Add a helper function for parsing extensions blocks. TLS 1.3 adds a number of places with extensions blocks that don't easily fit into our ClientHello/EncryptedExtensions callbacks. Between HelloRetryRequest, ServerHello, draft 18 going nuts with Certificate, and NewSessionTicket when we do 0-RTT, this passes the "abstract things that are repeated three times" sniff test. For now, it rejects unknown extensions, but it will probably grow an allow_unknown parameter for NewSessionTicket. This involves disabling some MSVC warnings, but they're invalid as of C99 which we otherwise require. See https://connect.microsoft.com/VisualStudio/feedback/details/1230248/remove-c99-related-warnings-or-make-them-off-by-default Change-Id: Iea8bf8ab216270c081dd63e79aaad9ec73b3b550 Reviewed-on: https://boringssl-review.googlesource.com/12233 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

commit: ffb1107c91e5c389bdb360f85ceb18e40e49742e [log] [tgz]
author: David Benjamin <davidben@google.com> Sun Nov 13 10:32:10 2016 +0900
committer: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Tue Nov 15 06:58:52 2016 +0000
tree: bc0b32040f90b0c97daee5e1983c18d3a0bf758d
parent: 32b47a5e3530aa1b53fbd69204ea0975499b4a4a [diff] [blame]
diff --git a/ssl/tls13_both.c b/ssl/tls13_both.c
index 242aa03..ab09240 100644
--- a/ssl/tls13_both.c
+++ b/ssl/tls13_both.c

@@ -25,6 +25,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "../crypto/internal.h"
 #include "internal.h"
 
 
@@ -221,40 +222,16 @@
     /* Parse out the extensions. */
     int have_status_request = 0, have_sct = 0;
     CBS status_request, sct;
-    while (CBS_len(&extensions) != 0) {
-      uint16_t type;
-      CBS extension;
-      if (!CBS_get_u16(&extensions, &type) ||
-          !CBS_get_u16_length_prefixed(&extensions, &extension)) {
-        OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
-        ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-        goto err;
-      }
+    const SSL_EXTENSION_TYPE ext_types[] = {
+        {TLSEXT_TYPE_status_request, &have_status_request, &status_request},
+        {TLSEXT_TYPE_certificate_timestamp, &have_sct, &sct},
+    };
 
-      switch (type) {
-        case TLSEXT_TYPE_status_request:
-          if (have_status_request) {
-            OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
-            ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
-            goto err;
-          }
-          status_request = extension;
-          have_status_request = 1;
-          break;
-        case TLSEXT_TYPE_certificate_timestamp:
-          if (have_sct) {
-            OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
-            ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
-            goto err;
-          }
-          sct = extension;
-          have_sct = 1;
-          break;
-        default:
-          OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
-          ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
-          goto err;
-      }
+    uint8_t alert;
+    if (!ssl_parse_extensions(&extensions, &alert, ext_types,
+                              OPENSSL_ARRAY_SIZE(ext_types))) {
+      ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
+      goto err;
     }
 
     /* All Certificate extensions are parsed, but only the leaf extensions are
commit	ffb1107c91e5c389bdb360f85ceb18e40e49742e	[log] [tgz]
author	David Benjamin <davidben@google.com>	Sun Nov 13 10:32:10 2016 +0900
committer	CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	Tue Nov 15 06:58:52 2016 +0000
tree	bc0b32040f90b0c97daee5e1983c18d3a0bf758d
parent	32b47a5e3530aa1b53fbd69204ea0975499b4a4a [diff] [blame]