SSL export fixes (from Adam Langley) [original from 1.0.1]

[openssl.git] / ssl / ssl_lib.c

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 0b5f234e5c5a7a266cca2d3534394bc51e151073..7a4943dec6fe195e3564178a5662b082016a118b 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -177,7 +177,10 @@ SSL3_ENC_METHOD ssl3_undef_enc_method={
        0,      /* client_finished_label_len */
        NULL,   /* server_finished_label */
        0,      /* server_finished_label_len */
-       (int (*)(int))ssl_undefined_function
+       (int (*)(int))ssl_undefined_function,
+       (int (*)(SSL *, unsigned char *, size_t, const char *,
+                size_t, const unsigned char *, size_t,
+                int use_context)) ssl_undefined_function,
        };
 
 int SSL_clear(SSL *s)
@@ -596,6 +599,9 @@ void SSL_free(SSL *s)
                OPENSSL_free(s->next_proto_negotiated);
 #endif
 
+        if (s->srtp_profiles)
+            sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
+
        OPENSSL_free(s);
        }
 
@@ -1075,8 +1081,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
                s->max_cert_list=larg;
                return(l);
        case SSL_CTRL_SET_MTU:
-               if (larg < dtls1_min_mtu())
+#ifndef OPENSSL_NO_DTLS1
+               if (larg < (long)dtls1_min_mtu())
                        return 0;
+#endif
 
                if (SSL_version(s) == DTLS1_VERSION ||
                    SSL_version(s) == DTLS1_BAD_VER)
@@ -1381,7 +1389,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
                c=sk_SSL_CIPHER_value(sk,i);
                /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
                if ((c->algorithm_ssl & SSL_TLSV1_2) && 
-                       (TLS1_get_version(s) < TLS1_2_VERSION))
+                       (TLS1_get_client_version(s) < TLS1_2_VERSION))
                        continue;
 #ifndef OPENSSL_NO_KRB5
                if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&
@@ -1624,6 +1632,18 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned
 # endif
 #endif
 
+int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
+       const char *label, size_t llen, const unsigned char *p, size_t plen,
+       int use_context)
+       {
+       if (s->version < TLS1_VERSION)
+               return -1;
+
+       return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
+                                                          llen, p, plen,
+                                                          use_context);
+       }
+
 static unsigned long ssl_session_hash(const SSL_SESSION *a)
        {
        unsigned long l;
@@ -1849,8 +1869,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
         * deployed might change this.
         */
        ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
-       /* Disable TLS v1.2 by default for now */
-       ret->options |= SSL_OP_NO_TLSv1_2;
 
        return(ret);
 err:
@@ -1937,6 +1955,9 @@ void SSL_CTX_free(SSL_CTX *a)
        a->comp_methods = NULL;
 #endif
 
+        if (a->srtp_profiles)
+                sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
+
 #ifndef OPENSSL_NO_PSK
        if (a->psk_identity_hint)
                OPENSSL_free(a->psk_identity_hint);
@@ -2090,6 +2111,9 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
        if (dh_dsa) mask_k|=SSL_kDHd;
        if (dh_dsa_export) emask_k|=SSL_kDHd;
 
+       if (emask_k & (SSL_kDHr|SSL_kDHd))
+               mask_a |= SSL_aDH;
+
        if (rsa_enc || rsa_sign)
                {
                mask_a|=SSL_aRSA;
@@ -2269,7 +2293,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 #endif
 
 /* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(SSL *s)
+CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
        {
        unsigned long alg_k,alg_a;
        CERT *c;
@@ -2329,7 +2353,7 @@ X509 *ssl_get_server_send_cert(SSL *s)
                }
        if (c->pkeys[i].x509 == NULL) return(NULL);
 
-       return(c->pkeys[i].x509);
+       return(&c->pkeys[i]);
        }
 
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)