From 0dbcd1d3f094c5ffd491b479b15efe3dbe08496d Mon Sep 17 00:00:00 2001
From: Johan Pascal
Date: Wed, 28 Oct 2020 11:03:07 +0100
Subject: [PATCH] Make API safer

Signed-off-by: Johan Pascal
---
 include/mbedtls/ssl.h | 5 +----
 library/ssl_tls.c | 10 ++++++++--
 programs/ssl/ssl_client2.c | 10 +++++-----
 programs/ssl/ssl_server2.c | 10 +++++-----
 4 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 398eb012a..4805c67b3 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -3275,11 +3275,8 @@ int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
 * or peer's Hello packet was not parsed yet.
 * - mki size and value (if size is > 0). These informations are valid only
 * if the protection profile returned is not MBEDTLS_TLS_SRTP_UNSET.
- * Ownership of the returned structure is kept by the ssl context,
- * the caller must duplicate any information that must live longer than
- * the context (typically MKI size and value if any)
 */
-const mbedtls_dtls_srtp_info *mbedtls_ssl_get_dtls_srtp_negotiation_result
+mbedtls_dtls_srtp_info mbedtls_ssl_get_dtls_srtp_negotiation_result
 ( const mbedtls_ssl_context *ssl );
 #endif /* MBEDTLS_SSL_DTLS_SRTP */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index cee8ba132..0739b8f05 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4751,10 +4751,16 @@ int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf,
 return( 0 );
 }
-const mbedtls_dtls_srtp_info *
+mbedtls_dtls_srtp_info
 mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ssl )
 {
- return( &( ssl->dtls_srtp_info ) );
+ mbedtls_dtls_srtp_info ret = ssl->dtls_srtp_info;
+ /* discard the mki if there is no chosen profile */
+ if ( ret.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET )
+ {
+ ret.mki_len = 0;
+ }
+ return( ret );
 }
 #endif /* MBEDTLS_SSL_DTLS_SRTP */
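Review bot: The doc comment above the prototype in include/mbedtls/ssl.h drops its ownership paragraph without saying what replaces it, so a reader of the header cannot tell that the result is now a by-value copy taken at call time. I would add, before the closing `*/`, a line such as `* The structure is returned by value; it is a snapshot and is not updated if the context changes afterwards.` and also state that `mki_len` is reported as 0 when the profile is MBEDTLS_TLS_SRTP_UNSET, which is what the new implementation in library/ssl_tls.c does. The return type change from a pointer to a struct also breaks source compatibility for existing callers, which deserves a mention in the commit message or changelog. The comment block begins above the hunk.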
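Review bot: In the UNSET branch of mbedtls_ssl_get_dtls_srtp_negotiation_result in library/ssl_tls.c only `ret.mki_len` is cleared, while the struct assignment on the first added line has already copied whatever bytes were in `ssl->dtls_srtp_info.mki_value` into the returned value. A caller that reads `mki_value` without checking `mki_len` would still see those bytes. For an API change meant to be safer, clear the buffer as well, e.g. `memset( ret.mki_value, 0, sizeof( ret.mki_value ) );` next to `ret.mki_len = 0;` (this assumes `mki_value` is an array member, which the hunk does not show), or copy the MKI only when a profile was chosen.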
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index d53a40af8..2a6050789 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -2754,10 +2754,10 @@ int main( int argc, char *argv[] )
 else if( opt.use_srtp != 0 )
 {
 size_t j = 0;
- const mbedtls_dtls_srtp_info *dtls_srtp_negotiation_result =
+ mbedtls_dtls_srtp_info dtls_srtp_negotiation_result =
 mbedtls_ssl_get_dtls_srtp_negotiation_result( &ssl );
- if( ( dtls_srtp_negotiation_result->chosen_dtls_srtp_profile
+ if( ( dtls_srtp_negotiation_result.chosen_dtls_srtp_profile
 == MBEDTLS_TLS_SRTP_UNSET ) )
 {
 mbedtls_printf( " Unable to negotiate "
@@ -2800,12 +2800,12 @@ int main( int argc, char *argv[] )
 }
 mbedtls_printf( "\n" );
- if ( dtls_srtp_negotiation_result->mki_len > 0 )
+ if ( dtls_srtp_negotiation_result.mki_len > 0 )
 {
 mbedtls_printf( " DTLS-SRTP mki value: " );
- for( j = 0; j < dtls_srtp_negotiation_result->mki_len; j++ )
+ for( j = 0; j < dtls_srtp_negotiation_result.mki_len; j++ )
 {
- mbedtls_printf( "%02X", dtls_srtp_negotiation_result->mki_value[j] );
+ mbedtls_printf( "%02X", dtls_srtp_negotiation_result.mki_value[j] );
 }
 }
 else
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 126a64c0d..81721bbca 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -3865,10 +3865,10 @@ handshake:
 else if( opt.use_srtp != 0 )
 {
 size_t j = 0;
- const mbedtls_dtls_srtp_info *dtls_srtp_negotiation_result =
+ mbedtls_dtls_srtp_info dtls_srtp_negotiation_result =
 mbedtls_ssl_get_dtls_srtp_negotiation_result( &ssl );
- if( ( dtls_srtp_negotiation_result->chosen_dtls_srtp_profile
+ if( ( dtls_srtp_negotiation_result.chosen_dtls_srtp_profile
 == MBEDTLS_TLS_SRTP_UNSET ) )
 {
 mbedtls_printf( " Unable to negotiate "
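Review bot: The local `dtls_srtp_negotiation_result` in the first ssl_client2.c hunk lost its `const` together with the pointer, although the lines shown only read it. Declaring it as `const mbedtls_dtls_srtp_info dtls_srtp_negotiation_result =` keeps the read-only intent and lets the compiler reject an accidental write to the copy. The same applies to the matching declaration in the first ssl_server2.c hunk. The enclosing block starts and ends outside both hunks.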
@@ -3911,12 +3911,12 @@ handshake:
 }
 mbedtls_printf( "\n" );
- if ( dtls_srtp_negotiation_result->mki_len > 0 )
+ if ( dtls_srtp_negotiation_result.mki_len > 0 )
 {
 mbedtls_printf( " DTLS-SRTP mki value: " );
- for( j = 0; j < dtls_srtp_negotiation_result->mki_len; j++ )
+ for( j = 0; j < dtls_srtp_negotiation_result.mki_len; j++ )
 {
- mbedtls_printf( "%02X", dtls_srtp_negotiation_result->mki_value[j] );
+ mbedtls_printf( "%02X", dtls_srtp_negotiation_result.mki_value[j] );
 }
 }
 else