Only hash known CH extensions

author tb <tb@openbsd.org>

Thu, 22 Apr 2021 18:27:53 +0000 (18:27 +0000)

committer tb <tb@openbsd.org>

Thu, 22 Apr 2021 18:27:53 +0000 (18:27 +0000)
author tb <tb@openbsd.org>
Thu, 22 Apr 2021 18:27:53 +0000 (18:27 +0000)
committer tb <tb@openbsd.org>
Thu, 22 Apr 2021 18:27:53 +0000 (18:27 +0000)
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c

index 797eb84..0ed53f7 100644 (file)
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.89 2021/03/29 16:46:09 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.90 2021/04/22 18:27:53 tb Exp $ */
  /*
   * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
   * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -2105,6 +2105,10 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
                             CBS_len(&extension_data),
                             s->internal->tlsext_debug_arg);
  
+               /* Unknown extensions are ignored. */
+               if ((tlsext = tls_extension_find(type, &idx)) == NULL)
+                       continue;
+
                 if (tls_version >= TLS1_3_VERSION && is_server &&
                     msg_type == SSL_TLSEXT_MSG_CH) {
                         if (!tlsext_clienthello_hash_extension(s, type,
@@ -2112,10 +2116,6 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
                                 goto err;
                 }
  
-               /* Unknown extensions are ignored. */
-               if ((tlsext = tls_extension_find(type, &idx)) == NULL)
-                       continue;
-
                 /* RFC 8446 Section 4.2 */
                 if (tls_version >= TLS1_3_VERSION &&
                     !(tlsext->messages & msg_type)) {
author	tb <tb@openbsd.org>
	Thu, 22 Apr 2021 18:27:53 +0000 (18:27 +0000)
committer	tb <tb@openbsd.org>
	Thu, 22 Apr 2021 18:27:53 +0000 (18:27 +0000)