diff options
| author | Matt Caswell <matt@openssl.org> | 2017-05-10 11:28:53 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2017-05-10 16:54:06 +0100 |
| commit | c645f9de477e3a90da2109863f9971e93ea38b58 (patch) | |
| tree | f4c3ebbf80fa11e18a353d9195a259e3d0d66cbc /ssl | |
| parent | fbf09642692d3bf9343301d1e8befd37eef0277c (diff) | |
Copy custom extension flags in a call to SSL_set_SSL_CTX()
The function SSL_set_SSL_CTX() can be used to swap the SSL_CTX used for
a connection as part of an SNI callback. One result of this is that the
s->cert structure is replaced. However this structure contains information
about any custom extensions that have been loaded. In particular flags are
set indicating whether a particular extension has been received in the
ClientHello. By replacing the s->cert structure we lose the custom
extension flag values, and it appears as if a client has not sent those
extensions.
SSL_set_SSL_CTX() should copy any flags for custom extensions that appear
in both the old and the new cert structure.
Fixes #2180
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3426)
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/ssl_lib.c | 6 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 2 | ||||
| -rw-r--r-- | ssl/t1_ext.c | 19 |
3 files changed, 27 insertions, 0 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index fc651bb5d1..cf246157ce 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3393,6 +3393,12 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) if (new_cert == NULL) { return NULL; } + + if (!custom_exts_copy_flags(&new_cert->srv_ext, &ssl->cert->srv_ext)) { + ssl_cert_free(new_cert); + return NULL; + } + ssl_cert_free(ssl->cert); ssl->cert = new_cert; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 08de52eea2..eb7e8c9d2b 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -2117,6 +2117,8 @@ __owur int custom_ext_add(SSL *s, int server, unsigned char **pret, __owur int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src); +__owur int custom_exts_copy_flags(custom_ext_methods *dst, + const custom_ext_methods *src); void custom_exts_free(custom_ext_methods *exts); void ssl_comp_free_compression_methods_int(void); diff --git a/ssl/t1_ext.c b/ssl/t1_ext.c index adcd0f9e88..a996a20dec 100644 --- a/ssl/t1_ext.c +++ b/ssl/t1_ext.c @@ -131,6 +131,25 @@ int custom_ext_add(SSL *s, int server, return 1; } +/* Copy the flags from src to dst for any extensions that exist in both */ +int custom_exts_copy_flags(custom_ext_methods *dst, + const custom_ext_methods *src) +{ + size_t i; + custom_ext_method *methsrc = src->meths; + + for (i = 0; i < src->meths_count; i++, methsrc++) { + custom_ext_method *methdst = custom_ext_find(dst, methsrc->ext_type); + + if (methdst == NULL) + continue; + + methdst->ext_flags = methsrc->ext_flags; + } + + return 1; +} + /* Copy table of custom extensions */ int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src) { |