1 files changed, 6 insertions, 7 deletions

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index d0d67598d4..08bf5593ec 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.153 2024/06/26 03:41:10 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.154 2024/07/09 12:27:27 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1573,6 +1573,10 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
                         return 0;
 
+                /* Ignore this client share if we're using earlier than TLSv1.3 */
+                if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION)
+                        continue;
+
                 /*
                  * Ensure the client share group was sent in supported groups,
                  * and was sent in the same order as supported groups. The
@@ -1590,12 +1594,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                         return 0;
                 }
 
-                /*
-                 * Ignore this client share if we're using earlier than TLSv1.3
-                 * or we've already selected a key share.
-                 */
-                if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION)
-                        continue;
+                /* Ignore this client share if we have already selected a key share */
                 if (s->s3->hs.key_share != NULL)
                         continue;