diff -up openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak openssl-1.0.1e/ssl/d1_srtp.c
--- openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak 2013-02-11 16:26:04.000000000 +0100
+++ openssl-1.0.1e/ssl/d1_srtp.c 2014-10-15 13:23:34.253040160 +0200
@@ -168,25 +168,6 @@ static int find_profile_by_name(char *pr
return 1;
}
|
-static int find_profile_by_num(unsigned profile_num,
- SRTP_PROTECTION_PROFILE **pptr)
- {
- SRTP_PROTECTION_PROFILE *p;
-
- p=srtp_known_profiles;
- while(p->name)
- {
- if(p->id == profile_num)
- {
- *pptr=p;
- return 0;
- }
- p++;
- }
-
- return 1;
- }
-
static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
{
STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const c
if(!find_profile_by_name(ptr,&p,
col ? col-ptr : (int)strlen(ptr)))
{
+ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
+ {
+ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
+ return 1;
+ }
+
sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
}
else
{
SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
return 1;
}
|
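Review bot: The `sk_SRTP_PROTECTION_PROFILE_push(profiles,p);` that follows the new duplicate check still ignores its return value, so an allocation failure inside the push silently drops that profile and the function goes on to report success with a shorter list than the caller configured. It should be handled like the two new error paths: `if(!sk_SRTP_PROTECTION_PROFILE_push(profiles,p))` followed by `SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES);`, the free of `profiles` and `return 1;`. With three identical free-and-return sequences in one function, a single `err:` label reached by goto would also make it harder for a later edit to add a fourth exit that forgets the free. The body of ssl_ctx_make_profiles continues outside the hunk, so the success path that hands `profiles` to the caller is not visible here.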
@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL
|
int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
{
- SRTP_PROTECTION_PROFILE *cprof,*sprof;
- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
+ SRTP_PROTECTION_PROFILE *sprof;
+ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
int ct;
int mki_len;
- int i,j;
- int id;
- int ret;
+ int i, srtp_pref;
+ unsigned int id;
|
/* Length value + the MKI length */
if(len < 3)
@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(S
return 1;
}
|
+ srvr=SSL_get_srtp_profiles(s);
+ s->srtp_profile = NULL;
+ /* Search all profiles for a match initially */
+ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
|
- clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
-
while(ct)
{
n2s(d,id);
ct-=2;
len-=2;
|
- if(!find_profile_by_num(id,&cprof))
+ /*
+ * Only look for match in profiles of higher preference than
+ * current match.
+ * If no profiles have been have been configured then this
+ * does nothing.
+ */
+ for (i = 0; i < srtp_pref; i++)
{
- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
- }
- else
- {
- ; /* Ignore */
+ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
+ if (sprof->id == id)
+ {
+ s->srtp_profile = sprof;
+ srtp_pref = i;
+ break;
+ }
}
}
|
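Review bot: The new block comment above the `for` loop reads `If no profiles have been have been configured` — a duplicated phrase; suggest `If no profiles have been configured then this does nothing.` That comment would also be the place to say that `srtp_pref` starts as the number of server profiles and is lowered to the index of each match, which is what makes a later client profile win only if it sits earlier in the server's list. The "does nothing" case rests on `sk_SRTP_PROTECTION_PROFILE_num` returning -1 for a NULL stack so that `for (i = 0; i < srtp_pref; i++)` is skipped, which is worth stating rather than leaving implicit. ssl_parse_clienthello_use_srtp_ext continues on both sides of this hunk.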
@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(S
return 1;
}
|
- srvr=SSL_get_srtp_profiles(s);
-
- /* Pick our most preferred profile. If no profiles have been
- configured then the outer loop doesn't run
- (sk_SRTP_PROTECTION_PROFILE_num() = -1)
- and so we just return without doing anything */
- for(i=0;i
- {
- sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
-
- for(j=0;j
- {
- cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
-
- if(cprof->id==sprof->id)
- {
- s->srtp_profile=sprof;
- *al=0;
- ret=0;
- goto done;
- }
- }
- }
-
- ret=0;
-
-done:
- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
-
- return ret;
+ return 0;
}
|
int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
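Review bot: The unconditional `return 0;` that replaces the old selection loop gives no hint that reaching it with `s->srtp_profile == NULL` is the deliberate "no profile in common" outcome rather than an oversight. A comment directly above it, `/* No common profile is not an error: s->srtp_profile stays NULL and the server sends no use_srtp extension */`, would record that and ties in with the `if(s->srtp_profile)` gate in ssl_add_serverhello_tlsext in the t1_lib.c hunk on this page. ssl_parse_clienthello_use_srtp_ext begins before this hunk, so the error exits that precede the return are only partly visible here.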
diff -up openssl-1.0.1e/ssl/t1_lib.c.srtp-leak openssl-1.0.1e/ssl/t1_lib.c
--- openssl-1.0.1e/ssl/t1_lib.c.srtp-leak 2014-10-15 13:19:59.955202293 +0200
+++ openssl-1.0.1e/ssl/t1_lib.c 2014-10-15 13:23:34.254040182 +0200
@@ -696,7 +696,7 @@ unsigned char *ssl_add_clienthello_tlsex
#endif
|
#ifndef OPENSSL_NO_SRTP
- if(SSL_get_srtp_profiles(s))
+ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
{
int el;
|
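Review bot: The `SSL_IS_DTLS(s) &&` gate added to the condition in ssl_add_clienthello_tlsext is repeated in the three later hunks of this file (ssl_add_serverhello_tlsext, ssl_parse_clienthello_tlsext, ssl_parse_serverhello_tlsext), but none of the four sites says why it is there, so a later cleanup could drop the test as redundant. A one-line comment at this first site, `/* use_srtp (RFC 5764) is a DTLS-only extension: never send or accept it on a TLS connection */`, would document the invariant once for all four. The `if` body continues past the end of the hunk.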
@@ -829,7 +829,7 @@ unsigned char *ssl_add_serverhello_tlsex
#endif
|
#ifndef OPENSSL_NO_SRTP
- if(s->srtp_profile)
+ if(SSL_IS_DTLS(s) && s->srtp_profile)
{
int el;
|
@@ -1377,7 +1377,8 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
/* session ticket processed earlier */
#ifndef OPENSSL_NO_SRTP
- else if (type == TLSEXT_TYPE_use_srtp)
+ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
+ && type == TLSEXT_TYPE_use_srtp)
{
if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
al))
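Review bot: In ssl_parse_clienthello_tlsext the rewritten condition tests `SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)` before `type == TLSEXT_TYPE_use_srtp`, unlike the surrounding `else if` chain where the extension type is the first operand; `else if (type == TLSEXT_TYPE_use_srtp && SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))` keeps the chain uniform and skips the profile lookup for every extension that is not use_srtp, with the same result as far as I can tell since none of the operands appear to have side effects. The effect that deserves a comment is that a DTLS use_srtp extension arriving at a server with no profiles configured no longer enters this branch and falls through to whatever the rest of the chain does with it — presumably intended, but `/* ignored when no server profiles are configured */` on the condition would say so. The chain continues outside the hunk.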
@@ -1631,7 +1632,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
}
#endif
#ifndef OPENSSL_NO_SRTP
- else if (type == TLSEXT_TYPE_use_srtp)
+ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
{
if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
al))