From: Andreas Steffen
Date: Mon, 22 Aug 2022 12:27:48 +0000 (+0200)
Subject: libtls: Fixed encoding of TLS 1.3 certificate extension
X-Git-Tag: 5.9.8dr1~2^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9664ef4ba60fc303dd35d319222dda1dd1d2c8b9;p=thirdparty%2Fstrongswan.git

libtls: Fixed encoding of TLS 1.3 certificate extension
---
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 91f7efba82..edddf3262d 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -938,7 +938,6 @@ static status_t process_certreq(private_tls_peer_t *this, bio_reader_t *reader)
 {
 /* certificate request context as described in RFC 8446, section 4.3.2 */
 reader->read_data8(reader, &context);
-
 reader->read_data16(reader, &ext);
 extensions = bio_reader_create(ext);
 while (extensions->remaining(extensions))
@@ -1532,11 +1531,12 @@ static status_t send_certificate(private_tls_peer_t *this,
 cert->get_subject(cert));
 certs->write_data24(certs, data);
 free(data.ptr);
- }
- /* extensions see RFC 8446, section 4.4.2 */
- if (version_max > TLS_1_2)
- {
- certs->write_uint16(certs, 0);
+
+ /* extensions see RFC 8446, section 4.4.2 */
+ if (version_max > TLS_1_2)
+ {
+ certs->write_uint16(certs, 0);
+ }
 }
 }
 enumerator = this->peer_auth->create_enumerator(this->peer_auth);
@@ -1550,6 +1550,12 @@ static status_t send_certificate(private_tls_peer_t *this,
 cert->get_subject(cert));
 certs->write_data24(certs, data);
 free(data.ptr);
+
+ /* extensions see RFC 8446, section 4.4.2 */
+ if (version_max > TLS_1_2)
+ {
+ certs->write_uint16(certs, 0);
+ }
 }
 }
 }
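Review bot: The extensions block added after `free(data.ptr);` in the -1532 hunk is repeated verbatim in the -1550 hunk, so the two certificate loops in send_certificate now have to be kept in step by hand. A small static helper that writes the empty per-entry extensions field, called from both loops, would keep the TLS 1.3 entry layout in one place. The comment could also say what is actually written, for example `/* empty extensions vector of this CertificateEntry, RFC 8446, section 4.4.2 */`. Both loops start outside the hunks, so the rest of the entry encoding is not visible here.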
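Review bot: The per-entry field written in this loop, like the one in the -1532 hunk, is gated on `version_max`, which is assigned outside both hunks. If that variable holds the configured upper bound rather than the version agreed in the handshake, a TLS 1.2 session would carry two extra zero bytes after each certificate and the receiver would presumably fail to parse the list. This is worth confirming; if it does hold the negotiated version, a comment next to its assignment such as `/* version_max equals the negotiated version here */` would settle it for later readers.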