From 4f099264b5a7848289af3a2c3dab11bc6da15115 Mon Sep 17 00:00:00 2001
From: Johan Pascal <johan.pascal@belledonne-communications.com>
Date: Tue, 22 Sep 2020 10:59:26 +0200
Subject: [PATCH] use_srtp extension shall not interfere in the handshake settings

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
---
 library/ssl_srv.c | 29 ++---------------------------
 library/ssl_tls.c | 33 ++++-----------------------------
 2 files changed, 6 insertions(+), 56 deletions(-)

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index e151ffe89..f774b407f 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -3055,39 +3055,14 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
     if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
         authmode = ssl->handshake->sni_authmode;
     else
-#endif
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
-    /*
-     * check if we have a chosen srtp protection profile,
-     * force verify mode to be at least OPTIONAL
-     */
-    if ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE &&
-         ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE )
-    {
-        authmode = MBEDTLS_SSL_VERIFY_OPTIONAL;
-    }
-    else
 #endif
         authmode = ssl->conf->authmode;
 
     if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ||
         authmode == MBEDTLS_SSL_VERIFY_NONE )
     {
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
-        /* check if we have a chosen srtp protection profile */
-        if ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 2, ( "should not happen" ) );
-            return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
-        }
-        else
-        {
-#endif
-            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
-            return( 0 );
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
-        }
-#endif
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
+        return( 0 );
     }
 
     /*
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 696eb85ea..6b084450c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
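Review bot: With the SRTP override removed, a server configured with MBEDTLS_SSL_VERIFY_NONE now skips the CertificateRequest even when a DTLS-SRTP profile was negotiated, so no client certificate is exchanged and an application that compares certificate fingerprints against the signaling channel (RFC 5763 style) has nothing to compare; the same coupling is dropped in the ssl_tls.c hunks for mbedtls_ssl_write_certificate (which no longer rejects a certificate-less ciphersuite when a profile is chosen) and mbedtls_ssl_parse_certificate. That appears to be the commit's intent, but the responsibility now rests entirely with the caller and nothing in the new code records it. A comment at the surviving `authmode = ssl->conf->authmode;` line would make this explicit: `/* DTLS-SRTP does not alter authmode: applications relying on peer certificate fingerprints must configure at least MBEDTLS_SSL_VERIFY_OPTIONAL themselves */`. The same expectation belongs in the use_srtp API documentation, which per the diffstat this commit does not touch. The body of ssl_write_certificate_request starts and ends outside the hunk.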
@@ -2088,21 +2088,9 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
 
     if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
     {
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
-        /* check if we have a chosen srtp protection profile */
-        if( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE )
-        {
-            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
-        }
-        else
-        {
-#endif /* MBEDTLS_SSL_DTLS_SRTP */
-            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
-            ssl->state++;
-            return( 0 );
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
-        }
-#endif
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
+        ssl->state++;
+        return( 0 );
     }
 
 #if defined(MBEDTLS_SSL_CLI_C)
@@ -2727,22 +2715,9 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
     const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
                        ? ssl->handshake->sni_authmode
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
-                       : ssl->dtls_srtp_info.chosen_dtls_srtp_profile !=
-                                MBEDTLS_SRTP_UNSET_PROFILE
-                         && ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE
-                         ? MBEDTLS_SSL_VERIFY_OPTIONAL
-#endif /* MBEDTLS_SSL_DTLS_SRTP */
                        : ssl->conf->authmode;
 #else
-    const int authmode =
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
-        ssl->dtls_srtp_info.chosen_dtls_srtp_profile !=
-            MBEDTLS_SRTP_UNSET_PROFILE &&
-        ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ?
-            MBEDTLS_SSL_VERIFY_OPTIONAL :
-#endif /* MBEDTLS_SSL_DTLS_SRTP */
-        ssl->conf->authmode;
+    const int authmode = ssl->conf->authmode;
 #endif
     void *rs_ctx = NULL;
     mbedtls_x509_crt *chain = NULL;