X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_rsa.c;h=7fcd8460a3e5832c385e264f033b154b4f77225b;hp=b6765a30e1fe200563e6b2303cf718def7100d77;hb=7988163c3bd5d4c72e12ac7db960da57eba4eb0e;hpb=92acab0b6a540fb2990ced45815f56072ef66d20

diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index b6765a30e1..7fcd8460a3 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -758,19 +758,15 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
 		X509 *ca;
 		int r;
 		unsigned long err;
-		
-		if (ctx->extra_certs != NULL)
-			{
-			sk_X509_pop_free(ctx->extra_certs, X509_free);
-			ctx->extra_certs = NULL;
-			}
 
+		SSL_CTX_clear_chain_certs(ctx);
+		
 		while ((ca = PEM_read_bio_X509(in, NULL,
 					ctx->default_passwd_callback,
 					ctx->default_passwd_callback_userdata))
 			!= NULL)
 			{
-			r = SSL_CTX_add_extra_chain_cert(ctx, ca);
+			r = SSL_CTX_add0_chain_cert(ctx, ca);
 			if (!r) 
 				{
 				X509_free(ca);
@@ -982,6 +978,7 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
 	long extension_length = 0;
 	char* name = NULL;
 	char* header = NULL;
+	char namePrefix[] = "SERVERINFO FOR ";
 	int ret = 0;
 	BIO *bin = NULL;
 	size_t num_extensions = 0;
@@ -1011,17 +1008,28 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
 			/* There must be at least one extension in this file */
 			if (num_extensions == 0)
 				{
-				SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PEM_LIB);
+				SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_NO_PEM_EXTENSIONS);
 				goto end;
 				}
 			else /* End of file, we're done */
 				break;
 			}
+		/* Check that PEM name starts with "BEGIN SERVERINFO FOR " */
+		if (strlen(name) < strlen(namePrefix))
+			{
+			SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_TOO_SHORT);
+			goto end;
+			}
+		if (strncmp(name, namePrefix, strlen(namePrefix)) != 0)
+			{
+			SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_BAD_PREFIX);
+			goto end;
+			}
 		/* Check that the decoded PEM data is plausible (valid length field) */
 		if (extension_length < 4 || (extension[2] << 8) + extension[3] != extension_length - 4)
 			{
-				SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PEM_LIB);
-				goto end;
+			SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);
+			goto end;
 			}
 		/* Append the decoded extension to the serverinfo buffer */
 		serverinfo = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);