diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 1ded993bc..085d27082 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3204,13 +3204,13 @@ void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf, * \brief Set the supported DTLS-SRTP protection profiles. * * \param conf SSL configuration - * \param profiles List of supported protection profiles, + * \param profiles Pointer to a List of MBEDTLS_TLS_SRTP_UNSET terminated + * supported protection profiles * in decreasing preference order. - * The pointer to the list is - * recorded by the library for later reference as required, - * so the lifetime of the table must be at least as long - * as the lifetime of the SSL configuration structure. - * \param profiles_number Number of supported profiles. + * The pointer to the list is recorded by the library + * for later reference as required, so the lifetime + * of the table must be at least as long as the lifetime + * of the SSL configuration structure. * * \return 0 on success * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA when the list of @@ -3218,8 +3218,7 @@ void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf, */ int mbedtls_ssl_conf_dtls_srtp_protection_profiles ( mbedtls_ssl_config *conf, - const mbedtls_ssl_srtp_profile *profiles, - size_t profiles_number ); + const mbedtls_ssl_srtp_profile *profiles ); /** * \brief Set the mki_value for the current DTLS-SRTP session. diff --git a/library/ssl_tls.c b/library/ssl_tls.c index caaba2428..f6b56f197 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4735,38 +4735,36 @@ int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl, } int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf, - const mbedtls_ssl_srtp_profile *profiles, - size_t profiles_number ) + const mbedtls_ssl_srtp_profile *profiles ) { - size_t i; - /* - * Check input validity : must be a list of profiles from enumeration. - * Maximum length is 4 as only 4 protection profiles are defined. - */ - if( profiles_number > 4 ) - { - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - } + const mbedtls_ssl_srtp_profile *p; + size_t list_size = 0; - - for( i=0; i < profiles_number; i++ ) + /* check the profiles list: all entry must be valid, + * its size cannot be more than the total number of supported profiles, currently 4 */ + for( p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET && list_size < 5; p++ ) { - switch( profiles[i] ) + switch( *p ) { case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80: case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32: case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80: case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32: + list_size++; break; - default: - conf->dtls_srtp_profile_list = NULL; - conf->dtls_srtp_profile_list_len = 0; - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + default: /* unsupported value, stop parsing and set the size to an error value */ + list_size = 5; } } + if ( list_size > 4 ) { + conf->dtls_srtp_profile_list = NULL; + conf->dtls_srtp_profile_list_len = 0; + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } + conf->dtls_srtp_profile_list = profiles; - conf->dtls_srtp_profile_list_len = profiles_number; + conf->dtls_srtp_profile_list_len = list_size; return( 0 ); } diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 33fbc0538..cdedbd290 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1249,7 +1249,8 @@ int main( int argc, char *argv[] ) MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80, MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32, MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80, - MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32 + MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32, + MBEDTLS_TLS_SRTP_UNSET }; #endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_EXPORT_KEYS */ @@ -2334,18 +2335,12 @@ int main( int argc, char *argv[] ) { if( opt.force_srtp_profile != 0 ) { - const mbedtls_ssl_srtp_profile forced_profile[] = { opt.force_srtp_profile }; - ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles - ( &conf, - forced_profile, - sizeof( forced_profile ) / sizeof( mbedtls_ssl_srtp_profile ) ); + const mbedtls_ssl_srtp_profile forced_profile[] = { opt.force_srtp_profile, MBEDTLS_TLS_SRTP_UNSET }; + ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles ( &conf, forced_profile ); } else { - ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles - ( &conf, - default_profiles, - sizeof( default_profiles ) / sizeof( mbedtls_ssl_srtp_profile ) ); + ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles ( &conf, default_profiles ); } if( ret != 0 ) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index b6f0736a8..e66ca4041 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1880,7 +1880,8 @@ int main( int argc, char *argv[] ) MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80, MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32, MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80, - MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32 + MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32, + MBEDTLS_TLS_SRTP_UNSET }; #endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_EXPORT_KEYS */ @@ -3146,16 +3147,12 @@ int main( int argc, char *argv[] ) { if( opt.force_srtp_profile != 0 ) { - const mbedtls_ssl_srtp_profile forced_profile[] = { opt.force_srtp_profile }; - ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf, - forced_profile, - sizeof( forced_profile ) / sizeof( mbedtls_ssl_srtp_profile ) ); + const mbedtls_ssl_srtp_profile forced_profile[] = { opt.force_srtp_profile, MBEDTLS_TLS_SRTP_UNSET }; + ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf, forced_profile ); } else { - ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf, - default_profiles, - sizeof( default_profiles ) / sizeof( mbedtls_ssl_srtp_profile ) ); + ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles( &conf, default_profiles ); } if( ret != 0 )