Diffstat (limited to 'lib/libssl/ssl_tlsext.c')
-rw-r--r-- | lib/libssl/ssl_tlsext.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c index d0d67598d4c..08bf5593ecd 100644 --- a/lib/libssl/ssl_tlsext.c +++ b/lib/libssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.153 2024/06/26 03:41:10 tb Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.154 2024/07/09 12:27:27 beck Exp $ */ /* * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> @@ -1573,6 +1573,10 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) return 0; + /* Ignore this client share if we're using earlier than TLSv1.3 */ + if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION) + continue; + /* * Ensure the client share group was sent in supported groups, * and was sent in the same order as supported groups. The @@ -1590,12 +1594,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 0; } - /* - * Ignore this client share if we're using earlier than TLSv1.3 - * or we've already selected a key share. - */ - if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION) - continue; + /* Ignore this client share if we have already selected a key share */ if (s->s3->hs.key_share != NULL) continue; |
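Review bot: The version check moved to the top of the loop body in tlsext_keyshare_server_process() has a comment that says what it does but not why it must now sit before the supported-groups validation. With this ordering a server whose `our_max_tls_version` is below `TLS1_3_VERSION` still parses each entry's length-prefixed `key_exchange` but never reaches the group membership and ordering check, so a share that would previously have hit the `return 0` shown at the top of the following hunk is now skipped; that appears to be the intent, and stating it would stop a later cleanup from moving the check back. I would extend the comment to something like `/* Pre-TLSv1.3 we never use a key share, so skip it before the supported groups check rather than failing the handshake on it. */`. The test is on the configured maximum rather than a negotiated version, which looks deliberate at this point in ClientHello processing but is worth confirming. The loop and the function both start and end outside the hunk.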