Prepare for 1.0.1j release

[openssl.git] / ssl / t1_lib.c

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8167a51e5c593be305096f8a6a063195480d6c64..d6aff4b682f234499862819c4a68b15e6a869fe9 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -643,7 +643,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
 #endif
 
 #ifndef OPENSSL_NO_SRTP
-        if(SSL_get_srtp_profiles(s))
+       if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
                 {
                 int el;
 
@@ -806,7 +806,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
 #endif
 
 #ifndef OPENSSL_NO_SRTP
-        if(s->srtp_profile)
+       if(SSL_IS_DTLS(s) && s->srtp_profile)
                 {
                 int el;
 
@@ -1444,7 +1444,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 
                /* session ticket processed earlier */
 #ifndef OPENSSL_NO_SRTP
-               else if (type == TLSEXT_TYPE_use_srtp)
+               else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
+                        && type == TLSEXT_TYPE_use_srtp)
                        {
                        if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
                                                              al))
@@ -1555,15 +1556,18 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;
                                }
-                       s->session->tlsext_ecpointformatlist_length = 0;
-                       if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-                       if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+                       if (!s->hit)
                                {
-                               *al = TLS1_AD_INTERNAL_ERROR;
-                               return 0;
+                               s->session->tlsext_ecpointformatlist_length = 0;
+                               if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
+                               if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+                                       {
+                                       *al = TLS1_AD_INTERNAL_ERROR;
+                                       return 0;
+                                       }
+                               s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+                               memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
                                }
-                       s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-                       memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 #if 0
                        fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
                        sdata = s->session->tlsext_ecpointformatlist;
@@ -1695,7 +1699,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        }
 #endif
 #ifndef OPENSSL_NO_SRTP
-               else if (type == TLSEXT_TYPE_use_srtp)
+               else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
                        {
                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
                                                              al))
@@ -2344,7 +2348,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
        HMAC_Final(&hctx, tick_hmac, NULL);
        HMAC_CTX_cleanup(&hctx);
        if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
+               {
+               EVP_CIPHER_CTX_cleanup(&ctx);
                return 2;
+               }
        /* Attempt to decrypt session data */
        /* Move p after IV to start of encrypted ticket, update length */
        p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);