Commit 6da49899 authored by Trevor Perrin's avatar Trevor Perrin Committed by Ben Laurie

Various custom extension fixes.

Force no SSL2 when custom extensions are in use.
Don't clear extension state when cert is set.
Clear on renegotiate.

Conflicts:
	ssl/t1_lib.c
parent 86a66deb
+3 −1
@@ -342,6 +342,8 @@ static int ssl23_client_hello(SSL *s)
#endif
		if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
			ssl2_compat = 0;
		if (s->ctx->custom_cli_ext_records_count != 0)
			ssl2_compat = 0;
		}
#endif
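Review bot: The new check on `s->ctx->custom_cli_ext_records_count` has no comment saying why a registered custom client extension rules out the SSLv2-compatible ClientHello, and a reader of ssl23_client_hello (whose body starts and ends outside this hunk) has to know that the SSLv2 hello format has no extensions block to follow it. A one-line comment above the condition, `/* SSLv2-format hellos cannot carry TLS extensions, so registered custom extensions force a TLS-format hello */`, would make that explicit, and the neighbouring tlsext_authz_server_audit_proof_cb check would read better under the same comment. The check reads the count from the SSL_CTX only; if the count can differ per SSL object elsewhere in the file, that is not consulted here and is worth confirming.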

+2 −19
@@ -463,23 +463,6 @@ static int ssl_set_cert(CERT *c, X509 *x)
		X509_free(c->pkeys[i].x509);
	CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
	c->pkeys[i].x509=x;
#ifndef OPENSSL_NO_TLSEXT
	/* Free the old authz data, if it exists. */
	if (c->pkeys[i].authz != NULL)
		{
		OPENSSL_free(c->pkeys[i].authz);
		c->pkeys[i].authz = NULL;
		c->pkeys[i].authz_length = 0;
		}

	/* Free the old serverinfo data, if it exists. */
	if (c->pkeys[i].serverinfo != NULL)
		{
		OPENSSL_free(c->pkeys[i].serverinfo);
		c->pkeys[i].serverinfo = NULL;
		c->pkeys[i].serverinfo_length = 0;
		}
#endif
	c->key= &(c->pkeys[i]);

	c->valid=0;
@@ -1083,7 +1066,7 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
	if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL))
		{
		SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,SSL_R_INVALID_SERVERINFO_DATA);
		return(0);
		return 0;
		}
	if (!ssl_cert_inst(&ctx->cert))
		{
@@ -1110,7 +1093,7 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
	if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx))
		{
		SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,SSL_R_INVALID_SERVERINFO_DATA);
		return(0);
		return 0;
		}
	return 1;
	}
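Review bot: With the `#ifndef OPENSSL_NO_TLSEXT` block removed from ssl_set_cert, replacing the certificate in slot i no longer releases pkeys[i].authz or pkeys[i].serverinfo, so serverinfo loaded for the previous certificate is presented alongside the new one until the application loads fresh data. That matches the commit message, but it moves a responsibility onto callers that nothing in this hunk records; a comment at the removal site, `/* authz/serverinfo are intentionally kept across cert replacement; reload them if they were bound to the old cert */`, or a sentence in the SSL_CTX_use_serverinfo documentation, would capture it. It is also worth confirming that ssl_cert_free (outside this hunk) still frees both buffers, since this function was previously one of the places they were released. The two remaining hunks only change `return(0);` to `return 0;`.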
+8 −0
@@ -1860,6 +1860,14 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
	s->s3->next_proto_neg_seen = 0;
#endif

	/* Clear observed custom extensions */
	s->s3->tlsext_custom_types_count = 0;
	if (s->s3->tlsext_custom_types != NULL)
		{
		OPENSSL_free(s->s3->tlsext_custom_types);
		s->s3->tlsext_custom_types = NULL;
		}		

#ifndef OPENSSL_NO_HEARTBEATS
	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
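Review bot: The closing brace of the new block, `}` followed by trailing tabs, carries whitespace the surrounding code does not; the line should end at the brace. The reset itself looks sound — the count is zeroed and the buffer freed with the pointer set to NULL — so a ClientHello parsed on renegotiation starts from an empty list instead of extending the previous handshake's, which appears to be the "clear on renegotiate" in the commit message; a short why-comment, `/* Reset so a renegotiation ClientHello starts from an empty list rather than extending the previous one */`, would say so in the code. ssl_scan_clienthello_tlsext starts and ends outside this hunk.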