Merge branch 'master' of github.com:cyassl/cyassl

John Safranek
2014-02-11 14:48:21 -08:00
6 changed files with 165 additions and 82 deletions


@@ -1340,6 +1340,30 @@ then
fi fi
# Certificate Service Support
AC_ARG_ENABLE([certservice],
[ --enable-certservice Enable cert service (default: disabled)],
[ ENABLED_CERT_SERVICE=$enableval ],
[ ENABLED_CERT_SERVICE=no ]
)
if test "$ENABLED_CERT_SERVICE" = "yes"
then
# Requires ecc and certgen, make sure on
if test "x$ENABLED_CERTGEN" = "xno"
then
ENABLED_CERTGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DCYASSL_CERT_GEN"
fi
if test "x$ENABLED_ECC" = "xno"
then
ENABLED_ECC="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR"
AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"])
fi
AM_CFLAGS="$AM_CFLAGS -DCYASSL_HAVE_CERT_SERVICE"
fi
# set fastmath default # set fastmath default
FASTMATH_DEFAULT=no FASTMATH_DEFAULT=no
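Review bot: `AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"])` is invoked inside the shell `if` that force-enables ECC, and automake needs every AM_CONDITIONAL evaluated on each configure run; if BUILD_ECC is already defined unconditionally elsewhere in configure.ac this is a second definition, and if it is not, a run where ECC was already on skips it and configure fails with a "conditional was never defined" error. Either drop the line here and let the existing definition pick up the updated ENABLED_ECC, or move it after the `if`. The block also hard-codes the ECC flag set `-DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR` a second time instead of sharing it with the --enable-ecc handling, so the two can drift; a comment naming where the canonical set lives, or a shell variable holding it, would keep them aligned.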


@@ -1285,9 +1285,13 @@ CYASSL_API int CyaSSL_accept_ex(CYASSL*, HandShakeCallBack, TimeoutCallBack,
#ifdef CYASSL_HAVE_WOLFSCEP #ifdef CYASSL_HAVE_WOLFSCEP
CYASSL_API void CyaSSL_wolfSCEP(void); CYASSL_API void CyaSSL_wolfSCEP(void);
#endif /* CYASSL_HAVE_WOLFSCEP */ #endif /* CYASSL_HAVE_WOLFSCEP */
#ifdef CYASSL_HAVE_CERT_SERVICE
CYASSL_API void CyaSSL_cert_service(void);
#endif
#ifdef __cplusplus #ifdef __cplusplus
} /* extern "C" */ } /* extern "C" */
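Review bot: The new `#endif` closing the CYASSL_HAVE_CERT_SERVICE block carries no trailing comment, unlike the `#endif /* CYASSL_HAVE_WOLFSCEP */` directly above it; `#endif /* CYASSL_HAVE_CERT_SERVICE */` keeps the header consistent. A one-line comment on the prototype stating that it exists only as an autoconf link probe, as the ssl.c definition in this commit notes, would save the next reader from searching for callers.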


@@ -9988,30 +9988,39 @@ static void PickHashSigAlgo(CYASSL* ssl,
static int DoClientHello(CYASSL* ssl, const byte* input, word32* inOutIdx, static int DoClientHello(CYASSL* ssl, const byte* input, word32* inOutIdx,
word32 totalSz, word32 helloSz) word32 totalSz, word32 helloSz)
{ {
byte b; byte b;
ProtocolVersion pv; ProtocolVersion pv;
Suites clSuites; Suites clSuites;
word32 i = *inOutIdx; word32 i = *inOutIdx;
word32 begin = i; word32 begin = i;
#ifdef CYASSL_CALLBACKS #ifdef CYASSL_CALLBACKS
if (ssl->hsInfoOn) AddPacketName("ClientHello", &ssl->handShakeInfo); if (ssl->hsInfoOn) AddPacketName("ClientHello", &ssl->handShakeInfo);
if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo); if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo);
#endif #endif
/* make sure can read up to session */
if (i + sizeof(pv) + RAN_LEN + ENUM_LEN > totalSz) /* make sure can read the client hello */
if (begin + helloSz > totalSz)
return INCOMPLETE_DATA; return INCOMPLETE_DATA;
XMEMCPY(&pv, input + i, sizeof(pv)); /* protocol version, random and session id length check */
if ((i - begin) + OPAQUE16_LEN + RAN_LEN + ENUM_LEN > helloSz)
return BUFFER_ERROR;
/* protocol version */
XMEMCPY(&pv, input + i, OPAQUE16_LEN);
ssl->chVersion = pv; /* store */ ssl->chVersion = pv; /* store */
i += (word32)sizeof(pv); i += OPAQUE16_LEN;
if (ssl->version.minor > pv.minor) { if (ssl->version.minor > pv.minor) {
byte haveRSA = 0; byte haveRSA = 0;
byte havePSK = 0; byte havePSK = 0;
if (!ssl->options.downgrade) { if (!ssl->options.downgrade) {
CYASSL_MSG("Client trying to connect with lesser version"); CYASSL_MSG("Client trying to connect with lesser version");
return VERSION_ERROR; return VERSION_ERROR;
} }
if (pv.minor == SSLv3_MINOR) { if (pv.minor == SSLv3_MINOR) {
/* turn off tls */ /* turn off tls */
CYASSL_MSG(" downgrading to SSLv3"); CYASSL_MSG(" downgrading to SSLv3");
@@ -10040,6 +10049,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
ssl->options.side); ssl->options.side);
} }
/* random */ /* random */
XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN); XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN);
i += RAN_LEN; i += RAN_LEN;
@@ -10053,79 +10063,103 @@ static void PickHashSigAlgo(CYASSL* ssl,
printf("\n"); printf("\n");
} }
#endif #endif
/* session id */ /* session id */
b = input[i++]; b = input[i++];
if (b) {
if (i + ID_LEN > totalSz) if (b == ID_LEN) {
return INCOMPLETE_DATA; if ((i - begin) + ID_LEN > helloSz)
return BUFFER_ERROR;
XMEMCPY(ssl->arrays->sessionID, input + i, ID_LEN); XMEMCPY(ssl->arrays->sessionID, input + i, ID_LEN);
i += b; i += ID_LEN;
ssl->options.resuming= 1; /* client wants to resume */ ssl->options.resuming = 1; /* client wants to resume */
CYASSL_MSG("Client wants to resume session"); CYASSL_MSG("Client wants to resume session");
} }
else if (b)
return BUFFER_ERROR; /* session ID nor 0 neither 32 bytes long */
#ifdef CYASSL_DTLS #ifdef CYASSL_DTLS
/* cookie */ /* cookie */
if (ssl->options.dtls) { if (ssl->options.dtls) {
if ((i - begin) + ENUM_LEN > helloSz)
return BUFFER_ERROR;
b = input[i++]; b = input[i++];
if (b) { if (b) {
byte cookie[MAX_COOKIE_LEN]; byte cookie[MAX_COOKIE_LEN];
if (b > MAX_COOKIE_LEN) if (b > MAX_COOKIE_LEN)
return BUFFER_ERROR; return BUFFER_ERROR;
if (i + b > totalSz)
return INCOMPLETE_DATA; if ((i - begin) + b > helloSz)
return BUFFER_ERROR;
if (ssl->ctx->CBIOCookie == NULL) { if (ssl->ctx->CBIOCookie == NULL) {
CYASSL_MSG("Your Cookie callback is null, please set"); CYASSL_MSG("Your Cookie callback is null, please set");
return COOKIE_ERROR; return COOKIE_ERROR;
} }
if ((ssl->ctx->CBIOCookie(ssl, cookie, COOKIE_SZ, if ((ssl->ctx->CBIOCookie(ssl, cookie, COOKIE_SZ,
ssl->IOCB_CookieCtx) != COOKIE_SZ) ssl->IOCB_CookieCtx) != COOKIE_SZ)
|| (b != COOKIE_SZ) || (b != COOKIE_SZ)
|| (XMEMCMP(cookie, input + i, b) != 0)) { || (XMEMCMP(cookie, input + i, b) != 0)) {
return COOKIE_ERROR; return COOKIE_ERROR;
} }
i += b; i += b;
} }
} }
#endif #endif
if (i + LENGTH_SZ > totalSz)
return INCOMPLETE_DATA;
/* suites */ /* suites */
ato16(&input[i], &clSuites.suiteSz); if ((i - begin) + OPAQUE16_LEN > helloSz)
i += 2; return BUFFER_ERROR;
ato16(&input[i], &clSuites.suiteSz);
i += OPAQUE16_LEN;
/* suites and compression length check */
if ((i - begin) + clSuites.suiteSz + ENUM_LEN > helloSz)
return BUFFER_ERROR;
/* suites and comp len */
if (i + clSuites.suiteSz + ENUM_LEN > totalSz)
return INCOMPLETE_DATA;
if (clSuites.suiteSz > MAX_SUITE_SZ) if (clSuites.suiteSz > MAX_SUITE_SZ)
return BUFFER_ERROR; return BUFFER_ERROR;
XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz); XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz);
i += clSuites.suiteSz; i += clSuites.suiteSz;
clSuites.hashSigAlgoSz = 0; clSuites.hashSigAlgoSz = 0;
b = input[i++]; /* comp len */ /* compression length */
if (i + b > totalSz) b = input[i++];
return INCOMPLETE_DATA;
if ((i - begin) + b > helloSz)
return BUFFER_ERROR;
if (ssl->options.usingCompression) { if (ssl->options.usingCompression) {
int match = 0; int match = 0;
while (b--) { while (b--) {
byte comp = input[i++]; byte comp = input[i++];
if (comp == ZLIB_COMPRESSION) if (comp == ZLIB_COMPRESSION)
match = 1; match = 1;
} }
if (!match) { if (!match) {
CYASSL_MSG("Not matching compression, turning off"); CYASSL_MSG("Not matching compression, turning off");
ssl->options.usingCompression = 0; /* turn off */ ssl->options.usingCompression = 0; /* turn off */
} }
} }
else else
i += b; /* ignore, since we're not on */ i += b; /* ignore, since we're not on */
*inOutIdx = i; *inOutIdx = i;
if ( (i - begin) < helloSz) {
/* tls extensions */
if ((i - begin) < helloSz) {
#ifdef HAVE_TLS_EXTENSIONS #ifdef HAVE_TLS_EXTENSIONS
if (IsTLS(ssl)) { if (IsTLS(ssl)) {
int ret = 0; int ret = 0;
@@ -10135,10 +10169,14 @@ static void PickHashSigAlgo(CYASSL* ssl,
/* Process the hello extension. Skip unsupported. */ /* Process the hello extension. Skip unsupported. */
word16 totalExtSz; word16 totalExtSz;
if ((i - begin) + OPAQUE16_LEN > helloSz)
return BUFFER_ERROR;
ato16(&input[i], &totalExtSz); ato16(&input[i], &totalExtSz);
i += LENGTH_SZ; i += OPAQUE16_LEN;
if (totalExtSz > helloSz + begin - i)
return INCOMPLETE_DATA; if ((i - begin) + totalExtSz > helloSz)
return BUFFER_ERROR;
#ifdef HAVE_TLS_EXTENSIONS #ifdef HAVE_TLS_EXTENSIONS
if ((ret = TLSX_Parse(ssl, (byte *) input + i, if ((ret = TLSX_Parse(ssl, (byte *) input + i,
@@ -10150,18 +10188,23 @@ static void PickHashSigAlgo(CYASSL* ssl,
while (totalExtSz) { while (totalExtSz) {
word16 extId, extSz; word16 extId, extSz;
if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz)
return BUFFER_ERROR;
ato16(&input[i], &extId); ato16(&input[i], &extId);
i += LENGTH_SZ; i += OPAQUE16_LEN;
ato16(&input[i], &extSz); ato16(&input[i], &extSz);
i += EXT_ID_SZ; i += OPAQUE16_LEN;
if (extSz > totalExtSz - LENGTH_SZ - EXT_ID_SZ)
return INCOMPLETE_DATA; if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz)
return BUFFER_ERROR;
if (extId == HELLO_EXT_SIG_ALGO) { if (extId == HELLO_EXT_SIG_ALGO) {
ato16(&input[i], &clSuites.hashSigAlgoSz); ato16(&input[i], &clSuites.hashSigAlgoSz);
i += LENGTH_SZ; i += OPAQUE16_LEN;
if (clSuites.hashSigAlgoSz > extSz - LENGTH_SZ)
return INCOMPLETE_DATA; if (OPAQUE16_LEN + clSuites.hashSigAlgoSz > extSz)
return BUFFER_ERROR;
XMEMCPY(clSuites.hashSigAlgo, &input[i], XMEMCPY(clSuites.hashSigAlgo, &input[i],
min(clSuites.hashSigAlgoSz, HELLO_EXT_SIGALGO_MAX)); min(clSuites.hashSigAlgoSz, HELLO_EXT_SIGALGO_MAX));
@@ -10170,27 +10213,29 @@ static void PickHashSigAlgo(CYASSL* ssl,
else else
i += extSz; i += extSz;
totalExtSz -= LENGTH_SZ + EXT_ID_SZ + extSz; totalExtSz -= OPAQUE16_LEN + OPAQUE16_LEN + extSz;
} }
#endif #endif
*inOutIdx = i; *inOutIdx = i;
} }
else else
*inOutIdx = begin + helloSz; /* skip extensions */ *inOutIdx = begin + helloSz; /* skip extensions */
} }
ssl->options.clientState = CLIENT_HELLO_COMPLETE; ssl->options.clientState = CLIENT_HELLO_COMPLETE;
ssl->options.haveSessionId = 1; ssl->options.haveSessionId = 1;
/* ProcessOld uses same resume code */ /* ProcessOld uses same resume code */
if (ssl->options.resuming && (!ssl->options.dtls || if (ssl->options.resuming && (!ssl->options.dtls ||
ssl->options.acceptState == HELLO_VERIFY_SENT)) { /* let's try */ ssl->options.acceptState == HELLO_VERIFY_SENT)) { /* let's try */
int ret = -1; int ret = -1;
CYASSL_SESSION* session = GetSession(ssl,ssl->arrays->masterSecret); CYASSL_SESSION* session = GetSession(ssl,ssl->arrays->masterSecret);
if (!session) { if (!session) {
CYASSL_MSG("Session lookup for resume failed"); CYASSL_MSG("Session lookup for resume failed");
ssl->options.resuming = 0; ssl->options.resuming = 0;
} else { }
else {
if (MatchSuite(ssl, &clSuites) < 0) { if (MatchSuite(ssl, &clSuites) < 0) {
CYASSL_MSG("Unsupported cipher suite, ClientHello"); CYASSL_MSG("Unsupported cipher suite, ClientHello");
return UNSUPPORTED_SUITE; return UNSUPPORTED_SUITE;
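Review bot: In the HELLO_EXT_SIG_ALGO branch, `ato16(&input[i], &clSuites.hashSigAlgoSz)` still runs before the new `OPAQUE16_LEN + clSuites.hashSigAlgoSz > extSz` check, so an extension advertising an extSz of 0 or 1 has its two length bytes read from the following extension or, for the last extension, from beyond helloSz and possibly beyond the data actually received; a guard `if (extSz < OPAQUE16_LEN) return BUFFER_ERROR;` placed before the ato16 closes that. The copy is clamped with min(..., HELLO_EXT_SIGALGO_MAX) but clSuites.hashSigAlgoSz keeps the client's full value, so if PickHashSigAlgo iterates by that count the stored size should be clamped the same way. The session-id branch now rejects every non-zero length other than ID_LEN with BUFFER_ERROR, which is stricter than the 0..32 range the protocol permits; skipping a shorter ID and treating the hello as not resuming would be the interoperable choice. DoClientHello continues past the last hunk.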


@@ -962,12 +962,13 @@ int ssl_SetPrivateKey(const char* serverAddress, int port, const char* keyFile,
/* Check IP Header for IPV4, TCP, and a registered server address */ /* Check IP Header for IPV4, TCP, and a registered server address */
/* returns 0 on success, -1 on error */ /* returns 0 on success, -1 on error */
static int CheckIpHdr(IpHdr* iphdr, IpInfo* info, char* error) static int CheckIpHdr(IpHdr* iphdr, IpInfo* info, int length, char* error)
{ {
int version = IP_V(iphdr); int version = IP_V(iphdr);
TraceIP(iphdr); TraceIP(iphdr);
Trace(IP_CHECK_STR); Trace(IP_CHECK_STR);
if (version != IPV4) { if (version != IPV4) {
SetError(BAD_IPVER_STR, error, NULL, 0); SetError(BAD_IPVER_STR, error, NULL, 0);
return -1; return -1;
@@ -988,6 +989,9 @@ static int CheckIpHdr(IpHdr* iphdr, IpInfo* info, char* error)
info->src = iphdr->src; info->src = iphdr->src;
info->dst = iphdr->dst; info->dst = iphdr->dst;
if (info->total == 0)
info->total = length; /* reassembled may be off */
return 0; return 0;
} }
@@ -1856,13 +1860,16 @@ static int CheckHeaders(IpInfo* ipInfo, TcpInfo* tcpInfo, const byte* packet,
{ {
TraceHeader(); TraceHeader();
TracePacket(); TracePacket();
/* ip header */
if (length < IP_HDR_SZ) { if (length < IP_HDR_SZ) {
SetError(PACKET_HDR_SHORT_STR, error, NULL, 0); SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
return -1; return -1;
} }
if (CheckIpHdr((IpHdr*)packet, ipInfo, error) != 0) if (CheckIpHdr((IpHdr*)packet, ipInfo, length, error) != 0)
return -1; return -1;
/* tcp header */
if (length < (ipInfo->length + TCP_HDR_SZ)) { if (length < (ipInfo->length + TCP_HDR_SZ)) {
SetError(PACKET_HDR_SHORT_STR, error, NULL, 0); SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
return -1; return -1;
@@ -1870,6 +1877,7 @@ static int CheckHeaders(IpInfo* ipInfo, TcpInfo* tcpInfo, const byte* packet,
if (CheckTcpHdr((TcpHdr*)(packet + ipInfo->length), tcpInfo, error) != 0) if (CheckTcpHdr((TcpHdr*)(packet + ipInfo->length), tcpInfo, error) != 0)
return -1; return -1;
/* setup */
*sslFrame = packet + ipInfo->length + tcpInfo->length; *sslFrame = packet + ipInfo->length + tcpInfo->length;
if (*sslFrame > packet + length) { if (*sslFrame > packet + length) {
SetError(PACKET_HDR_SHORT_STR, error, NULL, 0); SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
@@ -2314,6 +2322,10 @@ static int ProcessMessage(const byte* sslFrame, SnifferSession* session,
session->sslServer : session->sslClient; session->sslServer : session->sslClient;
doMessage: doMessage:
notEnough = 0; notEnough = 0;
if (sslBytes < 0) {
SetError(PACKET_HDR_SHORT_STR, error, session, FATAL_ERROR_STATE);
return -1;
}
if (sslBytes >= RECORD_HEADER_SZ) { if (sslBytes >= RECORD_HEADER_SZ) {
if (GetRecordHeader(sslFrame, &rh, &rhSize) != 0) { if (GetRecordHeader(sslFrame, &rh, &rhSize) != 0) {
SetError(BAD_RECORD_HDR_STR, error, session, FATAL_ERROR_STATE); SetError(BAD_RECORD_HDR_STR, error, session, FATAL_ERROR_STATE);
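Review bot: The new `info->total = length` fallback in CheckIpHdr covers only a zero total; when the IP header's total length exceeds the captured `length`, nothing in these hunks caps it, so the added `sslBytes < 0` check in ProcessMessage catches a negative count but not one that overstates the bytes actually present (the lines that derive sslBytes from total are outside the hunks, so this may be bounded elsewhere). If it is not, `if (info->total == 0 || info->total > length) info->total = length;` or a SetError rejection at the same spot would close it. The comment `/* reassembled may be off */` is terse for a silent override; `/* IP total length may be 0 on reassembled captures; fall back to the captured size */` says why the fallback exists.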


@@ -11403,3 +11403,9 @@ void* CyaSSL_GetRsaDecCtx(CYASSL* ssl)
void CyaSSL_wolfSCEP(void) {} void CyaSSL_wolfSCEP(void) {}
#endif #endif
#ifdef CYASSL_HAVE_CERT_SERVICE
/* Used by autoconf to see if cert service is available */
void CyaSSL_cert_service(void) {}
#endif


@@ -721,46 +721,38 @@ static int TLSX_SNI_Parse(CYASSL* ssl, byte* input, word16 length,
if (!extension) if (!extension)
extension = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION); extension = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION);
if (!extension || !extension->data) { if (!extension || !extension->data)
if (!isRequest) { return isRequest ? 0 : BUFFER_ERROR; /* not using SNI OR unexpected
CYASSL_MSG("Unexpected SNI response from server"); SNI response from server. */
}
return 0; /* not using SNI */ if (!isRequest)
} return length ? BUFFER_ERROR : 0; /* SNI response must be empty!
Nothing else to do. */
if (!isRequest) {
if (length) {
CYASSL_MSG("SNI response should be empty!");
}
return 0; /* nothing to do */
}
#ifndef NO_CYASSL_SERVER #ifndef NO_CYASSL_SERVER
if (OPAQUE16_LEN > length) if (OPAQUE16_LEN > length)
return INCOMPLETE_DATA; return BUFFER_ERROR;
ato16(input, &size); ato16(input, &size);
offset += OPAQUE16_LEN; offset += OPAQUE16_LEN;
/* validating sni list length */ /* validating sni list length */
if (length != OPAQUE16_LEN + size) if (length != OPAQUE16_LEN + size)
return INCOMPLETE_DATA; return BUFFER_ERROR;
for (size = 0; offset < length; offset += size) { for (size = 0; offset < length; offset += size) {
SNI *sni; SNI *sni;
byte type = input[offset++]; byte type = input[offset++];
if (offset + OPAQUE16_LEN > length) if (offset + OPAQUE16_LEN > length)
return INCOMPLETE_DATA; return BUFFER_ERROR;
ato16(input + offset, &size); ato16(input + offset, &size);
offset += OPAQUE16_LEN; offset += OPAQUE16_LEN;
if (offset + size > length) if (offset + size > length)
return INCOMPLETE_DATA; return BUFFER_ERROR;
if (!(sni = TLSX_SNI_Find((SNI *) extension->data, type))) { if (!(sni = TLSX_SNI_Find((SNI *) extension->data, type))) {
continue; /* not using this SNI type */ continue; /* not using this SNI type */
@@ -905,34 +897,34 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
offset += HANDSHAKE_HEADER_SZ; offset += HANDSHAKE_HEADER_SZ;
if (offset + len32 > helloSz) if (offset + len32 > helloSz)
return INCOMPLETE_DATA; return BUFFER_ERROR;
/* client hello */ /* client hello */
offset += VERSION_SZ + RAN_LEN; /* version, random */ offset += VERSION_SZ + RAN_LEN; /* version, random */
if (helloSz < offset + clientHello[offset]) if (helloSz < offset + clientHello[offset])
return INCOMPLETE_DATA; return BUFFER_ERROR;
offset += ENUM_LEN + clientHello[offset]; /* skip session id */ offset += ENUM_LEN + clientHello[offset]; /* skip session id */
/* cypher suites */ /* cypher suites */
if (helloSz < offset + OPAQUE16_LEN) if (helloSz < offset + OPAQUE16_LEN)
return INCOMPLETE_DATA; return BUFFER_ERROR;
ato16(clientHello + offset, &len16); ato16(clientHello + offset, &len16);
offset += OPAQUE16_LEN; offset += OPAQUE16_LEN;
if (helloSz < offset + len16) if (helloSz < offset + len16)
return INCOMPLETE_DATA; return BUFFER_ERROR;
offset += len16; /* skip cypher suites */ offset += len16; /* skip cypher suites */
/* compression methods */ /* compression methods */
if (helloSz < offset + 1) if (helloSz < offset + 1)
return INCOMPLETE_DATA; return BUFFER_ERROR;
if (helloSz < offset + clientHello[offset]) if (helloSz < offset + clientHello[offset])
return INCOMPLETE_DATA; return BUFFER_ERROR;
offset += ENUM_LEN + clientHello[offset]; /* skip compression methods */ offset += ENUM_LEN + clientHello[offset]; /* skip compression methods */
@@ -944,7 +936,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
offset += OPAQUE16_LEN; offset += OPAQUE16_LEN;
if (helloSz < offset + len16) if (helloSz < offset + len16)
return INCOMPLETE_DATA; return BUFFER_ERROR;
while (len16 > OPAQUE16_LEN + OPAQUE16_LEN) { while (len16 > OPAQUE16_LEN + OPAQUE16_LEN) {
word16 extType; word16 extType;
@@ -957,7 +949,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
offset += OPAQUE16_LEN; offset += OPAQUE16_LEN;
if (helloSz < offset + extLen) if (helloSz < offset + extLen)
return INCOMPLETE_DATA; return BUFFER_ERROR;
if (extType != SERVER_NAME_INDICATION) { if (extType != SERVER_NAME_INDICATION) {
offset += extLen; /* skip extension */ offset += extLen; /* skip extension */
@@ -968,7 +960,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
offset += OPAQUE16_LEN; offset += OPAQUE16_LEN;
if (helloSz < offset + listLen) if (helloSz < offset + listLen)
return INCOMPLETE_DATA; return BUFFER_ERROR;
while (listLen > ENUM_LEN + OPAQUE16_LEN) { while (listLen > ENUM_LEN + OPAQUE16_LEN) {
byte sniType = clientHello[offset++]; byte sniType = clientHello[offset++];
@@ -978,7 +970,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
offset += OPAQUE16_LEN; offset += OPAQUE16_LEN;
if (helloSz < offset + sniLen) if (helloSz < offset + sniLen)
return INCOMPLETE_DATA; return BUFFER_ERROR;
if (sniType != type) { if (sniType != type) {
offset += sniLen; offset += sniLen;
@@ -1028,7 +1020,7 @@ static int TLSX_MFL_Parse(CYASSL* ssl, byte* input, word16 length,
byte isRequest) byte isRequest)
{ {
if (length != ENUM_LEN) if (length != ENUM_LEN)
return INCOMPLETE_DATA; return BUFFER_ERROR;
switch (*input) { switch (*input) {
case CYASSL_MFL_2_9 : ssl->max_fragment = 512; break; case CYASSL_MFL_2_9 : ssl->max_fragment = 512; break;
@@ -1135,7 +1127,7 @@ static int TLSX_THM_Parse(CYASSL* ssl, byte* input, word16 length,
byte isRequest) byte isRequest)
{ {
if (length != 0 || input == NULL) if (length != 0 || input == NULL)
return INCOMPLETE_DATA; return BUFFER_ERROR;
#ifndef NO_CYASSL_SERVER #ifndef NO_CYASSL_SERVER
if (isRequest) { if (isRequest) {
@@ -1258,13 +1250,13 @@ static int TLSX_EllipticCurve_Parse(CYASSL* ssl, byte* input, word16 length,
(void) isRequest; /* shut up compiler! */ (void) isRequest; /* shut up compiler! */
if (OPAQUE16_LEN > length || length % OPAQUE16_LEN) if (OPAQUE16_LEN > length || length % OPAQUE16_LEN)
return INCOMPLETE_DATA; return BUFFER_ERROR;
ato16(input, &offset); ato16(input, &offset);
/* validating curve list length */ /* validating curve list length */
if (length != OPAQUE16_LEN + offset) if (length != OPAQUE16_LEN + offset)
return INCOMPLETE_DATA; return BUFFER_ERROR;
while (offset) { while (offset) {
ato16(input + offset, &name); ato16(input + offset, &name);
@@ -1705,7 +1697,7 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest,
word16 size; word16 size;
if (length - offset < HELLO_EXT_TYPE_SZ + OPAQUE16_LEN) if (length - offset < HELLO_EXT_TYPE_SZ + OPAQUE16_LEN)
return INCOMPLETE_DATA; return BUFFER_ERROR;
ato16(input + offset, &type); ato16(input + offset, &type);
offset += HELLO_EXT_TYPE_SZ; offset += HELLO_EXT_TYPE_SZ;
@@ -1714,7 +1706,7 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest,
offset += OPAQUE16_LEN; offset += OPAQUE16_LEN;
if (offset + size > length) if (offset + size > length)
return INCOMPLETE_DATA; return BUFFER_ERROR;
switch (type) { switch (type) {
case SERVER_NAME_INDICATION: case SERVER_NAME_INDICATION:
@@ -1748,7 +1740,7 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest,
ato16(input + offset, &suites->hashSigAlgoSz); ato16(input + offset, &suites->hashSigAlgoSz);
if (suites->hashSigAlgoSz > size - OPAQUE16_LEN) if (suites->hashSigAlgoSz > size - OPAQUE16_LEN)
return INCOMPLETE_DATA; return BUFFER_ERROR;
XMEMCPY(suites->hashSigAlgo, XMEMCPY(suites->hashSigAlgo,
input + offset + OPAQUE16_LEN, input + offset + OPAQUE16_LEN,