{
return s->srtp_profile;
}
-
-int ssl_parse_clienthello_use_srtp_ext(SSL *s, PACKET *pkt, int *al)
-{
- SRTP_PROTECTION_PROFILE *sprof;
- STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
- unsigned int ct, mki_len, id;
- int i, srtp_pref;
- PACKET subpkt;
-
- /* Pull off the length of the cipher suite list and check it is even */
- if (!PACKET_get_net_2(pkt, &ct)
- || (ct & 1) != 0 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
- SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
- SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
- *al = SSL_AD_DECODE_ERROR;
- return 1;
- }
-
- srvr = SSL_get_srtp_profiles(s);
- s->srtp_profile = NULL;
- /* Search all profiles for a match initially */
- srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
-
- while (PACKET_remaining(&subpkt)) {
- if (!PACKET_get_net_2(&subpkt, &id)) {
- SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
- SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
- *al = SSL_AD_DECODE_ERROR;
- return 1;
- }
-
- /*
- * Only look for match in profiles of higher preference than
- * current match.
- * If no profiles have been have been configured then this
- * does nothing.
- */
- for (i = 0; i < srtp_pref; i++) {
- sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
- if (sprof->id == id) {
- s->srtp_profile = sprof;
- srtp_pref = i;
- break;
- }
- }
- }
-
- /*
- * Now extract the MKI value as a sanity check, but discard it for now
- */
- if (!PACKET_get_1(pkt, &mki_len)) {
- SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
- SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
- *al = SSL_AD_DECODE_ERROR;
- return 1;
- }
-
- if (!PACKET_forward(pkt, mki_len)
- || PACKET_remaining(pkt)) {
- SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
- SSL_R_BAD_SRTP_MKI_VALUE);
- *al = SSL_AD_DECODE_ERROR;
- return 1;
- }
-
- return 0;
-}
-
-int ssl_parse_serverhello_use_srtp_ext(SSL *s, PACKET *pkt, int *al)
-{
- unsigned int id, ct, mki;
- int i;
-
- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
- SRTP_PROTECTION_PROFILE *prof;
-
- if (!PACKET_get_net_2(pkt, &ct)
- || ct != 2 || !PACKET_get_net_2(pkt, &id)
- || !PACKET_get_1(pkt, &mki)
- || PACKET_remaining(pkt) != 0) {
- SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
- SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
- *al = SSL_AD_DECODE_ERROR;
- return 1;
- }
-
- if (mki != 0) {
- /* Must be no MKI, since we never offer one */
- SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
- SSL_R_BAD_SRTP_MKI_VALUE);
- *al = SSL_AD_ILLEGAL_PARAMETER;
- return 1;
- }
-
- clnt = SSL_get_srtp_profiles(s);
-
- /* Throw an error if the server gave us an unsolicited extension */
- if (clnt == NULL) {
- SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
- SSL_R_NO_SRTP_PROFILES);
- *al = SSL_AD_DECODE_ERROR;
- return 1;
- }
-
- /*
- * Check to see if the server gave us something we support (and
- * presumably offered)
- */
- for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
- prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
-
- if (prof->id == id) {
- s->srtp_profile = prof;
- *al = 0;
- return 0;
- }
- }
-
- SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
- SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
- *al = SSL_AD_DECODE_ERROR;
- return 1;
-}
-
#endif
projects / openssl.git / blobdiff