WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #1938 from SparkiDev/tls13_ext 

Check for TLS 1.3 version in the method for extenstions.
pull/1943/head
toddouska 2018-11-28 08:05:42 -08:00 committed by GitHub
parent 814e45a12b 310ffd0045
commit 2827ef6a57
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 69 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
src/tls.c
View File

@ -6837,7 +6837,7 @@ static int TLSX_KeyShare_Parse(WOLFSSL* ssl, byte* input, word16 length,
byte msgType) byte msgType)
{ {
int ret; int ret;
KeyShareEntry *keyShareEntry; KeyShareEntry *keyShareEntry = NULL;
word16 group; word16 group;
if (msgType == client_hello) { if (msgType == client_hello) {
@ -6897,7 +6897,7 @@ static int TLSX_KeyShare_Parse(WOLFSSL* ssl, byte* input, word16 length,
return BUFFER_ERROR; return BUFFER_ERROR;
/* Not in list sent if there isn't a private key. */ /* Not in list sent if there isn't a private key. */
if (keyShareEntry->key == NULL) if (keyShareEntry == NULL || keyShareEntry->key == NULL)
return BAD_KEY_SHARE_DATA; return BAD_KEY_SHARE_DATA;
/* Process the entry to calculate the secret. */ /* Process the entry to calculate the secret. */
@ -9792,11 +9792,15 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_MSG("SNI extension received"); WOLFSSL_MSG("SNI extension received");
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version) && if (IsAtLeastTLSv1_3(ssl->ctx->method->version) &&
msgType != client_hello && msgType != client_hello &&
msgType != encrypted_extensions) { msgType != encrypted_extensions) {
return EXT_NOT_ALLOWED; return EXT_NOT_ALLOWED;
} }
else if (!IsAtLeastTLSv1_3(ssl->version) &&
msgType == encrypted_extensions) {
return EXT_NOT_ALLOWED;
}
#endif #endif
ret = SNI_PARSE(ssl, input + offset, size, isRequest); ret = SNI_PARSE(ssl, input + offset, size, isRequest);
break; break;
@ -9805,11 +9809,15 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_MSG("Max Fragment Length extension received"); WOLFSSL_MSG("Max Fragment Length extension received");
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version) && if (IsAtLeastTLSv1_3(ssl->ctx->method->version) &&
msgType != client_hello && msgType != client_hello &&
msgType != encrypted_extensions) { msgType != encrypted_extensions) {
return EXT_NOT_ALLOWED; return EXT_NOT_ALLOWED;
} }
else if (!IsAtLeastTLSv1_3(ssl->version) &&
msgType == encrypted_extensions) {
return EXT_NOT_ALLOWED;
}
#endif #endif
ret = MFL_PARSE(ssl, input + offset, size, isRequest); ret = MFL_PARSE(ssl, input + offset, size, isRequest);
break; break;
@ -9818,8 +9826,10 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_MSG("Truncated HMAC extension received"); WOLFSSL_MSG("Truncated HMAC extension received");
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version) && !ssl->options.downgrade) if (IsAtLeastTLSv1_3(ssl->ctx->method->version) &&
!ssl->options.downgrade) {
break; break;
}
#endif #endif
ret = THM_PARSE(ssl, input + offset, size, isRequest); ret = THM_PARSE(ssl, input + offset, size, isRequest);
break; break;
@ -9828,11 +9838,15 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_MSG("Supported Groups extension received"); WOLFSSL_MSG("Supported Groups extension received");
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version) && if (IsAtLeastTLSv1_3(ssl->ctx->method->version) &&
msgType != client_hello && msgType != client_hello &&
msgType != encrypted_extensions) { msgType != encrypted_extensions) {
return EXT_NOT_ALLOWED; return EXT_NOT_ALLOWED;
} }
else if (!IsAtLeastTLSv1_3(ssl->version) &&
msgType == encrypted_extensions) {
return EXT_NOT_ALLOWED;
}
#endif #endif
ret = EC_PARSE(ssl, input + offset, size, isRequest); ret = EC_PARSE(ssl, input + offset, size, isRequest);
break; break;
@ -9841,8 +9855,10 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_MSG("Point Formats extension received"); WOLFSSL_MSG("Point Formats extension received");
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version) && !ssl->options.downgrade) if (IsAtLeastTLSv1_3(ssl->ctx->method->version) &&
!ssl->options.downgrade) {
break; break;
}
#endif #endif
ret = PF_PARSE(ssl, input + offset, size, isRequest); ret = PF_PARSE(ssl, input + offset, size, isRequest);
break; break;
@ -9851,8 +9867,10 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_MSG("Certificate Status Request extension received"); WOLFSSL_MSG("Certificate Status Request extension received");
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version) && !ssl->options.downgrade) if (IsAtLeastTLSv1_3(ssl->ctx->method->version) &&
!ssl->options.downgrade) {
break; break;
}
#endif #endif
ret = CSR_PARSE(ssl, input + offset, size, isRequest); ret = CSR_PARSE(ssl, input + offset, size, isRequest);
break; break;
@ -9861,7 +9879,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_MSG("Certificate Status Request v2 extension received"); WOLFSSL_MSG("Certificate Status Request v2 extension received");
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version) && if (IsAtLeastTLSv1_3(ssl->ctx->method->version) &&
msgType != client_hello && msgType != client_hello &&
msgType != certificate_request && msgType != certificate_request &&
msgType != certificate) { msgType != certificate) {
@ -9876,8 +9894,10 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_MSG("Extended Master Secret extension received"); WOLFSSL_MSG("Extended Master Secret extension received");
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version) && !ssl->options.downgrade) if (IsAtLeastTLSv1_3(ssl->ctx->method->version) &&
!ssl->options.downgrade) {
break; break;
}
#endif #endif
#ifndef NO_WOLFSSL_SERVER #ifndef NO_WOLFSSL_SERVER
if (isRequest) if (isRequest)
@ -9891,8 +9911,10 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_MSG("Secure Renegotiation extension received"); WOLFSSL_MSG("Secure Renegotiation extension received");
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version) && !ssl->options.downgrade) if (IsAtLeastTLSv1_3(ssl->ctx->method->version) &&
!ssl->options.downgrade) {
break; break;
}
#endif #endif
ret = SCR_PARSE(ssl, input + offset, size, isRequest); ret = SCR_PARSE(ssl, input + offset, size, isRequest);
break; break;
@ -9913,8 +9935,10 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_MSG("Quantum-Safe-Hybrid extension received"); WOLFSSL_MSG("Quantum-Safe-Hybrid extension received");
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version) && !ssl->options.downgrade) if (IsAtLeastTLSv1_3(ssl->ctx->method->version) &&
!ssl->options.downgrade) {
break; break;
}
#endif #endif
ret = QSH_PARSE(ssl, input + offset, size, isRequest); ret = QSH_PARSE(ssl, input + offset, size, isRequest);
break; break;
@ -9923,11 +9947,15 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_MSG("ALPN extension received"); WOLFSSL_MSG("ALPN extension received");
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version) && if (IsAtLeastTLSv1_3(ssl->ctx->method->version) &&
msgType != client_hello && msgType != client_hello &&
msgType != encrypted_extensions) { msgType != encrypted_extensions) {
return EXT_NOT_ALLOWED; return EXT_NOT_ALLOWED;
} }
else if (!IsAtLeastTLSv1_3(ssl->version) &&
msgType == encrypted_extensions) {
return EXT_NOT_ALLOWED;
}
#endif #endif
ret = ALPN_PARSE(ssl, input + offset, size, isRequest); ret = ALPN_PARSE(ssl, input + offset, size, isRequest);
break; break;
@ -9939,7 +9967,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
break; break;
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version) && if (IsAtLeastTLSv1_3(ssl->ctx->method->version) &&
msgType != client_hello && msgType != client_hello &&
msgType != certificate_request) { msgType != certificate_request) {
return EXT_NOT_ALLOWED; return EXT_NOT_ALLOWED;
@ -9955,7 +9983,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
if (!IsAtLeastTLSv1_3(ssl->ctx->method->version)) if (!IsAtLeastTLSv1_3(ssl->ctx->method->version))
break; break;
if (IsAtLeastTLSv1_3(ssl->version) && if (
#ifdef WOLFSSL_TLS13_DRAFT_18 #ifdef WOLFSSL_TLS13_DRAFT_18
msgType != client_hello msgType != client_hello
#else #else
@ -9972,14 +10000,14 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
case TLSX_COOKIE: case TLSX_COOKIE:
WOLFSSL_MSG("Cookie extension received"); WOLFSSL_MSG("Cookie extension received");
if (!IsAtLeastTLSv1_3(ssl->version)) if (!IsAtLeastTLSv1_3(ssl->ctx->method->version))
break; break;
if (IsAtLeastTLSv1_3(ssl->version) && if (msgType != client_hello &&
msgType != client_hello &&
msgType != hello_retry_request) { msgType != hello_retry_request) {
return EXT_NOT_ALLOWED; return EXT_NOT_ALLOWED;
} }
ret = CKE_PARSE(ssl, input + offset, size, msgType); ret = CKE_PARSE(ssl, input + offset, size, msgType);
break; break;
@ -9990,11 +10018,9 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
if (!IsAtLeastTLSv1_3(ssl->ctx->method->version)) if (!IsAtLeastTLSv1_3(ssl->ctx->method->version))
break; break;
if (IsAtLeastTLSv1_3(ssl->version) && if (msgType != client_hello && msgType != server_hello)
msgType != client_hello &&
msgType != server_hello) {
return EXT_NOT_ALLOWED; return EXT_NOT_ALLOWED;
}
ret = PSK_PARSE(ssl, input + offset, size, msgType); ret = PSK_PARSE(ssl, input + offset, size, msgType);
pskDone = 1; pskDone = 1;
break; break;
@ -10002,13 +10028,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
case TLSX_PSK_KEY_EXCHANGE_MODES: case TLSX_PSK_KEY_EXCHANGE_MODES:
WOLFSSL_MSG("PSK Key Exchange Modes extension received"); WOLFSSL_MSG("PSK Key Exchange Modes extension received");
if (!IsAtLeastTLSv1_3(ssl->version)) if (!IsAtLeastTLSv1_3(ssl->ctx->method->version))
break; break;
if (IsAtLeastTLSv1_3(ssl->version) && if (msgType != client_hello)
msgType != client_hello) {
return EXT_NOT_ALLOWED; return EXT_NOT_ALLOWED;
}
ret = PKM_PARSE(ssl, input + offset, size, msgType); ret = PKM_PARSE(ssl, input + offset, size, msgType);
break; break;
#endif #endif
@ -10017,13 +10042,16 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
case TLSX_EARLY_DATA: case TLSX_EARLY_DATA:
WOLFSSL_MSG("Early Data extension received"); WOLFSSL_MSG("Early Data extension received");
if (!IsAtLeastTLSv1_3(ssl->version)) if (!IsAtLeastTLSv1_3(ssl->ctx->method->version))
break; break;
if (IsAtLeastTLSv1_3(ssl->version) && if (msgType != client_hello && msgType != session_ticket &&
msgType != client_hello && msgType != encrypted_extensions) {
msgType != session_ticket && return EXT_NOT_ALLOWED;
msgType != encrypted_extensions) { }
if (!IsAtLeastTLSv1_3(ssl->version) &&
(msgType == session_ticket ||
msgType == encrypted_extensions)) {
return EXT_NOT_ALLOWED; return EXT_NOT_ALLOWED;
} }
ret = EDI_PARSE(ssl, input + offset, size, msgType); ret = EDI_PARSE(ssl, input + offset, size, msgType);
@ -10034,13 +10062,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
case TLSX_POST_HANDSHAKE_AUTH: case TLSX_POST_HANDSHAKE_AUTH:
WOLFSSL_MSG("Post Handshake Authentication extension received"); WOLFSSL_MSG("Post Handshake Authentication extension received");
if (!IsAtLeastTLSv1_3(ssl->version)) if (!IsAtLeastTLSv1_3(ssl->ctx->method->version))
break; break;
if (IsAtLeastTLSv1_3(ssl->version) && if (msgType != client_hello)
msgType != client_hello) {
return EXT_NOT_ALLOWED; return EXT_NOT_ALLOWED;
}
ret = PHA_PARSE(ssl, input + offset, size, msgType); ret = PHA_PARSE(ssl, input + offset, size, msgType);
break; break;
#endif #endif
@ -10049,14 +10076,17 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
case TLSX_SIGNATURE_ALGORITHMS_CERT: case TLSX_SIGNATURE_ALGORITHMS_CERT:
WOLFSSL_MSG("Signature Algorithms extension received"); WOLFSSL_MSG("Signature Algorithms extension received");
if (!IsAtLeastTLSv1_3(ssl->version)) if (!IsAtLeastTLSv1_3(ssl->ctx->method->version))
break; break;
if (IsAtLeastTLSv1_3(ssl->version) && if (msgType != client_hello &&
msgType != client_hello &&
msgType != certificate_request) { msgType != certificate_request) {
return EXT_NOT_ALLOWED; return EXT_NOT_ALLOWED;
} }
if (!IsAtLeastTLSv1_3(ssl->version) &&
msgType == certificate_request) {
return EXT_NOT_ALLOWED;
}
ret = SAC_PARSE(ssl, input + offset, size, isRequest); ret = SAC_PARSE(ssl, input + offset, size, isRequest);
break; break;
@ -10068,9 +10098,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
if (!IsAtLeastTLSv1_3(ssl->ctx->method->version)) if (!IsAtLeastTLSv1_3(ssl->ctx->method->version))
break; break;
if (IsAtLeastTLSv1_3(ssl->ctx->method->version) && if (msgType != client_hello && msgType != server_hello &&
msgType != client_hello &&
msgType != server_hello &&
msgType != hello_retry_request) { msgType != hello_retry_request) {
return EXT_NOT_ALLOWED; return EXT_NOT_ALLOWED;
} }