diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index ffdf3a90fb..9060ee38f0 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -17,6 +17,7 @@ #include #include #include +#include #include "internal/cryptlib.h" #define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers) @@ -3947,6 +3948,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return 0; } } + if (!X509v3_cache_extensions((X509 *)parg, ctx->libctx, ctx->propq)) { + SSLerr(0, ERR_LIB_X509); + return 0; + } if (!sk_X509_push(ctx->extra_certs, (X509 *)parg)) { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_MALLOC_FAILURE); return 0; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 56e3642fbd..f753bbee38 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -253,11 +253,20 @@ void ssl_cert_free(CERT *c) int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain) { int i, r; - CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key; + CERT_PKEY *cpk = s != NULL ? s->cert->key : ctx->cert->key; + SSL_CTX *realctx = s != NULL ? s->ctx : ctx; + if (!cpk) return 0; for (i = 0; i < sk_X509_num(chain); i++) { - r = ssl_security_cert(s, ctx, sk_X509_value(chain, i), 0, 0); + X509 *x = sk_X509_value(chain, i); + + if (!X509v3_cache_extensions(x, realctx->libctx, realctx->propq)) { + SSLerr(0, ERR_LIB_X509); + return 0; + } + + r = ssl_security_cert(s, ctx, x, 0, 0); if (r != 1) { SSLerr(SSL_F_SSL_CERT_SET0_CHAIN, r); return 0; diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index b32a7b90bb..3a222e5571 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -14,6 +14,7 @@ #include #include #include +#include #include static int ssl_set_cert(CERT *c, X509 *x509); @@ -31,6 +32,10 @@ int SSL_use_certificate(SSL *ssl, X509 *x) SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); return 0; } + if (!X509v3_cache_extensions(x, ssl->ctx->libctx, ssl->ctx->propq)) { + SSLerr(0, ERR_LIB_X509); + return 0; + } rv = ssl_security_cert(ssl, NULL, x, 0, 1); if (rv != 1) { SSLerr(SSL_F_SSL_USE_CERTIFICATE, rv); @@ -305,6 +310,10 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); return 0; } + if (!X509v3_cache_extensions(x, ctx->libctx, ctx->propq)) { + SSLerr(0, ERR_LIB_X509); + return 0; + } rv = ssl_security_cert(NULL, ctx, x, 0, 1); if (rv != 1) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv);