Don't complain if we receive the cryptopro extension in the ClientHello

The cryptopro extension is supposed to be unsolicited and appears in the ServerHello only. Additionally it is unofficial and unregistered - therefore we should really treat it like any other unknown extension if we see it in the ClientHello. Fixes #7747 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7984) (cherry picked from commit 23fed8ba0ec895e1b2a089cae380697f15170afc)
author: Matt Caswell <matt@openssl.org> 2019-01-04 16:54:03 +0000
committer: Matt Caswell <matt@openssl.org> 2019-01-07 09:43:28 +0000
commit: fe5a516b72942f5eacda8c9c7f032e8c76e0cb7b (patch)
tree: cd5e2da7ea92c24a1fc7ab38324ed5f19d82ac23 /ssl
parent: 053aedf1536267b621cb8d7bceaafece4df03c41 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 11feae5456..091639597b 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -348,10 +348,12 @@ static const EXTENSION_DEFINITION ext_defs[] = {
     {
         /*
          * Special unsolicited ServerHello extension only used when
-         * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set
+         * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but
+         * ignore it.
          */
         TLSEXT_TYPE_cryptopro_bug,
-        SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
+        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+        | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
         NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
     },
     {
author	Matt Caswell <matt@openssl.org>	2019-01-04 16:54:03 +0000
committer	Matt Caswell <matt@openssl.org>	2019-01-07 09:43:28 +0000
commit	fe5a516b72942f5eacda8c9c7f032e8c76e0cb7b (patch)
tree	cd5e2da7ea92c24a1fc7ab38324ed5f19d82ac23 /ssl
parent	053aedf1536267b621cb8d7bceaafece4df03c41 (diff)