[openssl-commits] [openssl] master update

Rich Salz rsalz at openssl.org
Mon May 2 20:55:30 UTC 2016


The branch master has been updated
       via  5c4b8c6f613e82d8fb35ceb6e7f799cedd4d173f (commit)
       via  5f18bc589865e6cc07e47ba7412a4cfd208abd04 (commit)
      from  afce395cba521e395e6eecdaf9589105f61e4411 (commit)


- Log -----------------------------------------------------------------
commit 5c4b8c6f613e82d8fb35ceb6e7f799cedd4d173f
Author: TJ Saunders <tj at castaglia.org>
Date:   Fri Apr 29 07:41:50 2016 -0700

    Remove confusing comment.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 5f18bc589865e6cc07e47ba7412a4cfd208abd04
Author: TJ Saunders <tj at castaglia.org>
Date:   Wed Mar 23 11:55:53 2016 -0700

    Issue #719:
    
    If no serverinfo extension is found in some cases, do not abort the handshake,
    but simply omit/skip that extension.
    
    Check for already-registered serverinfo callbacks during serverinfo
    registration.
    
    Update SSL_CTX_use_serverinfo() documentation to mention the need to reload the
    same serverinfo per certificate, for servers with multiple server certificates.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/ssl/SSL_CTX_use_serverinfo.pod |  8 ++++++++
 ssl/ssl_rsa.c                      | 28 +++++++++++++++++++++-------
 2 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/doc/ssl/SSL_CTX_use_serverinfo.pod b/doc/ssl/SSL_CTX_use_serverinfo.pod
index 318e052..caeb28d 100644
--- a/doc/ssl/SSL_CTX_use_serverinfo.pod
+++ b/doc/ssl/SSL_CTX_use_serverinfo.pod
@@ -30,6 +30,14 @@ must consist of a 2-byte Extension Type, a 2-byte length, and then length
 bytes of extension_data.  Each PEM extension name must begin with the phrase
 "BEGIN SERVERINFO FOR ".
 
+If more than one certificate (RSA/DSA) is installed using
+SSL_CTX_use_certificate(), the serverinfo extension will be loaded into the
+last certificate installed.  If e.g. the last item was a RSA certificate, the
+loaded serverinfo extension data will be loaded for that certificate.  To
+use the serverinfo extension for multiple certificates,
+SSL_CTX_use_serverinfo() needs to be called multiple times, once B<after>
+each time a certificate is loaded.
+
 =head1 NOTES
 
 =head1 RETURN VALUES
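Review bot: the added paragraph says the same thing twice and has a grammar slip: the second sentence ("If e.g. the last item was a RSA certificate, the loaded serverinfo extension data will be loaded for that certificate") only restates the first and should read "an RSA" in any case. Suggest collapsing it to: "If more than one certificate is installed using SSL_CTX_use_certificate(), the serverinfo extension is associated with the last certificate installed. To use serverinfo with multiple certificates, call SSL_CTX_use_serverinfo() once B<after> each certificate is loaded." The parenthetical "(RSA/DSA)" also reads as an exhaustive list of certificate types; unless that restriction is real, drop it.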
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 00bf887..f1280ad 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -831,7 +831,7 @@ static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type,
             return 0;           /* No extension found, don't send extension */
         return 1;               /* Send extension */
     }
-    return -1;                  /* No serverinfo data found, don't send
+    return 0;                   /* No serverinfo data found, don't send
                                  * extension */
 }
 
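Review bot: changing `return -1` to `return 0` makes the code match its own comment ("No serverinfo data found, don't send extension"): a custom add callback returning 0 suppresses the extension, whereas a negative return aborts the handshake, so the old line did the opposite of what it claimed. With this change, though, the branch a few lines above ("No extension found, don't send extension") and this one are indistinguishable to the caller: a server that loaded serverinfo for one certificate but not another now silently omits the extension. That is what the commit message asks for, but it removes the only signal an operator had that the per-certificate loading step was missed; suggest stating this silent-omission behaviour explicitly in SSL_CTX_use_serverinfo.pod, next to the new paragraph about loading serverinfo after each certificate, so a missing extension is diagnosed as a configuration issue rather than reported as a bug.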
@@ -860,12 +860,26 @@ static int serverinfo_process_buffer(const unsigned char *serverinfo,
 
         /* Register callbacks for extensions */
         ext_type = (serverinfo[0] << 8) + serverinfo[1];
-        if (ctx && !SSL_CTX_add_server_custom_ext(ctx, ext_type,
-                                                  serverinfo_srv_add_cb,
-                                                  NULL, NULL,
-                                                  serverinfo_srv_parse_cb,
-                                                  NULL))
-            return 0;
+        if (ctx) {
+            int have_ext_cbs = 0;
+            size_t i;
+            custom_ext_methods *exts = &ctx->cert->srv_ext;
+            custom_ext_method *meth = exts->meths;
+
+            for (i = 0; i < exts->meths_count; i++, meth++) {
+                if (ext_type == meth->ext_type) {
+                    have_ext_cbs = 1;
+                    break;
+                }
+            }
+
+            if (!have_ext_cbs && !SSL_CTX_add_server_custom_ext(ctx, ext_type,
+                                                                serverinfo_srv_add_cb,
+                                                                NULL, NULL,
+                                                                serverinfo_srv_parse_cb,
+                                                                NULL))
+                return 0;
+        }
 
         serverinfo += 2;
         serverinfo_length -= 2;
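Review bot: the new loop over `exts->meths` treats the extension as already registered purely on `ext_type == meth->ext_type`, without checking that the stored callbacks are the serverinfo ones (`serverinfo_srv_add_cb` / `serverinfo_srv_parse_cb`). If the application has already called SSL_CTX_add_server_custom_ext() for the same extension type with its own callbacks, this code now accepts the serverinfo data silently and the application's callbacks run instead of the serverinfo ones, which is a confusing failure mode rather than a clean error. Suggest also comparing the registered add callback against `serverinfo_srv_add_cb` and, when the type is taken by something else, keeping the `return 0` path (ideally with an error pushed) so the mismatch is reported. Secondary point: walking `ctx->cert->srv_ext` directly from ssl_rsa.c ties this file to the `custom_ext_methods` layout; a small lookup helper alongside the custom-extension code (or reuse of one if it already exists there) would keep the duplicate-type check in one place.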