Only send custom extensions where we have received one in the ClientHello

[openssl.git] / ssl / statem / extensions_cust.c

diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c
index 3188adea0c3855df8e686429d62882d15e19c115..2a21ec492ca7045cc0cdc59aa0e7190e9aa43f84 100644 (file)
--- a/ssl/statem/extensions_cust.c
+++ b/ssl/statem/extensions_cust.c
@@ -64,6 +64,9 @@ static int custom_ext_parse_old_cb_wrap(SSL *s, unsigned int ext_type,
     custom_ext_parse_cb_wrap *parse_cb_wrap =
         (custom_ext_parse_cb_wrap *)parse_arg;
 
+    if (parse_cb_wrap->parse_cb == NULL)
+        return 1;
+
     return parse_cb_wrap->parse_cb(s, ext_type, in, inlen, al,
                                    parse_cb_wrap->parse_arg);
 }
@@ -178,11 +181,10 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx,
 
         if ((context & (SSL_EXT_TLS1_2_SERVER_HELLO
                         | SSL_EXT_TLS1_3_SERVER_HELLO
-                        | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS)) != 0) {
-            /*
-             * For ServerHello/EncryptedExtensions only send extensions present
-             * in ClientHello.
-             */
+                        | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
+                        | SSL_EXT_TLS1_3_CERTIFICATE
+                        | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)) != 0) {
+            /* Only send extensions present in ClientHello. */
             if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED))
                 continue;
         }