From 84113b351970b142c1aa31f17c83e5487656f281 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Tue, 29 Aug 2017 17:24:12 +0000
Subject: Actually parse the ALPN extension in a client hello, even if no ALPN callback has been installed. This ensures that the ALPN extension is valid and avoids leaving unprocessed extension data, which leads to a decode error. Found the hard way by jsg@
---
 src/lib/libssl/ssl_tlsext.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 2438b90d04..6b60ccd27f 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.12 2017/08/27 02:58:04 doug Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.13 2017/08/29 17:24:12 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing
  * Copyright (c) 2017 Doug Hogan
@@ -61,9 +61,6 @@ tlsext_alpn_clienthello_parse(SSL *s, CBS *cbs, int *alert)
 	unsigned char selected_len;
 	int r;
 
-	if (s->ctx->internal->alpn_select_cb == NULL)
-		return 1;
-
 	if (!CBS_get_u16_length_prefixed(cbs, &alpn))
 		goto err;
 	if (CBS_len(&alpn) < 2)
@@ -81,6 +78,9 @@ tlsext_alpn_clienthello_parse(SSL *s, CBS *cbs, int *alert)
 		goto err;
 	}
 
+	if (s->ctx->internal->alpn_select_cb == NULL)
+		return 1;
+
 	r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len,
 	    CBS_data(&alpn), CBS_len(&alpn),
 	    s->ctx->internal->alpn_select_cb_arg);
-- 
cgit v1.2.3-55-g6feb
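Review bot: The relocated `alpn_select_cb == NULL` guard in the second code hunk (old line 81) carries no comment, so the reason it now sits after the length and list checks rather than at the top of the function lives only in the commit message; a reader seeing the parse work done for a callback that is never invoked may be tempted to move it back, reintroducing the unprocessed-extension decode error this commit fixes. Suggest placing `/* Always parse and validate the ALPN list so no extension data is left unprocessed, even when no callback will select a protocol. */` directly above the new guard. Whether the checks between the two hunks verify that every protocol entry in `alpn` is consumed cannot be confirmed from this diff, since `tlsext_alpn_clienthello_parse` begins before the first code hunk and ends after the second.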