Various custom extension fixes.

Force no SSL2 when custom extensions in use. Don't clear extension state when cert is set. Clear on renegotiate.
author: Trevor Perrin <unsafe@trevp.net> 2013-07-27 23:10:14 -0700
committer: Ben Laurie <ben@links.org> 2013-07-31 14:29:41 +0100
commit: 0b2bde70dd8fc290d640ed64cf7609dc2963a48b (patch)
tree: 70693fd57b9dbe0b6151c57c3d0b11d32a82c148
parent: a898936218bc279b5d7cdf76d58a25e7a2d419cb (diff)
download: openssl-new-0b2bde70dd8fc290d640ed64cf7609dc2963a48b.tar.gz
3 files changed, 13 insertions, 20 deletions
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 2c38b1a76a..15da654bf1 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -340,7 +340,9 @@ static int ssl23_client_hello(SSL *s)
 		if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)
 			ssl2_compat = 0;
 #endif
-                if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
+		if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
+			ssl2_compat = 0;
+		if (s->ctx->custom_cli_ext_records_count != 0)
 			ssl2_compat = 0;
 		}
 #endif
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 77abcfce83..2837624ae9 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -463,23 +463,6 @@ static int ssl_set_cert(CERT *c, X509 *x)
 		X509_free(c->pkeys[i].x509);
 	CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
 	c->pkeys[i].x509=x;
-#ifndef OPENSSL_NO_TLSEXT
-	/* Free the old authz data, if it exists. */
-	if (c->pkeys[i].authz != NULL)
-		{
-		OPENSSL_free(c->pkeys[i].authz);
-		c->pkeys[i].authz = NULL;
-		c->pkeys[i].authz_length = 0;
-		}
-
-	/* Free the old serverinfo data, if it exists. */
-	if (c->pkeys[i].serverinfo != NULL)
-		{
-		OPENSSL_free(c->pkeys[i].serverinfo);
-		c->pkeys[i].serverinfo = NULL;
-		c->pkeys[i].serverinfo_length = 0;
-		}
-#endif
 	c->key= &(c->pkeys[i]);
 
 	c->valid=0;
@@ -1083,7 +1066,7 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
 	if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL))
 		{
 		SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,SSL_R_INVALID_SERVERINFO_DATA);
-		return(0);
+		return 0;
 		}
 	if (!ssl_cert_inst(&ctx->cert))
 		{
@@ -1110,7 +1093,7 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
 	if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx))
 		{
 		SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,SSL_R_INVALID_SERVERINFO_DATA);
-		return(0);
+		return 0;
 		}
 	return 1;
 	}
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 3a048e145a..ee376de545 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1909,6 +1909,14 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 		s->s3->alpn_selected = NULL;
 		}
 
+	/* Clear observed custom extensions */
+	s->s3->tlsext_custom_types_count = 0;
+	if (s->s3->tlsext_custom_types != NULL)
+		{
+		OPENSSL_free(s->s3->tlsext_custom_types);
+		s->s3->tlsext_custom_types = NULL;
+		}		
+
 #ifndef OPENSSL_NO_HEARTBEATS
 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
author	Trevor Perrin <unsafe@trevp.net>	2013-07-27 23:10:14 -0700
committer	Ben Laurie <ben@links.org>	2013-07-31 14:29:41 +0100
commit	0b2bde70dd8fc290d640ed64cf7609dc2963a48b (patch)
tree	70693fd57b9dbe0b6151c57c3d0b11d32a82c148
parent	a898936218bc279b5d7cdf76d58a25e7a2d419cb (diff)
download	openssl-new-0b2bde70dd8fc290d640ed64cf7609dc2963a48b.tar.gz