Don't complain if we receive the cryptopro extension in the ClientHello

The cryptopro extension is supposed to be unsolicited and appears in the ServerHello only. Additionally it is unofficial and unregistered - therefore we should really treat it like any other unknown extension if we see it in the ClientHello. Fixes #7747 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7984)
author: Matt Caswell <matt@openssl.org> 2019-01-04 16:54:03 +0000
committer: Matt Caswell <matt@openssl.org> 2019-01-07 09:39:10 +0000
commit: 23fed8ba0ec895e1b2a089cae380697f15170afc (patch)
tree: bfdd8b2ca0329e2bd918b22cdb70aac0383b7926
parent: 67ee899cb51d3e3d7b5f00b878f8f82a097b93f0 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index ffa4b460f7..773309a13c 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -348,10 +348,12 @@ static const EXTENSION_DEFINITION ext_defs[] = {
     {
         /*
          * Special unsolicited ServerHello extension only used when
-         * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set
+         * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but
+         * ignore it.
          */
         TLSEXT_TYPE_cryptopro_bug,
-        SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
+        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+        | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
         NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
     },
     {
author	Matt Caswell <matt@openssl.org>	2019-01-04 16:54:03 +0000
committer	Matt Caswell <matt@openssl.org>	2019-01-07 09:39:10 +0000
commit	23fed8ba0ec895e1b2a089cae380697f15170afc (patch)
tree	bfdd8b2ca0329e2bd918b22cdb70aac0383b7926
parent	67ee899cb51d3e3d7b5f00b878f8f82a097b93f0 (diff)