11f13597dSJung-uk Kim /* ssl/t1_lib.c */ 21f13597dSJung-uk Kim /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 31f13597dSJung-uk Kim * All rights reserved. 41f13597dSJung-uk Kim * 51f13597dSJung-uk Kim * This package is an SSL implementation written 61f13597dSJung-uk Kim * by Eric Young (eay@cryptsoft.com). 71f13597dSJung-uk Kim * The implementation was written so as to conform with Netscapes SSL. 81f13597dSJung-uk Kim * 91f13597dSJung-uk Kim * This library is free for commercial and non-commercial use as long as 101f13597dSJung-uk Kim * the following conditions are aheared to. The following conditions 111f13597dSJung-uk Kim * apply to all code found in this distribution, be it the RC4, RSA, 121f13597dSJung-uk Kim * lhash, DES, etc., code; not just the SSL code. The SSL documentation 131f13597dSJung-uk Kim * included with this distribution is covered by the same copyright terms 141f13597dSJung-uk Kim * except that the holder is Tim Hudson (tjh@cryptsoft.com). 151f13597dSJung-uk Kim * 161f13597dSJung-uk Kim * Copyright remains Eric Young's, and as such any Copyright notices in 171f13597dSJung-uk Kim * the code are not to be removed. 181f13597dSJung-uk Kim * If this package is used in a product, Eric Young should be given attribution 191f13597dSJung-uk Kim * as the author of the parts of the library used. 201f13597dSJung-uk Kim * This can be in the form of a textual message at program startup or 211f13597dSJung-uk Kim * in documentation (online or textual) provided with the package. 221f13597dSJung-uk Kim * 231f13597dSJung-uk Kim * Redistribution and use in source and binary forms, with or without 241f13597dSJung-uk Kim * modification, are permitted provided that the following conditions 251f13597dSJung-uk Kim * are met: 261f13597dSJung-uk Kim * 1. Redistributions of source code must retain the copyright 271f13597dSJung-uk Kim * notice, this list of conditions and the following disclaimer. 281f13597dSJung-uk Kim * 2. Redistributions in binary form must reproduce the above copyright 291f13597dSJung-uk Kim * notice, this list of conditions and the following disclaimer in the 301f13597dSJung-uk Kim * documentation and/or other materials provided with the distribution. 311f13597dSJung-uk Kim * 3. All advertising materials mentioning features or use of this software 321f13597dSJung-uk Kim * must display the following acknowledgement: 331f13597dSJung-uk Kim * "This product includes cryptographic software written by 341f13597dSJung-uk Kim * Eric Young (eay@cryptsoft.com)" 351f13597dSJung-uk Kim * The word 'cryptographic' can be left out if the rouines from the library 361f13597dSJung-uk Kim * being used are not cryptographic related :-). 371f13597dSJung-uk Kim * 4. If you include any Windows specific code (or a derivative thereof) from 381f13597dSJung-uk Kim * the apps directory (application code) you must include an acknowledgement: 391f13597dSJung-uk Kim * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 401f13597dSJung-uk Kim * 411f13597dSJung-uk Kim * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 421f13597dSJung-uk Kim * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 431f13597dSJung-uk Kim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 441f13597dSJung-uk Kim * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 451f13597dSJung-uk Kim * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 461f13597dSJung-uk Kim * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 471f13597dSJung-uk Kim * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 481f13597dSJung-uk Kim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 491f13597dSJung-uk Kim * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 501f13597dSJung-uk Kim * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 511f13597dSJung-uk Kim * SUCH DAMAGE. 521f13597dSJung-uk Kim * 531f13597dSJung-uk Kim * The licence and distribution terms for any publically available version or 541f13597dSJung-uk Kim * derivative of this code cannot be changed. i.e. this code cannot simply be 551f13597dSJung-uk Kim * copied and put under another distribution licence 561f13597dSJung-uk Kim * [including the GNU Public Licence.] 571f13597dSJung-uk Kim */ 581f13597dSJung-uk Kim /* ==================================================================== 591f13597dSJung-uk Kim * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 601f13597dSJung-uk Kim * 611f13597dSJung-uk Kim * Redistribution and use in source and binary forms, with or without 621f13597dSJung-uk Kim * modification, are permitted provided that the following conditions 631f13597dSJung-uk Kim * are met: 641f13597dSJung-uk Kim * 651f13597dSJung-uk Kim * 1. Redistributions of source code must retain the above copyright 661f13597dSJung-uk Kim * notice, this list of conditions and the following disclaimer. 671f13597dSJung-uk Kim * 681f13597dSJung-uk Kim * 2. Redistributions in binary form must reproduce the above copyright 691f13597dSJung-uk Kim * notice, this list of conditions and the following disclaimer in 701f13597dSJung-uk Kim * the documentation and/or other materials provided with the 711f13597dSJung-uk Kim * distribution. 721f13597dSJung-uk Kim * 731f13597dSJung-uk Kim * 3. All advertising materials mentioning features or use of this 741f13597dSJung-uk Kim * software must display the following acknowledgment: 751f13597dSJung-uk Kim * "This product includes software developed by the OpenSSL Project 761f13597dSJung-uk Kim * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 771f13597dSJung-uk Kim * 781f13597dSJung-uk Kim * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 791f13597dSJung-uk Kim * endorse or promote products derived from this software without 801f13597dSJung-uk Kim * prior written permission. For written permission, please contact 811f13597dSJung-uk Kim * openssl-core@openssl.org. 821f13597dSJung-uk Kim * 831f13597dSJung-uk Kim * 5. Products derived from this software may not be called "OpenSSL" 841f13597dSJung-uk Kim * nor may "OpenSSL" appear in their names without prior written 851f13597dSJung-uk Kim * permission of the OpenSSL Project. 861f13597dSJung-uk Kim * 871f13597dSJung-uk Kim * 6. Redistributions of any form whatsoever must retain the following 881f13597dSJung-uk Kim * acknowledgment: 891f13597dSJung-uk Kim * "This product includes software developed by the OpenSSL Project 901f13597dSJung-uk Kim * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 911f13597dSJung-uk Kim * 921f13597dSJung-uk Kim * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 931f13597dSJung-uk Kim * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 941f13597dSJung-uk Kim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 951f13597dSJung-uk Kim * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 961f13597dSJung-uk Kim * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 971f13597dSJung-uk Kim * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 981f13597dSJung-uk Kim * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 991f13597dSJung-uk Kim * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 1001f13597dSJung-uk Kim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 1011f13597dSJung-uk Kim * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 1021f13597dSJung-uk Kim * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 1031f13597dSJung-uk Kim * OF THE POSSIBILITY OF SUCH DAMAGE. 1041f13597dSJung-uk Kim * ==================================================================== 1051f13597dSJung-uk Kim * 1061f13597dSJung-uk Kim * This product includes cryptographic software written by Eric Young 1071f13597dSJung-uk Kim * (eay@cryptsoft.com). This product includes software written by Tim 1081f13597dSJung-uk Kim * Hudson (tjh@cryptsoft.com). 1091f13597dSJung-uk Kim * 1101f13597dSJung-uk Kim */ 1111f13597dSJung-uk Kim /* 1121f13597dSJung-uk Kim DTLS code by Eric Rescorla <ekr@rtfm.com> 1131f13597dSJung-uk Kim 1141f13597dSJung-uk Kim Copyright (C) 2006, Network Resonance, Inc. 1151f13597dSJung-uk Kim Copyright (C) 2011, RTFM, Inc. 1161f13597dSJung-uk Kim */ 1171f13597dSJung-uk Kim 1181f13597dSJung-uk Kim #include <stdio.h> 1191f13597dSJung-uk Kim #include <openssl/objects.h> 1201f13597dSJung-uk Kim #include "ssl_locl.h" 12109286989SJung-uk Kim 12209286989SJung-uk Kim #ifndef OPENSSL_NO_SRTP 12309286989SJung-uk Kim 1241f13597dSJung-uk Kim #include "srtp.h" 1251f13597dSJung-uk Kim 1261f13597dSJung-uk Kim 1271f13597dSJung-uk Kim static SRTP_PROTECTION_PROFILE srtp_known_profiles[]= 1281f13597dSJung-uk Kim { 1291f13597dSJung-uk Kim { 1301f13597dSJung-uk Kim "SRTP_AES128_CM_SHA1_80", 1311f13597dSJung-uk Kim SRTP_AES128_CM_SHA1_80, 1321f13597dSJung-uk Kim }, 1331f13597dSJung-uk Kim { 1341f13597dSJung-uk Kim "SRTP_AES128_CM_SHA1_32", 1351f13597dSJung-uk Kim SRTP_AES128_CM_SHA1_32, 1361f13597dSJung-uk Kim }, 1371f13597dSJung-uk Kim #if 0 1381f13597dSJung-uk Kim { 1391f13597dSJung-uk Kim "SRTP_NULL_SHA1_80", 1401f13597dSJung-uk Kim SRTP_NULL_SHA1_80, 1411f13597dSJung-uk Kim }, 1421f13597dSJung-uk Kim { 1431f13597dSJung-uk Kim "SRTP_NULL_SHA1_32", 1441f13597dSJung-uk Kim SRTP_NULL_SHA1_32, 1451f13597dSJung-uk Kim }, 1461f13597dSJung-uk Kim #endif 1471f13597dSJung-uk Kim {0} 1481f13597dSJung-uk Kim }; 1491f13597dSJung-uk Kim 1501f13597dSJung-uk Kim static int find_profile_by_name(char *profile_name, 1511f13597dSJung-uk Kim SRTP_PROTECTION_PROFILE **pptr,unsigned len) 1521f13597dSJung-uk Kim { 1531f13597dSJung-uk Kim SRTP_PROTECTION_PROFILE *p; 1541f13597dSJung-uk Kim 1551f13597dSJung-uk Kim p=srtp_known_profiles; 1561f13597dSJung-uk Kim while(p->name) 1571f13597dSJung-uk Kim { 1581f13597dSJung-uk Kim if((len == strlen(p->name)) && !strncmp(p->name,profile_name, 1591f13597dSJung-uk Kim len)) 1601f13597dSJung-uk Kim { 1611f13597dSJung-uk Kim *pptr=p; 1621f13597dSJung-uk Kim return 0; 1631f13597dSJung-uk Kim } 1641f13597dSJung-uk Kim 1651f13597dSJung-uk Kim p++; 1661f13597dSJung-uk Kim } 1671f13597dSJung-uk Kim 1681f13597dSJung-uk Kim return 1; 1691f13597dSJung-uk Kim } 1701f13597dSJung-uk Kim 1711f13597dSJung-uk Kim static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out) 1721f13597dSJung-uk Kim { 1731f13597dSJung-uk Kim STACK_OF(SRTP_PROTECTION_PROFILE) *profiles; 1741f13597dSJung-uk Kim 1751f13597dSJung-uk Kim char *col; 1761f13597dSJung-uk Kim char *ptr=(char *)profiles_string; 1771f13597dSJung-uk Kim 1781f13597dSJung-uk Kim SRTP_PROTECTION_PROFILE *p; 1791f13597dSJung-uk Kim 1801f13597dSJung-uk Kim if(!(profiles=sk_SRTP_PROTECTION_PROFILE_new_null())) 1811f13597dSJung-uk Kim { 1821f13597dSJung-uk Kim SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES, SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES); 1831f13597dSJung-uk Kim return 1; 1841f13597dSJung-uk Kim } 1851f13597dSJung-uk Kim 1861f13597dSJung-uk Kim do 1871f13597dSJung-uk Kim { 1881f13597dSJung-uk Kim col=strchr(ptr,':'); 1891f13597dSJung-uk Kim 1901f13597dSJung-uk Kim if(!find_profile_by_name(ptr,&p, 1911f13597dSJung-uk Kim col ? col-ptr : (int)strlen(ptr))) 1921f13597dSJung-uk Kim { 193*fa5fddf1SJung-uk Kim if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0) 194*fa5fddf1SJung-uk Kim { 195*fa5fddf1SJung-uk Kim SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 196*fa5fddf1SJung-uk Kim sk_SRTP_PROTECTION_PROFILE_free(profiles); 197*fa5fddf1SJung-uk Kim return 1; 198*fa5fddf1SJung-uk Kim } 199*fa5fddf1SJung-uk Kim 2001f13597dSJung-uk Kim sk_SRTP_PROTECTION_PROFILE_push(profiles,p); 2011f13597dSJung-uk Kim } 2021f13597dSJung-uk Kim else 2031f13597dSJung-uk Kim { 2041f13597dSJung-uk Kim SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE); 205*fa5fddf1SJung-uk Kim sk_SRTP_PROTECTION_PROFILE_free(profiles); 2061f13597dSJung-uk Kim return 1; 2071f13597dSJung-uk Kim } 2081f13597dSJung-uk Kim 2091f13597dSJung-uk Kim if(col) ptr=col+1; 2101f13597dSJung-uk Kim } while (col); 2111f13597dSJung-uk Kim 2121f13597dSJung-uk Kim *out=profiles; 2131f13597dSJung-uk Kim 2141f13597dSJung-uk Kim return 0; 2151f13597dSJung-uk Kim } 2161f13597dSJung-uk Kim 2171f13597dSJung-uk Kim int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx,const char *profiles) 2181f13597dSJung-uk Kim { 2191f13597dSJung-uk Kim return ssl_ctx_make_profiles(profiles,&ctx->srtp_profiles); 2201f13597dSJung-uk Kim } 2211f13597dSJung-uk Kim 2221f13597dSJung-uk Kim int SSL_set_tlsext_use_srtp(SSL *s,const char *profiles) 2231f13597dSJung-uk Kim { 2241f13597dSJung-uk Kim return ssl_ctx_make_profiles(profiles,&s->srtp_profiles); 2251f13597dSJung-uk Kim } 2261f13597dSJung-uk Kim 2271f13597dSJung-uk Kim 2281f13597dSJung-uk Kim STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *s) 2291f13597dSJung-uk Kim { 2301f13597dSJung-uk Kim if(s != NULL) 2311f13597dSJung-uk Kim { 2321f13597dSJung-uk Kim if(s->srtp_profiles != NULL) 2331f13597dSJung-uk Kim { 2341f13597dSJung-uk Kim return s->srtp_profiles; 2351f13597dSJung-uk Kim } 2361f13597dSJung-uk Kim else if((s->ctx != NULL) && 2371f13597dSJung-uk Kim (s->ctx->srtp_profiles != NULL)) 2381f13597dSJung-uk Kim { 2391f13597dSJung-uk Kim return s->ctx->srtp_profiles; 2401f13597dSJung-uk Kim } 2411f13597dSJung-uk Kim } 2421f13597dSJung-uk Kim 2431f13597dSJung-uk Kim return NULL; 2441f13597dSJung-uk Kim } 2451f13597dSJung-uk Kim 2461f13597dSJung-uk Kim SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s) 2471f13597dSJung-uk Kim { 2481f13597dSJung-uk Kim return s->srtp_profile; 2491f13597dSJung-uk Kim } 2501f13597dSJung-uk Kim 2511f13597dSJung-uk Kim /* Note: this function returns 0 length if there are no 2521f13597dSJung-uk Kim profiles specified */ 2531f13597dSJung-uk Kim int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen) 2541f13597dSJung-uk Kim { 2551f13597dSJung-uk Kim int ct=0; 2561f13597dSJung-uk Kim int i; 2571f13597dSJung-uk Kim STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0; 2581f13597dSJung-uk Kim SRTP_PROTECTION_PROFILE *prof; 2591f13597dSJung-uk Kim 2601f13597dSJung-uk Kim clnt=SSL_get_srtp_profiles(s); 2611f13597dSJung-uk Kim ct=sk_SRTP_PROTECTION_PROFILE_num(clnt); /* -1 if clnt == 0 */ 2621f13597dSJung-uk Kim 2631f13597dSJung-uk Kim if(p) 2641f13597dSJung-uk Kim { 2651f13597dSJung-uk Kim if(ct==0) 2661f13597dSJung-uk Kim { 2671f13597dSJung-uk Kim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 2681f13597dSJung-uk Kim return 1; 2691f13597dSJung-uk Kim } 2701f13597dSJung-uk Kim 2711f13597dSJung-uk Kim if((2 + ct*2 + 1) > maxlen) 2721f13597dSJung-uk Kim { 2731f13597dSJung-uk Kim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG); 2741f13597dSJung-uk Kim return 1; 2751f13597dSJung-uk Kim } 2761f13597dSJung-uk Kim 2771f13597dSJung-uk Kim /* Add the length */ 2781f13597dSJung-uk Kim s2n(ct * 2, p); 2791f13597dSJung-uk Kim for(i=0;i<ct;i++) 2801f13597dSJung-uk Kim { 2811f13597dSJung-uk Kim prof=sk_SRTP_PROTECTION_PROFILE_value(clnt,i); 2821f13597dSJung-uk Kim s2n(prof->id,p); 2831f13597dSJung-uk Kim } 2841f13597dSJung-uk Kim 2851f13597dSJung-uk Kim /* Add an empty use_mki value */ 2861f13597dSJung-uk Kim *p++ = 0; 2871f13597dSJung-uk Kim } 2881f13597dSJung-uk Kim 2891f13597dSJung-uk Kim *len=2 + ct*2 + 1; 2901f13597dSJung-uk Kim 2911f13597dSJung-uk Kim return 0; 2921f13597dSJung-uk Kim } 2931f13597dSJung-uk Kim 2941f13597dSJung-uk Kim 2951f13597dSJung-uk Kim int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al) 2961f13597dSJung-uk Kim { 297*fa5fddf1SJung-uk Kim SRTP_PROTECTION_PROFILE *sprof; 298*fa5fddf1SJung-uk Kim STACK_OF(SRTP_PROTECTION_PROFILE) *srvr; 2991f13597dSJung-uk Kim int ct; 3001f13597dSJung-uk Kim int mki_len; 301*fa5fddf1SJung-uk Kim int i, srtp_pref; 302*fa5fddf1SJung-uk Kim unsigned int id; 3031f13597dSJung-uk Kim 3041f13597dSJung-uk Kim /* Length value + the MKI length */ 3051f13597dSJung-uk Kim if(len < 3) 3061f13597dSJung-uk Kim { 3071f13597dSJung-uk Kim SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 3081f13597dSJung-uk Kim *al=SSL_AD_DECODE_ERROR; 3091f13597dSJung-uk Kim return 1; 3101f13597dSJung-uk Kim } 3111f13597dSJung-uk Kim 3121f13597dSJung-uk Kim /* Pull off the length of the cipher suite list */ 3131f13597dSJung-uk Kim n2s(d, ct); 3141f13597dSJung-uk Kim len -= 2; 3151f13597dSJung-uk Kim 3161f13597dSJung-uk Kim /* Check that it is even */ 3171f13597dSJung-uk Kim if(ct%2) 3181f13597dSJung-uk Kim { 3191f13597dSJung-uk Kim SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 3201f13597dSJung-uk Kim *al=SSL_AD_DECODE_ERROR; 3211f13597dSJung-uk Kim return 1; 3221f13597dSJung-uk Kim } 3231f13597dSJung-uk Kim 3241f13597dSJung-uk Kim /* Check that lengths are consistent */ 3251f13597dSJung-uk Kim if(len < (ct + 1)) 3261f13597dSJung-uk Kim { 3271f13597dSJung-uk Kim SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 3281f13597dSJung-uk Kim *al=SSL_AD_DECODE_ERROR; 3291f13597dSJung-uk Kim return 1; 3301f13597dSJung-uk Kim } 3311f13597dSJung-uk Kim 332*fa5fddf1SJung-uk Kim srvr=SSL_get_srtp_profiles(s); 333*fa5fddf1SJung-uk Kim s->srtp_profile = NULL; 334*fa5fddf1SJung-uk Kim /* Search all profiles for a match initially */ 335*fa5fddf1SJung-uk Kim srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr); 3361f13597dSJung-uk Kim 3371f13597dSJung-uk Kim while(ct) 3381f13597dSJung-uk Kim { 3391f13597dSJung-uk Kim n2s(d,id); 3401f13597dSJung-uk Kim ct-=2; 3411f13597dSJung-uk Kim len-=2; 3421f13597dSJung-uk Kim 343*fa5fddf1SJung-uk Kim /* 344*fa5fddf1SJung-uk Kim * Only look for match in profiles of higher preference than 345*fa5fddf1SJung-uk Kim * current match. 346*fa5fddf1SJung-uk Kim * If no profiles have been have been configured then this 347*fa5fddf1SJung-uk Kim * does nothing. 348*fa5fddf1SJung-uk Kim */ 349*fa5fddf1SJung-uk Kim for (i = 0; i < srtp_pref; i++) 3501f13597dSJung-uk Kim { 351*fa5fddf1SJung-uk Kim sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i); 352*fa5fddf1SJung-uk Kim if (sprof->id == id) 353*fa5fddf1SJung-uk Kim { 354*fa5fddf1SJung-uk Kim s->srtp_profile = sprof; 355*fa5fddf1SJung-uk Kim srtp_pref = i; 356*fa5fddf1SJung-uk Kim break; 3571f13597dSJung-uk Kim } 3581f13597dSJung-uk Kim } 3591f13597dSJung-uk Kim } 3601f13597dSJung-uk Kim 3611f13597dSJung-uk Kim /* Now extract the MKI value as a sanity check, but discard it for now */ 3621f13597dSJung-uk Kim mki_len = *d; 3631f13597dSJung-uk Kim d++; len--; 3641f13597dSJung-uk Kim 3651f13597dSJung-uk Kim if (mki_len != len) 3661f13597dSJung-uk Kim { 3671f13597dSJung-uk Kim SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_MKI_VALUE); 3681f13597dSJung-uk Kim *al=SSL_AD_DECODE_ERROR; 3691f13597dSJung-uk Kim return 1; 3701f13597dSJung-uk Kim } 3711f13597dSJung-uk Kim 372*fa5fddf1SJung-uk Kim return 0; 3731f13597dSJung-uk Kim } 3741f13597dSJung-uk Kim 3751f13597dSJung-uk Kim int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen) 3761f13597dSJung-uk Kim { 3771f13597dSJung-uk Kim if(p) 3781f13597dSJung-uk Kim { 3791f13597dSJung-uk Kim if(maxlen < 5) 3801f13597dSJung-uk Kim { 3811f13597dSJung-uk Kim SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG); 3821f13597dSJung-uk Kim return 1; 3831f13597dSJung-uk Kim } 3841f13597dSJung-uk Kim 3851f13597dSJung-uk Kim if(s->srtp_profile==0) 3861f13597dSJung-uk Kim { 3871f13597dSJung-uk Kim SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,SSL_R_USE_SRTP_NOT_NEGOTIATED); 3881f13597dSJung-uk Kim return 1; 3891f13597dSJung-uk Kim } 3901f13597dSJung-uk Kim s2n(2, p); 3911f13597dSJung-uk Kim s2n(s->srtp_profile->id,p); 3921f13597dSJung-uk Kim *p++ = 0; 3931f13597dSJung-uk Kim } 3941f13597dSJung-uk Kim *len=5; 3951f13597dSJung-uk Kim 3961f13597dSJung-uk Kim return 0; 3971f13597dSJung-uk Kim } 3981f13597dSJung-uk Kim 3991f13597dSJung-uk Kim 4001f13597dSJung-uk Kim int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al) 4011f13597dSJung-uk Kim { 4021f13597dSJung-uk Kim unsigned id; 4031f13597dSJung-uk Kim int i; 4041f13597dSJung-uk Kim int ct; 4051f13597dSJung-uk Kim 4061f13597dSJung-uk Kim STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 4071f13597dSJung-uk Kim SRTP_PROTECTION_PROFILE *prof; 4081f13597dSJung-uk Kim 4091f13597dSJung-uk Kim if(len!=5) 4101f13597dSJung-uk Kim { 4111f13597dSJung-uk Kim SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 4121f13597dSJung-uk Kim *al=SSL_AD_DECODE_ERROR; 4131f13597dSJung-uk Kim return 1; 4141f13597dSJung-uk Kim } 4151f13597dSJung-uk Kim 4161f13597dSJung-uk Kim n2s(d, ct); 4171f13597dSJung-uk Kim if(ct!=2) 4181f13597dSJung-uk Kim { 4191f13597dSJung-uk Kim SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 4201f13597dSJung-uk Kim *al=SSL_AD_DECODE_ERROR; 4211f13597dSJung-uk Kim return 1; 4221f13597dSJung-uk Kim } 4231f13597dSJung-uk Kim 4241f13597dSJung-uk Kim n2s(d,id); 4251f13597dSJung-uk Kim if (*d) /* Must be no MKI, since we never offer one */ 4261f13597dSJung-uk Kim { 4271f13597dSJung-uk Kim SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_MKI_VALUE); 4281f13597dSJung-uk Kim *al=SSL_AD_ILLEGAL_PARAMETER; 4291f13597dSJung-uk Kim return 1; 4301f13597dSJung-uk Kim } 4311f13597dSJung-uk Kim 4321f13597dSJung-uk Kim clnt=SSL_get_srtp_profiles(s); 4331f13597dSJung-uk Kim 4341f13597dSJung-uk Kim /* Throw an error if the server gave us an unsolicited extension */ 4351f13597dSJung-uk Kim if (clnt == NULL) 4361f13597dSJung-uk Kim { 4371f13597dSJung-uk Kim SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_NO_SRTP_PROFILES); 4381f13597dSJung-uk Kim *al=SSL_AD_DECODE_ERROR; 4391f13597dSJung-uk Kim return 1; 4401f13597dSJung-uk Kim } 4411f13597dSJung-uk Kim 4421f13597dSJung-uk Kim /* Check to see if the server gave us something we support 4431f13597dSJung-uk Kim (and presumably offered) 4441f13597dSJung-uk Kim */ 4451f13597dSJung-uk Kim for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(clnt);i++) 4461f13597dSJung-uk Kim { 4471f13597dSJung-uk Kim prof=sk_SRTP_PROTECTION_PROFILE_value(clnt,i); 4481f13597dSJung-uk Kim 4491f13597dSJung-uk Kim if(prof->id == id) 4501f13597dSJung-uk Kim { 4511f13597dSJung-uk Kim s->srtp_profile=prof; 4521f13597dSJung-uk Kim *al=0; 4531f13597dSJung-uk Kim return 0; 4541f13597dSJung-uk Kim } 4551f13597dSJung-uk Kim } 4561f13597dSJung-uk Kim 4571f13597dSJung-uk Kim SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 4581f13597dSJung-uk Kim *al=SSL_AD_DECODE_ERROR; 4591f13597dSJung-uk Kim return 1; 4601f13597dSJung-uk Kim } 4611f13597dSJung-uk Kim 4621f13597dSJung-uk Kim 4631f13597dSJung-uk Kim #endif 464