git.ipfire.org Git - thirdparty/openssl.git/commit
Preserve connection custom extensions in SSL_set_SSL_CTX()
author Sergey Kandaurov <pluknet@nginx.com>
Wed, 28 May 2025 17:58:26 +0000 (21:58 +0400)
committer Matt Caswell <matt@openssl.org>
Fri, 20 Jun 2025 14:56:58 +0000 (15:56 +0100)
commit 45bd3c3798ab2f1f143f26c27b6d080c72b70eea
tree 7c489606ba35e9a75796dd70911ec60e8a1fa0f2
parent be4e3977b1a812c03d242b5c61378e24c8dfc963
Preserve connection custom extensions in SSL_set_SSL_CTX()

The SSL_set_SSL_CTX() function is used to switch SSL contexts for
the given SSL object.  If contexts differ, this includes updating
a cert structure with custom extensions from the new context.  This
however overwrites connection custom extensions previously set on
top of those inherited from the old context.

The fix is to preserve connection custom extensions using a newly
introduced flag SSL_EXT_FLAG_CONN in custom_ext_copy_conn().
Similar to custom_ext_copy(), it is a no-op if there are no custom
extensions to copy.

The only such consumer is ossl_quic_tls_configure() used to set the
"quic_transport_parameters" extension.  Before this change, context
switch resulted in transport parameters not being sent due to the
missing extension.

Initially reported at https://github.com/nginx/nginx/issues/711

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27706)

(cherry picked from commit 403ba31a02e47d37070036529966d5a94d98c6fd)
ssl/ssl_lib.c
ssl/ssl_local.h
ssl/statem/extensions_cust.c
test/sslapitest.c