summaryrefslogtreecommitdiff
path: root/src/lib/libssl/d1_srtp.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/d1_srtp.c')
-rw-r--r--src/lib/libssl/d1_srtp.c497
1 files changed, 237 insertions, 260 deletions
diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c
index ab9c41922c..fadd9f381f 100644
--- a/src/lib/libssl/d1_srtp.c
+++ b/src/lib/libssl/d1_srtp.c
@@ -124,371 +124,348 @@
124#include "srtp.h" 124#include "srtp.h"
125 125
126 126
127static SRTP_PROTECTION_PROFILE srtp_known_profiles[]= 127static SRTP_PROTECTION_PROFILE srtp_known_profiles[]= {
128 { 128 {
129 { 129 "SRTP_AES128_CM_SHA1_80",
130 "SRTP_AES128_CM_SHA1_80", 130 SRTP_AES128_CM_SHA1_80,
131 SRTP_AES128_CM_SHA1_80, 131 },
132 }, 132 {
133 { 133 "SRTP_AES128_CM_SHA1_32",
134 "SRTP_AES128_CM_SHA1_32", 134 SRTP_AES128_CM_SHA1_32,
135 SRTP_AES128_CM_SHA1_32, 135 },
136 },
137#if 0 136#if 0
138 { 137 {
139 "SRTP_NULL_SHA1_80", 138 "SRTP_NULL_SHA1_80",
140 SRTP_NULL_SHA1_80, 139 SRTP_NULL_SHA1_80,
141 }, 140 },
142 { 141 {
143 "SRTP_NULL_SHA1_32", 142 "SRTP_NULL_SHA1_32",
144 SRTP_NULL_SHA1_32, 143 SRTP_NULL_SHA1_32,
145 }, 144 },
146#endif 145#endif
147 {0} 146 {0}
148 }; 147};
149 148
150static int find_profile_by_name(char *profile_name, 149static int
151 SRTP_PROTECTION_PROFILE **pptr,unsigned len) 150find_profile_by_name(char *profile_name, SRTP_PROTECTION_PROFILE **pptr,
152 { 151 unsigned len)
152{
153 SRTP_PROTECTION_PROFILE *p; 153 SRTP_PROTECTION_PROFILE *p;
154 154
155 p=srtp_known_profiles; 155 p = srtp_known_profiles;
156 while(p->name) 156 while (p->name) {
157 { 157 if ((len == strlen(p->name)) &&
158 if((len == strlen(p->name)) && !strncmp(p->name,profile_name, 158 !strncmp(p->name, profile_name, len)) {
159 len)) 159 *pptr = p;
160 {
161 *pptr=p;
162 return 0; 160 return 0;
163 } 161 }
164 162
165 p++; 163 p++;
166 } 164 }
167 165
168 return 1; 166 return 1;
169 } 167}
170 168
171static int find_profile_by_num(unsigned profile_num, 169static int
172 SRTP_PROTECTION_PROFILE **pptr) 170find_profile_by_num(unsigned profile_num, SRTP_PROTECTION_PROFILE **pptr)
173 { 171{
174 SRTP_PROTECTION_PROFILE *p; 172 SRTP_PROTECTION_PROFILE *p;
175 173
176 p=srtp_known_profiles; 174 p = srtp_known_profiles;
177 while(p->name) 175 while (p->name) {
178 { 176 if (p->id == profile_num) {
179 if(p->id == profile_num) 177 *pptr = p;
180 {
181 *pptr=p;
182 return 0; 178 return 0;
183 }
184 p++;
185 } 179 }
180 p++;
181 }
186 182
187 return 1; 183 return 1;
188 } 184}
189 185
190static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out) 186static int
191 { 187ssl_ctx_make_profiles(const char *profiles_string,
188 STACK_OF(SRTP_PROTECTION_PROFILE) **out)
189{
192 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles; 190 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
193 191
194 char *col; 192 char *col;
195 char *ptr=(char *)profiles_string; 193 char *ptr = (char *)profiles_string;
196 194
197 SRTP_PROTECTION_PROFILE *p; 195 SRTP_PROTECTION_PROFILE *p;
198 196
199 if(!(profiles=sk_SRTP_PROTECTION_PROFILE_new_null())) 197 if (!(profiles = sk_SRTP_PROTECTION_PROFILE_new_null())) {
200 {
201 SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES, SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES); 198 SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES, SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES);
202 return 1; 199 return 1;
203 } 200 }
204
205 do
206 {
207 col=strchr(ptr,':');
208
209 if(!find_profile_by_name(ptr,&p,
210 col ? col-ptr : (int)strlen(ptr)))
211 {
212 sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
213 }
214 else
215 {
216 SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
217 return 1;
218 }
219 201
220 if(col) ptr=col+1; 202 do {
221 } while (col); 203 col = strchr(ptr, ':');
222 204
223 *out=profiles; 205 if (!find_profile_by_name(ptr, &p,
224 206 col ? col - ptr : (int)strlen(ptr))) {
225 return 0; 207 sk_SRTP_PROTECTION_PROFILE_push(profiles, p);
226 } 208 } else {
227 209 SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES, SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
228int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx,const char *profiles) 210 return 1;
229 { 211 }
230 return ssl_ctx_make_profiles(profiles,&ctx->srtp_profiles);
231 }
232 212
233int SSL_set_tlsext_use_srtp(SSL *s,const char *profiles) 213 if (col)
234 { 214 ptr = col + 1;
235 return ssl_ctx_make_profiles(profiles,&s->srtp_profiles); 215 } while (col);
236 }
237 216
217 *out = profiles;
238 218
239STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *s) 219 return 0;
240 { 220}
241 if(s != NULL) 221
242 { 222int
243 if(s->srtp_profiles != NULL) 223SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles)
244 { 224{
225 return ssl_ctx_make_profiles(profiles, &ctx->srtp_profiles);
226}
227
228int
229SSL_set_tlsext_use_srtp(SSL *s, const char *profiles)
230{
231 return ssl_ctx_make_profiles(profiles, &s->srtp_profiles);
232}
233
234
235STACK_OF(SRTP_PROTECTION_PROFILE)
236*SSL_get_srtp_profiles(SSL *s)
237{
238 if (s != NULL) {
239 if (s->srtp_profiles != NULL) {
245 return s->srtp_profiles; 240 return s->srtp_profiles;
246 } 241 } else if ((s->ctx != NULL) &&
247 else if((s->ctx != NULL) && 242 (s->ctx->srtp_profiles != NULL)) {
248 (s->ctx->srtp_profiles != NULL))
249 {
250 return s->ctx->srtp_profiles; 243 return s->ctx->srtp_profiles;
251 }
252 } 244 }
245 }
253 246
254 return NULL; 247 return NULL;
255 } 248}
256 249
257SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s) 250SRTP_PROTECTION_PROFILE
258 { 251*SSL_get_selected_srtp_profile(SSL *s)
252{
259 return s->srtp_profile; 253 return s->srtp_profile;
260 } 254}
261 255
262/* Note: this function returns 0 length if there are no 256/* Note: this function returns 0 length if there are no
263 profiles specified */ 257 profiles specified */
264int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen) 258int
265 { 259ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
266 int ct=0; 260{
261 int ct = 0;
267 int i; 262 int i;
268 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0; 263 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = 0;
269 SRTP_PROTECTION_PROFILE *prof; 264 SRTP_PROTECTION_PROFILE *prof;
270
271 clnt=SSL_get_srtp_profiles(s);
272 ct=sk_SRTP_PROTECTION_PROFILE_num(clnt); /* -1 if clnt == 0 */
273
274 if(p)
275 {
276 if(ct==0)
277 {
278 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
279 return 1;
280 }
281 265
282 if((2 + ct*2 + 1) > maxlen) 266 clnt = SSL_get_srtp_profiles(s);
283 { 267
284 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG); 268 ct = sk_SRTP_PROTECTION_PROFILE_num(clnt); /* -1 if clnt == 0 */
269
270 if (p) {
271 if (ct == 0) {
272 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
285 return 1; 273 return 1;
286 } 274 }
287 275
288 /* Add the length */ 276 if ((2 + ct * 2 + 1) > maxlen) {
289 s2n(ct * 2, p); 277 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT, SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
290 for(i=0;i<ct;i++) 278 return 1;
291 { 279 }
292 prof=sk_SRTP_PROTECTION_PROFILE_value(clnt,i);
293 s2n(prof->id,p);
294 }
295 280
296 /* Add an empty use_mki value */ 281 /* Add the length */
297 *p++ = 0; 282 s2n(ct * 2, p);
283 for (i = 0; i < ct; i++) {
284 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
285 s2n(prof->id, p);
298 } 286 }
299 287
300 *len=2 + ct*2 + 1; 288 /* Add an empty use_mki value */
301 289 *p++ = 0;
302 return 0;
303 } 290 }
304 291
292 *len = 2 + ct*2 + 1;
305 293
306int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al) 294 return 0;
307 { 295}
308 SRTP_PROTECTION_PROFILE *cprof,*sprof; 296
309 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr; 297
310 int ct; 298int
311 int mki_len; 299ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len, int *al)
312 int i,j; 300{
301 SRTP_PROTECTION_PROFILE *cprof, *sprof;
302 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = 0, *srvr;
303 int ct;
304 int mki_len;
305 int i, j;
313 int id; 306 int id;
314 int ret; 307 int ret;
315 308
316 /* Length value + the MKI length */ 309 /* Length value + the MKI length */
317 if(len < 3) 310 if (len < 3) {
318 { 311 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
319 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 312 *al = SSL_AD_DECODE_ERROR;
320 *al=SSL_AD_DECODE_ERROR;
321 return 1; 313 return 1;
322 } 314 }
323 315
324 /* Pull off the length of the cipher suite list */ 316 /* Pull off the length of the cipher suite list */
325 n2s(d, ct); 317 n2s(d, ct);
326 len -= 2; 318 len -= 2;
327 319
328 /* Check that it is even */ 320 /* Check that it is even */
329 if(ct%2) 321 if (ct % 2) {
330 { 322 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
331 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 323 *al = SSL_AD_DECODE_ERROR;
332 *al=SSL_AD_DECODE_ERROR;
333 return 1; 324 return 1;
334 } 325 }
335 326
336 /* Check that lengths are consistent */ 327 /* Check that lengths are consistent */
337 if(len < (ct + 1)) 328 if (len < (ct + 1)) {
338 { 329 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
339 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 330 *al = SSL_AD_DECODE_ERROR;
340 *al=SSL_AD_DECODE_ERROR;
341 return 1; 331 return 1;
342 } 332 }
343 333
344
345 clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
346 334
347 while(ct) 335 clnt = sk_SRTP_PROTECTION_PROFILE_new_null();
348 {
349 n2s(d,id);
350 ct-=2;
351 len-=2;
352 336
353 if(!find_profile_by_num(id,&cprof)) 337 while (ct) {
354 { 338 n2s(d, id);
355 sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof); 339 ct -= 2;
356 } 340 len -= 2;
357 else 341
358 { 342 if (!find_profile_by_num(id, &cprof)) {
343 sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof);
344 } else {
359 ; /* Ignore */ 345 ; /* Ignore */
360 }
361 } 346 }
347 }
362 348
363 /* Now extract the MKI value as a sanity check, but discard it for now */ 349 /* Now extract the MKI value as a sanity check, but discard it for now */
364 mki_len = *d; 350 mki_len = *d;
365 d++; len--; 351 d++;
352 len--;
366 353
367 if (mki_len != len) 354 if (mki_len != len) {
368 { 355 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_MKI_VALUE);
369 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_MKI_VALUE); 356 *al = SSL_AD_DECODE_ERROR;
370 *al=SSL_AD_DECODE_ERROR;
371 return 1; 357 return 1;
372 } 358 }
373 359
374 srvr=SSL_get_srtp_profiles(s); 360 srvr = SSL_get_srtp_profiles(s);
375 361
376 /* Pick our most preferred profile. If no profiles have been 362 /* Pick our most preferred profile. If no profiles have been
377 configured then the outer loop doesn't run 363 configured then the outer loop doesn't run
378 (sk_SRTP_PROTECTION_PROFILE_num() = -1) 364 (sk_SRTP_PROTECTION_PROFILE_num() = -1)
379 and so we just return without doing anything */ 365 and so we just return without doing anything */
380 for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++) 366 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) {
381 { 367 sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
382 sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i); 368
383 369 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) {
384 for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++) 370 cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j);
385 { 371
386 cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j); 372 if (cprof->id == sprof->id) {
387 373 s->srtp_profile = sprof;
388 if(cprof->id==sprof->id) 374 *al = 0;
389 { 375 ret = 0;
390 s->srtp_profile=sprof;
391 *al=0;
392 ret=0;
393 goto done; 376 goto done;
394 }
395 } 377 }
396 } 378 }
379 }
380
381 ret = 0;
397 382
398 ret=0;
399
400done: 383done:
401 if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt); 384 if (clnt)
385 sk_SRTP_PROTECTION_PROFILE_free(clnt);
402 386
403 return ret; 387 return ret;
404 } 388}
405 389
406int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen) 390int
407 { 391ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
408 if(p) 392{
409 { 393 if (p) {
410 if(maxlen < 5) 394 if (maxlen < 5) {
411 { 395 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT, SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
412 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
413 return 1; 396 return 1;
414 } 397 }
415 398
416 if(s->srtp_profile==0) 399 if (s->srtp_profile == 0) {
417 { 400 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT, SSL_R_USE_SRTP_NOT_NEGOTIATED);
418 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,SSL_R_USE_SRTP_NOT_NEGOTIATED);
419 return 1; 401 return 1;
420 }
421 s2n(2, p);
422 s2n(s->srtp_profile->id,p);
423 *p++ = 0;
424 } 402 }
425 *len=5; 403 s2n(2, p);
426 404 s2n(s->srtp_profile->id, p);
427 return 0; 405 *p++ = 0;
428 } 406 }
429 407 *len = 5;
430 408
431int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al) 409 return 0;
432 { 410}
411
412
413int
414ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len, int *al)
415{
433 unsigned id; 416 unsigned id;
434 int i; 417 int i;
435 int ct; 418 int ct;
436 419
437 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 420 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
438 SRTP_PROTECTION_PROFILE *prof; 421 SRTP_PROTECTION_PROFILE *prof;
439 422
440 if(len!=5) 423 if (len != 5) {
441 { 424 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
442 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 425 *al = SSL_AD_DECODE_ERROR;
443 *al=SSL_AD_DECODE_ERROR;
444 return 1; 426 return 1;
445 } 427 }
446 428
447 n2s(d, ct); 429 n2s(d, ct);
448 if(ct!=2) 430 if (ct != 2) {
449 { 431 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
450 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 432 *al = SSL_AD_DECODE_ERROR;
451 *al=SSL_AD_DECODE_ERROR;
452 return 1; 433 return 1;
453 } 434 }
454 435
455 n2s(d,id); 436 n2s(d, id);
456 if (*d) /* Must be no MKI, since we never offer one */ 437 if (*d) /* Must be no MKI, since we never offer one */
457 { 438 {
458 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_MKI_VALUE); 439 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_MKI_VALUE);
459 *al=SSL_AD_ILLEGAL_PARAMETER; 440 *al = SSL_AD_ILLEGAL_PARAMETER;
460 return 1; 441 return 1;
461 } 442 }
462 443
463 clnt=SSL_get_srtp_profiles(s); 444 clnt = SSL_get_srtp_profiles(s);
464 445
465 /* Throw an error if the server gave us an unsolicited extension */ 446 /* Throw an error if the server gave us an unsolicited extension */
466 if (clnt == NULL) 447 if (clnt == NULL) {
467 { 448 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, SSL_R_NO_SRTP_PROFILES);
468 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_NO_SRTP_PROFILES); 449 *al = SSL_AD_DECODE_ERROR;
469 *al=SSL_AD_DECODE_ERROR;
470 return 1; 450 return 1;
471 } 451 }
472 452
473 /* Check to see if the server gave us something we support 453 /* Check to see if the server gave us something we support
474 (and presumably offered) 454 (and presumably offered)
475 */ 455 */
476 for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(clnt);i++) 456 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
477 { 457 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
478 prof=sk_SRTP_PROTECTION_PROFILE_value(clnt,i); 458
479 459 if (prof->id == id) {
480 if(prof->id == id) 460 s->srtp_profile = prof;
481 { 461 *al = 0;
482 s->srtp_profile=prof;
483 *al=0;
484 return 0; 462 return 0;
485 }
486 } 463 }
487
488 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
489 *al=SSL_AD_DECODE_ERROR;
490 return 1;
491 } 464 }
492 465
466 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
467 *al = SSL_AD_DECODE_ERROR;
468 return 1;
469}
493 470
494#endif 471#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-17 10:44:44 +0000