From c340d78c93c9a5323a404c45107594519e6d5adc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= <moisesguimaraesm@gmail.com>
Date: Fri, 26 Sep 2014 15:57:37 -0300
Subject: [PATCH] adds SESSION_TICKET extension id. adds HAVE_TLS_EXTENSIONS as
 a dependency to HAVE_SECURE_RENEGOTIATION reduces tlsx semaphore from 16 to 8
 bytes (128 flags to 64 flags). refactors ConvertExtType() to
 TLSX_ToSemaphore() for a better name and behavior. Now the overflowing flags
 are set backwards from the end of the flags to avoid collisions.

---
 cyassl/internal.h | 18 ++++++++++---
 src/internal.c    |  8 +++---
 src/tls.c         | 69 +++++++++++++++++++++++++++--------------------
 3 files changed, 58 insertions(+), 37 deletions(-)

diff --git a/cyassl/internal.h b/cyassl/internal.h
index 66d4041f6..600e3461b 100644
--- a/cyassl/internal.h
+++ b/cyassl/internal.h
@@ -1233,6 +1233,7 @@ typedef enum {
     MAX_FRAGMENT_LENGTH    = 0x0001,
     TRUNCATED_HMAC         = 0x0004,
     ELLIPTIC_CURVES        = 0x000a,
+    SESSION_TICKET         = 0x0023,
     SECURE_RENEGOTIATION   = 0xff01
 } TLSX_Type;
 
@@ -1243,9 +1244,9 @@ typedef struct TLSX {
     struct TLSX* next; /* List Behavior   */
 } TLSX;
 
-CYASSL_LOCAL TLSX* TLSX_Find(TLSX* list, TLSX_Type type);
-CYASSL_LOCAL void TLSX_FreeAll(TLSX* list);
-CYASSL_LOCAL int TLSX_SupportExtensions(CYASSL* ssl);
+CYASSL_LOCAL TLSX*  TLSX_Find(TLSX* list, TLSX_Type type);
+CYASSL_LOCAL void   TLSX_FreeAll(TLSX* list);
+CYASSL_LOCAL int    TLSX_SupportExtensions(CYASSL* ssl);
 
 #ifndef NO_CYASSL_CLIENT
 CYASSL_LOCAL word16 TLSX_GetRequestSize(CYASSL* ssl);
@@ -1259,6 +1260,16 @@ CYASSL_LOCAL word16 TLSX_WriteResponse(CYASSL* ssl, byte* output);
 
 CYASSL_LOCAL int    TLSX_Parse(CYASSL* ssl, byte* input, word16 length,
                                                 byte isRequest, Suites *suites);
+                                                
+#elif defined(HAVE_SNI)                 \
+   || defined(HAVE_MAX_FRAGMENT)        \
+   || defined(HAVE_TRUNCATED_HMAC)      \
+   || defined(HAVE_SUPPORTED_CURVES)    \
+   || defined(HAVE_SECURE_RENEGOTIATION)
+
+#error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined.
+
+#endif /* HAVE_TLS_EXTENSIONS */
 
 /* Server Name Indication */
 #ifdef HAVE_SNI
@@ -1342,7 +1353,6 @@ CYASSL_LOCAL int TLSX_UseSecureRenegotiation(TLSX** extensions);
 
 #endif /* HAVE_SECURE_RENEGOTIATION */
 
-#endif /* HAVE_TLS_EXTENSIONS */
 
 /* CyaSSL context type */
 struct CYASSL_CTX {
diff --git a/src/internal.c b/src/internal.c
index 93d239140..53c66f8ec 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -4421,7 +4421,7 @@ int DoFinished(CYASSL* ssl, const byte* input, word32* inOutIdx, word32 size,
         }
     }
 
-#if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_TLS_EXTENSIONS)
+#ifdef HAVE_SECURE_RENEGOTIATION
     if (ssl->secure_renegotiation) {
         /* save peer's state */
         if (ssl->options.side == CYASSL_CLIENT_END)
@@ -4431,7 +4431,7 @@ int DoFinished(CYASSL* ssl, const byte* input, word32* inOutIdx, word32 size,
             XMEMCPY(ssl->secure_renegotiation->client_verify_data,
                     input + *inOutIdx, TLS_FINISHED_SZ);
     }
-#endif /* (HAVE_SECURE_RENEGOTIATION) && (HAVE_TLS_EXTENSIONS) */
+#endif
 
     /* force input exhaustion at ProcessReply consuming padSz */
     *inOutIdx += size + ssl->keys.padSz;
@@ -6784,7 +6784,7 @@ int SendFinished(CYASSL* ssl)
                       ssl->options.side == CYASSL_CLIENT_END ? client : server);
     if (ret != 0) return ret;
 
-#if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_TLS_EXTENSIONS)
+#ifdef HAVE_SECURE_RENEGOTIATION
     if (ssl->secure_renegotiation) {
         if (ssl->options.side == CYASSL_CLIENT_END)
             XMEMCPY(ssl->secure_renegotiation->client_verify_data, hashes,
@@ -6793,7 +6793,7 @@ int SendFinished(CYASSL* ssl)
             XMEMCPY(ssl->secure_renegotiation->server_verify_data, hashes,
                     TLS_FINISHED_SZ);
     }
-#endif /* HAVE_SECURE_RENEGOTIATION && HAVE_TLS_EXTENSIONS */
+#endif
 
     sendSz = BuildMessage(ssl, output, outputSz, input, headerSz + finishedSz,
                           handshake);
diff --git a/src/tls.c b/src/tls.c
index 1235adcc7..5f95a5319 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -704,12 +704,29 @@ int TLS_hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz,
 #ifdef HAVE_TLS_EXTENSIONS
 
 
-static INLINE word16 ConvertExtType(word16 type)
-{
-    if (type < 0x10)
-        return type;
+/** Supports up to 64 flags. Update as needed. */
+#define SEMAPHORE_SIZE 8
 
-    return 0x0a + (type & 0xFF);
+
+static INLINE word16 TLSX_ToSemaphore(word16 type)
+{
+    switch (type) {
+        case SECURE_RENEGOTIATION:
+            return 63;
+
+        default:
+            if (type > 62) {
+                /* This message SHOULD only happens during the adding of
+                   new TLS extensions in which its IANA number overflows
+                   the current semaphore's range, or if its number already
+                   is assigned to be used by another extension.
+                   Use this check value for the new extension and decrement
+                   the check value by one. */
+                CYASSL_MSG("### TLSX semaphore colision or overflow detected!");
+            }
+    }
+    
+    return type;
 }
 
 
@@ -718,7 +735,7 @@ static INLINE word16 ConvertExtType(word16 type)
 
 
 #define TURN_ON(semaphore, light) \
-    ((semaphore)[(light) / 8] |= (byte) (0x01 << ((light) % 8)))
+    ((semaphore)[(light) / 8] |= (byte) (0xff01 << ((light) % 8)))
 
 
 static int TLSX_Push(TLSX** list, TLSX_Type type, void* data)
@@ -1386,7 +1403,7 @@ static void TLSX_EllipticCurve_ValidateRequest(CYASSL* ssl, byte* semaphore)
             return;
 
     /* No elliptic curve suite found */
-    TURN_ON(semaphore, ConvertExtType(ELLIPTIC_CURVES));
+    TURN_ON(semaphore, TLSX_ToSemaphore(ELLIPTIC_CURVES));
 }
 
 static word16 TLSX_EllipticCurve_GetSize(EllipticCurve* list)
@@ -1799,7 +1816,7 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
         if (!isRequest && !extension->resp)
             continue; /* skip! */
 
-        if (!IS_OFF(semaphore, ConvertExtType(extension->type)))
+        if (!IS_OFF(semaphore, TLSX_ToSemaphore(extension->type)))
             continue; /* skip! */
 
         /* type + data length */
@@ -1827,7 +1844,7 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
                 break;
         }
 
-        TURN_ON(semaphore, ConvertExtType(extension->type));
+        TURN_ON(semaphore, TLSX_ToSemaphore(extension->type));
     }
 
     return length;
@@ -1846,7 +1863,7 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
         if (!isRequest && !extension->resp)
             continue; /* skip! */
 
-        if (!IS_OFF(semaphore, ConvertExtType(extension->type)))
+        if (!IS_OFF(semaphore, TLSX_ToSemaphore(extension->type)))
             continue; /* skip! */
 
         /* extension type */
@@ -1869,21 +1886,21 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
                 /* empty extension. */
                 break;
 
-                case ELLIPTIC_CURVES:
-                    offset += EC_WRITE((EllipticCurve*)extension->data,
+            case ELLIPTIC_CURVES:
+                offset += EC_WRITE((EllipticCurve*)extension->data,
                                                                output + offset);
-                    break;
+                break;
 
-                case SECURE_RENEGOTIATION:
-                    offset += SCR_WRITE((SecureRenegotiation*)extension->data,
+            case SECURE_RENEGOTIATION:
+                offset += SCR_WRITE((SecureRenegotiation*)extension->data,
                                                     output + offset, isRequest);
-                    break;
+                break;
         }
 
         /* writing extension data length */
         c16toa(offset - length_offset, output + length_offset - OPAQUE16_LEN);
 
-        TURN_ON(semaphore, ConvertExtType(extension->type));
+        TURN_ON(semaphore, TLSX_ToSemaphore(extension->type));
     }
 
     return offset;
@@ -1896,7 +1913,7 @@ word16 TLSX_GetRequestSize(CYASSL* ssl)
     word16 length = 0;
 
     if (TLSX_SupportExtensions(ssl)) {
-        byte semaphore[16] = {0};
+        byte semaphore[SEMAPHORE_SIZE] = {0};
 
         EC_VALIDATE_REQUEST(ssl, semaphore);
 
@@ -1921,7 +1938,7 @@ word16 TLSX_WriteRequest(CYASSL* ssl, byte* output)
     word16 offset = 0;
 
     if (TLSX_SupportExtensions(ssl) && output) {
-        byte semaphore[16] = {0};
+        byte semaphore[SEMAPHORE_SIZE] = {0};
 
         offset += OPAQUE16_LEN; /* extensions length */
 
@@ -1969,7 +1986,7 @@ word16 TLSX_WriteRequest(CYASSL* ssl, byte* output)
 word16 TLSX_GetResponseSize(CYASSL* ssl)
 {
     word16 length = 0;
-    byte semaphore[16] = {0};
+    byte semaphore[SEMAPHORE_SIZE] = {0};
 
     if (TLSX_SupportExtensions(ssl))
         length += TLSX_GetSize(ssl->extensions, semaphore, 0);
@@ -1987,7 +2004,7 @@ word16 TLSX_WriteResponse(CYASSL *ssl, byte* output)
     word16 offset = 0;
 
     if (TLSX_SupportExtensions(ssl) && output) {
-        byte semaphore[16] = {0};
+        byte semaphore[SEMAPHORE_SIZE] = {0};
 
         offset += OPAQUE16_LEN; /* extensions length */
 
@@ -2089,15 +2106,9 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest,
 /* undefining semaphore macros */
 #undef IS_OFF
 #undef TURN_ON
+#undef SEMAPHORE_SIZE
 
-#elif defined(HAVE_SNI)             \
-   || defined(HAVE_MAX_FRAGMENT)    \
-   || defined(HAVE_TRUNCATED_HMAC)  \
-   || defined(HAVE_SUPPORTED_CURVES)
-
-#error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined.
-
-#endif /* HAVE_TLS_EXTENSIONS */
+#endif
 
 
 #ifndef NO_CYASSL_CLIENT