From 00f1eddee429ff51390b20caadd2eb6afe51e1aa Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Mon, 15 May 2023 15:49:44 -0700
Subject: [PATCH] add tls extension sanity check
---
 src/tls.c | 3 +++
 src/tls13.c | 10 ++++++++++
 2 files changed, 13 insertions(+)
diff --git a/src/tls.c b/src/tls.c
index bced9f9b13..9bbabfb14e 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -8475,6 +8475,9 @@ int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, word16 length,
 if (!WOLFSSL_NAMED_GROUP_IS_PQC(group))
 #endif
 ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL, &ssl->extensions);
+
+ if (ret == 0)
+ ssl->session->namedGroup = ssl->namedGroup = group;
 }
 else {
 /* Not a message type that is allowed to have this extension. */
diff --git a/src/tls13.c b/src/tls13.c
index e5360790b3..0f1bbc1aad 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -5236,8 +5236,18 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 }
 #endif
+ /* sanity check on PSK / KSE */
+ if (
+ #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
+ ssl->options.pskNegotiated == 0 &&
+ #endif
+ ssl->session->namedGroup == 0) {
+ return EXT_MISSING;
+ }
+
 ssl->keys.encryptionOn = 1;
 ssl->options.serverState = SERVER_HELLO_COMPLETE;
+
 }
 else {
 ssl->options.tls1_3 = 1;
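Review bot: In the src/tls.c hunk (TLSX_KeyShare_Parse), the added `if (ret == 0)` also runs when the preprocessor-guarded `if (!WOLFSSL_NAMED_GROUP_IS_PQC(group))` skips the `TLSX_KeyShare_Use` call, so for a PQC group `ret` still holds its earlier value and both `namedGroup` fields may be recorded for a group that was not installed here. If that is intended, a comment such as `/* also recorded for PQC groups, which skip TLSX_KeyShare_Use above */` would make it explicit; if not, the assignment belongs in one braced block together with the `TLSX_KeyShare_Use` call. Braces would help in either case, because an unbraced `if` directly after a conditionally compiled unbraced `if` is easy to misread. The opening `#if` and the start of the enclosing branch are outside the hunk, so the earlier value of `ret` is not visible.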
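Review bot: In the src/tls13.c hunk (DoTls13ServerHello), the new check treats `ssl->session->namedGroup == 0` as "this ServerHello carried no key_share", but that field is session state rather than a per-message flag, so a value left from an earlier step could satisfy the check. The src/tls.c hunk of this patch writes the same field from a key_share group parsed in a branch whose message type is not visible, and a resumed session may presumably carry a value as well; if either can precede a ServerHello that omits key_share, that message would not be rejected here. Resetting the field before the ServerHello extensions are parsed, or testing a flag that is set only when key_share is parsed from this message, would tie the check to the message under inspection. The comment could state the rule being enforced, for example `/* a ServerHello must negotiate a PSK and/or carry key_share; reject it otherwise */`. The function starts and ends outside the hunk, so where the extensions are parsed relative to this check, and whether the caller turns `EXT_MISSING` into an alert, cannot be confirmed from here.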