Enforce SRTP mandatory HS messages

Enforce CertificateRequest, client and server Certificates, and CertificateVerify messages, which are mandatory in DTLS-SRTP, as defined in RFC 5764 section 4.1 Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2025-07-29 11:41:15 +03:00 · 2018-04-02 18:25:16 +03:00
parent 9e9096476e
commit 57cc70ec81
3 changed files with 75 additions and 13 deletions
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -3018,14 +3018,33 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
    if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
        authmode = ssl->handshake->sni_authmode;
    else
+#endif
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+    /* check if we have a chosen srtp protection profile */
+    if ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE ) {
+        authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+    }
+        else
 #endif
        authmode = ssl->conf->authmode;

    if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ||
        authmode == MBEDTLS_SSL_VERIFY_NONE )
    {
-        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
-        return( 0 );
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+    /* check if we have a chosen srtp protection profile */
+        if ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE ) {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "should not happen" ) );
+            return ( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+        }
+        else
+        {
+#endif
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
+            return( 0 );
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+        }
+#endif
    }

    /*