Various custom extension fixes.
authorTrevor Perrin <unsafe@trevp.net>
Sun, 28 Jul 2013 06:10:14 +0000 (23:10 -0700)
committerBen Laurie <ben@links.org>
Wed, 31 Jul 2013 13:29:41 +0000 (14:29 +0100)
Force no SSL2 when custom extensions in use.
Don't clear extension state when cert is set.
Clear on renegotiate.

ssl/s23_clnt.c
ssl/ssl_rsa.c
ssl/t1_lib.c

index 2c38b1a76a676e541fe5570c2925443884b5794a..15da654bf195e50d55b62c78fade8e282f0fefb1 100644 (file)
@@ -340,7 +340,9 @@ static int ssl23_client_hello(SSL *s)
                if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)
                        ssl2_compat = 0;
 #endif
-                if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
+               if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
+                       ssl2_compat = 0;
+               if (s->ctx->custom_cli_ext_records_count != 0)
                        ssl2_compat = 0;
                }
 #endif
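Review bot: The two added lines extend a run of four separate `if (...) ssl2_compat = 0;` statements with no comment saying why these settings disable the SSLv2-compatible ClientHello, which cannot carry TLS extensions. A single combined condition would read better, e.g. `if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL || s->ctx->custom_cli_ext_records_count != 0) ssl2_compat = 0; /* these need extensions, which an SSLv2-format hello cannot carry */`. The replaced line only changes its leading whitespace, which is fine but worth noting so nobody looks for a semantic difference. ssl23_client_hello starts before this hunk.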
index 77abcfce8318a9a870d07466a5592ec1fff237d8..2837624ae9e387590cba33fdc8ac17259f2defc6 100644 (file)
@@ -463,23 +463,6 @@ static int ssl_set_cert(CERT *c, X509 *x)
                X509_free(c->pkeys[i].x509);
        CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
        c->pkeys[i].x509=x;
-#ifndef OPENSSL_NO_TLSEXT
-       /* Free the old authz data, if it exists. */
-       if (c->pkeys[i].authz != NULL)
-               {
-               OPENSSL_free(c->pkeys[i].authz);
-               c->pkeys[i].authz = NULL;
-               c->pkeys[i].authz_length = 0;
-               }
-
-       /* Free the old serverinfo data, if it exists. */
-       if (c->pkeys[i].serverinfo != NULL)
-               {
-               OPENSSL_free(c->pkeys[i].serverinfo);
-               c->pkeys[i].serverinfo = NULL;
-               c->pkeys[i].serverinfo_length = 0;
-               }
-#endif
        c->key= &(c->pkeys[i]);
 
        c->valid=0;
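Review bot: With the frees removed, `c->pkeys[i].authz` and `c->pkeys[i].serverinfo` now survive a certificate replacement in the same slot, so data loaded for the previous certificate keeps being served with the new one until the caller explicitly replaces it. That decoupling is what the commit message intends, but it is a change of ownership that nothing in the code states; a comment at the assignment would prevent the next maintainer from reinstating the free, e.g. `/* authz/serverinfo belong to the slot, not the certificate; they deliberately persist across cert replacement */`. Whether those buffers are still released when the CERT itself is freed is not visible here and should be confirmed. ssl_set_cert begins before this hunk.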
@@ -1083,7 +1066,7 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
        if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL))
                {
                SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,SSL_R_INVALID_SERVERINFO_DATA);
-               return(0);
+               return 0;
                }
        if (!ssl_cert_inst(&ctx->cert))
                {
@@ -1110,7 +1093,7 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
        if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx))
                {
                SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,SSL_R_INVALID_SERVERINFO_DATA);
-               return(0);
+               return 0;
                }
        return 1;
        }
index 3a048e145af532832ff6bf71adc0845fe4348d85..ee376de545ce1a39ec3fdb936e6e668e09e48ba7 100644 (file)
@@ -1909,6 +1909,14 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
                s->s3->alpn_selected = NULL;
                }
 
+       /* Clear observed custom extensions */
+       s->s3->tlsext_custom_types_count = 0;
+       if (s->s3->tlsext_custom_types != NULL)
+               {
+               OPENSSL_free(s->s3->tlsext_custom_types);
+               s->s3->tlsext_custom_types = NULL;
+               }               
+
 #ifndef OPENSSL_NO_HEARTBEATS
        s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
                               SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
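Review bot: The closing brace of the added block carries trailing whitespace (`}               `) and should be stripped. The reset itself looks correct for the server-side ClientHello path: the count is zeroed before the buffer is released and the NULL guard avoids a redundant call. Whether the client-side ServerHello scan needs a matching reset on renegotiation, and whether `tlsext_custom_types` is also released when the `s3` state is torn down, cannot be judged from this hunk and should be confirmed. ssl_scan_clienthello_tlsext starts before this hunk.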