Add variable validation
1. Check allocation success. 2. Check parameter correctness in the use_srtp extension in server and client. Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
parent
75870ec6a7
commit
313d7b5d74
@ -837,6 +837,10 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
|
|||||||
if( mki_len != 0 )
|
if( mki_len != 0 )
|
||||||
{
|
{
|
||||||
memcpy( p, ssl->dtls_srtp_info.mki_value, mki_len );
|
memcpy( p, ssl->dtls_srtp_info.mki_value, mki_len );
|
||||||
|
/*
|
||||||
|
* Increment p to point to the current position.
|
||||||
|
*/
|
||||||
|
p += mki_len;
|
||||||
MBEDTLS_SSL_DEBUG_BUF( 3, "sending mki", ssl->dtls_srtp_info.mki_value,
|
MBEDTLS_SSL_DEBUG_BUF( 3, "sending mki", ssl->dtls_srtp_info.mki_value,
|
||||||
ssl->dtls_srtp_info.mki_len );
|
ssl->dtls_srtp_info.mki_len );
|
||||||
}
|
}
|
||||||
@ -847,8 +851,9 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
|
|||||||
* + protection profile length (2 bytes)
|
* + protection profile length (2 bytes)
|
||||||
* + 2 * number of protection profiles
|
* + 2 * number of protection profiles
|
||||||
* + srtp_mki vector length(1 byte)
|
* + srtp_mki vector length(1 byte)
|
||||||
|
* + mki value
|
||||||
*/
|
*/
|
||||||
*olen = 2 + 2 + 2 + 2 * ( ssl->conf->dtls_srtp_profile_list_len ) + 1 + mki_len;
|
*olen = p - buf;
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
||||||
|
|
||||||
@ -1848,7 +1853,8 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* Length is 5 and optional mki_value : one protection profile(2 bytes)
|
* Length is 5 and optional mki_value : one protection profile(2 bytes)
|
||||||
* + length(2 bytes) and srtp_mki
|
* + length(2 bytes) + mki_len(1 byte)
|
||||||
|
* and optional srtp_mki
|
||||||
*/
|
*/
|
||||||
if( ( len != 5 ) && ( len != ( 5 + mki_len ) ) )
|
if( ( len != 5 ) && ( len != ( 5 + mki_len ) ) )
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||||
@ -1862,9 +1868,7 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
|
|||||||
* one protection profile in server Hello
|
* one protection profile in server Hello
|
||||||
*/
|
*/
|
||||||
if( ( buf[0] != 0 ) || ( buf[1] != 2 ) )
|
if( ( buf[0] != 0 ) || ( buf[1] != 2 ) )
|
||||||
{
|
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||||
}
|
|
||||||
|
|
||||||
server_protection_profile_value = ( buf[2] << 8 ) | buf[3];
|
server_protection_profile_value = ( buf[2] << 8 ) | buf[3];
|
||||||
server_protection = mbedtls_ssl_get_srtp_profile_value( server_protection_profile_value );
|
server_protection = mbedtls_ssl_get_srtp_profile_value( server_protection_profile_value );
|
||||||
@ -1901,8 +1905,8 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
|
|||||||
* that is different than the one the client offered, then the client
|
* that is different than the one the client offered, then the client
|
||||||
* MUST abort the handshake and SHOULD send an invalid_parameter alert.
|
* MUST abort the handshake and SHOULD send an invalid_parameter alert.
|
||||||
*/
|
*/
|
||||||
if( len > 5 &&
|
if( len > 5 && ( buf[4] != mki_len ||
|
||||||
( memcmp( ssl->dtls_srtp_info.mki_value, &buf[5], mki_len ) ) )
|
( memcmp( ssl->dtls_srtp_info.mki_value, &buf[5], mki_len ) ) ) )
|
||||||
{
|
{
|
||||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||||
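Review bot: When `len == 5` the server's MKI length byte `buf[4]` is never examined, because the `buf[4] != mki_len` comparison added in the last hunk only runs under `len > 5`. A five-byte use_srtp extension that declares a non-zero MKI length is therefore accepted as if it carried no MKI. Tying the extension length to the byte the peer actually sent closes that gap, for example `if( len < 5 || len != 5u + buf[4] )` in place of the earlier `len != 5 && len != 5 + mki_len` test, before the profile and MKI comparisons. ssl_parse_use_srtp_ext starts and ends outside these hunks, so any later handling of the no-MKI reply is not visible here.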
|
@ -785,6 +785,8 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
|
|||||||
size_t i,j;
|
size_t i,j;
|
||||||
size_t profile_length;
|
size_t profile_length;
|
||||||
const mbedtls_ssl_srtp_profile_info *profile_info;
|
const mbedtls_ssl_srtp_profile_info *profile_info;
|
||||||
|
/*! 2 bytes for profile length and 1 byte for mki len */
|
||||||
|
const size_t size_of_lengths = 3;
|
||||||
|
|
||||||
/* If use_srtp is not configured, just ignore the extension */
|
/* If use_srtp is not configured, just ignore the extension */
|
||||||
if( ssl->conf->dtls_srtp_profile_list == NULL ||
|
if( ssl->conf->dtls_srtp_profile_list == NULL ||
|
||||||
@ -806,14 +808,24 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
|
|||||||
* Min length is 5: at least one protection profile(2 bytes)
|
* Min length is 5: at least one protection profile(2 bytes)
|
||||||
* and length(2 bytes) + srtp_mki length(1 byte)
|
* and length(2 bytes) + srtp_mki length(1 byte)
|
||||||
*/
|
*/
|
||||||
if( len < 5 )
|
if( len < size_of_lengths + 2 )
|
||||||
|
{
|
||||||
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
|
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||||
|
}
|
||||||
|
|
||||||
ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_SRTP_UNSET_PROFILE;
|
ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_SRTP_UNSET_PROFILE;
|
||||||
|
|
||||||
/* first 2 bytes are protection profile length(in bytes) */
|
/* first 2 bytes are protection profile length(in bytes) */
|
||||||
profile_length = ( buf[0] << 8 ) | buf[1];
|
profile_length = ( buf[0] << 8 ) | buf[1];
|
||||||
|
|
||||||
|
if( profile_length > len - size_of_lengths )
|
||||||
|
{
|
||||||
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
|
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||||
|
}
|
||||||
/*
|
/*
|
||||||
* parse the extension list values are defined in
|
* parse the extension list values are defined in
|
||||||
* http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
|
* http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
|
||||||
@ -846,7 +858,8 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
|
|||||||
( len > ( profile_length + 2 ) ) )
|
( len > ( profile_length + 2 ) ) )
|
||||||
{
|
{
|
||||||
ssl->dtls_srtp_info.mki_len = buf[profile_length + 2];
|
ssl->dtls_srtp_info.mki_len = buf[profile_length + 2];
|
||||||
if( ssl->dtls_srtp_info.mki_len > MBEDTLS_DTLS_SRTP_MAX_MKI_LENGTH )
|
if( ssl->dtls_srtp_info.mki_len > MBEDTLS_DTLS_SRTP_MAX_MKI_LENGTH ||
|
||||||
|
ssl->dtls_srtp_info.mki_len + profile_length + size_of_lengths != len )
|
||||||
{
|
{
|
||||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
||||||
@ -854,7 +867,6 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
|
|||||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||||
}
|
}
|
||||||
|
|
||||||
ssl->dtls_srtp_info.mki_len = buf[profile_length + 2];
|
|
||||||
for( i=0; i < ssl->dtls_srtp_info.mki_len; i++ )
|
for( i=0; i < ssl->dtls_srtp_info.mki_len; i++ )
|
||||||
{
|
{
|
||||||
ssl->dtls_srtp_info.mki_value[i] = buf[profile_length + 2 + 1 + i];
|
ssl->dtls_srtp_info.mki_value[i] = buf[profile_length + 2 + 1 + i];
|
||||||
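Review bot: The new bound `profile_length > len - size_of_lengths` does not reject an odd `profile_length`, although each protection profile is two bytes wide. The list loop is outside these hunks, but it presumably would then read the MKI length byte as the second half of a final profile. Extending the check to `if( profile_length > len - size_of_lengths || profile_length % 2 != 0 )` rejects that input up front. The exact-length test `mki_len + profile_length + size_of_lengths != len` also sits inside a branch whose condition starts above the hunk, so the trailing bytes may go unvalidated whenever that branch is skipped. Separately, the failure path of this ClientHello parser still returns `MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO`, where the added paths return `MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO`.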
|
@ -4807,6 +4807,8 @@ int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf,
|
|||||||
conf->dtls_srtp_profile_list =
|
conf->dtls_srtp_profile_list =
|
||||||
(mbedtls_ssl_srtp_profile*)mbedtls_calloc(1,
|
(mbedtls_ssl_srtp_profile*)mbedtls_calloc(1,
|
||||||
profiles_number * sizeof( mbedtls_ssl_srtp_profile ) );
|
profiles_number * sizeof( mbedtls_ssl_srtp_profile ) );
|
||||||
|
if( conf->dtls_srtp_profile_list == NULL )
|
||||||
|
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
||||||
|
|
||||||
for( i=0; i < profiles_number; i++ ) {
|
for( i=0; i < profiles_number; i++ ) {
|
||||||
switch( profiles[i] ) {
|
switch( profiles[i] ) {
|
||||||
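Review bot: The allocation size is still computed as `profiles_number * sizeof( mbedtls_ssl_srtp_profile )` and passed with a count of 1, so the added NULL check cannot catch a product that has wrapped around. Passing the count and element size separately, `mbedtls_calloc( profiles_number, sizeof( mbedtls_ssl_srtp_profile ) )`, lets a calloc-style allocator reject the overflow itself. On the new `MBEDTLS_ERR_SSL_ALLOC_FAILED` return it is also worth confirming that `conf->dtls_srtp_profile_list_len` is left at zero so the pointer and its length stay consistent. Where that field is assigned is outside this hunk, as are the start and end of the function.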
|