From 88859b506c1b17390ceb317aa041fbbe04006c68 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Mon, 5 Sep 2022 13:06:20 +0200
Subject: [PATCH] libtls: Fix encoding of TLS 1.3 certificate extension as server

Same as 9664ef4ba60f ("libtls: Fixed encoding of TLS 1.3 certificate extension") but for the server.
---
 src/libtls/tls_server.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index f1119884cf..c9c300917d 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -1327,11 +1327,12 @@ static status_t send_certificate(private_tls_server_t *this,
 cert->get_subject(cert));
 certs->write_data24(certs, data);
 free(data.ptr);
- }
- /* extensions see RFC 8446, section 4.4.2 */
- if (this->tls->get_version_max(this->tls) > TLS_1_2)
- {
- certs->write_uint16(certs, 0);
+
+ /* extensions see RFC 8446, section 4.4.2 */
+ if (this->tls->get_version_max(this->tls) > TLS_1_2)
+ {
+ certs->write_uint16(certs, 0);
+ }
 }
 }
 enumerator = this->server_auth->create_enumerator(this->server_auth);
@@ -1345,6 +1346,12 @@ static status_t send_certificate(private_tls_server_t *this,
 cert->get_subject(cert));
 certs->write_data24(certs, data);
 free(data.ptr);
+
+ /* extensions see RFC 8446, section 4.4.2 */
+ if (this->tls->get_version_max(this->tls) > TLS_1_2)
+ {
+ certs->write_uint16(certs, 0);
+ }
 }
 }
 }
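Review bot: The per-entry extensions field in the first hunk is gated on `get_version_max()`, and nothing visible here says that this value is the negotiated version rather than the configured ceiling. If it were still the ceiling at this point, a handshake settled on TLS 1.2 would get two stray bytes after every certificate, which the peer's parser would then read as part of the next length field. Presumably the version range has already been narrowed to the negotiated version before send_certificate runs, but that happens outside the hunk, so a short comment next to the check would help, e.g. `/* version_max is the negotiated version once the hello has been processed */` (to be confirmed against the hello handling). The same condition is repeated in the second hunk, and send_certificate starts and ends outside both.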
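Review bot: The six lines added here are a verbatim copy of the block added in the first hunk, so a later change to how a CertificateEntry is encoded can easily reach one call site and miss the other. A small static helper called after each `write_data24()` would keep the RFC 8446 section 4.4.2 encoding in one place; the sketch below assumes `certs` is the `bio_writer_t` declared outside the hunk. The diffstat lists only tls_server.c, so a test that sends a chain with at least one intermediate certificate over TLS 1.3 would be worth adding alongside, since that is the case the misplaced field breaks.

```c
/* Append the (empty) extensions field of a TLS 1.3 CertificateEntry, see
 * RFC 8446, section 4.4.2; earlier versions have no such field. */
static void write_cert_entry_extensions(private_tls_server_t *this,
										bio_writer_t *certs)
{
	if (this->tls->get_version_max(this->tls) > TLS_1_2)
	{
		certs->write_uint16(certs, 0);
	}
}

/* … unchanged: get_encoding / write_data24 at each place a certificate is written … */
				free(data.ptr);
				write_cert_entry_extensions(this, certs);
```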