d1_srtp.c@ 69890

Last change on this file since 69890 was 69890, checked in by vboxsync, 7 years ago
Added OpenSSL 1.1.0g with unneeded files removed, otherwise unmodified. bugref:8070: src/libs maintenance
Property svn:eol-style set to `native`
File size: 8.6 KB

Line
1	/*
2	* Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the OpenSSL license (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	/*
11	* DTLS code by Eric Rescorla <[email protected]>
12	*
13	* Copyright (C) 2006, Network Resonance, Inc. Copyright (C) 2011, RTFM, Inc.
14	*/
15
16	#include <stdio.h>
17	#include <openssl/objects.h>
18	#include "ssl_locl.h"
19
20	#ifndef OPENSSL_NO_SRTP
21
22	static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = {
23	{
24	"SRTP_AES128_CM_SHA1_80",
25	SRTP_AES128_CM_SHA1_80,
26	},
27	{
28	"SRTP_AES128_CM_SHA1_32",
29	SRTP_AES128_CM_SHA1_32,
30	},
31	{
32	"SRTP_AEAD_AES_128_GCM",
33	SRTP_AEAD_AES_128_GCM,
34	},
35	{
36	"SRTP_AEAD_AES_256_GCM",
37	SRTP_AEAD_AES_256_GCM,
38	},
39	{0}
40	};
41
42	static int find_profile_by_name(char *profile_name,
43	SRTP_PROTECTION_PROFILE **pptr, unsigned len)
44	{
45	SRTP_PROTECTION_PROFILE *p;
46
47	p = srtp_known_profiles;
48	while (p->name) {
49	if ((len == strlen(p->name))
50	&& strncmp(p->name, profile_name, len) == 0) {
51	*pptr = p;
52	return 0;
53	}
54
55	p++;
56	}
57
58	return 1;
59	}
60
61	static int ssl_ctx_make_profiles(const char *profiles_string,
62	STACK_OF(SRTP_PROTECTION_PROFILE) **out)
63	{
64	STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
65
66	char *col;
67	char ptr = (char )profiles_string;
68	SRTP_PROTECTION_PROFILE *p;
69
70	if ((profiles = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) {
71	SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,
72	SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES);
73	return 1;
74	}
75
76	do {
77	col = strchr(ptr, ':');
78
79	if (!find_profile_by_name(ptr, &p, col ? col - ptr : (int)strlen(ptr))) {
80	if (sk_SRTP_PROTECTION_PROFILE_find(profiles, p) >= 0) {
81	SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,
82	SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
83	goto err;
84	}
85
86	if (!sk_SRTP_PROTECTION_PROFILE_push(profiles, p)) {
87	SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,
88	SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES);
89	goto err;
90	}
91	} else {
92	SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,
93	SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
94	goto err;
95	}
96
97	if (col)
98	ptr = col + 1;
99	} while (col);
100
101	sk_SRTP_PROTECTION_PROFILE_free(*out);
102
103	*out = profiles;
104
105	return 0;
106	err:
107	sk_SRTP_PROTECTION_PROFILE_free(profiles);
108	return 1;
109	}
110
111	int SSL_CTX_set_tlsext_use_srtp(SSL_CTX ctx, const char profiles)
112	{
113	return ssl_ctx_make_profiles(profiles, &ctx->srtp_profiles);
114	}
115
116	int SSL_set_tlsext_use_srtp(SSL s, const char profiles)
117	{
118	return ssl_ctx_make_profiles(profiles, &s->srtp_profiles);
119	}
120
121	STACK_OF(SRTP_PROTECTION_PROFILE) SSL_get_srtp_profiles(SSL s)
122	{
123	if (s != NULL) {
124	if (s->srtp_profiles != NULL) {
125	return s->srtp_profiles;
126	} else if ((s->ctx != NULL) && (s->ctx->srtp_profiles != NULL)) {
127	return s->ctx->srtp_profiles;
128	}
129	}
130
131	return NULL;
132	}
133
134	SRTP_PROTECTION_PROFILE SSL_get_selected_srtp_profile(SSL s)
135	{
136	return s->srtp_profile;
137	}
138
139	/*
140	* Note: this function returns 0 length if there are no profiles specified
141	*/
142	int ssl_add_clienthello_use_srtp_ext(SSL s, unsigned char p, int *len,
143	int maxlen)
144	{
145	int ct = 0;
146	int i;
147	STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = 0;
148	SRTP_PROTECTION_PROFILE *prof;
149
150	clnt = SSL_get_srtp_profiles(s);
151	ct = sk_SRTP_PROTECTION_PROFILE_num(clnt); /* -1 if clnt == 0 */
152
153	if (p) {
154	if (ct == 0) {
155	SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,
156	SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
157	return 1;
158	}
159
160	if ((2 + ct * 2 + 1) > maxlen) {
161	SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,
162	SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
163	return 1;
164	}
165
166	/* Add the length */
167	s2n(ct * 2, p);
168	for (i = 0; i < ct; i++) {
169	prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
170	s2n(prof->id, p);
171	}
172
173	/* Add an empty use_mki value */
174	*p++ = 0;
175	}
176
177	len = 2 + ct 2 + 1;
178
179	return 0;
180	}
181
182	int ssl_parse_clienthello_use_srtp_ext(SSL s, PACKET pkt, int *al)
183	{
184	SRTP_PROTECTION_PROFILE *sprof;
185	STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
186	unsigned int ct, mki_len, id;
187	int i, srtp_pref;
188	PACKET subpkt;
189
190	/* Pull off the length of the cipher suite list and check it is even */
191	if (!PACKET_get_net_2(pkt, &ct)
192	\|\| (ct & 1) != 0 \|\| !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
193	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
194	SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
195	*al = SSL_AD_DECODE_ERROR;
196	return 1;
197	}
198
199	srvr = SSL_get_srtp_profiles(s);
200	s->srtp_profile = NULL;
201	/* Search all profiles for a match initially */
202	srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
203
204	while (PACKET_remaining(&subpkt)) {
205	if (!PACKET_get_net_2(&subpkt, &id)) {
206	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
207	SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
208	*al = SSL_AD_DECODE_ERROR;
209	return 1;
210	}
211
212	/*
213	* Only look for match in profiles of higher preference than
214	* current match.
215	* If no profiles have been have been configured then this
216	* does nothing.
217	*/
218	for (i = 0; i < srtp_pref; i++) {
219	sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
220	if (sprof->id == id) {
221	s->srtp_profile = sprof;
222	srtp_pref = i;
223	break;
224	}
225	}
226	}
227
228	/*
229	* Now extract the MKI value as a sanity check, but discard it for now
230	*/
231	if (!PACKET_get_1(pkt, &mki_len)) {
232	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
233	SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
234	*al = SSL_AD_DECODE_ERROR;
235	return 1;
236	}
237
238	if (!PACKET_forward(pkt, mki_len)
239	\|\| PACKET_remaining(pkt)) {
240	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
241	SSL_R_BAD_SRTP_MKI_VALUE);
242	*al = SSL_AD_DECODE_ERROR;
243	return 1;
244	}
245
246	return 0;
247	}
248
249	int ssl_add_serverhello_use_srtp_ext(SSL s, unsigned char p, int *len,
250	int maxlen)
251	{
252	if (p) {
253	if (maxlen < 5) {
254	SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,
255	SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
256	return 1;
257	}
258
259	if (s->srtp_profile == 0) {
260	SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,
261	SSL_R_USE_SRTP_NOT_NEGOTIATED);
262	return 1;
263	}
264	s2n(2, p);
265	s2n(s->srtp_profile->id, p);
266	*p++ = 0;
267	}
268	*len = 5;
269
270	return 0;
271	}
272
273	int ssl_parse_serverhello_use_srtp_ext(SSL s, PACKET pkt, int *al)
274	{
275	unsigned int id, ct, mki;
276	int i;
277
278	STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
279	SRTP_PROTECTION_PROFILE *prof;
280
281	if (!PACKET_get_net_2(pkt, &ct)
282	\|\| ct != 2 \|\| !PACKET_get_net_2(pkt, &id)
283	\|\| !PACKET_get_1(pkt, &mki)
284	\|\| PACKET_remaining(pkt) != 0) {
285	SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
286	SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
287	*al = SSL_AD_DECODE_ERROR;
288	return 1;
289	}
290
291	if (mki != 0) {
292	/* Must be no MKI, since we never offer one */
293	SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
294	SSL_R_BAD_SRTP_MKI_VALUE);
295	*al = SSL_AD_ILLEGAL_PARAMETER;
296	return 1;
297	}
298
299	clnt = SSL_get_srtp_profiles(s);
300
301	/* Throw an error if the server gave us an unsolicited extension */
302	if (clnt == NULL) {
303	SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
304	SSL_R_NO_SRTP_PROFILES);
305	*al = SSL_AD_DECODE_ERROR;
306	return 1;
307	}
308
309	/*
310	* Check to see if the server gave us something we support (and
311	* presumably offered)
312	*/
313	for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
314	prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
315
316	if (prof->id == id) {
317	s->srtp_profile = prof;
318	*al = 0;
319	return 0;
320	}
321	}
322
323	SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
324	SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
325	*al = SSL_AD_DECODE_ERROR;
326	return 1;
327	}
328
329	#endif

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-1.1.0g/ssl/d1_srtp.c@ 69890

Download in other formats: