ -67,19 +79,25 @@ impl<'a> Config<'a> {
 
 define!(
     #[c_ty(ssl_context)]
-    #[repr(transparent)]
-    struct Context<'a>;
-    const init: fn() -> Self = ssl_init;
+    #[repr(C)]
+    struct Context {
+        config: Arc<Config>,
+    };
     const drop: fn(&mut Self) = ssl_free;
     impl<'b> Into<ptr> {}
     impl<'b> UnsafeFrom<ptr> {}
 );
 
-impl<'a> Context<'a> {
-    pub fn new(config: &'a Config<'a>) -> Result<Self> {
-        let mut context = Self::init();
-        unsafe { ssl_setup(context.handle_mut(), config.handle()) }.into_result()?;
-        Ok(context)
+impl Context {
+    pub fn new(config: &Arc<Config>) -> Result<Self> {
+        let mut inner = ssl_context::default();
+        let config = Arc::clone(&config);
+        unsafe {
+            ssl_init(&mut inner);
+            ssl_setup(&mut inner, (&*config).into()).into_result()?;
+        };
+
+        Ok(Self { inner, config })
     }
 
     pub fn read(&mut self, buf: &mut [u8]) -> Result<c_int> {