MFC: Correct TLS extensions handling when no extensions are present.

If no TLS extensions are present in a client hello or server hello, omit
the entire extensions block, rather than including it with a length of
zero.

ok beck@ inoguchi@

Thanks to Eric Elena <eric at voguemerry dot com> for providing packet
captures and testing the fix.

3 files changed, 35 insertions, 3 deletions

diff --git a/src/lib/libssl/bs_cbb.c b/src/lib/libssl/bs_cbb.c
index 9de75fbb02..1c02eaf0be 100644
--- a/src/lib/libssl/bs_cbb.c
+++ b/src/lib/libssl/bs_cbb.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bs_cbb.c,v 1.17 2017/08/12 02:50:05 jsing Exp $       */
+/*      $OpenBSD: bs_cbb.c,v 1.17.4.1 2017/12/09 13:43:25 jsing Exp $   */
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -271,6 +271,20 @@ CBB_flush(CBB *cbb)
         return 1;
 }
 
+void
+CBB_discard_child(CBB *cbb)
+{
+        if (cbb->child == NULL)
+                return;
+
+        cbb->base->len = cbb->offset;
+        
+        cbb->child->base = NULL;
+        cbb->child = NULL;
+        cbb->pending_len_len = 0;
+        cbb->pending_is_asn1 = 0;
+        cbb->offset = 0;
+}
 
 static int
 cbb_add_length_prefixed(CBB *cbb, CBB *out_contents, size_t len_len)
diff --git a/src/lib/libssl/bytestring.h b/src/lib/libssl/bytestring.h
index d8c8e6ada6..42d3d5d6d1 100644
--- a/src/lib/libssl/bytestring.h
+++ b/src/lib/libssl/bytestring.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bytestring.h,v 1.15 2016/11/04 18:28:58 guenther Exp $        */
+/*      $OpenBSD: bytestring.h,v 1.15.6.1 2017/12/09 13:43:25 jsing Exp $       */
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -394,6 +394,12 @@ int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len);
 int CBB_flush(CBB *cbb);
 
 /*
+ * CBB_discard_child discards the current unflushed child of |cbb|. Neither the
+ * child's contents nor the length prefix will be included in the output.
+ */
+void CBB_discard_child(CBB *cbb);
+
+/*
  * CBB_add_u8_length_prefixed sets |*out_contents| to a new child of |cbb|. The
  * data written to |*out_contents| will be prefixed in |cbb| with an 8-bit
  * length. It returns one on success or zero on error.
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 835c413478..2abfa723d8 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.17 2017/09/25 18:02:27 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.17.4.1 2017/12/09 13:43:25 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1296,6 +1296,7 @@ tlsext_clienthello_build(SSL *s, CBB *cbb)
 {
         CBB extensions, extension_data;
         struct tls_extension *tlsext;
+        int extensions_present = 0;
         size_t i;
 
         if (!CBB_add_u16_length_prefixed(cbb, &extensions))
@@ -1313,8 +1314,13 @@ tlsext_clienthello_build(SSL *s, CBB *cbb)
                         return 0;
                 if (!tls_extensions[i].clienthello_build(s, &extension_data))
                         return 0;
+
+                extensions_present = 1;
         }
 
+        if (!extensions_present)
+                CBB_discard_child(cbb);
+
         if (!CBB_flush(cbb))
                 return 0;
 
@@ -1351,6 +1357,7 @@ tlsext_serverhello_build(SSL *s, CBB *cbb)
 {
         CBB extensions, extension_data;
         struct tls_extension *tlsext;
+        int extensions_present = 0;
         size_t i;
 
         if (!CBB_add_u16_length_prefixed(cbb, &extensions))
@@ -1368,8 +1375,13 @@ tlsext_serverhello_build(SSL *s, CBB *cbb)
                         return 0;
                 if (!tlsext->serverhello_build(s, &extension_data))
                         return 0;
+
+                extensions_present = 1;
         }
 
+        if (!extensions_present)
+                CBB_discard_child(cbb);
+
         if (!CBB_flush(cbb))
                 return 0;