From: Jacob Champion
Date: Wed, 19 Apr 2017 01:32:58 +0000 (+0000)
Subject: mod_ssl_ct: fix return values for custom extension callback
X-Git-Tag: 2.5.0-alpha~466
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6f10517a08499525d0732ef9ffe47cff49ad499a;p=thirdparty%2Fapache%2Fhttpd.git

mod_ssl_ct: fix return values for custom extension callback

This is most likely a follow-up to r1628833. At some point during the OpenSSL 1.0.2 beta, the contract for custom extension callbacks changed from "returning -1 skips the extension" to "returning -1 will issue a TLS fatal alert". This caused mod_ssl_ct to abort TLS connections that it intended to ignore. Zero is the correct return value for "do nothing" in 1.0.2.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1791845 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/mod_ssl_ct.c b/modules/ssl/mod_ssl_ct.c index 39ff1cc770b..15fe288560d 100644 --- a/modules/ssl/mod_ssl_ct.c +++ b/modules/ssl/mod_ssl_ct.c @@ -2286,7 +2286,7 @@ static int server_extension_add_callback(SSL *ssl, unsigned ext_type, ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(03032) "server_extension_callback_2: client isn't CT-aware"); /* Skip this extension for ServerHello */ - return -1; + return 0; } /* need to reply with SCT */ @@ -2309,7 +2309,7 @@ static int server_extension_add_callback(SSL *ssl, unsigned ext_type, } else { /* Skip this extension for ServerHello */ - return -1; + return 0; } return 1;
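Review bot: in the first hunk (@@ -2286), the new `return 0;` in the "client isn't CT-aware" branch keeps the old one-line comment, yet the commit message itself says the meaning of that value changed between the 1.0.2 beta and release; extend the comment at that return so nobody puts -1 back, e.g. `/* Skip this extension for ServerHello: 0 = omit, 1 = add, -1 = fatal alert (OpenSSL 1.0.2) */`. Also, the APLOGNO(03032) text in the context lines names `server_extension_callback_2` while the hunk header shows the function is `server_extension_add_callback`; updating the string would let the log line be grepped back to the function.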
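Review bot: in the second hunk (@@ -2309), the else branch's skip returns 0 silently, whereas the equivalent skip in the first hunk logs "client isn't CT-aware" at APLOG_DEBUG before returning; add a matching debug log before this `return 0;` so an operator seeing a ServerHello without the SCT extension can tell which of the two skip paths was taken.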
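As an added example of the callback contract the commit message describes (not mod_ssl_ct or OpenSSL code): a server-side parse/add callback pair written to the OpenSSL 1.0.2 custom extension signatures, returning 0 to omit the SCT extension, 1 to add it, and -1 only for a genuine failure that should produce an alert. To compile without OpenSSL, the header is replaced by a forward declaration of `SSL` plus constants whose values are assumed to match OpenSSL's; the per-connection state, the SCT bytes and the `ct_run` driver that stands in for the handshake are all constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for <openssl/ssl.h> so this compiles without OpenSSL (assumption:
 * the values match OpenSSL's; the SSL pointer is passed through, never used). */
typedef struct ssl_st SSL;
#define TLSEXT_TYPE_signed_certificate_timestamp 18 /* RFC 6962 */
#define SSL_AD_DECODE_ERROR   50
#define SSL_AD_INTERNAL_ERROR 80

/* custom_ext_add_cb contract in the OpenSSL 1.0.2 release: 1 = include the
 * extension (*out/*outlen is its body), 0 = omit it from this ServerHello,
 * -1 = abort with the alert left in *al. The beta read -1 as "omit". */
enum { EXT_ADD = 1, EXT_SKIP = 0, EXT_FATAL = -1 };

typedef struct {              /* assumed per-connection state (add_arg/parse_arg) */
    int client_ct_aware;      /* the ClientHello carried extension 18 */
    const uint8_t *sct_list;  /* serialized SignedCertificateTimestampList */
    size_t sct_list_len;      /* 0 when nothing is configured */
} ct_conn_state;

/* custom_ext_parse_cb for the ClientHello. RFC 6962 3.3.1: the client's
 * extension_data is empty, so a payload is a decode error, not "CT-aware". */
static int ct_server_parse_cb(SSL *ssl, unsigned int ext_type,
                              const unsigned char *in, size_t inlen,
                              int *al, void *parse_arg)
{
    ct_conn_state *st = parse_arg;
    (void)ssl; (void)ext_type; (void)in;
    if (inlen != 0) { *al = SSL_AD_DECODE_ERROR; return 0; }
    st->client_ct_aware = 1;
    return 1;
}

/* custom_ext_add_cb for the ServerHello: -1 only for a genuine failure. */
static int ct_server_add_cb(SSL *ssl, unsigned int ext_type,
                            const unsigned char **out, size_t *outlen,
                            int *al, void *add_arg)
{
    ct_conn_state *st = add_arg;
    (void)ssl; (void)ext_type;
    if (!st->client_ct_aware || st->sct_list_len == 0)
        return EXT_SKIP;              /* omit the extension, no alert */
    if (st->sct_list_len > 0xFFFF) {  /* cannot fit a 16-bit extension length */
        *al = SSL_AD_INTERNAL_ERROR;
        return EXT_FATAL;
    }
    *out = st->sct_list;
    *outlen = st->sct_list_len;
    return EXT_ADD;
}

/* RFC 6962 SignedCertificateTimestampList: 2-byte total length, then each SCT
 * as 2-byte length || bytes. Returns bytes written, or 0 if it does not fit. */
static size_t ct_encode_sct_list(const uint8_t *const *scts, const size_t *lens,
                                 size_t n, uint8_t *buf, size_t buflen)
{
    size_t body = 0, pos = 2, i;
    for (i = 0; i < n; i++) body += 2 + lens[i];
    if (body == 0 || body > 0xFFFF || buflen < 2 + body) return 0;
    buf[0] = (uint8_t)(body >> 8); buf[1] = (uint8_t)body;
    for (i = 0; i < n; i++) {
        buf[pos++] = (uint8_t)(lens[i] >> 8); buf[pos++] = (uint8_t)lens[i];
        memcpy(buf + pos, scts[i], lens[i]);
        pos += lens[i];
    }
    return pos;
}

/* Constructed sample SCT bytes (opaque here). */
static const uint8_t sample_sct_a[] = { 0x00, 0xaa, 0xbb, 0xcc };
static const uint8_t sample_sct_b[] = { 0x00, 0x11, 0x22 };

typedef struct { int rc; size_t outlen; int alert; } ct_outcome;

/* Hypothetical driver standing in for the handshake: parse the ClientHello
 * extension if sent (client_ext_len payload bytes), then ask add_cb about the
 * ServerHello. rc is add_cb's result, or -1 if parsing already failed. */
ct_outcome ct_run(int client_sent_ext, size_t client_ext_len, int have_scts)
{
    static uint8_t listbuf[64];
    const uint8_t *const scts[] = { sample_sct_a, sample_sct_b };
    const size_t lens[] = { sizeof sample_sct_a, sizeof sample_sct_b };
    ct_conn_state st = { 0, NULL, 0 }; ct_outcome o = { 0, 0, 0 };
    const unsigned char *out = NULL;
    if (have_scts) {
        st.sct_list_len = ct_encode_sct_list(scts, lens, 2, listbuf, sizeof listbuf);
        st.sct_list = listbuf;
    }
    if (client_sent_ext &&
        ct_server_parse_cb(NULL, TLSEXT_TYPE_signed_certificate_timestamp,
                           NULL, client_ext_len, &o.alert, &st) != 1) {
        o.rc = EXT_FATAL;
        return o;
    }
    o.rc = ct_server_add_cb(NULL, TLSEXT_TYPE_signed_certificate_timestamp,
                            &out, &o.outlen, &o.alert, &st);
    return o;
}
int ct_run_rc(int s, size_t l, int h)        { return ct_run(s, l, h).rc; }
size_t ct_run_outlen(int s, size_t l, int h) { return ct_run(s, l, h).outlen; }
int ct_run_alert(int s, size_t l, int h)     { return ct_run(s, l, h).alert; }
```

`ct_run(0, 0, 1)` models a client that never sent the extension and yields rc 0 (the extension is simply left out of the ServerHello); under the beta-era reading of -1 that same branch would have aborted the handshake, which is the behaviour the commit removes. `ct_run(1, 0, 1)` yields rc 1 with the 13-byte list, and `ct_run(1, 3, 1)` yields -1 with alert 50 because a non-empty client payload is a real protocol error, the one case where an alert is the right answer.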