Clarify serverinfo usage with Certificate messages

Ensure that serverinfo only gets added for the first Certificate in a list.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3298)

doc/man3/SSL_CTX_use_serverinfo.pod

@@ -33,7 +33,9 @@ byte array provided in B<*serverinfo> which is of length B<serverinfo_length>.
 If B<version> is B<SSL_SERVERINFOV2> then the extensions in the array must
 consist of a 4-byte context, a 2-byte Extension Type, a 2-byte length, and then
 length bytes of extension_data. The context and type values have the same
-meaning as for L<SSL_CTX_add_custom_ext(3)>.
+meaning as for L<SSL_CTX_add_custom_ext(3)>. If serverinfo is being loaded for
+extensions to be added to a Certificate message, then the extension will only
+be added for the first Certificate in the message.
 
 If B<version> is B<SSL_SERVERINFOV1> then the extensions in the array must
 consist of a 2-byte Extension Type, a 2-byte length, and then length bytes of

ssl/ssl_rsa.c

@@ -758,6 +758,10 @@ static int serverinfoex_srv_add_cb(SSL *s, unsigned int ext_type,
     const unsigned char *serverinfo = NULL;
     size_t serverinfo_length = 0;
 
+    /* We only support extensions for the first Certificate */
+    if ((context & SSL_EXT_TLS1_3_CERTIFICATE) != 0 && chainidx > 0)
+        return 0;
+
     /* Is there serverinfo data for the chosen server cert? */
     if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
                                         &serverinfo_length)) != 0) {