Work around bug in F5's handling of the supported elliptic curves extension.

RFC 4492 only defines elliptic_curves for ClientHello.  However, F5 is
sending it in ServerHello.  We need to skip over it since our TLS extension
parsing code is now more strict.

Thanks to Armin Wolfermann and WJ Liu for reporting the issue.

input + ok jsing@

1 files changed, 16 insertions, 2 deletions

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 646c59e5d6..60daff6f8d 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.9 2017/08/12 23:38:12 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.10 2017/08/23 15:39:38 doug Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -130,7 +130,21 @@ tlsext_ec_serverhello_build(SSL *s, CBB *cbb)
 int
 tlsext_ec_serverhello_parse(SSL *s, CBS *cbs, int *alert)
 {
-        return 0;
+        /*
+         * Servers should not send this extension per the RFC.
+         *
+         * However, F5 sends it by mistake (case ID 492780) so we need to skip
+         * over it.  This bug is from at least 2014 but as of 2017, there
+         * are still large sites with this bug in production.
+         *
+         * https://devcentral.f5.com/questions/disable-supported-elliptic-curves-extension-from-server
+         */
+        if (!CBS_skip(cbs, CBS_len(cbs))) {
+                *alert = TLS1_AD_INTERNAL_ERROR;
+                return 0;
+        }
+
+        return 1;
 }
 
 /*