From f233a9d181b5cd150322e2e10348a4c1d96fc1f3 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 25 Apr 2017 12:42:17 +0100
Subject: [PATCH] Clarify serverinfo usage with Certificate messages

Ensure that serverinfo only gets added for the first Certificate in a list.

Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/3298)
---
 doc/man3/SSL_CTX_use_serverinfo.pod | 4 +++-
 ssl/ssl_rsa.c                       | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/man3/SSL_CTX_use_serverinfo.pod b/doc/man3/SSL_CTX_use_serverinfo.pod
index b1412432f6..a5defb30ee 100644
--- a/doc/man3/SSL_CTX_use_serverinfo.pod
+++ b/doc/man3/SSL_CTX_use_serverinfo.pod
@@ -33,7 +33,9 @@ byte array provided in B<*serverinfo> which is of length B.
 If B is B then the extensions in the array must
 consist of a 4-byte context, a 2-byte Extension Type, a 2-byte length, and then
 length bytes of extension_data. The context and type values have the same
-meaning as for L.
+meaning as for L. If serverinfo is being loaded for
+extensions to be added to a Certificate message, then the extension will only
+be added for the first Certificate in the message.
 
 If B is B then the extensions in the array must
 consist of a 2-byte Extension Type, a 2-byte length, and then length bytes of
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index bf9678d118..f0a058e4bc 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -758,6 +758,10 @@ static int serverinfoex_srv_add_cb(SSL *s, unsigned int ext_type,
     const unsigned char *serverinfo = NULL;
     size_t serverinfo_length = 0;
 
+    /* We only support extensions for the first Certificate */
+    if ((context & SSL_EXT_TLS1_3_CERTIFICATE) != 0 && chainidx > 0)
+        return 0;
+
     /* Is there serverinfo data for the chosen server cert? */
     if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
                                         &serverinfo_length)) != 0) {
-- 
2.34.1
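Review bot: The comment on the new guard in serverinfoex_srv_add_cb says what is skipped but not why `return 0` is the right outcome, and a reader can easily misread the early return as an error path; if this follows the custom-extension add-callback convention where 0 means "do not add this extension", a chain certificate at `chainidx > 0` simply gets no serverinfo extension and the handshake continues. I would make that explicit: `/* serverinfo extensions are only sent on the end-entity certificate (chainidx 0); returning 0 omits the extension for chain certificates rather than failing the handshake */`. It is also worth noting in the comment that serverinfo entries whose context requests SSL_EXT_TLS1_3_CERTIFICATE are still accepted at load time and only withheld here, so operators should not expect a load-time error for data that will never be sent on chain certificates. The function's signature, including the `context` and `chainidx` parameters the guard reads, and the remainder of its body lie outside the hunk.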