From 8d9af257acc025d45123eac80c891d1cf039b4e1 Mon Sep 17 00:00:00 2001
From: Reda Chouk
Date: Tue, 28 Apr 2026 17:50:09 +0200
Subject: [PATCH] reject extensions in a TLS 1.3 Certificate message that were not offered in the prior ClientHello/CertificateRequest per rfc 8446 4.4.2
---
 src/tls.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/tls.c b/src/tls.c
index c608261217..86a1bd2f2d 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -17387,6 +17387,20 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType,
 break;
 }
 
+#ifdef WOLFSSL_TLS13
+ /* RFC 8446 4.4.2: extensions in a Certificate message MUST
+ * correspond to ones offered in our prior ClientHello (client) or
+ * CertificateRequest (server). Reject anything we did not offer. */
+ if (msgType == certificate &&
+ IsAtLeastTLSv1_3(ssl->version) &&
+ TLSX_Find(ssl->extensions, (TLSX_Type)type) == NULL) {
+ WOLFSSL_MSG("Cert-msg extension not offered in CH/CR");
+ SendAlert(ssl, alert_fatal, unsupported_extension);
+ WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_EXTENSION);
+ return UNSUPPORTED_EXTENSION;
+ }
+#endif
+
 switch (type) {
 #ifdef HAVE_SNI
 case TLSX_SERVER_NAME:
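Review bot: The lookup in the added `if` consults only `ssl->extensions`, but if this build also emits CTX-level extensions in the ClientHello (as far as I recall TLSX_WriteRequest writes `ssl->ctx->extensions` alongside `ssl->extensions` — please confirm), a status_request or SCT extension that the client offered from the context list would be rejected here with a fatal unsupported_extension alert on an otherwise valid handshake. If that holds, the condition should also check the context list, e.g. `TLSX_Find(ssl->extensions, (TLSX_Type)type) == NULL && (ssl->ctx == NULL || TLSX_Find(ssl->ctx->extensions, (TLSX_Type)type) == NULL)`. The check also treats any entry in `ssl->extensions` as "offered", which on the server side likely includes extensions pushed while parsing the peer's ClientHello, so it is looser than the RFC wording there; a comment such as `/* ssl->extensions approximates the set we offered; it may also hold entries pushed from the peer's hello */` would save the next reader from assuming an exact match. TLSX_Parse begins and ends outside this hunk.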