Fix TLS key share check to not fire when using < TLS 1.3

The check was being too aggressive and was catching us when the
extension was being sent by a client which supports tls 1.3 but
the server was capped at TLS 1.2. This moves the check after the
max version check, so we won't error out if we do not support
TLS 1.3

Reported by obsd@bartula.de

ok tb@

diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index d0d6759..08bf559 100644 (file)
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.153 2024/06/26 03:41:10 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.154 2024/07/09 12:27:27 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1573,6 +1573,10 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
                        return 0;
 
+               /* Ignore this client share if we're using earlier than TLSv1.3 */
+               if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION)
+                       continue;
+
                /*
                 * Ensure the client share group was sent in supported groups,
                 * and was sent in the same order as supported groups. The
@@ -1590,12 +1594,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                        return 0;
                }
 
-               /*
-                * Ignore this client share if we're using earlier than TLSv1.3
-                * or we've already selected a key share.
-                */
-               if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION)
-                       continue;
+               /* Ignore this client share if we have already selected a key share */
                if (s->s3->hs.key_share != NULL)
                        continue;