Commit fe5a516b authored by Matt Caswell

Don't complain if we receive the cryptopro extension in the ClientHello



The cryptopro extension is supposed to be unsolicited and appears in the
ServerHello only. Additionally it is unofficial and unregistered - therefore
we should really treat it like any other unknown extension if we see it in
the ClientHello.

Fixes #7747

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7984)

(cherry picked from commit 23fed8ba)
parent 053aedf1
+4 −2
@@ -348,10 +348,12 @@ static const EXTENSION_DEFINITION ext_defs[] = {
    {
        /*
         * Special unsolicited ServerHello extension only used when
         * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set
         * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but
         * ignore it.
         */
        TLSEXT_TYPE_cryptopro_bug,
        SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
        | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
        NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
    },
    {
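
Review bot: the reworded comment above TLSEXT_TYPE_cryptopro_bug says the extension is allowed in a ClientHello "but ignore it", yet nothing in the entry documents what makes it ignored. The unchanged callback line is all NULL apart from tls_construct_stoc_cryptopro_bug, so the ignore depends entirely on no ClientHello parser being registered there. Suggest stating that in the comment, so a later change that adds a parse callback does not silently start acting on an unofficial, unregistered extension now that SSL_EXT_CLIENT_HELLO is in its context flags. The change is also +4 −2 in this single hunk with no test: a regression test that sends a ClientHello carrying this extension type and checks it is handled like any other unknown extension would pin down the behaviour reported in #7747.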