Home Explore Help
Sign In
OWEALs
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
2
0
Fork 0
Files Issues 8 Wiki
Tree: 2efe7f6d96
Branches Tags
wolfssl
/
src
/
tls.c

tls.c 268 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279428042814282428342844285428642874288428942904291429242934294429542964297429842994300430143024303430443054306430743084309431043114312431343144315431643174318431943204321432243234324432543264327432843294330433143324333433443354336433743384339434043414342434343444345434643474348434943504351435243534354435543564357435843594360436143624363436443654366436743684369437043714372437343744375437643774378437943804381438243834384438543864387438843894390439143924393439443954396439743984399440044014402440344044405440644074408440944104411441244134414441544164417441844194420442144224423442444254426442744284429443044314432443344344435443644374438443944404441444244434444444544464447444844494450445144524453445444554456445744584459446044614462446344644465446644674468446944704471447244734474447544764477447844794480448144824483448444854486448744884489449044914492449344944495449644974498449945004501450245034504450545064507450845094510451145124513451445154516451745184519452045214522452345244525452645274528452945304531453245334534453545364537453845394540454145424543454445454546454745484549455045514552455345544555455645574558455945604561456245634564456545664567456845694570457145724573457445754576457745784579458045814582458345844585458645874588458945904591459245934594459545964597459845994600460146024603460446054606460746084609461046114612461346144615461646174618461946204621462246234624462546264627462846294630463146324633463446354636463746384639464046414642464346444645464646474648464946504651465246534654465546564657465846594660466146624663466446654666466746684669467046714672467346744675467646774678467946804681468246834684468546864687468846894690469146924693469446954696469746984699470047014702470347044705470647074708470947104711471247134714471547164717471847194720472147224723472447254726472747284729473047314732473347344735473647374738473947404741474247434744474547464747474847494750475147524753475447554756475747584759476047614762476347644765476647674768476947704771477247734774477547764777477847794780478147824783478447854786478747884789479047914792479347944795479647974798479948004801480248034804480548064807480848094810481148124813481448154816481748184819482048214822482348244825482648274828482948304831483248334834483548364837483848394840484148424843484448454846484748484849485048514852485348544855485648574858485948604861486248634864486548664867486848694870487148724873487448754876487748784879488048814882488348844885488648874888488948904891489248934894489548964897489848994900490149024903490449054906490749084909491049114912491349144915491649174918491949204921492249234924492549264927492849294930493149324933493449354936493749384939494049414942494349444945494649474948494949504951495249534954495549564957495849594960496149624963496449654966496749684969497049714972497349744975497649774978497949804981498249834984498549864987498849894990499149924993499449954996499749984999500050015002500350045005500650075008500950105011501250135014501550165017501850195020502150225023502450255026502750285029503050315032503350345035503650375038503950405041504250435044504550465047504850495050505150525053505450555056505750585059506050615062506350645065506650675068506950705071507250735074507550765077507850795080508150825083508450855086508750885089509050915092509350945095509650975098509951005101510251035104510551065107510851095110511151125113511451155116511751185119512051215122512351245125512651275128512951305131513251335134513551365137513851395140514151425143514451455146514751485149515051515152515351545155515651575158515951605161516251635164516551665167516851695170517151725173517451755176517751785179518051815182518351845185518651875188518951905191519251935194519551965197519851995200520152025203520452055206520752085209521052115212521352145215521652175218521952205221522252235224522552265227522852295230523152325233523452355236523752385239524052415242524352445245524652475248524952505251525252535254525552565257525852595260526152625263526452655266526752685269527052715272527352745275527652775278527952805281528252835284528552865287528852895290529152925293529452955296529752985299530053015302530353045305530653075308530953105311531253135314531553165317531853195320532153225323532453255326532753285329533053315332533353345335533653375338533953405341534253435344534553465347534853495350535153525353535453555356535753585359536053615362536353645365536653675368536953705371537253735374537553765377537853795380538153825383538453855386538753885389539053915392539353945395539653975398539954005401540254035404540554065407540854095410541154125413541454155416541754185419542054215422542354245425542654275428542954305431543254335434543554365437543854395440544154425443544454455446544754485449545054515452545354545455545654575458545954605461546254635464546554665467546854695470547154725473547454755476547754785479548054815482548354845485548654875488548954905491549254935494549554965497549854995500550155025503550455055506550755085509551055115512551355145515551655175518551955205521552255235524552555265527552855295530553155325533553455355536553755385539554055415542554355445545554655475548554955505551555255535554555555565557555855595560556155625563556455655566556755685569557055715572557355745575557655775578557955805581558255835584558555865587558855895590559155925593559455955596559755985599560056015602560356045605560656075608560956105611561256135614561556165617561856195620562156225623562456255626562756285629563056315632563356345635563656375638563956405641564256435644564556465647564856495650565156525653565456555656565756585659566056615662566356645665566656675668566956705671567256735674567556765677567856795680568156825683568456855686568756885689569056915692569356945695569656975698569957005701570257035704570557065707570857095710571157125713571457155716571757185719572057215722572357245725572657275728572957305731573257335734573557365737573857395740574157425743574457455746574757485749575057515752575357545755575657575758575957605761576257635764576557665767576857695770577157725773577457755776577757785779578057815782578357845785578657875788578957905791579257935794579557965797579857995800580158025803580458055806580758085809581058115812581358145815581658175818581958205821582258235824582558265827582858295830583158325833583458355836583758385839584058415842584358445845584658475848584958505851585258535854585558565857585858595860586158625863586458655866586758685869587058715872587358745875587658775878587958805881588258835884588558865887588858895890589158925893589458955896589758985899590059015902590359045905590659075908590959105911591259135914591559165917591859195920592159225923592459255926592759285929593059315932593359345935593659375938593959405941594259435944594559465947594859495950595159525953595459555956595759585959596059615962596359645965596659675968596959705971597259735974597559765977597859795980598159825983598459855986598759885989599059915992599359945995599659975998599960006001600260036004600560066007600860096010601160126013601460156016601760186019602060216022602360246025602660276028602960306031603260336034603560366037603860396040604160426043604460456046604760486049605060516052605360546055605660576058605960606061606260636064606560666067606860696070607160726073607460756076607760786079608060816082608360846085608660876088608960906091609260936094609560966097609860996100610161026103610461056106610761086109611061116112611361146115611661176118611961206121612261236124612561266127612861296130613161326133613461356136613761386139614061416142614361446145614661476148614961506151615261536154615561566157615861596160616161626163616461656166616761686169617061716172617361746175617661776178617961806181618261836184618561866187618861896190619161926193619461956196619761986199620062016202620362046205620662076208620962106211621262136214621562166217621862196220622162226223622462256226622762286229623062316232623362346235623662376238623962406241624262436244624562466247624862496250625162526253625462556256625762586259626062616262626362646265626662676268626962706271627262736274627562766277627862796280628162826283628462856286628762886289629062916292629362946295629662976298629963006301630263036304630563066307630863096310631163126313631463156316631763186319632063216322632363246325632663276328632963306331633263336334633563366337633863396340634163426343634463456346634763486349635063516352635363546355635663576358635963606361636263636364636563666367636863696370637163726373637463756376637763786379638063816382638363846385638663876388638963906391639263936394639563966397639863996400640164026403640464056406640764086409641064116412641364146415641664176418641964206421642264236424642564266427642864296430643164326433643464356436643764386439644064416442644364446445644664476448644964506451645264536454645564566457645864596460646164626463646464656466646764686469647064716472647364746475647664776478647964806481648264836484648564866487648864896490649164926493649464956496649764986499650065016502650365046505650665076508650965106511651265136514651565166517651865196520652165226523652465256526652765286529653065316532653365346535653665376538653965406541654265436544654565466547654865496550655165526553655465556556655765586559656065616562656365646565656665676568656965706571657265736574657565766577657865796580658165826583658465856586658765886589659065916592659365946595659665976598659966006601660266036604660566066607660866096610661166126613661466156616661766186619662066216622662366246625662666276628662966306631663266336634663566366637663866396640664166426643664466456646664766486649665066516652665366546655665666576658665966606661666266636664666566666667666866696670667166726673667466756676667766786679668066816682668366846685668666876688668966906691669266936694669566966697669866996700670167026703670467056706670767086709671067116712671367146715671667176718671967206721672267236724672567266727672867296730673167326733673467356736673767386739674067416742674367446745674667476748674967506751675267536754675567566757675867596760676167626763676467656766676767686769677067716772677367746775677667776778677967806781678267836784678567866787678867896790679167926793679467956796679767986799680068016802680368046805680668076808680968106811681268136814681568166817681868196820682168226823682468256826682768286829683068316832683368346835683668376838683968406841684268436844684568466847684868496850685168526853685468556856685768586859686068616862686368646865686668676868686968706871687268736874687568766877687868796880688168826883688468856886688768886889689068916892689368946895689668976898689969006901690269036904690569066907690869096910691169126913691469156916691769186919692069216922692369246925692669276928692969306931693269336934693569366937693869396940694169426943694469456946694769486949695069516952695369546955695669576958695969606961696269636964696569666967696869696970697169726973697469756976697769786979698069816982698369846985698669876988698969906991699269936994699569966997699869997000700170027003700470057006700770087009701070117012701370147015701670177018701970207021702270237024702570267027702870297030703170327033703470357036703770387039704070417042704370447045704670477048704970507051705270537054705570567057705870597060706170627063706470657066706770687069707070717072707370747075707670777078707970807081708270837084708570867087708870897090709170927093709470957096709770987099710071017102710371047105710671077108710971107111711271137114711571167117711871197120712171227123712471257126712771287129713071317132713371347135713671377138713971407141714271437144714571467147714871497150715171527153715471557156715771587159716071617162716371647165716671677168716971707171717271737174717571767177717871797180718171827183718471857186718771887189719071917192719371947195719671977198719972007201720272037204720572067207720872097210721172127213721472157216721772187219722072217222722372247225722672277228722972307231723272337234723572367237723872397240724172427243724472457246724772487249725072517252725372547255725672577258725972607261726272637264726572667267726872697270727172727273727472757276727772787279728072817282728372847285728672877288728972907291729272937294729572967297729872997300730173027303730473057306730773087309731073117312731373147315731673177318731973207321732273237324732573267327732873297330733173327333733473357336733773387339734073417342734373447345734673477348734973507351735273537354735573567357735873597360736173627363736473657366736773687369737073717372737373747375737673777378737973807381738273837384738573867387738873897390739173927393739473957396739773987399740074017402740374047405740674077408740974107411741274137414741574167417741874197420742174227423742474257426742774287429743074317432743374347435743674377438743974407441744274437444744574467447744874497450745174527453745474557456745774587459746074617462746374647465746674677468746974707471747274737474747574767477747874797480748174827483748474857486748774887489749074917492749374947495749674977498749975007501750275037504750575067507750875097510751175127513751475157516751775187519752075217522752375247525752675277528752975307531753275337534753575367537753875397540754175427543754475457546754775487549755075517552755375547555755675577558755975607561756275637564756575667567756875697570757175727573757475757576757775787579758075817582758375847585758675877588758975907591759275937594759575967597759875997600760176027603760476057606760776087609761076117612761376147615761676177618761976207621762276237624762576267627762876297630763176327633763476357636763776387639764076417642764376447645764676477648764976507651765276537654765576567657765876597660766176627663766476657666766776687669767076717672767376747675767676777678767976807681768276837684768576867687768876897690769176927693769476957696769776987699770077017702770377047705770677077708770977107711771277137714771577167717771877197720772177227723772477257726772777287729773077317732773377347735773677377738773977407741774277437744774577467747774877497750775177527753775477557756775777587759776077617762776377647765776677677768776977707771777277737774777577767777777877797780778177827783778477857786778777887789779077917792779377947795779677977798779978007801780278037804780578067807780878097810781178127813781478157816781778187819782078217822782378247825782678277828782978307831783278337834783578367837783878397840784178427843784478457846784778487849785078517852785378547855785678577858785978607861786278637864786578667867786878697870787178727873787478757876787778787879788078817882788378847885788678877888788978907891789278937894789578967897789878997900790179027903790479057906790779087909791079117912791379147915791679177918791979207921792279237924792579267927792879297930793179327933793479357936793779387939794079417942794379447945794679477948794979507951795279537954795579567957795879597960796179627963796479657966796779687969797079717972797379747975797679777978797979807981798279837984798579867987798879897990799179927993799479957996799779987999800080018002800380048005800680078008800980108011801280138014801580168017801880198020802180228023802480258026802780288029803080318032803380348035803680378038803980408041804280438044804580468047804880498050805180528053805480558056805780588059806080618062806380648065806680678068806980708071807280738074807580768077807880798080808180828083808480858086808780888089809080918092809380948095809680978098809981008101810281038104810581068107810881098110811181128113811481158116811781188119812081218122812381248125812681278128812981308131813281338134813581368137813881398140814181428143814481458146814781488149815081518152815381548155815681578158815981608161816281638164816581668167816881698170817181728173817481758176817781788179818081818182818381848185818681878188818981908191819281938194819581968197819881998200820182028203820482058206820782088209821082118212821382148215821682178218821982208221822282238224822582268227822882298230823182328233823482358236823782388239824082418242824382448245824682478248824982508251825282538254825582568257825882598260826182628263826482658266826782688269827082718272827382748275827682778278827982808281828282838284828582868287828882898290829182928293829482958296829782988299830083018302830383048305830683078308830983108311831283138314831583168317831883198320832183228323832483258326832783288329833083318332833383348335833683378338833983408341834283438344834583468347834883498350835183528353835483558356835783588359836083618362836383648365836683678368836983708371837283738374837583768377837883798380838183828383838483858386838783888389839083918392839383948395839683978398839984008401840284038404840584068407840884098410841184128413841484158416841784188419842084218422842384248425842684278428842984308431843284338434843584368437843884398440844184428443844484458446844784488449845084518452845384548455845684578458845984608461846284638464846584668467846884698470847184728473847484758476847784788479848084818482848384848485848684878488848984908491849284938494849584968497849884998500850185028503850485058506850785088509851085118512851385148515851685178518851985208521852285238524852585268527852885298530853185328533853485358536853785388539854085418542854385448545854685478548854985508551855285538554855585568557855885598560856185628563856485658566856785688569857085718572857385748575857685778578857985808581858285838584858585868587858885898590859185928593859485958596859785988599860086018602860386048605860686078608860986108611861286138614861586168617861886198620862186228623862486258626862786288629863086318632863386348635863686378638863986408641864286438644864586468647864886498650865186528653865486558656865786588659866086618662866386648665866686678668866986708671867286738674867586768677867886798680868186828683868486858686868786888689869086918692869386948695869686978698869987008701870287038704870587068707870887098710871187128713871487158716871787188719872087218722872387248725872687278728872987308731873287338734873587368737873887398740874187428743874487458746874787488749875087518752875387548755875687578758875987608761876287638764876587668767876887698770877187728773877487758776877787788779878087818782878387848785878687878788878987908791879287938794879587968797879887998800880188028803880488058806880788088809881088118812881388148815881688178818881988208821882288238824882588268827882888298830883188328833883488358836883788388839884088418842884388448845884688478848884988508851885288538854885588568857885888598860886188628863886488658866886788688869887088718872887388748875887688778878887988808881888288838884888588868887888888898890889188928893889488958896889788988899890089018902890389048905890689078908890989108911891289138914891589168917891889198920892189228923892489258926892789288929893089318932893389348935893689378938893989408941894289438944894589468947894889498950895189528953895489558956895789588959896089618962896389648965896689678968896989708971897289738974897589768977897889798980898189828983898489858986898789888989899089918992899389948995899689978998 
  1. /* tls.c
    2. 

  2.  *
    3. 

  3.  * Copyright (C) 2006-2017 wolfSSL Inc.
    4. 

  4.  *
    5. 

  5.  * This file is part of wolfSSL.
    6. 

  6.  *
    7. 

  7.  * wolfSSL is free software; you can redistribute it and/or modify
    8. 

  8.  * it under the terms of the GNU General Public License as published by
    9. 

  9.  * the Free Software Foundation; either version 2 of the License, or
    10. 

  10.  * (at your option) any later version.
    11. 

  11.  *
    12. 

  12.  * wolfSSL is distributed in the hope that it will be useful,
    13. 

  13.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    15. 

  15.  * GNU General Public License for more details.
    16. 

  16.  *
    17. 

  17.  * You should have received a copy of the GNU General Public License
    18. 

  18.  * along with this program; if not, write to the Free Software
    19. 

  19.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
    20. 

  20.  */
    21. 

  21. 

  22. 

  23. 

  24. #ifdef HAVE_CONFIG_H
    25. 

  25.     #include <config.h>
    26. 

  26. #endif
    27. 

  27. 

  28. #include <wolfssl/wolfcrypt/settings.h>
    29. 

  29. 

  30. #ifndef WOLFCRYPT_ONLY
    31. 

  31. 

  32. #include <wolfssl/ssl.h>
    33. 

  33. #include <wolfssl/internal.h>
    34. 

  34. #include <wolfssl/error-ssl.h>
    35. 

  35. #include <wolfssl/wolfcrypt/hmac.h>
    36. 

  36. #ifdef NO_INLINE
    37. 

  37.     #include <wolfssl/wolfcrypt/misc.h>
    38. 

  38. #else
    39. 

  39.     #define WOLFSSL_MISC_INCLUDED
    40. 

  40.     #include <wolfcrypt/src/misc.c>
    41. 

  41. #endif
    42. 

  42. 

  43. #ifdef HAVE_CURVE25519
    44. 

  44.     #include <wolfssl/wolfcrypt/curve25519.h>
    45. 

  45. #endif
    46. 

  46. 

  47. #ifdef HAVE_NTRU
    48. 

  48.     #include "libntruencrypt/ntru_crypto.h"
    49. 

  49.     #include <wolfssl/wolfcrypt/random.h>
    50. 

  50. #endif
    51. 

  51. #ifdef HAVE_QSH
    52. 

  52.     static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key);
    53. 

  53.     static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name);
    54. 

  54. #if defined(HAVE_NTRU)
    55. 

  55.     static int TLSX_CreateNtruKey(WOLFSSL* ssl, int type);
    56. 

  56. #endif
    57. 

  57. #endif /* HAVE_QSH */
    58. 

  58. 

  59. 

  60. #ifndef NO_TLS
    61. 

  61. 

  62. /* Digest enable checks */
    63. 

  63. #ifdef NO_OLD_TLS /* TLS 1.2 only */
    64. 

  64.     #if defined(NO_SHA256) && !defined(WOLFSSL_SHA384) && \
    65. 

  65.             !defined(WOLFSSL_SHA512)
    66. 

  66.         #error Must have SHA256, SHA384 or SHA512 enabled for TLS 1.2
    67. 

  67.     #endif
    68. 

  68. #else  /* TLS 1.1 or older */
    69. 

  69.     #if defined(NO_MD5) && defined(NO_SHA)
    70. 

  70.         #error Must have SHA1 and MD5 enabled for old TLS
    71. 

  71.     #endif
    72. 

  72. #endif
    73. 

  73. 

  74. 

  75. #ifdef WOLFSSL_SHA384
    76. 

  76.     #define P_HASH_MAX_SIZE WC_SHA384_DIGEST_SIZE
    77. 

  77. #else
    78. 

  78.     #define P_HASH_MAX_SIZE WC_SHA256_DIGEST_SIZE
    79. 

  79. #endif
    80. 

  80. 

  81. 

  82. /* compute p_hash for MD5, SHA-1, SHA-256, or SHA-384 for TLSv1 PRF */
    83. 

  83. static int p_hash(byte* result, word32 resLen, const byte* secret,
    84. 

  84.                   word32 secLen, const byte* seed, word32 seedLen, int hash,
    85. 

  85.                   void* heap, int devId)
    86. 

  86. {
    87. 

  87.     word32 len = P_HASH_MAX_SIZE;
    88. 

  88.     word32 times;
    89. 

  89.     word32 lastLen;
    90. 

  90.     word32 lastTime;
    91. 

  91.     word32 i;
    92. 

  92.     word32 idx = 0;
    93. 

  93.     int    ret = 0;
    94. 

  94. #ifdef WOLFSSL_SMALL_STACK
    95. 

  95.     byte*  previous;
    96. 

  96.     byte*  current;
    97. 

  97.     Hmac*  hmac;
    98. 

  98. #else
    99. 

  99.     byte   previous[P_HASH_MAX_SIZE];  /* max size */
    100. 

  100.     byte   current[P_HASH_MAX_SIZE];   /* max size */
    101. 

  101.     Hmac   hmac[1];
    102. 

  102. #endif
    103. 

  103. 

  104. #ifdef WOLFSSL_SMALL_STACK
    105. 

  105.     previous = (byte*)XMALLOC(P_HASH_MAX_SIZE, heap, DYNAMIC_TYPE_DIGEST);
    106. 

  106.     current  = (byte*)XMALLOC(P_HASH_MAX_SIZE, heap, DYNAMIC_TYPE_DIGEST);
    107. 

  107.     hmac     = (Hmac*)XMALLOC(sizeof(Hmac),    heap, DYNAMIC_TYPE_HMAC);
    108. 

  108. 

  109.     if (previous == NULL || current == NULL || hmac == NULL) {
    110. 

  110.         if (previous) XFREE(previous, heap, DYNAMIC_TYPE_DIGEST);
    111. 

  111.         if (current)  XFREE(current,  heap, DYNAMIC_TYPE_DIGEST);
    112. 

  112.         if (hmac)     XFREE(hmac,     heap, DYNAMIC_TYPE_HMAC);
    113. 

  113. 

  114.         return MEMORY_E;
    115. 

  115.     }
    116. 

  116. #endif
    117. 

  117. 

  118.     switch (hash) {
    119. 

  119.         #ifndef NO_MD5
    120. 

  120.             case md5_mac:
    121. 

  121.                 hash = WC_MD5;
    122. 

  122.                 len  = WC_MD5_DIGEST_SIZE;
    123. 

  123.             break;
    124. 

  124.         #endif
    125. 

  125. 

  126.         #ifndef NO_SHA256
    127. 

  127.             case sha256_mac:
    128. 

  128.                 hash = WC_SHA256;
    129. 

  129.                 len  = WC_SHA256_DIGEST_SIZE;
    130. 

  130.             break;
    131. 

  131.         #endif
    132. 

  132. 

  133.         #ifdef WOLFSSL_SHA384
    134. 

  134.             case sha384_mac:
    135. 

  135.                 hash = WC_SHA384;
    136. 

  136.                 len  = WC_SHA384_DIGEST_SIZE;
    137. 

  137.             break;
    138. 

  138.         #endif
    139. 

  139. 

  140.         #ifndef NO_SHA
    141. 

  141.             case sha_mac:
    142. 

  142.             default:
    143. 

  143.                 hash = WC_SHA;
    144. 

  144.                 len  = WC_SHA_DIGEST_SIZE;
    145. 

  145.             break;
    146. 

  146.         #endif
    147. 

  147.     }
    148. 

  148. 

  149.     times   = resLen / len;
    150. 

  150.     lastLen = resLen % len;
    151. 

  151. 

  152.     if (lastLen)
    153. 

  153.         times += 1;
    154. 

  154. 

  155.     lastTime = times - 1;
    156. 

  156. 

  157.     ret = wc_HmacInit(hmac, heap, devId);
    158. 

  158.     if (ret == 0) {
    159. 

  159.         ret = wc_HmacSetKey(hmac, hash, secret, secLen);
    160. 

  160.         if (ret == 0)
    161. 

  161.             ret = wc_HmacUpdate(hmac, seed, seedLen); /* A0 = seed */
    162. 

  162.         if (ret == 0)
    163. 

  163.             ret = wc_HmacFinal(hmac, previous);       /* A1 */
    164. 

  164.         if (ret == 0) {
    165. 

  165.             for (i = 0; i < times; i++) {
    166. 

  166.                 ret = wc_HmacUpdate(hmac, previous, len);
    167. 

  167.                 if (ret != 0)
    168. 

  168.                     break;
    169. 

  169.                 ret = wc_HmacUpdate(hmac, seed, seedLen);
    170. 

  170.                 if (ret != 0)
    171. 

  171.                     break;
    172. 

  172.                 ret = wc_HmacFinal(hmac, current);
    173. 

  173.                 if (ret != 0)
    174. 

  174.                     break;
    175. 

  175. 

  176.                 if ((i == lastTime) && lastLen)
    177. 

  177.                     XMEMCPY(&result[idx], current,
    178. 

  178.                                              min(lastLen, P_HASH_MAX_SIZE));
    179. 

  179.                 else {
    180. 

  180.                     XMEMCPY(&result[idx], current, len);
    181. 

  181.                     idx += len;
    182. 

  182.                     ret = wc_HmacUpdate(hmac, previous, len);
    183. 

  183.                     if (ret != 0)
    184. 

  184.                         break;
    185. 

  185.                     ret = wc_HmacFinal(hmac, previous);
    186. 

  186.                     if (ret != 0)
    187. 

  187.                         break;
    188. 

  188.                 }
    189. 

  189.             }
    190. 

  190.         }
    191. 

  191.         wc_HmacFree(hmac);
    192. 

  192.     }
    193. 

  193. 

  194.     ForceZero(previous,  P_HASH_MAX_SIZE);
    195. 

  195.     ForceZero(current,   P_HASH_MAX_SIZE);
    196. 

  196.     ForceZero(hmac,      sizeof(Hmac));
    197. 

  197. 

  198. #ifdef WOLFSSL_SMALL_STACK
    199. 

  199.     XFREE(previous, heap, DYNAMIC_TYPE_DIGEST);
    200. 

  200.     XFREE(current,  heap, DYNAMIC_TYPE_DIGEST);
    201. 

  201.     XFREE(hmac,     heap, DYNAMIC_TYPE_HMAC);
    202. 

  202. #endif
    203. 

  203. 

  204.     return ret;
    205. 

  205. }
    206. 

  206. 

  207. #undef P_HASH_MAX_SIZE
    208. 

  208. 

  209. 

  210. #ifndef NO_OLD_TLS
    211. 

  211. 

  212. /* calculate XOR for TLSv1 PRF */
    213. 

  213. static INLINE void get_xor(byte *digest, word32 digLen, byte* md5, byte* sha)
    214. 

  214. {
    215. 

  215.     word32 i;
    216. 

  216. 

  217.     for (i = 0; i < digLen; i++)
    218. 

  218.         digest[i] = md5[i] ^ sha[i];
    219. 

  219. }
    220. 

  220. 

  221. 

  222. /* compute TLSv1 PRF (pseudo random function using HMAC) */
    223. 

  223. static int doPRF(byte* digest, word32 digLen, const byte* secret,word32 secLen,
    224. 

  224.                  const byte* label, word32 labLen, const byte* seed,
    225. 

  225.                  word32 seedLen, void* heap, int devId)
    226. 

  226. {
    227. 

  227.     int    ret  = 0;
    228. 

  228.     word32 half = (secLen + 1) / 2;
    229. 

  229. 

  230. #ifdef WOLFSSL_SMALL_STACK
    231. 

  231.     byte* md5_half;
    232. 

  232.     byte* sha_half;
    233. 

  233.     byte* labelSeed;
    234. 

  234.     byte* md5_result;
    235. 

  235.     byte* sha_result;
    236. 

  236. #else
    237. 

  237.     byte  md5_half[MAX_PRF_HALF];     /* half is real size */
    238. 

  238.     byte  sha_half[MAX_PRF_HALF];     /* half is real size */
    239. 

  239.     byte  labelSeed[MAX_PRF_LABSEED]; /* labLen + seedLen is real size */
    240. 

  240.     byte  md5_result[MAX_PRF_DIG];    /* digLen is real size */
    241. 

  241.     byte  sha_result[MAX_PRF_DIG];    /* digLen is real size */
    242. 

  242. #endif
    243. 

  243. 

  244.     if (half > MAX_PRF_HALF)
    245. 

  245.         return BUFFER_E;
    246. 

  246.     if (labLen + seedLen > MAX_PRF_LABSEED)
    247. 

  247.         return BUFFER_E;
    248. 

  248.     if (digLen > MAX_PRF_DIG)
    249. 

  249.         return BUFFER_E;
    250. 

  250. 

  251. #ifdef WOLFSSL_SMALL_STACK
    252. 

  252.     md5_half   = (byte*)XMALLOC(MAX_PRF_HALF,    heap, DYNAMIC_TYPE_DIGEST);
    253. 

  253.     sha_half   = (byte*)XMALLOC(MAX_PRF_HALF,    heap, DYNAMIC_TYPE_DIGEST);
    254. 

  254.     labelSeed  = (byte*)XMALLOC(MAX_PRF_LABSEED, heap, DYNAMIC_TYPE_SEED);
    255. 

  255.     md5_result = (byte*)XMALLOC(MAX_PRF_DIG,     heap, DYNAMIC_TYPE_DIGEST);
    256. 

  256.     sha_result = (byte*)XMALLOC(MAX_PRF_DIG,     heap, DYNAMIC_TYPE_DIGEST);
    257. 

  257. 

  258.     if (md5_half == NULL || sha_half == NULL || labelSeed == NULL ||
    259. 

  259.                                      md5_result == NULL || sha_result == NULL) {
    260. 

  260.         if (md5_half)   XFREE(md5_half,   heap, DYNAMIC_TYPE_DIGEST);
    261. 

  261.         if (sha_half)   XFREE(sha_half,   heap, DYNAMIC_TYPE_DIGEST);
    262. 

  262.         if (labelSeed)  XFREE(labelSeed,  heap, DYNAMIC_TYPE_SEED);
    263. 

  263.         if (md5_result) XFREE(md5_result, heap, DYNAMIC_TYPE_DIGEST);
    264. 

  264.         if (sha_result) XFREE(sha_result, heap, DYNAMIC_TYPE_DIGEST);
    265. 

  265. 

  266.         return MEMORY_E;
    267. 

  267.     }
    268. 

  268. #endif
    269. 

  269. 

  270.     XMEMSET(md5_result, 0, digLen);
    271. 

  271.     XMEMSET(sha_result, 0, digLen);
    272. 

  272. 

  273.     XMEMCPY(md5_half, secret, half);
    274. 

  274.     XMEMCPY(sha_half, secret + half - secLen % 2, half);
    275. 

  275. 

  276.     XMEMCPY(labelSeed, label, labLen);
    277. 

  277.     XMEMCPY(labelSeed + labLen, seed, seedLen);
    278. 

  278. 

  279.     if ((ret = p_hash(md5_result, digLen, md5_half, half, labelSeed,
    280. 

  280.                                 labLen + seedLen, md5_mac, heap, devId)) == 0) {
    281. 

  281.         if ((ret = p_hash(sha_result, digLen, sha_half, half, labelSeed,
    282. 

  282.                                 labLen + seedLen, sha_mac, heap, devId)) == 0) {
    283. 

  283.             get_xor(digest, digLen, md5_result, sha_result);
    284. 

  284.         }
    285. 

  285.     }
    286. 

  286. 

  287. #ifdef WOLFSSL_SMALL_STACK
    288. 

  288.     XFREE(md5_half,   heap, DYNAMIC_TYPE_DIGEST);
    289. 

  289.     XFREE(sha_half,   heap, DYNAMIC_TYPE_DIGEST);
    290. 

  290.     XFREE(labelSeed,  heap, DYNAMIC_TYPE_SEED);
    291. 

  291.     XFREE(md5_result, heap, DYNAMIC_TYPE_DIGEST);
    292. 

  292.     XFREE(sha_result, heap, DYNAMIC_TYPE_DIGEST);
    293. 

  293. #endif
    294. 

  294. 

  295.     return ret;
    296. 

  296. }
    297. 

  297. 

  298. #endif
    299. 

  299. 

  300. 

  301. /* Wrapper to call straight thru to p_hash in TSL 1.2 cases to remove stack
    302. 

  302.    use */
    303. 

  303. static int PRF(byte* digest, word32 digLen, const byte* secret, word32 secLen,
    304. 

  304.             const byte* label, word32 labLen, const byte* seed, word32 seedLen,
    305. 

  305.             int useAtLeastSha256, int hash_type, void* heap, int devId)
    306. 

  306. {
    307. 

  307.     int ret = 0;
    308. 

  308. 

  309.     if (useAtLeastSha256) {
    310. 

  310. #ifdef WOLFSSL_SMALL_STACK
    311. 

  311.         byte* labelSeed;
    312. 

  312. #else
    313. 

  313.         byte labelSeed[MAX_PRF_LABSEED]; /* labLen + seedLen is real size */
    314. 

  314. #endif
    315. 

  315. 

  316.         if (labLen + seedLen > MAX_PRF_LABSEED)
    317. 

  317.             return BUFFER_E;
    318. 

  318. 

  319. #ifdef WOLFSSL_SMALL_STACK
    320. 

  320.         labelSeed = (byte*)XMALLOC(MAX_PRF_LABSEED, heap, DYNAMIC_TYPE_SEED);
    321. 

  321.         if (labelSeed == NULL)
    322. 

  322.            return MEMORY_E;
    323. 

  323. #endif
    324. 

  324. 

  325.         XMEMCPY(labelSeed, label, labLen);
    326. 

  326.         XMEMCPY(labelSeed + labLen, seed, seedLen);
    327. 

  327. 

  328.         /* If a cipher suite wants an algorithm better than sha256, it
    329. 

  329.          * should use better. */
    330. 

  330.         if (hash_type < sha256_mac || hash_type == blake2b_mac)
    331. 

  331.             hash_type = sha256_mac;
    332. 

  332.         ret = p_hash(digest, digLen, secret, secLen, labelSeed,
    333. 

  333.                      labLen + seedLen, hash_type, heap, devId);
    334. 

  334. 

  335. #ifdef WOLFSSL_SMALL_STACK
    336. 

  336.         XFREE(labelSeed, heap, DYNAMIC_TYPE_SEED);
    337. 

  337. #endif
    338. 

  338.     }
    339. 

  339. #ifndef NO_OLD_TLS
    340. 

  340.     else {
    341. 

  341.         ret = doPRF(digest, digLen, secret, secLen, label, labLen, seed,
    342. 

  342.                     seedLen, heap, devId);
    343. 

  343.     }
    344. 

  344. #endif
    345. 

  345. 

  346.     return ret;
    347. 

  347. }
    348. 

  348. 

  349. #ifdef WOLFSSL_SHA384
    350. 

  350.     #define HSHASH_SZ WC_SHA384_DIGEST_SIZE
    351. 

  351. #else
    352. 

  352.     #define HSHASH_SZ FINISHED_SZ
    353. 

  353. #endif
    354. 

  354. 

  355. 

  356. int BuildTlsHandshakeHash(WOLFSSL* ssl, byte* hash, word32* hashLen)
    357. 

  357. {
    358. 

  358.     word32 hashSz = FINISHED_SZ;
    359. 

  359. 

  360.     if (ssl == NULL || hash == NULL || hashLen == NULL || *hashLen < HSHASH_SZ)
    361. 

  361.         return BAD_FUNC_ARG;
    362. 

  362. 

  363. #ifndef NO_OLD_TLS
    364. 

  364.     wc_Md5GetHash(&ssl->hsHashes->hashMd5, hash);
    365. 

  365.     wc_ShaGetHash(&ssl->hsHashes->hashSha, &hash[WC_MD5_DIGEST_SIZE]);
    366. 

  366. #endif
    367. 

  367. 

  368.     if (IsAtLeastTLSv1_2(ssl)) {
    369. 

  369. #ifndef NO_SHA256
    370. 

  370.         if (ssl->specs.mac_algorithm <= sha256_mac ||
    371. 

  371.             ssl->specs.mac_algorithm == blake2b_mac) {
    372. 

  372.             int ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
    373. 

  373. 

  374.             if (ret != 0)
    375. 

  375.                 return ret;
    376. 

  376. 

  377.             hashSz = WC_SHA256_DIGEST_SIZE;
    378. 

  378.         }
    379. 

  379. #endif
    380. 

  380. #ifdef WOLFSSL_SHA384
    381. 

  381.         if (ssl->specs.mac_algorithm == sha384_mac) {
    382. 

  382.             int ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
    383. 

  383. 

  384.             if (ret != 0)
    385. 

  385.                 return ret;
    386. 

  386. 

  387.             hashSz = WC_SHA384_DIGEST_SIZE;
    388. 

  388.         }
    389. 

  389. #endif
    390. 

  390.     }
    391. 

  391. 

  392.     *hashLen = hashSz;
    393. 

  393. 

  394.     return 0;
    395. 

  395. }
    396. 

  396. 

  397. 

  398. int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
    399. 

  399. {
    400. 

  400.     int         ret;
    401. 

  401.     const byte* side;
    402. 

  402.     byte*       handshake_hash;
    403. 

  403.     word32      hashSz = HSHASH_SZ;
    404. 

  404. 

  405.     /* using allocate here to allow async hardware to use buffer directly */
    406. 

  406.     handshake_hash = (byte*)XMALLOC(hashSz, ssl->heap, DYNAMIC_TYPE_DIGEST);
    407. 

  407.     if (handshake_hash == NULL)
    408. 

  408.         return MEMORY_E;
    409. 

  409. 

  410.     ret = BuildTlsHandshakeHash(ssl, handshake_hash, &hashSz);
    411. 

  411.     if (ret == 0) {
    412. 

  412.         if ( XSTRNCMP((const char*)sender, (const char*)client, SIZEOF_SENDER) == 0)
    413. 

  413.             side = tls_client;
    414. 

  414.         else
    415. 

  415.             side = tls_server;
    416. 

  416. 

  417.         ret = PRF((byte*)hashes, TLS_FINISHED_SZ, ssl->arrays->masterSecret,
    418. 

  418.                    SECRET_LEN, side, FINISHED_LABEL_SZ, handshake_hash, hashSz,
    419. 

  419.                    IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
    420. 

  420.                    ssl->heap, ssl->devId);
    421. 

  421.     }
    422. 

  422. 

  423.     XFREE(handshake_hash, ssl->heap, DYNAMIC_TYPE_DIGEST);
    424. 

  424. 

  425.     return ret;
    426. 

  426. }
    427. 

  427. 

  428. 

  429. #ifndef NO_OLD_TLS
    430. 

  430. 

  431. #ifdef WOLFSSL_ALLOW_TLSV10
    432. 

  432. ProtocolVersion MakeTLSv1(void)
    433. 

  433. {
    434. 

  434.     ProtocolVersion pv;
    435. 

  435.     pv.major = SSLv3_MAJOR;
    436. 

  436.     pv.minor = TLSv1_MINOR;
    437. 

  437. 

  438.     return pv;
    439. 

  439. }
    440. 

  440. #endif /* WOLFSSL_ALLOW_TLSV10 */
    441. 

  441. 

  442. 

  443. ProtocolVersion MakeTLSv1_1(void)
    444. 

  444. {
    445. 

  445.     ProtocolVersion pv;
    446. 

  446.     pv.major = SSLv3_MAJOR;
    447. 

  447.     pv.minor = TLSv1_1_MINOR;
    448. 

  448. 

  449.     return pv;
    450. 

  450. }
    451. 

  451. 

  452. #endif /* !NO_OLD_TLS */
    453. 

  453. 

  454. 

  455. ProtocolVersion MakeTLSv1_2(void)
    456. 

  456. {
    457. 

  457.     ProtocolVersion pv;
    458. 

  458.     pv.major = SSLv3_MAJOR;
    459. 

  459.     pv.minor = TLSv1_2_MINOR;
    460. 

  460. 

  461.     return pv;
    462. 

  462. }
    463. 

  463. 

  464. #ifdef WOLFSSL_TLS13
    465. 

  465. /* The TLS v1.3 protocol version.
    466. 

  466.  *
    467. 

  467.  * returns the protocol version data for TLS v1.3.
    468. 

  468.  */
    469. 

  469. ProtocolVersion MakeTLSv1_3(void)
    470. 

  470. {
    471. 

  471.     ProtocolVersion pv;
    472. 

  472.     pv.major = SSLv3_MAJOR;
    473. 

  473.     pv.minor = TLSv1_3_MINOR;
    474. 

  474. 

  475.     return pv;
    476. 

  476. }
    477. 

  477. #endif
    478. 

  478. 

  479. 

  480. #ifdef HAVE_EXTENDED_MASTER
    481. 

  481. static const byte ext_master_label[EXT_MASTER_LABEL_SZ + 1] =
    482. 

  482.                                                       "extended master secret";
    483. 

  483. #endif
    484. 

  484. static const byte master_label[MASTER_LABEL_SZ + 1] = "master secret";
    485. 

  485. static const byte key_label   [KEY_LABEL_SZ + 1]    = "key expansion";
    486. 

  486. 

  487. static int _DeriveTlsKeys(byte* key_dig, word32 key_dig_len,
    488. 

  488.                          const byte* ms, word32 msLen,
    489. 

  489.                          const byte* sr, const byte* cr,
    490. 

  490.                          int tls1_2, int hash_type,
    491. 

  491.                          void* heap, int devId)
    492. 

  492. {
    493. 

  493.     byte  seed[SEED_LEN];
    494. 

  494. 

  495.     XMEMCPY(seed,           sr, RAN_LEN);
    496. 

  496.     XMEMCPY(seed + RAN_LEN, cr, RAN_LEN);
    497. 

  497. 

  498.     return PRF(key_dig, key_dig_len, ms, msLen, key_label, KEY_LABEL_SZ,
    499. 

  499.                seed, SEED_LEN, tls1_2, hash_type, heap, devId);
    500. 

  500. }
    501. 

  501. 

  502. /* External facing wrapper so user can call as well, 0 on success */
    503. 

  503. int wolfSSL_DeriveTlsKeys(byte* key_dig, word32 key_dig_len,
    504. 

  504.                          const byte* ms, word32 msLen,
    505. 

  505.                          const byte* sr, const byte* cr,
    506. 

  506.                          int tls1_2, int hash_type)
    507. 

  507. {
    508. 

  508.     return _DeriveTlsKeys(key_dig, key_dig_len, ms, msLen, sr, cr, tls1_2,
    509. 

  509.         hash_type, NULL, INVALID_DEVID);
    510. 

  510. }
    511. 

  511. 

  512. 

  513. int DeriveTlsKeys(WOLFSSL* ssl)
    514. 

  514. {
    515. 

  515.     int   ret;
    516. 

  516.     int   key_dig_len = 2 * ssl->specs.hash_size +
    517. 

  517.                         2 * ssl->specs.key_size  +
    518. 

  518.                         2 * ssl->specs.iv_size;
    519. 

  519. #ifdef WOLFSSL_SMALL_STACK
    520. 

  520.     byte* key_dig;
    521. 

  521. #else
    522. 

  522.     byte  key_dig[MAX_PRF_DIG];
    523. 

  523. #endif
    524. 

  524. 

  525. #ifdef WOLFSSL_SMALL_STACK
    526. 

  526.     key_dig = (byte*)XMALLOC(MAX_PRF_DIG, ssl->heap, DYNAMIC_TYPE_DIGEST);
    527. 

  527.     if (key_dig == NULL) {
    528. 

  528.         return MEMORY_E;
    529. 

  529.     }
    530. 

  530. #endif
    531. 

  531. 

  532.     ret = _DeriveTlsKeys(key_dig, key_dig_len,
    533. 

  533.                          ssl->arrays->masterSecret, SECRET_LEN,
    534. 

  534.                          ssl->arrays->serverRandom, ssl->arrays->clientRandom,
    535. 

  535.                          IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
    536. 

  536.                          ssl->heap, ssl->devId);
    537. 

  537.     if (ret == 0)
    538. 

  538.         ret = StoreKeys(ssl, key_dig, PROVISION_CLIENT_SERVER);
    539. 

  539. 

  540. #ifdef WOLFSSL_SMALL_STACK
    541. 

  541.     XFREE(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST);
    542. 

  542. #endif
    543. 

  543. 

  544.     return ret;
    545. 

  545. }
    546. 

  546. 

  547. static int _MakeTlsMasterSecret(byte* ms, word32 msLen,
    548. 

  548.                                const byte* pms, word32 pmsLen,
    549. 

  549.                                const byte* cr, const byte* sr,
    550. 

  550.                                int tls1_2, int hash_type,
    551. 

  551.                                void* heap, int devId)
    552. 

  552. {
    553. 

  553.     byte  seed[SEED_LEN];
    554. 

  554. 

  555.     XMEMCPY(seed,           cr, RAN_LEN);
    556. 

  556.     XMEMCPY(seed + RAN_LEN, sr, RAN_LEN);
    557. 

  557. 

  558.     return PRF(ms, msLen, pms, pmsLen, master_label, MASTER_LABEL_SZ,
    559. 

  559.                seed, SEED_LEN, tls1_2, hash_type, heap, devId);
    560. 

  560. }
    561. 

  561. 

  562. /* External facing wrapper so user can call as well, 0 on success */
    563. 

  563. int wolfSSL_MakeTlsMasterSecret(byte* ms, word32 msLen,
    564. 

  564.                                const byte* pms, word32 pmsLen,
    565. 

  565.                                const byte* cr, const byte* sr,
    566. 

  566.                                int tls1_2, int hash_type)
    567. 

  567. {
    568. 

  568.     return _MakeTlsMasterSecret(ms, msLen, pms, pmsLen, cr, sr, tls1_2,
    569. 

  569.         hash_type, NULL, INVALID_DEVID);
    570. 

  570. }
    571. 

  571. 

  572. 

  573. #ifdef HAVE_EXTENDED_MASTER
    574. 

  574. 

  575. static int _MakeTlsExtendedMasterSecret(byte* ms, word32 msLen,
    576. 

  576.                                         const byte* pms, word32 pmsLen,
    577. 

  577.                                         const byte* sHash, word32 sHashLen,
    578. 

  578.                                         int tls1_2, int hash_type,
    579. 

  579.                                         void* heap, int devId)
    580. 

  580. {
    581. 

  581.     return PRF(ms, msLen, pms, pmsLen, ext_master_label, EXT_MASTER_LABEL_SZ,
    582. 

  582.                sHash, sHashLen, tls1_2, hash_type, heap, devId);
    583. 

  583. }
    584. 

  584. 

  585. /* External facing wrapper so user can call as well, 0 on success */
    586. 

  586. int wolfSSL_MakeTlsExtendedMasterSecret(byte* ms, word32 msLen,
    587. 

  587.                                         const byte* pms, word32 pmsLen,
    588. 

  588.                                         const byte* sHash, word32 sHashLen,
    589. 

  589.                                         int tls1_2, int hash_type)
    590. 

  590. {
    591. 

  591.     return _MakeTlsExtendedMasterSecret(ms, msLen, pms, pmsLen, sHash, sHashLen,
    592. 

  592.         tls1_2, hash_type, NULL, INVALID_DEVID);
    593. 

  593. }
    594. 

  594. 

  595. #endif /* HAVE_EXTENDED_MASTER */
    596. 

  596. 

  597. 

  598. int MakeTlsMasterSecret(WOLFSSL* ssl)
    599. 

  599. {
    600. 

  600.     int    ret;
    601. 

  601. #ifdef HAVE_EXTENDED_MASTER
    602. 

  602.     if (ssl->options.haveEMS) {
    603. 

  603.         byte*  handshake_hash;
    604. 

  604.         word32 hashSz = HSHASH_SZ;
    605. 

  605. 

  606.         handshake_hash = (byte*)XMALLOC(HSHASH_SZ, ssl->heap,
    607. 

  607.                                         DYNAMIC_TYPE_DIGEST);
    608. 

  608.         if (handshake_hash == NULL)
    609. 

  609.             return MEMORY_E;
    610. 

  610. 

  611.         ret = BuildTlsHandshakeHash(ssl, handshake_hash, &hashSz);
    612. 

  612.         if (ret < 0) {
    613. 

  613.             XFREE(handshake_hash, ssl->heap, DYNAMIC_TYPE_DIGEST);
    614. 

  614.             return ret;
    615. 

  615.         }
    616. 

  616. 

  617.         ret = _MakeTlsExtendedMasterSecret(
    618. 

  618.                 ssl->arrays->masterSecret, SECRET_LEN,
    619. 

  619.                 ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
    620. 

  620.                 handshake_hash, hashSz,
    621. 

  621.                 IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
    622. 

  622.                 ssl->heap, ssl->devId);
    623. 

  623. 

  624.         XFREE(handshake_hash, ssl->heap, DYNAMIC_TYPE_DIGEST);
    625. 

  625.     } else
    626. 

  626. #endif
    627. 

  627.     ret = _MakeTlsMasterSecret(ssl->arrays->masterSecret, SECRET_LEN,
    628. 

  628.               ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
    629. 

  629.               ssl->arrays->clientRandom, ssl->arrays->serverRandom,
    630. 

  630.               IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
    631. 

  631.               ssl->heap, ssl->devId);
    632. 

  632. 

  633.     if (ret == 0) {
    634. 

  634.     #ifdef SHOW_SECRETS
    635. 

  635.         int i;
    636. 

  636. 

  637.         printf("master secret: ");
    638. 

  638.         for (i = 0; i < SECRET_LEN; i++)
    639. 

  639.             printf("%02x", ssl->arrays->masterSecret[i]);
    640. 

  640.         printf("\n");
    641. 

  641.     #endif
    642. 

  642. 

  643.         ret = DeriveTlsKeys(ssl);
    644. 

  644.     }
    645. 

  645. 

  646.     return ret;
    647. 

  647. }
    648. 

  648. 

  649. 

  650. /* Used by EAP-TLS and EAP-TTLS to derive keying material from
    651. 

  651.  * the master_secret. */
    652. 

  652. int wolfSSL_make_eap_keys(WOLFSSL* ssl, void* msk, unsigned int len,
    653. 

  653.                                                               const char* label)
    654. 

  654. {
    655. 

  655.     int   ret;
    656. 

  656. #ifdef WOLFSSL_SMALL_STACK
    657. 

  657.     byte* seed;
    658. 

  658. #else
    659. 

  659.     byte  seed[SEED_LEN];
    660. 

  660. #endif
    661. 

  661. 

  662. #ifdef WOLFSSL_SMALL_STACK
    663. 

  663.     seed = (byte*)XMALLOC(SEED_LEN, ssl->heap, DYNAMIC_TYPE_SEED);
    664. 

  664.     if (seed == NULL)
    665. 

  665.         return MEMORY_E;
    666. 

  666. #endif
    667. 

  667. 

  668.     /*
    669. 

  669.      * As per RFC-5281, the order of the client and server randoms is reversed
    670. 

  670.      * from that used by the TLS protocol to derive keys.
    671. 

  671.      */
    672. 

  672.     XMEMCPY(seed,           ssl->arrays->clientRandom, RAN_LEN);
    673. 

  673.     XMEMCPY(seed + RAN_LEN, ssl->arrays->serverRandom, RAN_LEN);
    674. 

  674. 

  675.     ret = PRF((byte*)msk, len, ssl->arrays->masterSecret, SECRET_LEN,
    676. 

  676.               (const byte *)label, (word32)XSTRLEN(label), seed, SEED_LEN,
    677. 

  677.               IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
    678. 

  678.               ssl->heap, ssl->devId);
    679. 

  679. 

  680. #ifdef WOLFSSL_SMALL_STACK
    681. 

  681.     XFREE(seed, ssl->heap, DYNAMIC_TYPE_SEED);
    682. 

  682. #endif
    683. 

  683. 

  684.     return ret;
    685. 

  685. }
    686. 

  686. 

  687. 

  688. static INLINE void GetSEQIncrement(WOLFSSL* ssl, int verify, word32 seq[2])
    689. 

  689. {
    690. 

  690.     if (verify) {
    691. 

  691.         seq[0] = ssl->keys.peer_sequence_number_hi;
    692. 

  692.         seq[1] = ssl->keys.peer_sequence_number_lo++;
    693. 

  693.         if (seq[1] > ssl->keys.peer_sequence_number_lo) {
    694. 

  694.             /* handle rollover */
    695. 

  695.             ssl->keys.peer_sequence_number_hi++;
    696. 

  696.         }
    697. 

  697.     }
    698. 

  698.     else {
    699. 

  699.         seq[0] = ssl->keys.sequence_number_hi;
    700. 

  700.         seq[1] = ssl->keys.sequence_number_lo++;
    701. 

  701.         if (seq[1] > ssl->keys.sequence_number_lo) {
    702. 

  702.             /* handle rollover */
    703. 

  703.             ssl->keys.sequence_number_hi++;
    704. 

  704.         }
    705. 

  705.     }
    706. 

  706. }
    707. 

  707. 

  708. 

  709. #ifdef WOLFSSL_DTLS
    710. 

  710. static INLINE void DtlsGetSEQ(WOLFSSL* ssl, int order, word32 seq[2])
    711. 

  711. {
    712. 

  712.     if (order == PREV_ORDER) {
    713. 

  713.         /* Previous epoch case */
    714. 

  714.         seq[0] = ((ssl->keys.dtls_epoch - 1) << 16) |
    715. 

  715.                  (ssl->keys.dtls_prev_sequence_number_hi & 0xFFFF);
    716. 

  716.         seq[1] = ssl->keys.dtls_prev_sequence_number_lo;
    717. 

  717.     }
    718. 

  718.     else if (order == PEER_ORDER) {
    719. 

  719.         seq[0] = (ssl->keys.curEpoch << 16) |
    720. 

  720.                  (ssl->keys.curSeq_hi & 0xFFFF);
    721. 

  721.         seq[1] = ssl->keys.curSeq_lo; /* explicit from peer */
    722. 

  722.     }
    723. 

  723.     else {
    724. 

  724.         seq[0] = (ssl->keys.dtls_epoch << 16) |
    725. 

  725.                  (ssl->keys.dtls_sequence_number_hi & 0xFFFF);
    726. 

  726.         seq[1] = ssl->keys.dtls_sequence_number_lo;
    727. 

  727.     }
    728. 

  728. }
    729. 

  729. #endif /* WOLFSSL_DTLS */
    730. 

  730. 

  731. 

  732. static INLINE void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out)
    733. 

  733. {
    734. 

  734.     word32 seq[2] = {0, 0};
    735. 

  735. 

  736.     if (!ssl->options.dtls) {
    737. 

  737.         GetSEQIncrement(ssl, verifyOrder, seq);
    738. 

  738.     }
    739. 

  739.     else {
    740. 

  740. #ifdef WOLFSSL_DTLS
    741. 

  741.         DtlsGetSEQ(ssl, verifyOrder, seq);
    742. 

  742. #endif
    743. 

  743.     }
    744. 

  744. 

  745.     c32toa(seq[0], out);
    746. 

  746.     c32toa(seq[1], out + OPAQUE32_LEN);
    747. 

  747. }
    748. 

  748. 

  749. 

  750. /*** end copy ***/
    751. 

  751. 

  752. 

  753. /* return HMAC digest type in wolfSSL format */
    754. 

  754. int wolfSSL_GetHmacType(WOLFSSL* ssl)
    755. 

  755. {
    756. 

  756.     if (ssl == NULL)
    757. 

  757.         return BAD_FUNC_ARG;
    758. 

  758. 

  759.     switch (ssl->specs.mac_algorithm) {
    760. 

  760.         #ifndef NO_MD5
    761. 

  761.         case md5_mac:
    762. 

  762.         {
    763. 

  763.             return WC_MD5;
    764. 

  764.         }
    765. 

  765.         #endif
    766. 

  766.         #ifndef NO_SHA256
    767. 

  767.         case sha256_mac:
    768. 

  768.         {
    769. 

  769.             return WC_SHA256;
    770. 

  770.         }
    771. 

  771.         #endif
    772. 

  772.         #ifdef WOLFSSL_SHA384
    773. 

  773.         case sha384_mac:
    774. 

  774.         {
    775. 

  775.             return WC_SHA384;
    776. 

  776.         }
    777. 

  777. 

  778.         #endif
    779. 

  779.         #ifndef NO_SHA
    780. 

  780.         case sha_mac:
    781. 

  781.         {
    782. 

  782.             return WC_SHA;
    783. 

  783.         }
    784. 

  784.         #endif
    785. 

  785.         #ifdef HAVE_BLAKE2
    786. 

  786.         case blake2b_mac:
    787. 

  787.         {
    788. 

  788.             return BLAKE2B_ID;
    789. 

  789.         }
    790. 

  790.         #endif
    791. 

  791.         default:
    792. 

  792.         {
    793. 

  793.             return WOLFSSL_FATAL_ERROR;
    794. 

  794.         }
    795. 

  795.     }
    796. 

  796. }
    797. 

  797. 

  798. 

  799. int wolfSSL_SetTlsHmacInner(WOLFSSL* ssl, byte* inner, word32 sz, int content,
    800. 

  800.                            int verify)
    801. 

  801. {
    802. 

  802.     if (ssl == NULL || inner == NULL)
    803. 

  803.         return BAD_FUNC_ARG;
    804. 

  804. 

  805.     XMEMSET(inner, 0, WOLFSSL_TLS_HMAC_INNER_SZ);
    806. 

  806. 

  807.     WriteSEQ(ssl, verify, inner);
    808. 

  808.     inner[SEQ_SZ] = (byte)content;
    809. 

  809.     inner[SEQ_SZ + ENUM_LEN]            = ssl->version.major;
    810. 

  810.     inner[SEQ_SZ + ENUM_LEN + ENUM_LEN] = ssl->version.minor;
    811. 

  811.     c16toa((word16)sz, inner + SEQ_SZ + ENUM_LEN + VERSION_SZ);
    812. 

  812. 

  813.     return 0;
    814. 

  814. }
    815. 

  815. 

  816. 

  817. /* TLS type HMAC */
    818. 

  818. int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
    819. 

  819.               int content, int verify)
    820. 

  820. {
    821. 

  821.     Hmac hmac;
    822. 

  822.     int  ret = 0;
    823. 

  823.     byte myInner[WOLFSSL_TLS_HMAC_INNER_SZ];
    824. 

  824. 

  825.     if (ssl == NULL)
    826. 

  826.         return BAD_FUNC_ARG;
    827. 

  827. 

  828. #ifdef HAVE_FUZZER
    829. 

  829.     if (ssl->fuzzerCb)
    830. 

  830.         ssl->fuzzerCb(ssl, in, sz, FUZZ_HMAC, ssl->fuzzerCtx);
    831. 

  831. #endif
    832. 

  832. 

  833.     wolfSSL_SetTlsHmacInner(ssl, myInner, sz, content, verify);
    834. 

  834. 

  835.     ret = wc_HmacInit(&hmac, ssl->heap, ssl->devId);
    836. 

  836.     if (ret != 0)
    837. 

  837.         return ret;
    838. 

  838. 

  839.     ret = wc_HmacSetKey(&hmac, wolfSSL_GetHmacType(ssl),
    840. 

  840.                      wolfSSL_GetMacSecret(ssl, verify), ssl->specs.hash_size);
    841. 

  841.     if (ret == 0) {
    842. 

  842.         ret = wc_HmacUpdate(&hmac, myInner, sizeof(myInner));
    843. 

  843.         if (ret == 0)
    844. 

  844.             ret = wc_HmacUpdate(&hmac, in, sz);                    /* content */
    845. 

  845.         if (ret == 0)
    846. 

  846.             ret = wc_HmacFinal(&hmac, digest);
    847. 

  847.     }
    848. 

  848.     wc_HmacFree(&hmac);
    849. 

  849. 

  850.     return ret;
    851. 

  851. }
    852. 

  852. 

  853. #ifdef HAVE_TLS_EXTENSIONS
    854. 

  854. 

  855. /**
    856. 

  856.  * The TLSX semaphore is used to calculate the size of the extensions to be sent
    857. 

  857.  * from one peer to another.
    858. 

  858.  */
    859. 

  859. 

  860. /** Supports up to 64 flags. Increase as needed. */
    861. 

  861. #define SEMAPHORE_SIZE 8
    862. 

  862. 

  863. /**
    864. 

  864.  * Converts the extension type (id) to an index in the semaphore.
    865. 

  865.  *
    866. 

  866.  * Oficial reference for TLS extension types:
    867. 

  867.  *   http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xml
    868. 

  868.  *
    869. 

  869.  * Motivation:
    870. 

  870.  *   Previously, we used the extension type itself as the index of that
    871. 

  871.  *   extension in the semaphore as the extension types were declared
    872. 

  872.  *   sequentially, but maintain a semaphore as big as the number of available
    873. 

  873.  *   extensions is no longer an option since the release of renegotiation_info.
    874. 

  874.  *
    875. 

  875.  * How to update:
    876. 

  876.  *   Assign extension types that extrapolate the number of available semaphores
    877. 

  877.  *   to the first available index going backwards in the semaphore array.
    878. 

  878.  *   When adding a new extension type that don't extrapolate the number of
    879. 

  879.  *   available semaphores, check for a possible collision with with a
    880. 

  880.  *   'remapped' extension type.
    881. 

  881.  */
    882. 

  882. static INLINE word16 TLSX_ToSemaphore(word16 type)
    883. 

  883. {
    884. 

  884.     switch (type) {
    885. 

  885. 

  886.         case TLSX_RENEGOTIATION_INFO: /* 0xFF01 */
    887. 

  887.             return 63;
    888. 

  888. 

  889.         default:
    890. 

  890.             if (type > 62) {
    891. 

  891.                 /* This message SHOULD only happens during the adding of
    892. 

  892.                    new TLS extensions in which its IANA number overflows
    893. 

  893.                    the current semaphore's range, or if its number already
    894. 

  894.                    is assigned to be used by another extension.
    895. 

  895.                    Use this check value for the new extension and decrement
    896. 

  896.                    the check value by one. */
    897. 

  897.                 WOLFSSL_MSG("### TLSX semaphore colision or overflow detected!");
    898. 

  898.             }
    899. 

  899.     }
    900. 

  900. 

  901.     return type;
    902. 

  902. }
    903. 

  903. 

  904. /** Checks if a specific light (tls extension) is not set in the semaphore. */
    905. 

  905. #define IS_OFF(semaphore, light) \
    906. 

  906.     (!(((semaphore)[(light) / 8] &  (byte) (0x01 << ((light) % 8)))))
    907. 

  907. 

  908. /** Turn on a specific light (tls extension) in the semaphore. */
    909. 

  909. /* the semaphore marks the extensions already written to the message */
    910. 

  910. #define TURN_ON(semaphore, light) \
    911. 

  911.     ((semaphore)[(light) / 8] |= (byte) (0x01 << ((light) % 8)))
    912. 

  912. 

  913. /** Turn off a specific light (tls extension) in the semaphore. */
    914. 

  914. #define TURN_OFF(semaphore, light) \
    915. 

  915.     ((semaphore)[(light) / 8] &= (byte) ~(0x01 << ((light) % 8)))
    916. 

  916. 

  917. /** Creates a new extension. */
    918. 

  918. static TLSX* TLSX_New(TLSX_Type type, void* data, void* heap)
    919. 

  919. {
    920. 

  920.     TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), heap, DYNAMIC_TYPE_TLSX);
    921. 

  921. 

  922.     if (extension) {
    923. 

  923.         extension->type = type;
    924. 

  924.         extension->data = data;
    925. 

  925.         extension->resp = 0;
    926. 

  926.         extension->next = NULL;
    927. 

  927.     }
    928. 

  928. 

  929.     return extension;
    930. 

  930. }
    931. 

  931. 

  932. /**
    933. 

  933.  * Creates a new extension and pushes it to the provided list.
    934. 

  934.  * Checks for duplicate extensions, keeps the newest.
    935. 

  935.  */
    936. 

  936. static int TLSX_Push(TLSX** list, TLSX_Type type, void* data, void* heap)
    937. 

  937. {
    938. 

  938.     TLSX* extension = TLSX_New(type, data, heap);
    939. 

  939. 

  940.     if (extension == NULL)
    941. 

  941.         return MEMORY_E;
    942. 

  942. 

  943.     /* pushes the new extension on the list. */
    944. 

  944.     extension->next = *list;
    945. 

  945.     *list = extension;
    946. 

  946. 

  947.     /* remove duplicate extensions, there should be only one of each type. */
    948. 

  948.     do {
    949. 

  949.         if (extension->next && extension->next->type == type) {
    950. 

  950.             TLSX *next = extension->next;
    951. 

  951. 

  952.             extension->next = next->next;
    953. 

  953.             next->next = NULL;
    954. 

  954. 

  955.             TLSX_FreeAll(next, heap);
    956. 

  956. 

  957.             /* there is no way to occur more than
    958. 

  958.              * two extensions of the same type.
    959. 

  959.              */
    960. 

  960.             break;
    961. 

  961.         }
    962. 

  962.     } while ((extension = extension->next));
    963. 

  963. 

  964.     return 0;
    965. 

  965. }
    966. 

  966. 

  967. #ifndef NO_WOLFSSL_CLIENT
    968. 

  968. 

  969. int TLSX_CheckUnsupportedExtension(WOLFSSL* ssl, TLSX_Type type);
    970. 

  970. 

  971. int TLSX_CheckUnsupportedExtension(WOLFSSL* ssl, TLSX_Type type)
    972. 

  972. {
    973. 

  973.     TLSX *extension = TLSX_Find(ssl->extensions, type);
    974. 

  974. 

  975.     if (!extension)
    976. 

  976.         extension = TLSX_Find(ssl->ctx->extensions, type);
    977. 

  977. 

  978.     return extension == NULL;
    979. 

  979. }
    980. 

  980. 

  981. int TLSX_HandleUnsupportedExtension(WOLFSSL* ssl);
    982. 

  982. 

  983. int TLSX_HandleUnsupportedExtension(WOLFSSL* ssl)
    984. 

  984. {
    985. 

  985.     SendAlert(ssl, alert_fatal, unsupported_extension);
    986. 

  986.     return UNSUPPORTED_EXTENSION;
    987. 

  987. }
    988. 

  988. 

  989. #else
    990. 

  990. 

  991. #define TLSX_CheckUnsupportedExtension(ssl, type) 0
    992. 

  992. #define TLSX_HandleUnsupportedExtension(ssl) 0
    993. 

  993. 

  994. #endif
    995. 

  995. 

  996. #ifndef NO_WOLFSSL_SERVER
    997. 

  997. 

  998. /** Mark an extension to be sent back to the client. */
    999. 

  999. void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type);
    1000. 

  1000. 

  1001. void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type)
    1002. 

  1002. {
    1003. 

  1003.     TLSX *extension = TLSX_Find(ssl->extensions, type);
    1004. 

  1004. 

  1005.     if (extension)
    1006. 

  1006.         extension->resp = 1;
    1007. 

  1007. }
    1008. 

  1008. 

  1009. #endif
    1010. 

  1010. 

  1011. /******************************************************************************/
    1012. 

  1012. /* Application-Layer Protocol Negotiation                                     */
    1013. 

  1013. /******************************************************************************/
    1014. 

  1014. 

  1015. #ifdef HAVE_ALPN
    1016. 

  1016. /** Creates a new ALPN object, providing protocol name to use. */
    1017. 

  1017. static ALPN* TLSX_ALPN_New(char *protocol_name, word16 protocol_nameSz,
    1018. 

  1018.                                                                      void* heap)
    1019. 

  1019. {
    1020. 

  1020.     ALPN *alpn;
    1021. 

  1021. 

  1022.     WOLFSSL_ENTER("TLSX_ALPN_New");
    1023. 

  1023. 

  1024.     if (protocol_name == NULL ||
    1025. 

  1025.         protocol_nameSz > WOLFSSL_MAX_ALPN_PROTO_NAME_LEN) {
    1026. 

  1026.         WOLFSSL_MSG("Invalid arguments");
    1027. 

  1027.         return NULL;
    1028. 

  1028.     }
    1029. 

  1029. 

  1030.     alpn = (ALPN*)XMALLOC(sizeof(ALPN), heap, DYNAMIC_TYPE_TLSX);
    1031. 

  1031.     if (alpn == NULL) {
    1032. 

  1032.         WOLFSSL_MSG("Memory failure");
    1033. 

  1033.         return NULL;
    1034. 

  1034.     }
    1035. 

  1035. 

  1036.     alpn->next = NULL;
    1037. 

  1037.     alpn->negotiated = 0;
    1038. 

  1038.     alpn->options = 0;
    1039. 

  1039. 

  1040.     alpn->protocol_name = (char*)XMALLOC(protocol_nameSz + 1,
    1041. 

  1041.                                          heap, DYNAMIC_TYPE_TLSX);
    1042. 

  1042.     if (alpn->protocol_name == NULL) {
    1043. 

  1043.         WOLFSSL_MSG("Memory failure");
    1044. 

  1044.         XFREE(alpn, heap, DYNAMIC_TYPE_TLSX);
    1045. 

  1045.         return NULL;
    1046. 

  1046.     }
    1047. 

  1047. 

  1048.     XMEMCPY(alpn->protocol_name, protocol_name, protocol_nameSz);
    1049. 

  1049.     alpn->protocol_name[protocol_nameSz] = 0;
    1050. 

  1050. 

  1051.     return alpn;
    1052. 

  1052. }
    1053. 

  1053. 

  1054. /** Releases an ALPN object. */
    1055. 

  1055. static void TLSX_ALPN_Free(ALPN *alpn, void* heap)
    1056. 

  1056. {
    1057. 

  1057.     (void)heap;
    1058. 

  1058. 

  1059.     if (alpn == NULL)
    1060. 

  1060.         return;
    1061. 

  1061. 

  1062.     XFREE(alpn->protocol_name, heap, DYNAMIC_TYPE_TLSX);
    1063. 

  1063.     XFREE(alpn, heap, DYNAMIC_TYPE_TLSX);
    1064. 

  1064. }
    1065. 

  1065. 

  1066. /** Releases all ALPN objects in the provided list. */
    1067. 

  1067. static void TLSX_ALPN_FreeAll(ALPN *list, void* heap)
    1068. 

  1068. {
    1069. 

  1069.     ALPN* alpn;
    1070. 

  1070. 

  1071.     while ((alpn = list)) {
    1072. 

  1072.         list = alpn->next;
    1073. 

  1073.         TLSX_ALPN_Free(alpn, heap);
    1074. 

  1074.     }
    1075. 

  1075. }
    1076. 

  1076. 

  1077. /** Tells the buffered size of the ALPN objects in a list. */
    1078. 

  1078. static word16 TLSX_ALPN_GetSize(ALPN *list)
    1079. 

  1079. {
    1080. 

  1080.     ALPN* alpn;
    1081. 

  1081.     word16 length = OPAQUE16_LEN; /* list length */
    1082. 

  1082. 

  1083.     while ((alpn = list)) {
    1084. 

  1084.         list = alpn->next;
    1085. 

  1085. 

  1086.         length++; /* protocol name length is on one byte */
    1087. 

  1087.         length += (word16)XSTRLEN(alpn->protocol_name);
    1088. 

  1088.     }
    1089. 

  1089. 

  1090.     return length;
    1091. 

  1091. }
    1092. 

  1092. 

  1093. /** Writes the ALPN objects of a list in a buffer. */
    1094. 

  1094. static word16 TLSX_ALPN_Write(ALPN *list, byte *output)
    1095. 

  1095. {
    1096. 

  1096.     ALPN* alpn;
    1097. 

  1097.     word16 length = 0;
    1098. 

  1098.     word16 offset = OPAQUE16_LEN; /* list length offset */
    1099. 

  1099. 

  1100.     while ((alpn = list)) {
    1101. 

  1101.         list = alpn->next;
    1102. 

  1102. 

  1103.         length = (word16)XSTRLEN(alpn->protocol_name);
    1104. 

  1104. 

  1105.         /* protocol name length */
    1106. 

  1106.         output[offset++] = (byte)length;
    1107. 

  1107. 

  1108.         /* protocol name value */
    1109. 

  1109.         XMEMCPY(output + offset, alpn->protocol_name, length);
    1110. 

  1110. 

  1111.         offset += length;
    1112. 

  1112.     }
    1113. 

  1113. 

  1114.     /* writing list length */
    1115. 

  1115.     c16toa(offset - OPAQUE16_LEN, output);
    1116. 

  1116. 

  1117.     return offset;
    1118. 

  1118. }
    1119. 

  1119. 

  1120. /** Finds a protocol name in the provided ALPN list */
    1121. 

  1121. static ALPN* TLSX_ALPN_Find(ALPN *list, char *protocol_name, word16 size)
    1122. 

  1122. {
    1123. 

  1123.     ALPN *alpn;
    1124. 

  1124. 

  1125.     if (list == NULL || protocol_name == NULL)
    1126. 

  1126.         return NULL;
    1127. 

  1127. 

  1128.     alpn = list;
    1129. 

  1129.     while (alpn != NULL && (
    1130. 

  1130.            (word16)XSTRLEN(alpn->protocol_name) != size ||
    1131. 

  1131.            XSTRNCMP(alpn->protocol_name, protocol_name, size)))
    1132. 

  1132.         alpn = alpn->next;
    1133. 

  1133. 

  1134.     return alpn;
    1135. 

  1135. }
    1136. 

  1136. 

  1137. /** Set the ALPN matching client and server requirements */
    1138. 

  1138. static int TLSX_SetALPN(TLSX** extensions, const void* data, word16 size,
    1139. 

  1139.                                                                      void* heap)
    1140. 

  1140. {
    1141. 

  1141.     ALPN *alpn;
    1142. 

  1142.     int  ret;
    1143. 

  1143. 

  1144.     if (extensions == NULL || data == NULL)
    1145. 

  1145.         return BAD_FUNC_ARG;
    1146. 

  1146. 

  1147.     alpn = TLSX_ALPN_New((char *)data, size, heap);
    1148. 

  1148.     if (alpn == NULL) {
    1149. 

  1149.         WOLFSSL_MSG("Memory failure");
    1150. 

  1150.         return MEMORY_E;
    1151. 

  1151.     }
    1152. 

  1152. 

  1153.     alpn->negotiated = 1;
    1154. 

  1154. 

  1155.     ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL, (void*)alpn,
    1156. 

  1156.                                                                           heap);
    1157. 

  1157.     if (ret != 0) {
    1158. 

  1158.         TLSX_ALPN_Free(alpn, heap);
    1159. 

  1159.         return ret;
    1160. 

  1160.     }
    1161. 

  1161. 

  1162.     return WOLFSSL_SUCCESS;
    1163. 

  1163. }
    1164. 

  1164. 

  1165. /** Parses a buffer of ALPN extensions and set the first one matching
    1166. 

  1166.  * client and server requirements */
    1167. 

  1167. static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length,
    1168. 

  1168.                                  byte isRequest)
    1169. 

  1169. {
    1170. 

  1170.     word16  size = 0, offset = 0, idx = 0;
    1171. 

  1171.     int     r = BUFFER_ERROR;
    1172. 

  1172.     byte    match = 0;
    1173. 

  1173.     TLSX    *extension;
    1174. 

  1174.     ALPN    *alpn = NULL, *list;
    1175. 

  1175. 

  1176.     if (OPAQUE16_LEN > length)
    1177. 

  1177.         return BUFFER_ERROR;
    1178. 

  1178. 

  1179.     ato16(input, &size);
    1180. 

  1180.     offset += OPAQUE16_LEN;
    1181. 

  1181. 

  1182.     extension = TLSX_Find(ssl->extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
    1183. 

  1183.     if (extension == NULL)
    1184. 

  1184.         extension = TLSX_Find(ssl->ctx->extensions,
    1185. 

  1185.                                                TLSX_APPLICATION_LAYER_PROTOCOL);
    1186. 

  1186. 

  1187. #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
    1188. 

  1188.     if (ssl->alpnSelect != NULL) {
    1189. 

  1189.         const byte* out;
    1190. 

  1190.         unsigned char outLen;
    1191. 

  1191. 

  1192.         if (ssl->alpnSelect(ssl, &out, &outLen, input + offset, size,
    1193. 

  1193.                             ssl->alpnSelectArg) == 0) {
    1194. 

  1194.             WOLFSSL_MSG("ALPN protocol match");
    1195. 

  1195.             if (TLSX_UseALPN(&ssl->extensions, (char*)out, outLen, 0, ssl->heap)
    1196. 

  1196.                                                            == WOLFSSL_SUCCESS) {
    1197. 

  1197.                 if (extension == NULL) {
    1198. 

  1198.                     extension = TLSX_Find(ssl->extensions,
    1199. 

  1199.                                           TLSX_APPLICATION_LAYER_PROTOCOL);
    1200. 

  1200.                 }
    1201. 

  1201.             }
    1202. 

  1202.         }
    1203. 

  1203.     }
    1204. 

  1204. #endif
    1205. 

  1205. 

  1206.     if (extension == NULL || extension->data == NULL) {
    1207. 

  1207.         return isRequest ? 0
    1208. 

  1208.                          : TLSX_HandleUnsupportedExtension(ssl);
    1209. 

  1209.     }
    1210. 

  1210. 

  1211.     /* validating alpn list length */
    1212. 

  1212.     if (length != OPAQUE16_LEN + size)
    1213. 

  1213.         return BUFFER_ERROR;
    1214. 

  1214. 

  1215.     list = (ALPN*)extension->data;
    1216. 

  1216. 

  1217.     /* keep the list sent by client */
    1218. 

  1218.     if (isRequest) {
    1219. 

  1219.         if (ssl->alpn_client_list != NULL)
    1220. 

  1220.             XFREE(ssl->alpn_client_list, ssl->heap, DYNAMIC_TYPE_ALPN);
    1221. 

  1221. 

  1222.         ssl->alpn_client_list = (char *)XMALLOC(size, ssl->heap,
    1223. 

  1223.                                                 DYNAMIC_TYPE_ALPN);
    1224. 

  1224.         if (ssl->alpn_client_list == NULL)
    1225. 

  1225.             return MEMORY_ERROR;
    1226. 

  1226.     }
    1227. 

  1227. 

  1228.     for (size = 0; offset < length; offset += size) {
    1229. 

  1229. 

  1230.         size = input[offset++];
    1231. 

  1231.         if (offset + size > length)
    1232. 

  1232.             return BUFFER_ERROR;
    1233. 

  1233. 

  1234.         if (isRequest) {
    1235. 

  1235.             XMEMCPY(ssl->alpn_client_list+idx, (char*)input + offset, size);
    1236. 

  1236.             idx += size;
    1237. 

  1237.             ssl->alpn_client_list[idx++] = ',';
    1238. 

  1238.         }
    1239. 

  1239. 

  1240.         if (!match) {
    1241. 

  1241.             alpn = TLSX_ALPN_Find(list, (char*)input + offset, size);
    1242. 

  1242.             if (alpn != NULL) {
    1243. 

  1243.                 WOLFSSL_MSG("ALPN protocol match");
    1244. 

  1244.                 match = 1;
    1245. 

  1245. 

  1246.                 /* skip reading other values if not required */
    1247. 

  1247.                 if (!isRequest)
    1248. 

  1248.                     break;
    1249. 

  1249.             }
    1250. 

  1250.         }
    1251. 

  1251.     }
    1252. 

  1252. 

  1253.     if (isRequest)
    1254. 

  1254.         ssl->alpn_client_list[idx-1] = 0;
    1255. 

  1255. 

  1256.     if (!match) {
    1257. 

  1257.         WOLFSSL_MSG("No ALPN protocol match");
    1258. 

  1258. 

  1259.         /* do nothing if no protocol match between client and server and option
    1260. 

  1260.          is set to continue (like OpenSSL) */
    1261. 

  1261.         if (list->options & WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) {
    1262. 

  1262.             WOLFSSL_MSG("Continue on mismatch");
    1263. 

  1263.             return 0;
    1264. 

  1264.         }
    1265. 

  1265. 

  1266.         SendAlert(ssl, alert_fatal, no_application_protocol);
    1267. 

  1267.         return UNKNOWN_ALPN_PROTOCOL_NAME_E;
    1268. 

  1268.     }
    1269. 

  1269. 

  1270.     /* set the matching negotiated protocol */
    1271. 

  1271.     r = TLSX_SetALPN(&ssl->extensions,
    1272. 

  1272.                      alpn->protocol_name,
    1273. 

  1273.                      (word16)XSTRLEN(alpn->protocol_name),
    1274. 

  1274.                      ssl->heap);
    1275. 

  1275.     if (r != WOLFSSL_SUCCESS) {
    1276. 

  1276.         WOLFSSL_MSG("TLSX_UseALPN failed");
    1277. 

  1277.         return BUFFER_ERROR;
    1278. 

  1278.     }
    1279. 

  1279. 

  1280.     /* reply to ALPN extension sent from client */
    1281. 

  1281.     if (isRequest) {
    1282. 

  1282. #ifndef NO_WOLFSSL_SERVER
    1283. 

  1283.         TLSX_SetResponse(ssl, TLSX_APPLICATION_LAYER_PROTOCOL);
    1284. 

  1284. #endif
    1285. 

  1285.     }
    1286. 

  1286. 

  1287.     return 0;
    1288. 

  1288. }
    1289. 

  1289. 

  1290. /** Add a protocol name to the list of accepted usable ones */
    1291. 

  1291. int TLSX_UseALPN(TLSX** extensions, const void* data, word16 size, byte options,
    1292. 

  1292.                                                                      void* heap)
    1293. 

  1293. {
    1294. 

  1294.     ALPN *alpn;
    1295. 

  1295.     TLSX *extension;
    1296. 

  1296.     int  ret;
    1297. 

  1297. 

  1298.     if (extensions == NULL || data == NULL)
    1299. 

  1299.         return BAD_FUNC_ARG;
    1300. 

  1300. 

  1301.     alpn = TLSX_ALPN_New((char *)data, size, heap);
    1302. 

  1302.     if (alpn == NULL) {
    1303. 

  1303.         WOLFSSL_MSG("Memory failure");
    1304. 

  1304.         return MEMORY_E;
    1305. 

  1305.     }
    1306. 

  1306. 

  1307.     /* Set Options of ALPN */
    1308. 

  1308.     alpn->options = options;
    1309. 

  1309. 

  1310.     extension = TLSX_Find(*extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
    1311. 

  1311.     if (extension == NULL) {
    1312. 

  1312.         ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL,
    1313. 

  1313.                                                              (void*)alpn, heap);
    1314. 

  1314.         if (ret != 0) {
    1315. 

  1315.             TLSX_ALPN_Free(alpn, heap);
    1316. 

  1316.             return ret;
    1317. 

  1317.         }
    1318. 

  1318.     }
    1319. 

  1319.     else {
    1320. 

  1320.         /* push new ALPN object to extension data. */
    1321. 

  1321.         alpn->next = (ALPN*)extension->data;
    1322. 

  1322.         extension->data = (void*)alpn;
    1323. 

  1323.     }
    1324. 

  1324. 

  1325.     return WOLFSSL_SUCCESS;
    1326. 

  1326. }
    1327. 

  1327. 

  1328. /** Get the protocol name set by the server */
    1329. 

  1329. int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz)
    1330. 

  1330. {
    1331. 

  1331.     TLSX *extension;
    1332. 

  1332.     ALPN *alpn;
    1333. 

  1333. 

  1334.     if (extensions == NULL || data == NULL || dataSz == NULL)
    1335. 

  1335.         return BAD_FUNC_ARG;
    1336. 

  1336. 

  1337.     extension = TLSX_Find(extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
    1338. 

  1338.     if (extension == NULL) {
    1339. 

  1339.         WOLFSSL_MSG("TLS extension not found");
    1340. 

  1340.         return WOLFSSL_ALPN_NOT_FOUND;
    1341. 

  1341.     }
    1342. 

  1342. 

  1343.     alpn = (ALPN *)extension->data;
    1344. 

  1344.     if (alpn == NULL) {
    1345. 

  1345.         WOLFSSL_MSG("ALPN extension not found");
    1346. 

  1346.         *data = NULL;
    1347. 

  1347.         *dataSz = 0;
    1348. 

  1348.         return WOLFSSL_FATAL_ERROR;
    1349. 

  1349.     }
    1350. 

  1350. 

  1351.     if (alpn->negotiated != 1) {
    1352. 

  1352. 

  1353.         /* consider as an error */
    1354. 

  1354.         if (alpn->options & WOLFSSL_ALPN_FAILED_ON_MISMATCH) {
    1355. 

  1355.             WOLFSSL_MSG("No protocol match with peer -> Failed");
    1356. 

  1356.             return WOLFSSL_FATAL_ERROR;
    1357. 

  1357.         }
    1358. 

  1358. 

  1359.         /* continue without negotiated protocol */
    1360. 

  1360.         WOLFSSL_MSG("No protocol match with peer -> Continue");
    1361. 

  1361.         return WOLFSSL_ALPN_NOT_FOUND;
    1362. 

  1362.     }
    1363. 

  1363. 

  1364.     if (alpn->next != NULL) {
    1365. 

  1365.         WOLFSSL_MSG("Only one protocol name must be accepted");
    1366. 

  1366.         return WOLFSSL_FATAL_ERROR;
    1367. 

  1367.     }
    1368. 

  1368. 

  1369.     *data = alpn->protocol_name;
    1370. 

  1370.     *dataSz = (word16)XSTRLEN((char*)*data);
    1371. 

  1371. 

  1372.     return WOLFSSL_SUCCESS;
    1373. 

  1373. }
    1374. 

  1374. 

  1375. #define ALPN_FREE_ALL     TLSX_ALPN_FreeAll
    1376. 

  1376. #define ALPN_GET_SIZE     TLSX_ALPN_GetSize
    1377. 

  1377. #define ALPN_WRITE        TLSX_ALPN_Write
    1378. 

  1378. #define ALPN_PARSE        TLSX_ALPN_ParseAndSet
    1379. 

  1379. 

  1380. #else /* HAVE_ALPN */
    1381. 

  1381. 

  1382. #define ALPN_FREE_ALL(list, heap)
    1383. 

  1383. #define ALPN_GET_SIZE(list)     0
    1384. 

  1384. #define ALPN_WRITE(a, b)        0
    1385. 

  1385. #define ALPN_PARSE(a, b, c, d)  0
    1386. 

  1386. 

  1387. #endif /* HAVE_ALPN */
    1388. 

  1388. 

  1389. /******************************************************************************/
    1390. 

  1390. /* Server Name Indication                                                     */
    1391. 

  1391. /******************************************************************************/
    1392. 

  1392. 

  1393. #ifdef HAVE_SNI
    1394. 

  1394. 

  1395. /** Creates a new SNI object. */
    1396. 

  1396. static SNI* TLSX_SNI_New(byte type, const void* data, word16 size, void* heap)
    1397. 

  1397. {
    1398. 

  1398.     SNI* sni = (SNI*)XMALLOC(sizeof(SNI), heap, DYNAMIC_TYPE_TLSX);
    1399. 

  1399. 

  1400.     if (sni) {
    1401. 

  1401.         sni->type = type;
    1402. 

  1402.         sni->next = NULL;
    1403. 

  1403. 

  1404.     #ifndef NO_WOLFSSL_SERVER
    1405. 

  1405.         sni->options = 0;
    1406. 

  1406.         sni->status  = WOLFSSL_SNI_NO_MATCH;
    1407. 

  1407.     #endif
    1408. 

  1408. 

  1409.         switch (sni->type) {
    1410. 

  1410.             case WOLFSSL_SNI_HOST_NAME:
    1411. 

  1411.                 sni->data.host_name = (char*)XMALLOC(size + 1, heap,
    1412. 

  1412.                                                      DYNAMIC_TYPE_TLSX);
    1413. 

  1413.                 if (sni->data.host_name) {
    1414. 

  1414.                     XSTRNCPY(sni->data.host_name, (const char*)data, size);
    1415. 

  1415.                     sni->data.host_name[size] = 0;
    1416. 

  1416.                 } else {
    1417. 

  1417.                     XFREE(sni, heap, DYNAMIC_TYPE_TLSX);
    1418. 

  1418.                     sni = NULL;
    1419. 

  1419.                 }
    1420. 

  1420.             break;
    1421. 

  1421. 

  1422.             default: /* invalid type */
    1423. 

  1423.                 XFREE(sni, heap, DYNAMIC_TYPE_TLSX);
    1424. 

  1424.                 sni = NULL;
    1425. 

  1425.         }
    1426. 

  1426.     }
    1427. 

  1427. 

  1428.     return sni;
    1429. 

  1429. }
    1430. 

  1430. 

  1431. /** Releases a SNI object. */
    1432. 

  1432. static void TLSX_SNI_Free(SNI* sni, void* heap)
    1433. 

  1433. {
    1434. 

  1434.     if (sni) {
    1435. 

  1435.         switch (sni->type) {
    1436. 

  1436.             case WOLFSSL_SNI_HOST_NAME:
    1437. 

  1437.                 XFREE(sni->data.host_name, heap, DYNAMIC_TYPE_TLSX);
    1438. 

  1438.             break;
    1439. 

  1439.         }
    1440. 

  1440. 

  1441.         XFREE(sni, heap, DYNAMIC_TYPE_TLSX);
    1442. 

  1442.     }
    1443. 

  1443.     (void)heap;
    1444. 

  1444. }
    1445. 

  1445. 

  1446. /** Releases all SNI objects in the provided list. */
    1447. 

  1447. static void TLSX_SNI_FreeAll(SNI* list, void* heap)
    1448. 

  1448. {
    1449. 

  1449.     SNI* sni;
    1450. 

  1450. 

  1451.     while ((sni = list)) {
    1452. 

  1452.         list = sni->next;
    1453. 

  1453.         TLSX_SNI_Free(sni, heap);
    1454. 

  1454.     }
    1455. 

  1455. }
    1456. 

  1456. 

  1457. /** Tells the buffered size of the SNI objects in a list. */
    1458. 

  1458. static word16 TLSX_SNI_GetSize(SNI* list)
    1459. 

  1459. {
    1460. 

  1460.     SNI* sni;
    1461. 

  1461.     word16 length = OPAQUE16_LEN; /* list length */
    1462. 

  1462. 

  1463.     while ((sni = list)) {
    1464. 

  1464.         list = sni->next;
    1465. 

  1465. 

  1466.         length += ENUM_LEN + OPAQUE16_LEN; /* sni type + sni length */
    1467. 

  1467. 

  1468.         switch (sni->type) {
    1469. 

  1469.             case WOLFSSL_SNI_HOST_NAME:
    1470. 

  1470.                 length += (word16)XSTRLEN((char*)sni->data.host_name);
    1471. 

  1471.             break;
    1472. 

  1472.         }
    1473. 

  1473.     }
    1474. 

  1474. 

  1475.     return length;
    1476. 

  1476. }
    1477. 

  1477. 

  1478. /** Writes the SNI objects of a list in a buffer. */
    1479. 

  1479. static word16 TLSX_SNI_Write(SNI* list, byte* output)
    1480. 

  1480. {
    1481. 

  1481.     SNI* sni;
    1482. 

  1482.     word16 length = 0;
    1483. 

  1483.     word16 offset = OPAQUE16_LEN; /* list length offset */
    1484. 

  1484. 

  1485.     while ((sni = list)) {
    1486. 

  1486.         list = sni->next;
    1487. 

  1487. 

  1488.         output[offset++] = sni->type; /* sni type */
    1489. 

  1489. 

  1490.         switch (sni->type) {
    1491. 

  1491.             case WOLFSSL_SNI_HOST_NAME:
    1492. 

  1492.                 length = (word16)XSTRLEN((char*)sni->data.host_name);
    1493. 

  1493. 

  1494.                 c16toa(length, output + offset); /* sni length */
    1495. 

  1495.                 offset += OPAQUE16_LEN;
    1496. 

  1496. 

  1497.                 XMEMCPY(output + offset, sni->data.host_name, length);
    1498. 

  1498. 

  1499.                 offset += length;
    1500. 

  1500.             break;
    1501. 

  1501.         }
    1502. 

  1502.     }
    1503. 

  1503. 

  1504.     c16toa(offset - OPAQUE16_LEN, output); /* writing list length */
    1505. 

  1505. 

  1506.     return offset;
    1507. 

  1507. }
    1508. 

  1508. 

  1509. /** Finds a SNI object in the provided list. */
    1510. 

  1510. static SNI* TLSX_SNI_Find(SNI *list, byte type)
    1511. 

  1511. {
    1512. 

  1512.     SNI* sni = list;
    1513. 

  1513. 

  1514.     while (sni && sni->type != type)
    1515. 

  1515.         sni = sni->next;
    1516. 

  1516. 

  1517.     return sni;
    1518. 

  1518. }
    1519. 

  1519. 

  1520. /** Sets the status of a SNI object. */
    1521. 

  1521. static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status)
    1522. 

  1522. {
    1523. 

  1523.     TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
    1524. 

  1524.     SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type);
    1525. 

  1525. 

  1526.     if (sni)
    1527. 

  1527.         sni->status = status;
    1528. 

  1528. }
    1529. 

  1529. 

  1530. /** Gets the status of a SNI object. */
    1531. 

  1531. byte TLSX_SNI_Status(TLSX* extensions, byte type)
    1532. 

  1532. {
    1533. 

  1533.     TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
    1534. 

  1534.     SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type);
    1535. 

  1535. 

  1536.     if (sni)
    1537. 

  1537.         return sni->status;
    1538. 

  1538. 

  1539.     return 0;
    1540. 

  1540. }
    1541. 

  1541. 

  1542. /** Parses a buffer of SNI extensions. */
    1543. 

  1543. static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
    1544. 

  1544.                                                                  byte isRequest)
    1545. 

  1545. {
    1546. 

  1546. #ifndef NO_WOLFSSL_SERVER
    1547. 

  1547.     word16 size = 0;
    1548. 

  1548.     word16 offset = 0;
    1549. 

  1549.     int cacheOnly = 0;
    1550. 

  1550. #endif
    1551. 

  1551. 

  1552.     TLSX *extension = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME);
    1553. 

  1553. 

  1554.     if (!extension)
    1555. 

  1555.         extension = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME);
    1556. 

  1556. 

  1557.     if (!isRequest) {
    1558. 

  1558.         #ifndef NO_WOLFSSL_CLIENT
    1559. 

  1559.             if (!extension || !extension->data)
    1560. 

  1560.                 return TLSX_HandleUnsupportedExtension(ssl);
    1561. 

  1561. 

  1562.             if (length > 0)
    1563. 

  1563.                 return BUFFER_ERROR; /* SNI response MUST be empty. */
    1564. 

  1564. 

  1565.             /* This call enables wolfSSL_SNI_GetRequest() to be called in the
    1566. 

  1566.              * client side to fetch the used SNI. It will only work if the SNI
    1567. 

  1567.              * was set at the SSL object level. Right now we only support one
    1568. 

  1568.              * name type, WOLFSSL_SNI_HOST_NAME, but in the future, the
    1569. 

  1569.              * inclusion of other name types will turn this method inaccurate,
    1570. 

  1570.              * as the extension response doesn't contains information of which
    1571. 

  1571.              * name was accepted.
    1572. 

  1572.              */
    1573. 

  1573.             TLSX_SNI_SetStatus(ssl->extensions, WOLFSSL_SNI_HOST_NAME,
    1574. 

  1574.                                                         WOLFSSL_SNI_REAL_MATCH);
    1575. 

  1575. 

  1576.             return 0;
    1577. 

  1577.         #endif
    1578. 

  1578.     }
    1579. 

  1579. 

  1580. #ifndef NO_WOLFSSL_SERVER
    1581. 

  1581.     if (!extension || !extension->data) {
    1582. 

  1582.         #if defined(WOLFSSL_ALWAYS_KEEP_SNI) && !defined(NO_WOLFSSL_SERVER)
    1583. 

  1583.             /* This will keep SNI even though TLSX_UseSNI has not been called.
    1584. 

  1584.             * Enable it so that the received sni is available to functions
    1585. 

  1585.             * that use a custom callback when SNI is received.
    1586. 

  1586.             */
    1587. 

  1587. 

  1588.             cacheOnly = 1;
    1589. 

  1589.             WOLFSSL_MSG("Forcing SSL object to store SNI parameter");
    1590. 

  1590.         #else
    1591. 

  1591.             /* Skipping, SNI not enabled at server side. */
    1592. 

  1592.             return 0;
    1593. 

  1593.         #endif
    1594. 

  1594.     }
    1595. 

  1595. 

  1596.     if (OPAQUE16_LEN > length)
    1597. 

  1597.         return BUFFER_ERROR;
    1598. 

  1598. 

  1599.     ato16(input, &size);
    1600. 

  1600.     offset += OPAQUE16_LEN;
    1601. 

  1601. 

  1602.     /* validating sni list length */
    1603. 

  1603.     if (length != OPAQUE16_LEN + size)
    1604. 

  1604.         return BUFFER_ERROR;
    1605. 

  1605. 

  1606.     for (size = 0; offset < length; offset += size) {
    1607. 

  1607.         SNI *sni = NULL;
    1608. 

  1608.         byte type = input[offset++];
    1609. 

  1609. 

  1610.         if (offset + OPAQUE16_LEN > length)
    1611. 

  1611.             return BUFFER_ERROR;
    1612. 

  1612. 

  1613.         ato16(input + offset, &size);
    1614. 

  1614.         offset += OPAQUE16_LEN;
    1615. 

  1615. 

  1616.         if (offset + size > length)
    1617. 

  1617.             return BUFFER_ERROR;
    1618. 

  1618. 

  1619.         if (!cacheOnly && !(sni = TLSX_SNI_Find((SNI*)extension->data, type)))
    1620. 

  1620.             continue; /* not using this type of SNI. */
    1621. 

  1621. 

  1622.         switch(type) {
    1623. 

  1623.             case WOLFSSL_SNI_HOST_NAME: {
    1624. 

  1624.                 int matchStat;
    1625. 

  1625.                 byte matched;
    1626. 

  1626. 

  1627. #ifdef WOLFSSL_TLS13
    1628. 

  1628.                 /* Don't process the second ClientHello SNI extension if there
    1629. 

  1629.                  * was problems with the first.
    1630. 

  1630.                  */
    1631. 

  1631.                 if (!cacheOnly && sni->status != 0)
    1632. 

  1632.                     break;
    1633. 

  1633. #endif
    1634. 

  1634.                 matched = cacheOnly ||
    1635. 

  1635.                     ((XSTRLEN(sni->data.host_name) == size) &&
    1636. 

  1636.                     (XSTRNCMP(sni->data.host_name,
    1637. 

  1637.                                       (const char*)input + offset, size) == 0));
    1638. 

  1638. 

  1639.                 if (matched || sni->options & WOLFSSL_SNI_ANSWER_ON_MISMATCH) {
    1640. 

  1640.                     int r = TLSX_UseSNI(&ssl->extensions,
    1641. 

  1641.                                          type, input + offset, size, ssl->heap);
    1642. 

  1642. 

  1643.                     if (r != WOLFSSL_SUCCESS)
    1644. 

  1644.                         return r; /* throws error. */
    1645. 

  1645. 

  1646.                     if(cacheOnly) {
    1647. 

  1647.                         WOLFSSL_MSG("Forcing storage of SNI, Fake match");
    1648. 

  1648.                         matchStat = WOLFSSL_SNI_FORCE_KEEP;
    1649. 

  1649.                     } else if(matched) {
    1650. 

  1650.                         WOLFSSL_MSG("SNI did match!");
    1651. 

  1651.                         matchStat = WOLFSSL_SNI_REAL_MATCH;
    1652. 

  1652.                     } else {
    1653. 

  1653.                         WOLFSSL_MSG("fake SNI match from ANSWER_ON_MISMATCH");
    1654. 

  1654.                         matchStat = WOLFSSL_SNI_FAKE_MATCH;
    1655. 

  1655.                     }
    1656. 

  1656. 

  1657.                     TLSX_SNI_SetStatus(ssl->extensions, type, (byte)matchStat);
    1658. 

  1658. 

  1659.                     if(!cacheOnly)
    1660. 

  1660.                         TLSX_SetResponse(ssl, TLSX_SERVER_NAME);
    1661. 

  1661. 

  1662.                 } else if (!(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) {
    1663. 

  1663.                     SendAlert(ssl, alert_fatal, unrecognized_name);
    1664. 

  1664. 

  1665.                     return UNKNOWN_SNI_HOST_NAME_E;
    1666. 

  1666.                 }
    1667. 

  1667.                 break;
    1668. 

  1668.             }
    1669. 

  1669.         }
    1670. 

  1670.     }
    1671. 

  1671. #else
    1672. 

  1672.     (void)input;
    1673. 

  1673. #endif
    1674. 

  1674. 

  1675.     return 0;
    1676. 

  1676. }
    1677. 

  1677. 

  1678. static int TLSX_SNI_VerifyParse(WOLFSSL* ssl,  byte isRequest)
    1679. 

  1679. {
    1680. 

  1680.     (void)ssl;
    1681. 

  1681. 

  1682.     if (isRequest) {
    1683. 

  1683.     #ifndef NO_WOLFSSL_SERVER
    1684. 

  1684.         TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME);
    1685. 

  1685.         TLSX* ssl_ext = TLSX_Find(ssl->extensions,      TLSX_SERVER_NAME);
    1686. 

  1686.         SNI* ctx_sni = ctx_ext ? (SNI*)ctx_ext->data : NULL;
    1687. 

  1687.         SNI* ssl_sni = ssl_ext ? (SNI*)ssl_ext->data : NULL;
    1688. 

  1688.         SNI* sni = NULL;
    1689. 

  1689. 

  1690.         for (; ctx_sni; ctx_sni = ctx_sni->next) {
    1691. 

  1691.             if (ctx_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) {
    1692. 

  1692.                 sni = TLSX_SNI_Find(ssl_sni, ctx_sni->type);
    1693. 

  1693. 

  1694.                 if (sni) {
    1695. 

  1695.                     if (sni->status != WOLFSSL_SNI_NO_MATCH)
    1696. 

  1696.                         continue;
    1697. 

  1697. 

  1698.                     /* if ssl level overrides ctx level, it is ok. */
    1699. 

  1699.                     if ((sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) == 0)
    1700. 

  1700.                         continue;
    1701. 

  1701.                 }
    1702. 

  1702. 

  1703.                 SendAlert(ssl, alert_fatal, handshake_failure);
    1704. 

  1704.                 return SNI_ABSENT_ERROR;
    1705. 

  1705.             }
    1706. 

  1706.         }
    1707. 

  1707. 

  1708.         for (; ssl_sni; ssl_sni = ssl_sni->next) {
    1709. 

  1709.             if (ssl_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) {
    1710. 

  1710.                 if (ssl_sni->status != WOLFSSL_SNI_NO_MATCH)
    1711. 

  1711.                     continue;
    1712. 

  1712. 

  1713.                 SendAlert(ssl, alert_fatal, handshake_failure);
    1714. 

  1714.                 return SNI_ABSENT_ERROR;
    1715. 

  1715.             }
    1716. 

  1716.         }
    1717. 

  1717.     #endif /* NO_WOLFSSL_SERVER */
    1718. 

  1718.     }
    1719. 

  1719. 

  1720.     return 0;
    1721. 

  1721. }
    1722. 

  1722. 

  1723. int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size,
    1724. 

  1724.                                                                      void* heap)
    1725. 

  1725. {
    1726. 

  1726.     TLSX* extension;
    1727. 

  1727.     SNI* sni = NULL;
    1728. 

  1728. 

  1729.     if (extensions == NULL || data == NULL)
    1730. 

  1730.         return BAD_FUNC_ARG;
    1731. 

  1731. 

  1732.     if ((sni = TLSX_SNI_New(type, data, size, heap)) == NULL)
    1733. 

  1733.         return MEMORY_E;
    1734. 

  1734. 

  1735.     extension = TLSX_Find(*extensions, TLSX_SERVER_NAME);
    1736. 

  1736.     if (!extension) {
    1737. 

  1737.         int ret = TLSX_Push(extensions, TLSX_SERVER_NAME, (void*)sni, heap);
    1738. 

  1738. 

  1739.         if (ret != 0) {
    1740. 

  1740.             TLSX_SNI_Free(sni, heap);
    1741. 

  1741.             return ret;
    1742. 

  1742.         }
    1743. 

  1743.     }
    1744. 

  1744.     else {
    1745. 

  1745.         /* push new SNI object to extension data. */
    1746. 

  1746.         sni->next = (SNI*)extension->data;
    1747. 

  1747.         extension->data = (void*)sni;
    1748. 

  1748. 

  1749.         /* remove duplicate SNI, there should be only one of each type. */
    1750. 

  1750.         do {
    1751. 

  1751.             if (sni->next && sni->next->type == type) {
    1752. 

  1752.                 SNI* next = sni->next;
    1753. 

  1753. 

  1754.                 sni->next = next->next;
    1755. 

  1755.                 TLSX_SNI_Free(next, heap);
    1756. 

  1756. 

  1757.                 /* there is no way to occur more than
    1758. 

  1758.                  * two SNIs of the same type.
    1759. 

  1759.                  */
    1760. 

  1760.                 break;
    1761. 

  1761.             }
    1762. 

  1762.         } while ((sni = sni->next));
    1763. 

  1763.     }
    1764. 

  1764. 

  1765.     return WOLFSSL_SUCCESS;
    1766. 

  1766. }
    1767. 

  1767. 

  1768. #ifndef NO_WOLFSSL_SERVER
    1769. 

  1769. 

  1770. /** Tells the SNI requested by the client. */
    1771. 

  1771. word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data)
    1772. 

  1772. {
    1773. 

  1773.     TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
    1774. 

  1774.     SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type);
    1775. 

  1775. 

  1776.     if (sni && sni->status != WOLFSSL_SNI_NO_MATCH) {
    1777. 

  1777.         switch (sni->type) {
    1778. 

  1778.             case WOLFSSL_SNI_HOST_NAME:
    1779. 

  1779.                 if (data) {
    1780. 

  1780.                     *data = sni->data.host_name;
    1781. 

  1781.                     return (word16)XSTRLEN((char*)*data);
    1782. 

  1782.                 }
    1783. 

  1783.         }
    1784. 

  1784.     }
    1785. 

  1785. 

  1786.     return 0;
    1787. 

  1787. }
    1788. 

  1788. 

  1789. /** Sets the options for a SNI object. */
    1790. 

  1790. void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options)
    1791. 

  1791. {
    1792. 

  1792.     TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
    1793. 

  1793.     SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type);
    1794. 

  1794. 

  1795.     if (sni)
    1796. 

  1796.         sni->options = options;
    1797. 

  1797. }
    1798. 

  1798. 

  1799. /** Retrieves a SNI request from a client hello buffer. */
    1800. 

  1800. int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
    1801. 

  1801.                            byte type, byte* sni, word32* inOutSz)
    1802. 

  1802. {
    1803. 

  1803.     word32 offset = 0;
    1804. 

  1804.     word32 len32 = 0;
    1805. 

  1805.     word16 len16 = 0;
    1806. 

  1806. 

  1807.     if (helloSz < RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + CLIENT_HELLO_FIRST)
    1808. 

  1808.         return INCOMPLETE_DATA;
    1809. 

  1809. 

  1810.     /* TLS record header */
    1811. 

  1811.     if ((enum ContentType) clientHello[offset++] != handshake) {
    1812. 

  1812. 

  1813.         /* checking for SSLv2.0 client hello according to: */
    1814. 

  1814.         /* http://tools.ietf.org/html/rfc4346#appendix-E.1 */
    1815. 

  1815.         if ((enum HandShakeType) clientHello[++offset] == client_hello) {
    1816. 

  1816.             offset += ENUM_LEN + VERSION_SZ; /* skip version */
    1817. 

  1817. 

  1818.             ato16(clientHello + offset, &len16);
    1819. 

  1819.             offset += OPAQUE16_LEN;
    1820. 

  1820. 

  1821.             if (len16 % 3) /* cipher_spec_length must be multiple of 3 */
    1822. 

  1822.                 return BUFFER_ERROR;
    1823. 

  1823. 

  1824.             ato16(clientHello + offset, &len16);
    1825. 

  1825.             /* Returning SNI_UNSUPPORTED do not increment offset here */
    1826. 

  1826. 

  1827.             if (len16 != 0) /* session_id_length must be 0 */
    1828. 

  1828.                 return BUFFER_ERROR;
    1829. 

  1829. 

  1830.             return SNI_UNSUPPORTED;
    1831. 

  1831.         }
    1832. 

  1832. 

  1833.         return BUFFER_ERROR;
    1834. 

  1834.     }
    1835. 

  1835. 

  1836.     if (clientHello[offset++] != SSLv3_MAJOR)
    1837. 

  1837.         return BUFFER_ERROR;
    1838. 

  1838. 

  1839.     if (clientHello[offset++] < TLSv1_MINOR)
    1840. 

  1840.         return SNI_UNSUPPORTED;
    1841. 

  1841. 

  1842.     ato16(clientHello + offset, &len16);
    1843. 

  1843.     offset += OPAQUE16_LEN;
    1844. 

  1844. 

  1845.     if (offset + len16 > helloSz)
    1846. 

  1846.         return INCOMPLETE_DATA;
    1847. 

  1847. 

  1848.     /* Handshake header */
    1849. 

  1849.     if ((enum HandShakeType) clientHello[offset] != client_hello)
    1850. 

  1850.         return BUFFER_ERROR;
    1851. 

  1851. 

  1852.     c24to32(clientHello + offset + 1, &len32);
    1853. 

  1853.     offset += HANDSHAKE_HEADER_SZ;
    1854. 

  1854. 

  1855.     if (offset + len32 > helloSz)
    1856. 

  1856.         return BUFFER_ERROR;
    1857. 

  1857. 

  1858.     /* client hello */
    1859. 

  1859.     offset += VERSION_SZ + RAN_LEN; /* version, random */
    1860. 

  1860. 

  1861.     if (helloSz < offset + clientHello[offset])
    1862. 

  1862.         return BUFFER_ERROR;
    1863. 

  1863. 

  1864.     offset += ENUM_LEN + clientHello[offset]; /* skip session id */
    1865. 

  1865. 

  1866.     /* cypher suites */
    1867. 

  1867.     if (helloSz < offset + OPAQUE16_LEN)
    1868. 

  1868.         return BUFFER_ERROR;
    1869. 

  1869. 

  1870.     ato16(clientHello + offset, &len16);
    1871. 

  1871.     offset += OPAQUE16_LEN;
    1872. 

  1872. 

  1873.     if (helloSz < offset + len16)
    1874. 

  1874.         return BUFFER_ERROR;
    1875. 

  1875. 

  1876.     offset += len16; /* skip cypher suites */
    1877. 

  1877. 

  1878.     /* compression methods */
    1879. 

  1879.     if (helloSz < offset + 1)
    1880. 

  1880.         return BUFFER_ERROR;
    1881. 

  1881. 

  1882.     if (helloSz < offset + clientHello[offset])
    1883. 

  1883.         return BUFFER_ERROR;
    1884. 

  1884. 

  1885.     offset += ENUM_LEN + clientHello[offset]; /* skip compression methods */
    1886. 

  1886. 

  1887.     /* extensions */
    1888. 

  1888.     if (helloSz < offset + OPAQUE16_LEN)
    1889. 

  1889.         return 0; /* no extensions in client hello. */
    1890. 

  1890. 

  1891.     ato16(clientHello + offset, &len16);
    1892. 

  1892.     offset += OPAQUE16_LEN;
    1893. 

  1893. 

  1894.     if (helloSz < offset + len16)
    1895. 

  1895.         return BUFFER_ERROR;
    1896. 

  1896. 

  1897.     while (len16 >= OPAQUE16_LEN + OPAQUE16_LEN) {
    1898. 

  1898.         word16 extType;
    1899. 

  1899.         word16 extLen;
    1900. 

  1900. 

  1901.         ato16(clientHello + offset, &extType);
    1902. 

  1902.         offset += OPAQUE16_LEN;
    1903. 

  1903. 

  1904.         ato16(clientHello + offset, &extLen);
    1905. 

  1905.         offset += OPAQUE16_LEN;
    1906. 

  1906. 

  1907.         if (helloSz < offset + extLen)
    1908. 

  1908.             return BUFFER_ERROR;
    1909. 

  1909. 

  1910.         if (extType != TLSX_SERVER_NAME) {
    1911. 

  1911.             offset += extLen; /* skip extension */
    1912. 

  1912.         } else {
    1913. 

  1913.             word16 listLen;
    1914. 

  1914. 

  1915.             ato16(clientHello + offset, &listLen);
    1916. 

  1916.             offset += OPAQUE16_LEN;
    1917. 

  1917. 

  1918.             if (helloSz < offset + listLen)
    1919. 

  1919.                 return BUFFER_ERROR;
    1920. 

  1920. 

  1921.             while (listLen > ENUM_LEN + OPAQUE16_LEN) {
    1922. 

  1922.                 byte   sniType = clientHello[offset++];
    1923. 

  1923.                 word16 sniLen;
    1924. 

  1924. 

  1925.                 ato16(clientHello + offset, &sniLen);
    1926. 

  1926.                 offset += OPAQUE16_LEN;
    1927. 

  1927. 

  1928.                 if (helloSz < offset + sniLen)
    1929. 

  1929.                     return BUFFER_ERROR;
    1930. 

  1930. 

  1931.                 if (sniType != type) {
    1932. 

  1932.                     offset  += sniLen;
    1933. 

  1933.                     listLen -= min(ENUM_LEN + OPAQUE16_LEN + sniLen, listLen);
    1934. 

  1934.                     continue;
    1935. 

  1935.                 }
    1936. 

  1936. 

  1937.                 *inOutSz = min(sniLen, *inOutSz);
    1938. 

  1938.                 XMEMCPY(sni, clientHello + offset, *inOutSz);
    1939. 

  1939. 

  1940.                 return WOLFSSL_SUCCESS;
    1941. 

  1941.             }
    1942. 

  1942.         }
    1943. 

  1943. 

  1944.         len16 -= min(2 * OPAQUE16_LEN + extLen, len16);
    1945. 

  1945.     }
    1946. 

  1946. 

  1947.     return len16 ? BUFFER_ERROR : 0;
    1948. 

  1948. }
    1949. 

  1949. 

  1950. #endif
    1951. 

  1951. 

  1952. #define SNI_FREE_ALL     TLSX_SNI_FreeAll
    1953. 

  1953. #define SNI_GET_SIZE     TLSX_SNI_GetSize
    1954. 

  1954. #define SNI_WRITE        TLSX_SNI_Write
    1955. 

  1955. #define SNI_PARSE        TLSX_SNI_Parse
    1956. 

  1956. #define SNI_VERIFY_PARSE TLSX_SNI_VerifyParse
    1957. 

  1957. 

  1958. #else
    1959. 

  1959. 

  1960. #define SNI_FREE_ALL(list, heap)
    1961. 

  1961. #define SNI_GET_SIZE(list)     0
    1962. 

  1962. #define SNI_WRITE(a, b)        0
    1963. 

  1963. #define SNI_PARSE(a, b, c, d)  0
    1964. 

  1964. #define SNI_VERIFY_PARSE(a, b) 0
    1965. 

  1965. 

  1966. #endif /* HAVE_SNI */
    1967. 

  1967. 

  1968. /******************************************************************************/
    1969. 

  1969. /* Max Fragment Length Negotiation                                            */
    1970. 

  1970. /******************************************************************************/
    1971. 

  1971. 

  1972. #ifdef HAVE_MAX_FRAGMENT
    1973. 

  1973. 

  1974. static word16 TLSX_MFL_Write(byte* data, byte* output)
    1975. 

  1975. {
    1976. 

  1976.     output[0] = data[0];
    1977. 

  1977. 

  1978.     return ENUM_LEN;
    1979. 

  1979. }
    1980. 

  1980. 

  1981. static int TLSX_MFL_Parse(WOLFSSL* ssl, byte* input, word16 length,
    1982. 

  1982.                                                                  byte isRequest)
    1983. 

  1983. {
    1984. 

  1984.     if (length != ENUM_LEN)
    1985. 

  1985.         return BUFFER_ERROR;
    1986. 

  1986. 

  1987. #ifdef WOLFSSL_OLD_UNSUPPORTED_EXTENSION
    1988. 

  1988.     (void) isRequest;
    1989. 

  1989. #else
    1990. 

  1990.     if (!isRequest)
    1991. 

  1991.         if (TLSX_CheckUnsupportedExtension(ssl, TLSX_MAX_FRAGMENT_LENGTH))
    1992. 

  1992.             return TLSX_HandleUnsupportedExtension(ssl);
    1993. 

  1993. #endif
    1994. 

  1994. 

  1995.     switch (*input) {
    1996. 

  1996.         case WOLFSSL_MFL_2_9 : ssl->max_fragment =  512; break;
    1997. 

  1997.         case WOLFSSL_MFL_2_10: ssl->max_fragment = 1024; break;
    1998. 

  1998.         case WOLFSSL_MFL_2_11: ssl->max_fragment = 2048; break;
    1999. 

  1999.         case WOLFSSL_MFL_2_12: ssl->max_fragment = 4096; break;
    2000. 

  2000.         case WOLFSSL_MFL_2_13: ssl->max_fragment = 8192; break;
    2001. 

  2001. 

  2002.         default:
    2003. 

  2003.             SendAlert(ssl, alert_fatal, illegal_parameter);
    2004. 

  2004. 

  2005.             return UNKNOWN_MAX_FRAG_LEN_E;
    2006. 

  2006.     }
    2007. 

  2007. 

  2008. #ifndef NO_WOLFSSL_SERVER
    2009. 

  2009.     if (isRequest) {
    2010. 

  2010.         int ret = TLSX_UseMaxFragment(&ssl->extensions, *input, ssl->heap);
    2011. 

  2011. 

  2012.         if (ret != WOLFSSL_SUCCESS)
    2013. 

  2013.             return ret; /* throw error */
    2014. 

  2014. 

  2015.         TLSX_SetResponse(ssl, TLSX_MAX_FRAGMENT_LENGTH);
    2016. 

  2016.     }
    2017. 

  2017. #endif
    2018. 

  2018. 

  2019.     return 0;
    2020. 

  2020. }
    2021. 

  2021. 

  2022. int TLSX_UseMaxFragment(TLSX** extensions, byte mfl, void* heap)
    2023. 

  2023. {
    2024. 

  2024.     byte* data = NULL;
    2025. 

  2025.     int ret = 0;
    2026. 

  2026. 

  2027.     if (extensions == NULL || mfl < WOLFSSL_MFL_2_9 || WOLFSSL_MFL_2_13 < mfl)
    2028. 

  2028.         return BAD_FUNC_ARG;
    2029. 

  2029. 

  2030.     data = (byte*)XMALLOC(ENUM_LEN, heap, DYNAMIC_TYPE_TLSX);
    2031. 

  2031.     if (data == NULL)
    2032. 

  2032.         return MEMORY_E;
    2033. 

  2033. 

  2034.     data[0] = mfl;
    2035. 

  2035. 

  2036.     ret = TLSX_Push(extensions, TLSX_MAX_FRAGMENT_LENGTH, data, heap);
    2037. 

  2037.     if (ret != 0) {
    2038. 

  2038.         XFREE(data, heap, DYNAMIC_TYPE_TLSX);
    2039. 

  2039.         return ret;
    2040. 

  2040.     }
    2041. 

  2041. 

  2042.     return WOLFSSL_SUCCESS;
    2043. 

  2043. }
    2044. 

  2044. 

  2045. 

  2046. #define MFL_FREE_ALL(data, heap) XFREE(data, (heap), DYNAMIC_TYPE_TLSX)
    2047. 

  2047. #define MFL_GET_SIZE(data) ENUM_LEN
    2048. 

  2048. #define MFL_WRITE          TLSX_MFL_Write
    2049. 

  2049. #define MFL_PARSE          TLSX_MFL_Parse
    2050. 

  2050. 

  2051. #else
    2052. 

  2052. 

  2053. #define MFL_FREE_ALL(a, b)
    2054. 

  2054. #define MFL_GET_SIZE(a)       0
    2055. 

  2055. #define MFL_WRITE(a, b)       0
    2056. 

  2056. #define MFL_PARSE(a, b, c, d) 0
    2057. 

  2057. 

  2058. #endif /* HAVE_MAX_FRAGMENT */
    2059. 

  2059. 

  2060. /******************************************************************************/
    2061. 

  2061. /* Truncated HMAC                                                             */
    2062. 

  2062. /******************************************************************************/
    2063. 

  2063. 

  2064. #ifdef HAVE_TRUNCATED_HMAC
    2065. 

  2065. 

  2066. static int TLSX_THM_Parse(WOLFSSL* ssl, byte* input, word16 length,
    2067. 

  2067.                                                                  byte isRequest)
    2068. 

  2068. {
    2069. 

  2069.     if (length != 0 || input == NULL)
    2070. 

  2070.         return BUFFER_ERROR;
    2071. 

  2071. 

  2072.     if (!isRequest) {
    2073. 

  2073.     #ifndef WOLFSSL_OLD_UNSUPPORTED_EXTENSION
    2074. 

  2074.         if (TLSX_CheckUnsupportedExtension(ssl, TLSX_TRUNCATED_HMAC))
    2075. 

  2075.             return TLSX_HandleUnsupportedExtension(ssl);
    2076. 

  2076.     #endif
    2077. 

  2077.     }
    2078. 

  2078.     else {
    2079. 

  2079.         #ifndef NO_WOLFSSL_SERVER
    2080. 

  2080.             int ret = TLSX_UseTruncatedHMAC(&ssl->extensions, ssl->heap);
    2081. 

  2081. 

  2082.             if (ret != WOLFSSL_SUCCESS)
    2083. 

  2083.                 return ret; /* throw error */
    2084. 

  2084. 

  2085.             TLSX_SetResponse(ssl, TLSX_TRUNCATED_HMAC);
    2086. 

  2086.         #endif
    2087. 

  2087.     }
    2088. 

  2088. 

  2089.     ssl->truncated_hmac = 1;
    2090. 

  2090. 

  2091.     return 0;
    2092. 

  2092. }
    2093. 

  2093. 

  2094. int TLSX_UseTruncatedHMAC(TLSX** extensions, void* heap)
    2095. 

  2095. {
    2096. 

  2096.     int ret = 0;
    2097. 

  2097. 

  2098.     if (extensions == NULL)
    2099. 

  2099.         return BAD_FUNC_ARG;
    2100. 

  2100. 

  2101.     ret = TLSX_Push(extensions, TLSX_TRUNCATED_HMAC, NULL, heap);
    2102. 

  2102.     if (ret != 0)
    2103. 

  2103.         return ret;
    2104. 

  2104. 

  2105.     return WOLFSSL_SUCCESS;
    2106. 

  2106. }
    2107. 

  2107. 

  2108. #define THM_PARSE TLSX_THM_Parse
    2109. 

  2109. 

  2110. #else
    2111. 

  2111. 

  2112. #define THM_PARSE(a, b, c, d) 0
    2113. 

  2113. 

  2114. #endif /* HAVE_TRUNCATED_HMAC */
    2115. 

  2115. 

  2116. /******************************************************************************/
    2117. 

  2117. /* Certificate Status Request                                                 */
    2118. 

  2118. /******************************************************************************/
    2119. 

  2119. 

  2120. #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
    2121. 

  2121. 

  2122. static void TLSX_CSR_Free(CertificateStatusRequest* csr, void* heap)
    2123. 

  2123. {
    2124. 

  2124.     switch (csr->status_type) {
    2125. 

  2125.         case WOLFSSL_CSR_OCSP:
    2126. 

  2126.             FreeOcspRequest(&csr->request.ocsp);
    2127. 

  2127.         break;
    2128. 

  2128.     }
    2129. 

  2129. 

  2130.     XFREE(csr, heap, DYNAMIC_TYPE_TLSX);
    2131. 

  2131.     (void)heap;
    2132. 

  2132. }
    2133. 

  2133. 

  2134. static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest)
    2135. 

  2135. {
    2136. 

  2136.     word16 size = 0;
    2137. 

  2137. 

  2138.     /* shut up compiler warnings */
    2139. 

  2139.     (void) csr; (void) isRequest;
    2140. 

  2140. 

  2141. #ifndef NO_WOLFSSL_CLIENT
    2142. 

  2142.     if (isRequest) {
    2143. 

  2143.         switch (csr->status_type) {
    2144. 

  2144.             case WOLFSSL_CSR_OCSP:
    2145. 

  2145.                 size += ENUM_LEN + 2 * OPAQUE16_LEN;
    2146. 

  2146. 

  2147.                 if (csr->request.ocsp.nonceSz)
    2148. 

  2148.                     size += OCSP_NONCE_EXT_SZ;
    2149. 

  2149.             break;
    2150. 

  2150.         }
    2151. 

  2151.     }
    2152. 

  2152. #endif
    2153. 

  2153. 

  2154.     return size;
    2155. 

  2155. }
    2156. 

  2156. 

  2157. static word16 TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output,
    2158. 

  2158.                                                                  byte isRequest)
    2159. 

  2159. {
    2160. 

  2160.     /* shut up compiler warnings */
    2161. 

  2161.     (void) csr; (void) output; (void) isRequest;
    2162. 

  2162. 

  2163. #ifndef NO_WOLFSSL_CLIENT
    2164. 

  2164.     if (isRequest) {
    2165. 

  2165.         word16 offset = 0;
    2166. 

  2166.         word16 length = 0;
    2167. 

  2167. 

  2168.         /* type */
    2169. 

  2169.         output[offset++] = csr->status_type;
    2170. 

  2170. 

  2171.         switch (csr->status_type) {
    2172. 

  2172.             case WOLFSSL_CSR_OCSP:
    2173. 

  2173.                 /* responder id list */
    2174. 

  2174.                 c16toa(0, output + offset);
    2175. 

  2175.                 offset += OPAQUE16_LEN;
    2176. 

  2176. 

  2177.                 /* request extensions */
    2178. 

  2178.                 if (csr->request.ocsp.nonceSz)
    2179. 

  2179.                     length = (word16)EncodeOcspRequestExtensions(
    2180. 

  2180.                                                  &csr->request.ocsp,
    2181. 

  2181.                                                  output + offset + OPAQUE16_LEN,
    2182. 

  2182.                                                  OCSP_NONCE_EXT_SZ);
    2183. 

  2183. 

  2184.                 c16toa(length, output + offset);
    2185. 

  2185.                 offset += OPAQUE16_LEN + length;
    2186. 

  2186. 

  2187.             break;
    2188. 

  2188.         }
    2189. 

  2189. 

  2190.         return offset;
    2191. 

  2191.     }
    2192. 

  2192. #endif
    2193. 

  2193. 

  2194.     return 0;
    2195. 

  2195. }
    2196. 

  2196. 

  2197. static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
    2198. 

  2198.                                                                  byte isRequest)
    2199. 

  2199. {
    2200. 

  2200.     int ret;
    2201. 

  2201. 

  2202.     /* shut up compiler warnings */
    2203. 

  2203.     (void) ssl; (void) input;
    2204. 

  2204. 

  2205.     if (!isRequest) {
    2206. 

  2206. #ifndef NO_WOLFSSL_CLIENT
    2207. 

  2207.         TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
    2208. 

  2208.         CertificateStatusRequest* csr = extension ?
    2209. 

  2209.                               (CertificateStatusRequest*)extension->data : NULL;
    2210. 

  2210. 

  2211.         if (!csr) {
    2212. 

  2212.             /* look at context level */
    2213. 

  2213.             extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST);
    2214. 

  2214.             csr = extension ? (CertificateStatusRequest*)extension->data : NULL;
    2215. 

  2215. 

  2216.             if (!csr) /* unexpected extension */
    2217. 

  2217.                 return TLSX_HandleUnsupportedExtension(ssl);
    2218. 

  2218. 

  2219.             /* enable extension at ssl level */
    2220. 

  2220.             ret = TLSX_UseCertificateStatusRequest(&ssl->extensions,
    2221. 

  2221.                                      csr->status_type, csr->options, ssl->heap,
    2222. 

  2222.                                      ssl->devId);
    2223. 

  2223.             if (ret != WOLFSSL_SUCCESS)
    2224. 

  2224.                 return ret;
    2225. 

  2225. 

  2226.             switch (csr->status_type) {
    2227. 

  2227.                 case WOLFSSL_CSR_OCSP:
    2228. 

  2228.                     /* propagate nonce */
    2229. 

  2229.                     if (csr->request.ocsp.nonceSz) {
    2230. 

  2230.                         OcspRequest* request =
    2231. 

  2231.                              (OcspRequest*)TLSX_CSR_GetRequest(ssl->extensions);
    2232. 

  2232. 

  2233.                         if (request) {
    2234. 

  2234.                             XMEMCPY(request->nonce, csr->request.ocsp.nonce,
    2235. 

  2235.                                                     csr->request.ocsp.nonceSz);
    2236. 

  2236.                             request->nonceSz = csr->request.ocsp.nonceSz;
    2237. 

  2237.                         }
    2238. 

  2238.                     }
    2239. 

  2239.                 break;
    2240. 

  2240.             }
    2241. 

  2241.         }
    2242. 

  2242. 

  2243.         ssl->status_request = 1;
    2244. 

  2244. 

  2245.         return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */
    2246. 

  2246. #endif
    2247. 

  2247.     }
    2248. 

  2248.     else {
    2249. 

  2249. #ifndef NO_WOLFSSL_SERVER
    2250. 

  2250.         byte   status_type;
    2251. 

  2251.         word16 offset = 0;
    2252. 

  2252.         word16 size = 0;
    2253. 

  2253. 

  2254.         if (length < ENUM_LEN)
    2255. 

  2255.             return BUFFER_ERROR;
    2256. 

  2256. 

  2257.         status_type = input[offset++];
    2258. 

  2258. 

  2259.         switch (status_type) {
    2260. 

  2260.             case WOLFSSL_CSR_OCSP: {
    2261. 

  2261. 

  2262.                 /* skip responder_id_list */
    2263. 

  2263.                 if (length - offset < OPAQUE16_LEN)
    2264. 

  2264.                     return BUFFER_ERROR;
    2265. 

  2265. 

  2266.                 ato16(input + offset, &size);
    2267. 

  2267.                 offset += OPAQUE16_LEN + size;
    2268. 

  2268. 

  2269.                 /* skip request_extensions */
    2270. 

  2270.                 if (length - offset < OPAQUE16_LEN)
    2271. 

  2271.                     return BUFFER_ERROR;
    2272. 

  2272. 

  2273.                 ato16(input + offset, &size);
    2274. 

  2274.                 offset += OPAQUE16_LEN + size;
    2275. 

  2275. 

  2276.                 if (offset > length)
    2277. 

  2277.                     return BUFFER_ERROR;
    2278. 

  2278. 

  2279.                 /* is able to send OCSP response? */
    2280. 

  2280.                 if (ssl->ctx->cm == NULL || !ssl->ctx->cm->ocspStaplingEnabled)
    2281. 

  2281.                     return 0;
    2282. 

  2282.             }
    2283. 

  2283.             break;
    2284. 

  2284. 

  2285.             /* unknown status type */
    2286. 

  2286.             default:
    2287. 

  2287.                 return 0;
    2288. 

  2288.         }
    2289. 

  2289. 

  2290.         /* if using status_request and already sending it, skip this one */
    2291. 

  2291.         #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
    2292. 

  2292.         if (ssl->status_request_v2)
    2293. 

  2293.             return 0;
    2294. 

  2294.         #endif
    2295. 

  2295. 

  2296.         /* accept the first good status_type and return */
    2297. 

  2297.         ret = TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type,
    2298. 

  2298.                                                       0, ssl->heap, ssl->devId);
    2299. 

  2299.         if (ret != WOLFSSL_SUCCESS)
    2300. 

  2300.             return ret; /* throw error */
    2301. 

  2301. 

  2302.         TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST);
    2303. 

  2303.         ssl->status_request = status_type;
    2304. 

  2304. 

  2305. #endif
    2306. 

  2306.     }
    2307. 

  2307. 

  2308.     return 0;
    2309. 

  2309. }
    2310. 

  2310. 

  2311. int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert, void* heap)
    2312. 

  2312. {
    2313. 

  2313.     TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST);
    2314. 

  2314.     CertificateStatusRequest* csr = extension ?
    2315. 

  2315.         (CertificateStatusRequest*)extension->data : NULL;
    2316. 

  2316.     int ret = 0;
    2317. 

  2317. 

  2318.     if (csr) {
    2319. 

  2319.         switch (csr->status_type) {
    2320. 

  2320.             case WOLFSSL_CSR_OCSP: {
    2321. 

  2321.                 byte nonce[MAX_OCSP_NONCE_SZ];
    2322. 

  2322.                 int  nonceSz = csr->request.ocsp.nonceSz;
    2323. 

  2323. 

  2324.                 /* preserve nonce */
    2325. 

  2325.                 XMEMCPY(nonce, csr->request.ocsp.nonce, nonceSz);
    2326. 

  2326. 

  2327.                 if ((ret = InitOcspRequest(&csr->request.ocsp, cert, 0, heap))
    2328. 

  2328.                                                                            != 0)
    2329. 

  2329.                     return ret;
    2330. 

  2330. 

  2331.                 /* restore nonce */
    2332. 

  2332.                 XMEMCPY(csr->request.ocsp.nonce, nonce, nonceSz);
    2333. 

  2333.                 csr->request.ocsp.nonceSz = nonceSz;
    2334. 

  2334.             }
    2335. 

  2335.             break;
    2336. 

  2336.         }
    2337. 

  2337.     }
    2338. 

  2338. 

  2339.     return ret;
    2340. 

  2340. }
    2341. 

  2341. 

  2342. void* TLSX_CSR_GetRequest(TLSX* extensions)
    2343. 

  2343. {
    2344. 

  2344.     TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST);
    2345. 

  2345.     CertificateStatusRequest* csr = extension ?
    2346. 

  2346.                               (CertificateStatusRequest*)extension->data : NULL;
    2347. 

  2347. 

  2348.     if (csr) {
    2349. 

  2349.         switch (csr->status_type) {
    2350. 

  2350.             case WOLFSSL_CSR_OCSP:
    2351. 

  2351.                 return &csr->request.ocsp;
    2352. 

  2352.             break;
    2353. 

  2353.         }
    2354. 

  2354.     }
    2355. 

  2355. 

  2356.     return NULL;
    2357. 

  2357. }
    2358. 

  2358. 

  2359. int TLSX_CSR_ForceRequest(WOLFSSL* ssl)
    2360. 

  2360. {
    2361. 

  2361.     TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
    2362. 

  2362.     CertificateStatusRequest* csr = extension ?
    2363. 

  2363.                               (CertificateStatusRequest*)extension->data : NULL;
    2364. 

  2364. 

  2365.     if (csr) {
    2366. 

  2366.         switch (csr->status_type) {
    2367. 

  2367.             case WOLFSSL_CSR_OCSP:
    2368. 

  2368.                 if (ssl->ctx->cm->ocspEnabled) {
    2369. 

  2369.                     csr->request.ocsp.ssl = ssl;
    2370. 

  2370.                     return CheckOcspRequest(ssl->ctx->cm->ocsp,
    2371. 

  2371.                                                       &csr->request.ocsp, NULL);
    2372. 

  2372.                 }
    2373. 

  2373.                 else
    2374. 

  2374.                     return OCSP_LOOKUP_FAIL;
    2375. 

  2375.         }
    2376. 

  2376.     }
    2377. 

  2377. 

  2378.     return 0;
    2379. 

  2379. }
    2380. 

  2380. 

  2381. int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type,
    2382. 

  2382.                                            byte options, void* heap, int devId)
    2383. 

  2383. {
    2384. 

  2384.     CertificateStatusRequest* csr = NULL;
    2385. 

  2385.     int ret = 0;
    2386. 

  2386. 

  2387.     if (!extensions || status_type != WOLFSSL_CSR_OCSP)
    2388. 

  2388.         return BAD_FUNC_ARG;
    2389. 

  2389. 

  2390.     csr = (CertificateStatusRequest*)
    2391. 

  2391.              XMALLOC(sizeof(CertificateStatusRequest), heap, DYNAMIC_TYPE_TLSX);
    2392. 

  2392.     if (!csr)
    2393. 

  2393.         return MEMORY_E;
    2394. 

  2394. 

  2395.     ForceZero(csr, sizeof(CertificateStatusRequest));
    2396. 

  2396. 

  2397.     csr->status_type = status_type;
    2398. 

  2398.     csr->options     = options;
    2399. 

  2399. 

  2400.     switch (csr->status_type) {
    2401. 

  2401.         case WOLFSSL_CSR_OCSP:
    2402. 

  2402.             if (options & WOLFSSL_CSR_OCSP_USE_NONCE) {
    2403. 

  2403.                 WC_RNG rng;
    2404. 

  2404. 

  2405.             #ifndef HAVE_FIPS
    2406. 

  2406.                 ret = wc_InitRng_ex(&rng, heap, devId);
    2407. 

  2407.             #else
    2408. 

  2408.                 ret = wc_InitRng(&rng);
    2409. 

  2409.                 (void)devId;
    2410. 

  2410.             #endif
    2411. 

  2411.                 if (ret == 0) {
    2412. 

  2412.                     if (wc_RNG_GenerateBlock(&rng, csr->request.ocsp.nonce,
    2413. 

  2413.                                                         MAX_OCSP_NONCE_SZ) == 0)
    2414. 

  2414.                         csr->request.ocsp.nonceSz = MAX_OCSP_NONCE_SZ;
    2415. 

  2415. 

  2416.                     wc_FreeRng(&rng);
    2417. 

  2417.                 }
    2418. 

  2418.             }
    2419. 

  2419.         break;
    2420. 

  2420.     }
    2421. 

  2421. 

  2422.     if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST, csr, heap)) != 0) {
    2423. 

  2423.         XFREE(csr, heap, DYNAMIC_TYPE_TLSX);
    2424. 

  2424.         return ret;
    2425. 

  2425.     }
    2426. 

  2426. 

  2427.     return WOLFSSL_SUCCESS;
    2428. 

  2428. }
    2429. 

  2429. 

  2430. #define CSR_FREE_ALL TLSX_CSR_Free
    2431. 

  2431. #define CSR_GET_SIZE TLSX_CSR_GetSize
    2432. 

  2432. #define CSR_WRITE    TLSX_CSR_Write
    2433. 

  2433. #define CSR_PARSE    TLSX_CSR_Parse
    2434. 

  2434. 

  2435. #else
    2436. 

  2436. 

  2437. #define CSR_FREE_ALL(data, heap)
    2438. 

  2438. #define CSR_GET_SIZE(a, b)    0
    2439. 

  2439. #define CSR_WRITE(a, b, c)    0
    2440. 

  2440. #define CSR_PARSE(a, b, c, d) 0
    2441. 

  2441. 

  2442. #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
    2443. 

  2443. 

  2444. /******************************************************************************/
    2445. 

  2445. /* Certificate Status Request v2                                              */
    2446. 

  2446. /******************************************************************************/
    2447. 

  2447. 

  2448. #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
    2449. 

  2449. 

  2450. static void TLSX_CSR2_FreeAll(CertificateStatusRequestItemV2* csr2, void* heap)
    2451. 

  2451. {
    2452. 

  2452.     CertificateStatusRequestItemV2* next;
    2453. 

  2453. 

  2454.     for (; csr2; csr2 = next) {
    2455. 

  2455.         next = csr2->next;
    2456. 

  2456. 

  2457.         switch (csr2->status_type) {
    2458. 

  2458.             case WOLFSSL_CSR2_OCSP:
    2459. 

  2459.             case WOLFSSL_CSR2_OCSP_MULTI:
    2460. 

  2460.                 while(csr2->requests--)
    2461. 

  2461.                     FreeOcspRequest(&csr2->request.ocsp[csr2->requests]);
    2462. 

  2462.             break;
    2463. 

  2463.         }
    2464. 

  2464. 

  2465.         XFREE(csr2, heap, DYNAMIC_TYPE_TLSX);
    2466. 

  2466.     }
    2467. 

  2467.     (void)heap;
    2468. 

  2468. }
    2469. 

  2469. 

  2470. static word16 TLSX_CSR2_GetSize(CertificateStatusRequestItemV2* csr2,
    2471. 

  2471.                                                                  byte isRequest)
    2472. 

  2472. {
    2473. 

  2473.     word16 size = 0;
    2474. 

  2474. 

  2475.     /* shut up compiler warnings */
    2476. 

  2476.     (void) csr2; (void) isRequest;
    2477. 

  2477. 

  2478. #ifndef NO_WOLFSSL_CLIENT
    2479. 

  2479.     if (isRequest) {
    2480. 

  2480.         CertificateStatusRequestItemV2* next;
    2481. 

  2481. 

  2482.         for (size = OPAQUE16_LEN; csr2; csr2 = next) {
    2483. 

  2483.             next = csr2->next;
    2484. 

  2484. 

  2485.             switch (csr2->status_type) {
    2486. 

  2486.                 case WOLFSSL_CSR2_OCSP:
    2487. 

  2487.                 case WOLFSSL_CSR2_OCSP_MULTI:
    2488. 

  2488.                     size += ENUM_LEN + 3 * OPAQUE16_LEN;
    2489. 

  2489. 

  2490.                     if (csr2->request.ocsp[0].nonceSz)
    2491. 

  2491.                         size += OCSP_NONCE_EXT_SZ;
    2492. 

  2492.                 break;
    2493. 

  2493.             }
    2494. 

  2494.         }
    2495. 

  2495.     }
    2496. 

  2496. #endif
    2497. 

  2497. 

  2498.     return size;
    2499. 

  2499. }
    2500. 

  2500. 

  2501. static word16 TLSX_CSR2_Write(CertificateStatusRequestItemV2* csr2,
    2502. 

  2502.                                                    byte* output, byte isRequest)
    2503. 

  2503. {
    2504. 

  2504.     /* shut up compiler warnings */
    2505. 

  2505.     (void) csr2; (void) output; (void) isRequest;
    2506. 

  2506. 

  2507. #ifndef NO_WOLFSSL_CLIENT
    2508. 

  2508.     if (isRequest) {
    2509. 

  2509.         word16 offset;
    2510. 

  2510.         word16 length;
    2511. 

  2511. 

  2512.         for (offset = OPAQUE16_LEN; csr2 != NULL; csr2 = csr2->next) {
    2513. 

  2513.             /* status_type */
    2514. 

  2514.             output[offset++] = csr2->status_type;
    2515. 

  2515. 

  2516.             /* request */
    2517. 

  2517.             switch (csr2->status_type) {
    2518. 

  2518.                 case WOLFSSL_CSR2_OCSP:
    2519. 

  2519.                 case WOLFSSL_CSR2_OCSP_MULTI:
    2520. 

  2520.                     /* request_length */
    2521. 

  2521.                     length = 2 * OPAQUE16_LEN;
    2522. 

  2522. 

  2523.                     if (csr2->request.ocsp[0].nonceSz)
    2524. 

  2524.                         length += OCSP_NONCE_EXT_SZ;
    2525. 

  2525. 

  2526.                     c16toa(length, output + offset);
    2527. 

  2527.                     offset += OPAQUE16_LEN;
    2528. 

  2528. 

  2529.                     /* responder id list */
    2530. 

  2530.                     c16toa(0, output + offset);
    2531. 

  2531.                     offset += OPAQUE16_LEN;
    2532. 

  2532. 

  2533.                     /* request extensions */
    2534. 

  2534.                     length = 0;
    2535. 

  2535. 

  2536.                     if (csr2->request.ocsp[0].nonceSz)
    2537. 

  2537.                         length = (word16)EncodeOcspRequestExtensions(
    2538. 

  2538.                                                  &csr2->request.ocsp[0],
    2539. 

  2539.                                                  output + offset + OPAQUE16_LEN,
    2540. 

  2540.                                                  OCSP_NONCE_EXT_SZ);
    2541. 

  2541. 

  2542.                     c16toa(length, output + offset);
    2543. 

  2543.                     offset += OPAQUE16_LEN + length;
    2544. 

  2544.                 break;
    2545. 

  2545.             }
    2546. 

  2546.         }
    2547. 

  2547. 

  2548.         /* list size */
    2549. 

  2549.         c16toa(offset - OPAQUE16_LEN, output);
    2550. 

  2550. 

  2551.         return offset;
    2552. 

  2552.     }
    2553. 

  2553. #endif
    2554. 

  2554. 

  2555.     return 0;
    2556. 

  2556. }
    2557. 

  2557. 

  2558. static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length,
    2559. 

  2559.                                                                  byte isRequest)
    2560. 

  2560. {
    2561. 

  2561.     int ret;
    2562. 

  2562. 

  2563.     /* shut up compiler warnings */
    2564. 

  2564.     (void) ssl; (void) input;
    2565. 

  2565. 

  2566.     if (!isRequest) {
    2567. 

  2567. #ifndef NO_WOLFSSL_CLIENT
    2568. 

  2568.         TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2);
    2569. 

  2569.         CertificateStatusRequestItemV2* csr2 = extension ?
    2570. 

  2570.                         (CertificateStatusRequestItemV2*)extension->data : NULL;
    2571. 

  2571. 

  2572.         if (!csr2) {
    2573. 

  2573.             /* look at context level */
    2574. 

  2574.             extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST_V2);
    2575. 

  2575.             csr2 = extension ?
    2576. 

  2576.                         (CertificateStatusRequestItemV2*)extension->data : NULL;
    2577. 

  2577. 

  2578.             if (!csr2) /* unexpected extension */
    2579. 

  2579.                 return TLSX_HandleUnsupportedExtension(ssl);
    2580. 

  2580. 

  2581.             /* enable extension at ssl level */
    2582. 

  2582.             for (; csr2; csr2 = csr2->next) {
    2583. 

  2583.                 ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions,
    2584. 

  2584.                        csr2->status_type, csr2->options, ssl->heap, ssl->devId);
    2585. 

  2585.                 if (ret != WOLFSSL_SUCCESS)
    2586. 

  2586.                     return ret;
    2587. 

  2587. 

  2588.                 switch (csr2->status_type) {
    2589. 

  2589.                     case WOLFSSL_CSR2_OCSP:
    2590. 

  2590.                         /* followed by */
    2591. 

  2591.                     case WOLFSSL_CSR2_OCSP_MULTI:
    2592. 

  2592.                         /* propagate nonce */
    2593. 

  2593.                         if (csr2->request.ocsp[0].nonceSz) {
    2594. 

  2594.                             OcspRequest* request =
    2595. 

  2595.                              (OcspRequest*)TLSX_CSR2_GetRequest(ssl->extensions,
    2596. 

  2596.                                                           csr2->status_type, 0);
    2597. 

  2597. 

  2598.                             if (request) {
    2599. 

  2599.                                 XMEMCPY(request->nonce,
    2600. 

  2600.                                         csr2->request.ocsp[0].nonce,
    2601. 

  2601.                                         csr2->request.ocsp[0].nonceSz);
    2602. 

  2602. 

  2603.                                 request->nonceSz =
    2604. 

  2604.                                                   csr2->request.ocsp[0].nonceSz;
    2605. 

  2605.                             }
    2606. 

  2606.                         }
    2607. 

  2607.                     break;
    2608. 

  2608.                 }
    2609. 

  2609.             }
    2610. 

  2610.         }
    2611. 

  2611. 

  2612.         ssl->status_request_v2 = 1;
    2613. 

  2613. 

  2614.         return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */
    2615. 

  2615. #endif
    2616. 

  2616.     }
    2617. 

  2617.     else {
    2618. 

  2618. #ifndef NO_WOLFSSL_SERVER
    2619. 

  2619.         byte   status_type;
    2620. 

  2620.         word16 request_length;
    2621. 

  2621.         word16 offset = 0;
    2622. 

  2622.         word16 size = 0;
    2623. 

  2623. 

  2624.         /* list size */
    2625. 

  2625.         ato16(input + offset, &request_length);
    2626. 

  2626.         offset += OPAQUE16_LEN;
    2627. 

  2627. 

  2628.         if (length - OPAQUE16_LEN != request_length)
    2629. 

  2629.             return BUFFER_ERROR;
    2630. 

  2630. 

  2631.         while (length > offset) {
    2632. 

  2632.             if (length - offset < ENUM_LEN + OPAQUE16_LEN)
    2633. 

  2633.                 return BUFFER_ERROR;
    2634. 

  2634. 

  2635.             status_type = input[offset++];
    2636. 

  2636. 

  2637.             ato16(input + offset, &request_length);
    2638. 

  2638.             offset += OPAQUE16_LEN;
    2639. 

  2639. 

  2640.             if (length - offset < request_length)
    2641. 

  2641.                 return BUFFER_ERROR;
    2642. 

  2642. 

  2643.             switch (status_type) {
    2644. 

  2644.                 case WOLFSSL_CSR2_OCSP:
    2645. 

  2645.                 case WOLFSSL_CSR2_OCSP_MULTI:
    2646. 

  2646.                     /* skip responder_id_list */
    2647. 

  2647.                     if (length - offset < OPAQUE16_LEN)
    2648. 

  2648.                         return BUFFER_ERROR;
    2649. 

  2649. 

  2650.                     ato16(input + offset, &size);
    2651. 

  2651.                     offset += OPAQUE16_LEN + size;
    2652. 

  2652. 

  2653.                     /* skip request_extensions */
    2654. 

  2654.                     if (length - offset < OPAQUE16_LEN)
    2655. 

  2655.                         return BUFFER_ERROR;
    2656. 

  2656. 

  2657.                     ato16(input + offset, &size);
    2658. 

  2658.                     offset += OPAQUE16_LEN + size;
    2659. 

  2659. 

  2660.                     if (offset > length)
    2661. 

  2661.                         return BUFFER_ERROR;
    2662. 

  2662. 

  2663.                     /* is able to send OCSP response? */
    2664. 

  2664.                     if (ssl->ctx->cm == NULL
    2665. 

  2665.                     || !ssl->ctx->cm->ocspStaplingEnabled)
    2666. 

  2666.                         continue;
    2667. 

  2667.                 break;
    2668. 

  2668. 

  2669.                 default:
    2670. 

  2670.                     /* unknown status type, skipping! */
    2671. 

  2671.                     offset += request_length;
    2672. 

  2672.                     continue;
    2673. 

  2673.             }
    2674. 

  2674. 

  2675.             /* if using status_request and already sending it, skip this one */
    2676. 

  2676.             #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
    2677. 

  2677.             if (ssl->status_request)
    2678. 

  2678.                 return 0;
    2679. 

  2679.             #endif
    2680. 

  2680. 

  2681.             /* accept the first good status_type and return */
    2682. 

  2682.             ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions,
    2683. 

  2683.                                          status_type, 0, ssl->heap, ssl->devId);
    2684. 

  2684.             if (ret != WOLFSSL_SUCCESS)
    2685. 

  2685.                 return ret; /* throw error */
    2686. 

  2686. 

  2687.             TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST_V2);
    2688. 

  2688.             ssl->status_request_v2 = status_type;
    2689. 

  2689. 

  2690.             return 0;
    2691. 

  2691.         }
    2692. 

  2692. #endif
    2693. 

  2693.     }
    2694. 

  2694. 

  2695.     return 0;
    2696. 

  2696. }
    2697. 

  2697. 

  2698. int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, byte isPeer,
    2699. 

  2699.                                                                      void* heap)
    2700. 

  2700. {
    2701. 

  2701.     TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2);
    2702. 

  2702.     CertificateStatusRequestItemV2* csr2 = extension ?
    2703. 

  2703.         (CertificateStatusRequestItemV2*)extension->data : NULL;
    2704. 

  2704.     int ret = 0;
    2705. 

  2705. 

  2706.     for (; csr2; csr2 = csr2->next) {
    2707. 

  2707.         switch (csr2->status_type) {
    2708. 

  2708.             case WOLFSSL_CSR2_OCSP:
    2709. 

  2709.                 if (!isPeer || csr2->requests != 0)
    2710. 

  2710.                     break;
    2711. 

  2711. 

  2712.                 FALL_THROUGH; /* followed by */
    2713. 

  2713. 

  2714.             case WOLFSSL_CSR2_OCSP_MULTI: {
    2715. 

  2715.                 if (csr2->requests < 1 + MAX_CHAIN_DEPTH) {
    2716. 

  2716.                     byte nonce[MAX_OCSP_NONCE_SZ];
    2717. 

  2717.                     int  nonceSz = csr2->request.ocsp[0].nonceSz;
    2718. 

  2718. 

  2719.                     /* preserve nonce, replicating nonce of ocsp[0] */
    2720. 

  2720.                     XMEMCPY(nonce, csr2->request.ocsp[0].nonce, nonceSz);
    2721. 

  2721. 

  2722.                     if ((ret = InitOcspRequest(
    2723. 

  2723.                                       &csr2->request.ocsp[csr2->requests], cert,
    2724. 

  2724.                                                                  0, heap)) != 0)
    2725. 

  2725.                         return ret;
    2726. 

  2726. 

  2727.                     /* restore nonce */
    2728. 

  2728.                     XMEMCPY(csr2->request.ocsp[csr2->requests].nonce,
    2729. 

  2729.                                                                 nonce, nonceSz);
    2730. 

  2730.                     csr2->request.ocsp[csr2->requests].nonceSz = nonceSz;
    2731. 

  2731.                     csr2->requests++;
    2732. 

  2732.                 }
    2733. 

  2733.             }
    2734. 

  2734.             break;
    2735. 

  2735.         }
    2736. 

  2736.     }
    2737. 

  2737. 

  2738.     (void)cert;
    2739. 

  2739.     return ret;
    2740. 

  2740. }
    2741. 

  2741. 

  2742. void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, byte idx)
    2743. 

  2743. {
    2744. 

  2744.     TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2);
    2745. 

  2745.     CertificateStatusRequestItemV2* csr2 = extension ?
    2746. 

  2746.                         (CertificateStatusRequestItemV2*)extension->data : NULL;
    2747. 

  2747. 

  2748.     for (; csr2; csr2 = csr2->next) {
    2749. 

  2749.         if (csr2->status_type == status_type) {
    2750. 

  2750.             switch (csr2->status_type) {
    2751. 

  2751.                 case WOLFSSL_CSR2_OCSP:
    2752. 

  2752.                     /* followed by */
    2753. 

  2753. 

  2754.                 case WOLFSSL_CSR2_OCSP_MULTI:
    2755. 

  2755.                     /* requests are initialized in the reverse order */
    2756. 

  2756.                     return idx < csr2->requests
    2757. 

  2757.                          ? &csr2->request.ocsp[csr2->requests - idx - 1]
    2758. 

  2758.                          : NULL;
    2759. 

  2759.                 break;
    2760. 

  2760.             }
    2761. 

  2761.         }
    2762. 

  2762.     }
    2763. 

  2763. 

  2764.     return NULL;
    2765. 

  2765. }
    2766. 

  2766. 

  2767. int TLSX_CSR2_ForceRequest(WOLFSSL* ssl)
    2768. 

  2768. {
    2769. 

  2769.     TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2);
    2770. 

  2770.     CertificateStatusRequestItemV2* csr2 = extension ?
    2771. 

  2771.                         (CertificateStatusRequestItemV2*)extension->data : NULL;
    2772. 

  2772. 

  2773.     /* forces only the first one */
    2774. 

  2774.     if (csr2) {
    2775. 

  2775.         switch (csr2->status_type) {
    2776. 

  2776.             case WOLFSSL_CSR2_OCSP:
    2777. 

  2777.                 /* followed by */
    2778. 

  2778. 

  2779.             case WOLFSSL_CSR2_OCSP_MULTI:
    2780. 

  2780.                 if (ssl->ctx->cm->ocspEnabled) {
    2781. 

  2781.                     csr2->request.ocsp[0].ssl = ssl;
    2782. 

  2782.                     return CheckOcspRequest(ssl->ctx->cm->ocsp,
    2783. 

  2783.                                                   &csr2->request.ocsp[0], NULL);
    2784. 

  2784.                 }
    2785. 

  2785.                 else
    2786. 

  2786.                     return OCSP_LOOKUP_FAIL;
    2787. 

  2787.         }
    2788. 

  2788.     }
    2789. 

  2789. 

  2790.     return 0;
    2791. 

  2791. }
    2792. 

  2792. 

  2793. int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type,
    2794. 

  2794.                                            byte options, void* heap, int devId)
    2795. 

  2795. {
    2796. 

  2796.     TLSX* extension = NULL;
    2797. 

  2797.     CertificateStatusRequestItemV2* csr2 = NULL;
    2798. 

  2798.     int ret = 0;
    2799. 

  2799. 

  2800.     if (!extensions)
    2801. 

  2801.         return BAD_FUNC_ARG;
    2802. 

  2802. 

  2803.     if (status_type != WOLFSSL_CSR2_OCSP
    2804. 

  2804.     &&  status_type != WOLFSSL_CSR2_OCSP_MULTI)
    2805. 

  2805.         return BAD_FUNC_ARG;
    2806. 

  2806. 

  2807.     csr2 = (CertificateStatusRequestItemV2*)
    2808. 

  2808.        XMALLOC(sizeof(CertificateStatusRequestItemV2), heap, DYNAMIC_TYPE_TLSX);
    2809. 

  2809.     if (!csr2)
    2810. 

  2810.         return MEMORY_E;
    2811. 

  2811. 

  2812.     ForceZero(csr2, sizeof(CertificateStatusRequestItemV2));
    2813. 

  2813. 

  2814.     csr2->status_type = status_type;
    2815. 

  2815.     csr2->options     = options;
    2816. 

  2816.     csr2->next        = NULL;
    2817. 

  2817. 

  2818.     switch (csr2->status_type) {
    2819. 

  2819.         case WOLFSSL_CSR2_OCSP:
    2820. 

  2820.         case WOLFSSL_CSR2_OCSP_MULTI:
    2821. 

  2821.             if (options & WOLFSSL_CSR2_OCSP_USE_NONCE) {
    2822. 

  2822.                 WC_RNG rng;
    2823. 

  2823. 

  2824.             #ifndef HAVE_FIPS
    2825. 

  2825.                 ret = wc_InitRng_ex(&rng, heap, devId);
    2826. 

  2826.             #else
    2827. 

  2827.                 ret = wc_InitRng(&rng);
    2828. 

  2828.                 (void)devId;
    2829. 

  2829.             #endif
    2830. 

  2830.                 if (ret == 0) {
    2831. 

  2831.                     if (wc_RNG_GenerateBlock(&rng, csr2->request.ocsp[0].nonce,
    2832. 

  2832.                                                         MAX_OCSP_NONCE_SZ) == 0)
    2833. 

  2833.                         csr2->request.ocsp[0].nonceSz = MAX_OCSP_NONCE_SZ;
    2834. 

  2834. 

  2835.                     wc_FreeRng(&rng);
    2836. 

  2836.                 }
    2837. 

  2837.             }
    2838. 

  2838.         break;
    2839. 

  2839.     }
    2840. 

  2840. 

  2841.     /* append new item */
    2842. 

  2842.     if ((extension = TLSX_Find(*extensions, TLSX_STATUS_REQUEST_V2))) {
    2843. 

  2843.         CertificateStatusRequestItemV2* last =
    2844. 

  2844.                                (CertificateStatusRequestItemV2*)extension->data;
    2845. 

  2845. 

  2846.         for (; last->next; last = last->next);
    2847. 

  2847. 

  2848.         last->next = csr2;
    2849. 

  2849.     }
    2850. 

  2850.     else if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST_V2, csr2,heap))) {
    2851. 

  2851.         XFREE(csr2, heap, DYNAMIC_TYPE_TLSX);
    2852. 

  2852.         return ret;
    2853. 

  2853.     }
    2854. 

  2854. 

  2855.     return WOLFSSL_SUCCESS;
    2856. 

  2856. }
    2857. 

  2857. 

  2858. #define CSR2_FREE_ALL TLSX_CSR2_FreeAll
    2859. 

  2859. #define CSR2_GET_SIZE TLSX_CSR2_GetSize
    2860. 

  2860. #define CSR2_WRITE    TLSX_CSR2_Write
    2861. 

  2861. #define CSR2_PARSE    TLSX_CSR2_Parse
    2862. 

  2862. 

  2863. #else
    2864. 

  2864. 

  2865. #define CSR2_FREE_ALL(data, heap)
    2866. 

  2866. #define CSR2_GET_SIZE(a, b)    0
    2867. 

  2867. #define CSR2_WRITE(a, b, c)    0
    2868. 

  2868. #define CSR2_PARSE(a, b, c, d) 0
    2869. 

  2869. 

  2870. #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
    2871. 

  2871. 

  2872. /******************************************************************************/
    2873. 

  2873. /* Supported Elliptic Curves                                                  */
    2874. 

  2874. /******************************************************************************/
    2875. 

  2875. 

  2876. #ifdef HAVE_SUPPORTED_CURVES
    2877. 

  2877. 

  2878. #if !defined(HAVE_ECC) && !defined(WOLFSSL_TLS13)
    2879. 

  2879. #error Elliptic Curves Extension requires Elliptic Curve Cryptography. \
    2880. 

  2880.        Use --enable-ecc in the configure script or define HAVE_ECC.
    2881. 

  2881. #endif
    2882. 

  2882. 

  2883. static int TLSX_SupportedCurve_New(SupportedCurve** curve, word16 name,
    2884. 

  2884.                                                                      void* heap)
    2885. 

  2885. {
    2886. 

  2886.     if (curve == NULL)
    2887. 

  2887.         return BAD_FUNC_ARG;
    2888. 

  2888. 

  2889.     *curve = (SupportedCurve*)XMALLOC(sizeof(SupportedCurve), heap,
    2890. 

  2890.                                                              DYNAMIC_TYPE_TLSX);
    2891. 

  2891.     if (*curve == NULL)
    2892. 

  2892.         return MEMORY_E;
    2893. 

  2893. 

  2894.     (*curve)->name = name;
    2895. 

  2895.     (*curve)->next = NULL;
    2896. 

  2896. 

  2897.     return 0;
    2898. 

  2898. }
    2899. 

  2899. 

  2900. static int TLSX_PointFormat_New(PointFormat** point, byte format, void* heap)
    2901. 

  2901. {
    2902. 

  2902.     if (point == NULL)
    2903. 

  2903.         return BAD_FUNC_ARG;
    2904. 

  2904. 

  2905.     *point = (PointFormat*)XMALLOC(sizeof(PointFormat), heap,
    2906. 

  2906.                                                              DYNAMIC_TYPE_TLSX);
    2907. 

  2907.     if (*point == NULL)
    2908. 

  2908.         return MEMORY_E;
    2909. 

  2909. 

  2910.     (*point)->format = format;
    2911. 

  2911.     (*point)->next = NULL;
    2912. 

  2912. 

  2913.     return 0;
    2914. 

  2914. }
    2915. 

  2915. 

  2916. static void TLSX_SupportedCurve_FreeAll(SupportedCurve* list, void* heap)
    2917. 

  2917. {
    2918. 

  2918.     SupportedCurve* curve;
    2919. 

  2919. 

  2920.     while ((curve = list)) {
    2921. 

  2921.         list = curve->next;
    2922. 

  2922.         XFREE(curve, heap, DYNAMIC_TYPE_TLSX);
    2923. 

  2923.     }
    2924. 

  2924.     (void)heap;
    2925. 

  2925. }
    2926. 

  2926. 

  2927. static void TLSX_PointFormat_FreeAll(PointFormat* list, void* heap)
    2928. 

  2928. {
    2929. 

  2929.     PointFormat* point;
    2930. 

  2930. 

  2931.     while ((point = list)) {
    2932. 

  2932.         list = point->next;
    2933. 

  2933.         XFREE(point, heap, DYNAMIC_TYPE_TLSX);
    2934. 

  2934.     }
    2935. 

  2935.     (void)heap;
    2936. 

  2936. }
    2937. 

  2937. 

  2938. static int TLSX_SupportedCurve_Append(SupportedCurve* list, word16 name,
    2939. 

  2939.                                                                      void* heap)
    2940. 

  2940. {
    2941. 

  2941.     int ret = BAD_FUNC_ARG;
    2942. 

  2942. 

  2943.     while (list) {
    2944. 

  2944.         if (list->name == name) {
    2945. 

  2945.             ret = 0; /* curve alreay in use */
    2946. 

  2946.             break;
    2947. 

  2947.         }
    2948. 

  2948. 

  2949.         if (list->next == NULL) {
    2950. 

  2950.             ret = TLSX_SupportedCurve_New(&list->next, name, heap);
    2951. 

  2951.             break;
    2952. 

  2952.         }
    2953. 

  2953. 

  2954.         list = list->next;
    2955. 

  2955.     }
    2956. 

  2956. 

  2957.     return ret;
    2958. 

  2958. }
    2959. 

  2959. 

  2960. static int TLSX_PointFormat_Append(PointFormat* list, byte format, void* heap)
    2961. 

  2961. {
    2962. 

  2962.     int ret = BAD_FUNC_ARG;
    2963. 

  2963. 

  2964.     while (list) {
    2965. 

  2965.         if (list->format == format) {
    2966. 

  2966.             ret = 0; /* format already in use */
    2967. 

  2967.             break;
    2968. 

  2968.         }
    2969. 

  2969. 

  2970.         if (list->next == NULL) {
    2971. 

  2971.             ret = TLSX_PointFormat_New(&list->next, format, heap);
    2972. 

  2972.             break;
    2973. 

  2973.         }
    2974. 

  2974. 

  2975.         list = list->next;
    2976. 

  2976.     }
    2977. 

  2977. 

  2978.     return ret;
    2979. 

  2979. }
    2980. 

  2980. 

  2981. #ifndef NO_WOLFSSL_CLIENT
    2982. 

  2982. 

  2983. static void TLSX_SupportedCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
    2984. 

  2984. {
    2985. 

  2985.     int i;
    2986. 

  2986. 

  2987.     for (i = 0; i < ssl->suites->suiteSz; i+= 2)
    2988. 

  2988.         if (ssl->suites->suites[i] == ECC_BYTE ||
    2989. 

  2989.                 ssl->suites->suites[i] == CHACHA_BYTE ||
    2990. 

  2990.                 ssl->suites->suites[i] == TLS13_BYTE)
    2991. 

  2991.             return;
    2992. 

  2992. 

  2993.     /* turns semaphore on to avoid sending this extension. */
    2994. 

  2994.     TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS));
    2995. 

  2995. }
    2996. 

  2996. 

  2997. static void TLSX_PointFormat_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
    2998. 

  2998. {
    2999. 

  2999.     int i;
    3000. 

  3000. 

  3001.     for (i = 0; i < ssl->suites->suiteSz; i+= 2)
    3002. 

  3002.         if (ssl->suites->suites[i] == ECC_BYTE ||
    3003. 

  3003.                 ssl->suites->suites[i] == CHACHA_BYTE ||
    3004. 

  3004.                 ssl->suites->suites[i] == TLS13_BYTE)
    3005. 

  3005.             return;
    3006. 

  3006. 

  3007.     /* turns semaphore on to avoid sending this extension. */
    3008. 

  3008.     TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
    3009. 

  3009. }
    3010. 

  3010. 

  3011. #endif
    3012. 

  3012. #ifndef NO_WOLFSSL_SERVER
    3013. 

  3013. 

  3014. static void TLSX_PointFormat_ValidateResponse(WOLFSSL* ssl, byte* semaphore)
    3015. 

  3015. {
    3016. 

  3016.     if (ssl->options.cipherSuite0 == ECC_BYTE ||
    3017. 

  3017.         ssl->options.cipherSuite0 == CHACHA_BYTE ||
    3018. 

  3018.         ssl->options.cipherSuite0 == TLS13_BYTE)
    3019. 

  3019.         return;
    3020. 

  3020. 

  3021.     /* turns semaphore on to avoid sending this extension. */
    3022. 

  3022.     TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
    3023. 

  3023. }
    3024. 

  3024. 

  3025. #endif
    3026. 

  3026. #ifndef NO_WOLFSSL_CLIENT
    3027. 

  3027. 

  3028. static word16 TLSX_SupportedCurve_GetSize(SupportedCurve* list)
    3029. 

  3029. {
    3030. 

  3030.     SupportedCurve* curve;
    3031. 

  3031.     word16 length = OPAQUE16_LEN; /* list length */
    3032. 

  3032. 

  3033.     while ((curve = list)) {
    3034. 

  3034.         list = curve->next;
    3035. 

  3035.         length += OPAQUE16_LEN; /* curve length */
    3036. 

  3036.     }
    3037. 

  3037. 

  3038.     return length;
    3039. 

  3039. }
    3040. 

  3040. 

  3041. #endif
    3042. 

  3042. 

  3043. static word16 TLSX_PointFormat_GetSize(PointFormat* list)
    3044. 

  3044. {
    3045. 

  3045.     PointFormat* point;
    3046. 

  3046.     word16 length = ENUM_LEN; /* list length */
    3047. 

  3047. 

  3048.     while ((point = list)) {
    3049. 

  3049.         list = point->next;
    3050. 

  3050.         length += ENUM_LEN; /* format length */
    3051. 

  3051.     }
    3052. 

  3052. 

  3053.     return length;
    3054. 

  3054. }
    3055. 

  3055. 

  3056. #ifndef NO_WOLFSSL_CLIENT
    3057. 

  3057. 

  3058. static word16 TLSX_SupportedCurve_Write(SupportedCurve* list, byte* output)
    3059. 

  3059. {
    3060. 

  3060.     word16 offset = OPAQUE16_LEN;
    3061. 

  3061. 

  3062.     while (list) {
    3063. 

  3063.         c16toa(list->name, output + offset);
    3064. 

  3064.         offset += OPAQUE16_LEN;
    3065. 

  3065.         list = list->next;
    3066. 

  3066.     }
    3067. 

  3067. 

  3068.     c16toa(offset - OPAQUE16_LEN, output); /* writing list length */
    3069. 

  3069. 

  3070.     return offset;
    3071. 

  3071. }
    3072. 

  3072. 

  3073. #endif
    3074. 

  3074. 

  3075. static word16 TLSX_PointFormat_Write(PointFormat* list, byte* output)
    3076. 

  3076. {
    3077. 

  3077.     word16 offset = ENUM_LEN;
    3078. 

  3078. 

  3079.     while (list) {
    3080. 

  3080.         output[offset++] = list->format;
    3081. 

  3081.         list = list->next;
    3082. 

  3082.     }
    3083. 

  3083. 

  3084.     output[0] = (byte)(offset - ENUM_LEN);
    3085. 

  3085. 

  3086.     return offset;
    3087. 

  3087. }
    3088. 

  3088. 

  3089. #ifndef NO_WOLFSSL_SERVER
    3090. 

  3090. 

  3091. static int TLSX_SupportedCurve_Parse(WOLFSSL* ssl, byte* input, word16 length,
    3092. 

  3092.                                                                  byte isRequest)
    3093. 

  3093. {
    3094. 

  3094.     word16 offset;
    3095. 

  3095.     word16 name;
    3096. 

  3096.     int ret;
    3097. 

  3097. 

  3098.     if(!isRequest && !IsAtLeastTLSv1_3(ssl->version))
    3099. 

  3099.         return BUFFER_ERROR; /* servers doesn't send this extension. */
    3100. 

  3100. 

  3101.     if (OPAQUE16_LEN > length || length % OPAQUE16_LEN)
    3102. 

  3102.         return BUFFER_ERROR;
    3103. 

  3103. 

  3104.     ato16(input, &offset);
    3105. 

  3105. 

  3106.     /* validating curve list length */
    3107. 

  3107.     if (length != OPAQUE16_LEN + offset)
    3108. 

  3108.         return BUFFER_ERROR;
    3109. 

  3109. 

  3110.     for (offset = OPAQUE16_LEN; offset < length; offset += OPAQUE16_LEN) {
    3111. 

  3111.         ato16(input + offset, &name);
    3112. 

  3112. 

  3113.         ret = TLSX_UseSupportedCurve(&ssl->extensions, name, ssl->heap);
    3114. 

  3114.         if (ret != WOLFSSL_SUCCESS)
    3115. 

  3115.             return ret; /* throw error */
    3116. 

  3116.     }
    3117. 

  3117. 

  3118.     return 0;
    3119. 

  3119. }
    3120. 

  3120. 

  3121. static int TLSX_PointFormat_Parse(WOLFSSL* ssl, byte* input, word16 length,
    3122. 

  3122.                                                                  byte isRequest)
    3123. 

  3123. {
    3124. 

  3124.     int ret;
    3125. 

  3125. 

  3126.     /* validating formats list length */
    3127. 

  3127.     if (ENUM_LEN > length || length != ENUM_LEN + input[0])
    3128. 

  3128.         return BUFFER_ERROR;
    3129. 

  3129. 

  3130.     if (isRequest) {
    3131. 

  3131.         /* adding uncompressed point format to response */
    3132. 

  3132.         ret = TLSX_UsePointFormat(&ssl->extensions, WOLFSSL_EC_PF_UNCOMPRESSED,
    3133. 

  3133.                                                                      ssl->heap);
    3134. 

  3134.         if (ret != WOLFSSL_SUCCESS)
    3135. 

  3135.             return ret; /* throw error */
    3136. 

  3136. 

  3137.         TLSX_SetResponse(ssl, TLSX_EC_POINT_FORMATS);
    3138. 

  3138.     }
    3139. 

  3139. 

  3140.     return 0;
    3141. 

  3141. }
    3142. 

  3142. 

  3143. #ifdef HAVE_ECC
    3144. 

  3144. int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
    3145. 

  3145.     TLSX*          extension = (first == ECC_BYTE || first == CHACHA_BYTE)
    3146. 

  3146.                              ? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)
    3147. 

  3147.                              : NULL;
    3148. 

  3148.     SupportedCurve* curve     = NULL;
    3149. 

  3149.     word32         oid       = 0;
    3150. 

  3150.     word32         pkOid     = 0;
    3151. 

  3151.     word32         defOid    = 0;
    3152. 

  3152.     word32         defSz     = 80; /* Maximum known curve size is 66. */
    3153. 

  3153.     word32         nextOid   = 0;
    3154. 

  3154.     word32         nextSz    = 80; /* Maximum known curve size is 66. */
    3155. 

  3155.     word32         currOid   = ssl->ecdhCurveOID;
    3156. 

  3156.     int            ephmSuite = 0;
    3157. 

  3157.     word16         octets    = 0; /* according to 'ecc_set_type ecc_sets[];' */
    3158. 

  3158.     int            sig       = 0; /* validate signature */
    3159. 

  3159.     int            key       = 0; /* validate key       */
    3160. 

  3160. 

  3161.     (void)oid;
    3162. 

  3162. 

  3163.     if (!extension)
    3164. 

  3164.         return 1; /* no suite restriction */
    3165. 

  3165. 

  3166.     for (curve = (SupportedCurve*)extension->data;
    3167. 

  3167.          curve && !(sig && key);
    3168. 

  3168.          curve = curve->next) {
    3169. 

  3169. 

  3170.     #ifdef OPENSSL_EXTRA
    3171. 

  3171.         if (ssl->ctx->disabledCurves & (1 << curve->name))
    3172. 

  3172.             continue;
    3173. 

  3173.     #endif
    3174. 

  3174. 

  3175.         /* find supported curve */
    3176. 

  3176.         switch (curve->name) {
    3177. 

  3177.     #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
    3178. 

  3178.         #ifndef NO_ECC_SECP
    3179. 

  3179.             case WOLFSSL_ECC_SECP160R1:
    3180. 

  3180.                 pkOid = oid = ECC_SECP160R1_OID;
    3181. 

  3181.                 octets = 20;
    3182. 

  3182.                 break;
    3183. 

  3183.         #endif /* !NO_ECC_SECP */
    3184. 

  3184.         #ifdef HAVE_ECC_SECPR2
    3185. 

  3185.             case WOLFSSL_ECC_SECP160R2:
    3186. 

  3186.                 pkOid = oid = ECC_SECP160R2_OID;
    3187. 

  3187.                 octets = 20;
    3188. 

  3188.                 break;
    3189. 

  3189.         #endif /* HAVE_ECC_SECPR2 */
    3190. 

  3190.         #ifdef HAVE_ECC_KOBLITZ
    3191. 

  3191.             case WOLFSSL_ECC_SECP160K1:
    3192. 

  3192.                 pkOid = oid = ECC_SECP160K1_OID;
    3193. 

  3193.                 octets = 20;
    3194. 

  3194.                 break;
    3195. 

  3195.         #endif /* HAVE_ECC_KOBLITZ */
    3196. 

  3196.     #endif
    3197. 

  3197.     #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
    3198. 

  3198.         #ifndef NO_ECC_SECP
    3199. 

  3199.             case WOLFSSL_ECC_SECP192R1:
    3200. 

  3200.                 pkOid = oid = ECC_SECP192R1_OID;
    3201. 

  3201.                 octets = 24;
    3202. 

  3202.                 break;
    3203. 

  3203.         #endif /* !NO_ECC_SECP */
    3204. 

  3204.         #ifdef HAVE_ECC_KOBLITZ
    3205. 

  3205.             case WOLFSSL_ECC_SECP192K1:
    3206. 

  3206.                 pkOid = oid = ECC_SECP192K1_OID;
    3207. 

  3207.                 octets = 24;
    3208. 

  3208.                 break;
    3209. 

  3209.         #endif /* HAVE_ECC_KOBLITZ */
    3210. 

  3210.     #endif
    3211. 

  3211.     #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
    3212. 

  3212.         #ifndef NO_ECC_SECP
    3213. 

  3213.             case WOLFSSL_ECC_SECP224R1:
    3214. 

  3214.                 pkOid = oid = ECC_SECP224R1_OID;
    3215. 

  3215.                 octets = 28;
    3216. 

  3216.                 break;
    3217. 

  3217.         #endif /* !NO_ECC_SECP */
    3218. 

  3218.         #ifdef HAVE_ECC_KOBLITZ
    3219. 

  3219.             case WOLFSSL_ECC_SECP224K1:
    3220. 

  3220.                 pkOid = oid = ECC_SECP224K1_OID;
    3221. 

  3221.                 octets = 28;
    3222. 

  3222.                 break;
    3223. 

  3223.         #endif /* HAVE_ECC_KOBLITZ */
    3224. 

  3224.     #endif
    3225. 

  3225.     #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
    3226. 

  3226.         #ifndef NO_ECC_SECP
    3227. 

  3227.             case WOLFSSL_ECC_SECP256R1:
    3228. 

  3228.                 pkOid = oid = ECC_SECP256R1_OID;
    3229. 

  3229.                 octets = 32;
    3230. 

  3230.                 break;
    3231. 

  3231.         #endif /* !NO_ECC_SECP */
    3232. 

  3232.         #ifdef HAVE_CURVE25519
    3233. 

  3233.             case WOLFSSL_ECC_X25519:
    3234. 

  3234.                 oid = ECC_X25519_OID;
    3235. 

  3235.             #ifdef HAVE_ED25519
    3236. 

  3236.                 pkOid = ECC_ED25519_OID;
    3237. 

  3237.             #else
    3238. 

  3238.                 pkOid = ECC_X25519_OID;
    3239. 

  3239.             #endif
    3240. 

  3240.                 octets = 32;
    3241. 

  3241.                 break;
    3242. 

  3242.         #endif /* HAVE_CURVE25519 */
    3243. 

  3243.         #ifdef HAVE_ECC_KOBLITZ
    3244. 

  3244.             case WOLFSSL_ECC_SECP256K1:
    3245. 

  3245.                 pkOid = oid = ECC_SECP256K1_OID;
    3246. 

  3246.                 octets = 32;
    3247. 

  3247.                 break;
    3248. 

  3248.         #endif /* HAVE_ECC_KOBLITZ */
    3249. 

  3249.         #ifdef HAVE_ECC_BRAINPOOL
    3250. 

  3250.             case WOLFSSL_ECC_BRAINPOOLP256R1:
    3251. 

  3251.                 pkOid = oid = ECC_BRAINPOOLP256R1_OID;
    3252. 

  3252.                 octets = 32;
    3253. 

  3253.                 break;
    3254. 

  3254.         #endif /* HAVE_ECC_BRAINPOOL */
    3255. 

  3255.     #endif
    3256. 

  3256.     #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
    3257. 

  3257.         #ifndef NO_ECC_SECP
    3258. 

  3258.             case WOLFSSL_ECC_SECP384R1:
    3259. 

  3259.                 pkOid = oid = ECC_SECP384R1_OID;
    3260. 

  3260.                 octets = 48;
    3261. 

  3261.                 break;
    3262. 

  3262.         #endif /* !NO_ECC_SECP */
    3263. 

  3263.         #ifdef HAVE_ECC_BRAINPOOL
    3264. 

  3264.             case WOLFSSL_ECC_BRAINPOOLP384R1:
    3265. 

  3265.                 pkOid = oid = ECC_BRAINPOOLP384R1_OID;
    3266. 

  3266.                 octets = 48;
    3267. 

  3267.                 break;
    3268. 

  3268.         #endif /* HAVE_ECC_BRAINPOOL */
    3269. 

  3269.     #endif
    3270. 

  3270.     #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
    3271. 

  3271.         #ifdef HAVE_ECC_BRAINPOOL
    3272. 

  3272.             case WOLFSSL_ECC_BRAINPOOLP512R1:
    3273. 

  3273.                 pkOid = oid = ECC_BRAINPOOLP512R1_OID;
    3274. 

  3274.                 octets = 64;
    3275. 

  3275.                 break;
    3276. 

  3276.         #endif /* HAVE_ECC_BRAINPOOL */
    3277. 

  3277.     #endif
    3278. 

  3278.     #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
    3279. 

  3279.         #ifndef NO_ECC_SECP
    3280. 

  3280.             case WOLFSSL_ECC_SECP521R1:
    3281. 

  3281.                 pkOid = oid = ECC_SECP521R1_OID;
    3282. 

  3282.                 octets = 66;
    3283. 

  3283.                 break;
    3284. 

  3284.         #endif /* !NO_ECC_SECP */
    3285. 

  3285.     #endif
    3286. 

  3286.             default: continue; /* unsupported curve */
    3287. 

  3287.         }
    3288. 

  3288. 

  3289.         /* Set default Oid */
    3290. 

  3290.         if (defOid == 0 && ssl->eccTempKeySz <= octets && defSz > octets) {
    3291. 

  3291.             defOid = oid;
    3292. 

  3292.             defSz = octets;
    3293. 

  3293.         }
    3294. 

  3294. 

  3295.         if (currOid == 0 && ssl->eccTempKeySz == octets)
    3296. 

  3296.             currOid = oid;
    3297. 

  3297.         if ((nextOid == 0 || nextSz > octets) && ssl->eccTempKeySz <= octets) {
    3298. 

  3298.             nextOid = oid;
    3299. 

  3299.             nextSz  = octets;
    3300. 

  3300.         }
    3301. 

  3301. 

  3302.         if (first == ECC_BYTE) {
    3303. 

  3303.             switch (second) {
    3304. 

  3304.                 /* ECDHE_ECDSA */
    3305. 

  3305.                 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
    3306. 

  3306.                 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
    3307. 

  3307.                 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
    3308. 

  3308.                 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
    3309. 

  3309.                 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
    3310. 

  3310.                 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
    3311. 

  3311.                 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
    3312. 

  3312.                 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
    3313. 

  3313.                 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
    3314. 

  3314.                 case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8:
    3315. 

  3315.                     sig |= ssl->pkCurveOID == pkOid;
    3316. 

  3316.                     key |= ssl->ecdhCurveOID == oid;
    3317. 

  3317.                     ephmSuite = 1;
    3318. 

  3318.                 break;
    3319. 

  3319. 

  3320. #ifdef WOLFSSL_STATIC_DH
    3321. 

  3321.                 /* ECDH_ECDSA */
    3322. 

  3322.                 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
    3323. 

  3323.                 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
    3324. 

  3324.                 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
    3325. 

  3325.                 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
    3326. 

  3326.                 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
    3327. 

  3327.                 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
    3328. 

  3328.                 case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
    3329. 

  3329.                 case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
    3330. 

  3330.                     if (oid == ECC_X25519_OID && defOid == oid) {
    3331. 

  3331.                         defOid = 0;
    3332. 

  3332.                         defSz = 80;
    3333. 

  3333.                     }
    3334. 

  3334.                     sig |= ssl->pkCurveOID == pkOid;
    3335. 

  3335.                     key |= ssl->pkCurveOID == oid;
    3336. 

  3336.                 break;
    3337. 

  3337. #endif /* WOLFSSL_STATIC_DH */
    3338. 

  3338. #ifndef NO_RSA
    3339. 

  3339.                 /* ECDHE_RSA */
    3340. 

  3340.                 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
    3341. 

  3341.                 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
    3342. 

  3342.                 case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
    3343. 

  3343.                 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
    3344. 

  3344.                 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
    3345. 

  3345.                 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
    3346. 

  3346.                 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
    3347. 

  3347.                 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
    3348. 

  3348.                     sig = 1;
    3349. 

  3349.                     key |= ssl->ecdhCurveOID == oid;
    3350. 

  3350.                     ephmSuite = 1;
    3351. 

  3351.                 break;
    3352. 

  3352. 

  3353. #ifdef WOLFSSL_STATIC_DH
    3354. 

  3354.                 /* ECDH_RSA */
    3355. 

  3355.                 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
    3356. 

  3356.                 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
    3357. 

  3357.                 case TLS_ECDH_RSA_WITH_RC4_128_SHA:
    3358. 

  3358.                 case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
    3359. 

  3359.                 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
    3360. 

  3360.                 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
    3361. 

  3361.                 case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
    3362. 

  3362.                 case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
    3363. 

  3363.                     if (oid == ECC_X25519_OID && defOid == oid) {
    3364. 

  3364.                         defOid = 0;
    3365. 

  3365.                         defSz = 80;
    3366. 

  3366.                     }
    3367. 

  3367.                     sig = 1;
    3368. 

  3368.                     key |= ssl->pkCurveOID == pkOid;
    3369. 

  3369.                 break;
    3370. 

  3370. #endif /* WOLFSSL_STATIC_DH */
    3371. 

  3371. #endif
    3372. 

  3372.                 default:
    3373. 

  3373.                     if (oid == ECC_X25519_OID && defOid == oid) {
    3374. 

  3374.                         defOid = 0;
    3375. 

  3375.                         defSz = 80;
    3376. 

  3376.                     }
    3377. 

  3377.                     if (oid != ECC_X25519_OID)
    3378. 

  3378.                         sig = 1;
    3379. 

  3379.                     key = 1;
    3380. 

  3380.                 break;
    3381. 

  3381.             }
    3382. 

  3382.         }
    3383. 

  3383. 

  3384.         /* ChaCha20-Poly1305 ECC cipher suites */
    3385. 

  3385.         if (first == CHACHA_BYTE) {
    3386. 

  3386.             switch (second) {
    3387. 

  3387.                 /* ECDHE_ECDSA */
    3388. 

  3388.                 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
    3389. 

  3389.                 case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
    3390. 

  3390.                     sig |= ssl->pkCurveOID == pkOid;
    3391. 

  3391.                     key |= ssl->ecdhCurveOID == oid;
    3392. 

  3392.                     ephmSuite = 1;
    3393. 

  3393.                 break;
    3394. 

  3394. #ifndef NO_RSA
    3395. 

  3395.                 /* ECDHE_RSA */
    3396. 

  3396.                 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
    3397. 

  3397.                 case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
    3398. 

  3398.                     sig = 1;
    3399. 

  3399.                     key |= ssl->ecdhCurveOID == oid;
    3400. 

  3400.                     ephmSuite = 1;
    3401. 

  3401.                 break;
    3402. 

  3402. #endif
    3403. 

  3403.                 default:
    3404. 

  3404.                     sig = 1;
    3405. 

  3405.                     key = 1;
    3406. 

  3406.                 break;
    3407. 

  3407.             }
    3408. 

  3408.         }
    3409. 

  3409.     }
    3410. 

  3410. 

  3411.     /* Choose the default if it is at the required strength. */
    3412. 

  3412.     if (ssl->ecdhCurveOID == 0 && defSz == ssl->eccTempKeySz) {
    3413. 

  3413.         key = 1;
    3414. 

  3414.         ssl->ecdhCurveOID = defOid;
    3415. 

  3415.     }
    3416. 

  3416.     /* Choose any curve at the required strength. */
    3417. 

  3417.     if (ssl->ecdhCurveOID == 0) {
    3418. 

  3418.         key = 1;
    3419. 

  3419.         ssl->ecdhCurveOID = currOid;
    3420. 

  3420.     }
    3421. 

  3421.     /* Choose the default if it is at the next highest strength. */
    3422. 

  3422.     if (ssl->ecdhCurveOID == 0 && defSz == nextSz)
    3423. 

  3423.         ssl->ecdhCurveOID = defOid;
    3424. 

  3424.     /* Choose any curve at the next highest strength. */
    3425. 

  3425.     if (ssl->ecdhCurveOID == 0)
    3426. 

  3426.         ssl->ecdhCurveOID = nextOid;
    3427. 

  3427.     /* No curve and ephemeral ECC suite requires a matching curve. */
    3428. 

  3428.     if (ssl->ecdhCurveOID == 0 && ephmSuite)
    3429. 

  3429.         key = 0;
    3430. 

  3430. 

  3431.     return sig && key;
    3432. 

  3432. }
    3433. 

  3433. #endif
    3434. 

  3434. 

  3435. #endif /* NO_WOLFSSL_SERVER */
    3436. 

  3436. 

  3437. int TLSX_UseSupportedCurve(TLSX** extensions, word16 name, void* heap)
    3438. 

  3438. {
    3439. 

  3439.     TLSX* extension = NULL;
    3440. 

  3440.     SupportedCurve* curve = NULL;
    3441. 

  3441.     int ret = 0;
    3442. 

  3442. 

  3443.     if (extensions == NULL)
    3444. 

  3444.         return BAD_FUNC_ARG;
    3445. 

  3445. 

  3446.     extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS);
    3447. 

  3447. 

  3448.     if (!extension) {
    3449. 

  3449.         ret = TLSX_SupportedCurve_New(&curve, name, heap);
    3450. 

  3450.         if (ret != 0)
    3451. 

  3451.             return ret;
    3452. 

  3452. 

  3453.         ret = TLSX_Push(extensions, TLSX_SUPPORTED_GROUPS, curve, heap);
    3454. 

  3454.         if (ret != 0) {
    3455. 

  3455.             XFREE(curve, heap, DYNAMIC_TYPE_TLSX);
    3456. 

  3456.             return ret;
    3457. 

  3457.         }
    3458. 

  3458.     }
    3459. 

  3459.     else {
    3460. 

  3460.         ret = TLSX_SupportedCurve_Append((SupportedCurve*)extension->data, name,
    3461. 

  3461.                                                                           heap);
    3462. 

  3462.         if (ret != 0)
    3463. 

  3463.             return ret;
    3464. 

  3464.     }
    3465. 

  3465. 

  3466.     return (TLSX_Find(*extensions, TLSX_EC_POINT_FORMATS) == NULL)
    3467. 

  3467.         ? TLSX_UsePointFormat(extensions, WOLFSSL_EC_PF_UNCOMPRESSED, heap)
    3468. 

  3468.         : WOLFSSL_SUCCESS;
    3469. 

  3469. }
    3470. 

  3470. 

  3471. int TLSX_UsePointFormat(TLSX** extensions, byte format, void* heap)
    3472. 

  3472. {
    3473. 

  3473.     TLSX* extension = NULL;
    3474. 

  3474.     PointFormat* point = NULL;
    3475. 

  3475.     int ret = 0;
    3476. 

  3476. 

  3477.     if (extensions == NULL)
    3478. 

  3478.         return BAD_FUNC_ARG;
    3479. 

  3479. 

  3480.     extension = TLSX_Find(*extensions, TLSX_EC_POINT_FORMATS);
    3481. 

  3481. 

  3482.     if (!extension) {
    3483. 

  3483.         ret = TLSX_PointFormat_New(&point, format, heap);
    3484. 

  3484.         if (ret != 0)
    3485. 

  3485.             return ret;
    3486. 

  3486. 

  3487.         ret = TLSX_Push(extensions, TLSX_EC_POINT_FORMATS, point, heap);
    3488. 

  3488.         if (ret != 0) {
    3489. 

  3489.             XFREE(point, heap, DYNAMIC_TYPE_TLSX);
    3490. 

  3490.             return ret;
    3491. 

  3491.         }
    3492. 

  3492.     }
    3493. 

  3493.     else {
    3494. 

  3494.         ret = TLSX_PointFormat_Append((PointFormat*)extension->data, format,
    3495. 

  3495.                                                                           heap);
    3496. 

  3496.         if (ret != 0)
    3497. 

  3497.             return ret;
    3498. 

  3498.     }
    3499. 

  3499. 

  3500.     return WOLFSSL_SUCCESS;
    3501. 

  3501. }
    3502. 

  3502. 

  3503. #define EC_FREE_ALL         TLSX_SupportedCurve_FreeAll
    3504. 

  3504. #define EC_VALIDATE_REQUEST TLSX_SupportedCurve_ValidateRequest
    3505. 

  3505. 

  3506. #ifndef NO_WOLFSSL_CLIENT
    3507. 

  3507. #define EC_GET_SIZE TLSX_SupportedCurve_GetSize
    3508. 

  3508. #define EC_WRITE    TLSX_SupportedCurve_Write
    3509. 

  3509. #else
    3510. 

  3510. #define EC_GET_SIZE(list)         0
    3511. 

  3511. #define EC_WRITE(a, b)            0
    3512. 

  3512. #endif
    3513. 

  3513. 

  3514. #ifndef NO_WOLFSSL_SERVER
    3515. 

  3515. #define EC_PARSE TLSX_SupportedCurve_Parse
    3516. 

  3516. #else
    3517. 

  3517. #define EC_PARSE(a, b, c, d)      0
    3518. 

  3518. #endif
    3519. 

  3519. 

  3520. #define PF_FREE_ALL          TLSX_PointFormat_FreeAll
    3521. 

  3521. #define PF_VALIDATE_REQUEST  TLSX_PointFormat_ValidateRequest
    3522. 

  3522. #define PF_VALIDATE_RESPONSE TLSX_PointFormat_ValidateResponse
    3523. 

  3523. 

  3524. #define PF_GET_SIZE TLSX_PointFormat_GetSize
    3525. 

  3525. #define PF_WRITE    TLSX_PointFormat_Write
    3526. 

  3526. 

  3527. #ifndef NO_WOLFSSL_SERVER
    3528. 

  3528. #define PF_PARSE TLSX_PointFormat_Parse
    3529. 

  3529. #else
    3530. 

  3530. #define PF_PARSE(a, b, c, d)      0
    3531. 

  3531. #endif
    3532. 

  3532. 

  3533. #else
    3534. 

  3534. 

  3535. #define EC_FREE_ALL(list, heap)
    3536. 

  3536. #define EC_GET_SIZE(list)         0
    3537. 

  3537. #define EC_WRITE(a, b)            0
    3538. 

  3538. #define EC_PARSE(a, b, c, d)      0
    3539. 

  3539. #define EC_VALIDATE_REQUEST(a, b)
    3540. 

  3540. 

  3541. #define PF_FREE_ALL(list, heap)
    3542. 

  3542. #define PF_GET_SIZE(list)         0
    3543. 

  3543. #define PF_WRITE(a, b)            0
    3544. 

  3544. #define PF_PARSE(a, b, c, d)      0
    3545. 

  3545. #define PF_VALIDATE_REQUEST(a, b)
    3546. 

  3546. #define PF_VALIDATE_RESPONSE(a, b)
    3547. 

  3547. 

  3548. #endif /* HAVE_SUPPORTED_CURVES */
    3549. 

  3549. 

  3550. /******************************************************************************/
    3551. 

  3551. /* Renegotiation Indication                                                   */
    3552. 

  3552. /******************************************************************************/
    3553. 

  3553. 

  3554. #if defined(HAVE_SECURE_RENEGOTIATION) \
    3555. 

  3555.  || defined(HAVE_SERVER_RENEGOTIATION_INFO)
    3556. 

  3556. 

  3557. static byte TLSX_SecureRenegotiation_GetSize(SecureRenegotiation* data,
    3558. 

  3558.                                                                   int isRequest)
    3559. 

  3559. {
    3560. 

  3560.     byte length = OPAQUE8_LEN; /* empty info length */
    3561. 

  3561. 

  3562.     /* data will be NULL for HAVE_SERVER_RENEGOTIATION_INFO only */
    3563. 

  3563.     if (data && data->enabled) {
    3564. 

  3564.         /* client sends client_verify_data only */
    3565. 

  3565.         length += TLS_FINISHED_SZ;
    3566. 

  3566. 

  3567.         /* server also sends server_verify_data */
    3568. 

  3568.         if (!isRequest)
    3569. 

  3569.             length += TLS_FINISHED_SZ;
    3570. 

  3570.     }
    3571. 

  3571. 

  3572.     return length;
    3573. 

  3573. }
    3574. 

  3574. 

  3575. static word16 TLSX_SecureRenegotiation_Write(SecureRenegotiation* data,
    3576. 

  3576.                                                     byte* output, int isRequest)
    3577. 

  3577. {
    3578. 

  3578.     word16 offset = OPAQUE8_LEN; /* RenegotiationInfo length */
    3579. 

  3579. 

  3580.     if (data && data->enabled) {
    3581. 

  3581.         /* client sends client_verify_data only */
    3582. 

  3582.         XMEMCPY(output + offset, data->client_verify_data, TLS_FINISHED_SZ);
    3583. 

  3583.         offset += TLS_FINISHED_SZ;
    3584. 

  3584. 

  3585.         /* server also sends server_verify_data */
    3586. 

  3586.         if (!isRequest) {
    3587. 

  3587.             XMEMCPY(output + offset, data->server_verify_data, TLS_FINISHED_SZ);
    3588. 

  3588.             offset += TLS_FINISHED_SZ;
    3589. 

  3589.         }
    3590. 

  3590.     }
    3591. 

  3591. 

  3592.     output[0] = (byte)(offset - 1);  /* info length - self */
    3593. 

  3593. 

  3594.     return offset;
    3595. 

  3595. }
    3596. 

  3596. 

  3597. static int TLSX_SecureRenegotiation_Parse(WOLFSSL* ssl, byte* input,
    3598. 

  3598.                                                   word16 length, byte isRequest)
    3599. 

  3599. {
    3600. 

  3600.     int ret = SECURE_RENEGOTIATION_E;
    3601. 

  3601. 

  3602.     if (length >= OPAQUE8_LEN) {
    3603. 

  3603.         if (ssl->secure_renegotiation == NULL) {
    3604. 

  3604.         #ifndef NO_WOLFSSL_SERVER
    3605. 

  3605.             if (isRequest && *input == 0) {
    3606. 

  3606.             #ifdef HAVE_SERVER_RENEGOTIATION_INFO
    3607. 

  3607.                 if (length == OPAQUE8_LEN) {
    3608. 

  3608.                     if (TLSX_Find(ssl->extensions,
    3609. 

  3609.                                   TLSX_RENEGOTIATION_INFO) == NULL) {
    3610. 

  3610.                         ret = TLSX_AddEmptyRenegotiationInfo(&ssl->extensions,
    3611. 

  3611.                                                              ssl->heap);
    3612. 

  3612.                         if (ret == WOLFSSL_SUCCESS)
    3613. 

  3613.                             ret = 0;
    3614. 

  3614. 

  3615.                     } else {
    3616. 

  3616.                         ret = 0;
    3617. 

  3617.                     }
    3618. 

  3618.                 }
    3619. 

  3619.             #else
    3620. 

  3620.                 ret = 0;  /* don't reply, user didn't enable */
    3621. 

  3621.             #endif /* HAVE_SERVER_RENEGOTIATION_INFO */
    3622. 

  3622.             }
    3623. 

  3623.             #ifdef HAVE_SERVER_RENEGOTIATION_INFO
    3624. 

  3624.             else if (!isRequest) {
    3625. 

  3625.                 /* don't do anything on client side */
    3626. 

  3626.                 ret = 0;
    3627. 

  3627.             }
    3628. 

  3628.             #endif
    3629. 

  3629.         #endif
    3630. 

  3630.         }
    3631. 

  3631.         else if (isRequest) {
    3632. 

  3632.         #ifndef NO_WOLFSSL_SERVER
    3633. 

  3633.             if (*input == TLS_FINISHED_SZ) {
    3634. 

  3634.                 /* TODO compare client_verify_data */
    3635. 

  3635.                 ret = 0;
    3636. 

  3636.             }
    3637. 

  3637.         #endif
    3638. 

  3638.         }
    3639. 

  3639.         else {
    3640. 

  3640.         #ifndef NO_WOLFSSL_CLIENT
    3641. 

  3641.             if (!ssl->secure_renegotiation->enabled) {
    3642. 

  3642.                 if (*input == 0) {
    3643. 

  3643.                     ssl->secure_renegotiation->enabled = 1;
    3644. 

  3644.                     ret = 0;
    3645. 

  3645.                 }
    3646. 

  3646.             }
    3647. 

  3647.             else if (*input == 2 * TLS_FINISHED_SZ &&
    3648. 

  3648.                      length == 2 * TLS_FINISHED_SZ + OPAQUE8_LEN) {
    3649. 

  3649.                 input++;  /* get past size */
    3650. 

  3650. 

  3651.                 /* validate client and server verify data */
    3652. 

  3652.                 if (XMEMCMP(input,
    3653. 

  3653.                             ssl->secure_renegotiation->client_verify_data,
    3654. 

  3654.                             TLS_FINISHED_SZ) == 0 &&
    3655. 

  3655.                     XMEMCMP(input + TLS_FINISHED_SZ,
    3656. 

  3656.                             ssl->secure_renegotiation->server_verify_data,
    3657. 

  3657.                             TLS_FINISHED_SZ) == 0) {
    3658. 

  3658.                     WOLFSSL_MSG("SCR client and server verify data match");
    3659. 

  3659.                     ret = 0;  /* verified */
    3660. 

  3660.                 } else {
    3661. 

  3661.                     /* already in error state */
    3662. 

  3662.                     WOLFSSL_MSG("SCR client and server verify data Failure");
    3663. 

  3663.                 }
    3664. 

  3664.             }
    3665. 

  3665.         #endif
    3666. 

  3666.         }
    3667. 

  3667.     }
    3668. 

  3668. 

  3669.     if (ret != 0) {
    3670. 

  3670.         SendAlert(ssl, alert_fatal, handshake_failure);
    3671. 

  3671.     }
    3672. 

  3672. 

  3673.     return ret;
    3674. 

  3674. }
    3675. 

  3675. 

  3676. int TLSX_UseSecureRenegotiation(TLSX** extensions, void* heap)
    3677. 

  3677. {
    3678. 

  3678.     int ret = 0;
    3679. 

  3679.     SecureRenegotiation* data = NULL;
    3680. 

  3680. 

  3681.     data = (SecureRenegotiation*)XMALLOC(sizeof(SecureRenegotiation), heap,
    3682. 

  3682.                                                              DYNAMIC_TYPE_TLSX);
    3683. 

  3683.     if (data == NULL)
    3684. 

  3684.         return MEMORY_E;
    3685. 

  3685. 

  3686.     XMEMSET(data, 0, sizeof(SecureRenegotiation));
    3687. 

  3687. 

  3688.     ret = TLSX_Push(extensions, TLSX_RENEGOTIATION_INFO, data, heap);
    3689. 

  3689.     if (ret != 0) {
    3690. 

  3690.         XFREE(data, heap, DYNAMIC_TYPE_TLSX);
    3691. 

  3691.         return ret;
    3692. 

  3692.     }
    3693. 

  3693. 

  3694.     return WOLFSSL_SUCCESS;
    3695. 

  3695. }
    3696. 

  3696. 

  3697. #ifdef HAVE_SERVER_RENEGOTIATION_INFO
    3698. 

  3698. 

  3699. int TLSX_AddEmptyRenegotiationInfo(TLSX** extensions, void* heap)
    3700. 

  3700. {
    3701. 

  3701.     int ret;
    3702. 

  3702. 

  3703.     ret = TLSX_Push(extensions, TLSX_RENEGOTIATION_INFO, NULL, heap);
    3704. 

  3704.     if (ret != 0)
    3705. 

  3705.         return ret;
    3706. 

  3706. 

  3707.     /* send empty renegotiation_info extension */
    3708. 

  3708.     TLSX* ext = TLSX_Find(*extensions, TLSX_RENEGOTIATION_INFO);
    3709. 

  3709.     if (ext)
    3710. 

  3710.         ext->resp = 1;
    3711. 

  3711. 

  3712.     return WOLFSSL_SUCCESS;
    3713. 

  3713. }
    3714. 

  3714. 

  3715. #endif /* HAVE_SERVER_RENEGOTIATION_INFO */
    3716. 

  3716. 

  3717. 

  3718. #define SCR_FREE_ALL(data, heap) XFREE(data, (heap), DYNAMIC_TYPE_TLSX)
    3719. 

  3719. #define SCR_GET_SIZE       TLSX_SecureRenegotiation_GetSize
    3720. 

  3720. #define SCR_WRITE          TLSX_SecureRenegotiation_Write
    3721. 

  3721. #define SCR_PARSE          TLSX_SecureRenegotiation_Parse
    3722. 

  3722. 

  3723. #else
    3724. 

  3724. 

  3725. #define SCR_FREE_ALL(a, heap)
    3726. 

  3726. #define SCR_GET_SIZE(a, b)    0
    3727. 

  3727. #define SCR_WRITE(a, b, c)    0
    3728. 

  3728. #define SCR_PARSE(a, b, c, d) 0
    3729. 

  3729. 

  3730. #endif /* HAVE_SECURE_RENEGOTIATION */
    3731. 

  3731. 

  3732. /******************************************************************************/
    3733. 

  3733. /* Session Tickets                                                            */
    3734. 

  3734. /******************************************************************************/
    3735. 

  3735. 

  3736. #ifdef HAVE_SESSION_TICKET
    3737. 

  3737. 

  3738. #ifndef NO_WOLFSSL_CLIENT
    3739. 

  3739. static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl)
    3740. 

  3740. {
    3741. 

  3741.     TLSX*          extension = TLSX_Find(ssl->extensions, TLSX_SESSION_TICKET);
    3742. 

  3742.     SessionTicket* ticket    = extension ?
    3743. 

  3743.                                          (SessionTicket*)extension->data : NULL;
    3744. 

  3744. 

  3745.     if (ticket) {
    3746. 

  3746.         /* TODO validate ticket timeout here! */
    3747. 

  3747.         if (ticket->lifetime == 0xfffffff) {
    3748. 

  3748.             /* send empty ticket on timeout */
    3749. 

  3749.             TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap);
    3750. 

  3750.         }
    3751. 

  3751.     }
    3752. 

  3752. }
    3753. 

  3753. #endif /* NO_WOLFSSL_CLIENT */
    3754. 

  3754. 

  3755. 

  3756. static word16 TLSX_SessionTicket_GetSize(SessionTicket* ticket, int isRequest)
    3757. 

  3757. {
    3758. 

  3758.     (void)isRequest;
    3759. 

  3759.     return ticket ? ticket->size : 0;
    3760. 

  3760. }
    3761. 

  3761. 

  3762. static word16 TLSX_SessionTicket_Write(SessionTicket* ticket, byte* output,
    3763. 

  3763.                                                                   int isRequest)
    3764. 

  3764. {
    3765. 

  3765.     word16 offset = 0; /* empty ticket */
    3766. 

  3766. 

  3767.     if (isRequest && ticket) {
    3768. 

  3768.         XMEMCPY(output + offset, ticket->data, ticket->size);
    3769. 

  3769.         offset += ticket->size;
    3770. 

  3770.     }
    3771. 

  3771. 

  3772.     return offset;
    3773. 

  3773. }
    3774. 

  3774. 

  3775. 

  3776. static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length,
    3777. 

  3777.                                                                  byte isRequest)
    3778. 

  3778. {
    3779. 

  3779.     int ret = 0;
    3780. 

  3780. 

  3781.     (void) input; /* avoid unused parameter if NO_WOLFSSL_SERVER defined */
    3782. 

  3782. 

  3783.     if (!isRequest) {
    3784. 

  3784.         if (TLSX_CheckUnsupportedExtension(ssl, TLSX_SESSION_TICKET))
    3785. 

  3785.             return TLSX_HandleUnsupportedExtension(ssl);
    3786. 

  3786. 

  3787.         if (length != 0)
    3788. 

  3788.             return BUFFER_ERROR;
    3789. 

  3789. 

  3790. #ifndef NO_WOLFSSL_CLIENT
    3791. 

  3791.         ssl->expect_session_ticket = 1;
    3792. 

  3792. #endif
    3793. 

  3793.     }
    3794. 

  3794. #ifndef NO_WOLFSSL_SERVER
    3795. 

  3795.     else {
    3796. 

  3796.         /* server side */
    3797. 

  3797.         if (ssl->ctx->ticketEncCb == NULL) {
    3798. 

  3798.             WOLFSSL_MSG("Client sent session ticket, server has no callback");
    3799. 

  3799.             return 0;
    3800. 

  3800.         }
    3801. 

  3801. 

  3802.         if (length == 0) {
    3803. 

  3803.             /* blank ticket */
    3804. 

  3804.             ret = TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap);
    3805. 

  3805.             if (ret == WOLFSSL_SUCCESS) {
    3806. 

  3806.                 ret = 0;
    3807. 

  3807.                 TLSX_SetResponse(ssl, TLSX_SESSION_TICKET);  /* send blank ticket */
    3808. 

  3808.                 ssl->options.createTicket = 1;  /* will send ticket msg */
    3809. 

  3809.                 ssl->options.useTicket    = 1;
    3810. 

  3810.                 ssl->options.resuming     = 0;  /* no standard resumption */
    3811. 

  3811.                 ssl->arrays->sessionIDSz  = 0;  /* no echo on blank ticket */
    3812. 

  3812.             }
    3813. 

  3813.         } else {
    3814. 

  3814.             /* got actual ticket from client */
    3815. 

  3815.             ret = DoClientTicket(ssl, input, length);
    3816. 

  3816.             if (ret == WOLFSSL_TICKET_RET_OK) {    /* use ticket to resume */
    3817. 

  3817.                 WOLFSSL_MSG("Using exisitng client ticket");
    3818. 

  3818.                 ssl->options.useTicket = 1;
    3819. 

  3819.                 ssl->options.resuming  = 1;
    3820. 

  3820.             } else if (ret == WOLFSSL_TICKET_RET_CREATE) {
    3821. 

  3821.                 WOLFSSL_MSG("Using existing client ticket, creating new one");
    3822. 

  3822.                 ret = TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap);
    3823. 

  3823.                 if (ret == WOLFSSL_SUCCESS) {
    3824. 

  3824.                     ret = 0;
    3825. 

  3825.                     TLSX_SetResponse(ssl, TLSX_SESSION_TICKET);
    3826. 

  3826.                                                     /* send blank ticket */
    3827. 

  3827.                     ssl->options.createTicket = 1;  /* will send ticket msg */
    3828. 

  3828.                     ssl->options.useTicket    = 1;
    3829. 

  3829.                     ssl->options.resuming     = 1;
    3830. 

  3830.                 }
    3831. 

  3831.             } else if (ret == WOLFSSL_TICKET_RET_REJECT) {
    3832. 

  3832.                 WOLFSSL_MSG("Process client ticket rejected, not using");
    3833. 

  3833.                 ssl->options.rejectTicket = 1;
    3834. 

  3834.                 ret = 0;  /* not fatal */
    3835. 

  3835.             } else if (ret == WOLFSSL_TICKET_RET_FATAL || ret < 0) {
    3836. 

  3836.                 WOLFSSL_MSG("Process client ticket fatal error, not using");
    3837. 

  3837.             }
    3838. 

  3838.         }
    3839. 

  3839.     }
    3840. 

  3840. #endif /* NO_WOLFSSL_SERVER */
    3841. 

  3841. 

  3842.     return ret;
    3843. 

  3843. }
    3844. 

  3844. 

  3845. WOLFSSL_LOCAL SessionTicket* TLSX_SessionTicket_Create(word32 lifetime,
    3846. 

  3846.                                             byte* data, word16 size, void* heap)
    3847. 

  3847. {
    3848. 

  3848.     SessionTicket* ticket = (SessionTicket*)XMALLOC(sizeof(SessionTicket),
    3849. 

  3849.                                                        heap, DYNAMIC_TYPE_TLSX);
    3850. 

  3850.     if (ticket) {
    3851. 

  3851.         ticket->data = (byte*)XMALLOC(size, heap, DYNAMIC_TYPE_TLSX);
    3852. 

  3852.         if (ticket->data == NULL) {
    3853. 

  3853.             XFREE(ticket, heap, DYNAMIC_TYPE_TLSX);
    3854. 

  3854.             return NULL;
    3855. 

  3855.         }
    3856. 

  3856. 

  3857.         XMEMCPY(ticket->data, data, size);
    3858. 

  3858.         ticket->size     = size;
    3859. 

  3859.         ticket->lifetime = lifetime;
    3860. 

  3860.     }
    3861. 

  3861. 

  3862.     return ticket;
    3863. 

  3863. }
    3864. 

  3864. WOLFSSL_LOCAL void TLSX_SessionTicket_Free(SessionTicket* ticket, void* heap)
    3865. 

  3865. {
    3866. 

  3866.     if (ticket) {
    3867. 

  3867.         XFREE(ticket->data, heap, DYNAMIC_TYPE_TLSX);
    3868. 

  3868.         XFREE(ticket,       heap, DYNAMIC_TYPE_TLSX);
    3869. 

  3869.     }
    3870. 

  3870. 

  3871.     (void)heap;
    3872. 

  3872. }
    3873. 

  3873. 

  3874. int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket, void* heap)
    3875. 

  3875. {
    3876. 

  3876.     int ret = 0;
    3877. 

  3877. 

  3878.     if (extensions == NULL)
    3879. 

  3879.         return BAD_FUNC_ARG;
    3880. 

  3880. 

  3881.     /* If the ticket is NULL, the client will request a new ticket from the
    3882. 

  3882.        server. Otherwise, the client will use it in the next client hello. */
    3883. 

  3883.     if ((ret = TLSX_Push(extensions, TLSX_SESSION_TICKET, (void*)ticket, heap))
    3884. 

  3884.                                                                            != 0)
    3885. 

  3885.         return ret;
    3886. 

  3886. 

  3887.     return WOLFSSL_SUCCESS;
    3888. 

  3888. }
    3889. 

  3889. 

  3890. #define WOLF_STK_VALIDATE_REQUEST TLSX_SessionTicket_ValidateRequest
    3891. 

  3891. #define WOLF_STK_GET_SIZE         TLSX_SessionTicket_GetSize
    3892. 

  3892. #define WOLF_STK_WRITE            TLSX_SessionTicket_Write
    3893. 

  3893. #define WOLF_STK_PARSE            TLSX_SessionTicket_Parse
    3894. 

  3894. #define WOLF_STK_FREE(stk, heap)  TLSX_SessionTicket_Free((SessionTicket*)stk,(heap))
    3895. 

  3895. 

  3896. #else
    3897. 

  3897. 

  3898. #define WOLF_STK_FREE(a, b)
    3899. 

  3899. #define WOLF_STK_VALIDATE_REQUEST(a)
    3900. 

  3900. #define WOLF_STK_GET_SIZE(a, b)      0
    3901. 

  3901. #define WOLF_STK_WRITE(a, b, c)      0
    3902. 

  3902. #define WOLF_STK_PARSE(a, b, c, d)   0
    3903. 

  3903. 

  3904. #endif /* HAVE_SESSION_TICKET */
    3905. 

  3905. 

  3906. /******************************************************************************/
    3907. 

  3907. /* Quantum-Safe-Hybrid                                                        */
    3908. 

  3908. /******************************************************************************/
    3909. 

  3909. 

  3910. #ifdef HAVE_QSH
    3911. 

  3911. #if defined(HAVE_NTRU)
    3912. 

  3912. static WC_RNG* gRng;
    3913. 

  3913. static wolfSSL_Mutex* gRngMutex;
    3914. 

  3914. #endif
    3915. 

  3915. 

  3916. static void TLSX_QSH_FreeAll(QSHScheme* list, void* heap)
    3917. 

  3917. {
    3918. 

  3918.     QSHScheme* current;
    3919. 

  3919. 

  3920.     while ((current = list)) {
    3921. 

  3921.         list = current->next;
    3922. 

  3922.         XFREE(current, heap, DYNAMIC_TYPE_TLSX);
    3923. 

  3923.     }
    3924. 

  3924. 

  3925.     (void)heap;
    3926. 

  3926. }
    3927. 

  3927. 

  3928. static int TLSX_QSH_Append(QSHScheme** list, word16 name, byte* pub,
    3929. 

  3929.                                                                   word16 pubLen)
    3930. 

  3930. {
    3931. 

  3931.     QSHScheme* temp;
    3932. 

  3932. 

  3933.     if (list == NULL)
    3934. 

  3934.         return BAD_FUNC_ARG;
    3935. 

  3935. 

  3936.     if ((temp = (QSHScheme*)XMALLOC(sizeof(QSHScheme), NULL,
    3937. 

  3937.                                                     DYNAMIC_TYPE_TLSX)) == NULL)
    3938. 

  3938.         return MEMORY_E;
    3939. 

  3939. 

  3940.     temp->name  = name;
    3941. 

  3941.     temp->PK    = pub;
    3942. 

  3942.     temp->PKLen = pubLen;
    3943. 

  3943.     temp->next  = *list;
    3944. 

  3944. 

  3945.     *list = temp;
    3946. 

  3946. 

  3947.     return 0;
    3948. 

  3948. }
    3949. 

  3949. 

  3950. 

  3951. /* request for server's public key : 02 indicates 0-2 requested */
    3952. 

  3952. static byte TLSX_QSH_SerPKReq(byte* output, byte isRequest)
    3953. 

  3953. {
    3954. 

  3954.     if (isRequest) {
    3955. 

  3955.         /* only request one public key from the server */
    3956. 

  3956.         output[0] = 0x01;
    3957. 

  3957. 

  3958.         return OPAQUE8_LEN;
    3959. 

  3959.     }
    3960. 

  3960.     else {
    3961. 

  3961.         return 0;
    3962. 

  3962.     }
    3963. 

  3963. }
    3964. 

  3964. 

  3965. #ifndef NO_WOLFSSL_CLIENT
    3966. 

  3966. 

  3967. /* check for TLS_QSH suite */
    3968. 

  3968. static void TLSX_QSH_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
    3969. 

  3969. {
    3970. 

  3970.     int i;
    3971. 

  3971. 

  3972.     for (i = 0; i < ssl->suites->suiteSz; i+= 2)
    3973. 

  3973.         if (ssl->suites->suites[i] == QSH_BYTE)
    3974. 

  3974.             return;
    3975. 

  3975. 

  3976.     /* No QSH suite found */
    3977. 

  3977.     TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_QUANTUM_SAFE_HYBRID));
    3978. 

  3978. }
    3979. 

  3979. 

  3980. 

  3981. /* return the size of the QSH hello extension
    3982. 

  3982.    list      the list of QSHScheme structs containing id and key
    3983. 

  3983.    isRequest if 1 then is being sent to the server
    3984. 

  3984.  */
    3985. 

  3985. word16 TLSX_QSH_GetSize(QSHScheme* list, byte isRequest)
    3986. 

  3986. {
    3987. 

  3987.     QSHScheme* temp = list;
    3988. 

  3988.     word16 length = 0;
    3989. 

  3989. 

  3990.     /* account for size of scheme list and public key list */
    3991. 

  3991.     if (isRequest)
    3992. 

  3992.         length = OPAQUE16_LEN;
    3993. 

  3993.     length += OPAQUE24_LEN;
    3994. 

  3994. 

  3995.     /* for each non null element in list add size */
    3996. 

  3996.     while ((temp)) {
    3997. 

  3997.         /* add public key info Scheme | Key Length | Key */
    3998. 

  3998.         length += OPAQUE16_LEN;
    3999. 

  3999.         length += OPAQUE16_LEN;
    4000. 

  4000.         length += temp->PKLen;
    4001. 

  4001. 

  4002.         /* if client add name size for scheme list
    4003. 

  4003.            advance to next QSHScheme struct in list */
    4004. 

  4004.         if (isRequest)
    4005. 

  4005.             length += OPAQUE16_LEN;
    4006. 

  4006.         temp = temp->next;
    4007. 

  4007.     }
    4008. 

  4008. 

  4009.     /* add length for request server public keys */
    4010. 

  4010.     if (isRequest)
    4011. 

  4011.         length += OPAQUE8_LEN;
    4012. 

  4012. 

  4013.     return length;
    4014. 

  4014. }
    4015. 

  4015. 

  4016. 

  4017. /* write out a list of QSHScheme IDs */
    4018. 

  4018. static word16 TLSX_QSH_Write(QSHScheme* list, byte* output)
    4019. 

  4019. {
    4020. 

  4020.     QSHScheme* current = list;
    4021. 

  4021.     word16 length      = 0;
    4022. 

  4022. 

  4023.     length += OPAQUE16_LEN;
    4024. 

  4024. 

  4025.     while (current) {
    4026. 

  4026.         c16toa(current->name, output + length);
    4027. 

  4027.         length += OPAQUE16_LEN;
    4028. 

  4028.         current = (QSHScheme*)current->next;
    4029. 

  4029.     }
    4030. 

  4030. 

  4031.     c16toa(length - OPAQUE16_LEN, output); /* writing list length */
    4032. 

  4032. 

  4033.     return length;
    4034. 

  4034. }
    4035. 

  4035. 

  4036. 

  4037. /* write public key list in extension */
    4038. 

  4038. static word16 TLSX_QSHPK_WriteR(QSHScheme* format, byte* output);
    4039. 

  4039. static word16 TLSX_QSHPK_WriteR(QSHScheme* format, byte* output)
    4040. 

  4040. {
    4041. 

  4041.     word32 offset = 0;
    4042. 

  4042.     word16 public_len = 0;
    4043. 

  4043. 

  4044.     if (!format)
    4045. 

  4045.         return offset;
    4046. 

  4046. 

  4047.     /* write scheme ID */
    4048. 

  4048.     c16toa(format->name, output + offset);
    4049. 

  4049.     offset += OPAQUE16_LEN;
    4050. 

  4050. 

  4051.     /* write public key matching scheme */
    4052. 

  4052.     public_len = format->PKLen;
    4053. 

  4053.     c16toa(public_len, output + offset);
    4054. 

  4054.     offset += OPAQUE16_LEN;
    4055. 

  4055.     if (format->PK) {
    4056. 

  4056.         XMEMCPY(output+offset, format->PK, public_len);
    4057. 

  4057.     }
    4058. 

  4058. 

  4059.     return public_len + offset;
    4060. 

  4060. }
    4061. 

  4061. 

  4062. word16 TLSX_QSHPK_Write(QSHScheme* list, byte* output)
    4063. 

  4063. {
    4064. 

  4064.     QSHScheme* current = list;
    4065. 

  4065.     word32 length = 0;
    4066. 

  4066.     word24 toWire;
    4067. 

  4067. 

  4068.     length += OPAQUE24_LEN;
    4069. 

  4069. 

  4070.     while (current) {
    4071. 

  4071.         length += TLSX_QSHPK_WriteR(current, output + length);
    4072. 

  4072.         current = (QSHScheme*)current->next;
    4073. 

  4073.     }
    4074. 

  4074.     /* length of public keys sent */
    4075. 

  4075.     c32to24(length - OPAQUE24_LEN, toWire);
    4076. 

  4076.     output[0] = toWire[0];
    4077. 

  4077.     output[1] = toWire[1];
    4078. 

  4078.     output[2] = toWire[2];
    4079. 

  4079. 

  4080.     return length;
    4081. 

  4081. }
    4082. 

  4082. 

  4083. #endif /* NO_WOLFSSL_CLIENT */
    4084. 

  4084. #ifndef NO_WOLFSSL_SERVER
    4085. 

  4085. 

  4086. static void TLSX_QSHAgreement(TLSX** extensions, void* heap)
    4087. 

  4087. {
    4088. 

  4088.     TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID);
    4089. 

  4089.     QSHScheme* format = NULL;
    4090. 

  4090.     QSHScheme* del    = NULL;
    4091. 

  4091.     QSHScheme* prev   = NULL;
    4092. 

  4092. 

  4093.     if (extension == NULL)
    4094. 

  4094.         return;
    4095. 

  4095. 

  4096.     format = (QSHScheme*)extension->data;
    4097. 

  4097.     while (format) {
    4098. 

  4098.         if (format->PKLen == 0) {
    4099. 

  4099.             /* case of head */
    4100. 

  4100.             if (format == extension->data) {
    4101. 

  4101.                 extension->data = format->next;
    4102. 

  4102.             }
    4103. 

  4103.             if (prev)
    4104. 

  4104.                 prev->next = format->next;
    4105. 

  4105.             del = format;
    4106. 

  4106.             format = format->next;
    4107. 

  4107.             XFREE(del, heap, DYNAMIC_TYPE_TMP_BUFFER);
    4108. 

  4108.             del = NULL;
    4109. 

  4109.         } else {
    4110. 

  4110.             prev   = format;
    4111. 

  4111.             format = format->next;
    4112. 

  4112.         }
    4113. 

  4113.     }
    4114. 

  4114. 

  4115.     (void)heap;
    4116. 

  4116. }
    4117. 

  4117. 

  4118. 

  4119. /* Parse in hello extension
    4120. 

  4120.    input     the byte stream to process
    4121. 

  4121.    length    length of total extension found
    4122. 

  4122.    isRequest set to 1 if being sent to the server
    4123. 

  4123.  */
    4124. 

  4124. static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length,
    4125. 

  4125.                                                                  byte isRequest)
    4126. 

  4126. {
    4127. 

  4127.     byte   numKeys    = 0;
    4128. 

  4128.     word16 offset     = 0;
    4129. 

  4129.     word16 schemSz    = 0;
    4130. 

  4130.     word16 offset_len = 0;
    4131. 

  4131.     word32 offset_pk  = 0;
    4132. 

  4132.     word16 name  = 0;
    4133. 

  4133.     word16 PKLen = 0;
    4134. 

  4134.     byte*  PK = NULL;
    4135. 

  4135.     int r;
    4136. 

  4136. 

  4137. 

  4138.     if (OPAQUE16_LEN > length)
    4139. 

  4139.         return BUFFER_ERROR;
    4140. 

  4140. 

  4141.     if (isRequest) {
    4142. 

  4142.         ato16(input, &schemSz);
    4143. 

  4143. 

  4144.         /* list of public keys available for QSH schemes */
    4145. 

  4145.         offset_len = schemSz + OPAQUE16_LEN;
    4146. 

  4146.     }
    4147. 

  4147. 

  4148.     offset_pk = ((input[offset_len] << 16)   & 0xFF00000) |
    4149. 

  4149.                 (((input[offset_len + 1]) << 8) & 0xFF00) |
    4150. 

  4150.                 (input[offset_len + 2] & 0xFF);
    4151. 

  4151.     offset_len += OPAQUE24_LEN;
    4152. 

  4152. 

  4153.     /* check buffer size */
    4154. 

  4154.     if (offset_pk > length)
    4155. 

  4155.         return BUFFER_ERROR;
    4156. 

  4156. 

  4157.     /* set maximum number of keys the client will accept */
    4158. 

  4158.     if (!isRequest)
    4159. 

  4159.         numKeys = (ssl->maxRequest < 1)? 1 : ssl->maxRequest;
    4160. 

  4160. 

  4161.     /* hello extension read list of scheme ids */
    4162. 

  4162.     if (isRequest) {
    4163. 

  4163. 

  4164.         /* read in request for public keys */
    4165. 

  4165.         ssl->minRequest = (input[length -1] >> 4) & 0xFF;
    4166. 

  4166.         ssl->maxRequest = input[length -1] & 0x0F;
    4167. 

  4167. 

  4168.         /* choose the min between min requested by client and 1 */
    4169. 

  4169.         numKeys = (ssl->minRequest > 1) ? ssl->minRequest : 1;
    4170. 

  4170. 

  4171.         if (ssl->minRequest > ssl->maxRequest)
    4172. 

  4172.             return BAD_FUNC_ARG;
    4173. 

  4173. 

  4174.         offset  += OPAQUE16_LEN;
    4175. 

  4175.         schemSz += offset;
    4176. 

  4176. 

  4177.         /* check buffer size */
    4178. 

  4178.         if (schemSz > length)
    4179. 

  4179.             return BUFFER_ERROR;
    4180. 

  4180. 

  4181.         while ((offset < schemSz) && numKeys) {
    4182. 

  4182.             /* Scheme ID list */
    4183. 

  4183.             ato16(input + offset, &name);
    4184. 

  4184.             offset += OPAQUE16_LEN;
    4185. 

  4185. 

  4186.             /* validate we have scheme id */
    4187. 

  4187.             if (ssl->user_set_QSHSchemes &&
    4188. 

  4188.                     !TLSX_ValidateQSHScheme(&ssl->extensions, name)) {
    4189. 

  4189.                 continue;
    4190. 

  4190.             }
    4191. 

  4191. 

  4192.             /* server create keys on demand */
    4193. 

  4193.             if ((r = TLSX_CreateNtruKey(ssl, name)) != 0) {
    4194. 

  4194.                 WOLFSSL_MSG("Error creating ntru keys");
    4195. 

  4195.                 return r;
    4196. 

  4196.             }
    4197. 

  4197. 

  4198.             /* peer sent an agreed upon scheme */
    4199. 

  4199.             r = TLSX_UseQSHScheme(&ssl->extensions, name, NULL, 0, ssl->heap);
    4200. 

  4200. 

  4201.             if (r != WOLFSSL_SUCCESS) return r; /* throw error */
    4202. 

  4202. 

  4203.             numKeys--;
    4204. 

  4204.         }
    4205. 

  4205. 

  4206.         /* choose the min between min requested by client and 1 */
    4207. 

  4207.         numKeys = (ssl->minRequest > 1) ? ssl->minRequest : 1;
    4208. 

  4208.     }
    4209. 

  4209. 

  4210.     /* QSHPK struct */
    4211. 

  4211.     offset_pk += offset_len;
    4212. 

  4212.     while ((offset_len < offset_pk) && numKeys) {
    4213. 

  4213.         QSHKey * temp;
    4214. 

  4214. 

  4215.         if ((temp = (QSHKey*)XMALLOC(sizeof(QSHKey), ssl->heap,
    4216. 

  4216.                                                     DYNAMIC_TYPE_TLSX)) == NULL)
    4217. 

  4217.             return MEMORY_E;
    4218. 

  4218. 

  4219.         /* initialize */
    4220. 

  4220.         temp->next = NULL;
    4221. 

  4221.         temp->pub.buffer = NULL;
    4222. 

  4222.         temp->pub.length = 0;
    4223. 

  4223.         temp->pri.buffer = NULL;
    4224. 

  4224.         temp->pri.length = 0;
    4225. 

  4225. 

  4226.         /* scheme id */
    4227. 

  4227.         ato16(input + offset_len, &(temp->name));
    4228. 

  4228.         offset_len += OPAQUE16_LEN;
    4229. 

  4229. 

  4230.         /* public key length */
    4231. 

  4231.         ato16(input + offset_len, &PKLen);
    4232. 

  4232.         temp->pub.length = PKLen;
    4233. 

  4233.         offset_len += OPAQUE16_LEN;
    4234. 

  4234. 

  4235. 

  4236.         if (isRequest) {
    4237. 

  4237.             /* validate we have scheme id */
    4238. 

  4238.             if (ssl->user_set_QSHSchemes &&
    4239. 

  4239.                     (!TLSX_ValidateQSHScheme(&ssl->extensions, temp->name))) {
    4240. 

  4240.                 offset_len += PKLen;
    4241. 

  4241.                 XFREE(temp, ssl->heap, DYNAMIC_TYPE_TLSX);
    4242. 

  4242.                 continue;
    4243. 

  4243.             }
    4244. 

  4244.         }
    4245. 

  4245. 

  4246.         /* read in public key */
    4247. 

  4247.         if (PKLen > 0) {
    4248. 

  4248.             temp->pub.buffer = (byte*)XMALLOC(temp->pub.length,
    4249. 

  4249.                                             ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    4250. 

  4250.             XMEMCPY(temp->pub.buffer, input + offset_len, temp->pub.length);
    4251. 

  4251.             offset_len += PKLen;
    4252. 

  4252.         }
    4253. 

  4253.         else {
    4254. 

  4254.             PK = NULL;
    4255. 

  4255.         }
    4256. 

  4256. 

  4257.         /* use own key when adding to extensions list for sending reply */
    4258. 

  4258.         PKLen = 0;
    4259. 

  4259.         PK = TLSX_QSHKeyFind_Pub(ssl->QSH_Key, &PKLen, temp->name);
    4260. 

  4260.         r  = TLSX_UseQSHScheme(&ssl->extensions, temp->name, PK, PKLen,
    4261. 

  4261.                                                                      ssl->heap);
    4262. 

  4262. 

  4263.         /* store peers key */
    4264. 

  4264.         ssl->peerQSHKeyPresent = 1;
    4265. 

  4265.         if (TLSX_AddQSHKey(&ssl->peerQSHKey, temp) != 0)
    4266. 

  4266.             return MEMORY_E;
    4267. 

  4267. 

  4268.         if (temp->pub.length == 0) {
    4269. 

  4269.             XFREE(temp, ssl->heap, DYNAMIC_TYPE_TLSX);
    4270. 

  4270.         }
    4271. 

  4271. 

  4272.         if (r != WOLFSSL_SUCCESS) {return r;} /* throw error */
    4273. 

  4273. 

  4274.         numKeys--;
    4275. 

  4275.     }
    4276. 

  4276. 

  4277.     /* reply to a QSH extension sent from client */
    4278. 

  4278.     if (isRequest) {
    4279. 

  4279.         TLSX_SetResponse(ssl, TLSX_QUANTUM_SAFE_HYBRID);
    4280. 

  4280.         /* only use schemes we have key generated for -- free the rest */
    4281. 

  4281.         TLSX_QSHAgreement(&ssl->extensions, ssl->heap);
    4282. 

  4282.     }
    4283. 

  4283. 

  4284.     return 0;
    4285. 

  4285. }
    4286. 

  4286. 

  4287. 

  4288. /* Used for parsing in QSHCipher structs on Key Exchange */
    4289. 

  4289. int TLSX_QSHCipher_Parse(WOLFSSL* ssl, const byte* input, word16 length,
    4290. 

  4290.                                                                   byte isServer)
    4291. 

  4291. {
    4292. 

  4292.     QSHKey* key;
    4293. 

  4293.     word16 Max_Secret_Len = 48;
    4294. 

  4294.     word16 offset     = 0;
    4295. 

  4295.     word16 offset_len = 0;
    4296. 

  4296.     word32 offset_pk  = 0;
    4297. 

  4297.     word16 name       = 0;
    4298. 

  4298.     word16 secretLen  = 0;
    4299. 

  4299.     byte*  secret     = NULL;
    4300. 

  4300.     word16 buffLen    = 0;
    4301. 

  4301.     byte buff[145]; /* size enough for 3 secrets */
    4302. 

  4302.     buffer* buf;
    4303. 

  4303. 

  4304.     /* pointer to location where secret should be stored */
    4305. 

  4305.     if (isServer) {
    4306. 

  4306.         buf = ssl->QSH_secret->CliSi;
    4307. 

  4307.     }
    4308. 

  4308.     else {
    4309. 

  4309.         buf = ssl->QSH_secret->SerSi;
    4310. 

  4310.     }
    4311. 

  4311. 

  4312.     offset_pk = ((input[offset_len] << 16)    & 0xFF0000) |
    4313. 

  4313.                 (((input[offset_len + 1]) << 8) & 0xFF00) |
    4314. 

  4314.                 (input[offset_len + 2] & 0xFF);
    4315. 

  4315.     offset_len += OPAQUE24_LEN;
    4316. 

  4316. 

  4317.     /* validating extension list length -- check if trying to read over edge
    4318. 

  4318.        of buffer */
    4319. 

  4319.     if (length < (offset_pk + OPAQUE24_LEN)) {
    4320. 

  4320.         return BUFFER_ERROR;
    4321. 

  4321.     }
    4322. 

  4322. 

  4323.     /* QSHCipherList struct */
    4324. 

  4324.     offset_pk += offset_len;
    4325. 

  4325.     while (offset_len < offset_pk) {
    4326. 

  4326. 

  4327.         /* scheme id */
    4328. 

  4328.         ato16(input + offset_len, &name);
    4329. 

  4329.         offset_len += OPAQUE16_LEN;
    4330. 

  4330. 

  4331.         /* public key length */
    4332. 

  4332.         ato16(input + offset_len, &secretLen);
    4333. 

  4333.         offset_len += OPAQUE16_LEN;
    4334. 

  4334. 

  4335.         /* read in public key */
    4336. 

  4336.         if (secretLen > 0) {
    4337. 

  4337.             secret = (byte*)(input + offset_len);
    4338. 

  4338.             offset_len += secretLen;
    4339. 

  4339.         }
    4340. 

  4340.         else {
    4341. 

  4341.             secret = NULL;
    4342. 

  4342.         }
    4343. 

  4343. 

  4344.         /* no secret sent */
    4345. 

  4345.         if (secret == NULL)
    4346. 

  4346.             continue;
    4347. 

  4347. 

  4348.         /* find corresponding key */
    4349. 

  4349.         key = ssl->QSH_Key;
    4350. 

  4350.         while (key) {
    4351. 

  4351.             if (key->name == name)
    4352. 

  4352.                 break;
    4353. 

  4353.             else
    4354. 

  4354.                 key = (QSHKey*)key->next;
    4355. 

  4355.         }
    4356. 

  4356. 

  4357.         /* if we do not have the key than there was a big issue negotiation */
    4358. 

  4358.         if (key == NULL) {
    4359. 

  4359.             WOLFSSL_MSG("key was null for decryption!!!\n");
    4360. 

  4360.             return MEMORY_E;
    4361. 

  4361.         }
    4362. 

  4362. 

  4363.         /* Decrypt sent secret */
    4364. 

  4364.         buffLen = Max_Secret_Len;
    4365. 

  4365.         QSH_Decrypt(key, secret, secretLen, buff + offset, &buffLen);
    4366. 

  4366.         offset += buffLen;
    4367. 

  4367.     }
    4368. 

  4368. 

  4369.     /* allocate memory for buffer */
    4370. 

  4370.     buf->length = offset;
    4371. 

  4371.     buf->buffer = (byte*)XMALLOC(offset, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    4372. 

  4372.     if (buf->buffer == NULL)
    4373. 

  4373.         return MEMORY_E;
    4374. 

  4374. 

  4375.     /* store secrets */
    4376. 

  4376.     XMEMCPY(buf->buffer, buff, offset);
    4377. 

  4377.     ForceZero(buff, offset);
    4378. 

  4378. 

  4379.     return offset_len;
    4380. 

  4380. }
    4381. 

  4381. 

  4382. 

  4383. /* return 1 on success */
    4384. 

  4384. int TLSX_ValidateQSHScheme(TLSX** extensions, word16 theirs) {
    4385. 

  4385.     TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID);
    4386. 

  4386.     QSHScheme* format    = NULL;
    4387. 

  4387. 

  4388.     /* if no extension is sent then do not use QSH */
    4389. 

  4389.     if (!extension) {
    4390. 

  4390.         WOLFSSL_MSG("No QSH Extension");
    4391. 

  4391.         return 0;
    4392. 

  4392.     }
    4393. 

  4393. 

  4394.     for (format = (QSHScheme*)extension->data; format; format = format->next) {
    4395. 

  4395.         if (format->name == theirs) {
    4396. 

  4396. 	        WOLFSSL_MSG("Found Matching QSH Scheme");
    4397. 

  4397.             return 1; /* have QSH */
    4398. 

  4398.         }
    4399. 

  4399.     }
    4400. 

  4400. 

  4401.     return 0;
    4402. 

  4402. }
    4403. 

  4403. #endif /* NO_WOLFSSL_SERVER */
    4404. 

  4404. 

  4405. /* test if the QSH Scheme is implemented
    4406. 

  4406.    return 1 if yes 0 if no */
    4407. 

  4407. static int TLSX_HaveQSHScheme(word16 name)
    4408. 

  4408. {
    4409. 

  4409.     switch(name) {
    4410. 

  4410.         #ifdef HAVE_NTRU
    4411. 

  4411.             case WOLFSSL_NTRU_EESS439:
    4412. 

  4412.             case WOLFSSL_NTRU_EESS593:
    4413. 

  4413.             case WOLFSSL_NTRU_EESS743:
    4414. 

  4414.                     return 1;
    4415. 

  4415.         #endif
    4416. 

  4416.             case WOLFSSL_LWE_XXX:
    4417. 

  4417.             case WOLFSSL_HFE_XXX:
    4418. 

  4418.                     return 0; /* not supported yet */
    4419. 

  4419. 

  4420.         default:
    4421. 

  4421.             return 0;
    4422. 

  4422.     }
    4423. 

  4423. }
    4424. 

  4424. 

  4425. 

  4426. /* Add a QSHScheme struct to list of usable ones */
    4427. 

  4427. int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz,
    4428. 

  4428.                                                                      void* heap)
    4429. 

  4429. {
    4430. 

  4430.     TLSX*      extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID);
    4431. 

  4431.     QSHScheme* format    = NULL;
    4432. 

  4432.     int        ret       = 0;
    4433. 

  4433. 

  4434.     /* sanity check */
    4435. 

  4435.     if (extensions == NULL || (pKey == NULL && pkeySz != 0))
    4436. 

  4436.         return BAD_FUNC_ARG;
    4437. 

  4437. 

  4438.     /* if scheme is implemented than add */
    4439. 

  4439.     if (TLSX_HaveQSHScheme(name)) {
    4440. 

  4440. 	    if ((ret = TLSX_QSH_Append(&format, name, pKey, pkeySz)) != 0)
    4441. 

  4441. 	        return ret;
    4442. 

  4442. 

  4443. 	    if (!extension) {
    4444. 

  4444. 	        if ((ret = TLSX_Push(extensions, TLSX_QUANTUM_SAFE_HYBRID, format,
    4445. 

  4445.                                                                   heap)) != 0) {
    4446. 

  4446. 	            XFREE(format, 0, DYNAMIC_TYPE_TLSX);
    4447. 

  4447. 	            return ret;
    4448. 

  4448. 	        }
    4449. 

  4449. 	    }
    4450. 

  4450. 	    else {
    4451. 

  4451. 	        /* push new QSH object to extension data. */
    4452. 

  4452. 	        format->next = (QSHScheme*)extension->data;
    4453. 

  4453. 	        extension->data = (void*)format;
    4454. 

  4454. 

  4455. 	        /* look for another format of the same name to remove (replacement) */
    4456. 

  4456. 	        do {
    4457. 

  4457. 	            if (format->next && (format->next->name == name)) {
    4458. 

  4458. 	                QSHScheme* next = format->next;
    4459. 

  4459. 

  4460. 	                format->next = next->next;
    4461. 

  4461. 	                XFREE(next, 0, DYNAMIC_TYPE_TLSX);
    4462. 

  4462. 

  4463. 	                break;
    4464. 

  4464. 	            }
    4465. 

  4465. 	        } while ((format = format->next));
    4466. 

  4466. 	    }
    4467. 

  4467.     }
    4468. 

  4468.     return WOLFSSL_SUCCESS;
    4469. 

  4469. }
    4470. 

  4470. 

  4471. #define QSH_FREE_ALL         TLSX_QSH_FreeAll
    4472. 

  4472. #define QSH_VALIDATE_REQUEST TLSX_QSH_ValidateRequest
    4473. 

  4473. 

  4474. #ifndef NO_WOLFSSL_CLIENT
    4475. 

  4475. #define QSH_GET_SIZE TLSX_QSH_GetSize
    4476. 

  4476. #define QSH_WRITE    TLSX_QSH_Write
    4477. 

  4477. #else
    4478. 

  4478. #define QSH_GET_SIZE(list)         0
    4479. 

  4479. #define QSH_WRITE(a, b)            0
    4480. 

  4480. #endif
    4481. 

  4481. 

  4482. #ifndef NO_WOLFSSL_SERVER
    4483. 

  4483. #define QSH_PARSE TLSX_QSH_Parse
    4484. 

  4484. #else
    4485. 

  4485. #define QSH_PARSE(a, b, c, d)      0
    4486. 

  4486. #endif
    4487. 

  4487. 

  4488. #define QSHPK_WRITE TLSX_QSHPK_Write
    4489. 

  4489. #define QSH_SERREQ TLSX_QSH_SerPKReq
    4490. 

  4490. #else
    4491. 

  4491. 

  4492. #define QSH_FREE_ALL(list, heap)
    4493. 

  4493. #define QSH_GET_SIZE(list, a)      0
    4494. 

  4494. #define QSH_WRITE(a, b)            0
    4495. 

  4495. #define QSH_PARSE(a, b, c, d)      0
    4496. 

  4496. #define QSHPK_WRITE(a, b)          0
    4497. 

  4497. #define QSH_SERREQ(a, b)           0
    4498. 

  4498. #define QSH_VALIDATE_REQUEST(a, b)
    4499. 

  4499. 

  4500. #endif /* HAVE_QSH */
    4501. 

  4501. 

  4502. /******************************************************************************/
    4503. 

  4503. /* Supported Versions                                                         */
    4504. 

  4504. /******************************************************************************/
    4505. 

  4505. 

  4506. #ifdef WOLFSSL_TLS13
    4507. 

  4507. /* Return the size of the SupportedVersions extension's data.
    4508. 

  4508.  *
    4509. 

  4509.  * data       The SSL/TLS object.
    4510. 

  4510.  * msgType The type of the message this extension is being written into.
    4511. 

  4511.  * returns the length of data that will be in the extension.
    4512. 

  4512.  */
    4513. 

  4513. static word16 TLSX_SupportedVersions_GetSize(void* data, byte msgType)
    4514. 

  4514. {
    4515. 

  4515.     WOLFSSL* ssl = (WOLFSSL*)data;
    4516. 

  4516. 

  4517.     if (msgType == client_hello) {
    4518. 

  4518.         /* TLS v1.2 and TLS v1.3  */
    4519. 

  4519.         int cnt = 2;
    4520. 

  4520. 

  4521. #ifndef NO_OLD_TLS
    4522. 

  4522.         /* TLS v1 and TLS v1.1  */
    4523. 

  4523.         cnt += 2;
    4524. 

  4524. #endif
    4525. 

  4525. 

  4526.         if (!ssl->options.downgrade)
    4527. 

  4527.             cnt = 1;
    4528. 

  4528. 

  4529.         return (word16)(OPAQUE8_LEN + cnt * OPAQUE16_LEN);
    4530. 

  4530.     }
    4531. 

  4531. #ifndef WOLFSSL_TLS13_DRAFT_18
    4532. 

  4532.     else if (msgType == server_hello || msgType == hello_retry_request)
    4533. 

  4533.         return OPAQUE16_LEN;
    4534. 

  4534. #endif
    4535. 

  4535.     else
    4536. 

  4536.         return SANITY_MSG_E;
    4537. 

  4537. }
    4538. 

  4538. 

  4539. /* Writes the SupportedVersions extension into the buffer.
    4540. 

  4540.  *
    4541. 

  4541.  * data    The SSL/TLS object.
    4542. 

  4542.  * output  The buffer to write the extension into.
    4543. 

  4543.  * msgType The type of the message this extension is being written into.
    4544. 

  4544.  * returns the length of data that was written.
    4545. 

  4545.  */
    4546. 

  4546. static word16 TLSX_SupportedVersions_Write(void* data, byte* output,
    4547. 

  4547.                                            byte msgType)
    4548. 

  4548. {
    4549. 

  4549.     WOLFSSL* ssl = (WOLFSSL*)data;
    4550. 

  4550.     ProtocolVersion pv;
    4551. 

  4551.     int i;
    4552. 

  4552.     int cnt;
    4553. 

  4553. 

  4554.     if (msgType == client_hello) {
    4555. 

  4555.         pv = ssl->ctx->method->version;
    4556. 

  4556.         /* TLS v1.2 and TLS v1.3  */
    4557. 

  4557.         cnt = 2;
    4558. 

  4558. 

  4559. #ifndef NO_OLD_TLS
    4560. 

  4560.         /* TLS v1 and TLS v1.1  */
    4561. 

  4561.         cnt += 2;
    4562. 

  4562. #endif
    4563. 

  4563. 

  4564.         if (!ssl->options.downgrade)
    4565. 

  4565.             cnt = 1;
    4566. 

  4566. 

  4567.         *(output++) = (byte)(cnt * OPAQUE16_LEN);
    4568. 

  4568.         for (i = 0; i < cnt; i++) {
    4569. 

  4569.             /* TODO: [TLS13] Remove code when TLS v1.3 becomes an RFC. */
    4570. 

  4570.             if (pv.minor - i == TLSv1_3_MINOR) {
    4571. 

  4571.                 /* The TLS draft major number. */
    4572. 

  4572.                 *(output++) = TLS_DRAFT_MAJOR;
    4573. 

  4573.                 /* Version of draft supported. */
    4574. 

  4574.                 *(output++) = TLS_DRAFT_MINOR;
    4575. 

  4575.                 continue;
    4576. 

  4576.             }
    4577. 

  4577. 

  4578.             *(output++) = pv.major;
    4579. 

  4579.             *(output++) = pv.minor - i;
    4580. 

  4580.         }
    4581. 

  4581. 

  4582.         return (word16)(OPAQUE8_LEN + cnt * OPAQUE16_LEN);
    4583. 

  4583.     }
    4584. 

  4584. #ifndef WOLFSSL_TLS13_DRAFT_18
    4585. 

  4585.     else if (msgType == server_hello || msgType == hello_retry_request) {
    4586. 

  4586.         output[0] = ssl->version.major;
    4587. 

  4587.         output[1] = ssl->version.minor;
    4588. 

  4588. 

  4589.         return OPAQUE16_LEN;
    4590. 

  4590.     }
    4591. 

  4591. #endif
    4592. 

  4592.     else
    4593. 

  4593.         return SANITY_MSG_E;
    4594. 

  4594. }
    4595. 

  4595. 

  4596. /* Parse the SupportedVersions extension.
    4597. 

  4597.  *
    4598. 

  4598.  * ssl     The SSL/TLS object.
    4599. 

  4599.  * input   The buffer with the extension data.
    4600. 

  4600.  * length  The length of the extension data.
    4601. 

  4601.  * msgType The type of the message this extension is being parsed from.
    4602. 

  4602.  * returns 0 on success, otherwise failure.
    4603. 

  4603.  */
    4604. 

  4604. static int TLSX_SupportedVersions_Parse(WOLFSSL *ssl, byte* input,
    4605. 

  4605.                                         word16 length, byte msgType)
    4606. 

  4606. {
    4607. 

  4607.     ProtocolVersion pv = ssl->ctx->method->version;
    4608. 

  4608.     int i;
    4609. 

  4609.     int ret = VERSION_ERROR;
    4610. 

  4610.     int len;
    4611. 

  4611.     byte major, minor;
    4612. 

  4612. 

  4613.     if (msgType == client_hello) {
    4614. 

  4614.         /* Must contain a length and at least one version. */
    4615. 

  4615.         if (length < OPAQUE8_LEN + OPAQUE16_LEN || (length & 1) != 1)
    4616. 

  4616.             return BUFFER_ERROR;
    4617. 

  4617. 

  4618.         len = *input;
    4619. 

  4619. 

  4620.         /* Protocol version array must fill rest of data. */
    4621. 

  4621.         if (length != OPAQUE8_LEN + len)
    4622. 

  4622.             return BUFFER_ERROR;
    4623. 

  4623. 

  4624.         input++;
    4625. 

  4625. 

  4626.         /* Find first match. */
    4627. 

  4627.         for (i = 0; i < len; i += OPAQUE16_LEN) {
    4628. 

  4628.             major = input[i];
    4629. 

  4629.             minor = input[i + OPAQUE8_LEN];
    4630. 

  4630. 

  4631.             /* TODO: [TLS13] Remove code when TLS v1.3 becomes an RFC. */
    4632. 

  4632.             if (major == TLS_DRAFT_MAJOR && minor == TLS_DRAFT_MINOR) {
    4633. 

  4633.                 major = SSLv3_MAJOR;
    4634. 

  4634.                 minor = TLSv1_3_MINOR;
    4635. 

  4635.             }
    4636. 

  4636. 

  4637.             if (major != pv.major)
    4638. 

  4638.                 continue;
    4639. 

  4639. 

  4640.             /* No upgrade allowed. */
    4641. 

  4641.             if (ssl->version.minor > minor)
    4642. 

  4642.                     continue;
    4643. 

  4643.             /* Check downgrade. */
    4644. 

  4644.             if (ssl->version.minor < minor) {
    4645. 

  4645.                 if (!ssl->options.downgrade)
    4646. 

  4646.                     continue;
    4647. 

  4647. 

  4648. #ifdef NO_OLD_TLS
    4649. 

  4649.                 if (minor < TLSv1_2_MINOR)
    4650. 

  4650.                     continue;
    4651. 

  4651. #endif
    4652. 

  4652.                 /* Downgrade the version. */
    4653. 

  4653.                 ssl->version.minor = minor;
    4654. 

  4654.             }
    4655. 

  4655. 

  4656.             if (minor >= TLSv1_3_MINOR) {
    4657. 

  4657.                 ssl->options.tls1_3 = 1;
    4658. 

  4658.                 TLSX_Push(&ssl->extensions, TLSX_SUPPORTED_VERSIONS, ssl,
    4659. 

  4659.                           ssl->heap);
    4660. 

  4660. #ifndef WOLFSSL_TLS13_DRAFT_18
    4661. 

  4661.                 TLSX_SetResponse(ssl, TLSX_SUPPORTED_VERSIONS);
    4662. 

  4662. #endif
    4663. 

  4663.             }
    4664. 

  4664.             ret = 0;
    4665. 

  4665.             break;
    4666. 

  4666.         }
    4667. 

  4667.     }
    4668. 

  4668. #ifndef WOLFSSL_TLS13_DRAFT_18
    4669. 

  4669.     else if (msgType == server_hello || msgType == hello_retry_request) {
    4670. 

  4670.         /* Must contain one version. */
    4671. 

  4671.         if (length != OPAQUE16_LEN)
    4672. 

  4672.             return BUFFER_ERROR;
    4673. 

  4673. 

  4674.         major = input[0];
    4675. 

  4675.         minor = input[OPAQUE8_LEN];
    4676. 

  4676. 

  4677.         /* TODO: [TLS13] Remove code when TLS v1.3 becomes an RFC. */
    4678. 

  4678.         if (major == TLS_DRAFT_MAJOR && minor == TLS_DRAFT_MINOR) {
    4679. 

  4679.             major = SSLv3_MAJOR;
    4680. 

  4680.             minor = TLSv1_3_MINOR;
    4681. 

  4681.         }
    4682. 

  4682. 

  4683.         if (major != pv.major)
    4684. 

  4684.             return VERSION_ERROR;
    4685. 

  4685. 

  4686.         /* No upgrade allowed. */
    4687. 

  4687.         if (ssl->version.minor < minor)
    4688. 

  4688.             return VERSION_ERROR;
    4689. 

  4689. 

  4690.         /* Check downgrade. */
    4691. 

  4691.         if (ssl->version.minor > minor) {
    4692. 

  4692.             if (!ssl->options.downgrade)
    4693. 

  4693.                 return VERSION_ERROR;
    4694. 

  4694. 

  4695. #ifdef NO_OLD_TLS
    4696. 

  4696.             if (minor < TLSv1_2_MINOR)
    4697. 

  4697.                 return VERSION_ERROR;
    4698. 

  4698. #endif
    4699. 

  4699.             /* Downgrade the version. */
    4700. 

  4700.             ssl->version.minor = minor;
    4701. 

  4701.         }
    4702. 

  4702. 

  4703.         ret = 0;
    4704. 

  4704.     }
    4705. 

  4705. #endif
    4706. 

  4706.     else
    4707. 

  4707.         return SANITY_MSG_E;
    4708. 

  4708. 

  4709.     return ret;
    4710. 

  4710. }
    4711. 

  4711. 

  4712. /* Sets a new SupportedVersions extension into the extension list.
    4713. 

  4713.  *
    4714. 

  4714.  * extensions  The list of extensions.
    4715. 

  4715.  * data        The extensions specific data.
    4716. 

  4716.  * heap        The heap used for allocation.
    4717. 

  4717.  * returns 0 on success, otherwise failure.
    4718. 

  4718.  */
    4719. 

  4719. static int TLSX_SetSupportedVersions(TLSX** extensions, const void* data,
    4720. 

  4720.                                      void* heap)
    4721. 

  4721. {
    4722. 

  4722.     if (extensions == NULL || data == NULL)
    4723. 

  4723.         return BAD_FUNC_ARG;
    4724. 

  4724. 

  4725.     return TLSX_Push(extensions, TLSX_SUPPORTED_VERSIONS, (void *)data, heap);
    4726. 

  4726. }
    4727. 

  4727. 

  4728. #define SV_GET_SIZE  TLSX_SupportedVersions_GetSize
    4729. 

  4729. #define SV_WRITE     TLSX_SupportedVersions_Write
    4730. 

  4730. #define SV_PARSE     TLSX_SupportedVersions_Parse
    4731. 

  4731. 

  4732. #else
    4733. 

  4733. 

  4734. #define SV_GET_SIZE(a, b)    0
    4735. 

  4735. #define SV_WRITE(a, b, c)    0
    4736. 

  4736. #define SV_PARSE(a, b, c, d) 0
    4737. 

  4737. 

  4738. #endif /* WOLFSSL_TLS13 */
    4739. 

  4739. 

  4740. #if defined(WOLFSSL_TLS13)
    4741. 

  4741. 

  4742. /******************************************************************************/
    4743. 

  4743. /* Cookie                                                                     */
    4744. 

  4744. /******************************************************************************/
    4745. 

  4745. 

  4746. /* Free the cookie data.
    4747. 

  4747.  *
    4748. 

  4748.  * cookie  Cookie data.
    4749. 

  4749.  * heap    The heap used for allocation.
    4750. 

  4750.  */
    4751. 

  4751. static void TLSX_Cookie_FreeAll(Cookie* cookie, void* heap)
    4752. 

  4752. {
    4753. 

  4753.     (void)heap;
    4754. 

  4754. 

  4755.     if (cookie != NULL)
    4756. 

  4756.         XFREE(cookie, heap, DYNAMIC_TYPE_TLSX);
    4757. 

  4757. }
    4758. 

  4758. 

  4759. /* Get the size of the encoded Cookie extension.
    4760. 

  4760.  * In messages: ClientHello and HelloRetryRequest.
    4761. 

  4761.  *
    4762. 

  4762.  * cookie   The cookie to write.
    4763. 

  4763.  * msgType  The type of the message this extension is being written into.
    4764. 

  4764.  * returns the number of bytes of the encoded Cookie extension.
    4765. 

  4765.  */
    4766. 

  4766. static word16 TLSX_Cookie_GetSize(Cookie* cookie, byte msgType)
    4767. 

  4767. {
    4768. 

  4768.     if (msgType == client_hello || msgType == hello_retry_request)
    4769. 

  4769.         return OPAQUE16_LEN + cookie->len;
    4770. 

  4770. 

  4771.     return SANITY_MSG_E;
    4772. 

  4772. }
    4773. 

  4773. 

  4774. /* Writes the Cookie extension into the output buffer.
    4775. 

  4775.  * Assumes that the the output buffer is big enough to hold data.
    4776. 

  4776.  * In messages: ClientHello and HelloRetryRequest.
    4777. 

  4777.  *
    4778. 

  4778.  * cookie   The cookie to write.
    4779. 

  4779.  * output   The buffer to write into.
    4780. 

  4780.  * msgType  The type of the message this extension is being written into.
    4781. 

  4781.  * returns the number of bytes written into the buffer.
    4782. 

  4782.  */
    4783. 

  4783. static word16 TLSX_Cookie_Write(Cookie* cookie, byte* output, byte msgType)
    4784. 

  4784. {
    4785. 

  4785.     if (msgType == client_hello || msgType == hello_retry_request) {
    4786. 

  4786.         c16toa(cookie->len, output);
    4787. 

  4787.         output += OPAQUE16_LEN;
    4788. 

  4788.         XMEMCPY(output, &cookie->data, cookie->len);
    4789. 

  4789.         return OPAQUE16_LEN + cookie->len;
    4790. 

  4790.     }
    4791. 

  4791. 

  4792.     return SANITY_MSG_E; /* ! */
    4793. 

  4793. }
    4794. 

  4794. 

  4795. /* Parse the Cookie extension.
    4796. 

  4796.  * In messages: ClientHello and HelloRetryRequest.
    4797. 

  4797.  *
    4798. 

  4798.  * ssl      The SSL/TLS object.
    4799. 

  4799.  * input    The extension data.
    4800. 

  4800.  * length   The length of the extension data.
    4801. 

  4801.  * msgType  The type of the message this extension is being parsed from.
    4802. 

  4802.  * returns 0 on success and other values indicate failure.
    4803. 

  4803.  */
    4804. 

  4804. static int TLSX_Cookie_Parse(WOLFSSL* ssl, byte* input, word16 length,
    4805. 

  4805.                                  byte msgType)
    4806. 

  4806. {
    4807. 

  4807.     word16  len;
    4808. 

  4808.     word16  idx = 0;
    4809. 

  4809.     TLSX*   extension;
    4810. 

  4810.     Cookie* cookie;
    4811. 

  4811. 

  4812.     if (msgType != client_hello && msgType != hello_retry_request)
    4813. 

  4813.         return SANITY_MSG_E;
    4814. 

  4814. 

  4815.     /* Message contains length and Cookie which must be at least one byte
    4816. 

  4816.      * in length.
    4817. 

  4817.      */
    4818. 

  4818.     if (length < OPAQUE16_LEN + 1)
    4819. 

  4819.         return BUFFER_E;
    4820. 

  4820.     ato16(input + idx, &len);
    4821. 

  4821.     idx += OPAQUE16_LEN;
    4822. 

  4822.     if (length - idx != len)
    4823. 

  4823.         return BUFFER_E;
    4824. 

  4824. 

  4825.     if (msgType == hello_retry_request)
    4826. 

  4826.         return TLSX_Cookie_Use(ssl, input + idx, len, NULL, 0, 0);
    4827. 

  4827. 

  4828.     /* client_hello */
    4829. 

  4829.     extension = TLSX_Find(ssl->extensions, TLSX_COOKIE);
    4830. 

  4830.     if (extension == NULL)
    4831. 

  4831.         return HRR_COOKIE_ERROR;
    4832. 

  4832. 

  4833.     cookie = (Cookie*)extension->data;
    4834. 

  4834.     if (cookie->len != len || XMEMCMP(&cookie->data, input + idx, len) != 0)
    4835. 

  4835.         return HRR_COOKIE_ERROR;
    4836. 

  4836. 

  4837.     /* Request seen. */
    4838. 

  4838.     extension->resp = 0;
    4839. 

  4839. 

  4840.     return 0;
    4841. 

  4841. }
    4842. 

  4842. 

  4843. /* Use the data to create a new Cookie object in the extensions.
    4844. 

  4844.  *
    4845. 

  4845.  * ssl    SSL/TLS object.
    4846. 

  4846.  * data   Cookie data.
    4847. 

  4847.  * len    Length of cookie data in bytes.
    4848. 

  4848.  * mac    MAC data.
    4849. 

  4849.  * macSz  Length of MAC data in bytes.
    4850. 

  4850.  * resp   Indicates the extension will go into a response (HelloRetryRequest).
    4851. 

  4851.  * returns 0 on success and other values indicate failure.
    4852. 

  4852.  */
    4853. 

  4853. int TLSX_Cookie_Use(WOLFSSL* ssl, byte* data, word16 len, byte* mac,
    4854. 

  4854.                     byte macSz, int resp)
    4855. 

  4855. {
    4856. 

  4856.     int     ret = 0;
    4857. 

  4857.     TLSX*   extension;
    4858. 

  4858.     Cookie* cookie;
    4859. 

  4859. 

  4860.     /* Find the cookie extension if it exists. */
    4861. 

  4861.     extension = TLSX_Find(ssl->extensions, TLSX_COOKIE);
    4862. 

  4862.     if (extension == NULL) {
    4863. 

  4863.         /* Push new cookie extension. */
    4864. 

  4864.         ret = TLSX_Push(&ssl->extensions, TLSX_COOKIE, NULL, ssl->heap);
    4865. 

  4865.         if (ret != 0)
    4866. 

  4866.             return ret;
    4867. 

  4867. 

  4868.         extension = TLSX_Find(ssl->extensions, TLSX_COOKIE);
    4869. 

  4869.         if (extension == NULL)
    4870. 

  4870.             return MEMORY_E;
    4871. 

  4871.     }
    4872. 

  4872. 

  4873.     /* The Cookie structure has one byte for cookie data already. */
    4874. 

  4874.     cookie = (Cookie*)XMALLOC(sizeof(Cookie) + len + macSz - 1, ssl->heap,
    4875. 

  4875.                               DYNAMIC_TYPE_TLSX);
    4876. 

  4876.     if (cookie == NULL)
    4877. 

  4877.         return MEMORY_E;
    4878. 

  4878. 

  4879.     cookie->len = len + macSz;
    4880. 

  4880.     XMEMCPY(&cookie->data, data, len);
    4881. 

  4881.     if (mac != NULL)
    4882. 

  4882.         XMEMCPY(&cookie->data + len, mac, macSz);
    4883. 

  4883. 

  4884.     extension->data = (void*)cookie;
    4885. 

  4885.     extension->resp = (byte)resp;
    4886. 

  4886. 

  4887.     return 0;
    4888. 

  4888. }
    4889. 

  4889. 

  4890. #define CKE_FREE_ALL  TLSX_Cookie_FreeAll
    4891. 

  4891. #define CKE_GET_SIZE  TLSX_Cookie_GetSize
    4892. 

  4892. #define CKE_WRITE     TLSX_Cookie_Write
    4893. 

  4893. #define CKE_PARSE     TLSX_Cookie_Parse
    4894. 

  4894. 

  4895. #else
    4896. 

  4896. 

  4897. #define CKE_FREE_ALL(a, b)    0
    4898. 

  4898. #define CKE_GET_SIZE(a, b)    0
    4899. 

  4899. #define CKE_WRITE(a, b, c)    0
    4900. 

  4900. #define CKE_PARSE(a, b, c, d) 0
    4901. 

  4901. 

  4902. #endif
    4903. 

  4903. 

  4904. /******************************************************************************/
    4905. 

  4905. /* Sugnature Algorithms                                                       */
    4906. 

  4906. /******************************************************************************/
    4907. 

  4907. 

  4908. /* Return the size of the SignatureAlgorithms extension's data.
    4909. 

  4909.  *
    4910. 

  4910.  * data  Unused
    4911. 

  4911.  * returns the length of data that will be in the extension.
    4912. 

  4912.  */
    4913. 

  4913. static word16 TLSX_SignatureAlgorithms_GetSize(void* data)
    4914. 

  4914. {
    4915. 

  4915.     WOLFSSL* ssl = (WOLFSSL*)data;
    4916. 

  4916. 

  4917.     return OPAQUE16_LEN + ssl->suites->hashSigAlgoSz;
    4918. 

  4918. }
    4919. 

  4919. 

  4920. /* Creates a bit string of supported hash algorithms with RSA PSS.
    4921. 

  4921.  * The bit string is used when determining which signature algorithm to use
    4922. 

  4922.  * when creating the CertificateVerify message.
    4923. 

  4923.  * Note: Valid data has an even length as each signature algorithm is two bytes.
    4924. 

  4924.  *
    4925. 

  4925.  * ssl     The SSL/TLS object.
    4926. 

  4926.  * input   The buffer with the list of supported signature algorithms.
    4927. 

  4927.  * length  The length of the list in bytes.
    4928. 

  4928.  * returns 0 on success, BUFFER_ERROR when the length is not even.
    4929. 

  4929.  */
    4930. 

  4930. static int TLSX_SignatureAlgorithms_MapPss(WOLFSSL *ssl, byte* input,
    4931. 

  4931.                                                                   word16 length)
    4932. 

  4932. {
    4933. 

  4933.     word16 i;
    4934. 

  4934. 

  4935.     if ((length & 1) == 1)
    4936. 

  4936.         return BUFFER_ERROR;
    4937. 

  4937. 

  4938.     ssl->pssAlgo = 0;
    4939. 

  4939.     for (i = 0; i < length; i += 2) {
    4940. 

  4940.         if (input[i] == rsa_pss_sa_algo && input[i + 1] <= sha512_mac)
    4941. 

  4941.             ssl->pssAlgo |= 1 << input[i + 1];
    4942. 

  4942.     }
    4943. 

  4943. 

  4944.     return 0;
    4945. 

  4945. }
    4946. 

  4946. 

  4947. /* Writes the SignatureAlgorithms extension into the buffer.
    4948. 

  4948.  *
    4949. 

  4949.  * data    Unused
    4950. 

  4950.  * output  The buffer to write the extension into.
    4951. 

  4951.  * returns the length of data that was written.
    4952. 

  4952.  */
    4953. 

  4953. static word16 TLSX_SignatureAlgorithms_Write(void* data, byte* output)
    4954. 

  4954. {
    4955. 

  4955.     WOLFSSL* ssl = (WOLFSSL*)data;
    4956. 

  4956. 

  4957.     c16toa(ssl->suites->hashSigAlgoSz, output);
    4958. 

  4958.     XMEMCPY(output + OPAQUE16_LEN, ssl->suites->hashSigAlgo,
    4959. 

  4959.             ssl->suites->hashSigAlgoSz);
    4960. 

  4960. 

  4961.     TLSX_SignatureAlgorithms_MapPss(ssl, output + OPAQUE16_LEN,
    4962. 

  4962.                                     ssl->suites->hashSigAlgoSz);
    4963. 

  4963. 

  4964.     return OPAQUE16_LEN + ssl->suites->hashSigAlgoSz;
    4965. 

  4965. }
    4966. 

  4966. 

  4967. /* Parse the SignatureAlgorithms extension.
    4968. 

  4968.  *
    4969. 

  4969.  * ssl     The SSL/TLS object.
    4970. 

  4970.  * input   The buffer with the extension data.
    4971. 

  4971.  * length  The length of the extension data.
    4972. 

  4972.  * returns 0 on success, otherwise failure.
    4973. 

  4973.  */
    4974. 

  4974. static int TLSX_SignatureAlgorithms_Parse(WOLFSSL *ssl, byte* input,
    4975. 

  4975.                                   word16 length, byte isRequest, Suites* suites)
    4976. 

  4976. {
    4977. 

  4977.     word16 len;
    4978. 

  4978. 

  4979.     if (!isRequest)
    4980. 

  4980.         return BUFFER_ERROR;
    4981. 

  4981. 

  4982.     /* Must contain a length and at least algorithm. */
    4983. 

  4983.     if (length < OPAQUE16_LEN + OPAQUE16_LEN || (length & 1) != 0)
    4984. 

  4984.         return BUFFER_ERROR;
    4985. 

  4985. 

  4986.     ato16(input, &len);
    4987. 

  4987.     input += OPAQUE16_LEN;
    4988. 

  4988. 

  4989.     /* Algorithm array must fill rest of data. */
    4990. 

  4990.     if (length != OPAQUE16_LEN + len)
    4991. 

  4991.         return BUFFER_ERROR;
    4992. 

  4992. 

  4993.     /* truncate hashSigAlgo list if too long */
    4994. 

  4994.     suites->hashSigAlgoSz = len;
    4995. 

  4995.     if (suites->hashSigAlgoSz > WOLFSSL_MAX_SIGALGO) {
    4996. 

  4996.         WOLFSSL_MSG("TLSX SigAlgo list exceeds max, truncating");
    4997. 

  4997.         suites->hashSigAlgoSz = WOLFSSL_MAX_SIGALGO;
    4998. 

  4998.     }
    4999. 

  4999.     XMEMCPY(suites->hashSigAlgo, input, suites->hashSigAlgoSz);
    5000. 

  5000. 

  5001.     return TLSX_SignatureAlgorithms_MapPss(ssl, input, len);
    5002. 

  5002. }
    5003. 

  5003. 

  5004. /* Sets a new SupportedVersions extension into the extension list.
    5005. 

  5005.  *
    5006. 

  5006.  * extensions  The list of extensions.
    5007. 

  5007.  * data        The extensions specific data.
    5008. 

  5008.  * heap        The heap used for allocation.
    5009. 

  5009.  * returns 0 on success, otherwise failure.
    5010. 

  5010.  */
    5011. 

  5011. static int TLSX_SetSignatureAlgorithms(TLSX** extensions, const void* data,
    5012. 

  5012.                                        void* heap)
    5013. 

  5013. {
    5014. 

  5014.     if (extensions == NULL)
    5015. 

  5015.         return BAD_FUNC_ARG;
    5016. 

  5016. 

  5017.     return TLSX_Push(extensions, TLSX_SIGNATURE_ALGORITHMS, (void *)data, heap);
    5018. 

  5018. }
    5019. 

  5019. 

  5020. #define SA_GET_SIZE  TLSX_SignatureAlgorithms_GetSize
    5021. 

  5021. #define SA_WRITE     TLSX_SignatureAlgorithms_Write
    5022. 

  5022. #define SA_PARSE     TLSX_SignatureAlgorithms_Parse
    5023. 

  5023. 

  5024. 

  5025. /******************************************************************************/
    5026. 

  5026. /* Key Share                                                                  */
    5027. 

  5027. /******************************************************************************/
    5028. 

  5028. 

  5029. #ifdef WOLFSSL_TLS13
    5030. 

  5030. #ifndef NO_DH
    5031. 

  5031. /* Create a key share entry using named Diffie-Hellman parameters group.
    5032. 

  5032.  * Generates a key pair.
    5033. 

  5033.  *
    5034. 

  5034.  * ssl   The SSL/TLS object.
    5035. 

  5035.  * kse   The key share entry object.
    5036. 

  5036.  * returns 0 on success, otherwise failure.
    5037. 

  5037.  */
    5038. 

  5038. static int TLSX_KeyShare_GenDhKey(WOLFSSL *ssl, KeyShareEntry* kse)
    5039. 

  5039. {
    5040. 

  5040.     int             ret;
    5041. 

  5041.     byte*           keyData;
    5042. 

  5042.     void*           key = NULL;
    5043. 

  5043.     word32          keySz;
    5044. 

  5044.     word32          dataSz;
    5045. 

  5045.     const DhParams* params;
    5046. 

  5046.     DhKey dhKey;
    5047. 

  5047. 

  5048.     /* TODO: [TLS13] The key size should come from wolfcrypt. */
    5049. 

  5049.     /* Pick the parameters from the named group. */
    5050. 

  5050.     switch (kse->group) {
    5051. 

  5051.     #ifdef HAVE_FFDHE_2048
    5052. 

  5052.         case WOLFSSL_FFDHE_2048:
    5053. 

  5053.             params = wc_Dh_ffdhe2048_Get();
    5054. 

  5054.             keySz = 29;
    5055. 

  5055.             break;
    5056. 

  5056.     #endif
    5057. 

  5057.     #ifdef HAVE_FFDHE_3072
    5058. 

  5058.         case WOLFSSL_FFDHE_3072:
    5059. 

  5059.             params = wc_Dh_ffdhe3072_Get();
    5060. 

  5060.             keySz = 34;
    5061. 

  5061.             break;
    5062. 

  5062.     #endif
    5063. 

  5063.     #ifdef HAVE_FFDHE_4096
    5064. 

  5064.         case WOLFSSL_FFDHE_4096:
    5065. 

  5065.             params = wc_Dh_ffdhe4096_Get();
    5066. 

  5066.             keySz = 39;
    5067. 

  5067.             break;
    5068. 

  5068.     #endif
    5069. 

  5069.     #ifdef HAVE_FFDHE_6144
    5070. 

  5070.         case WOLFSSL_FFDHE_6144:
    5071. 

  5071.             params = wc_Dh_ffdhe6144_Get();
    5072. 

  5072.             keySz = 46;
    5073. 

  5073.             break;
    5074. 

  5074.     #endif
    5075. 

  5075.     #ifdef HAVE_FFDHE_8192
    5076. 

  5076.         case WOLFSSL_FFDHE_8192:
    5077. 

  5077.             params = wc_Dh_ffdhe8192_Get();
    5078. 

  5078.             keySz = 52;
    5079. 

  5079.             break;
    5080. 

  5080.     #endif
    5081. 

  5081.         default:
    5082. 

  5082.             return BAD_FUNC_ARG;
    5083. 

  5083.     }
    5084. 

  5084. 

  5085.     ret = wc_InitDhKey_ex(&dhKey, ssl->heap, ssl->devId);
    5086. 

  5086.     if (ret != 0)
    5087. 

  5087.         return ret;
    5088. 

  5088. 

  5089.     /* Allocate space for the public key. */
    5090. 

  5090.     dataSz = params->p_len;
    5091. 

  5091.     keyData = (byte*)XMALLOC(dataSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    5092. 

  5092.     if (keyData == NULL) {
    5093. 

  5093.         ret = MEMORY_E;
    5094. 

  5094.         goto end;
    5095. 

  5095.     }
    5096. 

  5096.     /* Allocate space for the private key. */
    5097. 

  5097.     key = (byte*)XMALLOC(keySz, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
    5098. 

  5098.     if (key == NULL) {
    5099. 

  5099.         ret = MEMORY_E;
    5100. 

  5100.         goto end;
    5101. 

  5101.     }
    5102. 

  5102. 

  5103.     /* Set key */
    5104. 

  5104.     ret = wc_DhSetKey(&dhKey,
    5105. 

  5105.         (byte*)params->p, params->p_len,
    5106. 

  5106.         (byte*)params->g, params->g_len);
    5107. 

  5107.     if (ret != 0)
    5108. 

  5108.         goto end;
    5109. 

  5109. 

  5110.     /* Generate a new key pair. */
    5111. 

  5111.     ret = wc_DhGenerateKeyPair(&dhKey, ssl->rng, (byte*)key, &keySz, keyData,
    5112. 

  5112.                                &dataSz);
    5113. 

  5113. #ifdef WOLFSSL_ASYNC_CRYPT
    5114. 

  5114.     /* TODO: Make this function non-blocking */
    5115. 

  5115.     if (ret == WC_PENDING_E) {
    5116. 

  5116.         ret = wc_AsyncWait(ret, &dhKey.asyncDev, WC_ASYNC_FLAG_NONE);
    5117. 

  5117.     }
    5118. 

  5118. #endif
    5119. 

  5119.     if (ret != 0)
    5120. 

  5120.         goto end;
    5121. 

  5121. 

  5122.     if (params->p_len != dataSz) {
    5123. 

  5123.         /* Pad the front of the key data with zeros. */
    5124. 

  5124.         XMEMMOVE(keyData + params->p_len - dataSz, keyData, dataSz);
    5125. 

  5125.         XMEMSET(keyData, 0, params->p_len - dataSz);
    5126. 

  5126.     }
    5127. 

  5127. 

  5128.     kse->ke = keyData;
    5129. 

  5129.     kse->keLen = params->p_len;
    5130. 

  5130.     kse->key = key;
    5131. 

  5131.     kse->keyLen = keySz;
    5132. 

  5132. 

  5133. #ifdef WOLFSSL_DEBUG_TLS
    5134. 

  5134.     WOLFSSL_MSG("Public DH Key");
    5135. 

  5135.     WOLFSSL_BUFFER(keyData, params->p_len);
    5136. 

  5136. #endif
    5137. 

  5137. 

  5138. end:
    5139. 

  5139. 

  5140.     wc_FreeDhKey(&dhKey);
    5141. 

  5141. 

  5142.     if (ret != 0) {
    5143. 

  5143.         /* Data owned by key share entry otherwise. */
    5144. 

  5144.         if (keyData != NULL)
    5145. 

  5145.             XFREE(keyData, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    5146. 

  5146.         if (key != NULL)
    5147. 

  5147.             XFREE(key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
    5148. 

  5148.     }
    5149. 

  5149. 

  5150.     return ret;
    5151. 

  5151. }
    5152. 

  5152. #endif
    5153. 

  5153. 

  5154. #ifdef HAVE_ECC
    5155. 

  5155. /* Create a key share entry using named elliptic curve parameters group.
    5156. 

  5156.  * Generates a key pair.
    5157. 

  5157.  *
    5158. 

  5158.  * ssl   The SSL/TLS object.
    5159. 

  5159.  * kse   The key share entry object.
    5160. 

  5160.  * returns 0 on success, otherwise failure.
    5161. 

  5161.  */
    5162. 

  5162. static int TLSX_KeyShare_GenEccKey(WOLFSSL *ssl, KeyShareEntry* kse)
    5163. 

  5163. {
    5164. 

  5164.     int      ret;
    5165. 

  5165.     byte*    keyData = NULL;
    5166. 

  5166.     word32   dataSize;
    5167. 

  5167.     word32   keySize;
    5168. 

  5168.     ecc_key* eccKey = NULL;
    5169. 

  5169.     word16   curveId;
    5170. 

  5170. 

  5171.     /* TODO: [TLS13] The key sizes should come from wolfcrypt. */
    5172. 

  5172.     /* Translate named group to a curve id. */
    5173. 

  5173.     switch (kse->group) {
    5174. 

  5174.     #if !defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)
    5175. 

  5175.         #ifndef NO_ECC_SECP
    5176. 

  5176.         case WOLFSSL_ECC_SECP256R1:
    5177. 

  5177.             curveId = ECC_SECP256R1;
    5178. 

  5178.             keySize = 32;
    5179. 

  5179.             dataSize = keySize * 2 + 1;
    5180. 

  5180.             break;
    5181. 

  5181.         #endif /* !NO_ECC_SECP */
    5182. 

  5182.     #endif
    5183. 

  5183.     #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
    5184. 

  5184.         #ifndef NO_ECC_SECP
    5185. 

  5185.         case WOLFSSL_ECC_SECP384R1:
    5186. 

  5186.             curveId = ECC_SECP384R1;
    5187. 

  5187.             keySize = 48;
    5188. 

  5188.             dataSize = keySize * 2 + 1;
    5189. 

  5189.             break;
    5190. 

  5190.         #endif /* !NO_ECC_SECP */
    5191. 

  5191.     #endif
    5192. 

  5192.     #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
    5193. 

  5193.         #ifndef NO_ECC_SECP
    5194. 

  5194.         case WOLFSSL_ECC_SECP521R1:
    5195. 

  5195.             curveId = ECC_SECP521R1;
    5196. 

  5196.             keySize = 66;
    5197. 

  5197.             dataSize = keySize * 2 + 1;
    5198. 

  5198.             break;
    5199. 

  5199.         #endif /* !NO_ECC_SECP */
    5200. 

  5200.     #endif
    5201. 

  5201.     #ifdef HAVE_CURVE25519
    5202. 

  5202.         case WOLFSSL_ECC_X25519:
    5203. 

  5203.             {
    5204. 

  5204.                 curve25519_key* key;
    5205. 

  5205.                 /* Allocate an ECC key to hold private key. */
    5206. 

  5206.                 key = (curve25519_key*)XMALLOC(sizeof(curve25519_key),
    5207. 

  5207.                                            ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
    5208. 

  5208.                 if (key == NULL) {
    5209. 

  5209.                     WOLFSSL_MSG("EccTempKey Memory error");
    5210. 

  5210.                     return MEMORY_E;
    5211. 

  5211.                 }
    5212. 

  5212. 

  5213.                 dataSize = keySize = 32;
    5214. 

  5214. 

  5215.                 /* Make an ECC key. */
    5216. 

  5216.                 ret = wc_curve25519_init(key);
    5217. 

  5217.                 if (ret != 0)
    5218. 

  5218.                     goto end;
    5219. 

  5219.                 ret = wc_curve25519_make_key(ssl->rng, keySize, key);
    5220. 

  5220.                 if (ret != 0)
    5221. 

  5221.                     goto end;
    5222. 

  5222. 

  5223.                 /* Allocate space for the public key. */
    5224. 

  5224.                 keyData = (byte*)XMALLOC(dataSize, ssl->heap,
    5225. 

  5225.                                          DYNAMIC_TYPE_PUBLIC_KEY);
    5226. 

  5226.                 if (keyData == NULL) {
    5227. 

  5227.                     WOLFSSL_MSG("Key data Memory error");
    5228. 

  5228.                     ret = MEMORY_E;
    5229. 

  5229.                     goto end;
    5230. 

  5230.                 }
    5231. 

  5231. 

  5232.                 /* Export public key. */
    5233. 

  5233.                 if (wc_curve25519_export_public_ex(key, keyData, &dataSize,
    5234. 

  5234.                                                   EC25519_LITTLE_ENDIAN) != 0) {
    5235. 

  5235.                     ret = ECC_EXPORT_ERROR;
    5236. 

  5236.                     goto end;
    5237. 

  5237.                 }
    5238. 

  5238. 

  5239.                 kse->ke = keyData;
    5240. 

  5240.                 kse->keLen = dataSize;
    5241. 

  5241.                 kse->key = key;
    5242. 

  5242. 

  5243. #ifdef WOLFSSL_DEBUG_TLS
    5244. 

  5244.                 WOLFSSL_MSG("Public Curve25519 Key");
    5245. 

  5245.                 WOLFSSL_BUFFER(keyData, dataSize);
    5246. 

  5246. #endif
    5247. 

  5247. 

  5248.                 goto end;
    5249. 

  5249.             }
    5250. 

  5250.     #endif
    5251. 

  5251.     #ifdef HAVE_X448
    5252. 

  5252.         case WOLFSSL_ECC_X448:
    5253. 

  5253.             curveId = ECC_X448;
    5254. 

  5254.             dataSize = keySize = 56;
    5255. 

  5255.             break;
    5256. 

  5256.     #endif
    5257. 

  5257.         default:
    5258. 

  5258.             return BAD_FUNC_ARG;
    5259. 

  5259.     }
    5260. 

  5260. 

  5261.     /* Allocate an ECC key to hold private key. */
    5262. 

  5262.     eccKey = (ecc_key*)XMALLOC(sizeof(ecc_key), ssl->heap,
    5263. 

  5263.                                DYNAMIC_TYPE_PRIVATE_KEY);
    5264. 

  5264.     if (eccKey == NULL) {
    5265. 

  5265.         WOLFSSL_MSG("EccTempKey Memory error");
    5266. 

  5266.         return MEMORY_E;
    5267. 

  5267.     }
    5268. 

  5268. 

  5269.     /* Make an ECC key. */
    5270. 

  5270.     ret = wc_ecc_init_ex(eccKey, ssl->heap, ssl->devId);
    5271. 

  5271.     if (ret != 0)
    5272. 

  5272.         goto end;
    5273. 

  5273.     ret = wc_ecc_make_key_ex(ssl->rng, keySize, eccKey, curveId);
    5274. 

  5274. #ifdef WOLFSSL_ASYNC_CRYPT
    5275. 

  5275.     /* TODO: Make this function non-blocking */
    5276. 

  5276.     if (ret == WC_PENDING_E) {
    5277. 

  5277.         ret = wc_AsyncWait(ret, &eccKey->asyncDev, WC_ASYNC_FLAG_NONE);
    5278. 

  5278.     }
    5279. 

  5279. #endif
    5280. 

  5280.     if (ret != 0)
    5281. 

  5281.         goto end;
    5282. 

  5282. 

  5283.     /* Allocate space for the public key. */
    5284. 

  5284.     keyData = (byte*)XMALLOC(dataSize, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    5285. 

  5285.     if (keyData == NULL) {
    5286. 

  5286.         WOLFSSL_MSG("Key data Memory error");
    5287. 

  5287.         ret = MEMORY_E;
    5288. 

  5288.         goto end;
    5289. 

  5289.     }
    5290. 

  5290. 

  5291.     /* Export public key. */
    5292. 

  5292.     if (wc_ecc_export_x963(eccKey, keyData, &dataSize) != 0) {
    5293. 

  5293.         ret = ECC_EXPORT_ERROR;
    5294. 

  5294.         goto end;
    5295. 

  5295.     }
    5296. 

  5296. 

  5297.     kse->ke = keyData;
    5298. 

  5298.     kse->keLen = dataSize;
    5299. 

  5299.     kse->key = eccKey;
    5300. 

  5300. 

  5301. #ifdef WOLFSSL_DEBUG_TLS
    5302. 

  5302.     WOLFSSL_MSG("Public ECC Key");
    5303. 

  5303.     WOLFSSL_BUFFER(keyData, dataSize);
    5304. 

  5304. #endif
    5305. 

  5305. 

  5306. end:
    5307. 

  5307.     if (ret != 0) {
    5308. 

  5308.         /* Data owned by key share entry otherwise. */
    5309. 

  5309.         if (eccKey != NULL)
    5310. 

  5310.             XFREE(eccKey, ssl->heap, DYNAMIC_TYPE_TLSX);
    5311. 

  5311.         if (keyData != NULL)
    5312. 

  5312.             XFREE(keyData, ssl->heap, DYNAMIC_TYPE_TLSX);
    5313. 

  5313.     }
    5314. 

  5314.     return ret;
    5315. 

  5315. }
    5316. 

  5316. #endif /* HAVE_ECC */
    5317. 

  5317. 

  5318. /* Generate a secret/key using the key share entry.
    5319. 

  5319.  *
    5320. 

  5320.  * ssl  The SSL/TLS object.
    5321. 

  5321.  * kse  The key share entry holding peer data.
    5322. 

  5322.  */
    5323. 

  5323. static int TLSX_KeyShare_GenKey(WOLFSSL *ssl, KeyShareEntry *kse)
    5324. 

  5324. {
    5325. 

  5325. #ifndef NO_DH
    5326. 

  5326.     /* Named FFHE groups have a bit set to identify them. */
    5327. 

  5327.     if ((kse->group & NAMED_DH_MASK) == NAMED_DH_MASK)
    5328. 

  5328.         return TLSX_KeyShare_GenDhKey(ssl, kse);
    5329. 

  5329. #endif
    5330. 

  5330. #ifdef HAVE_ECC
    5331. 

  5331.     return TLSX_KeyShare_GenEccKey(ssl, kse);
    5332. 

  5332. #else
    5333. 

  5333.     return NOT_COMPILED_IN;
    5334. 

  5334. #endif
    5335. 

  5335. }
    5336. 

  5336. 

  5337. /* Free the key share dynamic data.
    5338. 

  5338.  *
    5339. 

  5339.  * list  The linked list of key share entry objects.
    5340. 

  5340.  * heap  The heap used for allocation.
    5341. 

  5341.  */
    5342. 

  5342. static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap)
    5343. 

  5343. {
    5344. 

  5344.     KeyShareEntry* current;
    5345. 

  5345. 

  5346.     while ((current = list) != NULL) {
    5347. 

  5347.         list = current->next;
    5348. 

  5348. #ifdef HAVE_ECC
    5349. 

  5349.         if ((current->group & NAMED_DH_MASK) == 0) {
    5350. 

  5350.             if (current->group == WOLFSSL_ECC_X25519) {
    5351. 

  5351. #ifdef HAVE_CURVE25519
    5352. 

  5352. 

  5353. #endif
    5354. 

  5354.             }
    5355. 

  5355.             else {
    5356. 

  5356. #ifdef HAVE_ECC
    5357. 

  5357.                 wc_ecc_free((ecc_key*)(current->key));
    5358. 

  5358. #endif
    5359. 

  5359.             }
    5360. 

  5360.         }
    5361. 

  5361. #endif
    5362. 

  5362.         XFREE(current->key, heap, DYNAMIC_TYPE_PRIVATE_KEY);
    5363. 

  5363.         XFREE(current->ke, heap, DYNAMIC_TYPE_PUBLIC_KEY);
    5364. 

  5364.         XFREE(current, heap, DYNAMIC_TYPE_TLSX);
    5365. 

  5365.     }
    5366. 

  5366. 

  5367.     (void)heap;
    5368. 

  5368. }
    5369. 

  5369. 

  5370. /* Get the size of the encoded key share extension.
    5371. 

  5371.  *
    5372. 

  5372.  * list     The linked list of key share extensions.
    5373. 

  5373.  * msgType  The type of the message this extension is being written into.
    5374. 

  5374.  * returns the number of bytes of the encoded key share extension.
    5375. 

  5375.  */
    5376. 

  5376. static word16 TLSX_KeyShare_GetSize(KeyShareEntry* list, byte msgType)
    5377. 

  5377. {
    5378. 

  5378.     int            len = 0;
    5379. 

  5379.     byte           isRequest = (msgType == client_hello);
    5380. 

  5380.     KeyShareEntry* current;
    5381. 

  5381. 

  5382.     /* The named group the server wants to use. */
    5383. 

  5383.     if (msgType == hello_retry_request)
    5384. 

  5384.         return OPAQUE16_LEN;
    5385. 

  5385. 

  5386.     /* List of key exchange groups. */
    5387. 

  5387.     if (isRequest)
    5388. 

  5388.         len += OPAQUE16_LEN;
    5389. 

  5389.     while ((current = list) != NULL) {
    5390. 

  5390.         list = current->next;
    5391. 

  5391. 

  5392.         if (!isRequest && current->key == NULL)
    5393. 

  5393.             continue;
    5394. 

  5394. 

  5395.         len += (int)(KE_GROUP_LEN + OPAQUE16_LEN + current->keLen);
    5396. 

  5396.     }
    5397. 

  5397. 

  5398.     return (word16)len;
    5399. 

  5399. }
    5400. 

  5400. 

  5401. /* Writes the key share extension into the output buffer.
    5402. 

  5402.  * Assumes that the the output buffer is big enough to hold data.
    5403. 

  5403.  *
    5404. 

  5404.  * list     The linked list of key share entries.
    5405. 

  5405.  * output   The buffer to write into.
    5406. 

  5406.  * msgType  The type of the message this extension is being written into.
    5407. 

  5407.  * returns the number of bytes written into the buffer.
    5408. 

  5408.  */
    5409. 

  5409. static word16 TLSX_KeyShare_Write(KeyShareEntry* list, byte* output,
    5410. 

  5410.                                   byte msgType)
    5411. 

  5411. {
    5412. 

  5412.     word16         i = 0;
    5413. 

  5413.     byte           isRequest = (msgType == client_hello);
    5414. 

  5414.     KeyShareEntry* current;
    5415. 

  5415. 

  5416.     if (msgType == hello_retry_request) {
    5417. 

  5417.         c16toa(list->group, output);
    5418. 

  5418.         return OPAQUE16_LEN;
    5419. 

  5419.     }
    5420. 

  5420. 

  5421.     /* ClientHello has a list but ServerHello is only the chosen. */
    5422. 

  5422.     if (isRequest)
    5423. 

  5423.         i += OPAQUE16_LEN;
    5424. 

  5424. 

  5425.     /* Write out all in the list. */
    5426. 

  5426.     while ((current = list) != NULL) {
    5427. 

  5427.         list = current->next;
    5428. 

  5428. 

  5429.         if (!isRequest && current->key == NULL)
    5430. 

  5430.             continue;
    5431. 

  5431. 

  5432.         c16toa(current->group, &output[i]);
    5433. 

  5433.         i += KE_GROUP_LEN;
    5434. 

  5434.         c16toa(current->keLen, &output[i]);
    5435. 

  5435.         i += OPAQUE16_LEN;
    5436. 

  5436.         XMEMCPY(&output[i], current->ke, current->keLen);
    5437. 

  5437.         i += current->keLen;
    5438. 

  5438.     }
    5439. 

  5439.     /* Write the length of the list if required. */
    5440. 

  5440.     if (isRequest)
    5441. 

  5441.         c16toa(i - OPAQUE16_LEN, output);
    5442. 

  5442. 

  5443.     return i;
    5444. 

  5444. }
    5445. 

  5445. 

  5446. /* Process the DH key share extension on the client side.
    5447. 

  5447.  *
    5448. 

  5448.  * ssl            The SSL/TLS object.
    5449. 

  5449.  * keyShareEntry  The key share entry object to use to calculate shared secret.
    5450. 

  5450.  * returns 0 on success and other values indicate failure.
    5451. 

  5451.  */
    5452. 

  5452. static int TLSX_KeyShare_ProcessDh(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
    5453. 

  5453. {
    5454. 

  5454. #ifndef NO_DH
    5455. 

  5455.     int             ret;
    5456. 

  5456.     const DhParams* params;
    5457. 

  5457.     word16          i;
    5458. 

  5458.     byte            b;
    5459. 

  5459.     DhKey           dhKey;
    5460. 

  5460. 

  5461.     switch (keyShareEntry->group) {
    5462. 

  5462.     #ifdef HAVE_FFDHE_2048
    5463. 

  5463.         case WOLFSSL_FFDHE_2048:
    5464. 

  5464.             params = wc_Dh_ffdhe2048_Get();
    5465. 

  5465.             break;
    5466. 

  5466.     #endif
    5467. 

  5467.     #ifdef HAVE_FFDHE_3072
    5468. 

  5468.         case WOLFSSL_FFDHE_3072:
    5469. 

  5469.             params = wc_Dh_ffdhe3072_Get();
    5470. 

  5470.             break;
    5471. 

  5471.     #endif
    5472. 

  5472.     #ifdef HAVE_FFDHE_4096
    5473. 

  5473.         case WOLFSSL_FFDHE_4096:
    5474. 

  5474.             params = wc_Dh_ffdhe4096_Get();
    5475. 

  5475.             break;
    5476. 

  5476.     #endif
    5477. 

  5477.     #ifdef HAVE_FFDHE_6144
    5478. 

  5478.         case WOLFSSL_FFDHE_6144:
    5479. 

  5479.             params = wc_Dh_ffdhe6144_Get();
    5480. 

  5480.             break;
    5481. 

  5481.     #endif
    5482. 

  5482.     #ifdef HAVE_FFDHE_8192
    5483. 

  5483.         case WOLFSSL_FFDHE_8192:
    5484. 

  5484.             params = wc_Dh_ffdhe8192_Get();
    5485. 

  5485.             break;
    5486. 

  5486.     #endif
    5487. 

  5487.         default:
    5488. 

  5488.             return PEER_KEY_ERROR;
    5489. 

  5489.     }
    5490. 

  5490. 

  5491. #ifdef WOLFSSL_DEBUG_TLS
    5492. 

  5492.     WOLFSSL_MSG("Peer DH Key");
    5493. 

  5493.     WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen);
    5494. 

  5494. #endif
    5495. 

  5495. 

  5496.     if (params->p_len != keyShareEntry->keLen)
    5497. 

  5497.         return BUFFER_ERROR;
    5498. 

  5498.     ssl->options.dhKeySz = params->p_len;
    5499. 

  5499. 

  5500.     /* TODO: [TLS13] move this check down into wolfcrypt. */
    5501. 

  5501.     /* Check that public DH key is not 0 or 1. */
    5502. 

  5502.     b = 0;
    5503. 

  5503.     for (i = 0; i < params->p_len - 1; i++)
    5504. 

  5504.         b |= keyShareEntry->ke[i];
    5505. 

  5505.     if (b == 0 && (keyShareEntry->ke[i] == 0x00 ||
    5506. 

  5506.                    keyShareEntry->ke[i] == 0x01)) {
    5507. 

  5507.         return PEER_KEY_ERROR;
    5508. 

  5508.     }
    5509. 

  5509.     /* Check that public DH key is not mod, mod + 1 or mod - 1. */
    5510. 

  5510.     b = 0;
    5511. 

  5511.     for (i = 0; i < params->p_len - 1; i++)
    5512. 

  5512.         b |= params->p[i] ^ keyShareEntry->ke[i];
    5513. 

  5513.     if (b == 0 && (params->p[i]     == keyShareEntry->ke[i] ||
    5514. 

  5514.                    params->p[i] - 1 == keyShareEntry->ke[i] ||
    5515. 

  5515.                    params->p[i] + 1 == keyShareEntry->ke[i])) {
    5516. 

  5516.         return PEER_KEY_ERROR;
    5517. 

  5517.     }
    5518. 

  5518. 

  5519.     ret = wc_InitDhKey_ex(&dhKey, ssl->heap, ssl->devId);
    5520. 

  5520.     if (ret != 0)
    5521. 

  5521.         return ret;
    5522. 

  5522. 

  5523.     /* Set key */
    5524. 

  5524.     ret = wc_DhSetKey(&dhKey,
    5525. 

  5525.         (byte*)params->p, params->p_len,
    5526. 

  5526.         (byte*)params->g, params->g_len);
    5527. 

  5527.     if (ret != 0) {
    5528. 

  5528.         wc_FreeDhKey(&dhKey);
    5529. 

  5529.         return ret;
    5530. 

  5530.     }
    5531. 

  5531. 

  5532.     /* Derive secret from private key and peer's public key. */
    5533. 

  5533.     ret = wc_DhAgree(&dhKey,
    5534. 

  5534.         ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz,
    5535. 

  5535.         (const byte*)keyShareEntry->key, keyShareEntry->keyLen,
    5536. 

  5536.         keyShareEntry->ke, keyShareEntry->keLen);
    5537. 

  5537. #ifdef WOLFSSL_ASYNC_CRYPT
    5538. 

  5538.     /* TODO: Make this function non-blocking */
    5539. 

  5539.     if (ret == WC_PENDING_E) {
    5540. 

  5540.         ret = wc_AsyncWait(ret, &dhKey.asyncDev, WC_ASYNC_FLAG_NONE);
    5541. 

  5541.     }
    5542. 

  5542. #endif
    5543. 

  5543. 

  5544.     wc_FreeDhKey(&dhKey);
    5545. 

  5545. 

  5546.     return ret;
    5547. 

  5547. #else
    5548. 

  5548.     (void)ssl;
    5549. 

  5549.     (void)keyShareEntry;
    5550. 

  5550.     return PEER_KEY_ERROR;
    5551. 

  5551. #endif
    5552. 

  5552. }
    5553. 

  5553. 

  5554. /* Process the ECC key share extension on the client side.
    5555. 

  5555.  *
    5556. 

  5556.  * ssl            The SSL/TLS object.
    5557. 

  5557.  * keyShareEntry  The key share entry object to use to calculate shared secret.
    5558. 

  5558.  * returns 0 on success and other values indicate failure.
    5559. 

  5559.  */
    5560. 

  5560. static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
    5561. 

  5561. {
    5562. 

  5562.     int ret;
    5563. 

  5563. 

  5564. #ifdef HAVE_ECC
    5565. 

  5565.     int curveId;
    5566. 

  5566.     ecc_key* keyShareKey = (ecc_key*)keyShareEntry->key;
    5567. 

  5567. 

  5568.     if (ssl->peerEccKey != NULL)
    5569. 

  5569.         wc_ecc_free(ssl->peerEccKey);
    5570. 

  5570. 

  5571.     ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key), ssl->heap,
    5572. 

  5572.                                         DYNAMIC_TYPE_ECC);
    5573. 

  5573.     if (ssl->peerEccKey == NULL) {
    5574. 

  5574.         WOLFSSL_MSG("PeerEccKey Memory error");
    5575. 

  5575.         return MEMORY_ERROR;
    5576. 

  5576.     }
    5577. 

  5577.     ret = wc_ecc_init_ex(ssl->peerEccKey, ssl->heap, ssl->devId);
    5578. 

  5578.     if (ret != 0)
    5579. 

  5579.         return ret;
    5580. 

  5580. 

  5581.     /* find supported curve */
    5582. 

  5582.     switch (keyShareEntry->group) {
    5583. 

  5583.     #if !defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)
    5584. 

  5584.         #ifndef NO_ECC_SECP
    5585. 

  5585.         case WOLFSSL_ECC_SECP256R1:
    5586. 

  5586.             curveId = ECC_SECP256R1;
    5587. 

  5587.             break;
    5588. 

  5588.         #endif /* !NO_ECC_SECP */
    5589. 

  5589.     #endif
    5590. 

  5590.     #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
    5591. 

  5591.         #ifndef NO_ECC_SECP
    5592. 

  5592.         case WOLFSSL_ECC_SECP384R1:
    5593. 

  5593.             curveId = ECC_SECP384R1;
    5594. 

  5594.             break;
    5595. 

  5595.         #endif /* !NO_ECC_SECP */
    5596. 

  5596.     #endif
    5597. 

  5597.     #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
    5598. 

  5598.         #ifndef NO_ECC_SECP
    5599. 

  5599.         case WOLFSSL_ECC_SECP521R1:
    5600. 

  5600.             curveId = ECC_SECP521R1;
    5601. 

  5601.             break;
    5602. 

  5602.         #endif /* !NO_ECC_SECP */
    5603. 

  5603.     #endif
    5604. 

  5604.     #ifdef HAVE_CURVE25519
    5605. 

  5605.         case WOLFSSL_ECC_X25519:
    5606. 

  5606.             {
    5607. 

  5607.                 curve25519_key* key = (curve25519_key*)keyShareEntry->key;
    5608. 

  5608.                 curve25519_key* peerEccKey;
    5609. 

  5609. 

  5610.                 if (ssl->peerEccKey != NULL)
    5611. 

  5611.                     wc_ecc_free(ssl->peerEccKey);
    5612. 

  5612. 

  5613.                 peerEccKey = (curve25519_key*)XMALLOC(sizeof(curve25519_key),
    5614. 

  5614.                                                   ssl->heap, DYNAMIC_TYPE_TLSX);
    5615. 

  5615.                 if (peerEccKey == NULL) {
    5616. 

  5616.                     WOLFSSL_MSG("PeerEccKey Memory error");
    5617. 

  5617.                     return MEMORY_ERROR;
    5618. 

  5618.                 }
    5619. 

  5619.                 ret = wc_curve25519_init(peerEccKey);
    5620. 

  5620.                 if (ret != 0)
    5621. 

  5621.                     return ret;
    5622. 

  5622. #ifdef WOLFSSL_DEBUG_TLS
    5623. 

  5623.                 WOLFSSL_MSG("Peer Curve25519 Key");
    5624. 

  5624.                 WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen);
    5625. 

  5625. #endif
    5626. 

  5626. 

  5627.                 /* Point is validated by import function. */
    5628. 

  5628.                 if (wc_curve25519_import_public_ex(keyShareEntry->ke,
    5629. 

  5629.                                                keyShareEntry->keLen, peerEccKey,
    5630. 

  5630.                                                EC25519_LITTLE_ENDIAN) != 0) {
    5631. 

  5631.                     return ECC_PEERKEY_ERROR;
    5632. 

  5632.                 }
    5633. 

  5633. 

  5634.                 ssl->arrays->preMasterSz = ENCRYPT_LEN;
    5635. 

  5635.                 ret = wc_curve25519_shared_secret_ex(key, peerEccKey,
    5636. 

  5636.                     ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz,
    5637. 

  5637.                     EC25519_LITTLE_ENDIAN);
    5638. 

  5638.                 wc_curve25519_free(peerEccKey);
    5639. 

  5639.                 XFREE(peerEccKey, ssl->heap, DYNAMIC_TYPE_TLSX);
    5640. 

  5640.                 ssl->ecdhCurveOID = ECC_X25519_OID;
    5641. 

  5641.                 return ret;
    5642. 

  5642.             }
    5643. 

  5643.     #endif
    5644. 

  5644.     #ifdef HAVE_X448
    5645. 

  5645.         case WOLFSSL_ECC_X448:
    5646. 

  5646.             curveId = ECC_X448;
    5647. 

  5647.             break;
    5648. 

  5648.     #endif
    5649. 

  5649.         default:
    5650. 

  5650.             /* unsupported curve */
    5651. 

  5651.             return ECC_PEERKEY_ERROR;
    5652. 

  5652.     }
    5653. 

  5653. 

  5654. #ifdef WOLFSSL_DEBUG_TLS
    5655. 

  5655.     WOLFSSL_MSG("Peer ECC Key");
    5656. 

  5656.     WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen);
    5657. 

  5657. #endif
    5658. 

  5658. 

  5659.     /* Point is validated by import function. */
    5660. 

  5660.     if (wc_ecc_import_x963_ex(keyShareEntry->ke, keyShareEntry->keLen,
    5661. 

  5661.                               ssl->peerEccKey, curveId) != 0) {
    5662. 

  5662.         return ECC_PEERKEY_ERROR;
    5663. 

  5663.     }
    5664. 

  5664.     ssl->ecdhCurveOID = ssl->peerEccKey->dp->oidSum;
    5665. 

  5665. 

  5666.     ssl->arrays->preMasterSz = ENCRYPT_LEN;
    5667. 

  5667.     do {
    5668. 

  5668.     #if defined(WOLFSSL_ASYNC_CRYPT)
    5669. 

  5669.         ret = wc_AsyncWait(ret, &keyShareKey->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
    5670. 

  5670.     #endif
    5671. 

  5671.         if (ret >= 0)
    5672. 

  5672.             ret = wc_ecc_shared_secret(keyShareKey, ssl->peerEccKey,
    5673. 

  5673.                 ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz);
    5674. 

  5674.     } while (ret == WC_PENDING_E);
    5675. 

  5675. 

  5676. #if 0
    5677. 

  5677.     /* TODO: Switch to support async here and use: */
    5678. 

  5678.     ret = EccSharedSecret(ssl, keyShareEntry->key, ssl->peerEccKey,
    5679. 

  5679.         keyShareEntry->ke, &keyShareEntry->keLen,
    5680. 

  5680.         ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz,
    5681. 

  5681.         ssl->options.side,
    5682. 

  5682.     #ifdef HAVE_PK_CALLBACKS
    5683. 

  5683.         ssl->EccSharedSecretCtx
    5684. 

  5684.     #else
    5685. 

  5685.         NULL
    5686. 

  5686.     #endif
    5687. 

  5687.     );
    5688. 

  5688. #endif
    5689. 

  5689. 

  5690. 

  5691. #else
    5692. 

  5692.     (void)ssl;
    5693. 

  5693.     (void)keyShareEntry;
    5694. 

  5694. 

  5695.     ret = PEER_KEY_ERROR;
    5696. 

  5696. #endif /* HAVE_ECC */
    5697. 

  5697. 

  5698.     return ret;
    5699. 

  5699. }
    5700. 

  5700. 

  5701. /* Process the key share extension on the client side.
    5702. 

  5702.  *
    5703. 

  5703.  * ssl            The SSL/TLS object.
    5704. 

  5704.  * keyShareEntry  The key share entry object to use to calculate shared secret.
    5705. 

  5705.  * returns 0 on success and other values indicate failure.
    5706. 

  5706.  */
    5707. 

  5707. static int TLSX_KeyShare_Process(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
    5708. 

  5708. {
    5709. 

  5709.     int ret;
    5710. 

  5710. 

  5711. #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    5712. 

  5712.     ssl->session.namedGroup = (byte)keyShareEntry->group;
    5713. 

  5713. #endif
    5714. 

  5714.     /* Use Key Share Data from server. */
    5715. 

  5715.     if (keyShareEntry->group & NAMED_DH_MASK)
    5716. 

  5716.         ret = TLSX_KeyShare_ProcessDh(ssl, keyShareEntry);
    5717. 

  5717.     else
    5718. 

  5718.         ret = TLSX_KeyShare_ProcessEcc(ssl, keyShareEntry);
    5719. 

  5719. 

  5720. #ifdef WOLFSSL_DEBUG_TLS
    5721. 

  5721.     WOLFSSL_MSG("KE Secret");
    5722. 

  5722.     WOLFSSL_BUFFER(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
    5723. 

  5723. #endif
    5724. 

  5724. 

  5725.     return ret;
    5726. 

  5726. }
    5727. 

  5727. 

  5728. /* Parse an entry of the KeyShare extension.
    5729. 

  5729.  *
    5730. 

  5730.  * ssl     The SSL/TLS object.
    5731. 

  5731.  * input   The extension data.
    5732. 

  5732.  * length  The length of the extension data.
    5733. 

  5733.  * kse     The new key share entry object.
    5734. 

  5734.  * returns a positive number to indicate amount of data parsed and a negative
    5735. 

  5735.  * number on error.
    5736. 

  5736.  */
    5737. 

  5737. static int TLSX_KeyShareEntry_Parse(WOLFSSL* ssl, byte* input, word16 length,
    5738. 

  5738.                                     KeyShareEntry **kse)
    5739. 

  5739. {
    5740. 

  5740.     int    ret;
    5741. 

  5741.     word16 group;
    5742. 

  5742.     word16 keLen;
    5743. 

  5743.     int    offset = 0;
    5744. 

  5744.     byte*  ke;
    5745. 

  5745. 

  5746.     if (length < OPAQUE16_LEN + OPAQUE16_LEN)
    5747. 

  5747.         return BUFFER_ERROR;
    5748. 

  5748.     /* Named group */
    5749. 

  5749.     ato16(&input[offset], &group);
    5750. 

  5750.     offset += OPAQUE16_LEN;
    5751. 

  5751.     /* Key exchange data - public key. */
    5752. 

  5752.     ato16(&input[offset], &keLen);
    5753. 

  5753.     offset += OPAQUE16_LEN;
    5754. 

  5754.     if (keLen < 1 || keLen > length - offset)
    5755. 

  5755.         return BUFFER_ERROR;
    5756. 

  5756. 

  5757.     /* Store a copy in the key share object. */
    5758. 

  5758.     ke = (byte*)XMALLOC(keLen, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    5759. 

  5759.     if (ke == NULL)
    5760. 

  5760.         return MEMORY_E;
    5761. 

  5761.     XMEMCPY(ke, &input[offset], keLen);
    5762. 

  5762. 

  5763.     /* Populate a key share object in the extension. */
    5764. 

  5764.     ret = TLSX_KeyShare_Use(ssl, group, keLen, ke, kse);
    5765. 

  5765.     if (ret != 0) {
    5766. 

  5766.         XFREE(ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    5767. 

  5767.         return ret;
    5768. 

  5768.     }
    5769. 

  5769. 

  5770.     /* Total length of the parsed data. */
    5771. 

  5771.     return offset + keLen;
    5772. 

  5772. }
    5773. 

  5773. 

  5774. /* Searches the groups sent for the specified named group.
    5775. 

  5775.  *
    5776. 

  5776.  * ssl   The SSL/TLS object.
    5777. 

  5777.  * name  The group name to match.
    5778. 

  5778.  * returns 1 when the extension has the group name and 0 otherwise.
    5779. 

  5779.  */
    5780. 

  5780. static int TLSX_KeyShare_Find(WOLFSSL* ssl, word16 group)
    5781. 

  5781. {
    5782. 

  5782.     TLSX*          extension;
    5783. 

  5783.     KeyShareEntry* list;
    5784. 

  5784. 

  5785.     extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
    5786. 

  5786.     if (extension == NULL)
    5787. 

  5787.         return 0;
    5788. 

  5788. 

  5789.     list = (KeyShareEntry*)extension->data;
    5790. 

  5790.     while (list != NULL) {
    5791. 

  5791.         if (list->group == group) {
    5792. 

  5792.             return 1;
    5793. 

  5793.         }
    5794. 

  5794.         list = list->next;
    5795. 

  5795.     }
    5796. 

  5796. 

  5797.     return 0;
    5798. 

  5798. }
    5799. 

  5799. 

  5800. 

  5801. /* Searches the supported groups extension for the specified named group.
    5802. 

  5802.  *
    5803. 

  5803.  * ssl   The SSL/TLS object.
    5804. 

  5804.  * name  The group name to match.
    5805. 

  5805.  * returns 1 when the extension has the group name and 0 otherwise.
    5806. 

  5806.  */
    5807. 

  5807. static int TLSX_SupportedGroups_Find(WOLFSSL* ssl, word16 name)
    5808. 

  5808. {
    5809. 

  5809. #ifdef HAVE_SUPPORTED_CURVES
    5810. 

  5810.     TLSX*          extension;
    5811. 

  5811.     SupportedCurve* curve = NULL;
    5812. 

  5812. 

  5813.     if ((extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)) == NULL)
    5814. 

  5814.         return 0;
    5815. 

  5815. 

  5816.     for (curve = (SupportedCurve*)extension->data; curve; curve = curve->next) {
    5817. 

  5817.         if (curve->name == name)
    5818. 

  5818.             return 1;
    5819. 

  5819.     }
    5820. 

  5820. #endif
    5821. 

  5821. 

  5822.     (void)ssl;
    5823. 

  5823.     (void)name;
    5824. 

  5824. 

  5825.     return 0;
    5826. 

  5826. }
    5827. 

  5827. 

  5828. 

  5829. /* Parse the KeyShare extension.
    5830. 

  5830.  * Different formats in different messages.
    5831. 

  5831.  *
    5832. 

  5832.  * ssl      The SSL/TLS object.
    5833. 

  5833.  * input    The extension data.
    5834. 

  5834.  * length   The length of the extension data.
    5835. 

  5835.  * msgType  The type of the message this extension is being parsed from.
    5836. 

  5836.  * returns 0 on success and other values indicate failure.
    5837. 

  5837.  */
    5838. 

  5838. static int TLSX_KeyShare_Parse(WOLFSSL* ssl, byte* input, word16 length,
    5839. 

  5839.                                byte msgType)
    5840. 

  5840. {
    5841. 

  5841.     int ret;
    5842. 

  5842.     KeyShareEntry *keyShareEntry;
    5843. 

  5843. 

  5844.     if (msgType == client_hello) {
    5845. 

  5845.         int offset = 0;
    5846. 

  5846.         word16 len;
    5847. 

  5847. 

  5848.         if (length < OPAQUE16_LEN)
    5849. 

  5849.             return BUFFER_ERROR;
    5850. 

  5850. 

  5851.         /* ClientHello contains zero or more key share entries. */
    5852. 

  5852.         ato16(input, &len);
    5853. 

  5853.         if (len != length - OPAQUE16_LEN)
    5854. 

  5854.             return BUFFER_ERROR;
    5855. 

  5855.         offset += OPAQUE16_LEN;
    5856. 

  5856. 

  5857.         while (offset < length) {
    5858. 

  5858.             ret = TLSX_KeyShareEntry_Parse(ssl, &input[offset], length,
    5859. 

  5859.                                            &keyShareEntry);
    5860. 

  5860.             if (ret < 0)
    5861. 

  5861.                 return ret;
    5862. 

  5862. 

  5863.             offset += ret;
    5864. 

  5864.         }
    5865. 

  5865. 

  5866.         ret = 0;
    5867. 

  5867.     }
    5868. 

  5868.     else if (msgType == server_hello) {
    5869. 

  5869.         int len;
    5870. 

  5870. 

  5871.         /* ServerHello contains one key share entry. */
    5872. 

  5872.         len = TLSX_KeyShareEntry_Parse(ssl, input, length, &keyShareEntry);
    5873. 

  5873.         if (len != length)
    5874. 

  5874.             return BUFFER_ERROR;
    5875. 

  5875. 

  5876.         /* Not in list sent if there isn't a private key. */
    5877. 

  5877.         if (keyShareEntry->key == NULL)
    5878. 

  5878.             return BAD_KEY_SHARE_DATA;
    5879. 

  5879. 

  5880.         /* Process the entry to calculate the secret. */
    5881. 

  5881.         ret = TLSX_KeyShare_Process(ssl, keyShareEntry);
    5882. 

  5882.     }
    5883. 

  5883.     else if (msgType == hello_retry_request) {
    5884. 

  5884.         word16 group;
    5885. 

  5885. 

  5886.         if (length != OPAQUE16_LEN)
    5887. 

  5887.             return BUFFER_ERROR;
    5888. 

  5888. 

  5889.         /* The data is the named group the server wants to use. */
    5890. 

  5890.         ato16(input, &group);
    5891. 

  5891. 

  5892.         /* Check the selected group was supported by ClientHello extensions. */
    5893. 

  5893.         if (!TLSX_SupportedGroups_Find(ssl, group))
    5894. 

  5894.             return BAD_KEY_SHARE_DATA;
    5895. 

  5895. 

  5896.         /* Check if the group was sent. */
    5897. 

  5897.         if (TLSX_KeyShare_Find(ssl, group))
    5898. 

  5898.             return BAD_KEY_SHARE_DATA;
    5899. 

  5899. 

  5900.         /* Try to use the server's group. */
    5901. 

  5901.         ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL);
    5902. 

  5902.     }
    5903. 

  5903.     else {
    5904. 

  5904.         /* Not a message type that is allowed to have this extension. */
    5905. 

  5905.         return SANITY_MSG_E;
    5906. 

  5906.     }
    5907. 

  5907. 

  5908.     return ret;
    5909. 

  5909. }
    5910. 

  5910. 

  5911. /* Create a new key share entry and put it into the list.
    5912. 

  5912.  *
    5913. 

  5913.  * list           The linked list of key share entries.
    5914. 

  5914.  * group          The named group.
    5915. 

  5915.  * heap           The memory to allocate with.
    5916. 

  5916.  * keyShareEntry  The new key share entry object.
    5917. 

  5917.  * returns 0 on success and other values indicate failure.
    5918. 

  5918.  */
    5919. 

  5919. static int TLSX_KeyShare_New(KeyShareEntry** list, int group, void *heap,
    5920. 

  5920.                              KeyShareEntry** keyShareEntry)
    5921. 

  5921. {
    5922. 

  5922.     KeyShareEntry* kse;
    5923. 

  5923. 

  5924.     kse = (KeyShareEntry*)XMALLOC(sizeof(KeyShareEntry), heap,
    5925. 

  5925.                                   DYNAMIC_TYPE_TLSX);
    5926. 

  5926.     if (kse == NULL)
    5927. 

  5927.         return MEMORY_E;
    5928. 

  5928. 

  5929.     XMEMSET(kse, 0, sizeof(*kse));
    5930. 

  5930.     kse->group = group;
    5931. 

  5931. 

  5932.     /* Add it to the back and maintain the links. */
    5933. 

  5933.     while (*list != NULL)
    5934. 

  5934.         list = &((*list)->next);
    5935. 

  5935.     *list = kse;
    5936. 

  5936.     *keyShareEntry = kse;
    5937. 

  5937. 

  5938.     return 0;
    5939. 

  5939. }
    5940. 

  5940. 

  5941. /* Use the data to create a new key share object in the extensions.
    5942. 

  5942.  *
    5943. 

  5943.  * ssl    The SSL/TLS object.
    5944. 

  5944.  * group  The named group.
    5945. 

  5945.  * len    The length of the public key data.
    5946. 

  5946.  * data   The public key data.
    5947. 

  5947.  * kse    The new key share entry object.
    5948. 

  5948.  * returns 0 on success and other values indicate failure.
    5949. 

  5949.  */
    5950. 

  5950. int TLSX_KeyShare_Use(WOLFSSL* ssl, word16 group, word16 len, byte* data,
    5951. 

  5951.                       KeyShareEntry **kse)
    5952. 

  5952. {
    5953. 

  5953.     int            ret = 0;
    5954. 

  5954.     TLSX*          extension;
    5955. 

  5955.     KeyShareEntry* keyShareEntry = NULL;
    5956. 

  5956. 

  5957.     /* Find the KeyShare extension if it exists. */
    5958. 

  5958.     extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
    5959. 

  5959.     if (extension == NULL) {
    5960. 

  5960.         /* Push new KeyShare extension. */
    5961. 

  5961.         ret = TLSX_Push(&ssl->extensions, TLSX_KEY_SHARE, NULL, ssl->heap);
    5962. 

  5962.         if (ret != 0)
    5963. 

  5963.             return ret;
    5964. 

  5964. 

  5965.         extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
    5966. 

  5966.         if (extension == NULL)
    5967. 

  5967.             return MEMORY_E;
    5968. 

  5968.     }
    5969. 

  5969.     extension->resp = 0;
    5970. 

  5970. 

  5971.     /* Try to find the key share entry with this group. */
    5972. 

  5972.     keyShareEntry = (KeyShareEntry*)extension->data;
    5973. 

  5973.     while (keyShareEntry != NULL) {
    5974. 

  5974.         if (keyShareEntry->group == group)
    5975. 

  5975.             break;
    5976. 

  5976.         keyShareEntry = keyShareEntry->next;
    5977. 

  5977.     }
    5978. 

  5978. 

  5979.     /* Create a new key share entry if not found. */
    5980. 

  5980.     if (keyShareEntry == NULL) {
    5981. 

  5981.         ret = TLSX_KeyShare_New((KeyShareEntry**)&extension->data, group,
    5982. 

  5982.                                 ssl->heap, &keyShareEntry);
    5983. 

  5983.         if (ret != 0)
    5984. 

  5984.             return ret;
    5985. 

  5985.     }
    5986. 

  5986. 

  5987.     if (data != NULL) {
    5988. 

  5988.         /* Keep the public key data and free when finished. */
    5989. 

  5989.         if (keyShareEntry->ke != NULL)
    5990. 

  5990.             XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    5991. 

  5991.         keyShareEntry->ke = data;
    5992. 

  5992.         keyShareEntry->keLen = len;
    5993. 

  5993.     }
    5994. 

  5994.     else {
    5995. 

  5995.         /* Generate a key pair. */
    5996. 

  5996.         ret = TLSX_KeyShare_GenKey(ssl, keyShareEntry);
    5997. 

  5997.         if (ret != 0)
    5998. 

  5998.             return ret;
    5999. 

  5999.     }
    6000. 

  6000. 

  6001.     if (kse != NULL)
    6002. 

  6002.         *kse = keyShareEntry;
    6003. 

  6003. 

  6004.     return 0;
    6005. 

  6005. }
    6006. 

  6006. 

  6007. /* Set an empty Key Share extension.
    6008. 

  6008.  *
    6009. 

  6009.  * ssl  The SSL/TLS object.
    6010. 

  6010.  * returns 0 on success and other values indicate failure.
    6011. 

  6011.  */
    6012. 

  6012. int TLSX_KeyShare_Empty(WOLFSSL* ssl)
    6013. 

  6013. {
    6014. 

  6014.     int   ret = 0;
    6015. 

  6015.     TLSX* extension;
    6016. 

  6016. 

  6017.     /* Find the KeyShare extension if it exists. */
    6018. 

  6018.     extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
    6019. 

  6019.     if (extension == NULL) {
    6020. 

  6020.         /* Push new KeyShare extension. */
    6021. 

  6021.         ret = TLSX_Push(&ssl->extensions, TLSX_KEY_SHARE, NULL, ssl->heap);
    6022. 

  6022.     }
    6023. 

  6023.     else if (extension->data != NULL) {
    6024. 

  6024.         TLSX_KeyShare_FreeAll((KeyShareEntry*)extension->data, ssl->heap);
    6025. 

  6025.         extension->data = NULL;
    6026. 

  6026.     }
    6027. 

  6027. 

  6028.     return ret;
    6029. 

  6029. }
    6030. 

  6030. 

  6031. /* Returns whether this group is supported.
    6032. 

  6032.  *
    6033. 

  6033.  * namedGroup  The named group to check.
    6034. 

  6034.  * returns 1 when supported or 0 otherwise.
    6035. 

  6035.  */
    6036. 

  6036. static int TLSX_KeyShare_IsSupported(int namedGroup)
    6037. 

  6037. {
    6038. 

  6038.     switch (namedGroup) {
    6039. 

  6039.     #ifdef HAVE_FFDHE_2048
    6040. 

  6040.         case WOLFSSL_FFDHE_2048:
    6041. 

  6041.             break;
    6042. 

  6042.     #endif
    6043. 

  6043.     #ifdef HAVE_FFDHE_3072
    6044. 

  6044.         case WOLFSSL_FFDHE_3072:
    6045. 

  6045.             break;
    6046. 

  6046.     #endif
    6047. 

  6047.     #ifdef HAVE_FFDHE_4096
    6048. 

  6048.         case WOLFSSL_FFDHE_4096:
    6049. 

  6049.             break;
    6050. 

  6050.     #endif
    6051. 

  6051.     #ifdef HAVE_FFDHE_6144
    6052. 

  6052.         case WOLFSSL_FFDHE_6144:
    6053. 

  6053.             break;
    6054. 

  6054.     #endif
    6055. 

  6055.     #ifdef HAVE_FFDHE_8192
    6056. 

  6056.         case WOLFSSL_FFDHE_8192:
    6057. 

  6057.             break;
    6058. 

  6058.     #endif
    6059. 

  6059.     #if !defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)
    6060. 

  6060.         #ifndef NO_ECC_SECP
    6061. 

  6061.         case WOLFSSL_ECC_SECP256R1:
    6062. 

  6062.             break;
    6063. 

  6063.         #endif /* !NO_ECC_SECP */
    6064. 

  6064.     #endif
    6065. 

  6065.     #ifdef HAVE_CURVE25519
    6066. 

  6066.         case WOLFSSL_ECC_X25519:
    6067. 

  6067.             break;
    6068. 

  6068.     #endif
    6069. 

  6069.     #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
    6070. 

  6070.         #ifndef NO_ECC_SECP
    6071. 

  6071.         case WOLFSSL_ECC_SECP384R1:
    6072. 

  6072.             break;
    6073. 

  6073.         #endif /* !NO_ECC_SECP */
    6074. 

  6074.     #endif
    6075. 

  6075.     #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
    6076. 

  6076.         #ifndef NO_ECC_SECP
    6077. 

  6077.         case WOLFSSL_ECC_SECP521R1:
    6078. 

  6078.             break;
    6079. 

  6079.         #endif /* !NO_ECC_SECP */
    6080. 

  6080.     #endif
    6081. 

  6081.     #ifdef HAVE_X448
    6082. 

  6082.         case WOLFSSL_ECC_X448:
    6083. 

  6083.             break;
    6084. 

  6084.     #endif
    6085. 

  6085.         default:
    6086. 

  6086.             return 0;
    6087. 

  6087.     }
    6088. 

  6088. 

  6089.     return 1;
    6090. 

  6090. }
    6091. 

  6091. 

  6092. /* Set a key share that is supported by the client into extensions.
    6093. 

  6093.  *
    6094. 

  6094.  * ssl  The SSL/TLS object.
    6095. 

  6095.  * returns BAD_KEY_SHARE_DATA if no supported group has a key share,
    6096. 

  6096.  * 0 if a supported group has a key share and other values indicate an error.
    6097. 

  6097.  */
    6098. 

  6098. static int TLSX_KeyShare_SetSupported(WOLFSSL* ssl)
    6099. 

  6099. {
    6100. 

  6100.     int            ret;
    6101. 

  6101. #ifdef HAVE_SUPPORTED_CURVES
    6102. 

  6102.     TLSX*          extension;
    6103. 

  6103.     SupportedCurve* curve = NULL;
    6104. 

  6104. 

  6105.     /* Use SupportedGroup's order. */
    6106. 

  6106.     extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS);
    6107. 

  6107.     if (extension != NULL)
    6108. 

  6108.         curve = (SupportedCurve*)extension->data;
    6109. 

  6109.     for (; curve != NULL; curve = curve->next) {
    6110. 

  6110.         if (TLSX_KeyShare_IsSupported(curve->name) &&
    6111. 

  6111.                 !TLSX_KeyShare_Find(ssl, curve->name)) {
    6112. 

  6112.             break;
    6113. 

  6113.         }
    6114. 

  6114.     }
    6115. 

  6115.     if (curve == NULL)
    6116. 

  6116.         return BAD_KEY_SHARE_DATA;
    6117. 

  6117. 

  6118.     /* Delete the old key share data list. */
    6119. 

  6119.     extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
    6120. 

  6120.     if (extension != NULL) {
    6121. 

  6121.         TLSX_KeyShare_FreeAll((KeyShareEntry*)extension->data, ssl->heap);
    6122. 

  6122.         extension->data = NULL;
    6123. 

  6123.     }
    6124. 

  6124. 

  6125.     /* Add in the chosen group. */
    6126. 

  6126.     ret = TLSX_KeyShare_Use(ssl, curve->name, 0, NULL, NULL);
    6127. 

  6127.     if (ret != 0)
    6128. 

  6128.         return ret;
    6129. 

  6129. 

  6130.     /* Set extension to be in reponse. */
    6131. 

  6131.     extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
    6132. 

  6132.     extension->resp = 1;
    6133. 

  6133. #else
    6134. 

  6134. 

  6135.     (void)ssl;
    6136. 

  6136.     ret = NOT_COMPILED_IN;
    6137. 

  6137. #endif
    6138. 

  6138. 

  6139.     return ret;
    6140. 

  6140. }
    6141. 

  6141. 

  6142. /* Establish the secret based on the key shares received from the client.
    6143. 

  6143.  *
    6144. 

  6144.  * ssl  The SSL/TLS object.
    6145. 

  6145.  * returns 0 on success and other values indicate failure.
    6146. 

  6146.  */
    6147. 

  6147. int TLSX_KeyShare_Establish(WOLFSSL *ssl)
    6148. 

  6148. {
    6149. 

  6149.     int            ret;
    6150. 

  6150.     TLSX*          extension;
    6151. 

  6151.     KeyShareEntry* clientKSE = NULL;
    6152. 

  6152.     KeyShareEntry* serverKSE;
    6153. 

  6153.     KeyShareEntry* list = NULL;
    6154. 

  6154.     byte*          ke;
    6155. 

  6155.     word16         keLen;
    6156. 

  6156. 

  6157.     /* Find the KeyShare extension if it exists. */
    6158. 

  6158.     extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
    6159. 

  6159.     if (extension != NULL)
    6160. 

  6160.         list = (KeyShareEntry*)extension->data;
    6161. 

  6161. 

  6162.     if (extension && extension->resp == 1)
    6163. 

  6163.         return 0;
    6164. 

  6164. 

  6165.     /* TODO: [TLS13] Server's preference and sending back SupportedGroups */
    6166. 

  6166.     /* Use client's preference. */
    6167. 

  6167.     for (clientKSE = list; clientKSE != NULL; clientKSE = clientKSE->next) {
    6168. 

  6168.         /* Check consistency now - extensions in any order. */
    6169. 

  6169.         if (!TLSX_SupportedGroups_Find(ssl, clientKSE->group))
    6170. 

  6170.             return BAD_KEY_SHARE_DATA;
    6171. 

  6171. 

  6172.     #ifdef OPENSSL_EXTRA
    6173. 

  6173.         /* Check if server supports group. */
    6174. 

  6174.         if (ssl->ctx->disabledCurves & (1 << clientKSE->group))
    6175. 

  6175.             continue;
    6176. 

  6176.     #endif
    6177. 

  6177.         if (TLSX_KeyShare_IsSupported(clientKSE->group))
    6178. 

  6178.             break;
    6179. 

  6179.     }
    6180. 

  6180.     /* No supported group found - send HelloRetryRequest. */
    6181. 

  6181.     if (clientKSE == NULL) {
    6182. 

  6182.         ret = TLSX_KeyShare_SetSupported(ssl);
    6183. 

  6183.         /* Return KEY_SHARE_ERROR to indicate HelloRetryRequest required. */
    6184. 

  6184.         if (ret == 0)
    6185. 

  6185.             return KEY_SHARE_ERROR;
    6186. 

  6186.         return ret;
    6187. 

  6187.     }
    6188. 

  6188. 

  6189.     list = NULL;
    6190. 

  6190.     /* Generate a new key pair. */
    6191. 

  6191.     ret = TLSX_KeyShare_New(&list, clientKSE->group, ssl->heap, &serverKSE);
    6192. 

  6192.     if (ret != 0)
    6193. 

  6193.         return ret;
    6194. 

  6194.     ret = TLSX_KeyShare_GenKey(ssl, serverKSE);
    6195. 

  6195.     if (ret != 0)
    6196. 

  6196.         return ret;
    6197. 

  6197. 

  6198.     /* Move private key to client entry. */
    6199. 

  6199.     if (clientKSE->key != NULL)
    6200. 

  6200.         XFREE(clientKSE->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
    6201. 

  6201.     clientKSE->key = serverKSE->key;
    6202. 

  6202.     serverKSE->key = NULL;
    6203. 

  6203.     clientKSE->keyLen = serverKSE->keyLen;
    6204. 

  6204. 

  6205.     /* Calculate secret. */
    6206. 

  6206.     ret = TLSX_KeyShare_Process(ssl, clientKSE);
    6207. 

  6207.     if (ret != 0)
    6208. 

  6208.         return ret;
    6209. 

  6209. 

  6210.     /* Swap public keys for sending to client. */
    6211. 

  6211.     ke = serverKSE->ke;
    6212. 

  6212.     keLen = serverKSE->keLen;
    6213. 

  6213.     serverKSE->ke = clientKSE->ke;
    6214. 

  6214.     serverKSE->keLen = clientKSE->keLen;
    6215. 

  6215.     clientKSE->ke = ke;
    6216. 

  6216.     clientKSE->keLen = keLen;
    6217. 

  6217. 

  6218.     extension->resp = 1;
    6219. 

  6219. 

  6220.     /* Dispose of temporary server extension. */
    6221. 

  6221.     TLSX_KeyShare_FreeAll(list, ssl->heap);
    6222. 

  6222. 

  6223.     return 0;
    6224. 

  6224. }
    6225. 

  6225. 

  6226. #define KS_FREE_ALL  TLSX_KeyShare_FreeAll
    6227. 

  6227. #define KS_GET_SIZE  TLSX_KeyShare_GetSize
    6228. 

  6228. #define KS_WRITE     TLSX_KeyShare_Write
    6229. 

  6229. #define KS_PARSE     TLSX_KeyShare_Parse
    6230. 

  6230. 

  6231. #else
    6232. 

  6232. 

  6233. #define KS_FREE_ALL(a, b)
    6234. 

  6234. #define KS_GET_SIZE(a, b)    0
    6235. 

  6235. #define KS_WRITE(a, b, c)    0
    6236. 

  6236. #define KS_PARSE(a, b, c, d) 0
    6237. 

  6237. 

  6238. #endif /* WOLFSSL_TLS13 */
    6239. 

  6239. 

  6240. /******************************************************************************/
    6241. 

  6241. /* Pre-Shared Key                                                             */
    6242. 

  6242. /******************************************************************************/
    6243. 

  6243. 

  6244. #if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
    6245. 

  6245. /* Free the pre-shared key dynamic data.
    6246. 

  6246.  *
    6247. 

  6247.  * list  The linked list of key share entry objects.
    6248. 

  6248.  * heap  The heap used for allocation.
    6249. 

  6249.  */
    6250. 

  6250. static void TLSX_PreSharedKey_FreeAll(PreSharedKey* list, void* heap)
    6251. 

  6251. {
    6252. 

  6252.     PreSharedKey* current;
    6253. 

  6253. 

  6254.     while ((current = list) != NULL) {
    6255. 

  6255.         list = current->next;
    6256. 

  6256.         XFREE(current->identity, heap, DYNAMIC_TYPE_TLSX);
    6257. 

  6257.         XFREE(current, heap, DYNAMIC_TYPE_TLSX);
    6258. 

  6258.     }
    6259. 

  6259. 

  6260.     (void)heap;
    6261. 

  6261. }
    6262. 

  6262. 

  6263. /* Get the size of the encoded pre shared key extension.
    6264. 

  6264.  *
    6265. 

  6265.  * list     The linked list of pre-shared key extensions.
    6266. 

  6266.  * msgType  The type of the message this extension is being written into.
    6267. 

  6267.  * returns the number of bytes of the encoded pre-shared key extension or
    6268. 

  6268.  * SANITY_MSG_E to indicate invalid message type.
    6269. 

  6269.  */
    6270. 

  6270. static word16 TLSX_PreSharedKey_GetSize(PreSharedKey* list, byte msgType)
    6271. 

  6271. {
    6272. 

  6272.     if (msgType == client_hello) {
    6273. 

  6273.         /* Length of identities + Length of binders. */
    6274. 

  6274.         word16 len = OPAQUE16_LEN + OPAQUE16_LEN;
    6275. 

  6275.         while (list != NULL) {
    6276. 

  6276.             /* Each entry has: identity, ticket age and binder. */
    6277. 

  6277.             len += OPAQUE16_LEN + list->identityLen + OPAQUE32_LEN +
    6278. 

  6278.                    OPAQUE8_LEN + list->binderLen;
    6279. 

  6279.             list = list->next;
    6280. 

  6280.         }
    6281. 

  6281.         return len;
    6282. 

  6282.     }
    6283. 

  6283. 

  6284.     if (msgType == server_hello) {
    6285. 

  6285.         return OPAQUE16_LEN;
    6286. 

  6286.     }
    6287. 

  6287. 

  6288.     return 0;
    6289. 

  6289. }
    6290. 

  6290. 

  6291. /* The number of bytes to be written for the binders.
    6292. 

  6292.  *
    6293. 

  6293.  * list     The linked list of pre-shared key extensions.
    6294. 

  6294.  * msgType  The type of the message this extension is being written into.
    6295. 

  6295.  * returns the number of bytes of the encoded pre-shared key extension or
    6296. 

  6296.  * SANITY_MSG_E to indicate invalid message type.
    6297. 

  6297.  */
    6298. 

  6298. word16 TLSX_PreSharedKey_GetSizeBinders(PreSharedKey* list, byte msgType)
    6299. 

  6299. {
    6300. 

  6300.     word16 len;
    6301. 

  6301. 

  6302.     if (msgType != client_hello)
    6303. 

  6303.         return SANITY_MSG_E;
    6304. 

  6304. 

  6305.     /* Length of all binders. */
    6306. 

  6306.     len = OPAQUE16_LEN;
    6307. 

  6307.     while (list != NULL) {
    6308. 

  6308.         len += OPAQUE8_LEN + list->binderLen;
    6309. 

  6309.         list = list->next;
    6310. 

  6310.     }
    6311. 

  6311. 

  6312.     return len;
    6313. 

  6313. }
    6314. 

  6314. 

  6315. /* Writes the pre-shared key extension into the output buffer - binders only.
    6316. 

  6316.  * Assumes that the the output buffer is big enough to hold data.
    6317. 

  6317.  *
    6318. 

  6318.  * list     The linked list of key share entries.
    6319. 

  6319.  * output   The buffer to write into.
    6320. 

  6320.  * msgType  The type of the message this extension is being written into.
    6321. 

  6321.  * returns the number of bytes written into the buffer.
    6322. 

  6322.  */
    6323. 

  6323. word16 TLSX_PreSharedKey_WriteBinders(PreSharedKey* list, byte* output,
    6324. 

  6324.                                       byte msgType)
    6325. 

  6325. {
    6326. 

  6326.     PreSharedKey* current = list;
    6327. 

  6327.     word16 idx = 0;
    6328. 

  6328.     word16 lenIdx;
    6329. 

  6329.     word16 len;
    6330. 

  6330. 

  6331.     if (msgType != client_hello)
    6332. 

  6332.         return SANITY_MSG_E;
    6333. 

  6333. 

  6334.     /* Skip length of all binders. */
    6335. 

  6335.     lenIdx = idx;
    6336. 

  6336.     idx += OPAQUE16_LEN;
    6337. 

  6337.     while (current != NULL) {
    6338. 

  6338.         /* Binder data length. */
    6339. 

  6339.         output[idx++] = current->binderLen;
    6340. 

  6340.         /* Binder data. */
    6341. 

  6341.         XMEMCPY(output + idx, current->binder, current->binderLen);
    6342. 

  6342.         idx += current->binderLen;
    6343. 

  6343. 

  6344.         current = current->next;
    6345. 

  6345.     }
    6346. 

  6346.     /* Length of the binders. */
    6347. 

  6347.     len = idx - lenIdx - OPAQUE16_LEN;
    6348. 

  6348.     c16toa(len, output + lenIdx);
    6349. 

  6349. 

  6350.     return idx;
    6351. 

  6351. }
    6352. 

  6352. 

  6353. 

  6354. /* Writes the pre-shared key extension into the output buffer.
    6355. 

  6355.  * Assumes that the the output buffer is big enough to hold data.
    6356. 

  6356.  *
    6357. 

  6357.  * list     The linked list of key share entries.
    6358. 

  6358.  * output   The buffer to write into.
    6359. 

  6359.  * msgType  The type of the message this extension is being written into.
    6360. 

  6360.  * returns the number of bytes written into the buffer.
    6361. 

  6361.  */
    6362. 

  6362. static word16 TLSX_PreSharedKey_Write(PreSharedKey* list, byte* output,
    6363. 

  6363.                                       byte msgType)
    6364. 

  6364. {
    6365. 

  6365.     if (msgType == client_hello) {
    6366. 

  6366.         PreSharedKey* current = list;
    6367. 

  6367.         word16 idx = 0;
    6368. 

  6368.         word16 lenIdx;
    6369. 

  6369.         word16 len;
    6370. 

  6370. 

  6371.         /* Write identites only. Binders after HMACing over this. */
    6372. 

  6372.         lenIdx = idx;
    6373. 

  6373.         idx += OPAQUE16_LEN;
    6374. 

  6374.         while (current != NULL) {
    6375. 

  6375.             /* Identity length */
    6376. 

  6376.             c16toa(current->identityLen, output + idx);
    6377. 

  6377.             idx += OPAQUE16_LEN;
    6378. 

  6378.             /* Identity data */
    6379. 

  6379.             XMEMCPY(output + idx, current->identity, current->identityLen);
    6380. 

  6380.             idx += current->identityLen;
    6381. 

  6381. 

  6382.             /* Obfuscated ticket age. */
    6383. 

  6383.             c32toa(current->ticketAge, output + idx);
    6384. 

  6384.             idx += OPAQUE32_LEN;
    6385. 

  6385. 

  6386.             current = current->next;
    6387. 

  6387.         }
    6388. 

  6388.         /* Length of the identites. */
    6389. 

  6389.         len = idx - lenIdx - OPAQUE16_LEN;
    6390. 

  6390.         c16toa(len, output + lenIdx);
    6391. 

  6391. 

  6392.         /* Don't include binders here.
    6393. 

  6393.          * The binders are based on the hash of all the ClientHello data up to
    6394. 

  6394.          * and include the identities written above.
    6395. 

  6395.          */
    6396. 

  6396.         idx += TLSX_PreSharedKey_GetSizeBinders(list, msgType);
    6397. 

  6397. 

  6398.         return idx;
    6399. 

  6399.     }
    6400. 

  6400. 

  6401.     if (msgType == server_hello) {
    6402. 

  6402.         word16 i;
    6403. 

  6403. 

  6404.         /* Find the index of the chosen identity. */
    6405. 

  6405.         for (i=0; list != NULL && !list->chosen; i++)
    6406. 

  6406.             list = list->next;
    6407. 

  6407.         if (list == NULL)
    6408. 

  6408.             return BUILD_MSG_ERROR;
    6409. 

  6409. 

  6410.         /* The index of the identity chosen by the server from the list supplied
    6411. 

  6411.          * by the client.
    6412. 

  6412.          */
    6413. 

  6413.         c16toa(i, output);
    6414. 

  6414.         return OPAQUE16_LEN;
    6415. 

  6415.     }
    6416. 

  6416. 

  6417.     return 0;
    6418. 

  6418. }
    6419. 

  6419. 

  6420. /* Parse the pre-shared key extension.
    6421. 

  6421.  * Different formats in different messages.
    6422. 

  6422.  *
    6423. 

  6423.  * ssl      The SSL/TLS object.
    6424. 

  6424.  * input    The extension data.
    6425. 

  6425.  * length   The length of the extension data.
    6426. 

  6426.  * msgType  The type of the message this extension is being parsed from.
    6427. 

  6427.  * returns 0 on success and other values indicate failure.
    6428. 

  6428.  */
    6429. 

  6429. static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, byte* input, word16 length,
    6430. 

  6430.                                    byte msgType)
    6431. 

  6431. {
    6432. 

  6432.     TLSX*         extension;
    6433. 

  6433.     PreSharedKey* list;
    6434. 

  6434. 

  6435.     if (msgType == client_hello) {
    6436. 

  6436.         int    ret;
    6437. 

  6437.         word16 len;
    6438. 

  6438.         word16 idx = 0;
    6439. 

  6439. 

  6440.         /* Length of identities and of binders. */
    6441. 

  6441.         if (length - idx < OPAQUE16_LEN + OPAQUE16_LEN)
    6442. 

  6442.             return BUFFER_E;
    6443. 

  6443. 

  6444.         /* Length of identities. */
    6445. 

  6445.         ato16(input + idx, &len);
    6446. 

  6446.         idx += OPAQUE16_LEN;
    6447. 

  6447.         if (len < MIN_PSK_ID_LEN || length - idx < len)
    6448. 

  6448.             return BUFFER_E;
    6449. 

  6449. 

  6450.         /* Create a pre-shared key object for each identity. */
    6451. 

  6451.         while (len > 0) {
    6452. 

  6452.             byte*  identity;
    6453. 

  6453.             word16 identityLen;
    6454. 

  6454.             word32 age;
    6455. 

  6455. 

  6456.             if (len < OPAQUE16_LEN)
    6457. 

  6457.                 return BUFFER_E;
    6458. 

  6458. 

  6459.             /* Length of identity. */
    6460. 

  6460.             ato16(input + idx, &identityLen);
    6461. 

  6461.             idx += OPAQUE16_LEN;
    6462. 

  6462.             if (len < OPAQUE16_LEN + identityLen + OPAQUE32_LEN)
    6463. 

  6463.                 return BUFFER_E;
    6464. 

  6464.             /* Cache identity pointer. */
    6465. 

  6465.             identity = input + idx;
    6466. 

  6466.             idx += identityLen;
    6467. 

  6467.             /* Ticket age. */
    6468. 

  6468.             ato32(input + idx, &age);
    6469. 

  6469.             idx += OPAQUE32_LEN;
    6470. 

  6470. 

  6471.             ret = TLSX_PreSharedKey_Use(ssl, identity, identityLen, age, no_mac,
    6472. 

  6472.                                         0, 0, 1, NULL);
    6473. 

  6473.             if (ret != 0)
    6474. 

  6474.                 return ret;
    6475. 

  6475. 

  6476.             /* Done with this identity. */
    6477. 

  6477.             len -= OPAQUE16_LEN + identityLen + OPAQUE32_LEN;
    6478. 

  6478.         }
    6479. 

  6479. 

  6480.         /* Find the list of identities sent to server. */
    6481. 

  6481.         extension = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    6482. 

  6482.         if (extension == NULL)
    6483. 

  6483.             return PSK_KEY_ERROR;
    6484. 

  6484.         list = (PreSharedKey*)extension->data;
    6485. 

  6485. 

  6486.         /* Length of binders. */
    6487. 

  6487.         ato16(input + idx, &len);
    6488. 

  6488.         idx += OPAQUE16_LEN;
    6489. 

  6489.         if (len < MIN_PSK_BINDERS_LEN || length - idx < len)
    6490. 

  6490.             return BUFFER_E;
    6491. 

  6491. 

  6492.         /* Set binder for each identity. */
    6493. 

  6493.         while (list != NULL && len > 0) {
    6494. 

  6494.             /* Length of binder */
    6495. 

  6495.             list->binderLen = input[idx++];
    6496. 

  6496.             if (list->binderLen < WC_SHA256_DIGEST_SIZE ||
    6497. 

  6497.                     list->binderLen > WC_MAX_DIGEST_SIZE)
    6498. 

  6498.                 return BUFFER_E;
    6499. 

  6499.             if (len < OPAQUE8_LEN + list->binderLen)
    6500. 

  6500.                 return BUFFER_E;
    6501. 

  6501. 

  6502.             /* Copy binder into static buffer. */
    6503. 

  6503.             XMEMCPY(list->binder, input + idx, list->binderLen);
    6504. 

  6504.             idx += list->binderLen;
    6505. 

  6505. 

  6506.             /* Done with binder entry. */
    6507. 

  6507.             len -= OPAQUE8_LEN + list->binderLen;
    6508. 

  6508. 

  6509.             /* Next identity. */
    6510. 

  6510.             list = list->next;
    6511. 

  6511.         }
    6512. 

  6512.         if (list != NULL || len != 0)
    6513. 

  6513.             return BUFFER_E;
    6514. 

  6514. 

  6515.         return 0;
    6516. 

  6516.     }
    6517. 

  6517. 

  6518.     if (msgType == server_hello) {
    6519. 

  6519.         word16 idx;
    6520. 

  6520. 

  6521.         /* Index of identity chosen by server. */
    6522. 

  6522.         if (length != OPAQUE16_LEN)
    6523. 

  6523.             return BUFFER_E;
    6524. 

  6524.         ato16(input, &idx);
    6525. 

  6525. 

  6526.         /* Find the list of identities sent to server. */
    6527. 

  6527.         extension = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    6528. 

  6528.         if (extension == NULL)
    6529. 

  6529.             return PSK_KEY_ERROR;
    6530. 

  6530.         list = (PreSharedKey*)extension->data;
    6531. 

  6531. 

  6532.         /* Mark the identity as chosen. */
    6533. 

  6533.         for (; list != NULL && idx > 0; idx--)
    6534. 

  6534.             list = list->next;
    6535. 

  6535.         if (list == NULL)
    6536. 

  6536.             return PSK_KEY_ERROR;
    6537. 

  6537.         list->chosen = 1;
    6538. 

  6538. 

  6539.     #ifdef HAVE_SESSION_TICKET
    6540. 

  6540.         if (list->resumption) {
    6541. 

  6541.            /* Check that the session's details are the same as the server's. */
    6542. 

  6542.            if (ssl->options.cipherSuite0  != ssl->session.cipherSuite0 ||
    6543. 

  6543.                ssl->options.cipherSuite   != ssl->session.cipherSuite  ||
    6544. 

  6544.                ssl->session.version.major != ssl->version.major        ||
    6545. 

  6545.                ssl->session.version.minor != ssl->version.minor        ) {
    6546. 

  6546.                return PSK_KEY_ERROR;
    6547. 

  6547.            }
    6548. 

  6548.         }
    6549. 

  6549.     #endif
    6550. 

  6550.         /* TODO: [TLS13] More checks of consistency.
    6551. 

  6551.          * the "key_share", and "signature_algorithms" extensions are
    6552. 

  6552.          * consistent with the indicated ke_modes and auth_modes values
    6553. 

  6553.          */
    6554. 

  6554. 

  6555.         return 0;
    6556. 

  6556.     }
    6557. 

  6557. 

  6558.     return SANITY_MSG_E;
    6559. 

  6559. }
    6560. 

  6560. 

  6561. /* Create a new pre-shared key and put it into the list.
    6562. 

  6562.  *
    6563. 

  6563.  * list          The linked list of pre-shared key.
    6564. 

  6564.  * identity      The identity.
    6565. 

  6565.  * len           The length of the identity data.
    6566. 

  6566.  * heap          The memory to allocate with.
    6567. 

  6567.  * preSharedKey  The new pre-shared key object.
    6568. 

  6568.  * returns 0 on success and other values indicate failure.
    6569. 

  6569.  */
    6570. 

  6570. static int TLSX_PreSharedKey_New(PreSharedKey** list, byte* identity,
    6571. 

  6571.                                  word16 len, void *heap,
    6572. 

  6572.                                  PreSharedKey** preSharedKey)
    6573. 

  6573. {
    6574. 

  6574.     PreSharedKey* psk;
    6575. 

  6575. 

  6576.     psk = (PreSharedKey*)XMALLOC(sizeof(PreSharedKey), heap, DYNAMIC_TYPE_TLSX);
    6577. 

  6577.     if (psk == NULL)
    6578. 

  6578.         return MEMORY_E;
    6579. 

  6579.     XMEMSET(psk, 0, sizeof(*psk));
    6580. 

  6580. 

  6581.     /* Make a copy of the identity data. */
    6582. 

  6582.     psk->identity = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_TLSX);
    6583. 

  6583.     if (psk->identity == NULL) {
    6584. 

  6584.         XFREE(psk, heap, DYNAMIC_TYPE_TLSX);
    6585. 

  6585.         return MEMORY_E;
    6586. 

  6586.     }
    6587. 

  6587.     XMEMCPY(psk->identity, identity, len);
    6588. 

  6588.     psk->identityLen = len;
    6589. 

  6589. 

  6590.     /* Add it to the end and maintain the links. */
    6591. 

  6591.     while (*list != NULL)
    6592. 

  6592.         list = &((*list)->next);
    6593. 

  6593.     *list = psk;
    6594. 

  6594.     *preSharedKey = psk;
    6595. 

  6595. 

  6596.     return 0;
    6597. 

  6597. }
    6598. 

  6598. 

  6599. static INLINE byte GetHmacLength(int hmac)
    6600. 

  6600. {
    6601. 

  6601.     switch (hmac) {
    6602. 

  6602.     #ifndef NO_SHA256
    6603. 

  6603.         case sha256_mac:
    6604. 

  6604.             return WC_SHA256_DIGEST_SIZE;
    6605. 

  6605.     #endif
    6606. 

  6606.     #ifdef WOLFSSL_SHA384
    6607. 

  6607.         case sha384_mac:
    6608. 

  6608.             return WC_SHA384_DIGEST_SIZE;
    6609. 

  6609.     #endif
    6610. 

  6610.     #ifdef WOLFSSL_SHA512
    6611. 

  6611.         case sha512_mac:
    6612. 

  6612.             return WC_SHA512_DIGEST_SIZE;
    6613. 

  6613.     #endif
    6614. 

  6614.     }
    6615. 

  6615.     return 0;
    6616. 

  6616. }
    6617. 

  6617. 

  6618. /* Use the data to create a new pre-shared key object in the extensions.
    6619. 

  6619.  *
    6620. 

  6620.  * ssl           The SSL/TLS object.
    6621. 

  6621.  * identity      The identity.
    6622. 

  6622.  * len           The length of the identity data.
    6623. 

  6623.  * age           The age of the identity.
    6624. 

  6624.  * hmac          The HMAC algorithm.
    6625. 

  6625.  * ciphersuite0  The first byte of the ciphersuite to use.
    6626. 

  6626.  * ciphersuite   The second byte of the ciphersuite to use.
    6627. 

  6627.  * resumption    The PSK is for resumption of a session.
    6628. 

  6628.  * preSharedKey  The new pre-shared key object.
    6629. 

  6629.  * returns 0 on success and other values indicate failure.
    6630. 

  6630.  */
    6631. 

  6631. int TLSX_PreSharedKey_Use(WOLFSSL* ssl, byte* identity, word16 len, word32 age,
    6632. 

  6632.                           byte hmac, byte cipherSuite0,
    6633. 

  6633.                           byte cipherSuite, byte resumption,
    6634. 

  6634.                           PreSharedKey **preSharedKey)
    6635. 

  6635. {
    6636. 

  6636.     int           ret = 0;
    6637. 

  6637.     TLSX*         extension;
    6638. 

  6638.     PreSharedKey* psk = NULL;
    6639. 

  6639. 

  6640.     /* Find the pre-shared key extension if it exists. */
    6641. 

  6641.     extension = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    6642. 

  6642.     if (extension == NULL) {
    6643. 

  6643.         /* Push new pre-shared key extension. */
    6644. 

  6644.         ret = TLSX_Push(&ssl->extensions, TLSX_PRE_SHARED_KEY, NULL, ssl->heap);
    6645. 

  6645.         if (ret != 0)
    6646. 

  6646.             return ret;
    6647. 

  6647. 

  6648.         extension = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    6649. 

  6649.         if (extension == NULL)
    6650. 

  6650.             return MEMORY_E;
    6651. 

  6651.     }
    6652. 

  6652. 

  6653.     /* Try to find the pre-shared key with this identity. */
    6654. 

  6654.     psk = (PreSharedKey*)extension->data;
    6655. 

  6655.     while (psk != NULL) {
    6656. 

  6656.         if ((psk->identityLen == len) &&
    6657. 

  6657.                (XMEMCMP(psk->identity, identity, len) == 0)) {
    6658. 

  6658.             break;
    6659. 

  6659.         }
    6660. 

  6660.         psk = psk->next;
    6661. 

  6661.     }
    6662. 

  6662. 

  6663.     /* Create a new pre-shared key object if not found. */
    6664. 

  6664.     if (psk == NULL) {
    6665. 

  6665.         ret = TLSX_PreSharedKey_New((PreSharedKey**)&extension->data, identity,
    6666. 

  6666.                                     len, ssl->heap, &psk);
    6667. 

  6667.         if (ret != 0)
    6668. 

  6668.             return ret;
    6669. 

  6669.     }
    6670. 

  6670. 

  6671.     /* Update/set age and HMAC algorithm. */
    6672. 

  6672.     psk->ticketAge    = age;
    6673. 

  6673.     psk->hmac         = hmac;
    6674. 

  6674.     psk->cipherSuite0 = cipherSuite0;
    6675. 

  6675.     psk->cipherSuite  = cipherSuite;
    6676. 

  6676.     psk->resumption   = resumption;
    6677. 

  6677.     psk->binderLen    = GetHmacLength(psk->hmac);
    6678. 

  6678. 

  6679.     if (preSharedKey != NULL)
    6680. 

  6680.         *preSharedKey = psk;
    6681. 

  6681. 

  6682.     return 0;
    6683. 

  6683. }
    6684. 

  6684. 

  6685. #define PSK_FREE_ALL  TLSX_PreSharedKey_FreeAll
    6686. 

  6686. #define PSK_GET_SIZE  TLSX_PreSharedKey_GetSize
    6687. 

  6687. #define PSK_WRITE     TLSX_PreSharedKey_Write
    6688. 

  6688. #define PSK_PARSE     TLSX_PreSharedKey_Parse
    6689. 

  6689. 

  6690. #else
    6691. 

  6691. 

  6692. #define PSK_FREE_ALL(a, b)
    6693. 

  6693. #define PSK_GET_SIZE(a, b)    0
    6694. 

  6694. #define PSK_WRITE(a, b, c)    0
    6695. 

  6695. #define PSK_PARSE(a, b, c, d) 0
    6696. 

  6696. 

  6697. #endif
    6698. 

  6698. 

  6699. /******************************************************************************/
    6700. 

  6700. /* PSK Key Exchange Modes                                                     */
    6701. 

  6701. /******************************************************************************/
    6702. 

  6702. 

  6703. #if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
    6704. 

  6704. /* Get the size of the encoded PSK KE modes extension.
    6705. 

  6705.  * Only in ClientHello.
    6706. 

  6706.  *
    6707. 

  6707.  * modes    The PSK KE mode bit string.
    6708. 

  6708.  * msgType  The type of the message this extension is being written into.
    6709. 

  6709.  * returns the number of bytes of the encoded PSK KE mode extension.
    6710. 

  6710.  */
    6711. 

  6711. static word16 TLSX_PskKeModes_GetSize(byte modes, byte msgType)
    6712. 

  6712. {
    6713. 

  6713.     if (msgType == client_hello) {
    6714. 

  6714.         /* Format: Len | Modes* */
    6715. 

  6715.         word16 len = OPAQUE8_LEN;
    6716. 

  6716.         /* Check whether each possible mode is to be written. */
    6717. 

  6717.         if (modes & (1 << PSK_KE))
    6718. 

  6718.             len += OPAQUE8_LEN;
    6719. 

  6719.         if (modes & (1 << PSK_DHE_KE))
    6720. 

  6720.             len += OPAQUE8_LEN;
    6721. 

  6721.         return len;
    6722. 

  6722.     }
    6723. 

  6723. 

  6724.     return SANITY_MSG_E;
    6725. 

  6725. }
    6726. 

  6726. 

  6727. /* Writes the PSK KE modes extension into the output buffer.
    6728. 

  6728.  * Assumes that the the output buffer is big enough to hold data.
    6729. 

  6729.  * Only in ClientHello.
    6730. 

  6730.  *
    6731. 

  6731.  * modes    The PSK KE mode bit string.
    6732. 

  6732.  * output   The buffer to write into.
    6733. 

  6733.  * msgType  The type of the message this extension is being written into.
    6734. 

  6734.  * returns the number of bytes written into the buffer.
    6735. 

  6735.  */
    6736. 

  6736. static word16 TLSX_PskKeModes_Write(byte modes, byte* output, byte msgType)
    6737. 

  6737. {
    6738. 

  6738.     if (msgType == client_hello) {
    6739. 

  6739.         /* Format: Len | Modes* */
    6740. 

  6740.         int idx = OPAQUE8_LEN;
    6741. 

  6741. 

  6742.         /* Write out each possible mode. */
    6743. 

  6743.         if (modes & (1 << PSK_KE))
    6744. 

  6744.             output[idx++] = PSK_KE;
    6745. 

  6745.         if (modes & (1 << PSK_DHE_KE))
    6746. 

  6746.             output[idx++] = PSK_DHE_KE;
    6747. 

  6747.         /* Write out length of mode list. */
    6748. 

  6748.         output[0] = idx - OPAQUE8_LEN;
    6749. 

  6749. 

  6750.         return idx;
    6751. 

  6751.     }
    6752. 

  6752. 

  6753.     return SANITY_MSG_E;
    6754. 

  6754. }
    6755. 

  6755. 

  6756. /* Parse the PSK KE modes extension.
    6757. 

  6757.  * Only in ClientHello.
    6758. 

  6758.  *
    6759. 

  6759.  * ssl      The SSL/TLS object.
    6760. 

  6760.  * input    The extension data.
    6761. 

  6761.  * length   The length of the extension data.
    6762. 

  6762.  * msgType  The type of the message this extension is being parsed from.
    6763. 

  6763.  * returns 0 on success and other values indicate failure.
    6764. 

  6764.  */
    6765. 

  6765. static int TLSX_PskKeModes_Parse(WOLFSSL* ssl, byte* input, word16 length,
    6766. 

  6766.                                  byte msgType)
    6767. 

  6767. {
    6768. 

  6768.     int    ret;
    6769. 

  6769. 

  6770.     if (msgType == client_hello) {
    6771. 

  6771.         /* Format: Len | Modes* */
    6772. 

  6772.         int   idx = 0;
    6773. 

  6773.         int   len;
    6774. 

  6774.         byte  modes = 0;
    6775. 

  6775. 

  6776.         /* Ensure length byte exists. */
    6777. 

  6777.         if (length < OPAQUE8_LEN)
    6778. 

  6778.             return BUFFER_E;
    6779. 

  6779. 

  6780.         /* Get length of mode list and ensure that is the only data. */
    6781. 

  6781.         len = input[0];
    6782. 

  6782.         if (length - OPAQUE8_LEN != len)
    6783. 

  6783.             return BUFFER_E;
    6784. 

  6784. 

  6785.         idx = OPAQUE8_LEN;
    6786. 

  6786.         /* Set a bit for each recognized modes. */
    6787. 

  6787.         while (len > 0) {
    6788. 

  6788.             /* Ignore unrecognized modes.  */
    6789. 

  6789.             if (input[idx] <= PSK_DHE_KE)
    6790. 

  6790.                modes |= 1 << input[idx];
    6791. 

  6791.             idx++;
    6792. 

  6792.             len--;
    6793. 

  6793.         }
    6794. 

  6794. 

  6795.         ret = TLSX_PskKeModes_Use(ssl, modes);
    6796. 

  6796.         if (ret != 0)
    6797. 

  6797.             return ret;
    6798. 

  6798. 

  6799.         return 0;
    6800. 

  6800.     }
    6801. 

  6801. 

  6802.     return SANITY_MSG_E;
    6803. 

  6803. }
    6804. 

  6804. 

  6805. /* Use the data to create a new PSK Key Exchange Modes object in the extensions.
    6806. 

  6806.  *
    6807. 

  6807.  * ssl    The SSL/TLS object.
    6808. 

  6808.  * modes  The PSK key exchange modes.
    6809. 

  6809.  * returns 0 on success and other values indicate failure.
    6810. 

  6810.  */
    6811. 

  6811. int TLSX_PskKeModes_Use(WOLFSSL* ssl, byte modes)
    6812. 

  6812. {
    6813. 

  6813.     int           ret = 0;
    6814. 

  6814.     TLSX*         extension;
    6815. 

  6815. 

  6816.     /* Find the PSK key exchange modes extension if it exists. */
    6817. 

  6817.     extension = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
    6818. 

  6818.     if (extension == NULL) {
    6819. 

  6819.         /* Push new PSK key exchange modes extension. */
    6820. 

  6820.         ret = TLSX_Push(&ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES, NULL,
    6821. 

  6821.             ssl->heap);
    6822. 

  6822.         if (ret != 0)
    6823. 

  6823.             return ret;
    6824. 

  6824. 

  6825.         extension = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
    6826. 

  6826.         if (extension == NULL)
    6827. 

  6827.             return MEMORY_E;
    6828. 

  6828.     }
    6829. 

  6829. 

  6830.     extension->val = modes;
    6831. 

  6831. 

  6832.     return 0;
    6833. 

  6833. }
    6834. 

  6834. 

  6835. #define PKM_GET_SIZE  TLSX_PskKeModes_GetSize
    6836. 

  6836. #define PKM_WRITE     TLSX_PskKeModes_Write
    6837. 

  6837. #define PKM_PARSE     TLSX_PskKeModes_Parse
    6838. 

  6838. 

  6839. #else
    6840. 

  6840. 

  6841. #define PKM_GET_SIZE(a, b)    0
    6842. 

  6842. #define PKM_WRITE(a, b, c)    0
    6843. 

  6843. #define PKM_PARSE(a, b, c, d) 0
    6844. 

  6844. 

  6845. #endif
    6846. 

  6846. 

  6847. /******************************************************************************/
    6848. 

  6848. /* Post-Handshake Authentication                                              */
    6849. 

  6849. /******************************************************************************/
    6850. 

  6850. 

  6851. #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
    6852. 

  6852. /* Get the size of the encoded Post-Hanshake Authentication extension.
    6853. 

  6853.  * Only in ClientHello.
    6854. 

  6854.  *
    6855. 

  6855.  * msgType  The type of the message this extension is being written into.
    6856. 

  6856.  * returns the number of bytes of the encoded Post-Hanshake Authentication
    6857. 

  6857.  * extension.
    6858. 

  6858.  */
    6859. 

  6859. static word16 TLSX_PostHandAuth_GetSize(byte msgType)
    6860. 

  6860. {
    6861. 

  6861.     if (msgType == client_hello)
    6862. 

  6862.         return OPAQUE8_LEN;
    6863. 

  6863. 

  6864.     return SANITY_MSG_E;
    6865. 

  6865. }
    6866. 

  6866. 

  6867. /* Writes the Post-Handshake Authentication extension into the output buffer.
    6868. 

  6868.  * Assumes that the the output buffer is big enough to hold data.
    6869. 

  6869.  * Only in ClientHello.
    6870. 

  6870.  *
    6871. 

  6871.  * output   The buffer to write into.
    6872. 

  6872.  * msgType  The type of the message this extension is being written into.
    6873. 

  6873.  * returns the number of bytes written into the buffer.
    6874. 

  6874.  */
    6875. 

  6875. static word16 TLSX_PostHandAuth_Write(byte* output, byte msgType)
    6876. 

  6876. {
    6877. 

  6877.     if (msgType == client_hello) {
    6878. 

  6878.         *output = 0;
    6879. 

  6879.         return OPAQUE8_LEN;
    6880. 

  6880.     }
    6881. 

  6881. 

  6882.     return SANITY_MSG_E;
    6883. 

  6883. }
    6884. 

  6884. 

  6885. /* Parse the Post-Handshake Authentication extension.
    6886. 

  6886.  * Only in ClientHello.
    6887. 

  6887.  *
    6888. 

  6888.  * ssl      The SSL/TLS object.
    6889. 

  6889.  * input    The extension data.
    6890. 

  6890.  * length   The length of the extension data.
    6891. 

  6891.  * msgType  The type of the message this extension is being parsed from.
    6892. 

  6892.  * returns 0 on success and other values indicate failure.
    6893. 

  6893.  */
    6894. 

  6894. static int TLSX_PostHandAuth_Parse(WOLFSSL* ssl, byte* input, word16 length,
    6895. 

  6895.                                  byte msgType)
    6896. 

  6896. {
    6897. 

  6897.     byte len;
    6898. 

  6898. 

  6899.     if (msgType == client_hello) {
    6900. 

  6900.         /* Ensure length byte exists. */
    6901. 

  6901.         if (length < OPAQUE8_LEN)
    6902. 

  6902.             return BUFFER_E;
    6903. 

  6903. 

  6904.         len = input[0];
    6905. 

  6905.         if (length - OPAQUE8_LEN != len || len != 0)
    6906. 

  6906.             return BUFFER_E;
    6907. 

  6907. 

  6908.         ssl->options.postHandshakeAuth = 1;
    6909. 

  6909.         return 0;
    6910. 

  6910.     }
    6911. 

  6911. 

  6912.     return SANITY_MSG_E;
    6913. 

  6913. }
    6914. 

  6914. 

  6915. /* Create a new Post-handshake authentication object in the extensions.
    6916. 

  6916.  *
    6917. 

  6917.  * ssl    The SSL/TLS object.
    6918. 

  6918.  * returns 0 on success and other values indicate failure.
    6919. 

  6919.  */
    6920. 

  6920. static int TLSX_PostHandAuth_Use(WOLFSSL* ssl)
    6921. 

  6921. {
    6922. 

  6922.     int   ret = 0;
    6923. 

  6923.     TLSX* extension;
    6924. 

  6924. 

  6925.     /* Find the PSK key exchange modes extension if it exists. */
    6926. 

  6926.     extension = TLSX_Find(ssl->extensions, TLSX_POST_HANDSHAKE_AUTH);
    6927. 

  6927.     if (extension == NULL) {
    6928. 

  6928.         /* Push new Post-handshake Authentication extension. */
    6929. 

  6929.         ret = TLSX_Push(&ssl->extensions, TLSX_POST_HANDSHAKE_AUTH, NULL,
    6930. 

  6930.             ssl->heap);
    6931. 

  6931.         if (ret != 0)
    6932. 

  6932.             return ret;
    6933. 

  6933.     }
    6934. 

  6934. 

  6935.     return 0;
    6936. 

  6936. }
    6937. 

  6937. 

  6938. #define PHA_GET_SIZE  TLSX_PostHandAuth_GetSize
    6939. 

  6939. #define PHA_WRITE     TLSX_PostHandAuth_Write
    6940. 

  6940. #define PHA_PARSE     TLSX_PostHandAuth_Parse
    6941. 

  6941. 

  6942. #else
    6943. 

  6943. 

  6944. #define PHA_GET_SIZE(a)       0
    6945. 

  6945. #define PHA_WRITE(a, b)       0
    6946. 

  6946. #define PHA_PARSE(a, b, c, d) 0
    6947. 

  6947. 

  6948. #endif
    6949. 

  6949. 

  6950. /******************************************************************************/
    6951. 

  6951. /* Early Data Indication                                                      */
    6952. 

  6952. /******************************************************************************/
    6953. 

  6953. 

  6954. #ifdef WOLFSSL_EARLY_DATA
    6955. 

  6955. /* Get the size of the encoded Early Data Indication extension.
    6956. 

  6956.  * In messages: ClientHello, EncryptedExtensions and NewSessionTicket.
    6957. 

  6957.  *
    6958. 

  6958.  * msgType  The type of the message this extension is being written into.
    6959. 

  6959.  * returns the number of bytes of the encoded Early Data Indication extension.
    6960. 

  6960.  */
    6961. 

  6961. static word16 TLSX_EarlyData_GetSize(byte msgType)
    6962. 

  6962. {
    6963. 

  6963.     if (msgType == client_hello || msgType == encrypted_extensions)
    6964. 

  6964.         return 0;
    6965. 

  6965.     if (msgType == session_ticket)
    6966. 

  6966.         return OPAQUE32_LEN;
    6967. 

  6967. 

  6968.     return SANITY_MSG_E;
    6969. 

  6969. }
    6970. 

  6970. 

  6971. /* Writes the Early Data Indicator extension into the output buffer.
    6972. 

  6972.  * Assumes that the the output buffer is big enough to hold data.
    6973. 

  6973.  * In messages: ClientHello, EncryptedExtensions and NewSessionTicket.
    6974. 

  6974.  *
    6975. 

  6975.  * max      The maximum early data size.
    6976. 

  6976.  * output   The buffer to write into.
    6977. 

  6977.  * msgType  The type of the message this extension is being written into.
    6978. 

  6978.  * returns the number of bytes written into the buffer.
    6979. 

  6979.  */
    6980. 

  6980. static word16 TLSX_EarlyData_Write(word32 max, byte* output, byte msgType)
    6981. 

  6981. {
    6982. 

  6982.     if (msgType == client_hello || msgType == encrypted_extensions) {
    6983. 

  6983.         return 0;
    6984. 

  6984.     }
    6985. 

  6985.     if (msgType == session_ticket) {
    6986. 

  6986.         c32toa(max, output);
    6987. 

  6987.         return OPAQUE32_LEN;
    6988. 

  6988.     }
    6989. 

  6989. 

  6990.     return SANITY_MSG_E;
    6991. 

  6991. }
    6992. 

  6992. 

  6993. /* Parse the Early Data Indicator extension.
    6994. 

  6994.  * In messages: ClientHello, EncryptedExtensions and NewSessionTicket.
    6995. 

  6995.  *
    6996. 

  6996.  * ssl      The SSL/TLS object.
    6997. 

  6997.  * input    The extension data.
    6998. 

  6998.  * length   The length of the extension data.
    6999. 

  6999.  * msgType  The type of the message this extension is being parsed from.
    7000. 

  7000.  * returns 0 on success and other values indicate failure.
    7001. 

  7001.  */
    7002. 

  7002. static int TLSX_EarlyData_Parse(WOLFSSL* ssl, byte* input, word16 length,
    7003. 

  7003.                                  byte msgType)
    7004. 

  7004. {
    7005. 

  7005.     if (msgType == client_hello) {
    7006. 

  7006.         if (length != 0)
    7007. 

  7007.             return BUFFER_E;
    7008. 

  7008. 

  7009.         return TLSX_EarlyData_Use(ssl, 0);
    7010. 

  7010.     }
    7011. 

  7011.     if (msgType == encrypted_extensions) {
    7012. 

  7012.         if (length != 0)
    7013. 

  7013.             return BUFFER_E;
    7014. 

  7014. 

  7015.         return TLSX_EarlyData_Use(ssl, 1);
    7016. 

  7016.     }
    7017. 

  7017.     if (msgType == session_ticket) {
    7018. 

  7018.         word32 max;
    7019. 

  7019. 

  7020.         if (length != OPAQUE32_LEN)
    7021. 

  7021.             return BUFFER_E;
    7022. 

  7022.         ato32(input, &max);
    7023. 

  7023. 

  7024.         ssl->session.maxEarlyDataSz = max;
    7025. 

  7025.         return 0;
    7026. 

  7026.     }
    7027. 

  7027. 

  7028.     return SANITY_MSG_E;
    7029. 

  7029. }
    7030. 

  7030. 

  7031. /* Use the data to create a new Early Data object in the extensions.
    7032. 

  7032.  *
    7033. 

  7033.  * ssl  The SSL/TLS object.
    7034. 

  7034.  * max  The maximum early data size.
    7035. 

  7035.  * returns 0 on success and other values indicate failure.
    7036. 

  7036.  */
    7037. 

  7037. int TLSX_EarlyData_Use(WOLFSSL* ssl, word32 max)
    7038. 

  7038. {
    7039. 

  7039.     int   ret = 0;
    7040. 

  7040.     TLSX* extension;
    7041. 

  7041. 

  7042.     /* Find the early data extension if it exists. */
    7043. 

  7043.     extension = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
    7044. 

  7044.     if (extension == NULL) {
    7045. 

  7045.         /* Push new early data extension. */
    7046. 

  7046.         ret = TLSX_Push(&ssl->extensions, TLSX_EARLY_DATA, NULL, ssl->heap);
    7047. 

  7047.         if (ret != 0)
    7048. 

  7048.             return ret;
    7049. 

  7049. 

  7050.         extension = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
    7051. 

  7051.         if (extension == NULL)
    7052. 

  7052.             return MEMORY_E;
    7053. 

  7053.     }
    7054. 

  7054. 

  7055.     extension->resp = 1;
    7056. 

  7056.     extension->val  = max;
    7057. 

  7057. 

  7058.     return 0;
    7059. 

  7059. }
    7060. 

  7060. 

  7061. #define EDI_GET_SIZE  TLSX_EarlyData_GetSize
    7062. 

  7062. #define EDI_WRITE     TLSX_EarlyData_Write
    7063. 

  7063. #define EDI_PARSE     TLSX_EarlyData_Parse
    7064. 

  7064. 

  7065. #else
    7066. 

  7066. 

  7067. #define EDI_GET_SIZE(a)       0
    7068. 

  7068. #define EDI_WRITE(a, b, c)    0
    7069. 

  7069. #define EDI_PARSE(a, b, c, d) 0
    7070. 

  7070. 

  7071. #endif
    7072. 

  7072. 

  7073. /******************************************************************************/
    7074. 

  7074. /* TLS Extensions Framework                                                   */
    7075. 

  7075. /******************************************************************************/
    7076. 

  7076. 

  7077. /** Finds an extension in the provided list. */
    7078. 

  7078. TLSX* TLSX_Find(TLSX* list, TLSX_Type type)
    7079. 

  7079. {
    7080. 

  7080.     TLSX* extension = list;
    7081. 

  7081. 

  7082.     while (extension && extension->type != type)
    7083. 

  7083.         extension = extension->next;
    7084. 

  7084. 

  7085.     return extension;
    7086. 

  7086. }
    7087. 

  7087. 

  7088. /** Releases all extensions in the provided list. */
    7089. 

  7089. void TLSX_FreeAll(TLSX* list, void* heap)
    7090. 

  7090. {
    7091. 

  7091.     TLSX* extension;
    7092. 

  7092. 

  7093.     while ((extension = list)) {
    7094. 

  7094.         list = extension->next;
    7095. 

  7095. 

  7096.         switch (extension->type) {
    7097. 

  7097. 

  7098.             case TLSX_SERVER_NAME:
    7099. 

  7099.                 SNI_FREE_ALL((SNI*)extension->data, heap);
    7100. 

  7100.                 break;
    7101. 

  7101. 

  7102.             case TLSX_MAX_FRAGMENT_LENGTH:
    7103. 

  7103.                 MFL_FREE_ALL(extension->data, heap);
    7104. 

  7104.                 break;
    7105. 

  7105. 

  7106.             case TLSX_TRUNCATED_HMAC:
    7107. 

  7107.                 /* Nothing to do. */
    7108. 

  7108.                 break;
    7109. 

  7109. 

  7110.             case TLSX_SUPPORTED_GROUPS:
    7111. 

  7111.                 EC_FREE_ALL((SupportedCurve*)extension->data, heap);
    7112. 

  7112.                 break;
    7113. 

  7113. 

  7114.             case TLSX_EC_POINT_FORMATS:
    7115. 

  7115.                 PF_FREE_ALL((PointFormat*)extension->data, heap);
    7116. 

  7116.                 break;
    7117. 

  7117. 

  7118.             case TLSX_STATUS_REQUEST:
    7119. 

  7119.                 CSR_FREE_ALL((CertificateStatusRequest*)extension->data, heap);
    7120. 

  7120.                 break;
    7121. 

  7121. 

  7122.             case TLSX_STATUS_REQUEST_V2:
    7123. 

  7123.                 CSR2_FREE_ALL((CertificateStatusRequestItemV2*)extension->data,
    7124. 

  7124.                         heap);
    7125. 

  7125.                 break;
    7126. 

  7126. 

  7127.             case TLSX_RENEGOTIATION_INFO:
    7128. 

  7128.                 SCR_FREE_ALL(extension->data, heap);
    7129. 

  7129.                 break;
    7130. 

  7130. 

  7131.             case TLSX_SESSION_TICKET:
    7132. 

  7132.                 WOLF_STK_FREE(extension->data, heap);
    7133. 

  7133.                 break;
    7134. 

  7134. 

  7135.             case TLSX_QUANTUM_SAFE_HYBRID:
    7136. 

  7136.                 QSH_FREE_ALL((QSHScheme*)extension->data, heap);
    7137. 

  7137.                 break;
    7138. 

  7138. 

  7139.             case TLSX_APPLICATION_LAYER_PROTOCOL:
    7140. 

  7140.                 ALPN_FREE_ALL((ALPN*)extension->data, heap);
    7141. 

  7141.                 break;
    7142. 

  7142. 

  7143.             case TLSX_SIGNATURE_ALGORITHMS:
    7144. 

  7144.                 break;
    7145. 

  7145. 

  7146. #ifdef WOLFSSL_TLS13
    7147. 

  7147.             case TLSX_SUPPORTED_VERSIONS:
    7148. 

  7148.                 break;
    7149. 

  7149. 

  7150.             case TLSX_COOKIE:
    7151. 

  7151.                 CKE_FREE_ALL((Cookie*)extension->data, heap);
    7152. 

  7152.                 break;
    7153. 

  7153. 

  7154.             case TLSX_KEY_SHARE:
    7155. 

  7155.                 KS_FREE_ALL((KeyShareEntry*)extension->data, heap);
    7156. 

  7156.                 break;
    7157. 

  7157. 

  7158.     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    7159. 

  7159.             case TLSX_PRE_SHARED_KEY:
    7160. 

  7160.                 PSK_FREE_ALL((PreSharedKey*)extension->data, heap);
    7161. 

  7161.                 break;
    7162. 

  7162. 

  7163.             case TLSX_PSK_KEY_EXCHANGE_MODES:
    7164. 

  7164.                 break;
    7165. 

  7165.     #endif
    7166. 

  7166. 

  7167.     #ifdef WOLFSSL_EARLY_DATA
    7168. 

  7168.             case TLSX_EARLY_DATA:
    7169. 

  7169.                 break;
    7170. 

  7170.     #endif
    7171. 

  7171. 

  7172.     #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    7173. 

  7173.             case TLSX_POST_HANDSHAKE_AUTH:
    7174. 

  7174.                 break;
    7175. 

  7175.     #endif
    7176. 

  7176. #endif
    7177. 

  7177.         }
    7178. 

  7178. 

  7179.         XFREE(extension, heap, DYNAMIC_TYPE_TLSX);
    7180. 

  7180.     }
    7181. 

  7181. 

  7182.     (void)heap;
    7183. 

  7183. }
    7184. 

  7184. 

  7185. /** Checks if the tls extensions are supported based on the protocol version. */
    7186. 

  7186. int TLSX_SupportExtensions(WOLFSSL* ssl) {
    7187. 

  7187.     return ssl && (IsTLS(ssl) || ssl->version.major == DTLS_MAJOR);
    7188. 

  7188. }
    7189. 

  7189. 

  7190. /** Tells the buffered size of the extensions in a list. */
    7191. 

  7191. static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType)
    7192. 

  7192. {
    7193. 

  7193.     TLSX*  extension;
    7194. 

  7194.     word16 length = 0;
    7195. 

  7195.     byte   isRequest = (msgType == client_hello ||
    7196. 

  7196.                         msgType == certificate_request);
    7197. 

  7197. 

  7198.     while ((extension = list)) {
    7199. 

  7199.         list = extension->next;
    7200. 

  7200. 

  7201.         /* only extensions marked as response are sent back to the client. */
    7202. 

  7202.         if (!isRequest && !extension->resp)
    7203. 

  7203.             continue; /* skip! */
    7204. 

  7204. 

  7205.         /* ssl level extensions are expected to override ctx level ones. */
    7206. 

  7206.         if (!IS_OFF(semaphore, TLSX_ToSemaphore(extension->type)))
    7207. 

  7207.             continue; /* skip! */
    7208. 

  7208. 

  7209.         /* extension type + extension data length. */
    7210. 

  7210.         length += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN;
    7211. 

  7211. 

  7212. 

  7213.         switch (extension->type) {
    7214. 

  7214. 

  7215.             case TLSX_SERVER_NAME:
    7216. 

  7216.                 /* SNI only sends the name on the request. */
    7217. 

  7217.                 if (isRequest)
    7218. 

  7218.                     length += SNI_GET_SIZE((SNI*)extension->data);
    7219. 

  7219.                 break;
    7220. 

  7220. 

  7221.             case TLSX_MAX_FRAGMENT_LENGTH:
    7222. 

  7222.                 length += MFL_GET_SIZE(extension->data);
    7223. 

  7223.                 break;
    7224. 

  7224. 

  7225.             case TLSX_TRUNCATED_HMAC:
    7226. 

  7226.                 /* always empty. */
    7227. 

  7227.                 break;
    7228. 

  7228. 

  7229.             case TLSX_SUPPORTED_GROUPS:
    7230. 

  7230.                 length += EC_GET_SIZE((SupportedCurve*)extension->data);
    7231. 

  7231.                 break;
    7232. 

  7232. 

  7233.             case TLSX_EC_POINT_FORMATS:
    7234. 

  7234.                 length += PF_GET_SIZE((PointFormat*)extension->data);
    7235. 

  7235.                 break;
    7236. 

  7236. 

  7237.             case TLSX_STATUS_REQUEST:
    7238. 

  7238.                 length += CSR_GET_SIZE(
    7239. 

  7239.                          (CertificateStatusRequest*)extension->data, isRequest);
    7240. 

  7240.                 break;
    7241. 

  7241. 

  7242.             case TLSX_STATUS_REQUEST_V2:
    7243. 

  7243.                 length += CSR2_GET_SIZE(
    7244. 

  7244.                         (CertificateStatusRequestItemV2*)extension->data,
    7245. 

  7245.                         isRequest);
    7246. 

  7246.                 break;
    7247. 

  7247. 

  7248.             case TLSX_RENEGOTIATION_INFO:
    7249. 

  7249.                 length += SCR_GET_SIZE((SecureRenegotiation*)extension->data,
    7250. 

  7250.                         isRequest);
    7251. 

  7251.                 break;
    7252. 

  7252. 

  7253.             case TLSX_SESSION_TICKET:
    7254. 

  7254.                 length += WOLF_STK_GET_SIZE((SessionTicket*)extension->data,
    7255. 

  7255.                         isRequest);
    7256. 

  7256.                 break;
    7257. 

  7257. 

  7258.             case TLSX_QUANTUM_SAFE_HYBRID:
    7259. 

  7259.                 length += QSH_GET_SIZE((QSHScheme*)extension->data, isRequest);
    7260. 

  7260.                 break;
    7261. 

  7261. 

  7262.             case TLSX_APPLICATION_LAYER_PROTOCOL:
    7263. 

  7263.                 length += ALPN_GET_SIZE((ALPN*)extension->data);
    7264. 

  7264.                 break;
    7265. 

  7265. 

  7266.             case TLSX_SIGNATURE_ALGORITHMS:
    7267. 

  7267.                 length += SA_GET_SIZE(extension->data);
    7268. 

  7268.                 break;
    7269. 

  7269. 

  7270. #ifdef WOLFSSL_TLS13
    7271. 

  7271.             case TLSX_SUPPORTED_VERSIONS:
    7272. 

  7272.                 length += SV_GET_SIZE(extension->data, msgType);
    7273. 

  7273.                 break;
    7274. 

  7274. 

  7275.             case TLSX_COOKIE:
    7276. 

  7276.                 length += CKE_GET_SIZE((Cookie*)extension->data, msgType);
    7277. 

  7277.                 break;
    7278. 

  7278. 

  7279.             case TLSX_KEY_SHARE:
    7280. 

  7280.                 length += KS_GET_SIZE((KeyShareEntry*)extension->data, msgType);
    7281. 

  7281.                 break;
    7282. 

  7282. 

  7283.     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    7284. 

  7284.             case TLSX_PRE_SHARED_KEY:
    7285. 

  7285.                 length += PSK_GET_SIZE((PreSharedKey*)extension->data, msgType);
    7286. 

  7286.                 break;
    7287. 

  7287. 

  7288.             case TLSX_PSK_KEY_EXCHANGE_MODES:
    7289. 

  7289.                 length += PKM_GET_SIZE(extension->val, msgType);
    7290. 

  7290.                 break;
    7291. 

  7291.     #endif
    7292. 

  7292. 

  7293.     #ifdef WOLFSSL_EARLY_DATA
    7294. 

  7294.             case TLSX_EARLY_DATA:
    7295. 

  7295.                 length += EDI_GET_SIZE(msgType);
    7296. 

  7296.                 break;
    7297. 

  7297.     #endif
    7298. 

  7298. 

  7299.     #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    7300. 

  7300.             case TLSX_POST_HANDSHAKE_AUTH:
    7301. 

  7301.                 length += PHA_GET_SIZE(msgType);
    7302. 

  7302.                 break;
    7303. 

  7303.     #endif
    7304. 

  7304. #endif
    7305. 

  7305.         }
    7306. 

  7306. 

  7307.         /* marks the extension as processed so ctx level */
    7308. 

  7308.         /* extensions don't overlap with ssl level ones. */
    7309. 

  7309.         TURN_ON(semaphore, TLSX_ToSemaphore(extension->type));
    7310. 

  7310.     }
    7311. 

  7311. 

  7312.     return length;
    7313. 

  7313. }
    7314. 

  7314. 

  7315. /** Writes the extensions of a list in a buffer. */
    7316. 

  7316. static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
    7317. 

  7317.                          byte msgType)
    7318. 

  7318. {
    7319. 

  7319.     TLSX* extension;
    7320. 

  7320.     word16 offset = 0;
    7321. 

  7321.     word16 length_offset = 0;
    7322. 

  7322.     byte   isRequest = (msgType == client_hello ||
    7323. 

  7323.                         msgType == certificate_request);
    7324. 

  7324. 

  7325.     while ((extension = list)) {
    7326. 

  7326.         list = extension->next;
    7327. 

  7327. 

  7328.         /* only extensions marked as response are written in a response. */
    7329. 

  7329.         if (!isRequest && !extension->resp)
    7330. 

  7330.             continue; /* skip! */
    7331. 

  7331. 

  7332.         /* ssl level extensions are expected to override ctx level ones. */
    7333. 

  7333.         if (!IS_OFF(semaphore, TLSX_ToSemaphore(extension->type)))
    7334. 

  7334.             continue; /* skip! */
    7335. 

  7335. 

  7336.         /* writes extension type. */
    7337. 

  7337.         c16toa(extension->type, output + offset);
    7338. 

  7338.         offset += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN;
    7339. 

  7339.         length_offset = offset;
    7340. 

  7340. 

  7341.         /* extension data should be written internally. */
    7342. 

  7342.         switch (extension->type) {
    7343. 

  7343.             case TLSX_SERVER_NAME:
    7344. 

  7344.                 if (isRequest) {
    7345. 

  7345.                     WOLFSSL_MSG("SNI extension to write");
    7346. 

  7346.                     offset += SNI_WRITE((SNI*)extension->data, output + offset);
    7347. 

  7347.                 }
    7348. 

  7348.                 break;
    7349. 

  7349. 

  7350.             case TLSX_MAX_FRAGMENT_LENGTH:
    7351. 

  7351.                 WOLFSSL_MSG("Max Fragment Length extension to write");
    7352. 

  7352.                 offset += MFL_WRITE((byte*)extension->data, output + offset);
    7353. 

  7353.                 break;
    7354. 

  7354. 

  7355.             case TLSX_TRUNCATED_HMAC:
    7356. 

  7356.                 WOLFSSL_MSG("Truncated HMAC extension to write");
    7357. 

  7357.                 /* always empty. */
    7358. 

  7358.                 break;
    7359. 

  7359. 

  7360.             case TLSX_SUPPORTED_GROUPS:
    7361. 

  7361.                 WOLFSSL_MSG("Elliptic Curves extension to write");
    7362. 

  7362.                 offset += EC_WRITE((SupportedCurve*)extension->data,
    7363. 

  7363.                                     output + offset);
    7364. 

  7364.                 break;
    7365. 

  7365. 

  7366.             case TLSX_EC_POINT_FORMATS:
    7367. 

  7367.                 WOLFSSL_MSG("Point Formats extension to write");
    7368. 

  7368.                 offset += PF_WRITE((PointFormat*)extension->data,
    7369. 

  7369.                                     output + offset);
    7370. 

  7370.                 break;
    7371. 

  7371. 

  7372.             case TLSX_STATUS_REQUEST:
    7373. 

  7373.                 WOLFSSL_MSG("Certificate Status Request extension to write");
    7374. 

  7374.                 offset += CSR_WRITE((CertificateStatusRequest*)extension->data,
    7375. 

  7375.                         output + offset, isRequest);
    7376. 

  7376.                 break;
    7377. 

  7377. 

  7378.             case TLSX_STATUS_REQUEST_V2:
    7379. 

  7379.                 WOLFSSL_MSG("Certificate Status Request v2 extension to write");
    7380. 

  7380.                 offset += CSR2_WRITE(
    7381. 

  7381.                         (CertificateStatusRequestItemV2*)extension->data,
    7382. 

  7382.                         output + offset, isRequest);
    7383. 

  7383.                 break;
    7384. 

  7384. 

  7385.             case TLSX_RENEGOTIATION_INFO:
    7386. 

  7386.                 WOLFSSL_MSG("Secure Renegotiation extension to write");
    7387. 

  7387.                 offset += SCR_WRITE((SecureRenegotiation*)extension->data,
    7388. 

  7388.                         output + offset, isRequest);
    7389. 

  7389.                 break;
    7390. 

  7390. 

  7391.             case TLSX_SESSION_TICKET:
    7392. 

  7392.                 WOLFSSL_MSG("Session Ticket extension to write");
    7393. 

  7393.                 offset += WOLF_STK_WRITE((SessionTicket*)extension->data,
    7394. 

  7394.                         output + offset, isRequest);
    7395. 

  7395.                 break;
    7396. 

  7396. 

  7397.             case TLSX_QUANTUM_SAFE_HYBRID:
    7398. 

  7398.                 WOLFSSL_MSG("Quantum-Safe-Hybrid extension to write");
    7399. 

  7399.                 if (isRequest) {
    7400. 

  7400.                     offset += QSH_WRITE((QSHScheme*)extension->data, output + offset);
    7401. 

  7401.                 }
    7402. 

  7402.                 offset += QSHPK_WRITE((QSHScheme*)extension->data, output + offset);
    7403. 

  7403.                 offset += QSH_SERREQ(output + offset, isRequest);
    7404. 

  7404.                 break;
    7405. 

  7405. 

  7406.             case TLSX_APPLICATION_LAYER_PROTOCOL:
    7407. 

  7407.                 WOLFSSL_MSG("ALPN extension to write");
    7408. 

  7408.                 offset += ALPN_WRITE((ALPN*)extension->data, output + offset);
    7409. 

  7409.                 break;
    7410. 

  7410. 

  7411.             case TLSX_SIGNATURE_ALGORITHMS:
    7412. 

  7412.                 WOLFSSL_MSG("Signature Algorithms extension to write");
    7413. 

  7413.                 offset += SA_WRITE(extension->data, output + offset);
    7414. 

  7414.                 break;
    7415. 

  7415. 

  7416. #ifdef WOLFSSL_TLS13
    7417. 

  7417.             case TLSX_SUPPORTED_VERSIONS:
    7418. 

  7418.                 WOLFSSL_MSG("Supported Versions extension to write");
    7419. 

  7419.                 offset += SV_WRITE(extension->data, output + offset, msgType);
    7420. 

  7420.                 break;
    7421. 

  7421. 

  7422.             case TLSX_COOKIE:
    7423. 

  7423.                 WOLFSSL_MSG("Cookie extension to write");
    7424. 

  7424.                 offset += CKE_WRITE((Cookie*)extension->data, output + offset,
    7425. 

  7425.                                     msgType);
    7426. 

  7426.                 break;
    7427. 

  7427. 

  7428.             case TLSX_KEY_SHARE:
    7429. 

  7429.                 WOLFSSL_MSG("Key Share extension to write");
    7430. 

  7430.                 offset += KS_WRITE((KeyShareEntry*)extension->data,
    7431. 

  7431.                                    output + offset, msgType);
    7432. 

  7432.                 break;
    7433. 

  7433. 

  7434.     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    7435. 

  7435.             case TLSX_PRE_SHARED_KEY:
    7436. 

  7436.                 WOLFSSL_MSG("Pre-Shared Key extension to write");
    7437. 

  7437.                 offset += PSK_WRITE((PreSharedKey*)extension->data,
    7438. 

  7438.                                     output + offset, msgType);
    7439. 

  7439.                 break;
    7440. 

  7440. 

  7441.             case TLSX_PSK_KEY_EXCHANGE_MODES:
    7442. 

  7442.                 WOLFSSL_MSG("PSK Key Exchange Modes extension to write");
    7443. 

  7443.                 offset += PKM_WRITE(extension->val, output + offset, msgType);
    7444. 

  7444.                 break;
    7445. 

  7445.     #endif
    7446. 

  7446. 

  7447.     #ifdef WOLFSSL_EARLY_DATA
    7448. 

  7448.             case TLSX_EARLY_DATA:
    7449. 

  7449.                 WOLFSSL_MSG("Early Data extension to write");
    7450. 

  7450.                 offset += EDI_WRITE(extension->val, output + offset, msgType);
    7451. 

  7451.                 break;
    7452. 

  7452.     #endif
    7453. 

  7453. 

  7454.     #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    7455. 

  7455.             case TLSX_POST_HANDSHAKE_AUTH:
    7456. 

  7456.                 WOLFSSL_MSG("Post-Handshake Authentication extension to write");
    7457. 

  7457.                 offset += PHA_WRITE(output + offset, msgType);
    7458. 

  7458.                 break;
    7459. 

  7459.     #endif
    7460. 

  7460. #endif
    7461. 

  7461.         }
    7462. 

  7462. 

  7463.         /* writes extension data length. */
    7464. 

  7464.         c16toa(offset - length_offset, output + length_offset - OPAQUE16_LEN);
    7465. 

  7465. 

  7466.         /* marks the extension as processed so ctx level */
    7467. 

  7467.         /* extensions don't overlap with ssl level ones. */
    7468. 

  7468.         TURN_ON(semaphore, TLSX_ToSemaphore(extension->type));
    7469. 

  7469.     }
    7470. 

  7470. 

  7471.     return offset;
    7472. 

  7472. }
    7473. 

  7473. 

  7474. 

  7475. #if defined(HAVE_NTRU) && defined(HAVE_QSH)
    7476. 

  7476. 

  7477. static word32 GetEntropy(unsigned char* out, word32 num_bytes)
    7478. 

  7478. {
    7479. 

  7479.     int ret = 0;
    7480. 

  7480. 

  7481.     if (gRng == NULL) {
    7482. 

  7482.         if ((gRng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL,
    7483. 

  7483.                                                     DYNAMIC_TYPE_TLSX)) == NULL)
    7484. 

  7484.             return DRBG_OUT_OF_MEMORY;
    7485. 

  7485.         wc_InitRng(gRng);
    7486. 

  7486.     }
    7487. 

  7487. 

  7488.     if (gRngMutex == NULL) {
    7489. 

  7489.         if ((gRngMutex = (wolfSSL_Mutex*)XMALLOC(sizeof(wolfSSL_Mutex), NULL,
    7490. 

  7490.                                                     DYNAMIC_TYPE_TLSX)) == NULL)
    7491. 

  7491.             return DRBG_OUT_OF_MEMORY;
    7492. 

  7492.         wc_InitMutex(gRngMutex);
    7493. 

  7493.     }
    7494. 

  7494. 

  7495.     ret |= wc_LockMutex(gRngMutex);
    7496. 

  7496.     ret |= wc_RNG_GenerateBlock(gRng, out, num_bytes);
    7497. 

  7497.     ret |= wc_UnLockMutex(gRngMutex);
    7498. 

  7498. 

  7499.     if (ret != 0)
    7500. 

  7500.         return DRBG_ENTROPY_FAIL;
    7501. 

  7501. 

  7502.     return DRBG_OK;
    7503. 

  7503. }
    7504. 

  7504. #endif
    7505. 

  7505. 

  7506. 

  7507. #ifdef HAVE_QSH
    7508. 

  7508. static int TLSX_CreateQSHKey(WOLFSSL* ssl, int type)
    7509. 

  7509. {
    7510. 

  7510.     int ret;
    7511. 

  7511. 

  7512.     (void)ssl;
    7513. 

  7513. 

  7514.     switch (type) {
    7515. 

  7515. #ifdef HAVE_NTRU
    7516. 

  7516.         case WOLFSSL_NTRU_EESS439:
    7517. 

  7517.         case WOLFSSL_NTRU_EESS593:
    7518. 

  7518.         case WOLFSSL_NTRU_EESS743:
    7519. 

  7519.             ret = TLSX_CreateNtruKey(ssl, type);
    7520. 

  7520.             break;
    7521. 

  7521. #endif
    7522. 

  7522.         default:
    7523. 

  7523.             WOLFSSL_MSG("Unknown type for creating NTRU key");
    7524. 

  7524.             return -1;
    7525. 

  7525.     }
    7526. 

  7526. 

  7527.     return ret;
    7528. 

  7528. }
    7529. 

  7529. 

  7530. 

  7531. static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key)
    7532. 

  7532. {
    7533. 

  7533.     QSHKey* current;
    7534. 

  7534. 

  7535.     if (key == NULL)
    7536. 

  7536.         return BAD_FUNC_ARG;
    7537. 

  7537. 

  7538.     /* if no public key stored in key then do not add */
    7539. 

  7539.     if (key->pub.length == 0 || key->pub.buffer == NULL)
    7540. 

  7540.         return 0;
    7541. 

  7541. 

  7542.     /* first element to be added to the list */
    7543. 

  7543.     current = *list;
    7544. 

  7544.     if (current == NULL) {
    7545. 

  7545.         *list = key;
    7546. 

  7546.         return 0;
    7547. 

  7547.     }
    7548. 

  7548. 

  7549.     while (current->next) {
    7550. 

  7550.         /* can only have one of the key in the list */
    7551. 

  7551.         if (current->name == key->name)
    7552. 

  7552.             return -1;
    7553. 

  7553.         current = (QSHKey*)current->next;
    7554. 

  7554.     }
    7555. 

  7555. 

  7556.     current->next = (struct QSHKey*)key;
    7557. 

  7557. 

  7558.     return 0;
    7559. 

  7559. }
    7560. 

  7560. 

  7561. 

  7562. #if defined(HAVE_NTRU)
    7563. 

  7563. int TLSX_CreateNtruKey(WOLFSSL* ssl, int type)
    7564. 

  7564. {
    7565. 

  7565.     int ret = -1;
    7566. 

  7566.     int ntruType;
    7567. 

  7567. 

  7568.     /* variable declarations for NTRU*/
    7569. 

  7569.     QSHKey* temp = NULL;
    7570. 

  7570.     byte   public_key[1027];
    7571. 

  7571.     word16 public_key_len = sizeof(public_key);
    7572. 

  7572.     byte   private_key[1120];
    7573. 

  7573.     word16 private_key_len = sizeof(private_key);
    7574. 

  7574.     DRBG_HANDLE drbg;
    7575. 

  7575. 

  7576.     if (ssl == NULL)
    7577. 

  7577.         return BAD_FUNC_ARG;
    7578. 

  7578. 

  7579.     switch (type) {
    7580. 

  7580.         case WOLFSSL_NTRU_EESS439:
    7581. 

  7581.             ntruType = NTRU_EES439EP1;
    7582. 

  7582.             break;
    7583. 

  7583.         case WOLFSSL_NTRU_EESS593:
    7584. 

  7584.             ntruType = NTRU_EES593EP1;
    7585. 

  7585.             break;
    7586. 

  7586.         case WOLFSSL_NTRU_EESS743:
    7587. 

  7587.             ntruType = NTRU_EES743EP1;
    7588. 

  7588.             break;
    7589. 

  7589.         default:
    7590. 

  7590.             WOLFSSL_MSG("Unknown type for creating NTRU key");
    7591. 

  7591.             return -1;
    7592. 

  7592.     }
    7593. 

  7593.     ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg);
    7594. 

  7594.     if (ret != DRBG_OK) {
    7595. 

  7595.         WOLFSSL_MSG("NTRU drbg instantiate failed\n");
    7596. 

  7596.         return ret;
    7597. 

  7597.     }
    7598. 

  7598. 

  7599.     if ((ret = ntru_crypto_ntru_encrypt_keygen(drbg, ntruType,
    7600. 

  7600.                      &public_key_len, NULL, &private_key_len, NULL)) != NTRU_OK)
    7601. 

  7601.         return ret;
    7602. 

  7602. 

  7603.     if ((ret = ntru_crypto_ntru_encrypt_keygen(drbg, ntruType,
    7604. 

  7604.         &public_key_len, public_key, &private_key_len, private_key)) != NTRU_OK)
    7605. 

  7605.         return ret;
    7606. 

  7606. 

  7607.     ret = ntru_crypto_drbg_uninstantiate(drbg);
    7608. 

  7608.     if (ret != NTRU_OK) {
    7609. 

  7609.         WOLFSSL_MSG("NTRU drbg uninstantiate failed\n");
    7610. 

  7610.         return ret;
    7611. 

  7611.     }
    7612. 

  7612. 

  7613.     if ((temp = (QSHKey*)XMALLOC(sizeof(QSHKey), ssl->heap,
    7614. 

  7614.                                                     DYNAMIC_TYPE_TLSX)) == NULL)
    7615. 

  7615.         return MEMORY_E;
    7616. 

  7616.     temp->name = type;
    7617. 

  7617.     temp->pub.length = public_key_len;
    7618. 

  7618.     temp->pub.buffer = (byte*)XMALLOC(public_key_len, ssl->heap,
    7619. 

  7619.                                 DYNAMIC_TYPE_PUBLIC_KEY);
    7620. 

  7620.     XMEMCPY(temp->pub.buffer, public_key, public_key_len);
    7621. 

  7621.     temp->pri.length = private_key_len;
    7622. 

  7622.     temp->pri.buffer = (byte*)XMALLOC(private_key_len, ssl->heap,
    7623. 

  7623.                                 DYNAMIC_TYPE_ARRAYS);
    7624. 

  7624.     XMEMCPY(temp->pri.buffer, private_key, private_key_len);
    7625. 

  7625.     temp->next = NULL;
    7626. 

  7626. 

  7627.     TLSX_AddQSHKey(&ssl->QSH_Key, temp);
    7628. 

  7628. 

  7629.     (void)ssl;
    7630. 

  7630.     (void)type;
    7631. 

  7631. 

  7632.     return ret;
    7633. 

  7633. }
    7634. 

  7634. #endif
    7635. 

  7635. 

  7636. 

  7637. /*
    7638. 

  7638.     Used to find a public key from the list of keys
    7639. 

  7639.     pubLen length of array
    7640. 

  7640.     name   input the name of the scheme looking for ie WOLFSSL_NTRU_ESSXXX
    7641. 

  7641. 

  7642.     returns a pointer to public key byte* or NULL if not found
    7643. 

  7643.  */
    7644. 

  7644. static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name)
    7645. 

  7645. {
    7646. 

  7646.     QSHKey* current = qsh;
    7647. 

  7647. 

  7648.     if (qsh == NULL || pubLen == NULL)
    7649. 

  7649.         return NULL;
    7650. 

  7650. 

  7651.     *pubLen = 0;
    7652. 

  7652. 

  7653.     while(current) {
    7654. 

  7654.         if (current->name == name) {
    7655. 

  7655.             *pubLen = current->pub.length;
    7656. 

  7656.             return current->pub.buffer;
    7657. 

  7657.         }
    7658. 

  7658.         current = (QSHKey*)current->next;
    7659. 

  7659.     }
    7660. 

  7660. 

  7661.     return NULL;
    7662. 

  7662. }
    7663. 

  7663. #endif /* HAVE_QSH */
    7664. 

  7664. 

  7665. int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
    7666. 

  7666. {
    7667. 

  7667.     int ret = 0;
    7668. 

  7668.     byte* public_key      = NULL;
    7669. 

  7669.     word16 public_key_len = 0;
    7670. 

  7670. #if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
    7671. 

  7671.     int usingPSK = 0;
    7672. 

  7672. #endif
    7673. 

  7673. #ifdef HAVE_QSH
    7674. 

  7674.     TLSX* extension;
    7675. 

  7675.     QSHScheme* qsh;
    7676. 

  7676.     QSHScheme* next;
    7677. 

  7677. 

  7678.     /* add supported QSHSchemes */
    7679. 

  7679.     WOLFSSL_MSG("Adding supported QSH Schemes");
    7680. 

  7680. #endif
    7681. 

  7681. 

  7682.     /* server will add extension depending on whats parsed from client */
    7683. 

  7683.     if (!isServer) {
    7684. 

  7684. #ifdef HAVE_QSH
    7685. 

  7685.         /* test if user has set a specific scheme already */
    7686. 

  7686.         if (!ssl->user_set_QSHSchemes) {
    7687. 

  7687.             if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) {
    7688. 

  7688.                 if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS743)) != 0) {
    7689. 

  7689.                     WOLFSSL_MSG("Error creating ntru keys");
    7690. 

  7690.                     return ret;
    7691. 

  7691.                 }
    7692. 

  7692.                 if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS593)) != 0) {
    7693. 

  7693.                     WOLFSSL_MSG("Error creating ntru keys");
    7694. 

  7694.                     return ret;
    7695. 

  7695.                 }
    7696. 

  7696.                 if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS439)) != 0) {
    7697. 

  7697.                     WOLFSSL_MSG("Error creating ntru keys");
    7698. 

  7698.                     return ret;
    7699. 

  7699.                 }
    7700. 

  7700. 

  7701.             /* add NTRU 256 */
    7702. 

  7702.             public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
    7703. 

  7703.                     &public_key_len, WOLFSSL_NTRU_EESS743);
    7704. 

  7704.             }
    7705. 

  7705.             if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS743,
    7706. 

  7706.                                   public_key, public_key_len, ssl->heap)
    7707. 

  7707.                                   != WOLFSSL_SUCCESS)
    7708. 

  7708.                 ret = -1;
    7709. 

  7709. 

  7710.             /* add NTRU 196 */
    7711. 

  7711.             if (ssl->sendQSHKeys) {
    7712. 

  7712.                 public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
    7713. 

  7713.                     &public_key_len, WOLFSSL_NTRU_EESS593);
    7714. 

  7714.             }
    7715. 

  7715.             if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS593,
    7716. 

  7716.                                   public_key, public_key_len, ssl->heap)
    7717. 

  7717.                                   != WOLFSSL_SUCCESS)
    7718. 

  7718.                 ret = -1;
    7719. 

  7719. 

  7720.             /* add NTRU 128 */
    7721. 

  7721.             if (ssl->sendQSHKeys) {
    7722. 

  7722.                 public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
    7723. 

  7723.                     &public_key_len, WOLFSSL_NTRU_EESS439);
    7724. 

  7724.             }
    7725. 

  7725.             if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS439,
    7726. 

  7726.                                   public_key, public_key_len, ssl->heap)
    7727. 

  7727.                                   != WOLFSSL_SUCCESS)
    7728. 

  7728.                 ret = -1;
    7729. 

  7729.         }
    7730. 

  7730.         else if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) {
    7731. 

  7731.             /* for each scheme make a client key */
    7732. 

  7732.             extension = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID);
    7733. 

  7733.             if (extension) {
    7734. 

  7734.                 qsh = (QSHScheme*)extension->data;
    7735. 

  7735. 

  7736.                 while (qsh) {
    7737. 

  7737.                     if ((ret = TLSX_CreateQSHKey(ssl, qsh->name)) != 0)
    7738. 

  7738.                         return ret;
    7739. 

  7739. 

  7740.                     /* get next now because qsh could be freed */
    7741. 

  7741.                     next = qsh->next;
    7742. 

  7742. 

  7743.                     /* find the public key created and add to extension*/
    7744. 

  7744.                     public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
    7745. 

  7745.                              &public_key_len, qsh->name);
    7746. 

  7746.                     if (TLSX_UseQSHScheme(&ssl->extensions, qsh->name,
    7747. 

  7747.                                           public_key, public_key_len,
    7748. 

  7748.                                           ssl->heap) != WOLFSSL_SUCCESS)
    7749. 

  7749.                         ret = -1;
    7750. 

  7750.                     qsh = next;
    7751. 

  7751.                 }
    7752. 

  7752.             }
    7753. 

  7753.         }
    7754. 

  7754. #endif
    7755. 

  7755. 

  7756. #if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
    7757. 

  7757.         if (!ssl->options.userCurves && !ssl->ctx->userCurves &&
    7758. 

  7758.                TLSX_Find(ssl->ctx->extensions, TLSX_SUPPORTED_GROUPS) == NULL) {
    7759. 

  7759. 

  7760.     #ifndef HAVE_FIPS
    7761. 

  7761.         #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
    7762. 

  7762.             #ifndef NO_ECC_SECP
    7763. 

  7763.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7764. 

  7764.                                               WOLFSSL_ECC_SECP160R1, ssl->heap);
    7765. 

  7765.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7766. 

  7766.             #endif
    7767. 

  7767.             #ifdef HAVE_ECC_SECPR2
    7768. 

  7768.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7769. 

  7769.                                               WOLFSSL_ECC_SECP160R2, ssl->heap);
    7770. 

  7770.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7771. 

  7771.             #endif
    7772. 

  7772.             #ifdef HAVE_ECC_KOBLITZ
    7773. 

  7773.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7774. 

  7774.                                               WOLFSSL_ECC_SECP160K1, ssl->heap);
    7775. 

  7775.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7776. 

  7776.             #endif
    7777. 

  7777.         #endif
    7778. 

  7778.         #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
    7779. 

  7779.             #ifndef NO_ECC_SECP
    7780. 

  7780.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7781. 

  7781.                                               WOLFSSL_ECC_SECP192R1, ssl->heap);
    7782. 

  7782.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7783. 

  7783.             #endif
    7784. 

  7784.             #ifdef HAVE_ECC_KOBLITZ
    7785. 

  7785.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7786. 

  7786.                                               WOLFSSL_ECC_SECP192K1, ssl->heap);
    7787. 

  7787.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7788. 

  7788.             #endif
    7789. 

  7789.         #endif
    7790. 

  7790.     #endif
    7791. 

  7791.         #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
    7792. 

  7792.             #ifndef NO_ECC_SECP
    7793. 

  7793.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7794. 

  7794.                                               WOLFSSL_ECC_SECP224R1, ssl->heap);
    7795. 

  7795.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7796. 

  7796.             #endif
    7797. 

  7797.             #ifdef HAVE_ECC_KOBLITZ
    7798. 

  7798.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7799. 

  7799.                                               WOLFSSL_ECC_SECP224K1, ssl->heap);
    7800. 

  7800.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7801. 

  7801.             #endif
    7802. 

  7802.         #endif
    7803. 

  7803.         #if !defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)
    7804. 

  7804.             #ifndef NO_ECC_SECP
    7805. 

  7805.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7806. 

  7806.                                               WOLFSSL_ECC_SECP256R1, ssl->heap);
    7807. 

  7807.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7808. 

  7808.             #endif
    7809. 

  7809.             #if defined(HAVE_CURVE25519)
    7810. 

  7810.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7811. 

  7811.                                                  WOLFSSL_ECC_X25519, ssl->heap);
    7812. 

  7812.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7813. 

  7813.             #endif
    7814. 

  7814.             #ifdef HAVE_ECC_KOBLITZ
    7815. 

  7815.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7816. 

  7816.                                               WOLFSSL_ECC_SECP256K1, ssl->heap);
    7817. 

  7817.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7818. 

  7818.             #endif
    7819. 

  7819.             #ifdef HAVE_ECC_BRAINPOOL
    7820. 

  7820.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7821. 

  7821.                                         WOLFSSL_ECC_BRAINPOOLP256R1, ssl->heap);
    7822. 

  7822.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7823. 

  7823.             #endif
    7824. 

  7824.         #endif
    7825. 

  7825.         #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
    7826. 

  7826.             #ifndef NO_ECC_SECP
    7827. 

  7827.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7828. 

  7828.                                               WOLFSSL_ECC_SECP384R1, ssl->heap);
    7829. 

  7829.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7830. 

  7830.             #endif
    7831. 

  7831.             #ifdef HAVE_ECC_BRAINPOOL
    7832. 

  7832.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7833. 

  7833.                                         WOLFSSL_ECC_BRAINPOOLP384R1, ssl->heap);
    7834. 

  7834.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7835. 

  7835.             #endif
    7836. 

  7836.         #endif
    7837. 

  7837.         #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
    7838. 

  7838.             #ifdef HAVE_ECC_BRAINPOOL
    7839. 

  7839.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7840. 

  7840.                                         WOLFSSL_ECC_BRAINPOOLP512R1, ssl->heap);
    7841. 

  7841.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7842. 

  7842.             #endif
    7843. 

  7843.         #endif
    7844. 

  7844.         #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
    7845. 

  7845.             #ifndef NO_ECC_SECP
    7846. 

  7846.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7847. 

  7847.                                               WOLFSSL_ECC_SECP521R1, ssl->heap);
    7848. 

  7848.                 if (ret != WOLFSSL_SUCCESS) return ret;
    7849. 

  7849.             #endif
    7850. 

  7850.         #endif
    7851. 

  7851.         }
    7852. 

  7852. #endif /* HAVE_ECC && HAVE_SUPPORTED_CURVES */
    7853. 

  7853.     } /* is not server */
    7854. 

  7854. 

  7855.     WOLFSSL_MSG("Adding signature algorithms extension");
    7856. 

  7856.     if ((ret = TLSX_SetSignatureAlgorithms(&ssl->extensions, ssl, ssl->heap))
    7857. 

  7857.                                                                          != 0) {
    7858. 

  7858.             return ret;
    7859. 

  7859.     }
    7860. 

  7860. 

  7861.     #ifdef WOLFSSL_TLS13
    7862. 

  7862.         if (!isServer && IsAtLeastTLSv1_3(ssl->version)) {
    7863. 

  7863.             /* Add mandatory TLS v1.3 extension: supported version */
    7864. 

  7864.             WOLFSSL_MSG("Adding supported versions extension");
    7865. 

  7865.             if ((ret = TLSX_SetSupportedVersions(&ssl->extensions, ssl,
    7866. 

  7866.                                                  ssl->heap)) != 0)
    7867. 

  7867.                 return ret;
    7868. 

  7868. 

  7869. #ifdef HAVE_SUPPORTED_CURVES
    7870. 

  7870.             if (!ssl->options.userCurves && !ssl->ctx->userCurves &&
    7871. 

  7871.                 TLSX_Find(ssl->ctx->extensions, TLSX_SUPPORTED_GROUPS)
    7872. 

  7872.                                                                       == NULL) {
    7873. 

  7873.                 /* Add FFDHE supported groups. */
    7874. 

  7874.         #ifdef HAVE_FFDHE_2048
    7875. 

  7875.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7876. 

  7876.                                              WOLFSSL_FFDHE_2048, ssl->heap);
    7877. 

  7877.                 if (ret != WOLFSSL_SUCCESS)
    7878. 

  7878.                     return ret;
    7879. 

  7879.         #endif
    7880. 

  7880.         #ifdef HAVE_FFDHE_3072
    7881. 

  7881.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7882. 

  7882.                                              WOLFSSL_FFDHE_3072, ssl->heap);
    7883. 

  7883.                 if (ret != WOLFSSL_SUCCESS)
    7884. 

  7884.                     return ret;
    7885. 

  7885.         #endif
    7886. 

  7886.         #ifdef HAVE_FFDHE_4096
    7887. 

  7887.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7888. 

  7888.                                              WOLFSSL_FFDHE_4096, ssl->heap);
    7889. 

  7889.                 if (ret != WOLFSSL_SUCCESS)
    7890. 

  7890.                     return ret;
    7891. 

  7891.         #endif
    7892. 

  7892.         #ifdef HAVE_FFDHE_6144
    7893. 

  7893.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7894. 

  7894.                                              WOLFSSL_FFDHE_6144, ssl->heap);
    7895. 

  7895.                 if (ret != WOLFSSL_SUCCESS)
    7896. 

  7896.                     return ret;
    7897. 

  7897.         #endif
    7898. 

  7898.         #ifdef HAVE_FFDHE_8192
    7899. 

  7899.                 ret = TLSX_UseSupportedCurve(&ssl->extensions,
    7900. 

  7900.                                              WOLFSSL_FFDHE_8192, ssl->heap);
    7901. 

  7901.                 if (ret != WOLFSSL_SUCCESS)
    7902. 

  7902.                     return ret;
    7903. 

  7903.         #endif
    7904. 

  7904.                 ret = 0;
    7905. 

  7905.             }
    7906. 

  7906. #endif
    7907. 

  7907. 

  7908.             if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) {
    7909. 

  7909.         #if defined(HAVE_ECC) && (!defined(NO_ECC256) || \
    7910. 

  7910.                               defined(HAVE_ALL_CURVES)) && !defined(NO_ECC_SECP)
    7911. 

  7911.                 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP256R1, 0, NULL,
    7912. 

  7912.                                         NULL);
    7913. 

  7913.         #elif defined(HAVE_ECC) && defined(HAVE_CURVE25519)
    7914. 

  7914.                 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_X25519, 0, NULL, NULL);
    7915. 

  7915.         #elif defined(HAVE_ECC) && (!defined(NO_ECC384) || \
    7916. 

  7916.                               defined(HAVE_ALL_CURVES)) && !defined(NO_ECC_SECP)
    7917. 

  7917.                 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP384R1, 0, NULL,
    7918. 

  7918.                                         NULL);
    7919. 

  7919.         #elif defined(HAVE_ECC) && (!defined(NO_ECC521) || \
    7920. 

  7920.                               defined(HAVE_ALL_CURVES)) && !defined(NO_ECC_SECP)
    7921. 

  7921.                 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP521R1, 0, NULL,
    7922. 

  7922.                                         NULL);
    7923. 

  7923.         #elif defined(HAVE_FFDHE_2048)
    7924. 

  7924.                 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_FFDHE_2048, 0, NULL, NULL);
    7925. 

  7925.         #elif defined(HAVE_FFDHE_3072)
    7926. 

  7926.                 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_FFDHE_3072, 0, NULL, NULL);
    7927. 

  7927.         #elif defined(HAVE_FFDHE_4096)
    7928. 

  7928.                 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_FFDHE_4096, 0, NULL, NULL);
    7929. 

  7929.         #elif defined(HAVE_FFDHE_6144)
    7930. 

  7930.                 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_FFDHE_6144, 0, NULL, NULL);
    7931. 

  7931.         #elif defined(HAVE_FFDHE_8192)
    7932. 

  7932.                 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_FFDHE_8192, 0, NULL, NULL);
    7933. 

  7933.         #else
    7934. 

  7934.                 ret = KEY_SHARE_ERROR;
    7935. 

  7935.         #endif
    7936. 

  7936.                 if (ret != 0)
    7937. 

  7937.                     return ret;
    7938. 

  7938.             }
    7939. 

  7939. 

  7940.         #if defined(HAVE_SESSION_TICKET)
    7941. 

  7941.             if (ssl->options.resuming) {
    7942. 

  7942.                 WOLFSSL_SESSION* sess = &ssl->session;
    7943. 

  7943.                 word32           milli;
    7944. 

  7944. 

  7945.                 /* Determine the MAC algorithm for the cipher suite used. */
    7946. 

  7946.                 ssl->options.cipherSuite0 = sess->cipherSuite0;
    7947. 

  7947.                 ssl->options.cipherSuite  = sess->cipherSuite;
    7948. 

  7948.                 ret = SetCipherSpecs(ssl);
    7949. 

  7949.                 if (ret != 0)
    7950. 

  7950.                     return ret;
    7951. 

  7951.                 milli = TimeNowInMilliseconds() - sess->ticketSeen +
    7952. 

  7952.                         sess->ticketAdd;
    7953. 

  7953.                 /* Pre-shared key is mandatory extension for resumption. */
    7954. 

  7954.                 ret = TLSX_PreSharedKey_Use(ssl, sess->ticket, sess->ticketLen,
    7955. 

  7955.                                             milli, ssl->specs.mac_algorithm,
    7956. 

  7956.                                             ssl->options.cipherSuite0,
    7957. 

  7957.                                             ssl->options.cipherSuite, 1,
    7958. 

  7958.                                             NULL);
    7959. 

  7959.                 if (ret != 0)
    7960. 

  7960.                     return ret;
    7961. 

  7961. 

  7962.                 usingPSK = 1;
    7963. 

  7963.             }
    7964. 

  7964.         #endif
    7965. 

  7965.         #ifndef NO_PSK
    7966. 

  7966.             if (ssl->options.client_psk_cb != NULL) {
    7967. 

  7967.                 /* Default ciphersuite. */
    7968. 

  7968.                 byte cipherSuite0 = TLS13_BYTE;
    7969. 

  7969.                 byte cipherSuite = WOLFSSL_DEF_PSK_CIPHER;
    7970. 

  7970. 

  7971.                 ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
    7972. 

  7972.                         ssl->arrays->server_hint, ssl->arrays->client_identity,
    7973. 

  7973.                         MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
    7974. 

  7974.                 if (ssl->arrays->psk_keySz == 0 ||
    7975. 

  7975.                                      ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
    7976. 

  7976.                     return PSK_KEY_ERROR;
    7977. 

  7977.                 }
    7978. 

  7978.                 ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0';
    7979. 

  7979.                 /* TODO: Callback should be able to change ciphersuite. */
    7980. 

  7980.                 ssl->options.cipherSuite0 = cipherSuite0;
    7981. 

  7981.                 ssl->options.cipherSuite  = cipherSuite;
    7982. 

  7982.                 ret = SetCipherSpecs(ssl);
    7983. 

  7983.                 if (ret != 0)
    7984. 

  7984.                     return ret;
    7985. 

  7985. 

  7986.                 ret = TLSX_PreSharedKey_Use(ssl,
    7987. 

  7987.                                   (byte*)ssl->arrays->client_identity,
    7988. 

  7988.                                   (word16)XSTRLEN(ssl->arrays->client_identity),
    7989. 

  7989.                                   0, ssl->specs.mac_algorithm,
    7990. 

  7990.                                   cipherSuite0, cipherSuite, 0,
    7991. 

  7991.                                   NULL);
    7992. 

  7992.                 if (ret != 0)
    7993. 

  7993.                     return ret;
    7994. 

  7994. 

  7995.                 usingPSK = 1;
    7996. 

  7996.             }
    7997. 

  7997.         #endif
    7998. 

  7998.         #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    7999. 

  7999.             if (usingPSK) {
    8000. 

  8000.                 byte modes;
    8001. 

  8001. 

  8002.                 /* Pre-shared key modes: mandatory extension for resumption. */
    8003. 

  8003.                 modes = 1 << PSK_KE;
    8004. 

  8004.             #if !defined(NO_DH) || defined(HAVE_ECC)
    8005. 

  8005.                 if (!ssl->options.noPskDheKe)
    8006. 

  8006.                     modes |= 1 << PSK_DHE_KE;
    8007. 

  8007.             #endif
    8008. 

  8008.                 ret = TLSX_PskKeModes_Use(ssl, modes);
    8009. 

  8009.                 if (ret != 0)
    8010. 

  8010.                     return ret;
    8011. 

  8011.             }
    8012. 

  8012.         #endif
    8013. 

  8013.         #if defined(WOLFSSL_POST_HANDSHAKE_AUTH)
    8014. 

  8014.             if (!isServer && ssl->options.postHandshakeAuth) {
    8015. 

  8015.                 ret = TLSX_PostHandAuth_Use(ssl);
    8016. 

  8016.                 if (ret != 0)
    8017. 

  8017.                     return ret;
    8018. 

  8018.             }
    8019. 

  8019.         #endif
    8020. 

  8020.         }
    8021. 

  8021. 

  8022.     #endif
    8023. 

  8023. 

  8024.     (void)isServer;
    8025. 

  8025.     (void)public_key;
    8026. 

  8026.     (void)public_key_len;
    8027. 

  8027.     (void)ssl;
    8028. 

  8028. 

  8029.     if (ret == WOLFSSL_SUCCESS)
    8030. 

  8030.         ret = 0;
    8031. 

  8031. 

  8032.     return ret;
    8033. 

  8033. }
    8034. 

  8034. 

  8035. 

  8036. #ifndef NO_WOLFSSL_CLIENT
    8037. 

  8037. 

  8038. /** Tells the buffered size of extensions to be sent into the client hello. */
    8039. 

  8039. word16 TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType)
    8040. 

  8040. {
    8041. 

  8041.     word16 length = 0;
    8042. 

  8042.     byte semaphore[SEMAPHORE_SIZE] = {0};
    8043. 

  8043. 

  8044.     if (!TLSX_SupportExtensions(ssl))
    8045. 

  8045.         return 0;
    8046. 

  8046.     if (msgType == client_hello) {
    8047. 

  8047.         EC_VALIDATE_REQUEST(ssl, semaphore);
    8048. 

  8048.         PF_VALIDATE_REQUEST(ssl, semaphore);
    8049. 

  8049.         QSH_VALIDATE_REQUEST(ssl, semaphore);
    8050. 

  8050.         WOLF_STK_VALIDATE_REQUEST(ssl);
    8051. 

  8051.         if (ssl->suites->hashSigAlgoSz == 0)
    8052. 

  8052.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
    8053. 

  8053. #if defined(WOLFSSL_TLS13)
    8054. 

  8054.         if (!IsAtLeastTLSv1_2(ssl))
    8055. 

  8055.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
    8056. 

  8056.         if (!IsAtLeastTLSv1_3(ssl->version)) {
    8057. 

  8057.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
    8058. 

  8058.     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    8059. 

  8059.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
    8060. 

  8060.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PSK_KEY_EXCHANGE_MODES));
    8061. 

  8061.     #endif
    8062. 

  8062.     #ifdef WOLFSSL_EARLY_DATA
    8063. 

  8063.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA));
    8064. 

  8064.     #endif
    8065. 

  8065.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
    8066. 

  8066.     #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    8067. 

  8067.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_POST_HANDSHAKE_AUTH));
    8068. 

  8068.     #endif
    8069. 

  8069.         }
    8070. 

  8070. #endif
    8071. 

  8071.     #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
    8072. 

  8072.      || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
    8073. 

  8073.         if (!ssl->ctx->cm->ocspStaplingEnabled) {
    8074. 

  8074.             /* mark already sent, so it won't send it */
    8075. 

  8075.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
    8076. 

  8076.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2));
    8077. 

  8077.         }
    8078. 

  8078.     #endif
    8079. 

  8079.     }
    8080. 

  8080. #ifdef WOLFSSL_TLS13
    8081. 

  8081.     #ifndef NO_CERTS
    8082. 

  8082.     else if (msgType == certificate_request) {
    8083. 

  8083.         XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
    8084. 

  8084.         TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
    8085. 

  8085.         TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
    8086. 

  8086.         /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
    8087. 

  8087.          *       TLSX_CERTIFICATE_AUTHORITIES, OID_FILTERS
    8088. 

  8088.          */
    8089. 

  8089.     }
    8090. 

  8090.     #endif
    8091. 

  8091. #endif
    8092. 

  8092. 

  8093.     if (ssl->extensions)
    8094. 

  8094.         length += TLSX_GetSize(ssl->extensions, semaphore, msgType);
    8095. 

  8095.     if (ssl->ctx && ssl->ctx->extensions)
    8096. 

  8096.         length += TLSX_GetSize(ssl->ctx->extensions, semaphore, msgType);
    8097. 

  8097. 

  8098. #ifdef HAVE_EXTENDED_MASTER
    8099. 

  8099.     if (msgType == client_hello && ssl->options.haveEMS &&
    8100. 

  8100.                                               !IsAtLeastTLSv1_3(ssl->version)) {
    8101. 

  8101.         length += HELLO_EXT_SZ;
    8102. 

  8102.     }
    8103. 

  8103. #endif
    8104. 

  8104. 

  8105.     if (length)
    8106. 

  8106.         length += OPAQUE16_LEN; /* for total length storage. */
    8107. 

  8107. 

  8108.     return length;
    8109. 

  8109. }
    8110. 

  8110. 

  8111. /** Writes the extensions to be sent into the client hello. */
    8112. 

  8112. word16 TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType)
    8113. 

  8113. {
    8114. 

  8114.     word16 offset = 0;
    8115. 

  8115.     byte semaphore[SEMAPHORE_SIZE] = {0};
    8116. 

  8116. 

  8117.     if (!TLSX_SupportExtensions(ssl) || output == NULL)
    8118. 

  8118.         return 0;
    8119. 

  8119. 

  8120.     offset += OPAQUE16_LEN; /* extensions length */
    8121. 

  8121. 

  8122.     if (msgType == client_hello) {
    8123. 

  8123.         EC_VALIDATE_REQUEST(ssl, semaphore);
    8124. 

  8124.         PF_VALIDATE_REQUEST(ssl, semaphore);
    8125. 

  8125.         WOLF_STK_VALIDATE_REQUEST(ssl);
    8126. 

  8126.         QSH_VALIDATE_REQUEST(ssl, semaphore);
    8127. 

  8127.         if (ssl->suites->hashSigAlgoSz == 0)
    8128. 

  8128.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
    8129. 

  8129. #ifdef WOLFSSL_TLS13
    8130. 

  8130.         if (!IsAtLeastTLSv1_2(ssl))
    8131. 

  8131.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
    8132. 

  8132.         if (!IsAtLeastTLSv1_3(ssl->version)) {
    8133. 

  8133.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
    8134. 

  8134.     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    8135. 

  8135.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PSK_KEY_EXCHANGE_MODES));
    8136. 

  8136.     #endif
    8137. 

  8137.     #ifdef WOLFSSL_EARLY_DATA
    8138. 

  8138.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA));
    8139. 

  8139.     #endif
    8140. 

  8140.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
    8141. 

  8141.     #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    8142. 

  8142.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_POST_HANDSHAKE_AUTH));
    8143. 

  8143.     #endif
    8144. 

  8144.         }
    8145. 

  8145.     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    8146. 

  8146.         /* Must write Pre-shared Key extension at the end in TLS v1.3.
    8147. 

  8147.          * Must not write out Pre-shared Key extension in earlier versions of
    8148. 

  8148.          * protocol.
    8149. 

  8149.          */
    8150. 

  8150.         TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
    8151. 

  8151.     #endif
    8152. 

  8152. #endif
    8153. 

  8153.     #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
    8154. 

  8154.      || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
    8155. 

  8155.          /* mark already sent, so it won't send it */
    8156. 

  8156.         if (!ssl->ctx->cm->ocspStaplingEnabled) {
    8157. 

  8157.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
    8158. 

  8158.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2));
    8159. 

  8159.         }
    8160. 

  8160.     #endif
    8161. 

  8161.     }
    8162. 

  8162. #ifdef WOLFSSL_TLS13
    8163. 

  8163.     #ifndef NO_CERT
    8164. 

  8164.     else if (msgType == certificate_request) {
    8165. 

  8165.         XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
    8166. 

  8166.         TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
    8167. 

  8167.         TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
    8168. 

  8168.         /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
    8169. 

  8169.          *       TLSX_CERTIFICATE_AUTHORITIES, TLSX_OID_FILTERS
    8170. 

  8170.          */
    8171. 

  8171.     }
    8172. 

  8172.     #endif
    8173. 

  8173. #endif
    8174. 

  8174. 

  8175.     if (ssl->extensions) {
    8176. 

  8176.         offset += TLSX_Write(ssl->extensions, output + offset, semaphore,
    8177. 

  8177.                              msgType);
    8178. 

  8178.     }
    8179. 

  8179.     if (ssl->ctx && ssl->ctx->extensions) {
    8180. 

  8180.         offset += TLSX_Write(ssl->ctx->extensions, output + offset, semaphore,
    8181. 

  8181.                              msgType);
    8182. 

  8182.     }
    8183. 

  8183. 

  8184. #ifdef HAVE_EXTENDED_MASTER
    8185. 

  8185.     if (msgType == client_hello && ssl->options.haveEMS &&
    8186. 

  8186.                                               !IsAtLeastTLSv1_3(ssl->version)) {
    8187. 

  8187.         c16toa(HELLO_EXT_EXTMS, output + offset);
    8188. 

  8188.         offset += HELLO_EXT_TYPE_SZ;
    8189. 

  8189.         c16toa(0, output + offset);
    8190. 

  8190.         offset += HELLO_EXT_SZ_SZ;
    8191. 

  8191.     }
    8192. 

  8192. #endif
    8193. 

  8193. 

  8194. #ifdef WOLFSSL_TLS13
    8195. 

  8195.     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    8196. 

  8196.     if (msgType == client_hello && IsAtLeastTLSv1_3(ssl->version)) {
    8197. 

  8197.         /* Write out what we can of Pre-shared key extension.  */
    8198. 

  8198.         TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
    8199. 

  8199.         offset += TLSX_Write(ssl->extensions, output + offset, semaphore,
    8200. 

  8200.                              client_hello);
    8201. 

  8201.     }
    8202. 

  8202.     #endif
    8203. 

  8203. #endif
    8204. 

  8204. 

  8205.     if (offset > OPAQUE16_LEN || msgType != client_hello)
    8206. 

  8206.         c16toa(offset - OPAQUE16_LEN, output); /* extensions length */
    8207. 

  8207. 

  8208.     return offset;
    8209. 

  8209. }
    8210. 

  8210. 

  8211. #endif /* NO_WOLFSSL_CLIENT */
    8212. 

  8212. 

  8213. #ifndef NO_WOLFSSL_SERVER
    8214. 

  8214. 

  8215. /** Tells the buffered size of extensions to be sent into the server hello. */
    8216. 

  8216. word16 TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType)
    8217. 

  8217. {
    8218. 

  8218.     word16 length = 0;
    8219. 

  8219.     byte semaphore[SEMAPHORE_SIZE] = {0};
    8220. 

  8220. 

  8221.     switch (msgType) {
    8222. 

  8222.         case server_hello:
    8223. 

  8223.             PF_VALIDATE_RESPONSE(ssl, semaphore);
    8224. 

  8224. #ifdef WOLFSSL_TLS13
    8225. 

  8225.                 if (ssl->options.tls1_3) {
    8226. 

  8226.                     XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
    8227. 

  8227. #ifndef WOLFSSL_TLS13_DRAFT_18
    8228. 

  8228.                     TURN_OFF(semaphore,
    8229. 

  8229.                                      TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
    8230. 

  8230. #endif
    8231. 

  8231.                     TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
    8232. 

  8232.     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    8233. 

  8233.                     TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
    8234. 

  8234.     #endif
    8235. 

  8235.                 }
    8236. 

  8236.                 else {
    8237. 

  8237.                     TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
    8238. 

  8238.     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    8239. 

  8239.                     TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
    8240. 

  8240.     #endif
    8241. 

  8241.                 }
    8242. 

  8242. #endif
    8243. 

  8243.             break;
    8244. 

  8244. #ifdef WOLFSSL_TLS13
    8245. 

  8245.         case hello_retry_request:
    8246. 

  8246.             XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
    8247. 

  8247. #ifndef WOLFSSL_TLS13_DRAFT_18
    8248. 

  8248.                 TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
    8249. 

  8249. #endif
    8250. 

  8250.             TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
    8251. 

  8251.             TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
    8252. 

  8252.             break;
    8253. 

  8253. #endif
    8254. 

  8254. #ifdef WOLFSSL_TLS13
    8255. 

  8255.         case encrypted_extensions:
    8256. 

  8256.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
    8257. 

  8257.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
    8258. 

  8258.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SESSION_TICKET));
    8259. 

  8259.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
    8260. 

  8260.     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    8261. 

  8261.             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
    8262. 

  8262.     #endif
    8263. 

  8263.             break;
    8264. 

  8264.     #ifdef WOLFSSL_EARLY_DATA
    8265. 

  8265.         case session_ticket:
    8266. 

  8266.             if (ssl->options.tls1_3) {
    8267. 

  8267.                 XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
    8268. 

  8268.                 TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA));
    8269. 

  8269.             }
    8270. 

  8270.             break;
    8271. 

  8271.     #endif
    8272. 

  8272.     #ifndef NO_CERT
    8273. 

  8273.         case certificate:
    8274. 

  8274.             XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
    8275. 

  8275.             TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
    8276. 

  8276.             /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
    8277. 

  8277.              *       TLSX_SERVER_CERTIFICATE_TYPE
    8278. 

  8278.              */
    8279. 

  8279.             break;
    8280. 

  8280.     #endif
    8281. 

  8281. #endif
    8282. 

  8282.     }
    8283. 

  8283. 

  8284.     #ifdef HAVE_QSH
    8285. 

  8285.         /* change response if not using TLS_QSH */
    8286. 

  8286.         if (!ssl->options.haveQSH) {
    8287. 

  8287.             TLSX* ext = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID);
    8288. 

  8288.             if (ext)
    8289. 

  8289.                 ext->resp = 0;
    8290. 

  8290.         }
    8291. 

  8291.     #endif
    8292. 

  8292. 

  8293. #ifdef HAVE_EXTENDED_MASTER
    8294. 

  8294.     if (ssl->options.haveEMS && msgType == server_hello)
    8295. 

  8295.         length += HELLO_EXT_SZ;
    8296. 

  8296. #endif
    8297. 

  8297. 

  8298.     if (TLSX_SupportExtensions(ssl))
    8299. 

  8299.         length += TLSX_GetSize(ssl->extensions, semaphore, msgType);
    8300. 

  8300. 

  8301.     /* All the response data is set at the ssl object only, so no ctx here. */
    8302. 

  8302. 

  8303.     if (length || msgType != server_hello)
    8304. 

  8304.         length += OPAQUE16_LEN; /* for total length storage. */
    8305. 

  8305. 

  8306.     return length;
    8307. 

  8307. }
    8308. 

  8308. 

  8309. /** Writes the server hello extensions into a buffer. */
    8310. 

  8310. word16 TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType)
    8311. 

  8311. {
    8312. 

  8312.     word16 offset = 0;
    8313. 

  8313. 

  8314.     if (TLSX_SupportExtensions(ssl) && output) {
    8315. 

  8315.         byte semaphore[SEMAPHORE_SIZE] = {0};
    8316. 

  8316. 

  8317.         switch (msgType) {
    8318. 

  8318.             case server_hello:
    8319. 

  8319.                 PF_VALIDATE_RESPONSE(ssl, semaphore);
    8320. 

  8320. #ifdef WOLFSSL_TLS13
    8321. 

  8321.                 if (ssl->options.tls1_3) {
    8322. 

  8322.                     XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
    8323. 

  8323. #ifndef WOLFSSL_TLS13_DRAFT_18
    8324. 

  8324.                     TURN_OFF(semaphore,
    8325. 

  8325.                                      TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
    8326. 

  8326. #endif
    8327. 

  8327.                     TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
    8328. 

  8328.     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    8329. 

  8329.                     TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
    8330. 

  8330.     #endif
    8331. 

  8331.                 }
    8332. 

  8332.                 else {
    8333. 

  8333.                     TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
    8334. 

  8334.     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    8335. 

  8335.                     TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
    8336. 

  8336.     #endif
    8337. 

  8337.                 }
    8338. 

  8338. #endif
    8339. 

  8339.                 break;
    8340. 

  8340. #ifdef WOLFSSL_TLS13
    8341. 

  8341.             case hello_retry_request:
    8342. 

  8342.                 XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
    8343. 

  8343. #ifndef WOLFSSL_TLS13_DRAFT_18
    8344. 

  8344.                 TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
    8345. 

  8345. #endif
    8346. 

  8346.                 TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
    8347. 

  8347.                 break;
    8348. 

  8348. #endif
    8349. 

  8349. #ifdef WOLFSSL_TLS13
    8350. 

  8350.             case encrypted_extensions:
    8351. 

  8351.                 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
    8352. 

  8352.                 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
    8353. 

  8353.                 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SESSION_TICKET));
    8354. 

  8354.                 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
    8355. 

  8355.     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    8356. 

  8356.                 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
    8357. 

  8357.     #endif
    8358. 

  8358.                 break;
    8359. 

  8359.     #ifndef NO_CERTS
    8360. 

  8360.             case certificate:
    8361. 

  8361.                 XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
    8362. 

  8362.                 TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
    8363. 

  8363.                 /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
    8364. 

  8364.                  *       TLSX_SERVER_CERTIFICATE_TYPE
    8365. 

  8365.                  */
    8366. 

  8366.                 break;
    8367. 

  8367.     #endif
    8368. 

  8368.     #ifdef WOLFSSL_EARLY_DATA
    8369. 

  8369.             case session_ticket:
    8370. 

  8370.                 if (ssl->options.tls1_3) {
    8371. 

  8371.                     XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
    8372. 

  8372.                     TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA));
    8373. 

  8373.                 }
    8374. 

  8374.                 break;
    8375. 

  8375.     #endif
    8376. 

  8376. #endif
    8377. 

  8377.         }
    8378. 

  8378. 

  8379.         offset += OPAQUE16_LEN; /* extensions length */
    8380. 

  8380. 

  8381.         offset += TLSX_Write(ssl->extensions, output + offset, semaphore,
    8382. 

  8382.                              msgType);
    8383. 

  8383. 

  8384. #ifdef WOLFSSL_TLS13
    8385. 

  8385.         if (msgType == hello_retry_request) {
    8386. 

  8386.             XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
    8387. 

  8387.             TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
    8388. 

  8388.             offset += TLSX_Write(ssl->extensions, output + offset, semaphore,
    8389. 

  8389.                                  msgType);
    8390. 

  8390.         }
    8391. 

  8391. #endif
    8392. 

  8392. 

  8393. #ifdef HAVE_EXTENDED_MASTER
    8394. 

  8394.         if (ssl->options.haveEMS && msgType == server_hello) {
    8395. 

  8395.             c16toa(HELLO_EXT_EXTMS, output + offset);
    8396. 

  8396.             offset += HELLO_EXT_TYPE_SZ;
    8397. 

  8397.             c16toa(0, output + offset);
    8398. 

  8398.             offset += HELLO_EXT_SZ_SZ;
    8399. 

  8399.         }
    8400. 

  8400. #endif
    8401. 

  8401. 

  8402.         if (offset > OPAQUE16_LEN || msgType != server_hello)
    8403. 

  8403.             c16toa(offset - OPAQUE16_LEN, output); /* extensions length */
    8404. 

  8404.     }
    8405. 

  8405. 

  8406.     return offset;
    8407. 

  8407. }
    8408. 

  8408. 

  8409. #endif /* NO_WOLFSSL_SERVER */
    8410. 

  8410. 

  8411. /** Parses a buffer of TLS extensions. */
    8412. 

  8412. int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
    8413. 

  8413.                                                                  Suites *suites)
    8414. 

  8414. {
    8415. 

  8415.     int ret = 0;
    8416. 

  8416.     word16 offset = 0;
    8417. 

  8417.     byte isRequest = (msgType == client_hello ||
    8418. 

  8418.                       msgType == certificate_request);
    8419. 

  8419. 

  8420. #ifdef HAVE_EXTENDED_MASTER
    8421. 

  8421.     byte pendingEMS = 0;
    8422. 

  8422. #endif
    8423. 

  8423. 

  8424.     if (!ssl || !input || (isRequest && !suites))
    8425. 

  8425.         return BAD_FUNC_ARG;
    8426. 

  8426. 

  8427.     while (ret == 0 && offset < length) {
    8428. 

  8428.         word16 type;
    8429. 

  8429.         word16 size;
    8430. 

  8430. 

  8431.         if (length - offset < HELLO_EXT_TYPE_SZ + OPAQUE16_LEN)
    8432. 

  8432.             return BUFFER_ERROR;
    8433. 

  8433. 

  8434.         ato16(input + offset, &type);
    8435. 

  8435.         offset += HELLO_EXT_TYPE_SZ;
    8436. 

  8436. 

  8437.         ato16(input + offset, &size);
    8438. 

  8438.         offset += OPAQUE16_LEN;
    8439. 

  8439. 

  8440.         if (offset + size > length)
    8441. 

  8441.             return BUFFER_ERROR;
    8442. 

  8442. 

  8443.         switch (type) {
    8444. 

  8444.             case TLSX_SERVER_NAME:
    8445. 

  8445.                 WOLFSSL_MSG("SNI extension received");
    8446. 

  8446. 

  8447. #ifdef WOLFSSL_TLS13
    8448. 

  8448.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8449. 

  8449.                         msgType != client_hello &&
    8450. 

  8450.                         msgType != encrypted_extensions) {
    8451. 

  8451.                     return EXT_NOT_ALLOWED;
    8452. 

  8452.                 }
    8453. 

  8453. #endif
    8454. 

  8454.                 ret = SNI_PARSE(ssl, input + offset, size, isRequest);
    8455. 

  8455.                 break;
    8456. 

  8456. 

  8457.             case TLSX_MAX_FRAGMENT_LENGTH:
    8458. 

  8458.                 WOLFSSL_MSG("Max Fragment Length extension received");
    8459. 

  8459. 

  8460. #ifdef WOLFSSL_TLS13
    8461. 

  8461.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8462. 

  8462.                         msgType != client_hello &&
    8463. 

  8463.                         msgType != encrypted_extensions) {
    8464. 

  8464.                     return EXT_NOT_ALLOWED;
    8465. 

  8465.                 }
    8466. 

  8466. #endif
    8467. 

  8467.                 ret = MFL_PARSE(ssl, input + offset, size, isRequest);
    8468. 

  8468.                 break;
    8469. 

  8469. 

  8470.             case TLSX_TRUNCATED_HMAC:
    8471. 

  8471.                 WOLFSSL_MSG("Truncated HMAC extension received");
    8472. 

  8472. 

  8473. #ifdef WOLFSSL_TLS13
    8474. 

  8474.                 if (IsAtLeastTLSv1_3(ssl->version))
    8475. 

  8475.                     return EXT_NOT_ALLOWED;
    8476. 

  8476. #endif
    8477. 

  8477.                 ret = THM_PARSE(ssl, input + offset, size, isRequest);
    8478. 

  8478.                 break;
    8479. 

  8479. 

  8480.             case TLSX_SUPPORTED_GROUPS:
    8481. 

  8481.                 WOLFSSL_MSG("Elliptic Curves extension received");
    8482. 

  8482. 

  8483. #ifdef WOLFSSL_TLS13
    8484. 

  8484.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8485. 

  8485.                         msgType != client_hello &&
    8486. 

  8486.                         msgType != encrypted_extensions) {
    8487. 

  8487.                     return EXT_NOT_ALLOWED;
    8488. 

  8488.                 }
    8489. 

  8489. #endif
    8490. 

  8490.                 ret = EC_PARSE(ssl, input + offset, size, isRequest);
    8491. 

  8491.                 break;
    8492. 

  8492. 

  8493.             case TLSX_EC_POINT_FORMATS:
    8494. 

  8494.                 WOLFSSL_MSG("Point Formats extension received");
    8495. 

  8495. 

  8496. #ifdef WOLFSSL_TLS13
    8497. 

  8497.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8498. 

  8498.                         msgType != client_hello &&
    8499. 

  8499.                         msgType != encrypted_extensions) {
    8500. 

  8500.                     return EXT_NOT_ALLOWED;
    8501. 

  8501.                 }
    8502. 

  8502. #endif
    8503. 

  8503.                 ret = PF_PARSE(ssl, input + offset, size, isRequest);
    8504. 

  8504.                 break;
    8505. 

  8505. 

  8506.             case TLSX_STATUS_REQUEST:
    8507. 

  8507.                 WOLFSSL_MSG("Certificate Status Request extension received");
    8508. 

  8508. 

  8509. #ifdef WOLFSSL_TLS13
    8510. 

  8510.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8511. 

  8511.                         msgType != client_hello &&
    8512. 

  8512.                         msgType != encrypted_extensions) {
    8513. 

  8513.                     return EXT_NOT_ALLOWED;
    8514. 

  8514.                 }
    8515. 

  8515. #endif
    8516. 

  8516.                 ret = CSR_PARSE(ssl, input + offset, size, isRequest);
    8517. 

  8517.                 break;
    8518. 

  8518. 

  8519.             case TLSX_STATUS_REQUEST_V2:
    8520. 

  8520.                 WOLFSSL_MSG("Certificate Status Request v2 extension received");
    8521. 

  8521. 

  8522. #ifdef WOLFSSL_TLS13
    8523. 

  8523.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8524. 

  8524.                         msgType != client_hello &&
    8525. 

  8525.                         msgType != encrypted_extensions) {
    8526. 

  8526.                     return EXT_NOT_ALLOWED;
    8527. 

  8527.                 }
    8528. 

  8528. #endif
    8529. 

  8529.                 ret = CSR2_PARSE(ssl, input + offset, size, isRequest);
    8530. 

  8530.                 break;
    8531. 

  8531. 

  8532. #ifdef HAVE_EXTENDED_MASTER
    8533. 

  8533.             case HELLO_EXT_EXTMS:
    8534. 

  8534.                 WOLFSSL_MSG("Extended Master Secret extension received");
    8535. 

  8535. 

  8536. #ifdef WOLFSSL_TLS13
    8537. 

  8537.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8538. 

  8538.                         msgType != client_hello) {
    8539. 

  8539.                     return EXT_NOT_ALLOWED;
    8540. 

  8540.                 }
    8541. 

  8541. #endif
    8542. 

  8542. #ifndef NO_WOLFSSL_SERVER
    8543. 

  8543.                 if (isRequest && !IsAtLeastTLSv1_3(ssl->version))
    8544. 

  8544.                     ssl->options.haveEMS = 1;
    8545. 

  8545. #endif
    8546. 

  8546.                 pendingEMS = 1;
    8547. 

  8547.                 break;
    8548. 

  8548. #endif
    8549. 

  8549. 

  8550.             case TLSX_RENEGOTIATION_INFO:
    8551. 

  8551.                 WOLFSSL_MSG("Secure Renegotiation extension received");
    8552. 

  8552. 

  8553.                 ret = SCR_PARSE(ssl, input + offset, size, isRequest);
    8554. 

  8554.                 break;
    8555. 

  8555. 

  8556.             case TLSX_SESSION_TICKET:
    8557. 

  8557.                 WOLFSSL_MSG("Session Ticket extension received");
    8558. 

  8558. 

  8559. #ifdef WOLFSSL_TLS13
    8560. 

  8560.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8561. 

  8561.                         msgType != client_hello) {
    8562. 

  8562.                     return EXT_NOT_ALLOWED;
    8563. 

  8563.                 }
    8564. 

  8564. #endif
    8565. 

  8565.                 ret = WOLF_STK_PARSE(ssl, input + offset, size, isRequest);
    8566. 

  8566.                 break;
    8567. 

  8567. 

  8568.             case TLSX_QUANTUM_SAFE_HYBRID:
    8569. 

  8569.                 WOLFSSL_MSG("Quantum-Safe-Hybrid extension received");
    8570. 

  8570. 

  8571. #ifdef WOLFSSL_TLS13
    8572. 

  8572.                 if (IsAtLeastTLSv1_3(ssl->version))
    8573. 

  8573.                     return EXT_NOT_ALLOWED;
    8574. 

  8574. #endif
    8575. 

  8575.                 ret = QSH_PARSE(ssl, input + offset, size, isRequest);
    8576. 

  8576.                 break;
    8577. 

  8577. 

  8578.             case TLSX_APPLICATION_LAYER_PROTOCOL:
    8579. 

  8579.                 WOLFSSL_MSG("ALPN extension received");
    8580. 

  8580. 

  8581. #ifdef WOLFSSL_TLS13
    8582. 

  8582.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8583. 

  8583.                         msgType != client_hello &&
    8584. 

  8584.                         msgType != encrypted_extensions) {
    8585. 

  8585.                     return EXT_NOT_ALLOWED;
    8586. 

  8586.                 }
    8587. 

  8587. #endif
    8588. 

  8588.                 ret = ALPN_PARSE(ssl, input + offset, size, isRequest);
    8589. 

  8589.                 break;
    8590. 

  8590. 

  8591.             case TLSX_SIGNATURE_ALGORITHMS:
    8592. 

  8592.                 WOLFSSL_MSG("Signature Algorithms extension received");
    8593. 

  8593. 

  8594.                 if (!IsAtLeastTLSv1_2(ssl))
    8595. 

  8595.                     break;
    8596. 

  8596. 

  8597. #ifdef WOLFSSL_TLS13
    8598. 

  8598.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8599. 

  8599.                         msgType != client_hello &&
    8600. 

  8600.                         msgType != certificate_request) {
    8601. 

  8601.                     return EXT_NOT_ALLOWED;
    8602. 

  8602.                 }
    8603. 

  8603. #endif
    8604. 

  8604.                 ret = SA_PARSE(ssl, input + offset, size, isRequest, suites);
    8605. 

  8605.                 break;
    8606. 

  8606. 

  8607. #ifdef WOLFSSL_TLS13
    8608. 

  8608.             case TLSX_SUPPORTED_VERSIONS:
    8609. 

  8609.                 WOLFSSL_MSG("Supported Versions extension received");
    8610. 

  8610. 

  8611.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8612. 

  8612. #ifdef WOLFSSL_TLS13_DRAFT_18
    8613. 

  8613.                         msgType != client_hello
    8614. 

  8614. #else
    8615. 

  8615.                         msgType != client_hello && msgType != server_hello &&
    8616. 

  8616.                         msgType != hello_retry_request
    8617. 

  8617. #endif
    8618. 

  8618.                    ) {
    8619. 

  8619.                     return EXT_NOT_ALLOWED;
    8620. 

  8620.                 }
    8621. 

  8621.                 ret = SV_PARSE(ssl, input + offset, size, msgType);
    8622. 

  8622.                 break;
    8623. 

  8623. 

  8624.             case TLSX_COOKIE:
    8625. 

  8625.                 WOLFSSL_MSG("Cookie extension received");
    8626. 

  8626. 

  8627.                 if (!IsAtLeastTLSv1_3(ssl->version))
    8628. 

  8628.                     break;
    8629. 

  8629. 

  8630.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8631. 

  8631.                         msgType != client_hello &&
    8632. 

  8632.                         msgType != hello_retry_request) {
    8633. 

  8633.                     return EXT_NOT_ALLOWED;
    8634. 

  8634.                 }
    8635. 

  8635.                 ret = CKE_PARSE(ssl, input + offset, size, msgType);
    8636. 

  8636.                 break;
    8637. 

  8637. 

  8638.             case TLSX_KEY_SHARE:
    8639. 

  8639.                 WOLFSSL_MSG("Key Share extension received");
    8640. 

  8640. 

  8641.                 if (!IsAtLeastTLSv1_3(ssl->version))
    8642. 

  8642.                     break;
    8643. 

  8643. 

  8644.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8645. 

  8645.                         msgType != client_hello && msgType != server_hello &&
    8646. 

  8646.                         msgType != hello_retry_request) {
    8647. 

  8647.                     return EXT_NOT_ALLOWED;
    8648. 

  8648.                 }
    8649. 

  8649.                 ret = KS_PARSE(ssl, input + offset, size, msgType);
    8650. 

  8650.                 break;
    8651. 

  8651. 

  8652.     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    8653. 

  8653.             case TLSX_PRE_SHARED_KEY:
    8654. 

  8654.                 WOLFSSL_MSG("Pre-Shared Key extension received");
    8655. 

  8655. 

  8656.                 if (!IsAtLeastTLSv1_3(ssl->version))
    8657. 

  8657.                     break;
    8658. 

  8658. 

  8659.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8660. 

  8660.                         msgType != client_hello && msgType != server_hello) {
    8661. 

  8661.                     return EXT_NOT_ALLOWED;
    8662. 

  8662.                 }
    8663. 

  8663.                 ret = PSK_PARSE(ssl, input + offset, size, msgType);
    8664. 

  8664.                 break;
    8665. 

  8665. 

  8666.             case TLSX_PSK_KEY_EXCHANGE_MODES:
    8667. 

  8667.                 WOLFSSL_MSG("PSK Key Exchange Modes extension received");
    8668. 

  8668. 

  8669.                 if (!IsAtLeastTLSv1_3(ssl->version))
    8670. 

  8670.                     break;
    8671. 

  8671. 

  8672.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8673. 

  8673.                         msgType != client_hello) {
    8674. 

  8674.                     return EXT_NOT_ALLOWED;
    8675. 

  8675.                 }
    8676. 

  8676.                 ret = PKM_PARSE(ssl, input + offset, size, msgType);
    8677. 

  8677.                 break;
    8678. 

  8678.     #endif
    8679. 

  8679. 

  8680.     #ifdef WOLFSSL_EARLY_DATA
    8681. 

  8681.             case TLSX_EARLY_DATA:
    8682. 

  8682.                 WOLFSSL_MSG("Early Data extension received");
    8683. 

  8683. 

  8684.                 if (!IsAtLeastTLSv1_3(ssl->version))
    8685. 

  8685.                     break;
    8686. 

  8686. 

  8687.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8688. 

  8688.                          msgType != client_hello && msgType != session_ticket &&
    8689. 

  8689.                          msgType != encrypted_extensions) {
    8690. 

  8690.                     return EXT_NOT_ALLOWED;
    8691. 

  8691.                 }
    8692. 

  8692.                 ret = EDI_PARSE(ssl, input + offset, size, msgType);
    8693. 

  8693.                 break;
    8694. 

  8694.     #endif
    8695. 

  8695. 

  8696.     #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    8697. 

  8697.             case TLSX_POST_HANDSHAKE_AUTH:
    8698. 

  8698.                 WOLFSSL_MSG("PSK Key Exchange Modes extension received");
    8699. 

  8699. 

  8700.                 if (!IsAtLeastTLSv1_3(ssl->version))
    8701. 

  8701.                     break;
    8702. 

  8702. 

  8703.                 if (IsAtLeastTLSv1_3(ssl->version) &&
    8704. 

  8704.                         msgType != client_hello) {
    8705. 

  8705.                     return EXT_NOT_ALLOWED;
    8706. 

  8706.                 }
    8707. 

  8707.                 ret = PHA_PARSE(ssl, input + offset, size, msgType);
    8708. 

  8708.                 break;
    8709. 

  8709.     #endif
    8710. 

  8710. #endif
    8711. 

  8711.         }
    8712. 

  8712. 

  8713.         /* offset should be updated here! */
    8714. 

  8714.         offset += size;
    8715. 

  8715.     }
    8716. 

  8716. 

  8717. #ifdef HAVE_EXTENDED_MASTER
    8718. 

  8718.     if (!isRequest && ssl->options.haveEMS && !pendingEMS)
    8719. 

  8719.         ssl->options.haveEMS = 0;
    8720. 

  8720. #endif
    8721. 

  8721. 

  8722.     if (ret == 0)
    8723. 

  8723.         ret = SNI_VERIFY_PARSE(ssl, isRequest);
    8724. 

  8724. 

  8725.     return ret;
    8726. 

  8726. }
    8727. 

  8727. 

  8728. /* undefining semaphore macros */
    8729. 

  8729. #undef IS_OFF
    8730. 

  8730. #undef TURN_ON
    8731. 

  8731. #undef SEMAPHORE_SIZE
    8732. 

  8732. 

  8733. #endif /* HAVE_TLS_EXTENSIONS */
    8734. 

  8734. 

  8735. #ifndef NO_WOLFSSL_CLIENT
    8736. 

  8736. 

  8737. #ifndef NO_OLD_TLS
    8738. 

  8738. 

  8739.     #ifdef WOLFSSL_ALLOW_TLSV10
    8740. 

  8740.     #ifdef OPENSSL_EXTRA
    8741. 

  8741.     /* Gets a WOLFSL_METHOD type that is not set as client or server
    8742. 

  8742.      *
    8743. 

  8743.      * Returns a pointer to a WOLFSSL_METHOD struct
    8744. 

  8744.      */
    8745. 

  8745.     WOLFSSL_METHOD* wolfTLSv1_method(void) {
    8746. 

  8746.         WOLFSSL_METHOD* m;
    8747. 

  8747.         WOLFSSL_ENTER("wolfTLSv1_method");
    8748. 

  8748.     #ifndef NO_WOLFSSL_CLIENT
    8749. 

  8749.         m = wolfTLSv1_client_method();
    8750. 

  8750.     #else
    8751. 

  8751.         m = wolfTLSv1_server_method();
    8752. 

  8752.     #endif
    8753. 

  8753.         if (m != NULL) {
    8754. 

  8754.             m->side = WOLFSSL_NEITHER_END;
    8755. 

  8755.         }
    8756. 

  8756. 

  8757.         return m;
    8758. 

  8758.     }
    8759. 

  8759.     #endif /* OPENSSL_EXTRA */
    8760. 

  8760. 

  8761.     WOLFSSL_METHOD* wolfTLSv1_client_method(void)
    8762. 

  8762.     {
    8763. 

  8763.         return wolfTLSv1_client_method_ex(NULL);
    8764. 

  8764.     }
    8765. 

  8765. 

  8766.     WOLFSSL_METHOD* wolfTLSv1_client_method_ex(void* heap)
    8767. 

  8767.     {
    8768. 

  8768.         WOLFSSL_METHOD* method =
    8769. 

  8769.                              (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
    8770. 

  8770.                                                      heap, DYNAMIC_TYPE_METHOD);
    8771. 

  8771.         if (method)
    8772. 

  8772.             InitSSL_Method(method, MakeTLSv1());
    8773. 

  8773.         return method;
    8774. 

  8774.     }
    8775. 

  8775.     #endif /* WOLFSSL_ALLOW_TLSV10 */
    8776. 

  8776. 

  8777.     WOLFSSL_METHOD* wolfTLSv1_1_client_method(void)
    8778. 

  8778.     {
    8779. 

  8779.         return wolfTLSv1_1_client_method_ex(NULL);
    8780. 

  8780.     }
    8781. 

  8781. 

  8782.     WOLFSSL_METHOD* wolfTLSv1_1_client_method_ex(void* heap)
    8783. 

  8783.     {
    8784. 

  8784.         WOLFSSL_METHOD* method =
    8785. 

  8785.                               (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
    8786. 

  8786.                                                      heap, DYNAMIC_TYPE_METHOD);
    8787. 

  8787.         if (method)
    8788. 

  8788.             InitSSL_Method(method, MakeTLSv1_1());
    8789. 

  8789.         return method;
    8790. 

  8790.     }
    8791. 

  8791. 

  8792. #endif /* !NO_OLD_TLS */
    8793. 

  8793. 

  8794. 

  8795.     WOLFSSL_METHOD* wolfTLSv1_2_client_method(void)
    8796. 

  8796.     {
    8797. 

  8797.         return wolfTLSv1_2_client_method_ex(NULL);
    8798. 

  8798.     }
    8799. 

  8799. 

  8800.     WOLFSSL_METHOD* wolfTLSv1_2_client_method_ex(void* heap)
    8801. 

  8801.     {
    8802. 

  8802.         WOLFSSL_METHOD* method =
    8803. 

  8803.                               (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
    8804. 

  8804.                                                      heap, DYNAMIC_TYPE_METHOD);
    8805. 

  8805.         (void)heap;
    8806. 

  8806.         if (method)
    8807. 

  8807.             InitSSL_Method(method, MakeTLSv1_2());
    8808. 

  8808.         return method;
    8809. 

  8809.     }
    8810. 

  8810. 

  8811. #ifdef WOLFSSL_TLS13
    8812. 

  8812.     /* The TLS v1.3 client method data.
    8813. 

  8813.      *
    8814. 

  8814.      * returns the method data for a TLS v1.3 client.
    8815. 

  8815.      */
    8816. 

  8816.     WOLFSSL_METHOD* wolfTLSv1_3_client_method(void)
    8817. 

  8817.     {
    8818. 

  8818.         return wolfTLSv1_3_client_method_ex(NULL);
    8819. 

  8819.     }
    8820. 

  8820. 

  8821.     /* The TLS v1.3 client method data.
    8822. 

  8822.      *
    8823. 

  8823.      * heap  The heap used for allocation.
    8824. 

  8824.      * returns the method data for a TLS v1.3 client.
    8825. 

  8825.      */
    8826. 

  8826.     WOLFSSL_METHOD* wolfTLSv1_3_client_method_ex(void* heap)
    8827. 

  8827.     {
    8828. 

  8828.         WOLFSSL_METHOD* method = (WOLFSSL_METHOD*)
    8829. 

  8829.                                  XMALLOC(sizeof(WOLFSSL_METHOD), heap,
    8830. 

  8830.                                          DYNAMIC_TYPE_METHOD);
    8831. 

  8831.         (void)heap;
    8832. 

  8832.         if (method)
    8833. 

  8833.             InitSSL_Method(method, MakeTLSv1_3());
    8834. 

  8834.         return method;
    8835. 

  8835.     }
    8836. 

  8836. #endif /* WOLFSSL_TLS13 */
    8837. 

  8837. 

  8838. 

  8839.     WOLFSSL_METHOD* wolfSSLv23_client_method(void)
    8840. 

  8840.     {
    8841. 

  8841.         return wolfSSLv23_client_method_ex(NULL);
    8842. 

  8842.     }
    8843. 

  8843. 

  8844. 

  8845.     WOLFSSL_METHOD* wolfSSLv23_client_method_ex(void* heap)
    8846. 

  8846.     {
    8847. 

  8847.         WOLFSSL_METHOD* method =
    8848. 

  8848.                               (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
    8849. 

  8849.                                                      heap, DYNAMIC_TYPE_METHOD);
    8850. 

  8850.         (void)heap;
    8851. 

  8851.         if (method) {
    8852. 

  8852. #if !defined(NO_SHA256) || defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512)
    8853. 

  8853. #if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NGINX)
    8854. 

  8854.             InitSSL_Method(method, MakeTLSv1_3());
    8855. 

  8855. #else
    8856. 

  8856.             InitSSL_Method(method, MakeTLSv1_2());
    8857. 

  8857. #endif
    8858. 

  8858. #else
    8859. 

  8859.     #ifndef NO_OLD_TLS
    8860. 

  8860.             InitSSL_Method(method, MakeTLSv1_1());
    8861. 

  8861.     #endif
    8862. 

  8862. #endif
    8863. 

  8863. #ifndef NO_OLD_TLS
    8864. 

  8864.             method->downgrade = 1;
    8865. 

  8865. #endif
    8866. 

  8866.         }
    8867. 

  8867.         return method;
    8868. 

  8868.     }
    8869. 

  8869. 

  8870. #endif /* NO_WOLFSSL_CLIENT */
    8871. 

  8871. 

  8872. 

  8873. 

  8874. #ifndef NO_WOLFSSL_SERVER
    8875. 

  8875. 

  8876. #ifndef NO_OLD_TLS
    8877. 

  8877.     #ifdef WOLFSSL_ALLOW_TLSV10
    8878. 

  8878.     WOLFSSL_METHOD* wolfTLSv1_server_method(void)
    8879. 

  8879.     {
    8880. 

  8880.         return wolfTLSv1_server_method_ex(NULL);
    8881. 

  8881.     }
    8882. 

  8882. 

  8883.     WOLFSSL_METHOD* wolfTLSv1_server_method_ex(void* heap)
    8884. 

  8884.     {
    8885. 

  8885.         WOLFSSL_METHOD* method =
    8886. 

  8886.                               (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
    8887. 

  8887.                                                      heap, DYNAMIC_TYPE_METHOD);
    8888. 

  8888.         if (method) {
    8889. 

  8889.             InitSSL_Method(method, MakeTLSv1());
    8890. 

  8890.             method->side = WOLFSSL_SERVER_END;
    8891. 

  8891.         }
    8892. 

  8892.         return method;
    8893. 

  8893.     }
    8894. 

  8894.     #endif /* WOLFSSL_ALLOW_TLSV10 */
    8895. 

  8895. 

  8896.     WOLFSSL_METHOD* wolfTLSv1_1_server_method(void)
    8897. 

  8897.     {
    8898. 

  8898.         return wolfTLSv1_1_server_method_ex(NULL);
    8899. 

  8899.     }
    8900. 

  8900. 

  8901.     WOLFSSL_METHOD* wolfTLSv1_1_server_method_ex(void* heap)
    8902. 

  8902.     {
    8903. 

  8903.         WOLFSSL_METHOD* method =
    8904. 

  8904.                               (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
    8905. 

  8905.                                                      heap, DYNAMIC_TYPE_METHOD);
    8906. 

  8906.         if (method) {
    8907. 

  8907.             InitSSL_Method(method, MakeTLSv1_1());
    8908. 

  8908.             method->side = WOLFSSL_SERVER_END;
    8909. 

  8909.         }
    8910. 

  8910.         return method;
    8911. 

  8911.     }
    8912. 

  8912. #endif /* !NO_OLD_TLS */
    8913. 

  8913. 

  8914. 

  8915.     WOLFSSL_METHOD* wolfTLSv1_2_server_method(void)
    8916. 

  8916.     {
    8917. 

  8917.         return wolfTLSv1_2_server_method_ex(NULL);
    8918. 

  8918.     }
    8919. 

  8919. 

  8920.     WOLFSSL_METHOD* wolfTLSv1_2_server_method_ex(void* heap)
    8921. 

  8921.     {
    8922. 

  8922.         WOLFSSL_METHOD* method =
    8923. 

  8923.                               (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
    8924. 

  8924.                                                      heap, DYNAMIC_TYPE_METHOD);
    8925. 

  8925.         (void)heap;
    8926. 

  8926.         if (method) {
    8927. 

  8927.             InitSSL_Method(method, MakeTLSv1_2());
    8928. 

  8928.             method->side = WOLFSSL_SERVER_END;
    8929. 

  8929.         }
    8930. 

  8930.         return method;
    8931. 

  8931.     }
    8932. 

  8932. 

  8933. #ifdef WOLFSSL_TLS13
    8934. 

  8934.     /* The TLS v1.3 server method data.
    8935. 

  8935.      *
    8936. 

  8936.      * returns the method data for a TLS v1.3 server.
    8937. 

  8937.      */
    8938. 

  8938.     WOLFSSL_METHOD* wolfTLSv1_3_server_method(void)
    8939. 

  8939.     {
    8940. 

  8940.         return wolfTLSv1_3_server_method_ex(NULL);
    8941. 

  8941.     }
    8942. 

  8942. 

  8943.     /* The TLS v1.3 server method data.
    8944. 

  8944.      *
    8945. 

  8945.      * heap  The heap used for allocation.
    8946. 

  8946.      * returns the method data for a TLS v1.3 server.
    8947. 

  8947.      */
    8948. 

  8948.     WOLFSSL_METHOD* wolfTLSv1_3_server_method_ex(void* heap)
    8949. 

  8949.     {
    8950. 

  8950.         WOLFSSL_METHOD* method =
    8951. 

  8951.                               (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
    8952. 

  8952.                                                      heap, DYNAMIC_TYPE_METHOD);
    8953. 

  8953.         (void)heap;
    8954. 

  8954.         if (method) {
    8955. 

  8955.             InitSSL_Method(method, MakeTLSv1_3());
    8956. 

  8956.             method->side = WOLFSSL_SERVER_END;
    8957. 

  8957.         }
    8958. 

  8958.         return method;
    8959. 

  8959.     }
    8960. 

  8960. #endif /* WOLFSSL_TLS13 */
    8961. 

  8961. 

  8962.     WOLFSSL_METHOD* wolfSSLv23_server_method(void)
    8963. 

  8963.     {
    8964. 

  8964.         return wolfSSLv23_server_method_ex(NULL);
    8965. 

  8965.     }
    8966. 

  8966. 

  8967.     WOLFSSL_METHOD* wolfSSLv23_server_method_ex(void* heap)
    8968. 

  8968.     {
    8969. 

  8969.         WOLFSSL_METHOD* method =
    8970. 

  8970.                               (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
    8971. 

  8971.                                                      heap, DYNAMIC_TYPE_METHOD);
    8972. 

  8972.         (void)heap;
    8973. 

  8973.         if (method) {
    8974. 

  8974. #if !defined(NO_SHA256) || defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512)
    8975. 

  8975. #ifdef WOLFSSL_TLS13
    8976. 

  8976.             InitSSL_Method(method, MakeTLSv1_3());
    8977. 

  8977. #else
    8978. 

  8978.             InitSSL_Method(method, MakeTLSv1_2());
    8979. 

  8979. #endif
    8980. 

  8980. #else
    8981. 

  8981.     #ifndef NO_OLD_TLS
    8982. 

  8982.             InitSSL_Method(method, MakeTLSv1_1());
    8983. 

  8983.     #else
    8984. 

  8984.             #error Must have SHA256, SHA384 or SHA512 enabled for TLS 1.2
    8985. 

  8985.     #endif
    8986. 

  8986. #endif
    8987. 

  8987. #ifndef NO_OLD_TLS
    8988. 

  8988.             method->downgrade = 1;
    8989. 

  8989. #endif
    8990. 

  8990.             method->side      = WOLFSSL_SERVER_END;
    8991. 

  8991.         }
    8992. 

  8992.         return method;
    8993. 

  8993.     }
    8994. 

  8994. 

  8995. 

  8996. #endif /* NO_WOLFSSL_SERVER */
    8997. 

  8997. #endif /* NO_TLS */
    8998. 

  8998. #endif /* WOLFCRYPT_ONLY */
    8999.