[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Matt Caswell matt at openssl.org
Wed May 10 16:04:18 UTC 2017


The branch OpenSSL_1_0_2-stable has been updated
       via  ea3fc6010f56bad83560592b54bc54de962bbd39 (commit)
      from  4ae5993cab1b1c42cfc99180c00ae0a235ce940c (commit)


- Log -----------------------------------------------------------------
commit ea3fc6010f56bad83560592b54bc54de962bbd39
Author: Matt Caswell <matt at openssl.org>
Date:   Wed May 10 11:28:53 2017 +0100

    Copy custom extension flags in a call to SSL_set_SSL_CTX()
    
    The function SSL_set_SSL_CTX() can be used to swap the SSL_CTX used for
    a connection as part of an SNI callback. One result of this is that the
    s->cert structure is replaced. However this structure contains information
    about any custom extensions that have been loaded. In particular flags are
    set indicating whether a particular extension has been received in the
    ClientHello. By replacing the s->cert structure we lose the custom
    extension flag values, and it appears as if a client has not sent those
    extensions.
    
    SSL_set_SSL_CTX() should copy any flags for custom extensions that appear
    in both the old and the new cert structure.
    
    Fixes #2180
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3427)

-----------------------------------------------------------------------

Summary of changes:
 ssl/ssl_lib.c  |  3 +++
 ssl/ssl_locl.h |  2 ++
 ssl/t1_ext.c   | 19 +++++++++++++++++++
 3 files changed, 24 insertions(+)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 4deae85..24be376 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3194,6 +3194,9 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
         ssl->cert->alpn_proposed_len = ocert->alpn_proposed_len;
         ocert->alpn_proposed = NULL;
         ssl->cert->alpn_sent = ocert->alpn_sent;
+
+        if (!custom_exts_copy_flags(&ssl->cert->srv_ext, &ocert->srv_ext))
+            return NULL;
 #endif
         ssl_cert_free(ocert);
     }
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 362c2b8..aeffc00 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1482,6 +1482,8 @@ int custom_ext_add(SSL *s, int server,
                    unsigned char **pret, unsigned char *limit, int *al);
 
 int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src);
+int custom_exts_copy_flags(custom_ext_methods *dst,
+                           const custom_ext_methods *src);
 void custom_exts_free(custom_ext_methods *exts);
 
 # else
diff --git a/ssl/t1_ext.c b/ssl/t1_ext.c
index 8909914..0f4aba0 100644
--- a/ssl/t1_ext.c
+++ b/ssl/t1_ext.c
@@ -179,6 +179,25 @@ int custom_ext_add(SSL *s, int server,
     return 1;
 }
 
+/* Copy the flags from src to dst for any extensions that exist in both */
+int custom_exts_copy_flags(custom_ext_methods *dst,
+                           const custom_ext_methods *src)
+{
+    size_t i;
+    custom_ext_method *methsrc = src->meths;
+
+    for (i = 0; i < src->meths_count; i++, methsrc++) {
+        custom_ext_method *methdst = custom_ext_find(dst, methsrc->ext_type);
+
+        if (methdst == NULL)
+            continue;
+
+        methdst->ext_flags = methsrc->ext_flags;
+    }
+
+    return 1;
+}
+
 /* Copy table of custom extensions */
 int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src)
 {


More information about the openssl-commits mailing list