Various custom extension fixes.
Force no SSL2 when custom extensions in use. Don't clear extension state when cert is set. Clear on renegotiate.
This commit is contained in:
parent
a898936218
commit
0b2bde70dd
3 changed files with 13 additions and 20 deletions
|
@ -340,7 +340,9 @@ static int ssl23_client_hello(SSL *s)
|
|||
if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)
|
||||
ssl2_compat = 0;
|
||||
#endif
|
||||
if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
|
||||
if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
|
||||
ssl2_compat = 0;
|
||||
if (s->ctx->custom_cli_ext_records_count != 0)
|
||||
ssl2_compat = 0;
|
||||
}
|
||||
#endif
|
||||
|
|
|
@ -463,23 +463,6 @@ static int ssl_set_cert(CERT *c, X509 *x)
|
|||
X509_free(c->pkeys[i].x509);
|
||||
CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
|
||||
c->pkeys[i].x509=x;
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
/* Free the old authz data, if it exists. */
|
||||
if (c->pkeys[i].authz != NULL)
|
||||
{
|
||||
OPENSSL_free(c->pkeys[i].authz);
|
||||
c->pkeys[i].authz = NULL;
|
||||
c->pkeys[i].authz_length = 0;
|
||||
}
|
||||
|
||||
/* Free the old serverinfo data, if it exists. */
|
||||
if (c->pkeys[i].serverinfo != NULL)
|
||||
{
|
||||
OPENSSL_free(c->pkeys[i].serverinfo);
|
||||
c->pkeys[i].serverinfo = NULL;
|
||||
c->pkeys[i].serverinfo_length = 0;
|
||||
}
|
||||
#endif
|
||||
c->key= &(c->pkeys[i]);
|
||||
|
||||
c->valid=0;
|
||||
|
@ -1083,7 +1066,7 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
|
|||
if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL))
|
||||
{
|
||||
SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,SSL_R_INVALID_SERVERINFO_DATA);
|
||||
return(0);
|
||||
return 0;
|
||||
}
|
||||
if (!ssl_cert_inst(&ctx->cert))
|
||||
{
|
||||
|
@ -1110,7 +1093,7 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
|
|||
if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx))
|
||||
{
|
||||
SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,SSL_R_INVALID_SERVERINFO_DATA);
|
||||
return(0);
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
|
|
@ -1909,6 +1909,14 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
|
|||
s->s3->alpn_selected = NULL;
|
||||
}
|
||||
|
||||
/* Clear observed custom extensions */
|
||||
s->s3->tlsext_custom_types_count = 0;
|
||||
if (s->s3->tlsext_custom_types != NULL)
|
||||
{
|
||||
OPENSSL_free(s->s3->tlsext_custom_types);
|
||||
s->s3->tlsext_custom_types = NULL;
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_HEARTBEATS
|
||||
s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
|
||||
SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
|
||||
|
|
Loading…
Reference in a new issue