diff options
author | Matt Caswell <matt@openssl.org> | 2017-04-25 12:42:17 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-05-03 14:37:42 +0100 |
commit | f233a9d181b5cd150322e2e10348a4c1d96fc1f3 (patch) | |
tree | f24cd909e8ec46b7da94e83dbff225a44ddbbdfb | |
parent | fb29c0f0704a488b9e282caf7643cde0119223b8 (diff) |
Clarify serverinfo usage with Certificate messages
Ensure that serverinfo only gets added for the first Certificate in a list.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3298)
-rw-r--r-- | doc/man3/SSL_CTX_use_serverinfo.pod | 4 | ||||
-rw-r--r-- | ssl/ssl_rsa.c | 4 |
2 files changed, 7 insertions, 1 deletions
diff --git a/doc/man3/SSL_CTX_use_serverinfo.pod b/doc/man3/SSL_CTX_use_serverinfo.pod index b1412432f6..a5defb30ee 100644 --- a/doc/man3/SSL_CTX_use_serverinfo.pod +++ b/doc/man3/SSL_CTX_use_serverinfo.pod @@ -33,7 +33,9 @@ byte array provided in B<*serverinfo> which is of length B<serverinfo_length>. If B<version> is B<SSL_SERVERINFOV2> then the extensions in the array must consist of a 4-byte context, a 2-byte Extension Type, a 2-byte length, and then length bytes of extension_data. The context and type values have the same -meaning as for L<SSL_CTX_add_custom_ext(3)>. +meaning as for L<SSL_CTX_add_custom_ext(3)>. If serverinfo is being loaded for +extensions to be added to a Certificate message, then the extension will only +be added for the first Certificate in the message. If B<version> is B<SSL_SERVERINFOV1> then the extensions in the array must consist of a 2-byte Extension Type, a 2-byte length, and then length bytes of diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index bf9678d118..f0a058e4bc 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -758,6 +758,10 @@ static int serverinfoex_srv_add_cb(SSL *s, unsigned int ext_type, const unsigned char *serverinfo = NULL; size_t serverinfo_length = 0; + /* We only support extensions for the first Certificate */ + if ((context & SSL_EXT_TLS1_3_CERTIFICATE) != 0 && chainidx > 0) + return 0; + /* Is there serverinfo data for the chosen server cert? */ if ((ssl_get_server_cert_serverinfo(s, &serverinfo, &serverinfo_length)) != 0) { |