X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fextensions.c;h=8e1b502083f9627f7436ab0c0702a54ac42a35fa;hp=8d08b0cf4c2b09f8256ee0eebc7ef753f8fea168;hb=28a31a0a10f41ef855cabab4e18c994c44225125;hpb=2248dbebeeedd77f08d67e3dcd9031f6c1f0894f
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 8d08b0cf4c..8e1b502083 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -36,7 +36,9 @@ static int init_etm(SSL *s, unsigned int context);
 static int init_ems(SSL *s, unsigned int context);
 static int final_ems(SSL *s, unsigned int context, int sent, int *al);
 static int init_psk_kex_modes(SSL *s, unsigned int context);
+#ifndef OPENSSL_NO_EC
 static int final_key_share(SSL *s, unsigned int context, int sent, int *al);
+#endif
 #ifndef OPENSSL_NO_SRTP
 static int init_srtp(SSL *s, unsigned int context);
 #endif
@@ -205,7 +207,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
 #endif
 {
 TLSEXT_TYPE_encrypt_then_mac,
- EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
+ EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY | EXT_SSL3_ALLOWED,
 init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm, tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
 },
@@ -244,6 +246,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
 init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL, tls_construct_ctos_psk_kex_modes, NULL
 },
+#ifndef OPENSSL_NO_EC
 {
 /*
 * Must be in this list after supported_groups. We need that to have
@@ -257,6 +260,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
 tls_construct_stoc_key_share, tls_construct_ctos_key_share, final_key_share
 },
+#endif
 {
 /*
 * Special unsolicited ServerHello extension only used when
@@ -908,7 +912,7 @@ static int init_srp(SSL *s, unsigned int context)
 static int init_etm(SSL *s, unsigned int context)
 {
- s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
+ s->ext.use_etm = 0;
 return 1;
 }
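Review bot: Guarding the key_share entry of `ext_defs` with `#ifndef OPENSSL_NO_EC` (hunks at -244 and -257) makes the table one entry shorter in no-EC builds, so anything that addresses entries by position must carry the same guard; no such code is in this file's diff, so it needs checking elsewhere. The same guard removes `final_key_share` (hunks at -36, -960 and -1078), and the fragments shown suggest that function is where TLS 1.3 key-share negotiation is finalised, so confirm that a no-EC build cannot negotiate TLS 1.3 at all. I would document this at the table guard, e.g. `/* key_share is compiled out with OPENSSL_NO_EC; later entries move up one slot */`, and close the long guard with `#endif /* OPENSSL_NO_EC */`.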
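Review bot: In the `ext_defs` hunk at -205, adding `EXT_SSL3_ALLOWED` to the encrypt_then_mac entry appears, going by the flag's name, to let the extension be accepted on SSLv3 connections, and nothing in the diff says why. The only other ETM change shown is `init_etm` resetting `s->ext.use_etm`; whether the SSLv3 record path reads that flag is not visible here and should be confirmed, because a mode that is negotiated but not applied consistently on both sides breaks record protection rather than strengthening it. A one-line comment on the entry giving the actual reason SSLv3 is allowed would make the intent reviewable.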
@@ -960,7 +964,7 @@ static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al)
 return 1;
 }
-
+#ifndef OPENSSL_NO_EC
 static int final_key_share(SSL *s, unsigned int context, int sent, int *al)
 {
 if (!SSL_IS_TLS13(s))
@@ -1018,7 +1022,7 @@ static int final_key_share(SSL *s, unsigned int context, int sent, int *al)
 != 0)) {
 const unsigned char *pcurves, *pcurvestmp, *clntcurves;
 size_t num_curves, clnt_num_curves, i;
- unsigned int group_id;
+ unsigned int group_id = 0;
 /* Check if a shared group exists */
@@ -1039,7 +1043,7 @@ static int final_key_share(SSL *s, unsigned int context, int sent, int *al)
 /* Find the first group we allow that is also in client's list */
 for (i = 0, pcurvestmp = pcurves; i < num_curves; i++, pcurvestmp += 2) {
- group_id = pcurvestmp[0] << 8 | pcurvestmp[1];
+ group_id = bytestogroup(pcurvestmp);
 if (check_in_list(s, group_id, clntcurves, clnt_num_curves, 1))
 break;
@@ -1078,6 +1082,7 @@ static int final_key_share(SSL *s, unsigned int context, int sent, int *al)
 return 1;
 }
+#endif
 static int init_psk_kex_modes(SSL *s, unsigned int context)
 {
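Review bot: In the hunk at -1018 the new initialiser `unsigned int group_id = 0;` gives the variable a defined value on the path where the search loop at -1039 runs zero times, so a later read of it can no longer be flagged as uninitialised by the compiler or a sanitizer. The code that uses `group_id` after the loop is outside these hunks; it should only read the value when the loop ended early (`i < num_curves`), and that is worth verifying. I would add `/* 0 is a placeholder; only meaningful if a shared group was found */` above the declaration. `bytestogroup()` is defined outside this diff, so its assumption of two readable bytes at `pcurvestmp` could not be checked here.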