Clarify serverinfo usage with Certificate messages

Ensure that serverinfo only gets added for the first Certificate in a list. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3298)
author: Matt Caswell <matt@openssl.org> 2017-04-25 13:42:17 +0200
committer: Matt Caswell <matt@openssl.org> 2017-05-03 15:37:42 +0200
commit: f233a9d181b5cd150322e2e10348a4c1d96fc1f3 (patch)
tree: f24cd909e8ec46b7da94e83dbff225a44ddbbdfb /ssl/ssl_rsa.c
parent: Document the new SSL_CTX_use_serverinfo_ex() function (diff)
download: openssl-f233a9d181b5cd150322e2e10348a4c1d96fc1f3.tar.xz
openssl-f233a9d181b5cd150322e2e10348a4c1d96fc1f3.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index bf9678d118..f0a058e4bc 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -758,6 +758,10 @@ static int serverinfoex_srv_add_cb(SSL *s, unsigned int ext_type,
     const unsigned char *serverinfo = NULL;
     size_t serverinfo_length = 0;
 
+    /* We only support extensions for the first Certificate */
+    if ((context & SSL_EXT_TLS1_3_CERTIFICATE) != 0 && chainidx > 0)
+        return 0;
+
     /* Is there serverinfo data for the chosen server cert? */
     if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
                                         &serverinfo_length)) != 0) {
author	Matt Caswell <matt@openssl.org>	2017-04-25 13:42:17 +0200
committer	Matt Caswell <matt@openssl.org>	2017-05-03 15:37:42 +0200
commit	f233a9d181b5cd150322e2e10348a4c1d96fc1f3 (patch)
tree	f24cd909e8ec46b7da94e83dbff225a44ddbbdfb /ssl/ssl_rsa.c
parent	Document the new SSL_CTX_use_serverinfo_ex() function (diff)
download	openssl-f233a9d181b5cd150322e2e10348a4c1d96fc1f3.tar.xz openssl-f233a9d181b5cd150322e2e10348a4c1d96fc1f3.zip