diff --git a/src/tls.c b/src/tls.c index 86371329f..bfe4ed0e3 100644 --- a/src/tls.c +++ b/src/tls.c @@ -12264,17 +12264,18 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, WOLFSSL_BUFFER(input + offset, size); #endif -#if defined(WOLFSSL_TLS13) && defined(HAVE_SNI) - if (IsAtLeastTLSv1_3(ssl->version) && - msgType != client_hello && - msgType != encrypted_extensions) { - return EXT_NOT_ALLOWED; - } - else if (!IsAtLeastTLSv1_3(ssl->version) && - msgType == encrypted_extensions) { - return EXT_NOT_ALLOWED; +#ifdef WOLFSSL_TLS13 + if (IsAtLeastTLSv1_3(ssl->version)) { + if (msgType != client_hello && + msgType != encrypted_extensions) + return EXT_NOT_ALLOWED; } + else #endif + { + if (msgType != client_hello) + return EXT_NOT_ALLOWED; + } ret = SNI_PARSE(ssl, input + offset, size, isRequest); break; #endif @@ -12285,13 +12286,18 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, WOLFSSL_BUFFER(input + offset, size); #endif -#if defined(WOLFSSL_TLS13) && defined(HAVE_TRUSTED_CA) - if (IsAtLeastTLSv1_3(ssl->version) && - msgType != client_hello && - msgType != encrypted_extensions) { - return EXT_NOT_ALLOWED; +#ifdef WOLFSSL_TLS13 + if (IsAtLeastTLSv1_3(ssl->version)) { + if (msgType != client_hello && + msgType != encrypted_extensions) + return EXT_NOT_ALLOWED; } + else #endif + { + if (msgType != client_hello) + return EXT_NOT_ALLOWED; + } ret = TCA_PARSE(ssl, input + offset, size, isRequest); break; @@ -12301,19 +12307,23 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, WOLFSSL_BUFFER(input + offset, size); #endif -#if defined(WOLFSSL_TLS13) && defined(HAVE_MAX_FRAGMENT) - if (IsAtLeastTLSv1_3(ssl->version) && - msgType != client_hello && +#ifdef WOLFSSL_TLS13 + if (IsAtLeastTLSv1_3(ssl->version)) { + if (msgType != client_hello && msgType != encrypted_extensions) { - WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); - return EXT_NOT_ALLOWED; - } - else if (!IsAtLeastTLSv1_3(ssl->version) && - msgType == encrypted_extensions) { - WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); - return EXT_NOT_ALLOWED; + WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); + return EXT_NOT_ALLOWED; + } } + else #endif + { + if (msgType != client_hello && + msgType != server_hello) { + WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); + return EXT_NOT_ALLOWED; + } + } ret = MFL_PARSE(ssl, input + offset, size, isRequest); break; @@ -12323,10 +12333,12 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, WOLFSSL_BUFFER(input + offset, size); #endif -#if defined(WOLFSSL_TLS13) && defined(HAVE_TRUNCATED_HMAC) +#ifdef WOLFSSL_TLS13 if (IsAtLeastTLSv1_3(ssl->version)) break; #endif + if (msgType != client_hello) + return EXT_NOT_ALLOWED; ret = THM_PARSE(ssl, input + offset, size, isRequest); break; @@ -12336,19 +12348,22 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, WOLFSSL_BUFFER(input + offset, size); #endif -#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES) - if (IsAtLeastTLSv1_3(ssl->version) && - msgType != client_hello && +#ifdef WOLFSSL_TLS13 + if (IsAtLeastTLSv1_3(ssl->version)) { + if (msgType != client_hello && msgType != encrypted_extensions) { - WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); - return EXT_NOT_ALLOWED; - } - else if (!IsAtLeastTLSv1_3(ssl->version) && - msgType == encrypted_extensions) { - WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); - return EXT_NOT_ALLOWED; + WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); + return EXT_NOT_ALLOWED; + } } + else #endif + { + if (msgType != client_hello) { + WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); + return EXT_NOT_ALLOWED; + } + } ret = EC_PARSE(ssl, input + offset, size, isRequest); break; @@ -12358,10 +12373,16 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, WOLFSSL_BUFFER(input + offset, size); #endif -#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES) +#ifdef WOLFSSL_TLS13 if (IsAtLeastTLSv1_3(ssl->version)) break; #endif + if (msgType != client_hello && + msgType != server_hello) { + WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); + return EXT_NOT_ALLOWED; + } + ret = PF_PARSE(ssl, input + offset, size, isRequest); break; @@ -12371,14 +12392,20 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, WOLFSSL_BUFFER(input + offset, size); #endif -#if defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST) - if (IsAtLeastTLSv1_3(ssl->version) && - msgType != client_hello && +#ifdef WOLFSSL_TLS13 + if (IsAtLeastTLSv1_3(ssl->version)) { + if (msgType != client_hello && msgType != certificate_request && - msgType != certificate) { - break; + msgType != certificate) + return EXT_NOT_ALLOWED; } + else #endif + { + if (msgType != client_hello && + msgType != server_hello) + return EXT_NOT_ALLOWED; + } ret = CSR_PARSE(ssl, input + offset, size, isRequest); break; @@ -12389,13 +12416,19 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, #endif #if defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - if (IsAtLeastTLSv1_3(ssl->version) && - msgType != client_hello && + if (IsAtLeastTLSv1_3(ssl->version)) { + if (msgType != client_hello && msgType != certificate_request && - msgType != certificate) { - return EXT_NOT_ALLOWED; + msgType != certificate) + return EXT_NOT_ALLOWED; } + else #endif + { + if (msgType != client_hello && + msgType != server_hello) + return EXT_NOT_ALLOWED; + } ret = CSR2_PARSE(ssl, input + offset, size, isRequest); break; @@ -12410,6 +12443,9 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, if (IsAtLeastTLSv1_3(ssl->version)) break; #endif + if (msgType != client_hello && + msgType != server_hello) + return EXT_NOT_ALLOWED; if (size != 0) return BUFFER_ERROR; @@ -12427,10 +12463,13 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, WOLFSSL_BUFFER(input + offset, size); #endif -#if defined(WOLFSSL_TLS13) && defined(HAVE_SERVER_RENEGOTIATION_INFO) +#ifdef WOLFSSL_TLS13 if (IsAtLeastTLSv1_3(ssl->version)) break; #endif + if (msgType != client_hello && + msgType != server_hello) + return EXT_NOT_ALLOWED; ret = SCR_PARSE(ssl, input + offset, size, isRequest); break; @@ -12441,11 +12480,17 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, #endif #if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) - if (IsAtLeastTLSv1_3(ssl->version) && - msgType != client_hello) { - return EXT_NOT_ALLOWED; + if (IsAtLeastTLSv1_3(ssl->version)) { + if (msgType != client_hello) + return EXT_NOT_ALLOWED; } + else #endif + { + if (msgType != client_hello && + msgType != server_hello) + return EXT_NOT_ALLOWED; + } ret = WOLF_STK_PARSE(ssl, input + offset, size, isRequest); break; @@ -12457,16 +12502,18 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, #endif #if defined(WOLFSSL_TLS13) && defined(HAVE_ALPN) - if (IsAtLeastTLSv1_3(ssl->version) && - msgType != client_hello && - msgType != encrypted_extensions) { - return EXT_NOT_ALLOWED; - } - else if (!IsAtLeastTLSv1_3(ssl->version) && - msgType == encrypted_extensions) { - return EXT_NOT_ALLOWED; + if (IsAtLeastTLSv1_3(ssl->version)) { + if (msgType != client_hello && + msgType != encrypted_extensions) + return EXT_NOT_ALLOWED; } + else #endif + { + if (msgType != client_hello && + msgType != server_hello) + return EXT_NOT_ALLOWED; + } ret = ALPN_PARSE(ssl, input + offset, size, isRequest); break; #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) @@ -12479,12 +12526,17 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, if (!IsAtLeastTLSv1_2(ssl)) break; #ifdef WOLFSSL_TLS13 - if (IsAtLeastTLSv1_3(ssl->version) && - msgType != client_hello && - msgType != certificate_request) { - return EXT_NOT_ALLOWED; + if (IsAtLeastTLSv1_3(ssl->version)) { + if (msgType != client_hello && + msgType != certificate_request) + return EXT_NOT_ALLOWED; } + else #endif + { + if (msgType != client_hello) + return EXT_NOT_ALLOWED; + } ret = SA_PARSE(ssl, input + offset, size, isRequest, suites); break; #endif @@ -12496,6 +12548,9 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, /* Ignore for TLS 1.3+ */ if (IsAtLeastTLSv1_3(ssl->version)) break; + if (msgType != client_hello && + msgType != server_hello) + return EXT_NOT_ALLOWED; ret = ETM_PARSE(ssl, input + offset, size, msgType); break; @@ -12507,6 +12562,10 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, #ifdef WOLFSSL_DEBUG_TLS WOLFSSL_BUFFER(input + offset, size); #endif + if (msgType != client_hello && + msgType != server_hello && + msgType != hello_retry_request) + return EXT_NOT_ALLOWED; break; @@ -12521,7 +12580,7 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, break; if (msgType != client_hello && - msgType != hello_retry_request) { + msgType != hello_retry_request) { return EXT_NOT_ALLOWED; } @@ -12539,7 +12598,8 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, if (!IsAtLeastTLSv1_3(ssl->version)) break; - if (msgType != client_hello && msgType != server_hello) { + if (msgType != client_hello && + msgType != server_hello) { WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); return EXT_NOT_ALLOWED; } @@ -12577,13 +12637,7 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, break; if (msgType != client_hello && msgType != session_ticket && - msgType != encrypted_extensions) { - WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); - return EXT_NOT_ALLOWED; - } - if (!IsAtLeastTLSv1_3(ssl->version) && - (msgType == session_ticket || - msgType == encrypted_extensions)) { + msgType != encrypted_extensions) { WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); return EXT_NOT_ALLOWED; } @@ -12625,11 +12679,6 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); return EXT_NOT_ALLOWED; } - if (!IsAtLeastTLSv1_3(ssl->version) && - msgType == certificate_request) { - WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); - return EXT_NOT_ALLOWED; - } ret = SAC_PARSE(ssl, input + offset, size, isRequest); break;