authorDoug Hogan <doug@cvs.openbsd.org>2015-07-17 17:36:25 +0000
committerDoug Hogan <doug@cvs.openbsd.org>2015-07-17 17:36:25 +0000
commit6ec2dfc9be7c7c2d6cbab0a26a117fd37b69b2a9 (patch)
tree08cf6da4cba74394f9eda09286c61a2686bcb3d3
parent0648fda297cd0b072f32820e0229845c7a30e092 (diff)
Convert ssl_parse_serverhello_use_srtp_ext to CBS.
ok miod@ jsing@
-rw-r--r--lib/libssl/src/ssl/d1_srtp.c25
-rw-r--r--lib/libssl/src/ssl/ssl_locl.h4
2 files changed, 17 insertions, 12 deletions
diff --git a/lib/libssl/src/ssl/d1_srtp.c b/lib/libssl/src/ssl/d1_srtp.c
index 8f05c4abc87..2974691e3c6 100644
--- a/lib/libssl/src/ssl/d1_srtp.c
+++ b/lib/libssl/src/ssl/d1_srtp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srtp.c,v 1.13 2015/07/15 21:52:02 beck Exp $ */
+/* $OpenBSD: d1_srtp.c,v 1.14 2015/07/17 17:36:24 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -404,32 +404,37 @@ ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
int
-ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len, int *al)
+ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int *al)
{
STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
SRTP_PROTECTION_PROFILE *prof;
- unsigned id;
int i;
- int ct;
+ uint16_t id;
+ CBS cbs, profile_ids, mki;
- if (len != 5) {
+ if (len < 0) {
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
*al = SSL_AD_DECODE_ERROR;
return 1;
}
- n2s(d, ct);
- if (ct != 2) {
+ CBS_init(&cbs, d, len);
+
+ /*
+ * As per RFC 5764 section 4.1.1, server response MUST be a single
+ * profile id.
+ */
+ if (!CBS_get_u16_length_prefixed(&cbs, &profile_ids) ||
+ !CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
*al = SSL_AD_DECODE_ERROR;
return 1;
}
- n2s(d, id);
- if (*d) {
- /* Must be no MKI, since we never offer one. */
+ /* Must be no MKI, since we never offer one. */
+ if (!CBS_get_u8_length_prefixed(&cbs, &mki) || CBS_len(&mki) != 0) {
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
SSL_R_BAD_SRTP_MKI_VALUE);
*al = SSL_AD_ILLEGAL_PARAMETER;
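Review bot: The new parse is more permissive than the `len != 5` check it replaces: after the MKI length byte is consumed, nothing visible in this hunk verifies that the extension is exhausted, so a ServerHello use_srtp extension carrying trailing bytes after the (empty) MKI is now accepted where it used to be rejected. Unless the part of the function past this hunk checks `CBS_len(&cbs)`, the MKI condition should become `if (!CBS_get_u8_length_prefixed(&cbs, &mki) || CBS_len(&mki) != 0 || CBS_len(&cbs) != 0) {`, or trailing data should get its own `SSL_AD_DECODE_ERROR` branch to keep the alert codes distinct. The `len < 0` guard before `CBS_init` is correct since the length becomes a `size_t`, and the single-profile-id check matches RFC 5764 section 4.1.1. The body of ssl_parse_serverhello_use_srtp_ext continues beyond this hunk, so the profile lookup that follows is not reviewed here.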
diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h
index 0056daa1555..3256354463d 100644
--- a/lib/libssl/src/ssl/ssl_locl.h
+++ b/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.95 2015/07/14 03:38:26 doug Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.96 2015/07/17 17:36:24 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -854,7 +854,7 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d,
int len, int *al);
int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p,
int *len, int maxlen);
-int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d,
+int ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d,
int len, int *al);
/* s3_cbc.c */