diff options
author | Matt Caswell <matt@openssl.org> | 2017-04-10 16:18:26 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-05-03 14:37:42 +0100 |
commit | 7f533d6fa1e1497e3c43630952528521b2627f53 (patch) | |
tree | 236d261b9cf8f0ca2746cd688c87391673a2c778 | |
parent | 84c34ba8762463057d372e22ad98a045dbd9a51f (diff) |
Only send custom extensions where we have received one in the ClientHello
We already did this for ServerHello and EncryptedExtensions. We should be
doing it for Certificate and HelloRetryRequest as well.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3298)
-rw-r--r-- | ssl/statem/extensions_cust.c | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c index 6de59e2425..2a21ec492c 100644 --- a/ssl/statem/extensions_cust.c +++ b/ssl/statem/extensions_cust.c @@ -181,11 +181,10 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx, if ((context & (SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO - | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS)) != 0) { - /* - * For ServerHello/EncryptedExtensions only send extensions present - * in ClientHello. - */ + | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS + | SSL_EXT_TLS1_3_CERTIFICATE + | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)) != 0) { + /* Only send extensions present in ClientHello. */ if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED)) continue; } |