From ba589955f7d66487c2522626b1d59a89f80e7010 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Tue, 18 Jan 2022 08:58:06 -0800
Subject: [PATCH] Improve the DTLS SRTP client side parsing.

---
 src/ssl.c |  7 ++++---
 src/tls.c | 39 +++++++++++++++++++++++++--------------
 2 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index a26198519..3addd1ed1 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -1406,14 +1406,15 @@ int wolfSSL_export_dtls_srtp_keying_material(WOLFSSL* ssl,
         WOLFSSL_MSG("Not using DTLS SRTP");
         return EXT_MISSING;
     }
-    if (*olen < (size_t)profile->kdfBits) {
-        return BUFFER_E;
-    }
     if (out == NULL) {
         *olen = profile->kdfBits;
         return LENGTH_ONLY_E;
     }
 
+    if (*olen < (size_t)profile->kdfBits) {
+        return BUFFER_E;
+    }
+
 #ifdef WOLFSSL_HAVE_PRF
     XMEMCPY(seed,           ssl->arrays->serverRandom, RAN_LEN);
     XMEMCPY(seed + RAN_LEN, ssl->arrays->clientRandom, RAN_LEN);
diff --git a/src/tls.c b/src/tls.c
index e52e38a27..c1fe13b21 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -5407,33 +5407,44 @@ static int TLSX_UseSRTP_Parse(WOLFSSL* ssl, const byte* input, word16 length,
     byte isRequest)
 {
     int ret = BAD_FUNC_ARG;
-#ifndef NO_WOLFSSL_SERVER
-    int i;
-    TlsxSrtp* srtp = NULL;
     word16 profile_len = 0;
     word16 profile_value = 0;
     word16 offset = 0;
+#ifndef NO_WOLFSSL_SERVER
+    int i;
+    TlsxSrtp* srtp = NULL;
 #endif
 
     if (length < OPAQUE16_LEN) {
         return BUFFER_ERROR;
     }
 
+    /* reset selected DTLS SRTP profile ID */
+    ssl->dtlsSrtpId = 0;
+
+    /* total length, not include itself */
+    ato16(input, &profile_len);
+    offset += OPAQUE16_LEN;
+
     if (!isRequest) {
 #ifndef NO_WOLFSSL_CLIENT
-        ssl->dtlsSrtpProfiles = ssl->ctx->dtlsSrtpProfiles;
-        ret = 0; /* success */
+        if (length < offset + OPAQUE16_LEN)
+            return BUFFER_ERROR;
+
+        ato16(input + offset, &profile_value);
+
+        /* check that the profile received was in the ones we support */
+        if (profile_value < 16 && 
+                               (ssl->dtlsSrtpProfiles & (1 << profile_value))) {
+            ssl->dtlsSrtpId = profile_value;
+            ret = 0; /* success */
+        }
 #endif
     }
 #ifndef NO_WOLFSSL_SERVER
     else {
-        /* total length, not include itself */
-        ato16(input, &profile_len);
-        offset += OPAQUE16_LEN;
-
         /* parse remainder one profile at a time, looking for match in CTX */
         ret = 0;
-        ssl->dtlsSrtpId = 0;
         for (i=offset; i<length; i+=OPAQUE16_LEN) {
             ato16(input+i, &profile_value);
             /* find first match */
@@ -5448,6 +5459,7 @@ static int TLSX_UseSRTP_Parse(WOLFSSL* ssl, const byte* input, word16 length,
                         (void*)srtp, ssl->heap);
                     if (ret == 0) {
                         TLSX_SetResponse(ssl, TLSX_USE_SRTP);
+                        /* successfully set extension */
                     }
                 }
                 else {
@@ -5456,19 +5468,18 @@ static int TLSX_UseSRTP_Parse(WOLFSSL* ssl, const byte* input, word16 length,
                 break;
             }
         }
-        (void)profile_len;
     }
 
     if (ret == 0 && ssl->dtlsSrtpId == 0) {
-        WOLFSSL_MSG("SRP Profile not found!");
-        /* not fatal, so return 0 */
-        ret = 0;
+        WOLFSSL_MSG("TLSX_UseSRTP_Parse profile not found!");
+        /* not fatal */
     }
     else if (ret != 0) {
         ssl->dtlsSrtpId = 0;
         TLSX_UseSRTP_Free(srtp, ssl->heap);
     }
 #endif
+    (void)profile_len;
 
     return ret;
 }