hello_ext_parse: apply the test for pre-shared key ext being last on client hello

We were incorrectly insisting on pre-shared key extension being last in
both client and server hello. That was incorrect, as only in client hello
it is required by TLS1.3 to be last.

Quoting:
   The "pre_shared_key" extension MUST be the last extension in the
   ClientHello (this facilitates implementation as described below).
   Servers MUST check that it is the last extension and otherwise fail
   the handshake with an "illegal_parameter" alert.

Resolves #525

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

diff --git a/lib/hello_ext.c b/lib/hello_ext.c
index a3027130a60b0df4ed7272a1e2ceaa3a7d71fcc5..f72afe77fd35d20ec7bcc12122652b423f700a82 100644 (file)
--- a/lib/hello_ext.c
+++ b/lib/hello_ext.c
@@ -208,7 +208,7 @@ int hello_ext_parse(void *_ctx, unsigned tls_id, const uint8_t *data, unsigned d
 
        if (tls_id == PRE_SHARED_KEY_TLS_ID) {
                ctx->seen_pre_shared_key = 1;
-       } else if (ctx->seen_pre_shared_key) {
+       } else if (ctx->seen_pre_shared_key && session->security_parameters.entity == GNUTLS_SERVER) {
                /* the pre-shared key extension must always be the last one,
                 * draft-ietf-tls-tls13-28: 4.2.11 */
                return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);