From d7f9cac0f7a624d75948ed247cc21fdc22dc8a19 Mon Sep 17 00:00:00 2001 From: tb Date: Thu, 22 Apr 2021 18:27:53 +0000 Subject: [PATCH] Only hash known CH extensions RFC 4.1.2 specifies the ways in which the extensions in the first and the second ClientHello may differ. It basically says that extensions not known to a server must not change. This in turn makes it impossible to introduce new extensions that do change. It makes little sense to enforce that extensions we don't know and care about aren't modified, so make the hashing more lenient and restrict it to the extensions we do care about. Arguably, enforcing no change in an unknown extension is incompatible with the requirement that it be ignored. ok bcook jsing --- lib/libssl/ssl_tlsext.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c index 797eb84001c..0ed53f7ab2b 100644 --- a/lib/libssl/ssl_tlsext.c +++ b/lib/libssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.89 2021/03/29 16:46:09 jsing Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.90 2021/04/22 18:27:53 tb Exp $ */ /* * Copyright (c) 2016, 2017, 2019 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -2105,6 +2105,10 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) CBS_len(&extension_data), s->internal->tlsext_debug_arg); + /* Unknown extensions are ignored. */ + if ((tlsext = tls_extension_find(type, &idx)) == NULL) + continue; + if (tls_version >= TLS1_3_VERSION && is_server && msg_type == SSL_TLSEXT_MSG_CH) { if (!tlsext_clienthello_hash_extension(s, type, @@ -2112,10 +2116,6 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) goto err; } - /* Unknown extensions are ignored. */ - if ((tlsext = tls_extension_find(type, &idx)) == NULL) - continue; - /* RFC 8446 Section 4.2 */ if (tls_version >= TLS1_3_VERSION && !(tlsext->messages & msg_type)) { -- 2.20.1