The branch OpenSSL_1_0_2-stable has been updated
via a8d40f64d820e199c87a21597acd92a530286885 (commit)
via 876931488652438645427b041da058883cbb3513 (commit)
from 64eaf6c928f4066d62aa86f805796ef05bd0b1cc (commit)
- Log -----------------------------------------------------------------
commit a8d40f64d820e199c87a21597acd92a530286885
Author: TJ Saunders <[email protected]>
Date: Fri Apr 29 07:40:28 2016 -0700
Remove confusing comment.
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Rich Salz <[email protected]>
commit 876931488652438645427b041da058883cbb3513
Author: TJ Saunders <[email protected]>
Date: Wed Mar 23 11:55:53 2016 -0700
Issue #719:
If no serverinfo extension is found in some cases, do not abort the
handshake, but simply omit/skip that extension.

Check for already-registered serverinfo callbacks during serverinfo
registration.

Update SSL_CTX_use_serverinfo() documentation to mention the need to reload
the same serverinfo per certificate, for servers with multiple server
certificates.
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Rich Salz <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
doc/ssl/SSL_CTX_use_serverinfo.pod | 8 ++++++++
ssl/ssl_rsa.c | 28 +++++++++++++++++++++-------
2 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/doc/ssl/SSL_CTX_use_serverinfo.pod
b/doc/ssl/SSL_CTX_use_serverinfo.pod
index 318e052..caeb28d 100644
--- a/doc/ssl/SSL_CTX_use_serverinfo.pod
+++ b/doc/ssl/SSL_CTX_use_serverinfo.pod
@@ -30,6 +30,14 @@ must consist of a 2-byte Extension Type, a 2-byte length,
and then length
bytes of extension_data. Each PEM extension name must begin with the phrase
"BEGIN SERVERINFO FOR ".
+If more than one certificate (RSA/DSA) is installed using
+SSL_CTX_use_certificate(), the serverinfo extension will be loaded into the
+last certificate installed. If e.g. the last item was a RSA certificate, the
+loaded serverinfo extension data will be loaded for that certificate. To
+use the serverinfo extension for multiple certificates,
+SSL_CTX_use_serverinfo() needs to be called multiple times, once B<after>
+each time a certificate is loaded.
+
=head1 NOTES
=head1 RETURN VALUES
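Review bot: the new paragraph says the same thing twice and has a grammar slip in the second sentence ("a RSA certificate" should be "an RSA certificate"); the sentence "If e.g. the last item was a RSA certificate, the loaded serverinfo extension data will be loaded for that certificate." adds nothing beyond "the serverinfo extension will be loaded into the last certificate installed" and can be dropped, or reworded to make the operational point explicit: serverinfo is bound to whichever certificate was most recently set, so a later SSL_CTX_use_certificate() call does not carry earlier serverinfo over to the new certificate. It would also help operators to state the consequence of getting the order wrong (serverinfo loaded before the certificate it is meant for), since that misconfiguration is exactly what the paragraph exists to prevent and it fails silently from the client's point of view.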
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index b0f75c9..8202247 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -841,7 +841,7 @@ static int serverinfo_srv_add_cb(SSL *s, unsigned int
ext_type,
return 0; /* No extension found, don't send extension */
return 1; /* Send extension */
}
- return -1; /* No serverinfo data found, don't send
+ return 0; /* No serverinfo data found, don't send
* extension */
}
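Review bot: the one-line change makes the fall-through return consistent with the in-loop `return 0; /* No extension found, don't send extension */` and with the commit message's intent that a missing serverinfo blob no longer aborts the handshake, but the comment still reads as if nothing changed, and a reader seeing two identical `return 0` paths will wonder why the branches are separate. Suggest `return 0; /* No serverinfo data for this certificate: omit extension, do not fail */` and, in the commit message, an explicit note that the previous `-1` was the abort-handshake result of the custom-extension add callback, since that is the behavioural fix being shipped in a stable branch and it matters to anyone triaging handshake failures on servers with several certificates.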
@@ -870,12 +870,26 @@ static int serverinfo_process_buffer(const unsigned char
*serverinfo,
/* Register callbacks for extensions */
ext_type = (serverinfo[0] << 8) + serverinfo[1];
- if (ctx && !SSL_CTX_add_server_custom_ext(ctx, ext_type,
- serverinfo_srv_add_cb,
- NULL, NULL,
- serverinfo_srv_parse_cb,
- NULL))
- return 0;
+ if (ctx) {
+ int have_ext_cbs = 0;
+ size_t i;
+ custom_ext_methods *exts = &ctx->cert->srv_ext;
+ custom_ext_method *meth = exts->meths;
+
+ for (i = 0; i < exts->meths_count; i++, meth++) {
+ if (ext_type == meth->ext_type) {
+ have_ext_cbs = 1;
+ break;
+ }
+ }
+
+ if (!have_ext_cbs && !SSL_CTX_add_server_custom_ext(ctx, ext_type,
+
serverinfo_srv_add_cb,
+ NULL, NULL,
+
serverinfo_srv_parse_cb,
+ NULL))
+ return 0;
+ }
serverinfo += 2;
serverinfo_length -= 2;
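Review bot: the duplicate-registration check at the top of the new `if (ctx)` block keys only on `ext_type == meth->ext_type`; it does not verify that the existing entry is the serverinfo callback pair. If an application has already registered its own callbacks for the same extension type via SSL_CTX_add_server_custom_ext(), this loop sets `have_ext_cbs`, the serverinfo registration is silently skipped, and the serverinfo data for that type is never served, with SSL_CTX_use_serverinfo() still reporting success. Suggest either additionally comparing `meth->add_cb == serverinfo_srv_add_cb` and treating a mismatch as a failure (`return 0;`, as the existing failed-add path does), or documenting in SSL_CTX_use_serverinfo.pod that a pre-existing custom extension of the same type takes precedence. Separately, the block reaches into `ctx->cert->srv_ext` and walks `exts->meths` directly; a small "is this type already registered" helper next to SSL_CTX_add_server_custom_ext() would keep the `custom_ext_methods` layout private to one file.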
openssl-commits mailing list