diff --git a/cyassl/internal.h b/cyassl/internal.h index 66d4041f6..600e3461b 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -1233,6 +1233,7 @@ typedef enum { MAX_FRAGMENT_LENGTH = 0x0001, TRUNCATED_HMAC = 0x0004, ELLIPTIC_CURVES = 0x000a, + SESSION_TICKET = 0x0023, SECURE_RENEGOTIATION = 0xff01 } TLSX_Type; @@ -1243,9 +1244,9 @@ typedef struct TLSX { struct TLSX* next; /* List Behavior */ } TLSX; -CYASSL_LOCAL TLSX* TLSX_Find(TLSX* list, TLSX_Type type); -CYASSL_LOCAL void TLSX_FreeAll(TLSX* list); -CYASSL_LOCAL int TLSX_SupportExtensions(CYASSL* ssl); +CYASSL_LOCAL TLSX* TLSX_Find(TLSX* list, TLSX_Type type); +CYASSL_LOCAL void TLSX_FreeAll(TLSX* list); +CYASSL_LOCAL int TLSX_SupportExtensions(CYASSL* ssl); #ifndef NO_CYASSL_CLIENT CYASSL_LOCAL word16 TLSX_GetRequestSize(CYASSL* ssl); @@ -1259,6 +1260,16 @@ CYASSL_LOCAL word16 TLSX_WriteResponse(CYASSL* ssl, byte* output); CYASSL_LOCAL int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest, Suites *suites); + +#elif defined(HAVE_SNI) \ + || defined(HAVE_MAX_FRAGMENT) \ + || defined(HAVE_TRUNCATED_HMAC) \ + || defined(HAVE_SUPPORTED_CURVES) \ + || defined(HAVE_SECURE_RENEGOTIATION) + +#error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined. + +#endif /* HAVE_TLS_EXTENSIONS */ /* Server Name Indication */ #ifdef HAVE_SNI @@ -1342,7 +1353,6 @@ CYASSL_LOCAL int TLSX_UseSecureRenegotiation(TLSX** extensions); #endif /* HAVE_SECURE_RENEGOTIATION */ -#endif /* HAVE_TLS_EXTENSIONS */ /* CyaSSL context type */ struct CYASSL_CTX { diff --git a/src/internal.c b/src/internal.c index 93d239140..53c66f8ec 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4421,7 +4421,7 @@ int DoFinished(CYASSL* ssl, const byte* input, word32* inOutIdx, word32 size, } } -#if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_TLS_EXTENSIONS) +#ifdef HAVE_SECURE_RENEGOTIATION if (ssl->secure_renegotiation) { /* save peer's state */ if (ssl->options.side == CYASSL_CLIENT_END) @@ -4431,7 +4431,7 @@ int DoFinished(CYASSL* ssl, const byte* input, word32* inOutIdx, word32 size, XMEMCPY(ssl->secure_renegotiation->client_verify_data, input + *inOutIdx, TLS_FINISHED_SZ); } -#endif /* (HAVE_SECURE_RENEGOTIATION) && (HAVE_TLS_EXTENSIONS) */ +#endif /* force input exhaustion at ProcessReply consuming padSz */ *inOutIdx += size + ssl->keys.padSz; @@ -6784,7 +6784,7 @@ int SendFinished(CYASSL* ssl) ssl->options.side == CYASSL_CLIENT_END ? client : server); if (ret != 0) return ret; -#if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_TLS_EXTENSIONS) +#ifdef HAVE_SECURE_RENEGOTIATION if (ssl->secure_renegotiation) { if (ssl->options.side == CYASSL_CLIENT_END) XMEMCPY(ssl->secure_renegotiation->client_verify_data, hashes, @@ -6793,7 +6793,7 @@ int SendFinished(CYASSL* ssl) XMEMCPY(ssl->secure_renegotiation->server_verify_data, hashes, TLS_FINISHED_SZ); } -#endif /* HAVE_SECURE_RENEGOTIATION && HAVE_TLS_EXTENSIONS */ +#endif sendSz = BuildMessage(ssl, output, outputSz, input, headerSz + finishedSz, handshake); diff --git a/src/tls.c b/src/tls.c index 1235adcc7..5f95a5319 100644 --- a/src/tls.c +++ b/src/tls.c @@ -704,12 +704,29 @@ int TLS_hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz, #ifdef HAVE_TLS_EXTENSIONS -static INLINE word16 ConvertExtType(word16 type) -{ - if (type < 0x10) - return type; +/** Supports up to 64 flags. Update as needed. */ +#define SEMAPHORE_SIZE 8 - return 0x0a + (type & 0xFF); + +static INLINE word16 TLSX_ToSemaphore(word16 type) +{ + switch (type) { + case SECURE_RENEGOTIATION: + return 63; + + default: + if (type > 62) { + /* This message SHOULD only happens during the adding of + new TLS extensions in which its IANA number overflows + the current semaphore's range, or if its number already + is assigned to be used by another extension. + Use this check value for the new extension and decrement + the check value by one. */ + CYASSL_MSG("### TLSX semaphore colision or overflow detected!"); + } + } + + return type; } @@ -718,7 +735,7 @@ static INLINE word16 ConvertExtType(word16 type) #define TURN_ON(semaphore, light) \ - ((semaphore)[(light) / 8] |= (byte) (0x01 << ((light) % 8))) + ((semaphore)[(light) / 8] |= (byte) (0xff01 << ((light) % 8))) static int TLSX_Push(TLSX** list, TLSX_Type type, void* data) @@ -1386,7 +1403,7 @@ static void TLSX_EllipticCurve_ValidateRequest(CYASSL* ssl, byte* semaphore) return; /* No elliptic curve suite found */ - TURN_ON(semaphore, ConvertExtType(ELLIPTIC_CURVES)); + TURN_ON(semaphore, TLSX_ToSemaphore(ELLIPTIC_CURVES)); } static word16 TLSX_EllipticCurve_GetSize(EllipticCurve* list) @@ -1799,7 +1816,7 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest) if (!isRequest && !extension->resp) continue; /* skip! */ - if (!IS_OFF(semaphore, ConvertExtType(extension->type))) + if (!IS_OFF(semaphore, TLSX_ToSemaphore(extension->type))) continue; /* skip! */ /* type + data length */ @@ -1827,7 +1844,7 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest) break; } - TURN_ON(semaphore, ConvertExtType(extension->type)); + TURN_ON(semaphore, TLSX_ToSemaphore(extension->type)); } return length; @@ -1846,7 +1863,7 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, if (!isRequest && !extension->resp) continue; /* skip! */ - if (!IS_OFF(semaphore, ConvertExtType(extension->type))) + if (!IS_OFF(semaphore, TLSX_ToSemaphore(extension->type))) continue; /* skip! */ /* extension type */ @@ -1869,21 +1886,21 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, /* empty extension. */ break; - case ELLIPTIC_CURVES: - offset += EC_WRITE((EllipticCurve*)extension->data, + case ELLIPTIC_CURVES: + offset += EC_WRITE((EllipticCurve*)extension->data, output + offset); - break; + break; - case SECURE_RENEGOTIATION: - offset += SCR_WRITE((SecureRenegotiation*)extension->data, + case SECURE_RENEGOTIATION: + offset += SCR_WRITE((SecureRenegotiation*)extension->data, output + offset, isRequest); - break; + break; } /* writing extension data length */ c16toa(offset - length_offset, output + length_offset - OPAQUE16_LEN); - TURN_ON(semaphore, ConvertExtType(extension->type)); + TURN_ON(semaphore, TLSX_ToSemaphore(extension->type)); } return offset; @@ -1896,7 +1913,7 @@ word16 TLSX_GetRequestSize(CYASSL* ssl) word16 length = 0; if (TLSX_SupportExtensions(ssl)) { - byte semaphore[16] = {0}; + byte semaphore[SEMAPHORE_SIZE] = {0}; EC_VALIDATE_REQUEST(ssl, semaphore); @@ -1921,7 +1938,7 @@ word16 TLSX_WriteRequest(CYASSL* ssl, byte* output) word16 offset = 0; if (TLSX_SupportExtensions(ssl) && output) { - byte semaphore[16] = {0}; + byte semaphore[SEMAPHORE_SIZE] = {0}; offset += OPAQUE16_LEN; /* extensions length */ @@ -1969,7 +1986,7 @@ word16 TLSX_WriteRequest(CYASSL* ssl, byte* output) word16 TLSX_GetResponseSize(CYASSL* ssl) { word16 length = 0; - byte semaphore[16] = {0}; + byte semaphore[SEMAPHORE_SIZE] = {0}; if (TLSX_SupportExtensions(ssl)) length += TLSX_GetSize(ssl->extensions, semaphore, 0); @@ -1987,7 +2004,7 @@ word16 TLSX_WriteResponse(CYASSL *ssl, byte* output) word16 offset = 0; if (TLSX_SupportExtensions(ssl) && output) { - byte semaphore[16] = {0}; + byte semaphore[SEMAPHORE_SIZE] = {0}; offset += OPAQUE16_LEN; /* extensions length */ @@ -2089,15 +2106,9 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest, /* undefining semaphore macros */ #undef IS_OFF #undef TURN_ON +#undef SEMAPHORE_SIZE -#elif defined(HAVE_SNI) \ - || defined(HAVE_MAX_FRAGMENT) \ - || defined(HAVE_TRUNCATED_HMAC) \ - || defined(HAVE_SUPPORTED_CURVES) - -#error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined. - -#endif /* HAVE_TLS_EXTENSIONS */ +#endif #ifndef NO_CYASSL_CLIENT