Parse custom extensions after internal extensions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index f46279d..dc108aa 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2434,6 +2434,10 @@
al))
return 0;
}
+#ifdef TLSEXT_TYPE_encrypt_then_mac
+ else if (type == TLSEXT_TYPE_encrypt_then_mac)
+ s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
+#endif
/* If this ClientHello extension was unhandled and this is
* a nonresumed connection, check whether the extension is a
* custom TLS Extension (has a custom_srv_ext_record), and if
@@ -2445,10 +2449,6 @@
if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
return 0;
}
-#ifdef TLSEXT_TYPE_encrypt_then_mac
- else if (type == TLSEXT_TYPE_encrypt_then_mac)
- s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
-#endif
data+=size;
}
@@ -2774,11 +2774,6 @@
al))
return 0;
}
- /* If this extension type was not otherwise handled, but
- * matches a custom_cli_ext_record, then send it to the c
- * callback */
- else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
- return 0;
#ifdef TLSEXT_TYPE_encrypt_then_mac
else if (type == TLSEXT_TYPE_encrypt_then_mac)
{
@@ -2787,6 +2782,11 @@
s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
}
#endif
+ /* If this extension type was not otherwise handled, but
+ * matches a custom_cli_ext_record, then send it to the c
+ * callback */
+ else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
+ return 0;
data += size;
}
