Commit ea3fc601 authored by Matt Caswell's avatar Matt Caswell
Browse files

Copy custom extension flags in a call to SSL_set_SSL_CTX() 



The function SSL_set_SSL_CTX() can be used to swap the SSL_CTX used for
a connection as part of an SNI callback. One result of this is that the
s->cert structure is replaced. However this structure contains information
about any custom extensions that have been loaded. In particular flags are
set indicating whether a particular extension has been received in the
ClientHello. By replacing the s->cert structure we lose the custom
extension flag values, and it appears as if a client has not sent those
extensions.

SSL_set_SSL_CTX() should copy any flags for custom extensions that appear
in both the old and the new cert structure.

Fixes #2180

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3427)
parent 4ae5993c

ssl/ssl_lib.c

+3 −0
Original line number Diff line number Diff line
@@ -3194,6 +3194,9 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) 
        ssl->cert->alpn_proposed_len = ocert->alpn_proposed_len;

        ocert->alpn_proposed = NULL;

        ssl->cert->alpn_sent = ocert->alpn_sent;



        if (!custom_exts_copy_flags(&ssl->cert->srv_ext, &ocert->srv_ext))

            return NULL;

#endif

        ssl_cert_free(ocert);

    }

ssl/ssl_locl.h

+2 −0
Original line number Diff line number Diff line
@@ -1482,6 +1482,8 @@ int custom_ext_add(SSL *s, int server, 
                   unsigned char **pret, unsigned char *limit, int *al);



int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src);

int custom_exts_copy_flags(custom_ext_methods *dst,

                           const custom_ext_methods *src);

void custom_exts_free(custom_ext_methods *exts);



# else

ssl/t1_ext.c

+19 −0
Original line number Diff line number Diff line
@@ -179,6 +179,25 @@ int custom_ext_add(SSL *s, int server, 
    return 1;

}



/* Copy the flags from src to dst for any extensions that exist in both */

int custom_exts_copy_flags(custom_ext_methods *dst,

                           const custom_ext_methods *src)

{

    size_t i;

    custom_ext_method *methsrc = src->meths;



    for (i = 0; i < src->meths_count; i++, methsrc++) {

        custom_ext_method *methdst = custom_ext_find(dst, methsrc->ext_type);



        if (methdst == NULL)

            continue;



        methdst->ext_flags = methsrc->ext_flags;

    }



    return 1;

}



/* Copy table of custom extensions */

int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src)

{