From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 25 Jul 2018 11:08:35 +0000 (+0200)
Subject: hello_ext_parse: apply the test for pre-shared key ext being last on client hello
X-Git-Tag: gnutls_3_6_4~56^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=10f83e36ed9213bb3e77922bdc15d5b8d64f3ffb;p=thirdparty%2Fgnutls.git

hello_ext_parse: apply the test for pre-shared key ext being last on client hello

We were incorrectly insisting on pre-shared key extension being last in
both client and server hello. That was incorrect, as only in client hello
it is required by TLS1.3 to be last.

Quoting:
   The "pre_shared_key" extension MUST be the last extension in the
   ClientHello (this facilitates implementation as described below).
   Servers MUST check that it is the last extension and otherwise fail
   the handshake with an "illegal_parameter" alert.

Resolves #525

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---

diff --git a/lib/hello_ext.c b/lib/hello_ext.c
index a3027130a6..f72afe77fd 100644
--- a/lib/hello_ext.c
+++ b/lib/hello_ext.c
@@ -208,7 +208,7 @@ int hello_ext_parse(void *_ctx, unsigned tls_id, const uint8_t *data, unsigned d
 
 	if (tls_id == PRE_SHARED_KEY_TLS_ID) {
 		ctx->seen_pre_shared_key = 1;
-	} else if (ctx->seen_pre_shared_key) {
+	} else if (ctx->seen_pre_shared_key && session->security_parameters.entity == GNUTLS_SERVER) {
 		/* the pre-shared key extension must always be the last one,
 		 * draft-ietf-tls-tls13-28: 4.2.11 */
 		return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);