1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279428042814282428342844285428642874288428942904291429242934294429542964297429842994300430143024303430443054306430743084309431043114312431343144315431643174318431943204321432243234324432543264327432843294330433143324333433443354336433743384339434043414342434343444345434643474348434943504351435243534354435543564357435843594360436143624363436443654366436743684369437043714372437343744375437643774378437943804381438243834384438543864387438843894390439143924393439443954396439743984399440044014402440344044405440644074408440944104411441244134414441544164417441844194420442144224423442444254426442744284429443044314432443344344435443644374438443944404441444244434444444544464447444844494450445144524453445444554456445744584459446044614462446344644465446644674468446944704471447244734474447544764477447844794480448144824483448444854486448744884489449044914492449344944495449644974498449945004501450245034504450545064507450845094510451145124513451445154516451745184519452045214522452345244525452645274528452945304531453245334534453545364537453845394540454145424543454445454546454745484549455045514552455345544555455645574558455945604561456245634564456545664567456845694570457145724573457445754576457745784579458045814582458345844585458645874588458945904591459245934594459545964597459845994600460146024603460446054606460746084609461046114612461346144615461646174618461946204621462246234624462546264627462846294630463146324633463446354636463746384639464046414642464346444645464646474648464946504651465246534654465546564657465846594660466146624663466446654666466746684669467046714672467346744675467646774678467946804681468246834684468546864687468846894690469146924693469446954696469746984699470047014702470347044705470647074708470947104711471247134714471547164717471847194720472147224723472447254726472747284729473047314732473347344735473647374738473947404741474247434744474547464747474847494750475147524753475447554756475747584759476047614762476347644765476647674768476947704771477247734774477547764777477847794780478147824783478447854786478747884789479047914792479347944795479647974798479948004801480248034804480548064807480848094810481148124813481448154816481748184819482048214822482348244825482648274828482948304831483248334834483548364837483848394840484148424843484448454846484748484849485048514852485348544855485648574858485948604861486248634864486548664867486848694870487148724873487448754876487748784879488048814882488348844885488648874888488948904891489248934894489548964897489848994900490149024903490449054906490749084909491049114912491349144915491649174918491949204921492249234924492549264927492849294930493149324933493449354936493749384939494049414942494349444945494649474948494949504951495249534954495549564957495849594960496149624963496449654966496749684969497049714972497349744975497649774978497949804981498249834984498549864987498849894990499149924993499449954996499749984999500050015002500350045005500650075008500950105011501250135014501550165017501850195020502150225023502450255026502750285029503050315032503350345035503650375038503950405041504250435044504550465047504850495050505150525053505450555056505750585059506050615062506350645065506650675068506950705071507250735074507550765077507850795080508150825083508450855086508750885089509050915092509350945095509650975098509951005101510251035104510551065107510851095110511151125113511451155116511751185119512051215122512351245125512651275128512951305131513251335134513551365137513851395140514151425143514451455146514751485149515051515152515351545155515651575158515951605161516251635164516551665167516851695170517151725173517451755176517751785179518051815182518351845185518651875188518951905191519251935194519551965197519851995200520152025203520452055206520752085209521052115212521352145215521652175218521952205221522252235224522552265227522852295230523152325233523452355236523752385239524052415242524352445245524652475248524952505251525252535254525552565257525852595260526152625263526452655266526752685269527052715272527352745275527652775278527952805281528252835284528552865287528852895290529152925293529452955296529752985299530053015302530353045305530653075308530953105311531253135314531553165317531853195320532153225323532453255326532753285329533053315332533353345335533653375338533953405341534253435344534553465347534853495350535153525353535453555356535753585359536053615362536353645365536653675368536953705371537253735374537553765377537853795380538153825383538453855386538753885389539053915392539353945395539653975398539954005401540254035404540554065407540854095410541154125413541454155416541754185419542054215422542354245425542654275428542954305431543254335434543554365437543854395440544154425443544454455446544754485449545054515452545354545455545654575458545954605461546254635464546554665467546854695470547154725473547454755476547754785479548054815482548354845485548654875488548954905491549254935494549554965497549854995500550155025503550455055506550755085509551055115512551355145515551655175518551955205521552255235524552555265527552855295530553155325533553455355536553755385539554055415542554355445545554655475548554955505551555255535554555555565557555855595560556155625563556455655566556755685569557055715572557355745575557655775578557955805581558255835584558555865587558855895590559155925593559455955596559755985599560056015602560356045605560656075608560956105611561256135614561556165617561856195620562156225623562456255626562756285629563056315632563356345635563656375638563956405641564256435644564556465647564856495650565156525653565456555656565756585659566056615662566356645665566656675668566956705671567256735674567556765677567856795680568156825683568456855686568756885689569056915692569356945695569656975698569957005701570257035704570557065707570857095710571157125713571457155716571757185719572057215722572357245725572657275728572957305731573257335734573557365737573857395740574157425743574457455746574757485749575057515752575357545755575657575758575957605761576257635764576557665767576857695770577157725773577457755776577757785779578057815782578357845785578657875788578957905791579257935794579557965797579857995800580158025803580458055806580758085809581058115812581358145815581658175818581958205821582258235824582558265827582858295830583158325833583458355836583758385839584058415842584358445845584658475848584958505851585258535854585558565857585858595860586158625863586458655866586758685869587058715872587358745875587658775878587958805881588258835884588558865887588858895890589158925893589458955896589758985899590059015902590359045905590659075908590959105911591259135914591559165917591859195920592159225923592459255926592759285929593059315932593359345935593659375938593959405941594259435944594559465947594859495950595159525953595459555956595759585959596059615962596359645965596659675968596959705971597259735974597559765977597859795980598159825983598459855986598759885989599059915992599359945995599659975998599960006001600260036004600560066007600860096010601160126013601460156016601760186019602060216022602360246025602660276028602960306031603260336034603560366037603860396040604160426043604460456046604760486049605060516052605360546055605660576058605960606061606260636064606560666067606860696070607160726073607460756076607760786079608060816082608360846085608660876088608960906091609260936094609560966097609860996100610161026103610461056106610761086109611061116112611361146115611661176118611961206121612261236124612561266127612861296130613161326133613461356136613761386139614061416142614361446145614661476148614961506151615261536154615561566157615861596160616161626163616461656166616761686169617061716172617361746175617661776178617961806181618261836184618561866187618861896190619161926193619461956196619761986199620062016202620362046205620662076208620962106211621262136214621562166217621862196220622162226223622462256226622762286229623062316232623362346235623662376238623962406241624262436244624562466247624862496250625162526253625462556256625762586259626062616262626362646265626662676268626962706271627262736274627562766277627862796280628162826283628462856286628762886289629062916292629362946295629662976298629963006301630263036304630563066307630863096310631163126313631463156316631763186319632063216322632363246325632663276328632963306331633263336334633563366337633863396340634163426343634463456346634763486349635063516352635363546355635663576358635963606361636263636364636563666367636863696370637163726373637463756376637763786379638063816382638363846385638663876388638963906391639263936394639563966397639863996400640164026403640464056406640764086409641064116412641364146415641664176418641964206421642264236424642564266427642864296430643164326433643464356436643764386439644064416442644364446445644664476448644964506451645264536454645564566457645864596460646164626463646464656466646764686469647064716472647364746475647664776478647964806481648264836484648564866487648864896490649164926493649464956496649764986499650065016502650365046505650665076508650965106511651265136514651565166517651865196520652165226523652465256526652765286529653065316532653365346535653665376538653965406541654265436544654565466547654865496550655165526553655465556556655765586559656065616562656365646565656665676568656965706571657265736574657565766577657865796580658165826583658465856586658765886589659065916592659365946595659665976598659966006601660266036604660566066607660866096610661166126613661466156616661766186619662066216622662366246625662666276628662966306631663266336634663566366637663866396640664166426643664466456646664766486649665066516652665366546655665666576658665966606661666266636664666566666667666866696670667166726673667466756676667766786679668066816682668366846685668666876688668966906691669266936694669566966697669866996700670167026703670467056706670767086709671067116712671367146715671667176718671967206721672267236724672567266727672867296730673167326733673467356736673767386739674067416742674367446745674667476748674967506751675267536754675567566757675867596760676167626763676467656766676767686769677067716772677367746775677667776778677967806781678267836784678567866787678867896790679167926793679467956796679767986799680068016802680368046805680668076808680968106811681268136814681568166817681868196820682168226823682468256826682768286829683068316832683368346835683668376838683968406841684268436844684568466847684868496850685168526853685468556856685768586859686068616862686368646865686668676868686968706871687268736874687568766877687868796880688168826883688468856886688768886889689068916892689368946895689668976898689969006901690269036904690569066907690869096910691169126913691469156916691769186919692069216922692369246925692669276928692969306931693269336934693569366937693869396940694169426943694469456946694769486949695069516952695369546955695669576958695969606961696269636964696569666967696869696970697169726973697469756976697769786979698069816982698369846985698669876988698969906991699269936994699569966997699869997000700170027003700470057006700770087009701070117012701370147015701670177018701970207021702270237024702570267027702870297030703170327033703470357036703770387039704070417042704370447045704670477048704970507051705270537054705570567057705870597060706170627063706470657066706770687069707070717072707370747075707670777078707970807081708270837084708570867087708870897090709170927093709470957096709770987099710071017102710371047105710671077108710971107111711271137114711571167117711871197120712171227123712471257126712771287129713071317132713371347135713671377138713971407141714271437144714571467147714871497150715171527153715471557156715771587159716071617162716371647165716671677168716971707171717271737174717571767177717871797180718171827183718471857186718771887189719071917192719371947195719671977198719972007201720272037204720572067207720872097210721172127213721472157216721772187219722072217222722372247225722672277228722972307231723272337234723572367237723872397240724172427243724472457246724772487249725072517252725372547255725672577258725972607261726272637264726572667267726872697270727172727273727472757276727772787279728072817282728372847285728672877288728972907291729272937294729572967297729872997300730173027303730473057306730773087309731073117312731373147315731673177318731973207321732273237324732573267327732873297330733173327333733473357336733773387339734073417342734373447345734673477348734973507351735273537354735573567357735873597360736173627363736473657366736773687369737073717372737373747375737673777378737973807381738273837384738573867387738873897390739173927393739473957396739773987399740074017402740374047405740674077408740974107411741274137414741574167417741874197420742174227423742474257426742774287429743074317432743374347435743674377438743974407441744274437444744574467447744874497450745174527453745474557456745774587459746074617462746374647465746674677468746974707471747274737474747574767477747874797480748174827483748474857486748774887489749074917492749374947495749674977498749975007501750275037504750575067507750875097510751175127513751475157516751775187519752075217522752375247525752675277528752975307531753275337534753575367537753875397540754175427543754475457546754775487549755075517552755375547555755675577558755975607561756275637564756575667567756875697570757175727573757475757576757775787579758075817582758375847585758675877588758975907591759275937594759575967597759875997600760176027603760476057606760776087609761076117612761376147615761676177618761976207621762276237624762576267627762876297630763176327633763476357636763776387639764076417642764376447645764676477648764976507651765276537654765576567657765876597660766176627663766476657666766776687669767076717672767376747675767676777678767976807681768276837684768576867687768876897690769176927693769476957696769776987699770077017702770377047705770677077708770977107711771277137714771577167717771877197720772177227723772477257726772777287729773077317732773377347735773677377738773977407741774277437744774577467747774877497750775177527753775477557756775777587759776077617762776377647765776677677768776977707771777277737774777577767777777877797780778177827783778477857786778777887789779077917792779377947795779677977798779978007801780278037804780578067807780878097810781178127813781478157816781778187819782078217822782378247825782678277828782978307831783278337834783578367837783878397840784178427843784478457846784778487849785078517852785378547855785678577858785978607861786278637864786578667867786878697870787178727873787478757876787778787879788078817882788378847885788678877888788978907891789278937894789578967897789878997900790179027903790479057906790779087909791079117912791379147915791679177918791979207921792279237924792579267927792879297930793179327933793479357936793779387939794079417942794379447945794679477948794979507951795279537954795579567957795879597960796179627963796479657966796779687969797079717972797379747975797679777978797979807981798279837984798579867987798879897990799179927993799479957996799779987999800080018002800380048005800680078008800980108011801280138014801580168017801880198020802180228023802480258026802780288029803080318032803380348035803680378038803980408041804280438044804580468047804880498050805180528053805480558056805780588059806080618062806380648065806680678068806980708071807280738074807580768077807880798080808180828083808480858086808780888089809080918092809380948095809680978098809981008101810281038104810581068107810881098110811181128113811481158116811781188119812081218122812381248125812681278128812981308131813281338134813581368137813881398140814181428143814481458146814781488149815081518152815381548155815681578158815981608161816281638164816581668167816881698170817181728173817481758176817781788179818081818182818381848185818681878188818981908191819281938194819581968197819881998200820182028203820482058206820782088209821082118212821382148215821682178218821982208221822282238224822582268227822882298230823182328233823482358236823782388239824082418242824382448245824682478248824982508251825282538254825582568257825882598260826182628263826482658266826782688269827082718272827382748275827682778278827982808281828282838284828582868287828882898290829182928293829482958296829782988299830083018302830383048305830683078308830983108311831283138314831583168317831883198320832183228323832483258326832783288329833083318332833383348335833683378338833983408341834283438344834583468347834883498350835183528353835483558356835783588359836083618362836383648365836683678368836983708371837283738374837583768377837883798380838183828383838483858386838783888389839083918392839383948395839683978398839984008401840284038404840584068407840884098410841184128413841484158416841784188419842084218422842384248425842684278428842984308431843284338434843584368437843884398440844184428443844484458446844784488449845084518452845384548455845684578458845984608461846284638464846584668467846884698470847184728473847484758476847784788479848084818482848384848485848684878488848984908491849284938494849584968497849884998500850185028503850485058506850785088509851085118512851385148515851685178518851985208521852285238524852585268527852885298530853185328533853485358536853785388539854085418542854385448545854685478548854985508551855285538554855585568557855885598560856185628563856485658566856785688569857085718572857385748575857685778578857985808581858285838584858585868587858885898590859185928593859485958596859785988599860086018602860386048605860686078608860986108611861286138614861586168617861886198620862186228623862486258626862786288629863086318632863386348635863686378638863986408641864286438644864586468647864886498650865186528653865486558656865786588659866086618662866386648665866686678668866986708671867286738674867586768677867886798680868186828683868486858686868786888689869086918692869386948695869686978698869987008701870287038704870587068707870887098710871187128713871487158716871787188719872087218722872387248725872687278728872987308731873287338734873587368737873887398740874187428743874487458746874787488749875087518752875387548755875687578758875987608761876287638764876587668767876887698770877187728773877487758776877787788779878087818782878387848785878687878788878987908791879287938794879587968797879887998800880188028803880488058806880788088809881088118812881388148815881688178818881988208821882288238824882588268827882888298830883188328833883488358836883788388839884088418842884388448845884688478848884988508851885288538854885588568857885888598860886188628863886488658866886788688869887088718872887388748875887688778878887988808881888288838884888588868887888888898890889188928893889488958896889788988899890089018902890389048905890689078908890989108911891289138914891589168917891889198920892189228923892489258926892789288929893089318932893389348935893689378938893989408941894289438944894589468947894889498950895189528953895489558956895789588959896089618962896389648965896689678968896989708971897289738974897589768977897889798980898189828983898489858986898789888989899089918992899389948995899689978998899990009001900290039004900590069007900890099010901190129013901490159016901790189019902090219022902390249025902690279028902990309031903290339034903590369037903890399040904190429043904490459046904790489049905090519052905390549055905690579058905990609061906290639064906590669067906890699070907190729073907490759076907790789079908090819082908390849085908690879088908990909091909290939094909590969097909890999100910191029103910491059106910791089109911091119112911391149115911691179118911991209121912291239124912591269127912891299130913191329133913491359136913791389139914091419142914391449145914691479148914991509151915291539154915591569157915891599160916191629163916491659166916791689169917091719172917391749175917691779178917991809181918291839184918591869187918891899190919191929193919491959196919791989199920092019202920392049205920692079208920992109211921292139214921592169217921892199220922192229223922492259226922792289229923092319232923392349235923692379238923992409241924292439244924592469247924892499250925192529253925492559256925792589259926092619262926392649265926692679268926992709271927292739274927592769277927892799280928192829283928492859286928792889289929092919292929392949295929692979298929993009301930293039304930593069307930893099310931193129313931493159316931793189319932093219322932393249325932693279328932993309331933293339334933593369337933893399340934193429343934493459346934793489349935093519352935393549355935693579358935993609361936293639364936593669367936893699370937193729373937493759376937793789379938093819382938393849385938693879388938993909391939293939394939593969397939893999400940194029403940494059406940794089409941094119412941394149415941694179418941994209421942294239424942594269427942894299430943194329433943494359436943794389439944094419442944394449445944694479448944994509451945294539454945594569457945894599460946194629463946494659466946794689469947094719472947394749475947694779478947994809481948294839484948594869487948894899490949194929493949494959496949794989499950095019502950395049505950695079508950995109511951295139514951595169517951895199520952195229523952495259526952795289529953095319532953395349535953695379538953995409541954295439544954595469547954895499550955195529553955495559556955795589559956095619562956395649565956695679568956995709571957295739574957595769577957895799580958195829583958495859586958795889589959095919592959395949595959695979598959996009601960296039604960596069607960896099610961196129613961496159616961796189619962096219622962396249625962696279628962996309631963296339634963596369637963896399640964196429643964496459646964796489649965096519652965396549655965696579658965996609661966296639664966596669667966896699670967196729673967496759676967796789679968096819682968396849685968696879688968996909691969296939694969596969697969896999700970197029703970497059706970797089709971097119712971397149715971697179718971997209721972297239724972597269727972897299730973197329733973497359736973797389739974097419742974397449745974697479748974997509751975297539754975597569757975897599760976197629763976497659766976797689769977097719772977397749775977697779778977997809781978297839784978597869787978897899790979197929793979497959796979797989799980098019802980398049805980698079808980998109811981298139814981598169817981898199820982198229823982498259826982798289829983098319832983398349835983698379838983998409841984298439844984598469847984898499850985198529853985498559856985798589859986098619862986398649865986698679868986998709871987298739874987598769877987898799880988198829883988498859886988798889889989098919892989398949895989698979898989999009901990299039904990599069907990899099910991199129913991499159916991799189919992099219922992399249925992699279928992999309931993299339934993599369937993899399940994199429943994499459946994799489949995099519952995399549955995699579958995999609961996299639964996599669967996899699970997199729973997499759976997799789979998099819982998399849985998699879988998999909991999299939994999599969997999899991000010001100021000310004100051000610007100081000910010100111001210013100141001510016100171001810019100201002110022100231002410025100261002710028100291003010031100321003310034100351003610037100381003910040100411004210043100441004510046100471004810049100501005110052100531005410055100561005710058100591006010061100621006310064100651006610067100681006910070100711007210073100741007510076100771007810079100801008110082100831008410085100861008710088100891009010091100921009310094100951009610097100981009910100101011010210103101041010510106101071010810109101101011110112101131011410115101161011710118101191012010121101221012310124101251012610127101281012910130101311013210133101341013510136101371013810139101401014110142101431014410145101461014710148101491015010151101521015310154101551015610157101581015910160101611016210163101641016510166101671016810169101701017110172101731017410175101761017710178101791018010181101821018310184101851018610187101881018910190101911019210193101941019510196101971019810199102001020110202102031020410205102061020710208102091021010211102121021310214102151021610217102181021910220102211022210223102241022510226102271022810229102301023110232102331023410235102361023710238102391024010241102421024310244102451024610247102481024910250102511025210253102541025510256102571025810259102601026110262102631026410265102661026710268102691027010271102721027310274102751027610277102781027910280102811028210283102841028510286102871028810289102901029110292102931029410295102961029710298102991030010301103021030310304103051030610307103081030910310103111031210313103141031510316103171031810319103201032110322103231032410325103261032710328103291033010331103321033310334103351033610337103381033910340103411034210343103441034510346103471034810349103501035110352103531035410355103561035710358103591036010361103621036310364103651036610367103681036910370103711037210373103741037510376103771037810379103801038110382103831038410385103861038710388103891039010391103921039310394103951039610397103981039910400104011040210403104041040510406104071040810409104101041110412104131041410415104161041710418104191042010421104221042310424104251042610427104281042910430104311043210433104341043510436104371043810439104401044110442104431044410445104461044710448104491045010451104521045310454104551045610457104581045910460104611046210463104641046510466104671046810469104701047110472104731047410475104761047710478104791048010481104821048310484104851048610487104881048910490104911049210493104941049510496104971049810499105001050110502105031050410505105061050710508105091051010511105121051310514105151051610517105181051910520105211052210523105241052510526105271052810529105301053110532105331053410535105361053710538105391054010541105421054310544105451054610547105481054910550105511055210553105541055510556105571055810559105601056110562105631056410565105661056710568105691057010571105721057310574105751057610577105781057910580105811058210583105841058510586105871058810589105901059110592105931059410595105961059710598105991060010601106021060310604106051060610607106081060910610106111061210613106141061510616106171061810619106201062110622106231062410625106261062710628106291063010631106321063310634106351063610637106381063910640106411064210643106441064510646106471064810649106501065110652106531065410655106561065710658106591066010661106621066310664106651066610667106681066910670106711067210673106741067510676106771067810679106801068110682106831068410685106861068710688106891069010691106921069310694106951069610697106981069910700107011070210703107041070510706107071070810709107101071110712107131071410715107161071710718107191072010721107221072310724107251072610727107281072910730107311073210733107341073510736107371073810739107401074110742107431074410745107461074710748107491075010751107521075310754107551075610757107581075910760107611076210763107641076510766107671076810769107701077110772107731077410775107761077710778107791078010781107821078310784107851078610787107881078910790107911079210793107941079510796107971079810799108001080110802108031080410805108061080710808108091081010811108121081310814108151081610817108181081910820108211082210823108241082510826108271082810829108301083110832108331083410835108361083710838108391084010841108421084310844108451084610847108481084910850108511085210853108541085510856108571085810859108601086110862108631086410865108661086710868108691087010871108721087310874108751087610877108781087910880108811088210883108841088510886108871088810889108901089110892108931089410895108961089710898108991090010901109021090310904109051090610907109081090910910109111091210913109141091510916109171091810919109201092110922109231092410925109261092710928109291093010931109321093310934109351093610937109381093910940109411094210943109441094510946109471094810949109501095110952109531095410955109561095710958109591096010961109621096310964109651096610967109681096910970109711097210973109741097510976109771097810979109801098110982109831098410985109861098710988109891099010991109921099310994109951099610997109981099911000110011100211003110041100511006110071100811009110101101111012110131101411015110161101711018110191102011021110221102311024110251102611027110281102911030110311103211033110341103511036110371103811039110401104111042110431104411045110461104711048110491105011051110521105311054110551105611057110581105911060110611106211063110641106511066110671106811069110701107111072110731107411075110761107711078110791108011081110821108311084110851108611087110881108911090110911109211093110941109511096110971109811099111001110111102111031110411105111061110711108111091111011111111121111311114111151111611117111181111911120111211112211123111241112511126111271112811129111301113111132111331113411135111361113711138111391114011141111421114311144111451114611147111481114911150111511115211153111541115511156111571115811159111601116111162111631116411165111661116711168111691117011171111721117311174111751117611177111781117911180111811118211183111841118511186111871118811189111901119111192111931119411195111961119711198111991120011201112021120311204112051120611207112081120911210112111121211213112141121511216112171121811219112201122111222112231122411225112261122711228112291123011231112321123311234112351123611237112381123911240112411124211243112441124511246112471124811249112501125111252112531125411255112561125711258112591126011261112621126311264112651126611267112681126911270112711127211273112741127511276112771127811279112801128111282112831128411285112861128711288112891129011291112921129311294112951129611297112981129911300113011130211303113041130511306113071130811309113101131111312113131131411315113161131711318113191132011321113221132311324113251132611327113281132911330113311133211333113341133511336113371133811339113401134111342113431134411345113461134711348113491135011351113521135311354113551135611357113581135911360113611136211363113641136511366113671136811369113701137111372113731137411375113761137711378113791138011381113821138311384113851138611387113881138911390113911139211393113941139511396113971139811399114001140111402114031140411405114061140711408114091141011411114121141311414114151141611417114181141911420114211142211423114241142511426114271142811429114301143111432114331143411435114361143711438114391144011441114421144311444114451144611447114481144911450114511145211453114541145511456114571145811459114601146111462114631146411465114661146711468114691147011471114721147311474114751147611477114781147911480114811148211483114841148511486114871148811489114901149111492114931149411495114961149711498114991150011501115021150311504115051150611507115081150911510115111151211513115141151511516115171151811519115201152111522115231152411525115261152711528115291153011531115321153311534115351153611537115381153911540115411154211543115441154511546115471154811549115501155111552115531155411555115561155711558115591156011561115621156311564115651156611567115681156911570115711157211573115741157511576115771157811579115801158111582115831158411585115861158711588115891159011591115921159311594115951159611597115981159911600116011160211603116041160511606116071160811609116101161111612116131161411615116161161711618116191162011621116221162311624116251162611627116281162911630116311163211633116341163511636116371163811639116401164111642116431164411645116461164711648116491165011651116521165311654116551165611657116581165911660116611166211663116641166511666116671166811669116701167111672116731167411675116761167711678116791168011681116821168311684116851168611687116881168911690116911169211693116941169511696116971169811699117001170111702117031170411705117061170711708117091171011711117121171311714117151171611717117181171911720117211172211723117241172511726117271172811729117301173111732117331173411735117361173711738117391174011741117421174311744117451174611747117481174911750117511175211753117541175511756117571175811759117601176111762117631176411765117661176711768117691177011771117721177311774117751177611777117781177911780117811178211783117841178511786117871178811789117901179111792117931179411795117961179711798117991180011801118021180311804118051180611807118081180911810118111181211813118141181511816118171181811819118201182111822118231182411825118261182711828118291183011831118321183311834118351183611837118381183911840118411184211843118441184511846118471184811849118501185111852118531185411855118561185711858118591186011861118621186311864118651186611867118681186911870118711187211873118741187511876118771187811879118801188111882118831188411885118861188711888118891189011891118921189311894118951189611897118981189911900119011190211903119041190511906119071190811909119101191111912119131191411915119161191711918119191192011921119221192311924119251192611927119281192911930119311193211933119341193511936119371193811939119401194111942119431194411945119461194711948119491195011951119521195311954119551195611957119581195911960119611196211963119641196511966119671196811969119701197111972119731197411975119761197711978119791198011981119821198311984119851198611987119881198911990119911199211993119941199511996119971199811999120001200112002120031200412005120061200712008120091201012011120121201312014120151201612017120181201912020120211202212023120241202512026120271202812029120301203112032120331203412035120361203712038120391204012041120421204312044120451204612047120481204912050120511205212053120541205512056120571205812059120601206112062120631206412065120661206712068120691207012071120721207312074120751207612077120781207912080120811208212083120841208512086120871208812089120901209112092120931209412095120961209712098120991210012101121021210312104121051210612107121081210912110121111211212113121141211512116121171211812119121201212112122121231212412125121261212712128121291213012131121321213312134121351213612137121381213912140121411214212143121441214512146121471214812149121501215112152121531215412155121561215712158121591216012161121621216312164121651216612167121681216912170121711217212173121741217512176121771217812179121801218112182121831218412185121861218712188121891219012191121921219312194121951219612197121981219912200122011220212203122041220512206122071220812209122101221112212122131221412215122161221712218122191222012221122221222312224122251222612227122281222912230122311223212233122341223512236122371223812239122401224112242122431224412245122461224712248122491225012251122521225312254122551225612257122581225912260122611226212263122641226512266122671226812269122701227112272122731227412275122761227712278122791228012281122821228312284122851228612287122881228912290122911229212293122941229512296122971229812299123001230112302123031230412305123061230712308123091231012311123121231312314123151231612317123181231912320123211232212323123241232512326123271232812329123301233112332123331233412335123361233712338123391234012341123421234312344123451234612347123481234912350123511235212353123541235512356123571235812359123601236112362123631236412365123661236712368123691237012371123721237312374123751237612377123781237912380123811238212383123841238512386123871238812389123901239112392123931239412395123961239712398123991240012401124021240312404124051240612407124081240912410124111241212413124141241512416124171241812419124201242112422124231242412425124261242712428124291243012431124321243312434124351243612437124381243912440124411244212443124441244512446124471244812449124501245112452124531245412455124561245712458124591246012461124621246312464124651246612467124681246912470124711247212473124741247512476124771247812479124801248112482124831248412485124861248712488124891249012491124921249312494124951249612497124981249912500125011250212503125041250512506125071250812509125101251112512125131251412515125161251712518125191252012521125221252312524125251252612527125281252912530125311253212533125341253512536125371253812539125401254112542125431254412545125461254712548125491255012551125521255312554125551255612557125581255912560125611256212563125641256512566125671256812569125701257112572125731257412575125761257712578125791258012581125821258312584125851258612587125881258912590125911259212593125941259512596125971259812599126001260112602126031260412605126061260712608126091261012611126121261312614126151261612617126181261912620126211262212623126241262512626126271262812629126301263112632126331263412635126361263712638126391264012641126421264312644126451264612647126481264912650126511265212653126541265512656126571265812659126601266112662126631266412665126661266712668126691267012671126721267312674126751267612677126781267912680126811268212683126841268512686126871268812689126901269112692126931269412695126961269712698126991270012701127021270312704127051270612707127081270912710127111271212713127141271512716127171271812719127201272112722127231272412725127261272712728127291273012731127321273312734127351273612737127381273912740127411274212743127441274512746127471274812749127501275112752127531275412755127561275712758127591276012761127621276312764127651276612767127681276912770127711277212773127741277512776127771277812779127801278112782127831278412785127861278712788127891279012791127921279312794127951279612797127981279912800128011280212803128041280512806128071280812809128101281112812128131281412815128161281712818128191282012821128221282312824128251282612827128281282912830128311283212833128341283512836128371283812839128401284112842128431284412845128461284712848128491285012851128521285312854128551285612857128581285912860128611286212863128641286512866128671286812869128701287112872128731287412875128761287712878128791288012881128821288312884128851288612887128881288912890128911289212893128941289512896128971289812899129001290112902129031290412905129061290712908129091291012911129121291312914129151291612917129181291912920129211292212923129241292512926129271292812929129301293112932129331293412935129361293712938129391294012941129421294312944129451294612947129481294912950129511295212953129541295512956129571295812959129601296112962129631296412965129661296712968129691297012971129721297312974129751297612977129781297912980129811298212983129841298512986129871298812989129901299112992129931299412995129961299712998129991300013001130021300313004130051300613007130081300913010130111301213013130141301513016130171301813019130201302113022130231302413025130261302713028130291303013031130321303313034130351303613037130381303913040130411304213043130441304513046130471304813049130501305113052130531305413055130561305713058130591306013061130621306313064130651306613067130681306913070130711307213073130741307513076130771307813079130801308113082130831308413085130861308713088130891309013091130921309313094130951309613097130981309913100131011310213103131041310513106131071310813109131101311113112131131311413115131161311713118131191312013121131221312313124131251312613127131281312913130131311313213133131341313513136131371313813139131401314113142131431314413145131461314713148131491315013151131521315313154131551315613157131581315913160131611316213163131641316513166131671316813169131701317113172131731317413175131761317713178131791318013181131821318313184131851318613187131881318913190131911319213193131941319513196131971319813199132001320113202132031320413205132061320713208132091321013211132121321313214132151321613217132181321913220132211322213223132241322513226132271322813229132301323113232132331323413235132361323713238132391324013241132421324313244132451324613247132481324913250132511325213253132541325513256132571325813259132601326113262132631326413265132661326713268132691327013271132721327313274132751327613277132781327913280132811328213283132841328513286132871328813289132901329113292132931329413295132961329713298132991330013301133021330313304133051330613307133081330913310133111331213313133141331513316133171331813319133201332113322133231332413325133261332713328133291333013331133321333313334133351333613337133381333913340133411334213343133441334513346133471334813349133501335113352133531335413355133561335713358133591336013361133621336313364133651336613367133681336913370133711337213373133741337513376133771337813379133801338113382133831338413385133861338713388133891339013391133921339313394133951339613397133981339913400134011340213403134041340513406134071340813409134101341113412134131341413415134161341713418134191342013421134221342313424134251342613427134281342913430134311343213433134341343513436134371343813439134401344113442134431344413445134461344713448134491345013451134521345313454134551345613457134581345913460134611346213463134641346513466134671346813469134701347113472134731347413475134761347713478134791348013481134821348313484134851348613487134881348913490134911349213493134941349513496134971349813499135001350113502135031350413505135061350713508135091351013511135121351313514135151351613517135181351913520135211352213523135241352513526135271352813529135301353113532135331353413535135361353713538135391354013541135421354313544135451354613547135481354913550135511355213553135541355513556135571355813559135601356113562135631356413565135661356713568135691357013571135721357313574135751357613577135781357913580135811358213583135841358513586135871358813589135901359113592135931359413595135961359713598135991360013601136021360313604136051360613607136081360913610136111361213613136141361513616136171361813619136201362113622136231362413625136261362713628136291363013631136321363313634136351363613637136381363913640136411364213643136441364513646136471364813649136501365113652136531365413655136561365713658136591366013661136621366313664136651366613667136681366913670136711367213673136741367513676136771367813679136801368113682136831368413685136861368713688136891369013691136921369313694136951369613697136981369913700137011370213703137041370513706137071370813709137101371113712137131371413715137161371713718137191372013721137221372313724137251372613727137281372913730137311373213733137341373513736137371373813739137401374113742137431374413745137461374713748137491375013751137521375313754137551375613757137581375913760137611376213763137641376513766137671376813769137701377113772137731377413775137761377713778137791378013781137821378313784137851378613787137881378913790137911379213793137941379513796137971379813799138001380113802138031380413805138061380713808138091381013811138121381313814138151381613817138181381913820138211382213823138241382513826138271382813829138301383113832138331383413835138361383713838138391384013841138421384313844138451384613847138481384913850138511385213853138541385513856138571385813859138601386113862138631386413865138661386713868138691387013871138721387313874138751387613877138781387913880138811388213883138841388513886138871388813889138901389113892138931389413895138961389713898138991390013901139021390313904139051390613907139081390913910139111391213913139141391513916139171391813919139201392113922139231392413925139261392713928139291393013931139321393313934139351393613937139381393913940139411394213943139441394513946139471394813949139501395113952139531395413955139561395713958139591396013961139621396313964139651396613967139681396913970139711397213973139741397513976139771397813979139801398113982139831398413985139861398713988139891399013991139921399313994139951399613997139981399914000140011400214003140041400514006140071400814009140101401114012140131401414015140161401714018140191402014021140221402314024140251402614027140281402914030140311403214033140341403514036140371403814039140401404114042140431404414045140461404714048140491405014051140521405314054140551405614057140581405914060140611406214063140641406514066140671406814069140701407114072140731407414075140761407714078140791408014081140821408314084140851408614087140881408914090140911409214093140941409514096140971409814099141001410114102141031410414105141061410714108141091411014111141121411314114141151411614117141181411914120141211412214123141241412514126141271412814129141301413114132141331413414135141361413714138141391414014141141421414314144141451414614147141481414914150141511415214153141541415514156141571415814159141601416114162141631416414165141661416714168141691417014171141721417314174141751417614177141781417914180141811418214183141841418514186141871418814189141901419114192141931419414195141961419714198141991420014201142021420314204142051420614207142081420914210142111421214213142141421514216142171421814219142201422114222142231422414225142261422714228142291423014231142321423314234142351423614237142381423914240142411424214243142441424514246142471424814249142501425114252142531425414255142561425714258142591426014261142621426314264142651426614267142681426914270142711427214273142741427514276142771427814279142801428114282142831428414285142861428714288142891429014291142921429314294142951429614297142981429914300143011430214303143041430514306143071430814309143101431114312143131431414315143161431714318143191432014321143221432314324143251432614327143281432914330143311433214333143341433514336143371433814339143401434114342143431434414345143461434714348143491435014351143521435314354143551435614357143581435914360143611436214363143641436514366143671436814369143701437114372143731437414375143761437714378143791438014381143821438314384143851438614387143881438914390143911439214393143941439514396143971439814399144001440114402144031440414405144061440714408144091441014411144121441314414144151441614417144181441914420144211442214423144241442514426144271442814429144301443114432144331443414435144361443714438144391444014441144421444314444144451444614447144481444914450144511445214453144541445514456144571445814459144601446114462144631446414465144661446714468144691447014471144721447314474144751447614477144781447914480144811448214483144841448514486144871448814489144901449114492144931449414495144961449714498144991450014501145021450314504145051450614507145081450914510145111451214513145141451514516145171451814519145201452114522145231452414525145261452714528145291453014531145321453314534145351453614537145381453914540145411454214543145441454514546145471454814549145501455114552145531455414555145561455714558145591456014561145621456314564145651456614567145681456914570145711457214573145741457514576145771457814579145801458114582145831458414585145861458714588145891459014591145921459314594145951459614597145981459914600146011460214603146041460514606146071460814609146101461114612146131461414615146161461714618146191462014621146221462314624146251462614627146281462914630146311463214633146341463514636146371463814639146401464114642146431464414645146461464714648146491465014651146521465314654146551465614657146581465914660146611466214663146641466514666146671466814669146701467114672146731467414675146761467714678146791468014681146821468314684146851468614687146881468914690146911469214693146941469514696146971469814699147001470114702147031470414705147061470714708147091471014711147121471314714147151471614717147181471914720147211472214723147241472514726147271472814729147301473114732147331473414735147361473714738147391474014741147421474314744147451474614747147481474914750147511475214753147541475514756147571475814759147601476114762147631476414765147661476714768147691477014771147721477314774147751477614777147781477914780147811478214783147841478514786147871478814789147901479114792147931479414795147961479714798147991480014801148021480314804148051480614807148081480914810148111481214813148141481514816148171481814819148201482114822148231482414825148261482714828148291483014831148321483314834148351483614837148381483914840148411484214843148441484514846148471484814849148501485114852148531485414855148561485714858148591486014861148621486314864148651486614867148681486914870148711487214873148741487514876148771487814879148801488114882148831488414885148861488714888148891489014891148921489314894148951489614897148981489914900149011490214903149041490514906149071490814909149101491114912149131491414915149161491714918149191492014921149221492314924149251492614927149281492914930149311493214933149341493514936149371493814939149401494114942149431494414945149461494714948149491495014951149521495314954149551495614957149581495914960149611496214963149641496514966149671496814969149701497114972149731497414975149761497714978149791498014981149821498314984149851498614987149881498914990149911499214993149941499514996149971499814999150001500115002150031500415005150061500715008150091501015011150121501315014150151501615017150181501915020150211502215023150241502515026150271502815029150301503115032150331503415035150361503715038150391504015041150421504315044150451504615047150481504915050150511505215053150541505515056150571505815059150601506115062150631506415065150661506715068150691507015071150721507315074150751507615077150781507915080150811508215083150841508515086150871508815089150901509115092150931509415095150961509715098150991510015101151021510315104151051510615107151081510915110151111511215113151141511515116151171511815119151201512115122151231512415125151261512715128151291513015131151321513315134151351513615137151381513915140151411514215143151441514515146151471514815149151501515115152151531515415155151561515715158151591516015161151621516315164151651516615167151681516915170151711517215173151741517515176151771517815179151801518115182151831518415185151861518715188151891519015191151921519315194151951519615197151981519915200152011520215203152041520515206152071520815209152101521115212152131521415215152161521715218152191522015221152221522315224152251522615227152281522915230152311523215233152341523515236152371523815239152401524115242152431524415245152461524715248152491525015251152521525315254152551525615257152581525915260152611526215263152641526515266152671526815269152701527115272152731527415275152761527715278152791528015281152821528315284152851528615287152881528915290152911529215293152941529515296152971529815299153001530115302153031530415305153061530715308153091531015311153121531315314153151531615317153181531915320153211532215323153241532515326153271532815329153301533115332153331533415335153361533715338153391534015341153421534315344153451534615347153481534915350153511535215353153541535515356153571535815359153601536115362153631536415365153661536715368153691537015371153721537315374153751537615377153781537915380153811538215383153841538515386153871538815389153901539115392153931539415395153961539715398153991540015401154021540315404154051540615407154081540915410154111541215413154141541515416154171541815419154201542115422154231542415425154261542715428154291543015431154321543315434154351543615437154381543915440154411544215443154441544515446154471544815449154501545115452154531545415455154561545715458154591546015461154621546315464154651546615467154681546915470154711547215473154741547515476154771547815479154801548115482154831548415485154861548715488154891549015491154921549315494154951549615497154981549915500155011550215503155041550515506155071550815509155101551115512155131551415515155161551715518155191552015521155221552315524155251552615527155281552915530155311553215533155341553515536155371553815539155401554115542155431554415545155461554715548155491555015551155521555315554155551555615557155581555915560155611556215563155641556515566155671556815569155701557115572155731557415575155761557715578155791558015581155821558315584155851558615587155881558915590155911559215593155941559515596155971559815599156001560115602156031560415605156061560715608156091561015611156121561315614156151561615617156181561915620156211562215623156241562515626156271562815629156301563115632156331563415635156361563715638156391564015641156421564315644156451564615647156481564915650156511565215653156541565515656156571565815659156601566115662156631566415665156661566715668156691567015671156721567315674156751567615677156781567915680156811568215683156841568515686156871568815689156901569115692156931569415695156961569715698156991570015701157021570315704157051570615707157081570915710157111571215713157141571515716157171571815719157201572115722157231572415725157261572715728157291573015731157321573315734157351573615737157381573915740157411574215743157441574515746157471574815749157501575115752157531575415755157561575715758157591576015761157621576315764157651576615767157681576915770157711577215773157741577515776157771577815779157801578115782157831578415785157861578715788157891579015791157921579315794157951579615797157981579915800158011580215803158041580515806158071580815809158101581115812158131581415815158161581715818158191582015821158221582315824158251582615827158281582915830158311583215833158341583515836158371583815839158401584115842158431584415845158461584715848158491585015851158521585315854158551585615857158581585915860158611586215863158641586515866158671586815869158701587115872158731587415875158761587715878158791588015881158821588315884158851588615887158881588915890158911589215893158941589515896158971589815899159001590115902159031590415905159061590715908159091591015911159121591315914159151591615917159181591915920159211592215923159241592515926159271592815929159301593115932159331593415935159361593715938159391594015941159421594315944159451594615947159481594915950159511595215953159541595515956159571595815959159601596115962159631596415965159661596715968159691597015971159721597315974159751597615977159781597915980159811598215983159841598515986159871598815989159901599115992159931599415995159961599715998159991600016001160021600316004160051600616007160081600916010160111601216013160141601516016160171601816019160201602116022160231602416025160261602716028160291603016031160321603316034160351603616037160381603916040160411604216043160441604516046160471604816049160501605116052160531605416055160561605716058160591606016061160621606316064160651606616067160681606916070160711607216073160741607516076160771607816079160801608116082160831608416085160861608716088160891609016091160921609316094160951609616097160981609916100161011610216103161041610516106161071610816109161101611116112161131611416115161161611716118161191612016121161221612316124161251612616127161281612916130161311613216133161341613516136161371613816139161401614116142161431614416145161461614716148161491615016151161521615316154161551615616157161581615916160161611616216163161641616516166161671616816169161701617116172161731617416175161761617716178161791618016181161821618316184161851618616187161881618916190161911619216193161941619516196161971619816199162001620116202162031620416205162061620716208162091621016211162121621316214162151621616217162181621916220162211622216223162241622516226162271622816229162301623116232162331623416235162361623716238162391624016241162421624316244162451624616247162481624916250162511625216253162541625516256162571625816259162601626116262162631626416265162661626716268162691627016271162721627316274162751627616277162781627916280162811628216283162841628516286162871628816289162901629116292162931629416295162961629716298162991630016301163021630316304163051630616307163081630916310163111631216313163141631516316163171631816319163201632116322163231632416325163261632716328163291633016331163321633316334163351633616337163381633916340163411634216343163441634516346163471634816349163501635116352163531635416355163561635716358163591636016361163621636316364163651636616367163681636916370163711637216373163741637516376163771637816379163801638116382163831638416385163861638716388163891639016391163921639316394163951639616397163981639916400164011640216403164041640516406164071640816409164101641116412164131641416415164161641716418164191642016421164221642316424164251642616427164281642916430164311643216433164341643516436164371643816439164401644116442164431644416445164461644716448164491645016451164521645316454164551645616457164581645916460164611646216463164641646516466164671646816469164701647116472164731647416475164761647716478164791648016481164821648316484164851648616487164881648916490164911649216493164941649516496164971649816499165001650116502165031650416505165061650716508165091651016511165121651316514165151651616517165181651916520165211652216523165241652516526165271652816529165301653116532165331653416535165361653716538165391654016541165421654316544165451654616547165481654916550165511655216553165541655516556165571655816559165601656116562165631656416565165661656716568165691657016571165721657316574165751657616577165781657916580165811658216583165841658516586165871658816589165901659116592165931659416595165961659716598165991660016601166021660316604166051660616607166081660916610166111661216613166141661516616166171661816619166201662116622166231662416625166261662716628166291663016631166321663316634166351663616637166381663916640166411664216643166441664516646166471664816649166501665116652166531665416655166561665716658166591666016661166621666316664166651666616667166681666916670166711667216673166741667516676166771667816679166801668116682166831668416685166861668716688166891669016691166921669316694166951669616697166981669916700167011670216703167041670516706167071670816709167101671116712167131671416715167161671716718167191672016721167221672316724167251672616727167281672916730167311673216733167341673516736167371673816739167401674116742167431674416745167461674716748167491675016751167521675316754167551675616757167581675916760167611676216763167641676516766167671676816769167701677116772167731677416775167761677716778167791678016781167821678316784167851678616787167881678916790167911679216793167941679516796167971679816799168001680116802168031680416805168061680716808168091681016811168121681316814168151681616817168181681916820168211682216823168241682516826168271682816829168301683116832168331683416835168361683716838168391684016841168421684316844168451684616847168481684916850168511685216853168541685516856168571685816859168601686116862168631686416865168661686716868168691687016871168721687316874168751687616877168781687916880168811688216883168841688516886168871688816889168901689116892168931689416895168961689716898168991690016901169021690316904169051690616907169081690916910169111691216913169141691516916169171691816919169201692116922169231692416925169261692716928169291693016931169321693316934169351693616937169381693916940169411694216943169441694516946169471694816949169501695116952169531695416955169561695716958169591696016961169621696316964169651696616967169681696916970169711697216973169741697516976169771697816979169801698116982169831698416985169861698716988169891699016991169921699316994169951699616997169981699917000170011700217003170041700517006170071700817009170101701117012170131701417015170161701717018170191702017021170221702317024170251702617027170281702917030170311703217033170341703517036170371703817039170401704117042170431704417045170461704717048170491705017051170521705317054170551705617057170581705917060170611706217063170641706517066170671706817069170701707117072170731707417075170761707717078170791708017081170821708317084170851708617087170881708917090170911709217093170941709517096170971709817099171001710117102171031710417105171061710717108171091711017111171121711317114171151711617117171181711917120171211712217123171241712517126171271712817129171301713117132171331713417135171361713717138171391714017141171421714317144171451714617147171481714917150171511715217153171541715517156171571715817159171601716117162171631716417165171661716717168171691717017171171721717317174171751717617177171781717917180171811718217183171841718517186171871718817189171901719117192171931719417195171961719717198171991720017201172021720317204172051720617207172081720917210172111721217213172141721517216172171721817219172201722117222172231722417225172261722717228172291723017231172321723317234172351723617237172381723917240172411724217243172441724517246172471724817249172501725117252172531725417255172561725717258172591726017261172621726317264172651726617267172681726917270172711727217273172741727517276172771727817279172801728117282172831728417285172861728717288172891729017291172921729317294172951729617297172981729917300173011730217303173041730517306173071730817309173101731117312173131731417315173161731717318173191732017321173221732317324173251732617327173281732917330173311733217333173341733517336173371733817339173401734117342173431734417345173461734717348173491735017351173521735317354173551735617357173581735917360173611736217363173641736517366173671736817369173701737117372173731737417375173761737717378173791738017381173821738317384173851738617387173881738917390173911739217393173941739517396173971739817399174001740117402174031740417405174061740717408174091741017411174121741317414174151741617417174181741917420174211742217423174241742517426174271742817429174301743117432174331743417435174361743717438174391744017441174421744317444174451744617447174481744917450174511745217453174541745517456174571745817459174601746117462174631746417465174661746717468174691747017471174721747317474174751747617477174781747917480174811748217483174841748517486174871748817489174901749117492174931749417495174961749717498174991750017501175021750317504175051750617507175081750917510175111751217513175141751517516175171751817519175201752117522175231752417525175261752717528175291753017531175321753317534175351753617537175381753917540175411754217543175441754517546175471754817549175501755117552175531755417555175561755717558175591756017561175621756317564175651756617567175681756917570175711757217573175741757517576175771757817579175801758117582175831758417585175861758717588175891759017591175921759317594175951759617597175981759917600176011760217603176041760517606176071760817609176101761117612176131761417615176161761717618176191762017621176221762317624176251762617627176281762917630176311763217633176341763517636176371763817639176401764117642176431764417645176461764717648176491765017651176521765317654176551765617657176581765917660176611766217663176641766517666176671766817669176701767117672176731767417675176761767717678176791768017681176821768317684176851768617687176881768917690176911769217693176941769517696176971769817699177001770117702177031770417705177061770717708177091771017711177121771317714177151771617717177181771917720177211772217723177241772517726177271772817729177301773117732177331773417735177361773717738177391774017741177421774317744177451774617747177481774917750177511775217753177541775517756177571775817759177601776117762177631776417765177661776717768177691777017771177721777317774177751777617777177781777917780177811778217783177841778517786177871778817789177901779117792177931779417795177961779717798177991780017801178021780317804178051780617807178081780917810178111781217813178141781517816178171781817819178201782117822178231782417825178261782717828178291783017831178321783317834178351783617837178381783917840178411784217843178441784517846178471784817849178501785117852178531785417855178561785717858178591786017861178621786317864178651786617867178681786917870178711787217873178741787517876178771787817879178801788117882178831788417885178861788717888178891789017891178921789317894178951789617897178981789917900179011790217903179041790517906179071790817909179101791117912179131791417915179161791717918179191792017921179221792317924179251792617927179281792917930179311793217933179341793517936179371793817939179401794117942179431794417945179461794717948179491795017951179521795317954179551795617957179581795917960179611796217963179641796517966179671796817969179701797117972179731797417975179761797717978179791798017981179821798317984179851798617987179881798917990179911799217993179941799517996179971799817999180001800118002180031800418005180061800718008180091801018011180121801318014180151801618017180181801918020180211802218023180241802518026180271802818029180301803118032180331803418035180361803718038180391804018041180421804318044180451804618047180481804918050180511805218053180541805518056180571805818059180601806118062180631806418065180661806718068180691807018071180721807318074180751807618077180781807918080180811808218083180841808518086180871808818089180901809118092180931809418095180961809718098180991810018101181021810318104181051810618107181081810918110181111811218113181141811518116181171811818119181201812118122181231812418125181261812718128181291813018131181321813318134181351813618137181381813918140181411814218143181441814518146181471814818149181501815118152181531815418155181561815718158181591816018161181621816318164181651816618167181681816918170181711817218173181741817518176181771817818179181801818118182181831818418185181861818718188181891819018191181921819318194181951819618197181981819918200182011820218203182041820518206182071820818209182101821118212182131821418215182161821718218182191822018221182221822318224182251822618227182281822918230182311823218233182341823518236182371823818239182401824118242182431824418245182461824718248182491825018251182521825318254182551825618257182581825918260182611826218263182641826518266182671826818269182701827118272182731827418275182761827718278182791828018281182821828318284182851828618287182881828918290182911829218293182941829518296182971829818299183001830118302183031830418305183061830718308183091831018311183121831318314183151831618317183181831918320183211832218323183241832518326183271832818329183301833118332183331833418335183361833718338183391834018341183421834318344183451834618347183481834918350183511835218353183541835518356183571835818359183601836118362183631836418365183661836718368183691837018371183721837318374183751837618377183781837918380183811838218383183841838518386183871838818389183901839118392183931839418395183961839718398183991840018401184021840318404184051840618407184081840918410184111841218413184141841518416184171841818419184201842118422184231842418425184261842718428184291843018431184321843318434184351843618437184381843918440184411844218443184441844518446184471844818449184501845118452184531845418455184561845718458184591846018461184621846318464184651846618467184681846918470184711847218473184741847518476184771847818479184801848118482184831848418485184861848718488184891849018491184921849318494184951849618497184981849918500185011850218503185041850518506185071850818509185101851118512185131851418515185161851718518185191852018521185221852318524185251852618527185281852918530185311853218533185341853518536185371853818539185401854118542185431854418545185461854718548185491855018551185521855318554185551855618557185581855918560185611856218563185641856518566185671856818569185701857118572185731857418575185761857718578185791858018581185821858318584185851858618587185881858918590185911859218593185941859518596185971859818599186001860118602186031860418605186061860718608186091861018611186121861318614186151861618617186181861918620186211862218623186241862518626186271862818629186301863118632186331863418635186361863718638186391864018641186421864318644186451864618647186481864918650186511865218653186541865518656186571865818659186601866118662186631866418665186661866718668186691867018671186721867318674186751867618677186781867918680186811868218683186841868518686186871868818689186901869118692186931869418695186961869718698186991870018701187021870318704187051870618707187081870918710187111871218713187141871518716187171871818719187201872118722187231872418725187261872718728187291873018731187321873318734187351873618737187381873918740187411874218743187441874518746187471874818749187501875118752187531875418755187561875718758187591876018761187621876318764187651876618767187681876918770187711877218773187741877518776187771877818779187801878118782187831878418785187861878718788187891879018791187921879318794187951879618797187981879918800188011880218803188041880518806188071880818809188101881118812188131881418815188161881718818188191882018821188221882318824188251882618827188281882918830188311883218833188341883518836188371883818839188401884118842188431884418845188461884718848188491885018851188521885318854188551885618857188581885918860188611886218863188641886518866188671886818869188701887118872188731887418875188761887718878188791888018881188821888318884188851888618887188881888918890188911889218893188941889518896188971889818899189001890118902189031890418905189061890718908189091891018911189121891318914189151891618917189181891918920189211892218923189241892518926189271892818929189301893118932189331893418935189361893718938189391894018941189421894318944189451894618947189481894918950189511895218953189541895518956189571895818959189601896118962189631896418965189661896718968189691897018971189721897318974189751897618977189781897918980189811898218983189841898518986189871898818989189901899118992189931899418995189961899718998189991900019001190021900319004190051900619007190081900919010190111901219013190141901519016190171901819019190201902119022190231902419025190261902719028190291903019031190321903319034190351903619037190381903919040190411904219043190441904519046190471904819049190501905119052190531905419055190561905719058190591906019061190621906319064190651906619067190681906919070190711907219073190741907519076190771907819079190801908119082190831908419085190861908719088190891909019091190921909319094190951909619097190981909919100191011910219103191041910519106191071910819109191101911119112191131911419115191161911719118191191912019121191221912319124191251912619127191281912919130191311913219133191341913519136191371913819139191401914119142191431914419145191461914719148191491915019151191521915319154191551915619157191581915919160191611916219163191641916519166191671916819169191701917119172191731917419175191761917719178191791918019181191821918319184191851918619187191881918919190191911919219193191941919519196191971919819199192001920119202192031920419205192061920719208192091921019211192121921319214192151921619217192181921919220192211922219223192241922519226192271922819229192301923119232192331923419235192361923719238192391924019241192421924319244192451924619247192481924919250192511925219253192541925519256192571925819259192601926119262192631926419265192661926719268192691927019271192721927319274192751927619277192781927919280192811928219283192841928519286192871928819289192901929119292192931929419295192961929719298192991930019301193021930319304193051930619307193081930919310193111931219313193141931519316193171931819319193201932119322193231932419325193261932719328193291933019331193321933319334193351933619337193381933919340193411934219343193441934519346193471934819349193501935119352193531935419355193561935719358193591936019361193621936319364193651936619367193681936919370193711937219373193741937519376193771937819379193801938119382193831938419385193861938719388193891939019391193921939319394193951939619397193981939919400194011940219403194041940519406194071940819409194101941119412194131941419415194161941719418194191942019421194221942319424194251942619427194281942919430194311943219433194341943519436194371943819439194401944119442194431944419445194461944719448194491945019451194521945319454194551945619457194581945919460194611946219463194641946519466194671946819469194701947119472194731947419475194761947719478194791948019481194821948319484194851948619487194881948919490194911949219493194941949519496194971949819499195001950119502195031950419505195061950719508195091951019511195121951319514195151951619517195181951919520195211952219523195241952519526195271952819529195301953119532195331953419535195361953719538195391954019541195421954319544195451954619547195481954919550195511955219553195541955519556195571955819559195601956119562195631956419565195661956719568195691957019571195721957319574195751957619577195781957919580195811958219583195841958519586195871958819589195901959119592195931959419595195961959719598195991960019601196021960319604196051960619607196081960919610196111961219613196141961519616196171961819619196201962119622196231962419625196261962719628196291963019631196321963319634196351963619637196381963919640196411964219643196441964519646196471964819649196501965119652196531965419655196561965719658196591966019661196621966319664196651966619667196681966919670196711967219673196741967519676196771967819679196801968119682196831968419685196861968719688196891969019691196921969319694196951969619697196981969919700197011970219703197041970519706197071970819709197101971119712197131971419715197161971719718197191972019721197221972319724197251972619727197281972919730197311973219733197341973519736197371973819739197401974119742197431974419745197461974719748197491975019751197521975319754197551975619757197581975919760197611976219763197641976519766197671976819769197701977119772197731977419775197761977719778197791978019781197821978319784197851978619787197881978919790197911979219793197941979519796197971979819799198001980119802198031980419805198061980719808198091981019811198121981319814198151981619817198181981919820198211982219823198241982519826198271982819829198301983119832198331983419835198361983719838198391984019841198421984319844198451984619847198481984919850198511985219853198541985519856198571985819859198601986119862198631986419865198661986719868198691987019871198721987319874198751987619877198781987919880198811988219883198841988519886198871988819889198901989119892198931989419895198961989719898198991990019901199021990319904199051990619907199081990919910199111991219913199141991519916199171991819919199201992119922199231992419925199261992719928199291993019931199321993319934199351993619937199381993919940199411994219943199441994519946199471994819949199501995119952199531995419955199561995719958199591996019961199621996319964199651996619967199681996919970199711997219973199741997519976199771997819979199801998119982199831998419985199861998719988199891999019991199921999319994199951999619997199981999920000200012000220003200042000520006200072000820009200102001120012200132001420015200162001720018200192002020021200222002320024200252002620027200282002920030200312003220033200342003520036200372003820039200402004120042200432004420045200462004720048200492005020051200522005320054200552005620057200582005920060200612006220063200642006520066200672006820069200702007120072200732007420075200762007720078200792008020081200822008320084200852008620087200882008920090200912009220093200942009520096200972009820099201002010120102201032010420105201062010720108201092011020111201122011320114201152011620117201182011920120201212012220123201242012520126201272012820129201302013120132201332013420135201362013720138201392014020141201422014320144201452014620147201482014920150201512015220153201542015520156201572015820159201602016120162201632016420165201662016720168201692017020171201722017320174201752017620177201782017920180201812018220183201842018520186201872018820189201902019120192201932019420195201962019720198201992020020201202022020320204202052020620207202082020920210202112021220213202142021520216202172021820219202202022120222202232022420225202262022720228202292023020231202322023320234202352023620237202382023920240202412024220243202442024520246202472024820249202502025120252202532025420255202562025720258202592026020261202622026320264202652026620267202682026920270202712027220273202742027520276202772027820279202802028120282202832028420285202862028720288202892029020291202922029320294202952029620297202982029920300203012030220303203042030520306203072030820309203102031120312203132031420315203162031720318203192032020321203222032320324203252032620327203282032920330203312033220333203342033520336203372033820339203402034120342203432034420345203462034720348203492035020351203522035320354203552035620357203582035920360203612036220363203642036520366203672036820369203702037120372203732037420375203762037720378203792038020381203822038320384203852038620387203882038920390203912039220393203942039520396203972039820399204002040120402204032040420405204062040720408204092041020411204122041320414204152041620417204182041920420204212042220423204242042520426204272042820429204302043120432204332043420435204362043720438204392044020441204422044320444204452044620447204482044920450204512045220453204542045520456204572045820459204602046120462204632046420465204662046720468204692047020471204722047320474204752047620477204782047920480204812048220483204842048520486204872048820489204902049120492204932049420495204962049720498204992050020501205022050320504205052050620507205082050920510205112051220513205142051520516205172051820519205202052120522205232052420525205262052720528205292053020531205322053320534205352053620537205382053920540205412054220543205442054520546205472054820549205502055120552205532055420555205562055720558205592056020561205622056320564205652056620567205682056920570205712057220573205742057520576205772057820579205802058120582205832058420585205862058720588205892059020591205922059320594205952059620597205982059920600206012060220603206042060520606206072060820609206102061120612206132061420615206162061720618206192062020621206222062320624206252062620627206282062920630206312063220633206342063520636206372063820639206402064120642206432064420645206462064720648206492065020651206522065320654206552065620657206582065920660206612066220663206642066520666206672066820669206702067120672206732067420675206762067720678206792068020681206822068320684206852068620687206882068920690206912069220693206942069520696206972069820699207002070120702207032070420705207062070720708207092071020711207122071320714207152071620717207182071920720207212072220723207242072520726207272072820729207302073120732207332073420735207362073720738207392074020741207422074320744207452074620747207482074920750207512075220753207542075520756207572075820759207602076120762207632076420765207662076720768207692077020771207722077320774207752077620777207782077920780207812078220783207842078520786207872078820789207902079120792207932079420795207962079720798207992080020801208022080320804208052080620807208082080920810208112081220813208142081520816208172081820819208202082120822208232082420825208262082720828208292083020831208322083320834208352083620837208382083920840208412084220843208442084520846208472084820849208502085120852208532085420855208562085720858208592086020861208622086320864208652086620867208682086920870208712087220873208742087520876208772087820879208802088120882208832088420885208862088720888208892089020891208922089320894208952089620897208982089920900209012090220903209042090520906209072090820909209102091120912209132091420915209162091720918209192092020921209222092320924209252092620927209282092920930209312093220933209342093520936209372093820939209402094120942209432094420945209462094720948209492095020951209522095320954209552095620957209582095920960209612096220963209642096520966209672096820969209702097120972209732097420975209762097720978209792098020981209822098320984209852098620987209882098920990209912099220993209942099520996209972099820999210002100121002210032100421005210062100721008210092101021011210122101321014210152101621017210182101921020210212102221023210242102521026210272102821029210302103121032210332103421035210362103721038210392104021041210422104321044210452104621047210482104921050210512105221053210542105521056210572105821059210602106121062210632106421065210662106721068210692107021071210722107321074210752107621077210782107921080210812108221083210842108521086210872108821089210902109121092210932109421095210962109721098210992110021101211022110321104211052110621107211082110921110211112111221113211142111521116211172111821119211202112121122211232112421125211262112721128211292113021131211322113321134211352113621137211382113921140211412114221143211442114521146211472114821149211502115121152211532115421155211562115721158211592116021161211622116321164211652116621167211682116921170211712117221173211742117521176211772117821179211802118121182211832118421185211862118721188211892119021191211922119321194211952119621197211982119921200212012120221203212042120521206212072120821209212102121121212212132121421215212162121721218212192122021221212222122321224212252122621227212282122921230212312123221233212342123521236212372123821239212402124121242212432124421245212462124721248212492125021251212522125321254212552125621257212582125921260212612126221263212642126521266212672126821269212702127121272212732127421275212762127721278212792128021281212822128321284212852128621287212882128921290212912129221293212942129521296212972129821299213002130121302213032130421305213062130721308213092131021311213122131321314213152131621317213182131921320213212132221323213242132521326213272132821329213302133121332213332133421335213362133721338213392134021341213422134321344213452134621347213482134921350213512135221353213542135521356213572135821359213602136121362213632136421365213662136721368213692137021371213722137321374213752137621377213782137921380213812138221383213842138521386213872138821389213902139121392213932139421395213962139721398213992140021401214022140321404214052140621407214082140921410214112141221413214142141521416214172141821419214202142121422214232142421425214262142721428214292143021431214322143321434214352143621437214382143921440214412144221443214442144521446214472144821449214502145121452214532145421455214562145721458214592146021461214622146321464214652146621467214682146921470214712147221473214742147521476214772147821479214802148121482214832148421485214862148721488214892149021491214922149321494214952149621497214982149921500215012150221503215042150521506215072150821509215102151121512215132151421515215162151721518215192152021521215222152321524215252152621527215282152921530215312153221533215342153521536215372153821539215402154121542215432154421545215462154721548215492155021551215522155321554215552155621557215582155921560215612156221563215642156521566215672156821569215702157121572215732157421575215762157721578215792158021581215822158321584215852158621587215882158921590215912159221593215942159521596215972159821599216002160121602216032160421605216062160721608216092161021611216122161321614216152161621617216182161921620216212162221623216242162521626216272162821629216302163121632216332163421635216362163721638216392164021641216422164321644216452164621647216482164921650216512165221653216542165521656216572165821659216602166121662216632166421665216662166721668216692167021671216722167321674216752167621677216782167921680216812168221683216842168521686216872168821689216902169121692216932169421695216962169721698216992170021701217022170321704217052170621707217082170921710217112171221713217142171521716217172171821719217202172121722217232172421725217262172721728217292173021731217322173321734217352173621737217382173921740217412174221743217442174521746217472174821749217502175121752217532175421755217562175721758217592176021761217622176321764217652176621767217682176921770217712177221773217742177521776217772177821779217802178121782217832178421785217862178721788217892179021791217922179321794217952179621797217982179921800218012180221803218042180521806218072180821809218102181121812218132181421815218162181721818218192182021821218222182321824218252182621827218282182921830218312183221833218342183521836218372183821839218402184121842218432184421845218462184721848218492185021851218522185321854218552185621857218582185921860218612186221863218642186521866218672186821869218702187121872218732187421875218762187721878218792188021881218822188321884218852188621887218882188921890218912189221893218942189521896218972189821899219002190121902219032190421905219062190721908219092191021911219122191321914219152191621917219182191921920219212192221923219242192521926219272192821929219302193121932219332193421935219362193721938219392194021941219422194321944219452194621947219482194921950219512195221953219542195521956219572195821959219602196121962219632196421965219662196721968219692197021971219722197321974219752197621977219782197921980219812198221983219842198521986219872198821989219902199121992219932199421995219962199721998219992200022001220022200322004220052200622007220082200922010220112201222013220142201522016220172201822019220202202122022220232202422025220262202722028220292203022031220322203322034220352203622037220382203922040220412204222043220442204522046220472204822049220502205122052220532205422055220562205722058220592206022061220622206322064220652206622067220682206922070220712207222073220742207522076220772207822079220802208122082220832208422085220862208722088220892209022091220922209322094220952209622097220982209922100221012210222103221042210522106221072210822109221102211122112221132211422115221162211722118221192212022121221222212322124221252212622127221282212922130221312213222133221342213522136221372213822139221402214122142221432214422145221462214722148221492215022151221522215322154221552215622157221582215922160221612216222163221642216522166221672216822169221702217122172221732217422175221762217722178221792218022181221822218322184221852218622187221882218922190221912219222193221942219522196221972219822199222002220122202222032220422205222062220722208222092221022211222122221322214222152221622217222182221922220222212222222223222242222522226222272222822229222302223122232222332223422235222362223722238222392224022241222422224322244222452224622247222482224922250222512225222253222542225522256222572225822259222602226122262222632226422265222662226722268222692227022271222722227322274222752227622277222782227922280222812228222283222842228522286222872228822289222902229122292222932229422295222962229722298222992230022301223022230322304223052230622307223082230922310223112231222313223142231522316223172231822319223202232122322223232232422325223262232722328223292233022331223322233322334223352233622337223382233922340223412234222343223442234522346223472234822349223502235122352223532235422355223562235722358223592236022361223622236322364223652236622367223682236922370223712237222373223742237522376223772237822379223802238122382223832238422385223862238722388223892239022391223922239322394223952239622397223982239922400224012240222403224042240522406224072240822409224102241122412224132241422415224162241722418224192242022421224222242322424224252242622427224282242922430224312243222433224342243522436224372243822439224402244122442224432244422445224462244722448224492245022451224522245322454224552245622457224582245922460224612246222463224642246522466224672246822469224702247122472224732247422475224762247722478224792248022481224822248322484224852248622487224882248922490224912249222493224942249522496224972249822499225002250122502225032250422505225062250722508225092251022511225122251322514225152251622517225182251922520225212252222523225242252522526225272252822529225302253122532225332253422535225362253722538225392254022541225422254322544225452254622547225482254922550225512255222553225542255522556225572255822559225602256122562225632256422565225662256722568225692257022571225722257322574225752257622577225782257922580225812258222583225842258522586225872258822589225902259122592225932259422595225962259722598225992260022601226022260322604226052260622607226082260922610226112261222613226142261522616226172261822619226202262122622226232262422625226262262722628226292263022631226322263322634226352263622637226382263922640226412264222643226442264522646226472264822649226502265122652226532265422655226562265722658226592266022661226622266322664226652266622667226682266922670226712267222673226742267522676226772267822679226802268122682226832268422685226862268722688226892269022691226922269322694226952269622697226982269922700227012270222703227042270522706227072270822709227102271122712227132271422715227162271722718227192272022721227222272322724227252272622727227282272922730227312273222733227342273522736227372273822739227402274122742227432274422745227462274722748227492275022751227522275322754227552275622757227582275922760227612276222763227642276522766227672276822769227702277122772227732277422775227762277722778227792278022781227822278322784227852278622787227882278922790227912279222793227942279522796227972279822799228002280122802228032280422805228062280722808228092281022811228122281322814228152281622817228182281922820228212282222823228242282522826228272282822829228302283122832228332283422835228362283722838228392284022841228422284322844228452284622847228482284922850228512285222853228542285522856228572285822859228602286122862228632286422865228662286722868228692287022871228722287322874228752287622877228782287922880228812288222883228842288522886228872288822889228902289122892228932289422895228962289722898228992290022901229022290322904229052290622907229082290922910229112291222913229142291522916229172291822919229202292122922229232292422925229262292722928229292293022931229322293322934229352293622937229382293922940229412294222943229442294522946229472294822949229502295122952229532295422955229562295722958229592296022961229622296322964229652296622967229682296922970229712297222973229742297522976229772297822979229802298122982229832298422985229862298722988229892299022991229922299322994229952299622997229982299923000230012300223003230042300523006230072300823009230102301123012230132301423015230162301723018230192302023021230222302323024230252302623027230282302923030230312303223033230342303523036230372303823039230402304123042230432304423045230462304723048230492305023051230522305323054230552305623057230582305923060230612306223063230642306523066230672306823069230702307123072230732307423075230762307723078230792308023081230822308323084230852308623087230882308923090230912309223093230942309523096230972309823099231002310123102231032310423105231062310723108231092311023111231122311323114231152311623117231182311923120231212312223123231242312523126231272312823129231302313123132231332313423135231362313723138231392314023141231422314323144231452314623147231482314923150231512315223153231542315523156231572315823159231602316123162231632316423165231662316723168231692317023171231722317323174231752317623177231782317923180231812318223183231842318523186231872318823189231902319123192231932319423195231962319723198231992320023201232022320323204232052320623207232082320923210232112321223213232142321523216232172321823219232202322123222232232322423225232262322723228232292323023231232322323323234232352323623237232382323923240232412324223243232442324523246232472324823249232502325123252232532325423255232562325723258232592326023261232622326323264232652326623267232682326923270232712327223273232742327523276232772327823279232802328123282232832328423285232862328723288232892329023291232922329323294232952329623297232982329923300233012330223303233042330523306233072330823309233102331123312233132331423315233162331723318233192332023321233222332323324233252332623327233282332923330233312333223333233342333523336233372333823339233402334123342233432334423345233462334723348233492335023351233522335323354233552335623357233582335923360233612336223363233642336523366233672336823369233702337123372233732337423375233762337723378233792338023381233822338323384233852338623387233882338923390233912339223393233942339523396233972339823399234002340123402234032340423405234062340723408234092341023411234122341323414234152341623417234182341923420234212342223423234242342523426234272342823429234302343123432234332343423435234362343723438234392344023441234422344323444234452344623447234482344923450234512345223453234542345523456234572345823459234602346123462234632346423465234662346723468234692347023471234722347323474234752347623477234782347923480234812348223483234842348523486234872348823489234902349123492234932349423495234962349723498234992350023501235022350323504235052350623507235082350923510235112351223513235142351523516235172351823519235202352123522235232352423525235262352723528235292353023531235322353323534235352353623537235382353923540235412354223543235442354523546235472354823549235502355123552235532355423555235562355723558235592356023561235622356323564235652356623567235682356923570235712357223573235742357523576235772357823579235802358123582235832358423585235862358723588235892359023591235922359323594235952359623597235982359923600236012360223603236042360523606236072360823609236102361123612236132361423615236162361723618236192362023621236222362323624236252362623627236282362923630236312363223633236342363523636236372363823639236402364123642236432364423645236462364723648236492365023651236522365323654236552365623657236582365923660236612366223663236642366523666236672366823669236702367123672236732367423675236762367723678236792368023681236822368323684236852368623687236882368923690236912369223693236942369523696236972369823699237002370123702237032370423705237062370723708237092371023711237122371323714237152371623717237182371923720237212372223723237242372523726237272372823729237302373123732237332373423735237362373723738237392374023741237422374323744237452374623747237482374923750237512375223753237542375523756237572375823759237602376123762237632376423765237662376723768237692377023771237722377323774237752377623777237782377923780237812378223783237842378523786237872378823789237902379123792237932379423795237962379723798237992380023801238022380323804238052380623807238082380923810238112381223813238142381523816238172381823819238202382123822238232382423825238262382723828238292383023831238322383323834238352383623837238382383923840238412384223843238442384523846238472384823849238502385123852238532385423855238562385723858238592386023861238622386323864238652386623867238682386923870238712387223873238742387523876238772387823879238802388123882238832388423885238862388723888238892389023891238922389323894238952389623897238982389923900239012390223903239042390523906239072390823909239102391123912239132391423915239162391723918239192392023921239222392323924239252392623927239282392923930239312393223933239342393523936239372393823939239402394123942239432394423945239462394723948239492395023951239522395323954239552395623957239582395923960239612396223963239642396523966239672396823969239702397123972239732397423975239762397723978239792398023981239822398323984239852398623987239882398923990239912399223993239942399523996239972399823999240002400124002240032400424005240062400724008240092401024011240122401324014240152401624017240182401924020240212402224023240242402524026240272402824029240302403124032240332403424035240362403724038240392404024041240422404324044240452404624047240482404924050240512405224053240542405524056240572405824059240602406124062240632406424065240662406724068240692407024071240722407324074240752407624077240782407924080240812408224083240842408524086240872408824089240902409124092240932409424095240962409724098240992410024101241022410324104241052410624107241082410924110241112411224113241142411524116241172411824119241202412124122241232412424125241262412724128241292413024131241322413324134241352413624137241382413924140241412414224143241442414524146241472414824149241502415124152241532415424155241562415724158241592416024161241622416324164241652416624167241682416924170241712417224173241742417524176241772417824179241802418124182241832418424185241862418724188241892419024191241922419324194241952419624197241982419924200242012420224203242042420524206242072420824209242102421124212242132421424215242162421724218242192422024221242222422324224242252422624227242282422924230242312423224233242342423524236242372423824239242402424124242242432424424245242462424724248242492425024251242522425324254242552425624257242582425924260242612426224263242642426524266242672426824269242702427124272242732427424275242762427724278242792428024281242822428324284242852428624287242882428924290242912429224293242942429524296242972429824299243002430124302243032430424305243062430724308243092431024311243122431324314243152431624317243182431924320243212432224323243242432524326243272432824329243302433124332243332433424335243362433724338243392434024341243422434324344243452434624347243482434924350243512435224353243542435524356243572435824359243602436124362243632436424365243662436724368243692437024371243722437324374243752437624377243782437924380243812438224383243842438524386243872438824389243902439124392243932439424395243962439724398243992440024401244022440324404244052440624407244082440924410244112441224413244142441524416244172441824419244202442124422244232442424425244262442724428244292443024431244322443324434244352443624437244382443924440244412444224443244442444524446244472444824449244502445124452244532445424455244562445724458244592446024461244622446324464244652446624467244682446924470244712447224473244742447524476244772447824479244802448124482244832448424485244862448724488244892449024491244922449324494244952449624497244982449924500245012450224503245042450524506245072450824509245102451124512245132451424515245162451724518245192452024521245222452324524245252452624527245282452924530245312453224533245342453524536245372453824539245402454124542245432454424545245462454724548245492455024551245522455324554245552455624557245582455924560245612456224563245642456524566245672456824569245702457124572245732457424575245762457724578245792458024581245822458324584245852458624587245882458924590245912459224593245942459524596245972459824599246002460124602246032460424605246062460724608246092461024611246122461324614246152461624617246182461924620246212462224623246242462524626246272462824629246302463124632246332463424635246362463724638246392464024641246422464324644246452464624647246482464924650246512465224653246542465524656246572465824659246602466124662246632466424665246662466724668246692467024671246722467324674246752467624677246782467924680246812468224683246842468524686246872468824689246902469124692246932469424695246962469724698246992470024701247022470324704247052470624707247082470924710247112471224713247142471524716247172471824719247202472124722247232472424725247262472724728247292473024731247322473324734247352473624737247382473924740247412474224743247442474524746247472474824749247502475124752247532475424755247562475724758247592476024761247622476324764247652476624767247682476924770247712477224773247742477524776247772477824779247802478124782247832478424785247862478724788247892479024791247922479324794247952479624797247982479924800248012480224803248042480524806248072480824809248102481124812248132481424815248162481724818248192482024821248222482324824248252482624827248282482924830248312483224833248342483524836248372483824839248402484124842248432484424845248462484724848248492485024851248522485324854248552485624857248582485924860248612486224863248642486524866248672486824869248702487124872248732487424875248762487724878248792488024881248822488324884248852488624887248882488924890248912489224893248942489524896248972489824899249002490124902249032490424905249062490724908249092491024911249122491324914249152491624917249182491924920249212492224923249242492524926249272492824929249302493124932249332493424935249362493724938249392494024941249422494324944249452494624947249482494924950249512495224953249542495524956249572495824959249602496124962249632496424965249662496724968249692497024971249722497324974249752497624977249782497924980249812498224983249842498524986249872498824989249902499124992249932499424995249962499724998249992500025001250022500325004250052500625007250082500925010250112501225013250142501525016250172501825019250202502125022250232502425025250262502725028250292503025031250322503325034250352503625037250382503925040250412504225043250442504525046250472504825049250502505125052250532505425055250562505725058250592506025061250622506325064250652506625067250682506925070250712507225073250742507525076250772507825079250802508125082250832508425085250862508725088250892509025091250922509325094250952509625097250982509925100251012510225103251042510525106251072510825109251102511125112251132511425115251162511725118251192512025121251222512325124251252512625127251282512925130251312513225133251342513525136251372513825139251402514125142251432514425145251462514725148251492515025151251522515325154251552515625157251582515925160251612516225163251642516525166251672516825169251702517125172251732517425175251762517725178251792518025181251822518325184251852518625187251882518925190251912519225193251942519525196251972519825199252002520125202252032520425205252062520725208252092521025211252122521325214252152521625217252182521925220252212522225223252242522525226252272522825229252302523125232252332523425235252362523725238252392524025241252422524325244252452524625247252482524925250252512525225253252542525525256252572525825259252602526125262252632526425265252662526725268252692527025271252722527325274252752527625277252782527925280252812528225283252842528525286252872528825289252902529125292252932529425295252962529725298252992530025301253022530325304253052530625307253082530925310253112531225313253142531525316253172531825319253202532125322253232532425325253262532725328253292533025331253322533325334253352533625337253382533925340253412534225343253442534525346253472534825349253502535125352253532535425355253562535725358253592536025361253622536325364253652536625367253682536925370253712537225373253742537525376253772537825379253802538125382253832538425385253862538725388253892539025391253922539325394253952539625397253982539925400254012540225403254042540525406254072540825409254102541125412254132541425415254162541725418254192542025421254222542325424254252542625427254282542925430254312543225433254342543525436254372543825439254402544125442254432544425445254462544725448254492545025451254522545325454254552545625457254582545925460254612546225463254642546525466254672546825469254702547125472254732547425475254762547725478254792548025481254822548325484254852548625487254882548925490254912549225493254942549525496254972549825499255002550125502255032550425505255062550725508255092551025511255122551325514255152551625517255182551925520255212552225523255242552525526255272552825529255302553125532255332553425535255362553725538255392554025541255422554325544255452554625547255482554925550255512555225553255542555525556255572555825559255602556125562255632556425565255662556725568255692557025571255722557325574255752557625577255782557925580255812558225583255842558525586255872558825589255902559125592255932559425595255962559725598255992560025601256022560325604256052560625607256082560925610256112561225613256142561525616256172561825619256202562125622256232562425625256262562725628256292563025631256322563325634256352563625637256382563925640256412564225643256442564525646256472564825649256502565125652256532565425655256562565725658256592566025661256622566325664256652566625667256682566925670256712567225673256742567525676256772567825679256802568125682256832568425685256862568725688256892569025691256922569325694256952569625697256982569925700257012570225703257042570525706257072570825709257102571125712257132571425715257162571725718257192572025721257222572325724257252572625727257282572925730257312573225733257342573525736257372573825739257402574125742257432574425745257462574725748257492575025751257522575325754257552575625757257582575925760257612576225763257642576525766257672576825769257702577125772257732577425775257762577725778257792578025781257822578325784257852578625787257882578925790257912579225793257942579525796257972579825799258002580125802258032580425805258062580725808258092581025811258122581325814258152581625817258182581925820258212582225823258242582525826258272582825829258302583125832258332583425835258362583725838258392584025841258422584325844258452584625847258482584925850258512585225853258542585525856258572585825859258602586125862258632586425865258662586725868258692587025871258722587325874258752587625877258782587925880258812588225883258842588525886258872588825889258902589125892258932589425895258962589725898258992590025901259022590325904259052590625907259082590925910259112591225913259142591525916259172591825919259202592125922259232592425925259262592725928259292593025931259322593325934259352593625937259382593925940259412594225943259442594525946259472594825949259502595125952259532595425955259562595725958259592596025961259622596325964259652596625967259682596925970259712597225973259742597525976259772597825979259802598125982259832598425985259862598725988259892599025991259922599325994259952599625997259982599926000260012600226003260042600526006260072600826009260102601126012260132601426015260162601726018260192602026021260222602326024260252602626027260282602926030260312603226033260342603526036260372603826039260402604126042260432604426045260462604726048260492605026051260522605326054260552605626057260582605926060260612606226063260642606526066260672606826069260702607126072260732607426075260762607726078260792608026081260822608326084260852608626087260882608926090260912609226093260942609526096260972609826099261002610126102261032610426105261062610726108261092611026111261122611326114261152611626117261182611926120261212612226123261242612526126261272612826129261302613126132261332613426135261362613726138261392614026141261422614326144261452614626147261482614926150261512615226153261542615526156261572615826159261602616126162261632616426165261662616726168261692617026171261722617326174261752617626177261782617926180261812618226183261842618526186261872618826189261902619126192261932619426195261962619726198261992620026201262022620326204262052620626207262082620926210262112621226213262142621526216262172621826219262202622126222262232622426225262262622726228262292623026231262322623326234262352623626237262382623926240262412624226243262442624526246262472624826249262502625126252262532625426255262562625726258262592626026261262622626326264262652626626267262682626926270262712627226273262742627526276262772627826279262802628126282262832628426285262862628726288262892629026291262922629326294262952629626297262982629926300263012630226303263042630526306263072630826309263102631126312263132631426315263162631726318263192632026321263222632326324263252632626327263282632926330263312633226333263342633526336263372633826339263402634126342263432634426345263462634726348263492635026351263522635326354263552635626357263582635926360263612636226363263642636526366263672636826369263702637126372263732637426375263762637726378263792638026381263822638326384263852638626387263882638926390263912639226393263942639526396263972639826399264002640126402264032640426405264062640726408264092641026411264122641326414264152641626417264182641926420264212642226423264242642526426264272642826429264302643126432264332643426435264362643726438264392644026441264422644326444264452644626447264482644926450264512645226453264542645526456264572645826459264602646126462264632646426465264662646726468264692647026471264722647326474264752647626477264782647926480264812648226483264842648526486264872648826489264902649126492264932649426495264962649726498264992650026501265022650326504265052650626507265082650926510265112651226513265142651526516265172651826519265202652126522265232652426525265262652726528265292653026531265322653326534265352653626537265382653926540265412654226543265442654526546265472654826549265502655126552265532655426555265562655726558265592656026561265622656326564265652656626567265682656926570265712657226573265742657526576265772657826579265802658126582265832658426585265862658726588265892659026591265922659326594265952659626597265982659926600266012660226603266042660526606266072660826609266102661126612266132661426615266162661726618266192662026621266222662326624266252662626627266282662926630266312663226633266342663526636266372663826639266402664126642266432664426645266462664726648266492665026651266522665326654266552665626657266582665926660266612666226663266642666526666266672666826669266702667126672266732667426675266762667726678266792668026681266822668326684266852668626687266882668926690266912669226693266942669526696266972669826699267002670126702267032670426705267062670726708267092671026711267122671326714267152671626717267182671926720267212672226723267242672526726267272672826729267302673126732267332673426735267362673726738267392674026741267422674326744267452674626747267482674926750267512675226753267542675526756267572675826759267602676126762267632676426765267662676726768267692677026771267722677326774267752677626777267782677926780267812678226783267842678526786267872678826789267902679126792267932679426795267962679726798267992680026801268022680326804268052680626807268082680926810268112681226813268142681526816268172681826819268202682126822268232682426825268262682726828268292683026831268322683326834268352683626837268382683926840268412684226843268442684526846268472684826849268502685126852268532685426855268562685726858268592686026861268622686326864268652686626867268682686926870268712687226873268742687526876268772687826879268802688126882268832688426885268862688726888268892689026891268922689326894268952689626897268982689926900269012690226903269042690526906269072690826909269102691126912269132691426915269162691726918269192692026921269222692326924269252692626927269282692926930269312693226933269342693526936269372693826939269402694126942269432694426945269462694726948269492695026951269522695326954269552695626957269582695926960269612696226963269642696526966269672696826969269702697126972269732697426975269762697726978269792698026981269822698326984269852698626987269882698926990269912699226993269942699526996269972699826999270002700127002270032700427005270062700727008270092701027011270122701327014270152701627017270182701927020270212702227023270242702527026270272702827029270302703127032270332703427035270362703727038270392704027041270422704327044270452704627047270482704927050270512705227053270542705527056270572705827059270602706127062270632706427065270662706727068270692707027071270722707327074270752707627077270782707927080270812708227083270842708527086270872708827089270902709127092270932709427095270962709727098270992710027101271022710327104271052710627107271082710927110271112711227113271142711527116271172711827119271202712127122271232712427125271262712727128271292713027131271322713327134271352713627137271382713927140271412714227143271442714527146271472714827149271502715127152271532715427155271562715727158271592716027161271622716327164271652716627167271682716927170271712717227173271742717527176271772717827179271802718127182271832718427185271862718727188271892719027191271922719327194271952719627197271982719927200272012720227203272042720527206272072720827209272102721127212272132721427215272162721727218272192722027221272222722327224272252722627227272282722927230272312723227233272342723527236272372723827239272402724127242272432724427245272462724727248272492725027251272522725327254272552725627257272582725927260272612726227263272642726527266272672726827269272702727127272272732727427275272762727727278272792728027281272822728327284272852728627287272882728927290272912729227293272942729527296272972729827299273002730127302273032730427305273062730727308273092731027311273122731327314273152731627317273182731927320273212732227323273242732527326273272732827329273302733127332273332733427335273362733727338273392734027341273422734327344273452734627347273482734927350273512735227353273542735527356273572735827359273602736127362273632736427365273662736727368273692737027371273722737327374273752737627377273782737927380273812738227383273842738527386273872738827389273902739127392273932739427395273962739727398273992740027401274022740327404274052740627407274082740927410274112741227413274142741527416274172741827419274202742127422274232742427425274262742727428274292743027431274322743327434274352743627437274382743927440274412744227443274442744527446274472744827449274502745127452274532745427455274562745727458274592746027461274622746327464274652746627467274682746927470274712747227473274742747527476274772747827479274802748127482274832748427485274862748727488274892749027491274922749327494274952749627497274982749927500275012750227503275042750527506275072750827509275102751127512275132751427515275162751727518275192752027521275222752327524275252752627527275282752927530275312753227533275342753527536275372753827539275402754127542275432754427545275462754727548275492755027551275522755327554275552755627557275582755927560275612756227563275642756527566275672756827569275702757127572275732757427575275762757727578275792758027581275822758327584275852758627587275882758927590275912759227593275942759527596275972759827599276002760127602276032760427605276062760727608276092761027611276122761327614276152761627617276182761927620276212762227623276242762527626276272762827629276302763127632276332763427635276362763727638276392764027641276422764327644276452764627647276482764927650276512765227653276542765527656276572765827659276602766127662276632766427665276662766727668276692767027671276722767327674276752767627677276782767927680276812768227683276842768527686276872768827689276902769127692276932769427695276962769727698276992770027701277022770327704277052770627707277082770927710277112771227713277142771527716277172771827719277202772127722277232772427725277262772727728277292773027731277322773327734277352773627737277382773927740277412774227743277442774527746277472774827749277502775127752277532775427755277562775727758277592776027761277622776327764277652776627767277682776927770277712777227773277742777527776277772777827779277802778127782277832778427785277862778727788277892779027791277922779327794277952779627797277982779927800278012780227803278042780527806278072780827809278102781127812278132781427815278162781727818278192782027821278222782327824278252782627827278282782927830278312783227833278342783527836278372783827839278402784127842278432784427845278462784727848278492785027851278522785327854278552785627857278582785927860278612786227863278642786527866278672786827869278702787127872278732787427875278762787727878278792788027881278822788327884278852788627887278882788927890278912789227893278942789527896278972789827899279002790127902279032790427905279062790727908279092791027911279122791327914279152791627917279182791927920279212792227923279242792527926279272792827929279302793127932279332793427935279362793727938279392794027941279422794327944279452794627947279482794927950279512795227953279542795527956279572795827959279602796127962279632796427965279662796727968279692797027971279722797327974279752797627977279782797927980279812798227983279842798527986279872798827989279902799127992279932799427995279962799727998279992800028001280022800328004280052800628007280082800928010280112801228013280142801528016280172801828019280202802128022280232802428025280262802728028280292803028031280322803328034280352803628037280382803928040280412804228043280442804528046280472804828049280502805128052280532805428055280562805728058280592806028061280622806328064280652806628067280682806928070280712807228073280742807528076280772807828079280802808128082280832808428085280862808728088280892809028091280922809328094280952809628097280982809928100281012810228103281042810528106281072810828109281102811128112281132811428115281162811728118281192812028121281222812328124281252812628127281282812928130281312813228133281342813528136281372813828139281402814128142281432814428145281462814728148281492815028151281522815328154281552815628157281582815928160281612816228163281642816528166281672816828169281702817128172281732817428175281762817728178281792818028181281822818328184281852818628187281882818928190281912819228193281942819528196281972819828199282002820128202282032820428205282062820728208282092821028211282122821328214282152821628217282182821928220282212822228223282242822528226282272822828229282302823128232282332823428235282362823728238282392824028241282422824328244282452824628247282482824928250282512825228253282542825528256282572825828259282602826128262282632826428265282662826728268282692827028271282722827328274282752827628277282782827928280282812828228283282842828528286282872828828289282902829128292282932829428295282962829728298282992830028301283022830328304283052830628307283082830928310283112831228313283142831528316283172831828319283202832128322283232832428325283262832728328283292833028331283322833328334283352833628337283382833928340283412834228343283442834528346283472834828349283502835128352283532835428355283562835728358283592836028361283622836328364283652836628367283682836928370283712837228373283742837528376283772837828379283802838128382283832838428385283862838728388283892839028391283922839328394283952839628397283982839928400284012840228403284042840528406284072840828409284102841128412284132841428415284162841728418284192842028421284222842328424284252842628427284282842928430284312843228433284342843528436284372843828439284402844128442284432844428445284462844728448284492845028451284522845328454284552845628457284582845928460284612846228463284642846528466284672846828469284702847128472284732847428475284762847728478284792848028481284822848328484284852848628487284882848928490284912849228493284942849528496284972849828499285002850128502285032850428505285062850728508285092851028511285122851328514285152851628517285182851928520285212852228523285242852528526285272852828529285302853128532285332853428535285362853728538285392854028541285422854328544285452854628547285482854928550285512855228553285542855528556285572855828559285602856128562285632856428565285662856728568285692857028571285722857328574285752857628577285782857928580285812858228583285842858528586285872858828589285902859128592285932859428595285962859728598285992860028601286022860328604286052860628607286082860928610286112861228613286142861528616286172861828619286202862128622286232862428625286262862728628286292863028631286322863328634286352863628637286382863928640286412864228643286442864528646286472864828649286502865128652286532865428655286562865728658286592866028661286622866328664286652866628667286682866928670286712867228673286742867528676286772867828679286802868128682286832868428685286862868728688286892869028691286922869328694286952869628697286982869928700287012870228703287042870528706287072870828709287102871128712287132871428715287162871728718287192872028721287222872328724287252872628727287282872928730287312873228733287342873528736287372873828739287402874128742287432874428745287462874728748287492875028751287522875328754287552875628757287582875928760287612876228763287642876528766287672876828769287702877128772287732877428775287762877728778287792878028781287822878328784287852878628787287882878928790287912879228793287942879528796287972879828799288002880128802288032880428805288062880728808288092881028811288122881328814288152881628817288182881928820288212882228823288242882528826288272882828829288302883128832288332883428835288362883728838288392884028841288422884328844288452884628847288482884928850288512885228853288542885528856288572885828859288602886128862288632886428865288662886728868288692887028871288722887328874288752887628877288782887928880288812888228883288842888528886288872888828889288902889128892288932889428895288962889728898288992890028901289022890328904289052890628907289082890928910289112891228913289142891528916289172891828919289202892128922289232892428925289262892728928289292893028931289322893328934289352893628937289382893928940289412894228943289442894528946289472894828949289502895128952289532895428955289562895728958289592896028961289622896328964289652896628967289682896928970289712897228973289742897528976289772897828979289802898128982289832898428985289862898728988289892899028991289922899328994289952899628997289982899929000290012900229003290042900529006290072900829009290102901129012290132901429015290162901729018290192902029021290222902329024290252902629027290282902929030290312903229033290342903529036290372903829039290402904129042290432904429045290462904729048290492905029051290522905329054290552905629057290582905929060290612906229063290642906529066290672906829069290702907129072290732907429075290762907729078290792908029081290822908329084290852908629087290882908929090290912909229093290942909529096290972909829099291002910129102291032910429105291062910729108291092911029111291122911329114291152911629117291182911929120291212912229123291242912529126291272912829129291302913129132291332913429135291362913729138291392914029141291422914329144291452914629147291482914929150291512915229153291542915529156291572915829159291602916129162291632916429165291662916729168291692917029171291722917329174291752917629177291782917929180291812918229183291842918529186291872918829189291902919129192291932919429195291962919729198291992920029201292022920329204292052920629207292082920929210292112921229213292142921529216292172921829219292202922129222292232922429225292262922729228292292923029231292322923329234292352923629237292382923929240292412924229243292442924529246292472924829249292502925129252292532925429255292562925729258292592926029261292622926329264292652926629267292682926929270292712927229273292742927529276292772927829279292802928129282292832928429285292862928729288292892929029291292922929329294292952929629297292982929929300293012930229303293042930529306293072930829309293102931129312293132931429315293162931729318293192932029321293222932329324293252932629327293282932929330293312933229333293342933529336293372933829339293402934129342293432934429345293462934729348293492935029351293522935329354293552935629357293582935929360293612936229363293642936529366293672936829369293702937129372293732937429375293762937729378293792938029381293822938329384293852938629387293882938929390293912939229393293942939529396293972939829399294002940129402294032940429405294062940729408294092941029411294122941329414294152941629417294182941929420294212942229423294242942529426294272942829429294302943129432294332943429435294362943729438294392944029441294422944329444294452944629447294482944929450294512945229453294542945529456294572945829459294602946129462294632946429465294662946729468294692947029471294722947329474294752947629477294782947929480294812948229483294842948529486294872948829489294902949129492294932949429495294962949729498294992950029501295022950329504295052950629507295082950929510295112951229513295142951529516295172951829519295202952129522295232952429525295262952729528295292953029531295322953329534295352953629537295382953929540295412954229543295442954529546295472954829549295502955129552295532955429555295562955729558295592956029561295622956329564295652956629567295682956929570295712957229573295742957529576295772957829579295802958129582295832958429585295862958729588295892959029591295922959329594295952959629597295982959929600296012960229603296042960529606296072960829609296102961129612296132961429615296162961729618296192962029621296222962329624296252962629627296282962929630296312963229633296342963529636296372963829639296402964129642296432964429645296462964729648296492965029651296522965329654296552965629657296582965929660296612966229663296642966529666296672966829669296702967129672296732967429675296762967729678296792968029681296822968329684296852968629687296882968929690296912969229693296942969529696296972969829699297002970129702297032970429705297062970729708297092971029711297122971329714297152971629717297182971929720297212972229723297242972529726297272972829729297302973129732297332973429735297362973729738297392974029741297422974329744297452974629747297482974929750297512975229753297542975529756297572975829759297602976129762297632976429765297662976729768297692977029771297722977329774297752977629777297782977929780297812978229783297842978529786297872978829789297902979129792297932979429795297962979729798297992980029801298022980329804298052980629807298082980929810298112981229813298142981529816298172981829819298202982129822298232982429825298262982729828298292983029831298322983329834298352983629837298382983929840298412984229843298442984529846298472984829849298502985129852298532985429855298562985729858298592986029861298622986329864298652986629867298682986929870298712987229873298742987529876298772987829879298802988129882298832988429885298862988729888298892989029891298922989329894298952989629897298982989929900299012990229903299042990529906299072990829909299102991129912299132991429915299162991729918299192992029921299222992329924299252992629927299282992929930299312993229933299342993529936299372993829939299402994129942299432994429945299462994729948299492995029951299522995329954299552995629957299582995929960299612996229963299642996529966299672996829969299702997129972299732997429975299762997729978299792998029981299822998329984299852998629987299882998929990299912999229993299942999529996299972999829999300003000130002300033000430005300063000730008300093001030011300123001330014300153001630017300183001930020300213002230023300243002530026300273002830029300303003130032300333003430035300363003730038300393004030041300423004330044300453004630047300483004930050300513005230053300543005530056300573005830059300603006130062300633006430065300663006730068300693007030071300723007330074300753007630077300783007930080300813008230083300843008530086300873008830089300903009130092300933009430095300963009730098300993010030101301023010330104301053010630107301083010930110301113011230113301143011530116301173011830119301203012130122301233012430125301263012730128301293013030131301323013330134301353013630137301383013930140301413014230143301443014530146301473014830149301503015130152301533015430155301563015730158301593016030161301623016330164301653016630167301683016930170301713017230173301743017530176301773017830179301803018130182301833018430185301863018730188301893019030191301923019330194301953019630197301983019930200302013020230203302043020530206302073020830209302103021130212302133021430215302163021730218302193022030221302223022330224302253022630227302283022930230302313023230233302343023530236302373023830239302403024130242302433024430245302463024730248302493025030251302523025330254302553025630257302583025930260302613026230263302643026530266302673026830269302703027130272302733027430275302763027730278302793028030281302823028330284302853028630287302883028930290302913029230293302943029530296302973029830299303003030130302303033030430305303063030730308303093031030311303123031330314303153031630317303183031930320303213032230323303243032530326303273032830329303303033130332303333033430335303363033730338303393034030341303423034330344303453034630347303483034930350303513035230353303543035530356303573035830359303603036130362303633036430365303663036730368303693037030371303723037330374303753037630377303783037930380303813038230383303843038530386303873038830389303903039130392303933039430395303963039730398303993040030401304023040330404304053040630407304083040930410304113041230413304143041530416304173041830419304203042130422304233042430425304263042730428304293043030431304323043330434304353043630437304383043930440304413044230443304443044530446304473044830449304503045130452304533045430455304563045730458304593046030461304623046330464304653046630467304683046930470304713047230473304743047530476304773047830479304803048130482304833048430485304863048730488304893049030491304923049330494304953049630497304983049930500305013050230503305043050530506305073050830509305103051130512305133051430515305163051730518305193052030521305223052330524305253052630527305283052930530305313053230533305343053530536305373053830539305403054130542305433054430545305463054730548305493055030551305523055330554305553055630557305583055930560305613056230563305643056530566305673056830569305703057130572305733057430575305763057730578305793058030581305823058330584305853058630587305883058930590305913059230593305943059530596305973059830599306003060130602306033060430605306063060730608306093061030611306123061330614306153061630617306183061930620306213062230623306243062530626306273062830629306303063130632306333063430635306363063730638306393064030641306423064330644306453064630647306483064930650306513065230653306543065530656306573065830659306603066130662306633066430665306663066730668306693067030671306723067330674306753067630677306783067930680306813068230683306843068530686306873068830689306903069130692306933069430695306963069730698306993070030701307023070330704307053070630707307083070930710307113071230713307143071530716307173071830719307203072130722307233072430725307263072730728307293073030731307323073330734307353073630737307383073930740307413074230743307443074530746307473074830749307503075130752307533075430755307563075730758307593076030761307623076330764307653076630767307683076930770307713077230773307743077530776307773077830779307803078130782307833078430785307863078730788307893079030791307923079330794307953079630797307983079930800308013080230803308043080530806308073080830809308103081130812308133081430815308163081730818308193082030821308223082330824308253082630827308283082930830308313083230833308343083530836308373083830839308403084130842308433084430845308463084730848308493085030851308523085330854308553085630857308583085930860308613086230863308643086530866308673086830869308703087130872308733087430875308763087730878308793088030881308823088330884308853088630887308883088930890308913089230893308943089530896308973089830899309003090130902309033090430905309063090730908309093091030911309123091330914309153091630917309183091930920309213092230923309243092530926309273092830929309303093130932309333093430935309363093730938309393094030941309423094330944309453094630947309483094930950309513095230953309543095530956309573095830959309603096130962309633096430965309663096730968309693097030971309723097330974309753097630977309783097930980309813098230983309843098530986309873098830989309903099130992309933099430995309963099730998309993100031001310023100331004310053100631007310083100931010310113101231013310143101531016310173101831019310203102131022310233102431025310263102731028310293103031031310323103331034310353103631037310383103931040310413104231043310443104531046310473104831049310503105131052310533105431055310563105731058310593106031061310623106331064310653106631067310683106931070310713107231073310743107531076310773107831079310803108131082310833108431085310863108731088310893109031091310923109331094310953109631097310983109931100311013110231103311043110531106311073110831109311103111131112311133111431115311163111731118311193112031121311223112331124311253112631127311283112931130311313113231133311343113531136311373113831139311403114131142311433114431145311463114731148311493115031151311523115331154311553115631157311583115931160311613116231163311643116531166311673116831169311703117131172311733117431175311763117731178311793118031181311823118331184311853118631187311883118931190311913119231193311943119531196311973119831199312003120131202312033120431205312063120731208312093121031211312123121331214312153121631217312183121931220312213122231223312243122531226312273122831229312303123131232312333123431235312363123731238312393124031241312423124331244312453124631247312483124931250312513125231253312543125531256312573125831259312603126131262312633126431265312663126731268312693127031271312723127331274312753127631277312783127931280312813128231283312843128531286312873128831289312903129131292312933129431295312963129731298312993130031301313023130331304313053130631307313083130931310313113131231313313143131531316313173131831319313203132131322313233132431325313263132731328313293133031331313323133331334313353133631337313383133931340313413134231343313443134531346313473134831349313503135131352313533135431355313563135731358313593136031361313623136331364313653136631367313683136931370313713137231373313743137531376313773137831379313803138131382313833138431385313863138731388313893139031391313923139331394313953139631397313983139931400314013140231403314043140531406314073140831409314103141131412314133141431415314163141731418314193142031421314223142331424314253142631427314283142931430314313143231433314343143531436314373143831439314403144131442314433144431445314463144731448314493145031451314523145331454314553145631457314583145931460314613146231463314643146531466314673146831469314703147131472314733147431475314763147731478314793148031481314823148331484314853148631487314883148931490314913149231493314943149531496314973149831499315003150131502315033150431505315063150731508315093151031511315123151331514315153151631517315183151931520315213152231523315243152531526315273152831529315303153131532315333153431535315363153731538315393154031541315423154331544315453154631547315483154931550315513155231553315543155531556315573155831559315603156131562315633156431565315663156731568315693157031571315723157331574315753157631577315783157931580315813158231583315843158531586315873158831589315903159131592315933159431595315963159731598315993160031601316023160331604316053160631607316083160931610316113161231613316143161531616316173161831619316203162131622316233162431625316263162731628316293163031631316323163331634316353163631637316383163931640316413164231643316443164531646316473164831649316503165131652316533165431655316563165731658316593166031661316623166331664316653166631667316683166931670316713167231673316743167531676316773167831679316803168131682316833168431685316863168731688316893169031691316923169331694316953169631697316983169931700317013170231703317043170531706317073170831709317103171131712317133171431715317163171731718317193172031721317223172331724317253172631727317283172931730317313173231733317343173531736317373173831739317403174131742317433174431745317463174731748317493175031751317523175331754317553175631757317583175931760317613176231763317643176531766317673176831769317703177131772317733177431775317763177731778317793178031781317823178331784317853178631787317883178931790317913179231793317943179531796317973179831799318003180131802318033180431805318063180731808318093181031811318123181331814318153181631817318183181931820318213182231823318243182531826318273182831829318303183131832318333183431835318363183731838318393184031841318423184331844318453184631847318483184931850318513185231853318543185531856318573185831859318603186131862318633186431865318663186731868318693187031871318723187331874318753187631877318783187931880318813188231883318843188531886318873188831889318903189131892318933189431895318963189731898318993190031901319023190331904319053190631907319083190931910319113191231913319143191531916319173191831919319203192131922319233192431925319263192731928319293193031931319323193331934319353193631937319383193931940319413194231943319443194531946319473194831949319503195131952319533195431955319563195731958319593196031961319623196331964319653196631967319683196931970319713197231973319743197531976319773197831979319803198131982319833198431985319863198731988319893199031991319923199331994319953199631997319983199932000320013200232003320043200532006320073200832009320103201132012320133201432015320163201732018320193202032021320223202332024320253202632027320283202932030320313203232033320343203532036320373203832039320403204132042320433204432045320463204732048320493205032051320523205332054320553205632057320583205932060320613206232063320643206532066320673206832069320703207132072320733207432075320763207732078320793208032081320823208332084320853208632087320883208932090320913209232093320943209532096320973209832099321003210132102321033210432105321063210732108321093211032111321123211332114321153211632117321183211932120321213212232123321243212532126321273212832129321303213132132321333213432135321363213732138321393214032141321423214332144321453214632147321483214932150321513215232153321543215532156321573215832159321603216132162321633216432165321663216732168321693217032171321723217332174321753217632177321783217932180321813218232183321843218532186321873218832189321903219132192321933219432195321963219732198321993220032201322023220332204322053220632207322083220932210322113221232213322143221532216322173221832219322203222132222322233222432225322263222732228322293223032231322323223332234322353223632237322383223932240322413224232243322443224532246322473224832249322503225132252322533225432255322563225732258322593226032261322623226332264322653226632267322683226932270322713227232273322743227532276322773227832279322803228132282322833228432285322863228732288322893229032291322923229332294322953229632297322983229932300323013230232303323043230532306323073230832309323103231132312323133231432315323163231732318323193232032321323223232332324323253232632327323283232932330323313233232333323343233532336323373233832339323403234132342323433234432345323463234732348323493235032351323523235332354323553235632357323583235932360323613236232363323643236532366323673236832369323703237132372323733237432375323763237732378323793238032381323823238332384323853238632387323883238932390323913239232393323943239532396323973239832399324003240132402324033240432405324063240732408324093241032411324123241332414324153241632417324183241932420324213242232423324243242532426324273242832429324303243132432324333243432435324363243732438324393244032441324423244332444324453244632447324483244932450324513245232453324543245532456324573245832459324603246132462324633246432465324663246732468324693247032471324723247332474324753247632477324783247932480324813248232483324843248532486324873248832489324903249132492324933249432495324963249732498324993250032501325023250332504325053250632507325083250932510325113251232513325143251532516325173251832519325203252132522325233252432525325263252732528325293253032531325323253332534325353253632537325383253932540325413254232543325443254532546325473254832549325503255132552325533255432555325563255732558325593256032561325623256332564325653256632567325683256932570325713257232573325743257532576325773257832579325803258132582325833258432585325863258732588325893259032591325923259332594325953259632597325983259932600326013260232603326043260532606326073260832609326103261132612326133261432615326163261732618326193262032621326223262332624326253262632627326283262932630326313263232633326343263532636326373263832639326403264132642326433264432645326463264732648326493265032651326523265332654326553265632657326583265932660326613266232663326643266532666326673266832669326703267132672326733267432675326763267732678326793268032681326823268332684326853268632687326883268932690326913269232693326943269532696326973269832699327003270132702327033270432705327063270732708327093271032711327123271332714327153271632717327183271932720327213272232723327243272532726327273272832729327303273132732327333273432735327363273732738327393274032741327423274332744327453274632747327483274932750327513275232753327543275532756327573275832759327603276132762327633276432765327663276732768327693277032771327723277332774327753277632777327783277932780327813278232783327843278532786327873278832789327903279132792327933279432795327963279732798327993280032801328023280332804328053280632807328083280932810328113281232813328143281532816328173281832819328203282132822328233282432825328263282732828328293283032831328323283332834328353283632837328383283932840328413284232843328443284532846328473284832849328503285132852328533285432855328563285732858328593286032861328623286332864328653286632867328683286932870328713287232873328743287532876328773287832879328803288132882328833288432885328863288732888328893289032891328923289332894328953289632897328983289932900329013290232903329043290532906329073290832909329103291132912329133291432915329163291732918329193292032921329223292332924329253292632927329283292932930329313293232933329343293532936329373293832939329403294132942329433294432945329463294732948329493295032951329523295332954329553295632957329583295932960329613296232963329643296532966329673296832969329703297132972329733297432975329763297732978329793298032981329823298332984329853298632987329883298932990329913299232993329943299532996329973299832999330003300133002330033300433005330063300733008330093301033011330123301333014330153301633017330183301933020330213302233023330243302533026330273302833029330303303133032330333303433035330363303733038330393304033041330423304333044330453304633047330483304933050330513305233053330543305533056330573305833059330603306133062330633306433065330663306733068330693307033071330723307333074330753307633077330783307933080330813308233083330843308533086330873308833089330903309133092330933309433095330963309733098330993310033101331023310333104331053310633107331083310933110331113311233113331143311533116331173311833119331203312133122331233312433125331263312733128331293313033131331323313333134331353313633137331383313933140331413314233143331443314533146331473314833149331503315133152331533315433155331563315733158331593316033161331623316333164331653316633167331683316933170331713317233173331743317533176331773317833179331803318133182331833318433185331863318733188331893319033191331923319333194331953319633197331983319933200332013320233203332043320533206332073320833209332103321133212332133321433215332163321733218332193322033221332223322333224332253322633227332283322933230332313323233233332343323533236332373323833239332403324133242332433324433245332463324733248332493325033251332523325333254332553325633257332583325933260332613326233263332643326533266332673326833269332703327133272332733327433275332763327733278332793328033281332823328333284332853328633287332883328933290332913329233293332943329533296332973329833299333003330133302333033330433305333063330733308333093331033311333123331333314333153331633317333183331933320333213332233323333243332533326333273332833329333303333133332333333333433335333363333733338333393334033341333423334333344333453334633347333483334933350333513335233353333543335533356333573335833359333603336133362333633336433365333663336733368333693337033371333723337333374333753337633377333783337933380333813338233383333843338533386333873338833389333903339133392333933339433395333963339733398333993340033401334023340333404334053340633407334083340933410334113341233413334143341533416334173341833419334203342133422334233342433425334263342733428334293343033431334323343333434334353343633437334383343933440334413344233443334443344533446334473344833449334503345133452334533345433455334563345733458334593346033461334623346333464334653346633467334683346933470334713347233473334743347533476334773347833479334803348133482334833348433485334863348733488334893349033491334923349333494334953349633497334983349933500335013350233503335043350533506335073350833509335103351133512335133351433515335163351733518335193352033521335223352333524335253352633527335283352933530335313353233533335343353533536335373353833539335403354133542335433354433545335463354733548335493355033551335523355333554335553355633557335583355933560335613356233563335643356533566335673356833569335703357133572335733357433575335763357733578335793358033581335823358333584335853358633587335883358933590335913359233593335943359533596335973359833599336003360133602336033360433605336063360733608336093361033611336123361333614336153361633617336183361933620336213362233623336243362533626336273362833629336303363133632336333363433635336363363733638336393364033641336423364333644336453364633647336483364933650336513365233653336543365533656336573365833659336603366133662336633366433665336663366733668336693367033671336723367333674336753367633677336783367933680336813368233683336843368533686336873368833689336903369133692336933369433695336963369733698336993370033701337023370333704337053370633707337083370933710337113371233713337143371533716337173371833719337203372133722337233372433725337263372733728337293373033731337323373333734337353373633737337383373933740337413374233743337443374533746337473374833749337503375133752337533375433755337563375733758337593376033761337623376333764337653376633767337683376933770337713377233773337743377533776337773377833779337803378133782337833378433785337863378733788337893379033791337923379333794337953379633797337983379933800338013380233803338043380533806338073380833809338103381133812338133381433815338163381733818338193382033821338223382333824338253382633827338283382933830338313383233833338343383533836338373383833839338403384133842338433384433845338463384733848338493385033851338523385333854338553385633857338583385933860338613386233863338643386533866338673386833869338703387133872338733387433875338763387733878338793388033881338823388333884338853388633887338883388933890338913389233893338943389533896338973389833899339003390133902339033390433905339063390733908339093391033911339123391333914339153391633917339183391933920339213392233923339243392533926339273392833929339303393133932339333393433935339363393733938339393394033941339423394333944339453394633947339483394933950339513395233953339543395533956339573395833959339603396133962339633396433965339663396733968339693397033971339723397333974339753397633977339783397933980339813398233983339843398533986339873398833989339903399133992339933399433995339963399733998339993400034001340023400334004340053400634007340083400934010340113401234013340143401534016340173401834019340203402134022340233402434025340263402734028340293403034031340323403334034340353403634037340383403934040340413404234043340443404534046340473404834049340503405134052340533405434055340563405734058340593406034061340623406334064340653406634067340683406934070340713407234073340743407534076340773407834079340803408134082340833408434085340863408734088340893409034091340923409334094340953409634097340983409934100341013410234103341043410534106341073410834109341103411134112341133411434115341163411734118341193412034121341223412334124341253412634127341283412934130341313413234133341343413534136341373413834139341403414134142341433414434145341463414734148341493415034151341523415334154341553415634157341583415934160341613416234163341643416534166341673416834169341703417134172341733417434175341763417734178341793418034181341823418334184341853418634187341883418934190341913419234193341943419534196341973419834199342003420134202342033420434205342063420734208342093421034211342123421334214342153421634217342183421934220342213422234223342243422534226342273422834229342303423134232342333423434235342363423734238342393424034241342423424334244342453424634247342483424934250342513425234253342543425534256342573425834259342603426134262342633426434265342663426734268342693427034271342723427334274342753427634277342783427934280342813428234283342843428534286342873428834289342903429134292342933429434295342963429734298342993430034301343023430334304343053430634307343083430934310343113431234313343143431534316343173431834319343203432134322343233432434325343263432734328343293433034331343323433334334343353433634337343383433934340343413434234343343443434534346343473434834349343503435134352343533435434355343563435734358343593436034361343623436334364343653436634367343683436934370343713437234373343743437534376343773437834379343803438134382343833438434385343863438734388343893439034391343923439334394343953439634397343983439934400344013440234403344043440534406344073440834409344103441134412344133441434415344163441734418344193442034421344223442334424344253442634427344283442934430344313443234433344343443534436344373443834439344403444134442344433444434445344463444734448344493445034451344523445334454344553445634457344583445934460344613446234463344643446534466344673446834469344703447134472344733447434475344763447734478344793448034481344823448334484344853448634487344883448934490344913449234493344943449534496344973449834499345003450134502345033450434505345063450734508345093451034511345123451334514345153451634517345183451934520345213452234523345243452534526345273452834529345303453134532345333453434535345363453734538345393454034541345423454334544345453454634547345483454934550345513455234553345543455534556345573455834559345603456134562345633456434565345663456734568345693457034571345723457334574345753457634577345783457934580345813458234583345843458534586345873458834589345903459134592345933459434595345963459734598345993460034601346023460334604346053460634607346083460934610346113461234613346143461534616346173461834619346203462134622346233462434625346263462734628346293463034631346323463334634346353463634637346383463934640346413464234643346443464534646346473464834649346503465134652346533465434655346563465734658346593466034661346623466334664346653466634667346683466934670346713467234673346743467534676346773467834679346803468134682346833468434685346863468734688346893469034691346923469334694346953469634697346983469934700347013470234703347043470534706347073470834709347103471134712347133471434715347163471734718347193472034721347223472334724347253472634727347283472934730347313473234733347343473534736347373473834739347403474134742347433474434745347463474734748347493475034751347523475334754347553475634757347583475934760347613476234763347643476534766347673476834769347703477134772347733477434775347763477734778347793478034781347823478334784347853478634787347883478934790347913479234793347943479534796347973479834799348003480134802348033480434805348063480734808348093481034811348123481334814348153481634817348183481934820348213482234823348243482534826348273482834829348303483134832348333483434835348363483734838348393484034841348423484334844348453484634847348483484934850348513485234853348543485534856348573485834859348603486134862348633486434865348663486734868348693487034871348723487334874348753487634877348783487934880348813488234883348843488534886348873488834889348903489134892348933489434895348963489734898348993490034901349023490334904349053490634907349083490934910349113491234913349143491534916349173491834919349203492134922349233492434925349263492734928349293493034931349323493334934349353493634937349383493934940349413494234943349443494534946349473494834949349503495134952349533495434955349563495734958349593496034961349623496334964349653496634967349683496934970349713497234973349743497534976349773497834979349803498134982349833498434985349863498734988349893499034991349923499334994349953499634997349983499935000350013500235003350043500535006350073500835009350103501135012350133501435015350163501735018350193502035021350223502335024350253502635027350283502935030350313503235033350343503535036350373503835039350403504135042350433504435045350463504735048350493505035051350523505335054350553505635057350583505935060350613506235063350643506535066350673506835069350703507135072350733507435075350763507735078350793508035081350823508335084350853508635087350883508935090350913509235093350943509535096350973509835099351003510135102351033510435105351063510735108351093511035111351123511335114351153511635117351183511935120351213512235123351243512535126351273512835129351303513135132351333513435135351363513735138351393514035141351423514335144351453514635147351483514935150351513515235153351543515535156351573515835159351603516135162351633516435165351663516735168351693517035171351723517335174351753517635177351783517935180351813518235183351843518535186351873518835189351903519135192351933519435195351963519735198351993520035201352023520335204352053520635207352083520935210352113521235213352143521535216352173521835219352203522135222352233522435225352263522735228352293523035231352323523335234352353523635237352383523935240352413524235243352443524535246352473524835249352503525135252352533525435255352563525735258352593526035261352623526335264352653526635267352683526935270352713527235273352743527535276352773527835279352803528135282352833528435285352863528735288352893529035291352923529335294352953529635297352983529935300353013530235303353043530535306353073530835309353103531135312353133531435315353163531735318353193532035321353223532335324353253532635327353283532935330353313533235333353343533535336353373533835339353403534135342353433534435345353463534735348353493535035351353523535335354353553535635357353583535935360353613536235363353643536535366353673536835369353703537135372353733537435375353763537735378353793538035381353823538335384353853538635387353883538935390353913539235393353943539535396353973539835399354003540135402354033540435405354063540735408354093541035411354123541335414354153541635417354183541935420354213542235423354243542535426354273542835429354303543135432354333543435435354363543735438354393544035441354423544335444354453544635447354483544935450354513545235453354543545535456354573545835459354603546135462354633546435465354663546735468354693547035471354723547335474354753547635477354783547935480354813548235483354843548535486354873548835489354903549135492354933549435495354963549735498354993550035501355023550335504355053550635507355083550935510355113551235513355143551535516355173551835519355203552135522355233552435525355263552735528355293553035531355323553335534355353553635537355383553935540355413554235543355443554535546355473554835549355503555135552355533555435555355563555735558355593556035561355623556335564355653556635567355683556935570355713557235573355743557535576355773557835579355803558135582355833558435585355863558735588355893559035591355923559335594355953559635597355983559935600356013560235603356043560535606356073560835609356103561135612356133561435615356163561735618356193562035621356223562335624356253562635627356283562935630356313563235633356343563535636356373563835639356403564135642356433564435645356463564735648356493565035651356523565335654356553565635657356583565935660356613566235663356643566535666356673566835669356703567135672356733567435675356763567735678356793568035681356823568335684356853568635687356883568935690356913569235693356943569535696356973569835699357003570135702357033570435705357063570735708357093571035711357123571335714357153571635717357183571935720357213572235723357243572535726357273572835729357303573135732357333573435735357363573735738357393574035741357423574335744357453574635747357483574935750357513575235753357543575535756357573575835759357603576135762357633576435765357663576735768357693577035771357723577335774357753577635777357783577935780357813578235783357843578535786357873578835789357903579135792357933579435795357963579735798357993580035801358023580335804358053580635807358083580935810358113581235813358143581535816358173581835819358203582135822358233582435825358263582735828358293583035831358323583335834358353583635837358383583935840358413584235843358443584535846358473584835849358503585135852358533585435855358563585735858358593586035861358623586335864358653586635867358683586935870358713587235873358743587535876358773587835879358803588135882358833588435885358863588735888358893589035891358923589335894358953589635897358983589935900359013590235903359043590535906359073590835909359103591135912359133591435915359163591735918359193592035921359223592335924359253592635927359283592935930359313593235933359343593535936359373593835939359403594135942359433594435945359463594735948359493595035951359523595335954359553595635957359583595935960359613596235963359643596535966359673596835969359703597135972359733597435975359763597735978359793598035981359823598335984359853598635987359883598935990359913599235993359943599535996359973599835999360003600136002360033600436005360063600736008360093601036011360123601336014360153601636017360183601936020360213602236023360243602536026360273602836029360303603136032360333603436035360363603736038360393604036041360423604336044360453604636047360483604936050360513605236053360543605536056360573605836059360603606136062360633606436065360663606736068360693607036071360723607336074360753607636077360783607936080360813608236083360843608536086360873608836089360903609136092360933609436095360963609736098360993610036101361023610336104361053610636107361083610936110361113611236113361143611536116361173611836119361203612136122361233612436125361263612736128361293613036131361323613336134361353613636137361383613936140361413614236143361443614536146361473614836149361503615136152361533615436155361563615736158361593616036161361623616336164361653616636167361683616936170361713617236173361743617536176361773617836179361803618136182361833618436185361863618736188361893619036191361923619336194361953619636197361983619936200362013620236203362043620536206362073620836209362103621136212362133621436215362163621736218362193622036221362223622336224362253622636227362283622936230362313623236233362343623536236362373623836239362403624136242362433624436245362463624736248362493625036251362523625336254362553625636257362583625936260362613626236263362643626536266362673626836269362703627136272362733627436275362763627736278362793628036281362823628336284362853628636287362883628936290362913629236293362943629536296362973629836299363003630136302363033630436305363063630736308363093631036311363123631336314363153631636317363183631936320363213632236323363243632536326363273632836329363303633136332363333633436335363363633736338363393634036341363423634336344363453634636347363483634936350363513635236353363543635536356363573635836359363603636136362363633636436365363663636736368363693637036371363723637336374363753637636377363783637936380363813638236383363843638536386363873638836389363903639136392363933639436395363963639736398363993640036401364023640336404364053640636407364083640936410364113641236413364143641536416364173641836419364203642136422364233642436425364263642736428364293643036431364323643336434364353643636437364383643936440364413644236443364443644536446364473644836449364503645136452364533645436455364563645736458364593646036461364623646336464364653646636467364683646936470364713647236473364743647536476364773647836479364803648136482364833648436485364863648736488364893649036491364923649336494364953649636497364983649936500365013650236503365043650536506365073650836509365103651136512365133651436515365163651736518365193652036521365223652336524365253652636527365283652936530365313653236533365343653536536365373653836539365403654136542365433654436545365463654736548365493655036551365523655336554365553655636557365583655936560365613656236563365643656536566365673656836569365703657136572365733657436575365763657736578365793658036581365823658336584365853658636587365883658936590365913659236593365943659536596365973659836599366003660136602366033660436605366063660736608366093661036611366123661336614366153661636617366183661936620366213662236623366243662536626366273662836629366303663136632366333663436635366363663736638366393664036641366423664336644366453664636647366483664936650366513665236653366543665536656366573665836659366603666136662366633666436665366663666736668366693667036671366723667336674366753667636677366783667936680366813668236683366843668536686366873668836689366903669136692366933669436695366963669736698366993670036701367023670336704367053670636707367083670936710367113671236713367143671536716367173671836719367203672136722367233672436725367263672736728367293673036731367323673336734367353673636737367383673936740367413674236743367443674536746367473674836749367503675136752367533675436755367563675736758367593676036761367623676336764367653676636767367683676936770367713677236773367743677536776367773677836779367803678136782367833678436785367863678736788367893679036791367923679336794367953679636797367983679936800368013680236803368043680536806368073680836809368103681136812368133681436815368163681736818368193682036821368223682336824368253682636827368283682936830368313683236833368343683536836368373683836839368403684136842368433684436845368463684736848368493685036851368523685336854368553685636857368583685936860368613686236863368643686536866368673686836869368703687136872368733687436875368763687736878368793688036881368823688336884368853688636887368883688936890368913689236893368943689536896368973689836899369003690136902369033690436905369063690736908369093691036911369123691336914369153691636917369183691936920369213692236923369243692536926369273692836929369303693136932369333693436935369363693736938369393694036941369423694336944369453694636947369483694936950369513695236953369543695536956369573695836959369603696136962369633696436965369663696736968369693697036971369723697336974369753697636977369783697936980369813698236983369843698536986369873698836989369903699136992369933699436995369963699736998369993700037001370023700337004370053700637007370083700937010370113701237013370143701537016370173701837019370203702137022370233702437025370263702737028370293703037031370323703337034370353703637037370383703937040370413704237043370443704537046370473704837049370503705137052370533705437055370563705737058370593706037061370623706337064370653706637067370683706937070370713707237073370743707537076370773707837079370803708137082370833708437085370863708737088370893709037091370923709337094370953709637097370983709937100371013710237103371043710537106371073710837109371103711137112371133711437115371163711737118371193712037121371223712337124371253712637127371283712937130371313713237133371343713537136371373713837139371403714137142371433714437145371463714737148371493715037151371523715337154371553715637157371583715937160371613716237163371643716537166371673716837169371703717137172371733717437175371763717737178371793718037181371823718337184371853718637187371883718937190371913719237193371943719537196371973719837199372003720137202372033720437205372063720737208372093721037211372123721337214372153721637217372183721937220372213722237223372243722537226372273722837229372303723137232372333723437235372363723737238372393724037241372423724337244372453724637247372483724937250372513725237253372543725537256372573725837259372603726137262372633726437265372663726737268372693727037271372723727337274372753727637277372783727937280372813728237283372843728537286372873728837289372903729137292372933729437295372963729737298372993730037301373023730337304373053730637307373083730937310373113731237313373143731537316373173731837319373203732137322373233732437325373263732737328373293733037331373323733337334373353733637337373383733937340373413734237343373443734537346373473734837349373503735137352373533735437355373563735737358373593736037361373623736337364373653736637367373683736937370373713737237373373743737537376373773737837379373803738137382373833738437385373863738737388373893739037391373923739337394373953739637397373983739937400374013740237403374043740537406374073740837409374103741137412374133741437415374163741737418374193742037421374223742337424374253742637427374283742937430374313743237433374343743537436374373743837439374403744137442374433744437445374463744737448374493745037451374523745337454374553745637457374583745937460374613746237463374643746537466374673746837469374703747137472374733747437475374763747737478374793748037481374823748337484374853748637487374883748937490374913749237493374943749537496374973749837499375003750137502375033750437505375063750737508375093751037511375123751337514375153751637517375183751937520375213752237523375243752537526375273752837529375303753137532375333753437535375363753737538375393754037541375423754337544375453754637547375483754937550375513755237553375543755537556375573755837559375603756137562375633756437565375663756737568375693757037571375723757337574375753757637577375783757937580375813758237583375843758537586375873758837589375903759137592375933759437595375963759737598375993760037601376023760337604376053760637607376083760937610376113761237613376143761537616376173761837619376203762137622376233762437625376263762737628376293763037631376323763337634376353763637637376383763937640376413764237643376443764537646376473764837649376503765137652376533765437655376563765737658376593766037661376623766337664376653766637667376683766937670376713767237673376743767537676376773767837679376803768137682376833768437685376863768737688376893769037691376923769337694376953769637697376983769937700377013770237703377043770537706377073770837709377103771137712377133771437715377163771737718377193772037721377223772337724377253772637727377283772937730377313773237733377343773537736377373773837739377403774137742377433774437745377463774737748377493775037751377523775337754377553775637757377583775937760 |
- /* internal.c
- *
- * Copyright (C) 2006-2023 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
- #include <wolfssl/wolfcrypt/settings.h>
- /*
- * WOLFSSL_SMALL_CERT_VERIFY:
- * Verify the certificate signature without using DecodedCert. Doubles up
- * on some code but allows smaller peak heap memory usage.
- * Cannot be used with WOLFSSL_NONBLOCK_OCSP.
- * WOLFSSL_ALT_CERT_CHAINS:
- * Allows CA's to be presented by peer, but not part of a valid chain.
- * Default wolfSSL behavior is to require validation of all presented peer
- * certificates. This also allows loading intermediate CA's as trusted
- * and ignoring no signer failures for CA's up the chain to root.
- * WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT:
- * Enable resending the previous DTLS handshake flight only on a network
- * read timeout. By default we resend in two more cases, when we receive:
- * - an out of order last msg of the peer's flight
- * - a duplicate of the first msg from the peer's flight
- * WOLFSSL_NO_DEF_TICKET_ENC_CB:
- * No default ticket encryption callback.
- * Server only.
- * Application must set its own callback to use session tickets.
- * WOLFSSL_TICKET_ENC_CHACHA20_POLY1305
- * Use ChaCha20-Poly1305 to encrypt/decrypt session tickets in default
- * callback. Default algorithm if none defined and algorithms compiled in.
- * Server only.
- * WOLFSSL_TICKET_ENC_AES128_GCM
- * Use AES128-GCM to encrypt/decrypt session tickets in default callback.
- * Server only. Default algorithm if ChaCha20/Poly1305 not compiled in.
- * WOLFSSL_TICKET_ENC_AES256_GCM
- * Use AES256-GCM to encrypt/decrypt session tickets in default callback.
- * Server only.
- * WOLFSSL_TICKET_DECRYPT_NO_CREATE
- * Default callback will not request creation of new ticket on successful
- * decryption.
- * Server only.
- * WOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE
- * Once a normal TLS 1.3 handshake is complete, a session ticket message
- * may be received by a client. To support detecting this, peek will
- * return WOLFSSL_ERROR_WANT_READ.
- * This define turns off this behaviour.
- * WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
- * Verify hostname/ip address using alternate name (SAN) only and do not
- * use the common name. Forces use of the alternate name, so certificates
- * missing SAN will be rejected during the handshake
- * WOLFSSL_CHECK_SIG_FAULTS
- * Verifies the ECC signature after signing in case of faults in the
- * calculation of the signature. Useful when signature fault injection is a
- * possible attack.
- * WOLFSSL_TLS13_IGNORE_AEAD_LIMITS
- * Ignore the AEAD limits for messages specified in the RFC. After
- * reaching the limit, we initiate a key update. We enforce the AEAD limits
- * by default.
- * https://www.rfc-editor.org/rfc/rfc8446#section-5.5
- * https://www.rfc-editor.org/rfc/rfc9147.html#name-aead-limits
- * WOLFSSL_HARDEN_TLS
- * Implement the recommendations specified in RFC9325. This macro needs to
- * be defined to the desired number of bits of security. The currently
- * implemented values are 112 and 128 bits. The following macros disable
- * certain checks.
- * - WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC
- * - WOLFSSL_HARDEN_TLS_ALLOW_OLD_TLS
- * - WOLFSSL_HARDEN_TLS_NO_SCR_CHECK
- * - WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK
- * - WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES
- */
- #ifdef EXTERNAL_OPTS_OPENVPN
- #error EXTERNAL_OPTS_OPENVPN should not be defined\
- when building wolfSSL
- #endif
- #ifndef WOLFCRYPT_ONLY
- #include <wolfssl/internal.h>
- #include <wolfssl/error-ssl.h>
- #include <wolfssl/wolfcrypt/asn.h>
- #include <wolfssl/wolfcrypt/dh.h>
- #ifdef NO_INLINE
- #include <wolfssl/wolfcrypt/misc.h>
- #else
- #define WOLFSSL_MISC_INCLUDED
- #include <wolfcrypt/src/misc.c>
- #endif
- #if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) && !defined(NO_SHA)
- #include <wolfssl/wolfcrypt/srp.h>
- #endif
- #if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK)
- #include <wolfssl/wolfcrypt/coding.h>
- #endif
- #ifdef HAVE_LIBZ
- #include "zlib.h"
- #endif
- #ifdef WOLFSSL_QNX_CAAM
- /* included to get CAAM devId value */
- #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
- #endif
- #if defined(DEBUG_WOLFSSL) || defined(SHOW_SECRETS) || \
- defined(CHACHA_AEAD_TEST) || defined(WOLFSSL_SESSION_EXPORT_DEBUG)
- #ifndef NO_STDIO_FILESYSTEM
- #ifdef FUSION_RTOS
- #include <fclstdio.h>
- #else
- #include <stdio.h>
- #endif
- #endif
- #endif
- #ifdef __sun
- #include <sys/filio.h>
- #endif
- #define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
- #ifdef _MSC_VER
- /* disable for while(0) cases at the .c level for now */
- #pragma warning(disable:4127)
- #endif
- #if defined(WOLFSSL_CALLBACKS) && !defined(LARGE_STATIC_BUFFERS)
- #error \
- WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
- #endif
- #if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_RENEGOTIATION_INDICATION)
- #error Cannot use both secure-renegotiation and renegotiation-indication
- #endif
- #ifndef WOLFSSL_NO_TLS12
- #ifndef NO_WOLFSSL_CLIENT
- static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
- word32* inOutIdx, word32 size);
- #ifndef NO_CERTS
- static int DoCertificateRequest(WOLFSSL* ssl, const byte* input,
- word32* inOutIdx, word32 size);
- #endif
- #ifdef HAVE_SESSION_TICKET
- static int DoSessionTicket(WOLFSSL* ssl, const byte* input,
- word32* inOutIdx, word32 size);
- #endif
- #endif
- #ifndef NO_WOLFSSL_SERVER
- static int DoClientKeyExchange(WOLFSSL* ssl, byte* input,
- word32* inOutIdx, word32 size);
- #if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
- defined(HAVE_ED448)) && !defined(WOLFSSL_NO_CLIENT_AUTH)
- static int DoCertificateVerify(WOLFSSL* ssl, byte* input,
- word32* inOutIdx, word32 size);
- #endif
- #endif /* !NO_WOLFSSL_SERVER */
- #endif /* !WOLFSSL_NO_TLS12 */
- #ifndef NO_WOLFSSL_SERVER
- #if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
- static int TicketEncCbCtx_Init(WOLFSSL_CTX* ctx,
- TicketEncCbCtx* keyCtx);
- static void TicketEncCbCtx_Free(TicketEncCbCtx* keyCtx);
- static int DefTicketEncCb(WOLFSSL* ssl,
- byte key_name[WOLFSSL_TICKET_NAME_SZ],
- byte iv[WOLFSSL_TICKET_IV_SZ],
- byte mac[WOLFSSL_TICKET_MAC_SZ],
- int enc, byte* ticket, int inLen, int* outLen,
- void* userCtx);
- #endif
- #endif
- #ifdef WOLFSSL_DTLS
- static int _DtlsCheckWindow(WOLFSSL* ssl);
- static int _DtlsUpdateWindow(WOLFSSL* ssl);
- #endif
- #ifdef WOLFSSL_DTLS13
- #ifndef WOLFSSL_DTLS13_SEND_MOREACK_DEFAULT
- #define WOLFSSL_DTLS13_SEND_MOREACK_DEFAULT 0
- #endif
- #endif /* WOLFSSL_DTLS13 */
- enum processReply {
- doProcessInit = 0,
- #ifndef NO_WOLFSSL_SERVER
- runProcessOldClientHello,
- #endif
- getRecordLayerHeader,
- getData,
- verifyEncryptedMessage,
- decryptMessage,
- verifyMessage,
- runProcessingOneRecord,
- runProcessingOneMessage
- };
- #ifndef WOLFSSL_NO_TLS12
- #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
- /* Server random bytes for TLS v1.3 described downgrade protection mechanism. */
- static const byte tls13Downgrade[7] = {
- 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44
- };
- #define TLS13_DOWNGRADE_SZ sizeof(tls13Downgrade)
- #endif /* !NO_WOLFSSL_SERVER || !NO_WOLFSSL_CLIENT */
- #if !defined(NO_OLD_TLS) && !defined(WOLFSSL_AEAD_ONLY)
- static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
- int padLen, int content, int verify, int epochOrder);
- #endif
- #endif /* !WOLFSSL_NO_TLS12 */
- #if defined(WOLFSSL_RENESAS_SCEPROTECT) || defined(WOLFSSL_RENESAS_TSIP_TLS)
- #include <wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h>
- #endif
- #if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK)
- static int SessionSecret_callback(WOLFSSL* ssl, void* secret,
- int* secretSz, void* ctx);
- #ifdef WOLFSSL_TLS13
- static int SessionSecret_callback_Tls13(WOLFSSL* ssl, int id,
- const unsigned char* secret, int secretSz, void* ctx);
- #endif
- /* Label string for client random. */
- #define SSC_CR "CLIENT_RANDOM"
- /*
- * This function builds up string for key-logging then call user's
- * key-log-callback to pass the string for TLS1.2 and older.
- * The user's key-logging callback has been set via
- * wolfSSL_CTX_set_keylog_callback function. The logging string format is:
- * "CLIENT_RANDOM <hex-encoded client random> <hex-encoded master-secret>"
- * parameter
- * - ssl: WOLFSSL object
- * - secret: pointer to the buffer holding master-secret
- * - secretSz: size of secret
- * - ctx: not used
- * returns 0 on success, negative value on failure.
- */
- static int SessionSecret_callback(WOLFSSL* ssl, void* secret,
- int* secretSz, void* ctx)
- {
- wolfSSL_CTX_keylog_cb_func logCb = NULL;
- int msSz;
- int hasVal;
- int i;
- const char* label = SSC_CR;
- int labelSz = sizeof(SSC_CR);
- int buffSz;
- byte* log = NULL;
- word32 outSz;
- int idx;
- int ret;
- (void)ctx;
- if (ssl == NULL || secret == NULL || *secretSz == 0)
- return BAD_FUNC_ARG;
- if (ssl->arrays == NULL)
- return BAD_FUNC_ARG;
- /* get the user-callback func from CTX*/
- logCb = ssl->ctx->keyLogCb;
- if (logCb == NULL)
- return 0;
- /* need to make sure the given master-secret has a meaningful value */
- msSz = *secretSz;
- hasVal = 0;
- for (i = 0; i < msSz; i++) {
- if (*((byte*)secret) != 0) {
- hasVal = 1;
- break;
- }
- }
- if (hasVal == 0)
- return 0; /* master-secret looks invalid */
- /* build up a hex-decoded keylog string
- "CLIENT_RANDOM <hex-encoded client random> <hex-encoded master-secret>"
- note that each keylog string does not have CR/LF.
- */
- buffSz = labelSz + (RAN_LEN * 2) + 1 + ((*secretSz) * 2) + 1;
- log = XMALLOC(buffSz, ssl->heap, DYNAMIC_TYPE_SECRET);
- if (log == NULL)
- return MEMORY_E;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("SessionSecret log", log, buffSz);
- #endif
- XMEMSET(log, 0, buffSz);
- XMEMCPY(log, label, labelSz -1); /* put label w/o terminator */
- log[labelSz - 1] = ' '; /* '\0' -> ' ' */
- idx = labelSz;
- outSz = buffSz - idx;
- if ((ret = Base16_Encode(ssl->arrays->clientRandom, RAN_LEN,
- log + idx, &outSz)) == 0) {
- idx += (outSz - 1); /* reduce terminator byte */
- outSz = buffSz - idx;
- if (outSz > 1) {
- log[idx++] = ' '; /* add space*/
- outSz = buffSz - idx;
- if ((ret = Base16_Encode((byte*)secret, *secretSz,
- log + idx, &outSz)) == 0) {
- /* pass the log to the client callback*/
- logCb(ssl, (char*)log);
- ret = 0;
- }
- }
- else
- ret = MEMORY_E;
- }
- /* Zero out Base16 encoded secret and other data. */
- ForceZero(log, buffSz);
- XFREE(log, ssl->heap, DYNAMIC_TYPE_SECRET);
- return ret;
- }
- #if defined(WOLFSSL_TLS13)
- /* Label string for client early traffic secret. */
- #define SSC_TLS13_CETS "CLIENT_EARLY_TRAFFIC_SECRET"
- /* Label string for client handshake traffic secret. */
- #define SSC_TLS13_CHTS "CLIENT_HANDSHAKE_TRAFFIC_SECRET"
- /* Label string for server handshake traffic secret. */
- #define SSC_TLS13_SHTS "SERVER_HANDSHAKE_TRAFFIC_SECRET"
- /* Label string for client traffic secret. */
- #define SSC_TLS13_CTS "CLIENT_TRAFFIC_SECRET_0"
- /* Label string for server traffic secret. */
- #define SSC_TLS13_STS "SERVER_TRAFFIC_SECRET_0"
- /* Label string for early exporter secret. */
- #define SSC_TLS13_EES "EARLY_EXPORTER_SECRET"
- /* Label string for exporter secret. */
- #define SSC_TLS13_ES "EXPORTER_SECRET"
- /*
- * This function builds up string for key-logging then call user's
- * key-log-callback to pass the string for TLS1.3.
- * The user's key-logging callback has been set via
- * wolfSSL_CTX_set_keylog_callback function. The logging string format is:
- * "<Label> <hex-encoded client random> <hex-encoded secret>"
- *
- * parameter
- * - ssl: WOLFSSL object
- * - id: type of secret for logging
- * - secret: pointer to the buffer holding secret
- * - secretSz: size of secret
- * - ctx: not used
- * returns 0 on success, negative value on failure.
- */
- static int SessionSecret_callback_Tls13(WOLFSSL* ssl, int id,
- const unsigned char* secret, int secretSz, void* ctx)
- {
- wolfSSL_CTX_keylog_cb_func logCb = NULL;
- const char* label;
- int labelSz = 0;
- int buffSz = 0;
- byte* log = NULL;
- word32 outSz;
- int idx;
- int ret;
- (void)ctx;
- if (ssl == NULL || secret == NULL || secretSz == 0)
- return BAD_FUNC_ARG;
- if (ssl->arrays == NULL)
- return BAD_FUNC_ARG;
- /* get the user-callback func from CTX*/
- logCb = ssl->ctx->keyLogCb;
- if (logCb == NULL)
- return 0;
- switch (id) {
- case CLIENT_EARLY_TRAFFIC_SECRET:
- labelSz = sizeof(SSC_TLS13_CETS);
- label = SSC_TLS13_CETS;
- break;
- case CLIENT_HANDSHAKE_TRAFFIC_SECRET:
- labelSz = sizeof(SSC_TLS13_CHTS);
- label = SSC_TLS13_CHTS;
- break;
- case SERVER_HANDSHAKE_TRAFFIC_SECRET:
- labelSz = sizeof(SSC_TLS13_SHTS);
- label = SSC_TLS13_SHTS;
- break;
- case CLIENT_TRAFFIC_SECRET:
- labelSz = sizeof(SSC_TLS13_CTS);
- label = SSC_TLS13_CTS;
- break;
- case SERVER_TRAFFIC_SECRET:
- labelSz = sizeof(SSC_TLS13_STS);
- label = SSC_TLS13_STS;
- break;
- case EARLY_EXPORTER_SECRET:
- labelSz = sizeof(SSC_TLS13_EES);
- label = SSC_TLS13_EES;
- break;
- case EXPORTER_SECRET:
- labelSz = sizeof(SSC_TLS13_ES);
- label = SSC_TLS13_ES;
- break;
- default:
- return BAD_FUNC_ARG;
- }
- /* prepare a log string for passing user callback
- * "<Label> <hex-encoded client random> <hex-encoded secret>" */
- buffSz = labelSz + (RAN_LEN * 2) + 1 + secretSz * 2 + 1;
- log = XMALLOC(buffSz, ssl->heap, DYNAMIC_TYPE_SECRET);
- if (log == NULL)
- return MEMORY_E;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("SessionSecret log", log, buffSz);
- #endif
- XMEMSET(log, 0, buffSz);
- XMEMCPY(log, label, labelSz - 1); /* put label w/o terminator */
- log[labelSz - 1] = ' '; /* '\0' -> ' ' */
- idx = labelSz;
- outSz = buffSz - idx;
- if ((ret = Base16_Encode(ssl->arrays->clientRandom, RAN_LEN,
- log + idx, &outSz)) == 0) {
- idx += (outSz - 1); /* reduce terminator byte */
- outSz = buffSz - idx;
- if (outSz >1) {
- log[idx++] = ' '; /* add space*/
- outSz = buffSz - idx;
- if ((ret = Base16_Encode((byte*)secret, secretSz,
- log + idx, &outSz)) == 0) {
- logCb(ssl, (char*)log);
- ret = 0;
- }
- }
- else
- ret = MEMORY_E;
- }
- /* Zero out Base16 encoded secret and other data. */
- ForceZero(log, buffSz);
- XFREE(log, ssl->heap, DYNAMIC_TYPE_SECRET);
- return ret;
- }
- #endif /* WOLFSSL_TLS13*/
- #endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK*/
- int IsTLS(const WOLFSSL* ssl)
- {
- if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_MINOR)
- return 1;
- return 0;
- }
- int IsAtLeastTLSv1_2(const WOLFSSL* ssl)
- {
- if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_2_MINOR)
- return 1;
- #ifdef WOLFSSL_DTLS
- if (ssl->version.major == DTLS_MAJOR && ssl->version.minor <= DTLSv1_2_MINOR)
- return 1;
- #endif
- return 0;
- }
- int IsAtLeastTLSv1_3(const ProtocolVersion pv)
- {
- int ret;
- ret = (pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_3_MINOR);
- #ifdef WOLFSSL_DTLS13
- if (ret == 0 && pv.major == DTLS_MAJOR && pv.minor <= DTLSv1_3_MINOR)
- return 1;
- #endif
- return ret;
- }
- int IsEncryptionOn(WOLFSSL* ssl, int isSend)
- {
- #ifdef WOLFSSL_DTLS
- /* For DTLS, epoch 0 is always not encrypted. */
- if (ssl->options.dtls && !isSend) {
- if (!IsAtLeastTLSv1_3(ssl->version) && ssl->keys.curEpoch == 0)
- return 0;
- #ifdef WOLFSSL_DTLS13
- else if (IsAtLeastTLSv1_3(ssl->version)
- && w64IsZero(ssl->keys.curEpoch64))
- return 0;
- #endif /* WOLFSSL_DTLS13 */
- }
- #endif /* WOLFSSL_DTLS */
- #ifdef WOLFSSL_QUIC
- if (WOLFSSL_IS_QUIC(ssl) && IsAtLeastTLSv1_3(ssl->version)) {
- return 0;
- }
- #endif
- return ssl->keys.encryptionOn &&
- (isSend ? ssl->encrypt.setup : ssl->decrypt.setup);
- }
- #ifdef WOLFSSL_DTLS
- /* Stream Control Transmission Protocol */
- /* If SCTP is not enabled returns the state of the dtls option.
- * If SCTP is enabled returns dtls && !sctp. */
- int IsDtlsNotSctpMode(WOLFSSL* ssl)
- {
- #ifdef WOLFSSL_SCTP
- return ssl->options.dtls && !ssl->options.dtlsSctp;
- #else
- return ssl->options.dtls;
- #endif
- }
- #if !defined(WOLFSSL_NO_TLS12) && !defined(NO_WOLFSSL_SERVER)
- /* Secure Real-time Transport Protocol */
- /* If SRTP is not enabled returns the state of the dtls option.
- * If SRTP is enabled returns dtls && !dtlsSrtpProfiles. */
- int IsDtlsNotSrtpMode(WOLFSSL* ssl)
- {
- #ifdef WOLFSSL_SRTP
- return ssl->options.dtls && !ssl->dtlsSrtpProfiles;
- #else
- return ssl->options.dtls;
- #endif
- }
- #endif /* !WOLFSSL_NO_TLS12 && !NO_WOLFSSL_SERVER */
- #endif /* WOLFSSL_DTLS */
- #ifdef HAVE_LIBZ
- /* alloc user allocs to work with zlib */
- static void* myAlloc(void* opaque, unsigned int item, unsigned int size)
- {
- (void)opaque;
- return (void *)XMALLOC(item * size, opaque, DYNAMIC_TYPE_LIBZ);
- }
- static void myFree(void* opaque, void* memory)
- {
- (void)opaque;
- XFREE(memory, opaque, DYNAMIC_TYPE_LIBZ);
- }
- /* init zlib comp/decomp streams, 0 on success */
- static int InitStreams(WOLFSSL* ssl)
- {
- ssl->c_stream.zalloc = (alloc_func)myAlloc;
- ssl->c_stream.zfree = (free_func)myFree;
- ssl->c_stream.opaque = (voidpf)ssl->heap;
- if (deflateInit(&ssl->c_stream, Z_DEFAULT_COMPRESSION) != Z_OK)
- return ZLIB_INIT_ERROR;
- ssl->didStreamInit = 1;
- ssl->d_stream.zalloc = (alloc_func)myAlloc;
- ssl->d_stream.zfree = (free_func)myFree;
- ssl->d_stream.opaque = (voidpf)ssl->heap;
- if (inflateInit(&ssl->d_stream) != Z_OK) return ZLIB_INIT_ERROR;
- return 0;
- }
- static void FreeStreams(WOLFSSL* ssl)
- {
- if (ssl->didStreamInit) {
- deflateEnd(&ssl->c_stream);
- inflateEnd(&ssl->d_stream);
- }
- }
- /* compress in to out, return out size or error */
- static int myCompress(WOLFSSL* ssl, byte* in, int inSz, byte* out, int outSz)
- {
- int err;
- int currTotal = (int)ssl->c_stream.total_out;
- ssl->c_stream.next_in = in;
- ssl->c_stream.avail_in = inSz;
- ssl->c_stream.next_out = out;
- ssl->c_stream.avail_out = outSz;
- err = deflate(&ssl->c_stream, Z_SYNC_FLUSH);
- if (err != Z_OK && err != Z_STREAM_END) return ZLIB_COMPRESS_ERROR;
- return (int)ssl->c_stream.total_out - currTotal;
- }
- /* decompress in to out, return out size or error */
- static int myDeCompress(WOLFSSL* ssl, byte* in,int inSz, byte* out,int outSz)
- {
- int err;
- int currTotal = (int)ssl->d_stream.total_out;
- ssl->d_stream.next_in = in;
- ssl->d_stream.avail_in = inSz;
- ssl->d_stream.next_out = out;
- ssl->d_stream.avail_out = outSz;
- err = inflate(&ssl->d_stream, Z_SYNC_FLUSH);
- if (err != Z_OK && err != Z_STREAM_END) return ZLIB_DECOMPRESS_ERROR;
- return (int)ssl->d_stream.total_out - currTotal;
- }
- #endif /* HAVE_LIBZ */
- #ifdef WOLFSSL_SESSION_EXPORT
- /**
- * serializes the cipher specs struct for exporting
- * @return the amount written to 'exp' buffer
- */
- static int ExportCipherSpecState(WOLFSSL* ssl, byte* exp, word32 len, byte ver,
- int type)
- {
- word32 idx = 0;
- CipherSpecs* specs;
- WOLFSSL_ENTER("ExportCipherSpecState");
- if (exp == NULL || ssl == NULL) {
- return BAD_FUNC_ARG;
- }
- specs = &ssl->specs;
- if (WOLFSSL_EXPORT_SPC_SZ > len) {
- return BUFFER_E;
- }
- XMEMSET(exp, 0, WOLFSSL_EXPORT_SPC_SZ);
- c16toa(specs->key_size, exp + idx); idx += OPAQUE16_LEN;
- c16toa(specs->iv_size, exp + idx); idx += OPAQUE16_LEN;
- c16toa(specs->block_size, exp + idx); idx += OPAQUE16_LEN;
- c16toa(specs->aead_mac_size, exp + idx); idx += OPAQUE16_LEN;
- exp[idx++] = specs->bulk_cipher_algorithm;
- exp[idx++] = specs->cipher_type;
- exp[idx++] = specs->mac_algorithm;
- exp[idx++] = specs->kea;
- exp[idx++] = specs->sig_algo;
- exp[idx++] = specs->hash_size;
- exp[idx++] = specs->pad_size;
- exp[idx++] = specs->static_ecdh;
- if (idx != WOLFSSL_EXPORT_SPC_SZ) {
- WOLFSSL_MSG("WOLFSSL_EXPORT_SPC_SZ needs updated and export version");
- return DTLS_EXPORT_VER_E;
- }
- /* send over state of AES too */
- if (type == WOLFSSL_EXPORT_TLS &&
- ssl->specs.bulk_cipher_algorithm == wolfssl_aes) {
- byte *pt = (byte*)ssl->encrypt.aes->reg;
- if ((idx + 2*AES_BLOCK_SIZE) > len) {
- WOLFSSL_MSG("Can not fit AES state into buffer");
- return BUFFER_E;
- }
- XMEMCPY(exp + idx, pt, AES_BLOCK_SIZE);
- idx += AES_BLOCK_SIZE;
- pt = (byte*)ssl->decrypt.aes->reg;
- XMEMCPY(exp + idx, pt, AES_BLOCK_SIZE);
- idx += AES_BLOCK_SIZE;
- }
- WOLFSSL_LEAVE("ExportCipherSpecState", idx);
- (void)ver;
- return idx;
- }
- /* serializes the key struct for exporting */
- static int ExportKeyState(WOLFSSL* ssl, byte* exp, word32 len, byte ver,
- byte small, int type)
- {
- word32 idx = 0;
- byte sz;
- Keys* keys;
- WOLFSSL_ENTER("ExportKeyState");
- if (exp == NULL || ssl == NULL) {
- return BAD_FUNC_ARG;
- }
- keys = &(ssl->keys);
- if (DTLS_EXPORT_MIN_KEY_SZ > len) {
- WOLFSSL_MSG("Buffer not large enough for minimum key struct size");
- return BUFFER_E;
- }
- XMEMSET(exp, 0, DTLS_EXPORT_MIN_KEY_SZ);
- c32toa(keys->peer_sequence_number_hi, exp + idx); idx += OPAQUE32_LEN;
- c32toa(keys->peer_sequence_number_lo, exp + idx); idx += OPAQUE32_LEN;
- c32toa(keys->sequence_number_hi, exp + idx); idx += OPAQUE32_LEN;
- c32toa(keys->sequence_number_lo, exp + idx); idx += OPAQUE32_LEN;
- #if defined(WOLFSSL_DTLS)
- if (type == WOLFSSL_EXPORT_DTLS) {
- c16toa(keys->peerSeq[0].nextEpoch, exp + idx); idx += OPAQUE16_LEN;
- c16toa(keys->peerSeq[0].nextSeq_hi, exp + idx); idx += OPAQUE16_LEN;
- c32toa(keys->peerSeq[0].nextSeq_lo, exp + idx); idx += OPAQUE32_LEN;
- c16toa(keys->curEpoch, exp + idx); idx += OPAQUE16_LEN;
- c16toa(keys->curSeq_hi, exp + idx); idx += OPAQUE16_LEN;
- c32toa(keys->curSeq_lo, exp + idx); idx += OPAQUE32_LEN;
- c16toa(keys->peerSeq[0].prevSeq_hi, exp + idx); idx += OPAQUE16_LEN;
- c32toa(keys->peerSeq[0].prevSeq_lo, exp + idx); idx += OPAQUE32_LEN;
- c16toa(keys->dtls_peer_handshake_number, exp + idx);
- idx += OPAQUE16_LEN;
- c16toa(keys->dtls_expected_peer_handshake_number, exp + idx);
- idx += OPAQUE16_LEN;
- c16toa(keys->dtls_sequence_number_hi, exp + idx); idx += OPAQUE16_LEN;
- c32toa(keys->dtls_sequence_number_lo, exp + idx); idx += OPAQUE32_LEN;
- c16toa(keys->dtls_prev_sequence_number_hi, exp + idx);
- idx += OPAQUE16_LEN;
- c32toa(keys->dtls_prev_sequence_number_lo, exp + idx);
- idx += OPAQUE32_LEN;
- c16toa(keys->dtls_epoch, exp + idx); idx += OPAQUE16_LEN;
- c16toa(keys->dtls_handshake_number, exp + idx); idx += OPAQUE16_LEN;
- }
- #endif
- c32toa(keys->encryptSz, exp + idx); idx += OPAQUE32_LEN;
- c32toa(keys->padSz, exp + idx); idx += OPAQUE32_LEN;
- exp[idx++] = keys->encryptionOn;
- exp[idx++] = keys->decryptedCur;
- /* from here on the buffer needs checked because is variable length that
- * can be larger than DTLS_EXPORT_MIN_KEY_SZ */
- #ifdef WOLFSSL_DTLS
- if (type == WOLFSSL_EXPORT_DTLS) {
- word32 i;
- if ((OPAQUE16_LEN * 2) + idx +
- (2 * (WOLFSSL_DTLS_WINDOW_WORDS * OPAQUE32_LEN)) > len) {
- WOLFSSL_MSG("Buffer not large enough for WOLFSSL_DTLS_WINDOW_WORDS");
- return BUFFER_E;
- }
- c16toa(WOLFSSL_DTLS_WINDOW_WORDS, exp + idx); idx += OPAQUE16_LEN;
- for (i = 0; i < WOLFSSL_DTLS_WINDOW_WORDS; i++) {
- c32toa(keys->peerSeq[0].window[i], exp + idx);
- idx += OPAQUE32_LEN;
- }
- c16toa(WOLFSSL_DTLS_WINDOW_WORDS, exp + idx); idx += OPAQUE16_LEN;
- for (i = 0; i < WOLFSSL_DTLS_WINDOW_WORDS; i++) {
- c32toa(keys->peerSeq[0].prevWindow[i], exp + idx);
- idx += OPAQUE32_LEN;
- }
- }
- #endif
- if (idx >= len) {
- WOLFSSL_MSG("Buffer not large enough for truncated hmac flag");
- return BUFFER_E;
- }
- #ifdef HAVE_TRUNCATED_HMAC
- sz = ssl->truncated_hmac ? TRUNCATED_HMAC_SZ: ssl->specs.hash_size;
- exp[idx++] = ssl->truncated_hmac;
- #else
- sz = ssl->specs.hash_size;
- exp[idx++] = 0; /* no truncated hmac */
- #endif
- sz = (small)? 0: sz;
- if (idx + (sz * 2) + OPAQUE8_LEN > len) {
- WOLFSSL_MSG("Buffer not large enough for MAC secret");
- return BUFFER_E;
- }
- exp[idx++] = sz;
- if (sz > 0) {
- #ifndef WOLFSSL_AEAD_ONLY
- XMEMCPY(exp + idx, keys->client_write_MAC_secret, sz); idx += sz;
- XMEMCPY(exp + idx, keys->server_write_MAC_secret, sz); idx += sz;
- #else
- XMEMSET(exp + idx, 0, sz); idx += sz;
- XMEMSET(exp + idx, 0, sz); idx += sz;
- #endif
- }
- sz = (small)? 0: ssl->specs.key_size;
- if (idx + (sz * 2) + OPAQUE8_LEN > len) {
- WOLFSSL_MSG("Buffer not large enough for write key");
- return BUFFER_E;
- }
- exp[idx++] = sz;
- if (sz > 0) {
- XMEMCPY(exp + idx, keys->client_write_key, sz); idx += sz;
- XMEMCPY(exp + idx, keys->server_write_key, sz); idx += sz;
- }
- sz = (small)? 0: ssl->specs.iv_size;
- if (idx + (sz * 2) + OPAQUE8_LEN + AEAD_MAX_EXP_SZ > len) {
- WOLFSSL_MSG("Buffer not large enough for IVs");
- return BUFFER_E;
- }
- exp[idx++] = sz;
- if (sz > 0) {
- XMEMCPY(exp + idx, keys->client_write_IV, sz); idx += sz;
- XMEMCPY(exp + idx, keys->server_write_IV, sz); idx += sz;
- }
- XMEMCPY(exp + idx, keys->aead_exp_IV, AEAD_MAX_EXP_SZ);
- idx += AEAD_MAX_EXP_SZ;
- sz = (small)? 0: AEAD_MAX_IMP_SZ;
- if (idx + (sz * 2) + OPAQUE8_LEN > len) {
- WOLFSSL_MSG("Buffer not large enough for imp IVs");
- return BUFFER_E;
- }
- exp[idx++] = sz;
- if (sz > 0) {
- XMEMCPY(exp + idx, keys->aead_enc_imp_IV, sz); idx += sz;
- XMEMCPY(exp + idx, keys->aead_dec_imp_IV, sz); idx += sz;
- }
- /* DTLS_EXPORT_KEY_SZ is max value. idx size can vary */
- if (idx > DTLS_EXPORT_KEY_SZ) {
- WOLFSSL_MSG("DTLS_EXPORT_KEY_SZ needs updated and export version");
- return DTLS_EXPORT_VER_E;
- }
- WOLFSSL_LEAVE("ExportKeyState", idx);
- (void)ver;
- (void)type;
- return idx;
- }
- /**
- * Imports the buffer 'exp' into the 'ssl' CipherSpec structure.
- * @param ssl WOLFSSL structure to import into
- * @param exp input buffer to read from
- * @param len length of exp buffer
- * @param ver version of import buffer found
- * @param type flag for importing a TLS session or DTLS
- *
- * @return size of exp buffer consumed on success and negative value on fail
- */
- static int ImportCipherSpecState(WOLFSSL* ssl, const byte* exp, word32 len,
- byte ver, int type)
- {
- word32 idx = 0;
- CipherSpecs* specs;
- word32 tmp_seq_peer_lo;
- word32 tmp_seq_peer_hi;
- word32 tmp_seq_lo;
- word32 tmp_seq_hi;
- WOLFSSL_ENTER("ImportCipherSpecState");
- if (exp == NULL || ssl == NULL) {
- return BAD_FUNC_ARG;
- }
- specs= &(ssl->specs);
- if (WOLFSSL_EXPORT_SPC_SZ > len) {
- WOLFSSL_MSG("Buffer not large enough for max spec struct size");
- return BUFFER_E;
- }
- ato16(exp + idx, &specs->key_size); idx += OPAQUE16_LEN;
- ato16(exp + idx, &specs->iv_size); idx += OPAQUE16_LEN;
- ato16(exp + idx, &specs->block_size); idx += OPAQUE16_LEN;
- ato16(exp + idx, &specs->aead_mac_size); idx += OPAQUE16_LEN;
- specs->bulk_cipher_algorithm = exp[idx++];
- specs->cipher_type = exp[idx++];
- specs->mac_algorithm = exp[idx++];
- specs->kea = exp[idx++];
- specs->sig_algo = exp[idx++];
- specs->hash_size = exp[idx++];
- specs->pad_size = exp[idx++];
- specs->static_ecdh = exp[idx++];
- if (specs->pad_size != PAD_MD5 && specs->pad_size != PAD_SHA) {
- WOLFSSL_MSG("Importing bad or unknown pad size");
- return BAD_STATE_E;
- }
- /* temporarily save the sequence numbers */
- tmp_seq_peer_lo = ssl->keys.peer_sequence_number_lo;
- tmp_seq_peer_hi = ssl->keys.peer_sequence_number_hi;
- tmp_seq_lo = ssl->keys.sequence_number_lo;
- tmp_seq_hi = ssl->keys.sequence_number_hi;
- SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE);
- /* reset sequence numbers after setting keys */
- ssl->keys.peer_sequence_number_lo = tmp_seq_peer_lo;
- ssl->keys.peer_sequence_number_hi = tmp_seq_peer_hi;
- ssl->keys.sequence_number_lo = tmp_seq_lo;
- ssl->keys.sequence_number_hi = tmp_seq_hi;
- if (type == WOLFSSL_EXPORT_TLS &&
- ssl->specs.bulk_cipher_algorithm == wolfssl_aes) {
- byte *pt = (byte*)ssl->encrypt.aes->reg;
- XMEMCPY(pt, exp + idx, AES_BLOCK_SIZE);
- idx += AES_BLOCK_SIZE;
- pt = (byte*)ssl->decrypt.aes->reg;
- XMEMCPY(pt, exp + idx, AES_BLOCK_SIZE);
- idx += AES_BLOCK_SIZE;
- }
- WOLFSSL_LEAVE("ImportCipherSpecState", idx);
- (void)ver;
- return idx;
- }
- /**
- * Import the Key structure
- *
- * @param ssl WOLFSSL structure to import into
- * @param exp buffer to read Key values from
- * @param len max length of buffer 'exp'
- * @param ver version of import buffer found
- * @param type flag for TLS vs DTLS
- *
- * @return amount of data read from exp on success or negative on fail
- */
- static int ImportKeyState(WOLFSSL* ssl, const byte* exp, word32 len, byte ver,
- int type)
- {
- word32 idx = 0;
- byte sz;
- Keys *keys;
- WOLFSSL_ENTER("ImportKeyState");
- if (exp == NULL || ssl == NULL) {
- return BAD_FUNC_ARG;
- }
- keys = &(ssl->keys);
- /* check minimum length -- includes byte used for size indicators */
- if (len < DTLS_EXPORT_MIN_KEY_SZ) {
- WOLFSSL_MSG("Buffer not large enough for minimum expected size");
- return BUFFER_E;
- }
- ato32(exp + idx, &keys->peer_sequence_number_hi); idx += OPAQUE32_LEN;
- ato32(exp + idx, &keys->peer_sequence_number_lo); idx += OPAQUE32_LEN;
- ato32(exp + idx, &keys->sequence_number_hi); idx += OPAQUE32_LEN;
- ato32(exp + idx, &keys->sequence_number_lo); idx += OPAQUE32_LEN;
- #if defined(WOLFSSL_DTLS)
- if (type == WOLFSSL_EXPORT_DTLS) {
- ato16(exp + idx, &keys->peerSeq[0].nextEpoch); idx += OPAQUE16_LEN;
- ato16(exp + idx, &keys->peerSeq[0].nextSeq_hi); idx += OPAQUE16_LEN;
- ato32(exp + idx, &keys->peerSeq[0].nextSeq_lo); idx += OPAQUE32_LEN;
- ato16(exp + idx, &keys->curEpoch); idx += OPAQUE16_LEN;
- ato16(exp + idx, &keys->curSeq_hi); idx += OPAQUE16_LEN;
- ato32(exp + idx, &keys->curSeq_lo); idx += OPAQUE32_LEN;
- ato16(exp + idx, &keys->peerSeq[0].prevSeq_hi); idx += OPAQUE16_LEN;
- ato32(exp + idx, &keys->peerSeq[0].prevSeq_lo); idx += OPAQUE32_LEN;
- ato16(exp + idx, &keys->dtls_peer_handshake_number);
- idx += OPAQUE16_LEN;
- ato16(exp + idx, &keys->dtls_expected_peer_handshake_number);
- idx += OPAQUE16_LEN;
- ato16(exp + idx, &keys->dtls_sequence_number_hi); idx += OPAQUE16_LEN;
- ato32(exp + idx, &keys->dtls_sequence_number_lo); idx += OPAQUE32_LEN;
- ato16(exp + idx, &keys->dtls_prev_sequence_number_hi);
- idx += OPAQUE16_LEN;
- ato32(exp + idx, &keys->dtls_prev_sequence_number_lo);
- idx += OPAQUE32_LEN;
- ato16(exp + idx, &keys->dtls_epoch); idx += OPAQUE16_LEN;
- ato16(exp + idx, &keys->dtls_handshake_number); idx += OPAQUE16_LEN;
- }
- #endif
- ato32(exp + idx, &keys->encryptSz); idx += OPAQUE32_LEN;
- ato32(exp + idx, &keys->padSz); idx += OPAQUE32_LEN;
- keys->encryptionOn = exp[idx++];
- keys->decryptedCur = exp[idx++];
- #if defined(WOLFSSL_DTLS)
- if (type == WOLFSSL_EXPORT_DTLS) {
- word16 i, wordCount, wordAdj = 0;
- /* do window */
- ato16(exp + idx, &wordCount);
- idx += OPAQUE16_LEN;
- if (wordCount > WOLFSSL_DTLS_WINDOW_WORDS) {
- wordCount = WOLFSSL_DTLS_WINDOW_WORDS;
- wordAdj = (WOLFSSL_DTLS_WINDOW_WORDS - wordCount) * sizeof(word32);
- }
- XMEMSET(keys->peerSeq[0].window, 0xFF, DTLS_SEQ_SZ);
- for (i = 0; i < wordCount; i++) {
- ato32(exp + idx, &keys->peerSeq[0].window[i]);
- idx += OPAQUE32_LEN;
- }
- idx += wordAdj;
- /* do prevWindow */
- ato16(exp + idx, &wordCount);
- idx += OPAQUE16_LEN;
- if (wordCount > WOLFSSL_DTLS_WINDOW_WORDS) {
- wordCount = WOLFSSL_DTLS_WINDOW_WORDS;
- wordAdj = (WOLFSSL_DTLS_WINDOW_WORDS - wordCount) * sizeof(word32);
- }
- XMEMSET(keys->peerSeq[0].prevWindow, 0xFF, DTLS_SEQ_SZ);
- for (i = 0; i < wordCount; i++) {
- ato32(exp + idx, &keys->peerSeq[0].prevWindow[i]);
- idx += OPAQUE32_LEN;
- }
- idx += wordAdj;
- }
- #endif
- #ifdef HAVE_TRUNCATED_HMAC
- ssl->truncated_hmac = exp[idx++];
- #else
- idx++; /* no truncated hmac */
- #endif
- sz = exp[idx++];
- #ifndef WOLFSSL_AEAD_ONLY
- if (sz > sizeof(keys->client_write_MAC_secret) || (sz * 2) + idx > len) {
- WOLFSSL_MSG("Buffer not large enough for MAC import");
- return BUFFER_E;
- }
- if (sz > 0) {
- XMEMCPY(keys->client_write_MAC_secret, exp + idx, sz); idx += sz;
- XMEMCPY(keys->server_write_MAC_secret, exp + idx, sz); idx += sz;
- }
- #else
- if (sz + idx > len) {
- return BUFFER_E;
- }
- idx += sz; idx += sz;
- #endif
- sz = exp[idx++];
- if (sz > sizeof(keys->client_write_key) || (sz * 2) + idx > len) {
- WOLFSSL_MSG("Buffer not large enough for key import");
- return BUFFER_E;
- }
- if (sz > 0) {
- XMEMCPY(keys->client_write_key, exp + idx, sz); idx += sz;
- XMEMCPY(keys->server_write_key, exp + idx, sz); idx += sz;
- }
- sz = exp[idx++];
- if (sz > sizeof(keys->client_write_IV) || (sz * 2) + idx > len) {
- WOLFSSL_MSG("Buffer not large enough for write IV import");
- return BUFFER_E;
- }
- if (sz > 0) {
- XMEMCPY(keys->client_write_IV, exp + idx, sz); idx += sz;
- XMEMCPY(keys->server_write_IV, exp + idx, sz); idx += sz;
- }
- XMEMCPY(keys->aead_exp_IV, exp + idx, AEAD_MAX_EXP_SZ);
- idx += AEAD_MAX_EXP_SZ;
- sz = exp[idx++];
- if (sz > sizeof(keys->aead_enc_imp_IV) || (sz * 2) + idx > len) {
- WOLFSSL_MSG("Buffer not large enough for imp IV import");
- return BUFFER_E;
- }
- if (sz > 0) {
- XMEMCPY(keys->aead_enc_imp_IV, exp + idx, sz); idx += sz;
- XMEMCPY(keys->aead_dec_imp_IV, exp + idx, sz); idx += sz;
- }
- WOLFSSL_LEAVE("ImportKeyState", idx);
- (void)ver;
- (void)type;
- return idx;
- }
- /* copy over necessary information from Options struct to buffer
- * On success returns size of buffer used on failure returns a negative value */
- static int ExportOptions(WOLFSSL* ssl, byte* exp, word32 len, byte ver,
- int type)
- {
- int idx = 0;
- word16 zero = 0;
- Options *options;
- WOLFSSL_ENTER("ExportOptions");
- if (ssl == NULL || exp == NULL || len < DTLS_EXPORT_OPT_SZ) {
- return BAD_FUNC_ARG;
- }
- options = &ssl->options;
- if (options == NULL) {
- return BAD_FUNC_ARG;
- }
- XMEMSET(exp, 0, DTLS_EXPORT_OPT_SZ);
- /* these options are kept and sent to indicate verify status and strength
- * of handshake */
- exp[idx++] = options->sendVerify;
- exp[idx++] = options->verifyPeer;
- exp[idx++] = options->verifyNone;
- exp[idx++] = options->downgrade;
- #ifndef NO_DH
- c16toa(options->minDhKeySz, exp + idx); idx += OPAQUE16_LEN;
- c16toa(options->maxDhKeySz, exp + idx); idx += OPAQUE16_LEN;
- c16toa(options->dhKeySz, exp + idx); idx += OPAQUE16_LEN;
- #else
- c16toa(zero, exp + idx); idx += OPAQUE16_LEN;
- c16toa(zero, exp + idx); idx += OPAQUE16_LEN;
- c16toa(zero, exp + idx); idx += OPAQUE16_LEN;
- #endif
- #ifndef NO_RSA
- c16toa((word16)(options->minRsaKeySz), exp + idx); idx += OPAQUE16_LEN;
- #else
- c16toa(zero, exp + idx); idx += OPAQUE16_LEN;
- #endif
- #ifdef HAVE_ECC
- c16toa((word16)(options->minEccKeySz), exp + idx); idx += OPAQUE16_LEN;
- #else
- c16toa(zero, exp + idx); idx += OPAQUE16_LEN;
- #endif
- /* these options are kept to indicate state and behavior */
- #ifndef NO_PSK
- exp[idx++] = options->havePSK;
- #else
- exp[idx++] = 0;
- #endif
- exp[idx++] = options->sessionCacheOff;
- exp[idx++] = options->sessionCacheFlushOff;
- exp[idx++] = options->side;
- exp[idx++] = options->resuming;
- exp[idx++] = options->haveSessionId;
- exp[idx++] = options->tls;
- exp[idx++] = options->tls1_1;
- exp[idx++] = options->dtls;
- exp[idx++] = options->connReset;
- exp[idx++] = options->isClosed;
- exp[idx++] = options->closeNotify;
- exp[idx++] = options->sentNotify;
- exp[idx++] = options->usingCompression;
- exp[idx++] = options->haveRSA;
- exp[idx++] = options->haveECC;
- exp[idx++] = options->haveDH;
- exp[idx++] = 0; /* Historical: haveNTRU */
- exp[idx++] = 0; /* Historical: haveQSH */
- exp[idx++] = options->haveECDSAsig;
- exp[idx++] = options->haveStaticECC;
- exp[idx++] = options->havePeerVerify;
- exp[idx++] = options->usingPSK_cipher;
- exp[idx++] = options->usingAnon_cipher;
- exp[idx++] = 0; /* Historical: options->sendAlertState */
- exp[idx++] = options->partialWrite;
- exp[idx++] = options->quietShutdown;
- exp[idx++] = options->groupMessages;
- #ifdef HAVE_POLY1305
- exp[idx++] = options->oldPoly;
- #else
- exp[idx++] = 0;
- #endif
- #ifdef HAVE_ANON
- exp[idx++] = options->haveAnon;
- #else
- exp[idx++] = 0;
- #endif
- #ifdef HAVE_SESSION_TICKET
- exp[idx++] = options->createTicket;
- exp[idx++] = options->useTicket;
- exp[idx++] = options->noTicketTls12;
- #ifdef WOLFSSL_TLS13
- if (ver > WOLFSSL_EXPORT_VERSION_3) {
- exp[idx++] = options->noTicketTls13;
- }
- #else
- if (ver > WOLFSSL_EXPORT_VERSION_3) {
- exp[idx++] = 0;
- }
- #endif
- #else
- exp[idx++] = 0;
- exp[idx++] = 0;
- exp[idx++] = 0;
- if (ver > WOLFSSL_EXPORT_VERSION_3) {
- exp[idx++] = 0;
- }
- #endif
- exp[idx++] = options->processReply;
- exp[idx++] = options->cipherSuite0;
- exp[idx++] = options->cipherSuite;
- exp[idx++] = options->serverState;
- exp[idx++] = options->clientState;
- exp[idx++] = options->handShakeState;
- exp[idx++] = options->handShakeDone;
- exp[idx++] = options->minDowngrade;
- exp[idx++] = options->connectState;
- exp[idx++] = options->acceptState;
- exp[idx++] = options->asyncState;
- if (type == WOLFSSL_EXPORT_TLS) {
- #ifdef HAVE_ENCRYPT_THEN_MAC
- exp[idx++] = options->disallowEncThenMac;
- exp[idx++] = options->encThenMac;
- exp[idx++] = options->startedETMRead;
- exp[idx++] = options->startedETMWrite;
- #else
- exp[idx++] = 0;
- exp[idx++] = 0;
- exp[idx++] = 0;
- exp[idx++] = 0;
- #endif
- }
- /* version of connection */
- exp[idx++] = ssl->version.major;
- exp[idx++] = ssl->version.minor;
- (void)zero;
- /* check if changes were made and notify of need to update export version */
- switch (ver) {
- case WOLFSSL_EXPORT_VERSION_3:
- if (idx != DTLS_EXPORT_OPT_SZ_3) {
- WOLFSSL_MSG("Update DTLS_EXPORT_OPT_SZ and version of export");
- return DTLS_EXPORT_VER_E;
- }
- break;
- case WOLFSSL_EXPORT_VERSION:
- if (idx != DTLS_EXPORT_OPT_SZ && type == WOLFSSL_EXPORT_DTLS) {
- WOLFSSL_MSG("Update DTLS_EXPORT_OPT_SZ and version of export");
- return DTLS_EXPORT_VER_E;
- }
- break;
- default:
- WOLFSSL_MSG("New version case needs added to wolfSSL export");
- return DTLS_EXPORT_VER_E;
- }
- WOLFSSL_LEAVE("ExportOptions", idx);
- (void)type;
- return idx;
- }
- /* copy items from Export struct to Options struct
- * On success returns size of buffer used on failure returns a negative value */
- static int ImportOptions(WOLFSSL* ssl, const byte* exp, word32 len, byte ver,
- int type)
- {
- int idx = 0;
- Options* options = &ssl->options;
- switch (ver) {
- case WOLFSSL_EXPORT_VERSION:
- if (len < DTLS_EXPORT_OPT_SZ) {
- WOLFSSL_MSG("Sanity check on buffer size failed");
- return BAD_FUNC_ARG;
- }
- break;
- case WOLFSSL_EXPORT_VERSION_3:
- if (len < DTLS_EXPORT_OPT_SZ_3) {
- WOLFSSL_MSG("Sanity check on buffer size failed");
- return BAD_FUNC_ARG;
- }
- break;
- default:
- WOLFSSL_MSG("Export version not supported");
- return BAD_FUNC_ARG;
- }
- if (exp == NULL || options == NULL) {
- return BAD_FUNC_ARG;
- }
- /* these options are kept and sent to indicate verify status and strength
- * of handshake */
- options->sendVerify = exp[idx++];
- options->verifyPeer = exp[idx++];
- options->verifyNone = exp[idx++];
- options->downgrade = exp[idx++];
- #ifndef NO_DH
- ato16(exp + idx, &(options->minDhKeySz)); idx += OPAQUE16_LEN;
- ato16(exp + idx, &(options->maxDhKeySz)); idx += OPAQUE16_LEN;
- ato16(exp + idx, &(options->dhKeySz)); idx += OPAQUE16_LEN;
- #else
- idx += OPAQUE16_LEN;
- idx += OPAQUE16_LEN;
- idx += OPAQUE16_LEN;
- #endif
- #ifndef NO_RSA
- ato16(exp + idx, (word16*)&(options->minRsaKeySz)); idx += OPAQUE16_LEN;
- #else
- idx += OPAQUE16_LEN;
- #endif
- #ifdef HAVE_ECC
- ato16(exp + idx, (word16*)&(options->minEccKeySz)); idx += OPAQUE16_LEN;
- #else
- idx += OPAQUE16_LEN;
- #endif
- /* these options are kept to indicate state and behavior */
- #ifndef NO_PSK
- options->havePSK = exp[idx++];
- #else
- idx++;
- #endif
- options->sessionCacheOff = exp[idx++];
- options->sessionCacheFlushOff = exp[idx++];
- options->side = exp[idx++];
- options->resuming = exp[idx++];
- options->haveSessionId = exp[idx++];
- options->tls = exp[idx++];
- options->tls1_1 = exp[idx++];
- options->dtls = exp[idx++];
- options->connReset = exp[idx++];
- options->isClosed = exp[idx++];
- options->closeNotify = exp[idx++];
- options->sentNotify = exp[idx++];
- options->usingCompression = exp[idx++];
- options->haveRSA = exp[idx++];
- options->haveECC = exp[idx++];
- options->haveDH = exp[idx++];
- idx++; /* Historical: haveNTRU */
- idx++; /* Historical: haveQSH */
- options->haveECDSAsig = exp[idx++];
- options->haveStaticECC = exp[idx++];
- options->havePeerVerify = exp[idx++];
- options->usingPSK_cipher = exp[idx++];
- options->usingAnon_cipher = exp[idx++];
- idx++; /* Historical: options->sendAlertState */
- options->partialWrite = exp[idx++];
- options->quietShutdown = exp[idx++];
- options->groupMessages = exp[idx++];
- #ifdef HAVE_POLY1305
- options->oldPoly = exp[idx++]; /* set when to use old rfc way of poly*/
- #else
- idx++;
- #endif
- #ifdef HAVE_ANON
- options->haveAnon = exp[idx++]; /* User wants to allow Anon suites */
- #else
- idx++;
- #endif
- #ifdef HAVE_SESSION_TICKET
- options->createTicket = exp[idx++]; /* Server to create new Ticket */
- options->useTicket = exp[idx++]; /* Use Ticket not session cache */
- options->noTicketTls12 = exp[idx++]; /* Server won't create new Ticket */
- #ifdef WOLFSSL_TLS13
- if (ver > WOLFSSL_EXPORT_VERSION_3) {
- options->noTicketTls13 = exp[idx++];/* Server won't create new Ticket */
- }
- #else
- if (ver > WOLFSSL_EXPORT_VERSION_3) {
- idx++;
- }
- #endif
- #else
- idx++;
- idx++;
- idx++;
- if (ver > WOLFSSL_EXPORT_VERSION_3) {
- idx++;
- }
- #endif
- options->processReply = exp[idx++];
- options->cipherSuite0 = exp[idx++];
- options->cipherSuite = exp[idx++];
- options->serverState = exp[idx++];
- options->clientState = exp[idx++];
- options->handShakeState = exp[idx++];
- options->handShakeDone = exp[idx++];
- options->minDowngrade = exp[idx++];
- options->connectState = exp[idx++];
- options->acceptState = exp[idx++];
- options->asyncState = exp[idx++];
- if (type == WOLFSSL_EXPORT_TLS) {
- #ifdef HAVE_ENCRYPT_THEN_MAC
- options->disallowEncThenMac = exp[idx++];
- options->encThenMac = exp[idx++];
- options->startedETMRead = exp[idx++];
- options->startedETMWrite = exp[idx++];
- #else
- idx++;
- idx++;
- idx++;
- idx++;
- #endif
- }
- /* version of connection */
- if (ssl->version.major != exp[idx++] || ssl->version.minor != exp[idx++]) {
- WOLFSSL_MSG("Version mismatch ie DTLS v1 vs v1.2");
- return VERSION_ERROR;
- }
- /* set TLS 1.3 flag in options if this was a TLS 1.3 connection */
- if (ssl->version.major == SSLv3_MAJOR &&
- ssl->version.minor == TLSv1_3_MINOR) {
- options->tls1_3 = 1;
- }
- return idx;
- }
- #ifndef WOLFSSL_SESSION_EXPORT_NOPEER
- static int ExportPeerInfo(WOLFSSL* ssl, byte* exp, word32 len, byte ver)
- {
- int idx = 0;
- int ipSz = MAX_EXPORT_IP; /* start as max size */
- int fam = 0;
- word16 port = 0;
- char ip[MAX_EXPORT_IP];
- if (ver != WOLFSSL_EXPORT_VERSION) {
- WOLFSSL_MSG("Export version not supported");
- return BAD_FUNC_ARG;
- }
- if (ssl == NULL || exp == NULL ||
- len < (sizeof(ip) + 3 * WOLFSSL_EXPORT_LEN)) {
- return BAD_FUNC_ARG;
- }
- if (ssl->ctx->CBGetPeer == NULL) {
- WOLFSSL_MSG("No get peer call back set");
- return BAD_FUNC_ARG;
- }
- if (ssl->ctx->CBGetPeer(ssl, ip, &ipSz, &port, &fam) != WOLFSSL_SUCCESS) {
- WOLFSSL_MSG("Get peer callback error");
- return SOCKET_ERROR_E;
- }
- /* check that ipSz/fam is not negative or too large since user can set cb */
- if (ipSz < 0 || ipSz > MAX_EXPORT_IP || fam < 0) {
- WOLFSSL_MSG("Bad ipSz or fam returned from get peer callback");
- return SOCKET_ERROR_E;
- }
- c16toa((word16)fam, exp + idx); idx += WOLFSSL_EXPORT_LEN;
- c16toa((word16)ipSz, exp + idx); idx += WOLFSSL_EXPORT_LEN;
- XMEMCPY(exp + idx, ip, ipSz); idx += ipSz;
- c16toa(port, exp + idx); idx += WOLFSSL_EXPORT_LEN;
- return idx;
- }
- #endif /* !WOLFSSL_SESSION_EXPORT_NOPEER */
- static int ImportPeerInfo(WOLFSSL* ssl, const byte* buf, word32 len, byte ver)
- {
- word16 idx = 0;
- word16 ipSz;
- word16 fam;
- word16 port;
- char ip[MAX_EXPORT_IP];
- if (ver != WOLFSSL_EXPORT_VERSION && ver != WOLFSSL_EXPORT_VERSION_3) {
- WOLFSSL_MSG("Export version not supported");
- return BAD_FUNC_ARG;
- }
- if (len == 0) {
- WOLFSSL_MSG("No peer info sent");
- return 0;
- }
- if (ssl == NULL || buf == NULL || len < 3 * WOLFSSL_EXPORT_LEN) {
- return BAD_FUNC_ARG;
- }
- /* import sin family */
- ato16(buf + idx, &fam); idx += WOLFSSL_EXPORT_LEN;
- /* import ip address idx, and ipSz are unsigned but cast for enum */
- ato16(buf + idx, &ipSz); idx += WOLFSSL_EXPORT_LEN;
- if (ipSz >= sizeof(ip) || (word16)(idx + ipSz + WOLFSSL_EXPORT_LEN) > len) {
- return BUFFER_E;
- }
- XMEMSET(ip, 0, sizeof(ip));
- XMEMCPY(ip, buf + idx, ipSz); idx += ipSz;
- ip[ipSz] = '\0'; /* with check that ipSz less than ip this is valid */
- ato16(buf + idx, &port); idx += WOLFSSL_EXPORT_LEN;
- /* sanity check for a function to call, then use it to import peer info */
- if (ssl->ctx->CBSetPeer == NULL) {
- WOLFSSL_MSG("No set peer function");
- return BAD_FUNC_ARG;
- }
- if (ssl->ctx->CBSetPeer(ssl, ip, ipSz, port, fam) != WOLFSSL_SUCCESS) {
- WOLFSSL_MSG("Error setting peer info");
- return SOCKET_ERROR_E;
- }
- return idx;
- }
- #ifdef WOLFSSL_DTLS
- /* WOLFSSL_LOCAL function that serializes the current WOLFSSL session state only
- * buf is used to hold the serialized WOLFSSL struct and sz is the size of buf
- * passed in.
- * On success returns the size of serialized session state.*/
- int wolfSSL_dtls_export_state_internal(WOLFSSL* ssl, byte* buf, word32 sz)
- {
- int ret;
- word32 idx = 0;
- word32 totalLen = 0;
- WOLFSSL_ENTER("wolfSSL_dtls_export_state_internal");
- if (buf == NULL || ssl == NULL) {
- WOLFSSL_LEAVE("wolfSSL_dtls_export_state_internal", BAD_FUNC_ARG);
- return BAD_FUNC_ARG;
- }
- totalLen += WOLFSSL_EXPORT_LEN * 2; /* 2 protocol bytes and 2 length bytes */
- /* each of the following have a 2 byte length before data */
- totalLen += WOLFSSL_EXPORT_LEN + DTLS_EXPORT_MIN_KEY_SZ;
- if (totalLen > sz) {
- WOLFSSL_LEAVE("wolfSSL_dtls_export_state_internal", BUFFER_E);
- return BUFFER_E;
- }
- buf[idx++] = (byte)DTLS_EXPORT_STATE_PRO;
- buf[idx++] = ((byte)DTLS_EXPORT_STATE_PRO & 0xF0) |
- ((byte)WOLFSSL_EXPORT_VERSION & 0X0F);
- idx += WOLFSSL_EXPORT_LEN; /* leave room for total length */
- /* export keys struct and dtls state -- variable length stored in ret */
- idx += WOLFSSL_EXPORT_LEN; /* leave room for length */
- if ((ret = ExportKeyState(ssl, buf + idx, sz - idx,
- WOLFSSL_EXPORT_VERSION, 1, WOLFSSL_EXPORT_DTLS)) < 0) {
- WOLFSSL_LEAVE("wolfSSL_dtls_export_state_internal", ret);
- return ret;
- }
- c16toa((word16)ret, buf + idx - WOLFSSL_EXPORT_LEN); idx += ret;
- /* place total length of exported buffer minus 2 bytes protocol/version */
- c16toa((word16)(idx - WOLFSSL_EXPORT_LEN), buf + WOLFSSL_EXPORT_LEN);
- #ifdef WOLFSSL_SESSION_EXPORT_DEBUG
- /* if compiled with debug options then print the version, protocol, size */
- {
- char debug[256];
- XSNPRINTF(debug, sizeof(debug), "Exporting DTLS session state\n"
- "\tVersion : %d\n\tProtocol : %02X%01X\n\tLength of: %d\n\n"
- , (int)WOLFSSL_EXPORT_VERSION, buf[0], (buf[1] >> 4), idx - 2);
- WOLFSSL_MSG(debug);
- }
- #endif /* WOLFSSL_SESSION_EXPORT_DEBUG */
- WOLFSSL_LEAVE("wolfSSL_dtls_export_state_internal", idx);
- return idx;
- }
- /* On success return amount of buffer consumed */
- int wolfSSL_dtls_import_state_internal(WOLFSSL* ssl, const byte* buf, word32 sz)
- {
- word32 idx = 0;
- word16 length = 0;
- int version;
- int ret;
- WOLFSSL_ENTER("wolfSSL_dtls_import_state_internal");
- /* check at least enough room for protocol and length */
- if (sz < WOLFSSL_EXPORT_LEN * 2 || ssl == NULL) {
- WOLFSSL_LEAVE("wolfSSL_dtls_import_state_internal", BAD_FUNC_ARG);
- return BAD_FUNC_ARG;
- }
- if (buf[idx++] != (byte)DTLS_EXPORT_STATE_PRO ||
- (buf[idx] & 0xF0) != ((byte)DTLS_EXPORT_PRO & 0xF0)) {
- WOLFSSL_MSG("Incorrect protocol");
- return BAD_FUNC_ARG;
- }
- version = buf[idx++] & 0x0F;
- ato16(buf + idx, &length); idx += WOLFSSL_EXPORT_LEN;
- if (length > sz - WOLFSSL_EXPORT_LEN) { /* subtract 2 for protocol */
- WOLFSSL_MSG("Buffer size sanity check failed");
- return BUFFER_E;
- }
- #ifdef WOLFSSL_SESSION_EXPORT_DEBUG
- /* if compiled with debug options then print the version, protocol, size */
- {
- char debug[256];
- XSNPRINTF(debug, sizeof(debug), "Importing DTLS session state\n"
- "\tVersion : %d\n\tProtocol : %02X%01X\n\tLength of: %d\n\n"
- , (int)version, buf[0], (buf[1] >> 4), length);
- WOLFSSL_MSG(debug);
- }
- #endif /* WOLFSSL_SESSION_EXPORT_DEBUG */
- /* perform sanity checks and extract Options information used */
- switch (version) {
- case WOLFSSL_EXPORT_VERSION:
- break;
- default:
- WOLFSSL_MSG("Bad export state version");
- return BAD_FUNC_ARG;
- }
- /* perform sanity checks and extract Keys struct */
- if (WOLFSSL_EXPORT_LEN + idx > sz) {
- WOLFSSL_MSG("Import Key struct error");
- return BUFFER_E;
- }
- ato16(buf + idx, &length); idx += WOLFSSL_EXPORT_LEN;
- if (length > DTLS_EXPORT_KEY_SZ || length + idx > sz) {
- WOLFSSL_MSG("Import Key struct error");
- return BUFFER_E;
- }
- if ((ret = ImportKeyState(ssl, buf + idx, length, version,
- WOLFSSL_EXPORT_DTLS)) < 0) {
- WOLFSSL_MSG("Import Key struct error");
- WOLFSSL_LEAVE("wolfSSL_dtls_import_state_internal", ret);
- return ret;
- }
- idx += ret;
- WOLFSSL_LEAVE("wolfSSL_dtls_import_state_internal", ret);
- return idx;
- }
- #endif /* WOLFSSL_DTLS */
- /**
- * Imports a serialized buffer (both TLS and DTLS)
- *
- * @param ssl WOLFSSL structure to import into
- * @param buf buffer containing serialized session
- * @param sz size of buffer 'buf'
- * @param type flag for TLS or DTLS
- *
- * @return the size of serialized buffer on success
- */
- int wolfSSL_session_import_internal(WOLFSSL* ssl, const unsigned char* buf,
- unsigned int sz, int type)
- {
- word32 idx = 0;
- word16 length = 0;
- int version = 0;
- int ret = 0;
- int optSz = 0;
- int rc;
- WOLFSSL_ENTER("wolfSSL_session_import_internal");
- /* check at least enough room for protocol and length */
- if (sz < WOLFSSL_EXPORT_LEN * 2 || ssl == NULL) {
- ret = BAD_FUNC_ARG;
- }
- /* Check if is TLS export protocol */
- if (ret == 0) {
- byte validProto = 0; /* did we find a valid protocol */
- if (buf[idx] == (byte)TLS_EXPORT_PRO &&
- (buf[idx + 1] & 0xF0) == ((byte)TLS_EXPORT_PRO & 0xF0)) {
- validProto = 1;
- }
- /* Check if is DTLS export protocol */
- if (buf[idx] == (byte)DTLS_EXPORT_PRO &&
- (buf[idx + 1] & 0xF0) == ((byte)DTLS_EXPORT_PRO & 0xF0)) {
- validProto = 1;
- }
- if (validProto == 0) {
- #ifdef WOLFSSL_DTLS
- /* check if importing state only */
- return wolfSSL_dtls_import_state_internal(ssl, buf, sz);
- #else
- WOLFSSL_MSG("Invalid serialized session protocol value");
- ret = BAD_FUNC_ARG;
- #endif
- }
- idx += 1;
- }
- if (ret == 0) {
- version = buf[idx++] & 0x0F;
- ato16(buf + idx, &length); idx += WOLFSSL_EXPORT_LEN;
- if (length > sz - WOLFSSL_EXPORT_LEN) { /* subtract 2 for protocol */
- ret = BUFFER_E;
- }
- }
- /* if compiled with debug options then print the version, protocol, size */
- #ifdef WOLFSSL_SESSION_EXPORT_DEBUG
- {
- char debug[256];
- XSNPRINTF(debug, sizeof(debug), "Importing DTLS session\n"
- "\tVersion : %d\n\tProtocol : %02X%01X\n\tLength of: %d\n\n"
- , (int)version, buf[0], (buf[1] >> 4), length);
- WOLFSSL_MSG(debug);
- }
- #endif /* WOLFSSL_SESSION_EXPORT_DEBUG */
- /* perform sanity checks and extract Options information used */
- if (ret == 0) {
- switch (version) {
- case WOLFSSL_EXPORT_VERSION:
- if (type == WOLFSSL_EXPORT_DTLS) {
- optSz = DTLS_EXPORT_OPT_SZ;
- }
- else {
- optSz = TLS_EXPORT_OPT_SZ;
- }
- break;
- case WOLFSSL_EXPORT_VERSION_3:
- WOLFSSL_MSG("Importing older version 3");
- optSz = DTLS_EXPORT_OPT_SZ_3;
- break;
- default:
- WOLFSSL_MSG("Bad export version");
- ret = BAD_FUNC_ARG;
- }
- }
- if (ret == 0 && (WOLFSSL_EXPORT_LEN + optSz + idx > sz)) {
- WOLFSSL_MSG("Import Options struct error");
- ret = BUFFER_E;
- }
- if (ret == 0) {
- ato16(buf + idx, &length); idx += WOLFSSL_EXPORT_LEN;
- if (length != optSz) {
- WOLFSSL_MSG("Import Options struct error");
- ret = BUFFER_E;
- }
- }
- if (ret == 0) {
- rc = ImportOptions(ssl, buf + idx, length, version, type);
- if (rc < 0) {
- WOLFSSL_MSG("Import Options struct error");
- ret = rc;
- }
- else {
- idx += length;
- }
- }
- /* perform sanity checks and extract Keys struct */
- if (ret == 0 && (WOLFSSL_EXPORT_LEN + idx > sz)) {
- WOLFSSL_MSG("Import Key struct error");
- ret = BUFFER_E;
- }
- if (ret == 0) {
- ato16(buf + idx, &length); idx += WOLFSSL_EXPORT_LEN;
- if (length > DTLS_EXPORT_KEY_SZ || length + idx > sz) {
- WOLFSSL_MSG("Import Key struct error");
- ret = BUFFER_E;
- }
- }
- if (ret == 0) {
- rc = ImportKeyState(ssl, buf + idx, length, version, type);
- if (rc < 0) {
- WOLFSSL_MSG("Import Key struct error");
- ret = rc;
- }
- else {
- idx += rc;
- }
- }
- /* perform sanity checks and extract CipherSpecs struct */
- if (ret == 0 && (WOLFSSL_EXPORT_LEN + WOLFSSL_EXPORT_SPC_SZ + idx > sz)) {
- WOLFSSL_MSG("Import CipherSpecs struct error");
- ret = BUFFER_E;
- }
- if (ret == 0) {
- ato16(buf + idx, &length); idx += WOLFSSL_EXPORT_LEN;
- if (length != WOLFSSL_EXPORT_SPC_SZ) {
- WOLFSSL_MSG("Import CipherSpecs struct error");
- ret = BUFFER_E;
- }
- }
- if (ret == 0) {
- rc = ImportCipherSpecState(ssl, buf + idx, length, version, type);
- if (rc < 0) {
- WOLFSSL_MSG("Import CipherSpecs struct error");
- ret = rc;
- }
- else {
- idx += rc;
- }
- }
- /* perform sanity checks and extract DTLS peer info */
- if (ret == 0 && (WOLFSSL_EXPORT_LEN + idx > sz)) {
- WOLFSSL_MSG("Import DTLS peer info error");
- ret = BUFFER_E;
- }
- if (ret == 0) {
- ato16(buf + idx, &length); idx += WOLFSSL_EXPORT_LEN;
- if (idx + length > sz) {
- WOLFSSL_MSG("Import DTLS peer info error");
- ret = BUFFER_E;
- }
- }
- if (ret == 0) {
- rc = ImportPeerInfo(ssl, buf + idx, length, version);
- if (rc < 0) {
- WOLFSSL_MSG("Import Peer Addr error");
- ret = rc;
- }
- else {
- idx += rc;
- }
- }
- /* make sure is a valid suite used */
- if (ret == 0 && wolfSSL_get_cipher(ssl) == NULL) {
- WOLFSSL_MSG("Can not match cipher suite imported");
- ret = MATCH_SUITE_ERROR;
- }
- #ifndef WOLFSSL_AEAD_ONLY
- /* set hmac function to use when verifying */
- if (ret == 0 && (ssl->options.tls == 1 || ssl->options.tls1_1 == 1 ||
- ssl->options.dtls == 1)) {
- #if !defined(WOLFSSL_RENESAS_SCEPROTECT) && \
- !defined(WOLFSSL_RENESAS_TSIP_TLS)
- ssl->hmac = TLS_hmac;
- #else
- ssl->hmac = Renesas_cmn_TLS_hmac;
- #endif
- }
- /* do not allow stream ciphers with DTLS, except for NULL cipher */
- if (ret == 0 && ssl->specs.cipher_type == stream &&
- ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) {
- WOLFSSL_MSG("Can not import stream ciphers for DTLS");
- ret = SANITY_CIPHER_E;
- }
- #endif /* !WOLFSSL_AEAD_ONLY */
- if (ret != 0) {
- idx = ret;
- }
- WOLFSSL_LEAVE("wolfSSL_session_import_internal", idx);
- return idx;
- }
- /**
- * Handles serializing the session information.
- *
- * @param ssl WOLFSSL structure to serialize session from
- * @param buf output buffer to hold serialized session
- * @param sz the size of buffer 'buf', if too small then gets updated
- * @param type if the input WOLFSSL structure is expected to be TLS or DTLS
- * 1 for yes is TLS and 0 for no is DTLS
- *
- * @return the size of serialized buffer on success and negative values on fail
- */
- int wolfSSL_session_export_internal(WOLFSSL* ssl, byte* buf, word32* sz,
- int type)
- {
- int ret = 0;
- word32 idx = 0;
- word32 totalLen = 0;
- WOLFSSL_ENTER("wolfSSL_session_export_internal");
- if (ssl == NULL) {
- WOLFSSL_MSG("unexpected null argument");
- ret = BAD_FUNC_ARG;
- }
- if (ret == 0) {
- totalLen += WOLFSSL_EXPORT_LEN * 2; /* 2 protocol bytes and 2 length bytes */
- /* each of the following have a 2 byte length before data */
- totalLen += WOLFSSL_EXPORT_LEN + DTLS_EXPORT_OPT_SZ;
- totalLen += WOLFSSL_EXPORT_LEN + DTLS_EXPORT_KEY_SZ;
- totalLen += WOLFSSL_EXPORT_LEN + WOLFSSL_EXPORT_SPC_SZ;
- #ifdef WOLFSSL_DTLS
- if (type == WOLFSSL_EXPORT_DTLS) {
- totalLen += WOLFSSL_EXPORT_LEN + ssl->buffers.dtlsCtx.peer.sz;
- }
- #endif
- }
- /* check is at least the minimum size needed, TLS cipher states add more */
- if (ret == 0 && (totalLen > *sz || buf == NULL)) {
- WOLFSSL_MSG("export buffer was too small or null");
- *sz = totalLen;
- /* possible AES state needed */
- if (type == WOLFSSL_EXPORT_TLS) {
- *sz += AES_BLOCK_SIZE*2;
- }
- ret = LENGTH_ONLY_E;
- }
- if (ret == 0) {
- buf[idx++] = (byte)(type == WOLFSSL_EXPORT_TLS)? TLS_EXPORT_PRO :
- DTLS_EXPORT_PRO;
- buf[idx++] = ((byte)((type == WOLFSSL_EXPORT_TLS)? TLS_EXPORT_PRO :
- DTLS_EXPORT_PRO) & 0xF0)
- | ((byte)WOLFSSL_EXPORT_VERSION & 0X0F);
- idx += WOLFSSL_EXPORT_LEN; /* leave spot for length of total buffer */
- idx += WOLFSSL_EXPORT_LEN;
- ret = ExportOptions(ssl, buf + idx, *sz - idx, WOLFSSL_EXPORT_VERSION,
- type);
- if (ret >= 0) {
- c16toa((word16)ret, buf + idx - WOLFSSL_EXPORT_LEN);
- idx += ret;
- ret = 0;
- }
- }
- /* export keys struct and dtls state -- variable length stored in ret */
- if (ret == 0) {
- idx += WOLFSSL_EXPORT_LEN; /* leave room for length */
- ret = ExportKeyState(ssl, buf + idx, *sz - idx, WOLFSSL_EXPORT_VERSION,
- 0, type);
- if (ret >= 0) {
- c16toa((word16)ret, buf + idx - WOLFSSL_EXPORT_LEN); idx += ret;
- ret = 0;
- }
- }
- /* export of cipher specs struct */
- if (ret == 0) {
- c16toa((word16)WOLFSSL_EXPORT_SPC_SZ, buf + idx);
- idx += WOLFSSL_EXPORT_LEN;
- ret = ExportCipherSpecState(ssl, buf + idx, *sz - idx,
- WOLFSSL_EXPORT_VERSION, type);
- if (ret >= 0) {
- idx += ret;
- ret = 0;
- }
- }
- /* export of peer information */
- if (ret == 0) {
- idx += WOLFSSL_EXPORT_LEN;
- #ifdef WOLFSSL_SESSION_EXPORT_NOPEER
- ret = 0; /* not saving peer port/ip information */
- #else
- ret = ExportPeerInfo(ssl, buf + idx, *sz - idx, WOLFSSL_EXPORT_VERSION);
- #endif
- if (ret >= 0) {
- c16toa(ret, buf + idx - WOLFSSL_EXPORT_LEN);
- idx += ret;
- ret = 0;
- }
- }
- if (ret != 0 && ret != LENGTH_ONLY_E && buf != NULL) {
- /*in a fail case clear the buffer which could contain partial key info*/
- XMEMSET(buf, 0, *sz);
- }
- /* place total length of exported buffer minus 2 bytes protocol/version */
- if (ret == 0) {
- c16toa((word16)(idx - WOLFSSL_EXPORT_LEN), buf + WOLFSSL_EXPORT_LEN);
- ret = idx;
- #ifdef WOLFSSL_SESSION_EXPORT_DEBUG
- {
- char debug[256];
- XSNPRINTF(debug, sizeof(debug), "Exporting TLS session\n"
- "\tVersion : %d\n\tProtocol : %02X%01X\n\tLength of: %d\n\n"
- ,(int)WOLFSSL_EXPORT_VERSION, buf[0], (buf[1] >> 4), idx - 2);
- WOLFSSL_MSG(debug);
- }
- #endif /* WOLFSSL_SESSION_EXPORT_DEBUG */
- }
- if (ret >= 0) {
- *sz = ret;
- }
- WOLFSSL_LEAVE("wolfSSL_session_export_internal", ret);
- return ret;
- }
- #endif /* WOLFSSL_SESSION_EXPORT */
- void InitSSL_Method(WOLFSSL_METHOD* method, ProtocolVersion pv)
- {
- method->version = pv;
- method->side = WOLFSSL_CLIENT_END;
- method->downgrade = 0;
- }
- #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) || \
- defined(WOLFSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
- int InitSSL_Side(WOLFSSL* ssl, word16 side)
- {
- if (ssl == NULL)
- return BAD_FUNC_ARG;
- /* set side */
- ssl->options.side = side;
- /* reset options that are side specific */
- #ifdef HAVE_ECC
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- ssl->options.haveECDSAsig = 1; /* always on client side */
- ssl->options.haveECC = 1; /* server turns on with ECC key cert */
- ssl->options.haveStaticECC = 1; /* server can turn on by loading key */
- }
- #elif defined(HAVE_ED25519) || defined(HAVE_ED448)
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- ssl->options.haveECDSAsig = 1; /* always on client side */
- ssl->options.haveECC = 1; /* server turns on with ECC key cert */
- }
- #endif
- #ifdef HAVE_PQC
- #ifdef HAVE_FALCON
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- ssl->options.haveFalconSig = 1; /* always on client side */
- }
- #endif /* HAVE_FALCON */
- #ifdef HAVE_DILITHIUM
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- ssl->options.haveDilithiumSig = 1; /* always on client side */
- }
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- #if defined(HAVE_EXTENDED_MASTER) && !defined(NO_WOLFSSL_CLIENT)
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- if ((ssl->ctx->method->version.major == SSLv3_MAJOR) &&
- (ssl->ctx->method->version.minor >= TLSv1_MINOR)) {
- ssl->options.haveEMS = 1;
- }
- #ifdef WOLFSSL_DTLS
- if (ssl->ctx->method->version.major == DTLS_MAJOR)
- ssl->options.haveEMS = 1;
- #endif /* WOLFSSL_DTLS */
- }
- #endif /* HAVE_EXTENDED_MASTER && !NO_WOLFSSL_CLIENT */
- #if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_SERVER)
- if (ssl->options.dtls && ssl->options.side == WOLFSSL_SERVER_END) {
- int ret;
- ret = wolfSSL_DTLS_SetCookieSecret(ssl, NULL, 0);
- if (ret != 0) {
- WOLFSSL_MSG("DTLS Cookie Secret error");
- return ret;
- }
- }
- #endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */
- return InitSSL_Suites(ssl);
- }
- #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */
- /* Initialize SSL context, return 0 on success */
- int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
- {
- int ret = 0;
- XMEMSET(ctx, 0, sizeof(WOLFSSL_CTX));
- ctx->method = method;
- ctx->heap = ctx; /* defaults to self */
- ctx->timeout = WOLFSSL_SESSION_TIMEOUT;
- #ifdef WOLFSSL_DTLS
- if (method->version.major == DTLS_MAJOR) {
- ctx->minDowngrade = WOLFSSL_MIN_DTLS_DOWNGRADE;
- }
- else
- #endif /* WOLFSSL_DTLS */
- {
- /* current default: TLSv1_MINOR */
- ctx->minDowngrade = WOLFSSL_MIN_DOWNGRADE;
- }
- wolfSSL_RefInit(&ctx->ref, &ret);
- #ifdef WOLFSSL_REFCNT_ERROR_RETURN
- if (ret < 0) {
- WOLFSSL_MSG("Mutex error on CTX init");
- ctx->err = CTX_INIT_MUTEX_E;
- WOLFSSL_ERROR_VERBOSE(BAD_MUTEX_E);
- return BAD_MUTEX_E;
- }
- #else
- (void)ret;
- #endif
- #ifndef NO_CERTS
- ctx->privateKeyDevId = INVALID_DEVID;
- #endif
- #ifndef NO_DH
- ctx->minDhKeySz = MIN_DHKEY_SZ;
- ctx->maxDhKeySz = MAX_DHKEY_SZ;
- #endif
- #ifndef NO_RSA
- ctx->minRsaKeySz = MIN_RSAKEY_SZ;
- #endif
- #ifdef HAVE_ECC
- ctx->minEccKeySz = MIN_ECCKEY_SZ;
- ctx->eccTempKeySz = ECDHE_SIZE;
- #endif
- #ifdef HAVE_PQC
- #ifdef HAVE_FALCON
- ctx->minFalconKeySz = MIN_FALCONKEY_SZ;
- #endif /* HAVE_FALCON */
- #ifdef HAVE_DILITHIUM
- ctx->minDilithiumKeySz = MIN_DILITHIUMKEY_SZ;
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- ctx->verifyDepth = MAX_CHAIN_DEPTH;
- #ifdef OPENSSL_EXTRA
- ctx->cbioFlag = WOLFSSL_CBIO_NONE;
- #endif
- #ifdef HAVE_NETX
- ctx->CBIORecv = NetX_Receive;
- ctx->CBIOSend = NetX_Send;
- #elif defined(WOLFSSL_APACHE_MYNEWT) && !defined(WOLFSSL_LWIP)
- ctx->CBIORecv = Mynewt_Receive;
- ctx->CBIOSend = Mynewt_Send;
- #elif defined WOLFSSL_LWIP_NATIVE
- ctx->CBIORecv = LwIPNativeReceive;
- ctx->CBIOSend = LwIPNativeSend;
- #elif defined(WOLFSSL_GNRC)
- ctx->CBIORecv = GNRC_ReceiveFrom;
- ctx->CBIOSend = GNRC_SendTo;
- #elif defined WOLFSSL_ISOTP
- ctx->CBIORecv = ISOTP_Receive;
- ctx->CBIOSend = ISOTP_Send;
- #elif !defined(WOLFSSL_USER_IO)
- #ifdef MICRIUM
- ctx->CBIORecv = MicriumReceive;
- ctx->CBIOSend = MicriumSend;
- #ifdef WOLFSSL_DTLS
- if (method->version.major == DTLS_MAJOR) {
- ctx->CBIORecv = MicriumReceiveFrom;
- ctx->CBIOSend = MicriumSendTo;
- }
- #ifdef WOLFSSL_SESSION_EXPORT
- #error Micrium port does not support DTLS session export yet
- #endif
- #endif
- #elif defined WOLFSSL_UIP
- ctx->CBIORecv = uIPReceive;
- ctx->CBIOSend = uIPSend;
- #ifdef WOLFSSL_DTLS
- if (method->version.major == DTLS_MAJOR) {
- ctx->CBIOSendTo = uIPSendTo;
- ctx->CBIORecvFrom = uIPRecvFrom;
- }
- #endif
- #else
- ctx->CBIORecv = EmbedReceive;
- ctx->CBIOSend = EmbedSend;
- #ifdef WOLFSSL_SESSION_EXPORT
- ctx->CBGetPeer = EmbedGetPeer;
- ctx->CBSetPeer = EmbedSetPeer;
- #endif
- #ifdef WOLFSSL_DTLS
- if (method->version.major == DTLS_MAJOR) {
- ctx->CBIORecv = EmbedReceiveFrom;
- ctx->CBIOSend = EmbedSendTo;
- }
- #endif
- #endif /* MICRIUM */
- #endif /* WOLFSSL_USER_IO */
- #ifdef HAVE_PQC
- #ifdef HAVE_FALCON
- if (method->side == WOLFSSL_CLIENT_END)
- ctx->haveFalconSig = 1; /* always on client side */
- /* server can turn on by loading key */
- #endif /* HAVE_FALCON */
- #ifdef HAVE_DILITHIUM
- if (method->side == WOLFSSL_CLIENT_END)
- ctx->haveDilithiumSig = 1; /* always on client side */
- /* server can turn on by loading key */
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- #ifdef HAVE_ECC
- if (method->side == WOLFSSL_CLIENT_END) {
- ctx->haveECDSAsig = 1; /* always on client side */
- ctx->haveECC = 1; /* server turns on with ECC key cert */
- ctx->haveStaticECC = 1; /* server can turn on by loading key */
- }
- #elif defined(HAVE_ED25519) || defined(HAVE_ED448)
- if (method->side == WOLFSSL_CLIENT_END) {
- ctx->haveECDSAsig = 1; /* always on client side */
- ctx->haveECC = 1; /* server turns on with ECC key cert */
- }
- #endif
- #ifdef WOLFSSL_QNX_CAAM
- /* default to try using CAAM when built */
- ctx->devId = WOLFSSL_CAAM_DEVID;
- #else
- ctx->devId = INVALID_DEVID;
- #endif
- #if defined(WOLFSSL_DTLS)
- #ifdef WOLFSSL_SCTP
- ctx->dtlsMtuSz = MAX_RECORD_SIZE;
- #elif defined(WOLFSSL_DTLS_MTU)
- ctx->dtlsMtuSz = MAX_MTU;
- #endif
- #endif
- #ifndef NO_CERTS
- ctx->cm = wolfSSL_CertManagerNew_ex(heap);
- if (ctx->cm == NULL) {
- WOLFSSL_MSG("Bad Cert Manager New");
- WOLFSSL_ERROR_VERBOSE(BAD_CERT_MANAGER_ERROR);
- return BAD_CERT_MANAGER_ERROR;
- }
- #ifdef OPENSSL_EXTRA
- /* setup WOLFSSL_X509_STORE */
- ctx->x509_store.cm = ctx->cm;
- /* set pointer back to x509 store */
- ctx->cm->x509_store_p = &ctx->x509_store;
- /* WOLFSSL_X509_VERIFY_PARAM */
- if ((ctx->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC(
- sizeof(WOLFSSL_X509_VERIFY_PARAM),
- heap, DYNAMIC_TYPE_OPENSSL)) == NULL) {
- WOLFSSL_MSG("ctx->param memory error");
- return MEMORY_E;
- }
- XMEMSET(ctx->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM));
- /* WOLFSSL_X509_LOOKUP */
- if ((ctx->x509_store.lookup.dirs =
- (WOLFSSL_BY_DIR*)XMALLOC(sizeof(WOLFSSL_BY_DIR),
- heap, DYNAMIC_TYPE_OPENSSL)) == NULL) {
- WOLFSSL_MSG("ctx-x509_store.lookup.dir memory allocation error");
- XFREE(ctx->param, heap, DYNAMIC_TYPE_OPENSSL);
- ctx->param = NULL;
- return MEMORY_E;
- }
- XMEMSET(ctx->x509_store.lookup.dirs, 0, sizeof(WOLFSSL_BY_DIR));
- if (wc_InitMutex(&ctx->x509_store.lookup.dirs->lock) != 0) {
- WOLFSSL_MSG("Bad mutex init");
- XFREE(ctx->param, heap, DYNAMIC_TYPE_OPENSSL);
- ctx->param = NULL;
- XFREE(ctx->x509_store.lookup.dirs, heap, DYNAMIC_TYPE_OPENSSL);
- ctx->x509_store.lookup.dirs = NULL;
- WOLFSSL_ERROR_VERBOSE(BAD_MUTEX_E);
- return BAD_MUTEX_E;
- }
- #endif
- #endif
- #if defined(HAVE_EXTENDED_MASTER) && !defined(NO_WOLFSSL_CLIENT)
- if (method->side == WOLFSSL_CLIENT_END) {
- if ((method->version.major == SSLv3_MAJOR) &&
- (method->version.minor >= TLSv1_MINOR)) {
- ctx->haveEMS = 1;
- }
- #ifdef WOLFSSL_DTLS
- if (method->version.major == DTLS_MAJOR)
- ctx->haveEMS = 1;
- #endif /* WOLFSSL_DTLS */
- }
- #endif /* HAVE_EXTENDED_MASTER && !NO_WOLFSSL_CLIENT */
- #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER)
- #ifndef WOLFSSL_NO_DEF_TICKET_ENC_CB
- ret = TicketEncCbCtx_Init(ctx, &ctx->ticketKeyCtx);
- if (ret != 0) return ret;
- ctx->ticketEncCb = DefTicketEncCb;
- ctx->ticketEncCtx = (void*)&ctx->ticketKeyCtx;
- #endif
- ctx->ticketHint = SESSION_TICKET_HINT_DEFAULT;
- #if defined(WOLFSSL_TLS13)
- ctx->maxTicketTls13 = 1; /* default to sending a session ticket if compiled
- in */
- #endif
- #endif
- #ifdef WOLFSSL_EARLY_DATA
- ctx->maxEarlyDataSz = MAX_EARLY_DATA_SZ;
- #endif
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- #if defined(WOLFSSL_TLS13) && !defined(HAVE_SUPPORTED_CURVES)
- ctx->noPskDheKe = 1;
- #endif
- #endif
- #if defined(WOLFSSL_QT) && !defined(NO_PSK)
- /* Qt retrieves supported cipher list at initialization
- * from get_cipher_compat().
- * Qt doesn't allow to use a cipher if it is not in the supported list.
- * Therefore, we need to enable PSK cipher at the beginning.
- */
- ctx->havePSK = 1;
- #endif
- ctx->heap = heap; /* wolfSSL_CTX_load_static_memory sets */
- #ifdef HAVE_WOLF_EVENT
- ret = wolfEventQueue_Init(&ctx->event_queue);
- #endif /* HAVE_WOLF_EVENT */
- #ifdef WOLFSSL_MAXQ10XX_TLS
- /* Let maxq10xx know what TLS version we are using. */
- ctx->devId = MAXQ_DEVICE_ID;
- maxq10xx_SetupPkCallbacks(ctx, &method->version);
- #endif /* WOLFSSL_MAXQ10XX_TLS */
- return ret;
- }
- #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data)
- {
- int n_ex_data = (int)(sizeof ex_data->ex_data / sizeof ex_data->ex_data[0]);
- for (--n_ex_data; n_ex_data >= 0; --n_ex_data) {
- if (ex_data->ex_data[n_ex_data] != NULL)
- (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(ex_data, n_ex_data,
- NULL, NULL);
- }
- }
- #endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
- #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
- /* free all ech configs in the list */
- static void FreeEchConfigs(WOLFSSL_EchConfig* configs, void* heap)
- {
- WOLFSSL_EchConfig* working_config = configs;
- WOLFSSL_EchConfig* next_config;
- while (working_config != NULL) {
- next_config = working_config->next;
- XFREE(working_config->cipherSuites, heap, DYNAMIC_TYPE_TMP_BUFFER);
- XFREE(working_config->publicName, heap, DYNAMIC_TYPE_TMP_BUFFER);
- if (working_config->raw != NULL)
- XFREE(working_config->raw, heap, DYNAMIC_TYPE_TMP_BUFFER);
- if (working_config->receiverPrivkey != NULL) {
- wc_HpkeFreeKey(NULL, working_config->kemId,
- working_config->receiverPrivkey, heap);
- }
- XFREE(working_config, heap, DYNAMIC_TYPE_TMP_BUFFER);
- working_config = next_config;
- }
- (void)heap;
- }
- #endif
- /* In case contexts are held in array and don't want to free actual ctx. */
- /* The allocations done in InitSSL_Ctx must be free'd with ctx->onHeapHint
- * logic. A WOLFSSL_CTX can be assigned a static memory heap hint using
- * wolfSSL_CTX_load_static_memory after CTX creation, which means variables
- * allocated in InitSSL_Ctx were allocated from heap and should be free'd with
- * a NULL heap hint. */
- void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
- {
- #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && \
- defined(HAVE_TLS_EXTENSIONS) && !defined(NO_WOLFSSL_SERVER)
- int i;
- #endif
- void* heapAtCTXInit = ctx->heap;
- #ifdef WOLFSSL_STATIC_MEMORY
- if (ctx->onHeapHint == 0) {
- heapAtCTXInit = NULL;
- }
- #endif
- #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data);
- #endif
- #ifdef HAVE_WOLF_EVENT
- wolfEventQueue_Free(&ctx->event_queue);
- #endif /* HAVE_WOLF_EVENT */
- XFREE(ctx->method, heapAtCTXInit, DYNAMIC_TYPE_METHOD);
- ctx->method = NULL;
- if (ctx->suites) {
- XFREE(ctx->suites, ctx->heap, DYNAMIC_TYPE_SUITES);
- ctx->suites = NULL;
- }
- #ifndef NO_DH
- XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- ctx->serverDH_G.buffer = NULL;
- XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- ctx->serverDH_P.buffer = NULL;
- #endif /* !NO_DH */
- #ifdef SINGLE_THREADED
- if (ctx->rng) {
- wc_FreeRng(ctx->rng);
- XFREE(ctx->rng, ctx->heap, DYNAMIC_TYPE_RNG);
- ctx->rng = NULL;
- }
- #endif /* SINGLE_THREADED */
- #ifndef NO_CERTS
- if (ctx->privateKey != NULL && ctx->privateKey->buffer != NULL) {
- ForceZero(ctx->privateKey->buffer, ctx->privateKey->length);
- }
- FreeDer(&ctx->privateKey);
- #ifdef OPENSSL_ALL
- wolfSSL_EVP_PKEY_free(ctx->privateKeyPKey);
- #endif
- FreeDer(&ctx->certificate);
- #ifdef KEEP_OUR_CERT
- if (ctx->ourCert && ctx->ownOurCert) {
- wolfSSL_X509_free(ctx->ourCert);
- ctx->ourCert = NULL;
- }
- #endif /* KEEP_OUR_CERT */
- FreeDer(&ctx->certChain);
- wolfSSL_CertManagerFree(ctx->cm);
- ctx->cm = NULL;
- #ifdef OPENSSL_ALL
- if (ctx->x509_store.objs != NULL) {
- wolfSSL_sk_X509_OBJECT_pop_free(ctx->x509_store.objs, NULL);
- ctx->x509_store.objs = NULL;
- }
- #endif
- #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
- defined(WOLFSSL_WPAS_SMALL)
- wolfSSL_X509_STORE_free(ctx->x509_store_pt);
- #endif
- #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
- wolfSSL_sk_X509_NAME_pop_free(ctx->ca_names, NULL);
- ctx->ca_names = NULL;
- #endif
- #ifdef OPENSSL_EXTRA
- if (ctx->x509Chain) {
- wolfSSL_sk_X509_pop_free(ctx->x509Chain, NULL);
- ctx->x509Chain = NULL;
- }
- #endif
- #endif /* !NO_CERTS */
- #ifdef HAVE_TLS_EXTENSIONS
- #if !defined(NO_TLS)
- TLSX_FreeAll(ctx->extensions, ctx->heap);
- #endif /* !NO_TLS */
- #ifndef NO_WOLFSSL_SERVER
- #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
- || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
- if (ctx->certOcspRequest) {
- FreeOcspRequest(ctx->certOcspRequest);
- XFREE(ctx->certOcspRequest, ctx->heap, DYNAMIC_TYPE_OCSP_REQUEST);
- }
- #endif
- #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
- for (i = 0; i < MAX_CHAIN_DEPTH; i++) {
- if (ctx->chainOcspRequest[i]) {
- FreeOcspRequest(ctx->chainOcspRequest[i]);
- XFREE(ctx->chainOcspRequest[i], ctx->heap, DYNAMIC_TYPE_OCSP_REQUEST);
- ctx->chainOcspRequest[i] = NULL;
- }
- }
- #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
- #endif /* !NO_WOLFSSL_SERVER */
- #endif /* HAVE_TLS_EXTENSIONS */
- #ifdef OPENSSL_EXTRA
- if (ctx->alpn_cli_protos) {
- XFREE((void*)ctx->alpn_cli_protos, ctx->heap, DYNAMIC_TYPE_OPENSSL);
- ctx->alpn_cli_protos = NULL;
- }
- if (ctx->param) {
- XFREE(ctx->param, heapAtCTXInit, DYNAMIC_TYPE_OPENSSL);
- ctx->param = NULL;
- }
- if (ctx->x509_store.lookup.dirs) {
- #if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
- if (ctx->x509_store.lookup.dirs->dir_entry) {
- wolfSSL_sk_BY_DIR_entry_free(ctx->x509_store.lookup.dirs->dir_entry);
- }
- #endif
- wc_FreeMutex(&ctx->x509_store.lookup.dirs->lock);
- XFREE(ctx->x509_store.lookup.dirs, heapAtCTXInit, DYNAMIC_TYPE_OPENSSL);
- }
- #endif
- #ifdef WOLFSSL_STATIC_EPHEMERAL
- #ifndef NO_DH
- FreeDer(&ctx->staticKE.dhKey);
- #endif
- #ifdef HAVE_ECC
- FreeDer(&ctx->staticKE.ecKey);
- #endif
- #ifdef HAVE_CURVE25519
- FreeDer(&ctx->staticKE.x25519Key);
- #endif
- #ifdef HAVE_CURVE448
- FreeDer(&ctx->staticKE.x448Key);
- #endif
- #ifndef SINGLE_THREADED
- if (ctx->staticKELockInit) {
- wc_FreeMutex(&ctx->staticKELock);
- ctx->staticKELockInit = 0;
- }
- #endif
- #endif
- #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
- FreeEchConfigs(ctx->echConfigs, ctx->heap);
- ctx->echConfigs = NULL;
- #endif
- (void)heapAtCTXInit;
- }
- #ifdef WOLFSSL_STATIC_MEMORY
- static void SSL_CtxResourceFreeStaticMem(void* heap)
- {
- if (heap != NULL
- #ifdef WOLFSSL_HEAP_TEST
- /* avoid dereferencing a test value */
- && heap != (void*)WOLFSSL_HEAP_TEST
- #endif
- ) {
- WOLFSSL_HEAP_HINT* hint = (WOLFSSL_HEAP_HINT*)heap;
- WOLFSSL_HEAP* mem = hint->memory;
- wc_FreeMutex(&mem->memory_mutex);
- }
- }
- #endif /* WOLFSSL_STATIC_MEMORY */
- void FreeSSL_Ctx(WOLFSSL_CTX* ctx)
- {
- int isZero;
- int ret;
- void* heap = ctx->heap;
- #ifdef WOLFSSL_STATIC_MEMORY
- if (ctx->onHeapHint == 0) {
- heap = NULL;
- }
- #endif
- /* decrement CTX reference count */
- wolfSSL_RefDec(&ctx->ref, &isZero, &ret);
- #ifdef WOLFSSL_REFCNT_ERROR_RETURN
- if (ret < 0) {
- /* check error state, if mutex error code then mutex init failed but
- * CTX was still malloc'd */
- if (ctx->err == CTX_INIT_MUTEX_E) {
- SSL_CtxResourceFree(ctx);
- XFREE(ctx, heap, DYNAMIC_TYPE_CTX);
- #ifdef WOLFSSL_STATIC_MEMORY
- SSL_CtxResourceFreeStaticMem(heap);
- #endif
- }
- return;
- }
- #else
- (void)ret;
- #endif
- if (isZero) {
- WOLFSSL_MSG("CTX ref count down to 0, doing full free");
- SSL_CtxResourceFree(ctx);
- #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) && \
- !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
- TicketEncCbCtx_Free(&ctx->ticketKeyCtx);
- #endif
- wolfSSL_RefFree(&ctx->ref);
- XFREE(ctx, heap, DYNAMIC_TYPE_CTX);
- #ifdef WOLFSSL_STATIC_MEMORY
- SSL_CtxResourceFreeStaticMem(heap);
- #endif
- }
- else {
- WOLFSSL_MSG("CTX ref count not 0 yet, no free");
- }
- (void)heap; /* not used in some builds */
- }
- /* Set cipher pointers to null */
- void InitCiphers(WOLFSSL* ssl)
- {
- #ifdef BUILD_ARC4
- ssl->encrypt.arc4 = NULL;
- ssl->decrypt.arc4 = NULL;
- #endif
- #ifdef BUILD_DES3
- ssl->encrypt.des3 = NULL;
- ssl->decrypt.des3 = NULL;
- #endif
- #ifdef BUILD_AES
- ssl->encrypt.aes = NULL;
- ssl->decrypt.aes = NULL;
- #endif
- #ifdef HAVE_CAMELLIA
- ssl->encrypt.cam = NULL;
- ssl->decrypt.cam = NULL;
- #endif
- #ifdef HAVE_CHACHA
- ssl->encrypt.chacha = NULL;
- ssl->decrypt.chacha = NULL;
- #endif
- #if defined(HAVE_POLY1305) && defined(HAVE_ONE_TIME_AUTH)
- ssl->auth.poly1305 = NULL;
- #endif
- ssl->encrypt.setup = 0;
- ssl->decrypt.setup = 0;
- #ifdef HAVE_ONE_TIME_AUTH
- ssl->auth.setup = 0;
- #endif
- #ifdef WOLFSSL_DTLS13
- XMEMSET(&ssl->dtlsRecordNumberEncrypt, 0,
- sizeof(ssl->dtlsRecordNumberEncrypt));
- XMEMSET(&ssl->dtlsRecordNumberDecrypt, 0,
- sizeof(ssl->dtlsRecordNumberEncrypt));
- #endif /* WOLFSSL_DTLS13 */
- }
- /* Free ciphers */
- void FreeCiphers(WOLFSSL* ssl)
- {
- (void)ssl;
- #ifdef BUILD_ARC4
- wc_Arc4Free(ssl->encrypt.arc4);
- wc_Arc4Free(ssl->decrypt.arc4);
- XFREE(ssl->encrypt.arc4, ssl->heap, DYNAMIC_TYPE_CIPHER);
- XFREE(ssl->decrypt.arc4, ssl->heap, DYNAMIC_TYPE_CIPHER);
- #endif
- #ifdef BUILD_DES3
- wc_Des3Free(ssl->encrypt.des3);
- wc_Des3Free(ssl->decrypt.des3);
- XFREE(ssl->encrypt.des3, ssl->heap, DYNAMIC_TYPE_CIPHER);
- XFREE(ssl->decrypt.des3, ssl->heap, DYNAMIC_TYPE_CIPHER);
- #endif
- #if defined(BUILD_AES) || defined(BUILD_AESGCM) /* See: InitKeys() in keys.c
- * on addition of BUILD_AESGCM
- * check (enc->aes, dec->aes) */
- wc_AesFree(ssl->encrypt.aes);
- wc_AesFree(ssl->decrypt.aes);
- #if (defined(BUILD_AESGCM) || defined(HAVE_AESCCM)) && \
- !defined(WOLFSSL_NO_TLS12)
- XFREE(ssl->decrypt.additional, ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
- XFREE(ssl->encrypt.additional, ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
- #endif
- XFREE(ssl->encrypt.aes, ssl->heap, DYNAMIC_TYPE_CIPHER);
- XFREE(ssl->decrypt.aes, ssl->heap, DYNAMIC_TYPE_CIPHER);
- #endif
- #ifdef CIPHER_NONCE
- XFREE(ssl->decrypt.nonce, ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
- XFREE(ssl->encrypt.nonce, ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
- #endif
- #ifdef HAVE_CAMELLIA
- XFREE(ssl->encrypt.cam, ssl->heap, DYNAMIC_TYPE_CIPHER);
- XFREE(ssl->decrypt.cam, ssl->heap, DYNAMIC_TYPE_CIPHER);
- #endif
- #ifdef HAVE_CHACHA
- if (ssl->encrypt.chacha)
- ForceZero(ssl->encrypt.chacha, sizeof(ChaCha));
- if (ssl->decrypt.chacha)
- ForceZero(ssl->decrypt.chacha, sizeof(ChaCha));
- XFREE(ssl->encrypt.chacha, ssl->heap, DYNAMIC_TYPE_CIPHER);
- XFREE(ssl->decrypt.chacha, ssl->heap, DYNAMIC_TYPE_CIPHER);
- #endif
- #if defined(HAVE_POLY1305) && defined(HAVE_ONE_TIME_AUTH)
- if (ssl->auth.poly1305)
- ForceZero(ssl->auth.poly1305, sizeof(Poly1305));
- XFREE(ssl->auth.poly1305, ssl->heap, DYNAMIC_TYPE_CIPHER);
- #endif
- #if defined(WOLFSSL_TLS13) && defined(HAVE_NULL_CIPHER)
- wc_HmacFree(ssl->encrypt.hmac);
- wc_HmacFree(ssl->decrypt.hmac);
- XFREE(ssl->encrypt.hmac, ssl->heap, DYNAMIC_TYPE_CIPHER);
- XFREE(ssl->decrypt.hmac, ssl->heap, DYNAMIC_TYPE_CIPHER);
- #endif
- #ifdef WOLFSSL_DTLS13
- #ifdef BUILD_AES
- if (ssl->dtlsRecordNumberEncrypt.aes != NULL) {
- wc_AesFree(ssl->dtlsRecordNumberEncrypt.aes);
- XFREE(ssl->dtlsRecordNumberEncrypt.aes, ssl->heap, DYNAMIC_TYPE_CIPHER);
- ssl->dtlsRecordNumberEncrypt.aes = NULL;
- }
- if (ssl->dtlsRecordNumberDecrypt.aes != NULL) {
- wc_AesFree(ssl->dtlsRecordNumberDecrypt.aes);
- XFREE(ssl->dtlsRecordNumberDecrypt.aes, ssl->heap, DYNAMIC_TYPE_CIPHER);
- ssl->dtlsRecordNumberDecrypt.aes = NULL;
- }
- #endif /* BUILD_AES */
- #ifdef HAVE_CHACHA
- XFREE(ssl->dtlsRecordNumberEncrypt.chacha,
- ssl->heap, DYNAMIC_TYPE_CIPHER);
- XFREE(ssl->dtlsRecordNumberDecrypt.chacha,
- ssl->heap, DYNAMIC_TYPE_CIPHER);
- ssl->dtlsRecordNumberEncrypt.chacha = NULL;
- ssl->dtlsRecordNumberDecrypt.chacha = NULL;
- #endif /* HAVE_CHACHA */
- #endif /* WOLFSSL_DTLS13 */
- }
- void InitCipherSpecs(CipherSpecs* cs)
- {
- XMEMSET(cs, 0, sizeof(CipherSpecs));
- cs->bulk_cipher_algorithm = INVALID_BYTE;
- cs->cipher_type = INVALID_BYTE;
- cs->mac_algorithm = INVALID_BYTE;
- cs->kea = INVALID_BYTE;
- cs->sig_algo = INVALID_BYTE;
- }
- #if defined(USE_ECDSA_KEYSZ_HASH_ALGO) || (defined(WOLFSSL_TLS13) && \
- defined(HAVE_ECC))
- static int GetMacDigestSize(byte macAlgo)
- {
- switch (macAlgo) {
- #ifndef NO_SHA
- case sha_mac:
- return WC_SHA_DIGEST_SIZE;
- #endif
- #ifndef NO_SHA256
- case sha256_mac:
- return WC_SHA256_DIGEST_SIZE;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- return WC_SHA384_DIGEST_SIZE;
- #endif
- #ifdef WOLFSSL_SHA512
- case sha512_mac:
- return WC_SHA512_DIGEST_SIZE;
- #endif
- default:
- break;
- }
- return NOT_COMPILED_IN;
- }
- #endif /* USE_ECDSA_KEYSZ_HASH_ALGO */
- #define ADD_HASH_SIG_ALGO(out, inOutIdx, major, minor) \
- do { \
- if ((out) != NULL) { \
- (out)[*(inOutIdx) ] = (major); \
- (out)[*(inOutIdx) + 1] = (minor); \
- } \
- *(inOutIdx) += 2; \
- } while (0)
- static WC_INLINE void AddSuiteHashSigAlgo(byte* hashSigAlgo, byte macAlgo,
- byte sigAlgo, int keySz, word16* inOutIdx)
- {
- int addSigAlgo = 1;
- #ifdef USE_ECDSA_KEYSZ_HASH_ALGO
- if (sigAlgo == ecc_dsa_sa_algo) {
- int digestSz = GetMacDigestSize(macAlgo);
- /* do not add sig/algos with digest size larger than key size */
- if (digestSz <= 0 || (keySz > 0 && digestSz > keySz)) {
- addSigAlgo = 0;
- }
- }
- #else
- (void)keySz;
- #endif /* USE_ECDSA_KEYSZ_HASH_ALGO */
- if (addSigAlgo) {
- #ifdef HAVE_ED25519
- if (sigAlgo == ed25519_sa_algo) {
- ADD_HASH_SIG_ALGO(hashSigAlgo, inOutIdx,
- ED25519_SA_MAJOR, ED25519_SA_MINOR);
- }
- else
- #endif
- #ifdef HAVE_ED448
- if (sigAlgo == ed448_sa_algo) {
- ADD_HASH_SIG_ALGO(hashSigAlgo, inOutIdx,
- ED448_SA_MAJOR, ED448_SA_MINOR);
- }
- else
- #endif
- #ifdef HAVE_PQC
- #ifdef HAVE_FALCON
- if (sigAlgo == falcon_level1_sa_algo) {
- ADD_HASH_SIG_ALGO(hashSigAlgo, inOutIdx,
- FALCON_LEVEL1_SA_MAJOR, FALCON_LEVEL1_SA_MINOR);
- }
- else
- if (sigAlgo == falcon_level5_sa_algo) {
- ADD_HASH_SIG_ALGO(hashSigAlgo, inOutIdx,
- FALCON_LEVEL5_SA_MAJOR, FALCON_LEVEL5_SA_MINOR);
- }
- else
- #endif /* HAVE_FALCON */
- #ifdef HAVE_DILITHIUM
- if (sigAlgo == dilithium_level2_sa_algo) {
- ADD_HASH_SIG_ALGO(hashSigAlgo, inOutIdx,
- DILITHIUM_LEVEL2_SA_MAJOR, DILITHIUM_LEVEL2_SA_MINOR);
- }
- else
- if (sigAlgo == dilithium_level3_sa_algo) {
- ADD_HASH_SIG_ALGO(hashSigAlgo, inOutIdx,
- DILITHIUM_LEVEL3_SA_MAJOR, DILITHIUM_LEVEL3_SA_MINOR);
- }
- else
- if (sigAlgo == dilithium_level5_sa_algo) {
- ADD_HASH_SIG_ALGO(hashSigAlgo, inOutIdx,
- DILITHIUM_LEVEL5_SA_MAJOR, DILITHIUM_LEVEL5_SA_MINOR);
- }
- else
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- #ifdef WC_RSA_PSS
- if (sigAlgo == rsa_pss_sa_algo) {
- /* RSA PSS is sig then mac */
- ADD_HASH_SIG_ALGO(hashSigAlgo, inOutIdx, sigAlgo, macAlgo);
- #ifdef WOLFSSL_TLS13
- /* Add the certificate algorithm as well */
- ADD_HASH_SIG_ALGO(hashSigAlgo, inOutIdx, sigAlgo,
- PSS_RSAE_TO_PSS_PSS(macAlgo));
- #endif
- }
- else
- #endif
- {
- ADD_HASH_SIG_ALGO(hashSigAlgo, inOutIdx, macAlgo, sigAlgo);
- }
- }
- }
- void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig,
- int haveFalconSig, int haveDilithiumSig, int haveAnon, int tls1_2,
- int keySz)
- {
- InitSuitesHashSigAlgo_ex(suites->hashSigAlgo, haveECDSAsig, haveRSAsig,
- haveFalconSig, haveDilithiumSig, haveAnon, tls1_2, keySz,
- &suites->hashSigAlgoSz);
- }
- void InitSuitesHashSigAlgo_ex(byte* hashSigAlgo, int haveECDSAsig,
- int haveRSAsig, int haveFalconSig, int haveDilithiumSig, int haveAnon,
- int tls1_2, int keySz, word16* len)
- {
- word16 idx = 0;
- (void)tls1_2;
- (void)keySz;
- #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
- if (haveECDSAsig) {
- #ifdef HAVE_ECC
- #ifdef WOLFSSL_SHA512
- AddSuiteHashSigAlgo(hashSigAlgo, sha512_mac, ecc_dsa_sa_algo, keySz,
- &idx);
- #endif
- #ifdef WOLFSSL_SHA384
- AddSuiteHashSigAlgo(hashSigAlgo, sha384_mac, ecc_dsa_sa_algo, keySz,
- &idx);
- #endif
- #ifndef NO_SHA256
- AddSuiteHashSigAlgo(hashSigAlgo, sha256_mac, ecc_dsa_sa_algo, keySz,
- &idx);
- #endif
- #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
- defined(WOLFSSL_ALLOW_TLS_SHA1))
- AddSuiteHashSigAlgo(hashSigAlgo, sha_mac, ecc_dsa_sa_algo, keySz, &idx);
- #endif
- #endif
- #ifdef HAVE_ED25519
- AddSuiteHashSigAlgo(hashSigAlgo, no_mac, ed25519_sa_algo, keySz, &idx);
- #endif
- #ifdef HAVE_ED448
- AddSuiteHashSigAlgo(hashSigAlgo, no_mac, ed448_sa_algo, keySz, &idx);
- #endif
- }
- #endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */
- if (haveFalconSig) {
- #if defined(HAVE_PQC)
- #ifdef HAVE_FALCON
- AddSuiteHashSigAlgo(hashSigAlgo, no_mac, falcon_level1_sa_algo, keySz,
- &idx);
- AddSuiteHashSigAlgo(hashSigAlgo, no_mac, falcon_level5_sa_algo, keySz,
- &idx);
- #endif /* HAVE_FALCON */
- #endif /* HAVE_PQC */
- }
- if (haveDilithiumSig) {
- #if defined(HAVE_PQC)
- #ifdef HAVE_DILITHIUM
- AddSuiteHashSigAlgo(hashSigAlgo, no_mac, dilithium_level2_sa_algo,
- keySz, &idx);
- AddSuiteHashSigAlgo(hashSigAlgo, no_mac, dilithium_level3_sa_algo,
- keySz, &idx);
- AddSuiteHashSigAlgo(hashSigAlgo, no_mac, dilithium_level5_sa_algo,
- keySz, &idx);
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- }
- if (haveRSAsig) {
- #ifdef WC_RSA_PSS
- if (tls1_2) {
- #ifdef WOLFSSL_SHA512
- AddSuiteHashSigAlgo(hashSigAlgo, sha512_mac, rsa_pss_sa_algo, keySz,
- &idx);
- #endif
- #ifdef WOLFSSL_SHA384
- AddSuiteHashSigAlgo(hashSigAlgo, sha384_mac, rsa_pss_sa_algo, keySz,
- &idx);
- #endif
- #ifndef NO_SHA256
- AddSuiteHashSigAlgo(hashSigAlgo, sha256_mac, rsa_pss_sa_algo, keySz,
- &idx);
- #endif
- }
- #endif
- #ifdef WOLFSSL_SHA512
- AddSuiteHashSigAlgo(hashSigAlgo, sha512_mac, rsa_sa_algo, keySz, &idx);
- #endif
- #ifdef WOLFSSL_SHA384
- AddSuiteHashSigAlgo(hashSigAlgo, sha384_mac, rsa_sa_algo, keySz, &idx);
- #endif
- #ifndef NO_SHA256
- AddSuiteHashSigAlgo(hashSigAlgo, sha256_mac, rsa_sa_algo, keySz, &idx);
- #endif
- #ifdef WOLFSSL_SHA224
- AddSuiteHashSigAlgo(hashSigAlgo, sha224_mac, rsa_sa_algo, keySz, &idx);
- #endif
- #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
- defined(WOLFSSL_ALLOW_TLS_SHA1))
- AddSuiteHashSigAlgo(hashSigAlgo, sha_mac, rsa_sa_algo, keySz, &idx);
- #endif
- }
- #ifdef HAVE_ANON
- if (haveAnon) {
- AddSuiteHashSigAlgo(hashSigAlgo, sha_mac, anonymous_sa_algo, keySz,
- &idx);
- }
- #endif
- (void)haveAnon;
- (void)haveECDSAsig;
- *len = idx;
- }
- int AllocateCtxSuites(WOLFSSL_CTX* ctx)
- {
- if (ctx->suites == NULL) {
- ctx->suites = (Suites*)XMALLOC(sizeof(Suites), ctx->heap,
- DYNAMIC_TYPE_SUITES);
- if (ctx->suites == NULL) {
- WOLFSSL_MSG("Memory alloc for Suites failed");
- return MEMORY_ERROR;
- }
- XMEMSET(ctx->suites, 0, sizeof(Suites));
- }
- return 0;
- }
- /* Call this when the ssl object needs to have its own ssl->suites object */
- int AllocateSuites(WOLFSSL* ssl)
- {
- if (ssl->suites == NULL) {
- ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap,
- DYNAMIC_TYPE_SUITES);
- if (ssl->suites == NULL) {
- WOLFSSL_MSG("Suites Memory error");
- return MEMORY_ERROR;
- }
- if (ssl->ctx != NULL && ssl->ctx->suites != NULL)
- XMEMCPY(ssl->suites, ssl->ctx->suites, sizeof(Suites));
- else
- XMEMSET(ssl->suites, 0, sizeof(Suites));
- }
- return 0;
- }
- void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
- word16 havePSK, word16 haveDH, word16 haveECDSAsig,
- word16 haveECC, word16 haveStaticRSA, word16 haveStaticECC,
- word16 haveFalconSig, word16 haveDilithiumSig, word16 haveAnon,
- word16 haveNull, int side)
- {
- word16 idx = 0;
- int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR;
- int tls1_2 = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_2_MINOR;
- #ifdef WOLFSSL_TLS13
- int tls1_3 = IsAtLeastTLSv1_3(pv);
- #endif
- int dtls = 0;
- int haveRSAsig = 1;
- #ifdef WOLFSSL_DTLS
- /* If DTLS v1.2 or later than set tls1_2 flag */
- if (pv.major == DTLS_MAJOR && pv.minor <= DTLSv1_2_MINOR) {
- tls1_2 = 1;
- }
- #endif
- (void)tls; /* shut up compiler */
- (void)tls1_2;
- (void)dtls;
- (void)haveDH;
- (void)havePSK;
- (void)haveStaticRSA;
- (void)haveStaticECC;
- (void)haveECC;
- (void)side;
- (void)haveRSA; /* some builds won't read */
- (void)haveRSAsig; /* non ecc builds won't read */
- (void)haveAnon; /* anon ciphers optional */
- (void)haveNull;
- (void)haveFalconSig;
- (void)haveDilithiumSig;
- if (suites == NULL) {
- WOLFSSL_MSG("InitSuites pointer error");
- return;
- }
- if (suites->setSuites)
- return; /* trust user settings, don't override */
- #ifdef WOLFSSL_TLS13
- #ifdef BUILD_TLS_AES_128_GCM_SHA256
- if (tls1_3) {
- suites->suites[idx++] = TLS13_BYTE;
- suites->suites[idx++] = TLS_AES_128_GCM_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_AES_256_GCM_SHA384
- if (tls1_3) {
- suites->suites[idx++] = TLS13_BYTE;
- suites->suites[idx++] = TLS_AES_256_GCM_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_CHACHA20_POLY1305_SHA256
- if (tls1_3) {
- suites->suites[idx++] = TLS13_BYTE;
- suites->suites[idx++] = TLS_CHACHA20_POLY1305_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_AES_128_CCM_SHA256
- if (tls1_3) {
- suites->suites[idx++] = TLS13_BYTE;
- suites->suites[idx++] = TLS_AES_128_CCM_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_AES_128_CCM_8_SHA256
- if (tls1_3) {
- suites->suites[idx++] = TLS13_BYTE;
- suites->suites[idx++] = TLS_AES_128_CCM_8_SHA256;
- }
- #endif
- #ifdef HAVE_NULL_CIPHER
- #ifdef BUILD_TLS_SHA256_SHA256
- if (tls1_3 && haveNull) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_SHA256_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_SHA384_SHA384
- if (tls1_3 && haveNull) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_SHA384_SHA384;
- }
- #endif
- #endif
- #endif /* WOLFSSL_TLS13 */
- #ifndef WOLFSSL_NO_TLS12
- #if !defined(NO_WOLFSSL_SERVER) && !defined(NO_RSA)
- if (side == WOLFSSL_SERVER_END && haveStaticECC) {
- haveRSA = 0; /* can't do RSA with ECDSA key */
- }
- if (side == WOLFSSL_SERVER_END && haveECDSAsig) {
- haveRSAsig = 0; /* can't have RSA sig if signed by ECDSA */
- }
- #endif /* !NO_WOLFSSL_SERVER */
- #ifdef WOLFSSL_DTLS
- if (pv.major == DTLS_MAJOR) {
- dtls = 1;
- tls = 1;
- /* May be dead assignments dependent upon configuration */
- (void) dtls;
- (void) tls;
- tls1_2 = pv.minor <= DTLSv1_2_MINOR;
- }
- #endif
- #ifdef HAVE_RENEGOTIATION_INDICATION
- if (side == WOLFSSL_CLIENT_END) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- if (tls1_2 && haveECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- if (tls1_2 && haveECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- if (tls1_2 && haveRSA) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- if (tls1_2 && haveRSA) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- if (tls1_2 && haveDH && haveRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- if (tls1_2 && haveDH && haveRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
- if (tls1_2 && haveRSA && haveStaticRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_AES_256_GCM_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
- if (tls1_2 && haveRSA && haveStaticRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_AES_128_GCM_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
- if (tls1_2 && haveECC && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- if (tls1_2 && haveECC && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
- if (tls1_2 && haveRSAsig && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
- if (tls1_2 && haveRSAsig && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
- if (tls1_2 && haveDH && havePSK) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_GCM_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA
- if (tls1_2 && haveDH && haveAnon) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_DH_anon_WITH_AES_256_GCM_SHA384
- if (tls1_2 && haveDH && haveAnon) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DH_anon_WITH_AES_256_GCM_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
- if (tls1_2 && haveDH && havePSK) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_GCM_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384
- if (tls1_2 && havePSK) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_PSK_WITH_AES_256_GCM_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256
- if (tls1_2 && havePSK) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_PSK_WITH_AES_128_GCM_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- if (tls1_2 && haveECC) {
- suites->suites[idx++] = CHACHA_BYTE;
- suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- if (tls1_2 && haveRSA) {
- suites->suites[idx++] = CHACHA_BYTE;
- suites->suites[idx++] = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- if (tls1_2 && haveRSA) {
- suites->suites[idx++] = CHACHA_BYTE;
- suites->suites[idx++] = TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
- }
- #endif
- /* Place as higher priority for MYSQL */
- #if defined(WOLFSSL_MYSQL_COMPATIBLE)
- #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- if (tls && haveDH && haveRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
- }
- #endif
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- if (tls1_2 && haveRSA) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- if (tls1_2 && haveECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
- if (tls1_2 && haveRSAsig && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- if (tls1_2 && haveECC && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- if (tls1_2 && haveRSA) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- if (tls1_2 && haveECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
- if (tls1_2 && haveRSAsig && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- if (tls1_2 && haveECC && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- if (tls && haveECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
- if (tls && haveECC && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- if (tls && haveECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- if (tls && haveECC && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- if (!dtls && tls && haveECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
- if (!dtls && tls && haveECC && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- if (tls && haveECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
- if (tls && haveECC && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- if (tls && haveRSA) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
- if (tls && haveRSAsig && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- if (tls && haveRSA) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
- if (tls && haveRSAsig && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
- if (!dtls && tls && haveRSA) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_RSA_WITH_RC4_128_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
- if (!dtls && tls && haveRSAsig && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_RSA_WITH_RC4_128_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- if (tls && haveRSA) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
- if (tls && haveRSAsig && haveStaticECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM
- if (tls1_2 && haveECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
- if (tls1_2 && haveECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
- if (tls1_2 && haveECC) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8
- if (tls1_2 && haveRSA && haveStaticRSA) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_AES_128_CCM_8;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8
- if (tls1_2 && haveRSA && haveStaticRSA) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_AES_256_CCM_8;
- }
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && haveDH && haveRSA)
- #else
- if (tls && haveDH && haveRSA)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && haveDH && haveRSA)
- #else
- if (tls && haveDH && haveRSA)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256;
- }
- #endif
- /* Place as higher priority for MYSQL testing */
- #if !defined(WOLFSSL_MYSQL_COMPATIBLE)
- #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- if (tls && haveDH && haveRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
- }
- #endif
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- if (tls && haveDH && haveRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- if (tls && haveDH && haveRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && haveRSA && haveStaticRSA)
- #else
- if (tls && haveRSA && haveStaticRSA)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && haveRSA && haveStaticRSA)
- #else
- if (tls && haveRSA && haveStaticRSA)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
- if (tls && haveRSA && haveStaticRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
- if (tls && haveRSA && haveStaticRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256
- if (tls1_2 && haveECC) {
- suites->suites[idx++] = CHACHA_BYTE;
- suites->suites[idx++] =
- TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
- if (tls1_2 && haveRSA) {
- suites->suites[idx++] = CHACHA_BYTE;
- suites->suites[idx++] = TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
- if (tls1_2 && haveRSA) {
- suites->suites[idx++] = CHACHA_BYTE;
- suites->suites[idx++] = TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA
- if (tls && haveECC && haveNull) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_NULL_SHA;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_NULL_MD5
- if (tls && haveRSA && haveNull && haveStaticRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_NULL_MD5;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_NULL_SHA
- if (tls && haveRSA && haveNull && haveStaticRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_NULL_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && haveRSA && haveNull && haveStaticRSA)
- #else
- if (tls && haveRSA && haveNull && haveStaticRSA)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
- if (tls && havePSK) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_PSK_WITH_AES_256_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && haveDH && havePSK)
- #else
- if (tls && haveDH && havePSK)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_CBC_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && havePSK)
- #else
- if (tls && havePSK)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_PSK_WITH_AES_256_CBC_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && haveDH && havePSK)
- #else
- if (tls && haveDH && havePSK)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_CBC_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && havePSK)
- #else
- if (tls1 && havePSK)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_PSK_WITH_AES_128_CBC_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
- if (tls && havePSK) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_PSK_WITH_AES_128_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM
- if (tls && haveDH && havePSK) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_CCM;
- }
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CCM
- if (tls && haveDH && havePSK) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_CCM;
- }
- #endif
- #ifdef BUILD_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && havePSK)
- #else
- if (tls && havePSK)
- #endif
- {
- suites->suites[idx++] = CHACHA_BYTE;
- suites->suites[idx++] = TLS_PSK_WITH_CHACHA20_POLY1305_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && havePSK)
- #else
- if (tls && havePSK)
- #endif
- {
- suites->suites[idx++] = CHACHA_BYTE;
- suites->suites[idx++] = TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && havePSK)
- #else
- if (tls && havePSK)
- #endif
- {
- suites->suites[idx++] = CHACHA_BYTE;
- suites->suites[idx++] = TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && havePSK)
- #else
- if (tls && havePSK)
- #endif
- {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && havePSK)
- #else
- if (tls && havePSK)
- #endif
- {
- suites->suites[idx++] = ECDHE_PSK_BYTE;
- suites->suites[idx++] = TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM
- if (tls && havePSK) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_PSK_WITH_AES_128_CCM;
- }
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_256_CCM
- if (tls && havePSK) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_PSK_WITH_AES_256_CCM;
- }
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8
- if (tls && havePSK) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_PSK_WITH_AES_128_CCM_8;
- }
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8
- if (tls && havePSK) {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_PSK_WITH_AES_256_CCM_8;
- }
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && haveDH && havePSK)
- #else
- if (tls && haveDH && havePSK && haveNull)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_PSK_WITH_NULL_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_PSK_WITH_NULL_SHA384
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && havePSK && haveNull)
- #else
- if (tls && havePSK && haveNull)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA384;
- }
- #endif
- #ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && havePSK && haveNull)
- #else
- if (tls && havePSK && haveNull)
- #endif
- {
- suites->suites[idx++] = ECC_BYTE;
- suites->suites[idx++] = TLS_ECDHE_PSK_WITH_NULL_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && haveDH && havePSK && haveNull)
- #else
- if (tls && haveDH && havePSK && haveNull)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_PSK_WITH_NULL_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && havePSK && haveNull)
- #else
- if (tls && havePSK && haveNull)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_PSK_WITH_NULL_SHA
- if (tls && havePSK && haveNull) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA;
- }
- #endif
- #ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
- if (!dtls && haveRSA && haveStaticRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = SSL_RSA_WITH_RC4_128_SHA;
- }
- #endif
- #ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
- if (!dtls && haveRSA && haveStaticRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = SSL_RSA_WITH_RC4_128_MD5;
- }
- #endif
- #ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
- if (haveRSA && haveStaticRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
- if (tls && haveRSA && haveStaticRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_128_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- if (tls && haveDH && haveRSA && haveStaticRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
- if (tls && haveRSA && haveStaticRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_256_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- if (tls && haveDH && haveRSA && haveStaticRSA) {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && haveRSA && haveStaticRSA)
- #else
- if (tls && haveRSA && haveStaticRSA)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && haveDH && haveRSA && haveStaticRSA)
- #else
- if (tls && haveDH && haveRSA && haveStaticRSA)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && haveRSA && haveStaticRSA)
- #else
- if (tls && haveRSA && haveStaticRSA)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256;
- }
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
- #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
- if (tls1_2 && haveDH && haveRSA && haveStaticRSA)
- #else
- if (tls && haveDH && haveRSA && haveStaticRSA)
- #endif
- {
- suites->suites[idx++] = CIPHER_BYTE;
- suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256;
- }
- #endif
- #endif /* !WOLFSSL_NO_TLS12 */
- suites->suiteSz = idx;
- if (suites->hashSigAlgoSz == 0) {
- InitSuitesHashSigAlgo(suites, haveECDSAsig | haveECC,
- haveRSAsig | haveRSA, haveFalconSig,
- haveDilithiumSig, 0, tls1_2, keySz);
- }
- }
- #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS) || \
- (!defined(NO_WOLFSSL_CLIENT) && (!defined(NO_DH) || defined(HAVE_ECC)))
- /* Decode the signature algorithm.
- *
- * input The encoded signature algorithm.
- * hashalgo The hash algorithm.
- * hsType The signature type.
- */
- static WC_INLINE void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsType)
- {
- *hsType = invalid_sa_algo;
- switch (input[0]) {
- case NEW_SA_MAJOR:
- #ifdef HAVE_ED25519
- /* ED25519: 0x0807 */
- if (input[1] == ED25519_SA_MINOR) {
- *hsType = ed25519_sa_algo;
- /* Hash performed as part of sign/verify operation. */
- *hashAlgo = sha512_mac;
- }
- else
- #endif
- #ifdef HAVE_ED448
- /* ED448: 0x0808 */
- if (input[1] == ED448_SA_MINOR) {
- *hsType = ed448_sa_algo;
- /* Hash performed as part of sign/verify operation. */
- *hashAlgo = sha512_mac;
- }
- else
- #endif
- #ifdef WC_RSA_PSS
- /* PSS PSS signatures: 0x080[9-b] */
- if (input[1] >= pss_sha256 && input[1] <= pss_sha512) {
- *hsType = rsa_pss_pss_algo;
- *hashAlgo = PSS_PSS_HASH_TO_MAC(input[1]);
- }
- else
- #endif
- {
- *hsType = input[0];
- *hashAlgo = input[1];
- }
- break;
- #ifdef HAVE_PQC
- case PQC_SA_MAJOR:
- /* Hash performed as part of sign/verify operation. */
- #ifdef HAVE_FALCON
- if (input[1] == FALCON_LEVEL1_SA_MINOR) {
- *hsType = falcon_level1_sa_algo;
- *hashAlgo = sha512_mac;
- }
- else if (input[1] == FALCON_LEVEL5_SA_MINOR) {
- *hsType = falcon_level5_sa_algo;
- *hashAlgo = sha512_mac;
- }
- #endif /* HAVE_FALCON */
- #ifdef HAVE_DILITHIUM
- if (input[1] == DILITHIUM_LEVEL2_SA_MINOR) {
- *hsType = dilithium_level2_sa_algo;
- *hashAlgo = sha512_mac;
- }
- else if (input[1] == DILITHIUM_LEVEL3_SA_MINOR) {
- *hsType = dilithium_level3_sa_algo;
- *hashAlgo = sha512_mac;
- }
- else if (input[1] == DILITHIUM_LEVEL5_SA_MINOR) {
- *hsType = dilithium_level5_sa_algo;
- *hashAlgo = sha512_mac;
- }
- #endif /* HAVE_DILITHIUM */
- break;
- #endif
- default:
- *hashAlgo = input[0];
- *hsType = input[1];
- break;
- }
- }
- #endif /* !NO_WOLFSSL_SERVER || !NO_CERTS */
- #ifndef WOLFSSL_NO_TLS12
- #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
- #if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448) || (!defined(NO_RSA) && defined(WC_RSA_PSS))
- static enum wc_HashType HashAlgoToType(int hashAlgo)
- {
- switch (hashAlgo) {
- #ifdef WOLFSSL_SHA512
- case sha512_mac:
- return WC_HASH_TYPE_SHA512;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- return WC_HASH_TYPE_SHA384;
- #endif
- #ifndef NO_SHA256
- case sha256_mac:
- return WC_HASH_TYPE_SHA256;
- #endif
- #ifdef WOLFSSL_SHA224
- case sha224_mac:
- return WC_HASH_TYPE_SHA224;
- #endif
- #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
- defined(WOLFSSL_ALLOW_TLS_SHA1))
- case sha_mac:
- return WC_HASH_TYPE_SHA;
- #endif
- default:
- WOLFSSL_MSG("Bad hash sig algo");
- break;
- }
- return WC_HASH_TYPE_NONE;
- }
- #endif /* !NO_DH || HAVE_ECC || (!NO_RSA && WC_RSA_PSS) */
- #endif /* !NO_WOLFSSL_SERVER || !NO_WOLFSSL_CLIENT */
- #endif /* !WOLFSSL_NO_TLS12 */
- #ifndef NO_CERTS
- void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag, void* heap)
- {
- (void)dynamicFlag;
- if (name != NULL) {
- XMEMSET(name, 0, sizeof(WOLFSSL_X509_NAME));
- name->name = name->staticName;
- name->heap = heap;
- name->dynamicName = 0;
- }
- }
- void FreeX509Name(WOLFSSL_X509_NAME* name)
- {
- if (name != NULL) {
- if (name->dynamicName) {
- XFREE(name->name, name->heap, DYNAMIC_TYPE_SUBJECT_CN);
- name->name = NULL;
- }
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- {
- int i;
- for (i = 0; i < MAX_NAME_ENTRIES; i++) {
- if (name->entry[i].object != NULL)
- wolfSSL_ASN1_OBJECT_free(name->entry[i].object);
- if (name->entry[i].value != NULL)
- wolfSSL_ASN1_STRING_free(name->entry[i].value);
- XMEMSET(&name->entry[i], 0, sizeof(WOLFSSL_X509_NAME_ENTRY));
- }
- }
- #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
- #ifdef OPENSSL_ALL
- if (name->entries) {
- wolfSSL_sk_X509_NAME_ENTRY_free(name->entries);
- name->entries = NULL;
- }
- #endif
- }
- }
- /* Initialize wolfSSL X509 type */
- void InitX509(WOLFSSL_X509* x509, int dynamicFlag, void* heap)
- {
- if (x509 == NULL) {
- WOLFSSL_MSG("Null parameter passed in!");
- return;
- }
- XMEMSET(x509, 0, sizeof(WOLFSSL_X509));
- x509->heap = heap;
- InitX509Name(&x509->issuer, 0, heap);
- InitX509Name(&x509->subject, 0, heap);
- x509->dynamicMemory = (byte)dynamicFlag;
- #if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)
- {
- int ret;
- wolfSSL_RefInit(&x509->ref, &ret);
- (void)ret;
- }
- #endif
- }
- /* Free wolfSSL X509 type */
- void FreeX509(WOLFSSL_X509* x509)
- {
- #if defined(WOLFSSL_CERT_REQ) && defined(OPENSSL_ALL) \
- && defined( WOLFSSL_CUSTOM_OID)
- int idx;
- #endif /* WOLFSSL_CERT_REQ && OPENSSL_ALL && WOLFSSL_CUSTOM_OID */
- if (x509 == NULL)
- return;
- FreeX509Name(&x509->issuer);
- FreeX509Name(&x509->subject);
- if (x509->pubKey.buffer) {
- XFREE(x509->pubKey.buffer, x509->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- x509->pubKey.buffer = NULL;
- }
- FreeDer(&x509->derCert);
- XFREE(x509->sig.buffer, x509->heap, DYNAMIC_TYPE_SIGNATURE);
- x509->sig.buffer = NULL;
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- if (x509->authKeyIdSrc != NULL) {
- XFREE(x509->authKeyIdSrc, x509->heap, DYNAMIC_TYPE_X509_EXT);
- }
- else {
- XFREE(x509->authKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT);
- }
- x509->authKeyIdSrc = NULL;
- x509->authKeyId = NULL;
- XFREE(x509->subjKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT);
- x509->subjKeyId = NULL;
- if (x509->authInfo != NULL) {
- XFREE(x509->authInfo, x509->heap, DYNAMIC_TYPE_X509_EXT);
- x509->authInfo = NULL;
- }
- if (x509->rawCRLInfo != NULL) {
- XFREE(x509->rawCRLInfo, x509->heap, DYNAMIC_TYPE_X509_EXT);
- x509->rawCRLInfo = NULL;
- }
- if (x509->CRLInfo != NULL) {
- XFREE(x509->CRLInfo, x509->heap, DYNAMIC_TYPE_X509_EXT);
- x509->CRLInfo = NULL;
- }
- #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
- defined(WOLFSSL_QT)
- if (x509->authInfoCaIssuer != NULL) {
- XFREE(x509->authInfoCaIssuer, x509->heap, DYNAMIC_TYPE_X509_EXT);
- }
- if (x509->ext_sk != NULL) {
- wolfSSL_sk_X509_EXTENSION_pop_free(x509->ext_sk, NULL);
- }
- if (x509->ext_sk_full != NULL) {
- wolfSSL_sk_X509_EXTENSION_pop_free(x509->ext_sk_full, NULL);
- }
- #endif /* OPENSSL_ALL || WOLFSSL_QT */
- #ifdef OPENSSL_EXTRA
- /* Free serialNumber that was set by wolfSSL_X509_get_serialNumber */
- if (x509->serialNumber != NULL) {
- wolfSSL_ASN1_INTEGER_free(x509->serialNumber);
- }
- #endif
- if (x509->extKeyUsageSrc != NULL) {
- XFREE(x509->extKeyUsageSrc, x509->heap, DYNAMIC_TYPE_X509_EXT);
- x509->extKeyUsageSrc= NULL;
- }
- #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
- #if defined(OPENSSL_ALL)
- if (x509->algor.algorithm) {
- wolfSSL_ASN1_OBJECT_free(x509->algor.algorithm);
- x509->algor.algorithm = NULL;
- }
- if (x509->key.algor) {
- wolfSSL_X509_ALGOR_free(x509->key.algor);
- x509->key.algor = NULL;
- }
- if (x509->key.pkey) {
- wolfSSL_EVP_PKEY_free(x509->key.pkey);
- x509->key.pkey = NULL;
- }
- if (x509->subjAltNameSrc != NULL) {
- XFREE(x509->subjAltNameSrc, x509->heap, DYNAMIC_TYPE_X509_EXT);
- x509->subjAltNameSrc= NULL;
- }
- #endif /* OPENSSL_ALL */
- #if defined(WOLFSSL_CERT_REQ) && defined(OPENSSL_ALL)
- if (x509->reqAttributes) {
- wolfSSL_sk_pop_free(x509->reqAttributes, NULL);
- }
- #ifdef WOLFSSL_CUSTOM_OID
- for (idx = 0; idx < x509->customExtCount; idx++) {
- XFREE(x509->custom_exts[idx].oid, x509->heap,
- DYNAMIC_TYPE_X509_EXT);
- XFREE(x509->custom_exts[idx].val, x509->heap,
- DYNAMIC_TYPE_X509_EXT);
- }
- #endif /* WOLFSSL_CUSTOM_OID */
- #endif /* WOLFSSL_CERT_REQ && OPENSSL_ALL */
- if (x509->altNames) {
- FreeAltNames(x509->altNames, x509->heap);
- x509->altNames = NULL;
- }
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
- wolfSSL_RefFree(&x509->ref);
- #endif
- }
- #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
- #if !defined(WOLFSSL_NO_TLS12)
- /* Encode the signature algorithm into buffer.
- *
- * hashalgo The hash algorithm.
- * hsType The signature type.
- * output The buffer to encode into.
- */
- static WC_INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output)
- {
- switch (hsType) {
- #ifdef HAVE_ECC
- case ecc_dsa_sa_algo:
- output[0] = hashAlgo;
- output[1] = ecc_dsa_sa_algo;
- break;
- #endif
- #ifdef HAVE_ED25519
- case ed25519_sa_algo:
- output[0] = ED25519_SA_MAJOR;
- output[1] = ED25519_SA_MINOR;
- (void)hashAlgo;
- break;
- #endif
- #ifdef HAVE_ED448
- case ed448_sa_algo:
- output[0] = ED448_SA_MAJOR;
- output[1] = ED448_SA_MINOR;
- (void)hashAlgo;
- break;
- #endif
- #ifndef NO_RSA
- case rsa_sa_algo:
- output[0] = hashAlgo;
- output[1] = rsa_sa_algo;
- break;
- #ifdef WC_RSA_PSS
- /* PSS signatures: 0x080[4-6] */
- case rsa_pss_sa_algo:
- output[0] = rsa_pss_sa_algo;
- output[1] = hashAlgo;
- break;
- #endif
- #endif
- default:
- break;
- }
- (void)hashAlgo;
- (void)output;
- }
- #endif
- #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_NO_CLIENT_AUTH)
- static void SetDigest(WOLFSSL* ssl, int hashAlgo)
- {
- switch (hashAlgo) {
- #ifndef NO_SHA
- case sha_mac:
- ssl->options.dontFreeDigest = 1;
- ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha;
- ssl->buffers.digest.length = WC_SHA_DIGEST_SIZE;
- break;
- #endif /* !NO_SHA */
- #ifndef NO_SHA256
- case sha256_mac:
- ssl->options.dontFreeDigest = 1;
- ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha256;
- ssl->buffers.digest.length = WC_SHA256_DIGEST_SIZE;
- break;
- #endif /* !NO_SHA256 */
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- ssl->options.dontFreeDigest = 1;
- ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha384;
- ssl->buffers.digest.length = WC_SHA384_DIGEST_SIZE;
- break;
- #endif /* WOLFSSL_SHA384 */
- #ifdef WOLFSSL_SHA512
- case sha512_mac:
- ssl->options.dontFreeDigest = 1;
- ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha512;
- ssl->buffers.digest.length = WC_SHA512_DIGEST_SIZE;
- break;
- #endif /* WOLFSSL_SHA512 */
- default:
- break;
- } /* switch */
- }
- #endif /* !WOLFSSL_NO_TLS12 && !WOLFSSL_NO_CLIENT_AUTH */
- #endif /* !NO_WOLFSSL_SERVER || !NO_WOLFSSL_CLIENT */
- #endif /* !NO_CERTS */
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- static word32 MacSize(WOLFSSL* ssl)
- {
- #ifdef HAVE_TRUNCATED_HMAC
- word32 digestSz = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ
- : ssl->specs.hash_size;
- #else
- word32 digestSz = ssl->specs.hash_size;
- #endif
- return digestSz;
- }
- #endif /* HAVE_ENCRYPT_THEN_MAC && !WOLFSSL_AEAD_ONLY */
- #ifndef NO_RSA
- #if !defined(WOLFSSL_NO_TLS12) || \
- (defined(WC_RSA_PSS) && defined(HAVE_PK_CALLBACKS))
- #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
- static int TypeHash(int hashAlgo)
- {
- switch (hashAlgo) {
- #ifdef WOLFSSL_SHA512
- case sha512_mac:
- return SHA512h;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- return SHA384h;
- #endif
- #ifndef NO_SHA256
- case sha256_mac:
- return SHA256h;
- #endif
- #ifdef WOLFSSL_SHA224
- case sha224_mac:
- return SHA224h;
- #endif
- #ifndef NO_SHA
- case sha_mac:
- return SHAh;
- #endif
- default:
- break;
- }
- return 0;
- }
- #endif /* !NO_WOLFSSL_SERVER && !NO_WOLFSSL_CLIENT */
- #endif /* !WOLFSSL_NO_TLS12 */
- #if defined(WC_RSA_PSS)
- int ConvertHashPss(int hashAlgo, enum wc_HashType* hashType, int* mgf)
- {
- switch (hashAlgo) {
- #ifdef WOLFSSL_SHA512
- case sha512_mac:
- *hashType = WC_HASH_TYPE_SHA512;
- if (mgf != NULL)
- *mgf = WC_MGF1SHA512;
- break;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- *hashType = WC_HASH_TYPE_SHA384;
- if (mgf != NULL)
- *mgf = WC_MGF1SHA384;
- break;
- #endif
- #ifndef NO_SHA256
- case sha256_mac:
- *hashType = WC_HASH_TYPE_SHA256;
- if (mgf != NULL)
- *mgf = WC_MGF1SHA256;
- break;
- #endif
- default:
- return BAD_FUNC_ARG;
- }
- return 0;
- }
- #endif
- #if !defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)
- int RsaSign(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out,
- word32* outSz, int sigAlgo, int hashAlgo, RsaKey* key,
- DerBuffer* keyBufInfo)
- {
- int ret;
- #ifdef HAVE_PK_CALLBACKS
- const byte* keyBuf = NULL;
- word32 keySz = 0;
- if (keyBufInfo) {
- keyBuf = keyBufInfo->buffer;
- keySz = keyBufInfo->length;
- }
- #endif
- (void)ssl;
- (void)keyBufInfo;
- (void)sigAlgo;
- (void)hashAlgo;
- WOLFSSL_ENTER("RsaSign");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- if (key) {
- ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- return ret;
- }
- #endif
- #if defined(WC_RSA_PSS)
- if (sigAlgo == rsa_pss_sa_algo) {
- enum wc_HashType hashType = WC_HASH_TYPE_NONE;
- int mgf = 0;
- ret = ConvertHashPss(hashAlgo, &hashType, &mgf);
- if (ret != 0)
- return ret;
- #if defined(HAVE_PK_CALLBACKS)
- if (ssl->ctx->RsaPssSignCb) {
- void* ctx = wolfSSL_GetRsaPssSignCtx(ssl);
- ret = ssl->ctx->RsaPssSignCb(ssl, in, inSz, out, outSz,
- TypeHash(hashAlgo), mgf,
- keyBuf, keySz, ctx);
- }
- else
- #endif
- {
- ret = wc_RsaPSS_Sign(in, inSz, out, *outSz, hashType, mgf, key,
- ssl->rng);
- }
- }
- else
- #endif
- #if defined(HAVE_PK_CALLBACKS)
- if (ssl->ctx->RsaSignCb) {
- void* ctx = wolfSSL_GetRsaSignCtx(ssl);
- ret = ssl->ctx->RsaSignCb(ssl, in, inSz, out, outSz, keyBuf, keySz,
- ctx);
- }
- else
- #endif /*HAVE_PK_CALLBACKS */
- ret = wc_RsaSSL_Sign(in, inSz, out, *outSz, key, ssl->rng);
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (key && ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- /* For positive response return in outSz */
- if (ret > 0) {
- *outSz = ret;
- ret = 0;
- }
- WOLFSSL_LEAVE("RsaSign", ret);
- return ret;
- }
- #endif
- int RsaVerify(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, int sigAlgo,
- int hashAlgo, RsaKey* key, buffer* keyBufInfo)
- {
- int ret = SIG_VERIFY_E;
- #ifdef HAVE_PK_CALLBACKS
- const byte* keyBuf = NULL;
- word32 keySz = 0;
- if (keyBufInfo) {
- keyBuf = keyBufInfo->buffer;
- keySz = keyBufInfo->length;
- }
- #endif
- (void)ssl;
- (void)keyBufInfo;
- (void)sigAlgo;
- (void)hashAlgo;
- WOLFSSL_ENTER("RsaVerify");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- return ret;
- #endif
- #if defined(WC_RSA_PSS)
- if (sigAlgo == rsa_pss_sa_algo) {
- enum wc_HashType hashType = WC_HASH_TYPE_NONE;
- int mgf = 0;
- ret = ConvertHashPss(hashAlgo, &hashType, &mgf);
- if (ret != 0)
- return ret;
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->RsaPssVerifyCb) {
- void* ctx = wolfSSL_GetRsaPssVerifyCtx(ssl);
- ret = ssl->ctx->RsaPssVerifyCb(ssl, in, inSz, out,
- TypeHash(hashAlgo), mgf,
- keyBuf, keySz, ctx);
- }
- else
- #endif /*HAVE_PK_CALLBACKS */
- ret = wc_RsaPSS_VerifyInline(in, inSz, out, hashType, mgf, key);
- }
- else
- #endif
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->RsaVerifyCb) {
- void* ctx = wolfSSL_GetRsaVerifyCtx(ssl);
- ret = ssl->ctx->RsaVerifyCb(ssl, in, inSz, out, keyBuf, keySz, ctx);
- }
- #if !defined(WOLFSSL_RENESAS_SCEPROTECT) && \
- !defined(WOLFSSL_RENESAS_TSIP_TLS)
- else
- #else
- if (!ssl->ctx->RsaVerifyCb || ret == CRYPTOCB_UNAVAILABLE)
- #endif
- #endif /*HAVE_PK_CALLBACKS */
- {
- ret = wc_RsaSSL_VerifyInline(in, inSz, out, key);
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- WOLFSSL_LEAVE("RsaVerify", ret);
- return ret;
- }
- /* Verify RSA signature, 0 on success */
- /* This function is used to check the sign result */
- int VerifyRsaSign(WOLFSSL* ssl, byte* verifySig, word32 sigSz,
- const byte* plain, word32 plainSz, int sigAlgo, int hashAlgo, RsaKey* key,
- DerBuffer* keyBufInfo)
- {
- byte* out = NULL; /* inline result */
- int ret;
- #ifdef HAVE_PK_CALLBACKS
- const byte* keyBuf = NULL;
- word32 keySz = 0;
- if (keyBufInfo) {
- keyBuf = keyBufInfo->buffer;
- keySz = keyBufInfo->length;
- }
- #endif
- (void)ssl;
- (void)keyBufInfo;
- (void)sigAlgo;
- (void)hashAlgo;
- WOLFSSL_ENTER("VerifyRsaSign");
- if (verifySig == NULL || plain == NULL) {
- return BAD_FUNC_ARG;
- }
- if (sigSz > ENCRYPT_LEN) {
- WOLFSSL_MSG("Signature buffer too big");
- return BUFFER_E;
- }
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- if (key) {
- ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- return ret;
- }
- #endif
- #if defined(WC_RSA_PSS)
- if (sigAlgo == rsa_pss_sa_algo) {
- enum wc_HashType hashType = WC_HASH_TYPE_NONE;
- int mgf = 0;
- ret = ConvertHashPss(hashAlgo, &hashType, &mgf);
- if (ret != 0)
- return ret;
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->RsaPssSignCheckCb) {
- /* The key buffer includes private/public portion,
- but only public is used */
- /* If HSM hardware is checking the signature result you can
- optionally skip the sign check and return 0 */
- /* The ctx here is the RsaSignCtx set using wolfSSL_SetRsaSignCtx */
- void* ctx = wolfSSL_GetRsaPssSignCtx(ssl);
- ret = ssl->ctx->RsaPssSignCheckCb(ssl, verifySig, sigSz, &out,
- TypeHash(hashAlgo), mgf,
- keyBuf, keySz, ctx);
- if (ret > 0) {
- ret = wc_RsaPSS_CheckPadding(plain, plainSz, out, ret,
- hashType);
- if (ret != 0) {
- ret = VERIFY_CERT_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- }
- else
- #endif /* HAVE_PK_CALLBACKS */
- {
- ret = wc_RsaPSS_VerifyInline(verifySig, sigSz, &out, hashType, mgf,
- key);
- if (ret > 0) {
- #ifdef HAVE_SELFTEST
- ret = wc_RsaPSS_CheckPadding(plain, plainSz, out, ret,
- hashType);
- #else
- ret = wc_RsaPSS_CheckPadding_ex(plain, plainSz, out, ret,
- hashType, -1,
- mp_count_bits(&key->n));
- #endif
- if (ret != 0) {
- ret = VERIFY_CERT_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- }
- }
- else
- #endif /* WC_RSA_PSS */
- {
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->RsaSignCheckCb) {
- /* The key buffer includes private/public portion,
- but only public is used */
- /* If HSM hardware is checking the signature result you can
- optionally skip the sign check and return 0 */
- /* The ctx here is the RsaSignCtx set using wolfSSL_SetRsaSignCtx */
- void* ctx = wolfSSL_GetRsaSignCtx(ssl);
- ret = ssl->ctx->RsaSignCheckCb(ssl, verifySig, sigSz, &out,
- keyBuf, keySz, ctx);
- }
- else
- #endif /* HAVE_PK_CALLBACKS */
- {
- ret = wc_RsaSSL_VerifyInline(verifySig, sigSz, &out, key);
- }
- if (ret > 0) {
- if (ret != (int)plainSz || !out ||
- XMEMCMP(plain, out, plainSz) != 0) {
- WOLFSSL_MSG("RSA Signature verification failed");
- ret = RSA_SIGN_FAULT;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- else {
- ret = 0; /* RSA reset */
- }
- }
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (key && ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- WOLFSSL_LEAVE("VerifyRsaSign", ret);
- return ret;
- }
- #ifndef WOLFSSL_NO_TLS12
- #if !defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)
- int RsaDec(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, word32* outSz,
- RsaKey* key, DerBuffer* keyBufInfo)
- {
- byte *outTmp;
- byte mask;
- int ret;
- #ifdef HAVE_PK_CALLBACKS
- const byte* keyBuf = NULL;
- word32 keySz = 0;
- if (keyBufInfo) {
- keyBuf = keyBufInfo->buffer;
- keySz = keyBufInfo->length;
- }
- #endif
- (void)ssl;
- (void)keyBufInfo;
- WOLFSSL_ENTER("RsaDec");
- outTmp = *out;
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- return ret;
- #endif
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->RsaDecCb) {
- void* ctx = wolfSSL_GetRsaDecCtx(ssl);
- ret = ssl->ctx->RsaDecCb(ssl, in, inSz, &outTmp, keyBuf, keySz, ctx);
- }
- else
- #endif /* HAVE_PK_CALLBACKS */
- {
- #ifdef WC_RSA_BLINDING
- ret = wc_RsaSetRNG(key, ssl->rng);
- if (ret != 0)
- return ret;
- #endif
- ret = wc_RsaPrivateDecryptInline(in, inSz, &outTmp, key);
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- mask = ctMaskGT(ret, 0);
- *outSz = (word32)(ret & (int)(sword8)mask);
- ret &= (int)(sword8)(~mask);
- /* Copy pointer */
- ctMaskCopy(mask, (byte*)out, (byte*)&outTmp, sizeof(*out));
- WOLFSSL_LEAVE("RsaDec", ret);
- return ret;
- }
- #endif /* !NO_WOLFSSL_SERVER) || !WOLFSSL_NO_CLIENT_AUTH */
- int RsaEnc(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out, word32* outSz,
- RsaKey* key, buffer* keyBufInfo)
- {
- int ret = BAD_FUNC_ARG;
- #ifdef HAVE_PK_CALLBACKS
- const byte* keyBuf = NULL;
- word32 keySz = 0;
- if (keyBufInfo) {
- keyBuf = keyBufInfo->buffer;
- keySz = keyBufInfo->length;
- }
- #endif
- (void)ssl;
- (void)keyBufInfo;
- WOLFSSL_ENTER("RsaEnc");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- return ret;
- #endif
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->RsaEncCb) {
- void* ctx = wolfSSL_GetRsaEncCtx(ssl);
- ret = ssl->ctx->RsaEncCb(ssl, in, inSz, out, outSz, keyBuf, keySz, ctx);
- }
- #if !defined(WOLFSSL_RENESAS_SCEPROTECT) && \
- !defined(WOLFSSL_RENESAS_TSIP_TLS)
- else
- #else
- if (!ssl->ctx->RsaEncCb || ret == CRYPTOCB_UNAVAILABLE)
- #endif
- #endif /* HAVE_PK_CALLBACKS */
- {
- ret = wc_RsaPublicEncrypt(in, inSz, out, *outSz, key, ssl->rng);
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- /* For positive response return in outSz */
- if (ret > 0) {
- *outSz = ret;
- ret = 0;
- }
- WOLFSSL_LEAVE("RsaEnc", ret);
- return ret;
- }
- #endif /* !WOLFSSL_NO_TLS12 */
- #endif /* NO_RSA */
- #ifdef HAVE_ECC
- int EccSign(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out,
- word32* outSz, ecc_key* key, DerBuffer* keyBufInfo)
- {
- int ret;
- #ifdef HAVE_PK_CALLBACKS
- const byte* keyBuf = NULL;
- word32 keySz = 0;
- if (keyBufInfo) {
- keyBuf = keyBufInfo->buffer;
- keySz = keyBufInfo->length;
- }
- #endif
- (void)ssl;
- (void)keyBufInfo;
- WOLFSSL_ENTER("EccSign");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- if (key) {
- ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- return ret;
- }
- #endif
- #if defined(HAVE_PK_CALLBACKS)
- if (ssl->ctx->EccSignCb) {
- void* ctx = wolfSSL_GetEccSignCtx(ssl);
- if (ctx == NULL) {
- /* Try to get the WOLFSSL_CTX EccSignCtx*/
- ctx = wolfSSL_CTX_GetEccSignCtx(ssl->ctx);
- }
- ret = ssl->ctx->EccSignCb(ssl, in, inSz, out, outSz, keyBuf,
- keySz, ctx);
- #if defined(WOLFSSL_RENESAS_TSIP_TLS)
- if (ret == CRYPTOCB_UNAVAILABLE) {
- ret = wc_ecc_sign_hash(in, inSz, out, outSz, ssl->rng, key);
- }
- #endif /* WOLFSSL_RENESAS_TSIP_TLS */
- }
- else
- #endif /* HAVE_PK_CALLBACKS */
- {
- ret = wc_ecc_sign_hash(in, inSz, out, outSz, ssl->rng, key);
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (key && ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- WOLFSSL_LEAVE("EccSign", ret);
- return ret;
- }
- int EccVerify(WOLFSSL* ssl, const byte* in, word32 inSz, const byte* out,
- word32 outSz, ecc_key* key, buffer* keyBufInfo)
- {
- int ret = SIG_VERIFY_E;
- #ifdef HAVE_PK_CALLBACKS
- const byte* keyBuf = NULL;
- word32 keySz = 0;
- if (keyBufInfo) {
- keyBuf = keyBufInfo->buffer;
- keySz = keyBufInfo->length;
- }
- #endif
- (void)ssl;
- (void)keyBufInfo;
- WOLFSSL_ENTER("EccVerify");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- return ret;
- #endif
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->EccVerifyCb) {
- void* ctx = wolfSSL_GetEccVerifyCtx(ssl);
- ret = ssl->ctx->EccVerifyCb(ssl, in, inSz, out, outSz, keyBuf, keySz,
- &ssl->eccVerifyRes, ctx);
- }
- #if !defined(WOLFSSL_RENESAS_SCEPROTECT) && \
- !defined(WOLFSSL_RENESAS_TSIP_TLS) && \
- !defined(WOLFSSL_MAXQ108X)
- else
- #else
- if (!ssl->ctx->EccVerifyCb || ret == CRYPTOCB_UNAVAILABLE)
- #endif
- #endif /* HAVE_PK_CALLBACKS */
- {
- ret = wc_ecc_verify_hash(in, inSz, out, outSz, &ssl->eccVerifyRes, key);
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
- }
- else
- #endif /* WOLFSSL_ASYNC_CRYPT */
- {
- if (ret != 0 || ssl->eccVerifyRes == 0) {
- if (ret == 0) {
- ret = VERIFY_SIGN_ERROR;
- }
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- else {
- ret = 0;
- }
- }
- WOLFSSL_LEAVE("EccVerify", ret);
- return ret;
- }
- int EccSharedSecret(WOLFSSL* ssl, ecc_key* priv_key, ecc_key* pub_key,
- byte* pubKeyDer, word32* pubKeySz, byte* out, word32* outlen,
- int side)
- {
- int ret;
- #ifdef WOLFSSL_ASYNC_CRYPT
- WC_ASYNC_DEV* asyncDev = NULL;
- #endif
- (void)ssl;
- (void)pubKeyDer;
- (void)pubKeySz;
- (void)side;
- WOLFSSL_ENTER("EccSharedSecret");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- if (priv_key != NULL) {
- asyncDev = &priv_key->asyncDev;
- ret = wolfSSL_AsyncInit(ssl, asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- return ret;
- }
- #endif
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->EccSharedSecretCb) {
- void* ctx = wolfSSL_GetEccSharedSecretCtx(ssl);
- ecc_key* otherKey = (side == WOLFSSL_CLIENT_END) ? pub_key : priv_key;
- ret = ssl->ctx->EccSharedSecretCb(ssl, otherKey, pubKeyDer,
- pubKeySz, out, outlen, side, ctx);
- }
- else
- #endif
- {
- #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \
- !defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2)) && \
- !defined(HAVE_SELFTEST)
- ret = wc_ecc_set_rng(priv_key, ssl->rng);
- if (ret == 0)
- #endif
- {
- PRIVATE_KEY_UNLOCK();
- ret = wc_ecc_shared_secret(priv_key, pub_key, out, outlen);
- PRIVATE_KEY_LOCK();
- }
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- WOLFSSL_LEAVE("EccSharedSecret", ret);
- return ret;
- }
- int EccMakeKey(WOLFSSL* ssl, ecc_key* key, ecc_key* peer)
- {
- int ret = 0;
- int keySz = 0;
- int ecc_curve = ECC_CURVE_DEF;
- WOLFSSL_ENTER("EccMakeKey");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_NONE);
- if (ret != 0)
- return ret;
- #endif
- /* get key size */
- if (peer == NULL || peer->dp == NULL) {
- keySz = ssl->eccTempKeySz;
- /* get curve type */
- if (ssl->ecdhCurveOID > 0) {
- ecc_curve = wc_ecc_get_oid(ssl->ecdhCurveOID, NULL, NULL);
- }
- }
- else {
- keySz = peer->dp->size;
- ecc_curve = peer->dp->id;
- }
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->EccKeyGenCb) {
- void* ctx = wolfSSL_GetEccKeyGenCtx(ssl);
- ret = ssl->ctx->EccKeyGenCb(ssl, key, keySz, ecc_curve, ctx);
- }
- else
- #endif
- {
- ret = wc_ecc_make_key_ex(ssl->rng, keySz, key, ecc_curve);
- }
- /* make sure the curve is set for TLS */
- if (ret == 0 && key->dp) {
- ssl->ecdhCurveOID = key->dp->oidSum;
- #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)
- ssl->namedGroup = 0;
- #endif
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- WOLFSSL_LEAVE("EccMakeKey", ret);
- return ret;
- }
- #endif /* HAVE_ECC */
- #ifdef HAVE_ED25519
- /* Check whether the key contains a public key.
- * If not then pull it out of the leaf certificate.
- *
- * ssl SSL/TLS object.
- * returns MEMORY_E when unable to allocate memory, a parsing error, otherwise
- * 0 on success.
- */
- int Ed25519CheckPubKey(WOLFSSL* ssl)
- {
- #ifndef HAVE_ED25519_KEY_IMPORT
- (void)ssl;
- return NOT_COMPILED_IN;
- #else /* HAVE_ED25519_KEY_IMPORT */
- ed25519_key* key = (ed25519_key*)ssl->hsKey;
- int ret = 0;
- /* Public key required for signing. */
- if (key != NULL && !key->pubKeySet) {
- const unsigned char* pubKey;
- word32 pubKeySz;
- ret = wc_CertGetPubKey(ssl->buffers.certificate->buffer,
- ssl->buffers.certificate->length, &pubKey, &pubKeySz);
- if (ret == 0) {
- ret = wc_ed25519_import_public(pubKey, pubKeySz, key);
- }
- }
- return ret;
- #endif /* HAVE_ED25519_KEY_IMPORT */
- }
- /* Sign the data using EdDSA and key using Ed25519.
- *
- * ssl SSL object.
- * in Data or message to sign.
- * inSz Length of the data.
- * out Buffer to hold signature.
- * outSz On entry, size of the buffer. On exit, the size of the signature.
- * key The private Ed25519 key data.
- * keySz The length of the private key data in bytes.
- * ctx The callback context.
- * returns 0 on success, otherwise the value is an error.
- */
- int Ed25519Sign(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out,
- word32* outSz, ed25519_key* key, DerBuffer* keyBufInfo)
- {
- #ifndef HAVE_ED25519_SIGN
- (void)ssl;
- (void)in;
- (void)inSz;
- (void)out;
- (void)outSz;
- (void)key;
- (void)keyBufInfo;
- return NOT_COMPILED_IN;
- #else /* HAVE_ED25519_SIGN */
- int ret;
- #ifdef HAVE_PK_CALLBACKS
- const byte* keyBuf = NULL;
- word32 keySz = 0;
- if (keyBufInfo) {
- keyBuf = keyBufInfo->buffer;
- keySz = keyBufInfo->length;
- }
- #endif
- (void)ssl;
- (void)keyBufInfo;
- WOLFSSL_ENTER("Ed25519Sign");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- return ret;
- #endif
- #if defined(HAVE_PK_CALLBACKS)
- if (ssl->ctx->Ed25519SignCb) {
- void* ctx = wolfSSL_GetEd25519SignCtx(ssl);
- ret = ssl->ctx->Ed25519SignCb(ssl, in, inSz, out, outSz, keyBuf,
- keySz, ctx);
- }
- else
- #endif /* HAVE_PK_CALLBACKS */
- {
- ret = wc_ed25519_sign_msg(in, inSz, out, outSz, key);
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- WOLFSSL_LEAVE("Ed25519Sign", ret);
- return ret;
- #endif /* HAVE_ED25519_SIGN */
- }
- /* Verify the data using EdDSA and key using Ed25519.
- *
- * ssl SSL object.
- * in Signature data.
- * inSz Length of the signature data in bytes.
- * msg Message to verify.
- * outSz Length of message in bytes.
- * key The public Ed25519 key data.
- * keySz The length of the private key data in bytes.
- * ctx The callback context.
- * returns 0 on success, otherwise the value is an error.
- */
- int Ed25519Verify(WOLFSSL* ssl, const byte* in, word32 inSz, const byte* msg,
- word32 msgSz, ed25519_key* key, buffer* keyBufInfo)
- {
- #ifndef HAVE_ED25519_VERIFY
- (void)ssl;
- (void)in;
- (void)inSz;
- (void)msg;
- (void)msgSz;
- (void)key;
- (void)keyBufInfo;
- return NOT_COMPILED_IN;
- #else /* HAVE_ED25519_VERIFY */
- int ret;
- #ifdef HAVE_PK_CALLBACKS
- const byte* keyBuf = NULL;
- word32 keySz = 0;
- if (keyBufInfo) {
- keyBuf = keyBufInfo->buffer;
- keySz = keyBufInfo->length;
- }
- #endif
- (void)ssl;
- (void)keyBufInfo;
- WOLFSSL_ENTER("Ed25519Verify");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- return ret;
- #endif
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->Ed25519VerifyCb) {
- void* ctx = wolfSSL_GetEd25519VerifyCtx(ssl);
- ret = ssl->ctx->Ed25519VerifyCb(ssl, in, inSz, msg, msgSz, keyBuf,
- keySz, &ssl->eccVerifyRes, ctx);
- }
- else
- #endif /* HAVE_PK_CALLBACKS */
- {
- ret = wc_ed25519_verify_msg(in, inSz, msg, msgSz,
- &ssl->eccVerifyRes, key);
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
- }
- else
- #endif /* WOLFSSL_ASYNC_CRYPT */
- {
- ret = (ret != 0 || ssl->eccVerifyRes == 0) ? VERIFY_SIGN_ERROR : 0;
- }
- WOLFSSL_LEAVE("Ed25519Verify", ret);
- return ret;
- #endif /* HAVE_ED25519_VERIFY */
- }
- #endif /* HAVE_ED25519 */
- #ifndef WOLFSSL_NO_TLS12
- #ifdef HAVE_CURVE25519
- #ifdef HAVE_PK_CALLBACKS
- /* Gets X25519 key for shared secret callback testing
- * Client side: returns peer key
- * Server side: returns private key
- */
- static int X25519GetKey(WOLFSSL* ssl, curve25519_key** otherKey)
- {
- int ret = NO_PEER_KEY;
- struct curve25519_key* tmpKey = NULL;
- if (ssl == NULL || otherKey == NULL) {
- return BAD_FUNC_ARG;
- }
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- if (!ssl->peerX25519Key || !ssl->peerX25519KeyPresent ||
- !ssl->peerX25519Key->dp) {
- return NO_PEER_KEY;
- }
- tmpKey = (struct curve25519_key*)ssl->peerX25519Key;
- }
- else if (ssl->options.side == WOLFSSL_SERVER_END) {
- if (!ssl->eccTempKeyPresent) {
- return NO_PRIVATE_KEY;
- }
- tmpKey = (struct curve25519_key*)ssl->eccTempKey;
- }
- if (tmpKey) {
- *otherKey = (curve25519_key *)tmpKey;
- ret = 0;
- }
- return ret;
- }
- #endif /* HAVE_PK_CALLBACKS */
- static int X25519SharedSecret(WOLFSSL* ssl, curve25519_key* priv_key,
- curve25519_key* pub_key, byte* pubKeyDer, word32* pubKeySz,
- byte* out, word32* outlen, int side)
- {
- int ret;
- (void)ssl;
- (void)pubKeyDer;
- (void)pubKeySz;
- (void)side;
- WOLFSSL_ENTER("X25519SharedSecret");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &priv_key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- return ret;
- #endif
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->X25519SharedSecretCb) {
- curve25519_key* otherKey = NULL;
- ret = X25519GetKey(ssl, &otherKey);
- if (ret == 0) {
- void* ctx = wolfSSL_GetX25519SharedSecretCtx(ssl);
- ret = ssl->ctx->X25519SharedSecretCb(ssl, otherKey, pubKeyDer,
- pubKeySz, out, outlen, side, ctx);
- }
- }
- else
- #endif
- {
- ret = wc_curve25519_shared_secret_ex(priv_key, pub_key, out, outlen,
- EC25519_LITTLE_ENDIAN);
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &priv_key->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- WOLFSSL_LEAVE("X25519SharedSecret", ret);
- return ret;
- }
- static int X25519MakeKey(WOLFSSL* ssl, curve25519_key* key,
- curve25519_key* peer)
- {
- int ret = 0;
- (void)peer;
- WOLFSSL_ENTER("X25519MakeKey");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_NONE);
- if (ret != 0)
- return ret;
- #endif
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->X25519KeyGenCb) {
- void* ctx = wolfSSL_GetX25519KeyGenCtx(ssl);
- ret = ssl->ctx->X25519KeyGenCb(ssl, key, CURVE25519_KEYSIZE, ctx);
- }
- else
- #endif
- {
- ret = wc_curve25519_make_key(ssl->rng, CURVE25519_KEYSIZE, key);
- }
- if (ret == 0) {
- ssl->ecdhCurveOID = ECC_X25519_OID;
- #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)
- ssl->namedGroup = 0;
- #endif
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- WOLFSSL_LEAVE("X25519MakeKey", ret);
- return ret;
- }
- #endif /* HAVE_CURVE25519 */
- #endif /* !WOLFSSL_NO_TLS12 */
- #ifdef HAVE_ED448
- /* Check whether the key contains a public key.
- * If not then pull it out of the leaf certificate.
- *
- * ssl SSL/TLS object.
- * returns MEMORY_E when unable to allocate memory, a parsing error, otherwise
- * 0 on success.
- */
- int Ed448CheckPubKey(WOLFSSL* ssl)
- {
- #ifndef HAVE_ED448_KEY_IMPORT
- (void)ssl;
- return NOT_COMPILED_IN;
- #else /* HAVE_ED448_KEY_IMPORT */
- ed448_key* key = (ed448_key*)ssl->hsKey;
- int ret = 0;
- /* Public key required for signing. */
- if (key != NULL && !key->pubKeySet) {
- const unsigned char* pubKey;
- word32 pubKeySz;
- ret = wc_CertGetPubKey(ssl->buffers.certificate->buffer,
- ssl->buffers.certificate->length, &pubKey, &pubKeySz);
- if (ret == 0) {
- ret = wc_ed448_import_public(pubKey, pubKeySz, key);
- }
- }
- return ret;
- #endif /* HAVE_ED448_KEY_IMPORT */
- }
- /* Sign the data using EdDSA and key using Ed448.
- *
- * ssl SSL object.
- * in Data or message to sign.
- * inSz Length of the data.
- * out Buffer to hold signature.
- * outSz On entry, size of the buffer. On exit, the size of the signature.
- * key The private Ed448 key data.
- * keySz The length of the private key data in bytes.
- * ctx The callback context.
- * returns 0 on success, otherwise the value is an error.
- */
- int Ed448Sign(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out,
- word32* outSz, ed448_key* key, DerBuffer* keyBufInfo)
- {
- #ifndef HAVE_ED448_SIGN
- (void)ssl;
- (void)in;
- (void)inSz;
- (void)out;
- (void)outSz;
- (void)key;
- (void)keyBufInfo;
- return NOT_COMPILED_IN;
- #else /* HAVE_ED448_SIGN */
- int ret;
- #ifdef HAVE_PK_CALLBACKS
- const byte* keyBuf = NULL;
- word32 keySz = 0;
- if (keyBufInfo) {
- keyBuf = keyBufInfo->buffer;
- keySz = keyBufInfo->length;
- }
- #endif
- (void)ssl;
- (void)keyBufInfo;
- WOLFSSL_ENTER("Ed448Sign");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- return ret;
- #endif
- #if defined(HAVE_PK_CALLBACKS)
- if (ssl->ctx->Ed448SignCb) {
- void* ctx = wolfSSL_GetEd448SignCtx(ssl);
- ret = ssl->ctx->Ed448SignCb(ssl, in, inSz, out, outSz, keyBuf, keySz,
- ctx);
- }
- else
- #endif /* HAVE_PK_CALLBACKS */
- {
- ret = wc_ed448_sign_msg(in, inSz, out, outSz, key, NULL, 0);
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- WOLFSSL_LEAVE("Ed448Sign", ret);
- return ret;
- #endif /* HAVE_ED448_SIGN */
- }
- /* Verify the data using EdDSA and key using Ed448.
- *
- * ssl SSL object.
- * in Signature data.
- * inSz Length of the signature data in bytes.
- * msg Message to verify.
- * outSz Length of message in bytes.
- * key The public Ed448 key data.
- * keySz The length of the private key data in bytes.
- * ctx The callback context.
- * returns 0 on success, otherwise the value is an error.
- */
- int Ed448Verify(WOLFSSL* ssl, const byte* in, word32 inSz, const byte* msg,
- word32 msgSz, ed448_key* key, buffer* keyBufInfo)
- {
- #ifndef HAVE_ED448_VERIFY
- (void)ssl;
- (void)in;
- (void)inSz;
- (void)msg;
- (void)msgSz;
- (void)key;
- (void)keyBufInfo;
- return NOT_COMPILED_IN;
- #else /* HAVE_ED448_VERIFY */
- int ret;
- #ifdef HAVE_PK_CALLBACKS
- const byte* keyBuf = NULL;
- word32 keySz = 0;
- if (keyBufInfo) {
- keyBuf = keyBufInfo->buffer;
- keySz = keyBufInfo->length;
- }
- #endif
- (void)ssl;
- (void)keyBufInfo;
- WOLFSSL_ENTER("Ed448Verify");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- return ret;
- #endif
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->Ed448VerifyCb) {
- void* ctx = wolfSSL_GetEd448VerifyCtx(ssl);
- ret = ssl->ctx->Ed448VerifyCb(ssl, in, inSz, msg, msgSz, keyBuf, keySz,
- &ssl->eccVerifyRes, ctx);
- }
- else
- #endif /* HAVE_PK_CALLBACKS */
- {
- ret = wc_ed448_verify_msg(in, inSz, msg, msgSz, &ssl->eccVerifyRes, key,
- NULL, 0);
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
- }
- else
- #endif /* WOLFSSL_ASYNC_CRYPT */
- {
- ret = (ret != 0 || ssl->eccVerifyRes == 0) ? VERIFY_SIGN_ERROR : 0;
- }
- WOLFSSL_LEAVE("Ed448Verify", ret);
- return ret;
- #endif /* HAVE_ED448_VERIFY */
- }
- #endif /* HAVE_ED448 */
- #ifndef WOLFSSL_NO_TLS12
- #ifdef HAVE_CURVE448
- #ifdef HAVE_PK_CALLBACKS
- /* Gets X448 key for shared secret callback testing
- * Client side: returns peer key
- * Server side: returns private key
- */
- static int X448GetKey(WOLFSSL* ssl, curve448_key** otherKey)
- {
- int ret = NO_PEER_KEY;
- struct curve448_key* tmpKey = NULL;
- if (ssl == NULL || otherKey == NULL) {
- return BAD_FUNC_ARG;
- }
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- if (!ssl->peerX448Key || !ssl->peerX448KeyPresent) {
- return NO_PEER_KEY;
- }
- tmpKey = (struct curve448_key*)ssl->peerX448Key;
- }
- else if (ssl->options.side == WOLFSSL_SERVER_END) {
- if (!ssl->eccTempKeyPresent) {
- return NO_PRIVATE_KEY;
- }
- tmpKey = (struct curve448_key*)ssl->eccTempKey;
- }
- if (tmpKey) {
- *otherKey = (curve448_key *)tmpKey;
- ret = 0;
- }
- return ret;
- }
- #endif /* HAVE_PK_CALLBACKS */
- static int X448SharedSecret(WOLFSSL* ssl, curve448_key* priv_key,
- curve448_key* pub_key, byte* pubKeyDer,
- word32* pubKeySz, byte* out, word32* outlen,
- int side)
- {
- int ret;
- (void)ssl;
- (void)pubKeyDer;
- (void)pubKeySz;
- (void)side;
- WOLFSSL_ENTER("X448SharedSecret");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &priv_key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- return ret;
- #endif
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->X448SharedSecretCb) {
- curve448_key* otherKey = NULL;
- ret = X448GetKey(ssl, &otherKey);
- if (ret == 0) {
- void* ctx = wolfSSL_GetX448SharedSecretCtx(ssl);
- ret = ssl->ctx->X448SharedSecretCb(ssl, otherKey, pubKeyDer,
- pubKeySz, out, outlen, side, ctx);
- }
- }
- else
- #endif
- {
- ret = wc_curve448_shared_secret_ex(priv_key, pub_key, out, outlen,
- EC448_LITTLE_ENDIAN);
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &priv_key->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- WOLFSSL_LEAVE("X448SharedSecret", ret);
- return ret;
- }
- static int X448MakeKey(WOLFSSL* ssl, curve448_key* key, curve448_key* peer)
- {
- int ret = 0;
- (void)peer;
- WOLFSSL_ENTER("X448MakeKey");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_NONE);
- if (ret != 0)
- return ret;
- #endif
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->X448KeyGenCb) {
- void* ctx = wolfSSL_GetX448KeyGenCtx(ssl);
- ret = ssl->ctx->X448KeyGenCb(ssl, key, CURVE448_KEY_SIZE, ctx);
- }
- else
- #endif
- {
- ret = wc_curve448_make_key(ssl->rng, CURVE448_KEY_SIZE, key);
- }
- if (ret == 0) {
- ssl->ecdhCurveOID = ECC_X448_OID;
- #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)
- ssl->namedGroup = 0;
- #endif
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- WOLFSSL_LEAVE("X448MakeKey", ret);
- return ret;
- }
- #endif /* HAVE_CURVE448 */
- #endif /* !WOLFSSL_NO_TLS12 */
- #if !defined(NO_CERTS) || !defined(NO_PSK)
- #if !defined(NO_DH)
- int DhGenKeyPair(WOLFSSL* ssl, DhKey* dhKey,
- byte* priv, word32* privSz,
- byte* pub, word32* pubSz)
- {
- int ret;
- WOLFSSL_ENTER("DhGenKeyPair");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &dhKey->asyncDev, WC_ASYNC_FLAG_NONE);
- if (ret != 0)
- return ret;
- #endif
- #if defined(HAVE_PK_CALLBACKS)
- ret = NOT_COMPILED_IN;
- if (ssl && ssl->ctx && ssl->ctx->DhGenerateKeyPairCb) {
- ret = ssl->ctx->DhGenerateKeyPairCb(dhKey, ssl->rng, priv, privSz,
- pub, pubSz);
- }
- if (ret == NOT_COMPILED_IN)
- #endif
- {
- PRIVATE_KEY_UNLOCK();
- ret = wc_DhGenerateKeyPair(dhKey, ssl->rng, priv, privSz, pub, pubSz);
- PRIVATE_KEY_LOCK();
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &dhKey->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- WOLFSSL_LEAVE("DhGenKeyPair", ret);
- return ret;
- }
- int DhAgree(WOLFSSL* ssl, DhKey* dhKey,
- const byte* priv, word32 privSz,
- const byte* otherPub, word32 otherPubSz,
- byte* agree, word32* agreeSz,
- const byte* prime, word32 primeSz)
- {
- int ret;
- (void)ssl;
- WOLFSSL_ENTER("DhAgree");
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &dhKey->asyncDev, WC_ASYNC_FLAG_NONE);
- if (ret != 0)
- return ret;
- #endif
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->DhAgreeCb) {
- void* ctx = wolfSSL_GetDhAgreeCtx(ssl);
- WOLFSSL_MSG("Calling DhAgree Callback Function");
- ret = ssl->ctx->DhAgreeCb(ssl, dhKey, priv, privSz,
- otherPub, otherPubSz, agree, agreeSz, ctx);
- }
- else
- #endif
- {
- #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
- /* check the public key has valid number */
- if (dhKey != NULL && (prime == NULL || primeSz == 0)) {
- /* wc_DhCheckPubKey does not do exponentiation */
- ret = wc_DhCheckPubKey(dhKey, otherPub, otherPubSz);
- }
- else {
- ret = wc_DhCheckPubValue(prime, primeSz, otherPub, otherPubSz);
- }
- if (ret != 0) {
- /* translate to valid error (wc_DhCheckPubValue returns MP_VAL -1) */
- ret = PEER_KEY_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- #ifdef OPENSSL_EXTRA
- SendAlert(ssl, alert_fatal, illegal_parameter);
- #endif
- }
- else
- #endif
- {
- PRIVATE_KEY_UNLOCK();
- ret = wc_DhAgree(dhKey, agree, agreeSz, priv, privSz, otherPub,
- otherPubSz);
- PRIVATE_KEY_LOCK();
- }
- }
- /* Handle async pending response */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &dhKey->asyncDev);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- WOLFSSL_LEAVE("DhAgree", ret);
- (void)prime;
- (void)primeSz;
- return ret;
- }
- #endif /* !NO_DH */
- #endif /* !NO_CERTS || !NO_PSK */
- #ifdef HAVE_PK_CALLBACKS
- int wolfSSL_IsPrivatePkSet(WOLFSSL* ssl)
- {
- int pkcbset = 0;
- (void)ssl;
- #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
- !defined(NO_RSA)
- if (0
- #ifdef HAVE_ECC
- || (ssl->ctx->EccSignCb != NULL &&
- ssl->buffers.keyType == ecc_dsa_sa_algo)
- #endif
- #ifdef HAVE_ED25519
- || (ssl->ctx->Ed25519SignCb != NULL &&
- ssl->buffers.keyType == ed25519_sa_algo)
- #endif
- #ifdef HAVE_ED448
- || (ssl->ctx->Ed448SignCb != NULL &&
- ssl->buffers.keyType == ed448_sa_algo)
- #endif
- #ifndef NO_RSA
- || (ssl->ctx->RsaSignCb != NULL && ssl->buffers.keyType == rsa_sa_algo)
- || (ssl->ctx->RsaDecCb != NULL && ssl->buffers.keyType == rsa_kea)
- #ifdef WC_RSA_PSS
- || (ssl->ctx->RsaPssSignCb != NULL &&
- ssl->buffers.keyType == rsa_pss_sa_algo)
- #endif
- #endif
- ) {
- pkcbset = 1;
- }
- #endif
- return pkcbset;
- }
- int wolfSSL_CTX_IsPrivatePkSet(WOLFSSL_CTX* ctx)
- {
- int pkcbset = 0;
- (void)ctx;
- #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
- !defined(NO_RSA)
- if (0
- #ifdef HAVE_ECC
- || ctx->EccSignCb != NULL
- #endif
- #ifdef HAVE_ED25519
- || ctx->Ed25519SignCb != NULL
- #endif
- #ifdef HAVE_ED448
- || ctx->Ed448SignCb != NULL
- #endif
- #ifndef NO_RSA
- || ctx->RsaSignCb != NULL
- || ctx->RsaDecCb != NULL
- #ifdef WC_RSA_PSS
- || ctx->RsaPssSignCb != NULL
- #endif
- #endif
- ) {
- pkcbset = 1;
- }
- #endif
- return pkcbset;
- }
- #endif /* HAVE_PK_CALLBACKS */
- static void InitSuites_EitherSide(Suites* suites, ProtocolVersion pv, int keySz,
- word16 haveRSA, word16 havePSK, word16 haveDH, word16 haveECDSAsig,
- word16 haveECC, word16 haveStaticECC,
- word16 haveFalconSig, word16 haveDilithiumSig, word16 haveAnon,
- int side)
- {
- /* make sure server has DH parms, and add PSK if there */
- if (side == WOLFSSL_SERVER_END) {
- InitSuites(suites, pv, keySz, haveRSA, havePSK, haveDH, haveECDSAsig,
- haveECC, TRUE, haveStaticECC, haveFalconSig,
- haveDilithiumSig, haveAnon, TRUE, side);
- }
- else {
- InitSuites(suites, pv, keySz, haveRSA, havePSK, TRUE, haveECDSAsig,
- haveECC, TRUE, haveStaticECC, haveFalconSig,
- haveDilithiumSig, haveAnon, TRUE, side);
- }
- }
- void InitSSL_CTX_Suites(WOLFSSL_CTX* ctx)
- {
- int keySz = 0;
- byte havePSK = 0;
- byte haveAnon = 0;
- byte haveRSA = 0;
- #ifndef NO_RSA
- haveRSA = 1;
- #endif
- #ifndef NO_PSK
- havePSK = ctx->havePSK;
- #endif /* NO_PSK */
- #ifdef HAVE_ANON
- haveAnon = ctx->haveAnon;
- #endif /* HAVE_ANON*/
- #ifndef NO_CERTS
- keySz = ctx->privateKeySz;
- #endif
- InitSuites_EitherSide(ctx->suites, ctx->method->version, keySz,
- haveRSA, havePSK, ctx->haveDH, ctx->haveECDSAsig, ctx->haveECC,
- ctx->haveStaticECC, ctx->haveFalconSig, ctx->haveDilithiumSig,
- haveAnon, ctx->method->side);
- }
- int InitSSL_Suites(WOLFSSL* ssl)
- {
- int keySz = 0;
- byte havePSK = 0;
- byte haveAnon = 0;
- byte haveRSA = 0;
- byte haveMcast = 0;
- (void)haveAnon; /* Squash unused var warnings */
- (void)haveMcast;
- if (!ssl)
- return BAD_FUNC_ARG;
- #ifndef NO_RSA
- haveRSA = 1;
- #endif
- #ifndef NO_PSK
- havePSK = (byte)ssl->options.havePSK;
- #endif /* NO_PSK */
- #if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT)
- #ifdef HAVE_ANON
- haveAnon = (byte)ssl->options.haveAnon;
- #endif /* HAVE_ANON*/
- #ifdef WOLFSSL_MULTICAST
- haveMcast = (byte)ssl->options.haveMcast;
- #endif /* WOLFSSL_MULTICAST */
- #endif /* !NO_CERTS && !WOLFSSL_SESSION_EXPORT */
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->options.side == WOLFSSL_SERVER_END)
- ssl->options.maxEarlyDataSz = ssl->ctx->maxEarlyDataSz;
- #endif
- #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
- ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
- (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
- ssl->options.cacheMessages = ssl->options.side == WOLFSSL_SERVER_END ||
- ssl->buffers.keyType == ed25519_sa_algo ||
- ssl->buffers.keyType == ed448_sa_algo;
- #endif
- #ifndef NO_CERTS
- keySz = ssl->buffers.keySz;
- #endif
- if (ssl->suites != NULL) {
- InitSuites_EitherSide(ssl->suites, ssl->version, keySz, haveRSA,
- havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig,
- ssl->options.haveECC, ssl->options.haveStaticECC,
- ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
- ssl->options.haveAnon, ssl->options.side);
- }
- #if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT)
- /* make sure server has cert and key unless using PSK, Anon, or
- * Multicast. This should be true even if just switching ssl ctx */
- if (ssl->options.side == WOLFSSL_SERVER_END &&
- !havePSK && !haveAnon && !haveMcast) {
- /* server certificate must be loaded */
- if (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer) {
- WOLFSSL_MSG("Server missing certificate");
- WOLFSSL_ERROR_VERBOSE(NO_PRIVATE_KEY);
- return NO_PRIVATE_KEY;
- }
- if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
- /* allow no private key if using existing key */
- #ifdef WOLF_PRIVATE_KEY_ID
- if (ssl->devId != INVALID_DEVID
- #ifdef HAVE_PK_CALLBACKS
- || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
- #endif
- ) {
- WOLFSSL_MSG("Allowing no server private key (external)");
- }
- else
- #endif
- {
- WOLFSSL_MSG("Server missing private key");
- WOLFSSL_ERROR_VERBOSE(NO_PRIVATE_KEY);
- return NO_PRIVATE_KEY;
- }
- }
- }
- #endif
- return WOLFSSL_SUCCESS;
- }
- /* This function inherits a WOLFSSL_CTX's fields into an SSL object.
- It is used during initialization and to switch an ssl's CTX with
- wolfSSL_Set_SSL_CTX. Requires ssl->suites alloc and ssl-arrays with PSK
- unless writeDup is on.
- ssl object to initialize
- ctx parent factory
- writeDup flag indicating this is a write dup only
- WOLFSSL_SUCCESS return value on success */
- int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
- {
- int ret;
- byte newSSL;
- WOLFSSL_ENTER("SetSSL_CTX");
- if (!ssl || !ctx)
- return BAD_FUNC_ARG;
- newSSL = ssl->ctx == NULL; /* Assign after null check */
- #ifndef NO_PSK
- if (ctx->server_hint[0] && ssl->arrays == NULL && !writeDup) {
- return BAD_FUNC_ARG; /* needed for copy below */
- }
- #endif
- /* decrement previous CTX reference count if exists.
- * This should only happen if switching ctxs!*/
- if (!newSSL) {
- WOLFSSL_MSG("freeing old ctx to decrement reference count. Switching ctx.");
- wolfSSL_CTX_free(ssl->ctx);
- }
- /* increment CTX reference count */
- wolfSSL_RefInc(&ctx->ref, &ret);
- #ifdef WOLFSSL_REFCNT_ERROR_RETURN
- if (ret < 0) {
- return ret;
- }
- #else
- (void)ret;
- #endif
- ret = WOLFSSL_SUCCESS; /* set default ret */
- ssl->ctx = ctx; /* only for passing to calls, options could change */
- /* Don't change version on a SSL object that has already started a
- * handshake */
- if (!ssl->msgsReceived.got_client_hello &&
- !ssl->msgsReceived.got_server_hello)
- ssl->version = ctx->method->version;
- #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
- ssl->options.mask = ctx->mask;
- ssl->options.minProto = ctx->minProto;
- ssl->options.maxProto = ctx->maxProto;
- #endif
- #ifdef OPENSSL_EXTRA
- #ifdef WOLFSSL_TLS13
- if (ssl->version.minor == TLSv1_3_MINOR &&
- (ssl->options.mask & SSL_OP_NO_TLSv1_3) == SSL_OP_NO_TLSv1_3) {
- if (!ctx->method->downgrade) {
- WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.3 set but not "
- "allowed and downgrading disabled.");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- WOLFSSL_MSG("\tOption set to not allow TLSv1.3, Downgrading");
- ssl->version.minor = TLSv1_2_MINOR;
- }
- #endif
- if (ssl->version.minor == TLSv1_2_MINOR &&
- (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
- if (!ctx->method->downgrade) {
- WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.2 set but not "
- "allowed and downgrading disabled.");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading");
- ssl->version.minor = TLSv1_1_MINOR;
- }
- if (ssl->version.minor == TLSv1_1_MINOR &&
- (ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) {
- if (!ctx->method->downgrade) {
- WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.1 set but not "
- "allowed and downgrading disabled.");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading");
- ssl->options.tls1_1 = 0;
- ssl->version.minor = TLSv1_MINOR;
- }
- if (ssl->version.minor == TLSv1_MINOR &&
- (ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) {
- if (!ctx->method->downgrade) {
- WOLFSSL_MSG("\tInconsistent protocol options. TLS 1 set but not "
- "allowed and downgrading disabled.");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading");
- ssl->options.tls = 0;
- ssl->options.tls1_1 = 0;
- ssl->version.minor = SSLv3_MINOR;
- }
- if (ssl->version.minor == SSLv3_MINOR &&
- (ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) {
- WOLFSSL_MSG("\tError, option set to not allow SSLv3");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- if (ssl->version.minor < ssl->options.minDowngrade) {
- WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- #endif
- #ifdef HAVE_ECC
- ssl->eccTempKeySz = ctx->eccTempKeySz;
- ssl->ecdhCurveOID = ctx->ecdhCurveOID;
- #endif
- #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
- ssl->pkCurveOID = ctx->pkCurveOID;
- #endif
- #ifdef OPENSSL_EXTRA
- ssl->CBIS = ctx->CBIS;
- #endif
- ssl->timeout = ctx->timeout;
- ssl->verifyCallback = ctx->verifyCallback;
- /* If we are setting the ctx on an already initialized SSL object
- * then we possibly already have a side defined. Don't overwrite unless
- * the context has a well defined role. */
- if (newSSL || ctx->method->side != WOLFSSL_NEITHER_END)
- ssl->options.side = ctx->method->side;
- ssl->options.downgrade = ctx->method->downgrade;
- ssl->options.minDowngrade = ctx->minDowngrade;
- ssl->options.haveRSA = ctx->haveRSA;
- ssl->options.haveDH = ctx->haveDH;
- ssl->options.haveECDSAsig = ctx->haveECDSAsig;
- ssl->options.haveECC = ctx->haveECC;
- ssl->options.haveStaticECC = ctx->haveStaticECC;
- ssl->options.haveFalconSig = ctx->haveFalconSig;
- ssl->options.haveDilithiumSig = ctx->haveDilithiumSig;
- #ifndef NO_PSK
- ssl->options.havePSK = ctx->havePSK;
- ssl->options.client_psk_cb = ctx->client_psk_cb;
- ssl->options.server_psk_cb = ctx->server_psk_cb;
- ssl->options.psk_ctx = ctx->psk_ctx;
- #ifdef WOLFSSL_TLS13
- ssl->options.client_psk_cs_cb = ctx->client_psk_cs_cb;
- ssl->options.client_psk_tls13_cb = ctx->client_psk_tls13_cb;
- ssl->options.server_psk_tls13_cb = ctx->server_psk_tls13_cb;
- #endif
- #endif /* NO_PSK */
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->options.side == WOLFSSL_SERVER_END)
- ssl->options.maxEarlyDataSz = ctx->maxEarlyDataSz;
- #endif
- #ifdef HAVE_ANON
- ssl->options.haveAnon = ctx->haveAnon;
- #endif
- #ifndef NO_DH
- ssl->options.minDhKeySz = ctx->minDhKeySz;
- ssl->options.maxDhKeySz = ctx->maxDhKeySz;
- #endif
- #ifndef NO_RSA
- ssl->options.minRsaKeySz = ctx->minRsaKeySz;
- #endif
- #ifdef HAVE_ECC
- ssl->options.minEccKeySz = ctx->minEccKeySz;
- #endif
- #ifdef HAVE_PQC
- #ifdef HAVE_FALCON
- ssl->options.minFalconKeySz = ctx->minFalconKeySz;
- #endif /* HAVE_FALCON */
- #ifdef HAVE_DILITHIUM
- ssl->options.minDilithiumKeySz = ctx->minDilithiumKeySz;
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- ssl->options.verifyDepth = ctx->verifyDepth;
- #endif
- ssl->options.sessionCacheOff = ctx->sessionCacheOff;
- ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff;
- #ifdef HAVE_EXT_CACHE
- ssl->options.internalCacheOff = ctx->internalCacheOff;
- ssl->options.internalCacheLookupOff = ctx->internalCacheLookupOff;
- #endif
- ssl->options.verifyPeer = ctx->verifyPeer;
- ssl->options.verifyNone = ctx->verifyNone;
- ssl->options.failNoCert = ctx->failNoCert;
- ssl->options.failNoCertxPSK = ctx->failNoCertxPSK;
- ssl->options.sendVerify = ctx->sendVerify;
- ssl->options.partialWrite = ctx->partialWrite;
- ssl->options.quietShutdown = ctx->quietShutdown;
- ssl->options.groupMessages = ctx->groupMessages;
- #ifndef NO_DH
- #if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
- !defined(HAVE_SELFTEST)
- ssl->options.dhKeyTested = ctx->dhKeyTested;
- #endif
- ssl->buffers.serverDH_P = ctx->serverDH_P;
- ssl->buffers.serverDH_G = ctx->serverDH_G;
- #endif
- #ifndef NO_CERTS
- /* ctx still owns certificate, certChain, key, dh, and cm */
- ssl->buffers.certificate = ctx->certificate;
- ssl->buffers.certChain = ctx->certChain;
- #ifdef WOLFSSL_TLS13
- ssl->buffers.certChainCnt = ctx->certChainCnt;
- #endif
- ssl->buffers.key = ctx->privateKey;
- ssl->buffers.keyType = ctx->privateKeyType;
- ssl->buffers.keyId = ctx->privateKeyId;
- ssl->buffers.keyLabel = ctx->privateKeyLabel;
- ssl->buffers.keySz = ctx->privateKeySz;
- ssl->buffers.keyDevId = ctx->privateKeyDevId;
- #endif
- #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
- ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
- (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
- ssl->options.cacheMessages = ssl->options.side == WOLFSSL_SERVER_END ||
- ssl->buffers.keyType == ed25519_sa_algo ||
- ssl->buffers.keyType == ed448_sa_algo;
- #endif
- #ifdef WOLFSSL_ASYNC_CRYPT
- ssl->devId = ctx->devId;
- #endif
- if (writeDup == 0) {
- #ifndef NO_PSK
- if (ctx->server_hint[0]) { /* set in CTX */
- XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint,
- sizeof(ssl->arrays->server_hint));
- ssl->arrays->server_hint[MAX_PSK_ID_LEN] = '\0'; /* null term */
- }
- #endif /* NO_PSK */
- if (ssl->suites != NULL) {
- if (ctx->suites == NULL)
- XMEMSET(ssl->suites, 0, sizeof(Suites));
- else
- XMEMCPY(ssl->suites, ctx->suites, sizeof(Suites));
- }
- if (ssl->options.side != WOLFSSL_NEITHER_END) {
- /* Defer initializing suites until accept or connect */
- ret = InitSSL_Suites(ssl);
- }
- } /* writeDup check */
- if (ctx->mask != 0 && wolfSSL_set_options(ssl, ctx->mask) == 0) {
- WOLFSSL_MSG("wolfSSL_set_options error");
- return BAD_FUNC_ARG;
- }
- #ifdef WOLFSSL_SESSION_EXPORT
- #ifdef WOLFSSL_DTLS
- ssl->dtls_export = ctx->dtls_export; /* export function for session */
- #endif
- #endif
- #ifdef WOLFSSL_WOLFSENTRY_HOOKS
- ssl->AcceptFilter = ctx->AcceptFilter;
- ssl->AcceptFilter_arg = ctx->AcceptFilter_arg;
- ssl->ConnectFilter = ctx->ConnectFilter;
- ssl->ConnectFilter_arg = ctx->ConnectFilter_arg;
- #endif
- #ifdef OPENSSL_EXTRA
- ssl->readAhead = ctx->readAhead;
- #endif
- #if defined(OPENSSL_EXTRA) && !defined(NO_BIO)
- /* Don't change recv callback if currently using BIO's */
- if (ssl->CBIORecv != BioReceive)
- #endif
- ssl->CBIORecv = ctx->CBIORecv;
- #if defined(OPENSSL_EXTRA) && !defined(NO_BIO)
- /* Don't change send callback if currently using BIO's */
- if (ssl->CBIOSend != BioSend)
- #endif
- ssl->CBIOSend = ctx->CBIOSend;
- ssl->verifyDepth = ctx->verifyDepth;
- return ret;
- }
- int InitHandshakeHashes(WOLFSSL* ssl)
- {
- int ret;
- /* make sure existing handshake hashes are free'd */
- if (ssl->hsHashes != NULL) {
- FreeHandshakeHashes(ssl);
- }
- /* allocate handshake hashes */
- ssl->hsHashes = (HS_Hashes*)XMALLOC(sizeof(HS_Hashes), ssl->heap,
- DYNAMIC_TYPE_HASHES);
- if (ssl->hsHashes == NULL) {
- WOLFSSL_MSG("HS_Hashes Memory error");
- return MEMORY_E;
- }
- XMEMSET(ssl->hsHashes, 0, sizeof(HS_Hashes));
- #ifndef NO_OLD_TLS
- #ifndef NO_MD5
- ret = wc_InitMd5_ex(&ssl->hsHashes->hashMd5, ssl->heap, ssl->devId);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_HASH_FLAGS
- wc_Md5SetFlags(&ssl->hsHashes->hashMd5, WC_HASH_FLAG_WILLCOPY);
- #endif
- #endif
- #ifndef NO_SHA
- ret = wc_InitSha_ex(&ssl->hsHashes->hashSha, ssl->heap, ssl->devId);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_HASH_FLAGS
- wc_ShaSetFlags(&ssl->hsHashes->hashSha, WC_HASH_FLAG_WILLCOPY);
- #endif
- #endif
- #endif /* !NO_OLD_TLS */
- #ifndef NO_SHA256
- ret = wc_InitSha256_ex(&ssl->hsHashes->hashSha256, ssl->heap, ssl->devId);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_HASH_FLAGS
- wc_Sha256SetFlags(&ssl->hsHashes->hashSha256, WC_HASH_FLAG_WILLCOPY);
- #endif
- #endif
- #ifdef WOLFSSL_SHA384
- ret = wc_InitSha384_ex(&ssl->hsHashes->hashSha384, ssl->heap, ssl->devId);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_HASH_FLAGS
- wc_Sha384SetFlags(&ssl->hsHashes->hashSha384, WC_HASH_FLAG_WILLCOPY);
- #endif
- #endif
- #ifdef WOLFSSL_SHA512
- ret = wc_InitSha512_ex(&ssl->hsHashes->hashSha512, ssl->heap, ssl->devId);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_HASH_FLAGS
- wc_Sha512SetFlags(&ssl->hsHashes->hashSha512, WC_HASH_FLAG_WILLCOPY);
- #endif
- #endif
- return ret;
- }
- void FreeHandshakeHashes(WOLFSSL* ssl)
- {
- if (ssl->hsHashes) {
- #ifndef NO_OLD_TLS
- #ifndef NO_MD5
- wc_Md5Free(&ssl->hsHashes->hashMd5);
- #endif
- #ifndef NO_SHA
- wc_ShaFree(&ssl->hsHashes->hashSha);
- #endif
- #endif /* !NO_OLD_TLS */
- #ifndef NO_SHA256
- wc_Sha256Free(&ssl->hsHashes->hashSha256);
- #endif
- #ifdef WOLFSSL_SHA384
- wc_Sha384Free(&ssl->hsHashes->hashSha384);
- #endif
- #ifdef WOLFSSL_SHA512
- wc_Sha512Free(&ssl->hsHashes->hashSha512);
- #endif
- #if (defined(HAVE_ED25519) || defined(HAVE_ED448)) && \
- !defined(WOLFSSL_NO_CLIENT_AUTH)
- if (ssl->hsHashes->messages != NULL) {
- ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length);
- XFREE(ssl->hsHashes->messages, ssl->heap, DYNAMIC_TYPE_HASHES);
- ssl->hsHashes->messages = NULL;
- }
- #endif
- XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES);
- ssl->hsHashes = NULL;
- }
- }
- /* copy the hashes from source to a newly made destination return status */
- int InitHandshakeHashesAndCopy(WOLFSSL* ssl, HS_Hashes* source,
- HS_Hashes** destination)
- {
- int ret = 0;
- HS_Hashes* tmpHashes;
- if (source == NULL)
- return BAD_FUNC_ARG;
- /* save the original so we can put it back afterward */
- tmpHashes = ssl->hsHashes;
- ssl->hsHashes = NULL;
- InitHandshakeHashes(ssl);
- *destination = ssl->hsHashes;
- ssl->hsHashes = tmpHashes;
- /* now copy the source contents to the destination */
- #ifndef NO_OLD_TLS
- #ifndef NO_SHA
- ret = wc_ShaCopy(&source->hashSha, &(*destination)->hashSha);
- #endif
- #ifndef NO_MD5
- if (ret == 0)
- ret = wc_Md5Copy(&source->hashMd5, &(*destination)->hashMd5);
- #endif
- #endif /* !NO_OLD_TLS */
- #ifndef NO_SHA256
- if (ret == 0)
- ret = wc_Sha256Copy(&source->hashSha256,
- &(*destination)->hashSha256);
- #endif
- #ifdef WOLFSSL_SHA384
- if (ret == 0)
- ret = wc_Sha384Copy(&source->hashSha384,
- &(*destination)->hashSha384);
- #endif
- #ifdef WOLFSSL_SHA512
- if (ret == 0)
- ret = wc_Sha512Copy(&source->hashSha512,
- &(*destination)->hashSha512);
- #endif
- #if (defined(HAVE_ED25519) || defined(HAVE_ED448)) && \
- !defined(WOLFSSL_NO_CLIENT_AUTH)
- if (ret == 0 && source->messages != NULL) {
- (*destination)->messages = (byte*)XMALLOC(source->length, ssl->heap,
- DYNAMIC_TYPE_HASHES);
- (*destination)->length = source->length;
- (*destination)->prevLen = source->prevLen;
- if ((*destination)->messages == NULL) {
- ret = MEMORY_E;
- }
- else {
- XMEMCPY((*destination)->messages, source->messages,
- source->length);
- }
- }
- #endif
- return ret;
- }
- /* called if user attempts to re-use WOLFSSL object for a new session.
- * For example wolfSSL_clear() is called then wolfSSL_connect or accept */
- int ReinitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
- {
- int ret = 0;
- WOLFSSL_ENTER("ReinitSSL");
- /* arrays */
- if (!writeDup && ssl->arrays == NULL) {
- ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap,
- DYNAMIC_TYPE_ARRAYS);
- if (ssl->arrays == NULL) {
- WOLFSSL_MSG("Arrays Memory error");
- return MEMORY_E;
- }
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("SSL Arrays", ssl->arrays, sizeof(*ssl->arrays));
- #endif
- XMEMSET(ssl->arrays, 0, sizeof(Arrays));
- #if defined(WOLFSSL_TLS13) || defined(WOLFSSL_SNIFFER)
- ssl->arrays->preMasterSz = ENCRYPT_LEN;
- ssl->arrays->preMasterSecret = (byte*)XMALLOC(ENCRYPT_LEN, ssl->heap,
- DYNAMIC_TYPE_SECRET);
- if (ssl->arrays->preMasterSecret == NULL) {
- return MEMORY_E;
- }
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("SSL Arrays", ssl->arrays->preMasterSecret, ENCRYPT_LEN);
- #endif
- XMEMSET(ssl->arrays->preMasterSecret, 0, ENCRYPT_LEN);
- #endif
- }
- /* RNG */
- #ifdef SINGLE_THREADED
- if (ssl->rng == NULL) {
- ssl->rng = ctx->rng; /* CTX may have one, if so use it */
- }
- #endif
- if (ssl->rng == NULL) {
- ssl->rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), ssl->heap,DYNAMIC_TYPE_RNG);
- if (ssl->rng == NULL) {
- WOLFSSL_MSG("RNG Memory error");
- return MEMORY_E;
- }
- XMEMSET(ssl->rng, 0, sizeof(WC_RNG));
- ssl->options.weOwnRng = 1;
- /* FIPS RNG API does not accept a heap hint */
- #ifndef HAVE_FIPS
- if ( (ret = wc_InitRng_ex(ssl->rng, ssl->heap, ssl->devId)) != 0) {
- WOLFSSL_MSG("RNG Init error");
- return ret;
- }
- #else
- if ( (ret = wc_InitRng(ssl->rng)) != 0) {
- WOLFSSL_MSG("RNG Init error");
- return ret;
- }
- #endif
- }
- (void)ctx;
- ssl->options.shutdownDone = 0;
- if (ssl->session != NULL)
- ssl->session->side = (byte)ssl->options.side;
- return ret;
- }
- /* init everything to 0, NULL, default values before calling anything that may
- fail so that destructor has a "good" state to cleanup
- ssl object to initialize
- ctx parent factory
- writeDup flag indicating this is a write dup only
- 0 on success */
- int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
- {
- int ret;
- XMEMSET(ssl, 0, sizeof(WOLFSSL));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("SSL Keys", &ssl->keys, sizeof(ssl->keys));
- #ifdef WOLFSSL_TLS13
- wc_MemZero_Add("SSL client secret", &ssl->clientSecret,
- sizeof(ssl->clientSecret));
- wc_MemZero_Add("SSL client secret", &ssl->serverSecret,
- sizeof(ssl->serverSecret));
- #endif
- #ifdef WOLFSSL_HAVE_TLS_UNIQUE
- wc_MemZero_Add("ClientFinished hash", &ssl->clientFinished,
- TLS_FINISHED_SZ_MAX);
- wc_MemZero_Add("ServerFinished hash", &ssl->serverFinished,
- TLS_FINISHED_SZ_MAX);
- #endif
- #endif
- #if defined(WOLFSSL_STATIC_MEMORY)
- if (ctx->heap != NULL) {
- WOLFSSL_HEAP_HINT* ssl_hint;
- WOLFSSL_HEAP_HINT* ctx_hint;
- /* avoid dereferencing a test value */
- #ifdef WOLFSSL_HEAP_TEST
- if (ctx->heap == (void*)WOLFSSL_HEAP_TEST) {
- ssl->heap = ctx->heap;
- }
- else {
- #endif
- ssl->heap = (WOLFSSL_HEAP_HINT*)XMALLOC(sizeof(WOLFSSL_HEAP_HINT),
- ctx->heap, DYNAMIC_TYPE_SSL);
- if (ssl->heap == NULL) {
- return MEMORY_E;
- }
- XMEMSET(ssl->heap, 0, sizeof(WOLFSSL_HEAP_HINT));
- ssl_hint = ((WOLFSSL_HEAP_HINT*)(ssl->heap));
- ctx_hint = ((WOLFSSL_HEAP_HINT*)(ctx->heap));
- /* lock and check IO count / handshake count */
- if (wc_LockMutex(&(ctx_hint->memory->memory_mutex)) != 0) {
- WOLFSSL_MSG("Bad memory_mutex lock");
- XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL);
- ssl->heap = NULL; /* free and set to NULL for IO counter */
- WOLFSSL_ERROR_VERBOSE(BAD_MUTEX_E);
- return BAD_MUTEX_E;
- }
- if (ctx_hint->memory->maxHa > 0 &&
- ctx_hint->memory->maxHa <= ctx_hint->memory->curHa) {
- WOLFSSL_MSG("At max number of handshakes for static memory");
- wc_UnLockMutex(&(ctx_hint->memory->memory_mutex));
- XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL);
- ssl->heap = NULL; /* free and set to NULL for IO counter */
- return MEMORY_E;
- }
- if (ctx_hint->memory->maxIO > 0 &&
- ctx_hint->memory->maxIO <= ctx_hint->memory->curIO) {
- WOLFSSL_MSG("At max number of IO allowed for static memory");
- wc_UnLockMutex(&(ctx_hint->memory->memory_mutex));
- XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL);
- ssl->heap = NULL; /* free and set to NULL for IO counter */
- return MEMORY_E;
- }
- ctx_hint->memory->curIO++;
- ctx_hint->memory->curHa++;
- ssl_hint->memory = ctx_hint->memory;
- ssl_hint->haFlag = 1;
- wc_UnLockMutex(&(ctx_hint->memory->memory_mutex));
- /* check if tracking stats */
- if (ctx_hint->memory->flag & WOLFMEM_TRACK_STATS) {
- ssl_hint->stats = (WOLFSSL_MEM_CONN_STATS*)XMALLOC(
- sizeof(WOLFSSL_MEM_CONN_STATS), ctx->heap, DYNAMIC_TYPE_SSL);
- if (ssl_hint->stats == NULL) {
- return MEMORY_E;
- }
- XMEMSET(ssl_hint->stats, 0, sizeof(WOLFSSL_MEM_CONN_STATS));
- }
- /* check if using fixed IO buffers */
- if (ctx_hint->memory->flag & WOLFMEM_IO_POOL_FIXED) {
- if (wc_LockMutex(&(ctx_hint->memory->memory_mutex)) != 0) {
- WOLFSSL_MSG("Bad memory_mutex lock");
- WOLFSSL_ERROR_VERBOSE(BAD_MUTEX_E);
- return BAD_MUTEX_E;
- }
- if (SetFixedIO(ctx_hint->memory, &(ssl_hint->inBuf)) != 1) {
- wc_UnLockMutex(&(ctx_hint->memory->memory_mutex));
- return MEMORY_E;
- }
- if (SetFixedIO(ctx_hint->memory, &(ssl_hint->outBuf)) != 1) {
- wc_UnLockMutex(&(ctx_hint->memory->memory_mutex));
- return MEMORY_E;
- }
- if (ssl_hint->outBuf == NULL || ssl_hint->inBuf == NULL) {
- WOLFSSL_MSG("Not enough memory to create fixed IO buffers");
- wc_UnLockMutex(&(ctx_hint->memory->memory_mutex));
- return MEMORY_E;
- }
- wc_UnLockMutex(&(ctx_hint->memory->memory_mutex));
- }
- #ifdef WOLFSSL_HEAP_TEST
- }
- #endif
- }
- else {
- ssl->heap = ctx->heap;
- }
- #else
- ssl->heap = ctx->heap; /* carry over user heap without static memory */
- #endif /* WOLFSSL_STATIC_MEMORY */
- ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer;
- ssl->buffers.inputBuffer.bufferSize = STATIC_BUFFER_LEN;
- ssl->buffers.outputBuffer.buffer = ssl->buffers.outputBuffer.staticBuffer;
- ssl->buffers.outputBuffer.bufferSize = STATIC_BUFFER_LEN;
- #ifdef KEEP_PEER_CERT
- InitX509(&ssl->peerCert, 0, ssl->heap);
- #endif
- ssl->rfd = -1; /* set to invalid descriptor */
- ssl->wfd = -1;
- ssl->devId = ctx->devId; /* device for async HW (from wolfAsync_DevOpen) */
- /* initialize states */
- ssl->options.serverState = NULL_STATE;
- ssl->options.clientState = NULL_STATE;
- ssl->options.connectState = CONNECT_BEGIN;
- ssl->options.acceptState = ACCEPT_BEGIN;
- ssl->options.handShakeState = NULL_STATE;
- ssl->options.processReply = doProcessInit;
- ssl->options.asyncState = TLS_ASYNC_BEGIN;
- ssl->options.buildMsgState = BUILD_MSG_BEGIN;
- ssl->encrypt.state = CIPHER_STATE_BEGIN;
- ssl->decrypt.state = CIPHER_STATE_BEGIN;
- #ifndef NO_DH
- #if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
- !defined(HAVE_SELFTEST)
- ssl->options.dhDoKeyTest = 1;
- #endif
- #endif
- #ifdef WOLFSSL_DTLS
- #ifdef WOLFSSL_SCTP
- ssl->options.dtlsSctp = ctx->dtlsSctp;
- #endif
- #ifdef WOLFSSL_SRTP
- ssl->dtlsSrtpProfiles = ctx->dtlsSrtpProfiles;
- #endif
- #if defined(WOLFSSL_SCTP) || defined(WOLFSSL_DTLS_MTU)
- ssl->dtlsMtuSz = ctx->dtlsMtuSz;
- /* Add some bytes so that we can operate with slight difference
- * in set MTU size on each peer */
- ssl->dtls_expected_rx = ssl->dtlsMtuSz +
- DTLS_MTU_ADDITIONAL_READ_BUFFER;
- #else
- ssl->dtls_expected_rx = MAX_MTU;
- #endif
- ssl->dtls_timeout_init = DTLS_TIMEOUT_INIT;
- ssl->dtls_timeout_max = DTLS_TIMEOUT_MAX;
- ssl->dtls_timeout = ssl->dtls_timeout_init;
- ssl->buffers.dtlsCtx.rfd = -1;
- ssl->buffers.dtlsCtx.wfd = -1;
- ssl->IOCB_ReadCtx = &ssl->buffers.dtlsCtx; /* prevent invalid pointer access if not */
- ssl->IOCB_WriteCtx = &ssl->buffers.dtlsCtx; /* correctly set */
- #else
- #ifdef HAVE_NETX
- ssl->IOCB_ReadCtx = &ssl->nxCtx; /* default NetX IO ctx, same for read */
- ssl->IOCB_WriteCtx = &ssl->nxCtx; /* and write */
- #elif defined(WOLFSSL_APACHE_MYNEWT) && !defined(WOLFSSL_LWIP)
- ssl->mnCtx = mynewt_ctx_new();
- if(!ssl->mnCtx) {
- return MEMORY_E;
- }
- ssl->IOCB_ReadCtx = ssl->mnCtx; /* default Mynewt IO ctx, same for read */
- ssl->IOCB_WriteCtx = ssl->mnCtx; /* and write */
- #elif defined (WOLFSSL_GNRC)
- ssl->IOCB_ReadCtx = ssl->gnrcCtx;
- ssl->IOCB_WriteCtx = ssl->gnrcCtx;
- #else
- ssl->IOCB_ReadCtx = &ssl->rfd; /* prevent invalid pointer access if not */
- ssl->IOCB_WriteCtx = &ssl->wfd; /* correctly set */
- #endif
- #endif
- #ifndef WOLFSSL_AEAD_ONLY
- #ifndef NO_OLD_TLS
- ssl->hmac = SSL_hmac; /* default to SSLv3 */
- #elif !defined(WOLFSSL_NO_TLS12) && !defined(NO_TLS)
- #if !defined(WOLFSSL_RENESAS_SCEPROTECT) && \
- !defined(WOLFSSL_RENESAS_TSIP_TLS)
- ssl->hmac = TLS_hmac;
- #else
- ssl->hmac = Renesas_cmn_TLS_hmac;
- #endif
- #endif
- #endif
- #if defined(WOLFSSL_OPENVPN) && defined(HAVE_KEYING_MATERIAL)
- /* Save arrays by default for OpenVPN */
- ssl->options.saveArrays = 1;
- #endif
- ssl->cipher.ssl = ssl;
- #ifdef HAVE_EXTENDED_MASTER
- ssl->options.haveEMS = ctx->haveEMS;
- #endif
- ssl->options.useClientOrder = ctx->useClientOrder;
- ssl->options.mutualAuth = ctx->mutualAuth;
- #ifdef WOLFSSL_TLS13
- #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER)
- ssl->options.maxTicketTls13 = ctx->maxTicketTls13;
- #endif
- #ifdef HAVE_SESSION_TICKET
- ssl->options.noTicketTls13 = ctx->noTicketTls13;
- #endif
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- ssl->options.noPskDheKe = ctx->noPskDheKe;
- #ifdef HAVE_SUPPORTED_CURVES
- ssl->options.onlyPskDheKe = ctx->onlyPskDheKe;
- #endif /* HAVE_SUPPORTED_CURVES */
- #endif /* HAVE_SESSION_TICKET || !NO_PSK */
- #if defined(WOLFSSL_POST_HANDSHAKE_AUTH)
- ssl->options.postHandshakeAuth = ctx->postHandshakeAuth;
- ssl->options.verifyPostHandshake = ctx->verifyPostHandshake;
- #endif
- if (ctx->numGroups > 0) {
- XMEMCPY(ssl->group, ctx->group, sizeof(*ctx->group) * ctx->numGroups);
- ssl->numGroups = ctx->numGroups;
- }
- #endif
- #ifdef HAVE_TLS_EXTENSIONS
- #ifdef HAVE_MAX_FRAGMENT
- ssl->max_fragment = MAX_RECORD_SIZE;
- #endif
- #ifdef HAVE_ALPN
- ssl->alpn_peer_requested = NULL;
- ssl->alpn_peer_requested_length = 0;
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
- ssl->alpnSelect = ctx->alpnSelect;
- ssl->alpnSelectArg = ctx->alpnSelectArg;
- #endif
- #if !defined(NO_BIO) && defined(OPENSSL_EXTRA)
- if (ctx->alpn_cli_protos != NULL && ctx->alpn_cli_protos_len > 0) {
- ret = wolfSSL_set_alpn_protos(ssl, ctx->alpn_cli_protos,
- ctx->alpn_cli_protos_len);
- #if defined(WOLFSSL_ERROR_CODE_OPENSSL)
- if (ret) {
- #else
- if (!ret) {
- #endif
- WOLFSSL_MSG("failed to set alpn protos to ssl object");
- return ret;
- }
- }
- #endif
- #endif
- #ifdef HAVE_SUPPORTED_CURVES
- ssl->options.userCurves = ctx->userCurves;
- #endif
- #endif /* HAVE_TLS_EXTENSIONS */
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- ssl->options.disallowEncThenMac = ctx->disallowEncThenMac;
- #endif
- /* default alert state (none) */
- ssl->alert_history.last_rx.code = -1;
- ssl->alert_history.last_rx.level = -1;
- ssl->alert_history.last_tx.code = -1;
- ssl->alert_history.last_tx.level = -1;
- #ifdef OPENSSL_EXTRA
- /* copy over application session context ID */
- ssl->sessionCtxSz = ctx->sessionCtxSz;
- XMEMCPY(ssl->sessionCtx, ctx->sessionCtx, ctx->sessionCtxSz);
- ssl->cbioFlag = ctx->cbioFlag;
- ssl->protoMsgCb = ctx->protoMsgCb;
- ssl->protoMsgCtx = ctx->protoMsgCtx;
- /* follow default behavior of setting toInfoOn similar to
- * wolfSSL_set_msg_callback when the callback is set */
- if (ctx->protoMsgCb != NULL) {
- ssl->toInfoOn = 1;
- }
- ssl->disabledCurves = ctx->disabledCurves;
- #endif
- InitCiphers(ssl);
- InitCipherSpecs(&ssl->specs);
- /* all done with init, now can return errors, call other stuff */
- if ((ret = ReinitSSL(ssl, ctx, writeDup)) != 0) {
- return ret;
- }
- if (!writeDup) {
- #ifdef OPENSSL_EXTRA
- if ((ssl->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC(
- sizeof(WOLFSSL_X509_VERIFY_PARAM),
- ssl->heap, DYNAMIC_TYPE_OPENSSL)) == NULL) {
- WOLFSSL_MSG("ssl->param memory error");
- return MEMORY_E;
- }
- XMEMSET(ssl->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM));
- #endif
- if (ctx->suites == NULL) {
- /* suites */
- ret = AllocateCtxSuites(ctx);
- if (ret != 0)
- return ret;
- InitSSL_CTX_Suites(ctx);
- }
- #ifdef OPENSSL_ALL
- ssl->suitesStack = NULL;
- #endif
- } /* !writeDup */
- /* Initialize SSL with the appropriate fields from it's ctx */
- /* requires valid arrays and suites unless writeDup ing */
- if ((ret = SetSSL_CTX(ssl, ctx, writeDup)) != WOLFSSL_SUCCESS)
- return ret;
- ssl->options.dtls = ssl->version.major == DTLS_MAJOR;
- #ifdef HAVE_WRITE_DUP
- if (writeDup) {
- /* all done */
- return 0;
- }
- #endif
- /* hsHashes */
- ret = InitHandshakeHashes(ssl);
- if (ret != 0)
- return ret;
- #if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_SERVER)
- if (ssl->options.dtls && ssl->options.side == WOLFSSL_SERVER_END) {
- if (!IsAtLeastTLSv1_3(ssl->version)) {
- ret = wolfSSL_DTLS_SetCookieSecret(ssl, NULL, 0);
- if (ret != 0) {
- WOLFSSL_MSG("DTLS Cookie Secret error");
- return ret;
- }
- }
- #if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
- else {
- ret = wolfSSL_send_hrr_cookie(ssl, NULL, 0);
- if (ret != WOLFSSL_SUCCESS) {
- WOLFSSL_MSG("DTLS1.3 Cookie secret error");
- return ret;
- }
- }
- #endif /* WOLFSSL_DTLS13 && WOLFSSL_SEND_HRR_COOKIE */
- }
- #endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */
- #ifdef HAVE_SECRET_CALLBACK
- ssl->sessionSecretCb = NULL;
- ssl->sessionSecretCtx = NULL;
- #ifdef WOLFSSL_TLS13
- ssl->tls13SecretCb = NULL;
- ssl->tls13SecretCtx = NULL;
- #endif
- #endif
- #if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK)
- if (ctx->keyLogCb != NULL) {
- ssl->keyLogCb = SessionSecret_callback;
- #if defined(WOLFSSL_TLS13)
- ssl->tls13KeyLogCb = SessionSecret_callback_Tls13;
- #endif /*WOLFSSL_TLS13*/
- }
- #endif /*OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */
- ssl->session = wolfSSL_NewSession(ssl->heap);
- if (ssl->session == NULL) {
- WOLFSSL_MSG("SSL Session Memory error");
- return MEMORY_E;
- }
- #ifdef HAVE_SESSION_TICKET
- ssl->options.noTicketTls12 = ctx->noTicketTls12;
- #endif
- #ifdef WOLFSSL_MULTICAST
- if (ctx->haveMcast) {
- int i;
- ssl->options.haveMcast = 1;
- ssl->options.mcastID = ctx->mcastID;
- /* Force the state to look like handshake has completed. */
- /* Keying material is supplied externally. */
- ssl->options.serverState = SERVER_FINISHED_COMPLETE;
- ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
- ssl->options.connectState = SECOND_REPLY_DONE;
- ssl->options.acceptState = ACCEPT_THIRD_REPLY_DONE;
- ssl->options.handShakeState = HANDSHAKE_DONE;
- ssl->options.handShakeDone = 1;
- for (i = 0; i < WOLFSSL_DTLS_PEERSEQ_SZ; i++)
- ssl->keys.peerSeq[i].peerId = INVALID_PEER_ID;
- }
- #endif
- #if defined(HAVE_SECURE_RENEGOTIATION) || \
- defined(HAVE_SERVER_RENEGOTIATION_INFO)
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- int useSecureReneg = ssl->ctx->useSecureReneg;
- /* use secure renegotiation by default (not recommend) */
- #if defined(WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT) || \
- (defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_NO_TLS12) && \
- !defined(WOLFSSL_HARDEN_TLS_NO_SCR_CHECK))
- useSecureReneg = 1;
- #endif
- if (useSecureReneg) {
- ret = wolfSSL_UseSecureRenegotiation(ssl);
- if (ret != WOLFSSL_SUCCESS)
- return ret;
- }
- }
- #endif /* HAVE_SECURE_RENEGOTIATION */
- #ifdef WOLFSSL_DTLS13
- /* setup 0 (un-protected) epoch */
- ssl->dtls13Epochs[0].isValid = 1;
- ssl->dtls13Epochs[0].side = ENCRYPT_AND_DECRYPT_SIDE;
- ssl->dtls13EncryptEpoch = &ssl->dtls13Epochs[0];
- ssl->dtls13DecryptEpoch = &ssl->dtls13Epochs[0];
- ssl->options.dtls13SendMoreAcks = WOLFSSL_DTLS13_SEND_MOREACK_DEFAULT;
- ssl->dtls13Rtx.rtxRecordTailPtr = &ssl->dtls13Rtx.rtxRecords;
- #endif /* WOLFSSL_DTLS13 */
- #ifdef WOLFSSL_QUIC
- if (ctx->quic.method) {
- ret = wolfSSL_set_quic_method(ssl, ctx->quic.method);
- if (ret != WOLFSSL_SUCCESS)
- return ret;
- }
- #endif
- #if defined(WOLFSSL_MAXQ10XX_TLS)
- ret = wolfSSL_maxq10xx_load_certificate(ssl);
- if (ret != WOLFSSL_SUCCESS)
- return ret;
- #endif
- return 0;
- }
- /* free use of temporary arrays */
- void FreeArrays(WOLFSSL* ssl, int keep)
- {
- if (ssl->arrays) {
- if (keep && !IsAtLeastTLSv1_3(ssl->version)) {
- /* keeps session id for user retrieval */
- XMEMCPY(ssl->session->sessionID, ssl->arrays->sessionID, ID_LEN);
- ssl->session->sessionIDSz = ssl->arrays->sessionIDSz;
- }
- if (ssl->arrays->preMasterSecret) {
- ForceZero(ssl->arrays->preMasterSecret, ENCRYPT_LEN);
- XFREE(ssl->arrays->preMasterSecret, ssl->heap, DYNAMIC_TYPE_SECRET);
- ssl->arrays->preMasterSecret = NULL;
- }
- XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
- ssl->arrays->pendingMsg = NULL;
- ForceZero(ssl->arrays, sizeof(Arrays)); /* clear arrays struct */
- }
- XFREE(ssl->arrays, ssl->heap, DYNAMIC_TYPE_ARRAYS);
- ssl->arrays = NULL;
- }
- void FreeKey(WOLFSSL* ssl, int type, void** pKey)
- {
- if (ssl && pKey && *pKey) {
- switch (type) {
- #ifndef NO_RSA
- case DYNAMIC_TYPE_RSA:
- wc_FreeRsaKey((RsaKey*)*pKey);
- break;
- #endif /* ! NO_RSA */
- #ifdef HAVE_ECC
- case DYNAMIC_TYPE_ECC:
- #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
- defined(WC_ASYNC_ENABLE_ECC)
- if (((ecc_key*)*pKey)->nb_ctx != NULL) {
- XFREE(((ecc_key*)*pKey)->nb_ctx, ((ecc_key*)*pKey)->heap,
- DYNAMIC_TYPE_TMP_BUFFER);
- }
- #endif /* WC_ECC_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
- WC_ASYNC_ENABLE_ECC */
- wc_ecc_free((ecc_key*)*pKey);
- break;
- #endif /* HAVE_ECC */
- #ifdef HAVE_ED25519
- case DYNAMIC_TYPE_ED25519:
- wc_ed25519_free((ed25519_key*)*pKey);
- break;
- #endif /* HAVE_ED25519 */
- #ifdef HAVE_CURVE25519
- case DYNAMIC_TYPE_CURVE25519:
- wc_curve25519_free((curve25519_key*)*pKey);
- break;
- #endif /* HAVE_CURVE25519 */
- #ifdef HAVE_ED448
- case DYNAMIC_TYPE_ED448:
- wc_ed448_free((ed448_key*)*pKey);
- break;
- #endif /* HAVE_ED448 */
- #ifdef HAVE_CURVE448
- case DYNAMIC_TYPE_CURVE448:
- wc_curve448_free((curve448_key*)*pKey);
- break;
- #endif /* HAVE_CURVE448 */
- #if defined(HAVE_PQC)
- #if defined(HAVE_FALCON)
- case DYNAMIC_TYPE_FALCON:
- wc_falcon_free((falcon_key*)*pKey);
- break;
- #endif /* HAVE_FALCON */
- #if defined(HAVE_DILITHIUM)
- case DYNAMIC_TYPE_DILITHIUM:
- wc_dilithium_free((dilithium_key*)*pKey);
- break;
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- #ifndef NO_DH
- case DYNAMIC_TYPE_DH:
- wc_FreeDhKey((DhKey*)*pKey);
- break;
- #endif /* !NO_DH */
- default:
- break;
- }
- XFREE(*pKey, ssl->heap, type);
- /* Reset pointer */
- *pKey = NULL;
- }
- }
- int AllocKey(WOLFSSL* ssl, int type, void** pKey)
- {
- int ret = BAD_FUNC_ARG;
- int sz = 0;
- #ifdef HAVE_ECC
- ecc_key* eccKey;
- #endif /* HAVE_ECC */
- #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
- defined(WC_ASYNC_ENABLE_ECC)
- ecc_nb_ctx_t* nbCtx;
- #endif /* WC_ECC_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW && WC_ASYNC_ENABLE_ECC*/
- if (ssl == NULL || pKey == NULL) {
- return BAD_FUNC_ARG;
- }
- /* Sanity check key destination */
- if (*pKey != NULL) {
- WOLFSSL_MSG("Key already present!");
- return BAD_STATE_E;
- }
- /* Determine size */
- switch (type) {
- #ifndef NO_RSA
- case DYNAMIC_TYPE_RSA:
- sz = sizeof(RsaKey);
- break;
- #endif /* ! NO_RSA */
- #ifdef HAVE_ECC
- case DYNAMIC_TYPE_ECC:
- sz = sizeof(ecc_key);
- break;
- #endif /* HAVE_ECC */
- #ifdef HAVE_ED25519
- case DYNAMIC_TYPE_ED25519:
- sz = sizeof(ed25519_key);
- break;
- #endif /* HAVE_ED25519 */
- #ifdef HAVE_CURVE25519
- case DYNAMIC_TYPE_CURVE25519:
- sz = sizeof(curve25519_key);
- break;
- #endif /* HAVE_CURVE25519 */
- #ifdef HAVE_ED448
- case DYNAMIC_TYPE_ED448:
- sz = sizeof(ed448_key);
- break;
- #endif /* HAVE_ED448 */
- #ifdef HAVE_CURVE448
- case DYNAMIC_TYPE_CURVE448:
- sz = sizeof(curve448_key);
- break;
- #endif /* HAVE_CURVE448 */
- #if defined(HAVE_PQC)
- #if defined(HAVE_FALCON)
- case DYNAMIC_TYPE_FALCON:
- sz = sizeof(falcon_key);
- break;
- #endif /* HAVE_FALCON */
- #if defined(HAVE_DILITHIUM)
- case DYNAMIC_TYPE_DILITHIUM:
- sz = sizeof(dilithium_key);
- break;
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- #ifndef NO_DH
- case DYNAMIC_TYPE_DH:
- sz = sizeof(DhKey);
- break;
- #endif /* !NO_DH */
- default:
- return BAD_FUNC_ARG;
- }
- /* Allocate memory for key */
- *pKey = (void *)XMALLOC(sz, ssl->heap, type);
- if (*pKey == NULL) {
- return MEMORY_E;
- }
- /* Initialize key */
- switch (type) {
- #ifndef NO_RSA
- case DYNAMIC_TYPE_RSA:
- ret = wc_InitRsaKey_ex((RsaKey*)*pKey, ssl->heap, ssl->devId);
- break;
- #endif /* ! NO_RSA */
- #ifdef HAVE_ECC
- case DYNAMIC_TYPE_ECC:
- eccKey = (ecc_key*)*pKey;
- ret = wc_ecc_init_ex(eccKey, ssl->heap, ssl->devId);
- if (ret == 0) {
- #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
- defined(WC_ASYNC_ENABLE_ECC)
- nbCtx = (ecc_nb_ctx_t*)XMALLOC(sizeof(ecc_nb_ctx_t),
- eccKey->heap, DYNAMIC_TYPE_TMP_BUFFER);
- if (nbCtx == NULL) {
- ret = MEMORY_E;
- }
- else {
- ret = wc_ecc_set_nonblock(eccKey, nbCtx);
- if (ret != 0) {
- XFREE(nbCtx, eccKey->heap, DYNAMIC_TYPE_TMP_BUFFER);
- }
- }
- #endif /* WC_ECC_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
- WC_ASYNC_ENABLE_ECC */
- }
- break;
- #endif /* HAVE_ECC */
- #ifdef HAVE_ED25519
- case DYNAMIC_TYPE_ED25519:
- wc_ed25519_init_ex((ed25519_key*)*pKey, ssl->heap, ssl->devId);
- ret = 0;
- break;
- #endif /* HAVE_CURVE25519 */
- #ifdef HAVE_CURVE25519
- case DYNAMIC_TYPE_CURVE25519:
- wc_curve25519_init_ex((curve25519_key*)*pKey, ssl->heap, ssl->devId);
- ret = 0;
- break;
- #endif /* HAVE_CURVE25519 */
- #ifdef HAVE_ED448
- case DYNAMIC_TYPE_ED448:
- wc_ed448_init_ex((ed448_key*)*pKey, ssl->heap, ssl->devId);
- ret = 0;
- break;
- #endif /* HAVE_CURVE448 */
- #if defined(HAVE_PQC)
- #if defined(HAVE_FALCON)
- case DYNAMIC_TYPE_FALCON:
- wc_falcon_init((falcon_key*)*pKey);
- ret = 0;
- break;
- #endif /* HAVE_FALCON */
- #if defined(HAVE_DILITHIUM)
- case DYNAMIC_TYPE_DILITHIUM:
- wc_dilithium_init((dilithium_key*)*pKey);
- ret = 0;
- break;
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- #ifdef HAVE_CURVE448
- case DYNAMIC_TYPE_CURVE448:
- wc_curve448_init((curve448_key*)*pKey);
- ret = 0;
- break;
- #endif /* HAVE_CURVE448 */
- #ifndef NO_DH
- case DYNAMIC_TYPE_DH:
- ret = wc_InitDhKey_ex((DhKey*)*pKey, ssl->heap, ssl->devId);
- break;
- #endif /* !NO_DH */
- default:
- return BAD_FUNC_ARG;
- }
- /* On error free handshake key */
- if (ret != 0) {
- FreeKey(ssl, type, pKey);
- }
- return ret;
- }
- #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
- defined(HAVE_CURVE25519) || defined(HAVE_ED448) || \
- defined(HAVE_CURVE448) || (defined(HAVE_PQC) && defined(HAVE_FALCON)) || \
- (defined(HAVE_PQC) && defined(HAVE_DILITHIUM))
- static int ReuseKey(WOLFSSL* ssl, int type, void* pKey)
- {
- int ret = 0;
- (void)ssl;
- switch (type) {
- #ifndef NO_RSA
- case DYNAMIC_TYPE_RSA:
- wc_FreeRsaKey((RsaKey*)pKey);
- ret = wc_InitRsaKey_ex((RsaKey*)pKey, ssl->heap, ssl->devId);
- break;
- #endif /* ! NO_RSA */
- #ifdef HAVE_ECC
- case DYNAMIC_TYPE_ECC:
- wc_ecc_free((ecc_key*)pKey);
- ret = wc_ecc_init_ex((ecc_key*)pKey, ssl->heap, ssl->devId);
- break;
- #endif /* HAVE_ECC */
- #ifdef HAVE_ED25519
- case DYNAMIC_TYPE_ED25519:
- wc_ed25519_free((ed25519_key*)pKey);
- ret = wc_ed25519_init_ex((ed25519_key*)pKey, ssl->heap,
- ssl->devId);
- break;
- #endif /* HAVE_CURVE25519 */
- #ifdef HAVE_CURVE25519
- case DYNAMIC_TYPE_CURVE25519:
- wc_curve25519_free((curve25519_key*)pKey);
- ret = wc_curve25519_init_ex((curve25519_key*)pKey, ssl->heap,
- ssl->devId);
- break;
- #endif /* HAVE_CURVE25519 */
- #ifdef HAVE_ED448
- case DYNAMIC_TYPE_ED448:
- wc_ed448_free((ed448_key*)pKey);
- ret = wc_ed448_init_ex((ed448_key*)pKey, ssl->heap, ssl->devId);
- break;
- #endif /* HAVE_CURVE448 */
- #ifdef HAVE_CURVE448
- case DYNAMIC_TYPE_CURVE448:
- wc_curve448_free((curve448_key*)pKey);
- ret = wc_curve448_init((curve448_key*)pKey);
- break;
- #endif /* HAVE_CURVE448 */
- #if defined(HAVE_PQC) && defined(HAVE_FALCON)
- case DYNAMIC_TYPE_FALCON:
- wc_falcon_free((falcon_key*)pKey);
- ret = wc_falcon_init((falcon_key*)pKey);
- break;
- #endif /* HAVE_PQC && HAVE_FALCON */
- #ifndef NO_DH
- case DYNAMIC_TYPE_DH:
- wc_FreeDhKey((DhKey*)pKey);
- ret = wc_InitDhKey_ex((DhKey*)pKey, ssl->heap, ssl->devId);
- break;
- #endif /* !NO_DH */
- default:
- return BAD_FUNC_ARG;
- }
- return ret;
- }
- #endif
- #ifdef WOLFSSL_ASYNC_IO
- void FreeAsyncCtx(WOLFSSL* ssl, byte freeAsync)
- {
- if (ssl->async != NULL) {
- if (ssl->async->freeArgs != NULL) {
- ssl->async->freeArgs(ssl, ssl->async->args);
- ssl->async->freeArgs = NULL;
- }
- #if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WOLFSSL_NO_TLS12)
- if (ssl->options.buildArgsSet) {
- FreeBuildMsgArgs(ssl, &ssl->async->buildArgs);
- ssl->options.buildArgsSet = 0;
- }
- #endif
- if (freeAsync) {
- XFREE(ssl->async, ssl->heap, DYNAMIC_TYPE_ASYNC);
- ssl->async = NULL;
- }
- }
- }
- #endif
- void FreeKeyExchange(WOLFSSL* ssl)
- {
- /* Cleanup signature buffer */
- if (ssl->buffers.sig.buffer) {
- XFREE(ssl->buffers.sig.buffer, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- ssl->buffers.sig.buffer = NULL;
- ssl->buffers.sig.length = 0;
- }
- /* Cleanup digest buffer */
- if (ssl->buffers.digest.buffer) {
- /* Only free if digest buffer was not set using SetDigest */
- if (!ssl->options.dontFreeDigest) {
- XFREE(ssl->buffers.digest.buffer, ssl->heap, DYNAMIC_TYPE_DIGEST);
- }
- ssl->buffers.digest.buffer = NULL;
- ssl->buffers.digest.length = 0;
- ssl->options.dontFreeDigest = 0;
- }
- /* Free handshake key */
- FreeKey(ssl, ssl->hsType, &ssl->hsKey);
- #ifndef NO_DH
- /* Free temp DH key */
- FreeKey(ssl, DYNAMIC_TYPE_DH, (void**)&ssl->buffers.serverDH_Key);
- #endif
- }
- /* Free up all memory used by Suites structure from WOLFSSL */
- void FreeSuites(WOLFSSL* ssl)
- {
- #ifdef OPENSSL_ALL
- if (ssl->suitesStack != NULL) {
- /* Enough to free stack structure since WOLFSSL_CIPHER
- * isn't allocated separately. */
- wolfSSL_sk_SSL_CIPHER_free(ssl->suitesStack);
- ssl->suitesStack = NULL;
- }
- #endif
- XFREE(ssl->suites, ssl->heap, DYNAMIC_TYPE_SUITES);
- ssl->suites = NULL;
- }
- /* In case holding SSL object in array and don't want to free actual ssl */
- void SSL_ResourceFree(WOLFSSL* ssl)
- {
- /* Note: any resources used during the handshake should be released in the
- * function FreeHandshakeResources(). Be careful with the special cases
- * like the RNG which may optionally be kept for the whole session. (For
- * example with the RNG, it isn't used beyond the handshake except when
- * using stream ciphers where it is retained. */
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- WOLFSSL_MSG("Free'ing server ssl");
- }
- else {
- WOLFSSL_MSG("Free'ing client ssl");
- }
- #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&ssl->ex_data);
- #endif
- FreeCiphers(ssl);
- FreeArrays(ssl, 0);
- FreeKeyExchange(ssl);
- #ifdef WOLFSSL_ASYNC_IO
- /* Cleanup async */
- FreeAsyncCtx(ssl, 1);
- #endif
- if (ssl->options.weOwnRng) {
- wc_FreeRng(ssl->rng);
- XFREE(ssl->rng, ssl->heap, DYNAMIC_TYPE_RNG);
- }
- FreeSuites(ssl);
- FreeHandshakeHashes(ssl);
- XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN);
- /* clear keys struct after session */
- ForceZero(&ssl->keys, sizeof(Keys));
- #ifdef WOLFSSL_TLS13
- ForceZero(&ssl->clientSecret, sizeof(ssl->clientSecret));
- ForceZero(&ssl->serverSecret, sizeof(ssl->serverSecret));
- #if defined(HAVE_ECH)
- if (ssl->options.useEch == 1) {
- FreeEchConfigs(ssl->echConfigs, ssl->heap);
- ssl->echConfigs = NULL;
- /* free the ech specific hashes */
- ssl->hsHashes = ssl->hsHashesEch;
- FreeHandshakeHashes(ssl);
- ssl->options.useEch = 0;
- }
- #endif /* HAVE_ECH */
- #endif /* WOLFSSL_TLS13 */
- #ifdef WOLFSSL_HAVE_TLS_UNIQUE
- ForceZero(&ssl->clientFinished, TLS_FINISHED_SZ_MAX);
- ForceZero(&ssl->serverFinished, TLS_FINISHED_SZ_MAX);
- ssl->serverFinished_len = 0;
- ssl->clientFinished_len = 0;
- #endif
- #ifndef NO_DH
- if (ssl->buffers.serverDH_Priv.buffer != NULL) {
- ForceZero(ssl->buffers.serverDH_Priv.buffer,
- ssl->buffers.serverDH_Priv.length);
- }
- XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
- XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- /* parameters (p,g) may be owned by ctx */
- if (ssl->buffers.weOwnDH) {
- XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- }
- #endif /* !NO_DH */
- #ifndef NO_CERTS
- ssl->keepCert = 0; /* make sure certificate is free'd */
- wolfSSL_UnloadCertsKeys(ssl);
- #endif
- #ifndef NO_RSA
- FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey);
- ssl->peerRsaKeyPresent = 0;
- #endif
- #if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT)
- XFREE(ssl->peerSceTsipEncRsaKeyIndex, ssl->heap, DYNAMIC_TYPE_RSA);
- Renesas_cmn_Cleanup(ssl);
- #endif
- if (ssl->buffers.inputBuffer.dynamicFlag)
- ShrinkInputBuffer(ssl, FORCED_FREE);
- if (ssl->buffers.outputBuffer.dynamicFlag)
- ShrinkOutputBuffer(ssl);
- #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
- if (ssl->buffers.tls13CookieSecret.buffer != NULL) {
- ForceZero(ssl->buffers.tls13CookieSecret.buffer,
- ssl->buffers.tls13CookieSecret.length);
- }
- XFREE(ssl->buffers.tls13CookieSecret.buffer, ssl->heap,
- DYNAMIC_TYPE_COOKIE_PWD);
- #endif
- #ifdef WOLFSSL_DTLS
- DtlsMsgPoolReset(ssl);
- if (ssl->dtls_rx_msg_list != NULL) {
- DtlsMsgListDelete(ssl->dtls_rx_msg_list, ssl->heap);
- ssl->dtls_rx_msg_list = NULL;
- ssl->dtls_rx_msg_list_sz = 0;
- }
- XFREE(ssl->buffers.dtlsCtx.peer.sa, ssl->heap, DYNAMIC_TYPE_SOCKADDR);
- ssl->buffers.dtlsCtx.peer.sa = NULL;
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->buffers.dtlsCookieSecret.buffer != NULL) {
- ForceZero(ssl->buffers.dtlsCookieSecret.buffer,
- ssl->buffers.dtlsCookieSecret.length);
- }
- XFREE(ssl->buffers.dtlsCookieSecret.buffer, ssl->heap,
- DYNAMIC_TYPE_COOKIE_PWD);
- #endif
- #ifdef WOLFSSL_DTLS13
- if (ssl->dtls13ClientHello != NULL) {
- XFREE(ssl->dtls13ClientHello, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
- ssl->dtls13ClientHello = NULL;
- ssl->dtls13ClientHelloSz = 0;
- }
- #endif /* WOLFSSL_DTLS13 */
- #endif /* WOLFSSL_DTLS */
- #ifdef OPENSSL_EXTRA
- #ifndef NO_BIO
- /* Don't free if there was/is a previous element in the chain.
- * This means that this BIO was part of a chain that will be
- * free'd separately. */
- if (ssl->biord != ssl->biowr) /* only free write if different */
- if (ssl->biowr != NULL && ssl->biowr->prev == NULL)
- wolfSSL_BIO_free(ssl->biowr);
- if (ssl->biord != NULL && ssl->biord->prev == NULL)
- wolfSSL_BIO_free(ssl->biord);
- ssl->biowr = NULL;
- ssl->biord = NULL;
- #endif
- #endif
- #ifdef HAVE_LIBZ
- FreeStreams(ssl);
- #endif
- #ifdef HAVE_ECC
- FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccKey);
- ssl->peerEccKeyPresent = 0;
- FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey);
- ssl->peerEccDsaKeyPresent = 0;
- #endif
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) ||defined(HAVE_CURVE448)
- {
- int dtype = 0;
- #ifdef HAVE_ECC
- dtype = DYNAMIC_TYPE_ECC;
- #endif
- #ifdef HAVE_CURVE25519
- if (ssl->peerX25519KeyPresent
- #ifdef HAVE_ECC
- || ssl->eccTempKeyPresent == DYNAMIC_TYPE_CURVE25519
- #endif /* HAVE_ECC */
- )
- {
- dtype = DYNAMIC_TYPE_CURVE25519;
- }
- #endif /* HAVE_CURVE25519 */
- #ifdef HAVE_CURVE448
- if (ssl->peerX448KeyPresent
- #ifdef HAVE_ECC
- || ssl->eccTempKeyPresent == DYNAMIC_TYPE_CURVE448
- #endif /* HAVE_ECC */
- )
- {
- dtype = DYNAMIC_TYPE_CURVE448;
- }
- #endif /* HAVE_CURVE448 */
- FreeKey(ssl, dtype, (void**)&ssl->eccTempKey);
- ssl->eccTempKeyPresent = 0;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #ifdef HAVE_CURVE25519
- FreeKey(ssl, DYNAMIC_TYPE_CURVE25519, (void**)&ssl->peerX25519Key);
- ssl->peerX25519KeyPresent = 0;
- #endif
- #ifdef HAVE_ED25519
- FreeKey(ssl, DYNAMIC_TYPE_ED25519, (void**)&ssl->peerEd25519Key);
- ssl->peerEd25519KeyPresent = 0;
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->buffers.peerEd25519Key.buffer != NULL) {
- XFREE(ssl->buffers.peerEd25519Key.buffer, ssl->heap,
- DYNAMIC_TYPE_ED25519);
- ssl->buffers.peerEd25519Key.buffer = NULL;
- }
- #endif
- #endif
- #ifdef HAVE_CURVE448
- FreeKey(ssl, DYNAMIC_TYPE_CURVE448, (void**)&ssl->peerX448Key);
- ssl->peerX448KeyPresent = 0;
- #endif
- #ifdef HAVE_ED448
- FreeKey(ssl, DYNAMIC_TYPE_ED448, (void**)&ssl->peerEd448Key);
- ssl->peerEd448KeyPresent = 0;
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->buffers.peerEd448Key.buffer != NULL) {
- XFREE(ssl->buffers.peerEd448Key.buffer, ssl->heap,
- DYNAMIC_TYPE_ED448);
- ssl->buffers.peerEd448Key.buffer = NULL;
- }
- #endif
- #endif
- #if defined(HAVE_PQC) && defined(HAVE_FALCON)
- FreeKey(ssl, DYNAMIC_TYPE_FALCON, (void**)&ssl->peerFalconKey);
- ssl->peerFalconKeyPresent = 0;
- #endif
- #ifdef HAVE_PK_CALLBACKS
- #ifdef HAVE_ECC
- XFREE(ssl->buffers.peerEccDsaKey.buffer, ssl->heap, DYNAMIC_TYPE_ECC);
- #endif /* HAVE_ECC */
- #ifndef NO_RSA
- XFREE(ssl->buffers.peerRsaKey.buffer, ssl->heap, DYNAMIC_TYPE_RSA);
- #endif /* NO_RSA */
- #endif /* HAVE_PK_CALLBACKS */
- #ifdef HAVE_TLS_EXTENSIONS
- #if !defined(NO_TLS)
- TLSX_FreeAll(ssl->extensions, ssl->heap);
- #endif /* !NO_TLS */
- #ifdef HAVE_ALPN
- if (ssl->alpn_peer_requested != NULL) {
- XFREE(ssl->alpn_peer_requested, ssl->heap, DYNAMIC_TYPE_ALPN);
- ssl->alpn_peer_requested = NULL;
- ssl->alpn_peer_requested_length = 0;
- }
- #endif
- #endif /* HAVE_TLS_EXTENSIONS */
- #if defined(WOLFSSL_APACHE_MYNEWT) && !defined(WOLFSSL_LWIP)
- if (ssl->mnCtx) {
- mynewt_ctx_clear(ssl->mnCtx);
- ssl->mnCtx = NULL;
- }
- #endif
- #ifdef HAVE_NETX
- if (ssl->nxCtx.nxPacket)
- nx_packet_release(ssl->nxCtx.nxPacket);
- #endif
- #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
- if (ssl->x509_store_pt)
- wolfSSL_X509_STORE_free(ssl->x509_store_pt);
- #endif
- #ifdef KEEP_PEER_CERT
- FreeX509(&ssl->peerCert);
- #endif
- if (ssl->session != NULL)
- wolfSSL_FreeSession(ssl->ctx, ssl->session);
- #ifdef HAVE_WRITE_DUP
- if (ssl->dupWrite) {
- FreeWriteDup(ssl);
- }
- #endif
- #ifdef OPENSSL_EXTRA
- if (ssl->param) {
- XFREE(ssl->param, ssl->heap, DYNAMIC_TYPE_OPENSSL);
- }
- #endif
- #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
- while (ssl->certReqCtx != NULL) {
- CertReqCtx* curr = ssl->certReqCtx;
- ssl->certReqCtx = curr->next;
- XFREE(curr, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
- }
- #endif
- #ifdef WOLFSSL_STATIC_EPHEMERAL
- #ifndef NO_DH
- FreeDer(&ssl->staticKE.dhKey);
- #endif
- #ifdef HAVE_ECC
- FreeDer(&ssl->staticKE.ecKey);
- #endif
- #ifdef HAVE_CURVE25519
- FreeDer(&ssl->staticKE.x25519Key);
- #endif
- #ifdef HAVE_CURVE448
- FreeDer(&ssl->staticKE.x448Key);
- #endif
- #endif
- #ifdef WOLFSSL_STATIC_MEMORY
- /* check if using fixed io buffers and free them */
- if (ssl->heap != NULL) {
- #ifdef WOLFSSL_HEAP_TEST
- /* avoid dereferencing a test value */
- if (ssl->heap != (void*)WOLFSSL_HEAP_TEST) {
- #endif
- WOLFSSL_HEAP_HINT* ssl_hint = (WOLFSSL_HEAP_HINT*)ssl->heap;
- WOLFSSL_HEAP* ctx_heap;
- void* heap = ssl->ctx ? ssl->ctx->heap : ssl->heap;
- ctx_heap = ssl_hint->memory;
- if (wc_LockMutex(&(ctx_heap->memory_mutex)) != 0) {
- WOLFSSL_MSG("Bad memory_mutex lock");
- }
- ctx_heap->curIO--;
- if (FreeFixedIO(ctx_heap, &(ssl_hint->outBuf)) != 1) {
- WOLFSSL_MSG("Error freeing fixed output buffer");
- }
- if (FreeFixedIO(ctx_heap, &(ssl_hint->inBuf)) != 1) {
- WOLFSSL_MSG("Error freeing fixed output buffer");
- }
- if (ssl_hint->haFlag) { /* check if handshake count has been decreased*/
- ctx_heap->curHa--;
- }
- wc_UnLockMutex(&(ctx_heap->memory_mutex));
- /* check if tracking stats */
- if (ctx_heap->flag & WOLFMEM_TRACK_STATS) {
- XFREE(ssl_hint->stats, heap, DYNAMIC_TYPE_SSL);
- }
- XFREE(ssl->heap, heap, DYNAMIC_TYPE_SSL);
- #ifdef WOLFSSL_HEAP_TEST
- }
- #endif
- }
- #endif /* WOLFSSL_STATIC_MEMORY */
- #ifdef OPENSSL_EXTRA
- /* Enough to free stack structure since WOLFSSL_CIPHER
- * isn't allocated separately. */
- wolfSSL_sk_CIPHER_free(ssl->supportedCiphers);
- wolfSSL_sk_X509_pop_free(ssl->peerCertChain, NULL);
- #ifdef KEEP_OUR_CERT
- wolfSSL_sk_X509_pop_free(ssl->ourCertChain, NULL);
- #endif
- #endif
- #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
- wolfSSL_sk_X509_NAME_pop_free(ssl->ca_names, NULL);
- ssl->ca_names = NULL;
- #endif
- #ifdef WOLFSSL_DTLS13
- Dtls13FreeFsmResources(ssl);
- #endif /* WOLFSSL_DTLS13 */
- #ifdef WOLFSSL_QUIC
- wolfSSL_quic_free(ssl);
- #endif
- }
- /* Free any handshake resources no longer needed */
- void FreeHandshakeResources(WOLFSSL* ssl)
- {
- WOLFSSL_ENTER("FreeHandshakeResources");
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- /* DTLS_POOL (DTLSv1.3 flushes the queue autonomously) */
- if(!IsAtLeastTLSv1_3(ssl->version)) {
- DtlsMsgPoolReset(ssl);
- DtlsMsgListDelete(ssl->dtls_rx_msg_list, ssl->heap);
- ssl->dtls_rx_msg_list = NULL;
- ssl->dtls_rx_msg_list_sz = 0;
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->dtls13ClientHello != NULL) {
- XFREE(ssl->dtls13ClientHello, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
- ssl->dtls13ClientHello = NULL;
- ssl->dtls13ClientHelloSz = 0;
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- #endif
- #ifdef HAVE_SECURE_RENEGOTIATION
- if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) {
- WOLFSSL_MSG("Secure Renegotiation needs to retain handshake resources");
- return;
- }
- #endif
- /* input buffer */
- if (ssl->buffers.inputBuffer.dynamicFlag)
- ShrinkInputBuffer(ssl, NO_FORCED_FREE);
- #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
- if (!ssl->options.tls1_3)
- #endif
- {
- #ifndef OPENSSL_EXTRA
- /* free suites unless using compatibility layer */
- FreeSuites(ssl);
- #endif
- /* hsHashes */
- FreeHandshakeHashes(ssl);
- }
- /* RNG */
- if (ssl->options.tls1_1 == 0
- #ifndef WOLFSSL_AEAD_ONLY
- || ssl->specs.cipher_type == stream
- #endif
- #if defined(WOLFSSL_TLS13)
- /* Post-handshake auth requires random on client side for TLS 1.3.
- * Session ticket requires random on server side.
- */
- #if !defined(WOLFSSL_POST_HANDSHAKE_AUTH) && !defined(HAVE_SESSION_TICKET)
- || ssl->options.tls1_3
- #elif !defined(WOLFSSL_POST_HANDSHAKE_AUTH) && defined(HAVE_SESSION_TICKET)
- || (ssl->options.tls1_3 && ssl->options.side == WOLFSSL_CLIENT_END)
- #elif !defined(HAVE_SESSION_TICKET)
- || (ssl->options.tls1_3 && ssl->options.side == WOLFSSL_SERVER_END)
- #endif
- #endif
- ) {
- if (ssl->options.weOwnRng) {
- wc_FreeRng(ssl->rng);
- XFREE(ssl->rng, ssl->heap, DYNAMIC_TYPE_RNG);
- ssl->rng = NULL;
- ssl->options.weOwnRng = 0;
- }
- }
- #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
- defined(HAVE_SESSION_TICKET)
- if (!ssl->options.tls1_3)
- #endif
- /* arrays */
- if (ssl->options.saveArrays == 0)
- FreeArrays(ssl, 1);
- #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
- if (!ssl->options.tls1_3 || ssl->options.side == WOLFSSL_CLIENT_END)
- #endif
- {
- #ifndef NO_RSA
- /* peerRsaKey */
- FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey);
- ssl->peerRsaKeyPresent = 0;
- #endif
- #ifdef HAVE_ECC
- FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey);
- ssl->peerEccDsaKeyPresent = 0;
- #endif /* HAVE_ECC */
- #ifdef HAVE_ED25519
- FreeKey(ssl, DYNAMIC_TYPE_ED25519, (void**)&ssl->peerEd25519Key);
- ssl->peerEd25519KeyPresent = 0;
- #endif /* HAVE_ED25519 */
- #ifdef HAVE_ED448
- FreeKey(ssl, DYNAMIC_TYPE_ED448, (void**)&ssl->peerEd448Key);
- ssl->peerEd448KeyPresent = 0;
- #endif /* HAVE_ED448 */
- #if defined(HAVE_PQC) && defined(HAVE_FALCON)
- FreeKey(ssl, DYNAMIC_TYPE_FALCON, (void**)&ssl->peerFalconKey);
- ssl->peerFalconKeyPresent = 0;
- #endif /* HAVE_PQC */
- }
- #ifdef HAVE_ECC
- FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccKey);
- ssl->peerEccKeyPresent = 0;
- #endif
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
- {
- int dtype;
- #ifdef HAVE_ECC
- dtype = DYNAMIC_TYPE_ECC;
- #elif defined(HAVE_CURVE25519)
- dtype = DYNAMIC_TYPE_CURVE25519;
- #else
- dtype = DYNAMIC_TYPE_CURVE448;
- #endif
- #if defined(HAVE_ECC) && defined(HAVE_CURVE25519)
- if (ssl->peerX25519KeyPresent ||
- ssl->eccTempKeyPresent == DYNAMIC_TYPE_CURVE25519)
- {
- dtype = DYNAMIC_TYPE_CURVE25519;
- }
- #endif
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519)) && \
- defined(HAVE_CURVE448)
- if (ssl->peerX448KeyPresent ||
- ssl->eccTempKeyPresent == DYNAMIC_TYPE_CURVE448)
- {
- dtype = DYNAMIC_TYPE_CURVE448;
- }
- #endif
- FreeKey(ssl, dtype, (void**)&ssl->eccTempKey);
- ssl->eccTempKeyPresent = 0;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #ifdef HAVE_CURVE25519
- FreeKey(ssl, DYNAMIC_TYPE_CURVE25519, (void**)&ssl->peerX25519Key);
- ssl->peerX25519KeyPresent = 0;
- #endif
- #ifdef HAVE_CURVE448
- FreeKey(ssl, DYNAMIC_TYPE_CURVE448, (void**)&ssl->peerX448Key);
- ssl->peerX448KeyPresent = 0;
- #endif
- #ifndef NO_DH
- if (ssl->buffers.serverDH_Priv.buffer) {
- ForceZero(ssl->buffers.serverDH_Priv.buffer,
- ssl->buffers.serverDH_Priv.length);
- }
- XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
- ssl->buffers.serverDH_Priv.buffer = NULL;
- XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_Pub.buffer = NULL;
- /* parameters (p,g) may be owned by ctx */
- if (ssl->buffers.weOwnDH) {
- XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_G.buffer = NULL;
- XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_P.buffer = NULL;
- }
- #endif /* !NO_DH */
- #ifndef NO_CERTS
- wolfSSL_UnloadCertsKeys(ssl);
- #endif
- #ifdef HAVE_PK_CALLBACKS
- #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
- if (!ssl->options.tls1_3 || ssl->options.side == WOLFSSL_CLIENT_END)
- #endif
- {
- #ifdef HAVE_ECC
- XFREE(ssl->buffers.peerEccDsaKey.buffer, ssl->heap, DYNAMIC_TYPE_ECC);
- ssl->buffers.peerEccDsaKey.buffer = NULL;
- #endif /* HAVE_ECC */
- #ifndef NO_RSA
- XFREE(ssl->buffers.peerRsaKey.buffer, ssl->heap, DYNAMIC_TYPE_RSA);
- ssl->buffers.peerRsaKey.buffer = NULL;
- #endif /* NO_RSA */
- #ifdef HAVE_ED25519
- XFREE(ssl->buffers.peerEd25519Key.buffer, ssl->heap,
- DYNAMIC_TYPE_ED25519);
- ssl->buffers.peerEd25519Key.buffer = NULL;
- #endif
- #ifdef HAVE_ED448
- XFREE(ssl->buffers.peerEd448Key.buffer, ssl->heap, DYNAMIC_TYPE_ED448);
- ssl->buffers.peerEd448Key.buffer = NULL;
- #endif
- }
- #endif /* HAVE_PK_CALLBACKS */
- #if defined(HAVE_TLS_EXTENSIONS) && !defined(HAVE_SNI) && \
- !defined(NO_TLS) && !defined(HAVE_ALPN) && !defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
- !defined(WOLFSSL_DTLS_CID)
- /* Some extensions need to be kept for post-handshake querying. */
- TLSX_FreeAll(ssl->extensions, ssl->heap);
- ssl->extensions = NULL;
- #endif
- #ifdef WOLFSSL_STATIC_MEMORY
- /* when done with handshake decrement current handshake count */
- if (ssl->heap != NULL) {
- #ifdef WOLFSSL_HEAP_TEST
- /* avoid dereferencing a test value */
- if (ssl->heap != (void*)WOLFSSL_HEAP_TEST) {
- #endif
- WOLFSSL_HEAP_HINT* ssl_hint = (WOLFSSL_HEAP_HINT*)ssl->heap;
- WOLFSSL_HEAP* ctx_heap;
- ctx_heap = ssl_hint->memory;
- if (wc_LockMutex(&(ctx_heap->memory_mutex)) != 0) {
- WOLFSSL_MSG("Bad memory_mutex lock");
- }
- ctx_heap->curHa--;
- ssl_hint->haFlag = 0; /* set to zero since handshake has been dec */
- wc_UnLockMutex(&(ctx_heap->memory_mutex));
- #ifdef WOLFSSL_HEAP_TEST
- }
- #endif
- }
- #endif /* WOLFSSL_STATIC_MEMORY */
- }
- /* heap argument is the heap hint used when creating SSL */
- void FreeSSL(WOLFSSL* ssl, void* heap)
- {
- WOLFSSL_CTX* ctx = ssl->ctx;
- SSL_ResourceFree(ssl);
- XFREE(ssl, heap, DYNAMIC_TYPE_SSL);
- if (ctx)
- FreeSSL_Ctx(ctx); /* will decrement and free underlying CTX if 0 */
- (void)heap;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(ssl, sizeof(*ssl));
- #endif
- }
- #if !defined(NO_OLD_TLS) || defined(WOLFSSL_DTLS) || \
- !defined(WOLFSSL_NO_TLS12) || \
- ((defined(HAVE_CHACHA) || defined(HAVE_AESCCM) || defined(HAVE_AESGCM)) \
- && defined(HAVE_AEAD))
- #if defined(WOLFSSL_DTLS) || !defined(WOLFSSL_NO_TLS12)
- static WC_INLINE void GetSEQIncrement(WOLFSSL* ssl, int verify, word32 seq[2])
- {
- if (verify) {
- seq[0] = ssl->keys.peer_sequence_number_hi;
- seq[1] = ssl->keys.peer_sequence_number_lo++;
- if (seq[1] > ssl->keys.peer_sequence_number_lo) {
- /* handle rollover */
- ssl->keys.peer_sequence_number_hi++;
- }
- }
- else {
- seq[0] = ssl->keys.sequence_number_hi;
- seq[1] = ssl->keys.sequence_number_lo++;
- if (seq[1] > ssl->keys.sequence_number_lo) {
- /* handle rollover */
- ssl->keys.sequence_number_hi++;
- }
- }
- }
- #endif /* WOLFSSL_DTLS || !WOLFSSL_NO_TLS12 */
- #ifdef WOLFSSL_DTLS
- static WC_INLINE void DtlsGetSEQ(WOLFSSL* ssl, int order, word32 seq[2])
- {
- #ifdef HAVE_SECURE_RENEGOTIATION
- order = DtlsCheckOrder(ssl, order);
- #endif
- if (order == PREV_ORDER) {
- /* Previous epoch case */
- if (ssl->options.haveMcast) {
- #ifdef WOLFSSL_MULTICAST
- seq[0] = (((word32)ssl->keys.dtls_epoch - 1) << 16) |
- (ssl->options.mcastID << 8) |
- (ssl->keys.dtls_prev_sequence_number_hi & 0xFF);
- #endif
- }
- else
- seq[0] = (((word32)ssl->keys.dtls_epoch - 1) << 16) |
- (ssl->keys.dtls_prev_sequence_number_hi & 0xFFFF);
- seq[1] = ssl->keys.dtls_prev_sequence_number_lo;
- }
- else if (order == PEER_ORDER) {
- if (ssl->options.haveMcast) {
- #ifdef WOLFSSL_MULTICAST
- seq[0] = ((word32)ssl->keys.curEpoch << 16) |
- (ssl->keys.curPeerId << 8) |
- (ssl->keys.curSeq_hi & 0xFF);
- #endif
- }
- else
- seq[0] = ((word32)ssl->keys.curEpoch << 16) |
- (ssl->keys.curSeq_hi & 0xFFFF);
- seq[1] = ssl->keys.curSeq_lo; /* explicit from peer */
- }
- else {
- if (ssl->options.haveMcast) {
- #ifdef WOLFSSL_MULTICAST
- seq[0] = ((word32)ssl->keys.dtls_epoch << 16) |
- (ssl->options.mcastID << 8) |
- (ssl->keys.dtls_sequence_number_hi & 0xFF);
- #endif
- }
- else
- seq[0] = ((word32)ssl->keys.dtls_epoch << 16) |
- (ssl->keys.dtls_sequence_number_hi & 0xFFFF);
- seq[1] = ssl->keys.dtls_sequence_number_lo;
- }
- }
- static WC_INLINE void DtlsSEQIncrement(WOLFSSL* ssl, int order)
- {
- word32 seq;
- #ifdef HAVE_SECURE_RENEGOTIATION
- order = DtlsCheckOrder(ssl, order);
- #endif
- if (order == PREV_ORDER) {
- seq = ssl->keys.dtls_prev_sequence_number_lo++;
- if (seq > ssl->keys.dtls_prev_sequence_number_lo) {
- /* handle rollover */
- ssl->keys.dtls_prev_sequence_number_hi++;
- }
- }
- else if (order == PEER_ORDER) {
- seq = ssl->keys.peer_sequence_number_lo++;
- if (seq > ssl->keys.peer_sequence_number_lo) {
- /* handle rollover */
- ssl->keys.peer_sequence_number_hi++;
- }
- }
- else {
- seq = ssl->keys.dtls_sequence_number_lo++;
- if (seq > ssl->keys.dtls_sequence_number_lo) {
- /* handle rollover */
- ssl->keys.dtls_sequence_number_hi++;
- }
- }
- }
- #endif /* WOLFSSL_DTLS */
- #if defined(WOLFSSL_DTLS) || !defined(WOLFSSL_NO_TLS12)
- void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out)
- {
- word32 seq[2] = {0, 0};
- if (!ssl->options.dtls) {
- GetSEQIncrement(ssl, verifyOrder, seq);
- }
- else {
- #ifdef WOLFSSL_DTLS
- DtlsGetSEQ(ssl, verifyOrder, seq);
- #endif
- }
- c32toa(seq[0], out);
- c32toa(seq[1], out + OPAQUE32_LEN);
- }
- #endif /* WOLFSSL_DTLS || !WOLFSSL_NO_TLS12 */
- #endif /* !NO_OLD_TLS || WOLFSSL_DTLS || !WOLFSSL_NO_TLS12 ||
- * ((HAVE_CHACHA || HAVE_AESCCM || HAVE_AESGCM) && HAVE_AEAD) */
- #ifdef WOLFSSL_DTLS
- /* functions for managing DTLS datagram reordering */
- /* Need to allocate space for the handshake message header. The hashing
- * routines assume the message pointer is still within the buffer that
- * has the headers, and will include those headers in the hash. The store
- * routines need to take that into account as well. New will allocate
- * extra space for the headers. */
- DtlsMsg* DtlsMsgNew(word32 sz, byte tx, void* heap)
- {
- DtlsMsg* msg;
- WOLFSSL_ENTER("DtlsMsgNew");
- (void)heap;
- msg = (DtlsMsg*)XMALLOC(sizeof(DtlsMsg), heap, DYNAMIC_TYPE_DTLS_MSG);
- if (msg != NULL) {
- XMEMSET(msg, 0, sizeof(DtlsMsg));
- msg->sz = sz;
- msg->type = no_shake;
- if (tx) {
- msg->raw = msg->fullMsg =
- (byte*)XMALLOC(sz + DTLS_HANDSHAKE_HEADER_SZ, heap,
- DYNAMIC_TYPE_DTLS_FRAG);
- msg->ready = 1;
- if (msg->raw == NULL) {
- DtlsMsgDelete(msg, heap);
- msg = NULL;
- }
- }
- }
- return msg;
- }
- void DtlsMsgDelete(DtlsMsg* item, void* heap)
- {
- (void)heap;
- WOLFSSL_ENTER("DtlsMsgDelete");
- if (item != NULL) {
- while (item->fragBucketList != NULL) {
- DtlsFragBucket* next = item->fragBucketList->m.m.next;
- DtlsMsgDestroyFragBucket(item->fragBucketList, heap);
- item->fragBucketList = next;
- }
- if (item->raw != NULL)
- XFREE(item->raw, heap, DYNAMIC_TYPE_DTLS_FRAG);
- XFREE(item, heap, DYNAMIC_TYPE_DTLS_MSG);
- }
- }
- void DtlsMsgListDelete(DtlsMsg* head, void* heap)
- {
- DtlsMsg* next;
- WOLFSSL_ENTER("DtlsMsgListDelete");
- while (head) {
- next = head->next;
- DtlsMsgDelete(head, heap);
- head = next;
- }
- }
- /**
- * Drop messages when they are no longer going to be retransmitted
- */
- void DtlsTxMsgListClean(WOLFSSL* ssl)
- {
- DtlsMsg* head = ssl->dtls_tx_msg_list;
- DtlsMsg* next;
- WOLFSSL_ENTER("DtlsTxMsgListClean");
- while (head) {
- next = head->next;
- if (VerifyForTxDtlsMsgDelete(ssl, head))
- DtlsMsgDelete(head, ssl->heap);
- else
- /* Stored packets should be in order so break on first failed
- * verify */
- break;
- ssl->dtls_tx_msg_list_sz--;
- head = next;
- }
- ssl->dtls_tx_msg_list = head;
- }
- static DtlsFragBucket* DtlsMsgCreateFragBucket(word32 offset, const byte* data,
- word32 dataSz, void* heap)
- {
- DtlsFragBucket* bucket =
- (DtlsFragBucket*)XMALLOC(sizeof(DtlsFragBucket) + dataSz, heap,
- DYNAMIC_TYPE_DTLS_FRAG);
- if (bucket != NULL) {
- XMEMSET(bucket, 0, sizeof(*bucket));
- bucket->m.m.next = NULL;
- bucket->m.m.offset = offset;
- bucket->m.m.sz = dataSz;
- if (data != NULL)
- XMEMCPY(bucket->buf, data, dataSz);
- }
- (void)heap;
- return bucket;
- }
- void DtlsMsgDestroyFragBucket(DtlsFragBucket* fragBucket, void* heap)
- {
- (void)heap;
- XFREE(fragBucket, heap, DYNAMIC_TYPE_DTLS_FRAG);
- }
- /*
- * data overlaps with cur but is before next.
- * data + dataSz has to end before or inside next. next can be NULL.
- */
- static DtlsFragBucket* DtlsMsgCombineFragBuckets(DtlsMsg* msg,
- DtlsFragBucket* cur, DtlsFragBucket* next, word32 offset,
- const byte* data, word32 dataSz, void* heap)
- {
- word32 offsetEnd = offset + dataSz;
- word32 newOffset = min(cur->m.m.offset, offset);
- word32 newOffsetEnd;
- word32 newSz;
- word32 overlapSz = cur->m.m.sz;
- DtlsFragBucket** chosenBucket;
- DtlsFragBucket* newBucket;
- DtlsFragBucket* otherBucket;
- byte combineNext = FALSE;
- if (next != NULL && offsetEnd >= next->m.m.offset)
- combineNext = TRUE;
- if (combineNext)
- newOffsetEnd = next->m.m.offset + next->m.m.sz;
- else
- newOffsetEnd = max(cur->m.m.offset + cur->m.m.sz, offsetEnd);
- newSz = newOffsetEnd - newOffset;
- /* Expand the larger bucket if data bridges the gap between cur and next */
- if (!combineNext || cur->m.m.sz >= next->m.m.sz) {
- chosenBucket = &cur;
- otherBucket = next;
- }
- else {
- chosenBucket = &next;
- otherBucket = cur;
- }
- {
- #ifdef XREALLOC
- DtlsFragBucket* tmp = (DtlsFragBucket*)XREALLOC(*chosenBucket,
- sizeof(DtlsFragBucket) + newSz, heap, DYNAMIC_TYPE_DTLS_FRAG);
- #else
- DtlsFragBucket* tmp = (DtlsFragBucket*)XMALLOC(
- sizeof(DtlsFragBucket) + newSz, heap, DYNAMIC_TYPE_DTLS_FRAG);
- #endif
- if (tmp == NULL)
- return NULL;
- #ifndef XREALLOC
- XMEMCPY(tmp, *chosenBucket, sizeof(DtlsFragBucket) +
- (*chosenBucket)->m.m.sz);
- #endif
- if (chosenBucket == &next) {
- /* Update the link */
- DtlsFragBucket* beforeNext = cur;
- while (beforeNext->m.m.next != next)
- beforeNext = beforeNext->m.m.next;
- beforeNext->m.m.next = tmp;
- }
- #ifndef XREALLOC
- XFREE(*chosenBucket, heap, DYNAMIC_TYPE_DTLS_FRAG);
- #endif
- newBucket = *chosenBucket = tmp;
- }
- if (combineNext) {
- /* Put next first since it will always be at the end. Use memmove since
- * newBucket may be next. */
- XMEMMOVE(newBucket->buf + (next->m.m.offset - newOffset), next->buf,
- next->m.m.sz);
- /* memory after newOffsetEnd is already copied. Don't do extra work. */
- newOffsetEnd = next->m.m.offset;
- }
- if (newOffset == offset) {
- /* data comes first */
- if (newOffsetEnd <= offsetEnd) {
- /* data encompasses cur. only copy data */
- XMEMCPY(newBucket->buf, data,
- min(dataSz, newOffsetEnd - newOffset));
- }
- else {
- /* data -> cur. memcpy as much possible as its faster. */
- XMEMMOVE(newBucket->buf + dataSz, cur->buf,
- cur->m.m.sz - (offsetEnd - cur->m.m.offset));
- XMEMCPY(newBucket->buf, data, dataSz);
- }
- }
- else {
- /* cur -> data */
- word32 curOffsetEnd = cur->m.m.offset + cur->m.m.sz;
- if (newBucket != cur)
- XMEMCPY(newBucket->buf, cur->buf, cur->m.m.sz);
- XMEMCPY(newBucket->buf + cur->m.m.sz,
- data + (curOffsetEnd - offset),
- newOffsetEnd - curOffsetEnd);
- }
- /* FINALLY the newBucket is populated correctly */
- /* All buckets up to and including next (if combining) have to be free'd */
- {
- DtlsFragBucket* toFree = cur->m.m.next;
- while (toFree != next) {
- DtlsFragBucket* n = toFree->m.m.next;
- overlapSz += toFree->m.m.sz;
- DtlsMsgDestroyFragBucket(toFree, heap);
- msg->fragBucketListCount--;
- toFree = n;
- }
- if (combineNext) {
- newBucket->m.m.next = next->m.m.next;
- overlapSz += next->m.m.sz;
- DtlsMsgDestroyFragBucket(otherBucket, heap);
- msg->fragBucketListCount--;
- }
- else {
- newBucket->m.m.next = next;
- }
- }
- /* Adjust size in msg */
- msg->bytesReceived += newSz - overlapSz;
- newBucket->m.m.offset = newOffset;
- newBucket->m.m.sz = newSz;
- return newBucket;
- }
- static void DtlsMsgAssembleCompleteMessage(DtlsMsg* msg)
- {
- DtlsHandShakeHeader* dtls;
- /* We have received all necessary fragments. Reconstruct the header. */
- if (msg->fragBucketListCount != 1 || msg->fragBucketList->m.m.offset != 0 ||
- msg->fragBucketList->m.m.sz != msg->sz) {
- WOLFSSL_MSG("Major error in fragment assembly logic");
- return;
- }
- /* Re-cycle the DtlsFragBucket as the buffer that holds the complete
- * handshake message and the header. */
- msg->raw = (byte*)msg->fragBucketList;
- msg->fullMsg = msg->fragBucketList->buf;
- msg->ready = 1;
- /* frag->padding makes sure we can fit the entire DTLS handshake header
- * before frag->buf */
- /* note the dtls pointer needs to be computed from msg->fragBucketList, not
- * from msg->fragBucketList->buf, to avoid a pointerOutOfBounds access
- * detected by cppcheck.
- *
- * also note, the (void *) intermediate cast is necessary to avoid a
- * potential -Wcast-align around alignment of DtlsHandShakeHeader exceeding
- * alignment of char.
- */
- dtls = (DtlsHandShakeHeader*)(void *)((char *)msg->fragBucketList
- + OFFSETOF(DtlsFragBucket,buf)
- - DTLS_HANDSHAKE_HEADER_SZ);
- msg->fragBucketList = NULL;
- msg->fragBucketListCount = 0;
- dtls->type = msg->type;
- c32to24(msg->sz, dtls->length);
- c16toa((word16)msg->seq, dtls->message_seq);
- c32to24(0, dtls->fragment_offset);
- c32to24(msg->sz, dtls->fragment_length);
- }
- int DtlsMsgSet(DtlsMsg* msg, word32 seq, word16 epoch, const byte* data, byte type,
- word32 fragOffset, word32 fragSz, void* heap, word32 totalLen)
- {
- word32 fragOffsetEnd = fragOffset + fragSz;
- WOLFSSL_ENTER("DtlsMsgSet");
- if (msg == NULL || data == NULL || msg->sz != totalLen ||
- fragOffsetEnd > totalLen) {
- WOLFSSL_ERROR_VERBOSE(BAD_FUNC_ARG);
- return BAD_FUNC_ARG;
- }
- if (msg->ready)
- return 0; /* msg is already complete */
- if (msg->type != no_shake) {
- /* msg is already populated with the correct seq, epoch, and type */
- if (msg->type != type || msg->epoch != epoch || msg->seq != seq) {
- WOLFSSL_ERROR_VERBOSE(SEQUENCE_ERROR);
- return SEQUENCE_ERROR;
- }
- }
- else {
- msg->type = type;
- msg->epoch = epoch;
- msg->seq = seq;
- }
- if (msg->fragBucketList == NULL) {
- /* Clean list. Create first fragment. */
- msg->fragBucketList = DtlsMsgCreateFragBucket(fragOffset, data, fragSz, heap);
- if (msg->fragBucketList != NULL) {
- msg->bytesReceived = fragSz;
- msg->fragBucketListCount++;
- }
- else {
- return MEMORY_ERROR;
- }
- }
- else {
- /* See if we can expand any existing bucket to fit this new data into */
- DtlsFragBucket* prev = NULL;
- DtlsFragBucket* cur = msg->fragBucketList;
- byte done = 0;
- for (; cur != NULL; prev = cur, cur = cur->m.m.next) {
- word32 curOffset = cur->m.m.offset;
- word32 curEnd = cur->m.m.offset + cur->m.m.sz;
- if (fragOffset >= curOffset && fragOffsetEnd <= curEnd) {
- /* We already have this fragment */
- done = 1;
- break;
- }
- else if (fragOffset <= curEnd) {
- /* found place to store fragment */
- break;
- }
- }
- if (!done) {
- if (cur == NULL) {
- /* We reached the end of the list. data is after and disjointed
- * from anything we have received so far. */
- if (msg->fragBucketListCount >= DTLS_FRAG_POOL_SZ) {
- WOLFSSL_ERROR_VERBOSE(DTLS_TOO_MANY_FRAGMENTS_E);
- return DTLS_TOO_MANY_FRAGMENTS_E;
- }
- prev->m.m.next =
- DtlsMsgCreateFragBucket(fragOffset, data, fragSz, heap);
- if (prev->m.m.next != NULL) {
- msg->bytesReceived += fragSz;
- msg->fragBucketListCount++;
- }
- }
- else if (prev == NULL && fragOffsetEnd < cur->m.m.offset) {
- /* This is the new first fragment we have received */
- if (msg->fragBucketListCount >= DTLS_FRAG_POOL_SZ) {
- WOLFSSL_ERROR_VERBOSE(DTLS_TOO_MANY_FRAGMENTS_E);
- return DTLS_TOO_MANY_FRAGMENTS_E;
- }
- msg->fragBucketList = DtlsMsgCreateFragBucket(fragOffset, data,
- fragSz, heap);
- if (msg->fragBucketList != NULL) {
- msg->fragBucketList->m.m.next = cur;
- msg->bytesReceived += fragSz;
- msg->fragBucketListCount++;
- }
- else {
- /* reset on error */
- msg->fragBucketList = cur;
- }
- }
- else {
- /* Find if this fragment overlaps with any more */
- DtlsFragBucket* next = cur->m.m.next;
- DtlsFragBucket** prev_next = prev != NULL
- ? &prev->m.m.next : &msg->fragBucketList;
- while (next != NULL &&
- (next->m.m.offset + next->m.m.sz) <= fragOffsetEnd)
- next = next->m.m.next;
- /* We can combine the buckets */
- *prev_next = DtlsMsgCombineFragBuckets(msg, cur, next,
- fragOffset, data, fragSz, heap);
- if (*prev_next == NULL) /* reset on error */
- *prev_next = cur;
- }
- }
- }
- if (msg->bytesReceived == msg->sz)
- DtlsMsgAssembleCompleteMessage(msg);
- return 0;
- }
- DtlsMsg* DtlsMsgFind(DtlsMsg* head, word16 epoch, word32 seq)
- {
- WOLFSSL_ENTER("DtlsMsgFind");
- while (head != NULL && !(head->epoch == epoch && head->seq == seq)) {
- head = head->next;
- }
- return head;
- }
- void DtlsMsgStore(WOLFSSL* ssl, word16 epoch, word32 seq, const byte* data,
- word32 dataSz, byte type, word32 fragOffset, word32 fragSz, void* heap)
- {
- /* See if seq exists in the list. If it isn't in the list, make
- * a new item of size dataSz, copy fragSz bytes from data to msg->msg
- * starting at offset fragOffset, and add fragSz to msg->fragSz. If
- * the seq is in the list and it isn't full, copy fragSz bytes from
- * data to msg->msg starting at offset fragOffset, and add fragSz to
- * msg->fragSz. Insertions take into account data already in the list
- * in case there are overlaps in the handshake message due to retransmit
- * messages. The new item should be inserted into the list in its
- * proper position.
- *
- * 1. Find seq in list, or where seq should go in list. If seq not in
- * list, create new item and insert into list. Either case, keep
- * pointer to item.
- * 2. Copy the data from the message to the stored message where it
- * belongs without overlaps.
- */
- DtlsMsg* head = ssl->dtls_rx_msg_list;
- WOLFSSL_ENTER("DtlsMsgStore");
- if (head != NULL) {
- DtlsMsg* cur = DtlsMsgFind(head, epoch, seq);
- if (cur == NULL) {
- cur = DtlsMsgNew(dataSz, 0, heap);
- if (cur != NULL) {
- if (DtlsMsgSet(cur, seq, epoch, data, type,
- fragOffset, fragSz, heap, dataSz) < 0) {
- DtlsMsgDelete(cur, heap);
- }
- else {
- ssl->dtls_rx_msg_list_sz++;
- head = DtlsMsgInsert(head, cur);
- }
- }
- }
- else {
- /* If this fails, the data is just dropped. */
- DtlsMsgSet(cur, seq, epoch, data, type, fragOffset,
- fragSz, heap, dataSz);
- }
- }
- else {
- head = DtlsMsgNew(dataSz, 0, heap);
- if (DtlsMsgSet(head, seq, epoch, data, type, fragOffset,
- fragSz, heap, dataSz) < 0) {
- DtlsMsgDelete(head, heap);
- head = NULL;
- }
- else {
- ssl->dtls_rx_msg_list_sz++;
- }
- }
- ssl->dtls_rx_msg_list = head;
- }
- /* DtlsMsgInsert() is an in-order insert. */
- DtlsMsg* DtlsMsgInsert(DtlsMsg* head, DtlsMsg* item)
- {
- WOLFSSL_ENTER("DtlsMsgInsert");
- if (head == NULL || (item->epoch <= head->epoch &&
- item->seq < head->seq)) {
- item->next = head;
- head = item;
- }
- else if (head->next == NULL) {
- head->next = item;
- }
- else {
- DtlsMsg* cur = head->next;
- DtlsMsg* prev = head;
- while (cur) {
- if (item->epoch <= cur->epoch &&
- item->seq < cur->seq) {
- item->next = cur;
- prev->next = item;
- break;
- }
- prev = cur;
- cur = cur->next;
- }
- if (cur == NULL) {
- prev->next = item;
- }
- }
- return head;
- }
- /**
- * DtlsMsgPoolSave() adds the message to the end of the stored transmit
- * list. Must be called BEFORE BuildMessage or DtlsSEQIncrement or
- * anything else that increments ssl->keys.dtls_handshake_number.
- */
- int DtlsMsgPoolSave(WOLFSSL* ssl, const byte* data, word32 dataSz,
- enum HandShakeType type)
- {
- DtlsMsg* item;
- int ret = 0;
- WOLFSSL_ENTER("DtlsMsgPoolSave");
- if (ssl->dtls_tx_msg_list_sz > DTLS_POOL_SZ) {
- WOLFSSL_ERROR(DTLS_POOL_SZ_E);
- return DTLS_POOL_SZ_E;
- }
- item = DtlsMsgNew(dataSz, 1, ssl->heap);
- if (item != NULL) {
- DtlsMsg* cur = ssl->dtls_tx_msg_list;
- XMEMCPY(item->raw, data, dataSz);
- item->epoch = ssl->keys.dtls_epoch;
- item->seq = ssl->keys.dtls_handshake_number;
- item->type = type;
- if (cur == NULL)
- ssl->dtls_tx_msg_list = item;
- else {
- while (cur->next)
- cur = cur->next;
- cur->next = item;
- }
- ssl->dtls_tx_msg_list_sz++;
- }
- else
- ret = MEMORY_E;
- WOLFSSL_LEAVE("DtlsMsgPoolSave()", ret);
- return ret;
- }
- /* DtlsMsgPoolTimeout() updates the timeout time. */
- int DtlsMsgPoolTimeout(WOLFSSL* ssl)
- {
- int result = -1;
- WOLFSSL_ENTER("DtlsMsgPoolTimeout");
- if (ssl->dtls_timeout < ssl->dtls_timeout_max) {
- ssl->dtls_timeout *= DTLS_TIMEOUT_MULTIPLIER;
- result = 0;
- }
- WOLFSSL_LEAVE("DtlsMsgPoolTimeout()", result);
- return result;
- }
- /* DtlsMsgPoolReset() deletes the stored transmit list. */
- void DtlsMsgPoolReset(WOLFSSL* ssl)
- {
- WOLFSSL_ENTER("DtlsMsgPoolReset");
- if (ssl->dtls_tx_msg_list) {
- DtlsMsgListDelete(ssl->dtls_tx_msg_list, ssl->heap);
- ssl->dtls_tx_msg_list = NULL;
- ssl->dtls_tx_msg = NULL;
- ssl->dtls_tx_msg_list_sz = 0;
- }
- }
- int VerifyForDtlsMsgPoolSend(WOLFSSL* ssl, byte type, word32 fragOffset)
- {
- /**
- * only the first message from previous flight should be valid
- * to be used for triggering retransmission of whole DtlsMsgPool.
- * change cipher suite type is not verified here
- */
- return ((fragOffset == 0) &&
- (((ssl->options.side == WOLFSSL_SERVER_END) &&
- ((type == client_hello) ||
- ((ssl->options.verifyPeer) && (type == certificate)) ||
- ((!ssl->options.verifyPeer) && (type == client_key_exchange)))) ||
- ((ssl->options.side == WOLFSSL_CLIENT_END) &&
- (type == hello_request || type == server_hello))));
- }
- /**
- * Verify if message `item` from `ssl->dtls_tx_msg_list` should be deleted
- * depending on the current state of the handshake negotiation.
- */
- int VerifyForTxDtlsMsgDelete(WOLFSSL* ssl, DtlsMsg* item)
- {
- WOLFSSL_ENTER("VerifyForTxDtlsMsgDelete");
- if (item->epoch < ssl->keys.dtls_epoch - 1)
- /* Messages not from current or previous epoch can be deleted */
- return 1;
- switch (ssl->options.side) {
- case WOLFSSL_CLIENT_END:
- if (item->type == client_hello &&
- ssl->options.serverState >= SERVER_HELLODONE_COMPLETE)
- return 1; /* client can forget first client_hello if received full
- * flight of packets from server */
- else
- return 0;
- case WOLFSSL_SERVER_END:
- if (ssl->options.clientState >= CLIENT_HELLO_COMPLETE &&
- item->type == hello_request)
- return 1; /* Server can forget HelloRequest if client sent a valid
- * ClientHello */
- if (ssl->options.clientState >= CLIENT_FINISHED_COMPLETE &&
- item->type <= server_hello_done)
- return 1; /* server can forget everything up to ServerHelloDone if
- * a client finished message has been received and
- * successfully processed */
- else
- return 0;
- default:
- return 0;
- }
- }
- /* DtlsMsgPoolSend() will send the stored transmit list. The stored list is
- * updated with new sequence numbers, and will be re-encrypted if needed. */
- int DtlsMsgPoolSend(WOLFSSL* ssl, int sendOnlyFirstPacket)
- {
- int ret = 0;
- DtlsMsg* pool;
- WOLFSSL_ENTER("DtlsMsgPoolSend");
- pool = ssl->dtls_tx_msg == NULL ? ssl->dtls_tx_msg_list : ssl->dtls_tx_msg;
- if (pool != NULL) {
- if ((ssl->options.side == WOLFSSL_SERVER_END &&
- !(ssl->options.acceptState == ACCEPT_BEGIN_RENEG ||
- ssl->options.acceptState == SERVER_HELLO_DONE ||
- ssl->options.acceptState == ACCEPT_FINISHED_DONE ||
- ssl->options.acceptState == ACCEPT_THIRD_REPLY_DONE)) ||
- (ssl->options.side == WOLFSSL_CLIENT_END &&
- !(ssl->options.connectState == CLIENT_HELLO_SENT ||
- ssl->options.connectState == HELLO_AGAIN_REPLY ||
- ssl->options.connectState == FINISHED_DONE ||
- ssl->options.connectState == SECOND_REPLY_DONE))) {
- WOLFSSL_ERROR(DTLS_RETX_OVER_TX);
- ssl->error = DTLS_RETX_OVER_TX;
- return WOLFSSL_FATAL_ERROR;
- }
- while (pool != NULL) {
- int epochOrder;
- if (pool->epoch == 0) {
- DtlsRecordLayerHeader* dtls;
- dtls = (DtlsRecordLayerHeader*)pool->raw;
- /* If the stored record's epoch is 0, and the currently set
- * epoch is 0, use the "current order" sequence number.
- * If the stored record's epoch is 0 and the currently set
- * epoch is not 0, the stored record is considered a "previous
- * order" sequence number. */
- epochOrder = (ssl->keys.dtls_epoch == 0) ?
- CUR_ORDER : PREV_ORDER;
- WriteSEQ(ssl, epochOrder, dtls->sequence_number);
- DtlsSEQIncrement(ssl, epochOrder);
- if ((ret = CheckAvailableSize(ssl, pool->sz)) != 0) {
- WOLFSSL_ERROR(ret);
- return ret;
- }
- XMEMCPY(ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.idx +
- ssl->buffers.outputBuffer.length,
- pool->raw, pool->sz);
- ssl->buffers.outputBuffer.length += pool->sz;
- }
- else {
- /* Handle sending packets from previous epoch */
- byte* input;
- byte* output;
- int inputSz, sendSz;
- input = pool->raw;
- inputSz = pool->sz;
- sendSz = inputSz + cipherExtraData(ssl);
- #ifdef HAVE_SECURE_RENEGOTIATION
- /*
- * CUR_ORDER will use ssl->secure_renegotiation from epoch 2+.
- * ssl->keys otherwise
- * PREV_ORDER will always use ssl->keys
- */
- if (DtlsSCRKeysSet(ssl)) {
- if (pool->epoch == ssl->secure_renegotiation->tmp_keys.dtls_epoch)
- epochOrder = CUR_ORDER;
- else
- epochOrder = PREV_ORDER;
- }
- else {
- epochOrder = CUR_ORDER;
- }
- #else
- epochOrder = CUR_ORDER;
- #endif
- /* add back in record header space from saved pool size */
- sendSz += DTLS_RECORD_HEADER_SZ;
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) {
- WOLFSSL_ERROR(ret);
- return ret;
- }
- output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- if (inputSz != ENUM_LEN)
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- handshake, 0, 0, 0, epochOrder);
- else
- /* inputSz == ENUM_LEN must mean that this is a change cipher
- * spec message */
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- change_cipher_spec, 0, 0, 0, epochOrder);
- if (sendSz < 0) {
- WOLFSSL_ERROR(BUILD_MSG_ERROR);
- return BUILD_MSG_ERROR;
- }
- ssl->buffers.outputBuffer.length += sendSz;
- }
- if (!ssl->options.groupMessages)
- ret = SendBuffered(ssl);
- /**
- * on server side, retransmission is being triggered only by sending
- * first message of given flight, in order to trigger client
- * to retransmit its whole flight. Sending the whole previous flight
- * could lead to retransmission of previous client flight for each
- * server message from previous flight. Therefore one message should
- * be enough to do the trick.
- */
- if (sendOnlyFirstPacket &&
- ssl->options.side == WOLFSSL_SERVER_END)
- pool = NULL;
- else
- pool = pool->next;
- ssl->dtls_tx_msg = pool;
- }
- if (ret == 0 && ssl->options.groupMessages)
- ret = SendBuffered(ssl);
- }
- WOLFSSL_LEAVE("DtlsMsgPoolSend()", ret);
- return ret;
- }
- #endif /* WOLFSSL_DTLS */
- #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
- ProtocolVersion MakeSSLv3(void)
- {
- ProtocolVersion pv;
- pv.major = SSLv3_MAJOR;
- pv.minor = SSLv3_MINOR;
- return pv;
- }
- #endif /* WOLFSSL_ALLOW_SSLV3 && !NO_OLD_TLS */
- #ifdef WOLFSSL_DTLS
- ProtocolVersion MakeDTLSv1(void)
- {
- ProtocolVersion pv;
- pv.major = DTLS_MAJOR;
- pv.minor = DTLS_MINOR;
- return pv;
- }
- #ifndef WOLFSSL_NO_TLS12
- ProtocolVersion MakeDTLSv1_2(void)
- {
- ProtocolVersion pv;
- pv.major = DTLS_MAJOR;
- pv.minor = DTLSv1_2_MINOR;
- return pv;
- }
- #endif /* !WOLFSSL_NO_TLS12 */
- #ifdef WOLFSSL_DTLS13
- ProtocolVersion MakeDTLSv1_3(void)
- {
- ProtocolVersion pv;
- pv.major = DTLS_MAJOR;
- pv.minor = DTLSv1_3_MINOR;
- return pv;
- }
- #endif /* WOLFSSL_DTLS13 */
- #endif /* WOLFSSL_DTLS */
- #ifndef NO_ASN_TIME
- #if defined(USER_TICKS)
- #if 0
- word32 LowResTimer(void)
- {
- /*
- write your own clock tick function if don't want time(0)
- needs second accuracy but doesn't have to correlated to EPOCH
- */
- }
- #endif
- #elif defined(TIME_OVERRIDES)
- #if !defined(NO_ASN) && !defined(NO_ASN_TIME)
- /* use same asn time overrides unless user wants tick override above */
- word32 LowResTimer(void)
- {
- return (word32) wc_Time(0);
- }
- #else
- #ifndef HAVE_TIME_T_TYPE
- typedef long time_t;
- #endif
- extern time_t XTIME(time_t * timer);
- word32 LowResTimer(void)
- {
- return (word32) XTIME(0);
- }
- #endif
- #elif defined(USE_WINDOWS_API)
- word32 LowResTimer(void)
- {
- static int init = 0;
- static LARGE_INTEGER freq;
- LARGE_INTEGER count;
- if (!init) {
- QueryPerformanceFrequency(&freq);
- init = 1;
- }
- QueryPerformanceCounter(&count);
- return (word32)(count.QuadPart / freq.QuadPart);
- }
- #elif defined(HAVE_RTP_SYS)
- #include "rtptime.h"
- word32 LowResTimer(void)
- {
- return (word32)rtp_get_system_sec();
- }
- #elif defined(WOLFSSL_DEOS)
- word32 LowResTimer(void)
- {
- const word32 systemTickTimeInHz = 1000000 / systemTickInMicroseconds();
- const volatile word32 *systemTickPtr = systemTickPointer();
- return (word32) *systemTickPtr/systemTickTimeInHz;
- }
- #elif defined(MICRIUM)
- word32 LowResTimer(void)
- {
- OS_TICK ticks = 0;
- OS_ERR err;
- ticks = OSTimeGet(&err);
- return (word32) (ticks / OSCfg_TickRate_Hz);
- }
- #elif defined(MICROCHIP_TCPIP_V5)
- word32 LowResTimer(void)
- {
- return (word32) (TickGet() / TICKS_PER_SECOND);
- }
- #elif defined(MICROCHIP_TCPIP)
- #if defined(MICROCHIP_MPLAB_HARMONY)
- #include <system/tmr/sys_tmr.h>
- word32 LowResTimer(void)
- {
- return (word32) (SYS_TMR_TickCountGet() /
- SYS_TMR_TickCounterFrequencyGet());
- }
- #else
- word32 LowResTimer(void)
- {
- return (word32) (SYS_TICK_Get() / SYS_TICK_TicksPerSecondGet());
- }
- #endif
- #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
- word32 LowResTimer(void)
- {
- TIME_STRUCT mqxTime;
- _time_get_elapsed(&mqxTime);
- return (word32) mqxTime.SECONDS;
- }
- #elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
- #include "include/task.h"
- unsigned int LowResTimer(void)
- {
- return (unsigned int)(((float)xTaskGetTickCount())/configTICK_RATE_HZ);
- }
- #elif defined(FREERTOS)
- #include "task.h"
- unsigned int LowResTimer(void)
- {
- return (unsigned int)(((float)xTaskGetTickCount())/configTICK_RATE_HZ);
- }
- #elif defined(FREESCALE_KSDK_BM)
- #include "lwip/sys.h" /* lwIP */
- word32 LowResTimer(void)
- {
- return sys_now()/1000;
- }
- #elif defined(WOLFSSL_TIRTOS)
- word32 LowResTimer(void)
- {
- return (word32) Seconds_get();
- }
- #elif defined(WOLFSSL_XILINX)
- #include "xrtcpsu.h"
- word32 LowResTimer(void)
- {
- XRtcPsu_Config* con;
- XRtcPsu rtc;
- con = XRtcPsu_LookupConfig(XPAR_XRTCPSU_0_DEVICE_ID);
- if (con != NULL) {
- if (XRtcPsu_CfgInitialize(&rtc, con, con->BaseAddr)
- == XST_SUCCESS) {
- return (word32)XRtcPsu_GetCurrentTime(&rtc);
- }
- else {
- WOLFSSL_MSG("Unable to initialize RTC");
- }
- }
- return 0;
- }
- #elif defined(WOLFSSL_UTASKER)
- word32 LowResTimer(void)
- {
- return (word32)(uTaskerSystemTick / TICK_RESOLUTION);
- }
- #elif defined(WOLFSSL_NUCLEUS_1_2)
- #define NU_TICKS_PER_SECOND 100
- word32 LowResTimer(void)
- {
- /* returns number of 10ms ticks, so 100 ticks/sec */
- return NU_Retrieve_Clock() / NU_TICKS_PER_SECOND;
- }
- #elif defined(WOLFSSL_APACHE_MYNEWT)
- #include "os/os_time.h"
- word32 LowResTimer(void)
- {
- word32 now;
- struct os_timeval tv;
- os_gettimeofday(&tv, NULL);
- now = (word32)tv.tv_sec;
- return now;
- }
- #elif defined(WOLFSSL_ZEPHYR)
- word32 LowResTimer(void)
- {
- return k_uptime_get() / 1000;
- }
- #elif defined(WOLFSSL_LINUXKM)
- word32 LowResTimer(void)
- {
- return (word32)time(NULL);
- }
- #else
- /* Posix style time */
- #if !defined(USER_TIME) && !defined(USE_WOLF_TM)
- #include <time.h>
- #endif
- word32 LowResTimer(void)
- {
- #if !defined(NO_ASN) && !defined(NO_ASN_TIME)
- return (word32)wc_Time(0);
- #else
- return (word32)XTIME(0);
- #endif
- }
- #endif
- #else
- /* user must supply timer function to return elapsed seconds:
- * word32 LowResTimer(void);
- */
- #endif /* !NO_ASN_TIME */
- #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
- ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
- (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
- /* Store the message for use with CertificateVerify using EdDSA.
- *
- * ssl SSL/TLS object.
- * data Message to store.
- * sz Size of message to store.
- * returns MEMORY_E if not able to reallocate, otherwise 0.
- */
- static int EdDSA_Update(WOLFSSL* ssl, const byte* data, int sz)
- {
- int ret = 0;
- byte* msgs;
- if (ssl->options.cacheMessages) {
- msgs = (byte*)XMALLOC(ssl->hsHashes->length + sz, ssl->heap,
- DYNAMIC_TYPE_HASHES);
- if (msgs == NULL)
- ret = MEMORY_E;
- if ((ret == 0) && (ssl->hsHashes->messages != NULL)) {
- XMEMCPY(msgs, ssl->hsHashes->messages, ssl->hsHashes->length);
- ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length);
- XFREE(ssl->hsHashes->messages, ssl->heap, DYNAMIC_TYPE_HASHES);
- }
- if (ret == 0) {
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("Handshake messages", msgs,
- ssl->hsHashes->length + sz);
- #endif
- ssl->hsHashes->messages = msgs;
- XMEMCPY(msgs + ssl->hsHashes->length, data, sz);
- ssl->hsHashes->prevLen = ssl->hsHashes->length;
- ssl->hsHashes->length += sz;
- }
- }
- return ret;
- }
- #endif /* (HAVE_ED25519 || HAVE_ED448) && !WOLFSSL_NO_CLIENT_AUTH */
- int HashRaw(WOLFSSL* ssl, const byte* data, int sz)
- {
- int ret = 0;
- #ifdef WOLFSSL_DEBUG_TLS
- byte digest[WC_MAX_DIGEST_SIZE];
- WOLFSSL_MSG("HashRaw:");
- WOLFSSL_MSG("Data:");
- WOLFSSL_BUFFER(data, sz);
- WOLFSSL_MSG("Hashes:");
- #endif
- (void)data;
- (void)sz;
- if (ssl->hsHashes == NULL) {
- return BAD_FUNC_ARG;
- }
- #if defined(WOLFSSL_RENESAS_TSIP_TLS)
- ret = tsip_StoreMessage(ssl, data, sz);
- if (ret != 0 && ret != CRYPTOCB_UNAVAILABLE) {
- return ret;
- }
- #endif /* WOLFSSL_RENESAS_TSIP_TLS */
- #ifndef NO_OLD_TLS
- #ifndef NO_SHA
- wc_ShaUpdate(&ssl->hsHashes->hashSha, data, sz);
- #endif
- #ifndef NO_MD5
- wc_Md5Update(&ssl->hsHashes->hashMd5, data, sz);
- #endif
- #endif /* NO_OLD_TLS */
- if (IsAtLeastTLSv1_2(ssl)) {
- #ifndef NO_SHA256
- ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, data, sz);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG("Sha256");
- wc_Sha256GetHash(&ssl->hsHashes->hashSha256, digest);
- WOLFSSL_BUFFER(digest, WC_SHA256_DIGEST_SIZE);
- #endif
- #endif
- #ifdef WOLFSSL_SHA384
- ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, data, sz);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG("Sha384");
- wc_Sha384GetHash(&ssl->hsHashes->hashSha384, digest);
- WOLFSSL_BUFFER(digest, WC_SHA384_DIGEST_SIZE);
- #endif
- #endif
- #ifdef WOLFSSL_SHA512
- ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, data, sz);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG("Sha512");
- wc_Sha512GetHash(&ssl->hsHashes->hashSha512, digest);
- WOLFSSL_BUFFER(digest, WC_SHA512_DIGEST_SIZE);
- #endif
- #endif
- #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
- ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
- (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
- ret = EdDSA_Update(ssl, data, sz);
- if (ret != 0)
- return ret;
- #endif
- }
- return ret;
- }
- /* add output to md5 and sha handshake hashes, exclude record header */
- int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz)
- {
- const byte* adj;
- if (ssl->hsHashes == NULL)
- return BAD_FUNC_ARG;
- adj = output + RECORD_HEADER_SZ + ivSz;
- sz -= RECORD_HEADER_SZ;
- #ifdef HAVE_FUZZER
- if (ssl->fuzzerCb)
- ssl->fuzzerCb(ssl, output, sz, FUZZ_HASH, ssl->fuzzerCtx);
- #endif
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- if (IsAtLeastTLSv1_3(ssl->version)) {
- #ifdef WOLFSSL_DTLS13
- word16 dtls_record_extra;
- dtls_record_extra = Dtls13GetRlHeaderLength(ssl, (byte)IsEncryptionOn(ssl, 1));
- dtls_record_extra -= RECORD_HEADER_SZ;
- adj += dtls_record_extra;
- sz -= dtls_record_extra;
- #endif /* WOLFSSL_DTLS13 */
- } else {
- adj += DTLS_RECORD_EXTRA;
- sz -= DTLS_RECORD_EXTRA;
- }
- }
- #endif
- return HashRaw(ssl, adj, sz);
- }
- /* add input to md5 and sha handshake hashes, include handshake header */
- int HashInput(WOLFSSL* ssl, const byte* input, int sz)
- {
- const byte* adj;
- if (ssl->hsHashes == NULL) {
- return BAD_FUNC_ARG;
- }
- adj = input - HANDSHAKE_HEADER_SZ;
- sz += HANDSHAKE_HEADER_SZ;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- adj -= DTLS_HANDSHAKE_EXTRA;
- sz += DTLS_HANDSHAKE_EXTRA;
- #ifdef WOLFSSL_DTLS13
- if (IsAtLeastTLSv1_3(ssl->version))
- return Dtls13HashHandshake(ssl, adj, (word16)sz);
- #endif /* WOLFSSL_DTLS13 */
- }
- #endif
- return HashRaw(ssl, adj, sz);
- }
- /* add record layer header for message */
- static void AddRecordHeader(byte* output, word32 length, byte type, WOLFSSL* ssl, int epochOrder)
- {
- RecordLayerHeader* rl;
- (void)epochOrder;
- /* record layer header */
- rl = (RecordLayerHeader*)output;
- if (rl == NULL) {
- return;
- }
- rl->type = type;
- rl->pvMajor = ssl->version.major; /* type and version same in each */
- #ifdef WOLFSSL_TLS13
- if (IsAtLeastTLSv1_3(ssl->version)) {
- rl->pvMinor = TLSv1_2_MINOR;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls)
- rl->pvMinor = DTLSv1_2_MINOR;
- #endif /* WOLFSSL_DTLS */
- }
- else
- #endif
- rl->pvMinor = ssl->version.minor;
- #ifdef WOLFSSL_ALTERNATIVE_DOWNGRADE
- if (ssl->options.side == WOLFSSL_CLIENT_END
- && ssl->options.connectState == CONNECT_BEGIN
- && !ssl->options.resuming) {
- rl->pvMinor = ssl->options.downgrade ? ssl->options.minDowngrade
- : ssl->version.minor;
- }
- #endif
- if (!ssl->options.dtls) {
- c16toa((word16)length, rl->length);
- }
- else {
- #ifdef WOLFSSL_DTLS
- DtlsRecordLayerHeader* dtls;
- /* dtls record layer header extensions */
- dtls = (DtlsRecordLayerHeader*)output;
- WriteSEQ(ssl, epochOrder, dtls->sequence_number);
- c16toa((word16)length, dtls->length);
- #endif
- }
- }
- #if !defined(WOLFSSL_NO_TLS12) || (defined(HAVE_SESSION_TICKET) && \
- !defined(NO_WOLFSSL_SERVER))
- /* add handshake header for message */
- static void AddHandShakeHeader(byte* output, word32 length,
- word32 fragOffset, word32 fragLength,
- byte type, WOLFSSL* ssl)
- {
- HandShakeHeader* hs;
- (void)fragOffset;
- (void)fragLength;
- (void)ssl;
- /* handshake header */
- hs = (HandShakeHeader*)output;
- if (hs == NULL)
- return;
- hs->type = type;
- c32to24(length, hs->length); /* type and length same for each */
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- DtlsHandShakeHeader* dtls;
- /* dtls handshake header extensions */
- dtls = (DtlsHandShakeHeader*)output;
- c16toa(ssl->keys.dtls_handshake_number++, dtls->message_seq);
- c32to24(fragOffset, dtls->fragment_offset);
- c32to24(fragLength, dtls->fragment_length);
- }
- #endif
- }
- /* add both headers for handshake message */
- static void AddHeaders(byte* output, word32 length, byte type, WOLFSSL* ssl)
- {
- word32 lengthAdj = HANDSHAKE_HEADER_SZ;
- word32 outputAdj = RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- lengthAdj += DTLS_HANDSHAKE_EXTRA;
- outputAdj += DTLS_RECORD_EXTRA;
- }
- #endif
- AddRecordHeader(output, length + lengthAdj, handshake, ssl, CUR_ORDER);
- AddHandShakeHeader(output + outputAdj, length, 0, length, type, ssl);
- }
- #endif /* !WOLFSSL_NO_TLS12 || (HAVE_SESSION_TICKET && !NO_WOLFSSL_SERVER) */
- #ifndef WOLFSSL_NO_TLS12
- #if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_SERVER) || \
- !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
- defined(WOLFSSL_DTLS)
- static void AddFragHeaders(byte* output, word32 fragSz, word32 fragOffset,
- word32 length, byte type, WOLFSSL* ssl)
- {
- word32 lengthAdj = HANDSHAKE_HEADER_SZ;
- word32 outputAdj = RECORD_HEADER_SZ;
- (void)fragSz;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- lengthAdj += DTLS_HANDSHAKE_EXTRA;
- outputAdj += DTLS_RECORD_EXTRA;
- }
- #endif
- AddRecordHeader(output, fragSz + lengthAdj, handshake, ssl, CUR_ORDER);
- AddHandShakeHeader(output + outputAdj, length, fragOffset, fragSz, type, ssl);
- }
- #endif /* NO_CERTS */
- #if !defined(NO_WOLFSSL_SERVER) || \
- (!defined(NO_WOLFSSL_CLIENT) && !defined(NO_CERTS) && \
- !defined(WOLFSSL_NO_CLIENT_AUTH))
- /**
- * Send the handshake message. This function handles fragmenting the message
- * so that it will fit into the desired MTU or the max fragment size.
- * @param ssl Connection object
- * @param input Input starting at the record layer header. This function
- * assumes that the appropriate record and handshake headers
- * are present. These headers must assume no fragmentation.
- * That is handled here.
- * @param inputSz Length of message excluding headers (this is the total
- * length of all fragments)
- * @param type Type of message being sent
- * @return 0 on success and negative otherwise
- */
- static int SendHandshakeMsg(WOLFSSL* ssl, byte* input, word32 inputSz,
- enum HandShakeType type, const char* packetName)
- {
- int maxFrag;
- int ret = 0;
- int headerSz;
- WOLFSSL_ENTER("SendHandshakeMsg");
- (void)type;
- (void)packetName;
- if (ssl == NULL || input == NULL)
- return BAD_FUNC_ARG;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls)
- headerSz = DTLS_RECORD_HEADER_SZ + DTLS_HANDSHAKE_HEADER_SZ;
- else
- #endif
- {
- /* In TLS we send one handshake header in total, not one
- * per fragment like in DTLS. The handshake header should
- * already be in the input buffer. */
- inputSz += HANDSHAKE_HEADER_SZ;
- headerSz = RECORD_HEADER_SZ;
- }
- maxFrag = wolfSSL_GetMaxFragSize(ssl, (int)inputSz);
- /* Make sure input is not the ssl output buffer as this
- * function doesn't handle that */
- if (input >= ssl->buffers.outputBuffer.buffer &&
- input < ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.bufferSize) {
- WOLFSSL_MSG("Can't use output buffer for input in SendHandshakeMsg");
- return BAD_FUNC_ARG;
- }
- if (!ssl->options.buildingMsg) {
- /* Hash it before the loop as we modify the input with
- * encryption on */
- ret = HashOutput(ssl, input, headerSz + (int)inputSz, 0);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_DTLS
- /* Decrement msg number so that we continue to use the
- * same msg number for this msg */
- if (ssl->options.dtls)
- ssl->keys.dtls_handshake_number--;
- #endif
- }
- while (ssl->fragOffset < inputSz) {
- byte* output;
- int outputSz;
- byte* data = input + ssl->fragOffset + headerSz;
- word32 fragSz = (word32)maxFrag;
- ssl->options.buildingMsg = 1;
- if (inputSz - ssl->fragOffset < fragSz)
- fragSz = inputSz - ssl->fragOffset;
- /* check for available size */
- outputSz = headerSz + fragSz;
- if (IsEncryptionOn(ssl, 1))
- outputSz += cipherExtraData(ssl);
- if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
- return ret;
- if (ssl->buffers.outputBuffer.buffer == NULL)
- return MEMORY_E;
- output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- if (IsEncryptionOn(ssl, 1)) {
- /* First we need to add the fragment header ourselves.
- * We do this in the input to minimize allocations */
- int dataSz = (int)fragSz;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- data -= DTLS_HANDSHAKE_HEADER_SZ;
- dataSz += DTLS_HANDSHAKE_HEADER_SZ;
- AddHandShakeHeader(data, inputSz, ssl->fragOffset, fragSz,
- type, ssl);
- ssl->keys.dtls_handshake_number--;
- }
- if (IsDtlsNotSctpMode(ssl) &&
- (ret = DtlsMsgPoolSave(ssl, data,
- fragSz + DTLS_HANDSHAKE_HEADER_SZ, type))
- != 0)
- return ret;
- #endif
- ret = BuildMessage(ssl, output, outputSz,
- data, dataSz, handshake, 0, 0, 0, CUR_ORDER);
- if (ret >= 0)
- outputSz = ret;
- else
- return ret;
- ret = 0;
- }
- else {
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls)
- AddFragHeaders(output, fragSz, ssl->fragOffset,
- inputSz, type, ssl);
- else
- #endif
- AddRecordHeader(output, fragSz, handshake, ssl, CUR_ORDER);
- XMEMCPY(output + headerSz, data, fragSz);
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- ssl->keys.dtls_handshake_number--;
- DtlsSEQIncrement(ssl, CUR_ORDER);
- }
- if (IsDtlsNotSctpMode(ssl)) {
- if ((ret = DtlsMsgPoolSave(ssl, output, headerSz + fragSz,
- type)) != 0) {
- return ret;
- }
- }
- #endif
- }
- ssl->buffers.outputBuffer.length += outputSz;
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn) {
- AddPacketName(ssl, packetName);
- }
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, packetName, handshake,
- output, outputSz, WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->fragOffset += fragSz;
- if (!ssl->options.groupMessages)
- ret = SendBuffered(ssl);
- if (ret != 0)
- return ret;
- }
- #ifdef WOLFSSL_DTLS
- /* Increment msg number once we sent all fragments */
- if (ssl->options.dtls)
- ssl->keys.dtls_handshake_number++;
- #endif
- ssl->fragOffset = 0;
- ssl->options.buildingMsg = 0;
- return ret;
- }
- #endif /* !NO_WOLFSSL_SERVER || (!NO_WOLFSSL_CLIENT && !NO_CERTS &&
- * !WOLFSSL_NO_CLIENT_AUTH) */
- #endif /* !WOLFSSL_NO_TLS12 */
- /* return bytes received, -1 on error */
- static int wolfSSLReceive(WOLFSSL* ssl, byte* buf, word32 sz)
- {
- int recvd;
- int retryLimit = WOLFSSL_MODE_AUTO_RETRY_ATTEMPTS;
- #ifdef WOLFSSL_QUIC
- if (WOLFSSL_IS_QUIC(ssl)) {
- /* QUIC only "reads" from data provided by the application
- * via wolfSSL_provide_quic_data(). Transfer from there
- * into the inputBuffer. */
- return wolfSSL_quic_receive(ssl, buf, sz);
- }
- #endif
- if (ssl->CBIORecv == NULL) {
- WOLFSSL_MSG("Your IO Recv callback is null, please set");
- return -1;
- }
- retry:
- recvd = ssl->CBIORecv(ssl, (char *)buf, (int)sz, ssl->IOCB_ReadCtx);
- if (recvd < 0) {
- switch (recvd) {
- case WOLFSSL_CBIO_ERR_GENERAL: /* general/unknown error */
- #ifdef WOLFSSL_APACHE_HTTPD
- #ifndef NO_BIO
- if (ssl->biord) {
- /* If retry and read flags are set, return WANT_READ */
- if ((ssl->biord->flags & WOLFSSL_BIO_FLAG_READ) &&
- (ssl->biord->flags & WOLFSSL_BIO_FLAG_RETRY)) {
- return WANT_READ;
- }
- }
- #endif
- #endif
- return -1;
- case WOLFSSL_CBIO_ERR_WANT_READ: /* want read, would block */
- if (retryLimit > 0 && ssl->ctx->autoRetry &&
- !ssl->options.handShakeDone && !ssl->options.dtls) {
- retryLimit--;
- goto retry;
- }
- return WANT_READ;
- case WOLFSSL_CBIO_ERR_CONN_RST: /* connection reset */
- #ifdef USE_WINDOWS_API
- if (ssl->options.dtls) {
- goto retry;
- }
- #endif
- ssl->options.connReset = 1;
- return -1;
- case WOLFSSL_CBIO_ERR_ISR: /* interrupt */
- /* see if we got our timeout */
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->toInfoOn) {
- struct itimerval timeout;
- getitimer(ITIMER_REAL, &timeout);
- if (timeout.it_value.tv_sec == 0 &&
- timeout.it_value.tv_usec == 0) {
- XSTRNCPY(ssl->timeoutInfo.timeoutName,
- "recv() timeout", MAX_TIMEOUT_NAME_SZ);
- ssl->timeoutInfo.timeoutName[
- MAX_TIMEOUT_NAME_SZ] = '\0';
- WOLFSSL_MSG("Got our timeout");
- return WANT_READ;
- }
- }
- #endif
- goto retry;
- case WOLFSSL_CBIO_ERR_CONN_CLOSE: /* peer closed connection */
- ssl->options.isClosed = 1;
- return -1;
- case WOLFSSL_CBIO_ERR_TIMEOUT:
- #ifdef WOLFSSL_DTLS
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version)) {
- /* TODO: support WANT_WRITE here */
- if (Dtls13RtxTimeout(ssl) < 0) {
- WOLFSSL_MSG(
- "Error trying to retransmit DTLS buffered message");
- return -1;
- }
- goto retry;
- }
- #endif /* WOLFSSL_DTLS13 */
- if (IsDtlsNotSctpMode(ssl) &&
- ssl->options.handShakeState != HANDSHAKE_DONE &&
- DtlsMsgPoolTimeout(ssl) == 0 &&
- DtlsMsgPoolSend(ssl, 0) == 0) {
- /* retry read for DTLS during handshake only */
- goto retry;
- }
- #endif
- return -1;
- default:
- WOLFSSL_MSG("Unexpected recv return code");
- return recvd;
- }
- }
- return recvd;
- }
- /* Switch dynamic output buffer back to static, buffer is assumed clear */
- void ShrinkOutputBuffer(WOLFSSL* ssl)
- {
- WOLFSSL_MSG("Shrinking output buffer");
- XFREE(ssl->buffers.outputBuffer.buffer - ssl->buffers.outputBuffer.offset,
- ssl->heap, DYNAMIC_TYPE_OUT_BUFFER);
- ssl->buffers.outputBuffer.buffer = ssl->buffers.outputBuffer.staticBuffer;
- ssl->buffers.outputBuffer.bufferSize = STATIC_BUFFER_LEN;
- ssl->buffers.outputBuffer.dynamicFlag = 0;
- ssl->buffers.outputBuffer.offset = 0;
- }
- /* Switch dynamic input buffer back to static, keep any remaining input */
- /* forced free means cleaning up */
- /* Be *CAREFUL* where this function is called. ProcessReply relies on
- * inputBuffer.idx *NOT* changing inside the ProcessReply function. ProcessReply
- * calls ShrinkInputBuffer itself when it is safe to do so. Don't overuse it. */
- void ShrinkInputBuffer(WOLFSSL* ssl, int forcedFree)
- {
- int usedLength = ssl->buffers.inputBuffer.length -
- ssl->buffers.inputBuffer.idx;
- if (!forcedFree && (usedLength > STATIC_BUFFER_LEN ||
- ssl->buffers.clearOutputBuffer.length > 0))
- return;
- WOLFSSL_MSG("Shrinking input buffer");
- if (!forcedFree && usedLength > 0) {
- XMEMCPY(ssl->buffers.inputBuffer.staticBuffer,
- ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx,
- usedLength);
- }
- ForceZero(ssl->buffers.inputBuffer.buffer,
- ssl->buffers.inputBuffer.length);
- XFREE(ssl->buffers.inputBuffer.buffer - ssl->buffers.inputBuffer.offset,
- ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer;
- ssl->buffers.inputBuffer.bufferSize = STATIC_BUFFER_LEN;
- ssl->buffers.inputBuffer.dynamicFlag = 0;
- ssl->buffers.inputBuffer.offset = 0;
- ssl->buffers.inputBuffer.idx = 0;
- ssl->buffers.inputBuffer.length = usedLength;
- }
- int SendBuffered(WOLFSSL* ssl)
- {
- if (ssl->CBIOSend == NULL && !WOLFSSL_IS_QUIC(ssl)) {
- WOLFSSL_MSG("Your IO Send callback is null, please set");
- return SOCKET_ERROR_E;
- }
- #ifdef WOLFSSL_DEBUG_TLS
- if (ssl->buffers.outputBuffer.idx == 0) {
- WOLFSSL_MSG("Data to send");
- WOLFSSL_BUFFER(ssl->buffers.outputBuffer.buffer,
- ssl->buffers.outputBuffer.length);
- }
- #endif
- #ifdef WOLFSSL_QUIC
- if (WOLFSSL_IS_QUIC(ssl)) {
- return wolfSSL_quic_send(ssl);
- }
- #endif
- while (ssl->buffers.outputBuffer.length > 0) {
- int sent = ssl->CBIOSend(ssl,
- (char*)ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.idx,
- (int)ssl->buffers.outputBuffer.length,
- ssl->IOCB_WriteCtx);
- if (sent < 0) {
- switch (sent) {
- case WOLFSSL_CBIO_ERR_WANT_WRITE: /* would block */
- return WANT_WRITE;
- case WOLFSSL_CBIO_ERR_CONN_RST: /* connection reset */
- ssl->options.connReset = 1;
- break;
- case WOLFSSL_CBIO_ERR_ISR: /* interrupt */
- /* see if we got our timeout */
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->toInfoOn) {
- struct itimerval timeout;
- getitimer(ITIMER_REAL, &timeout);
- if (timeout.it_value.tv_sec == 0 &&
- timeout.it_value.tv_usec == 0) {
- XSTRNCPY(ssl->timeoutInfo.timeoutName,
- "send() timeout", MAX_TIMEOUT_NAME_SZ);
- ssl->timeoutInfo.timeoutName[
- MAX_TIMEOUT_NAME_SZ] = '\0';
- WOLFSSL_MSG("Got our timeout");
- return WANT_WRITE;
- }
- }
- #endif
- continue;
- case WOLFSSL_CBIO_ERR_CONN_CLOSE: /* epipe / conn closed */
- ssl->options.connReset = 1; /* treat same as reset */
- break;
- default:
- return SOCKET_ERROR_E;
- }
- return SOCKET_ERROR_E;
- }
- if (sent > (int)ssl->buffers.outputBuffer.length) {
- WOLFSSL_MSG("SendBuffered() out of bounds read");
- return SEND_OOB_READ_E;
- }
- ssl->buffers.outputBuffer.idx += sent;
- ssl->buffers.outputBuffer.length -= sent;
- }
- ssl->buffers.outputBuffer.idx = 0;
- if (ssl->buffers.outputBuffer.dynamicFlag)
- ShrinkOutputBuffer(ssl);
- return 0;
- }
- /* Grow the output buffer */
- static WC_INLINE int GrowOutputBuffer(WOLFSSL* ssl, int size)
- {
- byte* tmp;
- #if WOLFSSL_GENERAL_ALIGNMENT > 0
- byte hdrSz = ssl->options.dtls ? DTLS_RECORD_HEADER_SZ :
- RECORD_HEADER_SZ;
- byte align = WOLFSSL_GENERAL_ALIGNMENT;
- #else
- const byte align = WOLFSSL_GENERAL_ALIGNMENT;
- #endif
- #if WOLFSSL_GENERAL_ALIGNMENT > 0
- /* the encrypted data will be offset from the front of the buffer by
- the header, if the user wants encrypted alignment they need
- to define their alignment requirement */
- while (align < hdrSz)
- align *= 2;
- #endif
- tmp = (byte*)XMALLOC(size + ssl->buffers.outputBuffer.length + align,
- ssl->heap, DYNAMIC_TYPE_OUT_BUFFER);
- WOLFSSL_MSG("growing output buffer");
- if (tmp == NULL)
- return MEMORY_E;
- #if WOLFSSL_GENERAL_ALIGNMENT > 0
- if (align)
- tmp += align - hdrSz;
- #endif
- #ifdef WOLFSSL_STATIC_MEMORY
- /* can be from IO memory pool which does not need copy if same buffer */
- if (ssl->buffers.outputBuffer.length &&
- tmp == ssl->buffers.outputBuffer.buffer) {
- ssl->buffers.outputBuffer.bufferSize =
- size + ssl->buffers.outputBuffer.length;
- return 0;
- }
- #endif
- if (ssl->buffers.outputBuffer.length)
- XMEMCPY(tmp, ssl->buffers.outputBuffer.buffer,
- ssl->buffers.outputBuffer.length);
- if (ssl->buffers.outputBuffer.dynamicFlag) {
- XFREE(ssl->buffers.outputBuffer.buffer -
- ssl->buffers.outputBuffer.offset, ssl->heap,
- DYNAMIC_TYPE_OUT_BUFFER);
- }
- ssl->buffers.outputBuffer.dynamicFlag = 1;
- #if WOLFSSL_GENERAL_ALIGNMENT > 0
- if (align)
- ssl->buffers.outputBuffer.offset = align - hdrSz;
- else
- #endif
- ssl->buffers.outputBuffer.offset = 0;
- ssl->buffers.outputBuffer.buffer = tmp;
- ssl->buffers.outputBuffer.bufferSize = size +
- ssl->buffers.outputBuffer.length;
- return 0;
- }
- /* Grow the input buffer, should only be to read cert or big app data */
- int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength)
- {
- byte* tmp;
- #if defined(WOLFSSL_DTLS) || WOLFSSL_GENERAL_ALIGNMENT > 0
- byte align = ssl->options.dtls ? WOLFSSL_GENERAL_ALIGNMENT : 0;
- byte hdrSz = DTLS_RECORD_HEADER_SZ;
- #else
- const byte align = WOLFSSL_GENERAL_ALIGNMENT;
- #endif
- #if defined(WOLFSSL_DTLS) || WOLFSSL_GENERAL_ALIGNMENT > 0
- /* the encrypted data will be offset from the front of the buffer by
- the dtls record header, if the user wants encrypted alignment they need
- to define their alignment requirement. in tls we read record header
- to get size of record and put actual data back at front, so don't need */
- if (align) {
- while (align < hdrSz)
- align *= 2;
- }
- #endif
- if (usedLength < 0 || size < 0) {
- WOLFSSL_MSG("GrowInputBuffer() called with negative number");
- return BAD_FUNC_ARG;
- }
- tmp = (byte*)XMALLOC(size + usedLength + align,
- ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- WOLFSSL_MSG("growing input buffer");
- if (tmp == NULL)
- return MEMORY_E;
- #if defined(WOLFSSL_DTLS) || WOLFSSL_GENERAL_ALIGNMENT > 0
- if (align)
- tmp += align - hdrSz;
- #endif
- #ifdef WOLFSSL_STATIC_MEMORY
- /* can be from IO memory pool which does not need copy if same buffer */
- if (usedLength && tmp == ssl->buffers.inputBuffer.buffer) {
- ssl->buffers.inputBuffer.bufferSize = size + usedLength;
- ssl->buffers.inputBuffer.idx = 0;
- ssl->buffers.inputBuffer.length = usedLength;
- return 0;
- }
- #endif
- if (usedLength)
- XMEMCPY(tmp, ssl->buffers.inputBuffer.buffer +
- ssl->buffers.inputBuffer.idx, usedLength);
- if (ssl->buffers.inputBuffer.dynamicFlag) {
- if (IsEncryptionOn(ssl, 1)) {
- ForceZero(ssl->buffers.inputBuffer.buffer,
- ssl->buffers.inputBuffer.length);
- }
- XFREE(ssl->buffers.inputBuffer.buffer - ssl->buffers.inputBuffer.offset,
- ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- }
- ssl->buffers.inputBuffer.dynamicFlag = 1;
- #if defined(WOLFSSL_DTLS) || WOLFSSL_GENERAL_ALIGNMENT > 0
- if (align)
- ssl->buffers.inputBuffer.offset = align - hdrSz;
- else
- #endif
- ssl->buffers.inputBuffer.offset = 0;
- ssl->buffers.inputBuffer.buffer = tmp;
- ssl->buffers.inputBuffer.bufferSize = size + usedLength;
- ssl->buffers.inputBuffer.idx = 0;
- ssl->buffers.inputBuffer.length = usedLength;
- return 0;
- }
- /* Check available size into output buffer, make room if needed.
- * This function needs to be called before anything gets put
- * into the output buffers since it flushes pending data if it
- * predicts that the msg will exceed MTU. */
- int CheckAvailableSize(WOLFSSL *ssl, int size)
- {
- if (size < 0) {
- WOLFSSL_MSG("CheckAvailableSize() called with negative number");
- return BAD_FUNC_ARG;
- }
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- if (size + ssl->buffers.outputBuffer.length -
- ssl->buffers.outputBuffer.idx >
- #if defined(WOLFSSL_SCTP) || defined(WOLFSSL_DTLS_MTU)
- ssl->dtlsMtuSz
- #else
- ssl->dtls_expected_rx
- #endif
- ) {
- int ret;
- WOLFSSL_MSG("CheckAvailableSize() flushing buffer "
- "to make room for new message");
- if ((ret = SendBuffered(ssl)) != 0) {
- return ret;
- }
- }
- if (size > (int)
- #if defined(WOLFSSL_SCTP) || defined(WOLFSSL_DTLS_MTU)
- ssl->dtlsMtuSz
- #else
- ssl->dtls_expected_rx
- #endif
- #ifdef WOLFSSL_DTLS13
- /* DTLS1.3 uses the output buffer to store the full message and deal
- with fragmentation later in dtls13HandshakeSend() */
- && !IsAtLeastTLSv1_3(ssl->version)
- #endif /* WOLFSSL_DTLS13 */
- ) {
- WOLFSSL_MSG("CheckAvailableSize() called with size greater than MTU.");
- return DTLS_SIZE_ERROR;
- }
- }
- #endif
- if (ssl->buffers.outputBuffer.bufferSize - ssl->buffers.outputBuffer.length
- < (word32)size) {
- if (GrowOutputBuffer(ssl, size) < 0)
- return MEMORY_E;
- }
- return 0;
- }
- #ifdef WOLFSSL_DTLS13
- static int GetInputData(WOLFSSL *ssl, word32 size);
- static int GetDtls13RecordHeader(WOLFSSL* ssl, word32* inOutIdx,
- RecordLayerHeader* rh, word16* size)
- {
- Dtls13UnifiedHdrInfo hdrInfo;
- w64wrapper epochNumber;
- byte epochBits;
- int readSize;
- int ret;
- readSize = ssl->buffers.inputBuffer.length - *inOutIdx;
- if (readSize < DTLS_UNIFIED_HEADER_MIN_SZ)
- return BUFFER_ERROR;
- epochBits = *(ssl->buffers.inputBuffer.buffer + *inOutIdx) & EE_MASK;
- ret = Dtls13ReconstructEpochNumber(ssl, epochBits, &epochNumber);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG_EX("reconstructed epoch number: %ld",
- epochNumber);
- #endif /* WOLFSSL_DEBUG_TLS */
- /* protected records always use unified_headers in DTLSv1.3 */
- if (w64IsZero(epochNumber))
- return SEQUENCE_ERROR;
- if (ssl->dtls13DecryptEpoch == NULL)
- return BAD_STATE_E;
- #ifdef WOLFSSL_EARLY_DATA
- if (w64Equal(epochNumber, w64From32(0x0, DTLS13_EPOCH_EARLYDATA)) &&
- ssl->options.handShakeDone) {
- WOLFSSL_MSG("discarding early data after handshake");
- return SEQUENCE_ERROR;
- }
- #endif /* WOLFSSL_DTLS13 */
- if (!w64Equal(ssl->dtls13DecryptEpoch->epochNumber, epochNumber)) {
- ret = Dtls13SetEpochKeys(ssl, epochNumber, DECRYPT_SIDE_ONLY);
- if (ret != 0)
- return SEQUENCE_ERROR;
- }
- ret = Dtls13GetUnifiedHeaderSize(ssl,
- *(ssl->buffers.inputBuffer.buffer+*inOutIdx), &ssl->dtls13CurRlLength);
- if (ret != 0)
- return ret;
- if (readSize < ssl->dtls13CurRlLength + DTLS13_RN_MASK_SIZE) {
- /* when using DTLS over a medium that does not guarantee that a full
- * message is received in a single read, we may end up without the full
- * header and minimum ciphertext to decrypt record sequence numbers */
- ret = GetInputData(ssl, ssl->dtls13CurRlLength + DTLS13_RN_MASK_SIZE);
- if (ret != 0)
- return ret;
- readSize = ssl->buffers.inputBuffer.length - *inOutIdx;
- }
- ret = Dtls13ParseUnifiedRecordLayer(ssl,
- ssl->buffers.inputBuffer.buffer + *inOutIdx, (word16)readSize,
- &hdrInfo);
- if (ret != 0)
- return ret;
- *size = hdrInfo.recordLength;
- c16toa(*size, rh->length);
- /* type is implicit */
- rh->type = application_data;
- /* version is implicit */
- rh->pvMajor = ssl->version.major;
- rh->pvMinor = DTLSv1_2_MINOR;
- ssl->keys.curEpoch64 = epochNumber;
- ret = Dtls13ReconstructSeqNumber(ssl, &hdrInfo, &ssl->keys.curSeq);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG_EX("reconstructed seq number: %ld",
- ssl->keys.curSeq);
- #endif /* WOLFSSL_DEBUG_TLS */
- XMEMCPY(ssl->dtls13CurRL, ssl->buffers.inputBuffer.buffer + *inOutIdx,
- ssl->dtls13CurRlLength);
- *inOutIdx += ssl->dtls13CurRlLength;
- return 0;
- }
- #endif /* WOLFSSL_DTLS13 */
- #ifdef WOLFSSL_DTLS
- static int GetDtlsRecordHeader(WOLFSSL* ssl, word32* inOutIdx,
- RecordLayerHeader* rh, word16* size)
- {
- #ifdef HAVE_FUZZER
- if (ssl->fuzzerCb)
- ssl->fuzzerCb(ssl, ssl->buffers.inputBuffer.buffer + *inOutIdx,
- DTLS_RECORD_HEADER_SZ, FUZZ_HEAD, ssl->fuzzerCtx);
- #endif
- #ifdef WOLFSSL_DTLS13
- int ret;
- if (Dtls13IsUnifiedHeader(*(ssl->buffers.inputBuffer.buffer + *inOutIdx))) {
- /* version 1.3 already negotiated */
- if (ssl->options.tls1_3) {
- ret = GetDtls13RecordHeader(ssl, inOutIdx, rh, size);
- if (ret == 0 || ret != SEQUENCE_ERROR || ret != DTLS_CID_ERROR)
- return ret;
- }
- #ifndef NO_WOLFSSL_CLIENT
- if (ssl->options.side == WOLFSSL_CLIENT_END
- && ssl->options.serverState < SERVER_HELLO_COMPLETE
- && IsAtLeastTLSv1_3(ssl->version)
- && !ssl->options.handShakeDone) {
- /* we may have lost ServerHello. Try to send a empty ACK to shortcut
- Server retransmission timer */
- ssl->dtls13Rtx.sendAcks = 1;
- }
- #endif
- return SEQUENCE_ERROR;
- }
- /* not a unified header, check that we have at least
- * DTLS_RECORD_HEADER_SZ */
- if (ssl->buffers.inputBuffer.length - *inOutIdx < DTLS_RECORD_HEADER_SZ) {
- ret = GetInputData(ssl, DTLS_RECORD_HEADER_SZ);
- if (ret != 0)
- return LENGTH_ERROR;
- }
- #endif /* WOLFSSL_DTLS13 */
- /* type and version in same spot */
- XMEMCPY(rh, ssl->buffers.inputBuffer.buffer + *inOutIdx,
- ENUM_LEN + VERSION_SZ);
- *inOutIdx += ENUM_LEN + VERSION_SZ;
- ato16(ssl->buffers.inputBuffer.buffer + *inOutIdx, &ssl->keys.curEpoch);
- #ifdef WOLFSSL_DTLS13
- /* only non protected message can use the DTLSPlaintext record header */
- if (IsAtLeastTLSv1_3(ssl->version)) {
- if (ssl->keys.curEpoch != 0)
- return SEQUENCE_ERROR;
- w64Zero(&ssl->keys.curEpoch64);
- if (!w64IsZero(ssl->dtls13DecryptEpoch->epochNumber))
- Dtls13SetEpochKeys(ssl, ssl->keys.curEpoch64, DECRYPT_SIDE_ONLY);
- }
- #endif /* WOLFSSL_DTLS13 */
- *inOutIdx += OPAQUE16_LEN;
- if (ssl->options.haveMcast) {
- #ifdef WOLFSSL_MULTICAST
- ssl->keys.curPeerId = ssl->buffers.inputBuffer.buffer[*inOutIdx];
- ssl->keys.curSeq_hi = ssl->buffers.inputBuffer.buffer[*inOutIdx+1];
- #endif
- }
- else
- ato16(ssl->buffers.inputBuffer.buffer + *inOutIdx, &ssl->keys.curSeq_hi);
- *inOutIdx += OPAQUE16_LEN;
- ato32(ssl->buffers.inputBuffer.buffer + *inOutIdx, &ssl->keys.curSeq_lo);
- *inOutIdx += OPAQUE32_LEN; /* advance past rest of seq */
- #ifdef WOLFSSL_DTLS13
- /* DTLSv1.3 PlainText records use DTLSv1.2 sequence number encoding. Update
- the DTLv1.3 word64 version as well */
- ssl->keys.curSeq = w64From32(ssl->keys.curSeq_hi, ssl->keys.curSeq_lo);
- #endif /* WOLFSSL_DTLS13 */
- ato16(ssl->buffers.inputBuffer.buffer + *inOutIdx, size);
- *inOutIdx += LENGTH_SZ;
- return 0;
- }
- #endif /* WOLFSSL_DTLS */
- /* do all verify and sanity checks on record header */
- static int GetRecordHeader(WOLFSSL* ssl, word32* inOutIdx,
- RecordLayerHeader* rh, word16 *size)
- {
- byte tls12minor = 0;
- #ifdef OPENSSL_ALL
- word32 start = *inOutIdx;
- #endif
- (void)tls12minor;
- if (!ssl->options.dtls) {
- #ifdef HAVE_FUZZER
- if (ssl->fuzzerCb)
- ssl->fuzzerCb(ssl, ssl->buffers.inputBuffer.buffer + *inOutIdx,
- RECORD_HEADER_SZ, FUZZ_HEAD, ssl->fuzzerCtx);
- #endif
- XMEMCPY(rh, ssl->buffers.inputBuffer.buffer + *inOutIdx, RECORD_HEADER_SZ);
- *inOutIdx += RECORD_HEADER_SZ;
- ato16(rh->length, size);
- }
- else {
- #ifdef WOLFSSL_DTLS
- int ret = GetDtlsRecordHeader(ssl, inOutIdx, rh, size);
- if (ret != 0)
- return ret;
- #endif
- }
- #ifdef WOLFSSL_DTLS
- /* DTLSv1.3 MUST check window after deprotecting to avoid timing channel
- (RFC9147 Section 4.5.1) */
- if (IsDtlsNotSctpMode(ssl) && !IsAtLeastTLSv1_3(ssl->version)) {
- if (!_DtlsCheckWindow(ssl) ||
- (rh->type == application_data && ssl->keys.curEpoch == 0) ||
- (rh->type == alert && ssl->options.handShakeDone &&
- ssl->keys.curEpoch == 0 && ssl->keys.dtls_epoch != 0)) {
- WOLFSSL_LEAVE("GetRecordHeader()", SEQUENCE_ERROR);
- return SEQUENCE_ERROR;
- }
- }
- #endif
- #if defined(WOLFSSL_DTLS13) || defined(WOLFSSL_TLS13)
- tls12minor = TLSv1_2_MINOR;
- #endif
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- tls12minor = DTLSv1_2_MINOR;
- #endif /* WOLFSSL_DTLS13 */
- /* catch version mismatch */
- #ifndef WOLFSSL_TLS13
- if (rh->pvMajor != ssl->version.major || rh->pvMinor != ssl->version.minor)
- #else
- if (rh->pvMajor != ssl->version.major ||
- (rh->pvMinor != ssl->version.minor &&
- (!IsAtLeastTLSv1_3(ssl->version) || rh->pvMinor != tls12minor)
- ))
- #endif
- {
- if (ssl->options.side == WOLFSSL_SERVER_END &&
- ssl->options.acceptState < ACCEPT_FIRST_REPLY_DONE)
- WOLFSSL_MSG("Client attempting to connect with different version");
- else if (ssl->options.side == WOLFSSL_CLIENT_END &&
- ssl->options.downgrade &&
- ssl->options.connectState < FIRST_REPLY_DONE)
- WOLFSSL_MSG("Server attempting to accept with different version");
- else if (ssl->options.dtls && rh->type == handshake)
- /* Check the DTLS handshake message RH version later. */
- WOLFSSL_MSG("DTLS handshake, skip RH version number check");
- #ifdef WOLFSSL_DTLS13
- else if (ssl->options.dtls && !ssl->options.handShakeDone) {
- /* we may have lost the ServerHello and this is a unified record
- before version been negotiated */
- if (Dtls13IsUnifiedHeader(*ssl->buffers.inputBuffer.buffer)) {
- return SEQUENCE_ERROR;
- }
- }
- #endif /* WOLFSSL_DTLS13 */
- else {
- WOLFSSL_MSG("SSL version error");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR; /* only use requested version */
- }
- }
- /* record layer length check */
- #ifdef HAVE_MAX_FRAGMENT
- if (*size > (ssl->max_fragment + MAX_COMP_EXTRA + MAX_MSG_EXTRA)) {
- WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
- return LENGTH_ERROR;
- }
- #else
- if (*size > (MAX_RECORD_SIZE + MAX_COMP_EXTRA + MAX_MSG_EXTRA)) {
- WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
- return LENGTH_ERROR;
- }
- #endif
- if (*size == 0 && rh->type != application_data) {
- WOLFSSL_MSG("0 length, non-app data record.");
- WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
- return LENGTH_ERROR;
- }
- /* verify record type here as well */
- switch (rh->type) {
- case handshake:
- case change_cipher_spec:
- case application_data:
- case alert:
- #ifdef WOLFSSL_DTLS13
- case ack:
- #endif /* WOLFSSL_DTLS13 */
- break;
- case no_type:
- default:
- #ifdef OPENSSL_ALL
- if (!ssl->options.dtls) {
- char *method = (char*)ssl->buffers.inputBuffer.buffer + start;
- /* Attempt to identify if this is a plain HTTP request.
- * No size checks because this function assumes at least
- * RECORD_HEADER_SZ size of data has been read which is
- * also the longest string comparison in this if. */
- if (XSTRNCMP(method, "GET ", XSTR_SIZEOF("GET ")) == 0 ||
- XSTRNCMP(method, "POST ", XSTR_SIZEOF("POST ")) == 0 ||
- XSTRNCMP(method, "HEAD ", XSTR_SIZEOF("HEAD ")) == 0 ||
- XSTRNCMP(method, "PUT ", XSTR_SIZEOF("PUT ")) == 0) {
- WOLFSSL_MSG("Plain HTTP request detected");
- return SSL_R_HTTP_REQUEST;
- }
- }
- #endif
- WOLFSSL_MSG("Unknown Record Type");
- WOLFSSL_ERROR_VERBOSE(UNKNOWN_RECORD_TYPE);
- return UNKNOWN_RECORD_TYPE;
- }
- /* haven't decrypted this record yet */
- ssl->keys.decryptedCur = 0;
- return 0;
- }
- #ifndef WOLFSSL_NO_TLS12
- static int GetHandShakeHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
- byte *type, word32 *size, word32 totalSz)
- {
- const byte *ptr = input + *inOutIdx;
- (void)ssl;
- *inOutIdx += HANDSHAKE_HEADER_SZ;
- if (*inOutIdx > totalSz)
- return BUFFER_E;
- *type = ptr[0];
- c24to32(&ptr[1], size);
- return 0;
- }
- #endif
- #ifdef WOLFSSL_DTLS
- int GetDtlsHandShakeHeader(WOLFSSL* ssl, const byte* input,
- word32* inOutIdx, byte *type, word32 *size,
- word32 *fragOffset, word32 *fragSz,
- word32 totalSz)
- {
- word32 idx = *inOutIdx;
- *inOutIdx += HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA;
- if (*inOutIdx > totalSz) {
- WOLFSSL_ERROR(BUFFER_E);
- return BUFFER_E;
- }
- *type = input[idx++];
- c24to32(input + idx, size);
- idx += OPAQUE24_LEN;
- ato16(input + idx, &ssl->keys.dtls_peer_handshake_number);
- idx += DTLS_HANDSHAKE_SEQ_SZ;
- c24to32(input + idx, fragOffset);
- idx += DTLS_HANDSHAKE_FRAG_SZ;
- c24to32(input + idx, fragSz);
- if ((ssl->curRL.pvMajor != ssl->version.major) ||
- (!IsAtLeastTLSv1_3(ssl->version) && ssl->curRL.pvMinor != ssl->version.minor) ||
- (IsAtLeastTLSv1_3(ssl->version) && ssl->curRL.pvMinor != DTLSv1_2_MINOR)
- ) {
- if (*type != client_hello && *type != hello_verify_request && *type != server_hello) {
- WOLFSSL_ERROR(VERSION_ERROR);
- return VERSION_ERROR;
- }
- else {
- WOLFSSL_MSG("DTLS Handshake ignoring hello or verify version");
- }
- }
- return 0;
- }
- #endif
- #if !defined(NO_OLD_TLS) || \
- (defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_TLS_SHA1))
- /* fill with MD5 pad size since biggest required */
- static const byte PAD1[PAD_MD5] =
- { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
- 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
- };
- static const byte PAD2[PAD_MD5] =
- { 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
- 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
- };
- #endif /* !NO_OLD_TLS || (NO_OLD_TLS && WOLFSSL_ALLOW_TLS_SHA1) */
- #ifndef NO_OLD_TLS
- /* calculate MD5 hash for finished */
- #ifdef WOLFSSL_TI_HASH
- #include <wolfssl/wolfcrypt/hash.h>
- #endif
- static int BuildMD5(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
- {
- int ret;
- byte md5_result[WC_MD5_DIGEST_SIZE];
- #ifdef WOLFSSL_SMALL_STACK
- wc_Md5* md5 = (wc_Md5*)XMALLOC(sizeof(wc_Md5), ssl->heap, DYNAMIC_TYPE_HASHCTX);
- if (md5 == NULL)
- return MEMORY_E;
- #else
- wc_Md5 md5[1];
- #endif
- /* make md5 inner */
- ret = wc_Md5Copy(&ssl->hsHashes->hashMd5, md5);
- if (ret == 0)
- ret = wc_Md5Update(md5, sender, SIZEOF_SENDER);
- if (ret == 0)
- ret = wc_Md5Update(md5, ssl->arrays->masterSecret,SECRET_LEN);
- if (ret == 0)
- ret = wc_Md5Update(md5, PAD1, PAD_MD5);
- if (ret == 0)
- ret = wc_Md5Final(md5, md5_result);
- /* make md5 outer */
- if (ret == 0) {
- ret = wc_InitMd5_ex(md5, ssl->heap, ssl->devId);
- if (ret == 0) {
- ret = wc_Md5Update(md5, ssl->arrays->masterSecret,SECRET_LEN);
- if (ret == 0)
- ret = wc_Md5Update(md5, PAD2, PAD_MD5);
- if (ret == 0)
- ret = wc_Md5Update(md5, md5_result, WC_MD5_DIGEST_SIZE);
- if (ret == 0)
- ret = wc_Md5Final(md5, hashes->md5);
- wc_Md5Free(md5);
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(md5, ssl->heap, DYNAMIC_TYPE_HASHCTX);
- #endif
- return ret;
- }
- /* calculate SHA hash for finished */
- static int BuildSHA(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
- {
- int ret;
- byte sha_result[WC_SHA_DIGEST_SIZE];
- #ifdef WOLFSSL_SMALL_STACK
- wc_Sha* sha = (wc_Sha*)XMALLOC(sizeof(wc_Sha), ssl->heap, DYNAMIC_TYPE_HASHCTX);
- if (sha == NULL)
- return MEMORY_E;
- #else
- wc_Sha sha[1];
- #endif
- /* make sha inner */
- ret = wc_ShaCopy(&ssl->hsHashes->hashSha, sha); /* Save current position */
- if (ret == 0)
- ret = wc_ShaUpdate(sha, sender, SIZEOF_SENDER);
- if (ret == 0)
- ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN);
- if (ret == 0)
- ret = wc_ShaUpdate(sha, PAD1, PAD_SHA);
- if (ret == 0)
- ret = wc_ShaFinal(sha, sha_result);
- /* make sha outer */
- if (ret == 0) {
- ret = wc_InitSha_ex(sha, ssl->heap, ssl->devId);
- if (ret == 0) {
- ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN);
- if (ret == 0)
- ret = wc_ShaUpdate(sha, PAD2, PAD_SHA);
- if (ret == 0)
- ret = wc_ShaUpdate(sha, sha_result, WC_SHA_DIGEST_SIZE);
- if (ret == 0)
- ret = wc_ShaFinal(sha, hashes->sha);
- wc_ShaFree(sha);
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(sha, ssl->heap, DYNAMIC_TYPE_HASHCTX);
- #endif
- return ret;
- }
- #endif
- #ifndef WOLFSSL_NO_TLS12
- /* Finished doesn't support SHA512, not SHA512 cipher suites yet */
- static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
- {
- int ret = 0;
- if (ssl == NULL)
- return BAD_FUNC_ARG;
- #ifndef NO_TLS
- if (ssl->options.tls) {
- ret = BuildTlsFinished(ssl, hashes, sender);
- }
- #else
- (void)hashes;
- (void)sender;
- #endif
- #ifndef NO_OLD_TLS
- if (!ssl->options.tls) {
- ret = BuildMD5(ssl, hashes, sender);
- if (ret == 0) {
- ret = BuildSHA(ssl, hashes, sender);
- }
- }
- #endif
- return ret;
- }
- #endif /* WOLFSSL_NO_TLS12 */
- #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
- /* cipher requirements */
- enum {
- REQUIRES_RSA,
- REQUIRES_DHE,
- REQUIRES_ECC,
- REQUIRES_ECC_STATIC,
- REQUIRES_PSK,
- REQUIRES_RSA_SIG,
- REQUIRES_AEAD
- };
- /* Does this cipher suite (first, second) have the requirement
- an ephemeral key exchange will still require the key for signing
- the key exchange so ECDHE_RSA requires an rsa key thus rsa_kea */
- static int CipherRequires(byte first, byte second, int requirement)
- {
- (void)requirement;
- #ifndef WOLFSSL_NO_TLS12
- #ifdef HAVE_CHACHA
- if (first == CHACHA_BYTE) {
- switch (second) {
- case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
- if (requirement == REQUIRES_ECC)
- return 1;
- break;
- case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
- if (requirement == REQUIRES_RSA)
- return 1;
- if (requirement == REQUIRES_DHE)
- return 1;
- break;
- case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
- if (requirement == REQUIRES_ECC)
- return 1;
- break;
- case TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
- if (requirement == REQUIRES_RSA)
- return 1;
- if (requirement == REQUIRES_DHE)
- return 1;
- break;
- case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 :
- if (requirement == REQUIRES_PSK)
- return 1;
- break;
- case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 :
- if (requirement == REQUIRES_PSK)
- return 1;
- break;
- case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 :
- if (requirement == REQUIRES_PSK)
- return 1;
- if (requirement == REQUIRES_DHE)
- return 1;
- break;
- }
- if (requirement == REQUIRES_AEAD)
- return 1;
- }
- #endif /* HAVE_CHACHA */
- /* ECC extensions */
- if (first == ECC_BYTE) {
- switch (second) {
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
- #ifndef NO_RSA
- case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA :
- if (requirement == REQUIRES_ECC_STATIC)
- return 1;
- if (requirement == REQUIRES_RSA_SIG)
- return 1;
- break;
- #ifndef NO_DES3
- case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA :
- if (requirement == REQUIRES_ECC_STATIC)
- return 1;
- if (requirement == REQUIRES_RSA_SIG)
- return 1;
- break;
- #endif /* !NO_DES3 */
- #ifndef NO_RC4
- case TLS_ECDHE_RSA_WITH_RC4_128_SHA :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- case TLS_ECDH_RSA_WITH_RC4_128_SHA :
- if (requirement == REQUIRES_ECC_STATIC)
- return 1;
- if (requirement == REQUIRES_RSA_SIG)
- return 1;
- break;
- #endif /* !NO_RC4 */
- #endif /* NO_RSA */
- #ifndef NO_DES3
- case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA :
- if (requirement == REQUIRES_ECC)
- return 1;
- break;
- case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA :
- if (requirement == REQUIRES_ECC_STATIC)
- return 1;
- break;
- #endif /* !NO_DES3 */
- #ifndef NO_RC4
- case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA :
- if (requirement == REQUIRES_ECC)
- return 1;
- break;
- case TLS_ECDH_ECDSA_WITH_RC4_128_SHA :
- if (requirement == REQUIRES_ECC_STATIC)
- return 1;
- break;
- #endif /* !NO_RC4 */
- #ifndef NO_RSA
- case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA :
- if (requirement == REQUIRES_ECC_STATIC)
- return 1;
- if (requirement == REQUIRES_RSA_SIG)
- return 1;
- break;
- #endif /* !NO_RSA */
- case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA :
- if (requirement == REQUIRES_ECC)
- return 1;
- break;
- case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA :
- if (requirement == REQUIRES_ECC_STATIC)
- return 1;
- break;
- case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA :
- if (requirement == REQUIRES_ECC)
- return 1;
- break;
- case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA :
- if (requirement == REQUIRES_ECC_STATIC)
- return 1;
- break;
- case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 :
- if (requirement == REQUIRES_ECC)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 :
- if (requirement == REQUIRES_ECC)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 :
- if (requirement == REQUIRES_ECC_STATIC)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 :
- if (requirement == REQUIRES_ECC_STATIC)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #ifndef NO_RSA
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
- case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 :
- if (requirement == REQUIRES_RSA)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 :
- if (requirement == REQUIRES_RSA)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 :
- if (requirement == REQUIRES_ECC_STATIC)
- return 1;
- if (requirement == REQUIRES_RSA_SIG)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 :
- if (requirement == REQUIRES_ECC_STATIC)
- return 1;
- if (requirement == REQUIRES_RSA_SIG)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #ifdef HAVE_AESCCM
- case TLS_RSA_WITH_AES_128_CCM_8 :
- case TLS_RSA_WITH_AES_256_CCM_8 :
- if (requirement == REQUIRES_RSA)
- return 1;
- if (requirement == REQUIRES_RSA_SIG)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- #endif /* HAVE_AESCCM */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
- case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 :
- case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 :
- case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 :
- if (requirement == REQUIRES_RSA_SIG)
- return 1;
- if (requirement == REQUIRES_ECC_STATIC)
- return 1;
- break;
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #endif /* !NO_RSA */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
- case TLS_ECDHE_ECDSA_WITH_AES_128_CCM :
- case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 :
- case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 :
- if (requirement == REQUIRES_ECC)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 :
- case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 :
- if (requirement == REQUIRES_ECC)
- return 1;
- break;
- case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 :
- case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 :
- if (requirement == REQUIRES_ECC)
- return 1;
- if (requirement == REQUIRES_ECC_STATIC)
- return 1;
- break;
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #ifndef NO_PSK
- case TLS_PSK_WITH_AES_128_CCM:
- case TLS_PSK_WITH_AES_256_CCM:
- case TLS_PSK_WITH_AES_128_CCM_8:
- case TLS_PSK_WITH_AES_256_CCM_8:
- if (requirement == REQUIRES_PSK)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- case TLS_DHE_PSK_WITH_AES_128_CCM:
- case TLS_DHE_PSK_WITH_AES_256_CCM:
- if (requirement == REQUIRES_PSK)
- return 1;
- if (requirement == REQUIRES_DHE)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- #endif /* !NO_PSK */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
- case TLS_ECDHE_ECDSA_WITH_NULL_SHA :
- if (requirement == REQUIRES_ECC)
- return 1;
- break;
- case TLS_ECDHE_PSK_WITH_NULL_SHA256 :
- if (requirement == REQUIRES_PSK)
- return 1;
- break;
- case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 :
- if (requirement == REQUIRES_PSK)
- return 1;
- break;
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #if defined(WOLFSSL_TLS13) && defined(HAVE_NULL_CIPHER)
- case TLS_SHA256_SHA256:
- break;
- case TLS_SHA384_SHA384:
- break;
- #endif
- default:
- WOLFSSL_MSG("Unsupported cipher suite, CipherRequires ECC");
- return 0;
- } /* switch */
- } /* if */
- /* ECC extensions */
- if (first == ECDHE_PSK_BYTE) {
- switch (second) {
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
- case TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 :
- if (requirement == REQUIRES_PSK)
- return 1;
- break;
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- default:
- WOLFSSL_MSG("Unsupported cipher suite, CipherRequires ECC PSK");
- return 0;
- } /* switch */
- } /* if */
- #endif /* !WOLFSSL_NO_TLS12 */
- /* Distinct TLS v1.3 cipher suites with cipher and digest only. */
- if (first == TLS13_BYTE) {
- switch (second) {
- #ifdef WOLFSSL_TLS13
- case TLS_AES_128_GCM_SHA256:
- case TLS_AES_256_GCM_SHA384:
- case TLS_CHACHA20_POLY1305_SHA256:
- case TLS_AES_128_CCM_SHA256:
- case TLS_AES_128_CCM_8_SHA256:
- break;
- #endif
- default:
- WOLFSSL_MSG("Unsupported cipher suite, CipherRequires "
- "TLS v1.3");
- return 0;
- }
- }
- #ifndef WOLFSSL_NO_TLS12
- if (first != ECC_BYTE && first != CHACHA_BYTE &&
- first != TLS13_BYTE && first != ECDHE_PSK_BYTE) {
- /* normal suites */
- switch (second) {
- #ifndef NO_RSA
- #ifndef NO_RC4
- case SSL_RSA_WITH_RC4_128_SHA :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- case SSL_RSA_WITH_RC4_128_MD5 :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- #endif /* NO_RC4 */
- case SSL_RSA_WITH_3DES_EDE_CBC_SHA :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- case TLS_RSA_WITH_AES_128_CBC_SHA :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- case TLS_RSA_WITH_AES_128_CBC_SHA256 :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- case TLS_RSA_WITH_AES_256_CBC_SHA :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- case TLS_RSA_WITH_AES_256_CBC_SHA256 :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- case TLS_RSA_WITH_NULL_MD5 :
- case TLS_RSA_WITH_NULL_SHA :
- case TLS_RSA_WITH_NULL_SHA256 :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- #endif /* !NO_RSA */
- #ifndef NO_PSK
- case TLS_PSK_WITH_AES_128_GCM_SHA256 :
- if (requirement == REQUIRES_PSK)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- case TLS_PSK_WITH_AES_256_GCM_SHA384 :
- if (requirement == REQUIRES_PSK)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- case TLS_PSK_WITH_AES_128_CBC_SHA256 :
- case TLS_PSK_WITH_AES_256_CBC_SHA384 :
- case TLS_PSK_WITH_AES_128_CBC_SHA :
- case TLS_PSK_WITH_AES_256_CBC_SHA :
- case TLS_PSK_WITH_NULL_SHA384 :
- case TLS_PSK_WITH_NULL_SHA256 :
- case TLS_PSK_WITH_NULL_SHA :
- if (requirement == REQUIRES_PSK)
- return 1;
- break;
- case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 :
- case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 :
- if (requirement == REQUIRES_DHE)
- return 1;
- if (requirement == REQUIRES_PSK)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 :
- case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 :
- case TLS_DHE_PSK_WITH_NULL_SHA384 :
- case TLS_DHE_PSK_WITH_NULL_SHA256 :
- if (requirement == REQUIRES_DHE)
- return 1;
- if (requirement == REQUIRES_PSK)
- return 1;
- break;
- #endif /* NO_PSK */
- #ifndef NO_RSA
- case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 :
- if (requirement == REQUIRES_RSA)
- return 1;
- if (requirement == REQUIRES_DHE)
- return 1;
- break;
- case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 :
- if (requirement == REQUIRES_RSA)
- return 1;
- if (requirement == REQUIRES_DHE)
- return 1;
- break;
- case TLS_DHE_RSA_WITH_AES_128_CBC_SHA :
- if (requirement == REQUIRES_RSA)
- return 1;
- if (requirement == REQUIRES_DHE)
- return 1;
- break;
- case TLS_DHE_RSA_WITH_AES_256_CBC_SHA :
- if (requirement == REQUIRES_RSA)
- return 1;
- if (requirement == REQUIRES_DHE)
- return 1;
- break;
- case TLS_RSA_WITH_AES_128_GCM_SHA256 :
- case TLS_RSA_WITH_AES_256_GCM_SHA384 :
- if (requirement == REQUIRES_RSA)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 :
- case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 :
- if (requirement == REQUIRES_RSA)
- return 1;
- if (requirement == REQUIRES_DHE)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- #ifdef HAVE_CAMELLIA
- case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA :
- case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA :
- case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 :
- case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 :
- if (requirement == REQUIRES_RSA)
- return 1;
- break;
- case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA :
- case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA :
- case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 :
- case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 :
- if (requirement == REQUIRES_RSA)
- return 1;
- if (requirement == REQUIRES_RSA_SIG)
- return 1;
- if (requirement == REQUIRES_DHE)
- return 1;
- break;
- #endif /* HAVE_CAMELLIA */
- case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
- if (requirement == REQUIRES_RSA)
- return 1;
- if (requirement == REQUIRES_RSA_SIG)
- return 1;
- if (requirement == REQUIRES_DHE)
- return 1;
- break;
- #endif
- #ifdef HAVE_ANON
- case TLS_DH_anon_WITH_AES_128_CBC_SHA :
- if (requirement == REQUIRES_DHE)
- return 1;
- break;
- case TLS_DH_anon_WITH_AES_256_GCM_SHA384:
- if (requirement == REQUIRES_DHE)
- return 1;
- if (requirement == REQUIRES_AEAD)
- return 1;
- break;
- #endif
- #ifdef WOLFSSL_MULTICAST
- case WDM_WITH_NULL_SHA256 :
- break;
- #endif
- default:
- WOLFSSL_MSG("Unsupported cipher suite, CipherRequires");
- return 0;
- } /* switch */
- } /* if ECC / Normal suites else */
- #endif /* !WOLFSSL_NO_TLS12 */
- return 0;
- }
- #endif /* !NO_WOLFSSL_SERVER && !NO_WOLFSSL_CLIENT */
- #ifndef NO_CERTS
- /* Match names with wildcards, each wildcard can represent a single name
- component or fragment but not multiple names, i.e.,
- *.z.com matches y.z.com but not x.y.z.com
- return 1 on success */
- int MatchDomainName(const char* pattern, int len, const char* str)
- {
- int ret = 0;
- if (pattern == NULL || str == NULL || len <= 0)
- return 0;
- while (len > 0) {
- char p = (char)XTOLOWER((unsigned char)*pattern++);
- if (p == '\0')
- break;
- if (p == '*') {
- char s;
- while (--len > 0 &&
- (p = (char)XTOLOWER((unsigned char)*pattern++)) == '*') {
- }
- if (len == 0)
- p = '\0';
- while ( (s = (char)XTOLOWER((unsigned char) *str)) != '\0') {
- if (s == p)
- break;
- if (s == '.')
- return 0;
- str++;
- }
- }
- else {
- if (p != (char)XTOLOWER((unsigned char) *str))
- return 0;
- }
- if (len > 0) {
- str++;
- len--;
- }
- }
- if (*str == '\0' && len == 0) {
- ret = 1; /* success */
- }
- return ret;
- }
- /* Check that alternative names, if they exists, match the domain.
- * Fail if there are wild patterns and they didn't match.
- * Check the common name if no alternative names matched.
- *
- * dCert Decoded cert to get the alternative names from.
- * domain Domain name to compare against.
- * checkCN Whether to check the common name.
- * returns 1 : match was found.
- * 0 : no match found.
- * -1 : No matches and wild pattern match failed.
- */
- int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
- {
- int match = 0;
- DNS_entry* altName = NULL;
- char *buf;
- word32 len;
- WOLFSSL_MSG("Checking AltNames");
- if (dCert)
- altName = dCert->altNames;
- if (checkCN != NULL) {
- *checkCN = (altName == NULL) ? 1 : 0;
- }
- while (altName) {
- WOLFSSL_MSG("\tindividual AltName check");
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
- if (altName->type == ASN_IP_TYPE) {
- buf = altName->ipString;
- len = (word32)XSTRLEN(buf);
- }
- else
- #endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */
- {
- buf = altName->name;
- len = altName->len;
- }
- if (MatchDomainName(buf, len, domain)) {
- match = 1;
- if (checkCN != NULL) {
- *checkCN = 0;
- }
- WOLFSSL_MSG("\tmatch found");
- break;
- }
- /* No matches and wild pattern match failed. */
- else if (buf && (len >=1) && (buf[0] == '*')) {
- match = -1;
- WOLFSSL_MSG("\twildcard match failed");
- }
- altName = altName->next;
- }
- return match;
- }
- /* Check the domain name matches the subject alternative name or the subject
- * name.
- *
- * dcert Decoded certificate.
- * domainName The domain name.
- * domainNameLen The length of the domain name.
- * returns DOMAIN_NAME_MISMATCH when no match found and 0 on success.
- */
- int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameLen)
- {
- int checkCN;
- int ret = DOMAIN_NAME_MISMATCH;
- /* Assume name is NUL terminated. */
- (void)domainNameLen;
- if (CheckForAltNames(dCert, domainName, &checkCN) != 1) {
- WOLFSSL_MSG("DomainName match on alt names failed");
- }
- else {
- ret = 0;
- }
- #ifndef WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
- if (checkCN == 1) {
- if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen,
- domainName) == 1) {
- ret = 0;
- }
- else {
- WOLFSSL_MSG("DomainName match on common name failed");
- }
- }
- #endif /* !WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY */
- return ret;
- }
- int CheckIPAddr(DecodedCert* dCert, const char* ipasc)
- {
- WOLFSSL_MSG("Checking IPAddr");
- return CheckHostName(dCert, ipasc, (size_t)XSTRLEN(ipasc));
- }
- #ifdef SESSION_CERTS
- static void AddSessionCertToChain(WOLFSSL_X509_CHAIN* chain,
- byte* certBuf, word32 certSz)
- {
- if (chain->count < MAX_CHAIN_DEPTH &&
- certSz < MAX_X509_SIZE) {
- chain->certs[chain->count].length = certSz;
- XMEMCPY(chain->certs[chain->count].buffer, certBuf, certSz);
- chain->count++;
- }
- else {
- WOLFSSL_MSG("Couldn't store chain cert for session");
- }
- }
- #endif
- #if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \
- defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- static void CopyDecodedName(WOLFSSL_X509_NAME* name, DecodedCert* dCert, int nameType)
- {
- if (nameType == SUBJECT) {
- XSTRNCPY(name->name, dCert->subject, ASN_NAME_MAX);
- name->name[ASN_NAME_MAX - 1] = '\0';
- name->sz = (int)XSTRLEN(name->name) + 1;
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
- name->rawLen = min(dCert->subjectRawLen, ASN_NAME_MAX);
- XMEMCPY(name->raw, dCert->subjectRaw, name->rawLen);
- #endif
- }
- else {
- XSTRNCPY(name->name, dCert->issuer, ASN_NAME_MAX);
- name->name[ASN_NAME_MAX - 1] = '\0';
- name->sz = (int)XSTRLEN(name->name) + 1;
- #if (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)) \
- && (defined(HAVE_PKCS7) || defined(WOLFSSL_CERT_EXT))
- name->rawLen = min(dCert->issuerRawLen, ASN_NAME_MAX);
- if (name->rawLen) {
- XMEMCPY(name->raw, dCert->issuerRaw, name->rawLen);
- }
- #endif
- }
- }
- #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
- !defined(IGNORE_NAME_CONSTRAINTS)
- /* copies over additional alt names such as dirName
- * returns 0 on success
- */
- static int CopyAdditionalAltNames(DNS_entry** to, DNS_entry* from, int type,
- void* heap)
- {
- DNS_entry* cur = from;
- if (to == NULL) {
- return BAD_FUNC_ARG;
- }
- while (cur != NULL) {
- if (cur->type == type) {
- DNS_entry* dnsEntry;
- int strLen = cur->len;
- dnsEntry = AltNameNew(heap);
- if (dnsEntry == NULL) {
- WOLFSSL_MSG("\tOut of Memory");
- return MEMORY_E;
- }
- dnsEntry->type = type;
- dnsEntry->name = (char*)XMALLOC(strLen + 1, heap,
- DYNAMIC_TYPE_ALTNAME);
- if (dnsEntry->name == NULL) {
- WOLFSSL_MSG("\tOut of Memory");
- XFREE(dnsEntry, heap, DYNAMIC_TYPE_ALTNAME);
- return MEMORY_E;
- }
- dnsEntry->len = strLen;
- XMEMCPY(dnsEntry->name, cur->name, strLen);
- dnsEntry->name[strLen] = '\0';
- dnsEntry->next = *to;
- *to = dnsEntry;
- }
- cur = cur->next;
- }
- return 0;
- }
- #endif /* OPENSSL_EXTRA */
- #ifdef WOLFSSL_CERT_REQ
- static int CopyREQAttributes(WOLFSSL_X509* x509, DecodedCert* dCert)
- {
- int ret = 0;
- if (dCert->cPwd) {
- if (dCert->cPwdLen < CTC_NAME_SIZE) {
- XMEMCPY(x509->challengePw, dCert->cPwd, dCert->cPwdLen);
- x509->challengePw[dCert->cPwdLen] = '\0';
- #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN)
- if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
- NID_pkcs9_challengePassword,
- MBSTRING_ASC,
- (const byte*)dCert->cPwd,
- dCert->cPwdLen) != WOLFSSL_SUCCESS) {
- ret = REQ_ATTRIBUTE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- #endif
- }
- else {
- WOLFSSL_MSG("Challenge password too long");
- ret = MEMORY_E;
- }
- }
- if (dCert->contentType) {
- if (dCert->contentTypeLen < CTC_NAME_SIZE) {
- XMEMCPY(x509->contentType, dCert->contentType, dCert->contentTypeLen);
- x509->contentType[dCert->contentTypeLen] = '\0';
- }
- #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN)
- if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
- NID_pkcs9_contentType,
- MBSTRING_ASC,
- (const byte*)dCert->contentType,
- dCert->contentTypeLen) !=
- WOLFSSL_SUCCESS) {
- ret = REQ_ATTRIBUTE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- #endif
- }
- #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN)
- if (dCert->sNum) {
- if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
- NID_serialNumber,
- MBSTRING_ASC,
- (const byte*)dCert->sNum,
- dCert->sNumLen) != WOLFSSL_SUCCESS) {
- ret = REQ_ATTRIBUTE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- if (dCert->unstructuredName) {
- if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
- NID_pkcs9_unstructuredName,
- MBSTRING_ASC,
- (const byte*)dCert->unstructuredName,
- dCert->unstructuredNameLen)
- != WOLFSSL_SUCCESS) {
- ret = REQ_ATTRIBUTE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- if (dCert->surname) {
- if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
- NID_surname,
- MBSTRING_ASC,
- (const byte*)dCert->surname,
- dCert->surnameLen) != WOLFSSL_SUCCESS) {
- ret = REQ_ATTRIBUTE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- if (dCert->givenName) {
- if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
- NID_givenName,
- MBSTRING_ASC,
- (const byte*)dCert->givenName,
- dCert->givenNameLen) != WOLFSSL_SUCCESS) {
- ret = REQ_ATTRIBUTE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- if (dCert->dnQualifier) {
- if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
- NID_dnQualifier,
- MBSTRING_ASC,
- (const byte*)dCert->dnQualifier,
- dCert->dnQualifierLen) != WOLFSSL_SUCCESS) {
- ret = REQ_ATTRIBUTE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- if (dCert->initials) {
- if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
- NID_initials,
- MBSTRING_ASC,
- (const byte*)dCert->initials,
- dCert->initialsLen) != WOLFSSL_SUCCESS) {
- ret = REQ_ATTRIBUTE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- #endif /* OPENSSL_ALL */
- return ret;
- }
- #endif /* WOLFSSL_CERT_REQ */
- /* Copy parts X509 needs from Decoded cert, 0 on success */
- /* The same DecodedCert cannot be copied to WOLFSSL_X509 twice otherwise the
- * altNames pointers could be free'd by second x509 still active by first */
- int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
- {
- int ret = 0;
- if (x509 == NULL || dCert == NULL ||
- dCert->subjectCNLen < 0)
- return BAD_FUNC_ARG;
- if (x509->issuer.name == NULL || x509->subject.name == NULL) {
- WOLFSSL_MSG("Either init was not called on X509 or programming error");
- WOLFSSL_ERROR_VERBOSE(BAD_FUNC_ARG);
- return BAD_FUNC_ARG;
- }
- x509->version = dCert->version + 1;
- CopyDecodedName(&x509->issuer, dCert, ISSUER);
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- if (dCert->issuerName != NULL) {
- wolfSSL_X509_set_issuer_name(x509,
- (WOLFSSL_X509_NAME*)dCert->issuerName);
- x509->issuer.x509 = x509;
- }
- #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
- CopyDecodedName(&x509->subject, dCert, SUBJECT);
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- if (dCert->subjectName != NULL) {
- wolfSSL_X509_set_subject_name(x509,
- (WOLFSSL_X509_NAME*)dCert->subjectName);
- x509->subject.x509 = x509;
- }
- #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
- XMEMCPY(x509->serial, dCert->serial, EXTERNAL_SERIAL_SIZE);
- x509->serialSz = dCert->serialSz;
- if (dCert->subjectCN && dCert->subjectCNLen < ASN_NAME_MAX) {
- XMEMCPY(x509->subjectCN, dCert->subjectCN, dCert->subjectCNLen);
- x509->subjectCN[dCert->subjectCNLen] = '\0';
- }
- else
- x509->subjectCN[0] = '\0';
- #ifdef WOLFSSL_CERT_REQ
- x509->isCSR = dCert->isCSR;
- /* CSR attributes */
- if (x509->isCSR) {
- ret = CopyREQAttributes(x509, dCert);
- }
- #endif /* WOLFSSL_CERT_REQ */
- #ifdef WOLFSSL_SEP
- {
- int minSz = min(dCert->deviceTypeSz, EXTERNAL_SERIAL_SIZE);
- if (minSz > 0) {
- x509->deviceTypeSz = minSz;
- XMEMCPY(x509->deviceType, dCert->deviceType, minSz);
- }
- else
- x509->deviceTypeSz = 0;
- minSz = min(dCert->hwTypeSz, EXTERNAL_SERIAL_SIZE);
- if (minSz > 0) {
- x509->hwTypeSz = minSz;
- XMEMCPY(x509->hwType, dCert->hwType, minSz);
- }
- else
- x509->hwTypeSz = 0;
- minSz = min(dCert->hwSerialNumSz, EXTERNAL_SERIAL_SIZE);
- if (minSz > 0) {
- x509->hwSerialNumSz = minSz;
- XMEMCPY(x509->hwSerialNum, dCert->hwSerialNum, minSz);
- }
- else
- x509->hwSerialNumSz = 0;
- }
- #endif /* WOLFSSL_SEP */
- {
- int minSz;
- if (dCert->beforeDateLen > 0) {
- minSz = min(dCert->beforeDate[1], MAX_DATE_SZ);
- x509->notBefore.type = dCert->beforeDate[0];
- x509->notBefore.length = minSz;
- XMEMCPY(x509->notBefore.data, &dCert->beforeDate[2], minSz);
- }
- else
- x509->notBefore.length = 0;
- if (dCert->afterDateLen > 0) {
- minSz = min(dCert->afterDate[1], MAX_DATE_SZ);
- x509->notAfter.type = dCert->afterDate[0];
- x509->notAfter.length = minSz;
- XMEMCPY(x509->notAfter.data, &dCert->afterDate[2], minSz);
- }
- else
- x509->notAfter.length = 0;
- }
- if (dCert->publicKey != NULL && dCert->pubKeySize != 0) {
- x509->pubKey.buffer = (byte*)XMALLOC(
- dCert->pubKeySize, x509->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- if (x509->pubKey.buffer != NULL) {
- x509->pubKeyOID = dCert->keyOID;
- x509->pubKey.length = dCert->pubKeySize;
- XMEMCPY(x509->pubKey.buffer, dCert->publicKey, dCert->pubKeySize);
- }
- else
- ret = MEMORY_E;
- #if defined(OPENSSL_ALL)
- if (ret == 0) {
- x509->key.pubKeyOID = dCert->keyOID;
- if (!x509->key.algor) {
- x509->key.algor = wolfSSL_X509_ALGOR_new();
- } else {
- wolfSSL_ASN1_OBJECT_free(x509->key.algor->algorithm);
- }
- if (!x509->key.algor) {
- ret = MEMORY_E;
- } else {
- if (!(x509->key.algor->algorithm =
- wolfSSL_OBJ_nid2obj(oid2nid(dCert->keyOID, oidKeyType)))) {
- ret = PUBLIC_KEY_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- wolfSSL_EVP_PKEY_free(x509->key.pkey);
- if (!(x509->key.pkey = wolfSSL_d2i_PUBKEY(NULL,
- &dCert->publicKey,
- dCert->pubKeySize))) {
- ret = PUBLIC_KEY_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- #endif
- }
- if (dCert->signature != NULL && dCert->sigLength != 0 &&
- dCert->sigLength <= MAX_ENCODED_SIG_SZ) {
- x509->sig.buffer = (byte*)XMALLOC(
- dCert->sigLength, x509->heap, DYNAMIC_TYPE_SIGNATURE);
- if (x509->sig.buffer == NULL) {
- ret = MEMORY_E;
- }
- else {
- XMEMCPY(x509->sig.buffer, dCert->signature, dCert->sigLength);
- x509->sig.length = dCert->sigLength;
- x509->sigOID = dCert->signatureOID;
- }
- #if defined(OPENSSL_ALL)
- wolfSSL_ASN1_OBJECT_free(x509->algor.algorithm);
- if (!(x509->algor.algorithm =
- wolfSSL_OBJ_nid2obj(oid2nid(dCert->signatureOID, oidSigType)))) {
- ret = PUBLIC_KEY_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- #endif
- }
- /* if der contains original source buffer then store for potential
- * retrieval */
- if (dCert->source != NULL && dCert->maxIdx > 0) {
- if (AllocDer(&x509->derCert, dCert->maxIdx, CERT_TYPE, x509->heap)
- == 0) {
- XMEMCPY(x509->derCert->buffer, dCert->source, dCert->maxIdx);
- }
- else {
- ret = MEMORY_E;
- }
- }
- x509->altNames = dCert->altNames;
- dCert->weOwnAltNames = 0;
- #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
- !defined(IGNORE_NAME_CONSTRAINTS)
- /* add copies of email names from dCert to X509 */
- if (CopyAdditionalAltNames(&x509->altNames, dCert->altEmailNames,
- ASN_RFC822_TYPE, x509->heap) != 0) {
- return MEMORY_E;
- }
- #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
- #if defined(OPENSSL_EXTRA) && !defined(IGNORE_NAME_CONSTRAINTS)
- /* add copies of alternate directory names from dCert to X509 */
- if (CopyAdditionalAltNames(&x509->altNames, dCert->altDirNames,
- ASN_DIR_TYPE, x509->heap) != 0) {
- return MEMORY_E;
- }
- #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
- x509->altNamesNext = x509->altNames; /* index hint */
- x509->isCa = dCert->isCA;
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- x509->pathLength = dCert->pathLength;
- x509->keyUsage = dCert->extKeyUsage;
- x509->CRLdistSet = dCert->extCRLdistSet;
- x509->CRLdistCrit = dCert->extCRLdistCrit;
- if (dCert->extCrlInfoRaw != NULL && dCert->extCrlInfoRawSz > 0) {
- x509->rawCRLInfo = (byte*)XMALLOC(dCert->extCrlInfoRawSz, x509->heap,
- DYNAMIC_TYPE_X509_EXT);
- if (x509->rawCRLInfo != NULL) {
- XMEMCPY(x509->rawCRLInfo, dCert->extCrlInfoRaw, dCert->extCrlInfoRawSz);
- x509->rawCRLInfoSz = dCert->extCrlInfoRawSz;
- }
- else {
- ret = MEMORY_E;
- }
- }
- if (dCert->extCrlInfo != NULL && dCert->extCrlInfoSz > 0) {
- x509->CRLInfo = (byte*)XMALLOC(dCert->extCrlInfoSz, x509->heap,
- DYNAMIC_TYPE_X509_EXT);
- if (x509->CRLInfo != NULL) {
- XMEMCPY(x509->CRLInfo, dCert->extCrlInfo, dCert->extCrlInfoSz);
- x509->CRLInfoSz = dCert->extCrlInfoSz;
- }
- else {
- ret = MEMORY_E;
- }
- }
- x509->authInfoSet = dCert->extAuthInfoSet;
- x509->authInfoCrit = dCert->extAuthInfoCrit;
- if (dCert->extAuthInfo != NULL && dCert->extAuthInfoSz > 0) {
- x509->authInfo = (byte*)XMALLOC(dCert->extAuthInfoSz, x509->heap,
- DYNAMIC_TYPE_X509_EXT);
- if (x509->authInfo != NULL) {
- XMEMCPY(x509->authInfo, dCert->extAuthInfo, dCert->extAuthInfoSz);
- x509->authInfoSz = dCert->extAuthInfoSz;
- }
- else {
- ret = MEMORY_E;
- }
- }
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
- if (dCert->extAuthInfoCaIssuer != NULL && dCert->extAuthInfoCaIssuerSz > 0) {
- x509->authInfoCaIssuer = (byte*)XMALLOC(dCert->extAuthInfoCaIssuerSz, x509->heap,
- DYNAMIC_TYPE_X509_EXT);
- if (x509->authInfoCaIssuer != NULL) {
- XMEMCPY(x509->authInfoCaIssuer, dCert->extAuthInfoCaIssuer, dCert->extAuthInfoCaIssuerSz);
- x509->authInfoCaIssuerSz = dCert->extAuthInfoCaIssuerSz;
- }
- else {
- ret = MEMORY_E;
- }
- }
- #endif
- x509->basicConstSet = dCert->extBasicConstSet;
- x509->basicConstCrit = dCert->extBasicConstCrit;
- x509->basicConstPlSet = dCert->pathLengthSet;
- x509->subjAltNameSet = dCert->extSubjAltNameSet;
- x509->subjAltNameCrit = dCert->extSubjAltNameCrit;
- x509->authKeyIdSet = dCert->extAuthKeyIdSet;
- x509->authKeyIdCrit = dCert->extAuthKeyIdCrit;
- if (dCert->extAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSz != 0) {
- #ifdef WOLFSSL_AKID_NAME
- if (dCert->extRawAuthKeyIdSrc != NULL &&
- dCert->extAuthKeyIdSrc > dCert->extRawAuthKeyIdSrc &&
- dCert->extAuthKeyIdSrc <
- (dCert->extRawAuthKeyIdSrc + dCert->extRawAuthKeyIdSz)) {
- /* Confirmed: extAuthKeyIdSrc points inside extRawAuthKeyIdSrc */
- x509->authKeyIdSrc = (byte*)XMALLOC(dCert->extRawAuthKeyIdSz,
- x509->heap, DYNAMIC_TYPE_X509_EXT);
- if (x509->authKeyIdSrc != NULL) {
- XMEMCPY(x509->authKeyIdSrc, dCert->extRawAuthKeyIdSrc,
- dCert->extRawAuthKeyIdSz);
- x509->authKeyIdSrcSz = dCert->extRawAuthKeyIdSz;
- /* Set authKeyId to same offset inside authKeyIdSrc */
- x509->authKeyId = x509->authKeyIdSrc +
- (dCert->extAuthKeyIdSrc - dCert->extRawAuthKeyIdSrc);
- x509->authKeyIdSz = dCert->extAuthKeyIdSz;
- }
- else
- ret = MEMORY_E;
- }
- #else
- x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, x509->heap,
- DYNAMIC_TYPE_X509_EXT);
- if (x509->authKeyId != NULL) {
- XMEMCPY(x509->authKeyId,
- dCert->extAuthKeyIdSrc, dCert->extAuthKeyIdSz);
- x509->authKeyIdSz = dCert->extAuthKeyIdSz;
- }
- #endif
- else
- ret = MEMORY_E;
- }
- x509->subjKeyIdSet = dCert->extSubjKeyIdSet;
- x509->subjKeyIdCrit = dCert->extSubjKeyIdCrit;
- if (dCert->extSubjKeyIdSrc != NULL && dCert->extSubjKeyIdSz != 0) {
- x509->subjKeyId = (byte*)XMALLOC(dCert->extSubjKeyIdSz, x509->heap,
- DYNAMIC_TYPE_X509_EXT);
- if (x509->subjKeyId != NULL) {
- XMEMCPY(x509->subjKeyId,
- dCert->extSubjKeyIdSrc, dCert->extSubjKeyIdSz);
- x509->subjKeyIdSz = dCert->extSubjKeyIdSz;
- }
- else
- ret = MEMORY_E;
- }
- x509->keyUsageSet = dCert->extKeyUsageSet;
- x509->keyUsageCrit = dCert->extKeyUsageCrit;
- if (dCert->extExtKeyUsageSrc != NULL && dCert->extExtKeyUsageSz > 0) {
- x509->extKeyUsageSrc = (byte*)XMALLOC(dCert->extExtKeyUsageSz,
- x509->heap, DYNAMIC_TYPE_X509_EXT);
- if (x509->extKeyUsageSrc != NULL) {
- XMEMCPY(x509->extKeyUsageSrc, dCert->extExtKeyUsageSrc,
- dCert->extExtKeyUsageSz);
- x509->extKeyUsage = dCert->extExtKeyUsage;
- x509->extKeyUsageSz = dCert->extExtKeyUsageSz;
- x509->extKeyUsageCrit = dCert->extExtKeyUsageCrit;
- x509->extKeyUsageCount = dCert->extExtKeyUsageCount;
- }
- else {
- ret = MEMORY_E;
- }
- }
- #ifndef IGNORE_NETSCAPE_CERT_TYPE
- x509->nsCertType = dCert->nsCertType;
- #endif
- #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT)
- x509->certPolicySet = dCert->extCertPolicySet;
- x509->certPolicyCrit = dCert->extCertPolicyCrit;
- #endif /* WOLFSSL_SEP || WOLFSSL_QT */
- #ifdef WOLFSSL_CERT_EXT
- {
- int i;
- for (i = 0; i < dCert->extCertPoliciesNb && i < MAX_CERTPOL_NB; i++)
- XMEMCPY(x509->certPolicies[i], dCert->extCertPolicies[i],
- MAX_CERTPOL_SZ);
- x509->certPoliciesNb = dCert->extCertPoliciesNb;
- }
- #endif /* WOLFSSL_CERT_EXT */
- #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
- #ifdef OPENSSL_ALL
- if (dCert->extSubjAltNameSrc != NULL && dCert->extSubjAltNameSz != 0) {
- x509->subjAltNameSrc = (byte*)XMALLOC(dCert->extSubjAltNameSz, x509->heap,
- DYNAMIC_TYPE_X509_EXT);
- if (x509->subjAltNameSrc != NULL) {
- XMEMCPY(x509->subjAltNameSrc,
- dCert->extSubjAltNameSrc, dCert->extSubjAltNameSz);
- x509->subjAltNameSz = dCert->extSubjAltNameSz;
- }
- else
- ret = MEMORY_E;
- }
- #endif
- #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
- x509->pkCurveOID = dCert->pkCurveOID;
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- return ret;
- }
- #endif /* KEEP_PEER_CERT || SESSION_CERTS */
- #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
- (defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && !defined(WOLFSSL_NO_TLS12))
- static int ProcessCSR(WOLFSSL* ssl, byte* input, word32* inOutIdx,
- word32 status_length)
- {
- int ret = 0;
- OcspRequest* request;
- #ifdef WOLFSSL_SMALL_STACK
- CertStatus* status;
- OcspEntry* single;
- OcspResponse* response;
- #else
- CertStatus status[1];
- OcspEntry single[1];
- OcspResponse response[1];
- #endif
- WOLFSSL_ENTER("ProcessCSR");
- do {
- #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
- if (ssl->status_request) {
- request = (OcspRequest*)TLSX_CSR_GetRequest(ssl->extensions);
- ssl->status_request = 0;
- break;
- }
- #endif
- #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
- if (ssl->status_request_v2) {
- request = (OcspRequest*)TLSX_CSR2_GetRequest(ssl->extensions,
- WOLFSSL_CSR2_OCSP, 0);
- ssl->status_request_v2 = 0;
- break;
- }
- #endif
- return BUFFER_ERROR;
- } while(0);
- if (request == NULL)
- return BAD_CERTIFICATE_STATUS_ERROR; /* not expected */
- #ifdef WOLFSSL_SMALL_STACK
- status = (CertStatus*)XMALLOC(sizeof(CertStatus), ssl->heap,
- DYNAMIC_TYPE_OCSP_STATUS);
- single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), ssl->heap,
- DYNAMIC_TYPE_OCSP_ENTRY);
- response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), ssl->heap,
- DYNAMIC_TYPE_OCSP_REQUEST);
- if (status == NULL || single == NULL || response == NULL) {
- if (status)
- XFREE(status, ssl->heap, DYNAMIC_TYPE_OCSP_STATUS);
- if (single)
- XFREE(single, ssl->heap, DYNAMIC_TYPE_OCSP_ENTRY);
- if (response)
- XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
- return MEMORY_ERROR;
- }
- #endif
- InitOcspResponse(response, single, status, input +*inOutIdx, status_length, ssl->heap);
- if (OcspResponseDecode(response, SSL_CM(ssl), ssl->heap, 0) != 0)
- ret = BAD_CERTIFICATE_STATUS_ERROR;
- else if (CompareOcspReqResp(request, response) != 0)
- ret = BAD_CERTIFICATE_STATUS_ERROR;
- else if (response->responseStatus != OCSP_SUCCESSFUL)
- ret = BAD_CERTIFICATE_STATUS_ERROR;
- else if (response->single->status->status == CERT_REVOKED)
- ret = OCSP_CERT_REVOKED;
- else if (response->single->status->status != CERT_GOOD)
- ret = BAD_CERTIFICATE_STATUS_ERROR;
- else {
- XMEMCPY(ssl->ocspProducedDate, response->producedDate, sizeof ssl->ocspProducedDate);
- ssl->ocspProducedDateFormat = response->producedDateFormat;
- }
- *inOutIdx += status_length;
- FreeOcspResponse(response);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(status, ssl->heap, DYNAMIC_TYPE_OCSP_STATUS);
- XFREE(single, ssl->heap, DYNAMIC_TYPE_OCSP_ENTRY);
- XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
- #endif
- WOLFSSL_LEAVE("ProcessCSR", ret);
- return ret;
- }
- #endif
- #ifdef HAVE_PK_CALLBACKS
- #ifdef HAVE_ECC
- static int SigPkCbEccVerify(const unsigned char* sig, unsigned int sigSz,
- const unsigned char* hash, unsigned int hashSz,
- const unsigned char* keyDer, unsigned int keySz,
- int* result, void* ctx)
- {
- int ret = NOT_COMPILED_IN;
- WOLFSSL* ssl = (WOLFSSL*)ctx;
- if (ssl && ssl->ctx->EccVerifyCb) {
- ret = ssl->ctx->EccVerifyCb(ssl, sig, sigSz, hash, hashSz,
- keyDer, keySz, result, ssl->EccVerifyCtx);
- }
- return ret;
- }
- #endif
- #ifndef NO_RSA
- static int SigPkCbRsaVerify(unsigned char* sig, unsigned int sigSz,
- unsigned char** out, const unsigned char* keyDer, unsigned int keySz,
- void* ctx)
- {
- int ret = NOT_COMPILED_IN;
- WOLFSSL* ssl = (WOLFSSL*)ctx;
- if (ssl && ssl->ctx->RsaVerifyCb) {
- ret = ssl->ctx->RsaVerifyCb(ssl, sig, sigSz, out, keyDer, keySz,
- ssl->RsaVerifyCtx);
- }
- return ret;
- }
- #endif
- int InitSigPkCb(WOLFSSL* ssl, SignatureCtx* sigCtx)
- {
- if (ssl == NULL || sigCtx == NULL)
- return BAD_FUNC_ARG;
- /* only setup the verify callback if a PK is set */
- #ifdef HAVE_ECC
- #if defined(WOLFSSL_RENESAS_SCEPROTECT) || defined(WOLFSSL_RENESAS_TSIP_TLS)
- sigCtx->pkCbEcc = Renesas_cmn_SigPkCbEccVerify;
- sigCtx->pkCtxEcc = (void*)&sigCtx->CertAtt;
- (void)SigPkCbEccVerify;
- #else
- if (ssl->ctx->EccVerifyCb) {
- sigCtx->pkCbEcc = SigPkCbEccVerify;
- sigCtx->pkCtxEcc = ssl;
- }
- #endif
- #endif
- #ifndef NO_RSA
- /* only setup the verify callback if a PK is set */
- #if defined(WOLFSSL_RENESAS_SCEPROTECT) || defined(WOLFSSL_RENESAS_TSIP_TLS)
- sigCtx->pkCbRsa = Renesas_cmn_SigPkCbRsaVerify;
- sigCtx->pkCtxRsa = (void*)&sigCtx->CertAtt;
- (void)SigPkCbRsaVerify;
- #else
- if (ssl->ctx->RsaVerifyCb) {
- sigCtx->pkCbRsa = SigPkCbRsaVerify;
- sigCtx->pkCtxRsa = ssl;
- }
- #endif
- #endif
- return 0;
- }
- #endif /* HAVE_PK_CALLBACKS */
- #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
- void DoCertFatalAlert(WOLFSSL* ssl, int ret)
- {
- int alertWhy;
- if (ssl == NULL || ret == 0) {
- return;
- }
- WOLFSSL_ERROR(ret);
- /* Determine alert reason */
- alertWhy = bad_certificate;
- if (ret == ASN_AFTER_DATE_E || ret == ASN_BEFORE_DATE_E) {
- alertWhy = certificate_expired;
- } else if (ret == ASN_NO_SIGNER_E) {
- alertWhy = unknown_ca;
- }
- #ifdef OPENSSL_EXTRA
- else if (ret == CRL_CERT_REVOKED) {
- alertWhy = certificate_revoked;
- }
- #endif
- else if (ret == NO_PEER_CERT) {
- #ifdef WOLFSSL_TLS13
- if (ssl->options.tls1_3) {
- alertWhy = certificate_required;
- }
- else
- #endif
- {
- alertWhy = handshake_failure;
- }
- }
- /* send fatal alert and mark connection closed */
- SendAlert(ssl, alert_fatal, alertWhy); /* try to send */
- ssl->options.isClosed = 1;
- }
- /* WOLFSSL_ALWAYS_VERIFY_CB: Use verify callback for success or failure cases */
- /* WOLFSSL_VERIFY_CB_ALL_CERTS: Issue callback for all intermediate certificates */
- /* Callback is issued for certificate presented in TLS Certificate (11) packet.
- * The intermediates are done first then peer leaf cert last. Use the
- * store->error_depth member to determine index (0=peer, >1 intermediates)
- */
- int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret,
- ProcPeerCertArgs* args)
- {
- int verify_ok = 0, use_cb = 0;
- void *heap;
- if (cm == NULL) {
- return BAD_FUNC_ARG;
- }
- heap = (ssl != NULL) ? ssl->heap : cm->heap;
- /* Determine if verify was okay */
- if (ret == 0) {
- verify_ok = 1;
- }
- /* Determine if verify callback should be used */
- if (ret != 0) {
- if ((ssl != NULL) && (!ssl->options.verifyNone)) {
- use_cb = 1; /* always report errors */
- }
- }
- #ifdef WOLFSSL_ALWAYS_VERIFY_CB
- /* always use verify callback on peer leaf cert */
- if (args->certIdx == 0) {
- use_cb = 1;
- }
- #endif
- #ifdef WOLFSSL_VERIFY_CB_ALL_CERTS
- /* perform verify callback on other intermediate certs (not just peer) */
- if (args->certIdx > 0) {
- use_cb = 1;
- }
- #endif
- #if defined(OPENSSL_EXTRA)
- /* Perform domain and IP check only for the leaf certificate */
- if (args->certIdx == 0) {
- /* perform domain name check on the peer certificate */
- if (args->dCertInit && args->dCert && (ssl != NULL) &&
- ssl->param && ssl->param->hostName[0]) {
- /* If altNames names is present, then subject common name is ignored */
- if (args->dCert->altNames != NULL) {
- if (CheckForAltNames(args->dCert, ssl->param->hostName, NULL) != 1) {
- if (ret == 0) {
- ret = DOMAIN_NAME_MISMATCH;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- }
- #ifndef WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
- else {
- if (args->dCert->subjectCN) {
- if (MatchDomainName(args->dCert->subjectCN,
- args->dCert->subjectCNLen,
- ssl->param->hostName) == 0) {
- if (ret == 0) {
- ret = DOMAIN_NAME_MISMATCH;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- }
- }
- #else
- else {
- if (ret == 0) {
- ret = DOMAIN_NAME_MISMATCH;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- #endif /* !WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY */
- }
- /* perform IP address check on the peer certificate */
- if ((args->dCertInit != 0) && (args->dCert != NULL) && (ssl != NULL) &&
- (ssl->param != NULL) && (XSTRLEN(ssl->param->ipasc) > 0)) {
- if (CheckIPAddr(args->dCert, ssl->param->ipasc) != 0) {
- if (ret == 0) {
- ret = IPADDR_MISMATCH;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- }
- }
- #endif
- /* if verify callback has been set */
- if ((use_cb && (ssl != NULL) && ((ssl->verifyCallback != NULL)
- #ifdef OPENSSL_ALL
- || (ssl->ctx->verifyCertCb != NULL)
- #endif
- ))
- #ifndef NO_WOLFSSL_CM_VERIFY
- || (cm->verifyCallback != NULL)
- #endif
- ) {
- int verifyFail = 0;
- #ifdef WOLFSSL_SMALL_STACK
- WOLFSSL_X509_STORE_CTX* store;
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- WOLFSSL_X509* x509;
- #endif
- char* domain = NULL;
- #else
- WOLFSSL_X509_STORE_CTX store[1];
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- WOLFSSL_X509 x509[1];
- #endif
- char domain[ASN_NAME_MAX];
- #endif
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- int x509Free = 0;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- store = (WOLFSSL_X509_STORE_CTX*)XMALLOC(
- sizeof(WOLFSSL_X509_STORE_CTX), heap, DYNAMIC_TYPE_X509_STORE);
- if (store == NULL) {
- return MEMORY_E;
- }
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), heap,
- DYNAMIC_TYPE_X509);
- if (x509 == NULL) {
- XFREE(store, heap, DYNAMIC_TYPE_X509_STORE);
- return MEMORY_E;
- }
- #endif
- domain = (char*)XMALLOC(ASN_NAME_MAX, heap, DYNAMIC_TYPE_STRING);
- if (domain == NULL) {
- XFREE(store, heap, DYNAMIC_TYPE_X509_STORE);
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- XFREE(x509, heap, DYNAMIC_TYPE_X509);
- #endif
- return MEMORY_E;
- }
- #endif /* WOLFSSL_SMALL_STACK */
- XMEMSET(store, 0, sizeof(WOLFSSL_X509_STORE_CTX));
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- XMEMSET(x509, 0, sizeof(WOLFSSL_X509));
- #endif
- domain[0] = '\0';
- /* build subject CN as string to return in store */
- if (args->dCertInit && args->dCert && args->dCert->subjectCN) {
- int subjectCNLen = args->dCert->subjectCNLen;
- if (subjectCNLen > ASN_NAME_MAX-1)
- subjectCNLen = ASN_NAME_MAX-1;
- if (subjectCNLen > 0) {
- XMEMCPY(domain, args->dCert->subjectCN, subjectCNLen);
- domain[subjectCNLen] = '\0';
- }
- }
- #ifndef OPENSSL_COMPATIBLE_DEFAULTS
- store->error = ret;
- #else
- store->error = GetX509Error(ret);
- #endif
- store->error_depth = args->certIdx;
- store->discardSessionCerts = 0;
- store->domain = domain;
- if (ssl != NULL) {
- if (ssl->verifyCbCtx != NULL) {
- /* Use the WOLFSSL user context if set */
- store->userCtx = ssl->verifyCbCtx;
- }
- else {
- /* Else use the WOLFSSL_CTX user context */
- store->userCtx = ssl->ctx->verifyCbCtx;
- }
- }
- else {
- store->userCtx = cm;
- }
- store->certs = args->certs;
- store->totalCerts = args->totalCerts;
- #if defined(HAVE_EX_DATA) && \
- (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL))
- if (wolfSSL_CRYPTO_set_ex_data(&store->ex_data, 0, ssl)
- != WOLFSSL_SUCCESS) {
- WOLFSSL_MSG("Failed to store ssl context in WOLFSSL_X509_STORE_CTX");
- }
- #endif
- if (ssl != NULL) {
- #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
- store->store = SSL_STORE(ssl);
- #if defined(OPENSSL_EXTRA)
- store->depth = args->count;
- store->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC(
- sizeof(WOLFSSL_X509_VERIFY_PARAM),
- heap, DYNAMIC_TYPE_OPENSSL);
- if (store->param == NULL) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(domain, heap, DYNAMIC_TYPE_STRING);
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- XFREE(x509, heap, DYNAMIC_TYPE_X509);
- #endif
- XFREE(store, heap, DYNAMIC_TYPE_X509_STORE);
- #endif
- return MEMORY_E;
- }
- XMEMSET(store->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM));
- /* Overwrite with non-default param values in SSL */
- if (ssl->param) {
- if (ssl->param->check_time)
- store->param->check_time = ssl->param->check_time;
- if (ssl->param->flags)
- store->param->flags = ssl->param->flags;
- if (ssl->param->hostName[0])
- XMEMCPY(store->param->hostName, ssl->param->hostName,
- WOLFSSL_HOST_NAME_MAX);
- }
- #endif /* defined(OPENSSL_EXTRA) */
- #endif /* defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)*/
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- #ifdef KEEP_PEER_CERT
- if (args->certIdx == 0) {
- store->current_cert = &ssl->peerCert; /* use existing X509 */
- }
- else
- #endif
- {
- InitX509(x509, 0, heap);
- if (CopyDecodedToX509(x509, args->dCert) == 0) {
- store->current_cert = x509;
- x509Free = 1;
- }
- else {
- FreeX509(x509);
- }
- }
- #endif
- #ifdef SESSION_CERTS
- store->sesChain = &ssl->session->chain;
- #endif
- }
- #ifndef NO_WOLFSSL_CM_VERIFY
- /* non-zero return code indicates failure override */
- if (cm->verifyCallback != NULL) {
- store->userCtx = cm;
- if (cm->verifyCallback(verify_ok, store)) {
- if (ret != 0) {
- WOLFSSL_MSG("Verify CM callback overriding error!");
- ret = 0;
- }
- }
- else {
- verifyFail = 1;
- }
- }
- #endif
- if (ssl != NULL) {
- #ifdef OPENSSL_ALL
- /* non-zero return code indicates failure override */
- if (ssl->ctx->verifyCertCb) {
- if (ssl->ctx->verifyCertCb(store, ssl->ctx->verifyCertCbArg)) {
- if (ret != 0) {
- WOLFSSL_MSG("Verify Cert callback overriding error!");
- ret = 0;
- }
- }
- else {
- verifyFail = 1;
- }
- }
- #endif
- /* non-zero return code indicates failure override */
- if (ssl->verifyCallback) {
- if (ssl->verifyCallback(verify_ok, store)) {
- if (ret != 0) {
- WOLFSSL_MSG("Verify callback overriding error!");
- ret = 0;
- }
- }
- else {
- verifyFail = 1;
- }
- }
- }
- if (verifyFail) {
- /* induce error if one not present */
- if (ret == 0) {
- ret = VERIFY_CERT_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- /* mark as verify error */
- args->verifyErr = 1;
- }
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- if (x509Free) {
- FreeX509(x509);
- }
- #endif
- #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
- wolfSSL_sk_X509_pop_free(store->chain, NULL);
- store->chain = NULL;
- #endif
- #ifdef SESSION_CERTS
- if ((ssl != NULL) && (store->discardSessionCerts)) {
- WOLFSSL_MSG("Verify callback requested discard sess certs");
- ssl->session->chain.count = 0;
- #ifdef WOLFSSL_ALT_CERT_CHAINS
- ssl->session->altChain.count = 0;
- #endif
- }
- #endif /* SESSION_CERTS */
- #ifdef OPENSSL_EXTRA
- if ((ssl != NULL) && (store->param)) {
- XFREE(store->param, heap, DYNAMIC_TYPE_OPENSSL);
- }
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(domain, heap, DYNAMIC_TYPE_STRING);
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- XFREE(x509, heap, DYNAMIC_TYPE_X509);
- #endif
- XFREE(store, heap, DYNAMIC_TYPE_X509_STORE);
- #endif
- }
- (void)heap;
- return ret;
- }
- static void FreeProcPeerCertArgs(WOLFSSL* ssl, void* pArgs)
- {
- ProcPeerCertArgs* args = (ProcPeerCertArgs*)pArgs;
- (void)ssl;
- if (args->certs) {
- XFREE(args->certs, ssl->heap, DYNAMIC_TYPE_DER);
- args->certs = NULL;
- }
- #ifdef WOLFSSL_TLS13
- if (args->exts) {
- XFREE(args->exts, ssl->heap, DYNAMIC_TYPE_CERT_EXT);
- args->exts = NULL;
- }
- #endif
- if (args->dCert) {
- if (args->dCertInit) {
- FreeDecodedCert(args->dCert);
- args->dCertInit = 0;
- }
- XFREE(args->dCert, ssl->heap, DYNAMIC_TYPE_DCERT);
- args->dCert = NULL;
- }
- }
- #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
- (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
- !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
- /* load certificate file which has the form <hash>.(r)N[0..N] */
- /* in the folder. */
- /* (r), in the case of CRL file */
- /* @param store a pointer to X509_STORE structure */
- /* @param issuer a pointer to X509_NAME that presents an issuer */
- /* @param type X509_LU_X509 or X509_LU_CRL */
- /* @return WOLFSSL_SUCCESS on successful, otherwise WOLFSSL_FAILURE */
- int LoadCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type)
- {
- const int MAX_SUFFIX = 10;/* The number comes from CA_TABLE_SIZE=10 */
- int ret = WOLFSSL_SUCCESS;
- WOLFSSL_X509_LOOKUP* lookup;
- WOLFSSL_BY_DIR_entry* entry;
- WOLFSSL_BY_DIR_HASH hash_tmp;
- WOLFSSL_BY_DIR_HASH* ph = NULL;
- WOLFSSL_X509* x509;
- unsigned long hash = 0;
- char* filename = NULL;
- const char* post = "";
- byte* pbuf = NULL;
- int len, num, i, idx;
- int suffix = 0;
- int retHash = NOT_COMPILED_IN;
- byte dgt[WC_MAX_DIGEST_SIZE];
- WOLFSSL_ENTER("LoadCertByIssuer");
- /* sanity check */
- if (store == NULL || issuer == NULL || (type != X509_LU_X509 && type != X509_LU_CRL)) {
- return WOLFSSL_FAILURE;
- }
- lookup = &store->lookup;
- if (lookup->dirs == NULL || lookup->type != 1) {
- return WOLFSSL_FAILURE;
- }
- len = wolfSSL_i2d_X509_NAME_canon(issuer, &pbuf);
- if (len > 0) {
- #ifndef NO_SHA
- retHash = wc_ShaHash((const byte*)pbuf, len, dgt);
- #endif
- if (retHash == 0) {
- /* 4 bytes in little endian as unsigned long */
- hash = (((unsigned long)dgt[3] << 24) |
- ((unsigned long)dgt[2] << 16) |
- ((unsigned long)dgt[1] << 8) |
- ((unsigned long)dgt[0]));
- } else {
- WOLFSSL_MSG("failed hash operation");
- return WOLFSSL_FAILURE;
- }
- wolfSSL_OPENSSL_free(pbuf);
- }
- /* try to load each hashed name file in path */
- #if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
- if (type == X509_LU_CRL) {
- post = "r";
- }
- num = wolfSSL_sk_BY_DIR_entry_num(lookup->dirs->dir_entry);
- for (i=0; i<num; i++) {
- entry = wolfSSL_sk_BY_DIR_entry_value(lookup->dirs->dir_entry, i);
- if (type == X509_LU_CRL && entry->hashes != NULL &&
- wolfSSL_sk_BY_DIR_HASH_num(entry->hashes) > 0) {
- /* lock the list */
- if (wc_LockMutex(&lookup->dirs->lock) != 0) {
- WOLFSSL_MSG("wc_LockMutex cdir Lock error");
- return BAD_MUTEX_E;
- }
- hash_tmp.hash_value = hash;
- idx = wolfSSL_sk_BY_DIR_HASH_find(entry->hashes, &hash_tmp);
- if (idx >= 0) {
- WOLFSSL_MSG("find hashed CRL in list");
- ph = wolfSSL_sk_BY_DIR_HASH_value(entry->hashes, idx);
- suffix = ph->last_suffix;
- } else {
- ph = NULL;
- suffix = 0;
- }
- wc_UnLockMutex(&lookup->dirs->lock);
- }
- /* Additional buffer length for file name memory allocation : */
- /* / <hashvalue>.(r)N\0 */
- /*|1| 8 |1|1|1|1| => 13 */
- len = (int)XSTRLEN(entry->dir_name) + 13;
- if (filename != NULL) {
- XFREE(filename, NULL, DYNAMIC_TYPE_OPENSSL);
- }
- filename = (char*)XMALLOC(len, NULL, DYNAMIC_TYPE_OPENSSL);
- if (filename == NULL) {
- WOLFSSL_MSG("memory allocation error");
- return MEMORY_E;
- }
- /* set as FAILURE, if successfully loading cert of CRL, this becomes */
- /* WOLFSSL_SUCCESS */
- ret = WOLFSSL_FAILURE;
- for (; suffix < MAX_SUFFIX; suffix++) {
- /* /folder-path/<hash>.(r)N[0..9] */
- if (XSNPRINTF(filename, len, "%s/%08lx.%s%d", entry->dir_name,
- hash, post, suffix)
- >= len)
- {
- WOLFSSL_MSG("buffer overrun in LoadCertByIssuer");
- ret = BUFFER_E;
- break;
- }
- if(wc_FileExists(filename) == 0/*0 file exists */) {
- if (type == X509_LU_X509) {
- x509 = wolfSSL_X509_load_certificate_file(filename,
- WOLFSSL_FILETYPE_PEM);
- if (x509 != NULL) {
- ret = wolfSSL_X509_STORE_add_cert(store, x509);
- wolfSSL_X509_free(x509);
- } else {
- WOLFSSL_MSG("failed to load certificate");
- ret = WOLFSSL_FAILURE;
- break;
- }
- }
- else if (type == X509_LU_CRL) {
- #if defined(HAVE_CRL)
- ret = wolfSSL_X509_load_crl_file(&store->lookup, filename,
- entry->dir_type);
- if (ret != WOLFSSL_SUCCESS) {
- WOLFSSL_MSG("failed to load CRL");
- break;
- }
- #else
- WOLFSSL_MSG("CRL is not supported");
- ret = WOLFSSL_FAILURE;
- break;
- #endif /* HAVE_CRL */
- }
- } else
- break;
- }
- if (ret != WOLFSSL_SUCCESS) {
- WOLFSSL_MSG("not found file");
- ret = WOLFSSL_FAILURE;
- } else {
- if (type == X509_LU_CRL) {
- if (wc_LockMutex(&lookup->dirs->lock) != 0) {
- WOLFSSL_MSG("wc_LockMutex cdir Lock error");
- XFREE(filename, NULL, DYNAMIC_TYPE_OPENSSL);
- WOLFSSL_ERROR_VERBOSE(BAD_MUTEX_E);
- return BAD_MUTEX_E;
- }
- if (ph == NULL) {
- ph = wolfSSL_BY_DIR_HASH_new();
- if (ph == NULL) {
- WOLFSSL_MSG("failed to allocate hash stack");
- ret = WOLFSSL_FAILURE;
- } else {
- ph->hash_value = hash;
- ph->last_suffix = suffix;
- ret = wolfSSL_sk_BY_DIR_HASH_push(entry->hashes, ph);
- }
- }
- wc_UnLockMutex(&lookup->dirs->lock);
- }
- }
- XFREE(filename, NULL, DYNAMIC_TYPE_OPENSSL);
- }
- #else
- (void) type;
- (void) ret;
- (void) x509;
- (void) filename;
- (void) suffix;
- (void) num;
- (void) i;
- ret = WOLFSSL_NOT_IMPLEMENTED;
- #endif
- WOLFSSL_LEAVE("LoadCertByIssuer", ret);
- return ret;
- }
- #endif
- static int ProcessPeerCertParse(WOLFSSL* ssl, ProcPeerCertArgs* args,
- int certType, int verify, byte** pSubjectHash, int* pAlreadySigner)
- {
- int ret = 0;
- buffer* cert;
- byte* subjectHash = NULL;
- int alreadySigner = 0;
- #ifdef WOLFSSL_SMALL_CERT_VERIFY
- int sigRet = 0;
- #endif
- if (ssl == NULL || args == NULL
- #ifndef WOLFSSL_SMALL_CERT_VERIFY
- || args->dCert == NULL
- #endif
- ) {
- return BAD_FUNC_ARG;
- }
- PRAGMA_GCC_DIAG_PUSH
- PRAGMA_GCC("GCC diagnostic ignored \"-Wstrict-overflow\"")
- /* Surrounded in gcc pragma to avoid -Werror=strict-overflow when the
- * compiler optimizes out the check and assumes no underflow. Keeping the
- * check in place to handle multiple build configurations and future
- * changes. */
- /* check to make sure certificate index is valid */
- if (args->certIdx > args->count)
- return BUFFER_E;
- PRAGMA_GCC_DIAG_POP
- /* check if returning from non-blocking OCSP */
- /* skip this section because cert is already initialized and parsed */
- #ifdef WOLFSSL_NONBLOCK_OCSP
- if (args->lastErr == OCSP_WANT_READ) {
- args->lastErr = 0; /* clear error */
- return 0;
- }
- #endif
- #ifdef WOLFSSL_TRUST_PEER_CERT
- /* we have trusted peer */
- if (args->haveTrustPeer) {
- return 0;
- }
- #endif
- /* get certificate buffer */
- cert = &args->certs[args->certIdx];
- #ifdef WOLFSSL_SMALL_CERT_VERIFY
- if (verify == VERIFY) {
- /* for small cert verify, release decoded cert during signature check to
- reduce peak memory usage */
- if (args->dCert != NULL) {
- if (args->dCertInit) {
- FreeDecodedCert(args->dCert);
- args->dCertInit = 0;
- }
- XFREE(args->dCert, ssl->heap, DYNAMIC_TYPE_DCERT);
- args->dCert = NULL;
- }
- /* perform cert parsing and signature check */
- sigRet = CheckCertSignature(cert->buffer, cert->length,
- ssl->heap, SSL_CM(ssl));
- /* fail on errors here after the ParseCertRelative call, so dCert is populated */
- /* verify name only in ParseCertRelative below, signature check done */
- verify = VERIFY_NAME;
- }
- #endif /* WOLFSSL_SMALL_CERT_VERIFY */
- /* make sure the decoded cert structure is allocated and initialized */
- if (!args->dCertInit
- #ifdef WOLFSSL_SMALL_CERT_VERIFY
- || args->dCert == NULL
- #endif
- ) {
- #ifdef WOLFSSL_SMALL_CERT_VERIFY
- if (args->dCert == NULL) {
- args->dCert = (DecodedCert*)XMALLOC(
- sizeof(DecodedCert), ssl->heap,
- DYNAMIC_TYPE_DCERT);
- if (args->dCert == NULL) {
- return MEMORY_E;
- }
- }
- #endif
- InitDecodedCert(args->dCert, cert->buffer, cert->length, ssl->heap);
- args->dCertInit = 1;
- args->dCert->sigCtx.devId = ssl->devId;
- #ifdef WOLFSSL_ASYNC_CRYPT
- args->dCert->sigCtx.asyncCtx = ssl;
- #endif
- #ifdef HAVE_PK_CALLBACKS
- /* setup the PK callback context */
- ret = InitSigPkCb(ssl, &args->dCert->sigCtx);
- if (ret != 0)
- return ret;
- #endif
- }
- /* Parse Certificate */
- ret = ParseCertRelative(args->dCert, certType, verify, SSL_CM(ssl));
- /* perform below checks for date failure cases */
- if (ret == 0 || ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E) {
- /* get subject and determine if already loaded */
- #ifndef NO_SKID
- if (args->dCert->extAuthKeyIdSet)
- subjectHash = args->dCert->extSubjKeyId;
- else
- #endif
- subjectHash = args->dCert->subjectHash;
- alreadySigner = AlreadySigner(SSL_CM(ssl), subjectHash);
- }
- #ifdef WOLFSSL_SMALL_CERT_VERIFY
- /* get signature check failures from above */
- if (ret == 0)
- ret = sigRet;
- #endif
- if (pSubjectHash)
- *pSubjectHash = subjectHash;
- if (pAlreadySigner)
- *pAlreadySigner = alreadySigner;
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl,
- args->dCert->sigCtx.asyncDev);
- }
- #endif
- #if defined(WOLFSSL_PUBLIC_ASN) && defined(HAVE_PK_CALLBACKS)
- /* This block gives the callback a chance to process the peer cert.
- * If there is no callback set or it returns NOT_COMPILED_IN, then the
- * original return code is returned. */
- if (ssl->ctx && ssl->ctx->ProcessPeerCertCb) {
- int new_ret = ssl->ctx->ProcessPeerCertCb(ssl, args->dCert);
- if (new_ret != NOT_COMPILED_IN) {
- ret = new_ret;
- }
- }
- #endif /* WOLFSSL_PUBLIC_ASN && HAVE_PK_CALLBACKS */
- return ret;
- }
- /* Check key sizes for certs. Is redundant check since
- ProcessBuffer also performs this check. */
- static int ProcessPeerCertCheckKey(WOLFSSL* ssl, ProcPeerCertArgs* args)
- {
- int ret = 0;
- if (ssl->options.verifyNone) {
- return ret;
- }
- switch (args->dCert->keyOID) {
- #ifndef NO_RSA
- #ifdef WC_RSA_PSS
- case RSAPSSk:
- #endif
- case RSAk:
- if (ssl->options.minRsaKeySz < 0 ||
- args->dCert->pubKeySize <
- (word16)ssl->options.minRsaKeySz) {
- WOLFSSL_MSG(
- "RSA key size in cert chain error");
- ret = RSA_KEY_SIZE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- break;
- #endif /* !NO_RSA */
- #ifdef HAVE_ECC
- case ECDSAk:
- if (ssl->options.minEccKeySz < 0 ||
- args->dCert->pubKeySize <
- (word16)ssl->options.minEccKeySz) {
- WOLFSSL_MSG(
- "ECC key size in cert chain error");
- ret = ECC_KEY_SIZE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- break;
- #endif /* HAVE_ECC */
- #ifdef HAVE_ED25519
- case ED25519k:
- if (ssl->options.minEccKeySz < 0 ||
- ED25519_KEY_SIZE < (word16)ssl->options.minEccKeySz) {
- WOLFSSL_MSG(
- "ECC key size in cert chain error");
- ret = ECC_KEY_SIZE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- break;
- #endif /* HAVE_ED25519 */
- #ifdef HAVE_ED448
- case ED448k:
- if (ssl->options.minEccKeySz < 0 ||
- ED448_KEY_SIZE < (word16)ssl->options.minEccKeySz) {
- WOLFSSL_MSG(
- "ECC key size in cert chain error");
- ret = ECC_KEY_SIZE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- break;
- #endif /* HAVE_ED448 */
- #if defined(HAVE_PQC)
- #if defined(HAVE_FALCON)
- case FALCON_LEVEL1k:
- if (ssl->options.minFalconKeySz < 0 ||
- FALCON_LEVEL1_KEY_SIZE < (word16)ssl->options.minFalconKeySz) {
- WOLFSSL_MSG("Falcon key size in cert chain error");
- ret = FALCON_KEY_SIZE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- break;
- case FALCON_LEVEL5k:
- if (ssl->options.minFalconKeySz < 0 ||
- FALCON_LEVEL5_KEY_SIZE < (word16)ssl->options.minFalconKeySz) {
- WOLFSSL_MSG("Falcon key size in cert chain error");
- ret = FALCON_KEY_SIZE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- break;
- #endif /* HAVE_FALCON */
- #endif /* HAVE_PQC */
- #if defined(HAVE_DILITHIUM)
- case DILITHIUM_LEVEL2k:
- if (ssl->options.minDilithiumKeySz < 0 ||
- DILITHIUM_LEVEL2_KEY_SIZE
- < (word16)ssl->options.minDilithiumKeySz) {
- WOLFSSL_MSG("Dilithium key size in cert chain error");
- ret = DILITHIUM_KEY_SIZE_E;
- }
- break;
- case DILITHIUM_LEVEL3k:
- if (ssl->options.minDilithiumKeySz < 0 ||
- DILITHIUM_LEVEL3_KEY_SIZE
- < (word16)ssl->options.minDilithiumKeySz) {
- WOLFSSL_MSG( "Dilithium key size in cert chain error");
- ret = DILITHIUM_KEY_SIZE_E;
- }
- break;
- case DILITHIUM_LEVEL5k:
- if (ssl->options.minDilithiumKeySz < 0 ||
- DILITHIUM_LEVEL5_KEY_SIZE
- < (word16)ssl->options.minDilithiumKeySz) {
- WOLFSSL_MSG("Dilithium key size in cert chain error");
- ret = DILITHIUM_KEY_SIZE_E;
- }
- break;
- #endif /* HAVE_DILITHIUM */
- default:
- WOLFSSL_MSG("Key size not checked");
- /* key not being checked for size if not in
- switch */
- break;
- }
- return ret;
- }
- int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
- word32 totalSz)
- {
- int ret = 0;
- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
- ProcPeerCertArgs* args = NULL;
- WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
- #elif defined(WOLFSSL_SMALL_STACK)
- ProcPeerCertArgs* args = NULL;
- #else
- ProcPeerCertArgs args[1];
- #endif
- byte* subjectHash = NULL;
- int alreadySigner = 0;
- WOLFSSL_ENTER("ProcessPeerCerts");
- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
- if (ssl->async == NULL) {
- ssl->async = (struct WOLFSSL_ASYNC*)
- XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
- DYNAMIC_TYPE_ASYNC);
- if (ssl->async == NULL)
- ERROR_OUT(MEMORY_E, exit_ppc);
- }
- args = (ProcPeerCertArgs*)ssl->async->args;
- #ifdef WOLFSSL_ASYNC_CRYPT
- ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
- if (ret != WC_NOT_PENDING_E) {
- /* Check for error */
- if (ret < 0)
- goto exit_ppc;
- }
- else
- #endif /* WOLFSSL_ASYNC_CRYPT */
- #ifdef WOLFSSL_NONBLOCK_OCSP
- if (ssl->error == OCSP_WANT_READ) {
- /* Re-entry after non-blocking OCSP */
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* if async operationg not pending, reset error code */
- if (ret == WC_NOT_PENDING_E)
- ret = 0;
- #endif
- }
- else
- #endif /* WOLFSSL_NONBLOCK_OCSP */
- #elif defined(WOLFSSL_SMALL_STACK)
- args = (ProcPeerCertArgs*)XMALLOC(
- sizeof(ProcPeerCertArgs), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
- if (args == NULL) {
- ERROR_OUT(MEMORY_E, exit_ppc);
- }
- #endif /* WOLFSSL_ASYNC_CRYPT || WOLFSSL_NONBLOCK_OCSP */
- {
- /* Reset state */
- ret = 0;
- ssl->options.asyncState = TLS_ASYNC_BEGIN;
- XMEMSET(args, 0, sizeof(ProcPeerCertArgs));
- args->idx = *inOutIdx;
- args->begin = *inOutIdx;
- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
- ssl->async->freeArgs = FreeProcPeerCertArgs;
- #endif
- }
- switch (ssl->options.asyncState)
- {
- case TLS_ASYNC_BEGIN:
- {
- word32 listSz;
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "Certificate");
- if (ssl->toInfoOn)
- AddLateName("Certificate", &ssl->timeoutInfo);
- #endif
- #ifdef WOLFSSL_TLS13
- if (ssl->options.tls1_3) {
- byte ctxSz;
- /* Certificate Request Context */
- if ((args->idx - args->begin) + OPAQUE8_LEN > totalSz)
- ERROR_OUT(BUFFER_ERROR, exit_ppc);
- ctxSz = *(input + args->idx);
- args->idx++;
- if ((args->idx - args->begin) + ctxSz > totalSz)
- ERROR_OUT(BUFFER_ERROR, exit_ppc);
- #ifndef NO_WOLFSSL_CLIENT
- /* Must be empty when received from server. */
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- if (ctxSz != 0) {
- WOLFSSL_ERROR_VERBOSE(INVALID_CERT_CTX_E);
- ERROR_OUT(INVALID_CERT_CTX_E, exit_ppc);
- }
- }
- #endif
- #ifndef NO_WOLFSSL_SERVER
- /* Must contain value sent in request. */
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- if (ssl->options.handShakeState != HANDSHAKE_DONE &&
- ctxSz != 0) {
- WOLFSSL_ERROR_VERBOSE(INVALID_CERT_CTX_E);
- ERROR_OUT(INVALID_CERT_CTX_E, exit_ppc);
- }
- else if (ssl->options.handShakeState == HANDSHAKE_DONE) {
- #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
- CertReqCtx* curr = ssl->certReqCtx;
- CertReqCtx* prev = NULL;
- while (curr != NULL) {
- if ((ctxSz == curr->len) &&
- XMEMCMP(&curr->ctx, input + args->idx, ctxSz)
- == 0) {
- if (prev != NULL)
- prev->next = curr->next;
- else
- ssl->certReqCtx = curr->next;
- XFREE(curr, ssl->heap,
- DYNAMIC_TYPE_TMP_BUFFER);
- break;
- }
- prev = curr;
- curr = curr->next;
- }
- if (curr == NULL)
- #endif
- {
- WOLFSSL_ERROR_VERBOSE(INVALID_CERT_CTX_E);
- ERROR_OUT(INVALID_CERT_CTX_E, exit_ppc);
- }
- }
- }
- #endif
- args->idx += ctxSz;
- /* allocate buffer for cert extensions */
- args->exts = (buffer*)XMALLOC(sizeof(buffer) *
- MAX_CHAIN_DEPTH, ssl->heap, DYNAMIC_TYPE_CERT_EXT);
- if (args->exts == NULL) {
- ERROR_OUT(MEMORY_E, exit_ppc);
- }
- }
- #endif
- /* allocate buffer for certs */
- args->certs = (buffer*)XMALLOC(sizeof(buffer) * MAX_CHAIN_DEPTH,
- ssl->heap, DYNAMIC_TYPE_DER);
- if (args->certs == NULL) {
- ERROR_OUT(MEMORY_E, exit_ppc);
- }
- XMEMSET(args->certs, 0, sizeof(buffer) * MAX_CHAIN_DEPTH);
- /* Certificate List */
- if ((args->idx - args->begin) + OPAQUE24_LEN > totalSz) {
- ERROR_OUT(BUFFER_ERROR, exit_ppc);
- }
- c24to32(input + args->idx, &listSz);
- args->idx += OPAQUE24_LEN;
- if (listSz > MAX_CERTIFICATE_SZ) {
- ERROR_OUT(BUFFER_ERROR, exit_ppc);
- }
- if ((args->idx - args->begin) + listSz != totalSz) {
- ERROR_OUT(BUFFER_ERROR, exit_ppc);
- }
- WOLFSSL_MSG("Loading peer's cert chain");
- /* first put cert chain into buffer so can verify top down
- we're sent bottom up */
- while (listSz) {
- word32 certSz;
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- if (args->totalCerts >= MAX_CHAIN_DEPTH) {
- if (ssl->peerVerifyRet == 0) /* Return first cert error here */
- ssl->peerVerifyRet =
- WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG;
- ret = MAX_CHAIN_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- WOLFSSL_MSG("Too many certs for MAX_CHAIN_DEPTH");
- break; /* break out to avoid reading more certs then buffer
- * can hold */
- }
- #else
- if (args->totalCerts >= ssl->verifyDepth ||
- args->totalCerts >= MAX_CHAIN_DEPTH) {
- WOLFSSL_ERROR_VERBOSE(MAX_CHAIN_ERROR);
- ERROR_OUT(MAX_CHAIN_ERROR, exit_ppc);
- }
- #endif
- if ((args->idx - args->begin) + OPAQUE24_LEN > totalSz) {
- ERROR_OUT(BUFFER_ERROR, exit_ppc);
- }
- c24to32(input + args->idx, &certSz);
- args->idx += OPAQUE24_LEN;
- if ((args->idx - args->begin) + certSz > totalSz) {
- ERROR_OUT(BUFFER_ERROR, exit_ppc);
- }
- args->certs[args->totalCerts].length = certSz;
- args->certs[args->totalCerts].buffer = input + args->idx;
- #ifdef SESSION_CERTS
- AddSessionCertToChain(&ssl->session->chain,
- input + args->idx, certSz);
- #endif /* SESSION_CERTS */
- args->idx += certSz;
- listSz -= certSz + CERT_HEADER_SZ;
- #ifdef WOLFSSL_TLS13
- /* Extensions */
- if (ssl->options.tls1_3) {
- word16 extSz;
- if (args->exts == NULL) {
- ERROR_OUT(BUFFER_ERROR, exit_ppc);
- }
- if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) {
- ERROR_OUT(BUFFER_ERROR, exit_ppc);
- }
- ato16(input + args->idx, &extSz);
- args->idx += OPAQUE16_LEN;
- if ((args->idx - args->begin) + extSz > totalSz) {
- ERROR_OUT(BUFFER_ERROR, exit_ppc);
- }
- /* Store extension data info for later processing. */
- args->exts[args->totalCerts].length = extSz;
- args->exts[args->totalCerts].buffer = input + args->idx;
- args->idx += extSz;
- listSz -= extSz + OPAQUE16_LEN;
- WOLFSSL_MSG_EX("\tParsing %d bytes of cert extensions",
- args->exts[args->totalCerts].length);
- #if !defined(NO_TLS)
- ret = TLSX_Parse(ssl, args->exts[args->totalCerts].buffer,
- (word16)args->exts[args->totalCerts].length,
- certificate, NULL);
- #endif /* !NO_TLS */
- if (ret < 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- ERROR_OUT(ret, exit_ppc);
- }
- }
- #endif
- args->totalCerts++;
- WOLFSSL_MSG("\tPut another cert into chain");
- } /* while (listSz) */
- args->count = args->totalCerts;
- args->certIdx = 0; /* select peer cert (first one) */
- if (args->count == 0) {
- /* Empty certificate message. */
- if ((ssl->options.side == WOLFSSL_SERVER_END) &&
- (ssl->options.mutualAuth || (ssl->options.failNoCert &&
- IsAtLeastTLSv1_3(ssl->version)))) {
- WOLFSSL_MSG("No peer cert from Client");
- ret = NO_PEER_CERT;
- WOLFSSL_ERROR_VERBOSE(ret);
- DoCertFatalAlert(ssl, ret);
- }
- else if ((ssl->options.side == WOLFSSL_CLIENT_END) &&
- IsAtLeastTLSv1_3(ssl->version)) {
- WOLFSSL_MSG("No peer cert from Server");
- ret = NO_PEER_CERT;
- WOLFSSL_ERROR_VERBOSE(ret);
- SendAlert(ssl, alert_fatal, decode_error);
- }
- }
- args->dCertInit = 0;
- #ifndef WOLFSSL_SMALL_CERT_VERIFY
- args->dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
- DYNAMIC_TYPE_DCERT);
- if (args->dCert == NULL) {
- ERROR_OUT(MEMORY_E, exit_ppc);
- }
- XMEMSET(args->dCert, 0, sizeof(DecodedCert));
- #endif
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_BUILD;
- } /* case TLS_ASYNC_BEGIN */
- FALL_THROUGH;
- case TLS_ASYNC_BUILD:
- {
- if (args->count > 0) {
- /* check for trusted peer and get untrustedDepth */
- #if defined(WOLFSSL_TRUST_PEER_CERT) || defined(OPENSSL_EXTRA)
- if (args->certIdx == 0) {
- #ifdef WOLFSSL_TRUST_PEER_CERT
- TrustedPeerCert* tp;
- #endif
- ret = ProcessPeerCertParse(ssl, args, CERT_TYPE, NO_VERIFY,
- &subjectHash, &alreadySigner);
- if (ret != 0)
- goto exit_ppc;
- #ifdef OPENSSL_EXTRA
- /* Determine untrusted depth */
- if (!alreadySigner && (!args->dCert ||
- !args->dCertInit || !args->dCert->selfSigned)) {
- args->untrustedDepth = 1;
- }
- #endif
- #ifdef WOLFSSL_TRUST_PEER_CERT
- tp = GetTrustedPeer(SSL_CM(ssl), args->dCert);
- WOLFSSL_MSG("Checking for trusted peer cert");
- if (tp && MatchTrustedPeer(tp, args->dCert)) {
- WOLFSSL_MSG("Found matching trusted peer cert");
- args->haveTrustPeer = 1;
- }
- else if (tp == NULL) {
- /* no trusted peer cert */
- WOLFSSL_MSG("No matching trusted peer cert. Checking CAs");
- }
- else {
- WOLFSSL_MSG("Trusted peer cert did not match!");
- }
- if (!args->haveTrustPeer)
- #endif
- {
- /* free cert if not trusted peer */
- FreeDecodedCert(args->dCert);
- args->dCertInit = 0;
- }
- }
- #endif /* WOLFSSL_TRUST_PEER_CERT || OPENSSL_EXTRA */
- /* check certificate up to peer's first */
- /* do not verify chain if trusted peer cert found */
- while (args->count > 1
- #ifdef WOLFSSL_TRUST_PEER_CERT
- && !args->haveTrustPeer
- #endif /* WOLFSSL_TRUST_PEER_CERT */
- ) {
- int skipAddCA = 0;
- /* select last certificate */
- args->certIdx = args->count - 1;
- ret = ProcessPeerCertParse(ssl, args, CERT_TYPE,
- !ssl->options.verifyNone ? VERIFY : NO_VERIFY,
- &subjectHash, &alreadySigner);
- #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
- (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
- !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
- if (ret == ASN_NO_SIGNER_E || ret == ASN_SELF_SIGNED_E) {
- WOLFSSL_MSG("try to load certificate if hash dir is set");
- ret = LoadCertByIssuer(SSL_STORE(ssl),
- (WOLFSSL_X509_NAME*)args->dCert->issuerName,
- X509_LU_X509);
- if (ret == WOLFSSL_SUCCESS) {
- FreeDecodedCert(args->dCert);
- args->dCertInit = 0;
- /* once again */
- ret = ProcessPeerCertParse(ssl, args, CERT_TYPE,
- !ssl->options.verifyNone ? VERIFY : NO_VERIFY,
- &subjectHash, &alreadySigner);
- }
- else {
- ret = ASN_NO_SIGNER_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- #endif
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E)
- goto exit_ppc;
- #endif
- if (ret == 0) {
- ret = ProcessPeerCertCheckKey(ssl, args);
- }
- if (ret == 0 && args->dCert->isCA == 0) {
- WOLFSSL_MSG("Chain cert is not a CA, not adding as one");
- }
- else if (ret == 0 && ssl->options.verifyNone) {
- WOLFSSL_MSG("Chain cert not verified by option, "
- "not adding as CA");
- }
- else if (ret == 0) {
- #ifdef OPENSSL_EXTRA
- if (args->certIdx > args->untrustedDepth) {
- args->untrustedDepth = (char)args->certIdx + 1;
- }
- #endif
- if (alreadySigner) {
- WOLFSSL_MSG("Verified CA from chain and already had it");
- }
- }
- else {
- WOLFSSL_MSG("Failed to verify CA from chain");
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- if (ssl->peerVerifyRet == 0) /* Return first cert error here */
- ssl->peerVerifyRet = WOLFSSL_X509_V_ERR_INVALID_CA;
- #endif
- }
- if (ret == 0) {
- #ifdef HAVE_OCSP
- #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
- if (ssl->status_request_v2) {
- ret = TLSX_CSR2_InitRequests(ssl->extensions,
- args->dCert, 0, ssl->heap);
- }
- else /* skips OCSP and force CRL check */
- #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
- if (SSL_CM(ssl)->ocspEnabled &&
- SSL_CM(ssl)->ocspCheckAll) {
- WOLFSSL_MSG("Doing Non Leaf OCSP check");
- ret = CheckCertOCSP_ex(SSL_CM(ssl)->ocsp,
- args->dCert, NULL, ssl);
- #ifdef WOLFSSL_NONBLOCK_OCSP
- if (ret == OCSP_WANT_READ) {
- args->lastErr = ret;
- goto exit_ppc;
- }
- #endif
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- WOLFSSL_MSG("\tOCSP Lookup not ok");
- }
- }
- #endif /* HAVE_OCSP */
- #ifdef HAVE_CRL
- if (SSL_CM(ssl)->crlEnabled &&
- SSL_CM(ssl)->crlCheckAll) {
- int doCrlLookup = 1;
- #ifdef HAVE_OCSP
- if (SSL_CM(ssl)->ocspEnabled &&
- SSL_CM(ssl)->ocspCheckAll) {
- /* If the cert status is unknown to the OCSP
- responder, do a CRL lookup. If any other
- error, skip the CRL lookup and fail the
- certificate. */
- doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
- }
- #endif /* HAVE_OCSP */
- if (doCrlLookup) {
- WOLFSSL_MSG("Doing Non Leaf CRL check");
- ret = CheckCertCRL(SSL_CM(ssl)->crl,
- args->dCert);
- #ifdef WOLFSSL_NONBLOCK_OCSP
- /* The CRL lookup I/O callback is using the
- * same WOULD_BLOCK error code as OCSP's I/O
- * callback, and it is enabling it using the
- * same flag. */
- if (ret == OCSP_WANT_READ) {
- args->lastErr = ret;
- goto exit_ppc;
- }
- #endif
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- WOLFSSL_MSG("\tCRL check not ok");
- }
- }
- }
- #endif /* HAVE_CRL */
- }
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- if (ret == 0 &&
- /* extend the limit "+1" until reaching
- * an ultimately trusted issuer.*/
- args->count > (ssl->verifyDepth + 1)) {
- if (ssl->peerVerifyRet == 0) /* Return first cert error here */
- ssl->peerVerifyRet =
- WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG;
- ret = MAX_CHAIN_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- #endif
- #ifdef WOLFSSL_ALT_CERT_CHAINS
- /* For alternate cert chain, its okay for a CA cert to fail
- with ASN_NO_SIGNER_E here. The "alternate" certificate
- chain mode only requires that the peer certificate
- validate to a trusted CA */
- if (ret != 0 && args->dCert->isCA) {
- if (ret == ASN_NO_SIGNER_E || ret == ASN_SELF_SIGNED_E) {
- if (!ssl->options.usingAltCertChain) {
- WOLFSSL_MSG("Trying alternate cert chain");
- ssl->options.usingAltCertChain = 1;
- }
- ret = 0; /* clear errors and continue */
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- ssl->peerVerifyRet = 0;
- #endif
- args->verifyErr = 0;
- /* do not add to certificate manager */
- skipAddCA = 1;
- }
- }
- #endif /* WOLFSSL_ALT_CERT_CHAINS */
- /* Do verify callback */
- ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
- if (ssl->options.verifyNone &&
- (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
- ret == CRL_CERT_DATE_ERR)) {
- WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
- ret = ssl->error = 0;
- }
- #ifdef WOLFSSL_ALT_CERT_CHAINS
- if (ret != 0 && args->dCert->isCA) {
- /* do not add to certificate manager */
- skipAddCA = 1;
- }
- #endif
- /* If valid CA then add to Certificate Manager */
- if (ret == 0 && args->dCert->isCA &&
- !ssl->options.verifyNone && !skipAddCA) {
- buffer* cert = &args->certs[args->certIdx];
- /* Is valid CA */
- #if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS)
- /* if using alternate chain, store the cert used */
- if (ssl->options.usingAltCertChain) {
- AddSessionCertToChain(&ssl->session->altChain,
- cert->buffer, cert->length);
- }
- #endif /* SESSION_CERTS && WOLFSSL_ALT_CERT_CHAINS */
- if (!alreadySigner) {
- DerBuffer* add = NULL;
- ret = AllocDer(&add, cert->length, CA_TYPE, ssl->heap);
- if (ret < 0)
- goto exit_ppc;
- XMEMCPY(add->buffer, cert->buffer, cert->length);
- /* CA already verified above in ParseCertRelative */
- WOLFSSL_MSG("Adding CA from chain");
- ret = AddCA(SSL_CM(ssl), &add, WOLFSSL_CHAIN_CA,
- NO_VERIFY);
- if (ret == WOLFSSL_SUCCESS) {
- ret = 0;
- }
- }
- }
- /* Handle error codes */
- ssl->error = ret; /* Report SSL error or clear error if
- * callback overrides. */
- if (ret != 0) {
- if (!ssl->options.verifyNone) {
- WOLFSSL_ERROR_VERBOSE(ret);
- DoCertFatalAlert(ssl, ret);
- }
- if (args->lastErr == 0) {
- args->lastErr = ret; /* save error from last time */
- ret = 0; /* reset error */
- }
- }
- FreeDecodedCert(args->dCert);
- args->dCertInit = 0;
- args->count--;
- } /* while (count > 0 && !args->haveTrustPeer) */
- } /* if (count > 0) */
- /* Check for error */
- if (ret != 0) {
- goto exit_ppc;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_DO;
- } /* case TLS_ASYNC_BUILD */
- FALL_THROUGH;
- case TLS_ASYNC_DO:
- {
- /* peer's, may not have one if blank client cert sent by TLSv1.2 */
- if (args->count > 0) {
- WOLFSSL_MSG("Verifying Peer's cert");
- /* select peer cert (first one) */
- args->certIdx = 0;
- ret = ProcessPeerCertParse(ssl, args, CERT_TYPE,
- !ssl->options.verifyNone ? VERIFY : NO_VERIFY,
- &subjectHash, &alreadySigner);
- #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
- (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
- !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
- if (ret == ASN_NO_SIGNER_E || ret == ASN_SELF_SIGNED_E) {
- int lastErr = ret; /* save error from last time */
- WOLFSSL_MSG("try to load certificate if hash dir is set");
- ret = LoadCertByIssuer(SSL_STORE(ssl),
- (WOLFSSL_X509_NAME*)args->dCert->issuerName,
- X509_LU_X509);
- if (ret == WOLFSSL_SUCCESS) {
- FreeDecodedCert(args->dCert);
- args->dCertInit = 0;
- /* once again */
- ret = ProcessPeerCertParse(ssl, args, CERT_TYPE,
- !ssl->options.verifyNone ? VERIFY : NO_VERIFY,
- &subjectHash, &alreadySigner);
- }
- else {
- ret = lastErr; /* restore error */
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- #endif
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E)
- goto exit_ppc;
- #endif
- if (ret == 0) {
- WOLFSSL_MSG("Verified Peer's cert");
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- if (ssl->peerVerifyRet == 0) /* Return first cert error here */
- ssl->peerVerifyRet = WOLFSSL_X509_V_OK;
- #endif
- #if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS)
- /* if using alternate chain, store the cert used */
- if (ssl->options.usingAltCertChain) {
- buffer* cert = &args->certs[args->certIdx];
- AddSessionCertToChain(&ssl->session->altChain,
- cert->buffer, cert->length);
- }
- #endif /* SESSION_CERTS && WOLFSSL_ALT_CERT_CHAINS */
- #ifndef OPENSSL_COMPATIBLE_DEFAULTS
- /* Check peer's certificate version number. TLS 1.2 / 1.3
- * requires the clients certificate be version 3 unless a
- * different version has been negotiated using RFC 7250.
- * OpenSSL doesn't appear to be performing this check.
- * For TLS 1.3 see RFC8446 Section 4.4.2.3 */
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- if (args->dCert->version != WOLFSSL_X509_V3) {
- WOLFSSL_MSG("Peers certificate was not version 3!");
- args->lastErr = ASN_VERSION_E;
- /* setting last error but not considering it fatal
- * giving the user a chance to override */
- }
- }
- #endif
- /* check if fatal error */
- if (args->verifyErr) {
- args->fatal = 1;
- ret = args->lastErr;
- }
- else {
- args->fatal = 0;
- }
- }
- else if (ret == ASN_PARSE_E || ret == BUFFER_E) {
- WOLFSSL_MSG("Got Peer cert ASN PARSE or BUFFER ERROR");
- #if defined(WOLFSSL_EXTRA_ALERTS) || defined(OPENSSL_EXTRA) || \
- defined(OPENSSL_EXTRA_X509_SMALL)
- DoCertFatalAlert(ssl, ret);
- #endif
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- if (ssl->peerVerifyRet == 0) /* Return first cert error here */
- ssl->peerVerifyRet = WOLFSSL_X509_V_ERR_CERT_REJECTED;
- #endif
- args->fatal = 1;
- }
- else {
- WOLFSSL_MSG("Failed to verify Peer's cert");
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- if (ssl->peerVerifyRet == 0) { /* Return first cert error here */
- if (ret == ASN_BEFORE_DATE_E) {
- ssl->peerVerifyRet =
- (unsigned long)WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID;
- }
- else if (ret == ASN_AFTER_DATE_E) {
- ssl->peerVerifyRet =
- (unsigned long)WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED;
- }
- else {
- ssl->peerVerifyRet =
- (unsigned long)
- WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
- }
- }
- #endif
- if (ssl->verifyCallback) {
- WOLFSSL_MSG(
- "\tCallback override available, will continue");
- /* check if fatal error */
- args->fatal = (args->verifyErr) ? 1 : 0;
- if (args->fatal)
- DoCertFatalAlert(ssl, ret);
- }
- else {
- WOLFSSL_MSG("\tNo callback override available, fatal");
- args->fatal = 1;
- DoCertFatalAlert(ssl, ret);
- }
- }
- #ifdef HAVE_SECURE_RENEGOTIATION
- if (args->fatal == 0 && !IsAtLeastTLSv1_3(ssl->version)
- && ssl->secure_renegotiation
- && ssl->secure_renegotiation->enabled) {
- if (IsEncryptionOn(ssl, 0)) {
- /* compare against previous time */
- if (ssl->secure_renegotiation->subject_hash_set) {
- if (XMEMCMP(args->dCert->subjectHash,
- ssl->secure_renegotiation->subject_hash,
- KEYID_SIZE) != 0) {
- WOLFSSL_MSG(
- "Peer sent different cert during scr, fatal");
- args->fatal = 1;
- ret = SCR_DIFFERENT_CERT_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- }
- /* cache peer's hash */
- if (args->fatal == 0) {
- XMEMCPY(ssl->secure_renegotiation->subject_hash,
- args->dCert->subjectHash, KEYID_SIZE);
- ssl->secure_renegotiation->subject_hash_set = 1;
- }
- }
- #endif /* HAVE_SECURE_RENEGOTIATION */
- } /* if (count > 0) */
- /* Check for error */
- if (args->fatal && ret != 0) {
- goto exit_ppc;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_VERIFY;
- } /* case TLS_ASYNC_DO */
- FALL_THROUGH;
- case TLS_ASYNC_VERIFY:
- {
- if (args->count > 0) {
- #if defined(HAVE_OCSP) || defined(HAVE_CRL)
- /* only attempt to check OCSP or CRL if not previous error such
- * as ASN_BEFORE_DATE_E or ASN_AFTER_DATE_E */
- if (args->fatal == 0 && ret == 0) {
- int doLookup = 1;
- WOLFSSL_MSG("Checking if ocsp needed");
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
- if (ssl->status_request) {
- args->fatal = (TLSX_CSR_InitRequest(ssl->extensions,
- args->dCert, ssl->heap) != 0);
- doLookup = 0;
- WOLFSSL_MSG("\tHave status request");
- #if defined(WOLFSSL_TLS13)
- if (ssl->options.tls1_3) {
- TLSX* ext = TLSX_Find(ssl->extensions,
- TLSX_STATUS_REQUEST);
- if (ext != NULL) {
- word32 idx = 0;
- CertificateStatusRequest* csr =
- (CertificateStatusRequest*)ext->data;
- ret = ProcessCSR(ssl, csr->response.buffer,
- &idx, csr->response.length);
- if (ret < 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- goto exit_ppc;
- }
- }
- }
- #endif
- }
- /* Ensure a stapling response was seen */
- else if (ssl->options.tls1_3 &&
- SSL_CM(ssl)->ocspMustStaple) {
- ret = OCSP_CERT_UNKNOWN;
- goto exit_ppc;
- }
- #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
- #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
- if (ssl->status_request_v2) {
- args->fatal = (TLSX_CSR2_InitRequests(ssl->extensions,
- args->dCert, 1, ssl->heap) != 0);
- doLookup = 0;
- WOLFSSL_MSG("\tHave status request v2");
- }
- #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
- }
- #ifdef HAVE_OCSP
- if (doLookup && SSL_CM(ssl)->ocspEnabled) {
- WOLFSSL_MSG("Doing Leaf OCSP check");
- ret = CheckCertOCSP_ex(SSL_CM(ssl)->ocsp,
- args->dCert, NULL, ssl);
- #ifdef WOLFSSL_NONBLOCK_OCSP
- if (ret == OCSP_WANT_READ) {
- goto exit_ppc;
- }
- #endif
- doLookup = (ret == OCSP_CERT_UNKNOWN);
- if (ret != 0) {
- WOLFSSL_MSG("\tOCSP Lookup not ok");
- args->fatal = 0;
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- if (ssl->peerVerifyRet == 0) {
- /* Return first cert error here */
- ssl->peerVerifyRet =
- ret == OCSP_CERT_REVOKED
- ? WOLFSSL_X509_V_ERR_CERT_REVOKED
- : WOLFSSL_X509_V_ERR_CERT_REJECTED;
- }
- #endif
- }
- }
- #endif /* HAVE_OCSP */
- #ifdef HAVE_CRL
- if (ret == 0 && doLookup && SSL_CM(ssl)->crlEnabled) {
- WOLFSSL_MSG("Doing Leaf CRL check");
- ret = CheckCertCRL(SSL_CM(ssl)->crl, args->dCert);
- #ifdef WOLFSSL_NONBLOCK_OCSP
- /* The CRL lookup I/O callback is using the
- * same WOULD_BLOCK error code as OCSP's I/O
- * callback, and it is enabling it using the
- * same flag. */
- if (ret == OCSP_WANT_READ) {
- goto exit_ppc;
- }
- #endif
- if (ret != 0) {
- WOLFSSL_MSG("\tCRL check not ok");
- args->fatal = 0;
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- if (ssl->peerVerifyRet == 0) {
- /* Return first cert error here */
- ssl->peerVerifyRet =
- ret == CRL_CERT_REVOKED
- ? WOLFSSL_X509_V_ERR_CERT_REVOKED
- : WOLFSSL_X509_V_ERR_CERT_REJECTED;;
- }
- #endif
- }
- }
- #endif /* HAVE_CRL */
- (void)doLookup;
- }
- #endif /* HAVE_OCSP || HAVE_CRL */
- #ifdef KEEP_PEER_CERT
- if (args->fatal == 0) {
- int copyRet = 0;
- #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
- if (ssl->options.handShakeDone) {
- FreeX509(&ssl->peerCert);
- InitX509(&ssl->peerCert, 0, ssl->heap);
- }
- else
- #endif
- #ifdef HAVE_SECURE_RENEGOTIATION
- if (ssl->secure_renegotiation &&
- ssl->secure_renegotiation->enabled) {
- /* free old peer cert */
- FreeX509(&ssl->peerCert);
- InitX509(&ssl->peerCert, 0, ssl->heap);
- }
- else
- #endif
- {
- }
- /* set X509 format for peer cert */
- copyRet = CopyDecodedToX509(&ssl->peerCert, args->dCert);
- if (copyRet == MEMORY_E) {
- args->fatal = 1;
- }
- }
- #endif /* KEEP_PEER_CERT */
- #ifndef IGNORE_KEY_EXTENSIONS
- #if defined(OPENSSL_EXTRA)
- /* when compatibility layer is turned on and no verify is
- * set then ignore the certificate key extension */
- if (args->dCert->extKeyUsageSet &&
- args->dCert->extKeyUsageCrit == 0 &&
- ssl->options.verifyNone) {
- WOLFSSL_MSG("Not verifying certificate key usage");
- }
- else
- #endif
- if (args->dCert->extKeyUsageSet) {
- if ((ssl->specs.kea == rsa_kea) &&
- (ssl->options.side == WOLFSSL_CLIENT_END) &&
- (args->dCert->extKeyUsage & KEYUSE_KEY_ENCIPHER) == 0) {
- ret = KEYUSE_ENCIPHER_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- if ((ssl->specs.kea != rsa_kea) &&
- (ssl->specs.sig_algo == rsa_sa_algo ||
- (ssl->specs.sig_algo == ecc_dsa_sa_algo &&
- !ssl->specs.static_ecdh)) &&
- (args->dCert->extKeyUsage & KEYUSE_DIGITAL_SIG) == 0) {
- WOLFSSL_MSG("KeyUse Digital Sig not set");
- ret = KEYUSE_SIGNATURE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- #if defined(OPENSSL_EXTRA)
- /* when compatibility layer is turned on and no verify is
- * set then ignore the certificate key extension */
- if (args->dCert->extExtKeyUsageSet &&
- args->dCert->extExtKeyUsageCrit == 0 &&
- ssl->options.verifyNone) {
- WOLFSSL_MSG("Not verifying certificate ext key usage");
- }
- else
- #endif
- if (args->dCert->extExtKeyUsageSet) {
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- if ((args->dCert->extExtKeyUsage &
- (EXTKEYUSE_ANY | EXTKEYUSE_SERVER_AUTH)) == 0) {
- WOLFSSL_MSG("ExtKeyUse Server Auth not set");
- ret = EXTKEYUSE_AUTH_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- else {
- if ((args->dCert->extExtKeyUsage &
- (EXTKEYUSE_ANY | EXTKEYUSE_CLIENT_AUTH)) == 0) {
- WOLFSSL_MSG("ExtKeyUse Client Auth not set");
- ret = EXTKEYUSE_AUTH_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- }
- #endif /* IGNORE_KEY_EXTENSIONS */
- if (args->fatal) {
- ssl->error = ret;
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- SendAlert(ssl, alert_fatal, bad_certificate);
- if (ssl->peerVerifyRet == 0) /* Return first cert error here */
- ssl->peerVerifyRet = WOLFSSL_X509_V_ERR_CERT_REJECTED;
- #endif
- goto exit_ppc;
- }
- /* Certificate validated and stored. */
- ssl->options.havePeerCert = 1;
- #if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA)
- if (ssl->options.side == WOLFSSL_CLIENT_END &&
- ssl->specs.sig_algo == rsa_kea) {
- /* CLIENT: No ServerKeyExchange message sent by server. */
- ssl->options.peerAuthGood = 1;
- }
- #endif
- #if !defined(NO_WOLFSSL_CLIENT) && defined(HAVE_ECC)
- if (ssl->options.side == WOLFSSL_CLIENT_END &&
- ssl->specs.static_ecdh) {
- /* CLIENT: No ServerKeyExchange message sent by server. */
- ssl->options.peerAuthGood = 1;
- }
- #endif
- if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer) {
- #ifndef WOLFSSL_ALLOW_NO_CN_IN_SAN
- /* Per RFC 5280 section 4.2.1.6, "Whenever such identities
- * are to be bound into a certificate, the subject
- * alternative name extension MUST be used." */
- if (args->dCert->altNames) {
- if (CheckForAltNames(args->dCert,
- (char*)ssl->buffers.domainName.buffer,
- NULL) != 1) {
- WOLFSSL_MSG("DomainName match on alt names failed");
- /* try to get peer key still */
- ret = DOMAIN_NAME_MISMATCH;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- else {
- if (MatchDomainName(
- args->dCert->subjectCN,
- args->dCert->subjectCNLen,
- (char*)ssl->buffers.domainName.buffer) == 0) {
- WOLFSSL_MSG("DomainName match on common name failed");
- ret = DOMAIN_NAME_MISMATCH;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- #else /* WOLFSSL_ALL_NO_CN_IN_SAN */
- /* Old behavior. */
- if (MatchDomainName(args->dCert->subjectCN,
- args->dCert->subjectCNLen,
- (char*)ssl->buffers.domainName.buffer) == 0) {
- WOLFSSL_MSG("DomainName match on common name failed");
- if (CheckForAltNames(args->dCert,
- (char*)ssl->buffers.domainName.buffer,
- NULL) != 1) {
- WOLFSSL_MSG(
- "DomainName match on alt names failed too");
- /* try to get peer key still */
- ret = DOMAIN_NAME_MISMATCH;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- #endif /* WOLFSSL_ALL_NO_CN_IN_SAN */
- }
- /* decode peer key */
- switch (args->dCert->keyOID) {
- #ifndef NO_RSA
- #ifdef WC_RSA_PSS
- case RSAPSSk:
- #endif
- case RSAk:
- {
- word32 keyIdx = 0;
- int keyRet = 0;
- if (ssl->peerRsaKey == NULL) {
- keyRet = AllocKey(ssl, DYNAMIC_TYPE_RSA,
- (void**)&ssl->peerRsaKey);
- } else if (ssl->peerRsaKeyPresent) {
- keyRet = ReuseKey(ssl, DYNAMIC_TYPE_RSA,
- ssl->peerRsaKey);
- ssl->peerRsaKeyPresent = 0;
- }
- if (keyRet != 0 || wc_RsaPublicKeyDecode(
- args->dCert->publicKey, &keyIdx, ssl->peerRsaKey,
- args->dCert->pubKeySize) != 0) {
- ret = PEER_KEY_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- else {
- ssl->peerRsaKeyPresent = 1;
- #if defined(WOLFSSL_RENESAS_TSIP_TLS) || \
- defined(WOLFSSL_RENESAS_SCEPROTECT)
- /* copy encrypted tsip key index into ssl object */
- if (args->dCert->sce_tsip_encRsaKeyIdx) {
- if (!ssl->peerSceTsipEncRsaKeyIndex) {
- ssl->peerSceTsipEncRsaKeyIndex = (byte*)XMALLOC(
- TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY,
- ssl->heap, DYNAMIC_TYPE_RSA);
- if (!ssl->peerSceTsipEncRsaKeyIndex) {
- args->lastErr = MEMORY_E;
- goto exit_ppc;
- }
- }
- XMEMCPY(ssl->peerSceTsipEncRsaKeyIndex,
- args->dCert->sce_tsip_encRsaKeyIdx,
- TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY);
- }
- #endif
- #ifdef HAVE_PK_CALLBACKS
- #if defined(HAVE_SECURE_RENEGOTIATION) || \
- defined(WOLFSSL_POST_HANDSHAKE_AUTH)
- if (ssl->buffers.peerRsaKey.buffer) {
- XFREE(ssl->buffers.peerRsaKey.buffer,
- ssl->heap, DYNAMIC_TYPE_RSA);
- ssl->buffers.peerRsaKey.buffer = NULL;
- }
- #endif
- ssl->buffers.peerRsaKey.buffer =
- (byte*)XMALLOC(args->dCert->pubKeySize,
- ssl->heap, DYNAMIC_TYPE_RSA);
- if (ssl->buffers.peerRsaKey.buffer == NULL) {
- ret = MEMORY_ERROR;
- }
- else {
- XMEMCPY(ssl->buffers.peerRsaKey.buffer,
- args->dCert->publicKey,
- args->dCert->pubKeySize);
- ssl->buffers.peerRsaKey.length =
- args->dCert->pubKeySize;
- }
- #endif /* HAVE_PK_CALLBACKS */
- }
- /* check size of peer RSA key */
- if (ret == 0 && ssl->peerRsaKeyPresent &&
- !ssl->options.verifyNone &&
- wc_RsaEncryptSize(ssl->peerRsaKey)
- < ssl->options.minRsaKeySz) {
- ret = RSA_KEY_SIZE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- WOLFSSL_MSG("Peer RSA key is too small");
- }
- break;
- }
- #endif /* NO_RSA */
- #ifdef HAVE_ECC
- case ECDSAk:
- {
- int keyRet = 0;
- word32 idx = 0;
- #if defined(WOLFSSL_RENESAS_SCEPROTECT) || \
- defined(WOLFSSL_RENESAS_TSIP_TLS)
- /* copy encrypted tsip/sce key index into ssl object */
- if (args->dCert->sce_tsip_encRsaKeyIdx) {
- if (!ssl->peerSceTsipEncRsaKeyIndex) {
- ssl->peerSceTsipEncRsaKeyIndex = (byte*)XMALLOC(
- TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY,
- ssl->heap, DYNAMIC_TYPE_RSA);
- if (!ssl->peerSceTsipEncRsaKeyIndex) {
- args->lastErr = MEMORY_E;
- ERROR_OUT(MEMORY_ERROR, exit_ppc);
- }
- }
- XMEMCPY(ssl->peerSceTsipEncRsaKeyIndex,
- args->dCert->sce_tsip_encRsaKeyIdx,
- TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY);
- }
- #endif
- if (ssl->peerEccDsaKey == NULL) {
- /* alloc/init on demand */
- keyRet = AllocKey(ssl, DYNAMIC_TYPE_ECC,
- (void**)&ssl->peerEccDsaKey);
- } else if (ssl->peerEccDsaKeyPresent) {
- keyRet = ReuseKey(ssl, DYNAMIC_TYPE_ECC,
- ssl->peerEccDsaKey);
- ssl->peerEccDsaKeyPresent = 0;
- }
- if (keyRet != 0 ||
- wc_EccPublicKeyDecode(args->dCert->publicKey, &idx,
- ssl->peerEccDsaKey,
- args->dCert->pubKeySize) != 0) {
- ret = PEER_KEY_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- else {
- ssl->peerEccDsaKeyPresent = 1;
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->buffers.peerEccDsaKey.buffer)
- XFREE(ssl->buffers.peerEccDsaKey.buffer,
- ssl->heap, DYNAMIC_TYPE_ECC);
- ssl->buffers.peerEccDsaKey.buffer =
- (byte*)XMALLOC(args->dCert->pubKeySize,
- ssl->heap, DYNAMIC_TYPE_ECC);
- if (ssl->buffers.peerEccDsaKey.buffer == NULL) {
- ERROR_OUT(MEMORY_ERROR, exit_ppc);
- }
- else {
- XMEMCPY(ssl->buffers.peerEccDsaKey.buffer,
- args->dCert->publicKey,
- args->dCert->pubKeySize);
- ssl->buffers.peerEccDsaKey.length =
- args->dCert->pubKeySize;
- }
- #endif /* HAVE_PK_CALLBACKS */
- }
- /* check size of peer ECC key */
- if (ret == 0 && ssl->peerEccDsaKeyPresent &&
- !ssl->options.verifyNone &&
- wc_ecc_size(ssl->peerEccDsaKey)
- < ssl->options.minEccKeySz) {
- ret = ECC_KEY_SIZE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- WOLFSSL_MSG("Peer ECC key is too small");
- }
- /* populate curve oid - if missing */
- if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->ecdhCurveOID == 0)
- ssl->ecdhCurveOID = args->dCert->pkCurveOID;
- break;
- }
- #endif /* HAVE_ECC */
- #if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT)
- case ED25519k:
- {
- int keyRet = 0;
- if (ssl->peerEd25519Key == NULL) {
- /* alloc/init on demand */
- keyRet = AllocKey(ssl, DYNAMIC_TYPE_ED25519,
- (void**)&ssl->peerEd25519Key);
- } else if (ssl->peerEd25519KeyPresent) {
- keyRet = ReuseKey(ssl, DYNAMIC_TYPE_ED25519,
- ssl->peerEd25519Key);
- ssl->peerEd25519KeyPresent = 0;
- }
- if (keyRet != 0 ||
- wc_ed25519_import_public(args->dCert->publicKey,
- args->dCert->pubKeySize,
- ssl->peerEd25519Key)
- != 0) {
- ret = PEER_KEY_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- else {
- ssl->peerEd25519KeyPresent = 1;
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.peerEd25519Key.buffer =
- (byte*)XMALLOC(args->dCert->pubKeySize,
- ssl->heap, DYNAMIC_TYPE_ED25519);
- if (ssl->buffers.peerEd25519Key.buffer == NULL) {
- ERROR_OUT(MEMORY_ERROR, exit_ppc);
- }
- else {
- XMEMCPY(ssl->buffers.peerEd25519Key.buffer,
- args->dCert->publicKey,
- args->dCert->pubKeySize);
- ssl->buffers.peerEd25519Key.length =
- args->dCert->pubKeySize;
- }
- #endif /*HAVE_PK_CALLBACKS */
- }
- /* check size of peer ECC key */
- if (ret == 0 && ssl->peerEd25519KeyPresent &&
- !ssl->options.verifyNone &&
- ED25519_KEY_SIZE < ssl->options.minEccKeySz) {
- ret = ECC_KEY_SIZE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- WOLFSSL_MSG("Peer ECC key is too small");
- }
- /* populate curve oid - if missing */
- if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->ecdhCurveOID == 0)
- ssl->ecdhCurveOID = ECC_X25519_OID;
- break;
- }
- #endif /* HAVE_ED25519 && HAVE_ED25519_KEY_IMPORT */
- #if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_IMPORT)
- case ED448k:
- {
- int keyRet = 0;
- if (ssl->peerEd448Key == NULL) {
- /* alloc/init on demand */
- keyRet = AllocKey(ssl, DYNAMIC_TYPE_ED448,
- (void**)&ssl->peerEd448Key);
- } else if (ssl->peerEd448KeyPresent) {
- keyRet = ReuseKey(ssl, DYNAMIC_TYPE_ED448,
- ssl->peerEd448Key);
- ssl->peerEd448KeyPresent = 0;
- }
- if (keyRet != 0 ||
- wc_ed448_import_public(args->dCert->publicKey,
- args->dCert->pubKeySize,
- ssl->peerEd448Key) != 0) {
- ret = PEER_KEY_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- else {
- ssl->peerEd448KeyPresent = 1;
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.peerEd448Key.buffer =
- (byte*)XMALLOC(args->dCert->pubKeySize,
- ssl->heap, DYNAMIC_TYPE_ED448);
- if (ssl->buffers.peerEd448Key.buffer == NULL) {
- ERROR_OUT(MEMORY_ERROR, exit_ppc);
- }
- else {
- XMEMCPY(ssl->buffers.peerEd448Key.buffer,
- args->dCert->publicKey,
- args->dCert->pubKeySize);
- ssl->buffers.peerEd448Key.length =
- args->dCert->pubKeySize;
- }
- #endif /*HAVE_PK_CALLBACKS */
- }
- /* check size of peer ECC key */
- if (ret == 0 && ssl->peerEd448KeyPresent &&
- !ssl->options.verifyNone &&
- ED448_KEY_SIZE < ssl->options.minEccKeySz) {
- ret = ECC_KEY_SIZE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- WOLFSSL_MSG("Peer ECC key is too small");
- }
- /* populate curve oid - if missing */
- if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->ecdhCurveOID == 0)
- ssl->ecdhCurveOID = ECC_X448_OID;
- break;
- }
- #endif /* HAVE_ED448 && HAVE_ED448_KEY_IMPORT */
- #if defined(HAVE_PQC)
- #if defined(HAVE_FALCON)
- case FALCON_LEVEL1k:
- case FALCON_LEVEL5k:
- {
- int keyRet = 0;
- if (ssl->peerFalconKey == NULL) {
- /* alloc/init on demand */
- keyRet = AllocKey(ssl, DYNAMIC_TYPE_FALCON,
- (void**)&ssl->peerFalconKey);
- } else if (ssl->peerFalconKeyPresent) {
- keyRet = ReuseKey(ssl, DYNAMIC_TYPE_FALCON,
- ssl->peerFalconKey);
- ssl->peerFalconKeyPresent = 0;
- }
- if (keyRet == 0) {
- if (args->dCert->keyOID == FALCON_LEVEL1k) {
- keyRet = wc_falcon_set_level(ssl->peerFalconKey,
- 1);
- }
- else {
- keyRet = wc_falcon_set_level(ssl->peerFalconKey,
- 5);
- }
- }
- if (keyRet != 0 ||
- wc_falcon_import_public(args->dCert->publicKey,
- args->dCert->pubKeySize,
- ssl->peerFalconKey) != 0) {
- ret = PEER_KEY_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- else {
- ssl->peerFalconKeyPresent = 1;
- }
- /* check size of peer Falcon key */
- if (ret == 0 && ssl->peerFalconKeyPresent &&
- !ssl->options.verifyNone &&
- FALCON_MAX_KEY_SIZE <
- ssl->options.minFalconKeySz) {
- ret = FALCON_KEY_SIZE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- WOLFSSL_MSG("Peer Falcon key is too small");
- }
- break;
- }
- #endif /* HAVE_FALCON */
- #if defined(HAVE_DILITHIUM)
- case DILITHIUM_LEVEL2k:
- case DILITHIUM_LEVEL3k:
- case DILITHIUM_LEVEL5k:
- {
- int keyRet = 0;
- if (ssl->peerDilithiumKey == NULL) {
- /* alloc/init on demand */
- keyRet = AllocKey(ssl, DYNAMIC_TYPE_DILITHIUM,
- (void**)&ssl->peerDilithiumKey);
- } else if (ssl->peerDilithiumKeyPresent) {
- keyRet = ReuseKey(ssl, DYNAMIC_TYPE_DILITHIUM,
- ssl->peerDilithiumKey);
- ssl->peerDilithiumKeyPresent = 0;
- }
- if (keyRet == 0) {
- if (args->dCert->keyOID == DILITHIUM_LEVEL2k) {
- keyRet = wc_dilithium_set_level(
- ssl->peerDilithiumKey, 2);
- }
- else if (args->dCert->keyOID == DILITHIUM_LEVEL3k) {
- keyRet = wc_dilithium_set_level(
- ssl->peerDilithiumKey, 3);
- }
- else if (args->dCert->keyOID == DILITHIUM_LEVEL5k) {
- keyRet = wc_dilithium_set_level(
- ssl->peerDilithiumKey, 5);
- }
- }
- if (keyRet != 0 ||
- wc_dilithium_import_public(args->dCert->publicKey,
- args->dCert->pubKeySize,
- ssl->peerDilithiumKey)
- != 0) {
- ret = PEER_KEY_ERROR;
- }
- else {
- ssl->peerDilithiumKeyPresent = 1;
- }
- /* check size of peer Dilithium key */
- if (ret == 0 && ssl->peerDilithiumKeyPresent &&
- !ssl->options.verifyNone &&
- DILITHIUM_MAX_KEY_SIZE <
- ssl->options.minDilithiumKeySz) {
- ret = DILITHIUM_KEY_SIZE_E;
- WOLFSSL_MSG("Peer Dilithium key is too small");
- }
- break;
- }
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- default:
- break;
- }
- /* args->dCert free'd in function cleanup after callback */
- } /* if (count > 0) */
- /* Check for error */
- if (args->fatal && ret != 0) {
- goto exit_ppc;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_FINALIZE;
- } /* case TLS_ASYNC_VERIFY */
- FALL_THROUGH;
- case TLS_ASYNC_FINALIZE:
- {
- /* load last error */
- if (args->lastErr != 0 && ret == 0) {
- ret = args->lastErr;
- }
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- /* limit compliant with OpenSSL verify Depth + 1
- * OpenSSL tries to expand the chain one longer than limit until
- * reaching an ultimately trusted issuer. Becoming failure if
- * we hit the limit, with WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG
- */
- if (args->untrustedDepth > (ssl->options.verifyDepth + 1)) {
- if (ssl->peerVerifyRet == 0) /* Return first cert error here */
- ssl->peerVerifyRet = WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG;
- ret = MAX_CHAIN_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- #endif
- /* Do verify callback */
- ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
- if (ssl->options.verifyNone &&
- (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
- ret == CRL_CERT_DATE_ERR)) {
- WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
- ret = ssl->error = 0;
- }
- if (ret != 0) {
- if (!ssl->options.verifyNone) {
- DoCertFatalAlert(ssl, ret);
- }
- ssl->error = ret; /* Report SSL error */
- }
- if (ret == 0 && ssl->options.side == WOLFSSL_CLIENT_END) {
- ssl->options.serverState = SERVER_CERT_COMPLETE;
- }
- if (IsEncryptionOn(ssl, 0)) {
- args->idx += ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead)
- args->idx += MacSize(ssl);
- #endif
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_END;
- } /* case TLS_ASYNC_FINALIZE */
- FALL_THROUGH;
- case TLS_ASYNC_END:
- {
- /* Set final index */
- *inOutIdx = args->idx;
- break;
- }
- default:
- ret = INPUT_CASE_ERROR;
- break;
- } /* switch(ssl->options.asyncState) */
- exit_ppc:
- WOLFSSL_LEAVE("ProcessPeerCerts", ret);
- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
- if (ret == WC_PENDING_E || ret == OCSP_WANT_READ) {
- /* Mark message as not received so it can process again */
- ssl->msgsReceived.got_certificate = 0;
- return ret;
- }
- #endif /* WOLFSSL_ASYNC_CRYPT || WOLFSSL_NONBLOCK_OCSP */
- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
- /* Cleanup async */
- FreeAsyncCtx(ssl, 0);
- #elif defined(WOLFSSL_SMALL_STACK)
- if (args)
- {
- FreeProcPeerCertArgs(ssl, args);
- }
- #else
- FreeProcPeerCertArgs(ssl, args);
- #endif /* WOLFSSL_ASYNC_CRYPT || WOLFSSL_NONBLOCK_OCSP || WOLFSSL_SMALL_STACK */
- #if !defined(WOLFSSL_ASYNC_CRYPT) && defined(WOLFSSL_SMALL_STACK)
- XFREE(args, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- FreeKeyExchange(ssl);
- return ret;
- }
- #endif
- #ifndef WOLFSSL_NO_TLS12
- #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
- /* handle processing of certificate (11) */
- static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
- word32 size)
- {
- int ret;
- WOLFSSL_START(WC_FUNC_CERTIFICATE_DO);
- WOLFSSL_ENTER("DoCertificate");
- #ifdef SESSION_CERTS
- /* Reset the session cert chain count in case the session resume failed. */
- ssl->session->chain.count = 0;
- #ifdef WOLFSSL_ALT_CERT_CHAINS
- ssl->session->altChain.count = 0;
- #endif
- #endif /* SESSION_CERTS */
- ret = ProcessPeerCerts(ssl, input, inOutIdx, size);
- #ifdef OPENSSL_EXTRA
- ssl->options.serverState = SERVER_CERT_COMPLETE;
- #endif
- WOLFSSL_LEAVE("DoCertificate", ret);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_DO);
- return ret;
- }
- /* handle processing of certificate_status (22) */
- static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
- word32 size)
- {
- int ret = 0;
- byte status_type;
- word32 status_length;
- WOLFSSL_START(WC_FUNC_CERTIFICATE_STATUS_DO);
- WOLFSSL_ENTER("DoCertificateStatus");
- if (size < ENUM_LEN + OPAQUE24_LEN)
- return BUFFER_ERROR;
- status_type = input[(*inOutIdx)++];
- c24to32(input + *inOutIdx, &status_length);
- *inOutIdx += OPAQUE24_LEN;
- if (size != ENUM_LEN + OPAQUE24_LEN + status_length)
- return BUFFER_ERROR;
- switch (status_type) {
- #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
- || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
- /* WOLFSSL_CSR_OCSP overlaps with WOLFSSL_CSR2_OCSP */
- case WOLFSSL_CSR2_OCSP:
- ret = ProcessCSR(ssl, input, inOutIdx, status_length);
- break;
- #endif
- #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
- case WOLFSSL_CSR2_OCSP_MULTI: {
- OcspRequest* request;
- word32 list_length = status_length;
- byte idx = 0;
- #ifdef WOLFSSL_SMALL_STACK
- CertStatus* status;
- OcspEntry* single;
- OcspResponse* response;
- #else
- CertStatus status[1];
- OcspEntry single[1];
- OcspResponse response[1];
- #endif
- do {
- if (ssl->status_request_v2) {
- ssl->status_request_v2 = 0;
- break;
- }
- return BUFFER_ERROR;
- } while(0);
- #ifdef WOLFSSL_SMALL_STACK
- status = (CertStatus*)XMALLOC(sizeof(CertStatus), ssl->heap,
- DYNAMIC_TYPE_OCSP_STATUS);
- single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), ssl->heap,
- DYNAMIC_TYPE_OCSP_ENTRY);
- response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), ssl->heap,
- DYNAMIC_TYPE_OCSP_REQUEST);
- if (status == NULL || single == NULL || response == NULL) {
- if (status)
- XFREE(status, ssl->heap, DYNAMIC_TYPE_OCSP_STATUS);
- if (single)
- XFREE(single, ssl->heap, DYNAMIC_TYPE_OCSP_ENTRY);
- if (response)
- XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
- return MEMORY_ERROR;
- }
- #endif
- while (list_length && ret == 0) {
- if (OPAQUE24_LEN > list_length) {
- ret = BUFFER_ERROR;
- break;
- }
- c24to32(input + *inOutIdx, &status_length);
- *inOutIdx += OPAQUE24_LEN;
- list_length -= OPAQUE24_LEN;
- if (status_length > list_length) {
- ret = BUFFER_ERROR;
- break;
- }
- if (status_length) {
- InitOcspResponse(response, single, status, input +*inOutIdx,
- status_length, ssl->heap);
- if ((OcspResponseDecode(response, SSL_CM(ssl), ssl->heap,
- 0) != 0)
- || (response->responseStatus != OCSP_SUCCESSFUL)
- || (response->single->status->status != CERT_GOOD))
- ret = BAD_CERTIFICATE_STATUS_ERROR;
- while (ret == 0) {
- request = (OcspRequest*)TLSX_CSR2_GetRequest(
- ssl->extensions, status_type, idx++);
- if (request == NULL)
- ret = BAD_CERTIFICATE_STATUS_ERROR;
- else if (CompareOcspReqResp(request, response) == 0)
- break;
- else if (idx == 1) /* server cert must be OK */
- ret = BAD_CERTIFICATE_STATUS_ERROR;
- }
- FreeOcspResponse(response);
- *inOutIdx += status_length;
- list_length -= status_length;
- }
- }
- ssl->status_request_v2 = 0;
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(status, NULL, DYNAMIC_TYPE_OCSP_STATUS);
- XFREE(single, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
- XFREE(response, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
- #endif
- }
- break;
- #endif
- default:
- ret = BUFFER_ERROR;
- }
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- SendAlert(ssl, alert_fatal, bad_certificate_status_response);
- }
- if (IsEncryptionOn(ssl, 0)) {
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead) {
- word32 digestSz = MacSize(ssl);
- if (*inOutIdx + ssl->keys.padSz + digestSz > size)
- return BUFFER_E;
- *inOutIdx += ssl->keys.padSz + digestSz;
- }
- else
- #endif
- {
- if (*inOutIdx + ssl->keys.padSz > size)
- return BUFFER_E;
- *inOutIdx += ssl->keys.padSz;
- }
- }
- WOLFSSL_LEAVE("DoCertificateStatus", ret);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_STATUS_DO);
- return ret;
- }
- #endif
- #endif /* !WOLFSSL_NO_TLS12 */
- #endif /* !NO_CERTS */
- #ifndef WOLFSSL_NO_TLS12
- static int DoHelloRequest(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
- word32 size, word32 totalSz)
- {
- (void)input;
- WOLFSSL_START(WC_FUNC_HELLO_REQUEST_DO);
- WOLFSSL_ENTER("DoHelloRequest");
- if (size) /* must be 0 */
- return BUFFER_ERROR;
- if (IsEncryptionOn(ssl, 0)) {
- /* If size == totalSz then we are in DtlsMsgDrain so no need to worry
- * about padding */
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead) {
- word32 digestSz = MacSize(ssl);
- if (size != totalSz &&
- *inOutIdx + ssl->keys.padSz + digestSz > totalSz)
- return BUFFER_E;
- *inOutIdx += ssl->keys.padSz + digestSz;
- }
- else
- #endif
- {
- /* access beyond input + size should be checked against totalSz */
- if (size != totalSz &&
- *inOutIdx + ssl->keys.padSz > totalSz)
- return BUFFER_E;
- *inOutIdx += ssl->keys.padSz;
- }
- }
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- SendAlert(ssl, alert_fatal, unexpected_message); /* try */
- WOLFSSL_ERROR_VERBOSE(FATAL_ERROR);
- return FATAL_ERROR;
- }
- #ifdef HAVE_SECURE_RENEGOTIATION
- else if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) {
- ssl->secure_renegotiation->startScr = 1;
- WOLFSSL_LEAVE("DoHelloRequest", 0);
- WOLFSSL_END(WC_FUNC_HELLO_REQUEST_DO);
- return 0;
- }
- #endif
- else {
- return SendAlert(ssl, alert_warning, no_renegotiation);
- }
- }
- int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size,
- word32 totalSz, int sniff)
- {
- word32 finishedSz = (ssl->options.tls ? TLS_FINISHED_SZ : FINISHED_SZ);
- WOLFSSL_START(WC_FUNC_FINISHED_DO);
- WOLFSSL_ENTER("DoFinished");
- if (finishedSz != size)
- return BUFFER_ERROR;
- /* check against totalSz
- * If size == totalSz then we are in DtlsMsgDrain so no need to worry about
- * padding */
- if (size != totalSz) {
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead) {
- if (*inOutIdx + size + ssl->keys.padSz + MacSize(ssl) > totalSz)
- return BUFFER_E;
- }
- else
- #endif
- {
- if (*inOutIdx + size + ssl->keys.padSz > totalSz)
- return BUFFER_E;
- }
- }
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
- if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo);
- #endif
- if (sniff == NO_SNIFF) {
- if (XMEMCMP(input + *inOutIdx, &ssl->hsHashes->verifyHashes,size) != 0){
- WOLFSSL_MSG("Verify finished error on hashes");
- WOLFSSL_ERROR_VERBOSE(VERIFY_FINISHED_ERROR);
- return VERIFY_FINISHED_ERROR;
- }
- }
- #ifdef HAVE_SECURE_RENEGOTIATION
- if (ssl->secure_renegotiation) {
- /* save peer's state */
- if (ssl->options.side == WOLFSSL_CLIENT_END)
- XMEMCPY(ssl->secure_renegotiation->server_verify_data,
- input + *inOutIdx, TLS_FINISHED_SZ);
- else
- XMEMCPY(ssl->secure_renegotiation->client_verify_data,
- input + *inOutIdx, TLS_FINISHED_SZ);
- ssl->secure_renegotiation->verifySet = 1;
- }
- #endif
- #ifdef WOLFSSL_HAVE_TLS_UNIQUE
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- XMEMCPY(ssl->serverFinished,
- input + *inOutIdx, TLS_FINISHED_SZ);
- ssl->serverFinished_len = TLS_FINISHED_SZ;
- }
- else {
- XMEMCPY(ssl->clientFinished,
- input + *inOutIdx, TLS_FINISHED_SZ);
- ssl->clientFinished_len = TLS_FINISHED_SZ;
- }
- #endif
- /* force input exhaustion at ProcessReply consuming padSz */
- *inOutIdx += size + ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead)
- *inOutIdx += MacSize(ssl);
- #endif
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- ssl->options.serverState = SERVER_FINISHED_COMPLETE;
- #ifdef OPENSSL_EXTRA
- ssl->cbmode = SSL_CB_MODE_WRITE;
- ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
- #endif
- if (!ssl->options.resuming) {
- #ifdef OPENSSL_EXTRA
- if (ssl->CBIS != NULL) {
- ssl->CBIS(ssl, SSL_CB_CONNECT_LOOP, WOLFSSL_SUCCESS);
- }
- #endif
- ssl->options.handShakeState = HANDSHAKE_DONE;
- ssl->options.handShakeDone = 1;
- }
- }
- else {
- ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
- #ifdef OPENSSL_EXTRA
- ssl->cbmode = SSL_CB_MODE_READ;
- ssl->options.serverState = SERVER_FINISHED_COMPLETE;
- #endif
- if (ssl->options.resuming) {
- #ifdef OPENSSL_EXTRA
- if (ssl->CBIS != NULL) {
- ssl->CBIS(ssl, SSL_CB_ACCEPT_LOOP, WOLFSSL_SUCCESS);
- }
- #endif
- ssl->options.handShakeState = HANDSHAKE_DONE;
- ssl->options.handShakeDone = 1;
- }
- }
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- if ((!ssl->options.resuming && ssl->options.side == WOLFSSL_CLIENT_END) ||
- (ssl->options.resuming && ssl->options.side == WOLFSSL_SERVER_END)){
- DtlsMsgPoolReset(ssl);
- ssl->keys.dtls_handshake_number = 0;
- ssl->keys.dtls_expected_peer_handshake_number = 0;
- }
- }
- #endif
- WOLFSSL_LEAVE("DoFinished", 0);
- WOLFSSL_END(WC_FUNC_FINISHED_DO);
- return 0;
- }
- /* Make sure no duplicates, no fast forward, or other problems; 0 on success */
- static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
- {
- /* verify not a duplicate, mark received, check state */
- switch (type) {
- #ifndef NO_WOLFSSL_CLIENT
- case hello_request:
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- WOLFSSL_MSG("HelloRequest received by server");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- if (ssl->msgsReceived.got_hello_request) {
- WOLFSSL_MSG("Duplicate HelloRequest received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_hello_request = 1;
- break;
- #endif
- #ifndef NO_WOLFSSL_SERVER
- case client_hello:
- #ifndef NO_WOLFSSL_CLIENT
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- WOLFSSL_MSG("ClientHello received by client");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- if (ssl->msgsReceived.got_client_hello) {
- WOLFSSL_MSG("Duplicate ClientHello received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_client_hello = 1;
- break;
- #endif
- #ifndef NO_WOLFSSL_CLIENT
- case server_hello:
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- WOLFSSL_MSG("ServerHello received by server");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- if (ssl->msgsReceived.got_server_hello) {
- WOLFSSL_MSG("Duplicate ServerHello received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_server_hello = 1;
- break;
- #endif
- #ifndef NO_WOLFSSL_CLIENT
- case hello_verify_request:
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- WOLFSSL_MSG("HelloVerifyRequest received by server");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- if (ssl->msgsReceived.got_hello_verify_request) {
- WOLFSSL_MSG("Duplicate HelloVerifyRequest received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_hello_verify_request = 1;
- break;
- #endif
- #ifndef NO_WOLFSSL_CLIENT
- case session_ticket:
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- WOLFSSL_MSG("SessionTicket received by server");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- if (ssl->msgsReceived.got_session_ticket) {
- WOLFSSL_MSG("Duplicate SessionTicket received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_session_ticket = 1;
- break;
- #endif
- case certificate:
- if (ssl->msgsReceived.got_certificate) {
- WOLFSSL_MSG("Duplicate Certificate received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_certificate = 1;
- #ifndef NO_WOLFSSL_CLIENT
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- if ( ssl->msgsReceived.got_server_hello == 0) {
- WOLFSSL_MSG("No ServerHello before Cert");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- }
- #endif
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- if ( ssl->msgsReceived.got_client_hello == 0) {
- WOLFSSL_MSG("No ClientHello before Cert");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- }
- #endif
- break;
- #ifndef NO_WOLFSSL_CLIENT
- case certificate_status:
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- WOLFSSL_MSG("CertificateStatus received by server");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- if (ssl->msgsReceived.got_certificate_status) {
- WOLFSSL_MSG("Duplicate CertificateStatus received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_certificate_status = 1;
- if (ssl->msgsReceived.got_certificate == 0) {
- WOLFSSL_MSG("No Certificate before CertificateStatus");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- if (ssl->msgsReceived.got_server_key_exchange != 0) {
- WOLFSSL_MSG("CertificateStatus after ServerKeyExchange");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- break;
- #endif
- #ifndef NO_WOLFSSL_CLIENT
- case server_key_exchange:
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- WOLFSSL_MSG("ServerKeyExchange received by server");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- if (ssl->msgsReceived.got_server_key_exchange) {
- WOLFSSL_MSG("Duplicate ServerKeyExchange received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_server_key_exchange = 1;
- if (ssl->msgsReceived.got_server_hello == 0) {
- WOLFSSL_MSG("No ServerHello before ServerKeyExchange");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- if (ssl->msgsReceived.got_certificate_status == 0) {
- #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
- if (ssl->status_request) {
- int ret;
- WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange");
- if ((ret = TLSX_CSR_ForceRequest(ssl)) != 0)
- return ret;
- }
- #endif
- #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
- if (ssl->status_request_v2) {
- int ret;
- WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange");
- if ((ret = TLSX_CSR2_ForceRequest(ssl)) != 0)
- return ret;
- }
- #endif
- #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
- defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
- /* Check that a status request extension was seen as the
- * CertificateStatus wasn't when an OCSP staple is required.
- */
- if (
- #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
- !ssl->status_request &&
- #endif
- #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
- !ssl->status_request_v2 &&
- #endif
- SSL_CM(ssl)->ocspMustStaple) {
- WOLFSSL_ERROR_VERBOSE(OCSP_CERT_UNKNOWN);
- return OCSP_CERT_UNKNOWN;
- }
- #endif
- }
- break;
- #endif
- #ifndef NO_WOLFSSL_CLIENT
- case certificate_request:
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- WOLFSSL_MSG("CertificateRequest received by server");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- if (ssl->msgsReceived.got_certificate_request) {
- WOLFSSL_MSG("Duplicate CertificateRequest received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_certificate_request = 1;
- break;
- #endif
- #ifndef NO_WOLFSSL_CLIENT
- case server_hello_done:
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- WOLFSSL_MSG("ServerHelloDone received by server");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- if (ssl->msgsReceived.got_server_hello_done) {
- WOLFSSL_MSG("Duplicate ServerHelloDone received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_server_hello_done = 1;
- if (ssl->msgsReceived.got_certificate == 0) {
- if (ssl->specs.kea == psk_kea ||
- ssl->specs.kea == dhe_psk_kea ||
- ssl->specs.kea == ecdhe_psk_kea ||
- ssl->options.usingAnon_cipher) {
- WOLFSSL_MSG("No Cert required");
- }
- else {
- WOLFSSL_MSG("No Certificate before ServerHelloDone");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- }
- if (ssl->msgsReceived.got_server_key_exchange == 0) {
- int pskNoServerHint = 0; /* not required in this case */
- #ifndef NO_PSK
- if (ssl->specs.kea == psk_kea &&
- ssl->arrays != NULL &&
- ssl->arrays->server_hint[0] == 0)
- pskNoServerHint = 1;
- #endif
- if (ssl->specs.static_ecdh == 1 ||
- ssl->specs.kea == rsa_kea ||
- pskNoServerHint) {
- WOLFSSL_MSG("No KeyExchange required");
- }
- else {
- WOLFSSL_MSG("No ServerKeyExchange before ServerDone");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- }
- break;
- #endif
- #ifndef NO_WOLFSSL_SERVER
- case certificate_verify:
- #ifndef NO_WOLFSSL_CLIENT
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- WOLFSSL_MSG("CertificateVerify received by client");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- if (ssl->msgsReceived.got_certificate_verify) {
- WOLFSSL_MSG("Duplicate CertificateVerify received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_certificate_verify = 1;
- if ( ssl->msgsReceived.got_certificate == 0) {
- WOLFSSL_MSG("No Cert before CertVerify");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- break;
- #endif
- #ifndef NO_WOLFSSL_SERVER
- case client_key_exchange:
- #ifndef NO_WOLFSSL_CLIENT
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- WOLFSSL_MSG("ClientKeyExchange received by client");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- if (ssl->msgsReceived.got_client_key_exchange) {
- WOLFSSL_MSG("Duplicate ClientKeyExchange received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_client_key_exchange = 1;
- if (ssl->msgsReceived.got_client_hello == 0) {
- WOLFSSL_MSG("No ClientHello before ClientKeyExchange");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- break;
- #endif
- case finished:
- if (ssl->msgsReceived.got_finished) {
- WOLFSSL_MSG("Duplicate Finished received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- if (ssl->keys.curEpoch == 0) {
- WOLFSSL_MSG("Finished received with epoch 0");
- WOLFSSL_ERROR_VERBOSE(SEQUENCE_ERROR);
- return SEQUENCE_ERROR;
- }
- }
- #endif
- ssl->msgsReceived.got_finished = 1;
- if (ssl->msgsReceived.got_change_cipher == 0) {
- WOLFSSL_MSG("Finished received before ChangeCipher");
- WOLFSSL_ERROR_VERBOSE(NO_CHANGE_CIPHER_E);
- return NO_CHANGE_CIPHER_E;
- }
- break;
- case change_cipher_hs:
- if (ssl->msgsReceived.got_change_cipher) {
- WOLFSSL_MSG("Duplicate ChangeCipher received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- /* DTLS is going to ignore the CCS message if the client key
- * exchange message wasn't received yet. */
- if (!ssl->options.dtls)
- ssl->msgsReceived.got_change_cipher = 1;
- #ifndef NO_WOLFSSL_CLIENT
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- if (!ssl->options.resuming) {
- if (ssl->msgsReceived.got_server_hello_done == 0) {
- WOLFSSL_MSG("No ServerHelloDone before ChangeCipher");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- }
- else {
- if (ssl->msgsReceived.got_server_hello == 0) {
- WOLFSSL_MSG("No ServerHello before ChangeCipher on "
- "Resume");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- }
- #ifdef HAVE_SESSION_TICKET
- if (ssl->expect_session_ticket) {
- WOLFSSL_MSG("Expected session ticket missing");
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- #endif
- WOLFSSL_ERROR_VERBOSE(SESSION_TICKET_EXPECT_E);
- return SESSION_TICKET_EXPECT_E;
- }
- #endif
- }
- #endif
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- if (!ssl->options.resuming &&
- ssl->msgsReceived.got_client_key_exchange == 0) {
- WOLFSSL_MSG("No ClientKeyExchange before ChangeCipher");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- #ifndef NO_CERTS
- if (ssl->options.verifyPeer &&
- ssl->options.havePeerCert) {
- if (!ssl->options.havePeerVerify ||
- !ssl->msgsReceived.got_certificate_verify) {
- WOLFSSL_MSG("client didn't send cert verify");
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- #endif
- WOLFSSL_ERROR_VERBOSE(NO_PEER_VERIFY);
- return NO_PEER_VERIFY;
- }
- }
- #endif
- }
- #endif
- if (ssl->options.dtls)
- ssl->msgsReceived.got_change_cipher = 1;
- break;
- default:
- WOLFSSL_MSG("Unknown message type");
- WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
- return SANITY_MSG_E;
- }
- return 0;
- }
- static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
- byte type, word32 size, word32 totalSz)
- {
- int ret = 0;
- word32 expectedIdx;
- WOLFSSL_ENTER("DoHandShakeMsgType");
- #ifdef WOLFSSL_TLS13
- if (type == hello_retry_request) {
- return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
- totalSz);
- }
- #endif
- /* make sure can read the message */
- if (*inOutIdx + size > totalSz) {
- WOLFSSL_MSG("Incomplete Data");
- WOLFSSL_ERROR_VERBOSE(INCOMPLETE_DATA);
- return INCOMPLETE_DATA;
- }
- expectedIdx = *inOutIdx + size +
- (ssl->keys.encryptionOn ? ssl->keys.padSz : 0);
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead && ssl->keys.encryptionOn)
- expectedIdx += MacSize(ssl);
- #endif
- #if !defined(NO_WOLFSSL_SERVER) && \
- defined(HAVE_SECURE_RENEGOTIATION) && \
- defined(HAVE_SERVER_RENEGOTIATION_INFO)
- if (ssl->options.handShakeDone && type == client_hello &&
- ssl->secure_renegotiation &&
- ssl->secure_renegotiation->enabled)
- {
- WOLFSSL_MSG("Reset handshake state");
- XMEMSET(&ssl->msgsReceived, 0, sizeof(MsgsReceived));
- ssl->options.serverState = NULL_STATE;
- ssl->options.clientState = NULL_STATE;
- ssl->options.connectState = CONNECT_BEGIN;
- ssl->options.acceptState = ACCEPT_FIRST_REPLY_DONE;
- ssl->options.handShakeState = NULL_STATE;
- ssl->secure_renegotiation->cache_status = SCR_CACHE_NEEDED;
- ret = InitHandshakeHashes(ssl);
- if (ret != 0)
- return ret;
- }
- #endif
- /* sanity check msg received */
- if ( (ret = SanityCheckMsgReceived(ssl, type)) != 0) {
- WOLFSSL_MSG("Sanity Check on handshake message type received failed");
- return ret;
- }
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- /* add name later, add the handshake header part back on and record layer
- * header */
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, 0, handshake, input + *inOutIdx -
- HANDSHAKE_HEADER_SZ, size + HANDSHAKE_HEADER_SZ, READ_PROTO,
- RECORD_HEADER_SZ, ssl->heap);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_CALLBACKS
- AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
- #endif
- }
- #endif
- if (ssl->options.handShakeState == HANDSHAKE_DONE && type != hello_request){
- WOLFSSL_MSG("HandShake message after handshake complete");
- SendAlert(ssl, alert_fatal, unexpected_message);
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.dtls == 0 &&
- ssl->options.serverState == NULL_STATE && type != server_hello) {
- WOLFSSL_MSG("First server message not server hello");
- SendAlert(ssl, alert_fatal, unexpected_message);
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.dtls &&
- type == server_hello_done &&
- ssl->options.serverState < SERVER_HELLO_COMPLETE) {
- WOLFSSL_MSG("Server hello done received before server hello in DTLS");
- SendAlert(ssl, alert_fatal, unexpected_message);
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- if (ssl->options.side == WOLFSSL_SERVER_END &&
- ssl->options.clientState == NULL_STATE && type != client_hello) {
- WOLFSSL_MSG("First client message not client hello");
- SendAlert(ssl, alert_fatal, unexpected_message);
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- /* above checks handshake state */
- /* hello_request not hashed */
- if (type != hello_request
- #ifdef WOLFSSL_ASYNC_CRYPT
- && ssl->error != WC_PENDING_E
- #endif
- #ifdef WOLFSSL_NONBLOCK_OCSP
- && ssl->error != OCSP_WANT_READ
- #endif
- ) {
- ret = HashInput(ssl, input + *inOutIdx, size);
- if (ret != 0) {
- WOLFSSL_MSG("Incomplete handshake hashes");
- return ret;
- }
- }
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- switch (type) {
- case certificate:
- case server_key_exchange:
- case certificate_request:
- case server_hello_done:
- if (ssl->options.resuming) {
- #ifdef WOLFSSL_WPAS
- /* This can occur when ssl->sessionSecretCb is set. EAP-FAST
- * (RFC 4851) allows for detecting server session resumption
- * based on the msg received after the ServerHello. */
- WOLFSSL_MSG("Not resuming as thought");
- ssl->options.resuming = 0;
- /* No longer resuming, reset peer authentication state. */
- ssl->options.peerAuthGood = 0;
- #else
- /* Fatal error. Only try to send an alert. RFC 5246 does not
- * allow for reverting back to a full handshake after the
- * server has indicated the intention to do a resumption. */
- (void)SendAlert(ssl, alert_fatal, unexpected_message);
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- #endif
- }
- }
- }
- #ifdef OPENSSL_EXTRA
- if (ssl->CBIS != NULL){
- ssl->cbmode = SSL_CB_MODE_READ;
- ssl->cbtype = type;
- ssl->CBIS(ssl, SSL_CB_ACCEPT_LOOP, WOLFSSL_SUCCESS);
- }
- #endif
- switch (type) {
- case hello_request:
- WOLFSSL_MSG("processing hello request");
- ret = DoHelloRequest(ssl, input, inOutIdx, size, totalSz);
- break;
- #ifndef NO_WOLFSSL_CLIENT
- case hello_verify_request:
- WOLFSSL_MSG("processing hello verify request");
- ret = DoHelloVerifyRequest(ssl, input,inOutIdx, size);
- if (IsEncryptionOn(ssl, 0)) {
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead) {
- word32 digestSz = MacSize(ssl);
- if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz)
- return BUFFER_E;
- *inOutIdx += ssl->keys.padSz + digestSz;
- }
- else
- #endif
- {
- /* access beyond input + size should be checked against totalSz
- */
- if (*inOutIdx + ssl->keys.padSz > totalSz)
- return BUFFER_E;
- *inOutIdx += ssl->keys.padSz;
- }
- }
- break;
- case server_hello:
- WOLFSSL_MSG("processing server hello");
- ret = DoServerHello(ssl, input, inOutIdx, size);
- #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
- ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
- (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
- if (ssl->options.resuming || !IsAtLeastTLSv1_2(ssl) ||
- IsAtLeastTLSv1_3(ssl->version)) {
- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
- if (ret != WC_PENDING_E && ret != OCSP_WANT_READ)
- #endif
- {
- ssl->options.cacheMessages = 0;
- if ((ssl->hsHashes != NULL) && (ssl->hsHashes->messages != NULL)) {
- ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length);
- XFREE(ssl->hsHashes->messages, ssl->heap,
- DYNAMIC_TYPE_HASHES);
- ssl->hsHashes->messages = NULL;
- }
- }
- }
- #endif
- break;
- #ifndef NO_CERTS
- case certificate_request:
- WOLFSSL_MSG("processing certificate request");
- ret = DoCertificateRequest(ssl, input, inOutIdx, size);
- break;
- #endif
- case server_key_exchange:
- WOLFSSL_MSG("processing server key exchange");
- ret = DoServerKeyExchange(ssl, input, inOutIdx, size);
- break;
- #ifdef HAVE_SESSION_TICKET
- case session_ticket:
- WOLFSSL_MSG("processing session ticket");
- ret = DoSessionTicket(ssl, input, inOutIdx, size);
- break;
- #endif /* HAVE_SESSION_TICKET */
- #endif
- #if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
- !defined(WOLFSSL_NO_CLIENT_AUTH))
- case certificate:
- WOLFSSL_MSG("processing certificate");
- ret = DoCertificate(ssl, input, inOutIdx, size);
- break;
- case certificate_status:
- WOLFSSL_MSG("processing certificate status");
- ret = DoCertificateStatus(ssl, input, inOutIdx, size);
- break;
- #endif
- case server_hello_done:
- WOLFSSL_MSG("processing server hello done");
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "ServerHelloDone");
- if (ssl->toInfoOn)
- AddLateName("ServerHelloDone", &ssl->timeoutInfo);
- #endif
- ssl->options.serverState = SERVER_HELLODONE_COMPLETE;
- if (IsEncryptionOn(ssl, 0)) {
- *inOutIdx += ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead)
- *inOutIdx += MacSize(ssl);
- #endif
- }
- break;
- case finished:
- WOLFSSL_MSG("processing finished");
- ret = DoFinished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF);
- break;
- #ifndef NO_WOLFSSL_SERVER
- case client_hello:
- WOLFSSL_MSG("processing client hello");
- ret = DoClientHello(ssl, input, inOutIdx, size);
- #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
- ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
- (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
- if (ssl->options.resuming || !ssl->options.verifyPeer || \
- !IsAtLeastTLSv1_2(ssl) || IsAtLeastTLSv1_3(ssl->version)) {
- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
- if (ret != WC_PENDING_E && ret != OCSP_WANT_READ)
- #endif
- {
- ssl->options.cacheMessages = 0;
- if ((ssl->hsHashes != NULL) && (ssl->hsHashes->messages != NULL)) {
- ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length);
- XFREE(ssl->hsHashes->messages, ssl->heap, DYNAMIC_TYPE_HASHES);
- ssl->hsHashes->messages = NULL;
- }
- }
- }
- #endif
- /* If size == totalSz then we are in DtlsMsgDrain so no need to worry
- * about padding */
- if (IsEncryptionOn(ssl, 0)) {
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead) {
- word32 digestSz = MacSize(ssl);
- if (size != totalSz &&
- *inOutIdx + ssl->keys.padSz + digestSz > totalSz)
- return BUFFER_E;
- *inOutIdx += ssl->keys.padSz + digestSz;
- }
- else
- #endif
- {
- /* access beyond input + size should be checked against totalSz
- */
- if (size != totalSz &&
- *inOutIdx + ssl->keys.padSz > totalSz)
- return BUFFER_E;
- *inOutIdx += ssl->keys.padSz;
- }
- }
- break;
- case client_key_exchange:
- WOLFSSL_MSG("processing client key exchange");
- ret = DoClientKeyExchange(ssl, input, inOutIdx, size);
- break;
- #if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
- defined(HAVE_ED448)) && !defined(WOLFSSL_NO_CLIENT_AUTH)
- case certificate_verify:
- WOLFSSL_MSG("processing certificate verify");
- ret = DoCertificateVerify(ssl, input, inOutIdx, size);
- break;
- #endif /* (!NO_RSA || ECC || ED25519 || ED448) && !WOLFSSL_NO_CLIENT_AUTH */
- #endif /* !NO_WOLFSSL_SERVER */
- default:
- WOLFSSL_MSG("Unknown handshake message type");
- ret = UNKNOWN_HANDSHAKE_TYPE;
- break;
- }
- if (ret == 0 && expectedIdx != *inOutIdx) {
- WOLFSSL_MSG("Extra data in handshake message");
- if (!ssl->options.dtls)
- SendAlert(ssl, alert_fatal, decode_error);
- ret = DECODE_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
- /* if async, offset index so this msg will be processed again */
- if ((ret == WC_PENDING_E || ret == OCSP_WANT_READ) && *inOutIdx > 0) {
- *inOutIdx -= HANDSHAKE_HEADER_SZ;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- *inOutIdx -= DTLS_HANDSHAKE_EXTRA;
- }
- #endif
- }
- /* make sure async error is cleared */
- if (ret == 0 && (ssl->error == WC_PENDING_E || ssl->error == OCSP_WANT_READ)) {
- ssl->error = 0;
- }
- #endif /* WOLFSSL_ASYNC_CRYPT || WOLFSSL_NONBLOCK_OCSP */
- #ifdef WOLFSSL_DTLS
- if (ret == 0) {
- if (type == client_hello) {
- /* Advance expected number only if cookie exchange complete */
- if (ssl->msgsReceived.got_client_hello)
- ssl->keys.dtls_expected_peer_handshake_number =
- ssl->keys.dtls_peer_handshake_number + 1;
- }
- else if (type != finished) {
- ssl->keys.dtls_expected_peer_handshake_number++;
- }
- }
- #endif
- WOLFSSL_LEAVE("DoHandShakeMsgType()", ret);
- return ret;
- }
- static int DoHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
- word32 totalSz)
- {
- int ret = 0;
- word32 inputLength;
- WOLFSSL_ENTER("DoHandShakeMsg");
- if (ssl->arrays == NULL) {
- byte type;
- word32 size;
- if (GetHandShakeHeader(ssl,input,inOutIdx,&type, &size, totalSz) != 0) {
- WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
- return PARSE_ERROR;
- }
- return DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz);
- }
- inputLength = ssl->buffers.inputBuffer.length - *inOutIdx;
- /* If there is a pending fragmented handshake message,
- * pending message size will be non-zero. */
- if (ssl->arrays->pendingMsgSz == 0) {
- byte type;
- word32 size;
- if (GetHandShakeHeader(ssl, input, inOutIdx, &type, &size,
- totalSz) != 0) {
- WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
- return PARSE_ERROR;
- }
- /* Cap the maximum size of a handshake message to something reasonable.
- * By default is the maximum size of a certificate message assuming
- * nine 2048-bit RSA certificates in the chain. */
- if (size > MAX_HANDSHAKE_SZ) {
- WOLFSSL_MSG("Handshake message too large");
- WOLFSSL_ERROR_VERBOSE(HANDSHAKE_SIZE_ERROR);
- return HANDSHAKE_SIZE_ERROR;
- }
- /* size is the size of the certificate message payload */
- if (inputLength - HANDSHAKE_HEADER_SZ < size) {
- ssl->arrays->pendingMsgType = type;
- ssl->arrays->pendingMsgSz = size + HANDSHAKE_HEADER_SZ;
- ssl->arrays->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ,
- ssl->heap,
- DYNAMIC_TYPE_ARRAYS);
- if (ssl->arrays->pendingMsg == NULL)
- return MEMORY_E;
- XMEMCPY(ssl->arrays->pendingMsg,
- input + *inOutIdx - HANDSHAKE_HEADER_SZ,
- inputLength);
- ssl->arrays->pendingMsgOffset = inputLength;
- *inOutIdx += inputLength - HANDSHAKE_HEADER_SZ;
- return 0;
- }
- ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz);
- }
- else {
- word32 pendSz =
- ssl->arrays->pendingMsgSz - ssl->arrays->pendingMsgOffset;
- /* Catch the case where there may be the remainder of a fragmented
- * handshake message and the next handshake message in the same
- * record. */
- if (inputLength > pendSz)
- inputLength = pendSz;
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->error != WC_PENDING_E)
- #endif
- {
- /* for async this copy was already done, do not replace, since
- * contents may have been changed for inline operations */
- XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset,
- input + *inOutIdx, inputLength);
- }
- ssl->arrays->pendingMsgOffset += inputLength;
- *inOutIdx += inputLength;
- if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz)
- {
- word32 idx = HANDSHAKE_HEADER_SZ;
- ret = DoHandShakeMsgType(ssl,
- ssl->arrays->pendingMsg,
- &idx, ssl->arrays->pendingMsgType,
- ssl->arrays->pendingMsgSz - idx,
- ssl->arrays->pendingMsgSz);
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- /* setup to process fragment again */
- ssl->arrays->pendingMsgOffset -= inputLength;
- *inOutIdx -= inputLength;
- }
- else
- #endif
- {
- XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
- ssl->arrays->pendingMsg = NULL;
- ssl->arrays->pendingMsgSz = 0;
- }
- }
- }
- WOLFSSL_LEAVE("DoHandShakeMsg()", ret);
- return ret;
- }
- #endif /* !WOLFSSL_NO_TLS12 */
- #ifdef WOLFSSL_EXTRA_ALERTS
- void SendFatalAlertOnly(WOLFSSL *ssl, int error)
- {
- int why;
- /* already sent a more specific fatal alert */
- if (ssl->alert_history.last_tx.level == alert_fatal)
- return;
- switch (error) {
- /* not fatal errors */
- case WANT_WRITE:
- case WANT_READ:
- case ZERO_RETURN:
- #ifdef WOLFSSL_ASYNC_CRYPT
- case WC_PENDING_E:
- #endif
- return;
- /* peer already disconnected and ssl is possibly in bad state
- * don't try to send an alert */
- case SOCKET_ERROR_E:
- return;
- case BUFFER_ERROR:
- case ASN_PARSE_E:
- case COMPRESSION_ERROR:
- why = decode_error;
- break;
- case MATCH_SUITE_ERROR:
- why = illegal_parameter;
- break;
- case VERIFY_FINISHED_ERROR:
- case SIG_VERIFY_E:
- why = decrypt_error;
- break;
- case DUPLICATE_MSG_E:
- case NO_CHANGE_CIPHER_E:
- case OUT_OF_ORDER_E:
- why = unexpected_message;
- break;
- case ECC_OUT_OF_RANGE_E:
- why = bad_record_mac;
- break;
- case VERSION_ERROR:
- default:
- why = handshake_failure;
- break;
- }
- SendAlert(ssl, alert_fatal, why);
- }
- #else
- void SendFatalAlertOnly(WOLFSSL *ssl, int error)
- {
- (void)ssl;
- (void)error;
- /* no op */
- }
- #endif /* WOLFSSL_EXTRA_ALERTS */
- #ifdef WOLFSSL_DTLS
- static int _DtlsCheckWindow(WOLFSSL* ssl)
- {
- word32* window;
- word16 cur_hi, next_hi;
- word32 cur_lo, next_lo, diff;
- int curLT;
- WOLFSSL_DTLS_PEERSEQ* peerSeq = NULL;
- if (!ssl->options.haveMcast)
- peerSeq = ssl->keys.peerSeq;
- else {
- #ifdef WOLFSSL_MULTICAST
- WOLFSSL_DTLS_PEERSEQ* p;
- int i;
- for (i = 0, p = ssl->keys.peerSeq;
- i < WOLFSSL_DTLS_PEERSEQ_SZ;
- i++, p++) {
- if (p->peerId == ssl->keys.curPeerId) {
- peerSeq = p;
- break;
- }
- }
- #endif
- }
- if (peerSeq == NULL) {
- WOLFSSL_MSG("Could not find peer sequence");
- return 0;
- }
- if (ssl->keys.curEpoch == peerSeq->nextEpoch) {
- next_hi = peerSeq->nextSeq_hi;
- next_lo = peerSeq->nextSeq_lo;
- window = peerSeq->window;
- }
- else if (ssl->keys.curEpoch == peerSeq->nextEpoch - 1) {
- next_hi = peerSeq->prevSeq_hi;
- next_lo = peerSeq->prevSeq_lo;
- window = peerSeq->prevWindow;
- }
- else {
- return 0;
- }
- cur_hi = ssl->keys.curSeq_hi;
- cur_lo = ssl->keys.curSeq_lo;
- /* If the difference between next and cur is > 2^32, way outside window. */
- if ((cur_hi > next_hi + 1) || (next_hi > cur_hi + 1)) {
- WOLFSSL_MSG("Current record from way too far in the future.");
- return 0;
- }
- if (cur_hi == next_hi) {
- curLT = cur_lo < next_lo;
- diff = curLT ? next_lo - cur_lo : cur_lo - next_lo;
- }
- else {
- curLT = cur_hi < next_hi;
- diff = curLT ? cur_lo - next_lo : next_lo - cur_lo;
- }
- /* Check to see that the next value is greater than the number of messages
- * trackable in the window, and that the difference between the next
- * expected sequence number and the received sequence number is inside the
- * window. */
- if ((next_hi || next_lo > DTLS_SEQ_BITS) &&
- curLT && (diff > DTLS_SEQ_BITS)) {
- WOLFSSL_MSG("Current record sequence number from the past.");
- return 0;
- }
- #ifdef WOLFSSL_DTLS_DISALLOW_FUTURE
- else if (!curLT && (diff > DTLS_SEQ_BITS)) {
- WOLFSSL_MSG("Rejecting message too far into the future.");
- return 0;
- }
- #endif
- else if (curLT) {
- word32 idx;
- word32 newDiff;
- if (diff == 0) {
- WOLFSSL_MSG("DTLS sanity check failed");
- return 0;
- }
- diff--;
- idx = diff / DTLS_WORD_BITS;
- newDiff = diff % DTLS_WORD_BITS;
- /* verify idx is valid for window array */
- if (idx >= WOLFSSL_DTLS_WINDOW_WORDS) {
- WOLFSSL_MSG("Invalid DTLS windows index");
- return 0;
- }
- if (window[idx] & (1 << newDiff)) {
- WOLFSSL_MSG("Current record sequence number already received.");
- return 0;
- }
- }
- return 1;
- }
- #ifdef WOLFSSL_DTLS13
- static WC_INLINE int Dtls13CheckWindow(WOLFSSL* ssl)
- {
- w64wrapper nextSeq, seq;
- w64wrapper diff64;
- word32 *window;
- int wordOffset;
- int wordIndex;
- word32 diff;
- if (ssl->dtls13DecryptEpoch == NULL) {
- WOLFSSL_MSG("Can't find decrypting epoch");
- return 0;
- }
- nextSeq = ssl->dtls13DecryptEpoch->nextPeerSeqNumber;
- window = ssl->dtls13DecryptEpoch->window;
- seq = ssl->keys.curSeq;
- if (w64GTE(seq, nextSeq))
- return 1;
- /* seq < nextSeq, nextSeq - seq */
- diff64 = w64Sub(nextSeq, seq);
- /* diff >= DTLS_SEQ_BITS, outside of the window */
- if (w64GT(diff64, w64From32(0, DTLS_SEQ_BITS)))
- return 0;
- /* we are assuming DTLS_SEQ_BITS <= 2**32 */
- diff = w64GetLow32(diff64);
- /* zero based index */
- diff--;
- wordIndex = ((int)diff) / DTLS_WORD_BITS;
- wordOffset = ((int)diff) % DTLS_WORD_BITS;
- if (window[wordIndex] & (1 << wordOffset))
- return 0;
- return 1;
- }
- #endif /* WOLFSSL_DTLS13 */
- #ifdef WOLFSSL_MULTICAST
- static WC_INLINE word32 UpdateHighwaterMark(word32 cur, word32 first,
- word32 second, word32 high)
- {
- word32 newCur = 0;
- if (cur < first)
- newCur = first;
- else if (cur < second)
- newCur = second;
- else if (cur < high)
- newCur = high;
- return newCur;
- }
- #endif /* WOLFSSL_MULTICAST */
- /* diff is the difference between the message sequence and the
- * expected sequence number. 0 is special where it is an overflow. */
- static void _DtlsUpdateWindowGTSeq(word32 diff, word32* window)
- {
- word32 oldWindow[WOLFSSL_DTLS_WINDOW_WORDS];
- if (diff == 0 || diff >= DTLS_SEQ_BITS)
- XMEMSET(window, 0, DTLS_SEQ_SZ);
- else {
- word32 i;
- word32 temp = 0;
- word32 idx = diff / DTLS_WORD_BITS;
- diff %= DTLS_WORD_BITS;
- XMEMCPY(oldWindow, window, sizeof(oldWindow));
- for (i = 0; i < WOLFSSL_DTLS_WINDOW_WORDS; i++) {
- if (i < idx)
- window[i] = 0;
- else {
- temp |= (oldWindow[i-idx] << diff);
- window[i] = temp;
- if (diff > 0)
- temp = oldWindow[i-idx] >> (DTLS_WORD_BITS - diff);
- else
- temp = 0;
- }
- }
- }
- window[0] |= 1;
- }
- int wolfSSL_DtlsUpdateWindow(word16 cur_hi, word32 cur_lo,
- word16* next_hi, word32* next_lo, word32 *window)
- {
- word32 diff;
- int curLT;
- if (cur_hi == *next_hi) {
- curLT = cur_lo < *next_lo;
- diff = curLT ? *next_lo - cur_lo : cur_lo - *next_lo;
- }
- else {
- if (cur_hi > *next_hi + 1) {
- /* reset window */
- _DtlsUpdateWindowGTSeq(0, window);
- *next_lo = cur_lo + 1;
- if (*next_lo == 0)
- *next_hi = cur_hi + 1;
- else
- *next_hi = cur_hi;
- return 1;
- }
- else if (*next_hi > cur_hi + 1) {
- return 1;
- }
- else {
- curLT = cur_hi < *next_hi;
- if (curLT) {
- if (*next_lo < DTLS_SEQ_BITS &&
- cur_lo >= (((word32)0xFFFFFFFF) - DTLS_SEQ_BITS)) {
- /* diff here can still result in a difference that can not
- * be stored in the window. The index is checked against
- * WOLFSSL_DTLS_WINDOW_WORDS later. */
- diff = *next_lo + ((word32)0xFFFFFFFF - cur_lo) + 1;
- }
- else {
- /* Too far back to update */
- return 1;
- }
- }
- else {
- if (*next_lo >= (((word32)0xFFFFFFFF) - DTLS_SEQ_BITS) &&
- cur_lo < DTLS_SEQ_BITS) {
- /* diff here can still result in a difference that can not
- * be stored in the window. The index is checked against
- * WOLFSSL_DTLS_WINDOW_WORDS later. */
- diff = cur_lo - *next_lo;
- }
- else {
- _DtlsUpdateWindowGTSeq(0, window);
- *next_lo = cur_lo + 1;
- if (*next_lo == 0)
- *next_hi = cur_hi + 1;
- else
- *next_hi = cur_hi;
- return 1;
- }
- }
- }
- }
- if (curLT) {
- word32 idx;
- diff--;
- idx = diff / DTLS_WORD_BITS;
- diff %= DTLS_WORD_BITS;
- if (idx < WOLFSSL_DTLS_WINDOW_WORDS)
- window[idx] |= (1 << diff);
- }
- else {
- _DtlsUpdateWindowGTSeq(diff + 1, window);
- *next_lo = cur_lo + 1;
- if (*next_lo == 0)
- *next_hi = cur_hi + 1;
- else
- *next_hi = cur_hi;
- }
- return 1;
- }
- static int _DtlsUpdateWindow(WOLFSSL* ssl)
- {
- WOLFSSL_DTLS_PEERSEQ* peerSeq = ssl->keys.peerSeq;
- word16 *next_hi;
- word32 *next_lo;
- word32* window;
- #ifdef WOLFSSL_MULTICAST
- word32 cur_lo = ssl->keys.curSeq_lo;
- if (ssl->options.haveMcast) {
- WOLFSSL_DTLS_PEERSEQ* p;
- int i;
- peerSeq = NULL;
- for (i = 0, p = ssl->keys.peerSeq;
- i < WOLFSSL_DTLS_PEERSEQ_SZ;
- i++, p++) {
- if (p->peerId == ssl->keys.curPeerId) {
- peerSeq = p;
- break;
- }
- }
- if (peerSeq == NULL) {
- WOLFSSL_MSG("Couldn't find that peer ID to update window.");
- return 0;
- }
- if (p->highwaterMark && cur_lo >= p->highwaterMark) {
- int cbError = 0;
- if (ssl->ctx->mcastHwCb)
- cbError = ssl->ctx->mcastHwCb(p->peerId,
- ssl->ctx->mcastMaxSeq,
- cur_lo, ssl->mcastHwCbCtx);
- if (cbError) {
- WOLFSSL_MSG("Multicast highwater callback returned an error.");
- return MCAST_HIGHWATER_CB_E;
- }
- p->highwaterMark = UpdateHighwaterMark(cur_lo,
- ssl->ctx->mcastFirstSeq,
- ssl->ctx->mcastSecondSeq,
- ssl->ctx->mcastMaxSeq);
- }
- }
- #endif
- if (ssl->keys.curEpoch == peerSeq->nextEpoch) {
- next_hi = &peerSeq->nextSeq_hi;
- next_lo = &peerSeq->nextSeq_lo;
- window = peerSeq->window;
- }
- else {
- next_hi = &peerSeq->prevSeq_hi;
- next_lo = &peerSeq->prevSeq_lo;
- window = peerSeq->prevWindow;
- }
- return wolfSSL_DtlsUpdateWindow(ssl->keys.curSeq_hi, ssl->keys.curSeq_lo,
- next_hi, next_lo, window);
- }
- #ifdef WOLFSSL_DTLS13
- static WC_INLINE int Dtls13UpdateWindow(WOLFSSL* ssl)
- {
- w64wrapper nextSeq, seq;
- w64wrapper diff64;
- word32 *window;
- int wordOffset;
- int wordIndex;
- word32 diff;
- if (ssl->dtls13DecryptEpoch == NULL) {
- WOLFSSL_MSG("Can't find decrypting Epoch");
- return BAD_STATE_E;
- }
- nextSeq = ssl->dtls13DecryptEpoch->nextPeerSeqNumber;
- window = ssl->dtls13DecryptEpoch->window;
- seq = ssl->keys.curSeq;
- /* seq < nextSeq */
- if (w64LT(seq, nextSeq)) {
- diff64 = w64Sub(nextSeq, seq);
- /* zero based index */
- w64Decrement(&diff64);
- /* FIXME: check that diff64 < DTLS_WORDS_BITS */
- diff = w64GetLow32(diff64);
- wordIndex = ((int)diff) / DTLS_WORD_BITS;
- wordOffset = ((int)diff) % DTLS_WORD_BITS;
- if (wordIndex >= WOLFSSL_DTLS_WINDOW_WORDS) {
- WOLFSSL_MSG("Invalid sequence number to Dtls13UpdateWindow");
- return BAD_STATE_E;
- }
- window[wordIndex] |= (1 << wordOffset);
- return 1;
- }
- /* seq >= nextSeq, seq - nextSeq */
- diff64 = w64Sub(seq, nextSeq);
- /* as we are considering nextSeq inside the window, we should add + 1 */
- w64Increment(&diff64);
- _DtlsUpdateWindowGTSeq(w64GetLow32(diff64), window);
- w64Increment(&seq);
- ssl->dtls13DecryptEpoch->nextPeerSeqNumber = seq;
- return 1;
- }
- #endif /* WOLFSSL_DTLS13 */
- int DtlsMsgDrain(WOLFSSL* ssl)
- {
- DtlsMsg* item = ssl->dtls_rx_msg_list;
- int ret = 0;
- WOLFSSL_ENTER("DtlsMsgDrain");
- /* While there is an item in the store list, and it is the expected
- * message, and it is complete, and there hasn't been an error in the
- * last message... */
- while (item != NULL &&
- ssl->keys.dtls_expected_peer_handshake_number == item->seq &&
- item->ready && ret == 0) {
- word32 idx = 0;
- #ifdef WOLFSSL_NO_TLS12
- ret = DoTls13HandShakeMsgType(ssl, item->fullMsg, &idx, item->type,
- item->sz, item->sz);
- #else
- ret = DoHandShakeMsgType(ssl, item->fullMsg, &idx, item->type,
- item->sz, item->sz);
- #endif
- if (ret == 0) {
- DtlsTxMsgListClean(ssl);
- }
- else if (!IsAtLeastTLSv1_3(ssl->version)) {
- SendFatalAlertOnly(ssl, ret);
- }
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- break;
- }
- #endif
- ssl->dtls_rx_msg_list = item->next;
- DtlsMsgDelete(item, ssl->heap);
- item = ssl->dtls_rx_msg_list;
- ssl->dtls_rx_msg_list_sz--;
- }
- WOLFSSL_LEAVE("DtlsMsgDrain()", ret);
- return ret;
- }
- static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
- word32 totalSz)
- {
- byte type;
- word32 size;
- word32 fragOffset, fragSz;
- int ret = 0;
- int ignoreFinished = 0;
- WOLFSSL_ENTER("DoDtlsHandShakeMsg");
- /* parse header */
- if (GetDtlsHandShakeHeader(ssl, input, inOutIdx, &type,
- &size, &fragOffset, &fragSz, totalSz) != 0) {
- WOLFSSL_ERROR(PARSE_ERROR);
- return PARSE_ERROR;
- }
- /* Cap the maximum size of a handshake message to something reasonable.
- * By default is the maximum size of a certificate message assuming
- * nine 2048-bit RSA certificates in the chain. */
- if (size > MAX_HANDSHAKE_SZ) {
- WOLFSSL_MSG("Handshake message too large");
- return HANDSHAKE_SIZE_ERROR;
- }
- /* check that we have complete fragment */
- if (*inOutIdx + fragSz > totalSz) {
- WOLFSSL_ERROR(INCOMPLETE_DATA);
- return INCOMPLETE_DATA;
- }
- /* check that the fragment is contained in the message */
- if (fragOffset + fragSz > size) {
- WOLFSSL_ERROR(LENGTH_ERROR);
- return LENGTH_ERROR;
- }
- if (type == finished && ssl->keys.dtls_peer_handshake_number >=
- ssl->keys.dtls_expected_peer_handshake_number &&
- ssl->keys.curEpoch == ssl->keys.dtls_epoch) {
- /* finished msg should be ignore from the current epoch
- * if it comes from a previous handshake */
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- ignoreFinished = ssl->options.connectState < FINISHED_DONE;
- }
- else {
- ignoreFinished = ssl->options.acceptState < ACCEPT_FINISHED_DONE;
- }
- }
- #if !defined(NO_WOLFSSL_SERVER)
- if (ssl->options.side == WOLFSSL_SERVER_END &&
- ssl->options.acceptState < ACCEPT_FIRST_REPLY_DONE &&
- type != client_hello) {
- WOLFSSL_MSG("Ignoring other messages before we verify a ClientHello");
- *inOutIdx = totalSz;
- return 0;
- }
- #endif
- /* Check the handshake sequence number first. If out of order,
- * add the current message to the list. If the message is in order,
- * but it is a fragment, add the current message to the list, then
- * check the head of the list to see if it is complete, if so, pop
- * it out as the current message. If the message is complete and in
- * order, process it. Check the head of the list to see if it is in
- * order, if so, process it. (Repeat until list exhausted.) If the
- * head is out of order, return for more processing.
- */
- if (ssl->keys.dtls_peer_handshake_number >
- ssl->keys.dtls_expected_peer_handshake_number &&
- /* Only client_hello shouldn't be ignored if the handshake
- * num is greater */
- (type == client_hello ||
- ssl->options.handShakeState != HANDSHAKE_DONE) &&
- !ignoreFinished) {
- /* Current message is out of order. It will get stored in the list.
- * Storing also takes care of defragmentation. If the messages is a
- * client hello, we need to process this out of order; the server
- * is not supposed to keep state, but the second client hello will
- * have a different handshake sequence number than is expected, and
- * the server shouldn't be expecting any particular handshake sequence
- * number. (If the cookie changes multiple times in quick succession,
- * the client could be sending multiple new client hello messages
- * with newer and newer cookies.) */
- if (type != client_hello) {
- WOLFSSL_MSG("Current message is out of order");
- if (ssl->dtls_rx_msg_list_sz >= DTLS_POOL_SZ) {
- WOLFSSL_MSG("Reached rx msg limit error");
- return DTLS_TOO_MANY_FRAGMENTS_E;
- }
- DtlsMsgStore(ssl, ssl->keys.curEpoch,
- ssl->keys.dtls_peer_handshake_number,
- input + *inOutIdx, size, type,
- fragOffset, fragSz, ssl->heap);
- *inOutIdx += fragSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead && ssl->keys.curEpoch != 0) {
- word32 digestSz = MacSize(ssl);
- if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz) {
- WOLFSSL_ERROR(BUFFER_E);
- return BUFFER_E;
- }
- *inOutIdx += digestSz;
- }
- else
- #endif
- {
- if (*inOutIdx + ssl->keys.padSz > totalSz) {
- WOLFSSL_ERROR(BUFFER_E);
- return BUFFER_E;
- }
- }
- *inOutIdx += ssl->keys.padSz;
- ret = 0;
- #ifndef WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT
- /* If we receive an out of order last flight msg then retransmit */
- if (type == server_hello_done || type == finished) {
- ret = DtlsMsgPoolSend(ssl, 0);
- }
- #endif
- }
- else {
- if (fragSz < size) {
- /* a fragmented ClientHello, very probably forged or
- erroneous. Even if the packet is valid, we don't want to save
- state while processing a ClientHello to avoid DoS attacks */
- WOLFSSL_MSG("Ignoring datagram with fragmented ClientHello");
- *inOutIdx = totalSz;
- }
- else {
- #ifdef WOLFSSL_NO_TLS12
- ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
- totalSz);
- #else
- ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size,
- totalSz);
- #endif
- }
- }
- }
- else if (ssl->keys.dtls_peer_handshake_number <
- ssl->keys.dtls_expected_peer_handshake_number ||
- /* ignore all handshake messages if we are done with the
- * handshake */
- (ssl->keys.dtls_peer_handshake_number >
- ssl->keys.dtls_expected_peer_handshake_number &&
- ssl->options.handShakeState == HANDSHAKE_DONE) ||
- ignoreFinished) {
- /* Already saw this message and processed it. It can be ignored. */
- WOLFSSL_MSG("Already saw this message and processed it");
- *inOutIdx += fragSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead && ssl->keys.curEpoch != 0) {
- word32 digestSz = MacSize(ssl);
- if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz) {
- WOLFSSL_ERROR(BUFFER_E);
- return BUFFER_E;
- }
- *inOutIdx += digestSz;
- }
- else
- #endif
- {
- if (*inOutIdx + ssl->keys.padSz > totalSz) {
- WOLFSSL_ERROR(BUFFER_E);
- return BUFFER_E;
- }
- }
- #ifndef WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT
- if (IsDtlsNotSctpMode(ssl) &&
- VerifyForDtlsMsgPoolSend(ssl, type, fragOffset)) {
- ret = DtlsMsgPoolSend(ssl, 0);
- }
- #endif
- *inOutIdx += ssl->keys.padSz;
- }
- else if (fragSz < size) {
- /* Since this branch is in order, but fragmented, dtls_rx_msg_list will
- * be pointing to the message with this fragment in it. Check it to see
- * if it is completed. */
- WOLFSSL_MSG("Branch is in order, but fragmented");
- if (type == client_hello) {
- WOLFSSL_MSG("Ignoring datagram with fragmented ClientHello");
- *inOutIdx = totalSz;
- return 0;
- }
- if (ssl->dtls_rx_msg_list_sz >= DTLS_POOL_SZ) {
- WOLFSSL_MSG("Reached rx msg limit error");
- WOLFSSL_ERROR(DTLS_TOO_MANY_FRAGMENTS_E);
- return DTLS_TOO_MANY_FRAGMENTS_E;
- }
- DtlsMsgStore(ssl, ssl->keys.curEpoch,
- ssl->keys.dtls_peer_handshake_number,
- input + *inOutIdx, size, type,
- fragOffset, fragSz, ssl->heap);
- *inOutIdx += fragSz;
- *inOutIdx += ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead && ssl->keys.curEpoch != 0) {
- word32 digestSz = MacSize(ssl);
- if (*inOutIdx + digestSz > totalSz) {
- WOLFSSL_ERROR(BUFFER_E);
- return BUFFER_E;
- }
- *inOutIdx += digestSz;
- }
- #endif
- ret = 0;
- if (ssl->dtls_rx_msg_list != NULL && ssl->dtls_rx_msg_list->ready)
- ret = DtlsMsgDrain(ssl);
- }
- else {
- /* This branch is in order next, and a complete message. On success
- * clean the tx list. */
- WOLFSSL_MSG("Branch is in order and a complete message");
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->devId != INVALID_DEVID) {
- word32 idx = *inOutIdx;
- if (ssl->dtls_rx_msg_list_sz >= DTLS_POOL_SZ) {
- WOLFSSL_ERROR(BUFFER_ERROR);
- return BUFFER_ERROR;
- }
- if (idx + fragSz + ssl->keys.padSz > totalSz)
- return BUFFER_E;
- *inOutIdx = idx + fragSz + ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead && ssl->keys.curEpoch != 0) {
- word32 digestSz = MacSize(ssl);
- if (*inOutIdx + digestSz > totalSz)
- return BUFFER_E;
- *inOutIdx += digestSz;
- }
- #endif
- /* In async mode always store the message and process it with
- * DtlsMsgDrain because in case of a WC_PENDING_E it will be
- * easier this way. */
- if (ssl->dtls_rx_msg_list_sz >= DTLS_POOL_SZ) {
- WOLFSSL_MSG("Reached rx msg limit error");
- return DTLS_TOO_MANY_FRAGMENTS_E;
- }
- DtlsMsgStore(ssl, ssl->keys.curEpoch,
- ssl->keys.dtls_peer_handshake_number,
- input + idx, size, type,
- fragOffset, fragSz, ssl->heap);
- ret = DtlsMsgDrain(ssl);
- }
- else
- #endif
- {
- #ifdef WOLFSSL_NO_TLS12
- ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
- totalSz);
- #else
- ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz);
- #endif
- if (ret == 0) {
- DtlsTxMsgListClean(ssl);
- if (ssl->dtls_rx_msg_list != NULL) {
- ret = DtlsMsgDrain(ssl);
- }
- }
- }
- }
- WOLFSSL_LEAVE("DoDtlsHandShakeMsg()", ret);
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- #ifndef WOLFSSL_NO_TLS12
- #ifdef HAVE_AEAD
- #if (!defined(NO_PUBLIC_GCM_SET_IV) && \
- ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
- (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))) || \
- (defined(HAVE_POLY1305) && defined(HAVE_CHACHA))
- static WC_INLINE void AeadIncrementExpIV(WOLFSSL* ssl)
- {
- int i;
- for (i = AEAD_MAX_EXP_SZ-1; i >= 0; i--) {
- if (++ssl->keys.aead_exp_IV[i]) return;
- }
- }
- #endif
- #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && !defined(NO_CHAPOL_AEAD)
- /* Used for the older version of creating AEAD tags with Poly1305 */
- static int Poly1305TagOld(WOLFSSL* ssl, byte* additional, const byte* out,
- byte* cipher, word16 sz, byte* tag)
- {
- int ret = 0;
- int msglen = (sz - ssl->specs.aead_mac_size);
- word32 keySz = 32;
- byte padding[8]; /* used to temporarily store lengths */
- #ifdef CHACHA_AEAD_TEST
- printf("Using old version of poly1305 input.\n");
- #endif
- if (msglen < 0)
- return INPUT_CASE_ERROR;
- if ((ret = wc_Poly1305SetKey(ssl->auth.poly1305, cipher, keySz)) != 0)
- return ret;
- if ((ret = wc_Poly1305Update(ssl->auth.poly1305, additional,
- AEAD_AUTH_DATA_SZ)) != 0)
- return ret;
- /* length of additional input plus padding */
- XMEMSET(padding, 0, sizeof(padding));
- padding[0] = AEAD_AUTH_DATA_SZ;
- if ((ret = wc_Poly1305Update(ssl->auth.poly1305, padding,
- sizeof(padding))) != 0)
- return ret;
- /* add cipher info and then its length */
- XMEMSET(padding, 0, sizeof(padding));
- if ((ret = wc_Poly1305Update(ssl->auth.poly1305, out, msglen)) != 0)
- return ret;
- /* 32 bit size of cipher to 64 bit endian */
- padding[0] = msglen & 0xff;
- padding[1] = (msglen >> 8) & 0xff;
- padding[2] = ((word32)msglen >> 16) & 0xff;
- padding[3] = ((word32)msglen >> 24) & 0xff;
- if ((ret = wc_Poly1305Update(ssl->auth.poly1305, padding, sizeof(padding)))
- != 0)
- return ret;
- /* generate tag */
- if ((ret = wc_Poly1305Final(ssl->auth.poly1305, tag)) != 0)
- return ret;
- return ret;
- }
- /* When the flag oldPoly is not set this follows RFC7905. When oldPoly is set
- * the implementation follows an older draft for creating the nonce and MAC.
- * The flag oldPoly gets set automatically depending on what cipher suite was
- * negotiated in the handshake. This is able to be done because the IDs for the
- * cipher suites was updated in RFC7905 giving unique values for the older
- * draft in comparison to the more recent RFC.
- *
- * ssl WOLFSSL structure to get cipher and TLS state from
- * out output buffer to hold encrypted data
- * input data to encrypt
- * sz size of input
- *
- * Return 0 on success negative values in error case
- */
- int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
- word16 sz)
- {
- const byte* additionalSrc = input - RECORD_HEADER_SZ;
- int ret = 0;
- word32 msgLen = (sz - ssl->specs.aead_mac_size);
- byte tag[POLY1305_AUTH_SZ];
- byte add[AEAD_AUTH_DATA_SZ];
- byte nonce[CHACHA20_NONCE_SZ];
- byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for poly1305 */
- #ifdef CHACHA_AEAD_TEST
- int i;
- #endif
- Keys* keys = &ssl->keys;
- XMEMSET(tag, 0, sizeof(tag));
- XMEMSET(nonce, 0, sizeof(nonce));
- XMEMSET(poly, 0, sizeof(poly));
- XMEMSET(add, 0, sizeof(add));
- #if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
- /*
- * For epochs 2+:
- * * use ssl->secure_renegotiation when encrypting the current epoch as it
- * has the current epoch cipher material
- * * use PREV_ORDER if encrypting the epoch not in
- * ssl->secure_renegotiation
- */
- /* opaque SEQ number stored for AD */
- if (ssl->options.dtls && DtlsSCRKeysSet(ssl)) {
- if (ssl->keys.dtls_epoch ==
- ssl->secure_renegotiation->tmp_keys.dtls_epoch) {
- keys = &ssl->secure_renegotiation->tmp_keys;
- WriteSEQ(ssl, CUR_ORDER, add);
- }
- else
- WriteSEQ(ssl, PREV_ORDER, add);
- }
- else
- #endif
- WriteSEQ(ssl, CUR_ORDER, add);
- if (ssl->options.oldPoly != 0) {
- /* get nonce. SEQ should not be incremented again here */
- XMEMCPY(nonce + CHACHA20_OLD_OFFSET, add, OPAQUE32_LEN * 2);
- }
- /* Store the type, version. Unfortunately, they are in
- * the input buffer ahead of the plaintext. */
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- additionalSrc -= DTLS_HANDSHAKE_EXTRA;
- }
- #endif
- /* add TLS message size to additional data */
- add[AEAD_AUTH_DATA_SZ - 2] = (msgLen >> 8) & 0xff;
- add[AEAD_AUTH_DATA_SZ - 1] = msgLen & 0xff;
- XMEMCPY(add + AEAD_TYPE_OFFSET, additionalSrc, 3);
- #ifdef CHACHA_AEAD_TEST
- printf("Encrypt Additional : ");
- for (i = 0; i < AEAD_AUTH_DATA_SZ; i++) {
- printf("%02x", add[i]);
- }
- printf("\n\n");
- printf("input before encryption :\n");
- for (i = 0; i < sz; i++) {
- printf("%02x", input[i]);
- if ((i + 1) % 16 == 0)
- printf("\n");
- }
- printf("\n");
- #endif
- if (ssl->options.oldPoly == 0) {
- /* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte
- * record sequence number XORed with client_write_IV/server_write_IV */
- XMEMCPY(nonce, keys->aead_enc_imp_IV, CHACHA20_IMP_IV_SZ);
- nonce[4] ^= add[0];
- nonce[5] ^= add[1];
- nonce[6] ^= add[2];
- nonce[7] ^= add[3];
- nonce[8] ^= add[4];
- nonce[9] ^= add[5];
- nonce[10] ^= add[6];
- nonce[11] ^= add[7];
- }
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("ChachaAEADEncrypt nonce", nonce, CHACHA20_NONCE_SZ);
- #endif
- /* set the nonce for chacha and get poly1305 key */
- if ((ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0)) != 0) {
- ForceZero(nonce, CHACHA20_NONCE_SZ);
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
- #endif
- return ret;
- }
- /* create Poly1305 key using chacha20 keystream */
- if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, poly,
- poly, sizeof(poly))) != 0) {
- ForceZero(nonce, CHACHA20_NONCE_SZ);
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
- #endif
- return ret;
- }
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("ChachaAEADEncrypt poly", poly, CHACHA20_256_KEY_SIZE);
- #endif
- /* set the counter after getting poly1305 key */
- if ((ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 1)) != 0) {
- ForceZero(nonce, CHACHA20_NONCE_SZ);
- ForceZero(poly, sizeof(poly));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
- wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
- #endif
- return ret;
- }
- ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
- #endif
- /* encrypt the plain text */
- if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, out,
- input, msgLen)) != 0) {
- ForceZero(poly, sizeof(poly));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
- #endif
- return ret;
- }
- /* get the poly1305 tag using either old padding scheme or more recent */
- if (ssl->options.oldPoly != 0) {
- if ((ret = Poly1305TagOld(ssl, add, (const byte* )out,
- poly, sz, tag)) != 0) {
- ForceZero(poly, sizeof(poly));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
- #endif
- return ret;
- }
- }
- else {
- if ((ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly,
- sizeof(poly))) != 0) {
- ForceZero(poly, sizeof(poly));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
- #endif
- return ret;
- }
- if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, add,
- sizeof(add), out, msgLen, tag, sizeof(tag))) != 0) {
- ForceZero(poly, sizeof(poly));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
- #endif
- return ret;
- }
- }
- ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
- #endif
- /* append tag to ciphertext */
- XMEMCPY(out + msgLen, tag, sizeof(tag));
- AeadIncrementExpIV(ssl);
- #ifdef CHACHA_AEAD_TEST
- printf("mac tag :\n");
- for (i = 0; i < 16; i++) {
- printf("%02x", tag[i]);
- if ((i + 1) % 16 == 0)
- printf("\n");
- }
- printf("\n\noutput after encrypt :\n");
- for (i = 0; i < sz; i++) {
- printf("%02x", out[i]);
- if ((i + 1) % 16 == 0)
- printf("\n");
- }
- printf("\n");
- #endif
- return ret;
- }
- /* When the flag oldPoly is not set this follows RFC7905. When oldPoly is set
- * the implementation follows an older draft for creating the nonce and MAC.
- * The flag oldPoly gets set automatically depending on what cipher suite was
- * negotiated in the handshake. This is able to be done because the IDs for the
- * cipher suites was updated in RFC7905 giving unique values for the older
- * draft in comparison to the more recent RFC.
- *
- * ssl WOLFSSL structure to get cipher and TLS state from
- * plain output buffer to hold decrypted data
- * input data to decrypt
- * sz size of input
- *
- * Return 0 on success negative values in error case
- */
- static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
- word16 sz)
- {
- byte add[AEAD_AUTH_DATA_SZ];
- byte nonce[CHACHA20_NONCE_SZ];
- byte tag[POLY1305_AUTH_SZ];
- byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */
- int ret = 0;
- int msgLen = (sz - ssl->specs.aead_mac_size);
- Keys* keys = &ssl->keys;
- #ifdef CHACHA_AEAD_TEST
- int i;
- printf("input before decrypt :\n");
- for (i = 0; i < sz; i++) {
- printf("%02x", input[i]);
- if ((i + 1) % 16 == 0)
- printf("\n");
- }
- printf("\n");
- #endif
- XMEMSET(tag, 0, sizeof(tag));
- XMEMSET(poly, 0, sizeof(poly));
- XMEMSET(nonce, 0, sizeof(nonce));
- XMEMSET(add, 0, sizeof(add));
- #if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
- /*
- * For epochs 2+:
- * * use ssl->secure_renegotiation when decrypting the latest epoch as it
- * has the latest epoch cipher material
- */
- if (ssl->options.dtls && DtlsSCRKeysSet(ssl) &&
- ssl->keys.curEpoch == ssl->secure_renegotiation->tmp_keys.dtls_epoch)
- keys = &ssl->secure_renegotiation->tmp_keys;
- #endif
- /* sequence number field is 64-bits */
- WriteSEQ(ssl, PEER_ORDER, add);
- if (ssl->options.oldPoly != 0) {
- /* get nonce, SEQ should not be incremented again here */
- XMEMCPY(nonce + CHACHA20_OLD_OFFSET, add, OPAQUE32_LEN * 2);
- }
- /* get AD info */
- /* Store the type, version. */
- add[AEAD_TYPE_OFFSET] = ssl->curRL.type;
- add[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
- add[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
- /* add TLS message size to additional data */
- add[AEAD_AUTH_DATA_SZ - 2] = (msgLen >> 8) & 0xff;
- add[AEAD_AUTH_DATA_SZ - 1] = msgLen & 0xff;
- #ifdef CHACHA_AEAD_TEST
- printf("Decrypt Additional : ");
- for (i = 0; i < AEAD_AUTH_DATA_SZ; i++) {
- printf("%02x", add[i]);
- }
- printf("\n\n");
- #endif
- if (ssl->options.oldPoly == 0) {
- /* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte
- * record sequence number XORed with client_write_IV/server_write_IV */
- XMEMCPY(nonce, keys->aead_dec_imp_IV, CHACHA20_IMP_IV_SZ);
- nonce[4] ^= add[0];
- nonce[5] ^= add[1];
- nonce[6] ^= add[2];
- nonce[7] ^= add[3];
- nonce[8] ^= add[4];
- nonce[9] ^= add[5];
- nonce[10] ^= add[6];
- nonce[11] ^= add[7];
- }
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("ChachaAEADEncrypt nonce", nonce, CHACHA20_NONCE_SZ);
- #endif
- /* set nonce and get poly1305 key */
- if ((ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0)) != 0) {
- ForceZero(nonce, CHACHA20_NONCE_SZ);
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
- #endif
- return ret;
- }
- /* use chacha20 keystream to get poly1305 key for tag */
- if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, poly,
- poly, sizeof(poly))) != 0) {
- ForceZero(nonce, CHACHA20_NONCE_SZ);
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
- #endif
- return ret;
- }
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("ChachaAEADEncrypt poly", poly, CHACHA20_256_KEY_SIZE);
- #endif
- /* set counter after getting poly1305 key */
- if ((ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 1)) != 0) {
- ForceZero(nonce, CHACHA20_NONCE_SZ);
- ForceZero(poly, sizeof(poly));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
- wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
- #endif
- return ret;
- }
- ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
- #endif
- /* get the tag using Poly1305 */
- if (ssl->options.oldPoly != 0) {
- if ((ret = Poly1305TagOld(ssl, add, input, poly, sz, tag)) != 0) {
- ForceZero(poly, sizeof(poly));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
- #endif
- return ret;
- }
- }
- else {
- if ((ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly,
- sizeof(poly))) != 0) {
- ForceZero(poly, sizeof(poly));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
- #endif
- return ret;
- }
- if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, add,
- sizeof(add), input, msgLen, tag, sizeof(tag))) != 0) {
- ForceZero(poly, sizeof(poly));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
- #endif
- return ret;
- }
- }
- ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
- #endif
- /* check tag sent along with packet */
- if (ConstantCompare(input + msgLen, tag, ssl->specs.aead_mac_size) != 0) {
- WOLFSSL_MSG("MAC did not match");
- if (!ssl->options.dtls)
- SendAlert(ssl, alert_fatal, bad_record_mac);
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- /* if the tag was good decrypt message */
- if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, plain,
- input, msgLen)) != 0)
- return ret;
- #ifdef CHACHA_AEAD_TEST
- printf("plain after decrypt :\n");
- for (i = 0; i < sz; i++) {
- printf("%02x", plain[i]);
- if ((i + 1) % 16 == 0)
- printf("\n");
- }
- printf("\n");
- #endif
- return ret;
- }
- #endif /* HAVE_CHACHA && HAVE_POLY1305 && !NO_CHAPOL_AEAD*/
- #endif /* HAVE_AEAD */
- #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
- #if !defined(NO_GCM_ENCRYPT_EXTRA) && \
- ((!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \
- (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
- /* The following type is used to share code between AES-GCM and AES-CCM. */
- typedef int (*AesAuthEncryptFunc)(Aes* aes, byte* out,
- const byte* in, word32 sz,
- byte* iv, word32 ivSz,
- byte* authTag, word32 authTagSz,
- const byte* authIn, word32 authInSz);
- #define AES_AUTH_ENCRYPT_FUNC AesAuthEncryptFunc
- #define AES_GCM_ENCRYPT wc_AesGcmEncrypt_ex
- #define AES_CCM_ENCRYPT wc_AesCcmEncrypt_ex
- #else
- #define AES_AUTH_ENCRYPT_FUNC wc_AesAuthEncryptFunc
- #define AES_GCM_ENCRYPT wc_AesGcmEncrypt
- #define AES_CCM_ENCRYPT wc_AesCcmEncrypt
- #endif
- #endif
- static WC_INLINE int EncryptDo(WOLFSSL* ssl, byte* out, const byte* input,
- word16 sz, int asyncOkay)
- {
- int ret = 0;
- #ifdef WOLFSSL_ASYNC_CRYPT
- WC_ASYNC_DEV* asyncDev = NULL;
- word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN;
- #else
- (void)asyncOkay;
- #endif
- (void)out;
- (void)input;
- (void)sz;
- if (input == NULL) {
- return BAD_FUNC_ARG;
- }
- switch (ssl->specs.bulk_cipher_algorithm) {
- #ifdef BUILD_ARC4
- case wolfssl_rc4:
- wc_Arc4Process(ssl->encrypt.arc4, out, input, sz);
- break;
- #endif
- #ifdef BUILD_DES3
- case wolfssl_triple_des:
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- asyncDev = &ssl->encrypt.des3->asyncDev;
- ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
- if (ret != 0)
- break;
- #endif
- ret = wc_Des3_CbcEncrypt(ssl->encrypt.des3, out, input, sz);
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E && asyncOkay) {
- ret = wolfSSL_AsyncPush(ssl, asyncDev);
- }
- #endif
- break;
- #endif
- #if defined(BUILD_AES) && defined(HAVE_AES_CBC)
- case wolfssl_aes:
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- asyncDev = &ssl->encrypt.aes->asyncDev;
- ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
- if (ret != 0)
- break;
- #endif
- ret = wc_AesCbcEncrypt(ssl->encrypt.aes, out, input, sz);
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E && asyncOkay) {
- ret = wolfSSL_AsyncPush(ssl, asyncDev);
- }
- #endif
- break;
- #endif
- #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
- case wolfssl_aes_gcm:
- case wolfssl_aes_ccm:/* GCM AEAD macros use same size as CCM */
- {
- AES_AUTH_ENCRYPT_FUNC aes_auth_fn;
- const byte* additionalSrc;
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- asyncDev = &ssl->encrypt.aes->asyncDev;
- ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
- if (ret != 0)
- break;
- #endif
- #if defined(BUILD_AESGCM) && defined(HAVE_AESCCM)
- aes_auth_fn = (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm)
- ? AES_GCM_ENCRYPT : AES_CCM_ENCRYPT;
- #elif defined(BUILD_AESGCM)
- aes_auth_fn = AES_GCM_ENCRYPT;
- #else
- aes_auth_fn = AES_CCM_ENCRYPT;
- #endif
- additionalSrc = input - 5;
- XMEMSET(ssl->encrypt.additional, 0, AEAD_AUTH_DATA_SZ);
- /* sequence number field is 64-bits */
- WriteSEQ(ssl, CUR_ORDER, ssl->encrypt.additional);
- /* Store the type, version. Unfortunately, they are in
- * the input buffer ahead of the plaintext. */
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- additionalSrc -= DTLS_HANDSHAKE_EXTRA;
- }
- #endif
- XMEMCPY(ssl->encrypt.additional + AEAD_TYPE_OFFSET,
- additionalSrc, 3);
- /* Store the length of the plain text minus the explicit
- * IV length minus the authentication tag size. */
- c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
- ssl->encrypt.additional + AEAD_LEN_OFFSET);
- #if !defined(NO_PUBLIC_GCM_SET_IV) && \
- ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
- (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))
- XMEMCPY(ssl->encrypt.nonce,
- ssl->keys.aead_enc_imp_IV, AESGCM_IMP_IV_SZ);
- XMEMCPY(ssl->encrypt.nonce + AESGCM_IMP_IV_SZ,
- ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ);
- #endif
- #ifdef HAVE_PK_CALLBACKS
- ret = NOT_COMPILED_IN;
- if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) {
- ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 1,
- out + AESGCM_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ,
- sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
- ssl->encrypt.nonce, AESGCM_NONCE_SZ,
- out + sz - ssl->specs.aead_mac_size,
- ssl->specs.aead_mac_size,
- ssl->encrypt.additional, AEAD_AUTH_DATA_SZ);
- }
- if (ret == NOT_COMPILED_IN)
- #endif /* HAVE_PK_CALLBACKS */
- {
- ret = aes_auth_fn(ssl->encrypt.aes,
- out + AESGCM_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ,
- sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
- ssl->encrypt.nonce, AESGCM_NONCE_SZ,
- out + sz - ssl->specs.aead_mac_size,
- ssl->specs.aead_mac_size,
- ssl->encrypt.additional, AEAD_AUTH_DATA_SZ);
- }
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E && asyncOkay) {
- ret = wolfSSL_AsyncPush(ssl, asyncDev);
- }
- #endif
- #if !defined(NO_PUBLIC_GCM_SET_IV) && \
- ((!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \
- (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
- XMEMCPY(out,
- ssl->encrypt.nonce + AESGCM_IMP_IV_SZ, AESGCM_EXP_IV_SZ);
- #endif
- }
- break;
- #endif /* BUILD_AESGCM || HAVE_AESCCM */
- #ifdef HAVE_CAMELLIA
- case wolfssl_camellia:
- ret = wc_CamelliaCbcEncrypt(ssl->encrypt.cam, out, input, sz);
- break;
- #endif
- #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && \
- !defined(NO_CHAPOL_AEAD)
- case wolfssl_chacha:
- ret = ChachaAEADEncrypt(ssl, out, input, sz);
- break;
- #endif
- #ifdef HAVE_NULL_CIPHER
- case wolfssl_cipher_null:
- if (input != out) {
- XMEMMOVE(out, input, sz);
- }
- break;
- #endif
- default:
- WOLFSSL_MSG("wolfSSL Encrypt programming error");
- ret = ENCRYPT_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* if async is not okay, then block */
- if (ret == WC_PENDING_E && !asyncOkay) {
- ret = wc_AsyncWait(ret, asyncDev, event_flags);
- }
- #endif
- return ret;
- }
- static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
- word16 sz, int asyncOkay)
- {
- int ret = 0;
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->error == WC_PENDING_E) {
- ssl->error = 0; /* clear async */
- }
- #endif
- switch (ssl->encrypt.state) {
- case CIPHER_STATE_BEGIN:
- {
- if (ssl->encrypt.setup == 0) {
- WOLFSSL_MSG("Encrypt ciphers not setup");
- WOLFSSL_ERROR_VERBOSE(ENCRYPT_ERROR);
- return ENCRYPT_ERROR;
- }
- #ifdef WOLFSSL_CIPHER_TEXT_CHECK
- if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) {
- XMEMCPY(ssl->encrypt.sanityCheck, input,
- min(sz, sizeof(ssl->encrypt.sanityCheck)));
- }
- #endif
- #ifdef HAVE_FUZZER
- if (ssl->fuzzerCb)
- ssl->fuzzerCb(ssl, input, sz, FUZZ_ENCRYPT, ssl->fuzzerCtx);
- #endif
- #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
- /* make sure AES GCM/CCM memory is allocated */
- /* free for these happens in FreeCiphers */
- if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm ||
- ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) {
- /* make sure auth iv and auth are allocated */
- if (ssl->encrypt.additional == NULL)
- ssl->encrypt.additional = (byte*)XMALLOC(AEAD_AUTH_DATA_SZ,
- ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
- if (ssl->encrypt.nonce == NULL) {
- ssl->encrypt.nonce = (byte*)XMALLOC(AESGCM_NONCE_SZ,
- ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- if (ssl->encrypt.nonce != NULL) {
- wc_MemZero_Add("Encrypt nonce", ssl->encrypt.nonce,
- AESGCM_NONCE_SZ);
- }
- #endif
- }
- if (ssl->encrypt.additional == NULL ||
- ssl->encrypt.nonce == NULL) {
- return MEMORY_E;
- }
- }
- #endif /* BUILD_AESGCM || HAVE_AESCCM */
- /* Advance state and proceed */
- ssl->encrypt.state = CIPHER_STATE_DO;
- }
- FALL_THROUGH;
- case CIPHER_STATE_DO:
- {
- ret = EncryptDo(ssl, out, input, sz, asyncOkay);
- /* Advance state */
- ssl->encrypt.state = CIPHER_STATE_END;
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* If pending, then leave and return will resume below */
- if (ret == WC_PENDING_E) {
- return ret;
- }
- #endif
- }
- FALL_THROUGH;
- case CIPHER_STATE_END:
- {
- #ifdef WOLFSSL_CIPHER_TEXT_CHECK
- if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
- XMEMCMP(out, ssl->encrypt.sanityCheck,
- min(sz, sizeof(ssl->encrypt.sanityCheck))) == 0) {
- WOLFSSL_MSG("Encrypt sanity check failed! Glitch?");
- WOLFSSL_ERROR_VERBOSE(ENCRYPT_ERROR);
- return ENCRYPT_ERROR;
- }
- ForceZero(ssl->encrypt.sanityCheck,
- sizeof(ssl->encrypt.sanityCheck));
- #endif
- #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
- if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm ||
- ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm)
- {
- /* finalize authentication cipher */
- #if !defined(NO_PUBLIC_GCM_SET_IV) && \
- ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
- (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))
- AeadIncrementExpIV(ssl);
- #endif
- if (ssl->encrypt.nonce)
- ForceZero(ssl->encrypt.nonce, AESGCM_NONCE_SZ);
- }
- #endif /* BUILD_AESGCM || HAVE_AESCCM */
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- if ((ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) &&
- (out != input) && (ret == 0)) {
- wc_MemZero_Add("TLS Encrypt plaintext", input, sz);
- }
- #endif
- break;
- }
- default:
- break;
- }
- /* Reset state */
- ssl->encrypt.state = CIPHER_STATE_BEGIN;
- return ret;
- }
- static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
- word16 sz)
- {
- int ret = 0;
- (void)plain;
- (void)input;
- (void)sz;
- switch (ssl->specs.bulk_cipher_algorithm)
- {
- #ifdef BUILD_ARC4
- case wolfssl_rc4:
- wc_Arc4Process(ssl->decrypt.arc4, plain, input, sz);
- break;
- #endif
- #ifdef BUILD_DES3
- case wolfssl_triple_des:
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.des3->asyncDev,
- WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- break;
- #endif
- ret = wc_Des3_CbcDecrypt(ssl->decrypt.des3, plain, input, sz);
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.des3->asyncDev);
- }
- #endif
- break;
- #endif
- #if defined(BUILD_AES) && defined(HAVE_AES_CBC)
- case wolfssl_aes:
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
- WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- break;
- #endif
- ret = wc_AesCbcDecrypt(ssl->decrypt.aes, plain, input, sz);
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev);
- }
- #endif
- break;
- #endif
- #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
- case wolfssl_aes_gcm:
- case wolfssl_aes_ccm: /* GCM AEAD macros use same size as CCM */
- {
- wc_AesAuthDecryptFunc aes_auth_fn;
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
- WC_ASYNC_FLAG_CALL_AGAIN);
- if (ret != 0)
- break;
- #endif
- #if defined(BUILD_AESGCM) && defined(HAVE_AESCCM)
- aes_auth_fn = (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm)
- ? wc_AesGcmDecrypt : wc_AesCcmDecrypt;
- #elif defined(BUILD_AESGCM)
- aes_auth_fn = wc_AesGcmDecrypt;
- #else
- aes_auth_fn = wc_AesCcmDecrypt;
- #endif
- XMEMSET(ssl->decrypt.additional, 0, AEAD_AUTH_DATA_SZ);
- /* sequence number field is 64-bits */
- WriteSEQ(ssl, PEER_ORDER, ssl->decrypt.additional);
- ssl->decrypt.additional[AEAD_TYPE_OFFSET] = ssl->curRL.type;
- ssl->decrypt.additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
- ssl->decrypt.additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
- c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
- ssl->decrypt.additional + AEAD_LEN_OFFSET);
- #if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
- if (ssl->options.dtls && IsDtlsMsgSCRKeys(ssl))
- XMEMCPY(ssl->decrypt.nonce,
- ssl->secure_renegotiation->tmp_keys.aead_dec_imp_IV,
- AESGCM_IMP_IV_SZ);
- else
- #endif
- XMEMCPY(ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV,
- AESGCM_IMP_IV_SZ);
- XMEMCPY(ssl->decrypt.nonce + AESGCM_IMP_IV_SZ, input,
- AESGCM_EXP_IV_SZ);
- #ifdef HAVE_PK_CALLBACKS
- ret = NOT_COMPILED_IN;
- if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) {
- ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 0,
- plain + AESGCM_EXP_IV_SZ,
- input + AESGCM_EXP_IV_SZ,
- sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
- ssl->decrypt.nonce, AESGCM_NONCE_SZ,
- (byte *)(input + sz - ssl->specs.aead_mac_size),
- ssl->specs.aead_mac_size,
- ssl->decrypt.additional, AEAD_AUTH_DATA_SZ);
- }
- if (ret == NOT_COMPILED_IN)
- #endif /* HAVE_PK_CALLBACKS */
- {
- if ((ret = aes_auth_fn(ssl->decrypt.aes,
- plain + AESGCM_EXP_IV_SZ,
- input + AESGCM_EXP_IV_SZ,
- sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
- ssl->decrypt.nonce, AESGCM_NONCE_SZ,
- input + sz - ssl->specs.aead_mac_size,
- ssl->specs.aead_mac_size,
- ssl->decrypt.additional, AEAD_AUTH_DATA_SZ)) < 0) {
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl,
- &ssl->decrypt.aes->asyncDev);
- }
- #endif
- }
- }
- }
- break;
- #endif /* BUILD_AESGCM || HAVE_AESCCM */
- #ifdef HAVE_CAMELLIA
- case wolfssl_camellia:
- ret = wc_CamelliaCbcDecrypt(ssl->decrypt.cam, plain, input, sz);
- break;
- #endif
- #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && \
- !defined(NO_CHAPOL_AEAD)
- case wolfssl_chacha:
- ret = ChachaAEADDecrypt(ssl, plain, input, sz);
- break;
- #endif
- #ifdef HAVE_NULL_CIPHER
- case wolfssl_cipher_null:
- if (input != plain) {
- XMEMMOVE(plain, input, sz);
- }
- break;
- #endif
- default:
- WOLFSSL_MSG("wolfSSL Decrypt programming error");
- WOLFSSL_ERROR_VERBOSE(DECRYPT_ERROR);
- ret = DECRYPT_ERROR;
- }
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- if ((ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) &&
- (ret == 0)) {
- wc_MemZero_Add("Decrypted data", plain, sz);
- }
- #endif
- return ret;
- }
- static int DecryptTls(WOLFSSL* ssl, byte* plain, const byte* input, word16 sz)
- {
- int ret = 0;
- #ifdef WOLFSSL_ASYNC_CRYPT
- ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state);
- if (ret != WC_NOT_PENDING_E) {
- /* check for still pending */
- if (ret == WC_PENDING_E)
- return ret;
- ssl->error = 0; /* clear async */
- /* let failures through so CIPHER_STATE_END logic is run */
- }
- else
- #endif
- {
- /* Reset state */
- ret = 0;
- ssl->decrypt.state = CIPHER_STATE_BEGIN;
- }
- switch (ssl->decrypt.state) {
- case CIPHER_STATE_BEGIN:
- {
- if (ssl->decrypt.setup == 0) {
- WOLFSSL_MSG("Decrypt ciphers not setup");
- WOLFSSL_ERROR_VERBOSE(DECRYPT_ERROR);
- return DECRYPT_ERROR;
- }
- #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
- /* make sure AES GCM/CCM memory is allocated */
- /* free for these happens in FreeCiphers */
- if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm ||
- ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) {
- /* make sure auth iv and auth are allocated */
- if (ssl->decrypt.additional == NULL)
- ssl->decrypt.additional = (byte*)XMALLOC(AEAD_AUTH_DATA_SZ,
- ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
- if (ssl->decrypt.nonce == NULL) {
- ssl->decrypt.nonce = (byte*)XMALLOC(AESGCM_NONCE_SZ,
- ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- if (ssl->decrypt.nonce != NULL) {
- wc_MemZero_Add("DecryptTls nonce", ssl->decrypt.nonce,
- AESGCM_NONCE_SZ);
- }
- #endif
- }
- if (ssl->decrypt.additional == NULL ||
- ssl->decrypt.nonce == NULL) {
- return MEMORY_E;
- }
- }
- #endif /* BUILD_AESGCM || HAVE_AESCCM */
- /* Advance state and proceed */
- ssl->decrypt.state = CIPHER_STATE_DO;
- }
- FALL_THROUGH;
- case CIPHER_STATE_DO:
- {
- #if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
- if (ssl->options.dtls && DtlsSCRKeysSet(ssl)) {
- /* For epochs >1 the current cipher parameters are located in
- * ssl->secure_renegotiation->tmp_keys. Previous cipher
- * parameters and for epoch 1 use ssl->keys */
- if (ssl->keys.curEpoch ==
- ssl->secure_renegotiation->tmp_keys.dtls_epoch) {
- if (ssl->decrypt.src != SCR) {
- ssl->secure_renegotiation->cache_status =
- SCR_CACHE_NEEDED;
- if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
- break;
- }
- }
- else {
- if (ssl->decrypt.src != KEYS) {
- ssl->secure_renegotiation->cache_status =
- SCR_CACHE_NULL;
- if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
- break;
- }
- }
- }
- #endif
- ret = DecryptDo(ssl, plain, input, sz);
- /* Advance state */
- ssl->decrypt.state = CIPHER_STATE_END;
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* If pending, leave and return below */
- if (ret == WC_PENDING_E) {
- return ret;
- }
- #endif
- }
- FALL_THROUGH;
- case CIPHER_STATE_END:
- {
- #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
- /* make sure AES GCM/CCM nonce is cleared */
- if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm ||
- ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) {
- if (ssl->decrypt.nonce)
- ForceZero(ssl->decrypt.nonce, AESGCM_NONCE_SZ);
- if (ret < 0) {
- ret = VERIFY_MAC_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- #endif /* BUILD_AESGCM || HAVE_AESCCM */
- break;
- }
- default:
- break;
- }
- /* Reset state */
- ssl->decrypt.state = CIPHER_STATE_BEGIN;
- return ret;
- }
- #endif /* !WOLFSSL_NO_TLS12 */
- /* Check conditions for a cipher to have an explicit IV.
- *
- * ssl The SSL/TLS object.
- * returns 1 if the cipher in use has an explicit IV and 0 otherwise.
- */
- static WC_INLINE int CipherHasExpIV(WOLFSSL *ssl)
- {
- #ifdef WOLFSSL_TLS13
- if (ssl->options.tls1_3)
- return 0;
- #endif
- return (ssl->specs.cipher_type == aead) &&
- (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha);
- }
- /* check cipher text size for sanity */
- static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz)
- {
- #ifdef HAVE_TRUNCATED_HMAC
- word32 minLength = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ
- : ssl->specs.hash_size;
- #else
- word32 minLength = ssl->specs.hash_size; /* covers stream */
- #endif
- #ifndef WOLFSSL_AEAD_ONLY
- if (ssl->specs.cipher_type == block) {
- #ifdef HAVE_ENCRYPT_THEN_MAC
- if (ssl->options.startedETMRead) {
- if ((encryptSz - MacSize(ssl)) % ssl->specs.block_size) {
- WOLFSSL_MSG("Block ciphertext not block size");
- WOLFSSL_ERROR_VERBOSE(SANITY_CIPHER_E);
- return SANITY_CIPHER_E;
- }
- }
- else
- #endif
- if (encryptSz % ssl->specs.block_size) {
- WOLFSSL_MSG("Block ciphertext not block size");
- WOLFSSL_ERROR_VERBOSE(SANITY_CIPHER_E);
- return SANITY_CIPHER_E;
- }
- minLength++; /* pad byte */
- if (ssl->specs.block_size > minLength)
- minLength = ssl->specs.block_size;
- if (ssl->options.tls1_1)
- minLength += ssl->specs.block_size; /* explicit IV */
- }
- else
- #endif
- if (ssl->specs.cipher_type == aead) {
- minLength = ssl->specs.aead_mac_size; /* authTag size */
- if (CipherHasExpIV(ssl))
- minLength += AESGCM_EXP_IV_SZ; /* explicit IV */
- }
- if (encryptSz < minLength) {
- WOLFSSL_MSG("Ciphertext not minimum size");
- WOLFSSL_ERROR_VERBOSE(SANITY_CIPHER_E);
- return SANITY_CIPHER_E;
- }
- return 0;
- }
- #ifndef WOLFSSL_AEAD_ONLY
- #ifdef WOLSSL_OLD_TIMINGPADVERIFY
- #define COMPRESS_LOWER 64
- #define COMPRESS_UPPER 55
- #define COMPRESS_CONSTANT 13
- #ifndef NO_OLD_TLS
- static WC_INLINE void Md5Rounds(int rounds, const byte* data, int sz)
- {
- wc_Md5 md5;
- int i;
- wc_InitMd5(&md5); /* no error check on purpose, dummy round */
- for (i = 0; i < rounds; i++)
- wc_Md5Update(&md5, data, sz);
- wc_Md5Free(&md5); /* in case needed to release resources */
- }
- /* do a dummy sha round */
- static WC_INLINE void ShaRounds(int rounds, const byte* data, int sz)
- {
- wc_Sha sha;
- int i;
- wc_InitSha(&sha); /* no error check on purpose, dummy round */
- for (i = 0; i < rounds; i++)
- wc_ShaUpdate(&sha, data, sz);
- wc_ShaFree(&sha); /* in case needed to release resources */
- }
- #endif
- #ifndef NO_SHA256
- static WC_INLINE void Sha256Rounds(int rounds, const byte* data, int sz)
- {
- wc_Sha256 sha256;
- int i;
- wc_InitSha256(&sha256); /* no error check on purpose, dummy round */
- for (i = 0; i < rounds; i++) {
- wc_Sha256Update(&sha256, data, sz);
- /* no error check on purpose, dummy round */
- }
- wc_Sha256Free(&sha256); /* in case needed to release resources */
- }
- #endif
- #ifdef WOLFSSL_SHA384
- static WC_INLINE void Sha384Rounds(int rounds, const byte* data, int sz)
- {
- wc_Sha384 sha384;
- int i;
- wc_InitSha384(&sha384); /* no error check on purpose, dummy round */
- for (i = 0; i < rounds; i++) {
- wc_Sha384Update(&sha384, data, sz);
- /* no error check on purpose, dummy round */
- }
- wc_Sha384Free(&sha384); /* in case needed to release resources */
- }
- #endif
- #ifdef WOLFSSL_SHA512
- static WC_INLINE void Sha512Rounds(int rounds, const byte* data, int sz)
- {
- wc_Sha512 sha512;
- int i;
- wc_InitSha512(&sha512); /* no error check on purpose, dummy round */
- for (i = 0; i < rounds; i++) {
- wc_Sha512Update(&sha512, data, sz);
- /* no error check on purpose, dummy round */
- }
- wc_Sha512Free(&sha512); /* in case needed to release resources */
- }
- #endif
- #ifdef WOLFSSL_RIPEMD
- static WC_INLINE void RmdRounds(int rounds, const byte* data, int sz)
- {
- RipeMd ripemd;
- int i;
- wc_InitRipeMd(&ripemd);
- for (i = 0; i < rounds; i++)
- wc_RipeMdUpdate(&ripemd, data, sz);
- }
- #endif
- /* Do dummy rounds */
- static WC_INLINE void DoRounds(int type, int rounds, const byte* data, int sz)
- {
- (void)rounds;
- (void)data;
- (void)sz;
- switch (type) {
- case no_mac :
- break;
- #ifndef NO_OLD_TLS
- #ifndef NO_MD5
- case md5_mac :
- Md5Rounds(rounds, data, sz);
- break;
- #endif
- #ifndef NO_SHA
- case sha_mac :
- ShaRounds(rounds, data, sz);
- break;
- #endif
- #endif
- #ifndef NO_SHA256
- case sha256_mac :
- Sha256Rounds(rounds, data, sz);
- break;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac :
- Sha384Rounds(rounds, data, sz);
- break;
- #endif
- #ifdef WOLFSSL_SHA512
- case sha512_mac :
- Sha512Rounds(rounds, data, sz);
- break;
- #endif
- #ifdef WOLFSSL_RIPEMD
- case rmd_mac :
- RmdRounds(rounds, data, sz);
- break;
- #endif
- default:
- WOLFSSL_MSG("Bad round type");
- break;
- }
- }
- /* do number of compression rounds on dummy data */
- static WC_INLINE void CompressRounds(WOLFSSL* ssl, int rounds, const byte* dummy)
- {
- if (rounds)
- DoRounds(ssl->specs.mac_algorithm, rounds, dummy, COMPRESS_LOWER);
- }
- /* check all length bytes for the pad value, return 0 on success */
- static int PadCheck(const byte* a, byte pad, int length)
- {
- int i;
- int compareSum = 0;
- for (i = 0; i < length; i++) {
- compareSum |= a[i] ^ pad;
- }
- return compareSum;
- }
- /* get compression extra rounds */
- static WC_INLINE int GetRounds(int pLen, int padLen, int t)
- {
- int roundL1 = 1; /* round up flags */
- int roundL2 = 1;
- int L1 = COMPRESS_CONSTANT + pLen - t;
- int L2 = COMPRESS_CONSTANT + pLen - padLen - 1 - t;
- L1 -= COMPRESS_UPPER;
- L2 -= COMPRESS_UPPER;
- if ( (L1 % COMPRESS_LOWER) == 0)
- roundL1 = 0;
- if ( (L2 % COMPRESS_LOWER) == 0)
- roundL2 = 0;
- L1 /= COMPRESS_LOWER;
- L2 /= COMPRESS_LOWER;
- L1 += roundL1;
- L2 += roundL2;
- return L1 - L2;
- }
- /* timing resistant pad/verify check, return 0 on success */
- int TimingPadVerify(WOLFSSL* ssl, const byte* input, int padLen, int t,
- int pLen, int content)
- {
- byte verify[WC_MAX_DIGEST_SIZE];
- byte dmy[sizeof(WOLFSSL) >= MAX_PAD_SIZE ? 1 : MAX_PAD_SIZE] = {0};
- byte* dummy = sizeof(dmy) < MAX_PAD_SIZE ? (byte*) ssl : dmy;
- int ret = 0;
- (void)dmy;
- if ( (t + padLen + 1) > pLen) {
- WOLFSSL_MSG("Plain Len not long enough for pad/mac");
- PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE);
- /* still compare */
- ssl->hmac(ssl, verify, input, pLen - t, -1, content, 1, PEER_ORDER);
- ConstantCompare(verify, input + pLen - t, t);
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- if (PadCheck(input + pLen - (padLen + 1), (byte)padLen, padLen + 1) != 0) {
- WOLFSSL_MSG("PadCheck failed");
- PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE - padLen - 1);
- /* still compare */
- ssl->hmac(ssl, verify, input, pLen - t, -1, content, 1, PEER_ORDER);
- ConstantCompare(verify, input + pLen - t, t);
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE - padLen - 1);
- ret = ssl->hmac(ssl, verify, input, pLen - padLen - 1 - t, -1, content,
- 1, PEER_ORDER);
- CompressRounds(ssl, GetRounds(pLen, padLen, t), dummy);
- if (ConstantCompare(verify, input + (pLen - padLen - 1 - t), t) != 0) {
- WOLFSSL_MSG("Verify MAC compare failed");
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- /* treat any failure as verify MAC error */
- if (ret != 0) {
- ret = VERIFY_MAC_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- return ret;
- }
- #else
- #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY)
- /* check all length bytes for the pad value, return 0 on success */
- static int PadCheck(const byte* a, byte pad, int length)
- {
- int i;
- int compareSum = 0;
- for (i = 0; i < length; i++) {
- compareSum |= a[i] ^ pad;
- }
- return compareSum;
- }
- /* Mask the padding bytes with the expected values.
- * Constant time implementation - does maximum pad size possible.
- *
- * data Message data.
- * sz Size of the message including MAC and padding and padding length.
- * macSz Size of the MAC.
- * returns 0 on success, otherwise failure.
- */
- static byte MaskPadding(const byte* data, int sz, int macSz)
- {
- int i;
- int checkSz = sz - 1;
- byte paddingSz = data[sz - 1];
- byte good = ctMaskGT(paddingSz, sz - 1 - macSz);
- if (checkSz > TLS_MAX_PAD_SZ)
- checkSz = TLS_MAX_PAD_SZ;
- for (i = 0; i < checkSz; i++) {
- byte mask = ctMaskLTE(i, paddingSz);
- good |= mask & (data[sz - 1 - i] ^ paddingSz);
- }
- return good;
- }
- /* Mask the MAC in the message with the MAC calculated.
- * Constant time implementation - starts looking for MAC where maximum padding
- * size has it.
- *
- * data Message data.
- * sz Size of the message including MAC and padding and padding length.
- * macSz Size of the MAC data.
- * expMac Expected MAC value.
- * returns 0 on success, otherwise failure.
- */
- static byte MaskMac(const byte* data, int sz, int macSz, byte* expMac)
- {
- int i, j;
- unsigned char mac[WC_MAX_DIGEST_SIZE];
- int scanStart = sz - 1 - TLS_MAX_PAD_SZ - macSz;
- int macEnd = sz - 1 - data[sz - 1];
- int macStart = macEnd - macSz;
- int r = 0;
- unsigned char started, notEnded;
- unsigned char good = 0;
- scanStart &= ctMaskIntGTE(scanStart, 0);
- macStart &= ctMaskIntGTE(macStart, 0);
- /* Div on Intel has different speeds depending on value.
- * Use a bitwise AND or mod a specific value (converted to mul). */
- if ((macSz & (macSz - 1)) == 0)
- r = (macSz - (scanStart - macStart)) & (macSz - 1);
- #ifndef NO_SHA
- else if (macSz == WC_SHA_DIGEST_SIZE)
- r = (macSz - (scanStart - macStart)) % WC_SHA_DIGEST_SIZE;
- #endif
- #ifdef WOLFSSL_SHA384
- else if (macSz == WC_SHA384_DIGEST_SIZE)
- r = (macSz - (scanStart - macStart)) % WC_SHA384_DIGEST_SIZE;
- #endif
- XMEMSET(mac, 0, macSz);
- for (i = scanStart; i < sz; i += macSz) {
- for (j = 0; j < macSz && j + i < sz; j++) {
- started = ctMaskGTE(i + j, macStart);
- notEnded = ctMaskLT(i + j, macEnd);
- mac[j] |= started & notEnded & data[i + j];
- }
- }
- if ((macSz & (macSz - 1)) == 0) {
- for (i = 0; i < macSz; i++)
- good |= expMac[i] ^ mac[(i + r) & (macSz - 1)];
- }
- #ifndef NO_SHA
- else if (macSz == WC_SHA_DIGEST_SIZE) {
- for (i = 0; i < macSz; i++)
- good |= expMac[i] ^ mac[(i + r) % WC_SHA_DIGEST_SIZE];
- }
- #endif
- #ifdef WOLFSSL_SHA384
- else if (macSz == WC_SHA384_DIGEST_SIZE) {
- for (i = 0; i < macSz; i++)
- good |= expMac[i] ^ mac[(i + r) % WC_SHA384_DIGEST_SIZE];
- }
- #endif
- return good;
- }
- /* timing resistant pad/verify check, return 0 on success */
- int TimingPadVerify(WOLFSSL* ssl, const byte* input, int padLen, int macSz,
- int pLen, int content)
- {
- byte verify[WC_MAX_DIGEST_SIZE];
- byte good;
- int ret = 0;
- good = MaskPadding(input, pLen, macSz);
- /* 4th argument has potential to underflow, ssl->hmac function should
- * either increment the size by (macSz + padLen + 1) before use or check on
- * the size to make sure is valid. */
- ret = ssl->hmac(ssl, verify, input, pLen - macSz - padLen - 1, padLen,
- content, 1, PEER_ORDER);
- good |= MaskMac(input, pLen, ssl->specs.hash_size, verify);
- /* Non-zero on failure. */
- good = (byte)~(word32)good;
- good &= good >> 4;
- good &= good >> 2;
- good &= good >> 1;
- /* Make ret negative on masking failure. */
- ret -= 1 - good;
- /* Treat any failure as verify MAC error. */
- if (ret != 0) {
- ret = VERIFY_MAC_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- return ret;
- }
- #endif /* !WOLFSSL_NO_TLS12 && !WOLFSSL_AEAD_ONLY */
- #endif /* WOLSSL_OLD_TIMINGPADVERIFY */
- #endif /* WOLFSSL_AEAD_ONLY */
- int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx, int sniff)
- {
- word32 msgSz = WOLFSSL_IS_QUIC(ssl)? ssl->curSize : ssl->keys.encryptSz;
- word32 idx = *inOutIdx;
- int dataSz;
- int ivExtra = 0;
- byte* rawData = input + idx; /* keep current for hmac */
- #ifdef HAVE_LIBZ
- byte decomp[MAX_RECORD_SIZE + MAX_COMP_EXTRA];
- #endif
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->options.tls1_3 && ssl->options.handShakeDone == 0) {
- int process = 0;
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- if ((ssl->earlyData != no_early_data) &&
- (ssl->options.clientState == CLIENT_HELLO_COMPLETE)) {
- process = 1;
- }
- if (!process) {
- WOLFSSL_MSG("Ignoring EarlyData!");
- *inOutIdx += ssl->curSize;
- if (*inOutIdx > ssl->buffers.inputBuffer.length)
- return BUFFER_E;
- return 0;
- }
- }
- if (!process) {
- WOLFSSL_MSG("Received App data before a handshake completed");
- if (sniff == NO_SNIFF) {
- SendAlert(ssl, alert_fatal, unexpected_message);
- }
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- }
- else
- #endif
- if (ssl->options.handShakeDone == 0) {
- WOLFSSL_MSG("Received App data before a handshake completed");
- if (sniff == NO_SNIFF) {
- SendAlert(ssl, alert_fatal, unexpected_message);
- }
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- #if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_TLS13_IGNORE_AEAD_LIMITS)
- /* Check if we want to invalidate old epochs. If
- * ssl->dtls13InvalidateBefore is set then we want to mark all old
- * epochs as encrypt only. This is done when we detect too many failed
- * decryptions. We do this here to confirm that the peer has updated its
- * keys and we can stop using the old keys. */
- if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version)) {
- if (!w64IsZero(ssl->dtls13InvalidateBefore) &&
- w64Equal(ssl->keys.curEpoch64, ssl->dtls13InvalidateBefore)) {
- Dtls13SetOlderEpochSide(ssl, ssl->dtls13InvalidateBefore,
- ENCRYPT_SIDE_ONLY);
- w64Zero(&ssl->dtls13InvalidateBefore);
- }
- }
- #endif
- #ifndef WOLFSSL_AEAD_ONLY
- if (ssl->specs.cipher_type == block) {
- if (ssl->options.tls1_1)
- ivExtra = ssl->specs.block_size;
- }
- else
- #endif
- if (ssl->specs.cipher_type == aead) {
- if (CipherHasExpIV(ssl))
- ivExtra = AESGCM_EXP_IV_SZ;
- }
- dataSz = msgSz - ivExtra - ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead)
- dataSz -= MacSize(ssl);
- #endif
- if (dataSz < 0) {
- WOLFSSL_MSG("App data buffer error, malicious input?");
- if (sniff == NO_SNIFF) {
- SendAlert(ssl, alert_fatal, unexpected_message);
- }
- WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR);
- return BUFFER_ERROR;
- }
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->earlyData > early_data_ext) {
- if (ssl->earlyDataSz + dataSz > ssl->options.maxEarlyDataSz) {
- if (sniff == NO_SNIFF) {
- SendAlert(ssl, alert_fatal, unexpected_message);
- }
- return WOLFSSL_FATAL_ERROR;
- }
- ssl->earlyDataSz += dataSz;
- }
- #endif
- /* read data */
- if (dataSz) {
- int rawSz = dataSz; /* keep raw size for idx adjustment */
- #ifdef HAVE_LIBZ
- if (ssl->options.usingCompression) {
- dataSz = myDeCompress(ssl, rawData, dataSz, decomp, sizeof(decomp));
- if (dataSz < 0) return dataSz;
- }
- #endif
- idx += rawSz;
- ssl->buffers.clearOutputBuffer.buffer = rawData;
- ssl->buffers.clearOutputBuffer.length = dataSz;
- }
- idx += ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead)
- idx += MacSize(ssl);
- #endif
- #ifdef HAVE_LIBZ
- /* decompress could be bigger, overwrite after verify */
- if (ssl->options.usingCompression)
- XMEMMOVE(rawData, decomp, dataSz);
- #endif
- *inOutIdx = idx;
- #ifdef HAVE_SECURE_RENEGOTIATION
- if (IsSCR(ssl)) {
- /* Reset the processReply state since
- * we finished processing this message. */
- ssl->options.processReply = doProcessInit;
- /* If we are in a secure renegotiation then APP DATA is treated
- * differently */
- return APP_DATA_READY;
- }
- #endif
- return 0;
- }
- const char* AlertTypeToString(int type)
- {
- switch (type) {
- case close_notify:
- {
- static const char close_notify_str[] =
- "close_notify";
- return close_notify_str;
- }
- case unexpected_message:
- {
- static const char unexpected_message_str[] =
- "unexpected_message";
- return unexpected_message_str;
- }
- case bad_record_mac:
- {
- static const char bad_record_mac_str[] =
- "bad_record_mac";
- return bad_record_mac_str;
- }
- case record_overflow:
- {
- static const char record_overflow_str[] =
- "record_overflow";
- return record_overflow_str;
- }
- case decompression_failure:
- {
- static const char decompression_failure_str[] =
- "decompression_failure";
- return decompression_failure_str;
- }
- case handshake_failure:
- {
- static const char handshake_failure_str[] =
- "handshake_failure";
- return handshake_failure_str;
- }
- case no_certificate:
- {
- static const char no_certificate_str[] =
- "no_certificate";
- return no_certificate_str;
- }
- case bad_certificate:
- {
- static const char bad_certificate_str[] =
- "bad_certificate";
- return bad_certificate_str;
- }
- case unsupported_certificate:
- {
- static const char unsupported_certificate_str[] =
- "unsupported_certificate";
- return unsupported_certificate_str;
- }
- case certificate_revoked:
- {
- static const char certificate_revoked_str[] =
- "certificate_revoked";
- return certificate_revoked_str;
- }
- case certificate_expired:
- {
- static const char certificate_expired_str[] =
- "certificate_expired";
- return certificate_expired_str;
- }
- case certificate_unknown:
- {
- static const char certificate_unknown_str[] =
- "certificate_unknown";
- return certificate_unknown_str;
- }
- case illegal_parameter:
- {
- static const char illegal_parameter_str[] =
- "illegal_parameter";
- return illegal_parameter_str;
- }
- case unknown_ca:
- {
- static const char unknown_ca_str[] =
- "unknown_ca";
- return unknown_ca_str;
- }
- case access_denied:
- {
- static const char access_denied_str[] =
- "access_denied";
- return access_denied_str;
- }
- case decode_error:
- {
- static const char decode_error_str[] =
- "decode_error";
- return decode_error_str;
- }
- case decrypt_error:
- {
- static const char decrypt_error_str[] =
- "decrypt_error";
- return decrypt_error_str;
- }
- case wolfssl_alert_protocol_version:
- {
- static const char protocol_version_str[] =
- "protocol_version";
- return protocol_version_str;
- }
- case insufficient_security:
- {
- static const char insufficient_security_str[] =
- "insufficient_security";
- return insufficient_security_str;
- }
- case internal_error:
- {
- static const char internal_error_str[] =
- "internal_error";
- return internal_error_str;
- }
- case user_canceled:
- {
- static const char user_canceled_str[] =
- "user_canceled";
- return user_canceled_str;
- }
- case no_renegotiation:
- {
- static const char no_renegotiation_str[] =
- "no_renegotiation";
- return no_renegotiation_str;
- }
- case unrecognized_name:
- {
- static const char unrecognized_name_str[] =
- "unrecognized_name";
- return unrecognized_name_str;
- }
- case bad_certificate_status_response:
- {
- static const char bad_certificate_status_response_str[] =
- "bad_certificate_status_response";
- return bad_certificate_status_response_str;
- }
- case no_application_protocol:
- {
- static const char no_application_protocol_str[] =
- "no_application_protocol";
- return no_application_protocol_str;
- }
- default:
- WOLFSSL_MSG("Unknown Alert");
- return NULL;
- }
- }
- static void LogAlert(int type)
- {
- #ifdef DEBUG_WOLFSSL
- const char* typeStr;
- char buff[60];
- typeStr = AlertTypeToString(type);
- if (typeStr != NULL) {
- XSNPRINTF(buff, sizeof(buff), "Alert type: %s", typeStr);
- WOLFSSL_MSG(buff);
- }
- #else
- (void)type;
- #endif /* DEBUG_WOLFSSL */
- }
- /* process alert, return level */
- static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type)
- {
- byte level;
- byte code;
- word32 dataSz = (word32)ssl->curSize;
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "Alert");
- if (ssl->toInfoOn) {
- /* add record header back on to info + alert bytes level/code */
- int ret = AddPacketInfo(ssl, "Alert", alert, input + *inOutIdx,
- ALERT_SIZE, READ_PROTO, RECORD_HEADER_SZ, ssl->heap);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_CALLBACKS
- AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
- #endif
- }
- #endif
- if (IsEncryptionOn(ssl, 0)) {
- int ivExtra = 0;
- #ifndef WOLFSSL_AEAD_ONLY
- if (ssl->specs.cipher_type == block) {
- if (ssl->options.tls1_1)
- ivExtra = ssl->specs.block_size;
- }
- else
- #endif
- if (ssl->specs.cipher_type == aead) {
- if (CipherHasExpIV(ssl))
- ivExtra = AESGCM_EXP_IV_SZ;
- }
- dataSz -= ivExtra;
- dataSz -= ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead)
- dataSz -= MacSize(ssl);
- #endif
- }
- /* make sure can read the message */
- if (dataSz != ALERT_SIZE) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- SendAlert(ssl, alert_fatal, unexpected_message);
- #endif
- return BUFFER_E;
- }
- level = input[(*inOutIdx)++];
- code = input[(*inOutIdx)++];
- ssl->alert_history.last_rx.code = code;
- ssl->alert_history.last_rx.level = level;
- *type = code;
- if (level == alert_fatal) {
- ssl->options.isClosed = 1; /* Don't send close_notify */
- }
- if (++ssl->options.alertCount >= WOLFSSL_ALERT_COUNT_MAX) {
- WOLFSSL_MSG("Alert count exceeded");
- #ifdef WOLFSSL_EXTRA_ALERTS
- if (level != alert_warning || code != close_notify)
- SendAlert(ssl, alert_fatal, unexpected_message);
- #endif
- WOLFSSL_ERROR_VERBOSE(ALERT_COUNT_E);
- return ALERT_COUNT_E;
- }
- LogAlert(*type);
- if (*type == close_notify) {
- ssl->options.closeNotify = 1;
- }
- else {
- /*
- * A close_notify alert doesn't mean there's been an error, so we only
- * add other types of alerts to the error queue
- */
- WOLFSSL_ERROR(*type);
- }
- if (IsEncryptionOn(ssl, 0)) {
- *inOutIdx += ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead)
- *inOutIdx += MacSize(ssl);
- #endif
- }
- return level;
- }
- static int GetInputData(WOLFSSL *ssl, word32 size)
- {
- int inSz;
- int maxLength;
- int usedLength;
- int dtlsExtra = 0;
- /* check max input length */
- usedLength = ssl->buffers.inputBuffer.length - ssl->buffers.inputBuffer.idx;
- maxLength = ssl->buffers.inputBuffer.bufferSize - usedLength;
- inSz = (int)(size - usedLength); /* from last partial read */
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- if (size < ssl->dtls_expected_rx)
- dtlsExtra = (int)(ssl->dtls_expected_rx - size);
- inSz = ssl->dtls_expected_rx;
- }
- #endif
- /* check that no lengths or size values are negative */
- if (usedLength < 0 || maxLength < 0 || inSz <= 0) {
- return BUFFER_ERROR;
- }
- if (inSz > maxLength) {
- if (GrowInputBuffer(ssl, size + dtlsExtra, usedLength) < 0)
- return MEMORY_E;
- }
- /* Put buffer data at start if not there */
- if (usedLength > 0 && ssl->buffers.inputBuffer.idx != 0)
- XMEMMOVE(ssl->buffers.inputBuffer.buffer,
- ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx,
- usedLength);
- /* remove processed data */
- ssl->buffers.inputBuffer.idx = 0;
- ssl->buffers.inputBuffer.length = usedLength;
- /* read data from network */
- do {
- int in = wolfSSLReceive(ssl,
- ssl->buffers.inputBuffer.buffer +
- ssl->buffers.inputBuffer.length,
- inSz);
- if (in == WANT_READ)
- return WANT_READ;
- if (in < 0) {
- WOLFSSL_ERROR_VERBOSE(SOCKET_ERROR_E);
- return SOCKET_ERROR_E;
- }
- if (in > inSz) {
- WOLFSSL_ERROR_VERBOSE(RECV_OVERFLOW_E);
- return RECV_OVERFLOW_E;
- }
- ssl->buffers.inputBuffer.length += in;
- inSz -= in;
- } while (ssl->buffers.inputBuffer.length < size);
- #ifdef WOLFSSL_DEBUG_TLS
- if (ssl->buffers.inputBuffer.idx == 0) {
- WOLFSSL_MSG("Data received");
- WOLFSSL_BUFFER(ssl->buffers.inputBuffer.buffer,
- ssl->buffers.inputBuffer.length);
- }
- #endif
- return 0;
- }
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- static WC_INLINE int VerifyMacEnc(WOLFSSL* ssl, const byte* input, word32 msgSz,
- int content)
- {
- int ret;
- #ifdef HAVE_TRUNCATED_HMAC
- word32 digestSz = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ
- : ssl->specs.hash_size;
- #else
- word32 digestSz = ssl->specs.hash_size;
- #endif
- byte verify[WC_MAX_DIGEST_SIZE];
- WOLFSSL_MSG("Verify MAC of Encrypted Data");
- if (msgSz < digestSz) {
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- ret = ssl->hmac(ssl, verify, input, msgSz - digestSz, -1, content, 1, PEER_ORDER);
- ret |= ConstantCompare(verify, input + msgSz - digestSz, digestSz);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- return 0;
- }
- #endif
- static WC_INLINE int VerifyMac(WOLFSSL* ssl, const byte* input, word32 msgSz,
- int content, word32* padSz)
- {
- #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY)
- int ret;
- word32 pad = 0;
- word32 padByte = 0;
- #ifdef HAVE_TRUNCATED_HMAC
- word32 digestSz = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ
- : ssl->specs.hash_size;
- #else
- word32 digestSz = ssl->specs.hash_size;
- #endif
- byte verify[WC_MAX_DIGEST_SIZE];
- if (ssl->specs.cipher_type == block) {
- int ivExtra = 0;
- if (ssl->options.tls1_1)
- ivExtra = ssl->specs.block_size;
- pad = *(input + msgSz - ivExtra - 1);
- padByte = 1;
- if (ssl->options.tls) {
- #if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS)
- ret = PROTOCOLCB_UNAVAILABLE;
- if(ssl->ctx->VerifyMacCb) {
- void* ctx = wolfSSL_GetVerifyMacCtx(ssl);
- ret = ssl->ctx->VerifyMacCb(ssl, input,
- (msgSz - ivExtra) - digestSz - pad - 1,
- digestSz, content, ctx);
- if (ret != 0 && ret != PROTOCOLCB_UNAVAILABLE) {
- return ret;
- }
- }
- if (!ssl->ctx->VerifyMacCb || ret == PROTOCOLCB_UNAVAILABLE)
- #endif
- ret = TimingPadVerify(ssl, input, pad, digestSz, msgSz - ivExtra,
- content);
- if (ret != 0)
- return ret;
- }
- else { /* sslv3, some implementations have bad padding, but don't
- * allow bad read */
- int badPadLen = 0;
- byte dmy[sizeof(WOLFSSL) >= MAX_PAD_SIZE ? 1 : MAX_PAD_SIZE];
- byte* dummy = sizeof(dmy) < MAX_PAD_SIZE ? (byte*) ssl : dmy;
- XMEMSET(dmy, 0, sizeof(dmy));
- if (pad > (msgSz - digestSz - 1)) {
- WOLFSSL_MSG("Plain Len not long enough for pad/mac");
- pad = 0; /* no bad read */
- badPadLen = 1;
- }
- (void)PadCheck(dummy, (byte)pad, MAX_PAD_SIZE); /* timing only */
- ret = ssl->hmac(ssl, verify, input, msgSz - digestSz - pad - 1,
- pad, content, 1, PEER_ORDER);
- if (ConstantCompare(verify, input + msgSz - digestSz - pad - 1,
- digestSz) != 0) {
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- if (ret != 0 || badPadLen) {
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- }
- }
- else if (ssl->specs.cipher_type == stream) {
- ret = ssl->hmac(ssl, verify, input, msgSz - digestSz, -1, content, 1,
- PEER_ORDER);
- if (ConstantCompare(verify, input + msgSz - digestSz, digestSz) != 0) {
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- }
- #endif /* !WOLFSSL_NO_TLS12 && !WOLFSSL_AEAD_ONLY */
- if (ssl->specs.cipher_type == aead) {
- *padSz = ssl->specs.aead_mac_size;
- }
- #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY)
- else {
- *padSz = digestSz + pad + padByte;
- }
- #endif /* !WOLFSSL_NO_TLS12 && !WOLFSSL_AEAD_ONLY */
- (void)input;
- (void)msgSz;
- (void)content;
- return 0;
- }
- #ifdef WOLFSSL_DTLS
- static int HandleDTLSDecryptFailed(WOLFSSL* ssl)
- {
- int ret = 0;
- #ifdef WOLFSSL_DTLS_DROP_STATS
- ssl->macDropCount++;
- #endif
- #if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_TLS13_IGNORE_AEAD_LIMITS)
- /* Handle AEAD limits specified by the RFC for failed decryption */
- if (IsAtLeastTLSv1_3(ssl->version))
- ret = Dtls13CheckAEADFailLimit(ssl);
- #endif
- (void)ssl;
- WOLFSSL_MSG("DTLS: Ignoring failed decryption");
- return ret;
- }
- static int DtlsShouldDrop(WOLFSSL* ssl, int retcode)
- {
- if (ssl->options.handShakeDone && !IsEncryptionOn(ssl, 0)) {
- WOLFSSL_MSG("Silently dropping plaintext DTLS message "
- "on established connection.");
- return 1;
- }
- if ((ssl->options.handShakeDone && retcode != 0)
- || retcode == SEQUENCE_ERROR || retcode == DTLS_CID_ERROR) {
- WOLFSSL_MSG_EX("Silently dropping DTLS message: %d", retcode);
- return 1;
- }
- #ifdef WOLFSSL_DTLS13
- if (IsAtLeastTLSv1_3(ssl->version) && !w64IsZero(ssl->dtls13Epoch)
- && w64IsZero(ssl->keys.curEpoch64) && ssl->curRL.type != ack) {
- WOLFSSL_MSG("Silently dropping plaintext DTLS message "
- "during encrypted handshake.");
- return 1;
- }
- #endif /* WOLFSSL_DTLS13 */
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_SERVER_END
- && ssl->curRL.type != handshake) {
- int beforeCookieVerified = 0;
- if (!IsAtLeastTLSv1_3(ssl->version)) {
- beforeCookieVerified =
- ssl->options.acceptState < ACCEPT_FIRST_REPLY_DONE;
- }
- #ifdef WOLFSSL_DTLS13
- else {
- beforeCookieVerified =
- ssl->options.acceptState < TLS13_ACCEPT_SECOND_REPLY_DONE;
- }
- #endif /* WOLFSSL_DTLS13 */
- if (beforeCookieVerified) {
- WOLFSSL_MSG("Drop non-handshake record before handshake");
- return 1;
- }
- }
- #endif /* NO_WOLFSSL_SERVER */
- return 0;
- }
- #endif /* WOLFSSL_DTLS */
- int ProcessReply(WOLFSSL* ssl)
- {
- return ProcessReplyEx(ssl, 0);
- }
- /* Process input requests. Return 0 is done, 1 is call again to complete, and
- negative number is error. If allowSocketErr is set, SOCKET_ERROR_E in
- ssl->error will be whitelisted. This is useful when the connection has been
- closed and the endpoint wants to check for an alert sent by the other end. */
- int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
- {
- int ret = 0, type = internal_error, readSz;
- int atomicUser = 0;
- word32 startIdx = 0;
- #if defined(WOLFSSL_DTLS)
- int used;
- #endif
- #ifdef ATOMIC_USER
- if (ssl->ctx->DecryptVerifyCb)
- atomicUser = 1;
- #endif
- if (ssl->error != 0 && ssl->error != WANT_READ && ssl->error != WANT_WRITE
- #ifdef HAVE_SECURE_RENEGOTIATION
- && ssl->error != APP_DATA_READY
- #endif
- #ifdef WOLFSSL_ASYNC_CRYPT
- && ssl->error != WC_PENDING_E
- #endif
- #ifdef WOLFSSL_NONBLOCK_OCSP
- && ssl->error != OCSP_WANT_READ
- #endif
- && (allowSocketErr != 1 || ssl->error != SOCKET_ERROR_E)
- ) {
- WOLFSSL_MSG("ProcessReply retry in error state, not allowed");
- return ssl->error;
- }
- /* If checking alert on error (allowSocketErr == 1) do not try and
- * process alerts for async or ocsp non blocking */
- #if defined(WOLFSSL_CHECK_ALERT_ON_ERR) && \
- (defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP))
- if (allowSocketErr == 1 && \
- (ssl->error == WC_PENDING_E || ssl->error == OCSP_WANT_READ)) {
- return ssl->error;
- }
- #endif
- #if defined(WOLFSSL_DTLS) && defined(WOLFSSL_ASYNC_CRYPT)
- /* process any pending DTLS messages - this flow can happen with async */
- if (ssl->dtls_rx_msg_list != NULL) {
- word32 pendingMsg = ssl->dtls_rx_msg_list_sz;
- if(IsAtLeastTLSv1_3(ssl->version)) {
- #ifdef WOLFSSL_DTLS13
- ret = Dtls13ProcessBufferedMessages(ssl);
- #else
- ret = NOT_COMPILED_IN;
- #endif /* WOLFSSL_DTLS13 */
- }
- else {
- ret = DtlsMsgDrain(ssl);
- }
- if (ret != 0) {
- WOLFSSL_ERROR(ret);
- return ret;
- }
- /* we processed some messages, return so connect/accept can make
- progress */
- if (ssl->dtls_rx_msg_list_sz != pendingMsg)
- return ret;
- }
- #endif
- ret = RetrySendAlert(ssl);
- if (ret != 0)
- return ret;
- for (;;) {
- switch (ssl->options.processReply) {
- /* in the WOLFSSL_SERVER case, get the first byte for detecting
- * old client hello */
- case doProcessInit:
- readSz = RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- readSz = DTLS_RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.tls1_3) {
- /* dtls1.3 unified header can be as little as 2 bytes */
- readSz = DTLS_UNIFIED_HEADER_MIN_SZ;
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- #endif
- /* get header or return error */
- if (!ssl->options.dtls) {
- if ((ret = GetInputData(ssl, readSz)) < 0)
- return ret;
- } else {
- #ifdef WOLFSSL_DTLS
- /* read ahead may already have header */
- used = ssl->buffers.inputBuffer.length -
- ssl->buffers.inputBuffer.idx;
- if (used < readSz) {
- if ((ret = GetInputData(ssl, readSz)) < 0)
- return ret;
- }
- #endif
- }
- #ifdef OLD_HELLO_ALLOWED
- /* see if sending SSLv2 client hello */
- if ( ssl->options.side == WOLFSSL_SERVER_END &&
- ssl->options.clientState == NULL_STATE &&
- ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx]
- != handshake) {
- byte b0, b1;
- ssl->options.processReply = runProcessOldClientHello;
- /* sanity checks before getting size at front */
- if (ssl->buffers.inputBuffer.buffer[
- ssl->buffers.inputBuffer.idx + OPAQUE16_LEN] != OLD_HELLO_ID) {
- WOLFSSL_MSG("Not a valid old client hello");
- WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
- return PARSE_ERROR;
- }
- if (ssl->buffers.inputBuffer.buffer[
- ssl->buffers.inputBuffer.idx + OPAQUE24_LEN] != SSLv3_MAJOR &&
- ssl->buffers.inputBuffer.buffer[
- ssl->buffers.inputBuffer.idx + OPAQUE24_LEN] != DTLS_MAJOR) {
- WOLFSSL_MSG("Not a valid version in old client hello");
- WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
- return PARSE_ERROR;
- }
- /* how many bytes need ProcessOldClientHello */
- b0 =
- ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++];
- b1 =
- ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++];
- ssl->curSize = (word16)(((b0 & 0x7f) << 8) | b1);
- }
- else {
- ssl->options.processReply = getRecordLayerHeader;
- continue;
- }
- FALL_THROUGH;
- /* in the WOLFSSL_SERVER case, run the old client hello */
- case runProcessOldClientHello:
- /* get sz bytes or return error */
- if (!ssl->options.dtls) {
- if ((ret = GetInputData(ssl, ssl->curSize)) < 0)
- return ret;
- } else {
- #ifdef WOLFSSL_DTLS
- /* read ahead may already have */
- used = ssl->buffers.inputBuffer.length -
- ssl->buffers.inputBuffer.idx;
- if (used < ssl->curSize)
- if ((ret = GetInputData(ssl, ssl->curSize - used)) < 0)
- return ret;
- #endif /* WOLFSSL_DTLS */
- }
- ret = ProcessOldClientHello(ssl, ssl->buffers.inputBuffer.buffer,
- &ssl->buffers.inputBuffer.idx,
- ssl->buffers.inputBuffer.length -
- ssl->buffers.inputBuffer.idx,
- ssl->curSize);
- if (ret < 0)
- return ret;
- else if (ssl->buffers.inputBuffer.idx ==
- ssl->buffers.inputBuffer.length) {
- ssl->options.processReply = doProcessInit;
- return 0;
- }
- #endif /* OLD_HELLO_ALLOWED */
- FALL_THROUGH;
- /* get the record layer header */
- case getRecordLayerHeader:
- /* DTLSv1.3 record numbers in the header are encrypted, and AAD
- * uses the unecrypted form. Because of this we need to modify the
- * header, decrypting the numbers inside
- * DtlsParseUnifiedRecordLayer(). This violates the const attribute
- * of the buffer parameter of GetRecordHeader() used here. */
- ret = GetRecordHeader(ssl, &ssl->buffers.inputBuffer.idx,
- &ssl->curRL, &ssl->curSize);
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls && DtlsShouldDrop(ssl, ret)) {
- ssl->options.processReply = doProcessInit;
- ssl->buffers.inputBuffer.length = 0;
- ssl->buffers.inputBuffer.idx = 0;
- #ifdef WOLFSSL_DTLS_DROP_STATS
- ssl->replayDropCount++;
- #endif /* WOLFSSL_DTLS_DROP_STATS */
- #ifdef WOLFSSL_DTLS13
- /* return to send ACKS and shortcut rtx timer */
- if (IsAtLeastTLSv1_3(ssl->version)
- && ssl->dtls13Rtx.sendAcks)
- return 0;
- #endif /* WOLFSSL_DTLS13 */
- continue;
- }
- #endif
- if (ret != 0) {
- switch (ret) {
- case VERSION_ERROR:
- /* send alert per RFC5246 Appendix E. Backward
- * Compatibility */
- if (ssl->options.side == WOLFSSL_CLIENT_END)
- SendAlert(ssl, alert_fatal,
- wolfssl_alert_protocol_version);
- break;
- #ifdef HAVE_MAX_FRAGMENT
- case LENGTH_ERROR:
- SendAlert(ssl, alert_fatal, record_overflow);
- break;
- #endif /* HAVE_MAX_FRAGMENT */
- default:
- break;
- }
- return ret;
- }
- #ifdef WOLFSSL_TLS13
- if (IsAtLeastTLSv1_3(ssl->version) && IsEncryptionOn(ssl, 0) &&
- ssl->curRL.type != application_data &&
- ssl->curRL.type != change_cipher_spec) {
- SendAlert(ssl, alert_fatal, unexpected_message);
- WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
- return PARSE_ERROR;
- }
- #endif
- ssl->options.processReply = getData;
- FALL_THROUGH;
- /* retrieve record layer data */
- case getData:
- /* get sz bytes or return error */
- if (!ssl->options.dtls) {
- if ((ret = GetInputData(ssl, ssl->curSize)) < 0) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- if (ret != WANT_READ)
- SendAlert(ssl, alert_fatal, bad_record_mac);
- #endif
- return ret;
- }
- }
- else {
- #ifdef WOLFSSL_DTLS
- /* read ahead may already have */
- used = ssl->buffers.inputBuffer.length -
- ssl->buffers.inputBuffer.idx;
- if (used < ssl->curSize)
- if ((ret = GetInputData(ssl, ssl->curSize)) < 0)
- return ret;
- #endif
- }
- if (IsEncryptionOn(ssl, 0)) {
- #if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS)
- int tooLong = 0;
- #endif
- #ifdef WOLFSSL_TLS13
- if (IsAtLeastTLSv1_3(ssl->version)) {
- tooLong = ssl->curSize > MAX_TLS13_ENC_SZ;
- tooLong |= ssl->curSize - ssl->specs.aead_mac_size >
- MAX_TLS13_PLAIN_SZ;
- }
- #endif
- #ifdef WOLFSSL_EXTRA_ALERTS
- if (!IsAtLeastTLSv1_3(ssl->version))
- tooLong = ssl->curSize > MAX_TLS_CIPHER_SZ;
- #endif
- #if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS)
- if (tooLong) {
- WOLFSSL_MSG("Encrypted data too long");
- SendAlert(ssl, alert_fatal, record_overflow);
- return BUFFER_ERROR;
- }
- #endif
- }
- ssl->keys.padSz = 0;
- ssl->options.processReply = verifyEncryptedMessage;
- startIdx = ssl->buffers.inputBuffer.idx; /* in case > 1 msg per */
- FALL_THROUGH;
- /* verify digest of encrypted message */
- case verifyEncryptedMessage:
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 &&
- !atomicUser && ssl->options.startedETMRead) {
- ret = VerifyMacEnc(ssl, ssl->buffers.inputBuffer.buffer +
- ssl->buffers.inputBuffer.idx,
- ssl->curSize, ssl->curRL.type);
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E)
- return ret;
- #endif
- if (ret < 0) {
- WOLFSSL_MSG("VerifyMacEnc failed");
- #ifdef WOLFSSL_DTLS
- /* If in DTLS mode, if the decrypt fails for any
- * reason, pretend the datagram never happened. */
- if (ssl->options.dtls) {
- ssl->options.processReply = doProcessInit;
- ssl->buffers.inputBuffer.idx =
- ssl->buffers.inputBuffer.length;
- return HandleDTLSDecryptFailed(ssl);
- }
- #endif /* WOLFSSL_DTLS */
- #ifdef WOLFSSL_EXTRA_ALERTS
- if (!ssl->options.dtls)
- SendAlert(ssl, alert_fatal, bad_record_mac);
- #endif
- WOLFSSL_ERROR_VERBOSE(DECRYPT_ERROR);
- return DECRYPT_ERROR;
- }
- ssl->keys.encryptSz = ssl->curSize;
- }
- #endif
- ssl->options.processReply = decryptMessage;
- FALL_THROUGH;
- /* decrypt message */
- case decryptMessage:
- if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 &&
- (!IsAtLeastTLSv1_3(ssl->version) ||
- ssl->curRL.type != change_cipher_spec))
- {
- bufferStatic* in = &ssl->buffers.inputBuffer;
- ret = SanityCheckCipherText(ssl, ssl->curSize);
- if (ret < 0) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- SendAlert(ssl, alert_fatal, bad_record_mac);
- #endif
- return ret;
- }
- if (atomicUser) {
- #ifdef ATOMIC_USER
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead) {
- ret = ssl->ctx->VerifyDecryptCb(ssl,
- in->buffer + in->idx, in->buffer + in->idx,
- ssl->curSize - MacSize(ssl),
- ssl->curRL.type, 1, &ssl->keys.padSz,
- ssl->DecryptVerifyCtx);
- }
- else
- #endif
- {
- ret = ssl->ctx->DecryptVerifyCb(ssl,
- in->buffer + in->idx,
- in->buffer + in->idx,
- ssl->curSize, ssl->curRL.type, 1,
- &ssl->keys.padSz, ssl->DecryptVerifyCtx);
- }
- #endif /* ATOMIC_USER */
- }
- else {
- if (!ssl->options.tls1_3) {
- #ifndef WOLFSSL_NO_TLS12
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead) {
- word32 digestSz = MacSize(ssl);
- ret = DecryptTls(ssl,
- in->buffer + in->idx,
- in->buffer + in->idx,
- ssl->curSize - (word16)digestSz);
- if (ret == 0) {
- byte invalid = 0;
- byte padding = (byte)-1;
- word32 i;
- word32 off = in->idx + ssl->curSize - digestSz - 1;
- /* Last of padding bytes - indicates length. */
- ssl->keys.padSz = in->buffer[off];
- /* Constant time checking of padding - don't leak
- * the length of the data.
- */
- /* Compare max pad bytes or at most data + pad. */
- for (i = 1; i < MAX_PAD_SIZE && off >= i; i++) {
- /* Mask on indicates this is expected to be a
- * padding byte.
- */
- padding &= ctMaskLTE(i, ssl->keys.padSz);
- /* When this is a padding byte and not equal
- * to length then mask is set.
- */
- invalid |= padding &
- ctMaskNotEq(in->buffer[off - i],
- ssl->keys.padSz);
- }
- /* If mask is set then there was an error. */
- if (invalid) {
- ret = DECRYPT_ERROR;
- }
- ssl->keys.padSz += 1;
- ssl->keys.decryptedCur = 1;
- }
- }
- else
- #endif
- {
- ret = DecryptTls(ssl,
- in->buffer + in->idx,
- in->buffer + in->idx,
- ssl->curSize);
- }
- #else
- ret = DECRYPT_ERROR;
- #endif
- }
- else
- {
- #ifdef WOLFSSL_TLS13
- byte *aad = (byte*)&ssl->curRL;
- word16 aad_size = RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- /* aad now points to the record header */
- aad = ssl->dtls13CurRL;
- aad_size = ssl->dtls13CurRlLength;
- }
- #endif /* WOLFSSL_DTLS13 */
- /* Don't send an alert for DTLS. We will just drop it
- * silently later. */
- ret = DecryptTls13(ssl,
- in->buffer + in->idx,
- in->buffer + in->idx,
- ssl->curSize,
- aad, aad_size);
- #else
- ret = DECRYPT_ERROR;
- #endif /* WOLFSSL_TLS13 */
- }
- (void)in;
- }
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E)
- return ret;
- #endif
- if (ret >= 0) {
- #ifndef WOLFSSL_NO_TLS12
- /* handle success */
- #ifndef WOLFSSL_AEAD_ONLY
- if (ssl->options.tls1_1 && ssl->specs.cipher_type == block)
- ssl->buffers.inputBuffer.idx += ssl->specs.block_size;
- #endif
- /* go past TLSv1.1 IV */
- if (CipherHasExpIV(ssl))
- ssl->buffers.inputBuffer.idx += AESGCM_EXP_IV_SZ;
- #endif
- }
- else {
- WOLFSSL_MSG("Decrypt failed");
- #ifdef WOLFSSL_DTLS
- /* If in DTLS mode, if the decrypt fails for any
- * reason, pretend the datagram never happened. */
- if (ssl->options.dtls) {
- ssl->options.processReply = doProcessInit;
- ssl->buffers.inputBuffer.idx =
- ssl->buffers.inputBuffer.length;
- return HandleDTLSDecryptFailed(ssl);
- }
- #endif /* WOLFSSL_DTLS */
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->options.tls1_3) {
- if (ssl->options.side == WOLFSSL_SERVER_END &&
- ssl->earlyData != no_early_data &&
- ssl->options.clientState <
- CLIENT_FINISHED_COMPLETE) {
- ssl->earlyDataSz += ssl->curSize;
- if (ssl->earlyDataSz <=
- ssl->options.maxEarlyDataSz) {
- WOLFSSL_MSG("Ignoring EarlyData!");
- if (ssl->keys.peer_sequence_number_lo-- == 0)
- ssl->keys.peer_sequence_number_hi--;
- ssl->options.processReply = doProcessInit;
- ssl->buffers.inputBuffer.idx += ssl->curSize;
- if (ssl->buffers.inputBuffer.idx >
- ssl->buffers.inputBuffer.length) {
- WOLFSSL_ERROR(BUFFER_E);
- return BUFFER_E;
- }
- return 0;
- }
- WOLFSSL_MSG("Too much EarlyData!");
- SendAlert(ssl, alert_fatal, unexpected_message);
- WOLFSSL_ERROR(TOO_MUCH_EARLY_DATA);
- return TOO_MUCH_EARLY_DATA;
- }
- }
- #endif
- SendAlert(ssl, alert_fatal, bad_record_mac);
- /* Push error once we know that we will error out here */
- WOLFSSL_ERROR(ret);
- return ret;
- }
- }
- ssl->options.processReply = verifyMessage;
- FALL_THROUGH;
- /* verify digest of message */
- case verifyMessage:
- if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 &&
- (!IsAtLeastTLSv1_3(ssl->version) ||
- ssl->curRL.type != change_cipher_spec))
- {
- if (!atomicUser
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- && !ssl->options.startedETMRead
- #endif
- ) {
- ret = VerifyMac(ssl, ssl->buffers.inputBuffer.buffer +
- ssl->buffers.inputBuffer.idx,
- ssl->curSize, ssl->curRL.type,
- &ssl->keys.padSz);
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E)
- return ret;
- #endif
- if (ret < 0) {
- #ifdef WOLFSSL_DTLS
- /* If in DTLS mode, if the decrypt fails for any
- * reason, pretend the datagram never happened. */
- if (ssl->options.dtls) {
- ssl->options.processReply = doProcessInit;
- ssl->buffers.inputBuffer.idx =
- ssl->buffers.inputBuffer.length;
- return HandleDTLSDecryptFailed(ssl);
- }
- #endif /* WOLFSSL_DTLS */
- #ifdef WOLFSSL_EXTRA_ALERTS
- if (!ssl->options.dtls)
- SendAlert(ssl, alert_fatal, bad_record_mac);
- #endif
- WOLFSSL_MSG("VerifyMac failed");
- WOLFSSL_ERROR_VERBOSE(DECRYPT_ERROR);
- return DECRYPT_ERROR;
- }
- }
- ssl->keys.encryptSz = ssl->curSize;
- ssl->keys.decryptedCur = 1;
- #ifdef WOLFSSL_TLS13
- if (ssl->options.tls1_3) {
- /* end of plaintext */
- word16 i = (word16)(ssl->buffers.inputBuffer.idx +
- ssl->curSize - ssl->specs.aead_mac_size);
- if (i > ssl->buffers.inputBuffer.length) {
- WOLFSSL_ERROR(BUFFER_ERROR);
- return BUFFER_ERROR;
- }
- /* Remove padding from end of plain text. */
- for (--i; i > ssl->buffers.inputBuffer.idx; i--) {
- if (ssl->buffers.inputBuffer.buffer[i] != 0)
- break;
- }
- /* Get the real content type from the end of the data. */
- ssl->curRL.type = ssl->buffers.inputBuffer.buffer[i];
- /* consider both contentType byte and MAC as padding */
- ssl->keys.padSz = ssl->buffers.inputBuffer.idx
- + ssl->curSize - i;
- }
- #endif
- }
- ssl->options.processReply = runProcessingOneRecord;
- FALL_THROUGH;
- /* the record layer is here */
- case runProcessingOneRecord:
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version)) {
- if(!Dtls13CheckWindow(ssl)) {
- /* drop packet */
- WOLFSSL_MSG(
- "Dropping DTLS record outside receiving window");
- ssl->options.processReply = doProcessInit;
- ssl->buffers.inputBuffer.idx += ssl->curSize;
- if (ssl->buffers.inputBuffer.idx >
- ssl->buffers.inputBuffer.length)
- return BUFFER_E;
- continue;
- }
- ret = Dtls13UpdateWindow(ssl);
- if (ret != 1) {
- WOLFSSL_ERROR(ret);
- return ret;
- }
- ret = Dtls13RecordRecvd(ssl);
- if (ret != 0) {
- WOLFSSL_ERROR(ret);
- return ret;
- }
- }
- #endif /* WOLFSSL_DTLS13 */
- ssl->options.processReply = runProcessingOneMessage;
- FALL_THROUGH;
- case runProcessingOneMessage:
- /* can't process a message if we have no data. */
- if (ssl->buffers.inputBuffer.idx
- >= ssl->buffers.inputBuffer.length) {
- return BUFFER_ERROR;
- }
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (IsEncryptionOn(ssl, 0) && ssl->options.startedETMRead) {
- /* For TLS v1.1 the block size and explicit IV are added to idx,
- * so it needs to be included in this limit check */
- if ((ssl->curSize - ssl->keys.padSz -
- (ssl->buffers.inputBuffer.idx - startIdx) -
- MacSize(ssl) > MAX_PLAINTEXT_SZ)
- #ifdef WOLFSSL_ASYNC_CRYPT
- && ssl->buffers.inputBuffer.length !=
- ssl->buffers.inputBuffer.idx
- #endif
- ) {
- WOLFSSL_MSG("Plaintext too long - Encrypt-Then-MAC");
- #if defined(WOLFSSL_EXTRA_ALERTS)
- SendAlert(ssl, alert_fatal, record_overflow);
- #endif
- WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR);
- return BUFFER_ERROR;
- }
- }
- else
- #endif
- /* TLS13 plaintext limit is checked earlier before decryption */
- /* For TLS v1.1 the block size and explicit IV are added to idx,
- * so it needs to be included in this limit check */
- if (!IsAtLeastTLSv1_3(ssl->version)
- && ssl->curSize - ssl->keys.padSz -
- (ssl->buffers.inputBuffer.idx - startIdx)
- > MAX_PLAINTEXT_SZ
- #ifdef WOLFSSL_ASYNC_CRYPT
- && ssl->buffers.inputBuffer.length !=
- ssl->buffers.inputBuffer.idx
- #endif
- ) {
- WOLFSSL_MSG("Plaintext too long");
- #if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS)
- SendAlert(ssl, alert_fatal, record_overflow);
- #endif
- WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR);
- return BUFFER_ERROR;
- }
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl) && !IsAtLeastTLSv1_3(ssl->version)) {
- _DtlsUpdateWindow(ssl);
- }
- if (ssl->options.dtls) {
- /* Reset timeout as we have received a valid DTLS message */
- ssl->dtls_timeout = ssl->dtls_timeout_init;
- }
- #endif /* WOLFSSL_DTLS */
- WOLFSSL_MSG("received record layer msg");
- switch (ssl->curRL.type) {
- case handshake :
- WOLFSSL_MSG("got HANDSHAKE");
- /* debugging in DoHandShakeMsg */
- if (ssl->options.dtls) {
- #ifdef WOLFSSL_DTLS
- if (!IsAtLeastTLSv1_3(ssl->version)) {
- ret = DoDtlsHandShakeMsg(ssl,
- ssl->buffers.inputBuffer.buffer,
- &ssl->buffers.inputBuffer.idx,
- ssl->buffers.inputBuffer.length);
- if (ret != 0)
- SendFatalAlertOnly(ssl, ret);
- }
- #endif
- #ifdef WOLFSSL_DTLS13
- if (IsAtLeastTLSv1_3(ssl->version)) {
- ret = Dtls13HandshakeRecv(ssl,
- ssl->buffers.inputBuffer.buffer,
- &ssl->buffers.inputBuffer.idx,
- ssl->buffers.inputBuffer.length);
- #ifdef WOLFSSL_EARLY_DATA
- if (ret == 0 &&
- ssl->options.side == WOLFSSL_SERVER_END &&
- ssl->earlyData > early_data_ext &&
- ssl->options.handShakeState == HANDSHAKE_DONE) {
- /* return so wolfSSL_read_early_data can return
- exit */
- ssl->earlyData = no_early_data;
- ssl->options.processReply = doProcessInit;
- return ZERO_RETURN;
- }
- #endif /* WOLFSSL_EARLY_DATA */
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- else if (!IsAtLeastTLSv1_3(ssl->version)
- #if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_TLS12)
- || !TLSv1_3_Capable(ssl)
- #endif
- ) {
- #ifndef WOLFSSL_NO_TLS12
- ret = DoHandShakeMsg(ssl,
- ssl->buffers.inputBuffer.buffer,
- &ssl->buffers.inputBuffer.idx,
- ssl->buffers.inputBuffer.length);
- if (ret != 0)
- SendFatalAlertOnly(ssl, ret);
- #else
- ret = BUFFER_ERROR;
- #endif
- }
- else {
- #ifdef WOLFSSL_TLS13
- ssl->msgsReceived.got_change_cipher = 0;
- ret = DoTls13HandShakeMsg(ssl,
- ssl->buffers.inputBuffer.buffer,
- &ssl->buffers.inputBuffer.idx,
- ssl->buffers.inputBuffer.length);
- #ifdef WOLFSSL_EARLY_DATA
- if (ret != 0)
- return ret;
- if (ssl->options.side == WOLFSSL_SERVER_END &&
- ssl->earlyData > early_data_ext &&
- ssl->options.handShakeState == HANDSHAKE_DONE) {
- ssl->earlyData = no_early_data;
- ssl->options.processReply = doProcessInit;
- return ZERO_RETURN;
- }
- #endif
- #else
- ret = BUFFER_ERROR;
- #endif
- }
- if (ret != 0
- /* DoDtlsHandShakeMsg can return a WANT_WRITE when
- * calling DtlsMsgPoolSend. This msg is done
- * processing so let's move on. */
- && (!ssl->options.dtls
- || ret != WANT_WRITE)
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* In async case, on pending, move onto next message.
- * Current message should have been DtlsMsgStore'ed and
- * should be processed with DtlsMsgDrain */
- && (!ssl->options.dtls
- || ret != WC_PENDING_E)
- #endif
- ) {
- WOLFSSL_ERROR(ret);
- return ret;
- }
- break;
- case change_cipher_spec:
- WOLFSSL_MSG("got CHANGE CIPHER SPEC");
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "ChangeCipher");
- /* add record header back on info */
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "ChangeCipher",
- change_cipher_spec,
- ssl->buffers.inputBuffer.buffer +
- ssl->buffers.inputBuffer.idx,
- 1, READ_PROTO, RECORD_HEADER_SZ, ssl->heap);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_CALLBACKS
- AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
- #endif
- }
- #endif
- #ifdef WOLFSSL_TLS13
- if (IsAtLeastTLSv1_3(ssl->version)) {
- word32 i = ssl->buffers.inputBuffer.idx;
- if (ssl->options.handShakeState == HANDSHAKE_DONE) {
- SendAlert(ssl, alert_fatal, unexpected_message);
- WOLFSSL_ERROR_VERBOSE(UNKNOWN_RECORD_TYPE);
- return UNKNOWN_RECORD_TYPE;
- }
- if (ssl->curSize != 1 ||
- ssl->buffers.inputBuffer.buffer[i] != 1) {
- SendAlert(ssl, alert_fatal, illegal_parameter);
- WOLFSSL_ERROR_VERBOSE(UNKNOWN_RECORD_TYPE);
- return UNKNOWN_RECORD_TYPE;
- }
- ssl->buffers.inputBuffer.idx++;
- if (!ssl->msgsReceived.got_change_cipher) {
- ssl->msgsReceived.got_change_cipher = 1;
- }
- else {
- SendAlert(ssl, alert_fatal, illegal_parameter);
- WOLFSSL_ERROR_VERBOSE(UNKNOWN_RECORD_TYPE);
- return UNKNOWN_RECORD_TYPE;
- }
- break;
- }
- #endif
- #ifndef WOLFSSL_NO_TLS12
- if (ssl->buffers.inputBuffer.idx >=
- ssl->buffers.inputBuffer.length ||
- ssl->curSize < 1) {
- WOLFSSL_MSG("ChangeCipher msg too short");
- WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
- return LENGTH_ERROR;
- }
- if (ssl->buffers.inputBuffer.buffer[
- ssl->buffers.inputBuffer.idx] != 1) {
- WOLFSSL_MSG("ChangeCipher msg wrong value");
- WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
- return LENGTH_ERROR;
- }
- if (IsEncryptionOn(ssl, 0) && ssl->options.handShakeDone) {
- #ifdef HAVE_AEAD
- if (ssl->specs.cipher_type == aead) {
- if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
- ssl->curSize -= AESGCM_EXP_IV_SZ;
- ssl->buffers.inputBuffer.idx += ssl->specs.aead_mac_size;
- ssl->curSize -= ssl->specs.aead_mac_size;
- }
- else
- #endif
- {
- ssl->buffers.inputBuffer.idx += ssl->keys.padSz;
- ssl->curSize -= (word16)ssl->keys.padSz;
- ssl->curSize -= ssl->specs.iv_size;
- }
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead) {
- word32 digestSz = MacSize(ssl);
- ssl->buffers.inputBuffer.idx += digestSz;
- ssl->curSize -= (word16)digestSz;
- }
- #endif
- }
- if (ssl->curSize != 1) {
- WOLFSSL_MSG("Malicious or corrupted ChangeCipher msg");
- WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
- return LENGTH_ERROR;
- }
- ssl->buffers.inputBuffer.idx++;
- ret = SanityCheckMsgReceived(ssl, change_cipher_hs);
- if (ret != 0) {
- if (!ssl->options.dtls) {
- return ret;
- }
- else {
- #ifdef WOLFSSL_DTLS
- /* Check for duplicate CCS message in DTLS mode.
- * DTLS allows for duplicate messages, and it should be
- * skipped. Also skip if out of order. */
- if (ret != DUPLICATE_MSG_E && ret != OUT_OF_ORDER_E)
- return ret;
- /* Reset error */
- ret = 0;
- break;
- #endif /* WOLFSSL_DTLS */
- }
- }
- ssl->keys.encryptionOn = 1;
- /* setup decrypt keys for following messages */
- /* XXX This might not be what we want to do when
- * receiving a CCS with multicast. We update the
- * key when the application updates them. */
- if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
- return ret;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- ssl->options.startedETMRead = ssl->options.encThenMac;
- #endif
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- WOLFSSL_DTLS_PEERSEQ* peerSeq = ssl->keys.peerSeq;
- #ifdef WOLFSSL_MULTICAST
- if (ssl->options.haveMcast) {
- peerSeq += ssl->keys.curPeerId;
- peerSeq->highwaterMark = UpdateHighwaterMark(0,
- ssl->ctx->mcastFirstSeq,
- ssl->ctx->mcastSecondSeq,
- ssl->ctx->mcastMaxSeq);
- }
- #endif
- peerSeq->nextEpoch++;
- peerSeq->prevSeq_lo = peerSeq->nextSeq_lo;
- peerSeq->prevSeq_hi = peerSeq->nextSeq_hi;
- peerSeq->nextSeq_lo = 0;
- peerSeq->nextSeq_hi = 0;
- XMEMCPY(peerSeq->prevWindow, peerSeq->window,
- DTLS_SEQ_SZ);
- XMEMSET(peerSeq->window, 0, DTLS_SEQ_SZ);
- }
- #endif
- #ifdef HAVE_LIBZ
- if (ssl->options.usingCompression)
- if ( (ret = InitStreams(ssl)) != 0)
- return ret;
- #endif
- ret = BuildFinished(ssl, &ssl->hsHashes->verifyHashes,
- ssl->options.side == WOLFSSL_CLIENT_END ?
- kTlsServerStr : kTlsClientStr);
- if (ret != 0)
- return ret;
- #endif /* !WOLFSSL_NO_TLS12 */
- break;
- case application_data:
- WOLFSSL_MSG("got app DATA");
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls && ssl->options.dtlsHsRetain) {
- #ifdef HAVE_SECURE_RENEGOTIATION
- /*
- * Only free HS resources when not in the process of a
- * secure renegotiation and we have received APP DATA
- * from the current epoch
- */
- if (!IsSCR(ssl) && (DtlsUseSCRKeys(ssl)
- || !DtlsSCRKeysSet(ssl))) {
- FreeHandshakeResources(ssl);
- ssl->options.dtlsHsRetain = 0;
- }
- #else
- FreeHandshakeResources(ssl);
- ssl->options.dtlsHsRetain = 0;
- #endif
- }
- #endif
- #ifdef WOLFSSL_TLS13
- if (ssl->keys.keyUpdateRespond) {
- WOLFSSL_MSG("No KeyUpdate from peer seen");
- WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
- return SANITY_MSG_E;
- }
- #endif
- if ((ret = DoApplicationData(ssl,
- ssl->buffers.inputBuffer.buffer,
- &ssl->buffers.inputBuffer.idx,
- NO_SNIFF)) != 0) {
- WOLFSSL_ERROR(ret);
- return ret;
- }
- break;
- case alert:
- WOLFSSL_MSG("got ALERT!");
- ret = DoAlert(ssl, ssl->buffers.inputBuffer.buffer,
- &ssl->buffers.inputBuffer.idx, &type);
- if (ret == alert_fatal)
- return FATAL_ERROR;
- else if (ret < 0)
- return ret;
- /* catch warnings that are handled as errors */
- if (type == close_notify) {
- ssl->buffers.inputBuffer.idx =
- ssl->buffers.inputBuffer.length;
- ssl->options.processReply = doProcessInit;
- return ssl->error = ZERO_RETURN;
- }
- if (type == decrypt_error)
- return FATAL_ERROR;
- /* Reset error if we got an alert level in ret */
- if (ret > 0)
- ret = 0;
- break;
- #ifdef WOLFSSL_DTLS13
- case ack:
- WOLFSSL_MSG("got ACK");
- if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version)) {
- word32 processedSize = 0;
- ret = DoDtls13Ack(ssl, ssl->buffers.inputBuffer.buffer +
- ssl->buffers.inputBuffer.idx,
- ssl->buffers.inputBuffer.length -
- ssl->buffers.inputBuffer.idx -
- ssl->keys.padSz, &processedSize);
- ssl->buffers.inputBuffer.idx += processedSize;
- ssl->buffers.inputBuffer.idx += ssl->keys.padSz;
- if (ret != 0)
- return ret;
- break;
- }
- FALL_THROUGH;
- #endif /* WOLFSSL_DTLS13 */
- default:
- WOLFSSL_ERROR(UNKNOWN_RECORD_TYPE);
- return UNKNOWN_RECORD_TYPE;
- }
- ssl->options.processReply = doProcessInit;
- /* input exhausted */
- if (ssl->buffers.inputBuffer.idx >= ssl->buffers.inputBuffer.length
- #ifdef WOLFSSL_DTLS
- /* If app data was processed then return now to avoid
- * dropping any app data. */
- || (ssl->options.dtls && ssl->curRL.type == application_data)
- #endif
- ) {
- /* Shrink input buffer when we successfully finish record
- * processing */
- if ((ret == 0) && ssl->buffers.inputBuffer.dynamicFlag)
- ShrinkInputBuffer(ssl, NO_FORCED_FREE);
- return ret;
- }
- /* more messages per record */
- else if ((ssl->buffers.inputBuffer.idx - startIdx) < ssl->curSize) {
- WOLFSSL_MSG("More messages in record");
- ssl->options.processReply = runProcessingOneMessage;
- if (IsEncryptionOn(ssl, 0)) {
- WOLFSSL_MSG("Bundled encrypted messages, remove middle pad");
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead) {
- word32 digestSz = MacSize(ssl);
- if (ssl->buffers.inputBuffer.idx >=
- ssl->keys.padSz + digestSz) {
- ssl->buffers.inputBuffer.idx -=
- ssl->keys.padSz + digestSz;
- }
- else {
- WOLFSSL_MSG("\tmiddle padding error");
- WOLFSSL_ERROR_VERBOSE(FATAL_ERROR);
- return FATAL_ERROR;
- }
- }
- else
- #endif
- {
- if (ssl->buffers.inputBuffer.idx >= ssl->keys.padSz) {
- ssl->buffers.inputBuffer.idx -= ssl->keys.padSz;
- }
- else {
- WOLFSSL_MSG("\tmiddle padding error");
- WOLFSSL_ERROR_VERBOSE(FATAL_ERROR);
- return FATAL_ERROR;
- }
- }
- }
- }
- /* more records */
- else {
- WOLFSSL_MSG("More records in input");
- }
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* We are setup to read next message/record but we had an error
- * (probably WC_PENDING_E) so return that so it can be handled
- * by higher layers. */
- if (ret != 0)
- return ret;
- #endif
- /* It is safe to shrink the input buffer here now. local vars will
- * be reset to the new starting value. */
- if (ret == 0 && ssl->buffers.inputBuffer.dynamicFlag)
- ShrinkInputBuffer(ssl, NO_FORCED_FREE);
- continue;
- default:
- WOLFSSL_MSG("Bad process input state, programming error");
- WOLFSSL_ERROR_VERBOSE(INPUT_CASE_ERROR);
- return INPUT_CASE_ERROR;
- }
- }
- }
- #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) || \
- (defined(WOLFSSL_TLS13) && defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT))
- int SendChangeCipher(WOLFSSL* ssl)
- {
- byte *output;
- int sendSz = RECORD_HEADER_SZ + ENUM_LEN;
- int idx = RECORD_HEADER_SZ;
- int ret;
- #ifdef OPENSSL_EXTRA
- ssl->cbmode = SSL_CB_MODE_WRITE;
- if (ssl->options.side == WOLFSSL_SERVER_END){
- ssl->options.serverState = SERVER_CHANGECIPHERSPEC_COMPLETE;
- if (ssl->CBIS != NULL)
- ssl->CBIS(ssl, SSL_CB_ACCEPT_LOOP, WOLFSSL_SUCCESS);
- }
- else{
- ssl->options.clientState =
- CLIENT_CHANGECIPHERSPEC_COMPLETE;
- if (ssl->CBIS != NULL)
- ssl->CBIS(ssl, SSL_CB_CONNECT_LOOP, WOLFSSL_SUCCESS);
- }
- #endif
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- sendSz += DTLS_RECORD_EXTRA;
- idx += DTLS_RECORD_EXTRA;
- }
- #endif
- /* are we in scr */
- if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) {
- sendSz += MAX_MSG_EXTRA;
- }
- /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
- * is not advanced yet */
- ssl->options.buildingMsg = 1;
- /* check for available size */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
- /* get output buffer */
- output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- AddRecordHeader(output, 1, change_cipher_spec, ssl, CUR_ORDER);
- output[idx] = 1; /* turn it on */
- if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) {
- byte input[ENUM_LEN];
- int inputSz = ENUM_LEN;
- input[0] = 1; /* turn it on */
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl) &&
- (ret = DtlsMsgPoolSave(ssl, input, inputSz, change_cipher_hs)) != 0) {
- return ret;
- }
- #endif
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- change_cipher_spec, 0, 0, 0, CUR_ORDER);
- if (sendSz < 0) {
- return sendSz;
- }
- }
- #ifdef WOLFSSL_DTLS
- else {
- if (IsDtlsNotSctpMode(ssl)) {
- if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, change_cipher_hs)) != 0)
- return ret;
- DtlsSEQIncrement(ssl, CUR_ORDER);
- }
- }
- #endif
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn) AddPacketName(ssl, "ChangeCipher");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "ChangeCipher", change_cipher_spec, output,
- sendSz, WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->buffers.outputBuffer.length += sendSz;
- #ifdef WOLFSSL_TLS13
- if (!ssl->options.tls1_3)
- #endif
- {
- /* setup encrypt keys */
- if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
- return ret;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- ssl->options.startedETMWrite = ssl->options.encThenMac;
- #endif
- }
- ssl->options.buildingMsg = 0;
- if (ssl->options.groupMessages)
- return 0;
- #if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_DEBUG_DTLS)
- else if (ssl->options.dtls) {
- /* If using DTLS, force the ChangeCipherSpec message to be in the
- * same datagram as the finished message. */
- return 0;
- }
- #endif
- else
- return SendBuffered(ssl);
- }
- #endif
- #if !defined(NO_OLD_TLS) && !defined(WOLFSSL_AEAD_ONLY)
- static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
- int padLen, int content, int verify, int epochOrder)
- {
- byte result[WC_MAX_DIGEST_SIZE];
- word32 digestSz = ssl->specs.hash_size; /* actual sizes */
- word32 padSz = ssl->specs.pad_size;
- int ret = 0;
- wc_Md5 md5;
- wc_Sha sha;
- /* data */
- byte seq[SEQ_SZ];
- byte conLen[ENUM_LEN + LENGTH_SZ]; /* content & length */
- const byte* macSecret = NULL;
- (void)padLen;
- #ifdef HAVE_FUZZER
- if (ssl->fuzzerCb)
- ssl->fuzzerCb(ssl, in, sz, FUZZ_HMAC, ssl->fuzzerCtx);
- #endif
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls)
- macSecret = wolfSSL_GetDtlsMacSecret(ssl, verify, epochOrder);
- else
- macSecret = wolfSSL_GetMacSecret(ssl, verify);
- #else
- macSecret = wolfSSL_GetMacSecret(ssl, verify);
- #endif
- XMEMSET(seq, 0, SEQ_SZ);
- conLen[0] = (byte)content;
- c16toa((word16)sz, &conLen[ENUM_LEN]);
- WriteSEQ(ssl, epochOrder, seq);
- if (ssl->specs.mac_algorithm == md5_mac) {
- ret = wc_InitMd5_ex(&md5, ssl->heap, ssl->devId);
- if (ret != 0)
- return ret;
- /* inner */
- ret = wc_Md5Update(&md5, macSecret, digestSz);
- ret |= wc_Md5Update(&md5, PAD1, padSz);
- ret |= wc_Md5Update(&md5, seq, SEQ_SZ);
- ret |= wc_Md5Update(&md5, conLen, sizeof(conLen));
- /* in buffer */
- ret |= wc_Md5Update(&md5, in, sz);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- ret = wc_Md5Final(&md5, result);
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* TODO: Make non-blocking */
- if (ret == WC_PENDING_E) {
- ret = wc_AsyncWait(ret, &md5.asyncDev, WC_ASYNC_FLAG_NONE);
- }
- #endif
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- /* outer */
- ret = wc_Md5Update(&md5, macSecret, digestSz);
- ret |= wc_Md5Update(&md5, PAD2, padSz);
- ret |= wc_Md5Update(&md5, result, digestSz);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- ret = wc_Md5Final(&md5, digest);
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* TODO: Make non-blocking */
- if (ret == WC_PENDING_E) {
- ret = wc_AsyncWait(ret, &md5.asyncDev, WC_ASYNC_FLAG_NONE);
- }
- #endif
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- wc_Md5Free(&md5);
- }
- else {
- ret = wc_InitSha_ex(&sha, ssl->heap, ssl->devId);
- if (ret != 0)
- return ret;
- /* inner */
- ret = wc_ShaUpdate(&sha, macSecret, digestSz);
- ret |= wc_ShaUpdate(&sha, PAD1, padSz);
- ret |= wc_ShaUpdate(&sha, seq, SEQ_SZ);
- ret |= wc_ShaUpdate(&sha, conLen, sizeof(conLen));
- /* in buffer */
- ret |= wc_ShaUpdate(&sha, in, sz);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- ret = wc_ShaFinal(&sha, result);
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* TODO: Make non-blocking */
- if (ret == WC_PENDING_E) {
- ret = wc_AsyncWait(ret, &sha.asyncDev, WC_ASYNC_FLAG_NONE);
- }
- #endif
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- /* outer */
- ret = wc_ShaUpdate(&sha, macSecret, digestSz);
- ret |= wc_ShaUpdate(&sha, PAD2, padSz);
- ret |= wc_ShaUpdate(&sha, result, digestSz);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- ret = wc_ShaFinal(&sha, digest);
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* TODO: Make non-blocking */
- if (ret == WC_PENDING_E) {
- ret = wc_AsyncWait(ret, &sha.asyncDev, WC_ASYNC_FLAG_NONE);
- }
- #endif
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
- return VERIFY_MAC_ERROR;
- }
- wc_ShaFree(&sha);
- }
- return 0;
- }
- #endif /* !NO_OLD_TLS && !WOLFSSL_AEAD_ONLY */
- #if !defined(NO_MD5) && !defined(NO_OLD_TLS)
- static int BuildMD5_CertVerify(const WOLFSSL* ssl, byte* digest)
- {
- int ret;
- byte md5_result[WC_MD5_DIGEST_SIZE];
- #ifdef WOLFSSL_SMALL_STACK
- wc_Md5* md5 = (wc_Md5*)XMALLOC(sizeof(wc_Md5), ssl->heap, DYNAMIC_TYPE_HASHCTX);
- #else
- wc_Md5 md5[1];
- #endif
- /* make md5 inner */
- ret = wc_Md5Copy(&ssl->hsHashes->hashMd5, md5); /* Save current position */
- if (ret == 0)
- ret = wc_Md5Update(md5, ssl->arrays->masterSecret,SECRET_LEN);
- if (ret == 0)
- ret = wc_Md5Update(md5, PAD1, PAD_MD5);
- if (ret == 0)
- ret = wc_Md5Final(md5, md5_result);
- /* make md5 outer */
- if (ret == 0) {
- ret = wc_InitMd5_ex(md5, ssl->heap, ssl->devId);
- if (ret == 0) {
- ret = wc_Md5Update(md5, ssl->arrays->masterSecret, SECRET_LEN);
- if (ret == 0)
- ret = wc_Md5Update(md5, PAD2, PAD_MD5);
- if (ret == 0)
- ret = wc_Md5Update(md5, md5_result, WC_MD5_DIGEST_SIZE);
- if (ret == 0)
- ret = wc_Md5Final(md5, digest);
- wc_Md5Free(md5);
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(md5, ssl->heap, DYNAMIC_TYPE_HASHCTX);
- #endif
- return ret;
- }
- #endif /* !NO_MD5 && !NO_OLD_TLS */
- #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
- defined(WOLFSSL_ALLOW_TLS_SHA1))
- static int BuildSHA_CertVerify(const WOLFSSL* ssl, byte* digest)
- {
- int ret;
- byte sha_result[WC_SHA_DIGEST_SIZE];
- #ifdef WOLFSSL_SMALL_STACK
- wc_Sha* sha = (wc_Sha*)XMALLOC(sizeof(wc_Sha), ssl->heap, DYNAMIC_TYPE_HASHCTX);
- #else
- wc_Sha sha[1];
- #endif
- /* make sha inner */
- ret = wc_ShaCopy(&ssl->hsHashes->hashSha, sha); /* Save current position */
- if (ret == 0)
- ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN);
- if (ret == 0)
- ret = wc_ShaUpdate(sha, PAD1, PAD_SHA);
- if (ret == 0)
- ret = wc_ShaFinal(sha, sha_result);
- /* make sha outer */
- if (ret == 0) {
- ret = wc_InitSha_ex(sha, ssl->heap, ssl->devId);
- if (ret == 0) {
- ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN);
- if (ret == 0)
- ret = wc_ShaUpdate(sha, PAD2, PAD_SHA);
- if (ret == 0)
- ret = wc_ShaUpdate(sha, sha_result, WC_SHA_DIGEST_SIZE);
- if (ret == 0)
- ret = wc_ShaFinal(sha, digest);
- wc_ShaFree(sha);
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(sha, ssl->heap, DYNAMIC_TYPE_HASHCTX);
- #endif
- return ret;
- }
- #endif /* !NO_SHA && (!NO_OLD_TLS || WOLFSSL_ALLOW_TLS_SHA1) */
- int BuildCertHashes(const WOLFSSL* ssl, Hashes* hashes)
- {
- int ret = 0;
- (void)hashes;
- if (ssl->options.tls) {
- #if !defined(NO_MD5) && !defined(NO_OLD_TLS)
- ret = wc_Md5GetHash(&ssl->hsHashes->hashMd5, hashes->md5);
- if (ret != 0)
- return ret;
- #endif
- #if !defined(NO_SHA)
- ret = wc_ShaGetHash(&ssl->hsHashes->hashSha, hashes->sha);
- if (ret != 0)
- return ret;
- #endif
- if (IsAtLeastTLSv1_2(ssl)) {
- #ifndef NO_SHA256
- ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256,
- hashes->sha256);
- if (ret != 0)
- return ret;
- #endif
- #ifdef WOLFSSL_SHA384
- ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384,
- hashes->sha384);
- if (ret != 0)
- return ret;
- #endif
- #ifdef WOLFSSL_SHA512
- ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512,
- hashes->sha512);
- if (ret != 0)
- return ret;
- #endif
- }
- }
- else {
- #if !defined(NO_MD5) && !defined(NO_OLD_TLS)
- ret = BuildMD5_CertVerify(ssl, hashes->md5);
- if (ret != 0)
- return ret;
- #endif
- #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
- defined(WOLFSSL_ALLOW_TLS_SHA1))
- ret = BuildSHA_CertVerify(ssl, hashes->sha);
- if (ret != 0)
- return ret;
- #endif
- }
- return ret;
- }
- #ifndef WOLFSSL_NO_TLS12
- void FreeBuildMsgArgs(WOLFSSL* ssl, BuildMsgArgs* args)
- {
- (void)ssl;
- if (args
- #ifdef WOLFSSL_ASYNC_CRYPT
- && ssl->options.buildArgsSet
- #endif
- ) {
- /* only free the IV if it was dynamically allocated */
- if (args->iv && (args->iv != args->staticIvBuffer)) {
- XFREE(args->iv, ssl->heap, DYNAMIC_TYPE_SALT);
- }
- }
- #ifdef WOLFSSL_ASYNC_CRYPT
- ssl->options.buildArgsSet = 0;
- #endif
- }
- #endif
- /* Build SSL Message, encrypted */
- int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
- int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay,
- int epochOrder)
- {
- #ifndef WOLFSSL_NO_TLS12
- int ret;
- BuildMsgArgs* args;
- BuildMsgArgs lcl_args;
- #endif
- WOLFSSL_ENTER("BuildMessage");
- if (ssl == NULL) {
- return BAD_FUNC_ARG;
- }
- /* catch mistaken sizeOnly parameter */
- if (!sizeOnly && (output == NULL || input == NULL) ) {
- return BAD_FUNC_ARG;
- }
- if (sizeOnly && (output || input) ) {
- return BAD_FUNC_ARG;
- }
- (void)epochOrder;
- #ifndef NO_TLS
- #if defined(WOLFSSL_NO_TLS12) && defined(WOLFSSL_TLS13)
- return BuildTls13Message(ssl, output, outSz, input, inSz, type,
- hashOutput, sizeOnly, asyncOkay);
- #else
- #ifdef WOLFSSL_TLS13
- if (ssl->options.tls1_3) {
- return BuildTls13Message(ssl, output, outSz, input, inSz, type,
- hashOutput, sizeOnly, asyncOkay);
- }
- #endif
- #ifdef WOLFSSL_ASYNC_CRYPT
- ret = WC_NOT_PENDING_E;
- if (asyncOkay) {
- if (ssl->async == NULL) {
- return BAD_FUNC_ARG;
- }
- args = &ssl->async->buildArgs;
- ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState);
- if (ret != WC_NOT_PENDING_E) {
- /* Check for error */
- if (ret < 0)
- goto exit_buildmsg;
- }
- }
- else
- #endif
- {
- args = &lcl_args;
- }
- /* Reset state */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_NOT_PENDING_E)
- #endif
- {
- ret = 0;
- #ifdef WOLFSSL_ASYNC_CRYPT
- ssl->options.buildArgsSet = 1;
- #endif
- ssl->options.buildMsgState = BUILD_MSG_BEGIN;
- XMEMSET(args, 0, sizeof(BuildMsgArgs));
- args->sz = RECORD_HEADER_SZ + inSz;
- args->idx = RECORD_HEADER_SZ;
- args->headerSz = RECORD_HEADER_SZ;
- }
- switch (ssl->options.buildMsgState) {
- case BUILD_MSG_BEGIN:
- {
- #if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
- if (ssl->options.dtls && DtlsSCRKeysSet(ssl)) {
- /* For epochs >1 the current cipher parameters are located in
- * ssl->secure_renegotiation->tmp_keys. Previous cipher
- * parameters and for epoch 1 use ssl->keys */
- switch (epochOrder) {
- case PREV_ORDER:
- if (ssl->encrypt.src != KEYS) {
- ssl->secure_renegotiation->cache_status =
- SCR_CACHE_NULL;
- if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
- ERROR_OUT(ret, exit_buildmsg);
- }
- break;
- case CUR_ORDER:
- if (ssl->keys.dtls_epoch ==
- ssl->secure_renegotiation->tmp_keys.dtls_epoch) {
- if (ssl->encrypt.src != SCR) {
- ssl->secure_renegotiation->cache_status =
- SCR_CACHE_NEEDED;
- if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY))
- != 0)
- ERROR_OUT(ret, exit_buildmsg);
- }
- }
- else {
- if (ssl->encrypt.src != KEYS) {
- ssl->secure_renegotiation->cache_status =
- SCR_CACHE_NULL;
- if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY))
- != 0)
- ERROR_OUT(ret, exit_buildmsg);
- }
- }
- break;
- default:
- WOLFSSL_MSG("BuildMessage only supports PREV_ORDER and "
- "CUR_ORDER");
- ERROR_OUT(BAD_FUNC_ARG, exit_buildmsg);
- }
- }
- #endif
- ssl->options.buildMsgState = BUILD_MSG_SIZE;
- }
- FALL_THROUGH;
- case BUILD_MSG_SIZE:
- {
- args->digestSz = ssl->specs.hash_size;
- #ifdef HAVE_TRUNCATED_HMAC
- if (ssl->truncated_hmac)
- args->digestSz = min(TRUNCATED_HMAC_SZ, args->digestSz);
- #endif
- args->sz += args->digestSz;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- args->sz += DTLS_RECORD_EXTRA;
- args->idx += DTLS_RECORD_EXTRA;
- args->headerSz += DTLS_RECORD_EXTRA;
- }
- #endif
- #ifndef WOLFSSL_AEAD_ONLY
- if (ssl->specs.cipher_type == block) {
- word32 blockSz = ssl->specs.block_size;
- if (blockSz == 0) {
- WOLFSSL_MSG("Invalid block size with block cipher type");
- ERROR_OUT(BAD_STATE_E, exit_buildmsg);
- }
- if (ssl->options.tls1_1) {
- args->ivSz = blockSz;
- args->sz += args->ivSz;
- if (args->ivSz > MAX_IV_SZ)
- ERROR_OUT(BUFFER_E, exit_buildmsg);
- }
- args->sz += 1; /* pad byte */
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMWrite) {
- args->pad = (args->sz - args->headerSz -
- args->digestSz) % blockSz;
- }
- else
- #endif
- {
- args->pad = (args->sz - args->headerSz) % blockSz;
- }
- if (args->pad != 0)
- args->pad = blockSz - args->pad;
- args->sz += args->pad;
- }
- #endif /* WOLFSSL_AEAD_ONLY */
- #ifdef HAVE_AEAD
- if (ssl->specs.cipher_type == aead) {
- if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
- args->ivSz = AESGCM_EXP_IV_SZ;
- args->sz += (args->ivSz + ssl->specs.aead_mac_size - args->digestSz);
- }
- #endif
- /* done with size calculations */
- if (sizeOnly)
- goto exit_buildmsg;
- if (args->sz > (word32)outSz) {
- WOLFSSL_MSG("Oops, want to write past output buffer size");
- ERROR_OUT(BUFFER_E, exit_buildmsg);
- }
- if (args->ivSz > 0) {
- if (args->ivSz > sizeof(args->staticIvBuffer)) {
- args->iv = (byte*)XMALLOC(args->ivSz, ssl->heap,
- DYNAMIC_TYPE_SALT);
- if (args->iv == NULL) {
- ERROR_OUT(MEMORY_E, exit_buildmsg);
- }
- }
- else {
- args->iv = args->staticIvBuffer;
- }
- ret = wc_RNG_GenerateBlock(ssl->rng, args->iv, args->ivSz);
- if (ret != 0)
- goto exit_buildmsg;
- }
- #if !defined(NO_PUBLIC_GCM_SET_IV) && \
- ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
- (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) && \
- defined(HAVE_AEAD))
- if (ssl->specs.cipher_type == aead) {
- if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
- XMEMCPY(args->iv, ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ);
- }
- #endif
- args->size = (word16)(args->sz - args->headerSz); /* include mac and digest */
- AddRecordHeader(output, args->size, (byte)type, ssl, epochOrder);
- /* write to output */
- if (args->ivSz > 0) {
- XMEMCPY(output + args->idx, args->iv,
- min(args->ivSz, MAX_IV_SZ));
- args->idx += min(args->ivSz, MAX_IV_SZ);
- }
- XMEMCPY(output + args->idx, input, inSz);
- args->idx += inSz;
- ssl->options.buildMsgState = BUILD_MSG_HASH;
- }
- FALL_THROUGH;
- case BUILD_MSG_HASH:
- {
- /* done with size calculations */
- if (sizeOnly)
- goto exit_buildmsg;
- if (type == handshake && hashOutput) {
- ret = HashOutput(ssl, output, args->headerSz + inSz, args->ivSz);
- if (ret != 0)
- goto exit_buildmsg;
- }
- #ifndef WOLFSSL_AEAD_ONLY
- if (ssl->specs.cipher_type == block) {
- word32 tmpIdx;
- word32 i;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMWrite)
- tmpIdx = args->idx;
- else
- #endif
- tmpIdx = args->idx + args->digestSz;
- for (i = 0; i <= args->pad; i++)
- output[tmpIdx++] = (byte)args->pad; /* pad byte gets pad value */
- }
- #endif
- ssl->options.buildMsgState = BUILD_MSG_VERIFY_MAC;
- }
- FALL_THROUGH;
- case BUILD_MSG_VERIFY_MAC:
- {
- /* done with size calculations */
- if (sizeOnly)
- goto exit_buildmsg;
- /* User Record Layer Callback handling */
- #ifdef ATOMIC_USER
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMWrite) {
- if (ssl->ctx->EncryptMacCb) {
- ret = ssl->ctx->EncryptMacCb(ssl, output + args->idx +
- args->pad + 1, type, 0,
- output + args->headerSz,
- output + args->headerSz,
- args->size - args->digestSz,
- ssl->MacEncryptCtx);
- goto exit_buildmsg;
- }
- }
- else
- #endif
- {
- if (ssl->ctx->MacEncryptCb) {
- ret = ssl->ctx->MacEncryptCb(ssl, output + args->idx,
- output + args->headerSz + args->ivSz, inSz,
- type, 0, output + args->headerSz,
- output + args->headerSz, args->size,
- ssl->MacEncryptCtx);
- goto exit_buildmsg;
- }
- }
- #endif
- #ifndef WOLFSSL_AEAD_ONLY
- if (ssl->specs.cipher_type != aead
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- && !ssl->options.startedETMWrite
- #endif
- ) {
- #ifdef HAVE_TRUNCATED_HMAC
- if (ssl->truncated_hmac &&
- ssl->specs.hash_size > args->digestSz) {
- #ifdef WOLFSSL_SMALL_STACK
- byte* hmac;
- #else
- byte hmac[WC_MAX_DIGEST_SIZE];
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- hmac = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, ssl->heap,
- DYNAMIC_TYPE_DIGEST);
- if (hmac == NULL)
- ERROR_OUT(MEMORY_E, exit_buildmsg);
- #endif
- ret = ssl->hmac(ssl, hmac,
- output + args->headerSz + args->ivSz, inSz,
- -1, type, 0, epochOrder);
- XMEMCPY(output + args->idx, hmac, args->digestSz);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(hmac, ssl->heap, DYNAMIC_TYPE_DIGEST);
- #endif
- }
- else
- #endif
- {
- ret = ssl->hmac(ssl, output + args->idx, output +
- args->headerSz + args->ivSz, inSz, -1, type, 0, epochOrder);
- }
- }
- #endif /* WOLFSSL_AEAD_ONLY */
- if (ret != 0)
- goto exit_buildmsg;
- ssl->options.buildMsgState = BUILD_MSG_ENCRYPT;
- }
- FALL_THROUGH;
- case BUILD_MSG_ENCRYPT:
- {
- /* done with size calculations */
- if (sizeOnly)
- goto exit_buildmsg;
- {
- #if defined(HAVE_SECURE_RENEGOTIATION) && defined(WOLFSSL_DTLS)
- /* If we want the PREV_ORDER then modify CUR_ORDER sequence number
- * for all encryption algos that use it for encryption parameters */
- word16 dtls_epoch = 0;
- word16 dtls_sequence_number_hi = 0;
- word32 dtls_sequence_number_lo = 0;
- int swap_seq = ssl->options.dtls && epochOrder == PREV_ORDER &&
- DtlsUseSCRKeys(ssl);
- if (swap_seq) {
- dtls_epoch = ssl->keys.dtls_epoch;
- dtls_sequence_number_hi = ssl->keys.dtls_sequence_number_hi;
- dtls_sequence_number_lo = ssl->keys.dtls_sequence_number_lo;
- ssl->keys.dtls_epoch--;
- ssl->keys.dtls_sequence_number_hi =
- ssl->keys.dtls_prev_sequence_number_hi;
- ssl->keys.dtls_sequence_number_lo =
- ssl->keys.dtls_prev_sequence_number_lo;
- }
- #endif
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMWrite) {
- ret = Encrypt(ssl, output + args->headerSz,
- output + args->headerSz,
- (word16)(args->size - args->digestSz),
- asyncOkay);
- }
- else
- #endif
- {
- ret = Encrypt(ssl, output + args->headerSz,
- output + args->headerSz, args->size, asyncOkay);
- }
- #if defined(HAVE_SECURE_RENEGOTIATION) && defined(WOLFSSL_DTLS)
- /* Restore sequence numbers */
- if (swap_seq) {
- ssl->keys.dtls_epoch = dtls_epoch;
- ssl->keys.dtls_sequence_number_hi = dtls_sequence_number_hi;
- ssl->keys.dtls_sequence_number_lo = dtls_sequence_number_lo;
- }
- #endif
- }
- if (ret != 0) {
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret != WC_PENDING_E)
- #endif
- {
- /* Zeroize plaintext. */
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMWrite) {
- ForceZero(output + args->headerSz,
- (word16)(args->size - args->digestSz));
- }
- else
- #endif
- {
- ForceZero(output + args->headerSz, (word16)args->size);
- }
- }
- goto exit_buildmsg;
- }
- ssl->options.buildMsgState = BUILD_MSG_ENCRYPTED_VERIFY_MAC;
- }
- FALL_THROUGH;
- case BUILD_MSG_ENCRYPTED_VERIFY_MAC:
- {
- /* done with size calculations */
- if (sizeOnly)
- goto exit_buildmsg;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMWrite) {
- WOLFSSL_MSG("Calculate MAC of Encrypted Data");
- #ifdef HAVE_TRUNCATED_HMAC
- if (ssl->truncated_hmac &&
- ssl->specs.hash_size > args->digestSz) {
- #ifdef WOLFSSL_SMALL_STACK
- byte* hmac = NULL;
- #else
- byte hmac[WC_MAX_DIGEST_SIZE];
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- hmac = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, ssl->heap,
- DYNAMIC_TYPE_DIGEST);
- if (hmac == NULL)
- ERROR_OUT(MEMORY_E, exit_buildmsg);
- #endif
- ret = ssl->hmac(ssl, hmac, output + args->headerSz,
- args->ivSz + inSz + args->pad + 1, -1, type,
- 0, epochOrder);
- XMEMCPY(output + args->idx + args->pad + 1, hmac,
- args->digestSz);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(hmac, ssl->heap, DYNAMIC_TYPE_DIGEST);
- #endif
- }
- else
- #endif
- {
- ret = ssl->hmac(ssl, output + args->idx + args->pad + 1,
- output + args->headerSz,
- args->ivSz + inSz + args->pad + 1, -1, type,
- 0, epochOrder);
- }
- }
- #endif /* HAVE_ENCRYPT_THEN_MAC && !WOLFSSL_AEAD_ONLY */
- }
- FALL_THROUGH;
- default:
- break;
- }
- exit_buildmsg:
- WOLFSSL_LEAVE("BuildMessage", ret);
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- return ret;
- }
- #endif
- /* make sure build message state is reset */
- ssl->options.buildMsgState = BUILD_MSG_BEGIN;
- #ifdef WOLFSSL_DTLS
- if (ret == 0 && ssl->options.dtls && !sizeOnly)
- DtlsSEQIncrement(ssl, epochOrder);
- #endif
- /* return sz on success */
- if (ret == 0) {
- ret = args->sz;
- }
- else {
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- /* Final cleanup */
- FreeBuildMsgArgs(ssl, args);
- return ret;
- #endif /* !WOLFSSL_NO_TLS12 */
- #else
- (void)outSz;
- (void)inSz;
- (void)type;
- (void)hashOutput;
- (void)asyncOkay;
- return NOT_COMPILED_IN;
- #endif /* NO_TLS */
- }
- #ifndef WOLFSSL_NO_TLS12
- int SendFinished(WOLFSSL* ssl)
- {
- int sendSz,
- finishedSz = ssl->options.tls ? TLS_FINISHED_SZ :
- FINISHED_SZ;
- byte input[FINISHED_SZ + DTLS_HANDSHAKE_HEADER_SZ]; /* max */
- byte *output;
- Hashes* hashes;
- int ret;
- int headerSz = HANDSHAKE_HEADER_SZ;
- int outputSz;
- WOLFSSL_START(WC_FUNC_FINISHED_SEND);
- WOLFSSL_ENTER("SendFinished");
- /* check for available size */
- outputSz = sizeof(input) + MAX_MSG_EXTRA;
- /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
- * is not advanced yet */
- ssl->options.buildingMsg = 1;
- if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
- return ret;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- headerSz += DTLS_HANDSHAKE_EXTRA;
- ssl->keys.dtls_epoch++;
- ssl->keys.dtls_prev_sequence_number_hi =
- ssl->keys.dtls_sequence_number_hi;
- ssl->keys.dtls_prev_sequence_number_lo =
- ssl->keys.dtls_sequence_number_lo;
- ssl->keys.dtls_sequence_number_hi = 0;
- ssl->keys.dtls_sequence_number_lo = 0;
- }
- #endif
- /* get output buffer */
- output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- AddHandShakeHeader(input, finishedSz, 0, finishedSz, finished, ssl);
- /* make finished hashes */
- hashes = (Hashes*)&input[headerSz];
- ret = BuildFinished(ssl, hashes, ssl->options.side == WOLFSSL_CLIENT_END ?
- kTlsClientStr : kTlsServerStr);
- if (ret != 0) return ret;
- #ifdef HAVE_SECURE_RENEGOTIATION
- if (ssl->secure_renegotiation) {
- if (ssl->options.side == WOLFSSL_CLIENT_END)
- XMEMCPY(ssl->secure_renegotiation->client_verify_data, hashes,
- TLS_FINISHED_SZ);
- else
- XMEMCPY(ssl->secure_renegotiation->server_verify_data, hashes,
- TLS_FINISHED_SZ);
- }
- #endif
- #ifdef WOLFSSL_HAVE_TLS_UNIQUE
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- XMEMCPY(ssl->clientFinished,
- hashes, TLS_FINISHED_SZ);
- ssl->clientFinished_len = TLS_FINISHED_SZ;
- }
- else {
- XMEMCPY(ssl->serverFinished,
- hashes, TLS_FINISHED_SZ);
- ssl->serverFinished_len = TLS_FINISHED_SZ;
- }
- #endif
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl)) {
- if ((ret = DtlsMsgPoolSave(ssl, input, headerSz + finishedSz,
- finished)) != 0) {
- return ret;
- }
- }
- #endif
- sendSz = BuildMessage(ssl, output, outputSz, input, headerSz + finishedSz,
- handshake, 1, 0, 0, CUR_ORDER);
- if (sendSz < 0)
- return BUILD_MSG_ERROR;
- if (!ssl->options.resuming) {
- SetupSession(ssl);
- #ifndef NO_SESSION_CACHE
- AddSession(ssl);
- #endif
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- #ifdef OPENSSL_EXTRA
- ssl->options.serverState = SERVER_FINISHED_COMPLETE;
- ssl->cbmode = SSL_CB_MODE_WRITE;
- if (ssl->CBIS != NULL)
- ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, WOLFSSL_SUCCESS);
- #endif
- ssl->options.handShakeState = HANDSHAKE_DONE;
- ssl->options.handShakeDone = 1;
- }
- }
- else {
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- #ifdef OPENSSL_EXTRA
- ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
- ssl->cbmode = SSL_CB_MODE_WRITE;
- if (ssl->CBIS != NULL)
- ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, WOLFSSL_SUCCESS);
- #endif
- ssl->options.handShakeState = HANDSHAKE_DONE;
- ssl->options.handShakeDone = 1;
- }
- }
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "Finished", handshake, output, sendSz,
- WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->buffers.outputBuffer.length += sendSz;
- ret = SendBuffered(ssl);
- ssl->options.buildingMsg = 0;
- #ifdef WOLFSSL_DTLS
- if ((!ssl->options.resuming &&
- ssl->options.side == WOLFSSL_SERVER_END) ||
- (ssl->options.resuming &&
- ssl->options.side == WOLFSSL_CLIENT_END)) {
- ssl->keys.dtls_handshake_number = 0;
- ssl->keys.dtls_expected_peer_handshake_number = 0;
- }
- #endif
- WOLFSSL_LEAVE("SendFinished", ret);
- WOLFSSL_END(WC_FUNC_FINISHED_SEND);
- return ret;
- }
- #endif /* WOLFSSL_NO_TLS12 */
- #ifndef NO_WOLFSSL_SERVER
- #if (!defined(WOLFSSL_NO_TLS12) && \
- (defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
- defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2))) || \
- (defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST))
- /* Parses and decodes the certificate then initializes "request". In the case
- * of !ssl->buffers.weOwnCert, ssl->ctx->certOcspRequest gets set to "request".
- *
- * Returns 0 on success
- */
- static int CreateOcspRequest(WOLFSSL* ssl, OcspRequest* request,
- DecodedCert* cert, byte* certData, word32 length)
- {
- int ret;
- if (request != NULL)
- XMEMSET(request, 0, sizeof(OcspRequest));
- InitDecodedCert(cert, certData, length, ssl->heap);
- /* TODO: Setup async support here */
- ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, SSL_CM(ssl));
- if (ret != 0) {
- WOLFSSL_MSG("ParseCert failed");
- }
- if (ret == 0)
- ret = InitOcspRequest(request, cert, 0, ssl->heap);
- if (ret == 0) {
- /* make sure ctx OCSP request is updated */
- if (!ssl->buffers.weOwnCert) {
- wolfSSL_Mutex* ocspLock = &SSL_CM(ssl)->ocsp_stapling->ocspLock;
- if (wc_LockMutex(ocspLock) == 0) {
- if (ssl->ctx->certOcspRequest == NULL)
- ssl->ctx->certOcspRequest = request;
- wc_UnLockMutex(ocspLock);
- }
- }
- }
- FreeDecodedCert(cert);
- return ret;
- }
- /* Creates OCSP response and places it in variable "response". Memory
- * management for "buffer* response" is up to the caller.
- *
- * Also creates an OcspRequest in the case that ocspRequest is null or that
- * ssl->buffers.weOwnCert is set. In those cases managing ocspRequest free'ing
- * is up to the caller. NOTE: in OcspCreateRequest ssl->ctx->certOcspRequest can
- * be set to point to "ocspRequest" and it then should not be free'd since
- * wolfSSL_CTX_free will take care of it.
- *
- * Returns 0 on success
- */
- int CreateOcspResponse(WOLFSSL* ssl, OcspRequest** ocspRequest,
- buffer* response)
- {
- int ret = 0;
- OcspRequest* request = NULL;
- byte createdRequest = 0;
- if (ssl == NULL || ocspRequest == NULL || response == NULL)
- return BAD_FUNC_ARG;
- XMEMSET(response, 0, sizeof(*response));
- request = *ocspRequest;
- /* unable to fetch status. skip. */
- if (SSL_CM(ssl) == NULL || SSL_CM(ssl)->ocspStaplingEnabled == 0)
- return 0;
- if (request == NULL || ssl->buffers.weOwnCert) {
- DerBuffer* der = ssl->buffers.certificate;
- #ifdef WOLFSSL_SMALL_STACK
- DecodedCert* cert = NULL;
- #else
- DecodedCert cert[1];
- #endif
- /* unable to fetch status. skip. */
- if (der->buffer == NULL || der->length == 0)
- return 0;
- #ifdef WOLFSSL_SMALL_STACK
- cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
- DYNAMIC_TYPE_DCERT);
- if (cert == NULL)
- return MEMORY_E;
- #endif
- request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), ssl->heap,
- DYNAMIC_TYPE_OCSP_REQUEST);
- if (request == NULL)
- ret = MEMORY_E;
- createdRequest = 1;
- if (ret == 0) {
- ret = CreateOcspRequest(ssl, request, cert, der->buffer,
- der->length);
- }
- if (ret != 0) {
- XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
- request = NULL;
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
- #endif
- }
- if (ret == 0) {
- request->ssl = ssl;
- ret = CheckOcspRequest(SSL_CM(ssl)->ocsp_stapling, request, response);
- /* Suppressing, not critical */
- if (ret == OCSP_CERT_REVOKED ||
- ret == OCSP_CERT_UNKNOWN ||
- ret == OCSP_LOOKUP_FAIL) {
- ret = 0;
- }
- }
- /* free request up if error case found otherwise return it */
- if (ret != 0 && createdRequest) {
- FreeOcspRequest(request);
- XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
- }
- if (ret == 0)
- *ocspRequest = request;
- return ret;
- }
- #endif
- #endif /* !NO_WOLFSSL_SERVER */
- int cipherExtraData(WOLFSSL* ssl)
- {
- int cipherExtra;
- /* Cipher data that may be added by BuildMessage */
- /* There is always an IV (expect for chacha). For AEAD ciphers,
- * there is the authentication tag (aead_mac_size). For block
- * ciphers we have the hash_size MAC on the message, and one
- * block size for possible padding. */
- if (ssl->specs.cipher_type == aead) {
- cipherExtra = ssl->specs.aead_mac_size;
- /* CHACHA does not have an explicit IV. */
- if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) {
- cipherExtra += AESGCM_EXP_IV_SZ;
- }
- }
- else {
- cipherExtra = ssl->specs.iv_size + ssl->specs.block_size +
- ssl->specs.hash_size;
- }
- /* Sanity check so we don't ever return negative. */
- return cipherExtra > 0 ? cipherExtra : 0;
- }
- #ifndef WOLFSSL_NO_TLS12
- #ifndef NO_CERTS
- #if !defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)
- /* handle generation of certificate (11) */
- int SendCertificate(WOLFSSL* ssl)
- {
- int ret = 0;
- word32 certSz, certChainSz, headerSz, listSz, payloadSz;
- word32 length, maxFragment;
- WOLFSSL_START(WC_FUNC_CERTIFICATE_SEND);
- WOLFSSL_ENTER("SendCertificate");
- if (ssl->options.usingPSK_cipher || ssl->options.usingAnon_cipher) {
- WOLFSSL_MSG("Not sending certificate msg. Using PSK or ANON cipher.");
- return 0; /* not needed */
- }
- if (ssl->options.sendVerify == SEND_BLANK_CERT) {
- #ifdef OPENSSL_EXTRA
- if (ssl->version.major == SSLv3_MAJOR
- && ssl->version.minor == SSLv3_MINOR){
- return SendAlert(ssl, alert_warning, no_certificate);
- } else {
- #endif
- certSz = 0;
- certChainSz = 0;
- headerSz = CERT_HEADER_SZ;
- length = CERT_HEADER_SZ;
- listSz = 0;
- #ifdef OPENSSL_EXTRA
- }
- #endif
- }
- else {
- if (!ssl->buffers.certificate) {
- WOLFSSL_MSG("Send Cert missing certificate buffer");
- return BUFFER_ERROR;
- }
- certSz = ssl->buffers.certificate->length;
- headerSz = 2 * CERT_HEADER_SZ;
- /* list + cert size */
- length = certSz + headerSz;
- listSz = certSz + CERT_HEADER_SZ;
- /* may need to send rest of chain, already has leading size(s) */
- if (certSz && ssl->buffers.certChain) {
- certChainSz = ssl->buffers.certChain->length;
- length += certChainSz;
- listSz += certChainSz;
- }
- else
- certChainSz = 0;
- }
- payloadSz = length;
- if (ssl->fragOffset != 0)
- length -= (ssl->fragOffset + headerSz);
- maxFragment = MAX_RECORD_SIZE;
- maxFragment = wolfSSL_GetMaxFragSize(ssl, maxFragment);
- while (length > 0 && ret == 0) {
- byte* output = NULL;
- word32 fragSz = 0;
- word32 i = RECORD_HEADER_SZ;
- int sendSz = RECORD_HEADER_SZ;
- ssl->options.buildingMsg = 1;
- if (!ssl->options.dtls) {
- if (ssl->fragOffset == 0) {
- if (headerSz + certSz + certChainSz <=
- maxFragment - HANDSHAKE_HEADER_SZ) {
- fragSz = headerSz + certSz + certChainSz;
- }
- else {
- fragSz = maxFragment - HANDSHAKE_HEADER_SZ;
- }
- sendSz += fragSz + HANDSHAKE_HEADER_SZ;
- i += HANDSHAKE_HEADER_SZ;
- }
- else {
- fragSz = min(length, maxFragment);
- sendSz += fragSz;
- }
- if (IsEncryptionOn(ssl, 1))
- sendSz += MAX_MSG_EXTRA;
- }
- else {
- #ifdef WOLFSSL_DTLS
- fragSz = min(length, maxFragment);
- sendSz += fragSz + DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_HEADER_SZ;
- i += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_HEADER_SZ;
- #endif
- }
- if (IsEncryptionOn(ssl, 1))
- sendSz += cipherExtraData(ssl);
- /* check for available size */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
- /* get output buffer */
- output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- /* Safe to use ssl->fragOffset since it will be incremented immediately
- * after this block. This block needs to be entered only once to not
- * hash the cert msg twice. */
- if (ssl->fragOffset == 0) {
- if (!ssl->options.dtls) {
- AddFragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);
- if (!IsEncryptionOn(ssl, 1))
- HashRaw(ssl, output + RECORD_HEADER_SZ,
- HANDSHAKE_HEADER_SZ);
- }
- else {
- #ifdef WOLFSSL_DTLS
- AddHeaders(output, payloadSz, certificate, ssl);
- HashRaw(ssl,
- output + RECORD_HEADER_SZ + DTLS_RECORD_EXTRA,
- HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA);
- /* Adding the headers increments these, decrement them for
- * actual message header. */
- ssl->keys.dtls_handshake_number--;
- AddFragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);
- ssl->keys.dtls_handshake_number--;
- #endif /* WOLFSSL_DTLS */
- }
- /* list total */
- c32to24(listSz, output + i);
- if (ssl->options.dtls || !IsEncryptionOn(ssl, 1))
- HashRaw(ssl, output + i, CERT_HEADER_SZ);
- i += CERT_HEADER_SZ;
- length -= CERT_HEADER_SZ;
- fragSz -= CERT_HEADER_SZ;
- if (certSz) {
- c32to24(certSz, output + i);
- if (ssl->options.dtls || !IsEncryptionOn(ssl, 1))
- HashRaw(ssl, output + i, CERT_HEADER_SZ);
- i += CERT_HEADER_SZ;
- length -= CERT_HEADER_SZ;
- fragSz -= CERT_HEADER_SZ;
- if (ssl->options.dtls || !IsEncryptionOn(ssl, 1)) {
- HashRaw(ssl, ssl->buffers.certificate->buffer, certSz);
- if (certChainSz)
- HashRaw(ssl, ssl->buffers.certChain->buffer,
- certChainSz);
- }
- }
- }
- else {
- if (!ssl->options.dtls) {
- AddRecordHeader(output, fragSz, handshake, ssl, CUR_ORDER);
- }
- else {
- #ifdef WOLFSSL_DTLS
- AddFragHeaders(output, fragSz, ssl->fragOffset + headerSz,
- payloadSz, certificate, ssl);
- ssl->keys.dtls_handshake_number--;
- #endif /* WOLFSSL_DTLS */
- }
- }
- /* member */
- if (certSz && ssl->fragOffset < certSz) {
- word32 copySz = min(certSz - ssl->fragOffset, fragSz);
- XMEMCPY(output + i,
- ssl->buffers.certificate->buffer + ssl->fragOffset, copySz);
- i += copySz;
- ssl->fragOffset += copySz;
- length -= copySz;
- fragSz -= copySz;
- }
- if (certChainSz && fragSz) {
- word32 copySz = min(certChainSz + certSz - ssl->fragOffset, fragSz);
- XMEMCPY(output + i,
- ssl->buffers.certChain->buffer + ssl->fragOffset - certSz,
- copySz);
- i += copySz;
- ssl->fragOffset += copySz;
- length -= copySz;
- }
- if (IsEncryptionOn(ssl, 1)) {
- byte* input = NULL;
- int inputSz = i; /* build msg adds rec hdr */
- int recordHeaderSz = RECORD_HEADER_SZ;
- if (ssl->options.dtls)
- recordHeaderSz += DTLS_RECORD_EXTRA;
- inputSz -= recordHeaderSz;
- if (inputSz < 0) {
- WOLFSSL_MSG("Send Cert bad inputSz");
- return BUFFER_E;
- }
- if (inputSz > 0) { /* clang thinks could be zero, let's help */
- input = (byte*)XMALLOC(inputSz, ssl->heap,
- DYNAMIC_TYPE_IN_BUFFER);
- if (input == NULL)
- return MEMORY_E;
- XMEMCPY(input, output + recordHeaderSz, inputSz);
- }
- #ifndef WOLFSSL_DTLS
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- handshake, 1, 0, 0, CUR_ORDER);
- #else
- if (!ssl->options.dtls)
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- handshake, 1, 0, 0, CUR_ORDER);
- else /* DTLS 1.2 has to ignore fragmentation in hashing so we need to
- * calculate the hash ourselves above */ {
- if ((ret = DtlsMsgPoolSave(ssl, input, inputSz, certificate)) != 0) {
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- return ret;
- }
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- handshake, 0, 0, 0, CUR_ORDER);
- }
- #endif
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (sendSz < 0)
- return sendSz;
- }
- else {
- sendSz = i;
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl)) {
- if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, certificate)) != 0)
- return ret;
- }
- if (ssl->options.dtls)
- DtlsSEQIncrement(ssl, CUR_ORDER);
- #endif
- }
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "Certificate");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "Certificate", handshake, output, sendSz,
- WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->buffers.outputBuffer.length += sendSz;
- if (!ssl->options.groupMessages)
- ret = SendBuffered(ssl);
- }
- if (ret != WANT_WRITE) {
- /* Clean up the fragment offset. */
- ssl->options.buildingMsg = 0;
- ssl->fragOffset = 0;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls)
- ssl->keys.dtls_handshake_number++;
- #endif
- if (ssl->options.side == WOLFSSL_SERVER_END){
- ssl->options.serverState = SERVER_CERT_COMPLETE;
- }
- }
- WOLFSSL_LEAVE("SendCertificate", ret);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_SEND);
- return ret;
- }
- #endif /* !NO_WOLFSSL_SERVER || !WOLFSSL_NO_CLIENT_AUTH */
- /* handle generation of certificate_request (13) */
- int SendCertificateRequest(WOLFSSL* ssl)
- {
- byte *output;
- int ret;
- int sendSz;
- word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- word32 dnLen = 0;
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
- WOLF_STACK_OF(WOLFSSL_X509_NAME)* names;
- #endif
- const Suites* suites = WOLFSSL_SUITES(ssl);
- int typeTotal = 1; /* only 1 for now */
- int reqSz = ENUM_LEN + typeTotal + REQ_HEADER_SZ; /* add auth later */
- WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_SEND);
- WOLFSSL_ENTER("SendCertificateRequest");
- if (IsAtLeastTLSv1_2(ssl))
- reqSz += LENGTH_SZ + suites->hashSigAlgoSz;
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
- /* Certificate Authorities */
- names = SSL_CA_NAMES(ssl);
- while (names != NULL) {
- byte seq[MAX_SEQ_SZ];
- WOLFSSL_X509_NAME* name = names->data.name;
- if (name != NULL) {
- /* 16-bit length | SEQ | Len | DER of name */
- dnLen += OPAQUE16_LEN + SetSequence(name->rawLen, seq) +
- name->rawLen;
- }
- names = names->next;
- }
- reqSz += dnLen;
- #endif
- if (ssl->options.usingPSK_cipher || ssl->options.usingAnon_cipher)
- return 0; /* not needed */
- sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz;
- if (!ssl->options.dtls) {
- if (IsEncryptionOn(ssl, 1))
- sendSz += MAX_MSG_EXTRA;
- }
- else {
- #ifdef WOLFSSL_DTLS
- sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- i += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- #endif
- }
- if (IsEncryptionOn(ssl, 1))
- sendSz += cipherExtraData(ssl);
- /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
- * is not advanced yet */
- ssl->options.buildingMsg = 1;
- /* check for available size */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
- /* get output buffer */
- output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- AddHeaders(output, reqSz, certificate_request, ssl);
- /* write to output */
- output[i++] = (byte)typeTotal; /* # of types */
- #ifdef HAVE_ECC
- if ((ssl->options.cipherSuite0 == ECC_BYTE ||
- ssl->options.cipherSuite0 == CHACHA_BYTE) &&
- ssl->specs.sig_algo == ecc_dsa_sa_algo) {
- output[i++] = ecdsa_sign;
- } else
- #endif /* HAVE_ECC */
- {
- output[i++] = rsa_sign;
- }
- /* supported hash/sig */
- if (IsAtLeastTLSv1_2(ssl)) {
- c16toa(suites->hashSigAlgoSz, &output[i]);
- i += OPAQUE16_LEN;
- XMEMCPY(&output[i], suites->hashSigAlgo, suites->hashSigAlgoSz);
- i += suites->hashSigAlgoSz;
- }
- /* Certificate Authorities */
- c16toa((word16)dnLen, &output[i]); /* auth's */
- i += REQ_HEADER_SZ;
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
- names = SSL_CA_NAMES(ssl);
- while (names != NULL) {
- byte seq[MAX_SEQ_SZ];
- WOLFSSL_X509_NAME* name = names->data.name;
- if (name != NULL) {
- c16toa((word16)name->rawLen +
- (word16)SetSequence(name->rawLen, seq), &output[i]);
- i += OPAQUE16_LEN;
- i += SetSequence(name->rawLen, output + i);
- XMEMCPY(output + i, name->raw, name->rawLen);
- i += name->rawLen;
- }
- names = names->next;
- }
- #endif
- (void)i;
- if (IsEncryptionOn(ssl, 1)) {
- byte* input = NULL;
- int inputSz = i; /* build msg adds rec hdr */
- int recordHeaderSz = RECORD_HEADER_SZ;
- if (ssl->options.dtls)
- recordHeaderSz += DTLS_RECORD_EXTRA;
- inputSz -= recordHeaderSz;
- if (inputSz <= 0) {
- WOLFSSL_MSG("Send Cert Req bad inputSz");
- return BUFFER_E;
- }
- input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (input == NULL)
- return MEMORY_E;
- XMEMCPY(input, output + recordHeaderSz, inputSz);
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl) &&
- (ret = DtlsMsgPoolSave(ssl, input, inputSz, certificate_request)) != 0) {
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- return ret;
- }
- #endif
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- handshake, 1, 0, 0, CUR_ORDER);
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (sendSz < 0)
- return sendSz;
- } else {
- sendSz = i;
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl)) {
- if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, certificate_request)) != 0)
- return ret;
- }
- if (ssl->options.dtls)
- DtlsSEQIncrement(ssl, CUR_ORDER);
- #endif
- ret = HashOutput(ssl, output, sendSz, 0);
- if (ret != 0)
- return ret;
- }
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "CertificateRequest");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "CertificateRequest", handshake, output,
- sendSz, WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->buffers.outputBuffer.length += sendSz;
- if (ssl->options.groupMessages)
- ret = 0;
- else
- ret = SendBuffered(ssl);
- ssl->options.buildingMsg = 0;
- WOLFSSL_LEAVE("SendCertificateRequest", ret);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_SEND);
- return ret;
- }
- #ifndef NO_WOLFSSL_SERVER
- #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
- || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
- static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status,
- byte count)
- {
- byte* output = NULL;
- word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- word32 length = ENUM_LEN;
- int sendSz = 0;
- int ret = 0;
- int i = 0;
- WOLFSSL_ENTER("BuildCertificateStatus");
- switch (type) {
- case WOLFSSL_CSR2_OCSP_MULTI:
- length += OPAQUE24_LEN;
- FALL_THROUGH; /* followed by */
- case WOLFSSL_CSR2_OCSP:
- for (i = 0; i < count; i++)
- length += OPAQUE24_LEN + status[i].length;
- break;
- default:
- return 0;
- }
- sendSz = idx + length;
- if (ssl->keys.encryptionOn)
- sendSz += MAX_MSG_EXTRA;
- /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
- * is not advanced yet */
- ssl->options.buildingMsg = 1;
- if ((ret = CheckAvailableSize(ssl, sendSz)) == 0) {
- output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- AddHeaders(output, length, certificate_status, ssl);
- output[idx++] = type;
- if (type == WOLFSSL_CSR2_OCSP_MULTI) {
- c32to24(length - (ENUM_LEN + OPAQUE24_LEN), output + idx);
- idx += OPAQUE24_LEN;
- }
- for (i = 0; i < count; i++) {
- c32to24(status[i].length, output + idx);
- idx += OPAQUE24_LEN;
- XMEMCPY(output + idx, status[i].buffer, status[i].length);
- idx += status[i].length;
- }
- if (IsEncryptionOn(ssl, 1)) {
- byte* input;
- int inputSz = idx; /* build msg adds rec hdr */
- int recordHeaderSz = RECORD_HEADER_SZ;
- if (ssl->options.dtls)
- recordHeaderSz += DTLS_RECORD_EXTRA;
- inputSz -= recordHeaderSz;
- input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (input == NULL)
- return MEMORY_E;
- XMEMCPY(input, output + recordHeaderSz, inputSz);
- #ifdef WOLFSSL_DTLS
- ret = DtlsMsgPoolSave(ssl, input, inputSz, certificate_status);
- #endif
- if (ret == 0)
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- handshake, 1, 0, 0, CUR_ORDER);
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (sendSz < 0)
- ret = sendSz;
- }
- else {
- #ifdef WOLFSSL_DTLS
- if (ret == 0 && IsDtlsNotSctpMode(ssl))
- ret = DtlsMsgPoolSave(ssl, output, sendSz, certificate_status);
- if (ret == 0 && ssl->options.dtls)
- DtlsSEQIncrement(ssl, CUR_ORDER);
- #endif
- ret = HashOutput(ssl, output, sendSz, 0);
- }
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ret == 0 && ssl->hsInfoOn)
- AddPacketName(ssl, "CertificateStatus");
- if (ret == 0 && ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "CertificateStatus", handshake, output,
- sendSz, WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- if (ret == 0) {
- ssl->options.buildingMsg = 0;
- ssl->buffers.outputBuffer.length += sendSz;
- if (!ssl->options.groupMessages)
- ret = SendBuffered(ssl);
- }
- }
- WOLFSSL_LEAVE("BuildCertificateStatus", ret);
- return ret;
- }
- #endif
- #endif /* NO_WOLFSSL_SERVER */
- /* handle generation of certificate_status (22) */
- int SendCertificateStatus(WOLFSSL* ssl)
- {
- int ret = 0;
- byte status_type = 0;
- WOLFSSL_START(WC_FUNC_CERTIFICATE_STATUS_SEND);
- WOLFSSL_ENTER("SendCertificateStatus");
- (void) ssl;
- #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
- status_type = ssl->status_request;
- #endif
- #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
- status_type = status_type ? status_type : ssl->status_request_v2;
- #endif
- switch (status_type) {
- #ifndef NO_WOLFSSL_SERVER
- #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
- || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
- /* case WOLFSSL_CSR_OCSP: */
- case WOLFSSL_CSR2_OCSP:
- {
- OcspRequest* request = ssl->ctx->certOcspRequest;
- buffer response;
- ret = CreateOcspResponse(ssl, &request, &response);
- /* if a request was successfully created and not stored in
- * ssl->ctx then free it */
- if (ret == 0 && request != ssl->ctx->certOcspRequest) {
- FreeOcspRequest(request);
- XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
- request = NULL;
- }
- if (ret == 0 && response.buffer) {
- ret = BuildCertificateStatus(ssl, status_type, &response, 1);
- XFREE(response.buffer, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
- response.buffer = NULL;
- }
- break;
- }
- #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
- /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
- #if defined HAVE_CERTIFICATE_STATUS_REQUEST_V2
- case WOLFSSL_CSR2_OCSP_MULTI:
- {
- OcspRequest* request = ssl->ctx->certOcspRequest;
- buffer responses[1 + MAX_CHAIN_DEPTH];
- int i = 0;
- XMEMSET(responses, 0, sizeof(responses));
- ret = CreateOcspResponse(ssl, &request, &responses[0]);
- /* if a request was successfully created and not stored in
- * ssl->ctx then free it */
- if (ret == 0 && request != ssl->ctx->certOcspRequest) {
- FreeOcspRequest(request);
- XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
- request = NULL;
- }
- if (ret == 0 && (!ssl->ctx->chainOcspRequest[0]
- || ssl->buffers.weOwnCertChain)) {
- buffer der;
- word32 idx = 0;
- #ifdef WOLFSSL_SMALL_STACK
- DecodedCert* cert;
- #else
- DecodedCert cert[1];
- #endif
- DerBuffer* chain;
- #ifdef WOLFSSL_SMALL_STACK
- cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
- DYNAMIC_TYPE_DCERT);
- if (cert == NULL)
- return MEMORY_E;
- #endif
- request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), ssl->heap,
- DYNAMIC_TYPE_OCSP_REQUEST);
- if (request == NULL) {
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
- #endif
- return MEMORY_E;
- }
- /* use certChain if available, otherwise use peer certificate */
- chain = ssl->buffers.certChain;
- if (chain == NULL) {
- chain = ssl->buffers.certificate;
- }
- if (chain && chain->buffer) {
- while (idx + OPAQUE24_LEN < chain->length) {
- c24to32(chain->buffer + idx, &der.length);
- idx += OPAQUE24_LEN;
- der.buffer = chain->buffer + idx;
- idx += der.length;
- if (idx > chain->length)
- break;
- ret = CreateOcspRequest(ssl, request, cert, der.buffer,
- der.length);
- if (ret == 0) {
- request->ssl = ssl;
- ret = CheckOcspRequest(SSL_CM(ssl)->ocsp_stapling,
- request, &responses[i + 1]);
- /* Suppressing, not critical */
- if (ret == OCSP_CERT_REVOKED ||
- ret == OCSP_CERT_UNKNOWN ||
- ret == OCSP_LOOKUP_FAIL) {
- ret = 0;
- }
- i++;
- FreeOcspRequest(request);
- }
- }
- }
- XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
- #endif
- }
- else {
- while (ret == 0 &&
- NULL != (request = ssl->ctx->chainOcspRequest[i])) {
- request->ssl = ssl;
- ret = CheckOcspRequest(SSL_CM(ssl)->ocsp_stapling,
- request, &responses[++i]);
- /* Suppressing, not critical */
- if (ret == OCSP_CERT_REVOKED ||
- ret == OCSP_CERT_UNKNOWN ||
- ret == OCSP_LOOKUP_FAIL) {
- ret = 0;
- }
- }
- }
- if (responses[0].buffer) {
- if (ret == 0) {
- ret = BuildCertificateStatus(ssl, status_type, responses,
- (byte)i + 1);
- }
- for (i = 0; i < 1 + MAX_CHAIN_DEPTH; i++) {
- if (responses[i].buffer) {
- XFREE(responses[i].buffer, ssl->heap,
- DYNAMIC_TYPE_OCSP_REQUEST);
- }
- }
- }
- break;
- }
- #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
- #endif /* NO_WOLFSSL_SERVER */
- default:
- break;
- }
- WOLFSSL_LEAVE("SendCertificateStatus", ret);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_STATUS_SEND);
- return ret;
- }
- #endif /* !NO_CERTS */
- #endif /* WOLFSSL_NO_TLS12 */
- #if defined(HAVE_SECURE_RENEGOTIATION) && defined(WOLFSSL_DTLS)
- /**
- * Check if the SCR keys are set in ssl->secure_renegotiation->tmp_keys.
- */
- int DtlsSCRKeysSet(WOLFSSL* ssl)
- {
- return ssl->secure_renegotiation &&
- ssl->secure_renegotiation->tmp_keys.dtls_epoch != 0;
- }
- /**
- * ssl->keys contains the current cipher parameters only for epoch 1. For
- * epochs >1 ssl->secure_renegotiation->tmp_keys contains the current
- * cipher parameters. This function checks if the message currently being
- * processed should use ssl->keys or ssl->secure_renegotiation->tmp_keys.
- */
- int IsDtlsMsgSCRKeys(WOLFSSL* ssl)
- {
- return DtlsSCRKeysSet(ssl) &&
- ssl->keys.curEpoch ==
- ssl->secure_renegotiation->tmp_keys.dtls_epoch;
- }
- /**
- * ssl->keys contains the current cipher parameters only for epoch 1. For
- * epochs >1 ssl->secure_renegotiation->tmp_keys contains the current
- * cipher parameters. This function checks if the message currently being
- * built should use ssl->keys or ssl->secure_renegotiation->tmp_keys.
- */
- int DtlsUseSCRKeys(WOLFSSL* ssl)
- {
- return DtlsSCRKeysSet(ssl) &&
- ssl->secure_renegotiation->tmp_keys.dtls_epoch ==
- ssl->keys.dtls_epoch;
- }
- /**
- * If ssl->secure_renegotiation->tmp_keys.dtls_epoch > ssl->keys.dtls_epoch
- * then PREV_ORDER refers to the current epoch.
- * */
- int DtlsCheckOrder(WOLFSSL* ssl, int order)
- {
- if (order == PREV_ORDER && ssl->secure_renegotiation &&
- ssl->secure_renegotiation->tmp_keys.dtls_epoch > ssl->keys.dtls_epoch) {
- return CUR_ORDER;
- }
- else {
- return order;
- }
- }
- #endif /* HAVE_SECURE_RENEGOTIATION && WOLFSSL_DTLS */
- /* If secure renegotiation is disabled, this will always return false.
- * Otherwise it checks to see if we are currently renegotiating. */
- int IsSCR(WOLFSSL* ssl)
- {
- #ifndef HAVE_SECURE_RENEGOTIATION
- (void)ssl;
- #else /* HAVE_SECURE_RENEGOTIATION */
- if (ssl->secure_renegotiation &&
- ssl->secure_renegotiation->enabled && /* Is SCR enabled? */
- ssl->options.handShakeDone && /* At least one handshake done? */
- ssl->options.handShakeState != HANDSHAKE_DONE) /* Currently handshaking? */
- return 1;
- #endif /* HAVE_SECURE_RENEGOTIATION */
- return 0;
- }
- #ifdef WOLFSSL_DTLS
- static int ModifyForMTU(WOLFSSL* ssl, int buffSz, int outputSz, int mtuSz)
- {
- int recordExtra = outputSz - buffSz;
- (void)ssl;
- if (recordExtra > 0 && outputSz > mtuSz) {
- buffSz = mtuSz - recordExtra;
- #ifndef WOLFSSL_AEAD_ONLY
- /* Subtract a block size to be certain that returned fragment
- * size won't get more padding. */
- if (ssl->specs.cipher_type == block)
- buffSz -= ssl->specs.block_size;
- #endif
- }
- return buffSz;
- }
- #endif /* WOLFSSL_DTLS */
- #if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_TLS13_IGNORE_AEAD_LIMITS)
- /*
- * Enforce limits specified in
- * https://www.rfc-editor.org/rfc/rfc8446#section-5.5
- */
- static int CheckTLS13AEADSendLimit(WOLFSSL* ssl)
- {
- w64wrapper seq;
- w64wrapper limit;
- switch (ssl->specs.bulk_cipher_algorithm) {
- #ifdef BUILD_AESGCM
- case wolfssl_aes_gcm:
- /* Limit is 2^24.5 */
- limit = AEAD_AES_LIMIT;
- break;
- #endif
- #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
- case wolfssl_chacha:
- /* For ChaCha20/Poly1305, the record sequence number would wrap
- * before the safety limit is reached. */
- return 0;
- #endif
- #ifdef HAVE_AESCCM
- case wolfssl_aes_ccm:
- /* Use the limits calculated in the DTLS 1.3 spec
- * https://www.rfc-editor.org/rfc/rfc9147.html#name-analysis-of-limits-on-ccm-u */
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- limit = DTLS_AEAD_AES_CCM_LIMIT; /* Limit is 2^23 */
- else
- #endif
- limit = AEAD_AES_LIMIT; /* Limit is 2^24.5 */
- break;
- #endif
- case wolfssl_cipher_null:
- /* No encryption being done */
- return 0;
- default:
- WOLFSSL_MSG("Unrecognized ciphersuite for AEAD limit check");
- return BAD_STATE_E;
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- seq = ssl->dtls13EncryptEpoch->nextSeqNumber;
- }
- else
- #endif
- {
- seq = w64From32(ssl->keys.sequence_number_hi,
- ssl->keys.sequence_number_lo);
- }
- if (w64GTE(seq, limit))
- return Tls13UpdateKeys(ssl); /* Need to generate new keys */
- return 0;
- }
- #endif /* WOLFSSL_TLS13 && !WOLFSSL_TLS13_IGNORE_AEAD_LIMITS */
- int SendData(WOLFSSL* ssl, const void* data, int sz)
- {
- int sent = 0, /* plainText size */
- sendSz,
- ret;
- #if defined(WOLFSSL_EARLY_DATA) && defined(WOLFSSL_EARLY_DATA_GROUP)
- int groupMsgs = 0;
- #endif
- if (ssl->error == WANT_WRITE
- #ifdef WOLFSSL_ASYNC_CRYPT
- || ssl->error == WC_PENDING_E
- #endif
- ) {
- ssl->error = 0;
- }
- /* don't allow write after decrypt or mac error */
- if (ssl->error == VERIFY_MAC_ERROR || ssl->error == DECRYPT_ERROR) {
- /* For DTLS allow these possible errors and allow the session
- to continue despite them */
- if (ssl->options.dtls) {
- ssl->error = 0;
- }
- else {
- WOLFSSL_MSG("Not allowing write after decrypt or mac error");
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->earlyData != no_early_data) {
- if (ssl->options.handShakeState == HANDSHAKE_DONE) {
- WOLFSSL_MSG("handshake complete, trying to send early data");
- ssl->error = BUILD_MSG_ERROR;
- return WOLFSSL_FATAL_ERROR;
- }
- #ifdef WOLFSSL_EARLY_DATA_GROUP
- groupMsgs = 1;
- #endif
- }
- else
- #endif
- if (ssl->options.handShakeState != HANDSHAKE_DONE && !IsSCR(ssl)) {
- int err;
- WOLFSSL_MSG("handshake not complete, trying to finish");
- if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) {
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* if async would block return WANT_WRITE */
- if (ssl->error == WC_PENDING_E) {
- return WOLFSSL_CBIO_ERR_WANT_WRITE;
- }
- #endif
- return err;
- }
- }
- /* last time system socket output buffer was full, try again to send */
- if (ssl->buffers.outputBuffer.length > 0
- #if defined(WOLFSSL_EARLY_DATA) && defined(WOLFSSL_EARLY_DATA_GROUP)
- && !groupMsgs
- #endif
- ) {
- WOLFSSL_MSG("output buffer was full, trying to send again");
- if ( (ssl->error = SendBuffered(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- if (ssl->error == SOCKET_ERROR_E && (ssl->options.connReset ||
- ssl->options.isClosed)) {
- ssl->error = SOCKET_PEER_CLOSED_E;
- WOLFSSL_ERROR(ssl->error);
- return 0; /* peer reset or closed */
- }
- return ssl->error;
- }
- else {
- /* advance sent to previous sent + plain size just sent */
- sent = ssl->buffers.prevSent + ssl->buffers.plainSz;
- WOLFSSL_MSG("sent write buffered data");
- if (sent > sz) {
- WOLFSSL_MSG("error: write() after WANT_WRITE with short size");
- return ssl->error = BAD_FUNC_ARG;
- }
- }
- }
- ret = RetrySendAlert(ssl);
- if (ret != 0) {
- ssl->error = ret;
- return WOLFSSL_FATAL_ERROR;
- }
- for (;;) {
- byte* out;
- byte* sendBuffer = (byte*)data + sent; /* may switch on comp */
- int buffSz; /* may switch on comp */
- int outputSz;
- #ifdef HAVE_LIBZ
- byte comp[MAX_RECORD_SIZE + MAX_COMP_EXTRA];
- #endif
- #if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_TLS13_IGNORE_AEAD_LIMITS)
- if (IsAtLeastTLSv1_3(ssl->version)) {
- ret = CheckTLS13AEADSendLimit(ssl);
- if (ret != 0) {
- ssl->error = ret;
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls && ssl->options.tls1_3) {
- byte isEarlyData = 0;
- if (ssl->dtls13EncryptEpoch == NULL)
- return ssl->error = BAD_STATE_E;
- #ifdef WOLFSSL_EARLY_DATA
- isEarlyData = ssl->earlyData != no_early_data;
- #endif
- if (isEarlyData) {
- #ifdef WOLFSSL_EARLY_DATA
- ret = Dtls13SetEpochKeys(ssl,
- w64From32(0x0, DTLS13_EPOCH_EARLYDATA), ENCRYPT_SIDE_ONLY);
- if (ret != 0) {
- WOLFSSL_MSG(
- "trying to send early data without epoch 1");
- ssl->error = BUILD_MSG_ERROR;
- return WOLFSSL_FATAL_ERROR;
- }
- #endif /* WOLFSSL_EARLY_DATA */
- }
- else if (!w64Equal(
- ssl->dtls13EncryptEpoch->epochNumber,
- ssl->dtls13Epoch)) {
- ret = Dtls13SetEpochKeys(
- ssl, ssl->dtls13Epoch, ENCRYPT_SIDE_ONLY);
- if (ret != 0) {
- ssl->error = BUILD_MSG_ERROR;
- return WOLFSSL_FATAL_ERROR;
- }
- }
- }
- #endif /* WOLFSSL_DTLS13 */
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- buffSz = wolfSSL_GetMaxFragSize(ssl, sz - sent);
- }
- else
- #endif
- {
- buffSz = wolfSSL_GetMaxFragSize(ssl, sz - sent);
- }
- if (sent == sz) break;
- #if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_DTLS_SIZE_CHECK)
- if (ssl->options.dtls && (buffSz < sz - sent)) {
- ssl->error = DTLS_SIZE_ERROR;
- WOLFSSL_ERROR(ssl->error);
- return ssl->error;
- }
- #endif
- outputSz = buffSz + COMP_EXTRA + DTLS_RECORD_HEADER_SZ;
- if (IsEncryptionOn(ssl, 1) || ssl->options.tls1_3)
- outputSz += cipherExtraData(ssl);
- /* check for available size */
- if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
- return ssl->error = ret;
- /* get output buffer */
- out = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- #ifdef HAVE_LIBZ
- if (ssl->options.usingCompression) {
- buffSz = myCompress(ssl, sendBuffer, buffSz, comp, sizeof(comp));
- if (buffSz < 0) {
- return buffSz;
- }
- sendBuffer = comp;
- }
- #endif
- if (!ssl->options.tls1_3) {
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->async == NULL) {
- ssl->async = (struct WOLFSSL_ASYNC*)
- XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
- DYNAMIC_TYPE_ASYNC);
- if (ssl->async == NULL)
- return MEMORY_E;
- ssl->async->freeArgs = NULL;
- }
- #endif
- sendSz = BuildMessage(ssl, out, outputSz, sendBuffer, buffSz,
- application_data, 0, 0, 1, CUR_ORDER);
- }
- else {
- #ifdef WOLFSSL_TLS13
- sendSz = BuildTls13Message(ssl, out, outputSz, sendBuffer, buffSz,
- application_data, 0, 0, 1);
- #else
- sendSz = BUFFER_ERROR;
- #endif
- }
- if (sendSz < 0) {
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (sendSz == WC_PENDING_E)
- ssl->error = sendSz;
- #endif
- return BUILD_MSG_ERROR;
- }
- #ifdef WOLFSSL_ASYNC_CRYPT
- FreeAsyncCtx(ssl, 0);
- #endif
- ssl->buffers.outputBuffer.length += sendSz;
- if ( (ssl->error = SendBuffered(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- /* store for next call if WANT_WRITE or user embedSend() that
- doesn't present like WANT_WRITE */
- ssl->buffers.plainSz = buffSz;
- ssl->buffers.prevSent = sent;
- if (ssl->error == SOCKET_ERROR_E && (ssl->options.connReset ||
- ssl->options.isClosed)) {
- ssl->error = SOCKET_PEER_CLOSED_E;
- WOLFSSL_ERROR(ssl->error);
- return 0; /* peer reset or closed */
- }
- return ssl->error;
- }
- sent += buffSz;
- /* only one message per attempt */
- if (ssl->options.partialWrite == 1) {
- WOLFSSL_MSG("Partial Write on, only sending one record");
- break;
- }
- }
- return sent;
- }
- /* process input data */
- int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek)
- {
- int size;
- WOLFSSL_ENTER("ReceiveData");
- /* reset error state */
- if (ssl->error == WANT_READ || ssl->error == WOLFSSL_ERROR_WANT_READ) {
- ssl->error = 0;
- }
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- /* In DTLS mode, we forgive some errors and allow the session
- * to continue despite them. */
- if (ssl->error == VERIFY_MAC_ERROR ||
- ssl->error == DECRYPT_ERROR ||
- ssl->error == DTLS_SIZE_ERROR) {
- ssl->error = 0;
- }
- }
- #endif /* WOLFSSL_DTLS */
- if (ssl->error != 0 && ssl->error != WANT_WRITE
- #ifdef WOLFSSL_ASYNC_CRYPT
- && ssl->error != WC_PENDING_E
- #endif
- #ifdef HAVE_SECURE_RENEGOTIATION
- && ssl->error != APP_DATA_READY
- #endif
- ) {
- WOLFSSL_MSG("User calling wolfSSL_read in error state, not allowed");
- return ssl->error;
- }
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->earlyData != no_early_data) {
- }
- else
- #endif
- {
- int negotiate = 0;
- #ifdef HAVE_SECURE_RENEGOTIATION
- if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) {
- if (ssl->options.handShakeState != HANDSHAKE_DONE
- && ssl->buffers.clearOutputBuffer.length == 0)
- negotiate = 1;
- }
- else
- #endif
- if (ssl->options.handShakeState != HANDSHAKE_DONE)
- negotiate = 1;
- if (negotiate) {
- int err;
- WOLFSSL_MSG("Handshake not complete, trying to finish");
- if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) {
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* if async would block return WANT_WRITE */
- if (ssl->error == WC_PENDING_E) {
- return WOLFSSL_CBIO_ERR_WANT_READ;
- }
- #endif
- return err;
- }
- }
- }
- #ifdef HAVE_SECURE_RENEGOTIATION
- startScr:
- if (ssl->secure_renegotiation && ssl->secure_renegotiation->startScr) {
- int ret;
- WOLFSSL_MSG("Need to start scr, server requested");
- ret = wolfSSL_Rehandshake(ssl);
- ssl->secure_renegotiation->startScr = 0; /* only start once */
- if (ret != WOLFSSL_SUCCESS)
- return ret;
- }
- #endif
- while (ssl->buffers.clearOutputBuffer.length == 0) {
- if ( (ssl->error = ProcessReply(ssl)) < 0) {
- if (ssl->error == ZERO_RETURN) {
- WOLFSSL_MSG("Zero return, no more data coming");
- return 0; /* no more data coming */
- }
- if (ssl->error == SOCKET_ERROR_E) {
- if (ssl->options.connReset || ssl->options.isClosed) {
- WOLFSSL_MSG("Peer reset or closed, connection done");
- ssl->error = SOCKET_PEER_CLOSED_E;
- WOLFSSL_ERROR(ssl->error);
- return 0; /* peer reset or closed */
- }
- }
- WOLFSSL_ERROR(ssl->error);
- return ssl->error;
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- /* Dtls13DoScheduledWork(ssl) may return WANT_WRITE */
- if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- return ssl->error;
- }
- }
- #endif /* WOLFSSL_DTLS13 */
- #ifdef HAVE_SECURE_RENEGOTIATION
- if (ssl->secure_renegotiation &&
- ssl->secure_renegotiation->startScr) {
- goto startScr;
- }
- if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled &&
- ssl->options.handShakeState != HANDSHAKE_DONE
- && ssl->buffers.clearOutputBuffer.length == 0) {
- /* ProcessReply processed a handshake packet and not any APP DATA
- * so let's move the handshake along */
- int err;
- WOLFSSL_MSG("Handshake not complete, trying to finish");
- if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) {
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* if async would block return WANT_WRITE */
- if (ssl->error == WC_PENDING_E) {
- return WOLFSSL_CBIO_ERR_WANT_READ;
- }
- #endif
- return err;
- }
- }
- #endif
- #ifdef WOLFSSL_DTLS13
- /* if wolfSSL_Peek() is invoked with sz == 0 it will not block (but
- * it processes pending non-application records) */
- if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version) && peek &&
- sz == 0 && ssl->buffers.inputBuffer.idx
- - ssl->buffers.inputBuffer.length == 0) {
- return 0;
- }
- #endif /* WOLFSSL_DTLS13 */
- #ifndef WOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE
- #ifdef WOLFSSL_TLS13
- if (IsAtLeastTLSv1_3(ssl->version) && ssl->options.handShakeDone &&
- ssl->curRL.type == handshake && peek) {
- WOLFSSL_MSG("Got Handshake Message in APP data");
- if (ssl->buffers.inputBuffer.length == 0) {
- ssl->error = WOLFSSL_ERROR_WANT_READ;
- return 0;
- }
- }
- #endif
- #endif
- }
- size = min(sz, (int)ssl->buffers.clearOutputBuffer.length);
- XMEMCPY(output, ssl->buffers.clearOutputBuffer.buffer, size);
- if (peek == 0) {
- ssl->buffers.clearOutputBuffer.length -= size;
- ssl->buffers.clearOutputBuffer.buffer += size;
- }
- if (ssl->buffers.inputBuffer.dynamicFlag)
- ShrinkInputBuffer(ssl, NO_FORCED_FREE);
- WOLFSSL_LEAVE("ReceiveData()", size);
- return size;
- }
- static int SendAlert_ex(WOLFSSL* ssl, int severity, int type)
- {
- byte input[ALERT_SIZE];
- byte *output;
- int sendSz;
- int ret;
- int outputSz;
- int dtlsExtra = 0;
- WOLFSSL_ENTER("SendAlert");
- WOLFSSL_MSG_EX("SendAlert: %d %s", type, AlertTypeToString(type));
- #ifdef WOLFSSL_QUIC
- if (WOLFSSL_IS_QUIC(ssl)) {
- ret = !ssl->quic.method->send_alert(ssl, ssl->quic.enc_level_write, (uint8_t)type);
- if (ret) {
- WOLFSSL_MSG("QUIC send_alert callback error");
- }
- return ret;
- }
- #endif
- #ifdef HAVE_WRITE_DUP
- if (ssl->dupWrite && ssl->dupSide == READ_DUP_SIDE) {
- int notifyErr = 0;
- WOLFSSL_MSG("Read dup side cannot write alerts, notifying sibling");
- if (type == close_notify) {
- notifyErr = ZERO_RETURN;
- } else if (severity == alert_fatal) {
- notifyErr = FATAL_ERROR;
- }
- if (notifyErr != 0) {
- return NotifyWriteSide(ssl, notifyErr);
- }
- return 0;
- }
- #endif
- ssl->pendingAlert.code = type;
- ssl->pendingAlert.level = severity;
- #ifdef OPENSSL_EXTRA
- if (ssl->CBIS != NULL) {
- ssl->CBIS(ssl, SSL_CB_ALERT, type);
- }
- #endif
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls)
- dtlsExtra = DTLS_RECORD_EXTRA;
- #endif
- /* check for available size */
- outputSz = ALERT_SIZE + MAX_MSG_EXTRA + dtlsExtra;
- if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) {
- #ifdef WOLFSSL_DTLS
- /* If CheckAvailableSize returned WANT_WRITE due to a blocking write
- * then discard pending output and just send the alert. */
- if (ssl->options.dtls) {
- if (ret != WANT_WRITE || severity != alert_fatal)
- return ret;
- ShrinkOutputBuffer(ssl);
- if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) {
- return ret;
- }
- }
- else {
- return ret;
- }
- #else
- return ret;
- #endif
- }
- /* Check output buffer */
- if (ssl->buffers.outputBuffer.buffer == NULL)
- return BUFFER_E;
- /* get output buffer */
- output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- input[0] = (byte)severity;
- input[1] = (byte)type;
- ssl->alert_history.last_tx.code = type;
- ssl->alert_history.last_tx.level = severity;
- if (severity == alert_fatal) {
- #ifdef WOLFSSL_DTLS
- /* Mark as closed in dtls only once we enter stateful mode. */
- if (!ssl->options.dtls || ssl->options.dtlsStateful)
- #endif
- ssl->options.isClosed = 1; /* Don't send close_notify */
- }
- /* send encrypted alert if encryption is on - can be a rehandshake over
- * an existing encrypted channel.
- * TLS 1.3 encrypts handshake packets after the ServerHello
- */
- if (IsEncryptionOn(ssl, 1)) {
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls
- && IsAtLeastTLSv1_3(ssl->version)
- && !w64Equal(ssl->dtls13EncryptEpoch->epochNumber, ssl->dtls13Epoch)) {
- ret = Dtls13SetEpochKeys(ssl, ssl->dtls13Epoch, ENCRYPT_SIDE_ONLY);
- if (ret != 0)
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE, alert,
- 0, 0, 0, CUR_ORDER);
- }
- else {
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version)) {
- ret = Dtls13RlAddPlaintextHeader(ssl, output, alert, ALERT_SIZE);
- if (ret != 0)
- return ret;
- }
- else
- #endif /* WOLFSSL_DTLS13 */
- {
- AddRecordHeader(output, ALERT_SIZE, alert, ssl, CUR_ORDER);
- }
- output += RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls)
- output += DTLS_RECORD_EXTRA;
- #endif
- XMEMCPY(output, input, ALERT_SIZE);
- sendSz = RECORD_HEADER_SZ + ALERT_SIZE;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls)
- sendSz += DTLS_RECORD_EXTRA;
- #endif
- }
- if (sendSz < 0)
- return BUILD_MSG_ERROR;
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "Alert");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "Alert", alert, output, sendSz,
- WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->buffers.outputBuffer.length += sendSz;
- ret = SendBuffered(ssl);
- ssl->pendingAlert.code = 0;
- ssl->pendingAlert.level = alert_none;
- WOLFSSL_LEAVE("SendAlert", ret);
- return ret;
- }
- int RetrySendAlert(WOLFSSL* ssl)
- {
- int type = ssl->pendingAlert.code;
- int severity = ssl->pendingAlert.level;
- if (severity == alert_none)
- return 0;
- ssl->pendingAlert.code = 0;
- ssl->pendingAlert.level = alert_none;
- return SendAlert_ex(ssl, severity, type);
- }
- /* send alert message */
- int SendAlert(WOLFSSL* ssl, int severity, int type)
- {
- if (ssl->pendingAlert.level != alert_none) {
- int ret = RetrySendAlert(ssl);
- if (ret != 0) {
- if (ssl->pendingAlert.level == alert_none ||
- (ssl->pendingAlert.level != alert_fatal &&
- severity == alert_fatal)) {
- /* Store current alert if pendingAlert is empty or if current
- * is fatal and previous was not */
- ssl->pendingAlert.code = type;
- ssl->pendingAlert.level = severity;
- }
- return ret;
- }
- }
- return SendAlert_ex(ssl, severity, type);
- }
- const char* wolfSSL_ERR_reason_error_string(unsigned long e)
- {
- #ifdef NO_ERROR_STRINGS
- (void)e;
- return "no support for error strings built in";
- #else
- int error = (int)e;
- #ifdef OPENSSL_EXTRA
- /* OpenSSL uses positive error codes */
- if (error > 0) {
- error = -error;
- }
- #endif
- /* pass to wolfCrypt */
- if (error < MAX_CODE_E && error > MIN_CODE_E) {
- return wc_GetErrorString(error);
- }
- switch (error) {
- #ifdef OPENSSL_EXTRA
- case 0 :
- return "ok";
- #endif
- case UNSUPPORTED_SUITE :
- return "unsupported cipher suite";
- case INPUT_CASE_ERROR :
- return "input state error";
- case PREFIX_ERROR :
- return "bad index to key rounds";
- case MEMORY_ERROR :
- return "out of memory";
- case VERIFY_FINISHED_ERROR :
- return "verify problem on finished";
- case VERIFY_MAC_ERROR :
- return "verify mac problem";
- case PARSE_ERROR :
- return "parse error on header";
- case SIDE_ERROR :
- return "wrong client/server type";
- case NO_PEER_CERT : /* OpenSSL compatibility expects this exact text */
- return "peer did not return a certificate";
- case UNKNOWN_HANDSHAKE_TYPE :
- return "weird handshake type";
- case SOCKET_ERROR_E :
- return "error state on socket";
- case SOCKET_NODATA :
- return "expected data, not there";
- case INCOMPLETE_DATA :
- return "don't have enough data to complete task";
- case UNKNOWN_RECORD_TYPE :
- return "unknown type in record hdr";
- case DECRYPT_ERROR :
- return "error during decryption";
- case FATAL_ERROR :
- return "received alert fatal error";
- case ENCRYPT_ERROR :
- return "error during encryption";
- case FREAD_ERROR :
- return "fread problem";
- case NO_PEER_KEY :
- return "need peer's key";
- case NO_PRIVATE_KEY :
- return "need the private key";
- case NO_DH_PARAMS :
- return "server missing DH params";
- case RSA_PRIVATE_ERROR :
- return "error during rsa priv op";
- case MATCH_SUITE_ERROR :
- return "can't match cipher suite";
- case COMPRESSION_ERROR :
- return "compression mismatch error";
- case BUILD_MSG_ERROR :
- return "build message failure";
- case BAD_HELLO :
- return "client hello malformed";
- case DOMAIN_NAME_MISMATCH :
- return "peer subject name mismatch";
- case IPADDR_MISMATCH :
- return "peer ip address mismatch";
- case WANT_READ :
- case WOLFSSL_ERROR_WANT_READ :
- return "non-blocking socket wants data to be read";
- case NOT_READY_ERROR :
- return "handshake layer not ready yet, complete first";
- case VERSION_ERROR :
- return "record layer version error";
- case WANT_WRITE :
- case WOLFSSL_ERROR_WANT_WRITE :
- return "non-blocking socket write buffer full";
- case BUFFER_ERROR :
- return "malformed buffer input error";
- case VERIFY_CERT_ERROR :
- return "verify problem on certificate";
- case VERIFY_SIGN_ERROR :
- return "verify problem based on signature";
- case CLIENT_ID_ERROR :
- return "psk client identity error";
- case SERVER_HINT_ERROR:
- return "psk server hint error";
- case PSK_KEY_ERROR:
- return "psk key callback error";
- case GETTIME_ERROR:
- return "gettimeofday() error";
- case GETITIMER_ERROR:
- return "getitimer() error";
- case SIGACT_ERROR:
- return "sigaction() error";
- case SETITIMER_ERROR:
- return "setitimer() error";
- case LENGTH_ERROR:
- return "record layer length error";
- case PEER_KEY_ERROR:
- return "can't decode peer key";
- case ZERO_RETURN:
- case WOLFSSL_ERROR_ZERO_RETURN:
- return "peer sent close notify alert";
- case ECC_CURVETYPE_ERROR:
- return "Bad ECC Curve Type or unsupported";
- case ECC_CURVE_ERROR:
- return "Bad ECC Curve or unsupported";
- case ECC_PEERKEY_ERROR:
- return "Bad ECC Peer Key";
- case ECC_MAKEKEY_ERROR:
- return "ECC Make Key failure";
- case ECC_EXPORT_ERROR:
- return "ECC Export Key failure";
- case ECC_SHARED_ERROR:
- return "ECC DHE shared failure";
- case NOT_CA_ERROR:
- return "Not a CA by basic constraint error";
- case BAD_CERT_MANAGER_ERROR:
- return "Bad Cert Manager error";
- case OCSP_CERT_REVOKED:
- return "OCSP Cert revoked";
- case CRL_CERT_REVOKED:
- #ifdef OPENSSL_EXTRA
- return "certificate revoked";
- #else
- return "CRL Cert revoked";
- #endif
- case CRL_MISSING:
- return "CRL missing, not loaded";
- case MONITOR_SETUP_E:
- return "CRL monitor setup error";
- case THREAD_CREATE_E:
- return "Thread creation problem";
- case OCSP_NEED_URL:
- return "OCSP need URL";
- case OCSP_CERT_UNKNOWN:
- return "OCSP Cert unknown";
- case OCSP_LOOKUP_FAIL:
- return "OCSP Responder lookup fail";
- case MAX_CHAIN_ERROR:
- return "Maximum Chain Depth Exceeded";
- case COOKIE_ERROR:
- return "DTLS Cookie Error";
- case SEQUENCE_ERROR:
- return "DTLS Sequence Error";
- case SUITES_ERROR:
- return "Suites Pointer Error";
- case OUT_OF_ORDER_E:
- return "Out of order message, fatal";
- case BAD_KEA_TYPE_E:
- return "Bad KEA type found";
- case SANITY_CIPHER_E:
- return "Sanity check on ciphertext failed";
- case RECV_OVERFLOW_E:
- return "Receive callback returned more than requested";
- case GEN_COOKIE_E:
- return "Generate Cookie Error";
- case NO_PEER_VERIFY:
- return "Need peer certificate verify Error";
- case FWRITE_ERROR:
- return "fwrite Error";
- case CACHE_MATCH_ERROR:
- return "Cache restore header match Error";
- case UNKNOWN_SNI_HOST_NAME_E:
- return "Unrecognized host name Error";
- case UNKNOWN_MAX_FRAG_LEN_E:
- return "Unrecognized max frag len Error";
- case KEYUSE_SIGNATURE_E:
- return "Key Use digitalSignature not set Error";
- case KEYUSE_ENCIPHER_E:
- return "Key Use keyEncipherment not set Error";
- case EXTKEYUSE_AUTH_E:
- return "Ext Key Use server/client auth not set Error";
- case SEND_OOB_READ_E:
- return "Send Callback Out of Bounds Read Error";
- case SECURE_RENEGOTIATION_E:
- return "Invalid Renegotiation Error";
- case SESSION_TICKET_LEN_E:
- return "Session Ticket Too Long Error";
- case SESSION_TICKET_EXPECT_E:
- return "Session Ticket Error";
- case SESSION_SECRET_CB_E:
- return "Session Secret Callback Error";
- case NO_CHANGE_CIPHER_E:
- return "Finished received from peer before Change Cipher Error";
- case SANITY_MSG_E:
- return "Sanity Check on message order Error";
- case DUPLICATE_MSG_E:
- return "Duplicate HandShake message Error";
- case SNI_UNSUPPORTED:
- return "Protocol version does not support SNI Error";
- case SOCKET_PEER_CLOSED_E:
- return "Peer closed underlying transport Error";
- case BAD_TICKET_KEY_CB_SZ:
- return "Bad user session ticket key callback Size Error";
- case BAD_TICKET_MSG_SZ:
- return "Bad session ticket message Size Error";
- case BAD_TICKET_ENCRYPT:
- return "Bad user ticket callback encrypt Error";
- case DH_KEY_SIZE_E:
- return "DH key too small Error";
- case SNI_ABSENT_ERROR:
- return "No Server Name Indication extension Error";
- case RSA_SIGN_FAULT:
- return "RSA Signature Fault Error";
- case HANDSHAKE_SIZE_ERROR:
- return "Handshake message too large Error";
- case UNKNOWN_ALPN_PROTOCOL_NAME_E:
- return "Unrecognized protocol name Error";
- case BAD_CERTIFICATE_STATUS_ERROR:
- return "Bad Certificate Status Message Error";
- case OCSP_INVALID_STATUS:
- return "Invalid OCSP Status Error";
- case OCSP_WANT_READ:
- return "OCSP nonblock wants read";
- case RSA_KEY_SIZE_E:
- return "RSA key too small";
- case ECC_KEY_SIZE_E:
- return "ECC key too small";
- case DTLS_EXPORT_VER_E:
- return "Version needs updated after code change or version mismatch";
- case INPUT_SIZE_E:
- return "Input size too large Error";
- case CTX_INIT_MUTEX_E:
- return "Initialize ctx mutex error";
- case EXT_MASTER_SECRET_NEEDED_E:
- return "Extended Master Secret must be enabled to resume EMS session";
- case DTLS_POOL_SZ_E:
- return "Maximum DTLS pool size exceeded";
- case DECODE_E:
- return "Decode handshake message error";
- case WRITE_DUP_READ_E:
- return "Write dup write side can't read error";
- case WRITE_DUP_WRITE_E:
- return "Write dup read side can't write error";
- case INVALID_CERT_CTX_E:
- return "Certificate context does not match request or not empty";
- case BAD_KEY_SHARE_DATA:
- return "The Key Share data contains group that wasn't in Client Hello";
- case MISSING_HANDSHAKE_DATA:
- return "The handshake message is missing required data";
- case BAD_BINDER: /* OpenSSL compatibility expects this exact text */
- return "binder does not verify";
- case EXT_NOT_ALLOWED:
- return "Extension type not allowed in handshake message type";
- case INVALID_PARAMETER:
- return "The security parameter is invalid";
- case UNSUPPORTED_EXTENSION:
- return "TLS Extension not requested by the client";
- case PRF_MISSING:
- return "Pseudo-random function is not enabled";
- case KEY_SHARE_ERROR:
- return "Key share extension did not contain a valid named group";
- case POST_HAND_AUTH_ERROR:
- return "Client will not do post handshake authentication";
- case HRR_COOKIE_ERROR:
- return "Cookie does not match one sent in HelloRetryRequest";
- case MCAST_HIGHWATER_CB_E:
- return "Multicast highwater callback returned error";
- case ALERT_COUNT_E:
- return "Alert Count exceeded error";
- case EXT_MISSING:
- return "Required TLS extension missing";
- case DTLS_RETX_OVER_TX:
- return "DTLS interrupting flight transmit with retransmit";
- case DH_PARAMS_NOT_FFDHE_E:
- return "Server DH parameters were not from the FFDHE set as required";
- case TCA_INVALID_ID_TYPE:
- return "TLS Extension Trusted CA ID type invalid";
- case TCA_ABSENT_ERROR:
- return "TLS Extension Trusted CA ID response absent";
- case TSIP_MAC_DIGSZ_E:
- return "TSIP MAC size invalid, must be sized for SHA-1 or SHA-256";
- case CLIENT_CERT_CB_ERROR:
- return "Error importing client cert or key from callback";
- case SSL_SHUTDOWN_ALREADY_DONE_E:
- return "Shutdown has already occurred";
- case TLS13_SECRET_CB_E:
- return "TLS1.3 Secret Callback Error";
- case DTLS_SIZE_ERROR:
- return "DTLS trying to send too much in single datagram error";
- case NO_CERT_ERROR:
- return "TLS1.3 No Certificate Set Error";
- case APP_DATA_READY:
- return "Application data is available for reading";
- case TOO_MUCH_EARLY_DATA:
- return "Too much early data";
- case SOCKET_FILTERED_E:
- return "Session stopped by network filter";
- #ifdef HAVE_HTTP_CLIENT
- case HTTP_TIMEOUT:
- return "HTTP timeout for OCSP or CRL req";
- case HTTP_RECV_ERR:
- return "HTTP Receive error";
- case HTTP_HEADER_ERR:
- return "HTTP Header error";
- case HTTP_PROTO_ERR:
- return "HTTP Protocol error";
- case HTTP_STATUS_ERR:
- return "HTTP Status error";
- case HTTP_VERSION_ERR:
- return "HTTP Version error";
- case HTTP_APPSTR_ERR:
- return "HTTP Application string error";
- #endif
- #ifdef OPENSSL_EXTRA
- case -WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
- return "unable to get local issuer certificate";
- #endif
- case UNSUPPORTED_PROTO_VERSION:
- #ifdef OPENSSL_EXTRA
- return "WRONG_SSL_VERSION";
- #else
- return "bad/unsupported protocol version";
- #endif
- case FALCON_KEY_SIZE_E:
- return "Wrong key size for Falcon.";
- case DILITHIUM_KEY_SIZE_E:
- return "Wrong key size for Dilithium.";
- #ifdef WOLFSSL_QUIC
- case QUIC_TP_MISSING_E:
- return "QUIC transport parameter not set";
- case QUIC_WRONG_ENC_LEVEL:
- return "QUIC data received at wrong encryption level";
- #endif
- case DTLS_CID_ERROR:
- return "DTLS ConnectionID mismatch or missing";
- case DTLS_TOO_MANY_FRAGMENTS_E:
- return "Received too many fragmented messages from peer error";
- case DUPLICATE_TLS_EXT_E:
- return "Duplicate TLS extension in message.";
- default :
- return "unknown error number";
- }
- #endif /* NO_ERROR_STRINGS */
- }
- const char* wolfSSL_ERR_func_error_string(unsigned long e)
- {
- (void)e;
- WOLFSSL_MSG("wolfSSL_ERR_func_error_string does not return the name of "
- "the function that failed. Please inspect the wolfSSL debug "
- "logs to determine where the error occurred.");
- return "";
- }
- /* return library name
- * @param e error code
- * @return text library name,
- * if there is no suitable library found, returns empty string
- */
- const char* wolfSSL_ERR_lib_error_string(unsigned long e)
- {
- int libe = 0;
- (void)libe;
- (void)e;
- #if defined(OPENSSL_EXTRA)
- libe = wolfSSL_ERR_GET_LIB(e);
- switch (libe) {
- case ERR_LIB_PEM:
- return "wolfSSL PEM routines";
- case ERR_LIB_EVP:
- return "wolfSSL digital envelope routines";
- default:
- return "";
- }
- #else
- return "";
- #endif
- }
- void SetErrorString(int error, char* str)
- {
- XSTRNCPY(str, wolfSSL_ERR_reason_error_string(error), WOLFSSL_MAX_ERROR_SZ);
- str[WOLFSSL_MAX_ERROR_SZ-1] = 0;
- }
- #ifdef NO_CIPHER_SUITE_ALIASES
- #ifndef NO_ERROR_STRINGS
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
- #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
- #define SUITE_ALIAS(x,z,w,v,u)
- #else
- #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
- #define SUITE_ALIAS(x,z,w,v,u)
- #endif
- #else
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
- #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
- #define SUITE_ALIAS(x,z,w,v,u)
- #else
- #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
- #define SUITE_ALIAS(x,z,w,v,u)
- #endif
- #endif
- #else /* !NO_CIPHER_SUITE_ALIASES */
- /* note that the comma is included at the end of the SUITE_ALIAS() macro
- * definitions, to allow aliases to be gated out by the above null macros
- * in the NO_CIPHER_SUITE_ALIASES section.
- */
- #ifndef NO_ERROR_STRINGS
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || \
- defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX)
- #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
- #define SUITE_ALIAS(x,z,w,v,u) {(x),"",(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS},
- #else
- #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
- #define SUITE_ALIAS(x,z,w,v,u) {(x),"",(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS},
- #endif
- #else
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || \
- defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX)
- #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
- #define SUITE_ALIAS(x,z,w,v,u) {(x),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS},
- #else
- #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
- #define SUITE_ALIAS(x,z,w,v,u) {(x),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS},
- #endif
- #endif
- #endif /* NO_CIPHER_SUITE_ALIASES */
- static const CipherSuiteInfo cipher_names[] =
- {
- #ifdef BUILD_TLS_AES_128_GCM_SHA256
- SUITE_INFO("TLS13-AES128-GCM-SHA256","TLS_AES_128_GCM_SHA256",TLS13_BYTE,TLS_AES_128_GCM_SHA256, TLSv1_3_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_AES_256_GCM_SHA384
- SUITE_INFO("TLS13-AES256-GCM-SHA384","TLS_AES_256_GCM_SHA384",TLS13_BYTE,TLS_AES_256_GCM_SHA384, TLSv1_3_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_CHACHA20_POLY1305_SHA256
- SUITE_INFO("TLS13-CHACHA20-POLY1305-SHA256","TLS_CHACHA20_POLY1305_SHA256",TLS13_BYTE,TLS_CHACHA20_POLY1305_SHA256, TLSv1_3_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_AES_128_CCM_SHA256
- SUITE_INFO("TLS13-AES128-CCM-SHA256","TLS_AES_128_CCM_SHA256",TLS13_BYTE,TLS_AES_128_CCM_SHA256, TLSv1_3_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_AES_128_CCM_8_SHA256
- SUITE_INFO("TLS13-AES128-CCM-8-SHA256","TLS_AES_128_CCM_8_SHA256",TLS13_BYTE,TLS_AES_128_CCM_8_SHA256,TLSv1_3_MINOR, SSLv3_MAJOR),
- SUITE_ALIAS("TLS13-AES128-CCM8-SHA256",TLS13_BYTE,TLS_AES_128_CCM_8_SHA256,TLSv1_3_MINOR, SSLv3_MAJOR)
- #endif
- #ifdef BUILD_TLS_SHA256_SHA256
- SUITE_INFO("TLS13-SHA256-SHA256","TLS_SHA256_SHA256",ECC_BYTE,TLS_SHA256_SHA256,TLSv1_3_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_SHA384_SHA384
- SUITE_INFO("TLS13-SHA384-SHA384","TLS_SHA384_SHA384",ECC_BYTE,TLS_SHA384_SHA384,TLSv1_3_MINOR, SSLv3_MAJOR),
- #endif
- #ifndef WOLFSSL_NO_TLS12
- #ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
- SUITE_INFO("RC4-SHA","SSL_RSA_WITH_RC4_128_SHA",CIPHER_BYTE,SSL_RSA_WITH_RC4_128_SHA,SSLv3_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
- SUITE_INFO("RC4-MD5","SSL_RSA_WITH_RC4_128_MD5",CIPHER_BYTE,SSL_RSA_WITH_RC4_128_MD5,SSLv3_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
- SUITE_INFO("DES-CBC3-SHA","SSL_RSA_WITH_3DES_EDE_CBC_SHA",CIPHER_BYTE,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSLv3_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
- SUITE_INFO("AES128-SHA","TLS_RSA_WITH_AES_128_CBC_SHA",CIPHER_BYTE,TLS_RSA_WITH_AES_128_CBC_SHA,SSLv3_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
- SUITE_INFO("AES256-SHA","TLS_RSA_WITH_AES_256_CBC_SHA",CIPHER_BYTE,TLS_RSA_WITH_AES_256_CBC_SHA,SSLv3_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_RSA_WITH_NULL_MD5
- SUITE_INFO("NULL-MD5","TLS_RSA_WITH_NULL_MD5",CIPHER_BYTE,TLS_RSA_WITH_NULL_MD5,SSLv3_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_RSA_WITH_NULL_SHA
- SUITE_INFO("NULL-SHA","TLS_RSA_WITH_NULL_SHA",CIPHER_BYTE,TLS_RSA_WITH_NULL_SHA,SSLv3_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_RSA_WITH_NULL_SHA256
- SUITE_INFO("NULL-SHA256","TLS_RSA_WITH_NULL_SHA256",CIPHER_BYTE,TLS_RSA_WITH_NULL_SHA256,TLSv1_2_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- SUITE_INFO("DHE-RSA-AES128-SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA",CIPHER_BYTE,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSLv3_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- SUITE_INFO("DHE-RSA-AES256-SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA",CIPHER_BYTE,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSLv3_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
- SUITE_INFO("DHE-PSK-AES256-GCM-SHA384","TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",CIPHER_BYTE,TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,TLSv1_2_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
- SUITE_INFO("DHE-PSK-AES128-GCM-SHA256","TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",CIPHER_BYTE,TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,TLSv1_2_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384
- SUITE_INFO("PSK-AES256-GCM-SHA384","TLS_PSK_WITH_AES_256_GCM_SHA384",CIPHER_BYTE,TLS_PSK_WITH_AES_256_GCM_SHA384,TLSv1_2_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256
- SUITE_INFO("PSK-AES128-GCM-SHA256","TLS_PSK_WITH_AES_128_GCM_SHA256",CIPHER_BYTE,TLS_PSK_WITH_AES_128_GCM_SHA256,TLSv1_2_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
- SUITE_INFO("DHE-PSK-AES256-CBC-SHA384","TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",CIPHER_BYTE,TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
- SUITE_INFO("DHE-PSK-AES128-CBC-SHA256","TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",CIPHER_BYTE,TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384
- SUITE_INFO("PSK-AES256-CBC-SHA384","TLS_PSK_WITH_AES_256_CBC_SHA384",CIPHER_BYTE,TLS_PSK_WITH_AES_256_CBC_SHA384,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
- SUITE_INFO("PSK-AES128-CBC-SHA256","TLS_PSK_WITH_AES_128_CBC_SHA256",CIPHER_BYTE,TLS_PSK_WITH_AES_128_CBC_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
- SUITE_INFO("PSK-AES128-CBC-SHA","TLS_PSK_WITH_AES_128_CBC_SHA",CIPHER_BYTE,TLS_PSK_WITH_AES_128_CBC_SHA,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
- SUITE_INFO("PSK-AES256-CBC-SHA","TLS_PSK_WITH_AES_256_CBC_SHA",CIPHER_BYTE,TLS_PSK_WITH_AES_256_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM
- SUITE_INFO("DHE-PSK-AES128-CCM","TLS_DHE_PSK_WITH_AES_128_CCM",ECC_BYTE,TLS_DHE_PSK_WITH_AES_128_CCM,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CCM
- SUITE_INFO("DHE-PSK-AES256-CCM","TLS_DHE_PSK_WITH_AES_256_CCM",ECC_BYTE,TLS_DHE_PSK_WITH_AES_256_CCM,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM
- SUITE_INFO("PSK-AES128-CCM","TLS_PSK_WITH_AES_128_CCM",ECC_BYTE,TLS_PSK_WITH_AES_128_CCM,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_256_CCM
- SUITE_INFO("PSK-AES256-CCM","TLS_PSK_WITH_AES_256_CCM",ECC_BYTE,TLS_PSK_WITH_AES_256_CCM,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8
- SUITE_INFO("PSK-AES128-CCM-8","TLS_PSK_WITH_AES_128_CCM_8",ECC_BYTE,TLS_PSK_WITH_AES_128_CCM_8,TLSv1_MINOR,SSLv3_MAJOR),
- SUITE_ALIAS("PSK-AES128-CCM8",ECC_BYTE,TLS_PSK_WITH_AES_128_CCM_8,TLSv1_MINOR,SSLv3_MAJOR)
- #endif
- #ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8
- SUITE_INFO("PSK-AES256-CCM-8","TLS_PSK_WITH_AES_256_CCM_8",ECC_BYTE,TLS_PSK_WITH_AES_256_CCM_8,TLSv1_MINOR,SSLv3_MAJOR),
- SUITE_ALIAS("PSK-AES256-CCM8",ECC_BYTE,TLS_PSK_WITH_AES_256_CCM_8,TLSv1_MINOR,SSLv3_MAJOR)
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384
- SUITE_INFO("DHE-PSK-NULL-SHA384","TLS_DHE_PSK_WITH_NULL_SHA384",CIPHER_BYTE,TLS_DHE_PSK_WITH_NULL_SHA384,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256
- SUITE_INFO("DHE-PSK-NULL-SHA256","TLS_DHE_PSK_WITH_NULL_SHA256",CIPHER_BYTE,TLS_DHE_PSK_WITH_NULL_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_PSK_WITH_NULL_SHA384
- SUITE_INFO("PSK-NULL-SHA384","TLS_PSK_WITH_NULL_SHA384",CIPHER_BYTE,TLS_PSK_WITH_NULL_SHA384,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
- SUITE_INFO("PSK-NULL-SHA256","TLS_PSK_WITH_NULL_SHA256",CIPHER_BYTE,TLS_PSK_WITH_NULL_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_PSK_WITH_NULL_SHA
- SUITE_INFO("PSK-NULL-SHA","TLS_PSK_WITH_NULL_SHA",CIPHER_BYTE,TLS_PSK_WITH_NULL_SHA,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8
- SUITE_INFO("AES128-CCM-8","TLS_RSA_WITH_AES_128_CCM_8",ECC_BYTE,TLS_RSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR),
- SUITE_ALIAS("AES128-CCM8",ECC_BYTE,TLS_RSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR)
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8
- SUITE_INFO("AES256-CCM-8","TLS_RSA_WITH_AES_256_CCM_8",ECC_BYTE,TLS_RSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR),
- SUITE_ALIAS("AES256-CCM8",ECC_BYTE,TLS_RSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR)
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM
- SUITE_INFO("ECDHE-ECDSA-AES128-CCM","TLS_ECDHE_ECDSA_WITH_AES_128_CCM",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
- SUITE_INFO("ECDHE-ECDSA-AES128-CCM-8","TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR),
- SUITE_ALIAS("ECDHE-ECDSA-AES128-CCM8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR)
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
- SUITE_INFO("ECDHE-ECDSA-AES256-CCM-8","TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR),
- SUITE_ALIAS("ECDHE-ECDSA-AES256-CCM8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR)
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- SUITE_INFO("ECDHE-RSA-AES128-SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",ECC_BYTE,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- SUITE_INFO("ECDHE-RSA-AES256-SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",ECC_BYTE,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- SUITE_INFO("ECDHE-ECDSA-AES128-SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- SUITE_INFO("ECDHE-ECDSA-AES256-SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
- SUITE_INFO("ECDHE-RSA-RC4-SHA","TLS_ECDHE_RSA_WITH_RC4_128_SHA",ECC_BYTE,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- SUITE_INFO("ECDHE-RSA-DES-CBC3-SHA","TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",ECC_BYTE,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- SUITE_INFO("ECDHE-ECDSA-RC4-SHA","TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- SUITE_INFO("ECDHE-ECDSA-DES-CBC3-SHA","TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
- SUITE_INFO("AES128-SHA256","TLS_RSA_WITH_AES_128_CBC_SHA256",CIPHER_BYTE,TLS_RSA_WITH_AES_128_CBC_SHA256, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
- SUITE_INFO("AES256-SHA256","TLS_RSA_WITH_AES_256_CBC_SHA256",CIPHER_BYTE,TLS_RSA_WITH_AES_256_CBC_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- SUITE_INFO("DHE-RSA-AES128-SHA256","TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",CIPHER_BYTE,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- SUITE_INFO("DHE-RSA-AES256-SHA256","TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",CIPHER_BYTE,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
- SUITE_INFO("ECDH-RSA-AES128-SHA","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",ECC_BYTE,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
- SUITE_INFO("ECDH-RSA-AES256-SHA","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",ECC_BYTE,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- SUITE_INFO("ECDH-ECDSA-AES128-SHA","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",ECC_BYTE,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
- SUITE_INFO("ECDH-ECDSA-AES256-SHA","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",ECC_BYTE,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
- SUITE_INFO("ECDH-RSA-RC4-SHA","TLS_ECDH_RSA_WITH_RC4_128_SHA",ECC_BYTE,TLS_ECDH_RSA_WITH_RC4_128_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
- SUITE_INFO("ECDH-RSA-DES-CBC3-SHA","TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",ECC_BYTE,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
- SUITE_INFO("ECDH-ECDSA-RC4-SHA","TLS_ECDH_ECDSA_WITH_RC4_128_SHA",ECC_BYTE,TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
- SUITE_INFO("ECDH-ECDSA-DES-CBC3-SHA","TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",ECC_BYTE,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
- SUITE_INFO("AES128-GCM-SHA256","TLS_RSA_WITH_AES_128_GCM_SHA256",CIPHER_BYTE,TLS_RSA_WITH_AES_128_GCM_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
- SUITE_INFO("AES256-GCM-SHA384","TLS_RSA_WITH_AES_256_GCM_SHA384",CIPHER_BYTE,TLS_RSA_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- SUITE_INFO("DHE-RSA-AES128-GCM-SHA256","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",CIPHER_BYTE,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- SUITE_INFO("DHE-RSA-AES256-GCM-SHA384","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",CIPHER_BYTE,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- SUITE_INFO("ECDHE-RSA-AES128-GCM-SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",ECC_BYTE,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- SUITE_INFO("ECDHE-RSA-AES256-GCM-SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",ECC_BYTE,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- SUITE_INFO("ECDHE-ECDSA-AES128-GCM-SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- SUITE_INFO("ECDHE-ECDSA-AES256-GCM-SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
- SUITE_INFO("ECDH-RSA-AES128-GCM-SHA256","TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",ECC_BYTE,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
- SUITE_INFO("ECDH-RSA-AES256-GCM-SHA384","TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",ECC_BYTE,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- SUITE_INFO("ECDH-ECDSA-AES128-GCM-SHA256","TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",ECC_BYTE,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
- SUITE_INFO("ECDH-ECDSA-AES256-GCM-SHA384","TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",ECC_BYTE,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
- SUITE_INFO("CAMELLIA128-SHA","TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",CIPHER_BYTE,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- SUITE_INFO("DHE-RSA-CAMELLIA128-SHA","TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",CIPHER_BYTE,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
- SUITE_INFO("CAMELLIA256-SHA","TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",CIPHER_BYTE,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- SUITE_INFO("DHE-RSA-CAMELLIA256-SHA","TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",CIPHER_BYTE,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
- SUITE_INFO("CAMELLIA128-SHA256","TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",CIPHER_BYTE,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
- SUITE_INFO("DHE-RSA-CAMELLIA128-SHA256","TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",CIPHER_BYTE,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
- SUITE_INFO("CAMELLIA256-SHA256","TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",CIPHER_BYTE,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
- SUITE_INFO("DHE-RSA-CAMELLIA256-SHA256","TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",CIPHER_BYTE,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- SUITE_INFO("ECDHE-RSA-AES128-SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",ECC_BYTE,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- SUITE_INFO("ECDHE-ECDSA-AES128-SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
- SUITE_INFO("ECDH-RSA-AES128-SHA256","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",ECC_BYTE,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- SUITE_INFO("ECDH-ECDSA-AES128-SHA256","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",ECC_BYTE,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- SUITE_INFO("ECDHE-RSA-AES256-SHA384","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",ECC_BYTE,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- SUITE_INFO("ECDHE-ECDSA-AES256-SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
- SUITE_INFO("ECDH-RSA-AES256-SHA384","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",ECC_BYTE,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- SUITE_INFO("ECDH-ECDSA-AES256-SHA384","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",ECC_BYTE,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- SUITE_INFO("ECDHE-RSA-CHACHA20-POLY1305","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",CHACHA_BYTE,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- SUITE_INFO("ECDHE-ECDSA-CHACHA20-POLY1305","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",CHACHA_BYTE,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- SUITE_INFO("DHE-RSA-CHACHA20-POLY1305","TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",CHACHA_BYTE,TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
- SUITE_INFO("ECDHE-RSA-CHACHA20-POLY1305-OLD","TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256",CHACHA_BYTE,TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256
- SUITE_INFO("ECDHE-ECDSA-CHACHA20-POLY1305-OLD","TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256",CHACHA_BYTE,TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
- SUITE_INFO("DHE-RSA-CHACHA20-POLY1305-OLD","TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256",CHACHA_BYTE,TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA
- SUITE_INFO("ADH-AES128-SHA","TLS_DH_anon_WITH_AES_128_CBC_SHA",CIPHER_BYTE,TLS_DH_anon_WITH_AES_128_CBC_SHA, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DH_anon_WITH_AES_256_GCM_SHA384
- SUITE_INFO("ADH-AES256-GCM-SHA384","TLS_DH_anon_WITH_AES_256_GCM_SHA384",CIPHER_BYTE,TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef HAVE_RENEGOTIATION_INDICATION
- SUITE_INFO("RENEGOTIATION-INFO","TLS_EMPTY_RENEGOTIATION_INFO_SCSV",CIPHER_BYTE,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,SSLv3_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA
- SUITE_INFO("ECDHE-ECDSA-NULL-SHA","TLS_ECDHE_ECDSA_WITH_NULL_SHA",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256
- SUITE_INFO("ECDHE-PSK-NULL-SHA256","TLS_ECDHE_PSK_WITH_NULL_SHA256",ECC_BYTE,TLS_ECDHE_PSK_WITH_NULL_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
- SUITE_INFO("ECDHE-PSK-AES128-CBC-SHA256","TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",ECC_BYTE,TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
- SUITE_INFO("ECDHE-PSK-AES128-GCM-SHA256","TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256",ECDHE_PSK_BYTE,TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
- SUITE_INFO("PSK-CHACHA20-POLY1305","TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",CHACHA_BYTE,TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,TLSv1_2_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
- SUITE_INFO("ECDHE-PSK-CHACHA20-POLY1305","TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",CHACHA_BYTE,TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,TLSv1_2_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
- SUITE_INFO("DHE-PSK-CHACHA20-POLY1305","TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",CHACHA_BYTE,TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,TLSv1_2_MINOR,SSLv3_MAJOR),
- #endif
- #ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- SUITE_INFO("EDH-RSA-DES-CBC3-SHA","TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",CIPHER_BYTE,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
- #endif
- #ifdef BUILD_WDM_WITH_NULL_SHA256
- SUITE_INFO("WDM-NULL-SHA256","WDM_WITH_NULL_SHA256",CIPHER_BYTE,WDM_WITH_NULL_SHA256, TLSv1_3_MINOR, SSLv3_MAJOR)
- #endif
- #endif /* WOLFSSL_NO_TLS12 */
- };
- /* returns the cipher_names array */
- const CipherSuiteInfo* GetCipherNames(void)
- {
- return cipher_names;
- }
- /* returns the number of elements in the cipher_names array */
- int GetCipherNamesSize(void)
- {
- return (int)(sizeof(cipher_names) / sizeof(CipherSuiteInfo));
- }
- const char* GetCipherNameInternal(const byte cipherSuite0, const byte cipherSuite)
- {
- int i;
- const char* nameInternal = "None";
- for (i = 0; i < GetCipherNamesSize(); i++) {
- if ((cipher_names[i].cipherSuite0 == cipherSuite0) &&
- (cipher_names[i].cipherSuite == cipherSuite)
- #ifndef NO_CIPHER_SUITE_ALIASES
- && (! (cipher_names[i].flags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS))
- #endif
- ) {
- nameInternal = cipher_names[i].name;
- break;
- }
- }
- return nameInternal;
- }
- #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
- /* Segment cipher name into n[n0,n1,n2,n4]
- * @param cipher a pointer to WOLFSSL_CIPHER
- * @param n return segment cipher name
- * return cipher name if cipher is in the list,
- * otherwise NULL
- */
- const char* GetCipherSegment(const WOLFSSL_CIPHER* cipher, char n[][MAX_SEGMENT_SZ])
- {
- int i,j,k;
- int strLen;
- unsigned long offset;
- const char* name;
- /* sanity check */
- if (cipher == NULL || n == NULL)
- return NULL;
- offset = cipher->offset;
- if (offset >= (unsigned long)GetCipherNamesSize())
- return NULL;
- name = cipher_names[offset].name;
- if (name == NULL)
- return NULL;
- /* Segment cipher name into n[n0,n1,n2,n4]
- * These are used later for comparisons to create:
- * keaStr, authStr, encStr, macStr
- *
- * If cipher_name = ECDHE-ECDSA-AES256-SHA
- * then n0 = "ECDHE", n1 = "ECDSA", n2 = "AES256", n3 = "SHA"
- * and n = [n0,n1,n2,n3,0]
- */
- strLen = (int)XSTRLEN(name);
- for (i = 0, j = 0, k = 0; i <= strLen; i++) {
- if (k >= MAX_SEGMENTS || j >= MAX_SEGMENT_SZ)
- break;
- if (name[i] != '-' && name[i] != '\0') {
- n[k][j] = name[i]; /* Fill kth segment string until '-' */
- j++;
- }
- else {
- n[k][j] = '\0';
- j = 0;
- k++;
- }
- }
- return name;
- }
- /* gcc-12 and later, building with ASAN at -O2 and higher, generate spurious
- * stringop-overread warnings on some (but not all...) reads of n[1] in
- * GetCipherKeaStr().
- */
- #if defined(__GNUC__) && __GNUC__ > 11 && defined(__SANITIZE_ADDRESS__)
- PRAGMA_GCC_DIAG_PUSH
- PRAGMA_GCC("GCC diagnostic ignored \"-Wstringop-overread\"")
- #endif
- const char* GetCipherKeaStr(char n[][MAX_SEGMENT_SZ]) {
- const char* keaStr = NULL;
- if (XSTRCMP(n[0],"ECDHE") == 0 && XSTRCMP(n[1],"PSK") == 0)
- keaStr = "ECDHEPSK";
- else if ((XSTRCMP(n[0],"ECDH") == 0) || (XSTRCMP(n[0],"ECDHE") == 0))
- keaStr = "ECDH";
- else if (XSTRCMP(n[0],"DHE") == 0 && XSTRCMP(n[1],"PSK") == 0)
- keaStr = "DHEPSK";
- else if (XSTRCMP(n[0],"DHE") == 0)
- keaStr = "DH";
- else if (XSTRCMP(n[0],"RSA") == 0 && XSTRCMP(n[1],"PSK") == 0)
- keaStr = "RSAPSK";
- else if (XSTRCMP(n[0],"SRP") == 0)
- keaStr = "SRP";
- else if (XSTRCMP(n[0],"PSK") == 0)
- keaStr = "PSK";
- else if (XSTRCMP(n[0],"EDH") == 0)
- keaStr = "EDH";
- else if ((XSTRNCMP(n[1],"SHA", 3) == 0) || (XSTRNCMP(n[2],"SHA", 3) == 0) ||
- (XSTRNCMP(n[3],"SHA", 3) == 0) || (XSTRNCMP(n[4],"SHA", 3) == 0) ||
- (XSTRCMP(n[2],"RSA") == 0) || (XSTRCMP(n[0],"AES128") == 0) ||
- (XSTRCMP(n[0],"AES256") == 0) || (XSTRCMP(n[1],"MD5") == 0))
- keaStr = "RSA";
- else if (XSTRCMP(n[0],"NULL") == 0)
- keaStr = "None";
- else
- keaStr = "unknown";
- return keaStr;
- }
- #if defined(__GNUC__) && __GNUC__ > 11 && defined(__SANITIZE_ADDRESS__)
- PRAGMA_GCC_DIAG_POP
- #endif
- const char* GetCipherAuthStr(char n[][MAX_SEGMENT_SZ]) {
- const char* authStr = NULL;
- if ((XSTRCMP(n[0],"AES128") == 0) || (XSTRCMP(n[0],"AES256") == 0) ||
- ((XSTRCMP(n[0],"TLS13") == 0) && ((XSTRCMP(n[1],"AES128") == 0) ||
- (XSTRCMP(n[1],"AES256") == 0) || (XSTRCMP(n[1],"CHACHA20") == 0))) ||
- (XSTRCMP(n[0],"RSA") == 0) || (XSTRCMP(n[1],"RSA") == 0) ||
- (XSTRNCMP(n[1],"SHA", 3) == 0) || (XSTRNCMP(n[2],"SHA", 3) == 0) ||
- (XSTRCMP(n[1],"MD5") == 0))
- authStr = "RSA";
- else if (XSTRCMP(n[0],"PSK") == 0 || XSTRCMP(n[1],"PSK") == 0)
- authStr = "PSK";
- else if (XSTRCMP(n[0],"SRP") == 0 && XSTRCMP(n[1],"AES") == 0)
- authStr = "SRP";
- else if (XSTRCMP(n[1],"ECDSA") == 0)
- authStr = "ECDSA";
- else if (XSTRCMP(n[0],"ADH") == 0 || XSTRCMP(n[0],"NULL") == 0)
- authStr = "None";
- else
- authStr = "unknown";
- return authStr;
- }
- const char* GetCipherEncStr(char n[][MAX_SEGMENT_SZ]) {
- const char* encStr = NULL;
- if ((XSTRCMP(n[0],"AES256") == 0 && XSTRCMP(n[1],"GCM") == 0) ||
- (XSTRCMP(n[1],"AES256") == 0 && XSTRCMP(n[2],"GCM") == 0) ||
- (XSTRCMP(n[2],"AES256") == 0 && XSTRCMP(n[3],"GCM") == 0))
- encStr = "AESGCM(256)";
- else if ((XSTRCMP(n[0],"AES128") == 0 && XSTRCMP(n[1],"GCM") == 0) ||
- (XSTRCMP(n[1],"AES128") == 0 && XSTRCMP(n[2],"GCM") == 0) ||
- (XSTRCMP(n[2],"AES128") == 0 && XSTRCMP(n[3],"GCM") == 0))
- encStr = "AESGCM(128)";
- else if ((XSTRCMP(n[0],"AES128") == 0 && XSTRCMP(n[1],"CCM") == 0) ||
- (XSTRCMP(n[1],"AES128") == 0 && XSTRCMP(n[2],"CCM") == 0) ||
- (XSTRCMP(n[2],"AES128") == 0 && XSTRCMP(n[3],"CCM") == 0))
- encStr = "AESCCM(128)";
- else if ((XSTRCMP(n[0],"AES128") == 0) ||
- (XSTRCMP(n[1],"AES128") == 0) ||
- (XSTRCMP(n[2],"AES128") == 0) ||
- (XSTRCMP(n[1],"AES") == 0 && XSTRCMP(n[2],"128") == 0) ||
- (XSTRCMP(n[2],"AES") == 0 && XSTRCMP(n[3],"128") == 0))
- encStr = "AES(128)";
- else if ((XSTRCMP(n[0],"AES256") == 0) ||
- (XSTRCMP(n[1],"AES256") == 0) ||
- (XSTRCMP(n[2],"AES256") == 0) ||
- (XSTRCMP(n[1],"AES") == 0 && XSTRCMP(n[2],"256") == 0) ||
- (XSTRCMP(n[2],"AES") == 0 && XSTRCMP(n[3],"256") == 0))
- encStr = "AES(256)";
- else if ((XSTRCMP(n[0],"CAMELLIA256") == 0) ||
- (XSTRCMP(n[2],"CAMELLIA256") == 0))
- encStr = "CAMELLIA(256)";
- else if ((XSTRCMP(n[0],"CAMELLIA128") == 0) ||
- (XSTRCMP(n[2],"CAMELLIA128") == 0))
- encStr = "CAMELLIA(128)";
- else if ((XSTRCMP(n[0],"RC4") == 0) || (XSTRCMP(n[1],"RC4") == 0) ||
- (XSTRCMP(n[2],"RC4") == 0))
- encStr = "RC4";
- else if (((XSTRCMP(n[0],"DES") == 0) || (XSTRCMP(n[1],"DES") == 0) ||
- (XSTRCMP(n[2],"DES") == 0)) &&
- ((XSTRCMP(n[1],"CBC3") == 0) || (XSTRCMP(n[2],"CBC3") == 0) ||
- (XSTRCMP(n[3],"CBC3") == 0)))
- encStr = "3DES";
- else if ((XSTRCMP(n[1],"CHACHA20") == 0 && XSTRCMP(n[2],"POLY1305") == 0) ||
- (XSTRCMP(n[2],"CHACHA20") == 0 && XSTRCMP(n[3],"POLY1305") == 0))
- encStr = "CHACHA20/POLY1305(256)";
- else if ((XSTRCMP(n[0],"NULL") == 0) || (XSTRCMP(n[1],"NULL") == 0) ||
- (XSTRCMP(n[2],"NULL") == 0) ||
- ((XSTRCMP(n[0],"TLS13") == 0) && (XSTRCMP(n[3],"") == 0)))
- encStr = "None";
- else
- encStr = "unknown";
- return encStr;
- }
- /* Check if a cipher is AEAD
- * @param n return segment cipher name
- * return 1 if the cipher is AEAD, otherwise 0
- */
- int IsCipherAEAD(char n[][MAX_SEGMENT_SZ])
- {
- WOLFSSL_ENTER("IsCipherAEAD");
- if (n == NULL) {
- WOLFSSL_MSG("bad function argument. n is NULL.");
- return 0;
- }
- if ((XSTRCMP(n[2],"GCM") == 0) || (XSTRCMP(n[3],"GCM") == 0) ||
- (XSTRCMP(n[1],"CCM") == 0) ||
- (XSTRCMP(n[2],"CCM") == 0) || (XSTRCMP(n[3],"CCM") == 0) ||
- (XSTRCMP(n[1],"CHACHA20") == 0 && XSTRCMP(n[2],"POLY1305") == 0) ||
- (XSTRCMP(n[2],"CHACHA20") == 0 && XSTRCMP(n[3],"POLY1305") == 0))
- return 1;
- return 0;
- }
- /* Returns the MAC string of a cipher or "unknown" on failure */
- const char* GetCipherMacStr(char n[][MAX_SEGMENT_SZ]) {
- const char* macStr = NULL;
- if ((XSTRCMP(n[4],"SHA256") == 0) || (XSTRCMP(n[3],"SHA256") == 0) ||
- (XSTRCMP(n[2],"SHA256") == 0) || (XSTRCMP(n[1],"SHA256") == 0))
- macStr = "SHA256";
- else if ((XSTRCMP(n[4],"SHA384") == 0) ||
- (XSTRCMP(n[3],"SHA384") == 0) ||
- (XSTRCMP(n[2],"SHA384") == 0) ||
- (XSTRCMP(n[1],"SHA384") == 0))
- macStr = "SHA384";
- else if ((XSTRCMP(n[4],"SHA") == 0) || (XSTRCMP(n[3],"SHA") == 0) ||
- (XSTRCMP(n[2],"SHA") == 0) || (XSTRCMP(n[1],"SHA") == 0) ||
- (XSTRCMP(n[1],"MD5") == 0))
- macStr = "SHA1";
- else if ((XSTRCMP(n[3],"GCM") == 0) ||
- (XSTRCMP(n[1],"CCM") == 0) ||
- (XSTRCMP(n[2],"CCM") == 0) || (XSTRCMP(n[3],"CCM") == 0) ||
- (XSTRCMP(n[1],"CHACHA20") == 0 && XSTRCMP(n[2],"POLY1305") == 0) ||
- (XSTRCMP(n[2],"CHACHA20") == 0 && XSTRCMP(n[3],"POLY1305") == 0))
- macStr = "AEAD";
- else
- macStr = "unknown";
- return macStr;
- }
- /* Returns the number of bits based on the cipher enc string, or 0 on failure */
- int SetCipherBits(const char* enc) {
- int ret = WOLFSSL_FAILURE;
- if ((XSTRCMP(enc,"AESGCM(256)") == 0) ||
- (XSTRCMP(enc,"AES(256)") == 0) ||
- (XSTRCMP(enc,"CAMELLIA(256)") == 0) ||
- (XSTRCMP(enc,"CHACHA20/POLY1305(256)") == 0))
- ret = 256;
- else if
- ((XSTRCMP(enc,"3DES") == 0))
- ret = 168;
- else if
- ((XSTRCMP(enc,"AESGCM(128)") == 0) ||
- (XSTRCMP(enc,"AES(128)") == 0) ||
- (XSTRCMP(enc,"CAMELLIA(128)") == 0) ||
- (XSTRCMP(enc,"RC4") == 0))
- ret = 128;
- else if
- ((XSTRCMP(enc,"DES") == 0))
- ret = 56;
- return ret;
- }
- #endif /* WOLFSSL_QT || OPENSSL_ALL */
- const char* GetCipherNameIana(const byte cipherSuite0, const byte cipherSuite)
- {
- #ifndef NO_ERROR_STRINGS
- int i;
- const char* nameIana = "NONE";
- for (i = 0; i < GetCipherNamesSize(); i++) {
- if ((cipher_names[i].cipherSuite0 == cipherSuite0) &&
- (cipher_names[i].cipherSuite == cipherSuite)
- #ifndef NO_CIPHER_SUITE_ALIASES
- && (! (cipher_names[i].flags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS))
- #endif
- ) {
- nameIana = cipher_names[i].name_iana;
- break;
- }
- }
- return nameIana;
- #else
- (void)cipherSuite0;
- (void)cipherSuite;
- return NULL;
- #endif
- }
- const char* wolfSSL_get_cipher_name_internal(WOLFSSL* ssl)
- {
- if (ssl == NULL) {
- return NULL;
- }
- return GetCipherNameInternal(ssl->options.cipherSuite0, ssl->options.cipherSuite);
- }
- const char* wolfSSL_get_cipher_name_iana(WOLFSSL* ssl)
- {
- if (ssl == NULL) {
- return NULL;
- }
- return GetCipherNameIana(ssl->options.cipherSuite0, ssl->options.cipherSuite);
- }
- int GetCipherSuiteFromName(const char* name, byte* cipherSuite0,
- byte* cipherSuite, int* flags)
- {
- int ret = BAD_FUNC_ARG;
- int i;
- unsigned long len;
- const char* nameDelim;
- /* Support trailing : */
- nameDelim = XSTRSTR(name, ":");
- if (nameDelim)
- len = (unsigned long)(nameDelim - name);
- else
- len = (unsigned long)XSTRLEN(name);
- for (i = 0; i < GetCipherNamesSize(); i++) {
- int found = (XSTRNCMP(name, cipher_names[i].name, len) == 0) &&
- (cipher_names[i].name[len] == 0);
- #ifndef NO_ERROR_STRINGS
- if (!found)
- found = (XSTRNCMP(name, cipher_names[i].name_iana, len) == 0) &&
- (cipher_names[i].name_iana[len] == 0);
- #endif
- if (found) {
- *cipherSuite0 = cipher_names[i].cipherSuite0;
- *cipherSuite = cipher_names[i].cipherSuite;
- *flags = cipher_names[i].flags;
- ret = 0;
- break;
- }
- }
- return ret;
- }
- /**
- Set the enabled cipher suites.
- With OPENSSL_EXTRA we attempt to understand some of the available "bulk"
- ciphersuites. We can not perfectly filter ciphersuites based on the "bulk"
- names but we do what we can. Ciphersuites named explicitly take precedence to
- ciphersuites introduced through the "bulk" ciphersuites.
- @param [out] suites Suites structure.
- @param [in] list List of cipher suites, only supports full name from
- cipher_names[] delimited by ':'.
- @return true on success, else false.
- */
- int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
- {
- int ret = 0;
- int idx = 0;
- word16 haveRSAsig = 0;
- word16 haveECDSAsig = 0;
- word16 haveFalconSig = 0;
- word16 haveDilithiumSig = 0;
- word16 haveAnon = 0;
- word16 haveRSA = 0;
- #ifdef OPENSSL_EXTRA
- word16 haveDH = 0;
- word16 haveECC = 0;
- word16 haveStaticRSA = 1; /* allowed by default if compiled in */
- word16 haveStaticECC = 0;
- word16 haveNull = 1; /* allowed by default if compiled in */
- int callInitSuites = 0;
- word16 havePSK = 0;
- #endif
- const int suiteSz = GetCipherNamesSize();
- const char* next = list;
- (void)haveRSA;
- if (suites == NULL || list == NULL) {
- WOLFSSL_MSG("SetCipherList parameter error");
- return 0;
- }
- if (next[0] == 0 || XSTRCMP(next, "ALL") == 0 ||
- XSTRCMP(next, "DEFAULT") == 0 || XSTRCMP(next, "HIGH") == 0) {
- /* Add all ciphersuites except anonymous and null ciphers. Prefer RSA */
- #ifndef NO_RSA
- haveRSA = 1;
- #endif
- InitSuites(suites, ctx->method->version,
- #ifndef NO_CERTS
- ctx->privateKeySz,
- #else
- 0,
- #endif
- haveRSA, 1, 1, !haveRSA, 1, haveRSA, !haveRSA, 1, 1, 0, 0,
- ctx->method->side);
- return 1; /* wolfSSL default */
- }
- do {
- const char* current = next;
- char name[MAX_SUITE_NAME + 1];
- int i;
- word32 length;
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
- word16 allowing = 1;
- #endif
- next = XSTRSTR(next, ":");
- length = MAX_SUITE_NAME;
- if (next != NULL) {
- word32 currLen = (word32)(next - current);
- if (length > currLen) {
- length = currLen;
- }
- }
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
- if (length > 1) {
- if (*current == '!') {
- allowing = 0;
- current++;
- length--;
- }
- }
- #endif
- XSTRNCPY(name, current, length);
- name[(length == sizeof(name)) ? length - 1 : length] = 0;
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
- if (length > 1) {
- char* substr = NULL;
- char* substrCurrent = name;
- /* extract first public key type from a string like ECDHE+AESGCM */
- substr = XSTRSTR(substrCurrent, "+");
- if (substr != NULL) {
- do {
- if (substr) {
- length = (word32)(substr - substrCurrent);
- substrCurrent[length] = '\0';
- }
- else {
- length = (int)XSTRLEN(substrCurrent);
- }
- /* check if is a public key type */
- if (XSTRCMP(substrCurrent, "ECDHE") == 0 ||
- XSTRCMP(substrCurrent, "RSA") == 0 ||
- XSTRCMP(substrCurrent, "DHE") == 0) {
- if (name != substrCurrent)
- XMEMMOVE(name, substrCurrent, length);
- name[length] = '\0';
- break;
- }
- substrCurrent = substr;
- if (substr) {
- substrCurrent = substrCurrent + 1; /* +1 to skip over '+' */
- substr = XSTRSTR(substrCurrent, "+");
- }
- } while (substrCurrent != NULL);
- }
- }
- if (XSTRCMP(name, "DEFAULT") == 0 || XSTRCMP(name, "ALL") == 0) {
- if (XSTRCMP(name, "ALL") == 0)
- haveAnon = 1;
- else
- haveAnon = 0;
- #ifdef HAVE_ANON
- ctx->haveAnon = haveAnon;
- #endif
- haveRSA = 1;
- haveDH = 1;
- haveECC = 1;
- /* having static ECC will disable all RSA use, do not set
- * static ECC suites here
- * haveStaticECC = 1; */
- haveStaticRSA = 1;
- haveRSAsig = 1;
- havePSK = 1;
- haveNull = 0;
- callInitSuites = 1;
- ret = 1;
- continue;
- }
- /* We don't have a way to disallow high bit sizes. Only disable unsafe
- * ciphersuites. */
- if (XSTRCMP(name, "HIGH") == 0 && allowing) {
- /* Disable static, anonymous, and null ciphers */
- haveAnon = 0;
- #ifdef HAVE_ANON
- ctx->haveAnon = 0;
- #endif
- haveRSA = 1;
- haveDH = 1;
- haveECC = 1;
- haveStaticECC = 0;
- haveStaticRSA = 0;
- haveRSAsig = 1;
- havePSK = 1;
- haveNull = 0;
- callInitSuites = 1;
- ret = 1;
- continue;
- }
- if (XSTRCMP(name, "aNULL") == 0) {
- haveAnon = allowing;
- #ifdef HAVE_ANON
- ctx->haveAnon = allowing;
- #endif
- if (allowing) {
- /* Allow RSA by default. */
- if (!haveECC)
- haveRSA = 1;
- if (!haveECDSAsig)
- haveRSAsig = 1;
- callInitSuites = 1;
- ret = 1;
- }
- continue;
- }
- if (XSTRCMP(name, "eNULL") == 0 || XSTRCMP(name, "NULL") == 0) {
- haveNull = allowing;
- if (allowing) {
- /* Allow RSA by default. */
- if (!haveECC)
- haveRSA = 1;
- if (!haveECDSAsig)
- haveRSAsig = 1;
- callInitSuites = 1;
- ret = 1;
- }
- continue;
- }
- if (XSTRCMP(name, "kDH") == 0) {
- haveStaticECC = allowing;
- if (allowing) {
- haveECC = 1;
- haveECDSAsig = 1;
- callInitSuites = 1;
- ret = 1;
- }
- continue;
- }
- if (XSTRCMP(name, "ECDHE") == 0) {
- if (allowing) {
- haveECC = 1;
- haveECDSAsig = 1;
- callInitSuites = 1;
- ret = 1;
- }
- continue;
- }
- if (XSTRCMP(name, "kRSA") == 0 || XSTRCMP(name, "RSA") == 0) {
- haveStaticRSA = allowing;
- if (allowing) {
- haveRSA = 1;
- haveRSAsig = 1;
- callInitSuites = 1;
- ret = 1;
- }
- continue;
- }
- if (XSTRCMP(name, "PSK") == 0) {
- havePSK = allowing;
- haveRSAsig = 1;
- if (allowing) {
- /* Allow RSA by default. */
- if (!haveECC)
- haveRSA = 1;
- if (!haveECDSAsig)
- haveRSAsig = 1;
- callInitSuites = 1;
- ret = 1;
- }
- continue;
- }
- if (XSTRCMP(name, "LOW") == 0 || XSTRCMP(name, "MEDIUM") == 0) {
- /* No way to limit or allow low bit sizes */
- if (allowing) {
- /* Allow RSA by default */
- haveRSA = 1;
- haveRSAsig = 1;
- callInitSuites = 1;
- ret = 1;
- }
- continue;
- }
- if (XSTRCMP(name, "DSS") == 0) {
- /* No support for DSA ciphersuites */
- continue;
- }
- if (XSTRCMP(name, "EXP") == 0 || XSTRCMP(name, "EXPORT") == 0) {
- /* wolfSSL doesn't support "export" ciphers. We can skip this */
- continue;
- }
- #endif /* OPENSSL_EXTRA */
- for (i = 0; i < suiteSz; i++) {
- if (XSTRNCMP(name, cipher_names[i].name, sizeof(name)) == 0
- #ifndef NO_ERROR_STRINGS
- || XSTRNCMP(name, cipher_names[i].name_iana, sizeof(name)) == 0
- #endif
- ) {
- int j;
- #ifdef WOLFSSL_DTLS
- /* don't allow stream ciphers with DTLS */
- if (ctx->method->version.major == DTLS_MAJOR) {
- if (XSTRSTR(name, "RC4"))
- {
- WOLFSSL_MSG("Stream ciphers not supported with DTLS");
- continue;
- }
- }
- #endif /* WOLFSSL_DTLS */
- for (j = 0; j < idx; j += 2) {
- if ((suites->suites[j+0] == cipher_names[i].cipherSuite0) &&
- (suites->suites[j+1] == cipher_names[i].cipherSuite)) {
- break;
- }
- }
- /* Silently drop duplicates from list. */
- if (j != idx) {
- break;
- }
- if (idx + 1 >= WOLFSSL_MAX_SUITE_SZ) {
- WOLFSSL_MSG("WOLFSSL_MAX_SUITE_SZ set too low");
- return 0; /* suites buffer not large enough, error out */
- }
- suites->suites[idx++] = cipher_names[i].cipherSuite0;
- suites->suites[idx++] = cipher_names[i].cipherSuite;
- /* The suites are either ECDSA, RSA, PSK, or Anon. The RSA
- * suites don't necessarily have RSA in the name. */
- #ifdef WOLFSSL_TLS13
- if (cipher_names[i].cipherSuite0 == TLS13_BYTE ||
- (cipher_names[i].cipherSuite0 == ECC_BYTE &&
- (cipher_names[i].cipherSuite == TLS_SHA256_SHA256 ||
- cipher_names[i].cipherSuite == TLS_SHA384_SHA384))) {
- #ifndef NO_RSA
- haveRSAsig = 1;
- #endif
- #if defined(HAVE_ECC) || defined(HAVE_ED25519) || \
- defined(HAVE_ED448)
- haveECDSAsig = 1;
- #endif
- #if defined(HAVE_PQC)
- #ifdef HAVE_FALCON
- haveFalconSig = 1;
- #endif /* HAVE_FALCON */
- #ifdef HAVE_DILITHIUM
- haveDilithiumSig = 1;
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- }
- else
- #endif
- #if defined(HAVE_ECC) || defined(HAVE_ED25519) || \
- defined(HAVE_ED448)
- if ((haveECDSAsig == 0) && XSTRSTR(name, "ECDSA"))
- haveECDSAsig = 1;
- else
- #endif
- #ifdef HAVE_ANON
- if (XSTRSTR(name, "ADH"))
- haveAnon = 1;
- else
- #endif
- if (haveRSAsig == 0
- #ifndef NO_PSK
- && (XSTRSTR(name, "PSK") == NULL)
- #endif
- ) {
- haveRSAsig = 1;
- }
- ret = 1; /* found at least one */
- break;
- }
- }
- }
- while (next++); /* ++ needed to skip ':' */
- if (ret) {
- int keySz = 0;
- #ifndef NO_CERTS
- keySz = ctx->privateKeySz;
- #endif
- #ifdef OPENSSL_EXTRA
- if (callInitSuites) {
- byte tmp[WOLFSSL_MAX_SUITE_SZ];
- XMEMCPY(tmp, suites->suites, idx); /* Store copy */
- suites->setSuites = 0; /* Force InitSuites */
- suites->hashSigAlgoSz = 0; /* Force InitSuitesHashSigAlgo call
- * inside InitSuites */
- InitSuites(suites, ctx->method->version, keySz, haveRSA,
- havePSK, haveDH, haveECDSAsig,
- haveECC, haveStaticRSA,
- haveStaticECC, haveFalconSig,
- haveDilithiumSig, haveAnon,
- haveNull, ctx->method->side);
- /* Restore user ciphers ahead of defaults */
- XMEMMOVE(suites->suites + idx, suites->suites,
- min(suites->suiteSz, WOLFSSL_MAX_SUITE_SZ-idx));
- suites->suiteSz += (word16)idx;
- }
- else
- #endif
- {
- suites->suiteSz = (word16)idx;
- InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig,
- haveFalconSig, haveDilithiumSig, haveAnon,
- 1, keySz);
- }
- suites->setSuites = 1;
- }
- (void)ctx;
- return ret;
- }
- #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_SET_CIPHER_BYTES)
- int SetCipherListFromBytes(WOLFSSL_CTX* ctx, Suites* suites, const byte* list,
- const int listSz)
- {
- int ret = 0;
- int idx = 0;
- int i;
- int haveRSAsig = 0;
- int haveECDSAsig = 0;
- int haveFalconSig = 0;
- int haveDilithiumSig = 0;
- int haveAnon = 0;
- if (suites == NULL || list == NULL) {
- WOLFSSL_MSG("SetCipherListFromBytes parameter error");
- return 0;
- }
- if ((listSz % 2) != 0) {
- return 0;
- }
- for (i = 0; (i + 1) < listSz; i += 2) {
- const byte firstByte = list[i];
- const byte secondByte = list[i + 1];
- const char* name = NULL;
- int j;
- name = GetCipherNameInternal(firstByte, secondByte);
- if (XSTRCMP(name, "None") == 0) {
- /* bytes don't match any known cipher */
- continue;
- }
- #ifdef WOLFSSL_DTLS
- /* don't allow stream ciphers with DTLS */
- if (ctx->method->version.major == DTLS_MAJOR) {
- if (XSTRSTR(name, "RC4")) {
- WOLFSSL_MSG("Stream ciphers not supported with DTLS");
- continue;
- }
- }
- #endif /* WOLFSSL_DTLS */
- for (j = 0; j < idx; j += 2) {
- if ((suites->suites[j+0] == firstByte) &&
- (suites->suites[j+1] == secondByte)) {
- break;
- }
- }
- /* Silently drop duplicates from list. */
- if (j != idx) {
- continue;
- }
- if (idx + 1 >= WOLFSSL_MAX_SUITE_SZ) {
- WOLFSSL_MSG("WOLFSSL_MAX_SUITE_SZ set too low");
- return 0; /* suites buffer not large enough, error out */
- }
- suites->suites[idx++] = firstByte;
- suites->suites[idx++] = secondByte;
- /* The suites are either ECDSA, RSA, PSK, or Anon. The RSA
- * suites don't necessarily have RSA in the name. */
- #ifdef WOLFSSL_TLS13
- if (firstByte == TLS13_BYTE || (firstByte == ECC_BYTE &&
- (secondByte == TLS_SHA256_SHA256 ||
- secondByte == TLS_SHA384_SHA384))) {
- #ifndef NO_RSA
- haveRSAsig = 1;
- #endif
- #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
- haveECDSAsig = 1;
- #endif
- #if defined(HAVE_PQC)
- #ifdef HAVE_FALCON
- haveFalconSig = 1;
- #endif /* HAVE_FALCON */
- #ifdef HAVE_DILITHIUM
- haveDilithiumSig = 1;
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- }
- else
- #endif /* WOLFSSL_TLS13 */
- #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
- if ((haveECDSAsig == 0) && XSTRSTR(name, "ECDSA"))
- haveECDSAsig = 1;
- else
- #endif
- #ifdef HAVE_ANON
- if (XSTRSTR(name, "ADH"))
- haveAnon = 1;
- else
- #endif
- if (haveRSAsig == 0
- #ifndef NO_PSK
- && (XSTRSTR(name, "PSK") == NULL)
- #endif
- ) {
- haveRSAsig = 1;
- }
- ret = 1; /* found at least one */
- }
- if (ret) {
- int keySz = 0;
- #ifndef NO_CERTS
- keySz = ctx->privateKeySz;
- #endif
- suites->suiteSz = (word16)idx;
- InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig,
- haveFalconSig, haveDilithiumSig, haveAnon, 1,
- keySz);
- suites->setSuites = 1;
- }
- (void)ctx;
- return ret;
- }
- #endif /* OPENSSL_EXTRA */
- #ifdef OPENSSL_EXTRA
- struct mac_algs {
- byte alg;
- const char* name;
- } mac_names[] = {
- #ifndef NO_SHA256
- { sha256_mac, "SHA256" },
- #endif
- #ifdef WOLFSSL_SHA384
- { sha384_mac, "SHA384" },
- #endif
- #ifdef WOLFSSL_SHA512
- { sha512_mac, "SHA512" },
- #endif
- #ifdef WOLFSSL_SHA224
- { sha224_mac, "SHA224" },
- #endif
- #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
- defined(WOLFSSL_ALLOW_TLS_SHA1))
- { sha_mac, "SHA1" },
- #endif
- };
- #define MAC_NAMES_SZ (int)(sizeof(mac_names)/sizeof(*mac_names))
- /* Convert the hash algorithm string to a TLS MAC algorithm num. */
- static byte GetMacAlgFromName(const char* name, int len)
- {
- byte alg = no_mac;
- int i;
- for (i = 0; i < MAC_NAMES_SZ; i++) {
- if (((int)XSTRLEN(mac_names[i].name) == len) &&
- (XMEMCMP(mac_names[i].name, name, len) == 0)) {
- alg = mac_names[i].alg;
- break;
- }
- }
- return alg;
- }
- struct sig_algs {
- byte alg;
- const char* name;
- } sig_names[] = {
- #ifndef NO_RSA
- { rsa_sa_algo, "RSA" },
- #ifdef WC_RSA_PSS
- { rsa_pss_sa_algo, "RSA-PSS" },
- { rsa_pss_sa_algo, "PSS" },
- #endif
- #endif
- #ifdef HAVE_ECC
- { ecc_dsa_sa_algo, "ECDSA" },
- #endif
- #ifdef HAVE_ED25519
- { ed25519_sa_algo, "ED25519" },
- #endif
- #ifdef HAVE_ED448
- { ed448_sa_algo, "ED448" },
- #endif
- #ifndef NO_DSA
- { dsa_sa_algo, "DSA" },
- #endif
- };
- #define SIG_NAMES_SZ (int)(sizeof(sig_names)/sizeof(*sig_names))
- /* Convert the signature algorithm string to a TLS signature algorithm num. */
- static byte GetSigAlgFromName(const char* name, int len)
- {
- byte alg = anonymous_sa_algo;
- int i;
- for (i = 0; i < SIG_NAMES_SZ; i++) {
- if (((int)XSTRLEN(sig_names[i].name) == len) &&
- (XMEMCMP(sig_names[i].name, name, len) == 0)) {
- alg = sig_names[i].alg;
- break;
- }
- }
- return alg;
- }
- /* Set the hash/signature algorithms that are supported for certificate signing.
- *
- * suites [in,out] Cipher suites and signature algorithms.
- * list [in] String representing hash/signature algorithms to set.
- * returns 0 on failure.
- * 1 on success.
- */
- int SetSuitesHashSigAlgo(Suites* suites, const char* list)
- {
- int ret = 1;
- word16 idx = 0;
- const char* s = list;
- byte sig_alg = 0;
- byte mac_alg = no_mac;
- /* Setting is destructive on error. */
- suites->hashSigAlgoSz = 0;
- do {
- if (*list == '+') {
- if (mac_alg != 0) {
- ret = 0;
- break;
- }
- sig_alg = GetSigAlgFromName(s, (int)(list - s));
- if (sig_alg == 0) {
- ret = 0;
- break;
- }
- s = list + 1;
- }
- else if (*list == ':' || *list == '\0') {
- if (sig_alg == 0) {
- /* No signature algorithm set yet.
- * Ed25519 and Ed448 have implied MAC algorithm.
- */
- sig_alg = GetSigAlgFromName(s, (int)(list - s));
- if (sig_alg != ed25519_sa_algo && sig_alg != ed448_sa_algo) {
- ret = 0;
- break;
- }
- }
- else {
- mac_alg = GetMacAlgFromName(s, (int)(list - s));
- if (mac_alg == 0) {
- ret = 0;
- break;
- }
- }
- AddSuiteHashSigAlgo(suites->hashSigAlgo, mac_alg, sig_alg, 0, &idx);
- sig_alg = 0;
- mac_alg = no_mac;
- s = list + 1;
- }
- list++;
- }
- while (*(list-1) != '\0');
- if (s != list && (sig_alg != 0 || mac_alg != 0)) {
- ret = 0;
- }
- else {
- suites->hashSigAlgoSz = idx;
- }
- return ret;
- }
- #endif /* OPENSSL_EXTRA */
- #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS)
- static int MatchSigAlgo(WOLFSSL* ssl, int sigAlgo)
- {
- #ifdef HAVE_ED25519
- if (ssl->pkCurveOID == ECC_ED25519_OID) {
- /* Certificate has Ed25519 key, only match with Ed25519 sig alg */
- return sigAlgo == ed25519_sa_algo;
- }
- #endif
- #ifdef HAVE_ED448
- if (ssl->pkCurveOID == ECC_ED448_OID) {
- /* Certificate has Ed448 key, only match with Ed448 sig alg */
- return sigAlgo == ed448_sa_algo;
- }
- #endif
- #ifdef HAVE_PQC
- #ifdef HAVE_FALCON
- if (ssl->pkCurveOID == CTC_FALCON_LEVEL1) {
- /* Certificate has Falcon level 1 key, only match with Falcon level 1
- * sig alg */
- return sigAlgo == falcon_level1_sa_algo;
- }
- if (ssl->pkCurveOID == CTC_FALCON_LEVEL5) {
- /* Certificate has Falcon level 5 key, only match with Falcon level 5
- * sig alg */
- return sigAlgo == falcon_level5_sa_algo;
- }
- #endif /* HAVE_FALCON */
- #ifdef HAVE_DILITHIUM
- if (ssl->pkCurveOID == CTC_DILITHIUM_LEVEL2) {
- /* Certificate has Dilithium level 2 key, only match with it. */
- return sigAlgo == dilithium_level2_sa_algo;
- }
- if (ssl->pkCurveOID == CTC_DILITHIUM_LEVEL3) {
- /* Certificate has Dilithium level 3 key, only match with it. */
- return sigAlgo == dilithium_level3_sa_algo;
- }
- if (ssl->pkCurveOID == CTC_DILITHIUM_LEVEL5) {
- /* Certificate has Dilithium level 5 key, only match with it. */
- return sigAlgo == dilithium_level5_sa_algo;
- }
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- #ifdef WC_RSA_PSS
- /* RSA certificate and PSS sig alg. */
- if (ssl->options.sigAlgo == rsa_sa_algo) {
- #if defined(WOLFSSL_TLS13)
- /* TLS 1.3 only supports RSA-PSS. */
- if (IsAtLeastTLSv1_3(ssl->version))
- return sigAlgo == rsa_pss_sa_algo;
- #endif
- /* TLS 1.2 and below - RSA-PSS allowed. */
- if (sigAlgo == rsa_pss_sa_algo)
- return 1;
- }
- #endif
- /* Signature algorithm matches certificate. */
- return sigAlgo == ssl->options.sigAlgo;
- }
- #if defined(HAVE_ECC) && defined(WOLFSSL_TLS13) || \
- defined(USE_ECDSA_KEYSZ_HASH_ALGO)
- static int CmpEccStrength(int hashAlgo, int curveSz)
- {
- int dgstSz = GetMacDigestSize((byte)hashAlgo);
- if (dgstSz <= 0)
- return -1;
- return dgstSz - (curveSz & (~0x3));
- }
- #endif
- static byte MinHashAlgo(WOLFSSL* ssl)
- {
- #ifdef WOLFSSL_TLS13
- if (IsAtLeastTLSv1_3(ssl->version)) {
- return sha256_mac;
- }
- #endif
- #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_ALLOW_TLS_SHA1)
- if (IsAtLeastTLSv1_2(ssl)) {
- return sha256_mac;
- }
- #endif /* WOLFSSL_NO_TLS12 */
- (void)ssl;
- return sha_mac;
- }
- int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz)
- {
- word32 i;
- int ret = MATCH_SUITE_ERROR;
- byte minHash;
- /* set defaults */
- if (IsAtLeastTLSv1_3(ssl->version)) {
- #ifndef NO_CERTS
- /* TLS 1.3 cipher suites don't have public key algorithms in them.
- * Using the one in the certificate - if any.
- */
- ssl->options.sigAlgo = ssl->buffers.keyType;
- #endif
- }
- else {
- ssl->options.sigAlgo = ssl->specs.sig_algo;
- }
- if (ssl->options.sigAlgo == anonymous_sa_algo) {
- /* PSK ciphersuite - get digest to use from cipher suite */
- ssl->options.hashAlgo = ssl->specs.mac_algorithm;
- return 0;
- }
- ssl->options.hashAlgo = minHash = MinHashAlgo(ssl);
- /* No list means go with the defaults. */
- if (hashSigAlgoSz == 0)
- return 0;
- /* i+1 since two bytes used to describe hash and signature algorithm */
- for (i = 0; (i+1) < hashSigAlgoSz; i += HELLO_EXT_SIGALGO_SZ) {
- byte hashAlgo = 0, sigAlgo = 0;
- DecodeSigAlg(&hashSigAlgo[i], &hashAlgo, &sigAlgo);
- /* Keep looking if hash algorithm not strong enough. */
- if (hashAlgo < minHash)
- continue;
- /* Keep looking if signature algorithm isn't supported by cert. */
- if (!MatchSigAlgo(ssl, sigAlgo))
- continue;
- #ifdef HAVE_ED25519
- if (ssl->pkCurveOID == ECC_ED25519_OID) {
- /* Matched Ed25519 - set chosen and finished. */
- ssl->options.sigAlgo = sigAlgo;
- ssl->options.hashAlgo = hashAlgo;
- ret = 0;
- break;
- }
- #endif
- #ifdef HAVE_ED448
- if (ssl->pkCurveOID == ECC_ED448_OID) {
- /* Matched Ed448 - set chosen and finished. */
- ssl->options.sigAlgo = sigAlgo;
- ssl->options.hashAlgo = hashAlgo;
- ret = 0;
- break;
- }
- #endif
- #if defined(HAVE_PQC)
- #if defined(HAVE_FALCON)
- if (ssl->pkCurveOID == CTC_FALCON_LEVEL1 ||
- ssl->pkCurveOID == CTC_FALCON_LEVEL5 ) {
- /* Matched Falcon - set chosen and finished. */
- ssl->options.sigAlgo = sigAlgo;
- ssl->options.hashAlgo = hashAlgo;
- ret = 0;
- break;
- }
- #endif /* HAVE_FALCON */
- #if defined(HAVE_DILITHIUM)
- if (ssl->pkCurveOID == CTC_DILITHIUM_LEVEL2 ||
- ssl->pkCurveOID == CTC_DILITHIUM_LEVEL3 ||
- ssl->pkCurveOID == CTC_DILITHIUM_LEVEL5) {
- /* Matched Dilithium - set chosen and finished. */
- ssl->options.sigAlgo = sigAlgo;
- ssl->options.hashAlgo = hashAlgo;
- ret = 0;
- break;
- }
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- #if defined(WOLFSSL_ECDSA_MATCH_HASH) && defined(USE_ECDSA_KEYSZ_HASH_ALGO)
- #error "WOLFSSL_ECDSA_MATCH_HASH and USE_ECDSA_KEYSZ_HASH_ALGO cannot "
- "be used together"
- #endif
- #if defined(HAVE_ECC) && (defined(WOLFSSL_TLS13) || \
- defined(WOLFSSL_ECDSA_MATCH_HASH))
- if (sigAlgo == ecc_dsa_sa_algo
- #ifndef WOLFSSL_ECDSA_MATCH_HASH
- && IsAtLeastTLSv1_3(ssl->version)
- #endif
- ) {
- /* Must be exact match. */
- if (CmpEccStrength(hashAlgo, ssl->buffers.keySz) != 0)
- continue;
- /* Matched ECDSA exactly - set chosen and finished. */
- ssl->options.hashAlgo = hashAlgo;
- ssl->options.sigAlgo = sigAlgo;
- ret = 0;
- break;
- }
- #endif
- /* For ECDSA the `USE_ECDSA_KEYSZ_HASH_ALGO` build option will choose a hash
- * algorithm that matches the ephemeral ECDHE key size or the next highest
- * available. This workaround resolves issue with some peer's that do not
- * properly support scenarios such as a P-256 key hashed with SHA512.
- */
- #if defined(HAVE_ECC) && defined(USE_ECDSA_KEYSZ_HASH_ALGO)
- if (sigAlgo == ecc_dsa_sa_algo) {
- int cmp = CmpEccStrength(hashAlgo, ssl->eccTempKeySz);
- /* Keep looking if digest not strong enough. */
- if (cmp < 0)
- continue;
- /* Looking for exact match or next highest. */
- if (ret != 0 || hashAlgo <= ssl->options.hashAlgo) {
- ssl->options.hashAlgo = hashAlgo;
- ssl->options.sigAlgo = sigAlgo;
- #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)
- ssl->namedGroup = 0;
- #endif
- ret = 0;
- }
- /* Continue looking if not the same strength. */
- if (cmp > 0)
- continue;
- /* Exact match - finished. */
- break;
- }
- #endif
- switch (hashAlgo) {
- #ifndef NO_SHA
- case sha_mac:
- #endif
- #ifdef WOLFSSL_SHA224
- case sha224_mac:
- #endif
- #ifndef NO_SHA256
- case sha256_mac:
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- #endif
- #ifdef WOLFSSL_SHA512
- case sha512_mac:
- #endif
- #ifdef WOLFSSL_STRONGEST_HASH_SIG
- /* Is hash algorithm weaker than chosen/min? */
- if (hashAlgo < ssl->options.hashAlgo)
- break;
- #else
- /* Is hash algorithm stonger than last chosen? */
- if (ret == 0 && hashAlgo > ssl->options.hashAlgo)
- break;
- #endif
- if (IsAtLeastTLSv1_2(ssl) && !IsAtLeastTLSv1_3(ssl->version) &&
- (ssl->options.side == WOLFSSL_CLIENT_END)) {
- /* TLS 1.2 client deciding hash algorithm for
- * CertificateVerify. Hash must be one of the handshake
- * hashes being maintained. */
- if (1
- #ifndef NO_SHA
- && (hashAlgo != sha_mac)
- #endif
- #ifndef NO_SHA256
- && (hashAlgo != sha256_mac)
- #endif
- #ifdef WOLFSSL_SHA384
- && (hashAlgo != sha384_mac)
- #endif
- #ifdef WOLFSSL_SHA512
- && (hashAlgo != sha512_mac)
- #endif
- )
- {
- break;
- }
- }
- /* The chosen one - but keep looking. */
- ssl->options.hashAlgo = hashAlgo;
- ssl->options.sigAlgo = sigAlgo;
- ret = 0;
- break;
- default:
- /* Support for hash algorithm not compiled in. */
- break;
- }
- }
- return ret;
- }
- #endif /* !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS) */
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- /* Initialize HandShakeInfo */
- void InitHandShakeInfo(HandShakeInfo* info, WOLFSSL* ssl)
- {
- int i;
- info->ssl = ssl;
- info->cipherName[0] = 0;
- for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++)
- info->packetNames[i][0] = 0;
- info->numberPackets = 0;
- info->negotiationError = 0;
- }
- /* Set Final HandShakeInfo parameters */
- void FinishHandShakeInfo(HandShakeInfo* info)
- {
- int i;
- int sz = GetCipherNamesSize();
- for (i = 0; i < sz; i++) {
- #ifndef NO_CIPHER_SUITE_ALIASES
- if (cipher_names[i].flags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS)
- continue;
- #endif
- if (info->ssl->options.cipherSuite ==
- (byte)cipher_names[i].cipherSuite) {
- if (info->ssl->options.cipherSuite0 == ECC_BYTE)
- continue; /* ECC suites at end */
- XSTRNCPY(info->cipherName, cipher_names[i].name, MAX_CIPHERNAME_SZ);
- info->cipherName[MAX_CIPHERNAME_SZ] = '\0';
- break;
- }
- }
- /* error max and min are negative numbers */
- if (info->ssl->error <= MIN_PARAM_ERR && info->ssl->error >= MAX_PARAM_ERR)
- info->negotiationError = info->ssl->error;
- }
- /* Add name to info packet names, increase packet name count */
- void AddPacketName(WOLFSSL* ssl, const char* name)
- {
- #ifdef WOLFSSL_CALLBACKS
- HandShakeInfo* info = &ssl->handShakeInfo;
- if (info->numberPackets < MAX_PACKETS_HANDSHAKE) {
- char* packetName = info->packetNames[info->numberPackets];
- XSTRNCPY(packetName, name, MAX_PACKETNAME_SZ);
- packetName[MAX_PACKETNAME_SZ] = '\0';
- info->numberPackets++;
- }
- #endif
- (void)ssl;
- (void)name;
- }
- #ifdef WOLFSSL_CALLBACKS
- /* Initialize TimeoutInfo */
- void InitTimeoutInfo(TimeoutInfo* info)
- {
- XMEMSET(info, 0, sizeof(TimeoutInfo));
- }
- /* Free TimeoutInfo */
- void FreeTimeoutInfo(TimeoutInfo* info, void* heap)
- {
- int i;
- (void)heap;
- for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++) {
- if (info->packets[i].bufferValue) {
- XFREE(info->packets[i].bufferValue, heap, DYNAMIC_TYPE_INFO);
- info->packets[i].bufferValue = NULL;
- }
- }
- }
- /* Add packet name to previously added packet info */
- void AddLateName(const char* name, TimeoutInfo* info)
- {
- /* make sure we have a valid previous one */
- if (info->numberPackets > 0 && info->numberPackets <
- MAX_PACKETS_HANDSHAKE) {
- char* packetName = info->packets[info->numberPackets-1].packetName;
- XSTRNCPY(packetName, name, MAX_PACKETNAME_SZ);
- packetName[MAX_PACKETNAME_SZ] = '\0';
- }
- }
- /* Add record header to previously added packet info */
- void AddLateRecordHeader(const RecordLayerHeader* rl, TimeoutInfo* info)
- {
- /* make sure we have a valid previous one */
- if (info->numberPackets > 0 && info->numberPackets <
- MAX_PACKETS_HANDSHAKE) {
- if (info->packets[info->numberPackets - 1].bufferValue)
- XMEMCPY(info->packets[info->numberPackets - 1].bufferValue, rl,
- RECORD_HEADER_SZ);
- else
- XMEMCPY(info->packets[info->numberPackets - 1].value, rl,
- RECORD_HEADER_SZ);
- }
- }
- #endif /* WOLFSSL_CALLBACKS */
- /* Add PacketInfo to TimeoutInfo
- *
- * ssl WOLFSSL structure sending or receiving packet
- * name name of packet being sent
- * type type of packet being sent
- * data data bing sent with packet
- * sz size of data buffer
- * lateRL save space for record layer in TimoutInfo struct
- * written 1 if this packet is being written to wire, 0 if being read
- * heap custom heap to use for mallocs/frees
- */
- int AddPacketInfo(WOLFSSL* ssl, const char* name, int type,
- const byte* data, int sz, int written, int lateRL, void* heap)
- {
- #ifdef WOLFSSL_CALLBACKS
- TimeoutInfo* info = &ssl->timeoutInfo;
- if (info->numberPackets < (MAX_PACKETS_HANDSHAKE - 1)) {
- WOLFSSL_TIMEVAL currTime;
- int totalSz;
- /* add in space for post record layer */
- totalSz = sz + lateRL;
- /* may add name after */
- if (name) {
- char* packetName = info->packets[info->numberPackets].packetName;
- XSTRNCPY(packetName, name, MAX_PACKETNAME_SZ);
- packetName[MAX_PACKETNAME_SZ] = '\0';
- }
- /* add data, put in buffer if bigger than static buffer */
- info->packets[info->numberPackets].valueSz = totalSz;
- if (totalSz < MAX_VALUE_SZ) {
- XMEMCPY(info->packets[info->numberPackets].value, data + lateRL,
- sz);
- }
- else {
- info->packets[info->numberPackets].bufferValue =
- (byte*)XMALLOC(totalSz, heap, DYNAMIC_TYPE_INFO);
- if (!info->packets[info->numberPackets].bufferValue) {
- /* let next alloc catch, just don't fill, not fatal here */
- info->packets[info->numberPackets].valueSz = 0;
- }
- else {
- /* copy over data (which has the handshake header), leaving
- * room for post record layer header if set */
- XMEMCPY(info->packets[info->numberPackets].bufferValue +
- lateRL, data, sz);
- }
- }
- if (gettimeofday(&currTime, 0) < 0)
- return SYSLIB_FAILED_E;
- info->packets[info->numberPackets].timestamp.tv_sec =
- currTime.tv_sec;
- info->packets[info->numberPackets].timestamp.tv_usec =
- currTime.tv_usec;
- info->numberPackets++;
- }
- #endif /* WOLFSSL_CALLBACKS */
- #ifdef OPENSSL_EXTRA
- if ((ssl->protoMsgCb != NULL) && (sz > 0) &&
- (ssl->keys.encryptionOn != 1)) {
- /* version from hex to dec 16 is 16^1, 256 from 16^2 and
- 4096 from 16^3 */
- int version = (ssl->version.minor & 0x0F) +
- ((ssl->version.minor & 0xF0) << 4) +
- ((ssl->version.major & 0x0F) << 8) +
- ((ssl->version.major & 0xF0) << 12);
- ssl->protoMsgCb(written, version, type,
- (const void *)data, (size_t)sz,
- ssl, ssl->protoMsgCtx);
- }
- #endif /* OPENSSL_EXTRA */
- (void)written;
- (void)name;
- (void)heap;
- (void)type;
- (void)ssl;
- (void)lateRL;
- return 0;
- }
- #endif /* WOLFSSL_CALLBACKS */
- #if !defined(NO_CERTS)
- #if defined(WOLF_PRIVATE_KEY_ID) && !defined(NO_CHECK_PRIVATE_KEY)
- /* Create a private key for a device.
- *
- * pkey Key object.
- * data Data to identify key.
- * length Length of data.
- * hsType Type of the key to create.
- * heap Custom heap to use for mallocs/frees
- * devId Id for device.
- * return 0 on success.
- * return NOT_COMPILED_IN if algorithm type not supported.
- * return MEMORY_E on memory allocation failure.
- * return other internal error
- */
- int CreateDevPrivateKey(void** pkey, byte* data, word32 length, int hsType,
- int label, int id, void* heap, int devId)
- {
- int ret = NOT_COMPILED_IN;
- if (hsType == DYNAMIC_TYPE_RSA) {
- #ifndef NO_RSA
- RsaKey* rsaKey;
- rsaKey = (RsaKey*)XMALLOC(sizeof(RsaKey), heap, DYNAMIC_TYPE_RSA);
- if (rsaKey == NULL) {
- return MEMORY_E;
- }
- if (label) {
- ret = wc_InitRsaKey_Label(rsaKey, (char*)data, heap, devId);
- }
- else if (id) {
- ret = wc_InitRsaKey_Id(rsaKey, data, length, heap, devId);
- }
- if (ret == 0) {
- *pkey = (void*)rsaKey;
- }
- else {
- XFREE(rsaKey, heap, DYNAMIC_TYPE_RSA);
- }
- #endif
- }
- else if (hsType == DYNAMIC_TYPE_ECC) {
- #ifdef HAVE_ECC
- ecc_key* ecKey;
- ecKey = (ecc_key*)XMALLOC(sizeof(ecc_key), heap, DYNAMIC_TYPE_ECC);
- if (ecKey == NULL) {
- return MEMORY_E;
- }
- if (label) {
- ret = wc_ecc_init_label(ecKey, (char*)data, heap, devId);
- }
- else if (id) {
- ret = wc_ecc_init_id(ecKey, data, length, heap, devId);
- }
- if (ret == 0) {
- *pkey = (void*)ecKey;
- }
- else {
- XFREE(ecKey, heap, DYNAMIC_TYPE_ECC);
- }
- #endif
- }
- return ret;
- }
- #endif /* WOLF_PRIVATE_KEY_ID && !NO_CHECK_PRIVATE_KEY */
- /* Decode the private key - RSA/ECC/Ed25519/Ed448/Falcon/Dilithium - and
- * creates a key object.
- *
- * The signature type is set as well.
- * The maximum length of a signature is returned.
- *
- * ssl The SSL/TLS object.
- * length The length of a signature.
- * returns 0 on success, otherwise failure.
- */
- int DecodePrivateKey(WOLFSSL *ssl, word16* length)
- {
- int ret = BAD_FUNC_ARG;
- int keySz;
- word32 idx;
- /* make sure private key exists */
- if (ssl->buffers.key == NULL || ssl->buffers.key->buffer == NULL) {
- /* allow no private key if using external */
- #ifdef WOLF_PRIVATE_KEY_ID
- if (ssl->devId != INVALID_DEVID
- #ifdef HAVE_PK_CALLBACKS
- || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
- #endif
- ) {
- *length = GetPrivateKeySigSize(ssl);
- return 0;
- }
- else
- #endif
- {
- WOLFSSL_MSG("Private key missing!");
- ERROR_OUT(NO_PRIVATE_KEY, exit_dpk);
- }
- }
- #ifdef WOLF_PRIVATE_KEY_ID
- if (ssl->buffers.keyDevId != INVALID_DEVID && (ssl->buffers.keyId ||
- ssl->buffers.keyLabel)) {
- if (ssl->buffers.keyType == rsa_sa_algo)
- ssl->hsType = DYNAMIC_TYPE_RSA;
- else if (ssl->buffers.keyType == ecc_dsa_sa_algo)
- ssl->hsType = DYNAMIC_TYPE_ECC;
- ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
- if (ret != 0) {
- goto exit_dpk;
- }
- if (ssl->buffers.keyType == rsa_sa_algo) {
- #ifndef NO_RSA
- if (ssl->buffers.keyLabel) {
- ret = wc_InitRsaKey_Label((RsaKey*)ssl->hsKey,
- (char*)ssl->buffers.key->buffer,
- ssl->heap, ssl->buffers.keyDevId);
- }
- else if (ssl->buffers.keyId) {
- ret = wc_InitRsaKey_Id((RsaKey*)ssl->hsKey,
- ssl->buffers.key->buffer,
- ssl->buffers.key->length, ssl->heap,
- ssl->buffers.keyDevId);
- }
- if (ret == 0) {
- if (ssl->buffers.keySz < ssl->options.minRsaKeySz) {
- WOLFSSL_MSG("RSA key size too small");
- ERROR_OUT(RSA_KEY_SIZE_E, exit_dpk);
- }
- /* Return the maximum signature length. */
- *length = (word16)ssl->buffers.keySz;
- }
- #else
- ret = NOT_COMPILED_IN;
- #endif
- }
- else if (ssl->buffers.keyType == ecc_dsa_sa_algo) {
- #ifdef HAVE_ECC
- if (ssl->buffers.keyLabel) {
- ret = wc_ecc_init_label((ecc_key*)ssl->hsKey,
- (char*)ssl->buffers.key->buffer,
- ssl->heap, ssl->buffers.keyDevId);
- }
- else if (ssl->buffers.keyId) {
- ret = wc_ecc_init_id((ecc_key*)ssl->hsKey,
- ssl->buffers.key->buffer,
- ssl->buffers.key->length, ssl->heap,
- ssl->buffers.keyDevId);
- }
- if (ret == 0) {
- if (ssl->buffers.keySz < ssl->options.minEccKeySz) {
- WOLFSSL_MSG("ECC key size too small");
- ERROR_OUT(ECC_KEY_SIZE_E, exit_dpk);
- }
- /* Return the maximum signature length. */
- *length = (word16)wc_ecc_sig_size_calc(ssl->buffers.keySz);
- }
- #else
- ret = NOT_COMPILED_IN;
- #endif
- }
- goto exit_dpk;
- }
- #endif /* WOLF_PRIVATE_KEY_ID */
- #ifndef NO_RSA
- if (ssl->buffers.keyType == rsa_sa_algo || ssl->buffers.keyType == 0) {
- ssl->hsType = DYNAMIC_TYPE_RSA;
- ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
- if (ret != 0) {
- goto exit_dpk;
- }
- WOLFSSL_MSG("Trying RSA private key");
- /* Set start of data to beginning of buffer. */
- idx = 0;
- /* Decode the key assuming it is an RSA private key. */
- ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx,
- (RsaKey*)ssl->hsKey, ssl->buffers.key->length);
- #ifdef WOLF_PRIVATE_KEY_ID
- /* if using external key then allow using a public key */
- if (ret != 0 && (ssl->devId != INVALID_DEVID
- #ifdef HAVE_PK_CALLBACKS
- || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
- #endif
- )) {
- WOLFSSL_MSG("Trying RSA public key with crypto callbacks");
- idx = 0;
- ret = wc_RsaPublicKeyDecode(ssl->buffers.key->buffer, &idx,
- (RsaKey*)ssl->hsKey, ssl->buffers.key->length);
- }
- #endif
- if (ret == 0) {
- WOLFSSL_MSG("Using RSA private key");
- /* It worked so check it meets minimum key size requirements. */
- keySz = wc_RsaEncryptSize((RsaKey*)ssl->hsKey);
- if (keySz < 0) { /* check if keySz has error case */
- ERROR_OUT(keySz, exit_dpk);
- }
- if (keySz < ssl->options.minRsaKeySz) {
- WOLFSSL_MSG("RSA key size too small");
- ERROR_OUT(RSA_KEY_SIZE_E, exit_dpk);
- }
- /* Return the maximum signature length. */
- *length = (word16)keySz;
- goto exit_dpk;
- }
- }
- #endif /* !NO_RSA */
- #ifdef HAVE_ECC
- #ifndef NO_RSA
- FreeKey(ssl, ssl->hsType, (void**)&ssl->hsKey);
- #endif /* !NO_RSA */
- if (ssl->buffers.keyType == ecc_dsa_sa_algo || ssl->buffers.keyType == 0) {
- ssl->hsType = DYNAMIC_TYPE_ECC;
- ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
- if (ret != 0) {
- goto exit_dpk;
- }
- #ifndef NO_RSA
- WOLFSSL_MSG("Trying ECC private key, RSA didn't work");
- #else
- WOLFSSL_MSG("Trying ECC private key");
- #endif
- /* Set start of data to beginning of buffer. */
- idx = 0;
- /* Decode the key assuming it is an ECC private key. */
- ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx,
- (ecc_key*)ssl->hsKey,
- ssl->buffers.key->length);
- #ifdef WOLF_PRIVATE_KEY_ID
- /* if using external key then allow using a public key */
- if (ret != 0 && (ssl->devId != INVALID_DEVID
- #ifdef HAVE_PK_CALLBACKS
- || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
- #endif
- )) {
- WOLFSSL_MSG("Trying ECC public key with crypto callbacks");
- idx = 0;
- ret = wc_EccPublicKeyDecode(ssl->buffers.key->buffer, &idx,
- (ecc_key*)ssl->hsKey,
- ssl->buffers.key->length);
- }
- #endif
- if (ret == 0) {
- WOLFSSL_MSG("Using ECC private key");
- /* Check it meets the minimum ECC key size requirements. */
- keySz = wc_ecc_size((ecc_key*)ssl->hsKey);
- if (keySz < ssl->options.minEccKeySz) {
- WOLFSSL_MSG("ECC key size too small");
- ERROR_OUT(ECC_KEY_SIZE_E, exit_dpk);
- }
- /* Return the maximum signature length. */
- *length = (word16)wc_ecc_sig_size((ecc_key*)ssl->hsKey);
- goto exit_dpk;
- }
- }
- #endif
- #if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT)
- #if !defined(NO_RSA) || defined(HAVE_ECC)
- FreeKey(ssl, ssl->hsType, (void**)&ssl->hsKey);
- #endif
- if (ssl->buffers.keyType == ed25519_sa_algo || ssl->buffers.keyType == 0) {
- ssl->hsType = DYNAMIC_TYPE_ED25519;
- ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
- if (ret != 0) {
- goto exit_dpk;
- }
- #ifdef HAVE_ECC
- WOLFSSL_MSG("Trying ED25519 private key, ECC didn't work");
- #elif !defined(NO_RSA)
- WOLFSSL_MSG("Trying ED25519 private key, RSA didn't work");
- #else
- WOLFSSL_MSG("Trying ED25519 private key");
- #endif
- /* Set start of data to beginning of buffer. */
- idx = 0;
- /* Decode the key assuming it is an ED25519 private key. */
- ret = wc_Ed25519PrivateKeyDecode(ssl->buffers.key->buffer, &idx,
- (ed25519_key*)ssl->hsKey,
- ssl->buffers.key->length);
- #ifdef WOLF_PRIVATE_KEY_ID
- /* if using external key then allow using a public key */
- if (ret != 0 && (ssl->devId != INVALID_DEVID
- #ifdef HAVE_PK_CALLBACKS
- || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
- #endif
- )) {
- WOLFSSL_MSG("Trying ED25519 public key with crypto callbacks");
- idx = 0;
- ret = wc_Ed25519PublicKeyDecode(ssl->buffers.key->buffer, &idx,
- (ed25519_key*)ssl->hsKey,
- ssl->buffers.key->length);
- }
- #endif
- if (ret == 0) {
- WOLFSSL_MSG("Using ED25519 private key");
- /* Check it meets the minimum ECC key size requirements. */
- if (ED25519_KEY_SIZE < ssl->options.minEccKeySz) {
- WOLFSSL_MSG("ED25519 key size too small");
- ERROR_OUT(ECC_KEY_SIZE_E, exit_dpk);
- }
- /* Return the maximum signature length. */
- *length = ED25519_SIG_SIZE;
- goto exit_dpk;
- }
- }
- #endif /* HAVE_ED25519 && HAVE_ED25519_KEY_IMPORT */
- #if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_IMPORT)
- #if !defined(NO_RSA) || defined(HAVE_ECC)
- FreeKey(ssl, ssl->hsType, (void**)&ssl->hsKey);
- #endif
- if (ssl->buffers.keyType == ed448_sa_algo || ssl->buffers.keyType == 0) {
- ssl->hsType = DYNAMIC_TYPE_ED448;
- ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
- if (ret != 0) {
- goto exit_dpk;
- }
- #ifdef HAVE_ED25519
- WOLFSSL_MSG("Trying ED448 private key, ED25519 didn't work");
- #elif defined(HAVE_ECC)
- WOLFSSL_MSG("Trying ED448 private key, ECC didn't work");
- #elif !defined(NO_RSA)
- WOLFSSL_MSG("Trying ED448 private key, RSA didn't work");
- #else
- WOLFSSL_MSG("Trying ED448 private key");
- #endif
- /* Set start of data to beginning of buffer. */
- idx = 0;
- /* Decode the key assuming it is an ED448 private key. */
- ret = wc_Ed448PrivateKeyDecode(ssl->buffers.key->buffer, &idx,
- (ed448_key*)ssl->hsKey,
- ssl->buffers.key->length);
- #ifdef WOLF_PRIVATE_KEY_ID
- /* if using external key then allow using a public key */
- if (ret != 0 && (ssl->devId != INVALID_DEVID
- #ifdef HAVE_PK_CALLBACKS
- || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
- #endif
- )) {
- WOLFSSL_MSG("Trying ED25519 public key with crypto callbacks");
- idx = 0;
- ret = wc_Ed448PublicKeyDecode(ssl->buffers.key->buffer, &idx,
- (ed448_key*)ssl->hsKey,
- ssl->buffers.key->length);
- }
- #endif
- if (ret == 0) {
- WOLFSSL_MSG("Using ED448 private key");
- /* Check it meets the minimum ECC key size requirements. */
- if (ED448_KEY_SIZE < ssl->options.minEccKeySz) {
- WOLFSSL_MSG("ED448 key size too small");
- ERROR_OUT(ECC_KEY_SIZE_E, exit_dpk);
- }
- /* Return the maximum signature length. */
- *length = ED448_SIG_SIZE;
- goto exit_dpk;
- }
- }
- #endif /* HAVE_ED448 && HAVE_ED448_KEY_IMPORT */
- #if defined(HAVE_PQC)
- #if defined(HAVE_FALCON)
- if (ssl->buffers.keyType == falcon_level1_sa_algo ||
- ssl->buffers.keyType == falcon_level5_sa_algo ||
- ssl->buffers.keyType == 0) {
- ssl->hsType = DYNAMIC_TYPE_FALCON;
- ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
- if (ret != 0) {
- goto exit_dpk;
- }
- if (ssl->buffers.keyType == falcon_level1_sa_algo) {
- ret = wc_falcon_set_level((falcon_key*)ssl->hsKey, 1);
- }
- else if (ssl->buffers.keyType == falcon_level5_sa_algo) {
- ret = wc_falcon_set_level((falcon_key*)ssl->hsKey, 5);
- }
- else {
- /* What if ssl->buffers.keyType is 0? We might want to do something
- * more graceful here. */
- ret = ALGO_ID_E;
- }
- if (ret != 0) {
- goto exit_dpk;
- }
- #if defined(HAVE_ED448)
- WOLFSSL_MSG("Trying Falcon private key, ED448 didn't work");
- #elif defined(HAVE_ED25519)
- WOLFSSL_MSG("Trying Falcon private key, ED25519 didn't work");
- #elif defined(HAVE_ECC)
- WOLFSSL_MSG("Trying Falcon private key, ECC didn't work");
- #elif !defined(NO_RSA)
- WOLFSSL_MSG("Trying Falcon private key, RSA didn't work");
- #else
- WOLFSSL_MSG("Trying Falcon private key");
- #endif
- /* Set start of data to beginning of buffer. */
- idx = 0;
- /* Decode the key assuming it is a Falcon private key. */
- ret = wc_falcon_import_private_only(ssl->buffers.key->buffer,
- ssl->buffers.key->length,
- (falcon_key*)ssl->hsKey);
- if (ret == 0) {
- WOLFSSL_MSG("Using Falcon private key");
- /* Check it meets the minimum Falcon key size requirements. */
- if (FALCON_MAX_KEY_SIZE < ssl->options.minFalconKeySz) {
- WOLFSSL_MSG("Falcon key size too small");
- ERROR_OUT(FALCON_KEY_SIZE_E, exit_dpk);
- }
- /* Return the maximum signature length. */
- *length = FALCON_MAX_SIG_SIZE;
- goto exit_dpk;
- }
- }
- #endif /* HAVE_FALCON */
- #if defined(HAVE_DILITHIUM)
- if (ssl->buffers.keyType == dilithium_level2_sa_algo ||
- ssl->buffers.keyType == dilithium_level3_sa_algo ||
- ssl->buffers.keyType == dilithium_level5_sa_algo ||
- ssl->buffers.keyType == 0) {
- ssl->hsType = DYNAMIC_TYPE_DILITHIUM;
- ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
- if (ret != 0) {
- goto exit_dpk;
- }
- if (ssl->buffers.keyType == dilithium_level2_sa_algo) {
- ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 2);
- }
- else if (ssl->buffers.keyType == dilithium_level3_sa_algo) {
- ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 3);
- }
- else if (ssl->buffers.keyType == dilithium_level5_sa_algo) {
- ret = wc_dilithium_set_level((dilithium_key*)ssl->hsKey, 5);
- }
- else {
- /* What if ssl->buffers.keyType is 0? We might want to do something
- * more graceful here. */
- ret = ALGO_ID_E;
- }
- if (ret != 0) {
- goto exit_dpk;
- }
- #if defined(HAVE_ED448)
- WOLFSSL_MSG("Trying Dilithium private key, ED448 didn't work");
- #elif defined(HAVE_ED25519)
- WOLFSSL_MSG("Trying Dilithium private key, ED25519 didn't work");
- #elif defined(HAVE_ECC)
- WOLFSSL_MSG("Trying Dilithium private key, ECC didn't work");
- #elif !defined(NO_RSA)
- WOLFSSL_MSG("Trying Dilithium private key, RSA didn't work");
- #elif defined(HAVE_FALCON)
- WOLFSSL_MSG("Trying Dilithium private key, Falcon didn't work");
- #else
- WOLFSSL_MSG("Trying Dilithium private key");
- #endif
- /* Set start of data to beginning of buffer. */
- idx = 0;
- /* Decode the key assuming it is a Dilithium private key. */
- ret = wc_dilithium_import_private_only(ssl->buffers.key->buffer,
- ssl->buffers.key->length,
- (dilithium_key*)ssl->hsKey);
- if (ret == 0) {
- WOLFSSL_MSG("Using Dilithium private key");
- /* Check it meets the minimum Dilithium key size requirements. */
- if (DILITHIUM_MAX_KEY_SIZE < ssl->options.minDilithiumKeySz) {
- WOLFSSL_MSG("Dilithium key size too small");
- ERROR_OUT(DILITHIUM_KEY_SIZE_E, exit_dpk);
- }
- /* Return the maximum signature length. */
- *length = DILITHIUM_MAX_SIG_SIZE;
- goto exit_dpk;
- }
- }
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- (void)idx;
- (void)keySz;
- (void)length;
- exit_dpk:
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- return ret;
- }
- #endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */
- #if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_TLS12)
- /* returns 1 if able to do TLS 1.3 otherwise 0 */
- int TLSv1_3_Capable(WOLFSSL* ssl)
- {
- #ifndef WOLFSSL_TLS13
- return 0;
- #else
- int ret = 0;
- if (IsAtLeastTLSv1_3(ssl->ctx->method->version)) {
- ret = 1;
- }
- if ((wolfSSL_get_options(ssl) & WOLFSSL_OP_NO_TLSv1_3)) {
- /* option set at run time to disable TLS 1.3 */
- ret = 0;
- }
- return ret;
- #endif
- }
- #endif /* WOLFSSL_TLS13 */
- #ifndef WOLFSSL_NO_TLS12
- #if (!defined(NO_WOLFSSL_CLIENT) && (!defined(NO_DH) || defined(HAVE_ECC) || \
- defined(HAVE_CURVE25519) || defined(HAVE_CURVE448))) || \
- (!defined(NO_WOLFSSL_SERVER) && (defined(HAVE_ECC) || \
- ((defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)) && \
- (defined(HAVE_ED25519) || defined(HAVE_ED448) || !defined(NO_RSA)))) || \
- (!defined(NO_DH) && (!defined(NO_RSA) || defined(HAVE_ANON))))
- static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType,
- const byte* data, int sz, byte sigAlgo)
- {
- int ret = 0;
- int digest_sz = wc_HashGetDigestSize(hashType);
- if (digest_sz <= 0) {
- ret = BUFFER_ERROR;
- }
- if (ret == 0) {
- /* buffer for signature */
- ssl->buffers.sig.buffer = (byte*)XMALLOC(SEED_LEN + sz, ssl->heap,
- DYNAMIC_TYPE_SIGNATURE);
- if (ssl->buffers.sig.buffer == NULL) {
- ret = MEMORY_E;
- }
- }
- if (ret == 0) {
- ssl->buffers.sig.length = SEED_LEN + sz;
- /* build message to hash */
- XMEMCPY(ssl->buffers.sig.buffer, ssl->arrays->clientRandom, RAN_LEN);
- XMEMCPY(&ssl->buffers.sig.buffer[RAN_LEN], ssl->arrays->serverRandom,
- RAN_LEN);
- /* message */
- XMEMCPY(&ssl->buffers.sig.buffer[RAN_LEN * 2], data, sz);
- }
- if (ret == 0 && sigAlgo != ed25519_sa_algo && sigAlgo != ed448_sa_algo) {
- ssl->buffers.digest.length = (unsigned int)digest_sz;
- /* buffer for hash */
- if (!ssl->buffers.digest.buffer) {
- if (!ssl->options.dontFreeDigest) {
- XFREE(ssl->buffers.digest.buffer, ssl->heap,
- DYNAMIC_TYPE_DIGEST);
- }
- }
- ssl->options.dontFreeDigest = 0;
- ssl->buffers.digest.buffer = (byte*)XMALLOC(ssl->buffers.digest.length,
- ssl->heap, DYNAMIC_TYPE_DIGEST);
- if (ssl->buffers.digest.buffer == NULL) {
- ret = MEMORY_E;
- }
- }
- if (ret == 0 && sigAlgo != ed25519_sa_algo && sigAlgo != ed448_sa_algo) {
- /* Perform hash. Only wc_Hash supports MD5_SHA1. */
- ret = wc_Hash(hashType, ssl->buffers.sig.buffer,
- ssl->buffers.sig.length,
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length);
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->ProcessServerSigKexCb == NULL)
- #endif
- {
- /* No further processing will be done. It can be freed. */
- XFREE(ssl->buffers.sig.buffer, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- ssl->buffers.sig.buffer = NULL;
- }
- }
- return ret;
- }
- #endif
- #endif /* !WOLFSSL_NO_TLS12 */
- /* client only parts */
- #ifndef NO_WOLFSSL_CLIENT
- #ifndef WOLFSSL_NO_TLS12
- /* handle generation of client_hello (1) */
- int SendClientHello(WOLFSSL* ssl)
- {
- byte *output;
- word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- int sendSz;
- int idSz;
- int ret;
- word16 extSz = 0;
- const Suites* suites;
- if (ssl == NULL) {
- return BAD_FUNC_ARG;
- }
- idSz = ssl->options.resuming ? ssl->session->sessionIDSz : 0;
- #ifdef WOLFSSL_TLS13
- if (IsAtLeastTLSv1_3(ssl->version))
- return SendTls13ClientHello(ssl);
- #endif
- WOLFSSL_START(WC_FUNC_CLIENT_HELLO_SEND);
- WOLFSSL_ENTER("SendClientHello");
- suites = WOLFSSL_SUITES(ssl);
- if (suites == NULL) {
- WOLFSSL_MSG("Bad suites pointer in SendClientHello");
- return SUITES_ERROR;
- }
- #ifdef HAVE_SESSION_TICKET
- if (ssl->options.resuming && ssl->session->ticketLen > 0) {
- SessionTicket* ticket;
- ticket = TLSX_SessionTicket_Create(0, ssl->session->ticket,
- ssl->session->ticketLen, ssl->heap);
- if (ticket == NULL) return MEMORY_E;
- ret = TLSX_UseSessionTicket(&ssl->extensions, ticket, ssl->heap);
- if (ret != WOLFSSL_SUCCESS) {
- TLSX_SessionTicket_Free(ticket, ssl->heap);
- return ret;
- }
- idSz = 0;
- }
- #endif
- length = VERSION_SZ + RAN_LEN
- + idSz + ENUM_LEN
- + SUITE_LEN
- + COMP_LEN + ENUM_LEN;
- #ifndef NO_FORCE_SCR_SAME_SUITE
- if (IsSCR(ssl))
- length += SUITE_LEN;
- else
- #endif
- length += suites->suiteSz;
- #ifdef HAVE_TLS_EXTENSIONS
- /* auto populate extensions supported unless user defined */
- if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0)
- return ret;
- extSz = 0;
- ret = TLSX_GetRequestSize(ssl, client_hello, &extSz);
- if (ret != 0)
- return ret;
- length += extSz;
- #else
- if (IsAtLeastTLSv1_2(ssl) && suites->hashSigAlgoSz)
- extSz += HELLO_EXT_SZ + HELLO_EXT_SIGALGO_SZ
- + suites->hashSigAlgoSz;
- #ifdef HAVE_EXTENDED_MASTER
- if (ssl->options.haveEMS)
- extSz += HELLO_EXT_SZ;
- #endif
- if (extSz != 0)
- length += extSz + HELLO_EXT_SZ_SZ;
- #endif
- sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
- if (ssl->arrays == NULL) {
- return BAD_FUNC_ARG;
- }
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- length += ENUM_LEN; /* cookie */
- if (ssl->arrays->cookieSz != 0) length += ssl->arrays->cookieSz;
- sendSz = length + DTLS_HANDSHAKE_HEADER_SZ + DTLS_RECORD_HEADER_SZ;
- idx += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA;
- }
- #endif
- if (IsEncryptionOn(ssl, 1))
- sendSz += MAX_MSG_EXTRA;
- /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
- * is not advanced yet */
- ssl->options.buildingMsg = 1;
- /* check for available size */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
- /* get output buffer */
- output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- AddHeaders(output, length, client_hello, ssl);
- /* client hello, first version */
- output[idx++] = ssl->version.major;
- output[idx++] = ssl->version.minor;
- ssl->chVersion = ssl->version; /* store in case changed */
- /* then random */
- if (ssl->options.connectState == CONNECT_BEGIN) {
- ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN);
- if (ret != 0)
- return ret;
- /* store random */
- XMEMCPY(ssl->arrays->clientRandom, output + idx, RAN_LEN);
- } else {
- #ifdef WOLFSSL_DTLS
- /* send same random on hello again */
- XMEMCPY(output + idx, ssl->arrays->clientRandom, RAN_LEN);
- #endif
- }
- idx += RAN_LEN;
- /* then session id */
- output[idx++] = (byte)idSz;
- if (idSz) {
- XMEMCPY(output + idx, ssl->session->sessionID,
- ssl->session->sessionIDSz);
- idx += ssl->session->sessionIDSz;
- }
- /* then DTLS cookie */
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- byte cookieSz = ssl->arrays->cookieSz;
- output[idx++] = cookieSz;
- if (cookieSz) {
- XMEMCPY(&output[idx], ssl->arrays->cookie, cookieSz);
- idx += cookieSz;
- }
- }
- #endif
- #ifndef NO_FORCE_SCR_SAME_SUITE
- if (IsSCR(ssl)) {
- c16toa(SUITE_LEN, output + idx);
- idx += OPAQUE16_LEN;
- output[idx++] = ssl->options.cipherSuite0;
- output[idx++] = ssl->options.cipherSuite;
- }
- else
- #endif
- {
- /* then cipher suites */
- c16toa(suites->suiteSz, output + idx);
- idx += OPAQUE16_LEN;
- XMEMCPY(output + idx, &suites->suites, suites->suiteSz);
- idx += suites->suiteSz;
- }
- /* last, compression */
- output[idx++] = COMP_LEN;
- if (ssl->options.usingCompression)
- output[idx++] = ZLIB_COMPRESSION;
- else
- output[idx++] = NO_COMPRESSION;
- #ifdef HAVE_TLS_EXTENSIONS
- extSz = 0;
- ret = TLSX_WriteRequest(ssl, output + idx, client_hello, &extSz);
- if (ret != 0)
- return ret;
- idx += extSz;
- (void)idx; /* suppress analyzer warning, keep idx current */
- #else
- if (extSz != 0) {
- c16toa(extSz, output + idx);
- idx += HELLO_EXT_SZ_SZ;
- if (IsAtLeastTLSv1_2(ssl)) {
- if (suites->hashSigAlgoSz) {
- word16 i;
- /* extension type */
- c16toa(HELLO_EXT_SIG_ALGO, output + idx);
- idx += HELLO_EXT_TYPE_SZ;
- /* extension data length */
- c16toa(HELLO_EXT_SIGALGO_SZ + suites->hashSigAlgoSz,
- output + idx);
- idx += HELLO_EXT_SZ_SZ;
- /* sig algos length */
- c16toa(suites->hashSigAlgoSz, output + idx);
- idx += HELLO_EXT_SIGALGO_SZ;
- for (i=0; i < suites->hashSigAlgoSz; i++, idx++) {
- output[idx] = suites->hashSigAlgo[i];
- }
- }
- }
- #ifdef HAVE_EXTENDED_MASTER
- if (ssl->options.haveEMS) {
- c16toa(HELLO_EXT_EXTMS, output + idx);
- idx += HELLO_EXT_TYPE_SZ;
- c16toa(0, output + idx);
- idx += HELLO_EXT_SZ_SZ;
- }
- #endif
- }
- #endif
- if (IsEncryptionOn(ssl, 1)) {
- byte* input;
- int inputSz = idx; /* build msg adds rec hdr */
- int recordHeaderSz = RECORD_HEADER_SZ;
- if (ssl->options.dtls)
- recordHeaderSz += DTLS_RECORD_EXTRA;
- inputSz -= recordHeaderSz;
- input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (input == NULL)
- return MEMORY_E;
- XMEMCPY(input, output + recordHeaderSz, inputSz);
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl) &&
- (ret = DtlsMsgPoolSave(ssl, input, inputSz, client_hello)) != 0) {
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- return ret;
- }
- #endif
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- handshake, 1, 0, 0, CUR_ORDER);
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (sendSz < 0)
- return sendSz;
- } else {
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl)) {
- if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, client_hello)) != 0)
- return ret;
- }
- if (ssl->options.dtls)
- DtlsSEQIncrement(ssl, CUR_ORDER);
- #endif
- ret = HashOutput(ssl, output, sendSz, 0);
- if (ret != 0)
- return ret;
- }
- ssl->options.clientState = CLIENT_HELLO_COMPLETE;
- #ifdef OPENSSL_EXTRA
- ssl->cbmode = SSL_CB_MODE_WRITE;
- if (ssl->CBIS != NULL)
- ssl->CBIS(ssl, SSL_CB_CONNECT_LOOP, WOLFSSL_SUCCESS);
- #endif
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "ClientHello", handshake, output, sendSz,
- WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->options.buildingMsg = 0;
- ssl->buffers.outputBuffer.length += sendSz;
- ret = SendBuffered(ssl);
- WOLFSSL_LEAVE("SendClientHello", ret);
- WOLFSSL_END(WC_FUNC_CLIENT_HELLO_SEND);
- return ret;
- }
- /* handle processing of DTLS hello_verify_request (3) */
- int DoHelloVerifyRequest(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
- word32 size)
- {
- ProtocolVersion pv;
- byte cookieSz;
- word32 begin = *inOutIdx;
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn) AddPacketName(ssl, "HelloVerifyRequest");
- if (ssl->toInfoOn) AddLateName("HelloVerifyRequest", &ssl->timeoutInfo);
- #endif
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- DtlsMsgPoolReset(ssl);
- }
- #endif
- if (OPAQUE16_LEN + OPAQUE8_LEN > size)
- return BUFFER_ERROR;
- XMEMCPY(&pv, input + *inOutIdx, OPAQUE16_LEN);
- *inOutIdx += OPAQUE16_LEN;
- if (pv.major != DTLS_MAJOR ||
- (pv.minor != DTLS_MINOR && pv.minor != DTLSv1_2_MINOR))
- return VERSION_ERROR;
- cookieSz = input[(*inOutIdx)++];
- if (cookieSz) {
- if ((*inOutIdx - begin) + cookieSz > size)
- return BUFFER_ERROR;
- #ifdef WOLFSSL_DTLS
- if (cookieSz <= MAX_COOKIE_LEN) {
- XMEMCPY(ssl->arrays->cookie, input + *inOutIdx, cookieSz);
- ssl->arrays->cookieSz = cookieSz;
- }
- #endif
- *inOutIdx += cookieSz;
- }
- #if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_TLS13)
- if (IsAtLeastTLSv1_3(ssl->version) && ssl->options.dtls) {
- /* we sent a TLSv1.3 ClientHello but received a
- * HELLO_VERIFY_REQUEST */
- if (!ssl->options.downgrade ||
- ssl->options.minDowngrade < pv.minor)
- return VERSION_ERROR;
- }
- #endif /* defined(WOLFSSL_DTLS13) && defined(WOLFSSL_TLS13) */
- ssl->options.serverState = SERVER_HELLOVERIFYREQUEST_COMPLETE;
- return 0;
- }
- static WC_INLINE int DSH_CheckSessionId(WOLFSSL* ssl)
- {
- int ret = 0;
- #ifdef HAVE_SECRET_CALLBACK
- /* If a session secret callback exists, we are using that
- * key instead of the saved session key. Requires a ticket. */
- ret = ret || (ssl->sessionSecretCb != NULL
- #ifdef HAVE_SESSION_TICKET
- && ssl->session->ticketLen > 0
- #endif
- );
- #endif
- #ifdef HAVE_SESSION_TICKET
- /* server may send blank ticket which may not be expected to indicate
- * existing one ok but will also be sending a new one */
- ret = ret || (ssl->session->ticketLen > 0);
- #endif
- ret = ret ||
- (ssl->options.haveSessionId && XMEMCMP(ssl->arrays->sessionID,
- ssl->session->sessionID, ID_LEN) == 0);
- return ret;
- }
- /* Check the version in the received message is valid and set protocol
- * version to use.
- *
- * ssl The SSL/TLS object.
- * pv The protocol version from the packet.
- * returns 0 on success, otherwise failure.
- */
- int CheckVersion(WOLFSSL *ssl, ProtocolVersion pv)
- {
- byte lowerVersion, higherVersion;
- #ifdef WOLFSSL_TLS13_DRAFT
- if (pv.major == TLS_DRAFT_MAJOR) {
- pv.major = SSLv3_MAJOR;
- pv.minor = TLSv1_3_MINOR;
- }
- #endif
- #ifdef OPENSSL_EXTRA
- if (ssl->CBIS != NULL) {
- ssl->CBIS(ssl, SSL_CB_HANDSHAKE_START, WOLFSSL_SUCCESS);
- }
- #endif
- if (ssl->options.dtls) {
- if (pv.major != DTLS_MAJOR || pv.minor == DTLS_BOGUS_MINOR) {
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- lowerVersion = pv.minor > ssl->version.minor;
- higherVersion = pv.minor < ssl->version.minor;
- }
- else {
- if (pv.major != SSLv3_MAJOR) {
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- lowerVersion = pv.minor < ssl->version.minor;
- higherVersion = pv.minor > ssl->version.minor;
- }
- if (higherVersion) {
- WOLFSSL_MSG("Server using higher version, fatal error");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- if (lowerVersion) {
- WOLFSSL_MSG("server using lower version");
- /* Check for downgrade attack. */
- if (!ssl->options.downgrade) {
- WOLFSSL_MSG("\tno downgrade allowed, fatal error");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- if ((!ssl->options.dtls && pv.minor < ssl->options.minDowngrade) ||
- (ssl->options.dtls && pv.minor > ssl->options.minDowngrade)) {
- WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- #ifdef HAVE_SECURE_RENEGOTIATION
- if (ssl->secure_renegotiation &&
- ssl->secure_renegotiation->enabled &&
- ssl->options.handShakeDone) {
- WOLFSSL_MSG("Server changed version during scr");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- #endif
- /* Checks made - OK to downgrade. */
- ssl->version.minor = pv.minor;
- switch(pv.minor) {
- case SSLv3_MINOR:
- /* turn off tls */
- WOLFSSL_MSG("\tdowngrading to SSLv3");
- ssl->options.tls = 0;
- ssl->options.tls1_1 = 0;
- break;
- case TLSv1_MINOR:
- /* turn off tls 1.1+ */
- WOLFSSL_MSG("\tdowngrading to TLSv1");
- ssl->options.tls1_1 = 0;
- break;
- case TLSv1_1_MINOR:
- WOLFSSL_MSG("\tdowngrading to TLSv1.1");
- break;
- case DTLS_MINOR:
- WOLFSSL_MSG("\tdowngrading to DTLSv1.1");
- break;
- case TLSv1_2_MINOR:
- WOLFSSL_MSG("\tdowngrading to TLSv1.2");
- break;
- case DTLSv1_2_MINOR:
- WOLFSSL_MSG("\tdowngrading to DTLSv1.2");
- break;
- default:
- WOLFSSL_MSG("\tbad minor version");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- }
- /* check if option is set to not allow the current version
- * set from either wolfSSL_set_options or wolfSSL_CTX_set_options */
- if (!ssl->options.dtls && ssl->options.downgrade &&
- ssl->options.mask > 0) {
- if (ssl->version.minor == TLSv1_2_MINOR &&
- (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) ==
- WOLFSSL_OP_NO_TLSv1_2) {
- WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading");
- ssl->version.minor = TLSv1_1_MINOR;
- }
- if (ssl->version.minor == TLSv1_1_MINOR &&
- (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) ==
- WOLFSSL_OP_NO_TLSv1_1) {
- WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading");
- ssl->options.tls1_1 = 0;
- ssl->version.minor = TLSv1_MINOR;
- }
- if (ssl->version.minor == TLSv1_MINOR &&
- (ssl->options.mask & WOLFSSL_OP_NO_TLSv1) ==
- WOLFSSL_OP_NO_TLSv1) {
- WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading");
- ssl->options.tls = 0;
- ssl->options.tls1_1 = 0;
- ssl->version.minor = SSLv3_MINOR;
- }
- if (ssl->version.minor == SSLv3_MINOR &&
- (ssl->options.mask & WOLFSSL_OP_NO_SSLv3) ==
- WOLFSSL_OP_NO_SSLv3) {
- WOLFSSL_MSG("\tError, option set to not allow SSLv3");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- if (ssl->version.minor < ssl->options.minDowngrade) {
- WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- }
- return 0;
- }
- /* handle processing of server_hello (2) */
- int DoServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
- word32 helloSz)
- {
- byte cs0; /* cipher suite bytes 0, 1 */
- byte cs1;
- ProtocolVersion pv;
- byte compression;
- word32 i = *inOutIdx;
- word32 begin = i;
- int ret;
- WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO);
- WOLFSSL_ENTER("DoServerHello");
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn) AddPacketName(ssl, "ServerHello");
- if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo);
- #endif
- /* protocol version, random and session id length check */
- if (OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz)
- return BUFFER_ERROR;
- /* protocol version */
- XMEMCPY(&pv, input + i, OPAQUE16_LEN);
- i += OPAQUE16_LEN;
- ret = CheckVersion(ssl, pv);
- if (ret != 0) {
- SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
- return ret;
- }
- #ifdef WOLFSSL_TLS13
- if (IsAtLeastTLSv1_3(pv)) {
- byte type = server_hello;
- return DoTls13ServerHello(ssl, input, inOutIdx, helloSz, &type);
- }
- #endif
- /* random */
- XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN);
- i += RAN_LEN;
- /* session id */
- ssl->arrays->sessionIDSz = input[i++];
- if (ssl->arrays->sessionIDSz > ID_LEN) {
- WOLFSSL_MSG("Invalid session ID size");
- ssl->arrays->sessionIDSz = 0;
- return BUFFER_ERROR;
- }
- else if (ssl->arrays->sessionIDSz) {
- if ((i - begin) + ssl->arrays->sessionIDSz > helloSz)
- return BUFFER_ERROR;
- XMEMCPY(ssl->arrays->sessionID, input + i,
- ssl->arrays->sessionIDSz);
- i += ssl->arrays->sessionIDSz;
- ssl->options.haveSessionId = 1;
- }
- /* suite and compression */
- if ((i - begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz)
- return BUFFER_ERROR;
- cs0 = input[i++];
- cs1 = input[i++];
- #ifndef WOLFSSL_NO_STRICT_CIPHER_SUITE
- #if defined(HAVE_SECURE_RENEGOTIATION) && !defined(NO_FORCE_SCR_SAME_SUITE)
- if (IsSCR(ssl)) {
- if (ssl->options.cipherSuite0 != cs0 ||
- ssl->options.cipherSuite != cs1) {
- WOLFSSL_MSG("Server changed cipher suite during scr");
- WOLFSSL_ERROR_VERBOSE(MATCH_SUITE_ERROR);
- return MATCH_SUITE_ERROR;
- }
- }
- else
- #endif
- {
- word32 idx, found = 0;
- const Suites* suites = WOLFSSL_SUITES(ssl);
- /* confirm server_hello cipher suite is one sent in client_hello */
- for (idx = 0; idx < suites->suiteSz; idx += 2) {
- if (suites->suites[idx] == cs0 &&
- suites->suites[idx+1] == cs1) {
- found = 1;
- break;
- }
- }
- if (!found) {
- WOLFSSL_MSG("ServerHello did not use cipher suite from ClientHello");
- WOLFSSL_ERROR_VERBOSE(MATCH_SUITE_ERROR);
- return MATCH_SUITE_ERROR;
- }
- }
- #endif /* !WOLFSSL_NO_STRICT_CIPHER_SUITE */
- ssl->options.cipherSuite0 = cs0;
- ssl->options.cipherSuite = cs1;
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG("Chosen cipher suite:");
- WOLFSSL_MSG(GetCipherNameInternal(ssl->options.cipherSuite0,
- ssl->options.cipherSuite));
- #endif
- compression = input[i++];
- if (compression != NO_COMPRESSION && !ssl->options.usingCompression) {
- WOLFSSL_MSG("Server forcing compression w/o support");
- WOLFSSL_ERROR_VERBOSE(COMPRESSION_ERROR);
- return COMPRESSION_ERROR;
- }
- if (compression != ZLIB_COMPRESSION && ssl->options.usingCompression) {
- WOLFSSL_MSG("Server refused compression, turning off");
- ssl->options.usingCompression = 0; /* turn off if server refused */
- }
- *inOutIdx = i;
- #ifdef HAVE_TLS_EXTENSIONS
- if ( (i - begin) < helloSz) {
- if (TLSX_SupportExtensions(ssl)) {
- word16 totalExtSz;
- if ((i - begin) + OPAQUE16_LEN > helloSz)
- return BUFFER_ERROR;
- ato16(&input[i], &totalExtSz);
- i += OPAQUE16_LEN;
- if ((i - begin) + totalExtSz > helloSz)
- return BUFFER_ERROR;
- if ((ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz,
- server_hello, NULL)))
- return ret;
- i += totalExtSz;
- *inOutIdx = i;
- }
- else
- *inOutIdx = begin + helloSz; /* skip extensions */
- }
- else
- ssl->options.haveEMS = 0; /* If no extensions, no EMS */
- #else
- {
- byte pendingEMS = 0;
- if ( (i - begin) < helloSz) {
- int allowExt = 0;
- if (ssl->version.major == SSLv3_MAJOR &&
- ssl->version.minor >= TLSv1_MINOR) {
- allowExt = 1;
- }
- #ifdef WOLFSSL_DTLS
- if (ssl->version.major == DTLS_MAJOR)
- allowExt = 1;
- #endif
- if (allowExt) {
- word16 totalExtSz;
- if ((i - begin) + OPAQUE16_LEN > helloSz)
- return BUFFER_ERROR;
- ato16(&input[i], &totalExtSz);
- i += OPAQUE16_LEN;
- if ((i - begin) + totalExtSz > helloSz)
- return BUFFER_ERROR;
- while (totalExtSz) {
- word16 extId, extSz;
- if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz)
- return BUFFER_ERROR;
- ato16(&input[i], &extId);
- i += OPAQUE16_LEN;
- ato16(&input[i], &extSz);
- i += OPAQUE16_LEN;
- if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz)
- return BUFFER_ERROR;
- if (extId == HELLO_EXT_EXTMS)
- pendingEMS = 1;
- else
- i += extSz;
- totalExtSz -= OPAQUE16_LEN + OPAQUE16_LEN + extSz;
- }
- *inOutIdx = i;
- }
- else
- *inOutIdx = begin + helloSz; /* skip extensions */
- }
- if (!pendingEMS && ssl->options.haveEMS)
- ssl->options.haveEMS = 0;
- }
- #endif
- #if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_HARDEN_TLS_NO_SCR_CHECK)
- if (ssl->secure_renegotiation == NULL ||
- !ssl->secure_renegotiation->enabled) {
- /* If the server does not acknowledge the extension, the client
- * MUST generate a fatal handshake_failure alert prior to
- * terminating the connection.
- * https://www.rfc-editor.org/rfc/rfc9325#name-renegotiation-in-tls-12 */
- WOLFSSL_MSG("ServerHello did not contain SCR extension");
- return SECURE_RENEGOTIATION_E;
- }
- #endif
- ssl->options.serverState = SERVER_HELLO_COMPLETE;
- if (IsEncryptionOn(ssl, 0)) {
- *inOutIdx += ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMWrite &&
- ssl->specs.cipher_type == block) {
- *inOutIdx += MacSize(ssl);
- }
- #endif
- }
- #ifdef HAVE_SECRET_CALLBACK
- if (ssl->sessionSecretCb != NULL
- #ifdef HAVE_SESSION_TICKET
- && ssl->session->ticketLen > 0
- #endif
- ) {
- int secretSz = SECRET_LEN;
- ret = ssl->sessionSecretCb(ssl, ssl->session->masterSecret,
- &secretSz, ssl->sessionSecretCtx);
- if (ret != 0 || secretSz != SECRET_LEN) {
- WOLFSSL_ERROR_VERBOSE(SESSION_SECRET_CB_E);
- return SESSION_SECRET_CB_E;
- }
- }
- #endif /* HAVE_SECRET_CALLBACK */
- ret = CompleteServerHello(ssl);
- WOLFSSL_LEAVE("DoServerHello", ret);
- WOLFSSL_END(WC_FUNC_SERVER_HELLO_DO);
- return ret;
- }
- int CompleteServerHello(WOLFSSL* ssl)
- {
- int ret;
- if (!ssl->options.resuming) {
- byte* down = ssl->arrays->serverRandom + RAN_LEN -
- TLS13_DOWNGRADE_SZ - 1;
- byte vers = ssl->arrays->serverRandom[RAN_LEN - 1];
- #ifdef WOLFSSL_TLS13
- if (TLSv1_3_Capable(ssl)) {
- /* TLS v1.3 capable client not allowed to downgrade when
- * connecting to TLS v1.3 capable server unless cipher suite
- * demands it.
- */
- if (XMEMCMP(down, tls13Downgrade, TLS13_DOWNGRADE_SZ) == 0 &&
- (vers == 0 || vers == 1)) {
- SendAlert(ssl, alert_fatal, illegal_parameter);
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- }
- else
- #endif
- if (ssl->ctx->method->version.major == SSLv3_MAJOR &&
- ssl->ctx->method->version.minor == TLSv1_2_MINOR &&
- (wolfSSL_get_options(ssl) & WOLFSSL_OP_NO_TLSv1_2) == 0) {
- /* TLS v1.2 capable client not allowed to downgrade when
- * connecting to TLS v1.2 capable server.
- */
- if (XMEMCMP(down, tls13Downgrade, TLS13_DOWNGRADE_SZ) == 0 &&
- vers == 0) {
- SendAlert(ssl, alert_fatal, illegal_parameter);
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- }
- }
- else {
- if (DSH_CheckSessionId(ssl)) {
- if (SetCipherSpecs(ssl) == 0) {
- XMEMCPY(ssl->arrays->masterSecret,
- ssl->session->masterSecret, SECRET_LEN);
- #ifdef NO_OLD_TLS
- ret = DeriveTlsKeys(ssl);
- #else
- ret = -1; /* default value */
- #ifndef NO_TLS
- if (ssl->options.tls)
- ret = DeriveTlsKeys(ssl);
- #endif
- if (!ssl->options.tls)
- ret = DeriveKeys(ssl);
- #endif /* NO_OLD_TLS */
- /* SERVER: peer auth based on session secret. */
- ssl->options.peerAuthGood = (ret == 0);
- ssl->options.serverState = SERVER_HELLODONE_COMPLETE;
- return ret;
- }
- else {
- WOLFSSL_MSG("Unsupported cipher suite, DoServerHello");
- WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_SUITE);
- return UNSUPPORTED_SUITE;
- }
- }
- else {
- WOLFSSL_MSG("Server denied resumption attempt");
- ssl->options.resuming = 0; /* server denied resumption try */
- }
- }
- return SetCipherSpecs(ssl);
- }
- #endif /* !WOLFSSL_NO_TLS12 */
- /* Make sure client setup is valid for this suite, true on success */
- int VerifyClientSuite(word16 havePSK, byte cipherSuite0, byte cipherSuite)
- {
- (void)havePSK;
- WOLFSSL_ENTER("VerifyClientSuite");
- if (CipherRequires(cipherSuite0, cipherSuite, REQUIRES_PSK)) {
- WOLFSSL_MSG("Requires PSK");
- #ifndef NO_PSK
- if (havePSK == 0)
- #endif
- {
- WOLFSSL_MSG("Don't have PSK");
- return 0;
- }
- }
- return 1; /* success */
- }
- #ifndef WOLFSSL_NO_TLS12
- #ifndef NO_CERTS
- /* handle processing of certificate_request (13) */
- static int DoCertificateRequest(WOLFSSL* ssl, const byte* input, word32*
- inOutIdx, word32 size)
- {
- word16 len;
- word32 begin = *inOutIdx;
- #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
- defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
- int ret;
- #endif
- #ifdef OPENSSL_EXTRA
- WOLFSSL_X509* x509 = NULL;
- WOLFSSL_EVP_PKEY* pkey = NULL;
- #endif
- WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_DO);
- WOLFSSL_ENTER("DoCertificateRequest");
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "CertificateRequest");
- if (ssl->toInfoOn)
- AddLateName("CertificateRequest", &ssl->timeoutInfo);
- #endif
- if (OPAQUE8_LEN > size)
- return BUFFER_ERROR;
- len = input[(*inOutIdx)++];
- if ((*inOutIdx - begin) + len > size)
- return BUFFER_ERROR;
- /* types, read in here */
- *inOutIdx += len;
- /* signature and hash signature algorithm */
- if (IsAtLeastTLSv1_2(ssl)) {
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
- return BUFFER_ERROR;
- ato16(input + *inOutIdx, &len);
- *inOutIdx += OPAQUE16_LEN;
- if ((len > size) || ((*inOutIdx - begin) + len > size))
- return BUFFER_ERROR;
- if (PickHashSigAlgo(ssl, input + *inOutIdx, len) != 0 &&
- ssl->buffers.certificate &&
- ssl->buffers.certificate->buffer) {
- #ifdef HAVE_PK_CALLBACKS
- if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) {
- WOLFSSL_MSG("Using PK for client private key");
- WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
- return INVALID_PARAMETER;
- }
- #endif
- if (ssl->buffers.key && ssl->buffers.key->buffer) {
- WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
- return INVALID_PARAMETER;
- }
- }
- *inOutIdx += len;
- #ifdef WC_RSA_PSS
- ssl->pssAlgo = 0;
- if (ssl->options.sigAlgo == rsa_pss_sa_algo)
- ssl->pssAlgo |= 1 << ssl->options.hashAlgo;
- #endif
- }
- /* authorities */
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
- return BUFFER_ERROR;
- /* DN seq length */
- ato16(input + *inOutIdx, &len);
- *inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + len > size)
- return BUFFER_ERROR;
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
- if (ssl->ca_names != ssl->ctx->ca_names)
- wolfSSL_sk_X509_NAME_pop_free(ssl->ca_names, NULL);
- ssl->ca_names = wolfSSL_sk_X509_NAME_new(NULL);
- if (ssl->ca_names == NULL) {
- return MEMORY_ERROR;
- }
- #endif
- while (len) {
- word16 dnSz;
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
- return BUFFER_ERROR;
- ato16(input + *inOutIdx, &dnSz);
- *inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + dnSz > size)
- return BUFFER_ERROR;
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
- {
- WOLFSSL_X509_NAME* name = NULL;
- /* Use a DecodedCert struct to get access to GetName to
- * parse DN name */
- #ifdef WOLFSSL_SMALL_STACK
- DecodedCert *cert = (DecodedCert *)XMALLOC(
- sizeof(*cert), ssl->heap, DYNAMIC_TYPE_DCERT);
- if (cert == NULL)
- return MEMORY_ERROR;
- #else
- DecodedCert cert[1];
- #endif
- InitDecodedCert(cert, input + *inOutIdx, dnSz, ssl->heap);
- ret = GetName(cert, SUBJECT, dnSz);
- if (ret == 0) {
- if ((name = wolfSSL_X509_NAME_new()) == NULL)
- ret = MEMORY_ERROR;
- }
- if (ret == 0) {
- CopyDecodedName(name, cert, SUBJECT);
- }
- if (ret == 0) {
- if (wolfSSL_sk_X509_NAME_push(ssl->ca_names, name)
- == WOLFSSL_FAILURE)
- {
- ret = MEMORY_ERROR;
- }
- }
- FreeDecodedCert(cert);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
- #endif
- if (ret != 0) {
- if (name != NULL)
- wolfSSL_X509_NAME_free(name);
- return ret;
- }
- }
- #endif
- *inOutIdx += dnSz;
- len -= OPAQUE16_LEN + dnSz;
- }
- #ifdef OPENSSL_EXTRA
- /* call client cert callback if no cert has been loaded */
- if ((ssl->ctx->CBClientCert != NULL) &&
- (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer)) {
- ret = ssl->ctx->CBClientCert(ssl, &x509, &pkey);
- if (ret == 1) {
- if ((wolfSSL_use_certificate(ssl, x509) != WOLFSSL_SUCCESS) ||
- (wolfSSL_use_PrivateKey(ssl, pkey) != WOLFSSL_SUCCESS)) {
- WOLFSSL_ERROR_VERBOSE(CLIENT_CERT_CB_ERROR);
- return CLIENT_CERT_CB_ERROR;
- }
- wolfSSL_X509_free(x509);
- wolfSSL_EVP_PKEY_free(pkey);
- }
- else if (ret < 0) {
- return WOLFSSL_ERROR_WANT_X509_LOOKUP;
- }
- }
- if ((ret = CertSetupCbWrapper(ssl)) != 0)
- return ret;
- #endif
- /* don't send client cert or cert verify if user hasn't provided
- cert and private key */
- if (ssl->buffers.certificate && ssl->buffers.certificate->buffer) {
- #ifdef HAVE_PK_CALLBACKS
- if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) {
- WOLFSSL_MSG("Using PK for client private key");
- ssl->options.sendVerify = SEND_CERT;
- }
- #endif
- if (ssl->buffers.key && ssl->buffers.key->buffer) {
- ssl->options.sendVerify = SEND_CERT;
- }
- }
- #ifdef OPENSSL_EXTRA
- else
- #else
- else if (IsTLS(ssl))
- #endif
- {
- ssl->options.sendVerify = SEND_BLANK_CERT;
- }
- if (IsEncryptionOn(ssl, 0)) {
- *inOutIdx += ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead)
- *inOutIdx += MacSize(ssl);
- #endif
- }
- WOLFSSL_LEAVE("DoCertificateRequest", 0);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_DO);
- return 0;
- }
- #endif /* !NO_CERTS */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
- static int CheckCurveId(int tlsCurveId)
- {
- int ret = ECC_CURVE_ERROR;
- switch (tlsCurveId) {
- #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
- #ifndef NO_ECC_SECP
- case WOLFSSL_ECC_SECP160R1: return ECC_SECP160R1_OID;
- #endif /* !NO_ECC_SECP */
- #ifdef HAVE_ECC_SECPR2
- case WOLFSSL_ECC_SECP160R2: return ECC_SECP160R2_OID;
- #endif /* HAVE_ECC_SECPR2 */
- #ifdef HAVE_ECC_KOBLITZ
- case WOLFSSL_ECC_SECP160K1: return ECC_SECP160K1_OID;
- #endif /* HAVE_ECC_KOBLITZ */
- #endif
- #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
- #ifndef NO_ECC_SECP
- case WOLFSSL_ECC_SECP192R1: return ECC_SECP192R1_OID;
- #endif /* !NO_ECC_SECP */
- #ifdef HAVE_ECC_KOBLITZ
- case WOLFSSL_ECC_SECP192K1: return ECC_SECP192K1_OID;
- #endif /* HAVE_ECC_KOBLITZ */
- #endif
- #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
- #ifndef NO_ECC_SECP
- case WOLFSSL_ECC_SECP224R1: return ECC_SECP224R1_OID;
- #endif /* !NO_ECC_SECP */
- #ifdef HAVE_ECC_KOBLITZ
- case WOLFSSL_ECC_SECP224K1: return ECC_SECP224K1_OID;
- #endif /* HAVE_ECC_KOBLITZ */
- #endif
- #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
- case WOLFSSL_ECC_X25519: return ECC_X25519_OID;
- #endif
- #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
- #ifndef NO_ECC_SECP
- case WOLFSSL_ECC_SECP256R1: return ECC_SECP256R1_OID;
- #endif /* !NO_ECC_SECP */
- #ifdef HAVE_ECC_KOBLITZ
- case WOLFSSL_ECC_SECP256K1: return ECC_SECP256K1_OID;
- #endif /* HAVE_ECC_KOBLITZ */
- #ifdef HAVE_ECC_BRAINPOOL
- case WOLFSSL_ECC_BRAINPOOLP256R1: return ECC_BRAINPOOLP256R1_OID;
- #endif /* HAVE_ECC_BRAINPOOL */
- #endif
- #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
- case WOLFSSL_ECC_X448: return ECC_X448_OID;
- #endif
- #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
- #ifndef NO_ECC_SECP
- case WOLFSSL_ECC_SECP384R1: return ECC_SECP384R1_OID;
- #endif /* !NO_ECC_SECP */
- #ifdef HAVE_ECC_BRAINPOOL
- case WOLFSSL_ECC_BRAINPOOLP384R1: return ECC_BRAINPOOLP384R1_OID;
- #endif /* HAVE_ECC_BRAINPOOL */
- #endif
- #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
- #ifdef HAVE_ECC_BRAINPOOL
- case WOLFSSL_ECC_BRAINPOOLP512R1: return ECC_BRAINPOOLP512R1_OID;
- #endif /* HAVE_ECC_BRAINPOOL */
- #endif
- #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
- #ifndef NO_ECC_SECP
- case WOLFSSL_ECC_SECP521R1: return ECC_SECP521R1_OID;
- #endif /* !NO_ECC_SECP */
- #endif
- default: break;
- }
- return ret;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- /* Persistable DoServerKeyExchange arguments */
- typedef struct DskeArgs {
- byte* output; /* not allocated */
- #if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- byte* verifySig;
- #endif
- word32 idx;
- word32 begin;
- #if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- word16 verifySigSz;
- #endif
- word16 sigSz;
- byte sigAlgo;
- byte hashAlgo;
- #if !defined(NO_RSA) && defined(WC_RSA_PSS)
- int bits;
- #endif
- } DskeArgs;
- static void FreeDskeArgs(WOLFSSL* ssl, void* pArgs)
- {
- DskeArgs* args = (DskeArgs*)pArgs;
- (void)ssl;
- (void)args;
- #if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- if (args->verifySig) {
- XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- args->verifySig = NULL;
- }
- #endif
- }
- #ifndef NO_DH
- static int GetDhPublicKey(WOLFSSL* ssl, const byte* input, word32 size,
- DskeArgs* args)
- {
- int ret = 0;
- word16 length;
- #ifdef HAVE_FFDHE
- #ifdef HAVE_PUBLIC_FFDHE
- const DhParams* params = NULL;
- #endif
- word16 group = 0;
- #endif
- if (ssl->buffers.weOwnDH) {
- if (ssl->buffers.serverDH_P.buffer) {
- XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_P.buffer = NULL;
- }
- if (ssl->buffers.serverDH_G.buffer) {
- XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_G.buffer = NULL;
- }
- }
- if (ssl->buffers.serverDH_Pub.buffer) {
- XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_Pub.buffer = NULL;
- }
- /* p */
- if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_gdpk);
- }
- ato16(input + args->idx, &length);
- args->idx += OPAQUE16_LEN;
- if ((args->idx - args->begin) + length > size) {
- ERROR_OUT(BUFFER_ERROR, exit_gdpk);
- }
- if (length < ssl->options.minDhKeySz) {
- WOLFSSL_MSG("Server using a DH key that is too small");
- SendAlert(ssl, alert_fatal, handshake_failure);
- ERROR_OUT(DH_KEY_SIZE_E, exit_gdpk);
- }
- if (length > ssl->options.maxDhKeySz) {
- WOLFSSL_MSG("Server using a DH key that is too big");
- SendAlert(ssl, alert_fatal, handshake_failure);
- ERROR_OUT(DH_KEY_SIZE_E, exit_gdpk);
- }
- ssl->buffers.serverDH_P.buffer =
- (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- if (ssl->buffers.serverDH_P.buffer) {
- ssl->buffers.serverDH_P.length = length;
- }
- else {
- ERROR_OUT(MEMORY_ERROR, exit_gdpk);
- }
- XMEMCPY(ssl->buffers.serverDH_P.buffer, input + args->idx,
- length);
- args->idx += length;
- ssl->options.dhKeySz = length;
- /* g */
- if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
- XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_P.buffer = NULL;
- ERROR_OUT(BUFFER_ERROR, exit_gdpk);
- }
- ato16(input + args->idx, &length);
- args->idx += OPAQUE16_LEN;
- if ((args->idx - args->begin) + length > size) {
- XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_P.buffer = NULL;
- ERROR_OUT(BUFFER_ERROR, exit_gdpk);
- }
- if (length > ssl->options.maxDhKeySz) {
- WOLFSSL_MSG("Server using a DH key generator that is too big");
- SendAlert(ssl, alert_fatal, handshake_failure);
- XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_P.buffer = NULL;
- ERROR_OUT(DH_KEY_SIZE_E, exit_gdpk);
- }
- ssl->buffers.serverDH_G.buffer =
- (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- if (ssl->buffers.serverDH_G.buffer) {
- ssl->buffers.serverDH_G.length = length;
- }
- else {
- XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_P.buffer = NULL;
- ERROR_OUT(MEMORY_ERROR, exit_gdpk);
- }
- XMEMCPY(ssl->buffers.serverDH_G.buffer, input + args->idx,
- length);
- args->idx += length;
- /* pub */
- if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
- XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_P.buffer = NULL;
- XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_G.buffer = NULL;
- ERROR_OUT(BUFFER_ERROR, exit_gdpk);
- }
- ato16(input + args->idx, &length);
- args->idx += OPAQUE16_LEN;
- if ((args->idx - args->begin) + length > size) {
- XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_P.buffer = NULL;
- XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_G.buffer = NULL;
- ERROR_OUT(BUFFER_ERROR, exit_gdpk);
- }
- if (length > ssl->options.maxDhKeySz) {
- WOLFSSL_MSG("Server using a public DH key that is too big");
- SendAlert(ssl, alert_fatal, handshake_failure);
- XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_P.buffer = NULL;
- XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_G.buffer = NULL;
- ERROR_OUT(DH_KEY_SIZE_E, exit_gdpk);
- }
- ssl->buffers.serverDH_Pub.buffer =
- (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- if (ssl->buffers.serverDH_Pub.buffer) {
- ssl->buffers.serverDH_Pub.length = length;
- }
- else {
- XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_P.buffer = NULL;
- XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- ssl->buffers.serverDH_G.buffer = NULL;
- ERROR_OUT(MEMORY_ERROR, exit_gdpk);
- }
- XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + args->idx,
- length);
- ssl->buffers.weOwnDH = 1;
- args->idx += length;
- #ifdef HAVE_FFDHE
- switch (ssl->options.dhKeySz) {
- #ifdef HAVE_FFDHE_2048
- case 2048/8:
- #ifdef HAVE_PUBLIC_FFDHE
- params = wc_Dh_ffdhe2048_Get();
- #endif
- group = WOLFSSL_FFDHE_2048;
- break;
- #endif
- #ifdef HAVE_FFDHE_3072
- case 3072/8:
- #ifdef HAVE_PUBLIC_FFDHE
- params = wc_Dh_ffdhe3072_Get();
- #endif
- group = WOLFSSL_FFDHE_3072;
- break;
- #endif
- #ifdef HAVE_FFDHE_4096
- case 4096/8:
- #ifdef HAVE_PUBLIC_FFDHE
- params = wc_Dh_ffdhe4096_Get();
- #endif
- group = WOLFSSL_FFDHE_4096;
- break;
- #endif
- #ifdef HAVE_FFDHE_6144
- case 6144/8:
- #ifdef HAVE_PUBLIC_FFDHE
- params = wc_Dh_ffdhe6144_Get();
- #endif
- group = WOLFSSL_FFDHE_6144;
- break;
- #endif
- #ifdef HAVE_FFDHE_8192
- case 8192/8:
- #ifdef HAVE_PUBLIC_FFDHE
- params = wc_Dh_ffdhe8192_Get();
- #endif
- group = WOLFSSL_FFDHE_8192;
- break;
- #endif
- default:
- break;
- }
- #ifdef HAVE_PUBLIC_FFDHE
- if (params == NULL || params->g_len != ssl->buffers.serverDH_G.length ||
- (XMEMCMP(ssl->buffers.serverDH_G.buffer, params->g,
- params->g_len) != 0) ||
- (XMEMCMP(ssl->buffers.serverDH_P.buffer, params->p,
- params->p_len) != 0))
- #else
- if (!wc_DhCmpNamedKey(group, 1,
- ssl->buffers.serverDH_P.buffer, ssl->buffers.serverDH_P.length,
- ssl->buffers.serverDH_G.buffer, ssl->buffers.serverDH_G.length,
- NULL, 0))
- #endif
- {
- WOLFSSL_MSG("Server not using FFDHE parameters");
- #ifdef WOLFSSL_REQUIRE_FFDHE
- SendAlert(ssl, alert_fatal, handshake_failure);
- ERROR_OUT(DH_PARAMS_NOT_FFDHE_E, exit_gdpk);
- #endif
- }
- else {
- ssl->namedGroup = group;
- #if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
- !defined(HAVE_SELFTEST)
- ssl->options.dhDoKeyTest = 0;
- #endif
- }
- #endif /* HAVE_FFDHE */
- exit_gdpk:
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- return ret;
- }
- #endif
- /* handle processing of server_key_exchange (12) */
- static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
- word32* inOutIdx, word32 size)
- {
- int ret = 0;
- #ifdef WOLFSSL_ASYNC_CRYPT
- DskeArgs* args = NULL;
- WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
- #else
- DskeArgs args[1];
- #endif
- (void)input;
- (void)size;
- WOLFSSL_START(WC_FUNC_SERVER_KEY_EXCHANGE_DO);
- WOLFSSL_ENTER("DoServerKeyExchange");
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->async == NULL) {
- ssl->async = (struct WOLFSSL_ASYNC*)
- XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
- DYNAMIC_TYPE_ASYNC);
- if (ssl->async == NULL)
- ERROR_OUT(MEMORY_E, exit_dske);
- }
- args = (DskeArgs*)ssl->async->args;
- ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
- if (ret != WC_NOT_PENDING_E) {
- /* Check for error */
- if (ret < 0)
- goto exit_dske;
- }
- else
- #endif
- {
- /* Reset state */
- ret = 0;
- ssl->options.asyncState = TLS_ASYNC_BEGIN;
- XMEMSET(args, 0, sizeof(DskeArgs));
- args->idx = *inOutIdx;
- args->begin = *inOutIdx;
- args->sigAlgo = ssl->specs.sig_algo;
- args->hashAlgo = sha_mac;
- #ifdef WOLFSSL_ASYNC_CRYPT
- ssl->async->freeArgs = FreeDskeArgs;
- #endif
- }
- switch(ssl->options.asyncState)
- {
- case TLS_ASYNC_BEGIN:
- {
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "ServerKeyExchange");
- if (ssl->toInfoOn)
- AddLateName("ServerKeyExchange", &ssl->timeoutInfo);
- #endif
- switch(ssl->specs.kea)
- {
- #ifndef NO_PSK
- case psk_kea:
- {
- int srvHintLen;
- word16 length;
- if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dske);
- }
- ato16(input + args->idx, &length);
- args->idx += OPAQUE16_LEN;
- if ((args->idx - args->begin) + length > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dske);
- }
- /* get PSK server hint from the wire */
- srvHintLen = min(length, MAX_PSK_ID_LEN);
- XMEMCPY(ssl->arrays->server_hint, input + args->idx,
- srvHintLen);
- ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */
- args->idx += length;
- break;
- }
- #endif /* !NO_PSK */
- #ifndef NO_DH
- case diffie_hellman_kea:
- {
- ret = GetDhPublicKey(ssl, input, size, args);
- if (ret != 0)
- goto exit_dske;
- break;
- }
- #endif /* !NO_DH */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- case ecc_diffie_hellman_kea:
- {
- byte b;
- #ifdef HAVE_ECC
- int curveId;
- #endif
- int curveOid;
- word16 length;
- if ((args->idx - args->begin) + ENUM_LEN + OPAQUE16_LEN +
- OPAQUE8_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dske);
- }
- b = input[args->idx++];
- if (b != named_curve) {
- ERROR_OUT(ECC_CURVETYPE_ERROR, exit_dske);
- }
- args->idx += 1; /* curve type, eat leading 0 */
- b = input[args->idx++];
- if ((curveOid = CheckCurveId(b)) < 0) {
- ERROR_OUT(ECC_CURVE_ERROR, exit_dske);
- }
- ssl->ecdhCurveOID = curveOid;
- #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)
- ssl->namedGroup = 0;
- #endif
- length = input[args->idx++];
- if ((args->idx - args->begin) + length > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dske);
- }
- #ifdef HAVE_CURVE25519
- if (ssl->ecdhCurveOID == ECC_X25519_OID) {
- if (ssl->peerX25519Key == NULL) {
- ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519,
- (void**)&ssl->peerX25519Key);
- if (ret != 0) {
- goto exit_dske;
- }
- } else if (ssl->peerX25519KeyPresent) {
- ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE25519,
- ssl->peerX25519Key);
- ssl->peerX25519KeyPresent = 0;
- if (ret != 0) {
- goto exit_dske;
- }
- }
- if ((ret = wc_curve25519_check_public(
- input + args->idx, length,
- EC25519_LITTLE_ENDIAN)) != 0) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- if (ret == BUFFER_E)
- SendAlert(ssl, alert_fatal, decode_error);
- else if (ret == ECC_OUT_OF_RANGE_E)
- SendAlert(ssl, alert_fatal, bad_record_mac);
- else {
- SendAlert(ssl, alert_fatal, illegal_parameter);
- }
- #endif
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
- }
- if (wc_curve25519_import_public_ex(input + args->idx,
- length, ssl->peerX25519Key,
- EC25519_LITTLE_ENDIAN) != 0) {
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
- }
- args->idx += length;
- ssl->peerX25519KeyPresent = 1;
- break;
- }
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->ecdhCurveOID == ECC_X448_OID) {
- if (ssl->peerX448Key == NULL) {
- ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE448,
- (void**)&ssl->peerX448Key);
- if (ret != 0) {
- goto exit_dske;
- }
- } else if (ssl->peerX448KeyPresent) {
- ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE448,
- ssl->peerX448Key);
- ssl->peerX448KeyPresent = 0;
- if (ret != 0) {
- goto exit_dske;
- }
- }
- if ((ret = wc_curve448_check_public(
- input + args->idx, length,
- EC448_LITTLE_ENDIAN)) != 0) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- if (ret == BUFFER_E)
- SendAlert(ssl, alert_fatal, decode_error);
- else if (ret == ECC_OUT_OF_RANGE_E)
- SendAlert(ssl, alert_fatal, bad_record_mac);
- else {
- SendAlert(ssl, alert_fatal, illegal_parameter);
- }
- #endif
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
- }
- if (wc_curve448_import_public_ex(input + args->idx,
- length, ssl->peerX448Key,
- EC448_LITTLE_ENDIAN) != 0) {
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
- }
- args->idx += length;
- ssl->peerX448KeyPresent = 1;
- break;
- }
- #endif
- #ifdef HAVE_ECC
- if (ssl->peerEccKey == NULL) {
- ret = AllocKey(ssl, DYNAMIC_TYPE_ECC,
- (void**)&ssl->peerEccKey);
- if (ret != 0) {
- goto exit_dske;
- }
- } else if (ssl->peerEccKeyPresent) {
- ret = ReuseKey(ssl, DYNAMIC_TYPE_ECC, ssl->peerEccKey);
- ssl->peerEccKeyPresent = 0;
- if (ret != 0) {
- goto exit_dske;
- }
- }
- curveId = wc_ecc_get_oid(curveOid, NULL, NULL);
- if (wc_ecc_import_x963_ex(input + args->idx, length,
- ssl->peerEccKey, curveId) != 0) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- SendAlert(ssl, alert_fatal, illegal_parameter);
- #endif
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
- }
- args->idx += length;
- ssl->peerEccKeyPresent = 1;
- #endif
- break;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #if !defined(NO_DH) && !defined(NO_PSK)
- case dhe_psk_kea:
- {
- int srvHintLen;
- word16 length;
- if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dske);
- }
- ato16(input + args->idx, &length);
- args->idx += OPAQUE16_LEN;
- if ((args->idx - args->begin) + length > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dske);
- }
- /* get PSK server hint from the wire */
- srvHintLen = min(length, MAX_PSK_ID_LEN);
- XMEMCPY(ssl->arrays->server_hint, input + args->idx,
- srvHintLen);
- ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */
- args->idx += length;
- ret = GetDhPublicKey(ssl, input, size, args);
- if (ret != 0)
- goto exit_dske;
- break;
- }
- #endif /* !NO_DH && !NO_PSK */
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && !defined(NO_PSK)
- case ecdhe_psk_kea:
- {
- byte b;
- int curveOid, curveId;
- int srvHintLen;
- word16 length;
- if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dske);
- }
- ato16(input + args->idx, &length);
- args->idx += OPAQUE16_LEN;
- if ((args->idx - args->begin) + length > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dske);
- }
- /* get PSK server hint from the wire */
- srvHintLen = min(length, MAX_PSK_ID_LEN);
- XMEMCPY(ssl->arrays->server_hint, input + args->idx,
- srvHintLen);
- ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */
- args->idx += length;
- if ((args->idx - args->begin) + ENUM_LEN + OPAQUE16_LEN +
- OPAQUE8_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dske);
- }
- /* Check curve name and ID */
- b = input[args->idx++];
- if (b != named_curve) {
- ERROR_OUT(ECC_CURVETYPE_ERROR, exit_dske);
- }
- args->idx += 1; /* curve type, eat leading 0 */
- b = input[args->idx++];
- if ((curveOid = CheckCurveId(b)) < 0) {
- ERROR_OUT(ECC_CURVE_ERROR, exit_dske);
- }
- length = input[args->idx++];
- if ((args->idx - args->begin) + length > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dske);
- }
- #ifdef HAVE_CURVE25519
- if (ssl->ecdhCurveOID == ECC_X25519_OID) {
- if (ssl->peerX25519Key == NULL) {
- ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519,
- (void**)&ssl->peerX25519Key);
- if (ret != 0) {
- goto exit_dske;
- }
- } else if (ssl->peerEccKeyPresent) {
- ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE25519,
- ssl->peerX25519Key);
- ssl->peerX25519KeyPresent = 0;
- if (ret != 0) {
- goto exit_dske;
- }
- }
- if ((ret = wc_curve25519_check_public(
- input + args->idx, length,
- EC25519_LITTLE_ENDIAN)) != 0) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- if (ret == BUFFER_E)
- SendAlert(ssl, alert_fatal, decode_error);
- else if (ret == ECC_OUT_OF_RANGE_E)
- SendAlert(ssl, alert_fatal, bad_record_mac);
- else {
- SendAlert(ssl, alert_fatal, illegal_parameter);
- }
- #endif
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
- }
- if (wc_curve25519_import_public_ex(input + args->idx,
- length, ssl->peerX25519Key,
- EC25519_LITTLE_ENDIAN) != 0) {
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
- }
- args->idx += length;
- ssl->peerX25519KeyPresent = 1;
- break;
- }
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->ecdhCurveOID == ECC_X448_OID) {
- if (ssl->peerX448Key == NULL) {
- ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE448,
- (void**)&ssl->peerX448Key);
- if (ret != 0) {
- goto exit_dske;
- }
- } else if (ssl->peerEccKeyPresent) {
- ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE448,
- ssl->peerX448Key);
- ssl->peerX448KeyPresent = 0;
- if (ret != 0) {
- goto exit_dske;
- }
- }
- if ((ret = wc_curve448_check_public(
- input + args->idx, length,
- EC448_LITTLE_ENDIAN)) != 0) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- if (ret == BUFFER_E)
- SendAlert(ssl, alert_fatal, decode_error);
- else if (ret == ECC_OUT_OF_RANGE_E)
- SendAlert(ssl, alert_fatal, bad_record_mac);
- else {
- SendAlert(ssl, alert_fatal, illegal_parameter);
- }
- #endif
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
- }
- if (wc_curve448_import_public_ex(input + args->idx,
- length, ssl->peerX448Key,
- EC448_LITTLE_ENDIAN) != 0) {
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
- }
- args->idx += length;
- ssl->peerX448KeyPresent = 1;
- break;
- }
- #endif
- if (ssl->peerEccKey == NULL) {
- ret = AllocKey(ssl, DYNAMIC_TYPE_ECC,
- (void**)&ssl->peerEccKey);
- if (ret != 0) {
- goto exit_dske;
- }
- } else if (ssl->peerEccKeyPresent) {
- ret = ReuseKey(ssl, DYNAMIC_TYPE_ECC, ssl->peerEccKey);
- ssl->peerEccKeyPresent = 0;
- if (ret != 0) {
- goto exit_dske;
- }
- }
- curveId = wc_ecc_get_oid(curveOid, NULL, NULL);
- if (wc_ecc_import_x963_ex(input + args->idx, length,
- ssl->peerEccKey, curveId) != 0) {
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
- }
- args->idx += length;
- ssl->peerEccKeyPresent = 1;
- break;
- }
- #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */
- default:
- ret = BAD_KEA_TYPE_E;
- } /* switch(ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_dske;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_BUILD;
- } /* case TLS_ASYNC_BEGIN */
- FALL_THROUGH;
- case TLS_ASYNC_BUILD:
- {
- switch(ssl->specs.kea)
- {
- case psk_kea:
- case dhe_psk_kea:
- case ecdhe_psk_kea:
- {
- /* Nothing to do in this sub-state */
- break;
- }
- case diffie_hellman_kea:
- case ecc_diffie_hellman_kea:
- {
- #if defined(NO_DH) && !defined(HAVE_ECC) && \
- !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448)
- ERROR_OUT(NOT_COMPILED_IN, exit_dske);
- #else
- enum wc_HashType hashType;
- word16 verifySz;
- byte sigAlgo;
- if (ssl->options.usingAnon_cipher) {
- break;
- }
- verifySz = (word16)(args->idx - args->begin);
- if (verifySz > MAX_DH_SZ) {
- ERROR_OUT(BUFFER_ERROR, exit_dske);
- }
- if (IsAtLeastTLSv1_2(ssl)) {
- if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN >
- size) {
- ERROR_OUT(BUFFER_ERROR, exit_dske);
- }
- DecodeSigAlg(&input[args->idx], &args->hashAlgo,
- &sigAlgo);
- #ifndef NO_RSA
- if (sigAlgo == rsa_pss_sa_algo &&
- args->sigAlgo == rsa_sa_algo) {
- args->sigAlgo = sigAlgo;
- }
- else
- #endif
- #ifdef HAVE_ED25519
- if (sigAlgo == ed25519_sa_algo &&
- args->sigAlgo == ecc_dsa_sa_algo) {
- args->sigAlgo = sigAlgo;
- }
- else
- #endif
- #ifdef HAVE_ED448
- if (sigAlgo == ed448_sa_algo &&
- args->sigAlgo == ecc_dsa_sa_algo) {
- args->sigAlgo = sigAlgo;
- }
- else
- #endif
- /* Signature algorithm from message must match signature
- * algorithm in cipher suite. */
- if (sigAlgo != args->sigAlgo) {
- ERROR_OUT(ALGO_ID_E, exit_dske);
- }
- args->idx += 2;
- hashType = HashAlgoToType(args->hashAlgo);
- if (hashType == WC_HASH_TYPE_NONE) {
- ERROR_OUT(ALGO_ID_E, exit_dske);
- }
- } else {
- /* only using sha and md5 for rsa */
- #ifndef NO_OLD_TLS
- hashType = WC_HASH_TYPE_SHA;
- if (args->sigAlgo == rsa_sa_algo) {
- hashType = WC_HASH_TYPE_MD5_SHA;
- }
- #else
- ERROR_OUT(ALGO_ID_E, exit_dske);
- #endif
- }
- /* signature */
- if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dske);
- }
- ato16(input + args->idx, &args->verifySigSz);
- args->idx += OPAQUE16_LEN;
- if ((args->idx - args->begin) + args->verifySigSz > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dske);
- }
- ret = HashSkeData(ssl, hashType, input + args->begin,
- verifySz, args->sigAlgo);
- if (ret != 0) {
- goto exit_dske;
- }
- switch (args->sigAlgo)
- {
- #ifndef NO_RSA
- #ifdef WC_RSA_PSS
- case rsa_pss_sa_algo:
- #endif
- case rsa_sa_algo:
- {
- if (ssl->peerRsaKey == NULL ||
- !ssl->peerRsaKeyPresent) {
- ERROR_OUT(NO_PEER_KEY, exit_dske);
- }
- break;
- }
- #endif /* !NO_RSA */
- #ifdef HAVE_ECC
- case ecc_dsa_sa_algo:
- {
- if (!ssl->peerEccDsaKeyPresent) {
- ERROR_OUT(NO_PEER_KEY, exit_dske);
- }
- break;
- }
- #endif /* HAVE_ECC */
- #if defined(HAVE_ED25519)
- case ed25519_sa_algo:
- {
- if (!ssl->peerEd25519KeyPresent) {
- ERROR_OUT(NO_PEER_KEY, exit_dske);
- }
- break;
- }
- #endif /* HAVE_ED25519 */
- #if defined(HAVE_ED448)
- case ed448_sa_algo:
- {
- if (!ssl->peerEd448KeyPresent) {
- ERROR_OUT(NO_PEER_KEY, exit_dske);
- }
- break;
- }
- #endif /* HAVE_ED448 */
- default:
- ret = ALGO_ID_E;
- } /* switch (args->sigAlgo) */
- #endif /* NO_DH && !HAVE_ECC && !HAVE_ED25519 && !HAVE_ED448 */
- break;
- }
- default:
- ret = BAD_KEA_TYPE_E;
- } /* switch(ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_dske;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_DO;
- } /* case TLS_ASYNC_BUILD */
- FALL_THROUGH;
- case TLS_ASYNC_DO:
- {
- switch(ssl->specs.kea)
- {
- case psk_kea:
- case dhe_psk_kea:
- case ecdhe_psk_kea:
- {
- /* Nothing to do in this sub-state */
- break;
- }
- case diffie_hellman_kea:
- case ecc_diffie_hellman_kea:
- {
- #if defined(NO_DH) && !defined(HAVE_ECC) && \
- !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448)
- ERROR_OUT(NOT_COMPILED_IN, exit_dske);
- #else
- if (ssl->options.usingAnon_cipher) {
- break;
- }
- if (args->verifySig == NULL) {
- args->verifySig = (byte*)XMALLOC(args->verifySigSz,
- ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- if (args->verifySig == NULL) {
- ERROR_OUT(MEMORY_E, exit_dske);
- }
- XMEMCPY(args->verifySig, input + args->idx,
- args->verifySigSz);
- }
- switch (args->sigAlgo)
- {
- #ifndef NO_RSA
- #ifdef WC_RSA_PSS
- case rsa_pss_sa_algo:
- #endif
- case rsa_sa_algo:
- {
- ret = RsaVerify(ssl,
- args->verifySig, args->verifySigSz,
- &args->output,
- args->sigAlgo, args->hashAlgo,
- ssl->peerRsaKey,
- #ifdef HAVE_PK_CALLBACKS
- &ssl->buffers.peerRsaKey
- #else
- NULL
- #endif
- );
- if (ret >= 0) {
- args->sigSz = (word16)ret;
- #ifdef WC_RSA_PSS
- args->bits = mp_count_bits(&ssl->peerRsaKey->n);
- #endif
- ret = 0;
- }
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret != WC_PENDING_E)
- #endif
- {
- /* peerRsaKey */
- FreeKey(ssl, DYNAMIC_TYPE_RSA,
- (void**)&ssl->peerRsaKey);
- ssl->peerRsaKeyPresent = 0;
- }
- break;
- }
- #endif /* !NO_RSA */
- #ifdef HAVE_ECC
- case ecc_dsa_sa_algo:
- {
- ret = NOT_COMPILED_IN;
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx && ssl->ctx->ProcessServerSigKexCb) {
- ret = ssl->ctx->ProcessServerSigKexCb(ssl,
- args->sigAlgo,
- args->verifySig, args->verifySigSz,
- ssl->buffers.sig.buffer, SEED_LEN,
- &ssl->buffers.sig.buffer[SEED_LEN],
- (ssl->buffers.sig.length - SEED_LEN));
- }
- #endif /* HAVE_PK_CALLBACKS */
- if (ret == NOT_COMPILED_IN) {
- ret = EccVerify(ssl,
- args->verifySig, args->verifySigSz,
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- ssl->peerEccDsaKey,
- #ifdef HAVE_PK_CALLBACKS
- &ssl->buffers.peerEccDsaKey
- #else
- NULL
- #endif
- );
- }
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret != WC_PENDING_E)
- #endif
- {
- /* peerEccDsaKey */
- FreeKey(ssl, DYNAMIC_TYPE_ECC,
- (void**)&ssl->peerEccDsaKey);
- ssl->peerEccDsaKeyPresent = 0;
- }
- /* CLIENT: Data verified with cert's public key. */
- ssl->options.peerAuthGood =
- ssl->options.havePeerCert && (ret == 0);
- break;
- }
- #endif /* HAVE_ECC */
- #if defined(HAVE_ED25519)
- case ed25519_sa_algo:
- {
- ret = Ed25519Verify(ssl,
- args->verifySig, args->verifySigSz,
- ssl->buffers.sig.buffer,
- ssl->buffers.sig.length,
- ssl->peerEd25519Key,
- #ifdef HAVE_PK_CALLBACKS
- &ssl->buffers.peerEd25519Key
- #else
- NULL
- #endif
- );
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret != WC_PENDING_E)
- #endif
- {
- /* peerEccDsaKey */
- FreeKey(ssl, DYNAMIC_TYPE_ED25519,
- (void**)&ssl->peerEd25519Key);
- ssl->peerEd25519KeyPresent = 0;
- }
- /* CLIENT: Data verified with cert's public key. */
- ssl->options.peerAuthGood =
- ssl->options.havePeerCert && (ret == 0);
- break;
- }
- #endif /* HAVE_ED25519 */
- #if defined(HAVE_ED448)
- case ed448_sa_algo:
- {
- ret = Ed448Verify(ssl,
- args->verifySig, args->verifySigSz,
- ssl->buffers.sig.buffer,
- ssl->buffers.sig.length,
- ssl->peerEd448Key,
- #ifdef HAVE_PK_CALLBACKS
- &ssl->buffers.peerEd448Key
- #else
- NULL
- #endif
- );
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret != WC_PENDING_E)
- #endif
- {
- /* peerEccDsaKey */
- FreeKey(ssl, DYNAMIC_TYPE_ED448,
- (void**)&ssl->peerEd448Key);
- ssl->peerEd448KeyPresent = 0;
- }
- /* CLIENT: Data verified with cert's public key. */
- ssl->options.peerAuthGood =
- ssl->options.havePeerCert && (ret == 0);
- break;
- }
- #endif /* HAVE_ED448 */
- default:
- ret = ALGO_ID_E;
- } /* switch (sigAlgo) */
- #endif /* NO_DH && !HAVE_ECC && !HAVE_ED25519 && !HAVE_ED448 */
- break;
- }
- default:
- ret = BAD_KEA_TYPE_E;
- } /* switch(ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_dske;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_VERIFY;
- } /* case TLS_ASYNC_DO */
- FALL_THROUGH;
- case TLS_ASYNC_VERIFY:
- {
- switch(ssl->specs.kea)
- {
- case psk_kea:
- case dhe_psk_kea:
- case ecdhe_psk_kea:
- {
- /* Nothing to do in this sub-state */
- break;
- }
- case diffie_hellman_kea:
- case ecc_diffie_hellman_kea:
- {
- #if defined(NO_DH) && !defined(HAVE_ECC) && \
- !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448)
- ERROR_OUT(NOT_COMPILED_IN, exit_dske);
- #else
- if (ssl->options.usingAnon_cipher) {
- break;
- }
- /* increment index after verify is done */
- args->idx += args->verifySigSz;
- switch(args->sigAlgo)
- {
- #ifndef NO_RSA
- #ifdef WC_RSA_PSS
- case rsa_pss_sa_algo:
- #ifdef HAVE_SELFTEST
- ret = wc_RsaPSS_CheckPadding(
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- args->output, args->sigSz,
- HashAlgoToType(args->hashAlgo));
- #else
- ret = wc_RsaPSS_CheckPadding_ex(
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- args->output, args->sigSz,
- HashAlgoToType(args->hashAlgo),
- -1, args->bits);
- #endif
- if (ret != 0)
- goto exit_dske;
- /* CLIENT: Data verified with cert's public key. */
- ssl->options.peerAuthGood =
- ssl->options.havePeerCert;
- break;
- #endif
- case rsa_sa_algo:
- {
- #if (defined(WOLFSSL_RENESAS_SCEPROTECT) && \
- defined(WOLFSSL_RENESAS_SCEPROTECT_ECC)) || \
- defined(WOLFSSL_RENESAS_TSIP_TLS)
- /* already checked signature result by SCE */
- /* skip the sign checks below */
- if (Renesas_cmn_usable(ssl, 0)) {
- break;
- }
- #endif
- if (IsAtLeastTLSv1_2(ssl)) {
- #ifdef WOLFSSL_SMALL_STACK
- byte* encodedSig;
- #else
- byte encodedSig[MAX_ENCODED_SIG_SZ];
- #endif
- word32 encSigSz;
- #ifdef WOLFSSL_SMALL_STACK
- encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ,
- ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- if (encodedSig == NULL) {
- ERROR_OUT(MEMORY_E, exit_dske);
- }
- #endif
- encSigSz = wc_EncodeSignature(encodedSig,
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- TypeHash(args->hashAlgo));
- if (encSigSz != args->sigSz || !args->output ||
- XMEMCMP(args->output, encodedSig,
- min(encSigSz, MAX_ENCODED_SIG_SZ)) != 0) {
- ret = VERIFY_SIGN_ERROR;
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(encodedSig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- #endif
- if (ret != 0) {
- goto exit_dske;
- }
- }
- else if (args->sigSz != FINISHED_SZ ||
- !args->output ||
- XMEMCMP(args->output,
- ssl->buffers.digest.buffer,
- FINISHED_SZ) != 0) {
- ERROR_OUT(VERIFY_SIGN_ERROR, exit_dske);
- }
- /* CLIENT: Data verified with cert's public key. */
- ssl->options.peerAuthGood =
- ssl->options.havePeerCert;
- break;
- }
- #endif /* !NO_RSA */
- #ifdef HAVE_ECC
- case ecc_dsa_sa_algo:
- /* Nothing to do in this algo */
- break;
- #endif /* HAVE_ECC */
- #if defined(HAVE_ED25519)
- case ed25519_sa_algo:
- /* Nothing to do in this algo */
- break;
- #endif /* HAVE_ED25519 */
- #if defined(HAVE_ED448)
- case ed448_sa_algo:
- /* Nothing to do in this algo */
- break;
- #endif /* HAVE_ED448 */
- default:
- ret = ALGO_ID_E;
- } /* switch (sigAlgo) */
- #endif /* NO_DH && !HAVE_ECC && !HAVE_ED25519 && !HAVE_ED448 */
- break;
- }
- default:
- ret = BAD_KEA_TYPE_E;
- } /* switch(ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_dske;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_FINALIZE;
- } /* case TLS_ASYNC_VERIFY */
- FALL_THROUGH;
- case TLS_ASYNC_FINALIZE:
- {
- if (IsEncryptionOn(ssl, 0)) {
- args->idx += ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead)
- args->idx += MacSize(ssl);
- #endif
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_END;
- } /* case TLS_ASYNC_FINALIZE */
- FALL_THROUGH;
- case TLS_ASYNC_END:
- {
- /* return index */
- *inOutIdx = args->idx;
- ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
- break;
- }
- default:
- ret = INPUT_CASE_ERROR;
- } /* switch(ssl->options.asyncState) */
- exit_dske:
- WOLFSSL_LEAVE("DoServerKeyExchange", ret);
- WOLFSSL_END(WC_FUNC_SERVER_KEY_EXCHANGE_DO);
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* Handle async operation */
- if (ret == WC_PENDING_E) {
- /* Mark message as not received so it can process again */
- ssl->msgsReceived.got_server_key_exchange = 0;
- return ret;
- }
- /* Cleanup async */
- FreeAsyncCtx(ssl, 0);
- #else
- FreeDskeArgs(ssl, args);
- #endif /* WOLFSSL_ASYNC_CRYPT */
- /* Final cleanup */
- FreeKeyExchange(ssl);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- return ret;
- }
- typedef struct SckeArgs {
- byte* output; /* not allocated */
- byte* encSecret;
- byte* input;
- word32 encSz;
- word32 length;
- int sendSz;
- int inputSz;
- } SckeArgs;
- static void FreeSckeArgs(WOLFSSL* ssl, void* pArgs)
- {
- SckeArgs* args = (SckeArgs*)pArgs;
- (void)ssl;
- if (args->encSecret) {
- XFREE(args->encSecret, ssl->heap, DYNAMIC_TYPE_SECRET);
- args->encSecret = NULL;
- }
- if (args->input) {
- XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- args->input = NULL;
- }
- }
- /* handle generation client_key_exchange (16) */
- int SendClientKeyExchange(WOLFSSL* ssl)
- {
- int ret = 0;
- #ifdef WOLFSSL_ASYNC_IO
- SckeArgs* args = NULL;
- WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
- #else
- SckeArgs args[1];
- #endif
- WOLFSSL_START(WC_FUNC_CLIENT_KEY_EXCHANGE_SEND);
- WOLFSSL_ENTER("SendClientKeyExchange");
- #ifdef OPENSSL_EXTRA
- ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
- ssl->cbmode = SSL_CB_MODE_WRITE;
- if (ssl->CBIS != NULL)
- ssl->CBIS(ssl, SSL_CB_CONNECT_LOOP, WOLFSSL_SUCCESS);
- #endif
- #ifdef WOLFSSL_ASYNC_IO
- if (ssl->async == NULL) {
- ssl->async = (struct WOLFSSL_ASYNC*)
- XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
- DYNAMIC_TYPE_ASYNC);
- if (ssl->async == NULL)
- ERROR_OUT(MEMORY_E, exit_scke);
- XMEMSET(ssl->async, 0, sizeof(struct WOLFSSL_ASYNC));
- }
- args = (SckeArgs*)ssl->async->args;
- #ifdef WOLFSSL_ASYNC_CRYPT
- ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
- if (ret != WC_NOT_PENDING_E) {
- /* Check for error */
- if (ret < 0)
- goto exit_scke;
- }
- else
- #endif
- if (ssl->options.buildingMsg) {
- /* Continue building the message */
- }
- else
- #endif
- {
- /* Reset state */
- ret = 0;
- ssl->options.asyncState = TLS_ASYNC_BEGIN;
- XMEMSET(args, 0, sizeof(SckeArgs));
- /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
- * is not advanced yet */
- ssl->options.buildingMsg = 1;
- #ifdef WOLFSSL_ASYNC_IO
- ssl->async->freeArgs = FreeSckeArgs;
- #endif
- }
- switch(ssl->options.asyncState)
- {
- case TLS_ASYNC_BEGIN:
- {
- switch (ssl->specs.kea) {
- #ifndef NO_RSA
- case rsa_kea:
- if (ssl->peerRsaKey == NULL ||
- ssl->peerRsaKeyPresent == 0) {
- ERROR_OUT(NO_PEER_KEY, exit_scke);
- }
- break;
- #endif
- #ifndef NO_DH
- case diffie_hellman_kea:
- if (ssl->buffers.serverDH_P.buffer == NULL ||
- ssl->buffers.serverDH_G.buffer == NULL ||
- ssl->buffers.serverDH_Pub.buffer == NULL) {
- ERROR_OUT(NO_PEER_KEY, exit_scke);
- }
- break;
- #endif /* NO_DH */
- #ifndef NO_PSK
- case psk_kea:
- /* sanity check that PSK client callback has been set */
- if (ssl->options.client_psk_cb == NULL) {
- WOLFSSL_MSG("No client PSK callback set");
- ERROR_OUT(PSK_KEY_ERROR, exit_scke);
- }
- break;
- #endif /* NO_PSK */
- #if !defined(NO_DH) && !defined(NO_PSK)
- case dhe_psk_kea:
- if (ssl->buffers.serverDH_P.buffer == NULL ||
- ssl->buffers.serverDH_G.buffer == NULL ||
- ssl->buffers.serverDH_Pub.buffer == NULL) {
- ERROR_OUT(NO_PEER_KEY, exit_scke);
- }
- /* sanity check that PSK client callback has been set */
- if (ssl->options.client_psk_cb == NULL) {
- WOLFSSL_MSG("No client PSK callback set");
- ERROR_OUT(PSK_KEY_ERROR, exit_scke);
- }
- break;
- #endif /* !NO_DH && !NO_PSK */
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && !defined(NO_PSK)
- case ecdhe_psk_kea:
- /* sanity check that PSK client callback has been set */
- if (ssl->options.client_psk_cb == NULL) {
- WOLFSSL_MSG("No client PSK callback set");
- ERROR_OUT(PSK_KEY_ERROR, exit_scke);
- }
- #ifdef HAVE_CURVE25519
- if (ssl->peerX25519KeyPresent) {
- /* Check client ECC public key */
- if (!ssl->peerX25519Key || !ssl->peerX25519Key->dp) {
- ERROR_OUT(NO_PEER_KEY, exit_scke);
- }
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->X25519SharedSecretCb != NULL) {
- break;
- }
- #endif
- /* create private key */
- ssl->hsType = DYNAMIC_TYPE_CURVE25519;
- ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
- if (ret != 0) {
- goto exit_scke;
- }
- ret = X25519MakeKey(ssl, (curve25519_key*)ssl->hsKey,
- ssl->peerX25519Key);
- break;
- }
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->peerX448KeyPresent) {
- /* Check client ECC public key */
- if (!ssl->peerX448Key) {
- ERROR_OUT(NO_PEER_KEY, exit_scke);
- }
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->X448SharedSecretCb != NULL) {
- break;
- }
- #endif
- /* create private key */
- ssl->hsType = DYNAMIC_TYPE_CURVE448;
- ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
- if (ret != 0) {
- goto exit_scke;
- }
- ret = X448MakeKey(ssl, (curve448_key*)ssl->hsKey,
- ssl->peerX448Key);
- break;
- }
- #endif
- /* Check client ECC public key */
- if (!ssl->peerEccKey || !ssl->peerEccKeyPresent ||
- !ssl->peerEccKey->dp) {
- ERROR_OUT(NO_PEER_KEY, exit_scke);
- }
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->EccSharedSecretCb != NULL) {
- break;
- }
- #endif
- /* create ephemeral private key */
- ssl->hsType = DYNAMIC_TYPE_ECC;
- ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
- if (ret != 0) {
- goto exit_scke;
- }
- ret = EccMakeKey(ssl, (ecc_key*)ssl->hsKey, ssl->peerEccKey);
- break;
- #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- case ecc_diffie_hellman_kea:
- {
- #ifdef HAVE_ECC
- ecc_key* peerKey;
- #endif
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- #ifdef HAVE_CURVE25519
- if (ssl->ecdhCurveOID == ECC_X25519_OID) {
- if (ssl->ctx->X25519SharedSecretCb != NULL)
- break;
- }
- else
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->ecdhCurveOID == ECC_X448_OID) {
- if (ssl->ctx->X448SharedSecretCb != NULL)
- break;
- }
- else
- #endif
- #ifdef HAVE_ECC
- if (ssl->ctx->EccSharedSecretCb != NULL) {
- break;
- }
- else
- #endif
- {
- }
- #endif /* HAVE_PK_CALLBACKS */
- #ifdef HAVE_CURVE25519
- if (ssl->peerX25519KeyPresent) {
- if (!ssl->peerX25519Key || !ssl->peerX25519Key->dp) {
- ERROR_OUT(NO_PEER_KEY, exit_scke);
- }
- /* create private key */
- ssl->hsType = DYNAMIC_TYPE_CURVE25519;
- ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
- if (ret != 0) {
- goto exit_scke;
- }
- ret = X25519MakeKey(ssl, (curve25519_key*)ssl->hsKey,
- ssl->peerX25519Key);
- break;
- }
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->peerX448KeyPresent) {
- if (!ssl->peerX448Key) {
- ERROR_OUT(NO_PEER_KEY, exit_scke);
- }
- /* create private key */
- ssl->hsType = DYNAMIC_TYPE_CURVE448;
- ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
- if (ret != 0) {
- goto exit_scke;
- }
- ret = X448MakeKey(ssl, (curve448_key*)ssl->hsKey,
- ssl->peerX448Key);
- break;
- }
- #endif
- #ifdef HAVE_ECC
- if (ssl->specs.static_ecdh) {
- /* Note: EccDsa is really fixed Ecc key here */
- if (!ssl->peerEccDsaKey || !ssl->peerEccDsaKeyPresent) {
- ERROR_OUT(NO_PEER_KEY, exit_scke);
- }
- peerKey = ssl->peerEccDsaKey;
- }
- else {
- if (!ssl->peerEccKey || !ssl->peerEccKeyPresent) {
- ERROR_OUT(NO_PEER_KEY, exit_scke);
- }
- peerKey = ssl->peerEccKey;
- }
- if (peerKey == NULL) {
- ERROR_OUT(NO_PEER_KEY, exit_scke);
- }
- /* create ephemeral private key */
- ssl->hsType = DYNAMIC_TYPE_ECC;
- ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
- if (ret != 0) {
- goto exit_scke;
- }
- ret = EccMakeKey(ssl, (ecc_key*)ssl->hsKey, peerKey);
- #endif /* HAVE_ECC */
- break;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- default:
- ret = BAD_KEA_TYPE_E;
- } /* switch(ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_scke;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_BUILD;
- } /* case TLS_ASYNC_BEGIN */
- FALL_THROUGH;
- case TLS_ASYNC_BUILD:
- {
- args->encSz = MAX_ENCRYPT_SZ;
- args->encSecret = (byte*)XMALLOC(MAX_ENCRYPT_SZ, ssl->heap,
- DYNAMIC_TYPE_SECRET);
- if (args->encSecret == NULL) {
- ERROR_OUT(MEMORY_E, exit_scke);
- }
- if (ssl->arrays->preMasterSecret == NULL) {
- ssl->arrays->preMasterSz = ENCRYPT_LEN;
- ssl->arrays->preMasterSecret = (byte*)XMALLOC(ENCRYPT_LEN,
- ssl->heap, DYNAMIC_TYPE_SECRET);
- if (ssl->arrays->preMasterSecret == NULL) {
- ERROR_OUT(MEMORY_E, exit_scke);
- }
- XMEMSET(ssl->arrays->preMasterSecret, 0, ENCRYPT_LEN);
- }
- switch(ssl->specs.kea)
- {
- #ifndef NO_RSA
- case rsa_kea:
- {
- #ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->GenPreMasterCb) {
- void* ctx = wolfSSL_GetGenPreMasterCtx(ssl);
- ret = ssl->ctx->GenPreMasterCb(ssl,
- ssl->arrays->preMasterSecret, ENCRYPT_LEN, ctx);
- if (ret != 0 && ret != PROTOCOLCB_UNAVAILABLE) {
- goto exit_scke;
- }
- }
- if (!ssl->ctx->GenPreMasterCb || ret == PROTOCOLCB_UNAVAILABLE)
- #endif
- {
- /* build PreMasterSecret with RNG data */
- ret = wc_RNG_GenerateBlock(ssl->rng,
- &ssl->arrays->preMasterSecret[VERSION_SZ],
- SECRET_LEN - VERSION_SZ);
- if (ret != 0) {
- goto exit_scke;
- }
- ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
- ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
- ssl->arrays->preMasterSz = SECRET_LEN;
- }
- break;
- }
- #endif /* !NO_RSA */
- #ifndef NO_DH
- case diffie_hellman_kea:
- {
- ssl->buffers.sig.length = ENCRYPT_LEN;
- ssl->buffers.sig.buffer = (byte*)XMALLOC(ENCRYPT_LEN,
- ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- if (ssl->buffers.sig.buffer == NULL) {
- ERROR_OUT(MEMORY_E, exit_scke);
- }
- ret = AllocKey(ssl, DYNAMIC_TYPE_DH,
- (void**)&ssl->buffers.serverDH_Key);
- if (ret != 0) {
- goto exit_scke;
- }
- #if defined(HAVE_FFDHE) && !defined(HAVE_PUBLIC_FFDHE)
- if (ssl->namedGroup) {
- ret = wc_DhSetNamedKey(ssl->buffers.serverDH_Key,
- ssl->namedGroup);
- if (ret != 0) {
- goto exit_scke;
- }
- ssl->buffers.sig.length =
- wc_DhGetNamedKeyMinSize(ssl->namedGroup);
- }
- else
- #endif
- #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
- !defined(WOLFSSL_OLD_PRIME_CHECK)
- if (ssl->options.dhDoKeyTest &&
- !ssl->options.dhKeyTested)
- {
- ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key,
- ssl->buffers.serverDH_P.buffer,
- ssl->buffers.serverDH_P.length,
- ssl->buffers.serverDH_G.buffer,
- ssl->buffers.serverDH_G.length,
- NULL, 0, 0, ssl->rng);
- if (ret != 0) {
- goto exit_scke;
- }
- ssl->options.dhKeyTested = 1;
- }
- else
- #endif
- {
- ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
- ssl->buffers.serverDH_P.buffer,
- ssl->buffers.serverDH_P.length,
- ssl->buffers.serverDH_G.buffer,
- ssl->buffers.serverDH_G.length);
- if (ret != 0) {
- goto exit_scke;
- }
- }
- /* for DH, encSecret is Yc, agree is pre-master */
- ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key,
- ssl->buffers.sig.buffer, (word32*)&ssl->buffers.sig.length,
- args->encSecret, &args->encSz);
- /* set the max agree result size */
- ssl->arrays->preMasterSz = ENCRYPT_LEN;
- break;
- }
- #endif /* !NO_DH */
- #ifndef NO_PSK
- case psk_kea:
- {
- byte* pms = ssl->arrays->preMasterSecret;
- int cbret = (int)ssl->options.client_psk_cb(ssl,
- ssl->arrays->server_hint, ssl->arrays->client_identity,
- MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
- if (cbret == 0 || cbret > MAX_PSK_KEY_LEN) {
- if (cbret != USE_HW_PSK) {
- ERROR_OUT(PSK_KEY_ERROR, exit_scke);
- }
- }
- if (cbret == USE_HW_PSK) {
- /* USE_HW_PSK indicates that the hardware has the PSK
- * and generates the premaster secret. */
- ssl->arrays->psk_keySz = 0;
- }
- else {
- ssl->arrays->psk_keySz = (word32)cbret;
- }
- /* Ensure the buffer is null-terminated. */
- ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0';
- args->encSz = (word32)XSTRLEN(ssl->arrays->client_identity);
- if (args->encSz > MAX_PSK_ID_LEN) {
- ERROR_OUT(CLIENT_ID_ERROR, exit_scke);
- }
- XMEMCPY(args->encSecret, ssl->arrays->client_identity,
- args->encSz);
- ssl->options.peerAuthGood = 1;
- if (cbret != USE_HW_PSK) {
- /* CLIENT: Pre-shared Key for peer authentication. */
- /* make psk pre master secret */
- /* length of key + length 0s + length of key + key */
- c16toa((word16)ssl->arrays->psk_keySz, pms);
- pms += OPAQUE16_LEN;
- XMEMSET(pms, 0, ssl->arrays->psk_keySz);
- pms += ssl->arrays->psk_keySz;
- c16toa((word16)ssl->arrays->psk_keySz, pms);
- pms += OPAQUE16_LEN;
- XMEMCPY(pms, ssl->arrays->psk_key,
- ssl->arrays->psk_keySz);
- ssl->arrays->preMasterSz = (ssl->arrays->psk_keySz * 2)
- + (2 * OPAQUE16_LEN);
- ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz);
- ssl->arrays->psk_keySz = 0; /* No further need */
- }
- break;
- }
- #endif /* !NO_PSK */
- #if !defined(NO_DH) && !defined(NO_PSK)
- case dhe_psk_kea:
- {
- word32 esSz = 0;
- args->output = args->encSecret;
- ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
- ssl->arrays->server_hint, ssl->arrays->client_identity,
- MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
- if (ssl->arrays->psk_keySz == 0 ||
- ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
- ERROR_OUT(PSK_KEY_ERROR, exit_scke);
- }
- ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; /* null term */
- esSz = (word32)XSTRLEN(ssl->arrays->client_identity);
- if (esSz > MAX_PSK_ID_LEN) {
- ERROR_OUT(CLIENT_ID_ERROR, exit_scke);
- }
- /* CLIENT: Pre-shared Key for peer authentication. */
- ssl->options.peerAuthGood = 1;
- ssl->buffers.sig.length = ENCRYPT_LEN;
- ssl->buffers.sig.buffer = (byte*)XMALLOC(ENCRYPT_LEN,
- ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- if (ssl->buffers.sig.buffer == NULL) {
- ERROR_OUT(MEMORY_E, exit_scke);
- }
- c16toa((word16)esSz, args->output);
- args->output += OPAQUE16_LEN;
- XMEMCPY(args->output, ssl->arrays->client_identity, esSz);
- args->output += esSz;
- args->length = args->encSz - esSz - OPAQUE16_LEN;
- args->encSz = esSz + OPAQUE16_LEN;
- ret = AllocKey(ssl, DYNAMIC_TYPE_DH,
- (void**)&ssl->buffers.serverDH_Key);
- if (ret != 0) {
- goto exit_scke;
- }
- #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
- !defined(WOLFSSL_OLD_PRIME_CHECK)
- if (ssl->options.dhDoKeyTest &&
- !ssl->options.dhKeyTested)
- {
- ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key,
- ssl->buffers.serverDH_P.buffer,
- ssl->buffers.serverDH_P.length,
- ssl->buffers.serverDH_G.buffer,
- ssl->buffers.serverDH_G.length,
- NULL, 0, 0, ssl->rng);
- if (ret != 0) {
- goto exit_scke;
- }
- ssl->options.dhKeyTested = 1;
- }
- else
- #endif
- {
- ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
- ssl->buffers.serverDH_P.buffer,
- ssl->buffers.serverDH_P.length,
- ssl->buffers.serverDH_G.buffer,
- ssl->buffers.serverDH_G.length);
- if (ret != 0) {
- goto exit_scke;
- }
- }
- /* for DH, encSecret is Yc, agree is pre-master */
- ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key,
- ssl->buffers.sig.buffer,
- (word32*)&ssl->buffers.sig.length,
- args->output + OPAQUE16_LEN, &args->length);
- break;
- }
- #endif /* !NO_DH && !NO_PSK */
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && !defined(NO_PSK)
- case ecdhe_psk_kea:
- {
- word32 esSz = 0;
- args->output = args->encSecret;
- /* Send PSK client identity */
- ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
- ssl->arrays->server_hint, ssl->arrays->client_identity,
- MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
- if (ssl->arrays->psk_keySz == 0 ||
- ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
- ERROR_OUT(PSK_KEY_ERROR, exit_scke);
- }
- ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; /* null term */
- esSz = (word32)XSTRLEN(ssl->arrays->client_identity);
- if (esSz > MAX_PSK_ID_LEN) {
- ERROR_OUT(CLIENT_ID_ERROR, exit_scke);
- }
- /* CLIENT: Pre-shared Key for peer authentication. */
- ssl->options.peerAuthGood = 1;
- /* place size and identity in output buffer sz:identity */
- c16toa((word16)esSz, args->output);
- args->output += OPAQUE16_LEN;
- XMEMCPY(args->output, ssl->arrays->client_identity, esSz);
- args->output += esSz;
- args->encSz = esSz + OPAQUE16_LEN;
- /* length is used for public key size */
- args->length = MAX_ENCRYPT_SZ;
- /* Create shared ECC key leaving room at the beginning
- of buffer for size of shared key. */
- ssl->arrays->preMasterSz = ENCRYPT_LEN - OPAQUE16_LEN;
- #ifdef HAVE_CURVE25519
- if (ssl->ecdhCurveOID == ECC_X25519_OID) {
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->X25519SharedSecretCb != NULL) {
- break;
- }
- #endif
- ret = wc_curve25519_export_public_ex(
- (curve25519_key*)ssl->hsKey,
- args->output + OPAQUE8_LEN, &args->length,
- EC25519_LITTLE_ENDIAN);
- if (ret != 0) {
- ERROR_OUT(ECC_EXPORT_ERROR, exit_scke);
- }
- break;
- }
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->ecdhCurveOID == ECC_X448_OID) {
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->X448SharedSecretCb != NULL) {
- break;
- }
- #endif
- ret = wc_curve448_export_public_ex(
- (curve448_key*)ssl->hsKey,
- args->output + OPAQUE8_LEN, &args->length,
- EC448_LITTLE_ENDIAN);
- if (ret != 0) {
- ERROR_OUT(ECC_EXPORT_ERROR, exit_scke);
- }
- break;
- }
- #endif
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->EccSharedSecretCb != NULL) {
- break;
- }
- #endif
- /* Place ECC key in output buffer, leaving room for size */
- PRIVATE_KEY_UNLOCK();
- ret = wc_ecc_export_x963((ecc_key*)ssl->hsKey,
- args->output + OPAQUE8_LEN, &args->length);
- PRIVATE_KEY_LOCK();
- if (ret != 0) {
- ERROR_OUT(ECC_EXPORT_ERROR, exit_scke);
- }
- break;
- }
- #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- case ecc_diffie_hellman_kea:
- {
- ssl->arrays->preMasterSz = ENCRYPT_LEN;
- #ifdef HAVE_CURVE25519
- if (ssl->hsType == DYNAMIC_TYPE_CURVE25519) {
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->X25519SharedSecretCb != NULL) {
- break;
- }
- #endif
- ret = wc_curve25519_export_public_ex(
- (curve25519_key*)ssl->hsKey,
- args->encSecret + OPAQUE8_LEN, &args->encSz,
- EC25519_LITTLE_ENDIAN);
- if (ret != 0) {
- ERROR_OUT(ECC_EXPORT_ERROR, exit_scke);
- }
- break;
- }
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->hsType == DYNAMIC_TYPE_CURVE448) {
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->X448SharedSecretCb != NULL) {
- break;
- }
- #endif
- ret = wc_curve448_export_public_ex(
- (curve448_key*)ssl->hsKey,
- args->encSecret + OPAQUE8_LEN, &args->encSz,
- EC448_LITTLE_ENDIAN);
- if (ret != 0) {
- ERROR_OUT(ECC_EXPORT_ERROR, exit_scke);
- }
- break;
- }
- #endif
- #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT)
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->EccSharedSecretCb != NULL) {
- break;
- }
- #endif
- /* Place ECC key in buffer, leaving room for size */
- PRIVATE_KEY_UNLOCK();
- ret = wc_ecc_export_x963((ecc_key*)ssl->hsKey,
- args->encSecret + OPAQUE8_LEN, &args->encSz);
- PRIVATE_KEY_LOCK();
- if (ret != 0) {
- ERROR_OUT(ECC_EXPORT_ERROR, exit_scke);
- }
- #endif /* HAVE_ECC */
- break;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- default:
- ret = BAD_KEA_TYPE_E;
- } /* switch(ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_scke;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_DO;
- } /* case TLS_ASYNC_BUILD */
- FALL_THROUGH;
- case TLS_ASYNC_DO:
- {
- switch(ssl->specs.kea)
- {
- #ifndef NO_RSA
- case rsa_kea:
- {
- ret = RsaEnc(ssl,
- ssl->arrays->preMasterSecret, SECRET_LEN,
- args->encSecret, &args->encSz,
- ssl->peerRsaKey,
- #if defined(HAVE_PK_CALLBACKS)
- &ssl->buffers.peerRsaKey
- #else
- NULL
- #endif
- );
- break;
- }
- #endif /* !NO_RSA */
- #ifndef NO_DH
- case diffie_hellman_kea:
- {
- ret = DhAgree(ssl, ssl->buffers.serverDH_Key,
- ssl->buffers.sig.buffer, ssl->buffers.sig.length,
- ssl->buffers.serverDH_Pub.buffer,
- ssl->buffers.serverDH_Pub.length,
- ssl->arrays->preMasterSecret,
- &ssl->arrays->preMasterSz,
- ssl->buffers.serverDH_P.buffer,
- ssl->buffers.serverDH_P.length);
- break;
- }
- #endif /* !NO_DH */
- #ifndef NO_PSK
- case psk_kea:
- {
- break;
- }
- #endif /* !NO_PSK */
- #if !defined(NO_DH) && !defined(NO_PSK)
- case dhe_psk_kea:
- {
- ret = DhAgree(ssl, ssl->buffers.serverDH_Key,
- ssl->buffers.sig.buffer, ssl->buffers.sig.length,
- ssl->buffers.serverDH_Pub.buffer,
- ssl->buffers.serverDH_Pub.length,
- ssl->arrays->preMasterSecret + OPAQUE16_LEN,
- &ssl->arrays->preMasterSz,
- ssl->buffers.serverDH_P.buffer,
- ssl->buffers.serverDH_P.length);
- break;
- }
- #endif /* !NO_DH && !NO_PSK */
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && !defined(NO_PSK)
- case ecdhe_psk_kea:
- {
- #ifdef HAVE_CURVE25519
- if (ssl->peerX25519KeyPresent) {
- ret = X25519SharedSecret(ssl,
- (curve25519_key*)ssl->hsKey, ssl->peerX25519Key,
- args->output + OPAQUE8_LEN, &args->length,
- ssl->arrays->preMasterSecret + OPAQUE16_LEN,
- &ssl->arrays->preMasterSz,
- WOLFSSL_CLIENT_END
- );
- if (!ssl->specs.static_ecdh
- #ifdef WOLFSSL_ASYNC_CRYPT
- && ret != WC_PENDING_E
- #endif
- ) {
- FreeKey(ssl, DYNAMIC_TYPE_CURVE25519,
- (void**)&ssl->peerX25519Key);
- ssl->peerX25519KeyPresent = 0;
- }
- break;
- }
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->peerX448KeyPresent) {
- ret = X448SharedSecret(ssl,
- (curve448_key*)ssl->hsKey, ssl->peerX448Key,
- args->output + OPAQUE8_LEN, &args->length,
- ssl->arrays->preMasterSecret + OPAQUE16_LEN,
- &ssl->arrays->preMasterSz,
- WOLFSSL_CLIENT_END
- );
- if (!ssl->specs.static_ecdh
- #ifdef WOLFSSL_ASYNC_CRYPT
- && ret != WC_PENDING_E
- #endif
- ) {
- FreeKey(ssl, DYNAMIC_TYPE_CURVE448,
- (void**)&ssl->peerX448Key);
- ssl->peerX448KeyPresent = 0;
- }
- break;
- }
- #endif
- ret = EccSharedSecret(ssl,
- (ecc_key*)ssl->hsKey, ssl->peerEccKey,
- args->output + OPAQUE8_LEN, &args->length,
- ssl->arrays->preMasterSecret + OPAQUE16_LEN,
- &ssl->arrays->preMasterSz,
- WOLFSSL_CLIENT_END
- );
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret != WC_PENDING_E)
- #endif
- {
- FreeKey(ssl, DYNAMIC_TYPE_ECC,
- (void**)&ssl->peerEccKey);
- ssl->peerEccKeyPresent = 0;
- }
- break;
- }
- #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- case ecc_diffie_hellman_kea:
- {
- #ifdef HAVE_ECC
- ecc_key* peerKey;
- #endif
- #ifdef HAVE_CURVE25519
- if (ssl->peerX25519KeyPresent) {
- ret = X25519SharedSecret(ssl,
- (curve25519_key*)ssl->hsKey, ssl->peerX25519Key,
- args->encSecret + OPAQUE8_LEN, &args->encSz,
- ssl->arrays->preMasterSecret,
- &ssl->arrays->preMasterSz,
- WOLFSSL_CLIENT_END
- );
- if (!ssl->specs.static_ecdh
- #ifdef WOLFSSL_ASYNC_CRYPT
- && ret != WC_PENDING_E
- #endif
- ) {
- FreeKey(ssl, DYNAMIC_TYPE_CURVE25519,
- (void**)&ssl->peerX25519Key);
- ssl->peerX25519KeyPresent = 0;
- }
- break;
- }
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->peerX448KeyPresent) {
- ret = X448SharedSecret(ssl,
- (curve448_key*)ssl->hsKey, ssl->peerX448Key,
- args->encSecret + OPAQUE8_LEN, &args->encSz,
- ssl->arrays->preMasterSecret,
- &ssl->arrays->preMasterSz,
- WOLFSSL_CLIENT_END
- );
- if (!ssl->specs.static_ecdh
- #ifdef WOLFSSL_ASYNC_CRYPT
- && ret != WC_PENDING_E
- #endif
- ) {
- FreeKey(ssl, DYNAMIC_TYPE_CURVE448,
- (void**)&ssl->peerX448Key);
- ssl->peerX448KeyPresent = 0;
- }
- break;
- }
- #endif
- #ifdef HAVE_ECC
- peerKey = (ssl->specs.static_ecdh) ?
- ssl->peerEccDsaKey : ssl->peerEccKey;
- ret = EccSharedSecret(ssl,
- (ecc_key*)ssl->hsKey, peerKey,
- args->encSecret + OPAQUE8_LEN, &args->encSz,
- ssl->arrays->preMasterSecret,
- &ssl->arrays->preMasterSz,
- WOLFSSL_CLIENT_END);
- if (!ssl->specs.static_ecdh
- #ifdef WOLFSSL_ASYNC_CRYPT
- && ret != WC_PENDING_E
- #endif
- && !ssl->options.keepResources) {
- FreeKey(ssl, DYNAMIC_TYPE_ECC,
- (void**)&ssl->peerEccKey);
- ssl->peerEccKeyPresent = 0;
- }
- #endif
- break;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- default:
- ret = BAD_KEA_TYPE_E;
- } /* switch(ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_scke;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_VERIFY;
- } /* case TLS_ASYNC_DO */
- FALL_THROUGH;
- case TLS_ASYNC_VERIFY:
- {
- switch(ssl->specs.kea)
- {
- #ifndef NO_RSA
- case rsa_kea:
- {
- break;
- }
- #endif /* !NO_RSA */
- #ifndef NO_DH
- case diffie_hellman_kea:
- {
- break;
- }
- #endif /* !NO_DH */
- #ifndef NO_PSK
- case psk_kea:
- {
- break;
- }
- #endif /* !NO_PSK */
- #if !defined(NO_DH) && !defined(NO_PSK)
- case dhe_psk_kea:
- {
- byte* pms = ssl->arrays->preMasterSecret;
- /* validate args */
- if (args->output == NULL || args->length == 0) {
- ERROR_OUT(BAD_FUNC_ARG, exit_scke);
- }
- c16toa((word16)args->length, args->output);
- args->encSz += args->length + OPAQUE16_LEN;
- c16toa((word16)ssl->arrays->preMasterSz, pms);
- ssl->arrays->preMasterSz += OPAQUE16_LEN;
- pms += ssl->arrays->preMasterSz;
- /* make psk pre master secret */
- /* length of key + length 0s + length of key + key */
- c16toa((word16)ssl->arrays->psk_keySz, pms);
- pms += OPAQUE16_LEN;
- XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz);
- ssl->arrays->preMasterSz +=
- ssl->arrays->psk_keySz + OPAQUE16_LEN;
- ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz);
- ssl->arrays->psk_keySz = 0; /* No further need */
- break;
- }
- #endif /* !NO_DH && !NO_PSK */
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && !defined(NO_PSK)
- case ecdhe_psk_kea:
- {
- byte* pms = ssl->arrays->preMasterSecret;
- /* validate args */
- if (args->output == NULL || args->length > ENCRYPT_LEN) {
- ERROR_OUT(BAD_FUNC_ARG, exit_scke);
- }
- /* place size of public key in output buffer */
- *args->output = (byte)args->length;
- args->encSz += args->length + OPAQUE8_LEN;
- /* Create pre master secret is the concatenation of
- eccSize + eccSharedKey + pskSize + pskKey */
- c16toa((word16)ssl->arrays->preMasterSz, pms);
- ssl->arrays->preMasterSz += OPAQUE16_LEN;
- pms += ssl->arrays->preMasterSz;
- c16toa((word16)ssl->arrays->psk_keySz, pms);
- pms += OPAQUE16_LEN;
- XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz);
- ssl->arrays->preMasterSz +=
- ssl->arrays->psk_keySz + OPAQUE16_LEN;
- ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz);
- ssl->arrays->psk_keySz = 0; /* No further need */
- break;
- }
- #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- case ecc_diffie_hellman_kea:
- {
- if (args->encSecret == NULL) {
- ret = BAD_STATE_E;
- goto exit_scke;
- }
- else {
- /* place size of public key in buffer */
- *args->encSecret = (byte)args->encSz;
- args->encSz += OPAQUE8_LEN;
- }
- break;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- default:
- ret = BAD_KEA_TYPE_E;
- } /* switch(ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_scke;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_FINALIZE;
- } /* case TLS_ASYNC_VERIFY */
- FALL_THROUGH;
- case TLS_ASYNC_FINALIZE:
- {
- word32 tlsSz = 0;
- word32 idx = 0;
- if (ssl->options.tls || ssl->specs.kea == diffie_hellman_kea) {
- tlsSz = 2;
- }
- if (ssl->specs.kea == ecc_diffie_hellman_kea ||
- ssl->specs.kea == dhe_psk_kea ||
- ssl->specs.kea == ecdhe_psk_kea) { /* always off */
- tlsSz = 0;
- }
- idx = HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
- args->sendSz = args->encSz + tlsSz + idx;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- idx += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA;
- args->sendSz += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA;
- }
- #endif
- if (IsEncryptionOn(ssl, 1)) {
- args->sendSz += MAX_MSG_EXTRA;
- }
- /* check for available size */
- if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0)
- goto exit_scke;
- /* get output buffer */
- args->output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- AddHeaders(args->output, args->encSz + tlsSz, client_key_exchange, ssl);
- if (tlsSz) {
- c16toa((word16)args->encSz, &args->output[idx]);
- idx += OPAQUE16_LEN;
- }
- XMEMCPY(args->output + idx, args->encSecret, args->encSz);
- idx += args->encSz;
- if (IsEncryptionOn(ssl, 1)) {
- int recordHeaderSz = RECORD_HEADER_SZ;
- if (ssl->options.dtls)
- recordHeaderSz += DTLS_RECORD_EXTRA;
- args->inputSz = idx - recordHeaderSz; /* buildmsg adds rechdr */
- args->input = (byte*)XMALLOC(args->inputSz, ssl->heap,
- DYNAMIC_TYPE_IN_BUFFER);
- if (args->input == NULL) {
- ERROR_OUT(MEMORY_E, exit_scke);
- }
- XMEMCPY(args->input, args->output + recordHeaderSz,
- args->inputSz);
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_END;
- } /* case TLS_ASYNC_FINALIZE */
- FALL_THROUGH;
- case TLS_ASYNC_END:
- {
- if (IsEncryptionOn(ssl, 1)) {
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl) &&
- (ret = DtlsMsgPoolSave(ssl, args->input, args->inputSz, client_key_exchange)) != 0) {
- goto exit_scke;
- }
- #endif
- ret = BuildMessage(ssl, args->output, args->sendSz,
- args->input, args->inputSz, handshake, 1, 0, 0, CUR_ORDER);
- XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- args->input = NULL; /* make sure its not double free'd on cleanup */
- if (ret >= 0) {
- args->sendSz = ret;
- ret = 0;
- }
- }
- else {
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl)) {
- if ((ret = DtlsMsgPoolSave(ssl, args->output, args->sendSz, client_key_exchange)) != 0) {
- goto exit_scke;
- }
- }
- if (ssl->options.dtls)
- DtlsSEQIncrement(ssl, CUR_ORDER);
- #endif
- ret = HashOutput(ssl, args->output, args->sendSz, 0);
- }
- if (ret != 0) {
- goto exit_scke;
- }
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "ClientKeyExchange");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "ClientKeyExchange", handshake,
- args->output, args->sendSz, WRITE_PROTO, 0, ssl->heap);
- if (ret != 0) {
- goto exit_scke;
- }
- }
- #endif
- ssl->buffers.outputBuffer.length += args->sendSz;
- if (!ssl->options.groupMessages) {
- ret = SendBuffered(ssl);
- }
- if (ret == 0 || ret == WANT_WRITE) {
- int tmpRet = MakeMasterSecret(ssl);
- if (tmpRet != 0) {
- ret = tmpRet; /* save WANT_WRITE unless more serious */
- }
- ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
- ssl->options.buildingMsg = 0;
- }
- #if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK)
- if (ssl->keyLogCb != NULL) {
- int secretSz = SECRET_LEN;
- ret = ssl->keyLogCb(ssl, ssl->arrays->masterSecret, &secretSz,
- NULL);
- if (ret != 0 || secretSz != SECRET_LEN)
- return SESSION_SECRET_CB_E;
- }
- #endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */
- break;
- }
- default:
- ret = INPUT_CASE_ERROR;
- } /* switch(ssl->options.asyncState) */
- exit_scke:
- WOLFSSL_LEAVE("SendClientKeyExchange", ret);
- WOLFSSL_END(WC_FUNC_CLIENT_KEY_EXCHANGE_SEND);
- #ifdef WOLFSSL_ASYNC_IO
- /* Handle async operation */
- if (ret == WC_PENDING_E || ret == WANT_WRITE) {
- if (ssl->options.buildingMsg)
- return ret;
- /* If we have completed all states then we will not enter this function
- * again. We need to do clean up now. */
- }
- #endif
- /* No further need for PMS */
- if (ssl->arrays->preMasterSecret != NULL) {
- ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
- }
- ssl->arrays->preMasterSz = 0;
- /* Final cleanup */
- #ifdef WOLFSSL_ASYNC_IO
- /* Cleanup async */
- FreeAsyncCtx(ssl, 0);
- #else
- FreeSckeArgs(ssl, args);
- #endif
- FreeKeyExchange(ssl);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- return ret;
- }
- #endif /* !WOLFSSL_NO_TLS12 */
- #ifndef NO_CERTS
- #ifndef WOLFSSL_NO_TLS12
- #ifndef WOLFSSL_NO_CLIENT_AUTH
- typedef struct ScvArgs {
- byte* output; /* not allocated */
- #ifndef NO_RSA
- byte* verifySig;
- #endif
- byte* verify; /* not allocated */
- byte* input;
- word32 idx;
- word32 extraSz;
- word32 sigSz;
- int sendSz;
- int inputSz;
- word16 length;
- byte sigAlgo;
- } ScvArgs;
- static void FreeScvArgs(WOLFSSL* ssl, void* pArgs)
- {
- ScvArgs* args = (ScvArgs*)pArgs;
- (void)ssl;
- #ifndef NO_RSA
- if (args->verifySig) {
- XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- args->verifySig = NULL;
- }
- #endif
- if (args->input) {
- XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- args->input = NULL;
- }
- }
- /* handle generation of certificate_verify (15) */
- int SendCertificateVerify(WOLFSSL* ssl)
- {
- int ret = 0;
- #ifdef WOLFSSL_ASYNC_IO
- ScvArgs* args = NULL;
- WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
- #else
- ScvArgs args[1];
- #endif
- WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_SEND);
- WOLFSSL_ENTER("SendCertificateVerify");
- #ifdef WOLFSSL_ASYNC_IO
- if (ssl->async == NULL) {
- ssl->async = (struct WOLFSSL_ASYNC*)
- XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
- DYNAMIC_TYPE_ASYNC);
- if (ssl->async == NULL)
- ERROR_OUT(MEMORY_E, exit_scv);
- XMEMSET(ssl->async, 0, sizeof(struct WOLFSSL_ASYNC));
- }
- args = (ScvArgs*)ssl->async->args;
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* BuildMessage does its own Pop */
- if (ssl->error != WC_PENDING_E ||
- ssl->options.asyncState != TLS_ASYNC_END)
- ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
- if (ret != WC_NOT_PENDING_E) {
- /* Check for error */
- if (ret < 0)
- goto exit_scv;
- }
- else
- #endif
- if (ssl->options.buildingMsg) {
- /* We should be in the sending state. */
- if (ssl->options.asyncState != TLS_ASYNC_END) {
- ret = BAD_STATE_E;
- goto exit_scv;
- }
- }
- else
- #endif
- {
- /* Reset state */
- ret = 0;
- ssl->options.asyncState = TLS_ASYNC_BEGIN;
- XMEMSET(args, 0, sizeof(ScvArgs));
- #ifdef WOLFSSL_ASYNC_IO
- ssl->async->freeArgs = FreeScvArgs;
- #endif
- }
- switch(ssl->options.asyncState)
- {
- case TLS_ASYNC_BEGIN:
- {
- if (ssl->options.sendVerify == SEND_BLANK_CERT) {
- return 0; /* sent blank cert, can't verify */
- }
- args->sendSz = MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA;
- if (IsEncryptionOn(ssl, 1)) {
- args->sendSz += MAX_MSG_EXTRA;
- }
- /* Use tmp buffer */
- args->input = (byte*)XMALLOC(args->sendSz,
- ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (args->input == NULL)
- ERROR_OUT(MEMORY_E, exit_scv);
- args->output = args->input;
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_BUILD;
- } /* case TLS_ASYNC_BEGIN */
- FALL_THROUGH;
- case TLS_ASYNC_BUILD:
- {
- ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes);
- if (ret != 0) {
- goto exit_scv;
- }
- if (ssl->buffers.key == NULL) {
- #ifdef HAVE_PK_CALLBACKS
- if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx))
- args->length = GetPrivateKeySigSize(ssl);
- else
- #endif
- ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
- }
- else {
- /* Decode private key. */
- ret = DecodePrivateKey(ssl, &args->length);
- if (ret != 0) {
- goto exit_scv;
- }
- }
- if (args->length == 0) {
- ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
- }
- /* idx is used to track verify pointer offset to output */
- args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- args->verify = &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ];
- args->extraSz = 0; /* tls 1.2 hash/sig */
- /* build encoded signature buffer */
- ssl->buffers.sig.length = MAX_ENCODED_SIG_SZ;
- ssl->buffers.sig.buffer = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ,
- ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- if (ssl->buffers.sig.buffer == NULL) {
- ERROR_OUT(MEMORY_E, exit_scv);
- }
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- args->verify += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- }
- #endif
- if (!IsAtLeastTLSv1_2(ssl)) {
- #ifndef NO_OLD_TLS
- #ifndef NO_SHA
- /* old tls default */
- SetDigest(ssl, sha_mac);
- #endif
- #else
- #ifndef NO_SHA256
- /* new tls default */
- SetDigest(ssl, sha256_mac);
- #endif
- #endif /* !NO_OLD_TLS */
- }
- else {
- SetDigest(ssl, ssl->options.hashAlgo);
- }
- if (ssl->hsType == DYNAMIC_TYPE_RSA) {
- #ifdef WC_RSA_PSS
- if (IsAtLeastTLSv1_2(ssl) &&
- (ssl->pssAlgo & (1 << ssl->options.hashAlgo))) {
- args->sigAlgo = rsa_pss_sa_algo;
- }
- else
- #endif
- args->sigAlgo = rsa_sa_algo;
- }
- else if (ssl->hsType == DYNAMIC_TYPE_ECC)
- args->sigAlgo = ecc_dsa_sa_algo;
- else if (ssl->hsType == DYNAMIC_TYPE_ED25519)
- args->sigAlgo = ed25519_sa_algo;
- else if (ssl->hsType == DYNAMIC_TYPE_ED448)
- args->sigAlgo = ed448_sa_algo;
- if (IsAtLeastTLSv1_2(ssl)) {
- EncodeSigAlg(ssl->options.hashAlgo, args->sigAlgo,
- args->verify);
- args->extraSz = HASH_SIG_SIZE;
- SetDigest(ssl, ssl->options.hashAlgo);
- }
- #ifndef NO_OLD_TLS
- else {
- /* if old TLS load MD5 and SHA hash as value to sign
- * MD5 and SHA must be first two buffers in structure */
- XMEMCPY(ssl->buffers.sig.buffer,
- (byte*)&ssl->hsHashes->certHashes, FINISHED_SZ);
- }
- #endif
- #ifndef NO_RSA
- if (args->sigAlgo == rsa_sa_algo) {
- ssl->buffers.sig.length = FINISHED_SZ;
- args->sigSz = ENCRYPT_LEN;
- if (IsAtLeastTLSv1_2(ssl)) {
- ssl->buffers.sig.length = wc_EncodeSignature(
- ssl->buffers.sig.buffer, ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- TypeHash(ssl->options.hashAlgo));
- }
- /* prepend hdr */
- c16toa(args->length, args->verify + args->extraSz);
- }
- #ifdef WC_RSA_PSS
- else if (args->sigAlgo == rsa_pss_sa_algo) {
- XMEMCPY(ssl->buffers.sig.buffer, ssl->buffers.digest.buffer,
- ssl->buffers.digest.length);
- ssl->buffers.sig.length = ssl->buffers.digest.length;
- args->sigSz = ENCRYPT_LEN;
- /* prepend hdr */
- c16toa(args->length, args->verify + args->extraSz);
- }
- #endif
- #endif /* !NO_RSA */
- #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
- if (args->sigAlgo == ed25519_sa_algo) {
- ret = Ed25519CheckPubKey(ssl);
- if (ret != 0)
- goto exit_scv;
- }
- #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
- #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
- if (args->sigAlgo == ed448_sa_algo) {
- ret = Ed448CheckPubKey(ssl);
- if (ret != 0)
- goto exit_scv;
- }
- #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_DO;
- } /* case TLS_ASYNC_BUILD */
- FALL_THROUGH;
- case TLS_ASYNC_DO:
- {
- #ifdef HAVE_ECC
- if (ssl->hsType == DYNAMIC_TYPE_ECC) {
- ecc_key* key = (ecc_key*)ssl->hsKey;
- ret = EccSign(ssl,
- ssl->buffers.digest.buffer, ssl->buffers.digest.length,
- ssl->buffers.sig.buffer,
- (word32*)&ssl->buffers.sig.length,
- key,
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.key
- #else
- NULL
- #endif
- );
- }
- #endif /* HAVE_ECC */
- #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
- if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
- ed25519_key* key = (ed25519_key*)ssl->hsKey;
- ret = Ed25519Sign(ssl,
- ssl->hsHashes->messages, ssl->hsHashes->length,
- ssl->buffers.sig.buffer, (word32*)&ssl->buffers.sig.length,
- key,
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.key
- #else
- NULL
- #endif
- );
- }
- #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
- #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
- if (ssl->hsType == DYNAMIC_TYPE_ED448) {
- ed448_key* key = (ed448_key*)ssl->hsKey;
- ret = Ed448Sign(ssl,
- ssl->hsHashes->messages, ssl->hsHashes->length,
- ssl->buffers.sig.buffer, (word32*)&ssl->buffers.sig.length,
- key,
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.key
- #else
- NULL
- #endif
- );
- }
- #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
- #ifndef NO_RSA
- if (ssl->hsType == DYNAMIC_TYPE_RSA) {
- RsaKey* key = (RsaKey*)ssl->hsKey;
- /* restore verify pointer */
- args->verify = &args->output[args->idx];
- ret = RsaSign(ssl,
- ssl->buffers.sig.buffer, ssl->buffers.sig.length,
- args->verify + args->extraSz + VERIFY_HEADER, &args->sigSz,
- args->sigAlgo, ssl->options.hashAlgo, key,
- ssl->buffers.key
- );
- }
- #endif /* !NO_RSA */
- /* Check for error */
- if (ret != 0) {
- goto exit_scv;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_VERIFY;
- } /* case TLS_ASYNC_DO */
- FALL_THROUGH;
- case TLS_ASYNC_VERIFY:
- {
- /* restore verify pointer */
- args->verify = &args->output[args->idx];
- switch (ssl->hsType) {
- #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
- #ifdef HAVE_ECC
- case DYNAMIC_TYPE_ECC:
- #ifdef WOLFSSL_CHECK_SIG_FAULTS
- {
- ecc_key* key = (ecc_key*)ssl->hsKey;
- ret = EccVerify(ssl,
- ssl->buffers.sig.buffer, ssl->buffers.sig.length,
- ssl->buffers.digest.buffer, ssl->buffers.digest.length,
- key,
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.key
- #else
- NULL
- #endif
- );
- if (ret != 0) {
- WOLFSSL_MSG("Failed to verify ECC signature");
- goto exit_scv;
- }
- }
- #if defined(HAVE_ED25519) || defined(HAVE_ED448)
- FALL_THROUGH;
- #endif
- #endif /* WOLFSSL_CHECK_SIG_FAULTS */
- #endif /* HAVE_ECC */
- #ifdef HAVE_ED25519
- case DYNAMIC_TYPE_ED25519:
- #endif
- #ifdef HAVE_ED448
- case DYNAMIC_TYPE_ED448:
- #endif
- args->length = (word16)ssl->buffers.sig.length;
- /* prepend hdr */
- c16toa(args->length, args->verify + args->extraSz);
- XMEMCPY(args->verify + args->extraSz + VERIFY_HEADER,
- ssl->buffers.sig.buffer, ssl->buffers.sig.length);
- break;
- #endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */
- #ifndef NO_RSA
- case DYNAMIC_TYPE_RSA:
- {
- RsaKey* key = (RsaKey*)ssl->hsKey;
- if (args->verifySig == NULL) {
- args->verifySig = (byte*)XMALLOC(args->sigSz, ssl->heap,
- DYNAMIC_TYPE_SIGNATURE);
- if (args->verifySig == NULL) {
- ERROR_OUT(MEMORY_E, exit_scv);
- }
- XMEMCPY(args->verifySig, args->verify + args->extraSz +
- VERIFY_HEADER, args->sigSz);
- }
- /* check for signature faults */
- ret = VerifyRsaSign(ssl,
- args->verifySig, args->sigSz,
- ssl->buffers.sig.buffer, ssl->buffers.sig.length,
- args->sigAlgo, ssl->options.hashAlgo, key,
- ssl->buffers.key
- );
- /* free temporary buffer now */
- if (ret != WC_PENDING_E) {
- XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- args->verifySig = NULL;
- }
- break;
- }
- #endif /* !NO_RSA */
- default:
- break;
- }
- /* Check for error */
- if (ret != 0) {
- goto exit_scv;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_FINALIZE;
- } /* case TLS_ASYNC_VERIFY */
- FALL_THROUGH;
- case TLS_ASYNC_FINALIZE:
- {
- if (args->output == NULL) {
- ERROR_OUT(BUFFER_ERROR, exit_scv);
- }
- AddHeaders(args->output, (word32)args->length + args->extraSz +
- VERIFY_HEADER, certificate_verify, ssl);
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_END;
- } /* case TLS_ASYNC_FINALIZE */
- FALL_THROUGH;
- case TLS_ASYNC_END:
- {
- ret = SendHandshakeMsg(ssl, args->output,
- (word32)args->length + args->extraSz + VERIFY_HEADER,
- certificate_verify, "CertificateVerify");
- if (ret != 0)
- goto exit_scv;
- break;
- }
- default:
- ret = INPUT_CASE_ERROR;
- } /* switch(ssl->options.asyncState) */
- exit_scv:
- WOLFSSL_LEAVE("SendCertificateVerify", ret);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_SEND);
- #ifdef WOLFSSL_ASYNC_IO
- /* Handle async operation */
- if (ret == WANT_WRITE
- #ifdef WOLFSSL_ASYNC_CRYPT
- || ret == WC_PENDING_E
- #endif
- )
- return ret;
- #endif /* WOLFSSL_ASYNC_IO */
- /* Digest is not allocated, so do this to prevent free */
- if(ssl->buffers.digest.buffer) {
- if (!ssl->options.dontFreeDigest) {
- /*This should not happen*/
- XFREE(ssl->buffers.digest.buffer,
- ssl->heap, DYNAMIC_TYPE_DIGEST);
- }
- }
- ssl->buffers.digest.buffer = NULL;
- ssl->buffers.digest.length = 0;
- ssl->options.dontFreeDigest = 0;
- /* Final cleanup */
- #ifdef WOLFSSL_ASYNC_IO
- /* Cleanup async */
- FreeAsyncCtx(ssl, 0);
- #else
- FreeScvArgs(ssl, args);
- #endif
- FreeKeyExchange(ssl);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- return ret;
- }
- #endif /* WOLFSSL_NO_CLIENT_AUTH */
- #endif /* WOLFSSL_NO_TLS12 */
- #endif /* NO_CERTS */
- #ifdef HAVE_SESSION_TICKET
- int SetTicket(WOLFSSL* ssl, const byte* ticket, word32 length)
- {
- /* Free old dynamic ticket if we already had one */
- if (ssl->session->ticketLenAlloc > 0) {
- XFREE(ssl->session->ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
- ssl->session->ticket = ssl->session->staticTicket;
- ssl->session->ticketLenAlloc = 0;
- }
- if (length > sizeof(ssl->session->staticTicket)) {
- byte* sessionTicket =
- (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
- if (sessionTicket == NULL)
- return MEMORY_E;
- ssl->session->ticket = sessionTicket;
- ssl->session->ticketLenAlloc = (word16)length;
- }
- ssl->session->ticketLen = (word16)length;
- if (length > 0) {
- XMEMCPY(ssl->session->ticket, ticket, length);
- if (ssl->session_ticket_cb != NULL) {
- ssl->session_ticket_cb(ssl,
- ssl->session->ticket, ssl->session->ticketLen,
- ssl->session_ticket_ctx);
- }
- /* Create a fake sessionID based on the ticket, this will
- * supersede the existing session cache info. */
- ssl->options.haveSessionId = 1;
- #ifdef WOLFSSL_TLS13
- if (ssl->options.tls1_3) {
- XMEMCPY(ssl->session->sessionID,
- ssl->session->ticket + length - ID_LEN, ID_LEN);
- ssl->session->sessionIDSz = ID_LEN;
- }
- else
- #endif
- {
- XMEMCPY(ssl->arrays->sessionID,
- ssl->session->ticket + length - ID_LEN, ID_LEN);
- ssl->arrays->sessionIDSz = ID_LEN;
- }
- }
- return 0;
- }
- #ifndef WOLFSSL_NO_TLS12
- /* handle processing of session_ticket (4) */
- static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
- word32 size)
- {
- word32 begin = *inOutIdx;
- word32 lifetime;
- word16 length;
- int ret;
- if (ssl->expect_session_ticket == 0) {
- WOLFSSL_MSG("Unexpected session ticket");
- WOLFSSL_ERROR_VERBOSE(SESSION_TICKET_EXPECT_E);
- return SESSION_TICKET_EXPECT_E;
- }
- if (OPAQUE32_LEN > size)
- return BUFFER_ERROR;
- ato32(input + *inOutIdx, &lifetime);
- *inOutIdx += OPAQUE32_LEN;
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
- return BUFFER_ERROR;
- ato16(input + *inOutIdx, &length);
- *inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + length > size)
- return BUFFER_ERROR;
- if ((ret = SetTicket(ssl, input + *inOutIdx, length)) != 0)
- return ret;
- *inOutIdx += length;
- if (length > 0) {
- ssl->timeout = lifetime;
- SetupSession(ssl);
- #ifndef NO_SESSION_CACHE
- AddSession(ssl);
- #endif
- }
- if (IsEncryptionOn(ssl, 0)) {
- *inOutIdx += ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead)
- *inOutIdx += MacSize(ssl);
- #endif
- }
- ssl->expect_session_ticket = 0;
- return 0;
- }
- #endif /* !WOLFSSL_NO_TLS12 */
- #endif /* HAVE_SESSION_TICKET */
- #endif /* NO_WOLFSSL_CLIENT */
- #ifndef NO_CERTS
- #ifdef WOLF_PRIVATE_KEY_ID
- int GetPrivateKeySigSize(WOLFSSL* ssl)
- {
- int sigSz = 0;
- if (ssl == NULL)
- return 0;
- switch (ssl->buffers.keyType) {
- #ifndef NO_RSA
- #ifdef WC_RSA_PSS
- case rsa_pss_sa_algo:
- #endif
- case rsa_sa_algo:
- sigSz = ssl->buffers.keySz;
- ssl->hsType = DYNAMIC_TYPE_RSA;
- break;
- #endif
- #ifdef HAVE_ECC
- case ecc_dsa_sa_algo:
- sigSz = wc_ecc_sig_size_calc(ssl->buffers.keySz);
- ssl->hsType = DYNAMIC_TYPE_ECC;
- break;
- #endif
- #ifdef HAVE_ED25519
- case ed25519_sa_algo:
- sigSz = ED25519_SIG_SIZE; /* fixed known value */
- ssl->hsType = DYNAMIC_TYPE_ED25519;
- break;
- #endif
- #ifdef HAVE_ED448
- case ed448_sa_algo:
- sigSz = ED448_SIG_SIZE; /* fixed known value */
- ssl->hsType = DYNAMIC_TYPE_ED448;
- break;
- #endif
- default:
- break;
- }
- return sigSz;
- }
- #endif /* HAVE_PK_CALLBACKS */
- #endif /* NO_CERTS */
- #ifdef HAVE_ECC
- /* returns the WOLFSSL_* version of the curve from the OID sum */
- word16 GetCurveByOID(int oidSum) {
- switch(oidSum) {
- #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
- #ifndef NO_ECC_SECP
- case ECC_SECP160R1_OID:
- return WOLFSSL_ECC_SECP160R1;
- #endif /* !NO_ECC_SECP */
- #ifdef HAVE_ECC_SECPR2
- case ECC_SECP160R2_OID:
- return WOLFSSL_ECC_SECP160R2;
- #endif /* HAVE_ECC_SECPR2 */
- #ifdef HAVE_ECC_KOBLITZ
- case ECC_SECP160K1_OID:
- return WOLFSSL_ECC_SECP160K1;
- #endif /* HAVE_ECC_KOBLITZ */
- #endif
- #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
- #ifndef NO_ECC_SECP
- case ECC_SECP192R1_OID:
- return WOLFSSL_ECC_SECP192R1;
- #endif /* !NO_ECC_SECP */
- #ifdef HAVE_ECC_KOBLITZ
- case ECC_SECP192K1_OID:
- return WOLFSSL_ECC_SECP192K1;
- #endif /* HAVE_ECC_KOBLITZ */
- #endif
- #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
- #ifndef NO_ECC_SECP
- case ECC_SECP224R1_OID:
- return WOLFSSL_ECC_SECP224R1;
- #endif /* !NO_ECC_SECP */
- #ifdef HAVE_ECC_KOBLITZ
- case ECC_SECP224K1_OID:
- return WOLFSSL_ECC_SECP224K1;
- #endif /* HAVE_ECC_KOBLITZ */
- #endif
- #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
- #ifndef NO_ECC_SECP
- case ECC_SECP256R1_OID:
- return WOLFSSL_ECC_SECP256R1;
- #endif /* !NO_ECC_SECP */
- #ifdef HAVE_ECC_KOBLITZ
- case ECC_SECP256K1_OID:
- return WOLFSSL_ECC_SECP256K1;
- #endif /* HAVE_ECC_KOBLITZ */
- #ifdef HAVE_ECC_BRAINPOOL
- case ECC_BRAINPOOLP256R1_OID:
- return WOLFSSL_ECC_BRAINPOOLP256R1;
- #endif /* HAVE_ECC_BRAINPOOL */
- #endif
- #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
- #ifndef NO_ECC_SECP
- case ECC_SECP384R1_OID:
- return WOLFSSL_ECC_SECP384R1;
- #endif /* !NO_ECC_SECP */
- #ifdef HAVE_ECC_BRAINPOOL
- case ECC_BRAINPOOLP384R1_OID:
- return WOLFSSL_ECC_BRAINPOOLP384R1;
- #endif /* HAVE_ECC_BRAINPOOL */
- #endif
- #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
- #ifdef HAVE_ECC_BRAINPOOL
- case ECC_BRAINPOOLP512R1_OID:
- return WOLFSSL_ECC_BRAINPOOLP512R1;
- #endif /* HAVE_ECC_BRAINPOOL */
- #endif
- #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
- #ifndef NO_ECC_SECP
- case ECC_SECP521R1_OID:
- return WOLFSSL_ECC_SECP521R1;
- #endif /* !NO_ECC_SECP */
- #endif
- default:
- WOLFSSL_MSG("Curve OID not compiled in or implemented");
- return 0;
- }
- }
- #endif /* HAVE_ECC */
- int TranslateErrorToAlert(int err)
- {
- switch (err) {
- case BUFFER_ERROR:
- return decode_error;
- case EXT_NOT_ALLOWED:
- case PEER_KEY_ERROR:
- case ECC_PEERKEY_ERROR:
- case BAD_KEY_SHARE_DATA:
- case PSK_KEY_ERROR:
- case INVALID_PARAMETER:
- case HRR_COOKIE_ERROR:
- return illegal_parameter;
- case INCOMPLETE_DATA:
- return missing_extension;
- case MATCH_SUITE_ERROR:
- case MISSING_HANDSHAKE_DATA:
- return handshake_failure;
- case VERSION_ERROR:
- return wolfssl_alert_protocol_version;
- default:
- return invalid_alert;
- }
- }
- #ifndef NO_WOLFSSL_SERVER
- #ifndef WOLFSSL_NO_TLS12
- /* handle generation of server_hello (2) */
- int SendServerHello(WOLFSSL* ssl)
- {
- int ret;
- byte *output;
- word16 length;
- word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- int sendSz;
- byte sessIdSz = ID_LEN;
- #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SESSION_TICKET)
- byte echoId = 0; /* ticket echo id flag */
- #endif
- byte cacheOff = 0; /* session cache off flag */
- WOLFSSL_START(WC_FUNC_SERVER_HELLO_SEND);
- WOLFSSL_ENTER("SendServerHello");
- length = VERSION_SZ + RAN_LEN
- + ID_LEN + ENUM_LEN
- + SUITE_LEN
- + ENUM_LEN;
- #ifdef HAVE_TLS_EXTENSIONS
- ret = TLSX_GetResponseSize(ssl, server_hello, &length);
- if (ret != 0)
- return ret;
- #ifdef HAVE_SESSION_TICKET
- if (ssl->options.useTicket) {
- /* echo session id sz can be 0,32 or bogus len in between */
- sessIdSz = ssl->arrays->sessionIDSz;
- if (sessIdSz > ID_LEN) {
- WOLFSSL_MSG("Bad bogus session id len");
- return BUFFER_ERROR;
- }
- if (!IsAtLeastTLSv1_3(ssl->version))
- length -= (ID_LEN - sessIdSz); /* adjust ID_LEN assumption */
- echoId = 1;
- }
- #endif /* HAVE_SESSION_TICKET */
- #else
- if (ssl->options.haveEMS) {
- length += HELLO_EXT_SZ_SZ + HELLO_EXT_SZ;
- }
- #endif
- /* is the session cache off at build or runtime */
- #ifdef NO_SESSION_CACHE
- cacheOff = 1;
- #else
- if (ssl->options.sessionCacheOff == 1) {
- cacheOff = 1;
- }
- #endif
- /* if no session cache don't send a session ID unless we're echoing
- * an ID as part of session tickets */
- if (cacheOff == 1
- #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SESSION_TICKET)
- && echoId == 0
- #endif
- ) {
- length -= ID_LEN; /* adjust ID_LEN assumption */
- sessIdSz = 0;
- }
- sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- }
- #endif /* WOLFSSL_DTLS */
- if (IsEncryptionOn(ssl, 1))
- sendSz += MAX_MSG_EXTRA;
- /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
- * is not advanced yet */
- ssl->options.buildingMsg = 1;
- /* check for available size */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
- /* get output buffer */
- output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- AddHeaders(output, length, server_hello, ssl);
- /* now write to output */
- /* first version */
- output[idx++] = (byte)ssl->version.major;
- output[idx++] = (byte)ssl->version.minor;
- /* then random and session id */
- if (!ssl->options.resuming) {
- /* generate random part and session id */
- ret = wc_RNG_GenerateBlock(ssl->rng, output + idx,
- RAN_LEN + sizeof(sessIdSz) + sessIdSz);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_TLS13
- if (TLSv1_3_Capable(ssl)) {
- /* TLS v1.3 capable server downgraded. */
- XMEMCPY(output + idx + RAN_LEN - (TLS13_DOWNGRADE_SZ + 1),
- tls13Downgrade, TLS13_DOWNGRADE_SZ);
- output[idx + RAN_LEN - 1] = (byte)IsAtLeastTLSv1_2(ssl);
- }
- else
- #endif
- if (ssl->ctx->method->version.major == SSLv3_MAJOR &&
- ssl->ctx->method->version.minor == TLSv1_2_MINOR &&
- (wolfSSL_get_options(ssl) & WOLFSSL_OP_NO_TLSv1_2) == 0 &&
- !IsAtLeastTLSv1_2(ssl)) {
- /* TLS v1.2 capable server downgraded. */
- XMEMCPY(output + idx + RAN_LEN - (TLS13_DOWNGRADE_SZ + 1),
- tls13Downgrade, TLS13_DOWNGRADE_SZ);
- output[idx + RAN_LEN - 1] = 0;
- }
- /* store info in SSL for later */
- XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN);
- idx += RAN_LEN;
- output[idx++] = sessIdSz;
- XMEMCPY(ssl->arrays->sessionID, output + idx, sessIdSz);
- ssl->arrays->sessionIDSz = sessIdSz;
- }
- else {
- /* If resuming, use info from SSL */
- XMEMCPY(output + idx, ssl->arrays->serverRandom, RAN_LEN);
- idx += RAN_LEN;
- output[idx++] = sessIdSz;
- XMEMCPY(output + idx, ssl->arrays->sessionID, sessIdSz);
- }
- idx += sessIdSz;
- #ifdef SHOW_SECRETS
- {
- int j;
- printf("server random: ");
- for (j = 0; j < RAN_LEN; j++)
- printf("%02x", ssl->arrays->serverRandom[j]);
- printf("\n");
- }
- #endif
- /* then cipher suite */
- output[idx++] = ssl->options.cipherSuite0;
- output[idx++] = ssl->options.cipherSuite;
- /* then compression */
- if (ssl->options.usingCompression)
- output[idx++] = ZLIB_COMPRESSION;
- else
- output[idx++] = NO_COMPRESSION;
- /* last, extensions */
- #ifdef HAVE_TLS_EXTENSIONS
- {
- word16 offset = 0;
- ret = TLSX_WriteResponse(ssl, output + idx, server_hello, &offset);
- if (ret != 0)
- return ret;
- idx += offset;
- }
- #else
- #ifdef HAVE_EXTENDED_MASTER
- if (ssl->options.haveEMS) {
- c16toa(HELLO_EXT_SZ, output + idx);
- idx += HELLO_EXT_SZ_SZ;
- c16toa(HELLO_EXT_EXTMS, output + idx);
- idx += HELLO_EXT_TYPE_SZ;
- c16toa(0, output + idx);
- /*idx += HELLO_EXT_SZ_SZ;*/
- /* idx is not used after this point. uncomment the line above
- * if adding any more extensions in the future. */
- }
- #endif
- #endif
- if (IsEncryptionOn(ssl, 1)) {
- byte* input;
- int inputSz = idx; /* build msg adds rec hdr */
- int recordHeaderSz = RECORD_HEADER_SZ;
- if (ssl->options.dtls)
- recordHeaderSz += DTLS_RECORD_EXTRA;
- inputSz -= recordHeaderSz;
- input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (input == NULL)
- return MEMORY_E;
- XMEMCPY(input, output + recordHeaderSz, inputSz);
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl) &&
- (ret = DtlsMsgPoolSave(ssl, input, inputSz, server_hello)) != 0) {
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- return ret;
- }
- #endif
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- handshake, 1, 0, 0, CUR_ORDER);
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (sendSz < 0)
- return sendSz;
- } else {
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl)) {
- if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, server_hello)) != 0)
- return ret;
- }
- if (ssl->options.dtls)
- DtlsSEQIncrement(ssl, CUR_ORDER);
- #endif
- ret = HashOutput(ssl, output, sendSz, 0);
- if (ret != 0)
- return ret;
- }
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "ServerHello");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "ServerHello", handshake, output, sendSz,
- WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->options.serverState = SERVER_HELLO_COMPLETE;
- ssl->options.buildingMsg = 0;
- ssl->buffers.outputBuffer.length += sendSz;
- if (ssl->options.groupMessages)
- ret = 0;
- else
- ret = SendBuffered(ssl);
- WOLFSSL_LEAVE("SendServerHello", ret);
- WOLFSSL_END(WC_FUNC_SERVER_HELLO_SEND);
- return ret;
- }
- #if defined(HAVE_ECC)
- static byte SetCurveId(ecc_key* key)
- {
- if (key == NULL || key->dp == NULL) {
- WOLFSSL_MSG("SetCurveId: Invalid key!");
- return 0;
- }
- return (byte)GetCurveByOID(key->dp->oidSum);
- }
- #endif /* HAVE_ECC */
- typedef struct SskeArgs {
- byte* output; /* not allocated */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
- byte* exportBuf;
- #endif
- #ifndef NO_RSA
- byte* verifySig;
- #endif
- byte* input;
- word32 idx;
- word32 tmpSigSz;
- word32 length;
- word32 sigSz;
- #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
- !defined(NO_RSA)
- word32 sigDataSz;
- #endif
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
- word32 exportSz;
- #endif
- int sendSz;
- int inputSz;
- } SskeArgs;
- static void FreeSskeArgs(WOLFSSL* ssl, void* pArgs)
- {
- SskeArgs* args = (SskeArgs*)pArgs;
- (void)ssl;
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
- if (args->exportBuf) {
- XFREE(args->exportBuf, ssl->heap, DYNAMIC_TYPE_DER);
- args->exportBuf = NULL;
- }
- #endif
- #ifndef NO_RSA
- if (args->verifySig) {
- XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- args->verifySig = NULL;
- }
- #endif
- (void)args;
- }
- /* handle generation of server_key_exchange (12) */
- int SendServerKeyExchange(WOLFSSL* ssl)
- {
- int ret = 0;
- #ifdef WOLFSSL_ASYNC_IO
- SskeArgs* args = NULL;
- WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
- #else
- SskeArgs args[1];
- #endif
- WOLFSSL_START(WC_FUNC_SERVER_KEY_EXCHANGE_SEND);
- WOLFSSL_ENTER("SendServerKeyExchange");
- #ifdef WOLFSSL_ASYNC_IO
- if (ssl->async == NULL) {
- ssl->async = (struct WOLFSSL_ASYNC*)
- XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
- DYNAMIC_TYPE_ASYNC);
- if (ssl->async == NULL)
- ERROR_OUT(MEMORY_E, exit_sske);
- XMEMSET(ssl->async, 0, sizeof(struct WOLFSSL_ASYNC));
- }
- args = (SskeArgs*)ssl->async->args;
- #ifdef WOLFSSL_ASYNC_CRYPT
- ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
- if (ret != WC_NOT_PENDING_E) {
- /* Check for error */
- if (ret < 0)
- goto exit_sske;
- }
- else
- #endif
- if (ssl->options.buildingMsg) {
- /* We should be in the sending state. */
- if (ssl->options.asyncState != TLS_ASYNC_END) {
- ret = BAD_STATE_E;
- goto exit_sske;
- }
- }
- else
- #endif
- {
- /* Reset state */
- ret = 0;
- ssl->options.asyncState = TLS_ASYNC_BEGIN;
- XMEMSET(args, 0, sizeof(SskeArgs));
- #ifdef WOLFSSL_ASYNC_IO
- ssl->async->freeArgs = FreeSskeArgs;
- #endif
- }
- switch(ssl->options.asyncState)
- {
- case TLS_ASYNC_BEGIN:
- {
- /* Do some checks / debug msgs */
- switch(ssl->specs.kea)
- {
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && !defined(NO_PSK)
- case ecdhe_psk_kea:
- {
- WOLFSSL_MSG("Using ephemeral ECDH PSK");
- break;
- }
- #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
- #if defined(HAVE_ECC)
- case ecc_diffie_hellman_kea:
- {
- if (ssl->specs.static_ecdh) {
- WOLFSSL_MSG("Using Static ECDH, not sending "
- "ServerKeyExchange");
- ERROR_OUT(0, exit_sske);
- }
- WOLFSSL_MSG("Using ephemeral ECDH");
- break;
- }
- #endif /* HAVE_ECC */
- }
- /* Preparing keys */
- switch(ssl->specs.kea)
- {
- #ifndef NO_PSK
- case psk_kea:
- {
- /* Nothing to do in this sub-state */
- break;
- }
- #endif /* !NO_PSK */
- #if !defined(NO_DH) && (!defined(NO_PSK) || !defined(NO_RSA) \
- || (defined(HAVE_ANON) && !defined(WOLFSSL_NO_TLS12)))
- #if !defined(NO_PSK)
- case dhe_psk_kea:
- #endif
- #if !defined(NO_RSA) || (defined(HAVE_ANON) && \
- !defined(WOLFSSL_NO_TLS12))
- case diffie_hellman_kea:
- #endif
- #if (defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)) && !defined(HAVE_PUBLIC_FFDHE)
- if (ssl->namedGroup) {
- word32 pSz = 0;
- ret = wc_DhGetNamedKeyParamSize(ssl->namedGroup, &pSz,
- NULL, NULL);
- if (ret != 0)
- goto exit_sske;
- if (ssl->buffers.serverDH_Pub.buffer == NULL) {
- /* Free'd in SSL_ResourceFree and
- * FreeHandshakeResources */
- ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC(
- pSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- if (ssl->buffers.serverDH_Pub.buffer == NULL) {
- ERROR_OUT(MEMORY_E, exit_sske);
- }
- ssl->buffers.serverDH_Pub.length = pSz;
- }
- ssl->options.dhKeySz =(word16)pSz;
- pSz = wc_DhGetNamedKeyMinSize(ssl->namedGroup);
- if (ssl->buffers.serverDH_Priv.buffer == NULL) {
- /* Free'd in SSL_ResourceFree and
- * FreeHandshakeResources */
- ssl->buffers.serverDH_Priv.buffer = (byte*)XMALLOC(
- pSz, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
- if (ssl->buffers.serverDH_Priv.buffer == NULL) {
- ERROR_OUT(MEMORY_E, exit_sske);
- }
- ssl->buffers.serverDH_Priv.length = pSz;
- }
- ret = AllocKey(ssl, DYNAMIC_TYPE_DH,
- (void**)&ssl->buffers.serverDH_Key);
- if (ret != 0) {
- goto exit_sske;
- }
- ret = wc_DhSetNamedKey(ssl->buffers.serverDH_Key,
- ssl->namedGroup);
- if (ret != 0) {
- goto exit_sske;
- }
- #if !defined(WOLFSSL_OLD_PRIME_CHECK) && \
- !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
- ssl->options.dhKeyTested = 1;
- #endif
- #ifdef HAVE_SECURE_RENEGOTIATION
- /* Check that the DH public key buffer is large
- * enough to hold the key. This may occur on a
- * renegotiation when the key generated in the
- * initial handshake is shorter than the key
- * generated in the renegotiation. */
- if (ssl->buffers.serverDH_Pub.length <
- ssl->buffers.serverDH_P.length) {
- byte* tmp = (byte*)XREALLOC(
- ssl->buffers.serverDH_Pub.buffer,
- ssl->buffers.serverDH_P.length +
- OPAQUE16_LEN,
- ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- if (tmp == NULL)
- ERROR_OUT(MEMORY_E, exit_sske);
- ssl->buffers.serverDH_Pub.buffer = tmp;
- ssl->buffers.serverDH_Pub.length =
- ssl->buffers.serverDH_P.length + OPAQUE16_LEN;
- }
- #endif
- ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key,
- ssl->buffers.serverDH_Priv.buffer,
- (word32*)&ssl->buffers.serverDH_Priv.length,
- ssl->buffers.serverDH_Pub.buffer,
- (word32*)&ssl->buffers.serverDH_Pub.length);
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("DH private key buffer",
- ssl->buffers.serverDH_Priv.buffer,
- ssl->buffers.serverDH_Priv.length);
- #endif
- break;
- }
- else
- #endif
- {
- /* Allocate DH key buffers and generate key */
- if (ssl->buffers.serverDH_P.buffer == NULL ||
- ssl->buffers.serverDH_G.buffer == NULL) {
- ERROR_OUT(NO_DH_PARAMS, exit_sske);
- }
- if (ssl->buffers.serverDH_Pub.buffer == NULL) {
- /* Free'd in SSL_ResourceFree and FreeHandshakeResources */
- ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC(
- ssl->buffers.serverDH_P.length,
- ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- if (ssl->buffers.serverDH_Pub.buffer == NULL) {
- ERROR_OUT(MEMORY_E, exit_sske);
- }
- ssl->buffers.serverDH_Pub.length =
- ssl->buffers.serverDH_P.length;
- }
- if (ssl->buffers.serverDH_Priv.buffer == NULL) {
- /* Free'd in SSL_ResourceFree and FreeHandshakeResources */
- ssl->buffers.serverDH_Priv.buffer = (byte*)XMALLOC(
- ssl->buffers.serverDH_P.length,
- ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
- if (ssl->buffers.serverDH_Priv.buffer == NULL) {
- ERROR_OUT(MEMORY_E, exit_sske);
- }
- ssl->buffers.serverDH_Priv.length =
- ssl->buffers.serverDH_P.length;
- }
- ssl->options.dhKeySz =
- (word16)ssl->buffers.serverDH_P.length;
- ret = AllocKey(ssl, DYNAMIC_TYPE_DH,
- (void**)&ssl->buffers.serverDH_Key);
- if (ret != 0) {
- goto exit_sske;
- }
- #if !defined(WOLFSSL_OLD_PRIME_CHECK) && \
- !defined(HAVE_FIPS) && \
- !defined(HAVE_SELFTEST)
- if (ssl->options.dhDoKeyTest &&
- !ssl->options.dhKeyTested)
- {
- ret = wc_DhSetCheckKey(
- ssl->buffers.serverDH_Key,
- ssl->buffers.serverDH_P.buffer,
- ssl->buffers.serverDH_P.length,
- ssl->buffers.serverDH_G.buffer,
- ssl->buffers.serverDH_G.length,
- NULL, 0, 0, ssl->rng);
- if (ret != 0) {
- goto exit_sske;
- }
- ssl->options.dhKeyTested = 1;
- }
- else
- #endif
- {
- ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
- ssl->buffers.serverDH_P.buffer,
- ssl->buffers.serverDH_P.length,
- ssl->buffers.serverDH_G.buffer,
- ssl->buffers.serverDH_G.length);
- if (ret != 0) {
- goto exit_sske;
- }
- }
- #ifdef HAVE_SECURE_RENEGOTIATION
- /* Check that the DH public key buffer is large
- * enough to hold the key. This may occur on a
- * renegotiation when the key generated in the
- * initial handshake is shorter than the key
- * generated in the renegotiation. */
- if (ssl->buffers.serverDH_Pub.length <
- ssl->buffers.serverDH_P.length) {
- byte* tmp = (byte*)XREALLOC(
- ssl->buffers.serverDH_Pub.buffer,
- ssl->buffers.serverDH_P.length +
- OPAQUE16_LEN,
- ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- if (tmp == NULL)
- ERROR_OUT(MEMORY_E, exit_sske);
- ssl->buffers.serverDH_Pub.buffer = tmp;
- ssl->buffers.serverDH_Pub.length =
- ssl->buffers.serverDH_P.length + OPAQUE16_LEN;
- }
- #endif
- ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key,
- ssl->buffers.serverDH_Priv.buffer,
- (word32*)&ssl->buffers.serverDH_Priv.length,
- ssl->buffers.serverDH_Pub.buffer,
- (word32*)&ssl->buffers.serverDH_Pub.length);
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("DH private key buffer",
- ssl->buffers.serverDH_Priv.buffer,
- ssl->buffers.serverDH_Priv.length);
- #endif
- break;
- }
- #endif /* !NO_DH && (!NO_PSK || !NO_RSA) */
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && !defined(NO_PSK)
- case ecdhe_psk_kea:
- /* Fall through to create temp ECC key */
- #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
- #if defined(HAVE_ECC) || \
- ((defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)) && \
- (defined(HAVE_ED25519) || defined(HAVE_ED448) || \
- !defined(NO_RSA)))
- case ecc_diffie_hellman_kea:
- {
- #ifdef HAVE_CURVE25519
- if (ssl->ecdhCurveOID == ECC_X25519_OID) {
- /* need ephemeral key now, create it if missing */
- if (ssl->eccTempKey == NULL) {
- /* alloc/init on demand */
- ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519,
- (void**)&ssl->eccTempKey);
- if (ret != 0) {
- goto exit_sske;
- }
- }
- if (ssl->eccTempKeyPresent == 0) {
- ret = X25519MakeKey(ssl,
- (curve25519_key*)ssl->eccTempKey, NULL);
- if (ret == 0 || ret == WC_PENDING_E) {
- ssl->eccTempKeyPresent =
- DYNAMIC_TYPE_CURVE25519;
- }
- }
- break;
- }
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->ecdhCurveOID == ECC_X448_OID) {
- /* need ephemeral key now, create it if missing */
- if (ssl->eccTempKey == NULL) {
- /* alloc/init on demand */
- ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE448,
- (void**)&ssl->eccTempKey);
- if (ret != 0) {
- goto exit_sske;
- }
- }
- if (ssl->eccTempKeyPresent == 0) {
- ret = X448MakeKey(ssl,
- (curve448_key*)ssl->eccTempKey, NULL);
- if (ret == 0 || ret == WC_PENDING_E) {
- ssl->eccTempKeyPresent =
- DYNAMIC_TYPE_CURVE448;
- }
- }
- break;
- }
- #endif
- #ifdef HAVE_ECC
- /* need ephemeral key now, create it if missing */
- if (ssl->eccTempKey == NULL) {
- /* alloc/init on demand */
- ret = AllocKey(ssl, DYNAMIC_TYPE_ECC,
- (void**)&ssl->eccTempKey);
- if (ret != 0) {
- goto exit_sske;
- }
- }
- if (ssl->eccTempKeyPresent == 0) {
- ret = EccMakeKey(ssl, ssl->eccTempKey, NULL);
- if (ret == 0 || ret == WC_PENDING_E) {
- ssl->eccTempKeyPresent = DYNAMIC_TYPE_ECC;
- }
- }
- #endif
- break;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- default:
- /* Skip ServerKeyExchange */
- goto exit_sske;
- } /* switch(ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_sske;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_BUILD;
- } /* case TLS_ASYNC_BEGIN */
- FALL_THROUGH;
- case TLS_ASYNC_BUILD:
- {
- switch(ssl->specs.kea)
- {
- #ifndef NO_PSK
- case psk_kea:
- {
- args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- if (ssl->arrays->server_hint[0] == 0) {
- ERROR_OUT(0, exit_sske); /* don't send */
- }
- /* include size part */
- args->length = (word32)XSTRLEN(ssl->arrays->server_hint);
- if (args->length > MAX_PSK_ID_LEN) {
- ERROR_OUT(SERVER_HINT_ERROR, exit_sske);
- }
- args->length += HINT_LEN_SZ;
- args->sendSz = args->length + HANDSHAKE_HEADER_SZ +
- RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- }
- #endif
- if (IsEncryptionOn(ssl, 1)) {
- args->sendSz += MAX_MSG_EXTRA;
- }
- /* Use tmp buffer */
- args->input = (byte*)XMALLOC(args->sendSz,
- ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (args->input == NULL)
- ERROR_OUT(MEMORY_E, exit_sske);
- args->output = args->input;
- AddHeaders(args->output, args->length,
- server_key_exchange, ssl);
- /* key data */
- c16toa((word16)(args->length - HINT_LEN_SZ),
- args->output + args->idx);
- args->idx += HINT_LEN_SZ;
- XMEMCPY(args->output + args->idx,
- ssl->arrays->server_hint,
- args->length - HINT_LEN_SZ);
- break;
- }
- #endif /* !NO_PSK */
- #if !defined(NO_DH) && !defined(NO_PSK)
- case dhe_psk_kea:
- {
- word32 hintLen;
- args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- args->length = LENGTH_SZ * 3 + /* p, g, pub */
- ssl->buffers.serverDH_P.length +
- ssl->buffers.serverDH_G.length +
- ssl->buffers.serverDH_Pub.length;
- /* include size part */
- hintLen = (word32)XSTRLEN(ssl->arrays->server_hint);
- if (hintLen > MAX_PSK_ID_LEN) {
- ERROR_OUT(SERVER_HINT_ERROR, exit_sske);
- }
- args->length += hintLen + HINT_LEN_SZ;
- args->sendSz = args->length + HANDSHAKE_HEADER_SZ +
- RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- }
- #endif
- if (IsEncryptionOn(ssl, 1)) {
- args->sendSz += MAX_MSG_EXTRA;
- }
- /* Use tmp buffer */
- args->input = (byte*)XMALLOC(args->sendSz,
- ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (args->input == NULL)
- ERROR_OUT(MEMORY_E, exit_sske);
- args->output = args->input;
- AddHeaders(args->output, args->length,
- server_key_exchange, ssl);
- /* key data */
- c16toa((word16)hintLen, args->output + args->idx);
- args->idx += HINT_LEN_SZ;
- XMEMCPY(args->output + args->idx,
- ssl->arrays->server_hint, hintLen);
- args->idx += hintLen;
- /* add p, g, pub */
- c16toa((word16)ssl->buffers.serverDH_P.length,
- args->output + args->idx);
- args->idx += LENGTH_SZ;
- XMEMCPY(args->output + args->idx,
- ssl->buffers.serverDH_P.buffer,
- ssl->buffers.serverDH_P.length);
- args->idx += ssl->buffers.serverDH_P.length;
- /* g */
- c16toa((word16)ssl->buffers.serverDH_G.length,
- args->output + args->idx);
- args->idx += LENGTH_SZ;
- XMEMCPY(args->output + args->idx,
- ssl->buffers.serverDH_G.buffer,
- ssl->buffers.serverDH_G.length);
- args->idx += ssl->buffers.serverDH_G.length;
- /* pub */
- c16toa((word16)ssl->buffers.serverDH_Pub.length,
- args->output + args->idx);
- args->idx += LENGTH_SZ;
- XMEMCPY(args->output + args->idx,
- ssl->buffers.serverDH_Pub.buffer,
- ssl->buffers.serverDH_Pub.length);
- /* No need to update idx, since sizes are already set */
- /* args->idx += ssl->buffers.serverDH_Pub.length; */
- break;
- }
- #endif /* !defined(NO_DH) && !defined(NO_PSK) */
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && !defined(NO_PSK)
- case ecdhe_psk_kea:
- {
- word32 hintLen;
- /* curve type, named curve, length(1) */
- args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- args->length = ENUM_LEN + CURVE_LEN + ENUM_LEN;
- args->exportSz = MAX_EXPORT_ECC_SZ;
- args->exportBuf = (byte*)XMALLOC(MAX_EXPORT_ECC_SZ,
- ssl->heap, DYNAMIC_TYPE_DER);
- if (args->exportBuf == NULL) {
- ERROR_OUT(MEMORY_E, exit_sske);
- }
- #ifdef HAVE_CURVE25519
- if (ssl->ecdhCurveOID == ECC_X25519_OID) {
- if (wc_curve25519_export_public_ex(
- (curve25519_key*)ssl->eccTempKey,
- args->exportBuf, &args->exportSz,
- EC25519_LITTLE_ENDIAN) != 0) {
- ERROR_OUT(ECC_EXPORT_ERROR, exit_sske);
- }
- }
- else
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->ecdhCurveOID == ECC_X448_OID) {
- if (wc_curve448_export_public_ex(
- (curve448_key*)ssl->eccTempKey,
- args->exportBuf, &args->exportSz,
- EC448_LITTLE_ENDIAN) != 0) {
- ERROR_OUT(ECC_EXPORT_ERROR, exit_sske);
- }
- }
- else
- #endif
- {
- PRIVATE_KEY_UNLOCK();
- ret = wc_ecc_export_x963(ssl->eccTempKey,
- args->exportBuf, &args->exportSz);
- PRIVATE_KEY_LOCK();
- if (ret != 0) {
- ERROR_OUT(ECC_EXPORT_ERROR, exit_sske);
- }
- }
- args->length += args->exportSz;
- /* include size part */
- hintLen = (word32)XSTRLEN(ssl->arrays->server_hint);
- if (hintLen > MAX_PSK_ID_LEN) {
- ERROR_OUT(SERVER_HINT_ERROR, exit_sske);
- }
- args->length += hintLen + HINT_LEN_SZ;
- args->sendSz = args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- }
- #endif
- if (IsEncryptionOn(ssl, 1)) {
- args->sendSz += MAX_MSG_EXTRA;
- }
- /* Use tmp buffer */
- args->input = (byte*)XMALLOC(args->sendSz,
- ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (args->input == NULL)
- ERROR_OUT(MEMORY_E, exit_sske);
- args->output = args->input;
- /* key data */
- c16toa((word16)hintLen, args->output + args->idx);
- args->idx += HINT_LEN_SZ;
- XMEMCPY(args->output + args->idx,
- ssl->arrays->server_hint, hintLen);
- args->idx += hintLen;
- /* ECC key exchange data */
- args->output[args->idx++] = named_curve;
- args->output[args->idx++] = 0x00; /* leading zero */
- #ifdef HAVE_CURVE25519
- if (ssl->ecdhCurveOID == ECC_X25519_OID)
- args->output[args->idx++] = WOLFSSL_ECC_X25519;
- else
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->ecdhCurveOID == ECC_X448_OID)
- args->output[args->idx++] = WOLFSSL_ECC_X448;
- else
- #endif
- {
- #ifdef HAVE_ECC
- args->output[args->idx++] =
- SetCurveId(ssl->eccTempKey);
- #endif
- }
- args->output[args->idx++] = (byte)args->exportSz;
- XMEMCPY(args->output + args->idx, args->exportBuf,
- args->exportSz);
- break;
- }
- #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
- #if defined(HAVE_ECC) || \
- ((defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)) && \
- (defined(HAVE_ED25519) || defined(HAVE_ED448) || \
- !defined(NO_RSA)))
- case ecc_diffie_hellman_kea:
- {
- enum wc_HashType hashType;
- word32 preSigSz, preSigIdx;
- /* curve type, named curve, length(1) */
- args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- args->length = ENUM_LEN + CURVE_LEN + ENUM_LEN;
- /* Export temp ECC key and add to length */
- args->exportSz = MAX_EXPORT_ECC_SZ;
- args->exportBuf = (byte*)XMALLOC(MAX_EXPORT_ECC_SZ,
- ssl->heap, DYNAMIC_TYPE_DER);
- if (args->exportBuf == NULL) {
- ERROR_OUT(MEMORY_E, exit_sske);
- }
- #ifdef HAVE_CURVE25519
- if (ssl->ecdhCurveOID == ECC_X25519_OID) {
- if (wc_curve25519_export_public_ex(
- (curve25519_key*)ssl->eccTempKey,
- args->exportBuf, &args->exportSz,
- EC25519_LITTLE_ENDIAN) != 0) {
- ERROR_OUT(ECC_EXPORT_ERROR, exit_sske);
- }
- }
- else
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->ecdhCurveOID == ECC_X448_OID) {
- if (wc_curve448_export_public_ex(
- (curve448_key*)ssl->eccTempKey,
- args->exportBuf, &args->exportSz,
- EC448_LITTLE_ENDIAN) != 0) {
- ERROR_OUT(ECC_EXPORT_ERROR, exit_sske);
- }
- }
- else
- #endif
- {
- #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT)
- PRIVATE_KEY_UNLOCK();
- ret = wc_ecc_export_x963(ssl->eccTempKey,
- args->exportBuf, &args->exportSz);
- PRIVATE_KEY_LOCK();
- if (ret != 0) {
- ERROR_OUT(ECC_EXPORT_ERROR, exit_sske);
- }
- #endif
- }
- args->length += args->exportSz;
- preSigSz = args->length;
- preSigIdx = args->idx;
- if (ssl->buffers.key == NULL) {
- #ifdef HAVE_PK_CALLBACKS
- if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) {
- args->tmpSigSz = GetPrivateKeySigSize(ssl);
- if (args->tmpSigSz == 0) {
- ERROR_OUT(NO_PRIVATE_KEY, exit_sske);
- }
- }
- else
- #endif
- ERROR_OUT(NO_PRIVATE_KEY, exit_sske);
- }
- else {
- switch(ssl->options.sigAlgo) {
- #ifndef NO_RSA
- #ifdef WC_RSA_PSS
- case rsa_pss_sa_algo:
- #endif
- case rsa_sa_algo:
- {
- word16 keySz;
- ssl->buffers.keyType = rsa_sa_algo;
- ret = DecodePrivateKey(ssl, &keySz);
- if (ret != 0) {
- goto exit_sske;
- }
- args->tmpSigSz = (word32)keySz;
- break;
- }
- #endif /* !NO_RSA */
- #ifdef HAVE_ECC
- case ecc_dsa_sa_algo:
- {
- word16 keySz;
- ssl->buffers.keyType = ecc_dsa_sa_algo;
- ret = DecodePrivateKey(ssl, &keySz);
- if (ret != 0) {
- goto exit_sske;
- }
- /* worst case estimate */
- args->tmpSigSz = keySz;
- break;
- }
- #endif
- #ifdef HAVE_ED25519
- case ed25519_sa_algo:
- {
- word16 keySz;
- ssl->buffers.keyType = ed25519_sa_algo;
- ret = DecodePrivateKey(ssl, &keySz);
- if (ret != 0) {
- goto exit_sske;
- }
- /* worst case estimate */
- args->tmpSigSz = ED25519_SIG_SIZE;
- break;
- }
- #endif /* HAVE_ED25519 */
- #ifdef HAVE_ED448
- case ed448_sa_algo:
- {
- word16 keySz;
- ssl->buffers.keyType = ed448_sa_algo;
- ret = DecodePrivateKey(ssl, &keySz);
- if (ret != 0) {
- goto exit_sske;
- }
- /* worst case estimate */
- args->tmpSigSz = ED448_SIG_SIZE;
- break;
- }
- #endif /* HAVE_ED448 */
- default:
- ERROR_OUT(ALGO_ID_E, exit_sske); /* unsupported type */
- } /* switch(ssl->specs.sig_algo) */
- }
- /* sig length */
- args->length += LENGTH_SZ;
- args->length += args->tmpSigSz;
- if (IsAtLeastTLSv1_2(ssl)) {
- args->length += HASH_SIG_SIZE;
- }
- args->sendSz = args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- preSigIdx = args->idx;
- }
- #endif
- if (IsEncryptionOn(ssl, 1)) {
- args->sendSz += MAX_MSG_EXTRA;
- }
- /* Use tmp buffer */
- args->input = (byte*)XMALLOC(args->sendSz,
- ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (args->input == NULL)
- ERROR_OUT(MEMORY_E, exit_sske);
- args->output = args->input;
- /* record and message headers will be added below, when we're sure
- of the sig length */
- /* key exchange data */
- args->output[args->idx++] = named_curve;
- args->output[args->idx++] = 0x00; /* leading zero */
- #ifdef HAVE_CURVE25519
- if (ssl->ecdhCurveOID == ECC_X25519_OID)
- args->output[args->idx++] = WOLFSSL_ECC_X25519;
- else
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->ecdhCurveOID == ECC_X448_OID)
- args->output[args->idx++] = WOLFSSL_ECC_X448;
- else
- #endif
- {
- #ifdef HAVE_ECC
- args->output[args->idx++] =
- SetCurveId(ssl->eccTempKey);
- #endif
- }
- args->output[args->idx++] = (byte)args->exportSz;
- XMEMCPY(args->output + args->idx, args->exportBuf, args->exportSz);
- args->idx += args->exportSz;
- /* Determine hash type */
- if (IsAtLeastTLSv1_2(ssl)) {
- EncodeSigAlg(ssl->options.hashAlgo,
- ssl->options.sigAlgo,
- &args->output[args->idx]);
- args->idx += 2;
- hashType = HashAlgoToType(ssl->options.hashAlgo);
- if (hashType == WC_HASH_TYPE_NONE) {
- ERROR_OUT(ALGO_ID_E, exit_sske);
- }
- } else {
- /* only using sha and md5 for rsa */
- #ifndef NO_OLD_TLS
- hashType = WC_HASH_TYPE_SHA;
- if (ssl->options.sigAlgo == rsa_sa_algo) {
- hashType = WC_HASH_TYPE_MD5_SHA;
- }
- #else
- ERROR_OUT(ALGO_ID_E, exit_sske);
- #endif
- }
- /* Signature length will be written later, when we're sure what it is */
- #ifdef HAVE_FUZZER
- if (ssl->fuzzerCb) {
- ssl->fuzzerCb(ssl, args->output + preSigIdx,
- preSigSz, FUZZ_SIGNATURE, ssl->fuzzerCtx);
- }
- #endif
- ret = HashSkeData(ssl, hashType,
- args->output + preSigIdx, preSigSz,
- ssl->options.sigAlgo);
- if (ret != 0) {
- goto exit_sske;
- }
- args->sigSz = args->tmpSigSz;
- /* Sign hash to create signature */
- switch (ssl->options.sigAlgo)
- {
- #ifndef NO_RSA
- case rsa_sa_algo:
- {
- /* For TLS 1.2 re-encode signature */
- if (IsAtLeastTLSv1_2(ssl)) {
- byte* encodedSig = (byte*)XMALLOC(
- MAX_ENCODED_SIG_SZ, ssl->heap,
- DYNAMIC_TYPE_DIGEST);
- if (encodedSig == NULL) {
- ERROR_OUT(MEMORY_E, exit_sske);
- }
- ssl->buffers.digest.length =
- wc_EncodeSignature(encodedSig,
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- TypeHash(ssl->options.hashAlgo));
- /* Replace sig buffer with new one */
- if (!ssl->options.dontFreeDigest) {
- XFREE(ssl->buffers.digest.buffer,
- ssl->heap, DYNAMIC_TYPE_DIGEST);
- }
- ssl->options.dontFreeDigest = 0;
- ssl->buffers.digest.buffer = encodedSig;
- }
- /* write sig size here */
- c16toa((word16)args->sigSz,
- args->output + args->idx);
- args->idx += LENGTH_SZ;
- break;
- }
- #ifdef WC_RSA_PSS
- case rsa_pss_sa_algo:
- /* write sig size here */
- c16toa((word16)args->sigSz,
- args->output + args->idx);
- args->idx += LENGTH_SZ;
- break;
- #endif
- #endif /* !NO_RSA */
- case ecc_dsa_sa_algo:
- {
- break;
- }
- #ifdef HAVE_ED25519
- case ed25519_sa_algo:
- ret = Ed25519CheckPubKey(ssl);
- if (ret != 0)
- goto exit_sske;
- break;
- #endif /* HAVE_ED25519 */
- #ifdef HAVE_ED448
- case ed448_sa_algo:
- ret = Ed448CheckPubKey(ssl);
- if (ret != 0)
- goto exit_sske;
- break;
- #endif /* HAVE_ED448 */
- default:
- break;
- } /* switch(ssl->specs.sig_algo) */
- break;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #if !defined(NO_DH) && (!defined(NO_RSA) || \
- (defined(HAVE_ANON) && !defined(WOLFSSL_NO_TLS12)))
- case diffie_hellman_kea:
- {
- enum wc_HashType hashType;
- word32 preSigSz, preSigIdx;
- args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- args->length = LENGTH_SZ * 3; /* p, g, pub */
- args->length += ssl->buffers.serverDH_P.length +
- ssl->buffers.serverDH_G.length +
- ssl->buffers.serverDH_Pub.length;
- preSigIdx = args->idx;
- preSigSz = args->length;
- if (!ssl->options.usingAnon_cipher) {
- word16 keySz = 0;
- /* sig length */
- args->length += LENGTH_SZ;
- if (ssl->buffers.key == NULL) {
- #ifdef HAVE_PK_CALLBACKS
- if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx))
- keySz = (word32)GetPrivateKeySigSize(ssl);
- else
- #endif
- ERROR_OUT(NO_PRIVATE_KEY, exit_sske);
- }
- else
- {
- if (ssl->buffers.keyType == 0)
- ssl->buffers.keyType = rsa_sa_algo;
- ret = DecodePrivateKey(ssl, &keySz);
- if (ret != 0) {
- goto exit_sske;
- }
- }
- /* test if keySz has error */
- if (keySz == 0) {
- ERROR_OUT(keySz, exit_sske);
- }
- args->tmpSigSz = (word32)keySz;
- args->length += args->tmpSigSz;
- if (IsAtLeastTLSv1_2(ssl)) {
- args->length += HASH_SIG_SIZE;
- }
- }
- args->sendSz = args->length + HANDSHAKE_HEADER_SZ +
- RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- preSigIdx = args->idx;
- }
- #endif
- if (IsEncryptionOn(ssl, 1)) {
- args->sendSz += MAX_MSG_EXTRA;
- }
- /* Use tmp buffer */
- args->input = (byte*)XMALLOC(args->sendSz,
- ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (args->input == NULL)
- ERROR_OUT(MEMORY_E, exit_sske);
- args->output = args->input;
- AddHeaders(args->output, args->length,
- server_key_exchange, ssl);
- /* add p, g, pub */
- c16toa((word16)ssl->buffers.serverDH_P.length,
- args->output + args->idx);
- args->idx += LENGTH_SZ;
- XMEMCPY(args->output + args->idx,
- ssl->buffers.serverDH_P.buffer,
- ssl->buffers.serverDH_P.length);
- args->idx += ssl->buffers.serverDH_P.length;
- /* g */
- c16toa((word16)ssl->buffers.serverDH_G.length,
- args->output + args->idx);
- args->idx += LENGTH_SZ;
- XMEMCPY(args->output + args->idx,
- ssl->buffers.serverDH_G.buffer,
- ssl->buffers.serverDH_G.length);
- args->idx += ssl->buffers.serverDH_G.length;
- /* pub */
- c16toa((word16)ssl->buffers.serverDH_Pub.length,
- args->output + args->idx);
- args->idx += LENGTH_SZ;
- XMEMCPY(args->output + args->idx,
- ssl->buffers.serverDH_Pub.buffer,
- ssl->buffers.serverDH_Pub.length);
- args->idx += ssl->buffers.serverDH_Pub.length;
- #ifdef HAVE_FUZZER
- if (ssl->fuzzerCb) {
- ssl->fuzzerCb(ssl, args->output + preSigIdx,
- preSigSz, FUZZ_SIGNATURE, ssl->fuzzerCtx);
- }
- #endif
- if (ssl->options.usingAnon_cipher) {
- break;
- }
- /* Determine hash type */
- if (IsAtLeastTLSv1_2(ssl)) {
- EncodeSigAlg(ssl->options.hashAlgo,
- ssl->options.sigAlgo,
- &args->output[args->idx]);
- args->idx += 2;
- hashType = HashAlgoToType(ssl->options.hashAlgo);
- if (hashType == WC_HASH_TYPE_NONE) {
- ERROR_OUT(ALGO_ID_E, exit_sske);
- }
- } else {
- /* only using sha and md5 for rsa */
- #ifndef NO_OLD_TLS
- hashType = WC_HASH_TYPE_SHA;
- if (ssl->options.sigAlgo == rsa_sa_algo) {
- hashType = WC_HASH_TYPE_MD5_SHA;
- }
- #else
- ERROR_OUT(ALGO_ID_E, exit_sske);
- #endif
- }
- /* signature size */
- c16toa((word16)args->tmpSigSz, args->output + args->idx);
- args->idx += LENGTH_SZ;
- ret = HashSkeData(ssl, hashType,
- args->output + preSigIdx, preSigSz,
- ssl->options.sigAlgo);
- if (ret != 0) {
- goto exit_sske;
- }
- args->sigSz = args->tmpSigSz;
- /* Sign hash to create signature */
- switch (ssl->options.sigAlgo)
- {
- #ifndef NO_RSA
- case rsa_sa_algo:
- {
- /* For TLS 1.2 re-encode signature */
- if (IsAtLeastTLSv1_2(ssl)) {
- byte* encodedSig = (byte*)XMALLOC(
- MAX_ENCODED_SIG_SZ, ssl->heap,
- DYNAMIC_TYPE_DIGEST);
- if (encodedSig == NULL) {
- ERROR_OUT(MEMORY_E, exit_sske);
- }
- ssl->buffers.digest.length =
- wc_EncodeSignature(encodedSig,
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- TypeHash(ssl->options.hashAlgo));
- /* Replace sig buffer with new one */
- if (!ssl->options.dontFreeDigest) {
- XFREE(ssl->buffers.digest.buffer,
- ssl->heap, DYNAMIC_TYPE_DIGEST);
- }
- ssl->options.dontFreeDigest = 0;
- ssl->buffers.digest.buffer = encodedSig;
- }
- break;
- }
- #endif /* NO_RSA */
- default:
- break;
- } /* switch (ssl->options.sigAlgo) */
- break;
- }
- #endif /* !defined(NO_DH) && !defined(NO_RSA) */
- default:
- break;
- } /* switch(ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_sske;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_DO;
- } /* case TLS_ASYNC_BUILD */
- FALL_THROUGH;
- case TLS_ASYNC_DO:
- {
- switch(ssl->specs.kea)
- {
- #ifndef NO_PSK
- case psk_kea:
- {
- break;
- }
- #endif /* !NO_PSK */
- #if !defined(NO_DH) && !defined(NO_PSK)
- case dhe_psk_kea:
- {
- break;
- }
- #endif /* !defined(NO_DH) && !defined(NO_PSK) */
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && !defined(NO_PSK)
- case ecdhe_psk_kea:
- {
- break;
- }
- #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- case ecc_diffie_hellman_kea:
- {
- /* Sign hash to create signature */
- switch (ssl->options.sigAlgo)
- {
- #ifndef NO_RSA
- #ifdef WC_RSA_PSS
- case rsa_pss_sa_algo:
- #endif
- case rsa_sa_algo:
- {
- RsaKey* key = (RsaKey*)ssl->hsKey;
- ret = RsaSign(ssl,
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- args->output + args->idx,
- &args->sigSz,
- ssl->options.sigAlgo, ssl->options.hashAlgo,
- key,
- ssl->buffers.key
- );
- break;
- }
- #endif /* !NO_RSA */
- #ifdef HAVE_ECC
- case ecc_dsa_sa_algo:
- {
- ecc_key* key = (ecc_key*)ssl->hsKey;
- ret = EccSign(ssl,
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- args->output + LENGTH_SZ + args->idx,
- &args->sigSz,
- key,
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.key
- #else
- NULL
- #endif
- );
- break;
- }
- #endif /* HAVE_ECC */
- #ifdef HAVE_ED25519
- case ed25519_sa_algo:
- {
- ed25519_key* key = (ed25519_key*)ssl->hsKey;
- ret = Ed25519Sign(ssl,
- ssl->buffers.sig.buffer,
- ssl->buffers.sig.length,
- args->output + LENGTH_SZ + args->idx,
- &args->sigSz,
- key,
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.key
- #else
- NULL
- #endif
- );
- break;
- }
- #endif
- #ifdef HAVE_ED448
- case ed448_sa_algo:
- {
- ed448_key* key = (ed448_key*)ssl->hsKey;
- ret = Ed448Sign(ssl,
- ssl->buffers.sig.buffer,
- ssl->buffers.sig.length,
- args->output + LENGTH_SZ + args->idx,
- &args->sigSz,
- key,
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.key
- #else
- NULL
- #endif
- );
- break;
- }
- #endif
- default:
- ERROR_OUT(ALGO_ID_E, exit_sske);
- } /* switch(ssl->specs.sig_algo) */
- break;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #if !defined(NO_DH) && !defined(NO_RSA)
- case diffie_hellman_kea:
- {
- /* Sign hash to create signature */
- switch (ssl->options.sigAlgo)
- {
- #ifndef NO_RSA
- #ifdef WC_RSA_PSS
- case rsa_pss_sa_algo:
- #endif
- case rsa_sa_algo:
- {
- RsaKey* key = (RsaKey*)ssl->hsKey;
- if (ssl->options.usingAnon_cipher) {
- break;
- }
- ret = RsaSign(ssl,
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- args->output + args->idx,
- &args->sigSz,
- ssl->options.sigAlgo, ssl->options.hashAlgo,
- key,
- ssl->buffers.key
- );
- break;
- }
- #endif /* NO_RSA */
- default:
- break;
- } /* switch (ssl->options.sigAlgo) */
- break;
- }
- #endif /* !defined(NO_DH) && !defined(NO_RSA) */
- default:
- break;
- } /* switch(ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_sske;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_VERIFY;
- } /* case TLS_ASYNC_DO */
- FALL_THROUGH;
- case TLS_ASYNC_VERIFY:
- {
- switch(ssl->specs.kea)
- {
- #ifndef NO_PSK
- case psk_kea:
- {
- /* Nothing to do in this sub-state */
- break;
- }
- #endif /* !NO_PSK */
- #if !defined(NO_DH) && !defined(NO_PSK)
- case dhe_psk_kea:
- {
- /* Nothing to do in this sub-state */
- break;
- }
- #endif /* !defined(NO_DH) && !defined(NO_PSK) */
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && !defined(NO_PSK)
- case ecdhe_psk_kea:
- {
- /* Nothing to do in this sub-state */
- break;
- }
- #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- case ecc_diffie_hellman_kea:
- {
- switch(ssl->options.sigAlgo)
- {
- #ifndef NO_RSA
- #ifdef WC_RSA_PSS
- case rsa_pss_sa_algo:
- #endif
- case rsa_sa_algo:
- {
- RsaKey* key = (RsaKey*)ssl->hsKey;
- if (args->verifySig == NULL) {
- if (args->sigSz == 0) {
- ERROR_OUT(BAD_COND_E, exit_sske);
- }
- args->verifySig = (byte*)XMALLOC(
- args->sigSz, ssl->heap,
- DYNAMIC_TYPE_SIGNATURE);
- if (!args->verifySig) {
- ERROR_OUT(MEMORY_E, exit_sske);
- }
- XMEMCPY(args->verifySig,
- args->output + args->idx, args->sigSz);
- }
- /* check for signature faults */
- ret = VerifyRsaSign(ssl,
- args->verifySig, args->sigSz,
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- ssl->options.sigAlgo, ssl->options.hashAlgo,
- key, ssl->buffers.key
- );
- break;
- }
- #endif
- case ecc_dsa_sa_algo:
- #ifdef WOLFSSL_CHECK_SIG_FAULTS
- {
- ecc_key* key = (ecc_key*)ssl->hsKey;
- ret = EccVerify(ssl,
- args->output + LENGTH_SZ + args->idx,
- args->sigSz,
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- key,
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.key
- #else
- NULL
- #endif
- );
- if (ret != 0) {
- WOLFSSL_MSG(
- "Failed to verify ECC signature");
- goto exit_sske;
- }
- }
- #if defined(HAVE_E25519) || defined(HAVE_ED448)
- FALL_THROUGH;
- #endif
- #endif /* WOLFSSL_CHECK_SIG_FAULTS */
- #ifdef HAVE_ED25519
- case ed25519_sa_algo:
- #endif
- #ifdef HAVE_ED448
- case ed448_sa_algo:
- #endif
- {
- /* Now that we know the real sig size, write it. */
- c16toa((word16)args->sigSz,
- args->output + args->idx);
- /* And adjust length and sendSz from estimates */
- args->length += args->sigSz - args->tmpSigSz;
- args->sendSz += args->sigSz - args->tmpSigSz;
- break;
- }
- default:
- ERROR_OUT(ALGO_ID_E, exit_sske); /* unsupported type */
- } /* switch(ssl->specs.sig_algo) */
- break;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #if !defined(NO_DH) && !defined(NO_RSA)
- case diffie_hellman_kea:
- {
- switch (ssl->options.sigAlgo)
- {
- #ifndef NO_RSA
- #ifndef WC_RSA_PSS
- case rsa_pss_sa_algo:
- #endif
- case rsa_sa_algo:
- {
- RsaKey* key = (RsaKey*)ssl->hsKey;
- if (ssl->options.usingAnon_cipher) {
- break;
- }
- if (args->verifySig == NULL) {
- if (args->sigSz == 0) {
- ERROR_OUT(BAD_COND_E, exit_sske);
- }
- args->verifySig = (byte*)XMALLOC(
- args->sigSz, ssl->heap,
- DYNAMIC_TYPE_SIGNATURE);
- if (!args->verifySig) {
- ERROR_OUT(MEMORY_E, exit_sske);
- }
- XMEMCPY(args->verifySig,
- args->output + args->idx, args->sigSz);
- }
- /* check for signature faults */
- ret = VerifyRsaSign(ssl,
- args->verifySig, args->sigSz,
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- ssl->options.sigAlgo, ssl->options.hashAlgo,
- key, ssl->buffers.key
- );
- break;
- }
- #endif
- } /* switch (ssl->options.sigAlgo) */
- break;
- }
- #endif /* !defined(NO_DH) && !defined(NO_RSA) */
- default:
- break;
- } /* switch(ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_sske;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_FINALIZE;
- } /* case TLS_ASYNC_VERIFY */
- FALL_THROUGH;
- case TLS_ASYNC_FINALIZE:
- {
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- if (ssl->specs.kea == ecdhe_psk_kea ||
- ssl->specs.kea == ecc_diffie_hellman_kea) {
- /* Check output to make sure it was set */
- if (args->output) {
- AddHeaders(args->output, args->length,
- server_key_exchange, ssl);
- }
- else {
- ERROR_OUT(BUFFER_ERROR, exit_sske);
- }
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_END;
- } /* case TLS_ASYNC_FINALIZE */
- FALL_THROUGH;
- case TLS_ASYNC_END:
- {
- ret = SendHandshakeMsg(ssl, args->output, args->length,
- server_key_exchange, "ServerKeyExchange");
- if (ret != 0)
- goto exit_sske;
- ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
- break;
- }
- default:
- ret = INPUT_CASE_ERROR;
- } /* switch(ssl->options.asyncState) */
- exit_sske:
- WOLFSSL_LEAVE("SendServerKeyExchange", ret);
- WOLFSSL_END(WC_FUNC_SERVER_KEY_EXCHANGE_SEND);
- #ifdef WOLFSSL_ASYNC_IO
- /* Handle async operation */
- if (ret == WANT_WRITE
- #ifdef WOLFSSL_ASYNC_CRYPT
- || ret == WC_PENDING_E
- #endif
- )
- return ret;
- #endif /* WOLFSSL_ASYNC_IO */
- /* Final cleanup */
- if (
- #ifdef WOLFSSL_ASYNC_IO
- args != NULL &&
- #endif
- args->input != NULL) {
- XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- args->input = NULL;
- }
- #ifdef WOLFSSL_ASYNC_IO
- /* Cleanup async */
- FreeAsyncCtx(ssl, 0);
- #else
- FreeSskeArgs(ssl, args);
- #endif
- FreeKeyExchange(ssl);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- return ret;
- }
- #if defined(HAVE_SERVER_RENEGOTIATION_INFO) || defined(HAVE_FALLBACK_SCSV) || \
- defined(OPENSSL_ALL)
- /* search suites for specific one, idx on success, negative on error */
- static int FindSuite(Suites* suites, byte first, byte second)
- {
- int i;
- if (suites == NULL || suites->suiteSz == 0) {
- WOLFSSL_MSG("Suites pointer error or suiteSz 0");
- return SUITES_ERROR;
- }
- for (i = 0; i < suites->suiteSz-1; i += SUITE_LEN) {
- if (suites->suites[i] == first &&
- suites->suites[i+1] == second )
- return i;
- }
- return MATCH_SUITE_ERROR;
- }
- #endif
- #endif /* !WOLFSSL_NO_TLS12 */
- /* Make sure server cert/key are valid for this suite, true on success
- * Returns 1 for valid server suite or 0 if not found
- * For asynchronous this can return WC_PENDING_E
- */
- static int VerifyServerSuite(const WOLFSSL* ssl, const Suites* suites,
- word16 idx, CipherSuite* cs, TLSX* extensions)
- {
- #ifndef NO_PSK
- int havePSK = ssl->options.havePSK;
- #endif
- byte first;
- byte second;
- (void)cs;
- (void)extensions;
- WOLFSSL_ENTER("VerifyServerSuite");
- if (suites == NULL) {
- WOLFSSL_MSG("Suites pointer error");
- return 0;
- }
- first = suites->suites[idx];
- second = suites->suites[idx+1];
- if (CipherRequires(first, second, REQUIRES_RSA)) {
- WOLFSSL_MSG("Requires RSA");
- if (ssl->options.haveRSA == 0) {
- WOLFSSL_MSG("Don't have RSA");
- return 0;
- }
- }
- if (CipherRequires(first, second, REQUIRES_DHE)) {
- WOLFSSL_MSG("Requires DHE");
- if (ssl->options.haveDH == 0) {
- WOLFSSL_MSG("Don't have DHE");
- return 0;
- }
- }
- if (CipherRequires(first, second, REQUIRES_ECC)) {
- WOLFSSL_MSG("Requires ECC");
- if (ssl->options.haveECC == 0) {
- WOLFSSL_MSG("Don't have ECC");
- return 0;
- }
- }
- if (CipherRequires(first, second, REQUIRES_ECC_STATIC)) {
- WOLFSSL_MSG("Requires static ECC");
- if (ssl->options.haveStaticECC == 0) {
- WOLFSSL_MSG("Don't have static ECC");
- return 0;
- }
- }
- if (CipherRequires(first, second, REQUIRES_PSK)) {
- WOLFSSL_MSG("Requires PSK");
- #ifndef NO_PSK
- if (havePSK == 0)
- #endif
- {
- WOLFSSL_MSG("Don't have PSK");
- return 0;
- }
- }
- if (CipherRequires(first, second, REQUIRES_RSA_SIG)) {
- WOLFSSL_MSG("Requires RSA Signature");
- if (ssl->options.side == WOLFSSL_SERVER_END &&
- ssl->options.haveECDSAsig == 1) {
- WOLFSSL_MSG("Don't have RSA Signature");
- return 0;
- }
- }
- #if !defined(WOLFSSL_OLDTLS_AEAD_CIPHERSUITES)
- if (CipherRequires(first, second, REQUIRES_AEAD)) {
- WOLFSSL_MSG("Requires AEAD");
- if (ssl->version.major == SSLv3_MAJOR &&
- ssl->version.minor < TLSv1_2_MINOR) {
- WOLFSSL_MSG("Version of SSL does not support AEAD ciphers");
- return 0;
- }
- }
- #endif
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && defined(HAVE_SUPPORTED_CURVES)
- if (!TLSX_ValidateSupportedCurves(ssl, first, second,
- &cs->ecdhCurveOID)) {
- WOLFSSL_MSG("Don't have matching curves");
- return 0;
- }
- #endif
- #ifdef WOLFSSL_TLS13
- if (IsAtLeastTLSv1_3(ssl->version) &&
- ssl->options.side == WOLFSSL_SERVER_END) {
- #ifdef HAVE_SUPPORTED_CURVES
- byte searched = 0;
- int ret = TLSX_KeyShare_Choose(ssl, extensions, &cs->clientKSE,
- &searched);
- if (ret == MEMORY_E) {
- WOLFSSL_MSG("TLSX_KeyShare_Choose() failed in "
- "VerifyServerSuite() with MEMORY_E");
- return 0;
- }
- if (cs->clientKSE == NULL && searched)
- cs->doHelloRetry = 1;
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E)
- return ret;
- #endif
- if (!cs->doHelloRetry && ret != 0)
- return 0; /* not found */
- #endif /* HAVE_SUPPORTED_CURVES */
- }
- else if (first == TLS13_BYTE || (first == ECC_BYTE &&
- (second == TLS_SHA256_SHA256 || second == TLS_SHA384_SHA384))) {
- /* Can't negotiate TLS 1.3 cipher suites with lower protocol
- * version. */
- return 0;
- }
- #endif /* WOLFSSL_TLS13 */
- return 1;
- }
- static int CompareSuites(const WOLFSSL* ssl, const Suites* suites,
- Suites* peerSuites, word16 i, word16 j,
- CipherSuite* cs, TLSX* extensions)
- {
- if (suites->suites[i] == peerSuites->suites[j] &&
- suites->suites[i+1] == peerSuites->suites[j+1] ) {
- int ret = VerifyServerSuite(ssl, suites, i, cs, extensions);
- if (ret < 0) {
- return ret;
- }
- if (ret) {
- WOLFSSL_MSG("Verified suite validity");
- cs->cipherSuite0 = suites->suites[i];
- cs->cipherSuite = suites->suites[i+1];
- return 0;
- }
- else {
- WOLFSSL_MSG("Could not verify suite validity, continue");
- }
- }
- return MATCH_SUITE_ERROR;
- }
- int MatchSuite_ex(const WOLFSSL* ssl, Suites* peerSuites, CipherSuite* cs,
- TLSX* extensions)
- {
- int ret;
- word16 i, j;
- const Suites* suites = WOLFSSL_SUITES(ssl);
- WOLFSSL_ENTER("MatchSuite");
- /* & 0x1 equivalent % 2 */
- if (peerSuites->suiteSz == 0 || peerSuites->suiteSz & 0x1)
- return BUFFER_ERROR;
- if (suites == NULL)
- return SUITES_ERROR;
- if (!ssl->options.useClientOrder) {
- /* Server order */
- for (i = 0; i < suites->suiteSz; i += 2) {
- for (j = 0; j < peerSuites->suiteSz; j += 2) {
- ret = CompareSuites(ssl, suites, peerSuites, i, j, cs, extensions);
- if (ret != MATCH_SUITE_ERROR)
- return ret;
- }
- }
- }
- else {
- /* Client order */
- for (j = 0; j < peerSuites->suiteSz; j += 2) {
- for (i = 0; i < suites->suiteSz; i += 2) {
- ret = CompareSuites(ssl, suites, peerSuites, i, j, cs, extensions);
- if (ret != MATCH_SUITE_ERROR)
- return ret;
- }
- }
- }
- WOLFSSL_ERROR_VERBOSE(MATCH_SUITE_ERROR);
- return MATCH_SUITE_ERROR;
- }
- int MatchSuite(WOLFSSL* ssl, Suites* peerSuites)
- {
- int ret;
- CipherSuite cs;
- XMEMSET(&cs, 0, sizeof(cs));
- ret = MatchSuite_ex(ssl, peerSuites, &cs,
- #ifdef HAVE_TLS_EXTENSIONS
- ssl->extensions
- #else
- NULL
- #endif
- );
- if (ret != 0)
- return ret;
- ssl->options.cipherSuite0 = cs.cipherSuite0;
- ssl->options.cipherSuite = cs.cipherSuite;
- #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_CURVE25519) || \
- defined(HAVE_ED448) || defined(HAVE_CURVE448)
- ssl->ecdhCurveOID = cs.ecdhCurveOID;
- #endif
- ret = SetCipherSpecs(ssl);
- if (ret != 0)
- return ret;
- ret = PickHashSigAlgo(ssl, peerSuites->hashSigAlgo,
- peerSuites->hashSigAlgoSz);
- if (ret != 0)
- return ret;
- #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
- if (cs.doHelloRetry) {
- ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
- return TLSX_KeyShare_SetSupported(ssl, &ssl->extensions);
- }
- #endif
- #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
- if (IsAtLeastTLSv1_3(ssl->version) &&
- ssl->options.side == WOLFSSL_SERVER_END) {
- ret = TLSX_KeyShare_Setup(ssl, cs.clientKSE);
- if (ret != 0)
- return ret;
- }
- #endif
- return ret;
- }
- #ifdef OLD_HELLO_ALLOWED
- /* process old style client hello, deprecate? */
- int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
- word32 inSz, word16 sz)
- {
- word32 idx = *inOutIdx;
- word16 sessionSz;
- word16 randomSz;
- word16 i, j;
- ProtocolVersion pv;
- Suites clSuites;
- int ret = -1;
- (void)inSz;
- WOLFSSL_MSG("Got old format client hello");
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "ClientHello");
- if (ssl->toInfoOn)
- AddLateName("ClientHello", &ssl->timeoutInfo);
- #endif
- /* manually hash input since different format */
- #ifndef NO_OLD_TLS
- #ifndef NO_MD5
- wc_Md5Update(&ssl->hsHashes->hashMd5, input + idx, sz);
- #endif
- #ifndef NO_SHA
- wc_ShaUpdate(&ssl->hsHashes->hashSha, input + idx, sz);
- #endif
- #endif
- #ifndef NO_SHA256
- if (IsAtLeastTLSv1_2(ssl)) {
- int shaRet = wc_Sha256Update(&ssl->hsHashes->hashSha256,
- input + idx, sz);
- if (shaRet != 0)
- return shaRet;
- }
- #endif
- /* does this value mean client_hello? */
- idx++;
- /* version */
- pv.major = input[idx++];
- pv.minor = input[idx++];
- ssl->chVersion = pv; /* store */
- if (ssl->version.minor > pv.minor) {
- byte haveRSA = 0;
- byte havePSK = 0;
- int keySz = 0;
- if (!ssl->options.downgrade) {
- WOLFSSL_MSG("Client trying to connect with lesser version");
- return VERSION_ERROR;
- }
- if (pv.minor < ssl->options.minDowngrade) {
- WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
- return VERSION_ERROR;
- }
- if (pv.minor == SSLv3_MINOR) {
- /* turn off tls */
- WOLFSSL_MSG("\tdowngrading to SSLv3");
- ssl->options.tls = 0;
- ssl->options.tls1_1 = 0;
- ssl->version.minor = SSLv3_MINOR;
- }
- else if (pv.minor == TLSv1_MINOR) {
- WOLFSSL_MSG("\tdowngrading to TLSv1");
- /* turn off tls 1.1+ */
- ssl->options.tls1_1 = 0;
- ssl->version.minor = TLSv1_MINOR;
- }
- else if (pv.minor == TLSv1_1_MINOR) {
- WOLFSSL_MSG("\tdowngrading to TLSv1.1");
- ssl->version.minor = TLSv1_1_MINOR;
- }
- else if (pv.minor == TLSv1_2_MINOR) {
- WOLFSSL_MSG(" downgrading to TLSv1.2");
- ssl->version.minor = TLSv1_2_MINOR;
- }
- #ifndef NO_RSA
- haveRSA = 1;
- #endif
- #ifndef NO_PSK
- havePSK = ssl->options.havePSK;
- #endif
- #ifndef NO_CERTS
- keySz = ssl->buffers.keySz;
- #endif
- ret = AllocateSuites(ssl);
- if (ret != 0)
- return ret;
- InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
- ssl->options.haveDH, ssl->options.haveECDSAsig,
- ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
- ssl->options.haveFalconSig,
- ssl->options.haveDilithiumSig, ssl->options.haveAnon,
- TRUE, ssl->options.side);
- }
- /* suite size */
- ato16(&input[idx], &clSuites.suiteSz);
- idx += OPAQUE16_LEN;
- if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ)
- return BUFFER_ERROR;
- /* Make sure the suiteSz is a multiple of 3. (Old Client Hello) */
- if (clSuites.suiteSz % 3 != 0)
- return BUFFER_ERROR;
- clSuites.hashSigAlgoSz = 0;
- /* session size */
- ato16(&input[idx], &sessionSz);
- idx += OPAQUE16_LEN;
- if (sessionSz > ID_LEN)
- return BUFFER_ERROR;
- /* random size */
- ato16(&input[idx], &randomSz);
- idx += OPAQUE16_LEN;
- if (randomSz > RAN_LEN)
- return BUFFER_ERROR;
- /* suites */
- for (i = 0, j = 0; i < clSuites.suiteSz; i += 3) {
- byte first = input[idx++];
- if (!first) { /* implicit: skip sslv2 type */
- XMEMCPY(&clSuites.suites[j], &input[idx], SUITE_LEN);
- j += SUITE_LEN;
- }
- idx += SUITE_LEN;
- }
- clSuites.suiteSz = j;
- /* session id */
- if (sessionSz) {
- XMEMCPY(ssl->arrays->sessionID, input + idx, sessionSz);
- ssl->arrays->sessionIDSz = (byte)sessionSz;
- idx += sessionSz;
- ssl->options.resuming = 1;
- }
- /* random */
- if (randomSz < RAN_LEN)
- XMEMSET(ssl->arrays->clientRandom, 0, RAN_LEN - randomSz);
- XMEMCPY(&ssl->arrays->clientRandom[RAN_LEN - randomSz], input + idx,
- randomSz);
- idx += randomSz;
- if (ssl->options.usingCompression)
- ssl->options.usingCompression = 0; /* turn off */
- ssl->options.clientState = CLIENT_HELLO_COMPLETE;
- ssl->cbmode = SSL_CB_MODE_WRITE;
- *inOutIdx = idx;
- ssl->options.haveSessionId = 1;
- /* DoClientHello uses same resume code */
- if (ssl->options.resuming) { /* let's try */
- WOLFSSL_SESSION* session;
- #ifdef HAVE_SESSION_TICKET
- if (ssl->options.useTicket == 1) {
- session = ssl->session;
- }
- else
- #endif
- {
- session = wolfSSL_GetSession(ssl, ssl->arrays->masterSecret, 1);
- }
- if (!session) {
- WOLFSSL_MSG("Session lookup for resume failed");
- ssl->options.resuming = 0;
- } else {
- if (MatchSuite(ssl, &clSuites) < 0) {
- WOLFSSL_MSG("Unsupported cipher suite, OldClientHello");
- return UNSUPPORTED_SUITE;
- }
- ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom,
- RAN_LEN);
- if (ret != 0)
- return ret;
- #ifdef NO_OLD_TLS
- ret = DeriveTlsKeys(ssl);
- #else
- #ifndef NO_TLS
- if (ssl->options.tls)
- ret = DeriveTlsKeys(ssl);
- #endif
- if (!ssl->options.tls)
- ret = DeriveKeys(ssl);
- #endif
- /* SERVER: peer auth based on session secret. */
- ssl->options.peerAuthGood = (ret == 0);
- ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
- return ret;
- }
- }
- ret = MatchSuite(ssl, &clSuites);
- if (ret != 0)return ret;
- return SanityCheckMsgReceived(ssl, client_hello);
- }
- #endif /* OLD_HELLO_ALLOWED */
- #ifndef WOLFSSL_NO_TLS12
- /**
- * Handles session resumption.
- * Session tickets are checked for validity based on the time each ticket
- * was created, timeout value and the current time. If the tickets are
- * judged expired, falls back to full-handshake. If you want disable this
- * session ticket validation check in TLS1.2 and below, define
- * WOLFSSL_NO_TICKET_EXPIRE.
- */
- int HandleTlsResumption(WOLFSSL* ssl, int bogusID, Suites* clSuites)
- {
- int ret = 0;
- WOLFSSL_SESSION* session;
- (void)bogusID;
- #ifdef HAVE_SESSION_TICKET
- if (ssl->options.useTicket == 1) {
- session = ssl->session;
- }
- else if (bogusID == 1 && ssl->options.rejectTicket == 0) {
- WOLFSSL_MSG("Bogus session ID without session ticket");
- return BUFFER_ERROR;
- }
- else
- #endif
- {
- session = wolfSSL_GetSession(ssl, ssl->arrays->masterSecret, 1);
- }
- if (!session) {
- WOLFSSL_MSG("Session lookup for resume failed");
- ssl->options.resuming = 0;
- return ret;
- }
- #if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_TICKET_EXPIRE) && \
- !defined(NO_ASN_TIME)
- /* check if the ticket is valid */
- if (LowResTimer() > session->bornOn + ssl->timeout) {
- WOLFSSL_MSG("Expired session ticket, fall back to full handshake.");
- ssl->options.resuming = 0;
- }
- #endif /* HAVE_SESSION_TICKET && !WOLFSSL_NO_TICKET_EXPIRE && !NO_ASN_TIME */
- else if (session->haveEMS != ssl->options.haveEMS) {
- /* RFC 7627, 5.3, server-side */
- /* if old sess didn't have EMS, but new does, full handshake */
- if (!session->haveEMS && ssl->options.haveEMS) {
- WOLFSSL_MSG("Attempting to resume a session that didn't "
- "use EMS with a new session with EMS. Do full "
- "handshake.");
- ssl->options.resuming = 0;
- }
- /* if old sess used EMS, but new doesn't, MUST abort */
- else if (session->haveEMS && !ssl->options.haveEMS) {
- WOLFSSL_MSG("Trying to resume a session with EMS without "
- "using EMS");
- #ifdef WOLFSSL_EXTRA_ALERTS
- SendAlert(ssl, alert_fatal, handshake_failure);
- #endif
- ret = EXT_MASTER_SECRET_NEEDED_E;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- else {
- #ifndef NO_RESUME_SUITE_CHECK
- int j;
- /* Check client suites include the one in session */
- for (j = 0; j < clSuites->suiteSz; j += 2) {
- if (clSuites->suites[j] == session->cipherSuite0 &&
- clSuites->suites[j+1] == session->cipherSuite) {
- break;
- }
- }
- if (j == clSuites->suiteSz) {
- WOLFSSL_MSG("Prev session's cipher suite not in ClientHello");
- #ifdef WOLFSSL_EXTRA_ALERTS
- SendAlert(ssl, alert_fatal, illegal_parameter);
- #endif
- ret = UNSUPPORTED_SUITE;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- #endif
- if (ret == 0 && ssl->options.resuming) {
- /* for resumption use the cipher suite from session */
- ssl->options.cipherSuite0 = session->cipherSuite0;
- ssl->options.cipherSuite = session->cipherSuite;
- ret = SetCipherSpecs(ssl);
- if (ret == 0) {
- ret = PickHashSigAlgo(ssl, clSuites->hashSigAlgo,
- clSuites->hashSigAlgoSz);
- }
- }
- else if (ret == 0) {
- if (MatchSuite(ssl, clSuites) < 0) {
- WOLFSSL_MSG("Unsupported cipher suite, ClientHello");
- ret = UNSUPPORTED_SUITE;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- if (ret == 0) {
- ret = wc_RNG_GenerateBlock(ssl->rng,
- ssl->arrays->serverRandom, RAN_LEN);
- }
- if (ret == 0) {
- #ifdef NO_OLD_TLS
- ret = DeriveTlsKeys(ssl);
- #else
- #ifndef NO_TLS
- if (ssl->options.tls)
- ret = DeriveTlsKeys(ssl);
- #endif
- if (!ssl->options.tls)
- ret = DeriveKeys(ssl);
- #endif
- /* SERVER: peer auth based on session secret. */
- ssl->options.peerAuthGood = (ret == 0);
- ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
- }
- }
- return ret;
- }
- /* handle processing of client_hello (1) */
- int DoClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
- word32 helloSz)
- {
- byte b;
- byte bogusID = 0; /* flag for a bogus session id */
- ProtocolVersion pv;
- #ifdef WOLFSSL_SMALL_STACK
- Suites* clSuites = NULL;
- #else
- Suites clSuites[1];
- #endif
- word32 i = *inOutIdx;
- word32 begin = i;
- int ret = 0;
- byte lesserVersion;
- WOLFSSL_START(WC_FUNC_CLIENT_HELLO_DO);
- WOLFSSL_ENTER("DoClientHello");
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello");
- if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo);
- #endif
- /* do not change state in the SSL object before the next region of code
- * to be able to statelessly compute a DTLS cookie */
- #ifdef WOLFSSL_DTLS
- /* Update the ssl->options.dtlsStateful setting `if` statement in
- * wolfSSL_accept when changing this one. */
- if (IsDtlsNotSctpMode(ssl) && IsDtlsNotSrtpMode(ssl) && !IsSCR(ssl)) {
- DtlsSetSeqNumForReply(ssl);
- ret = DoClientHelloStateless(ssl, input, inOutIdx, helloSz);
- if (ret != 0 || !ssl->options.dtlsStateful) {
- int alertType = TranslateErrorToAlert(ret);
- if (alertType != invalid_alert) {
- int err;
- /* propogate socket errors to avoid re-calling send alert */
- err = SendAlert(ssl, alert_fatal, alertType);
- if (err == SOCKET_ERROR_E)
- ret = SOCKET_ERROR_E;
- }
- *inOutIdx += helloSz;
- DtlsResetState(ssl);
- if (DtlsIgnoreError(ret))
- ret = 0;
- return ret;
- }
- }
- ssl->options.dtlsStateful = 1;
- #endif /* WOLFSSL_DTLS */
- /* protocol version, random and session id length check */
- if (OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz)
- return BUFFER_ERROR;
- /* protocol version */
- XMEMCPY(&pv, input + i, OPAQUE16_LEN);
- ssl->chVersion = pv; /* store */
- i += OPAQUE16_LEN;
- /* Legacy protocol version cannot negotiate TLS 1.3 or higher. */
- if (pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_3_MINOR)
- pv.minor = TLSv1_2_MINOR;
- lesserVersion = !ssl->options.dtls && ssl->version.minor > pv.minor;
- lesserVersion |= ssl->options.dtls && ssl->version.minor < pv.minor;
- if (lesserVersion) {
- byte belowMinDowngrade;
- word16 haveRSA = 0;
- word16 havePSK = 0;
- int keySz = 0;
- if (!ssl->options.downgrade) {
- WOLFSSL_MSG("Client trying to connect with lesser version");
- ret = VERSION_ERROR;
- goto out;
- }
- belowMinDowngrade = pv.minor < ssl->options.minDowngrade;
- /* DTLS versions increase backwards (-1,-2,-3) ecc */
- if (ssl->options.dtls)
- belowMinDowngrade = ssl->options.dtls
- && pv.minor > ssl->options.minDowngrade;
- if (belowMinDowngrade) {
- WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
- ret = VERSION_ERROR;
- goto out;
- }
- if (!ssl->options.dtls) {
- if (pv.minor == SSLv3_MINOR) {
- /* turn off tls */
- WOLFSSL_MSG("\tdowngrading to SSLv3");
- ssl->options.tls = 0;
- ssl->options.tls1_1 = 0;
- ssl->version.minor = SSLv3_MINOR;
- }
- else if (pv.minor == TLSv1_MINOR) {
- /* turn off tls 1.1+ */
- WOLFSSL_MSG("\tdowngrading to TLSv1");
- ssl->options.tls1_1 = 0;
- ssl->version.minor = TLSv1_MINOR;
- }
- else if (pv.minor == TLSv1_1_MINOR) {
- WOLFSSL_MSG("\tdowngrading to TLSv1.1");
- ssl->version.minor = TLSv1_1_MINOR;
- }
- else if (pv.minor == TLSv1_2_MINOR) {
- WOLFSSL_MSG(" downgrading to TLSv1.2");
- ssl->version.minor = TLSv1_2_MINOR;
- }
- }
- else {
- if (pv.minor == DTLSv1_2_MINOR) {
- WOLFSSL_MSG("\tDowngrading to DTLSv1.2");
- ssl->options.tls1_3 = 0;
- ssl->version.minor = DTLSv1_2_MINOR;
- }
- else if (pv.minor == DTLS_MINOR) {
- WOLFSSL_MSG("\tDowngrading to DTLSv1.0");
- ssl->options.tls1_3 = 0;
- ssl->version.minor = DTLS_MINOR;
- }
- }
- #ifndef NO_RSA
- haveRSA = 1;
- #endif
- #ifndef NO_PSK
- havePSK = ssl->options.havePSK;
- #endif
- #ifndef NO_CERTS
- keySz = ssl->buffers.keySz;
- #endif
- ret = AllocateSuites(ssl);
- if (ret != 0)
- goto out;
- InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
- ssl->options.haveDH, ssl->options.haveECDSAsig,
- ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
- ssl->options.haveFalconSig,
- ssl->options.haveDilithiumSig, ssl->options.haveAnon,
- TRUE, ssl->options.side);
- }
- /* check if option is set to not allow the current version
- * set from either wolfSSL_set_options or wolfSSL_CTX_set_options */
- if (!ssl->options.dtls && ssl->options.downgrade &&
- ssl->options.mask > 0) {
- int reset = 0;
- if (ssl->version.minor == TLSv1_2_MINOR &&
- (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) ==
- WOLFSSL_OP_NO_TLSv1_2) {
- WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading");
- ssl->version.minor = TLSv1_1_MINOR;
- reset = 1;
- }
- if (ssl->version.minor == TLSv1_1_MINOR &&
- (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) ==
- WOLFSSL_OP_NO_TLSv1_1) {
- WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading");
- ssl->options.tls1_1 = 0;
- ssl->version.minor = TLSv1_MINOR;
- reset = 1;
- }
- if (ssl->version.minor == TLSv1_MINOR &&
- (ssl->options.mask & WOLFSSL_OP_NO_TLSv1) ==
- WOLFSSL_OP_NO_TLSv1) {
- WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading");
- ssl->options.tls = 0;
- ssl->options.tls1_1 = 0;
- ssl->version.minor = SSLv3_MINOR;
- reset = 1;
- }
- if (ssl->version.minor == SSLv3_MINOR &&
- (ssl->options.mask & WOLFSSL_OP_NO_SSLv3) ==
- WOLFSSL_OP_NO_SSLv3) {
- WOLFSSL_MSG("\tError, option set to not allow SSLv3");
- ret = VERSION_ERROR;
- goto out;
- }
- if (ssl->version.minor < ssl->options.minDowngrade) {
- WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
- ret = VERSION_ERROR;
- goto out;
- }
- if (reset) {
- word16 haveRSA = 0;
- word16 havePSK = 0;
- int keySz = 0;
- #ifndef NO_RSA
- haveRSA = 1;
- #endif
- #ifndef NO_PSK
- havePSK = ssl->options.havePSK;
- #endif
- #ifndef NO_CERTS
- keySz = ssl->buffers.keySz;
- #endif
- ret = AllocateSuites(ssl);
- if (ret != 0)
- goto out;
- /* reset cipher suites to account for TLS version change */
- InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
- ssl->options.haveDH, ssl->options.haveECDSAsig,
- ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
- ssl->options.haveFalconSig,
- ssl->options.haveDilithiumSig, ssl->options.haveAnon,
- TRUE, ssl->options.side);
- }
- }
- /* random */
- XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN);
- i += RAN_LEN;
- #ifdef SHOW_SECRETS
- {
- int j;
- printf("client random: ");
- for (j = 0; j < RAN_LEN; j++)
- printf("%02x", ssl->arrays->clientRandom[j]);
- printf("\n");
- }
- #endif
- /* session id */
- b = input[i++];
- #ifdef HAVE_SESSION_TICKET
- if (b > 0 && b < ID_LEN) {
- bogusID = 1;
- WOLFSSL_MSG("Client sent bogus session id, let's allow for echo");
- }
- #endif
- if (b == ID_LEN || bogusID) {
- if ((i - begin) + b > helloSz) {
- ret = BUFFER_ERROR;
- goto out;
- }
- XMEMCPY(ssl->arrays->sessionID, input + i, b);
- ssl->arrays->sessionIDSz = b;
- i += b;
- ssl->options.resuming = 1; /* client wants to resume */
- WOLFSSL_MSG("Client wants to resume session");
- }
- else if (b) {
- WOLFSSL_MSG("Invalid session ID size");
- ret = BUFFER_ERROR; /* session ID nor 0 neither 32 bytes long */
- goto out;
- }
- #ifdef WOLFSSL_DTLS
- /* cookie */
- if (ssl->options.dtls) {
- word8 peerCookieSz;
- if ((i - begin) + OPAQUE8_LEN > helloSz) {
- ret = BUFFER_ERROR;
- goto out;
- }
- peerCookieSz = input[i++];
- if (peerCookieSz) {
- if (peerCookieSz > MAX_COOKIE_LEN) {
- ret = BUFFER_ERROR;
- goto out;
- }
- if ((i - begin) + peerCookieSz > helloSz) {
- ret = BUFFER_ERROR;
- goto out;
- }
- i += peerCookieSz;
- }
- }
- #endif /* WOLFSSL_DTLS */
- /* suites */
- if ((i - begin) + OPAQUE16_LEN > helloSz) {
- ret = BUFFER_ERROR;
- goto out;
- }
- #ifdef WOLFSSL_SMALL_STACK
- clSuites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap,
- DYNAMIC_TYPE_SUITES);
- if (clSuites == NULL) {
- ret = MEMORY_E;
- goto out;
- }
- #endif
- XMEMSET(clSuites, 0, sizeof(Suites));
- ato16(&input[i], &clSuites->suiteSz);
- i += OPAQUE16_LEN;
- /* Cipher suite lists are always multiples of two in length. */
- if (clSuites->suiteSz % 2 != 0) {
- ret = BUFFER_ERROR;
- goto out;
- }
- /* suites and compression length check */
- if ((i - begin) + clSuites->suiteSz + OPAQUE8_LEN > helloSz) {
- ret = BUFFER_ERROR;
- goto out;
- }
- if (clSuites->suiteSz > WOLFSSL_MAX_SUITE_SZ) {
- ret = BUFFER_ERROR;
- goto out;
- }
- XMEMCPY(clSuites->suites, input + i, clSuites->suiteSz);
- #ifdef HAVE_SERVER_RENEGOTIATION_INFO
- /* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */
- if (FindSuite(clSuites, 0, TLS_EMPTY_RENEGOTIATION_INFO_SCSV) >= 0) {
- TLSX* extension;
- /* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */
- ret = TLSX_AddEmptyRenegotiationInfo(&ssl->extensions, ssl->heap);
- if (ret != WOLFSSL_SUCCESS)
- goto out;
- extension = TLSX_Find(ssl->extensions, TLSX_RENEGOTIATION_INFO);
- if (extension) {
- ssl->secure_renegotiation =
- (SecureRenegotiation*)extension->data;
- ssl->secure_renegotiation->enabled = 1;
- }
- }
- #endif /* HAVE_SERVER_RENEGOTIATION_INFO */
- #if defined(HAVE_FALLBACK_SCSV) || defined(OPENSSL_ALL)
- /* check for TLS_FALLBACK_SCSV suite */
- if (FindSuite(clSuites, TLS_FALLBACK_SCSV, 0) >= 0) {
- WOLFSSL_MSG("Found Fallback SCSV");
- if (ssl->ctx->method->version.minor > pv.minor) {
- WOLFSSL_MSG("Client trying to connect with lesser version");
- SendAlert(ssl, alert_fatal, inappropriate_fallback);
- ret = VERSION_ERROR;
- goto out;
- }
- }
- #endif
- i += clSuites->suiteSz;
- clSuites->hashSigAlgoSz = 0;
- /* compression length */
- b = input[i++];
- if ((i - begin) + b > helloSz) {
- ret = BUFFER_ERROR;
- goto out;
- }
- if (b == 0) {
- WOLFSSL_MSG("No compression types in list");
- #ifdef WOLFSSL_EXTRA_ALERTS
- SendAlert(ssl, alert_fatal, decode_error);
- #endif
- ret = COMPRESSION_ERROR;
- goto out;
- }
- {
- /* compression match types */
- int matchNo = 0;
- int matchZlib = 0;
- while (b--) {
- byte comp = input[i++];
- if (comp == NO_COMPRESSION) {
- matchNo = 1;
- }
- if (comp == ZLIB_COMPRESSION) {
- matchZlib = 1;
- }
- }
- if (ssl->options.usingCompression == 0 && matchNo) {
- WOLFSSL_MSG("Matched No Compression");
- } else if (ssl->options.usingCompression && matchZlib) {
- WOLFSSL_MSG("Matched zlib Compression");
- } else if (ssl->options.usingCompression && matchNo) {
- WOLFSSL_MSG("Could only match no compression, turning off");
- ssl->options.usingCompression = 0; /* turn off */
- } else {
- WOLFSSL_MSG("Could not match compression");
- #ifdef WOLFSSL_EXTRA_ALERTS
- SendAlert(ssl, alert_fatal, illegal_parameter);
- #endif
- ret = COMPRESSION_ERROR;
- goto out;
- }
- }
- *inOutIdx = i;
- /* tls extensions */
- if ((i - begin) < helloSz) {
- #ifdef HAVE_TLS_EXTENSIONS
- if (TLSX_SupportExtensions(ssl))
- #else
- if (IsAtLeastTLSv1_2(ssl))
- #endif
- {
- /* Process the hello extension. Skip unsupported. */
- word16 totalExtSz;
- #ifdef HAVE_TLS_EXTENSIONS
- /* auto populate extensions supported unless user defined */
- if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0)
- goto out;
- #endif
- if ((i - begin) + OPAQUE16_LEN > helloSz) {
- ret = BUFFER_ERROR;
- goto out;
- }
- ato16(&input[i], &totalExtSz);
- i += OPAQUE16_LEN;
- if ((i - begin) + totalExtSz > helloSz) {
- ret = BUFFER_ERROR;
- goto out;
- }
- #ifdef HAVE_TLS_EXTENSIONS
- /* tls extensions */
- if ((ret = TLSX_Parse(ssl, input + i, totalExtSz, client_hello,
- clSuites)))
- goto out;
- #ifdef WOLFSSL_TLS13
- if (TLSX_Find(ssl->extensions,
- TLSX_SUPPORTED_VERSIONS) != NULL) {
- WOLFSSL_MSG(
- "Client attempting to connect with higher version");
- ret = VERSION_ERROR;
- goto out;
- }
- #endif
- #ifdef HAVE_SNI
- if((ret=SNI_Callback(ssl)))
- goto out;
- #endif
- #ifdef HAVE_ALPN
- if((ret=ALPN_Select(ssl)))
- goto out;
- #endif
- i += totalExtSz;
- #else
- while (totalExtSz) {
- word16 extId, extSz;
- if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz) {
- ret = BUFFER_ERROR;
- goto out;
- }
- ato16(&input[i], &extId);
- i += OPAQUE16_LEN;
- ato16(&input[i], &extSz);
- i += OPAQUE16_LEN;
- if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz) {
- ret = BUFFER_ERROR;
- goto out;
- }
- if (extId == HELLO_EXT_SIG_ALGO) {
- word16 hashSigAlgoSz;
- ato16(&input[i], &hashSigAlgoSz);
- i += OPAQUE16_LEN;
- if (OPAQUE16_LEN + hashSigAlgoSz > extSz) {
- ret = BUFFER_ERROR;
- goto out;
- }
- if (hashSigAlgoSz % 2 != 0) {
- ret = BUFFER_ERROR;
- goto out;
- }
- clSuites->hashSigAlgoSz = hashSigAlgoSz;
- if (clSuites->hashSigAlgoSz > WOLFSSL_MAX_SIGALGO) {
- WOLFSSL_MSG("ClientHello SigAlgo list exceeds max, "
- "truncating");
- clSuites->hashSigAlgoSz = WOLFSSL_MAX_SIGALGO;
- }
- XMEMCPY(clSuites->hashSigAlgo, &input[i],
- clSuites->hashSigAlgoSz);
- i += hashSigAlgoSz;
- }
- #ifdef HAVE_EXTENDED_MASTER
- else if (extId == HELLO_EXT_EXTMS)
- ssl->options.haveEMS = 1;
- #endif
- else
- i += extSz;
- totalExtSz -= OPAQUE16_LEN + OPAQUE16_LEN + extSz;
- }
- #endif
- *inOutIdx = i;
- }
- else
- *inOutIdx = begin + helloSz; /* skip extensions */
- }
- #ifdef WOLFSSL_DTLS_CID
- if (ssl->options.useDtlsCID)
- DtlsCIDOnExtensionsParsed(ssl);
- #endif /* WOLFSSL_DTLS_CID */
- ssl->options.clientState = CLIENT_HELLO_COMPLETE;
- ssl->options.haveSessionId = 1;
- /* ProcessOld uses same resume code */
- if (ssl->options.resuming) {
- ret = HandleTlsResumption(ssl, bogusID, clSuites);
- if (ret != 0)
- goto out;
- #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_ENCRYPT_THEN_MAC) && \
- !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac && ssl->specs.cipher_type == block) {
- ret = TLSX_EncryptThenMac_Respond(ssl);
- if (ret != 0)
- goto out;
- }
- else
- ssl->options.encThenMac = 0;
- #endif
- if (ssl->options.clientState == CLIENT_KEYEXCHANGE_COMPLETE) {
- WOLFSSL_LEAVE("DoClientHello", ret);
- WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);
- goto out;
- }
- }
- #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_DH_DEFAULT_PARAMS)
- #if defined(HAVE_FFDHE) && defined(HAVE_SUPPORTED_CURVES)
- if (TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS) != NULL) {
- /* Set FFDHE parameters or clear DHE parameters if FFDH parameters
- * present and no matches in the server's list. */
- ret = TLSX_SupportedFFDHE_Set(ssl);
- if (ret != 0)
- goto out;
- }
- #endif
- #endif
- #ifdef OPENSSL_EXTRA
- /* Give user last chance to provide a cert for cipher selection */
- if (ret == 0 && ssl->ctx->certSetupCb != NULL)
- ret = CertSetupCbWrapper(ssl);
- #endif
- if (ret == 0)
- ret = MatchSuite(ssl, clSuites);
- #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_ENCRYPT_THEN_MAC) && \
- !defined(WOLFSSL_AEAD_ONLY)
- if (ret == 0 && ssl->options.encThenMac &&
- ssl->specs.cipher_type == block) {
- ret = TLSX_EncryptThenMac_Respond(ssl);
- }
- else
- ssl->options.encThenMac = 0;
- #endif
- #ifdef WOLFSSL_DTLS
- if (ret == 0 && ssl->options.dtls)
- DtlsMsgPoolReset(ssl);
- #endif
- out:
- #ifdef WOLFSSL_SMALL_STACK
- if (clSuites != NULL)
- XFREE(clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);
- #endif
- WOLFSSL_LEAVE("DoClientHello", ret);
- WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- return ret;
- }
- #if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
- defined(HAVE_ED448)) && !defined(WOLFSSL_NO_CLIENT_AUTH)
- typedef struct DcvArgs {
- byte* output; /* not allocated */
- word32 sendSz;
- word16 sz;
- word32 sigSz;
- word32 idx;
- word32 begin;
- byte hashAlgo;
- byte sigAlgo;
- } DcvArgs;
- static void FreeDcvArgs(WOLFSSL* ssl, void* pArgs)
- {
- DcvArgs* args = (DcvArgs*)pArgs;
- (void)ssl;
- (void)args;
- }
- /* handle processing of certificate_verify (15) */
- static int DoCertificateVerify(WOLFSSL* ssl, byte* input,
- word32* inOutIdx, word32 size)
- {
- int ret = 0;
- #ifdef WOLFSSL_ASYNC_CRYPT
- DcvArgs* args = NULL;
- WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
- #else
- DcvArgs args[1];
- #endif
- WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_DO);
- WOLFSSL_ENTER("DoCertificateVerify");
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->async == NULL) {
- ssl->async = (struct WOLFSSL_ASYNC*)
- XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
- DYNAMIC_TYPE_ASYNC);
- if (ssl->async == NULL)
- ERROR_OUT(MEMORY_E, exit_dcv);
- }
- args = (DcvArgs*)ssl->async->args;
- ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
- if (ret != WC_NOT_PENDING_E) {
- /* Check for error */
- if (ret < 0)
- goto exit_dcv;
- }
- else
- #endif
- {
- /* Reset state */
- ret = 0;
- ssl->options.asyncState = TLS_ASYNC_BEGIN;
- XMEMSET(args, 0, sizeof(DcvArgs));
- args->hashAlgo = sha_mac;
- args->sigAlgo = anonymous_sa_algo;
- args->idx = *inOutIdx;
- args->begin = *inOutIdx;
- #ifdef WOLFSSL_ASYNC_CRYPT
- ssl->async->freeArgs = FreeDcvArgs;
- #endif
- }
- switch(ssl->options.asyncState)
- {
- case TLS_ASYNC_BEGIN:
- {
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "CertificateVerify");
- if (ssl->toInfoOn)
- AddLateName("CertificateVerify", &ssl->timeoutInfo);
- #endif
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_BUILD;
- } /* case TLS_ASYNC_BEGIN */
- FALL_THROUGH;
- case TLS_ASYNC_BUILD:
- {
- if (IsAtLeastTLSv1_2(ssl)) {
- if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcv);
- }
- DecodeSigAlg(&input[args->idx], &args->hashAlgo,
- &args->sigAlgo);
- args->idx += 2;
- }
- #ifndef NO_RSA
- else if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0)
- args->sigAlgo = rsa_sa_algo;
- #endif
- #ifdef HAVE_ECC
- else if (ssl->peerEccDsaKeyPresent)
- args->sigAlgo = ecc_dsa_sa_algo;
- #endif
- #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
- else if (ssl->peerEd25519KeyPresent)
- args->sigAlgo = ed25519_sa_algo;
- #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
- #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
- else if (ssl->peerEd448KeyPresent)
- args->sigAlgo = ed448_sa_algo;
- #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
- if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcv);
- }
- ato16(input + args->idx, &args->sz);
- args->idx += OPAQUE16_LEN;
- if ((args->idx - args->begin) + args->sz > size ||
- args->sz > ENCRYPT_LEN) {
- ERROR_OUT(BUFFER_ERROR, exit_dcv);
- }
- #ifdef HAVE_ECC
- if (ssl->peerEccDsaKeyPresent) {
- WOLFSSL_MSG("Doing ECC peer cert verify");
- /* make sure a default is defined */
- #if !defined(NO_SHA)
- SetDigest(ssl, sha_mac);
- #elif !defined(NO_SHA256)
- SetDigest(ssl, sha256_mac);
- #elif defined(WOLFSSL_SHA384)
- SetDigest(ssl, sha384_mac);
- #elif defined(WOLFSSL_SHA512)
- SetDigest(ssl, sha512_mac);
- #else
- #error No digest enabled for ECC sig verify
- #endif
- if (IsAtLeastTLSv1_2(ssl)) {
- if (args->sigAlgo != ecc_dsa_sa_algo) {
- WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
- }
- SetDigest(ssl, args->hashAlgo);
- }
- }
- #endif /* HAVE_ECC */
- #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
- if (ssl->peerEd25519KeyPresent) {
- WOLFSSL_MSG("Doing ED25519 peer cert verify");
- if (IsAtLeastTLSv1_2(ssl) &&
- args->sigAlgo != ed25519_sa_algo) {
- WOLFSSL_MSG(
- "Oops, peer sent ED25519 key but not in verify");
- }
- }
- #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
- #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
- if (ssl->peerEd448KeyPresent) {
- WOLFSSL_MSG("Doing ED448 peer cert verify");
- if (IsAtLeastTLSv1_2(ssl) &&
- args->sigAlgo != ed448_sa_algo) {
- WOLFSSL_MSG(
- "Oops, peer sent ED448 key but not in verify");
- }
- }
- #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_DO;
- } /* case TLS_ASYNC_BUILD */
- FALL_THROUGH;
- case TLS_ASYNC_DO:
- {
- #ifndef NO_RSA
- if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
- WOLFSSL_MSG("Doing RSA peer cert verify");
- ret = RsaVerify(ssl,
- input + args->idx,
- args->sz,
- &args->output,
- args->sigAlgo, args->hashAlgo,
- ssl->peerRsaKey,
- #ifdef HAVE_PK_CALLBACKS
- &ssl->buffers.peerRsaKey
- #else
- NULL
- #endif
- );
- if (ret >= 0) {
- if (args->sigAlgo == rsa_sa_algo)
- args->sendSz = ret;
- else {
- args->sigSz = ret;
- args->sendSz = ssl->buffers.digest.length;
- }
- ret = 0;
- }
- }
- #endif /* !NO_RSA */
- #ifdef HAVE_ECC
- if (ssl->peerEccDsaKeyPresent) {
- WOLFSSL_MSG("Doing ECC peer cert verify");
- ret = EccVerify(ssl,
- input + args->idx, args->sz,
- ssl->buffers.digest.buffer, ssl->buffers.digest.length,
- ssl->peerEccDsaKey,
- #ifdef HAVE_PK_CALLBACKS
- &ssl->buffers.peerEccDsaKey
- #else
- NULL
- #endif
- );
- /* SERVER: Data verified with certificate's public key. */
- ssl->options.peerAuthGood = ssl->options.havePeerCert &&
- (ret == 0);
- }
- #endif /* HAVE_ECC */
- #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
- if (ssl->peerEd25519KeyPresent) {
- WOLFSSL_MSG("Doing Ed25519 peer cert verify");
- ret = Ed25519Verify(ssl,
- input + args->idx, args->sz,
- ssl->hsHashes->messages, ssl->hsHashes->prevLen,
- ssl->peerEd25519Key,
- #ifdef HAVE_PK_CALLBACKS
- &ssl->buffers.peerEd25519Key
- #else
- NULL
- #endif
- );
- /* SERVER: Data verified with certificate's public key. */
- ssl->options.peerAuthGood = ssl->options.havePeerCert &&
- (ret == 0);
- }
- #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
- #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
- if (ssl->peerEd448KeyPresent) {
- WOLFSSL_MSG("Doing Ed448 peer cert verify");
- ret = Ed448Verify(ssl,
- input + args->idx, args->sz,
- ssl->hsHashes->messages, ssl->hsHashes->prevLen,
- ssl->peerEd448Key,
- #ifdef HAVE_PK_CALLBACKS
- &ssl->buffers.peerEd448Key
- #else
- NULL
- #endif
- );
- /* SERVER: Data verified with certificate's public key. */
- ssl->options.peerAuthGood = ssl->options.havePeerCert &&
- (ret == 0);
- }
- #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* handle async pending */
- if (ret == WC_PENDING_E)
- goto exit_dcv;
- #endif
- /* Check for error */
- if (ret != 0) {
- ret = SIG_VERIFY_E;
- goto exit_dcv;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_VERIFY;
- } /* case TLS_ASYNC_DO */
- FALL_THROUGH;
- case TLS_ASYNC_VERIFY:
- {
- #ifndef NO_RSA
- if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
- if (IsAtLeastTLSv1_2(ssl)) {
- #ifdef WC_RSA_PSS
- if (args->sigAlgo == rsa_pss_sa_algo) {
- SetDigest(ssl, args->hashAlgo);
- #ifdef HAVE_SELFTEST
- ret = wc_RsaPSS_CheckPadding(
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- args->output, args->sigSz,
- HashAlgoToType(args->hashAlgo));
- #else
- ret = wc_RsaPSS_CheckPadding_ex(
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- args->output, args->sigSz,
- HashAlgoToType(args->hashAlgo), -1,
- mp_count_bits(&ssl->peerRsaKey->n));
- #endif
- if (ret != 0) {
- ret = SIG_VERIFY_E;
- goto exit_dcv;
- }
- }
- else
- #endif
- {
- #ifndef WOLFSSL_SMALL_STACK
- byte encodedSig[MAX_ENCODED_SIG_SZ];
- #else
- byte* encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ,
- ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- if (encodedSig == NULL) {
- ERROR_OUT(MEMORY_E, exit_dcv);
- }
- #endif
- if (args->sigAlgo != rsa_sa_algo) {
- WOLFSSL_MSG("Oops, peer sent RSA key but not "
- "in verify");
- }
- SetDigest(ssl, args->hashAlgo);
- args->sigSz = wc_EncodeSignature(encodedSig,
- ssl->buffers.digest.buffer,
- ssl->buffers.digest.length,
- TypeHash(args->hashAlgo));
- if (args->sendSz != args->sigSz || !args->output ||
- XMEMCMP(args->output, encodedSig,
- min(args->sigSz, MAX_ENCODED_SIG_SZ)) != 0) {
- ret = VERIFY_CERT_ERROR;
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(encodedSig, ssl->heap,
- DYNAMIC_TYPE_SIGNATURE);
- #endif
- }
- }
- else {
- if (args->sendSz != FINISHED_SZ || !args->output ||
- XMEMCMP(args->output,
- &ssl->hsHashes->certHashes, FINISHED_SZ) != 0) {
- ret = VERIFY_CERT_ERROR;
- }
- }
- if (ret == 0) {
- /* SERVER: Data verified with cert's public key. */
- ssl->options.peerAuthGood = ssl->options.havePeerCert &&
- (ret == 0);
- }
- }
- #endif /* !NO_RSA */
- if (ret != 0)
- break;
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_FINALIZE;
- } /* case TLS_ASYNC_VERIFY */
- FALL_THROUGH;
- case TLS_ASYNC_FINALIZE:
- {
- if (IsEncryptionOn(ssl, 0)) {
- args->idx += ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead)
- args->idx += MacSize(ssl);
- #endif
- }
- ssl->options.havePeerVerify = 1;
- /* Set final index */
- args->idx += args->sz;
- *inOutIdx = args->idx;
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_END;
- } /* case TLS_ASYNC_FINALIZE */
- FALL_THROUGH;
- case TLS_ASYNC_END:
- {
- break;
- }
- default:
- ret = INPUT_CASE_ERROR;
- } /* switch(ssl->options.asyncState) */
- exit_dcv:
- WOLFSSL_LEAVE("DoCertificateVerify", ret);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_DO);
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* Handle async operation */
- if (ret == WC_PENDING_E) {
- /* Mark message as not received so it can process again */
- ssl->msgsReceived.got_certificate_verify = 0;
- return ret;
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- #ifdef WOLFSSL_EXTRA_ALERTS
- if (ret == BUFFER_ERROR)
- SendAlert(ssl, alert_fatal, decode_error);
- else if (ret == SIG_VERIFY_E)
- SendAlert(ssl, alert_fatal, decrypt_error);
- else if (ret != 0)
- SendAlert(ssl, alert_fatal, bad_certificate);
- #endif
- /* Digest is not allocated, so do this to prevent free */
- if(ssl->buffers.digest.buffer) {
- if (!ssl->options.dontFreeDigest) {
- /*This should not happen*/
- XFREE(ssl->buffers.digest.buffer,
- ssl->heap, DYNAMIC_TYPE_DIGEST);
- }
- }
- ssl->buffers.digest.buffer = NULL;
- ssl->buffers.digest.length = 0;
- ssl->options.dontFreeDigest = 0;
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* Cleanup async */
- FreeAsyncCtx(ssl, 0);
- #else
- FreeDcvArgs(ssl, args);
- #endif
- /* Final cleanup */
- FreeKeyExchange(ssl);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- return ret;
- }
- #endif /* (!NO_RSA || ECC || ED25519 || ED448) && !WOLFSSL_NO_CLIENT_AUTH */
- /* handle generation of server_hello_done (14) */
- int SendServerHelloDone(WOLFSSL* ssl)
- {
- byte* output;
- int sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- int ret;
- WOLFSSL_START(WC_FUNC_SERVER_HELLO_DONE_SEND);
- WOLFSSL_ENTER("SendServerHelloDone");
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls)
- sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- #endif
- if (IsEncryptionOn(ssl, 1))
- sendSz += MAX_MSG_EXTRA;
- /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
- * is not advanced yet */
- ssl->options.buildingMsg = 1;
- /* check for available size */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
- /* get output buffer */
- output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- AddHeaders(output, 0, server_hello_done, ssl);
- if (IsEncryptionOn(ssl, 1)) {
- byte* input;
- int inputSz = HANDSHAKE_HEADER_SZ; /* build msg adds rec hdr */
- int recordHeaderSz = RECORD_HEADER_SZ;
- if (ssl->options.dtls) {
- recordHeaderSz += DTLS_RECORD_EXTRA;
- inputSz += DTLS_HANDSHAKE_EXTRA;
- }
- input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (input == NULL)
- return MEMORY_E;
- XMEMCPY(input, output + recordHeaderSz, inputSz);
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl) &&
- (ret = DtlsMsgPoolSave(ssl, input, inputSz, server_hello_done)) != 0) {
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- return ret;
- }
- #endif
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- handshake, 1, 0, 0, CUR_ORDER);
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (sendSz < 0)
- return sendSz;
- } else {
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl)) {
- if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, server_hello_done)) != 0)
- return ret;
- }
- if (ssl->options.dtls)
- DtlsSEQIncrement(ssl, CUR_ORDER);
- #endif
- ret = HashOutput(ssl, output, sendSz, 0);
- if (ret != 0)
- return ret;
- }
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "ServerHelloDone");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "ServerHelloDone", handshake, output,
- sendSz, WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->options.serverState = SERVER_HELLODONE_COMPLETE;
- ssl->options.buildingMsg = 0;
- ssl->buffers.outputBuffer.length += sendSz;
- ret = SendBuffered(ssl);
- WOLFSSL_LEAVE("SendServerHelloDone", ret);
- WOLFSSL_END(WC_FUNC_SERVER_HELLO_DONE_SEND);
- return ret;
- }
- #endif /* !WOLFSSL_NO_TLS12 */
- #ifdef HAVE_SESSION_TICKET
- /* create a new session ticket, 0 on success */
- int CreateTicket(WOLFSSL* ssl)
- {
- InternalTicket* it;
- ExternalTicket* et;
- int encLen;
- int ret;
- int error;
- word32 itHash = 0;
- byte zeros[WOLFSSL_TICKET_MAC_SZ]; /* biggest cmp size */
- WOLFSSL_ASSERT_SIZEOF_GE(ssl->session->staticTicket, *et);
- WOLFSSL_ASSERT_SIZEOF_GE(et->enc_ticket, *it);
- if (ssl->session->ticket != ssl->session->staticTicket) {
- /* Always use the static ticket buffer */
- XFREE(ssl->session->ticket, NULL, DYNAMIC_TYPE_SESSION_TICK);
- ssl->session->ticket = ssl->session->staticTicket;
- ssl->session->ticketLenAlloc = 0;
- }
- et = (ExternalTicket*)ssl->session->ticket;
- it = (InternalTicket*)et->enc_ticket;
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->error != WC_PENDING_E)
- #endif
- {
- XMEMSET(et, 0, sizeof(*et));
- }
- /* build internal */
- it->pv.major = ssl->version.major;
- it->pv.minor = ssl->version.minor;
- it->suite[0] = ssl->options.cipherSuite0;
- it->suite[1] = ssl->options.cipherSuite;
- #ifdef WOLFSSL_EARLY_DATA
- c32toa(ssl->options.maxEarlyDataSz, it->maxEarlyDataSz);
- #endif
- if (!ssl->options.tls1_3) {
- XMEMCPY(it->msecret, ssl->arrays->masterSecret, SECRET_LEN);
- #ifndef NO_ASN_TIME
- c32toa(LowResTimer(), it->timestamp);
- #endif
- it->haveEMS = (byte) ssl->options.haveEMS;
- }
- else {
- #ifdef WOLFSSL_TLS13
- #ifdef WOLFSSL_32BIT_MILLI_TIME
- word32 now = TimeNowInMilliseconds();
- #else
- sword64 now = TimeNowInMilliseconds();
- #endif
- if (now == 0) {
- ret = GETTIME_ERROR;
- goto error;
- }
- /* Client adds to ticket age to obfuscate. */
- ret = wc_RNG_GenerateBlock(ssl->rng, it->ageAdd,
- sizeof(it->ageAdd));
- if (ret != 0) {
- ret = BAD_TICKET_ENCRYPT;
- goto error;
- }
- ato32(it->ageAdd, &ssl->session->ticketAdd);
- c16toa(ssl->session->namedGroup, it->namedGroup);
- #ifdef WOLFSSL_32BIT_MILLI_TIME
- c32toa(now, it->timestamp);
- #else
- c32toa((word32)(now >> 32), it->timestamp);
- c32toa((word32)now , it->timestamp + OPAQUE32_LEN);
- #endif
- /* Resumption master secret. */
- XMEMCPY(it->msecret, ssl->session->masterSecret, SECRET_LEN);
- if (ssl->session->ticketNonce.len > MAX_TICKET_NONCE_STATIC_SZ) {
- WOLFSSL_MSG("Bad ticket nonce value");
- ret = BAD_TICKET_MSG_SZ;
- goto error;
- }
- XMEMCPY(it->ticketNonce, ssl->session->ticketNonce.data,
- ssl->session->ticketNonce.len);
- it->ticketNonceLen = ssl->session->ticketNonce.len;
- #endif
- }
- #ifdef WOLFSSL_TICKET_HAVE_ID
- {
- const byte* id = NULL;
- byte idSz = 0;
- if (ssl->session->haveAltSessionID) {
- id = ssl->session->altSessionID;
- idSz = ID_LEN;
- }
- else if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) {
- id = ssl->arrays->sessionID;
- idSz = ssl->arrays->sessionIDSz;
- }
- else {
- id = ssl->session->sessionID;
- idSz = ssl->session->sessionIDSz;
- }
- if (idSz == 0) {
- ret = wc_RNG_GenerateBlock(ssl->rng, ssl->session->altSessionID,
- ID_LEN);
- if (ret != 0)
- goto error;
- ssl->session->haveAltSessionID = 1;
- id = ssl->session->altSessionID;
- idSz = ID_LEN;
- }
- /* make sure idSz is not larger than ID_LEN */
- if (idSz > ID_LEN)
- idSz = ID_LEN;
- XMEMCPY(it->id, id, idSz);
- }
- #endif
- /* encrypt */
- encLen = WOLFSSL_TICKET_ENC_SZ; /* max size user can use */
- if (ssl->ctx->ticketEncCb == NULL
- #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
- ||
- /* SSL_OP_NO_TICKET turns off tickets in <= 1.2. Forces
- * "stateful" tickets for 1.3 so just use the regular
- * stateless ones. */
- (!IsAtLeastTLSv1_3(ssl->version) &&
- (ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0)
- #endif
- ) {
- /* Use BAD_TICKET_ENCRYPT to signal missing ticket callback */
- ret = BAD_TICKET_ENCRYPT;
- }
- else {
- itHash = HashObject((byte*)it, sizeof(*it), &error);
- if (error == 0) {
- ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, et->mac,
- 1, et->enc_ticket, sizeof(InternalTicket), &encLen,
- ssl->ctx->ticketEncCtx);
- }
- else {
- ret = WOLFSSL_TICKET_RET_FATAL;
- }
- }
- if (ret != WOLFSSL_TICKET_RET_OK) {
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- return ret;
- }
- #endif
- goto error;
- }
- if (encLen < (int)sizeof(InternalTicket) ||
- encLen > (int)WOLFSSL_TICKET_ENC_SZ) {
- WOLFSSL_MSG("Bad user ticket encrypt size");
- ret = BAD_TICKET_KEY_CB_SZ;
- }
- /* sanity checks on encrypt callback */
- /* internal ticket can't be the same if encrypted */
- if (itHash == HashObject((byte*)it, sizeof(*it), &error) || error != 0)
- {
- WOLFSSL_MSG("User ticket encrypt didn't encrypt or hash failed");
- ret = BAD_TICKET_ENCRYPT;
- goto error;
- }
- XMEMSET(zeros, 0, sizeof(zeros));
- /* name */
- if (XMEMCMP(et->key_name, zeros, WOLFSSL_TICKET_NAME_SZ) == 0) {
- WOLFSSL_MSG("User ticket encrypt didn't set name");
- ret = BAD_TICKET_ENCRYPT;
- goto error;
- }
- /* iv */
- if (XMEMCMP(et->iv, zeros, WOLFSSL_TICKET_IV_SZ) == 0) {
- WOLFSSL_MSG("User ticket encrypt didn't set iv");
- ret = BAD_TICKET_ENCRYPT;
- goto error;
- }
- /* mac */
- if (XMEMCMP(et->mac, zeros, WOLFSSL_TICKET_MAC_SZ) == 0) {
- WOLFSSL_MSG("User ticket encrypt didn't set mac");
- ret = BAD_TICKET_ENCRYPT;
- goto error;
- }
- /* set size */
- c16toa((word16)encLen, et->enc_len);
- if (encLen < (int)WOLFSSL_TICKET_ENC_SZ) {
- /* move mac up since whole enc buffer not used */
- XMEMMOVE(et->enc_ticket + encLen, et->mac,
- WOLFSSL_TICKET_MAC_SZ);
- }
- ssl->session->ticketLen =
- (word16)(encLen + WOLFSSL_TICKET_FIXED_SZ);
- return ret;
- error:
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- /* Ticket has sensitive data in it now. */
- wc_MemZero_Add("Create Ticket internal", it, sizeof(InternalTicket));
- #endif
- ForceZero(it, sizeof(*it));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(it, sizeof(InternalTicket));
- #endif
- WOLFSSL_ERROR_VERBOSE(ret);
- return ret;
- }
- int DoDecryptTicket(const WOLFSSL* ssl, const byte* input, word32 len,
- InternalTicket **it)
- {
- ExternalTicket* et;
- int ret;
- int outLen;
- word16 inLen;
- WOLFSSL_START(WC_FUNC_TICKET_DO);
- WOLFSSL_ENTER("DoDecryptTicket");
- if (len > SESSION_TICKET_LEN ||
- len < (word32)(sizeof(InternalTicket) + WOLFSSL_TICKET_FIXED_SZ)) {
- WOLFSSL_ERROR_VERBOSE(BAD_TICKET_MSG_SZ);
- return WOLFSSL_TICKET_RET_REJECT;
- }
- et = (ExternalTicket*)input;
- /* decrypt */
- ato16(et->enc_len, &inLen);
- if (inLen > WOLFSSL_TICKET_ENC_SZ) {
- WOLFSSL_ERROR_VERBOSE(BAD_TICKET_MSG_SZ);
- return WOLFSSL_TICKET_RET_REJECT;
- }
- outLen = (int)inLen; /* may be reduced by user padding */
- if (ssl->ctx->ticketEncCb == NULL
- #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
- ||
- /* SSL_OP_NO_TICKET turns off tickets in < 1.2. Forces
- * "stateful" tickets for 1.3 so just use the regular
- * stateless ones. */
- (!IsAtLeastTLSv1_3(ssl->version) &&
- (ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0)
- #endif
- ) {
- /* Use BAD_TICKET_ENCRYPT to signal missing ticket callback */
- WOLFSSL_ERROR_VERBOSE(BAD_TICKET_ENCRYPT);
- ret = WOLFSSL_TICKET_RET_REJECT;
- }
- else {
- /* Callback uses ssl without const but for DTLS, it really shouldn't
- * modify its state. */
- ret = ssl->ctx->ticketEncCb((WOLFSSL*)ssl, et->key_name, et->iv,
- et->enc_ticket + inLen, 0,
- et->enc_ticket, inLen, &outLen,
- ssl->ctx->ticketEncCtx);
- }
- if (ret != WOLFSSL_TICKET_RET_OK) {
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- return ret;
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- if (ret != WOLFSSL_TICKET_RET_CREATE) {
- WOLFSSL_ERROR_VERBOSE(BAD_TICKET_KEY_CB_SZ);
- return WOLFSSL_TICKET_RET_REJECT;
- }
- }
- if (outLen > (int)inLen || outLen < (int)sizeof(InternalTicket)) {
- WOLFSSL_MSG("Bad user ticket decrypt len");
- WOLFSSL_ERROR_VERBOSE(BAD_TICKET_KEY_CB_SZ);
- return BAD_TICKET_KEY_CB_SZ;
- }
- *it = (InternalTicket*)et->enc_ticket;
- return ret;
- }
- static int DoClientTicketCheckVersion(const WOLFSSL* ssl,
- InternalTicket* it)
- {
- if (ssl->version.minor < it->pv.minor) {
- WOLFSSL_MSG("Ticket has greater version");
- return VERSION_ERROR;
- }
- else if (ssl->version.minor > it->pv.minor) {
- if (IsAtLeastTLSv1_3(it->pv) != IsAtLeastTLSv1_3(ssl->version)) {
- WOLFSSL_MSG("Tickets cannot be shared between "
- "TLS 1.3 and TLS 1.2 and lower");
- return VERSION_ERROR;
- }
- if (!ssl->options.downgrade) {
- WOLFSSL_MSG("Ticket has lesser version");
- return VERSION_ERROR;
- }
- WOLFSSL_MSG("Downgrading protocol due to ticket");
- if (it->pv.minor < ssl->options.minDowngrade) {
- WOLFSSL_MSG("Ticket has lesser version than allowed");
- return VERSION_ERROR;
- }
- }
- #ifdef WOLFSSL_TLS13
- /* Check resumption master secret. */
- if (IsAtLeastTLSv1_3(it->pv) &&
- it->ticketNonceLen > MAX_TICKET_NONCE_STATIC_SZ) {
- WOLFSSL_MSG("Unsupported ticketNonce len in ticket");
- return BAD_TICKET_ENCRYPT;
- }
- #endif
- return 0;
- }
- #if defined(WOLFSSL_TLS13)
- /* Return 0 when check successful. <0 on failure. */
- int DoClientTicketCheck(const WOLFSSL* ssl, const PreSharedKey* psk,
- sword64 timeout, const byte* suite)
- {
- word32 ticketAdd;
- #ifdef WOLFSSL_32BIT_MILLI_TIME
- word32 now;
- sword64 diff;
- word32 ticketSeen; /* Time ticket seen (ms) */
- ato32(psk->it->timestamp, &ticketSeen);
- now = TimeNowInMilliseconds();
- if (now == 0)
- return GETTIME_ERROR;
- /* Difference between now and time ticket constructed
- * (from decrypted ticket). */
- diff = now;
- diff -= ticketSeen;
- if (diff > timeout * 1000 ||
- diff > (sword64)TLS13_MAX_TICKET_AGE * 1000)
- return -1;
- #else
- sword64 diff;
- sword64 ticketSeen; /* Time ticket seen (ms) */
- word32 seenHi, seenLo;
- ato32(psk->it->timestamp , &seenHi);
- ato32(psk->it->timestamp + OPAQUE32_LEN, &seenLo);
- ticketSeen = ((sword64)seenHi << 32) + seenLo;
- diff = TimeNowInMilliseconds();
- if (diff == 0)
- return GETTIME_ERROR;
- /* Difference between now and time ticket constructed
- * (from decrypted ticket). */
- diff -= ticketSeen;
- if (diff > timeout * 1000 ||
- diff > (sword64)TLS13_MAX_TICKET_AGE * 1000)
- return -1;
- #endif
- ato32(psk->it->ageAdd, &ticketAdd);
- /* Subtract client's ticket age and unobfuscate. */
- diff -= psk->ticketAge;
- diff += ticketAdd;
- /* Check session and ticket age timeout.
- * Allow +/- 1000 milliseconds on ticket age.
- */
- if (diff < -1000 || diff - MAX_TICKET_AGE_DIFF * 1000 > 1000)
- return -1;
- #if !defined(WOLFSSL_PSK_ONE_ID) && !defined(WOLFSSL_PRIORITIZE_PSK)
- /* Check whether resumption is possible based on suites in SSL and
- * ciphersuite in ticket.
- */
- (void)ssl;
- if (XMEMCMP(suite, psk->it->suite, SUITE_LEN) != 0)
- return -1;
- #else
- (void)suite;
- if (!FindSuiteSSL(ssl, psk->it->suite))
- return -1;
- #endif
- return 0;
- }
- #endif /* WOLFSSL_SLT13 */
- void DoClientTicketFinalize(WOLFSSL* ssl, InternalTicket* it,
- const WOLFSSL_SESSION* sess)
- {
- #ifdef WOLFSSL_TICKET_HAVE_ID
- ssl->session->haveAltSessionID = 1;
- XMEMCPY(ssl->session->altSessionID, it->id, ID_LEN);
- #endif
- if (sess != NULL) {
- byte bogusID[ID_LEN];
- byte bogusIDSz = ssl->session->sessionIDSz;
- XMEMCPY(bogusID, ssl->session->sessionID, ID_LEN);
- /* Failure here should not interupt the resumption. We already have
- * all the cipher material we need in `it` */
- WOLFSSL_MSG("Copying in session from passed in arg");
- (void)wolfSSL_DupSession(sess, ssl->session, 1);
- /* Restore the fake ID */
- XMEMCPY(ssl->session->sessionID, bogusID, ID_LEN);
- ssl->session->sessionIDSz= bogusIDSz;
- }
- #ifdef WOLFSSL_TICKET_HAVE_ID
- else {
- if (wolfSSL_GetSession(ssl, NULL, 1) != NULL) {
- WOLFSSL_MSG("Found session matching the session id"
- " found in the ticket");
- }
- else {
- WOLFSSL_MSG("Can't find session matching the session id"
- " found in the ticket");
- }
- }
- #endif
- if (!IsAtLeastTLSv1_3(ssl->version)) {
- XMEMCPY(ssl->arrays->masterSecret, it->msecret, SECRET_LEN);
- /* Copy the haveExtendedMasterSecret property from the ticket to
- * the saved session, so the property may be checked later. */
- ssl->session->haveEMS = it->haveEMS;
- ato32((const byte*)&it->timestamp, &ssl->session->bornOn);
- #ifndef NO_RESUME_SUITE_CHECK
- ssl->session->cipherSuite0 = it->suite[0];
- ssl->session->cipherSuite = it->suite[1];
- #endif
- }
- else {
- #ifdef WOLFSSL_TLS13
- /* This should have been already checked in
- * DoClientTicketCheckVersion */
- if (it->ticketNonceLen > MAX_TICKET_NONCE_STATIC_SZ) {
- WOLFSSL_MSG("Unsupported ticketNonce len in ticket");
- return;
- }
- /* Restore information to renegotiate. */
- #ifdef WOLFSSL_32BIT_MILLI_TIME
- ato32(it->timestamp, &ssl->session->ticketSeen);
- #else
- {
- word32 seenHi, seenLo;
- ato32(it->timestamp , &seenHi);
- ato32(it->timestamp + OPAQUE32_LEN, &seenLo);
- ssl->session->ticketSeen = ((sword64)seenHi << 32) + seenLo;
- }
- #endif
- ato32(it->ageAdd, &ssl->session->ticketAdd);
- ssl->session->cipherSuite0 = it->suite[0];
- ssl->session->cipherSuite = it->suite[1];
- #ifdef WOLFSSL_EARLY_DATA
- ato32(it->maxEarlyDataSz, &ssl->session->maxEarlyDataSz);
- #endif
- /* Resumption master secret. */
- XMEMCPY(ssl->session->masterSecret, it->msecret, SECRET_LEN);
- #if defined(WOLFSSL_TICKET_NONCE_MALLOC) && \
- (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))
- if (ssl->session->ticketNonce.data
- != ssl->session->ticketNonce.dataStatic) {
- XFREE(ssl->session->ticketNonce.data, ssl->heap,
- DYNAMIC_TYPE_SESSION_TICK);
- ssl->session->ticketNonce.data =
- ssl->session->ticketNonce.dataStatic;
- }
- #endif /* defined(WOLFSSL_TICKET_NONCE_MALLOC) && FIPS_VERSION_GE(5,3) */
- XMEMCPY(ssl->session->ticketNonce.data, it->ticketNonce,
- it->ticketNonceLen);
- ssl->session->ticketNonce.len = it->ticketNonceLen;
- ato16(it->namedGroup, &ssl->session->namedGroup);
- #endif
- }
- ssl->version.minor = it->pv.minor;
- }
- #if defined(WOLFSSL_TLS13)
- static void PopulateInternalTicketFromSession(const WOLFSSL_SESSION* sess,
- InternalTicket* it)
- {
- #ifdef WOLFSSL_32BIT_MILLI_TIME
- word32 milliBornOn = sess->bornOn;
- #else
- sword64 milliBornOn = (sword64)sess->bornOn;
- #endif
- /* Convert to milliseconds */
- milliBornOn *= 1000;
- it->pv = sess->version;
- it->suite[0] = sess->cipherSuite0;
- it->suite[1] = sess->cipherSuite;
- XMEMCPY(it->msecret, sess->masterSecret, SECRET_LEN);
- #ifdef WOLFSSL_32BIT_MILLI_TIME
- c32toa(milliBornOn, it->timestamp);
- #else
- c32toa((word32)(milliBornOn >> 32), it->timestamp);
- c32toa((word32)milliBornOn , it->timestamp + OPAQUE32_LEN);
- #endif
- it->haveEMS = (byte)sess->haveEMS;
- c32toa(sess->ticketAdd, it->ageAdd);
- c16toa(sess->namedGroup, it->namedGroup);
- if (sess->ticketNonce.len <= MAX_TICKET_NONCE_STATIC_SZ) {
- it->ticketNonceLen = sess->ticketNonce.len;
- XMEMCPY(it->ticketNonce, sess->ticketNonce.data,
- sess->ticketNonce.len);
- }
- #ifdef WOLFSSL_EARLY_DATA
- c32toa(sess->maxEarlyDataSz, it->maxEarlyDataSz);
- #endif
- #ifdef WOLFSSL_TICKET_HAVE_ID
- if (sess->haveAltSessionID)
- XMEMCPY(it->id, sess->altSessionID, ID_LEN);
- else
- XMEMCPY(it->id, sess->sessionID, ID_LEN);
- #endif
- }
- static const WOLFSSL_SESSION* GetSesionFromCacheOrExt(const WOLFSSL* ssl,
- const byte* id, psk_sess_free_cb_ctx* freeCtx)
- {
- const WOLFSSL_SESSION* sess = NULL;
- int ret;
- XMEMSET(freeCtx, 0, sizeof(*freeCtx));
- #ifdef HAVE_EXT_CACHE
- if (ssl->ctx->get_sess_cb != NULL) {
- int copy = 0;
- sess = ssl->ctx->get_sess_cb((WOLFSSL*)ssl,
- id, ID_LEN, ©);
- if (sess != NULL) {
- freeCtx->extCache = 1;
- /* If copy not set then free immediately */
- if (!copy)
- freeCtx->freeSess = 1;
- }
- }
- #endif
- if (sess == NULL) {
- ret = TlsSessionCacheGetAndRdLock(id, &sess, &freeCtx->row,
- ssl->options.side);
- if (ret != 0)
- sess = NULL;
- }
- return sess;
- }
- static void FreeSessionFromCacheOrExt(const WOLFSSL* ssl,
- const WOLFSSL_SESSION* sess, psk_sess_free_cb_ctx* freeCtx)
- {
- (void)ssl;
- (void)sess;
- #ifdef HAVE_EXT_CACHE
- if (freeCtx->extCache) {
- if (freeCtx->freeSess)
- /* In this case sess is not longer const and the external cache
- * wants us to free it. */
- wolfSSL_FreeSession(ssl->ctx, (WOLFSSL_SESSION*)sess);
- }
- else
- #endif
- TlsSessionCacheUnlockRow(freeCtx->row);
- }
- /* Parse ticket sent by client, returns callback return value. Doesn't
- * modify ssl and stores the InternalTicket inside psk */
- int DoClientTicket_ex(const WOLFSSL* ssl, PreSharedKey* psk, int retainSess)
- {
- int ret;
- int decryptRet = WOLFSSL_TICKET_RET_REJECT;
- WOLFSSL_START(WC_FUNC_TICKET_DO);
- WOLFSSL_ENTER("DoClientTicket_ex");
- if (psk->identityLen == ID_LEN && IsAtLeastTLSv1_3(ssl->version)) {
- /* This is a stateful ticket. We can be sure about this because
- * stateless tickets are much longer. */
- const WOLFSSL_SESSION* sess = NULL;
- sess = GetSesionFromCacheOrExt(ssl, psk->identity,
- &psk->sess_free_cb_ctx);
- if (sess != NULL) {
- /* Session found in cache. Copy in relevant info to psk */
- byte* tmp;
- WOLFSSL_MSG("Found session matching the session id"
- " found in the ticket");
- /* Allocate and populate an InternalTicket */
- tmp = (byte*)XREALLOC(psk->identity, sizeof(InternalTicket),
- ssl->heap, DYNAMIC_TYPE_TLSX);
- if (tmp != NULL) {
- XMEMSET(tmp, 0, sizeof(InternalTicket));
- psk->identity = tmp;
- psk->identityLen = sizeof(InternalTicket);
- psk->it = (InternalTicket*)tmp;
- PopulateInternalTicketFromSession(sess, psk->it);
- decryptRet = WOLFSSL_TICKET_RET_OK;
- if (retainSess) {
- psk->sess = sess;
- psk->sess_free_cb = FreeSessionFromCacheOrExt;
- }
- }
- if (psk->sess == NULL) {
- FreeSessionFromCacheOrExt(ssl, sess,
- &psk->sess_free_cb_ctx);
- XMEMSET(&psk->sess_free_cb_ctx, 0,
- sizeof(psk_sess_free_cb_ctx));
- }
- }
- }
- else {
- decryptRet = DoDecryptTicket(ssl, psk->identity, psk->identityLen,
- &psk->it);
- }
- switch (decryptRet) {
- case WOLFSSL_TICKET_RET_OK:
- psk->decryptRet = PSK_DECRYPT_OK;
- break;
- case WOLFSSL_TICKET_RET_CREATE:
- psk->decryptRet = PSK_DECRYPT_CREATE;
- break;
- default:
- psk->decryptRet = PSK_DECRYPT_FAIL;
- return decryptRet;
- }
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- /* Internal ticket successfully decrypted. */
- wc_MemZero_Add("Do Client Ticket internal", psk->it,
- sizeof(InternalTicket));
- #endif
- ret = DoClientTicketCheckVersion(ssl, psk->it);
- if (ret != 0) {
- psk->decryptRet = PSK_DECRYPT_FAIL;
- ForceZero(psk->identity, psk->identityLen);
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(psk->it, sizeof(InternalTicket));
- #endif
- return ret;
- }
- return decryptRet;
- }
- #endif /* WOLFSL_TLS13 */
- /* Parse ticket sent by client, returns callback return value */
- int DoClientTicket(WOLFSSL* ssl, const byte* input, word32 len)
- {
- int decryptRet = WOLFSSL_TICKET_RET_REJECT;
- int ret;
- InternalTicket* it;
- #ifdef WOLFSSL_TLS13
- InternalTicket staticIt;
- const WOLFSSL_SESSION* sess = NULL;
- psk_sess_free_cb_ctx freeCtx;
- XMEMSET(&freeCtx, 0, sizeof(psk_sess_free_cb_ctx));
- #endif
- WOLFSSL_START(WC_FUNC_TICKET_DO);
- WOLFSSL_ENTER("DoClientTicket");
- #ifdef WOLFSSL_TLS13
- if (len == ID_LEN && IsAtLeastTLSv1_3(ssl->version)) {
- /* This is a stateful ticket. We can be sure about this because
- * stateless tickets are much longer. */
- sess = GetSesionFromCacheOrExt(ssl, input, &freeCtx);
- if (sess != NULL) {
- it = &staticIt;
- XMEMSET(it, 0, sizeof(InternalTicket));
- PopulateInternalTicketFromSession(sess, it);
- decryptRet = WOLFSSL_TICKET_RET_OK;
- }
- }
- else
- #endif
- decryptRet = DoDecryptTicket(ssl, input, len, &it);
- if (decryptRet != WOLFSSL_TICKET_RET_OK &&
- decryptRet != WOLFSSL_TICKET_RET_CREATE) {
- it = NULL;
- goto cleanup;
- }
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- /* Internal ticket successfully decrypted. */
- wc_MemZero_Add("Do Client Ticket internal", it, sizeof(InternalTicket));
- #endif
- ret = DoClientTicketCheckVersion(ssl, it);
- if (ret != 0) {
- decryptRet = ret;
- goto cleanup;
- }
- DoClientTicketFinalize(ssl, it, NULL);
- cleanup:
- if (it != NULL) {
- ForceZero(it, sizeof(*it));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(it, sizeof(InternalTicket));
- #endif
- }
- #ifdef WOLFSSL_TLS13
- if (sess != NULL)
- FreeSessionFromCacheOrExt(ssl, sess, &freeCtx);
- #endif
- return decryptRet;
- }
- #ifdef WOLFSSL_TLS13
- void CleanupClientTickets(PreSharedKey* psk)
- {
- for (; psk != NULL; psk = psk->next) {
- if (psk->decryptRet == PSK_DECRYPT_OK ||
- psk->decryptRet == PSK_DECRYPT_CREATE) {
- psk->decryptRet = PSK_DECRYPT_NONE;
- ForceZero(psk->identity, psk->identityLen);
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- /* We want to check the InternalTicket area since that is what
- * we registered in DoClientTicket_ex */
- wc_MemZero_Check((((ExternalTicket*)psk->identity)->enc_ticket),
- sizeof(InternalTicket));
- #endif
- }
- }
- }
- #endif /* WOLFSSL_TLS13 */
- /* send Session Ticket */
- int SendTicket(WOLFSSL* ssl)
- {
- byte* output;
- int ret;
- int sendSz;
- word32 length = SESSION_HINT_SZ + LENGTH_SZ;
- word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- WOLFSSL_START(WC_FUNC_TICKET_SEND);
- WOLFSSL_ENTER("SendTicket");
- if (ssl->options.createTicket) {
- ret = CreateTicket(ssl);
- if (ret != 0)
- return ret;
- }
- length += ssl->session->ticketLen;
- sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
- if (!ssl->options.dtls) {
- if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone)
- sendSz += MAX_MSG_EXTRA;
- }
- else {
- #ifdef WOLFSSL_DTLS
- sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- #endif
- }
- if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone)
- sendSz += cipherExtraData(ssl);
- /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
- * is not advanced yet */
- ssl->options.buildingMsg = 1;
- /* check for available size */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
- /* get output buffer */
- output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- AddHeaders(output, length, session_ticket, ssl);
- /* hint */
- c32toa(ssl->ctx->ticketHint, output + idx);
- idx += SESSION_HINT_SZ;
- /* length */
- c16toa(ssl->session->ticketLen, output + idx);
- idx += LENGTH_SZ;
- /* ticket */
- XMEMCPY(output + idx, ssl->session->ticket, ssl->session->ticketLen);
- idx += ssl->session->ticketLen;
- if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) {
- byte* input;
- int inputSz = idx; /* build msg adds rec hdr */
- int recordHeaderSz = RECORD_HEADER_SZ;
- if (ssl->options.dtls)
- recordHeaderSz += DTLS_RECORD_EXTRA;
- inputSz -= recordHeaderSz;
- input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (input == NULL)
- return MEMORY_E;
- XMEMCPY(input, output + recordHeaderSz, inputSz);
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- handshake, 1, 0, 0, CUR_ORDER);
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (sendSz < 0)
- return sendSz;
- }
- else {
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, session_ticket)) != 0)
- return ret;
- DtlsSEQIncrement(ssl, CUR_ORDER);
- }
- #endif
- ret = HashOutput(ssl, output, sendSz, 0);
- if (ret != 0)
- return ret;
- }
- ssl->buffers.outputBuffer.length += sendSz;
- ssl->options.buildingMsg = 0;
- if (!ssl->options.groupMessages)
- ret = SendBuffered(ssl);
- WOLFSSL_LEAVE("SendTicket", ret);
- WOLFSSL_END(WC_FUNC_TICKET_SEND);
- return ret;
- }
- #ifndef WOLFSSL_NO_DEF_TICKET_ENC_CB
- /* Initialize the context for session ticket encryption.
- *
- * @param [in] ctx SSL context.
- * @param [in] keyCtx Context for session ticket encryption.
- * @return 0 on success.
- * @return BAD_MUTEX_E when initializing mutex fails.
- */
- static int TicketEncCbCtx_Init(WOLFSSL_CTX* ctx, TicketEncCbCtx* keyCtx)
- {
- int ret = 0;
- XMEMSET(keyCtx, 0, sizeof(*keyCtx));
- keyCtx->ctx = ctx;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("TicketEncCbCtx_Init keyCtx->name", keyCtx->name,
- sizeof(keyCtx->name));
- wc_MemZero_Add("TicketEncCbCtx_Init keyCtx->key[0]", keyCtx->key[0],
- sizeof(keyCtx->key[0]));
- wc_MemZero_Add("TicketEncCbCtx_Init keyCtx->key[1]", keyCtx->key[1],
- sizeof(keyCtx->key[1]));
- #endif
- #ifndef SINGLE_THREADED
- ret = wc_InitMutex(&keyCtx->mutex);
- #endif
- return ret;
- }
- /* Setup the session ticket encryption context for this.
- *
- * Initialize RNG, generate name, generate primary key and set primary key
- * expirary.
- *
- * @param [in] keyCtx Context for session ticket encryption.
- * @param [in] heap Dynamic memory allocation hint.
- * @param [in] devId Device identifier.
- * @return 0 on success.
- * @return Other value when random number generator fails.
- */
- static int TicketEncCbCtx_Setup(TicketEncCbCtx* keyCtx, void* heap, int devId)
- {
- int ret;
- #ifndef SINGLE_THREADED
- ret = 0;
- /* Check that key wasn't set up while waiting. */
- if (keyCtx->expirary[0] == 0)
- #endif
- {
- ret = wc_InitRng_ex(&keyCtx->rng, heap, devId);
- if (ret == 0) {
- ret = wc_RNG_GenerateBlock(&keyCtx->rng, keyCtx->name,
- sizeof(keyCtx->name));
- }
- if (ret == 0) {
- /* Mask of the bottom bit - used for index of key. */
- keyCtx->name[WOLFSSL_TICKET_NAME_SZ - 1] &= 0xfe;
- /* Generate initial primary key. */
- ret = wc_RNG_GenerateBlock(&keyCtx->rng, keyCtx->key[0],
- WOLFSSL_TICKET_KEY_SZ);
- }
- if (ret == 0) {
- keyCtx->expirary[0] = LowResTimer() + WOLFSSL_TICKET_KEY_LIFETIME;
- }
- }
- return ret;
- }
- /* Free the context for session ticket encryption.
- *
- * Zeroize keys and name.
- *
- * @param [in] keyCtx Context for session ticket encryption.
- */
- static void TicketEncCbCtx_Free(TicketEncCbCtx* keyCtx)
- {
- /* Zeroize sensitive data. */
- ForceZero(keyCtx->name, sizeof(keyCtx->name));
- ForceZero(keyCtx->key[0], sizeof(keyCtx->key[0]));
- ForceZero(keyCtx->key[1], sizeof(keyCtx->key[1]));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(keyCtx->name, sizeof(keyCtx->name));
- wc_MemZero_Check(keyCtx->key[0], sizeof(keyCtx->key[0]));
- wc_MemZero_Check(keyCtx->key[1], sizeof(keyCtx->key[1]));
- #endif
- #ifndef SINGLE_THREADED
- wc_FreeMutex(&keyCtx->mutex);
- #endif
- wc_FreeRng(&keyCtx->rng);
- }
- #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && \
- !defined(WOLFSSL_TICKET_ENC_AES128_GCM) && \
- !defined(WOLFSSL_TICKET_ENC_AES256_GCM)
- /* Ticket encryption/decryption implementation.
- *
- * @param [in] key Key for encryption/decryption.
- * @param [in] keyLen Length of key in bytes.
- * @param [in] iv IV/Nonce for encryption/decryption.
- * @param [in] aad Additional authentication data.
- * @param [in] aadSz Length of additional authentication data.
- * @param [in] in Data to encrypt/decrypt.
- * @param [in] inLen Length of encrypted data.
- * @param [out] out Resulting data from encrypt/decrypt.
- * @param [out] outLen Size of resulting data.
- * @param [in] tag Authentication tag for encrypted data.
- * @param [in] heap Dynamic memory allocation data hint.
- * @param [in] enc 1 when encrypting, 0 when decrypting.
- * @return 0 on success.
- * @return Other value when encryption/decryption fails.
- */
- static int TicketEncDec(byte* key, int keyLen, byte* iv, byte* aad, int aadSz,
- byte* in, int inLen, byte* out, int* outLen, byte* tag,
- void* heap, int enc)
- {
- int ret;
- (void)keyLen;
- (void)heap;
- if (enc) {
- ret = wc_ChaCha20Poly1305_Encrypt(key, iv, aad, aadSz, in, inLen, out,
- tag);
- }
- else {
- ret = wc_ChaCha20Poly1305_Decrypt(key, iv, aad, aadSz, in, inLen, tag,
- out);
- }
- *outLen = inLen;
- return ret;
- }
- #elif defined(HAVE_AESGCM)
- /* Ticket encryption/decryption implementation.
- *
- * @param [in] key Key for encryption/decryption.
- * @param [in] keyLen Length of key in bytes.
- * @param [in] iv IV/Nonce for encryption/decryption.
- * @param [in] aad Additional authentication data.
- * @param [in] aadSz Length of additional authentication data.
- * @param [in] in Data to encrypt/decrypt.
- * @param [in] inLen Length of encrypted data.
- * @param [out] out Resulting data from encrypt/decrypt.
- * @param [out] outLen Size of resulting data.
- * @param [in] tag Authentication tag for encrypted data.
- * @param [in] heap Dynamic memory allocation data hint.
- * @param [in] enc 1 when encrypting, 0 when decrypting.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return Other value when encryption/decryption fails.
- */
- static int TicketEncDec(byte* key, int keyLen, byte* iv, byte* aad, int aadSz,
- byte* in, int inLen, byte* out, int* outLen, byte* tag,
- void* heap, int enc)
- {
- int ret;
- #ifdef WOLFSSL_SMALL_STACK
- Aes* aes;
- #else
- Aes aes[1];
- #endif
- (void)heap;
- #ifdef WOLFSSL_SMALL_STACK
- aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_TMP_BUFFER);
- if (aes == NULL)
- return MEMORY_E;
- #endif
- if (enc) {
- ret = wc_AesInit(aes, NULL, INVALID_DEVID);
- if (ret == 0) {
- ret = wc_AesGcmSetKey(aes, key, keyLen);
- }
- if (ret == 0) {
- ret = wc_AesGcmEncrypt(aes, in, out, inLen, iv, GCM_NONCE_MID_SZ,
- tag, AES_BLOCK_SIZE, aad, aadSz);
- }
- wc_AesFree(aes);
- }
- else {
- ret = wc_AesInit(aes, NULL, INVALID_DEVID);
- if (ret == 0) {
- ret = wc_AesGcmSetKey(aes, key, keyLen);
- }
- if (ret == 0) {
- ret = wc_AesGcmDecrypt(aes, in, out, inLen, iv, GCM_NONCE_MID_SZ,
- tag, AES_BLOCK_SIZE, aad, aadSz);
- }
- wc_AesFree(aes);
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(aes, heap, DYNAMIC_TYPE_TMP_BUFFER);
- #endif
- *outLen = inLen;
- return ret;
- }
- #else
- #error "No encryption algorithm available for default ticket encryption."
- #endif
- /* Choose a key to use for encryption.
- *
- * Generate a new key if the current ones are expired.
- * If the secondary key has not been used and the primary key has expired then
- * generate a new primary key.
- *
- * @param [in] Ticket encryption callback context.
- * @param [in] Session ticket lifetime.
- * @param [out] Index of key to use for encryption.
- * @return 0 on success.
- * @return Other value when random number generation fails.
- */
- static int TicketEncCbCtx_ChooseKey(TicketEncCbCtx* keyCtx, int ticketHint,
- int* keyIdx)
- {
- int ret = 0;
- /* Get new current time as lock may have taken some time. */
- word32 now = LowResTimer();
- /* Check expirary of primary key for encrypt. */
- if (keyCtx->expirary[0] >= now + ticketHint) {
- *keyIdx = 0;
- }
- /* Check expirary of primary key for encrypt. */
- else if (keyCtx->expirary[1] >= now + ticketHint) {
- *keyIdx = 1;
- }
- /* No key available to use. */
- else {
- int genKey;
- /* Generate which ever key is expired for decrypt - primary first. */
- if (keyCtx->expirary[0] < now) {
- genKey = 0;
- }
- else if (keyCtx->expirary[1] < now) {
- genKey = 1;
- }
- /* Timeouts and expirary should not allow this to happen. */
- else {
- return BAD_STATE_E;
- }
- /* Generate the required key */
- ret = wc_RNG_GenerateBlock(&keyCtx->rng, keyCtx->key[genKey],
- WOLFSSL_TICKET_KEY_SZ);
- if (ret == 0) {
- keyCtx->expirary[genKey] = now + WOLFSSL_TICKET_KEY_LIFETIME;
- *keyIdx = genKey;
- }
- }
- return ret;
- }
- /* Default Session Ticket encryption/decryption callback.
- *
- * Use ChaCha20-Poly1305 or AES-GCM to encrypt/decrypt the ticket.
- * Two keys are used:
- * - When the first expires for encryption, then use the other.
- * - Don't encrypt with key if the ticket lifetime will go beyond expirary.
- * - Generate a new primary key when primary key expired for decrypt and
- * no secondary key is activate for encryption.
- * - Generate a new secondary key when expired and needed.
- * - Calculate expirary starting from first encrypted ticket.
- * - Key name has last bit set to indicate index of key.
- * Keys expire for decryption after ticket key lifetime from the first encrypted
- * ticket.
- * Keys can only be use for encryption while the ticket hint does not exceed
- * the key lifetime.
- * Lifetime of a key must be greater than the lifetime of a ticket. This means
- * that if one ticket is only valid for decryption, then the other will be
- * valid for encryption.
- * AAD = key_name | iv | ticket len (16-bits network order)
- *
- * @param [in] ssl SSL connection.
- * @param [in,out] key_name Name of key from client.
- * Encrypt: name of key returned.
- * Decrypt: name from ticket message to check.
- * @param [in] iv IV to use in encryption/decryption.
- * @param [in] mac MAC for authentication of encrypted data.
- * @param [in] enc 1 when encrypting ticket, 0 when decrypting.
- * @param [in,out] ticket Encrypted/decrypted session ticket bytes.
- * @param [in] inLen Length of incoming ticket.
- * @param [out] outLen Length of outgoing ticket.
- * @param [in] userCtx Context for encryption/decryption of ticket.
- * @return WOLFSSL_TICKET_RET_OK when successful.
- * @return WOLFSSL_TICKET_RET_CREATE when successful and a new ticket is to
- * be created for TLS 1.2 and below.
- * @return WOLFSSL_TICKET_RET_REJECT when failed to produce valid encrypted or
- * decrypted ticket.
- * @return WOLFSSL_TICKET_RET_FATAL when key name does not match.
- */
- static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
- byte iv[WOLFSSL_TICKET_IV_SZ],
- byte mac[WOLFSSL_TICKET_MAC_SZ],
- int enc, byte* ticket, int inLen, int* outLen,
- void* userCtx)
- {
- int ret;
- TicketEncCbCtx* keyCtx = (TicketEncCbCtx*)userCtx;
- WOLFSSL_CTX* ctx = keyCtx->ctx;
- word16 sLen = XHTONS((word16)inLen);
- byte aad[WOLFSSL_TICKET_NAME_SZ + WOLFSSL_TICKET_IV_SZ + sizeof(sLen)];
- int aadSz = WOLFSSL_TICKET_NAME_SZ + WOLFSSL_TICKET_IV_SZ + sizeof(sLen);
- byte* p = aad;
- int keyIdx = 0;
- WOLFSSL_ENTER("DefTicketEncCb");
- /* Check we have setup the RNG, name and primary key. */
- if (keyCtx->expirary[0] == 0) {
- #ifndef SINGLE_THREADED
- /* Lock around access to expirary and key - stop initial key being
- * generated twice at the same time. */
- if (wc_LockMutex(&keyCtx->mutex) != 0) {
- WOLFSSL_MSG("Couldn't lock key context mutex");
- return WOLFSSL_TICKET_RET_REJECT;
- }
- #endif
- /* Sets expirary of primary key in setup. */
- ret = TicketEncCbCtx_Setup(keyCtx, ssl->ctx->heap, ssl->ctx->devId);
- #ifndef SINGLE_THREADED
- wc_UnLockMutex(&keyCtx->mutex);
- #endif
- if (ret != 0)
- return ret;
- }
- if (enc) {
- /* Return the name of the key - missing key index. */
- XMEMCPY(key_name, keyCtx->name, WOLFSSL_TICKET_NAME_SZ);
- /* Generate a new IV into buffer to be returned.
- * Don't use the RNG in keyCtx as it's for generating private data. */
- ret = wc_RNG_GenerateBlock(ssl->rng, iv, WOLFSSL_TICKET_IV_SZ);
- if (ret != 0) {
- return WOLFSSL_TICKET_RET_REJECT;
- }
- }
- else {
- /* Mask of last bit that is the key index. */
- byte lastByte = key_name[WOLFSSL_TICKET_NAME_SZ - 1] & 0xfe;
- /* For decryption, see if we know this key - check all but last byte. */
- if (XMEMCMP(key_name, keyCtx->name, WOLFSSL_TICKET_NAME_SZ - 1) != 0) {
- return WOLFSSL_TICKET_RET_FATAL;
- }
- /* Ensure last byte without index bit matches too. */
- if (lastByte != keyCtx->name[WOLFSSL_TICKET_NAME_SZ - 1]) {
- return WOLFSSL_TICKET_RET_FATAL;
- }
- }
- /* Build AAD from: key name, iv, and length of ticket. */
- XMEMCPY(p, keyCtx->name, WOLFSSL_TICKET_NAME_SZ);
- p += WOLFSSL_TICKET_NAME_SZ;
- XMEMCPY(p, iv, WOLFSSL_TICKET_IV_SZ);
- p += WOLFSSL_TICKET_IV_SZ;
- XMEMCPY(p, &sLen, sizeof(sLen));
- /* Encrypt ticket. */
- if (enc) {
- word32 now;
- now = LowResTimer();
- /* As long as encryption expirary isn't imminent - no lock. */
- if (keyCtx->expirary[0] > now + ctx->ticketHint) {
- keyIdx = 0;
- }
- else if (keyCtx->expirary[1] > now + ctx->ticketHint) {
- keyIdx = 1;
- }
- else {
- #ifndef SINGLE_THREADED
- /* Lock around access to expirary and key - stop key being generated
- * twice at the same time. */
- if (wc_LockMutex(&keyCtx->mutex) != 0) {
- WOLFSSL_MSG("Couldn't lock key context mutex");
- return WOLFSSL_TICKET_RET_REJECT;
- }
- #endif
- ret = TicketEncCbCtx_ChooseKey(keyCtx, ctx->ticketHint, &keyIdx);
- #ifndef SINGLE_THREADED
- wc_UnLockMutex(&keyCtx->mutex);
- #endif
- if (ret != 0) {
- return WOLFSSL_TICKET_RET_REJECT;
- }
- }
- /* Set the name of the key to the index chosen. */
- key_name[WOLFSSL_TICKET_NAME_SZ - 1] |= keyIdx;
- /* Update AAD too. */
- aad[WOLFSSL_TICKET_NAME_SZ - 1] |= keyIdx;
- /* Encrypt ticket data. */
- ret = TicketEncDec(keyCtx->key[keyIdx], WOLFSSL_TICKET_KEY_SZ, iv, aad,
- aadSz, ticket, inLen, ticket, outLen, mac, ssl->heap,
- 1);
- if (ret != 0) return WOLFSSL_TICKET_RET_REJECT;
- }
- /* Decrypt ticket. */
- else {
- /* Get index of key from name. */
- keyIdx = key_name[WOLFSSL_TICKET_NAME_SZ - 1] & 0x1;
- /* Update AAD with index. */
- aad[WOLFSSL_TICKET_NAME_SZ - 1] |= keyIdx;
- /* Check expirary */
- if (keyCtx->expirary[keyIdx] <= LowResTimer()) {
- return WOLFSSL_TICKET_RET_REJECT;
- }
- /* Decrypt ticket data. */
- ret = TicketEncDec(keyCtx->key[keyIdx], WOLFSSL_TICKET_KEY_SZ, iv, aad,
- aadSz, ticket, inLen, ticket, outLen, mac, ssl->heap,
- 0);
- if (ret != 0) {
- return WOLFSSL_TICKET_RET_REJECT;
- }
- }
- #ifndef WOLFSSL_TICKET_DECRYPT_NO_CREATE
- if (!IsAtLeastTLSv1_3(ssl->version) && !enc)
- return WOLFSSL_TICKET_RET_CREATE;
- #endif
- return WOLFSSL_TICKET_RET_OK;
- }
- #endif /* !WOLFSSL_NO_DEF_TICKET_ENC_CB */
- #endif /* HAVE_SESSION_TICKET */
- #ifndef WOLFSSL_NO_TLS12
- #if defined(HAVE_SECURE_RENEGOTIATION) && \
- !defined(NO_WOLFSSL_SERVER)
- /* handle generation of server's hello_request (0) */
- int SendHelloRequest(WOLFSSL* ssl)
- {
- byte* output;
- int sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- int ret;
- WOLFSSL_START(WC_FUNC_HELLO_REQUEST_SEND);
- WOLFSSL_ENTER("SendHelloRequest");
- if (IsEncryptionOn(ssl, 1))
- sendSz += MAX_MSG_EXTRA;
- if (ssl->options.dtls)
- sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
- * is not advanced yet */
- ssl->options.buildingMsg = 1;
- /* check for available size */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
- /* get output buffer */
- output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- AddHeaders(output, 0, hello_request, ssl);
- if (IsEncryptionOn(ssl, 1)) {
- byte* input;
- int inputSz = HANDSHAKE_HEADER_SZ; /* build msg adds rec hdr */
- int recordHeaderSz = RECORD_HEADER_SZ;
- if (ssl->options.dtls) {
- recordHeaderSz += DTLS_RECORD_EXTRA;
- inputSz += DTLS_HANDSHAKE_EXTRA;
- }
- input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (input == NULL)
- return MEMORY_E;
- XMEMCPY(input, output + recordHeaderSz, inputSz);
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl) &&
- (ret = DtlsMsgPoolSave(ssl, input, inputSz, hello_request)) != 0) {
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- return ret;
- }
- #endif
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- handshake, 0, 0, 0, CUR_ORDER);
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (sendSz < 0)
- return sendSz;
- }
- ssl->buffers.outputBuffer.length += sendSz;
- ssl->options.buildingMsg = 0;
- ret = SendBuffered(ssl);
- WOLFSSL_LEAVE("SendHelloRequest", ret);
- WOLFSSL_END(WC_FUNC_HELLO_REQUEST_SEND);
- return ret;
- }
- #endif /* HAVE_SECURE_RENEGOTIATION && !NO_WOLFSSL_SERVER */
- #ifdef WOLFSSL_DTLS
- /* handle generation of DTLS hello_verify_request (3) */
- int SendHelloVerifyRequest(WOLFSSL* ssl,
- const byte* cookie, byte cookieSz)
- {
- byte* output;
- int length = VERSION_SZ + ENUM_LEN + cookieSz;
- int idx = DTLS_RECORD_HEADER_SZ + DTLS_HANDSHAKE_HEADER_SZ;
- int sendSz = length + idx;
- int ret;
- /* are we in scr */
- if (IsEncryptionOn(ssl, 1)) {
- sendSz += MAX_MSG_EXTRA;
- }
- /* reset hashes */
- ret = InitHandshakeHashes(ssl);
- if (ret != 0)
- return ret;
- /* check for available size */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
- /* get output buffer */
- output = ssl->buffers.outputBuffer.buffer +
- ssl->buffers.outputBuffer.length;
- /* Hello Verify Request should use the same sequence number
- * as the Client Hello unless we are in renegotiation then
- * don't change numbers */
- #ifdef HAVE_SECURE_RENEGOTIATION
- if (!IsSCR(ssl))
- #endif
- {
- ssl->keys.dtls_sequence_number_hi = ssl->keys.curSeq_hi;
- ssl->keys.dtls_sequence_number_lo = ssl->keys.curSeq_lo;
- }
- AddHeaders(output, length, hello_verify_request, ssl);
- output[idx++] = DTLS_MAJOR;
- output[idx++] = DTLS_MINOR;
- output[idx++] = cookieSz;
- if (cookie == NULL || cookieSz == 0)
- return COOKIE_ERROR;
- XMEMCPY(output + idx, cookie, cookieSz);
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "HelloVerifyRequest");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "HelloVerifyRequest", handshake, output,
- sendSz, WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- /* are we in scr */
- if (IsEncryptionOn(ssl, 1)) {
- byte* input;
- int inputSz = DTLS_HANDSHAKE_HEADER_SZ + length; /* build msg adds rec hdr */
- int recordHeaderSz = DTLS_RECORD_HEADER_SZ;
- input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (input == NULL)
- return MEMORY_E;
- XMEMCPY(input, output + recordHeaderSz, inputSz);
- sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- handshake, 0, 0, 0, CUR_ORDER);
- XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
- if (sendSz < 0)
- return sendSz;
- }
- ssl->buffers.outputBuffer.length += sendSz;
- return SendBuffered(ssl);
- }
- #endif /* WOLFSSL_DTLS */
- typedef struct DckeArgs {
- byte* output; /* not allocated */
- word32 length;
- word32 idx;
- word32 begin;
- word32 sigSz;
- #ifndef NO_RSA
- int lastErr;
- #endif
- } DckeArgs;
- static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs)
- {
- DckeArgs* args = (DckeArgs*)pArgs;
- (void)ssl;
- (void)args;
- }
- /* handle processing client_key_exchange (16) */
- static int DoClientKeyExchange(WOLFSSL* ssl, byte* input, word32* inOutIdx,
- word32 size)
- {
- int ret;
- #ifdef WOLFSSL_ASYNC_CRYPT
- DckeArgs* args = NULL;
- WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
- #else
- DckeArgs args[1];
- #endif
- (void)size;
- (void)input;
- WOLFSSL_START(WC_FUNC_CLIENT_KEY_EXCHANGE_DO);
- WOLFSSL_ENTER("DoClientKeyExchange");
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->async == NULL) {
- ssl->async = (struct WOLFSSL_ASYNC*)
- XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
- DYNAMIC_TYPE_ASYNC);
- if (ssl->async == NULL)
- ERROR_OUT(MEMORY_E, exit_dcke);
- }
- args = (DckeArgs*)ssl->async->args;
- ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
- if (ret != WC_NOT_PENDING_E) {
- /* Check for error */
- if (ret < 0)
- goto exit_dcke;
- }
- else
- #endif /* WOLFSSL_ASYNC_CRYPT */
- {
- /* Reset state */
- ret = 0;
- ssl->options.asyncState = TLS_ASYNC_BEGIN;
- XMEMSET(args, 0, sizeof(DckeArgs));
- args->idx = *inOutIdx;
- args->begin = *inOutIdx;
- #ifdef WOLFSSL_ASYNC_CRYPT
- ssl->async->freeArgs = FreeDckeArgs;
- #endif
- }
- /* Do Client Key Exchange State Machine */
- switch(ssl->options.asyncState)
- {
- case TLS_ASYNC_BEGIN:
- {
- /* Sanity checks */
- /* server side checked in SanityCheckMsgReceived */
- if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
- WOLFSSL_MSG("Client sending keyexchange at wrong time");
- SendAlert(ssl, alert_fatal, unexpected_message);
- ERROR_OUT(OUT_OF_ORDER_E, exit_dcke);
- }
- #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
- if (ssl->options.verifyPeer &&
- (ssl->options.mutualAuth || ssl->options.failNoCert)) {
- if (!ssl->options.havePeerCert) {
- WOLFSSL_MSG("client didn't present peer cert");
- ERROR_OUT(NO_PEER_CERT, exit_dcke);
- }
- }
- if (ssl->options.verifyPeer && ssl->options.failNoCertxPSK) {
- if (!ssl->options.havePeerCert &&
- !ssl->options.usingPSK_cipher) {
- WOLFSSL_MSG("client didn't present peer cert");
- ERROR_OUT(NO_PEER_CERT, exit_dcke);
- }
- }
- #endif /* !NO_CERTS && !WOLFSSL_NO_CLIENT_AUTH */
- #if defined(WOLFSSL_CALLBACKS)
- if (ssl->hsInfoOn) {
- AddPacketName(ssl, "ClientKeyExchange");
- }
- if (ssl->toInfoOn) {
- AddLateName("ClientKeyExchange", &ssl->timeoutInfo);
- }
- #endif
- if (ssl->arrays->preMasterSecret == NULL) {
- ssl->arrays->preMasterSz = ENCRYPT_LEN;
- ssl->arrays->preMasterSecret = (byte*)XMALLOC(ENCRYPT_LEN,
- ssl->heap, DYNAMIC_TYPE_SECRET);
- if (ssl->arrays->preMasterSecret == NULL) {
- ERROR_OUT(MEMORY_E, exit_dcke);
- }
- XMEMSET(ssl->arrays->preMasterSecret, 0, ENCRYPT_LEN);
- }
- switch (ssl->specs.kea) {
- #ifndef NO_RSA
- case rsa_kea:
- {
- break;
- } /* rsa_kea */
- #endif /* !NO_RSA */
- #ifndef NO_PSK
- case psk_kea:
- {
- /* sanity check that PSK server callback has been set */
- if (ssl->options.server_psk_cb == NULL) {
- WOLFSSL_MSG("No server PSK callback set");
- ERROR_OUT(PSK_KEY_ERROR, exit_dcke);
- }
- break;
- }
- #endif /* !NO_PSK */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- case ecc_diffie_hellman_kea:
- {
- break;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #ifndef NO_DH
- case diffie_hellman_kea:
- {
- break;
- }
- #endif /* !NO_DH */
- #if !defined(NO_DH) && !defined(NO_PSK)
- case dhe_psk_kea:
- {
- /* sanity check that PSK server callback has been set */
- if (ssl->options.server_psk_cb == NULL) {
- WOLFSSL_MSG("No server PSK callback set");
- ERROR_OUT(PSK_KEY_ERROR, exit_dcke);
- }
- break;
- }
- #endif /* !NO_DH && !NO_PSK */
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && !defined(NO_PSK)
- case ecdhe_psk_kea:
- {
- /* sanity check that PSK server callback has been set */
- if (ssl->options.server_psk_cb == NULL) {
- WOLFSSL_MSG("No server PSK callback set");
- ERROR_OUT(PSK_KEY_ERROR, exit_dcke);
- }
- break;
- }
- #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
- default:
- WOLFSSL_MSG("Bad kea type");
- ret = BAD_KEA_TYPE_E;
- } /* switch (ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_dcke;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_BUILD;
- } /* TLS_ASYNC_BEGIN */
- FALL_THROUGH;
- case TLS_ASYNC_BUILD:
- {
- switch (ssl->specs.kea) {
- #ifndef NO_RSA
- case rsa_kea:
- {
- word16 keySz;
- ssl->buffers.keyType = rsa_sa_algo;
- ret = DecodePrivateKey(ssl, &keySz);
- if (ret != 0) {
- goto exit_dcke;
- }
- args->length = (word32)keySz;
- ssl->arrays->preMasterSz = SECRET_LEN;
- if (ssl->options.tls) {
- word16 check;
- if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- ato16(input + args->idx, &check);
- args->idx += OPAQUE16_LEN;
- if ((word32)check != args->length) {
- WOLFSSL_MSG("RSA explicit size doesn't match");
- #ifdef WOLFSSL_EXTRA_ALERTS
- SendAlert(ssl, alert_fatal, bad_record_mac);
- #endif
- ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke);
- }
- }
- if ((args->idx - args->begin) + args->length > size) {
- WOLFSSL_MSG("RSA message too big");
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- /* pre-load PreMasterSecret with RNG data */
- ret = wc_RNG_GenerateBlock(ssl->rng,
- &ssl->arrays->preMasterSecret[VERSION_SZ],
- SECRET_LEN - VERSION_SZ);
- if (ret != 0) {
- goto exit_dcke;
- }
- args->output = NULL;
- break;
- } /* rsa_kea */
- #endif /* !NO_RSA */
- #ifndef NO_PSK
- case psk_kea:
- {
- byte* pms = ssl->arrays->preMasterSecret;
- word16 ci_sz;
- if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- ato16(input + args->idx, &ci_sz);
- args->idx += OPAQUE16_LEN;
- if (ci_sz > MAX_PSK_ID_LEN) {
- ERROR_OUT(CLIENT_ID_ERROR, exit_dcke);
- }
- if ((args->idx - args->begin) + ci_sz > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- XMEMCPY(ssl->arrays->client_identity,
- input + args->idx, ci_sz);
- args->idx += ci_sz;
- ssl->arrays->client_identity[ci_sz] = '\0'; /* null term */
- ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
- ssl->arrays->client_identity, ssl->arrays->psk_key,
- MAX_PSK_KEY_LEN);
- if (ssl->arrays->psk_keySz == 0 ||
- ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
- #if defined(WOLFSSL_EXTRA_ALERTS) || \
- defined(WOLFSSL_PSK_IDENTITY_ALERT)
- SendAlert(ssl, alert_fatal,
- unknown_psk_identity);
- #endif
- ERROR_OUT(PSK_KEY_ERROR, exit_dcke);
- }
- /* SERVER: Pre-shared Key for peer authentication. */
- ssl->options.peerAuthGood = 1;
- /* make psk pre master secret */
- /* length of key + length 0s + length of key + key */
- c16toa((word16) ssl->arrays->psk_keySz, pms);
- pms += OPAQUE16_LEN;
- XMEMSET(pms, 0, ssl->arrays->psk_keySz);
- pms += ssl->arrays->psk_keySz;
- c16toa((word16) ssl->arrays->psk_keySz, pms);
- pms += OPAQUE16_LEN;
- XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz);
- ssl->arrays->preMasterSz =
- (ssl->arrays->psk_keySz * 2) + (OPAQUE16_LEN * 2);
- break;
- }
- #endif /* !NO_PSK */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- case ecc_diffie_hellman_kea:
- {
- #ifdef HAVE_ECC
- ecc_key* private_key = ssl->eccTempKey;
- /* handle static private key */
- if (ssl->specs.static_ecdh &&
- ssl->ecdhCurveOID != ECC_X25519_OID &&
- ssl->ecdhCurveOID != ECC_X448_OID) {
- word16 keySz;
- ssl->buffers.keyType = ecc_dsa_sa_algo;
- ret = DecodePrivateKey(ssl, &keySz);
- if (ret != 0) {
- goto exit_dcke;
- }
- private_key = (ecc_key*)ssl->hsKey;
- }
- #endif
- /* import peer ECC key */
- if ((args->idx - args->begin) + OPAQUE8_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- args->length = input[args->idx++];
- if ((args->idx - args->begin) + args->length > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- #ifdef HAVE_CURVE25519
- if (ssl->ecdhCurveOID == ECC_X25519_OID) {
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->X25519SharedSecretCb != NULL) {
- break;
- }
- #endif
- if (ssl->peerX25519Key == NULL) {
- /* alloc/init on demand */
- ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519,
- (void**)&ssl->peerX25519Key);
- if (ret != 0) {
- goto exit_dcke;
- }
- } else if (ssl->peerX25519KeyPresent) {
- ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE25519,
- ssl->peerX25519Key);
- ssl->peerX25519KeyPresent = 0;
- if (ret != 0) {
- goto exit_dcke;
- }
- }
- if ((ret = wc_curve25519_check_public(
- input + args->idx, args->length,
- EC25519_LITTLE_ENDIAN)) != 0) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- if (ret == BUFFER_E)
- SendAlert(ssl, alert_fatal, decode_error);
- else if (ret == ECC_OUT_OF_RANGE_E)
- SendAlert(ssl, alert_fatal, bad_record_mac);
- else {
- SendAlert(ssl, alert_fatal,
- illegal_parameter);
- }
- #endif
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
- }
- if (wc_curve25519_import_public_ex(
- input + args->idx, args->length,
- ssl->peerX25519Key,
- EC25519_LITTLE_ENDIAN)) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- SendAlert(ssl, alert_fatal, illegal_parameter);
- #endif
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
- }
- ssl->arrays->preMasterSz = CURVE25519_KEYSIZE;
- ssl->peerX25519KeyPresent = 1;
- break;
- }
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->ecdhCurveOID == ECC_X448_OID) {
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->X448SharedSecretCb != NULL) {
- break;
- }
- #endif
- if (ssl->peerX448Key == NULL) {
- /* alloc/init on demand */
- ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE448,
- (void**)&ssl->peerX448Key);
- if (ret != 0) {
- goto exit_dcke;
- }
- } else if (ssl->peerX448KeyPresent) {
- ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE448,
- ssl->peerX448Key);
- ssl->peerX448KeyPresent = 0;
- if (ret != 0) {
- goto exit_dcke;
- }
- }
- if ((ret = wc_curve448_check_public(
- input + args->idx, args->length,
- EC448_LITTLE_ENDIAN)) != 0) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- if (ret == BUFFER_E)
- SendAlert(ssl, alert_fatal, decode_error);
- else if (ret == ECC_OUT_OF_RANGE_E)
- SendAlert(ssl, alert_fatal, bad_record_mac);
- else {
- SendAlert(ssl, alert_fatal,
- illegal_parameter);
- }
- #endif
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
- }
- if (wc_curve448_import_public_ex(
- input + args->idx, args->length,
- ssl->peerX448Key,
- EC448_LITTLE_ENDIAN)) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- SendAlert(ssl, alert_fatal, illegal_parameter);
- #endif
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
- }
- ssl->arrays->preMasterSz = CURVE448_KEY_SIZE;
- ssl->peerX448KeyPresent = 1;
- break;
- }
- #endif
- #ifdef HAVE_ECC
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->EccSharedSecretCb != NULL) {
- break;
- }
- #endif
- if (!ssl->specs.static_ecdh &&
- ssl->eccTempKeyPresent == 0) {
- WOLFSSL_MSG("Ecc ephemeral key not made correctly");
- ERROR_OUT(ECC_MAKEKEY_ERROR, exit_dcke);
- }
- if (ssl->peerEccKey == NULL) {
- /* alloc/init on demand */
- ret = AllocKey(ssl, DYNAMIC_TYPE_ECC,
- (void**)&ssl->peerEccKey);
- if (ret != 0) {
- goto exit_dcke;
- }
- } else if (ssl->peerEccKeyPresent) {
- ret = ReuseKey(ssl, DYNAMIC_TYPE_ECC,
- ssl->peerEccKey);
- ssl->peerEccKeyPresent = 0;
- if (ret != 0) {
- goto exit_dcke;
- }
- }
- if (wc_ecc_import_x963_ex(input + args->idx,
- args->length, ssl->peerEccKey,
- private_key->dp->id)) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- SendAlert(ssl, alert_fatal, illegal_parameter);
- #endif
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
- }
- ssl->arrays->preMasterSz = private_key->dp->size;
- ssl->peerEccKeyPresent = 1;
- #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)
- /* client_hello may have sent FFEDH2048, which sets namedGroup,
- but that is not being used, so clear it */
- /* resolves issue with server side wolfSSL_get_curve_name */
- ssl->namedGroup = 0;
- #endif
- #endif /* HAVE_ECC */
- break;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #ifndef NO_DH
- case diffie_hellman_kea:
- {
- word16 clientPubSz;
- if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- ato16(input + args->idx, &clientPubSz);
- args->idx += OPAQUE16_LEN;
- if ((args->idx - args->begin) + clientPubSz > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- args->sigSz = clientPubSz;
- ret = AllocKey(ssl, DYNAMIC_TYPE_DH,
- (void**)&ssl->buffers.serverDH_Key);
- if (ret != 0) {
- goto exit_dcke;
- }
- ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
- ssl->buffers.serverDH_P.buffer,
- ssl->buffers.serverDH_P.length,
- ssl->buffers.serverDH_G.buffer,
- ssl->buffers.serverDH_G.length);
- /* set the max agree result size */
- ssl->arrays->preMasterSz = ENCRYPT_LEN;
- break;
- }
- #endif /* !NO_DH */
- #if !defined(NO_DH) && !defined(NO_PSK)
- case dhe_psk_kea:
- {
- word16 clientSz;
- /* Read in the PSK hint */
- if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- ato16(input + args->idx, &clientSz);
- args->idx += OPAQUE16_LEN;
- if (clientSz > MAX_PSK_ID_LEN) {
- ERROR_OUT(CLIENT_ID_ERROR, exit_dcke);
- }
- if ((args->idx - args->begin) + clientSz > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- XMEMCPY(ssl->arrays->client_identity, input + args->idx,
- clientSz);
- args->idx += clientSz;
- ssl->arrays->client_identity[clientSz] = '\0'; /* null term */
- /* Read in the DHE business */
- if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- ato16(input + args->idx, &clientSz);
- args->idx += OPAQUE16_LEN;
- if ((args->idx - args->begin) + clientSz > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- args->sigSz = clientSz;
- ret = AllocKey(ssl, DYNAMIC_TYPE_DH,
- (void**)&ssl->buffers.serverDH_Key);
- if (ret != 0) {
- goto exit_dcke;
- }
- ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
- ssl->buffers.serverDH_P.buffer,
- ssl->buffers.serverDH_P.length,
- ssl->buffers.serverDH_G.buffer,
- ssl->buffers.serverDH_G.length);
- break;
- }
- #endif /* !NO_DH && !NO_PSK */
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && !defined(NO_PSK)
- case ecdhe_psk_kea:
- {
- word16 clientSz;
- /* Read in the PSK hint */
- if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- ato16(input + args->idx, &clientSz);
- args->idx += OPAQUE16_LEN;
- if (clientSz > MAX_PSK_ID_LEN) {
- ERROR_OUT(CLIENT_ID_ERROR, exit_dcke);
- }
- if ((args->idx - args->begin) + clientSz > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- XMEMCPY(ssl->arrays->client_identity,
- input + args->idx, clientSz);
- args->idx += clientSz;
- ssl->arrays->client_identity[clientSz] = '\0'; /* null term */
- /* import peer ECC key */
- if ((args->idx - args->begin) + OPAQUE8_LEN > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- args->length = input[args->idx++];
- if ((args->idx - args->begin) + args->length > size) {
- ERROR_OUT(BUFFER_ERROR, exit_dcke);
- }
- args->sigSz = ENCRYPT_LEN - OPAQUE16_LEN;
- #ifdef HAVE_CURVE25519
- if (ssl->ecdhCurveOID == ECC_X25519_OID) {
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->X25519SharedSecretCb != NULL) {
- break;
- }
- #endif
- if (ssl->eccTempKeyPresent == 0) {
- WOLFSSL_MSG(
- "X25519 ephemeral key not made correctly");
- ERROR_OUT(ECC_MAKEKEY_ERROR, exit_dcke);
- }
- if (ssl->peerX25519Key == NULL) {
- /* alloc/init on demand */
- ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519,
- (void**)&ssl->peerX25519Key);
- if (ret != 0) {
- goto exit_dcke;
- }
- } else if (ssl->peerX25519KeyPresent) {
- ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE25519,
- ssl->peerX25519Key);
- ssl->peerX25519KeyPresent = 0;
- if (ret != 0) {
- goto exit_dcke;
- }
- }
- if ((ret = wc_curve25519_check_public(
- input + args->idx, args->length,
- EC25519_LITTLE_ENDIAN)) != 0) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- if (ret == BUFFER_E)
- SendAlert(ssl, alert_fatal, decode_error);
- else if (ret == ECC_OUT_OF_RANGE_E)
- SendAlert(ssl, alert_fatal, bad_record_mac);
- else {
- SendAlert(ssl, alert_fatal,
- illegal_parameter);
- }
- #endif
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
- }
- if (wc_curve25519_import_public_ex(
- input + args->idx, args->length,
- ssl->peerX25519Key,
- EC25519_LITTLE_ENDIAN)) {
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
- }
- ssl->peerX25519KeyPresent = 1;
- break;
- }
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->ecdhCurveOID == ECC_X448_OID) {
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->X448SharedSecretCb != NULL) {
- break;
- }
- #endif
- if (ssl->eccTempKeyPresent == 0) {
- WOLFSSL_MSG(
- "X448 ephemeral key not made correctly");
- ERROR_OUT(ECC_MAKEKEY_ERROR, exit_dcke);
- }
- if (ssl->peerX448Key == NULL) {
- /* alloc/init on demand */
- ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE448,
- (void**)&ssl->peerX448Key);
- if (ret != 0) {
- goto exit_dcke;
- }
- } else if (ssl->peerX448KeyPresent) {
- ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE448,
- ssl->peerX448Key);
- ssl->peerX448KeyPresent = 0;
- if (ret != 0) {
- goto exit_dcke;
- }
- }
- if ((ret = wc_curve448_check_public(
- input + args->idx, args->length,
- EC448_LITTLE_ENDIAN)) != 0) {
- #ifdef WOLFSSL_EXTRA_ALERTS
- if (ret == BUFFER_E)
- SendAlert(ssl, alert_fatal, decode_error);
- else if (ret == ECC_OUT_OF_RANGE_E)
- SendAlert(ssl, alert_fatal, bad_record_mac);
- else {
- SendAlert(ssl, alert_fatal,
- illegal_parameter);
- }
- #endif
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
- }
- if (wc_curve448_import_public_ex(
- input + args->idx, args->length,
- ssl->peerX448Key,
- EC448_LITTLE_ENDIAN)) {
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
- }
- ssl->peerX448KeyPresent = 1;
- break;
- }
- #endif
- #ifdef HAVE_PK_CALLBACKS
- /* if callback then use it for shared secret */
- if (ssl->ctx->EccSharedSecretCb != NULL) {
- break;
- }
- #endif
- if (ssl->eccTempKeyPresent == 0) {
- WOLFSSL_MSG("Ecc ephemeral key not made correctly");
- ERROR_OUT(ECC_MAKEKEY_ERROR, exit_dcke);
- }
- if (ssl->peerEccKey == NULL) {
- /* alloc/init on demand */
- ret = AllocKey(ssl, DYNAMIC_TYPE_ECC,
- (void**)&ssl->peerEccKey);
- if (ret != 0) {
- goto exit_dcke;
- }
- }
- else if (ssl->peerEccKeyPresent) {
- ret = ReuseKey(ssl, DYNAMIC_TYPE_ECC,
- ssl->peerEccKey);
- ssl->peerEccKeyPresent = 0;
- if (ret != 0) {
- goto exit_dcke;
- }
- }
- if (wc_ecc_import_x963_ex(input + args->idx,
- args->length, ssl->peerEccKey,
- ssl->eccTempKey->dp->id)) {
- ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
- }
- ssl->peerEccKeyPresent = 1;
- break;
- }
- #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
- default:
- ret = BAD_KEA_TYPE_E;
- } /* switch (ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_dcke;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_DO;
- } /* TLS_ASYNC_BUILD */
- FALL_THROUGH;
- case TLS_ASYNC_DO:
- {
- switch (ssl->specs.kea) {
- #ifndef NO_RSA
- case rsa_kea:
- {
- RsaKey* key = (RsaKey*)ssl->hsKey;
- ret = RsaDec(ssl,
- input + args->idx,
- args->length,
- &args->output,
- &args->sigSz,
- key,
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.key
- #else
- NULL
- #endif
- );
- /* Errors that can occur here that should be
- * indistinguishable:
- * RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR
- */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E)
- goto exit_dcke;
- #endif
- if (ret == BAD_FUNC_ARG)
- goto exit_dcke;
- args->lastErr = ret - (SECRET_LEN - args->sigSz);
- ret = 0;
- break;
- } /* rsa_kea */
- #endif /* !NO_RSA */
- #ifndef NO_PSK
- case psk_kea:
- {
- break;
- }
- #endif /* !NO_PSK */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- case ecc_diffie_hellman_kea:
- {
- void* private_key = ssl->eccTempKey;
- (void)private_key;
- #ifdef HAVE_CURVE25519
- if (ssl->ecdhCurveOID == ECC_X25519_OID) {
- ret = X25519SharedSecret(ssl,
- (curve25519_key*)private_key,
- ssl->peerX25519Key,
- input + args->idx, &args->length,
- ssl->arrays->preMasterSecret,
- &ssl->arrays->preMasterSz,
- WOLFSSL_SERVER_END
- );
- break;
- }
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->ecdhCurveOID == ECC_X448_OID) {
- ret = X448SharedSecret(ssl,
- (curve448_key*)private_key,
- ssl->peerX448Key,
- input + args->idx, &args->length,
- ssl->arrays->preMasterSecret,
- &ssl->arrays->preMasterSz,
- WOLFSSL_SERVER_END
- );
- break;
- }
- #endif
- #ifdef HAVE_ECC
- if (ssl->specs.static_ecdh) {
- private_key = ssl->hsKey;
- }
- /* Generate shared secret */
- ret = EccSharedSecret(ssl,
- (ecc_key*)private_key, ssl->peerEccKey,
- input + args->idx, &args->length,
- ssl->arrays->preMasterSecret,
- &ssl->arrays->preMasterSz,
- WOLFSSL_SERVER_END
- );
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret != WC_PENDING_E)
- #endif
- {
- FreeKey(ssl, DYNAMIC_TYPE_ECC,
- (void**)&ssl->peerEccKey);
- ssl->peerEccKeyPresent = 0;
- }
- #endif
- break;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #ifndef NO_DH
- case diffie_hellman_kea:
- {
- ret = DhAgree(ssl, ssl->buffers.serverDH_Key,
- ssl->buffers.serverDH_Priv.buffer,
- ssl->buffers.serverDH_Priv.length,
- input + args->idx,
- (word16)args->sigSz,
- ssl->arrays->preMasterSecret,
- &ssl->arrays->preMasterSz,
- ssl->buffers.serverDH_P.buffer,
- ssl->buffers.serverDH_P.length);
- break;
- }
- #endif /* !NO_DH */
- #if !defined(NO_DH) && !defined(NO_PSK)
- case dhe_psk_kea:
- {
- ret = DhAgree(ssl, ssl->buffers.serverDH_Key,
- ssl->buffers.serverDH_Priv.buffer,
- ssl->buffers.serverDH_Priv.length,
- input + args->idx,
- (word16)args->sigSz,
- ssl->arrays->preMasterSecret + OPAQUE16_LEN,
- &ssl->arrays->preMasterSz,
- ssl->buffers.serverDH_P.buffer,
- ssl->buffers.serverDH_P.length);
- break;
- }
- #endif /* !NO_DH && !NO_PSK */
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && !defined(NO_PSK)
- case ecdhe_psk_kea:
- {
- #ifdef HAVE_CURVE25519
- if (ssl->ecdhCurveOID == ECC_X25519_OID) {
- ret = X25519SharedSecret(ssl,
- (curve25519_key*)ssl->eccTempKey,
- ssl->peerX25519Key,
- input + args->idx, &args->length,
- ssl->arrays->preMasterSecret + OPAQUE16_LEN,
- &args->sigSz,
- WOLFSSL_SERVER_END
- );
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret != WC_PENDING_E)
- #endif
- {
- FreeKey(ssl, DYNAMIC_TYPE_CURVE25519,
- (void**)&ssl->peerX25519Key);
- ssl->peerX25519KeyPresent = 0;
- }
- break;
- }
- #endif
- #ifdef HAVE_CURVE448
- if (ssl->ecdhCurveOID == ECC_X448_OID) {
- ret = X448SharedSecret(ssl,
- (curve448_key*)ssl->eccTempKey,
- ssl->peerX448Key,
- input + args->idx, &args->length,
- ssl->arrays->preMasterSecret + OPAQUE16_LEN,
- &args->sigSz,
- WOLFSSL_SERVER_END
- );
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret != WC_PENDING_E)
- #endif
- {
- FreeKey(ssl, DYNAMIC_TYPE_CURVE448,
- (void**)&ssl->peerX448Key);
- ssl->peerX448KeyPresent = 0;
- }
- break;
- }
- #endif
- /* Generate shared secret */
- ret = EccSharedSecret(ssl,
- ssl->eccTempKey, ssl->peerEccKey,
- input + args->idx, &args->length,
- ssl->arrays->preMasterSecret + OPAQUE16_LEN,
- &args->sigSz,
- WOLFSSL_SERVER_END
- );
- if (!ssl->specs.static_ecdh
- #ifdef WOLFSSL_ASYNC_CRYPT
- && ret != WC_PENDING_E
- #endif
- ) {
- FreeKey(ssl, DYNAMIC_TYPE_ECC,
- (void**)&ssl->peerEccKey);
- ssl->peerEccKeyPresent = 0;
- }
- break;
- }
- #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
- default:
- ret = BAD_KEA_TYPE_E;
- } /* switch (ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_dcke;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_VERIFY;
- } /* TLS_ASYNC_DO */
- FALL_THROUGH;
- case TLS_ASYNC_VERIFY:
- {
- switch (ssl->specs.kea) {
- #ifndef NO_RSA
- case rsa_kea:
- {
- byte *tmpRsa;
- byte mask;
- /* Add the signature length to idx */
- args->idx += args->length;
- #ifdef DEBUG_WOLFSSL
- /* check version (debug warning message only) */
- if (args->output != NULL) {
- if (args->output[0] != ssl->chVersion.major ||
- args->output[1] != ssl->chVersion.minor) {
- WOLFSSL_MSG("preMasterSecret version mismatch");
- }
- }
- #endif
- /* RFC5246 7.4.7.1:
- * Treat incorrectly formatted message blocks and/or
- * mismatched version numbers in a manner
- * indistinguishable from correctly formatted RSA blocks
- */
- ret = args->lastErr;
- args->lastErr = 0; /* reset */
- /* On error 'ret' will be negative */
- mask = ((unsigned int)ret >>
- ((sizeof(ret) * 8) - 1)) - 1;
- /* build PreMasterSecret */
- ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
- ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
- tmpRsa = input + args->idx - VERSION_SZ - SECRET_LEN;
- ctMaskCopy(~mask, (byte*)&args->output, (byte*)&tmpRsa,
- sizeof(args->output));
- if (args->output != NULL) {
- int i;
- /* Use random secret on error */
- for (i = VERSION_SZ; i < SECRET_LEN; i++) {
- ssl->arrays->preMasterSecret[i] =
- ctMaskSel(mask, args->output[i],
- ssl->arrays->preMasterSecret[i]);
- }
- }
- /* preMasterSecret has RNG and version set
- * return proper length and ignore error
- * error will be caught as decryption error
- */
- args->sigSz = SECRET_LEN;
- ret = 0;
- break;
- } /* rsa_kea */
- #endif /* !NO_RSA */
- #ifndef NO_PSK
- case psk_kea:
- {
- break;
- }
- #endif /* !NO_PSK */
- #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)
- case ecc_diffie_hellman_kea:
- {
- /* skip past the imported peer key */
- args->idx += args->length;
- break;
- }
- #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
- #ifndef NO_DH
- case diffie_hellman_kea:
- {
- args->idx += (word16)args->sigSz;
- break;
- }
- #endif /* !NO_DH */
- #if !defined(NO_DH) && !defined(NO_PSK)
- case dhe_psk_kea:
- {
- byte* pms = ssl->arrays->preMasterSecret;
- word16 clientSz = (word16)args->sigSz;
- args->idx += clientSz;
- c16toa((word16)ssl->arrays->preMasterSz, pms);
- ssl->arrays->preMasterSz += OPAQUE16_LEN;
- pms += ssl->arrays->preMasterSz;
- /* Use the PSK hint to look up the PSK and add it to the
- * preMasterSecret here. */
- ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
- ssl->arrays->client_identity, ssl->arrays->psk_key,
- MAX_PSK_KEY_LEN);
- if (ssl->arrays->psk_keySz == 0 ||
- ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
- #if defined(WOLFSSL_EXTRA_ALERTS) || \
- defined(WOLFSSL_PSK_IDENTITY_ALERT)
- SendAlert(ssl, alert_fatal,
- unknown_psk_identity);
- #endif
- ERROR_OUT(PSK_KEY_ERROR, exit_dcke);
- }
- /* SERVER: Pre-shared Key for peer authentication. */
- ssl->options.peerAuthGood = 1;
- c16toa((word16) ssl->arrays->psk_keySz, pms);
- pms += OPAQUE16_LEN;
- XMEMCPY(pms, ssl->arrays->psk_key,
- ssl->arrays->psk_keySz);
- ssl->arrays->preMasterSz += ssl->arrays->psk_keySz +
- OPAQUE16_LEN;
- break;
- }
- #endif /* !NO_DH && !NO_PSK */
- #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
- defined(HAVE_CURVE448)) && !defined(NO_PSK)
- case ecdhe_psk_kea:
- {
- byte* pms = ssl->arrays->preMasterSecret;
- word16 clientSz = (word16)args->sigSz;
- /* skip past the imported peer key */
- args->idx += args->length;
- /* Add preMasterSecret */
- c16toa(clientSz, pms);
- ssl->arrays->preMasterSz = OPAQUE16_LEN + clientSz;
- pms += ssl->arrays->preMasterSz;
- /* Use the PSK hint to look up the PSK and add it to the
- * preMasterSecret here. */
- ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
- ssl->arrays->client_identity, ssl->arrays->psk_key,
- MAX_PSK_KEY_LEN);
- if (ssl->arrays->psk_keySz == 0 ||
- ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
- ERROR_OUT(PSK_KEY_ERROR, exit_dcke);
- }
- /* SERVER: Pre-shared Key for peer authentication. */
- ssl->options.peerAuthGood = 1;
- c16toa((word16) ssl->arrays->psk_keySz, pms);
- pms += OPAQUE16_LEN;
- XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz);
- ssl->arrays->preMasterSz +=
- ssl->arrays->psk_keySz + OPAQUE16_LEN;
- break;
- }
- #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
- default:
- ret = BAD_KEA_TYPE_E;
- } /* switch (ssl->specs.kea) */
- /* Check for error */
- if (ret != 0) {
- goto exit_dcke;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_FINALIZE;
- } /* TLS_ASYNC_VERIFY */
- FALL_THROUGH;
- case TLS_ASYNC_FINALIZE:
- {
- if (IsEncryptionOn(ssl, 0)) {
- args->idx += ssl->keys.padSz;
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.startedETMRead)
- args->idx += MacSize(ssl);
- #endif
- }
- ret = MakeMasterSecret(ssl);
- /* Check for error */
- if (ret != 0) {
- goto exit_dcke;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_END;
- } /* TLS_ASYNC_FINALIZE */
- FALL_THROUGH;
- case TLS_ASYNC_END:
- {
- /* Set final index */
- *inOutIdx = args->idx;
- ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
- #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
- if (ssl->options.verifyPeer) {
- ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes);
- }
- #endif
- break;
- } /* TLS_ASYNC_END */
- default:
- ret = INPUT_CASE_ERROR;
- } /* switch(ssl->options.asyncState) */
- exit_dcke:
- WOLFSSL_LEAVE("DoClientKeyExchange", ret);
- WOLFSSL_END(WC_FUNC_CLIENT_KEY_EXCHANGE_DO);
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* Handle async operation */
- if (ret == WC_PENDING_E) {
- /* Mark message as not received so it can process again */
- ssl->msgsReceived.got_client_key_exchange = 0;
- return ret;
- }
- /* Cleanup async */
- FreeAsyncCtx(ssl, 0);
- #else
- FreeDckeArgs(ssl, args);
- #endif /* WOLFSSL_ASYNC_CRYPT */
- #ifdef OPENSSL_ALL
- /* add error ret value to error queue */
- if (ret != 0) {
- WOLFSSL_ERROR(ret);
- }
- #endif
- /* Cleanup PMS */
- if (ssl->arrays->preMasterSecret != NULL) {
- ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
- }
- ssl->arrays->preMasterSz = 0;
- /* Final cleanup */
- FreeKeyExchange(ssl);
- return ret;
- }
- #endif /* !WOLFSSL_NO_TLS12 */
- #ifdef HAVE_SNI
- int SNI_Callback(WOLFSSL* ssl)
- {
- int ad = 0;
- int sniRet = 0;
- int ret = 0;
- /* Stunnel supports a custom sni callback to switch an SSL's ctx
- * when SNI is received. Call it now if exists */
- if(ssl && ssl->ctx && ssl->ctx->sniRecvCb) {
- WOLFSSL_MSG("Calling custom sni callback");
- sniRet = ssl->ctx->sniRecvCb(ssl, &ad, ssl->ctx->sniRecvCbArg);
- switch (sniRet) {
- case warning_return:
- WOLFSSL_MSG("Error in custom sni callback. Warning alert");
- ret = SendAlert(ssl, alert_warning, ad);
- break;
- case fatal_return:
- WOLFSSL_MSG("Error in custom sni callback. Fatal alert");
- SendAlert(ssl, alert_fatal, ad);
- return FATAL_ERROR;
- case noack_return:
- WOLFSSL_MSG("Server quietly not acking servername.");
- break;
- default:
- break;
- }
- }
- return ret;
- }
- #endif /* HAVE_SNI */
- #endif /* NO_WOLFSSL_SERVER */
- #ifdef WOLFSSL_ASYNC_CRYPT
- int wolfSSL_AsyncPop(WOLFSSL* ssl, byte* state)
- {
- int ret = 0;
- WC_ASYNC_DEV* asyncDev;
- WOLF_EVENT* event;
- if (ssl == NULL) {
- return BAD_FUNC_ARG;
- }
- /* check for pending async */
- asyncDev = ssl->asyncDev;
- if (asyncDev) {
- /* grab event pointer */
- event = &asyncDev->event;
- ret = wolfAsync_EventPop(event, WOLF_EVENT_TYPE_ASYNC_WOLFSSL);
- if (ret != WC_NOT_PENDING_E && ret != WC_PENDING_E) {
- /* advance key share state if doesn't need called again */
- if (state && (asyncDev->event.flags & WC_ASYNC_FLAG_CALL_AGAIN) == 0) {
- (*state)++;
- }
- /* clear event */
- XMEMSET(&asyncDev->event, 0, sizeof(WOLF_EVENT));
- /* clear async dev */
- ssl->asyncDev = NULL;
- }
- }
- else {
- ret = WC_NOT_PENDING_E;
- }
- WOLFSSL_LEAVE("wolfSSL_AsyncPop", ret);
- return ret;
- }
- int wolfSSL_AsyncInit(WOLFSSL* ssl, WC_ASYNC_DEV* asyncDev, word32 flags)
- {
- int ret;
- WOLF_EVENT* event;
- if (ssl == NULL || asyncDev == NULL) {
- return BAD_FUNC_ARG;
- }
- /* grab event pointer */
- event = &asyncDev->event;
- /* init event */
- ret = wolfAsync_EventInit(event, WOLF_EVENT_TYPE_ASYNC_WOLFSSL, ssl, flags);
- WOLFSSL_LEAVE("wolfSSL_AsyncInit", ret);
- return ret;
- }
- int wolfSSL_AsyncPush(WOLFSSL* ssl, WC_ASYNC_DEV* asyncDev)
- {
- int ret;
- WOLF_EVENT* event;
- if (ssl == NULL || asyncDev == NULL) {
- return BAD_FUNC_ARG;
- }
- /* grab event pointer */
- event = &asyncDev->event;
- /* store reference to active async operation */
- ssl->asyncDev = asyncDev;
- /* place event into queue */
- ret = wolfAsync_EventQueuePush(&ssl->ctx->event_queue, event);
- /* success means return WC_PENDING_E */
- if (ret == 0) {
- ret = WC_PENDING_E;
- }
- WOLFSSL_LEAVE("wolfSSL_AsyncPush", ret);
- return ret;
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- /**
- * Return the max fragment size. This is essentially the maximum
- * fragment_length available.
- * @param ssl WOLFSSL object containing ciphersuite information.
- * @param maxFragment The amount of space we want to check is available. This
- * is only the fragment length WITHOUT the (D)TLS headers.
- * @return Max fragment size
- */
- int wolfSSL_GetMaxFragSize(WOLFSSL* ssl, int maxFragment)
- {
- (void) ssl; /* Avoid compiler warnings */
- if (maxFragment > MAX_RECORD_SIZE) {
- maxFragment = MAX_RECORD_SIZE;
- }
- #ifdef HAVE_MAX_FRAGMENT
- if ((ssl->max_fragment != 0) && ((word16)maxFragment > ssl->max_fragment)) {
- maxFragment = ssl->max_fragment;
- }
- #endif /* HAVE_MAX_FRAGMENT */
- #ifdef WOLFSSL_DTLS
- if (IsDtlsNotSctpMode(ssl)) {
- int outputSz, mtuSz;
- /* Given a input buffer size of maxFragment, how big will the
- * encrypted output be? */
- if (IsEncryptionOn(ssl, 1)) {
- outputSz = BuildMessage(ssl, NULL, 0, NULL,
- maxFragment + DTLS_HANDSHAKE_HEADER_SZ,
- application_data, 0, 1, 0, CUR_ORDER);
- }
- else {
- outputSz = maxFragment + DTLS_RECORD_HEADER_SZ +
- DTLS_HANDSHAKE_HEADER_SZ;
- }
- /* Readjust maxFragment for MTU size. */
- #if defined(WOLFSSL_DTLS_MTU)
- mtuSz = ssl->dtlsMtuSz;
- #else
- mtuSz = MAX_MTU;
- #endif
- maxFragment = ModifyForMTU(ssl, maxFragment, outputSz, mtuSz);
- }
- #endif
- return maxFragment;
- }
- #if defined(WOLFSSL_IOTSAFE) && defined(HAVE_PK_CALLBACKS)
- IOTSAFE *wolfSSL_get_iotsafe_ctx(WOLFSSL *ssl)
- {
- if (ssl == NULL)
- return NULL;
- return &ssl->iotsafe;
- }
- int wolfSSL_set_iotsafe_ctx(WOLFSSL *ssl, IOTSAFE *iotsafe)
- {
- if ((ssl == NULL) || (iotsafe == NULL))
- return BAD_FUNC_ARG;
- XMEMCPY(&ssl->iotsafe, iotsafe, sizeof(IOTSAFE));
- return 0;
- }
- #endif
- #if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
- /* create an instance of WOLFSSL_BY_DIR_HASH structure */
- WOLFSSL_BY_DIR_HASH* wolfSSL_BY_DIR_HASH_new(void)
- {
- WOLFSSL_BY_DIR_HASH* dir_hash;
- WOLFSSL_ENTER("wolfSSL_BY_DIR_HASH_new");
- dir_hash = (WOLFSSL_BY_DIR_HASH*)XMALLOC(sizeof(WOLFSSL_BY_DIR_HASH), NULL,
- DYNAMIC_TYPE_OPENSSL);
- if (dir_hash) {
- XMEMSET(dir_hash, 0, sizeof(WOLFSSL_BY_DIR_HASH));
- }
- return dir_hash;
- }
- /* release a WOLFSSL_BY_DIR_HASH resource */
- void wolfSSL_BY_DIR_HASH_free(WOLFSSL_BY_DIR_HASH* dir_hash)
- {
- if (dir_hash == NULL)
- return;
- XFREE(dir_hash, NULL, DYNAMIC_TYPE_OPENSSL);
- }
- /* create an instance of WOLFSSL_STACK for STACK_TYPE_BY_DIR_hash */
- WOLFSSL_STACK* wolfSSL_sk_BY_DIR_HASH_new_null(void)
- {
- WOLFSSL_STACK* sk = wolfSSL_sk_new_node(NULL);
- WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_HASH_new_null");
- if (sk) {
- sk->type = STACK_TYPE_BY_DIR_hash;
- }
- return sk;
- }
- /* returns value less than 0 on fail to match
- * On a successful match the priority level found is returned
- */
- int wolfSSL_sk_BY_DIR_HASH_find(
- WOLF_STACK_OF(WOLFSSL_BY_DIR_HASH)* sk, const WOLFSSL_BY_DIR_HASH* toFind)
- {
- WOLFSSL_STACK* next;
- int i, sz;
- WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_HASH_find");
- if (sk == NULL || toFind == NULL) {
- return WOLFSSL_FAILURE;
- }
- sz = wolfSSL_sk_BY_DIR_HASH_num(sk);
- next = sk;
- for (i = 0; i < sz && next != NULL; i++) {
- if (next->data.dir_hash->hash_value == toFind->hash_value) {
- return sz - i; /* reverse because stack pushed highest on first */
- }
- next = next->next;
- }
- return -1;
- }
- /* return a number of WOLFSSL_BY_DIR_HASH in stack */
- int wolfSSL_sk_BY_DIR_HASH_num(const WOLF_STACK_OF(WOLFSSL_BY_DIR_HASH) *sk)
- {
- WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_HASH_num");
- if (sk == NULL)
- return -1;
- return (int)sk->num;
- }
- /* return WOLFSSL_BY_DIR_HASH instance at i */
- WOLFSSL_BY_DIR_HASH* wolfSSL_sk_BY_DIR_HASH_value(
- const WOLF_STACK_OF(WOLFSSL_BY_DIR_HASH) *sk, int i)
- {
- WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_HASH_value");
- for (; sk != NULL && i > 0; i--)
- sk = sk->next;
- if (i != 0 || sk == NULL)
- return NULL;
- return sk->data.dir_hash;
- }
- /* pop WOLFSSL_BY_DIR_HASH instance, and remove its node from stack */
- WOLFSSL_BY_DIR_HASH* wolfSSL_sk_BY_DIR_HASH_pop(
- WOLF_STACK_OF(WOLFSSL_BY_DIR_HASH)* sk)
- {
- WOLFSSL_STACK* node;
- WOLFSSL_BY_DIR_HASH* hash;
- WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_HASH_pop");
- if (sk == NULL) {
- return NULL;
- }
- node = sk->next;
- hash = sk->data.dir_hash;
- if (node != NULL) { /* update sk and remove node from stack */
- sk->data.dir_hash = node->data.dir_hash;
- sk->next = node->next;
- wolfSSL_sk_free_node(node);
- }
- else { /* last x509 in stack */
- sk->data.dir_hash = NULL;
- }
- if (sk->num > 0) {
- sk->num -= 1;
- }
- return hash;
- }
- /* release all contents in stack, and then release stack itself. */
- /* Second argument is a function pointer to release resources. */
- /* It calls the function to release resources when it is passed */
- /* instead of wolfSSL_BY_DIR_HASH_free(). */
- void wolfSSL_sk_BY_DIR_HASH_pop_free(WOLF_STACK_OF(BY_DIR_HASH)* sk,
- void (*f) (WOLFSSL_BY_DIR_HASH*))
- {
- WOLFSSL_STACK* node;
- WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_HASH_pop_free");
- if (sk == NULL) {
- return;
- }
- /* parse through stack freeing each node */
- node = sk->next;
- while (node && sk->num > 1) {
- WOLFSSL_STACK* tmp = node;
- node = node->next;
- if (f)
- f(tmp->data.dir_hash);
- else
- wolfSSL_BY_DIR_HASH_free(tmp->data.dir_hash);
- tmp->data.dir_hash = NULL;
- XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL);
- sk->num -= 1;
- }
- /* free head of stack */
- if (sk->num == 1) {
- if (f)
- f(sk->data.dir_hash);
- else
- wolfSSL_BY_DIR_HASH_free(sk->data.dir_hash);
- sk->data.dir_hash = NULL;
- }
- XFREE(sk, NULL, DYNAMIC_TYPE_OPENSSL);
- }
- /* release all contents in stack, and then release stack itself */
- void wolfSSL_sk_BY_DIR_HASH_free(WOLF_STACK_OF(WOLFSSL_BY_DIR_HASH) *sk)
- {
- wolfSSL_sk_BY_DIR_HASH_pop_free(sk, NULL);
- }
- /* Adds the WOLFSSL_BY_DIR_HASH to the stack "sk". "sk" takes control of "in" and
- * tries to free it when the stack is free'd.
- *
- * return 1 on success 0 on fail
- */
- int wolfSSL_sk_BY_DIR_HASH_push(WOLF_STACK_OF(WOLFSSL_BY_DIR_HASH)* sk,
- WOLFSSL_BY_DIR_HASH* in)
- {
- WOLFSSL_STACK* node;
- WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_HASH_push");
- if (sk == NULL || in == NULL) {
- return WOLFSSL_FAILURE;
- }
- /* no previous values in stack */
- if (sk->data.dir_hash == NULL) {
- sk->data.dir_hash = in;
- sk->num += 1;
- return WOLFSSL_SUCCESS;
- }
- /* stack already has value(s) create a new node and add more */
- node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL,
- DYNAMIC_TYPE_OPENSSL);
- if (node == NULL) {
- WOLFSSL_MSG("Memory error");
- return WOLFSSL_FAILURE;
- }
- XMEMSET(node, 0, sizeof(WOLFSSL_STACK));
- /* push new obj onto head of stack */
- node->data.dir_hash = sk->data.dir_hash;
- node->next = sk->next;
- node->type = sk->type;
- sk->next = node;
- sk->data.dir_hash = in;
- sk->num += 1;
- return WOLFSSL_SUCCESS;
- }
- /* create an instance of WOLFSSL_BY_DIR_entry structure */
- WOLFSSL_BY_DIR_entry* wolfSSL_BY_DIR_entry_new(void)
- {
- WOLFSSL_BY_DIR_entry* entry;
- WOLFSSL_ENTER("wolfSSL_BY_DIR_entry_new");
- entry = (WOLFSSL_BY_DIR_entry*)XMALLOC(sizeof(WOLFSSL_BY_DIR_entry), NULL,
- DYNAMIC_TYPE_OPENSSL);
- if (entry) {
- XMEMSET(entry, 0, sizeof(WOLFSSL_BY_DIR_entry));
- }
- return entry;
- }
- /* release a WOLFSSL_BY_DIR_entry resource */
- void wolfSSL_BY_DIR_entry_free(WOLFSSL_BY_DIR_entry* entry)
- {
- WOLFSSL_ENTER("wolfSSL_BY_DIR_entry_free");
- if (entry == NULL)
- return;
- if (entry->hashes) {
- wolfSSL_sk_BY_DIR_HASH_free(entry->hashes);
- }
- if (entry->dir_name != NULL) {
- XFREE(entry->dir_name, NULL, DYNAMIC_TYPE_OPENSSL);
- }
- XFREE(entry, NULL, DYNAMIC_TYPE_OPENSSL);
- }
- WOLFSSL_STACK* wolfSSL_sk_BY_DIR_entry_new_null(void)
- {
- WOLFSSL_STACK* sk = wolfSSL_sk_new_node(NULL);
- WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_entry_new_null");
- if (sk) {
- sk->type = STACK_TYPE_BY_DIR_entry;
- }
- return sk;
- }
- /* return a number of WOLFSSL_BY_DIR_entry in stack */
- int wolfSSL_sk_BY_DIR_entry_num(const WOLF_STACK_OF(WOLFSSL_BY_DIR_entry) *sk)
- {
- WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_entry_num");
- if (sk == NULL)
- return -1;
- return (int)sk->num;
- }
- /* return WOLFSSL_BY_DIR_entry instance at i */
- WOLFSSL_BY_DIR_entry* wolfSSL_sk_BY_DIR_entry_value(
- const WOLF_STACK_OF(WOLFSSL_BY_DIR_entry) *sk, int i)
- {
- WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_entry_value");
- for (; sk != NULL && i > 0; i--)
- sk = sk->next;
- if (i != 0 || sk == NULL)
- return NULL;
- return sk->data.dir_entry;
- }
- /* pop WOLFSSL_BY_DIR_entry instance first, and remove its node from stack */
- WOLFSSL_BY_DIR_entry* wolfSSL_sk_BY_DIR_entry_pop(
- WOLF_STACK_OF(WOLFSSL_BY_DIR_entry)* sk)
- {
- WOLFSSL_STACK* node;
- WOLFSSL_BY_DIR_entry* entry;
- WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_entry_pop");
- if (sk == NULL) {
- return NULL;
- }
- node = sk->next;
- entry = sk->data.dir_entry;
- if (node != NULL) { /* update sk and remove node from stack */
- sk->data.dir_entry = node->data.dir_entry;
- sk->next = node->next;
- wolfSSL_sk_free_node(node);
- }
- else { /* last x509 in stack */
- sk->data.dir_entry = NULL;
- }
- if (sk->num > 0) {
- sk->num -= 1;
- }
- return entry;
- }
- /* release all contents in stack, and then release stack itself. */
- /* Second argument is a function pointer to release resources. */
- /* It calls the function to release resources when it is passed */
- /* instead of wolfSSL_BY_DIR_entry_free(). */
- void wolfSSL_sk_BY_DIR_entry_pop_free(WOLF_STACK_OF(WOLFSSL_BY_DIR_entry)* sk,
- void (*f) (WOLFSSL_BY_DIR_entry*))
- {
- WOLFSSL_STACK* node;
- WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_entry_pop_free");
- if (sk == NULL) {
- return;
- }
- /* parse through stack freeing each node */
- node = sk->next;
- while (node && sk->num > 1) {
- WOLFSSL_STACK* tmp = node;
- node = node->next;
- if (f)
- f(tmp->data.dir_entry);
- else
- wolfSSL_BY_DIR_entry_free(tmp->data.dir_entry);
- tmp->data.dir_entry = NULL;
- XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL);
- sk->num -= 1;
- }
- /* free head of stack */
- if (sk->num == 1) {
- if (f)
- f(sk->data.dir_entry);
- else
- wolfSSL_BY_DIR_entry_free(sk->data.dir_entry);
- sk->data.dir_entry = NULL;
- }
- XFREE(sk, NULL, DYNAMIC_TYPE_OPENSSL);
- }
- /* release all contents in stack, and then release stack itself */
- void wolfSSL_sk_BY_DIR_entry_free(WOLF_STACK_OF(wolfSSL_BY_DIR_entry) *sk)
- {
- wolfSSL_sk_BY_DIR_entry_pop_free(sk, NULL);
- }
- /* Adds the wolfSSL_BY_DIR_entry to the stack "sk". "sk" takes control of "in" and
- * tries to free it when the stack is free'd.
- *
- * return 1 on success 0 on fail
- */
- int wolfSSL_sk_BY_DIR_entry_push(WOLF_STACK_OF(WOLFSSL_BY_DIR_entry)* sk,
- WOLFSSL_BY_DIR_entry* in)
- {
- WOLFSSL_STACK* node;
- if (sk == NULL || in == NULL) {
- return WOLFSSL_FAILURE;
- }
- /* no previous values in stack */
- if (sk->data.dir_entry == NULL) {
- sk->data.dir_entry = in;
- sk->num += 1;
- return WOLFSSL_SUCCESS;
- }
- /* stack already has value(s) create a new node and add more */
- node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL,
- DYNAMIC_TYPE_OPENSSL);
- if (node == NULL) {
- WOLFSSL_MSG("Memory error");
- return WOLFSSL_FAILURE;
- }
- XMEMSET(node, 0, sizeof(WOLFSSL_STACK));
- /* push new obj onto head of stack */
- node->data.dir_entry = sk->data.dir_entry;
- node->next = sk->next;
- node->type = sk->type;
- sk->next = node;
- sk->data.dir_entry = in;
- sk->num += 1;
- return WOLFSSL_SUCCESS;
- }
- #endif /* OPENSSL_ALL */
- #undef ERROR_OUT
- #endif /* WOLFCRYPT_ONLY */
|