123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528352935303531353235333534353535363537353835393540354135423543354435453546354735483549355035513552355335543555355635573558355935603561356235633564356535663567356835693570357135723573357435753576357735783579358035813582358335843585358635873588358935903591359235933594359535963597359835993600360136023603360436053606360736083609361036113612361336143615361636173618361936203621362236233624362536263627362836293630363136323633363436353636363736383639364036413642364336443645364636473648364936503651365236533654365536563657365836593660366136623663366436653666366736683669367036713672367336743675367636773678367936803681368236833684368536863687368836893690369136923693369436953696369736983699370037013702370337043705370637073708370937103711371237133714371537163717371837193720372137223723372437253726372737283729373037313732373337343735373637373738373937403741374237433744374537463747374837493750375137523753375437553756375737583759376037613762376337643765376637673768376937703771377237733774377537763777377837793780378137823783378437853786378737883789379037913792379337943795379637973798379938003801380238033804380538063807380838093810381138123813381438153816381738183819382038213822382338243825382638273828382938303831383238333834383538363837383838393840384138423843384438453846384738483849385038513852385338543855385638573858385938603861386238633864386538663867386838693870387138723873387438753876387738783879388038813882388338843885388638873888388938903891389238933894389538963897389838993900390139023903390439053906390739083909391039113912391339143915391639173918391939203921392239233924392539263927392839293930393139323933393439353936393739383939394039413942394339443945394639473948394939503951395239533954395539563957395839593960396139623963396439653966396739683969397039713972397339743975397639773978397939803981398239833984398539863987398839893990399139923993399439953996399739983999400040014002400340044005400640074008400940104011401240134014401540164017401840194020402140224023402440254026402740284029403040314032403340344035403640374038403940404041404240434044404540464047404840494050405140524053405440554056405740584059406040614062406340644065406640674068406940704071407240734074407540764077407840794080408140824083408440854086408740884089409040914092409340944095409640974098409941004101410241034104410541064107410841094110411141124113411441154116411741184119412041214122412341244125412641274128412941304131413241334134413541364137413841394140414141424143414441454146414741484149415041514152415341544155415641574158415941604161416241634164416541664167416841694170417141724173417441754176417741784179418041814182418341844185418641874188418941904191419241934194419541964197419841994200420142024203420442054206420742084209421042114212421342144215421642174218421942204221422242234224422542264227422842294230423142324233423442354236423742384239424042414242424342444245424642474248424942504251425242534254425542564257425842594260426142624263426442654266426742684269427042714272427342744275427642774278427942804281428242834284428542864287428842894290429142924293429442954296429742984299430043014302430343044305430643074308430943104311431243134314431543164317431843194320432143224323432443254326432743284329433043314332433343344335433643374338433943404341434243434344434543464347434843494350435143524353435443554356435743584359436043614362436343644365436643674368436943704371437243734374437543764377437843794380438143824383438443854386438743884389439043914392439343944395439643974398439944004401440244034404440544064407440844094410441144124413441444154416441744184419442044214422442344244425442644274428442944304431443244334434443544364437443844394440444144424443444444454446444744484449445044514452445344544455445644574458445944604461446244634464446544664467446844694470447144724473447444754476447744784479448044814482448344844485448644874488448944904491449244934494449544964497449844994500450145024503450445054506450745084509451045114512451345144515451645174518451945204521452245234524452545264527452845294530453145324533453445354536453745384539454045414542454345444545454645474548454945504551455245534554455545564557455845594560456145624563456445654566456745684569457045714572457345744575457645774578457945804581458245834584458545864587458845894590459145924593459445954596459745984599460046014602460346044605460646074608460946104611461246134614461546164617461846194620462146224623462446254626462746284629463046314632463346344635463646374638463946404641464246434644464546464647464846494650465146524653465446554656465746584659466046614662466346644665466646674668466946704671467246734674467546764677467846794680468146824683468446854686468746884689469046914692469346944695469646974698469947004701470247034704470547064707470847094710471147124713471447154716471747184719472047214722472347244725472647274728472947304731473247334734473547364737473847394740474147424743474447454746474747484749475047514752475347544755475647574758475947604761476247634764476547664767476847694770477147724773477447754776477747784779478047814782478347844785478647874788478947904791479247934794479547964797479847994800480148024803480448054806480748084809481048114812481348144815481648174818481948204821482248234824482548264827482848294830483148324833483448354836483748384839484048414842484348444845484648474848484948504851485248534854485548564857485848594860486148624863486448654866486748684869487048714872487348744875487648774878487948804881488248834884488548864887488848894890489148924893489448954896489748984899490049014902490349044905490649074908490949104911491249134914491549164917491849194920492149224923492449254926492749284929493049314932493349344935493649374938493949404941494249434944494549464947494849494950495149524953495449554956495749584959496049614962496349644965496649674968496949704971497249734974497549764977497849794980498149824983498449854986498749884989499049914992499349944995499649974998499950005001500250035004500550065007500850095010501150125013501450155016501750185019502050215022502350245025502650275028502950305031503250335034503550365037503850395040504150425043504450455046504750485049505050515052505350545055505650575058505950605061506250635064506550665067506850695070507150725073507450755076507750785079508050815082508350845085508650875088508950905091509250935094509550965097509850995100510151025103510451055106510751085109511051115112511351145115511651175118511951205121512251235124512551265127512851295130513151325133513451355136513751385139514051415142514351445145514651475148514951505151515251535154515551565157515851595160516151625163516451655166516751685169517051715172517351745175517651775178517951805181518251835184518551865187518851895190519151925193519451955196519751985199520052015202520352045205520652075208520952105211521252135214521552165217521852195220522152225223522452255226522752285229523052315232523352345235523652375238523952405241524252435244524552465247524852495250525152525253525452555256525752585259526052615262526352645265526652675268526952705271527252735274527552765277527852795280528152825283528452855286528752885289529052915292529352945295529652975298529953005301530253035304530553065307530853095310531153125313531453155316531753185319532053215322532353245325532653275328532953305331533253335334533553365337533853395340534153425343534453455346534753485349535053515352535353545355535653575358535953605361536253635364536553665367536853695370537153725373537453755376537753785379538053815382538353845385538653875388538953905391539253935394539553965397539853995400540154025403540454055406540754085409541054115412541354145415541654175418541954205421542254235424542554265427542854295430543154325433543454355436543754385439544054415442544354445445544654475448544954505451545254535454545554565457545854595460546154625463546454655466546754685469547054715472547354745475547654775478547954805481548254835484548554865487548854895490549154925493549454955496549754985499550055015502550355045505550655075508550955105511551255135514551555165517551855195520552155225523552455255526552755285529553055315532553355345535553655375538553955405541554255435544554555465547554855495550555155525553555455555556555755585559556055615562556355645565556655675568556955705571557255735574557555765577557855795580558155825583558455855586558755885589559055915592559355945595559655975598559956005601560256035604560556065607560856095610561156125613561456155616561756185619562056215622562356245625562656275628562956305631563256335634563556365637563856395640564156425643564456455646564756485649565056515652565356545655565656575658565956605661566256635664566556665667566856695670567156725673567456755676567756785679568056815682568356845685568656875688568956905691569256935694569556965697569856995700570157025703570457055706570757085709571057115712571357145715571657175718571957205721572257235724572557265727572857295730573157325733573457355736573757385739574057415742574357445745574657475748574957505751575257535754575557565757575857595760576157625763576457655766576757685769577057715772577357745775577657775778577957805781578257835784578557865787578857895790579157925793579457955796579757985799580058015802580358045805580658075808580958105811581258135814581558165817581858195820582158225823582458255826582758285829583058315832583358345835583658375838583958405841584258435844584558465847584858495850585158525853585458555856585758585859586058615862586358645865586658675868586958705871587258735874587558765877587858795880588158825883588458855886588758885889589058915892589358945895589658975898589959005901590259035904590559065907590859095910591159125913591459155916591759185919592059215922592359245925592659275928592959305931593259335934593559365937593859395940594159425943594459455946594759485949595059515952595359545955595659575958595959605961596259635964596559665967596859695970597159725973597459755976597759785979598059815982598359845985598659875988598959905991599259935994599559965997599859996000600160026003600460056006600760086009601060116012601360146015601660176018601960206021602260236024602560266027602860296030603160326033603460356036603760386039604060416042604360446045604660476048604960506051605260536054605560566057605860596060606160626063606460656066606760686069607060716072607360746075607660776078607960806081608260836084608560866087608860896090609160926093609460956096609760986099610061016102610361046105610661076108610961106111611261136114611561166117611861196120612161226123612461256126612761286129613061316132613361346135613661376138613961406141614261436144614561466147614861496150615161526153615461556156615761586159616061616162616361646165616661676168616961706171617261736174617561766177617861796180618161826183618461856186618761886189619061916192619361946195619661976198619962006201620262036204620562066207620862096210621162126213621462156216621762186219622062216222622362246225622662276228622962306231623262336234623562366237623862396240624162426243624462456246624762486249625062516252625362546255625662576258625962606261626262636264626562666267626862696270627162726273627462756276627762786279628062816282628362846285628662876288628962906291629262936294629562966297629862996300630163026303630463056306630763086309631063116312631363146315631663176318631963206321632263236324632563266327632863296330633163326333633463356336633763386339634063416342634363446345634663476348634963506351635263536354635563566357635863596360636163626363636463656366636763686369637063716372637363746375637663776378637963806381638263836384638563866387638863896390639163926393639463956396639763986399640064016402640364046405640664076408640964106411641264136414641564166417641864196420642164226423642464256426642764286429643064316432643364346435643664376438643964406441644264436444644564466447644864496450645164526453645464556456645764586459646064616462646364646465646664676468646964706471647264736474647564766477647864796480648164826483648464856486648764886489649064916492649364946495649664976498649965006501650265036504650565066507650865096510651165126513651465156516651765186519652065216522652365246525652665276528652965306531653265336534653565366537653865396540654165426543654465456546654765486549655065516552655365546555655665576558655965606561656265636564656565666567656865696570657165726573657465756576657765786579658065816582658365846585658665876588658965906591659265936594659565966597659865996600660166026603660466056606660766086609661066116612661366146615661666176618661966206621662266236624662566266627662866296630663166326633663466356636663766386639664066416642664366446645664666476648664966506651665266536654665566566657665866596660666166626663666466656666666766686669667066716672667366746675667666776678667966806681668266836684668566866687668866896690669166926693669466956696669766986699670067016702670367046705670667076708670967106711671267136714671567166717671867196720672167226723672467256726672767286729673067316732673367346735673667376738673967406741674267436744674567466747674867496750675167526753675467556756675767586759676067616762676367646765676667676768676967706771677267736774677567766777677867796780678167826783678467856786678767886789679067916792679367946795679667976798679968006801680268036804680568066807680868096810681168126813681468156816681768186819682068216822682368246825682668276828682968306831683268336834683568366837683868396840684168426843684468456846684768486849685068516852685368546855685668576858685968606861686268636864686568666867686868696870687168726873687468756876687768786879688068816882688368846885688668876888688968906891689268936894689568966897689868996900690169026903690469056906690769086909691069116912691369146915691669176918691969206921692269236924692569266927692869296930693169326933693469356936693769386939694069416942694369446945694669476948694969506951695269536954695569566957695869596960696169626963696469656966696769686969697069716972697369746975697669776978697969806981698269836984698569866987698869896990699169926993699469956996699769986999700070017002700370047005700670077008700970107011701270137014701570167017701870197020702170227023702470257026702770287029703070317032703370347035703670377038703970407041704270437044704570467047704870497050705170527053705470557056705770587059706070617062706370647065706670677068706970707071707270737074707570767077707870797080708170827083708470857086708770887089709070917092709370947095709670977098709971007101710271037104710571067107710871097110711171127113711471157116711771187119712071217122712371247125712671277128712971307131713271337134713571367137713871397140714171427143714471457146714771487149715071517152715371547155715671577158715971607161716271637164716571667167716871697170717171727173717471757176717771787179718071817182718371847185718671877188718971907191719271937194719571967197719871997200720172027203720472057206720772087209721072117212721372147215721672177218721972207221722272237224722572267227722872297230723172327233723472357236723772387239724072417242724372447245724672477248724972507251725272537254725572567257725872597260726172627263726472657266726772687269727072717272727372747275727672777278727972807281728272837284728572867287728872897290729172927293729472957296729772987299730073017302730373047305730673077308730973107311731273137314731573167317731873197320732173227323732473257326732773287329733073317332733373347335733673377338733973407341734273437344734573467347734873497350735173527353735473557356735773587359736073617362736373647365736673677368736973707371737273737374737573767377737873797380738173827383738473857386738773887389739073917392739373947395739673977398739974007401740274037404740574067407740874097410741174127413741474157416741774187419742074217422742374247425742674277428742974307431743274337434743574367437743874397440744174427443744474457446744774487449745074517452745374547455745674577458745974607461746274637464746574667467746874697470747174727473747474757476747774787479748074817482748374847485748674877488748974907491749274937494749574967497749874997500750175027503750475057506750775087509751075117512751375147515751675177518751975207521752275237524752575267527752875297530753175327533753475357536753775387539754075417542754375447545754675477548754975507551755275537554755575567557755875597560756175627563756475657566756775687569757075717572757375747575757675777578757975807581758275837584758575867587758875897590759175927593759475957596759775987599760076017602760376047605760676077608760976107611761276137614761576167617761876197620762176227623762476257626762776287629763076317632763376347635763676377638763976407641764276437644764576467647764876497650765176527653765476557656765776587659766076617662766376647665766676677668766976707671767276737674767576767677767876797680768176827683768476857686768776887689769076917692769376947695769676977698769977007701770277037704770577067707770877097710771177127713771477157716771777187719772077217722772377247725772677277728772977307731773277337734773577367737773877397740774177427743774477457746774777487749775077517752775377547755775677577758775977607761776277637764776577667767776877697770777177727773777477757776777777787779778077817782778377847785778677877788778977907791779277937794779577967797779877997800780178027803780478057806780778087809781078117812781378147815781678177818781978207821782278237824782578267827782878297830783178327833783478357836783778387839784078417842784378447845784678477848784978507851785278537854785578567857785878597860786178627863786478657866786778687869787078717872787378747875787678777878787978807881788278837884788578867887788878897890789178927893789478957896789778987899790079017902790379047905790679077908790979107911791279137914791579167917791879197920792179227923792479257926792779287929793079317932793379347935793679377938793979407941794279437944794579467947794879497950795179527953795479557956795779587959796079617962796379647965796679677968796979707971797279737974797579767977797879797980798179827983798479857986798779887989799079917992799379947995799679977998799980008001800280038004800580068007800880098010801180128013801480158016801780188019802080218022802380248025802680278028802980308031803280338034803580368037803880398040804180428043804480458046804780488049805080518052805380548055805680578058805980608061806280638064806580668067806880698070807180728073807480758076807780788079808080818082808380848085808680878088808980908091809280938094809580968097809880998100810181028103810481058106810781088109811081118112811381148115811681178118811981208121812281238124812581268127812881298130813181328133813481358136813781388139814081418142814381448145814681478148814981508151815281538154815581568157815881598160816181628163816481658166816781688169817081718172817381748175817681778178817981808181818281838184818581868187818881898190819181928193819481958196819781988199820082018202820382048205820682078208820982108211821282138214821582168217821882198220822182228223822482258226822782288229823082318232823382348235823682378238823982408241824282438244824582468247824882498250825182528253825482558256825782588259826082618262826382648265826682678268826982708271827282738274827582768277827882798280828182828283828482858286828782888289829082918292829382948295829682978298829983008301830283038304830583068307830883098310831183128313831483158316831783188319832083218322832383248325832683278328832983308331833283338334833583368337833883398340834183428343834483458346834783488349835083518352835383548355835683578358835983608361836283638364836583668367836883698370837183728373837483758376837783788379838083818382838383848385838683878388838983908391839283938394839583968397839883998400840184028403840484058406840784088409841084118412841384148415841684178418841984208421842284238424842584268427842884298430843184328433843484358436843784388439844084418442844384448445844684478448844984508451845284538454845584568457845884598460846184628463846484658466846784688469847084718472847384748475847684778478847984808481848284838484848584868487848884898490849184928493849484958496849784988499850085018502850385048505850685078508850985108511851285138514851585168517851885198520852185228523852485258526852785288529853085318532853385348535853685378538853985408541854285438544854585468547854885498550855185528553855485558556855785588559856085618562856385648565856685678568856985708571857285738574857585768577857885798580858185828583858485858586858785888589859085918592859385948595859685978598859986008601860286038604860586068607860886098610861186128613861486158616861786188619862086218622862386248625862686278628862986308631863286338634863586368637863886398640864186428643864486458646864786488649865086518652865386548655865686578658865986608661866286638664866586668667866886698670867186728673867486758676867786788679868086818682868386848685868686878688868986908691869286938694869586968697869886998700870187028703870487058706870787088709871087118712871387148715871687178718871987208721872287238724872587268727872887298730873187328733873487358736873787388739874087418742874387448745874687478748874987508751875287538754875587568757875887598760876187628763876487658766876787688769877087718772877387748775877687778778877987808781878287838784878587868787878887898790879187928793879487958796879787988799880088018802880388048805880688078808880988108811881288138814881588168817881888198820882188228823882488258826882788288829883088318832883388348835883688378838883988408841884288438844884588468847884888498850885188528853885488558856885788588859886088618862886388648865886688678868886988708871887288738874887588768877887888798880888188828883888488858886888788888889889088918892889388948895889688978898889989008901890289038904890589068907890889098910891189128913891489158916891789188919892089218922892389248925892689278928892989308931893289338934893589368937893889398940894189428943894489458946894789488949895089518952895389548955895689578958895989608961896289638964896589668967896889698970897189728973897489758976897789788979898089818982898389848985898689878988898989908991899289938994899589968997899889999000900190029003900490059006900790089009901090119012901390149015901690179018901990209021902290239024902590269027902890299030903190329033903490359036903790389039904090419042904390449045904690479048904990509051905290539054905590569057905890599060906190629063906490659066906790689069907090719072907390749075907690779078907990809081908290839084908590869087908890899090909190929093909490959096909790989099910091019102910391049105910691079108910991109111911291139114911591169117911891199120912191229123912491259126912791289129913091319132913391349135913691379138913991409141914291439144914591469147914891499150915191529153915491559156915791589159916091619162916391649165916691679168916991709171917291739174917591769177917891799180918191829183918491859186918791889189919091919192919391949195919691979198919992009201920292039204920592069207920892099210921192129213921492159216921792189219922092219222922392249225922692279228922992309231923292339234923592369237923892399240924192429243924492459246924792489249925092519252925392549255925692579258925992609261926292639264926592669267926892699270927192729273927492759276927792789279928092819282928392849285928692879288928992909291929292939294929592969297929892999300930193029303930493059306930793089309931093119312931393149315931693179318931993209321932293239324932593269327932893299330933193329333933493359336933793389339934093419342934393449345934693479348934993509351935293539354935593569357935893599360936193629363936493659366936793689369937093719372937393749375937693779378937993809381938293839384938593869387938893899390939193929393939493959396939793989399940094019402940394049405940694079408940994109411941294139414941594169417941894199420942194229423942494259426942794289429943094319432943394349435943694379438943994409441944294439444944594469447944894499450945194529453945494559456945794589459946094619462946394649465946694679468946994709471947294739474947594769477947894799480948194829483948494859486948794889489949094919492949394949495949694979498949995009501950295039504950595069507950895099510951195129513951495159516951795189519952095219522952395249525952695279528952995309531953295339534953595369537953895399540954195429543954495459546954795489549955095519552955395549555955695579558955995609561956295639564956595669567956895699570957195729573957495759576957795789579958095819582958395849585958695879588958995909591959295939594959595969597959895999600960196029603960496059606960796089609961096119612961396149615961696179618961996209621962296239624962596269627962896299630963196329633963496359636963796389639964096419642964396449645964696479648964996509651965296539654965596569657965896599660966196629663966496659666966796689669967096719672967396749675967696779678967996809681968296839684968596869687968896899690969196929693969496959696969796989699970097019702970397049705970697079708970997109711971297139714971597169717971897199720972197229723972497259726972797289729973097319732973397349735973697379738973997409741974297439744974597469747974897499750975197529753975497559756975797589759976097619762976397649765976697679768976997709771977297739774977597769777977897799780978197829783978497859786978797889789979097919792979397949795979697979798979998009801980298039804980598069807980898099810981198129813981498159816981798189819982098219822982398249825982698279828982998309831983298339834983598369837983898399840984198429843984498459846984798489849985098519852985398549855985698579858985998609861986298639864986598669867986898699870987198729873987498759876987798789879988098819882988398849885988698879888988998909891989298939894989598969897989898999900990199029903990499059906990799089909991099119912991399149915991699179918991999209921992299239924992599269927992899299930993199329933993499359936993799389939994099419942994399449945994699479948994999509951995299539954995599569957995899599960996199629963996499659966996799689969997099719972997399749975997699779978997999809981998299839984998599869987998899899990999199929993999499959996999799989999100001000110002100031000410005100061000710008100091001010011100121001310014100151001610017100181001910020100211002210023100241002510026100271002810029100301003110032100331003410035100361003710038100391004010041100421004310044100451004610047100481004910050100511005210053100541005510056100571005810059100601006110062100631006410065100661006710068100691007010071100721007310074100751007610077100781007910080100811008210083100841008510086100871008810089100901009110092100931009410095100961009710098100991010010101101021010310104101051010610107101081010910110101111011210113101141011510116101171011810119101201012110122101231012410125101261012710128101291013010131101321013310134101351013610137101381013910140101411014210143101441014510146101471014810149101501015110152101531015410155101561015710158101591016010161101621016310164101651016610167101681016910170101711017210173101741017510176101771017810179101801018110182101831018410185101861018710188101891019010191101921019310194101951019610197101981019910200102011020210203102041020510206102071020810209102101021110212102131021410215102161021710218102191022010221102221022310224102251022610227102281022910230102311023210233102341023510236102371023810239102401024110242102431024410245102461024710248102491025010251102521025310254102551025610257102581025910260102611026210263102641026510266102671026810269102701027110272102731027410275102761027710278102791028010281102821028310284102851028610287102881028910290102911029210293102941029510296102971029810299103001030110302103031030410305103061030710308103091031010311103121031310314103151031610317103181031910320103211032210323103241032510326103271032810329103301033110332103331033410335103361033710338103391034010341103421034310344103451034610347103481034910350103511035210353103541035510356103571035810359103601036110362103631036410365103661036710368103691037010371103721037310374103751037610377103781037910380103811038210383103841038510386103871038810389103901039110392103931039410395103961039710398103991040010401104021040310404104051040610407104081040910410104111041210413104141041510416104171041810419104201042110422104231042410425104261042710428104291043010431104321043310434104351043610437104381043910440104411044210443104441044510446104471044810449104501045110452104531045410455104561045710458104591046010461104621046310464104651046610467104681046910470104711047210473104741047510476104771047810479104801048110482104831048410485104861048710488104891049010491104921049310494104951049610497104981049910500105011050210503105041050510506105071050810509105101051110512105131051410515105161051710518105191052010521105221052310524105251052610527105281052910530105311053210533105341053510536105371053810539105401054110542105431054410545105461054710548105491055010551105521055310554105551055610557105581055910560105611056210563105641056510566105671056810569105701057110572105731057410575105761057710578105791058010581105821058310584105851058610587105881058910590105911059210593105941059510596105971059810599106001060110602106031060410605106061060710608106091061010611106121061310614106151061610617106181061910620106211062210623106241062510626106271062810629106301063110632106331063410635106361063710638106391064010641106421064310644106451064610647106481064910650106511065210653106541065510656106571065810659106601066110662106631066410665106661066710668106691067010671106721067310674106751067610677106781067910680106811068210683106841068510686106871068810689106901069110692106931069410695106961069710698106991070010701107021070310704107051070610707107081070910710107111071210713107141071510716107171071810719107201072110722107231072410725107261072710728107291073010731107321073310734107351073610737107381073910740107411074210743107441074510746107471074810749107501075110752107531075410755107561075710758107591076010761107621076310764107651076610767107681076910770107711077210773107741077510776107771077810779107801078110782107831078410785107861078710788107891079010791107921079310794107951079610797107981079910800108011080210803108041080510806108071080810809108101081110812108131081410815108161081710818108191082010821108221082310824108251082610827108281082910830108311083210833108341083510836108371083810839108401084110842108431084410845108461084710848108491085010851108521085310854108551085610857108581085910860108611086210863108641086510866108671086810869108701087110872108731087410875108761087710878108791088010881108821088310884108851088610887108881088910890108911089210893108941089510896108971089810899109001090110902109031090410905109061090710908109091091010911109121091310914109151091610917109181091910920109211092210923109241092510926109271092810929109301093110932109331093410935109361093710938109391094010941109421094310944109451094610947109481094910950109511095210953109541095510956109571095810959109601096110962109631096410965109661096710968109691097010971109721097310974109751097610977109781097910980109811098210983109841098510986109871098810989109901099110992109931099410995109961099710998109991100011001110021100311004110051100611007110081100911010110111101211013110141101511016110171101811019110201102111022110231102411025110261102711028110291103011031110321103311034110351103611037110381103911040110411104211043110441104511046110471104811049110501105111052110531105411055110561105711058110591106011061110621106311064110651106611067110681106911070110711107211073110741107511076110771107811079110801108111082110831108411085110861108711088110891109011091110921109311094110951109611097110981109911100111011110211103111041110511106111071110811109111101111111112111131111411115111161111711118111191112011121111221112311124111251112611127111281112911130111311113211133111341113511136111371113811139111401114111142111431114411145111461114711148111491115011151111521115311154111551115611157111581115911160111611116211163111641116511166111671116811169111701117111172111731117411175111761117711178111791118011181111821118311184111851118611187111881118911190111911119211193111941119511196111971119811199112001120111202112031120411205112061120711208112091121011211112121121311214112151121611217112181121911220112211122211223112241122511226112271122811229112301123111232112331123411235112361123711238112391124011241112421124311244112451124611247112481124911250112511125211253112541125511256112571125811259112601126111262112631126411265112661126711268112691127011271112721127311274112751127611277112781127911280112811128211283112841128511286112871128811289112901129111292112931129411295112961129711298112991130011301113021130311304113051130611307113081130911310113111131211313113141131511316113171131811319113201132111322113231132411325113261132711328113291133011331113321133311334113351133611337113381133911340113411134211343113441134511346113471134811349113501135111352113531135411355113561135711358113591136011361113621136311364113651136611367113681136911370113711137211373113741137511376113771137811379113801138111382113831138411385113861138711388113891139011391113921139311394113951139611397113981139911400114011140211403114041140511406114071140811409114101141111412114131141411415114161141711418114191142011421114221142311424114251142611427114281142911430114311143211433114341143511436114371143811439114401144111442114431144411445114461144711448114491145011451114521145311454114551145611457114581145911460114611146211463114641146511466114671146811469114701147111472114731147411475114761147711478114791148011481114821148311484114851148611487114881148911490114911149211493114941149511496114971149811499115001150111502115031150411505115061150711508115091151011511115121151311514115151151611517115181151911520115211152211523115241152511526115271152811529115301153111532115331153411535115361153711538115391154011541115421154311544115451154611547115481154911550115511155211553115541155511556115571155811559115601156111562115631156411565115661156711568115691157011571115721157311574115751157611577115781157911580115811158211583115841158511586115871158811589115901159111592115931159411595115961159711598115991160011601116021160311604116051160611607116081160911610116111161211613116141161511616116171161811619116201162111622116231162411625116261162711628116291163011631116321163311634116351163611637116381163911640116411164211643116441164511646116471164811649116501165111652116531165411655116561165711658116591166011661116621166311664116651166611667116681166911670116711167211673116741167511676116771167811679116801168111682116831168411685116861168711688116891169011691116921169311694116951169611697116981169911700117011170211703117041170511706117071170811709117101171111712117131171411715117161171711718117191172011721117221172311724117251172611727117281172911730117311173211733117341173511736117371173811739117401174111742117431174411745117461174711748117491175011751117521175311754117551175611757117581175911760117611176211763117641176511766117671176811769117701177111772117731177411775117761177711778117791178011781117821178311784117851178611787117881178911790117911179211793117941179511796117971179811799118001180111802118031180411805118061180711808118091181011811118121181311814118151181611817118181181911820118211182211823118241182511826118271182811829118301183111832118331183411835118361183711838118391184011841118421184311844118451184611847118481184911850118511185211853118541185511856118571185811859118601186111862118631186411865118661186711868118691187011871118721187311874118751187611877118781187911880118811188211883118841188511886118871188811889118901189111892118931189411895118961189711898118991190011901119021190311904119051190611907119081190911910119111191211913119141191511916119171191811919119201192111922119231192411925119261192711928119291193011931119321193311934119351193611937119381193911940119411194211943119441194511946119471194811949119501195111952119531195411955119561195711958119591196011961119621196311964119651196611967119681196911970119711197211973119741197511976119771197811979119801198111982119831198411985119861198711988119891199011991119921199311994119951199611997119981199912000120011200212003120041200512006120071200812009120101201112012120131201412015120161201712018120191202012021120221202312024120251202612027120281202912030120311203212033120341203512036120371203812039120401204112042120431204412045120461204712048120491205012051120521205312054120551205612057120581205912060120611206212063120641206512066120671206812069120701207112072120731207412075120761207712078120791208012081120821208312084120851208612087120881208912090120911209212093120941209512096120971209812099121001210112102121031210412105121061210712108121091211012111121121211312114121151211612117121181211912120121211212212123121241212512126121271212812129121301213112132121331213412135121361213712138121391214012141121421214312144121451214612147121481214912150121511215212153121541215512156121571215812159121601216112162121631216412165121661216712168121691217012171121721217312174121751217612177121781217912180121811218212183121841218512186121871218812189121901219112192121931219412195121961219712198121991220012201122021220312204122051220612207122081220912210122111221212213122141221512216122171221812219122201222112222122231222412225122261222712228122291223012231122321223312234122351223612237122381223912240122411224212243122441224512246122471224812249122501225112252122531225412255122561225712258122591226012261122621226312264122651226612267122681226912270122711227212273122741227512276122771227812279122801228112282122831228412285122861228712288122891229012291122921229312294122951229612297122981229912300123011230212303123041230512306123071230812309123101231112312123131231412315123161231712318123191232012321123221232312324123251232612327123281232912330123311233212333123341233512336123371233812339123401234112342123431234412345123461234712348123491235012351123521235312354123551235612357123581235912360123611236212363123641236512366123671236812369123701237112372123731237412375123761237712378123791238012381123821238312384123851238612387123881238912390123911239212393123941239512396123971239812399124001240112402124031240412405124061240712408124091241012411124121241312414124151241612417124181241912420124211242212423124241242512426124271242812429124301243112432124331243412435124361243712438124391244012441124421244312444124451244612447124481244912450124511245212453124541245512456124571245812459124601246112462124631246412465124661246712468124691247012471124721247312474124751247612477124781247912480124811248212483124841248512486124871248812489124901249112492124931249412495124961249712498124991250012501125021250312504125051250612507125081250912510125111251212513125141251512516125171251812519125201252112522125231252412525125261252712528125291253012531125321253312534125351253612537125381253912540125411254212543125441254512546125471254812549125501255112552125531255412555125561255712558125591256012561125621256312564125651256612567125681256912570125711257212573125741257512576125771257812579125801258112582125831258412585125861258712588125891259012591125921259312594125951259612597125981259912600126011260212603126041260512606126071260812609126101261112612126131261412615126161261712618126191262012621126221262312624126251262612627126281262912630126311263212633126341263512636126371263812639126401264112642126431264412645126461264712648126491265012651126521265312654126551265612657126581265912660126611266212663126641266512666126671266812669126701267112672126731267412675126761267712678126791268012681126821268312684126851268612687126881268912690126911269212693126941269512696126971269812699127001270112702127031270412705127061270712708127091271012711127121271312714127151271612717127181271912720127211272212723127241272512726127271272812729127301273112732127331273412735127361273712738127391274012741127421274312744127451274612747127481274912750127511275212753127541275512756127571275812759127601276112762127631276412765127661276712768127691277012771127721277312774127751277612777127781277912780127811278212783127841278512786127871278812789127901279112792127931279412795127961279712798127991280012801128021280312804128051280612807128081280912810128111281212813128141281512816128171281812819128201282112822128231282412825128261282712828128291283012831128321283312834128351283612837128381283912840128411284212843128441284512846128471284812849128501285112852128531285412855128561285712858128591286012861128621286312864128651286612867128681286912870128711287212873128741287512876128771287812879128801288112882128831288412885128861288712888128891289012891128921289312894128951289612897128981289912900129011290212903129041290512906129071290812909129101291112912129131291412915129161291712918129191292012921129221292312924129251292612927129281292912930129311293212933129341293512936129371293812939129401294112942129431294412945129461294712948129491295012951129521295312954129551295612957129581295912960129611296212963129641296512966129671296812969129701297112972129731297412975129761297712978129791298012981129821298312984129851298612987129881298912990129911299212993129941299512996129971299812999130001300113002130031300413005130061300713008130091301013011130121301313014130151301613017130181301913020130211302213023130241302513026130271302813029130301303113032130331303413035130361303713038130391304013041130421304313044130451304613047130481304913050130511305213053130541305513056130571305813059130601306113062130631306413065130661306713068130691307013071130721307313074130751307613077130781307913080130811308213083130841308513086130871308813089130901309113092130931309413095130961309713098130991310013101131021310313104131051310613107131081310913110131111311213113131141311513116131171311813119131201312113122131231312413125131261312713128131291313013131131321313313134131351313613137131381313913140131411314213143131441314513146131471314813149131501315113152131531315413155131561315713158131591316013161131621316313164131651316613167131681316913170131711317213173131741317513176131771317813179131801318113182131831318413185131861318713188131891319013191131921319313194131951319613197131981319913200132011320213203132041320513206132071320813209132101321113212132131321413215132161321713218132191322013221132221322313224132251322613227132281322913230132311323213233132341323513236132371323813239132401324113242132431324413245132461324713248132491325013251132521325313254132551325613257132581325913260132611326213263132641326513266132671326813269132701327113272132731327413275132761327713278132791328013281132821328313284132851328613287132881328913290132911329213293132941329513296132971329813299133001330113302133031330413305133061330713308133091331013311133121331313314133151331613317133181331913320133211332213323133241332513326133271332813329133301333113332133331333413335133361333713338133391334013341133421334313344133451334613347133481334913350133511335213353133541335513356133571335813359133601336113362133631336413365133661336713368133691337013371133721337313374133751337613377133781337913380133811338213383133841338513386133871338813389133901339113392133931339413395133961339713398133991340013401134021340313404134051340613407134081340913410134111341213413134141341513416134171341813419134201342113422134231342413425134261342713428134291343013431134321343313434134351343613437134381343913440134411344213443134441344513446134471344813449134501345113452134531345413455134561345713458134591346013461134621346313464134651346613467134681346913470134711347213473134741347513476134771347813479134801348113482134831348413485134861348713488134891349013491134921349313494134951349613497134981349913500135011350213503135041350513506135071350813509135101351113512135131351413515135161351713518135191352013521135221352313524135251352613527135281352913530135311353213533135341353513536135371353813539135401354113542135431354413545135461354713548135491355013551135521355313554135551355613557135581355913560135611356213563135641356513566135671356813569135701357113572135731357413575135761357713578135791358013581135821358313584135851358613587135881358913590135911359213593135941359513596135971359813599136001360113602136031360413605136061360713608136091361013611136121361313614136151361613617136181361913620136211362213623136241362513626136271362813629136301363113632136331363413635136361363713638136391364013641136421364313644136451364613647136481364913650136511365213653136541365513656136571365813659136601366113662136631366413665136661366713668136691367013671136721367313674136751367613677136781367913680136811368213683136841368513686136871368813689136901369113692136931369413695136961369713698136991370013701137021370313704137051370613707137081370913710137111371213713137141371513716137171371813719137201372113722137231372413725137261372713728137291373013731137321373313734137351373613737137381373913740137411374213743137441374513746137471374813749137501375113752137531375413755137561375713758137591376013761137621376313764137651376613767137681376913770137711377213773137741377513776137771377813779137801378113782137831378413785137861378713788137891379013791137921379313794137951379613797137981379913800138011380213803138041380513806138071380813809138101381113812138131381413815138161381713818138191382013821138221382313824138251382613827138281382913830138311383213833138341383513836 |
- /* tls13.c
- *
- * Copyright (C) 2006-2023 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
- /*
- * BUILD_GCM
- * Enables AES-GCM ciphersuites.
- * HAVE_AESCCM
- * Enables AES-CCM ciphersuites.
- * HAVE_SESSION_TICKET
- * Enables session tickets - required for TLS 1.3 resumption.
- * NO_PSK
- * Do not enable Pre-Shared Keys.
- * HAVE_KEYING_MATERIAL
- * Enables exporting keying material based on section 7.5 of RFC 8446.
- * WOLFSSL_ASYNC_CRYPT
- * Enables the use of asynchronous cryptographic operations.
- * This is available for ciphers and certificates.
- * HAVE_CHACHA && HAVE_POLY1305
- * Enables use of CHACHA20-POLY1305 ciphersuites.
- * WOLFSSL_DEBUG_TLS
- * Writes out details of TLS 1.3 protocol including handshake message buffers
- * and key generation input and output.
- * WOLFSSL_EARLY_DATA
- * Allow 0-RTT Handshake using Early Data extensions and handshake message
- * WOLFSSL_EARLY_DATA_GROUP
- * Group EarlyData message with ClientHello when sending
- * WOLFSSL_NO_SERVER_GROUPS_EXT
- * Do not send the server's groups in an extension when the server's top
- * preference is not in client's list.
- * WOLFSSL_POST_HANDSHAKE_AUTH
- * Allow TLS v1.3 code to perform post-handshake authentication of the
- * client.
- * WOLFSSL_SEND_HRR_COOKIE
- * Send a cookie in hello_retry_request message to enable stateless tracking
- * of ClientHello replies.
- * WOLFSSL_TLS13
- * Enable TLS 1.3 protocol implementation.
- * WOLFSSL_TLS13_MIDDLEBOX_COMPAT
- * Enable middlebox compatibility in the TLS 1.3 handshake.
- * This includes sending ChangeCipherSpec before encrypted messages and
- * including a session id.
- * WOLFSSL_TLS13_SHA512
- * Allow generation of SHA-512 digests in handshake - no ciphersuite
- * requires SHA-512 at this time.
- * WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
- * Allow a NewSessionTicket message to be sent by server before Client's
- * Finished message.
- * See TLS v1.3 specification, Section 4.6.1, Paragraph 4 (Note).
- * WOLFSSL_PSK_ONE_ID
- * When only one PSK ID is used and only one call to the PSK callback can
- * be made per connect.
- * You cannot use wc_psk_client_cs_callback type callback on client.
- * WOLFSSL_PRIORITIZE_PSK
- * During a handshake, prioritize PSK order instead of ciphersuite order.
- * WOLFSSL_CHECK_ALERT_ON_ERR
- * Check for alerts during the handshake in the event of an error.
- * WOLFSSL_NO_CLIENT_CERT_ERROR
- * Requires client to set a client certificate
- * WOLFSSL_PSK_MULTI_ID_PER_CS
- * When multiple PSK identities are available for the same cipher suite.
- * Sets the first byte of the client identity to the count of identities
- * that have been seen so far for the cipher suite.
- * WOLFSSL_CHECK_SIG_FAULTS
- * Verifies the ECC signature after signing in case of faults in the
- * calculation of the signature. Useful when signature fault injection is a
- * possible attack.
- * WOLFSSL_32BIT_MILLI_TIME
- * Function TimeNowInMilliseconds() returns an unsigned 32-bit value.
- * Default behavior is to return a signed 64-bit value.
- */
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
- #include <wolfssl/wolfcrypt/settings.h>
- #ifdef WOLFSSL_TLS13
- #ifdef HAVE_SESSION_TICKET
- #include <wolfssl/wolfcrypt/wc_port.h>
- #endif
- #ifndef WOLFCRYPT_ONLY
- #ifdef HAVE_ERRNO_H
- #include <errno.h>
- #endif
- #if defined(__MACH__) || defined(__FreeBSD__) || \
- defined(__INCLUDE_NUTTX_CONFIG_H) || defined(WOLFSSL_RIOT_OS)
- #include <sys/time.h>
- #endif /* __MACH__ || __FreeBSD__ ||
- __INCLUDE_NUTTX_CONFIG_H || WOLFSSL_RIOT_OS */
- #include <wolfssl/internal.h>
- #include <wolfssl/error-ssl.h>
- #include <wolfssl/wolfcrypt/asn.h>
- #include <wolfssl/wolfcrypt/dh.h>
- #include <wolfssl/wolfcrypt/kdf.h>
- #ifdef NO_INLINE
- #include <wolfssl/wolfcrypt/misc.h>
- #else
- #define WOLFSSL_MISC_INCLUDED
- #include <wolfcrypt/src/misc.c>
- #endif
- #ifdef __sun
- #include <sys/filio.h>
- #endif
- #ifndef TRUE
- #define TRUE 1
- #endif
- #ifndef FALSE
- #define FALSE 0
- #endif
- #ifndef HAVE_HKDF
- #ifndef _MSC_VER
- #error "The build option HAVE_HKDF is required for TLS 1.3"
- #else
- #pragma message("error: The build option HAVE_HKDF is required for TLS 1.3")
- #endif
- #endif
- #ifndef HAVE_TLS_EXTENSIONS
- #ifndef _MSC_VER
- #error "The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3"
- #else
- #pragma message("error: The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3")
- #endif
- #endif
- /* Set ret to error value and jump to label.
- *
- * err The error value to set.
- * eLabel The label to jump to.
- */
- #define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
- /* Size of the TLS v1.3 label use when deriving keys. */
- #define TLS13_PROTOCOL_LABEL_SZ 6
- /* The protocol label for TLS v1.3. */
- static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "tls13 ";
- #ifdef WOLFSSL_DTLS13
- #define DTLS13_PROTOCOL_LABEL_SZ 6
- static const byte dtls13ProtocolLabel[DTLS13_PROTOCOL_LABEL_SZ + 1] = "dtls13";
- #endif /* WOLFSSL_DTLS13 */
- #if defined(HAVE_ECH)
- #define ECH_ACCEPT_CONFIRMATION_SZ 8
- #define ECH_ACCEPT_CONFIRMATION_LABEL_SZ 23
- static const byte
- echAcceptConfirmationLabel[ECH_ACCEPT_CONFIRMATION_LABEL_SZ + 1] =
- "ech accept confirmation";
- #endif
- #ifndef NO_CERTS
- #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
- defined(HAVE_ED448) || defined(HAVE_PQC)
- static WC_INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash);
- #endif
- #endif
- /* Expand data using HMAC, salt and label and info.
- * TLS v1.3 defines this function. Use callback if available.
- *
- * ssl The SSL/TLS object.
- * okm The generated pseudorandom key - output key material.
- * okmLen The length of generated pseudorandom key -
- * output key material.
- * prk The salt - pseudo-random key.
- * prkLen The length of the salt - pseudo-random key.
- * protocol The TLS protocol label.
- * protocolLen The length of the TLS protocol label.
- * info The information to expand.
- * infoLen The length of the information.
- * digest The type of digest to use.
- * returns 0 on success, otherwise failure.
- */
- static int Tls13HKDFExpandLabel(WOLFSSL* ssl, byte* okm, word32 okmLen,
- const byte* prk, word32 prkLen,
- const byte* protocol, word32 protocolLen,
- const byte* label, word32 labelLen,
- const byte* info, word32 infoLen,
- int digest)
- {
- int ret = NOT_COMPILED_IN;
- #if defined(HAVE_PK_CALLBACKS)
- if (ssl->ctx && ssl->ctx->HKDFExpandLabelCb) {
- ret = ssl->ctx->HKDFExpandLabelCb(okm, okmLen, prk, prkLen,
- protocol, protocolLen,
- label, labelLen,
- info, infoLen, digest,
- WOLFSSL_CLIENT_END /* ignored */);
- }
- if (ret != NOT_COMPILED_IN)
- return ret;
- #endif
- (void)ssl;
- PRIVATE_KEY_UNLOCK();
- ret = wc_Tls13_HKDF_Expand_Label(okm, okmLen, prk, prkLen,
- protocol, protocolLen,
- label, labelLen,
- info, infoLen, digest);
- PRIVATE_KEY_LOCK();
- return ret;
- }
- #if !defined(HAVE_FIPS) || !defined(wc_Tls13_HKDF_Expand_Label)
- /* Same as above, but pass in the side we are expanding for.
- *
- * side The side (WOLFSSL_CLIENT_END or WOLFSSL_SERVER_END).
- */
- static int Tls13HKDFExpandKeyLabel(WOLFSSL* ssl, byte* okm, word32 okmLen,
- const byte* prk, word32 prkLen,
- const byte* protocol, word32 protocolLen,
- const byte* label, word32 labelLen,
- const byte* info, word32 infoLen,
- int digest, int side)
- {
- #if defined(HAVE_PK_CALLBACKS)
- int ret = NOT_COMPILED_IN;
- if (ssl->ctx && ssl->ctx->HKDFExpandLabelCb) {
- ret = ssl->ctx->HKDFExpandLabelCb(okm, okmLen, prk, prkLen,
- protocol, protocolLen,
- label, labelLen,
- info, infoLen,
- digest, side);
- }
- if (ret != NOT_COMPILED_IN)
- return ret;
- #endif
- /* hash buffer may not be fully initialized, but the sending length won't
- * extend beyond the initialized span.
- */
- PRAGMA_GCC_DIAG_PUSH
- PRAGMA_GCC("GCC diagnostic ignored \"-Wmaybe-uninitialized\"")
- (void)ssl;
- (void)side;
- return wc_Tls13_HKDF_Expand_Label(okm, okmLen, prk, prkLen,
- protocol, protocolLen,
- label, labelLen,
- info, infoLen, digest);
- PRAGMA_GCC_DIAG_POP
- }
- #endif /* !HAVE_FIPS || !wc_Tls13_HKDF_Expand_Label */
- /* Derive a key from a message.
- *
- * ssl The SSL/TLS object.
- * output The buffer to hold the derived key.
- * outputLen The length of the derived key.
- * secret The secret used to derive the key (HMAC secret).
- * label The label used to distinguish the context.
- * labelLen The length of the label.
- * msg The message data to derive key from.
- * msgLen The length of the message data to derive key from.
- * hashAlgo The hash algorithm to use in the HMAC.
- * returns 0 on success, otherwise failure.
- */
- static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen,
- const byte* secret, const byte* label, word32 labelLen,
- byte* msg, int msgLen, int hashAlgo)
- {
- byte hash[WC_MAX_DIGEST_SIZE];
- Digest digest;
- word32 hashSz = 0;
- const byte* protocol;
- word32 protocolLen;
- int digestAlg = -1;
- int ret = BAD_FUNC_ARG;
- switch (hashAlgo) {
- #ifndef NO_WOLFSSL_SHA256
- case sha256_mac:
- ret = wc_InitSha256_ex(&digest.sha256, ssl->heap, INVALID_DEVID);
- if (ret == 0) {
- ret = wc_Sha256Update(&digest.sha256, msg, msgLen);
- if (ret == 0)
- ret = wc_Sha256Final(&digest.sha256, hash);
- wc_Sha256Free(&digest.sha256);
- }
- hashSz = WC_SHA256_DIGEST_SIZE;
- digestAlg = WC_SHA256;
- break;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- ret = wc_InitSha384_ex(&digest.sha384, ssl->heap, INVALID_DEVID);
- if (ret == 0) {
- ret = wc_Sha384Update(&digest.sha384, msg, msgLen);
- if (ret == 0)
- ret = wc_Sha384Final(&digest.sha384, hash);
- wc_Sha384Free(&digest.sha384);
- }
- hashSz = WC_SHA384_DIGEST_SIZE;
- digestAlg = WC_SHA384;
- break;
- #endif
- #ifdef WOLFSSL_TLS13_SHA512
- case sha512_mac:
- ret = wc_InitSha512_ex(&digest.sha512, ssl->heap, INVALID_DEVID);
- if (ret == 0) {
- ret = wc_Sha512Update(&digest.sha512, msg, msgLen);
- if (ret == 0)
- ret = wc_Sha512Final(&digest.sha512, hash);
- wc_Sha512Free(&digest.sha512);
- }
- hashSz = WC_SHA512_DIGEST_SIZE;
- digestAlg = WC_SHA512;
- break;
- #endif
- #ifdef WOLFSSL_SM3
- case sm3_mac:
- ret = wc_InitSm3(&digest.sm3, ssl->heap, INVALID_DEVID);
- if (ret == 0) {
- ret = wc_Sm3Update(&digest.sm3, msg, msgLen);
- if (ret == 0)
- ret = wc_Sm3Final(&digest.sm3, hash);
- wc_Sm3Free(&digest.sm3);
- }
- hashSz = WC_SM3_DIGEST_SIZE;
- digestAlg = WC_SM3;
- break;
- #endif
- default:
- digestAlg = -1;
- break;
- }
- if (digestAlg < 0)
- return HASH_TYPE_E;
- if (ret != 0)
- return ret;
- switch (ssl->version.minor) {
- case TLSv1_3_MINOR:
- protocol = tls13ProtocolLabel;
- protocolLen = TLS13_PROTOCOL_LABEL_SZ;
- break;
- #ifdef WOLFSSL_DTLS13
- case DTLSv1_3_MINOR:
- if (!ssl->options.dtls)
- return VERSION_ERROR;
- protocol = dtls13ProtocolLabel;
- protocolLen = DTLS13_PROTOCOL_LABEL_SZ;
- break;
- #endif /* WOLFSSL_DTLS13 */
- default:
- return VERSION_ERROR;
- }
- if (outputLen == -1)
- outputLen = hashSz;
- ret = Tls13HKDFExpandLabel(ssl, output, outputLen, secret, hashSz,
- protocol, protocolLen, label, labelLen,
- hash, hashSz, digestAlg);
- return ret;
- }
- /* Derive a key.
- *
- * ssl The SSL/TLS object.
- * output The buffer to hold the derived key.
- * outputLen The length of the derived key.
- * secret The secret used to derive the key (HMAC secret).
- * label The label used to distinguish the context.
- * labelLen The length of the label.
- * hashAlgo The hash algorithm to use in the HMAC.
- * includeMsgs Whether to include a hash of the handshake messages so far.
- * side The side that we are deriving the secret for.
- * returns 0 on success, otherwise failure.
- */
- int Tls13DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,
- const byte* secret, const byte* label, word32 labelLen,
- int hashAlgo, int includeMsgs, int side)
- {
- int ret = 0;
- byte hash[WC_MAX_DIGEST_SIZE];
- word32 hashSz = 0;
- word32 hashOutSz = 0;
- const byte* protocol;
- word32 protocolLen;
- int digestAlg = 0;
- switch (hashAlgo) {
- #ifndef NO_SHA256
- case sha256_mac:
- hashSz = WC_SHA256_DIGEST_SIZE;
- digestAlg = WC_SHA256;
- if (includeMsgs)
- ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
- break;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- hashSz = WC_SHA384_DIGEST_SIZE;
- digestAlg = WC_SHA384;
- if (includeMsgs)
- ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
- break;
- #endif
- #ifdef WOLFSSL_TLS13_SHA512
- case sha512_mac:
- hashSz = WC_SHA512_DIGEST_SIZE;
- digestAlg = WC_SHA512;
- if (includeMsgs)
- ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
- break;
- #endif
- #ifdef WOLFSSL_SM3
- case sm3_mac:
- hashSz = WC_SM3_DIGEST_SIZE;
- digestAlg = WC_SM3;
- if (includeMsgs)
- ret = wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash);
- break;
- #endif
- default:
- ret = HASH_TYPE_E;
- break;
- }
- if (ret != 0)
- return ret;
- protocol = tls13ProtocolLabel;
- protocolLen = TLS13_PROTOCOL_LABEL_SZ;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- protocol = dtls13ProtocolLabel;
- protocolLen = DTLS13_PROTOCOL_LABEL_SZ;
- }
- #endif /* WOLFSSL_DTLS13 */
- if (outputLen == -1)
- outputLen = hashSz;
- if (includeMsgs)
- hashOutSz = hashSz;
- /* hash buffer may not be fully initialized, but the sending length won't
- * extend beyond the initialized span.
- */
- PRAGMA_GCC_DIAG_PUSH
- PRAGMA_GCC("GCC diagnostic ignored \"-Wmaybe-uninitialized\"")
- PRIVATE_KEY_UNLOCK();
- #if defined(HAVE_FIPS) && defined(wc_Tls13_HKDF_Expand_Label)
- (void)side;
- ret = wc_Tls13_HKDF_Expand_Label_fips(output, outputLen, secret, hashSz,
- protocol, protocolLen, label, labelLen,
- hash, hashOutSz, digestAlg);
- #else
- ret = Tls13HKDFExpandKeyLabel(ssl, output, outputLen, secret, hashSz,
- protocol, protocolLen, label, labelLen,
- hash, hashOutSz, digestAlg, side);
- #endif
- PRIVATE_KEY_LOCK();
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("TLS 1.3 derived key", output, outputLen);
- #endif
- return ret;
- PRAGMA_GCC_DIAG_POP
- }
- /* Convert TLS mac ID to a hash algorithm ID
- *
- * mac Mac ID to convert
- * returns hash ID on success, or the NONE type.
- */
- static WC_INLINE int mac2hash(int mac)
- {
- int hash;
- switch (mac) {
- #ifndef NO_SHA256
- case sha256_mac:
- hash = WC_SHA256;
- break;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- hash = WC_SHA384;
- break;
- #endif
- #ifdef WOLFSSL_TLS13_SHA512
- case sha512_mac:
- hash = WC_SHA512;
- break;
- #endif
- #ifdef WOLFSSL_SM3
- case sm3_mac:
- hash = WC_SM3;
- break;
- #endif
- default:
- hash = WC_HASH_TYPE_NONE;
- }
- return hash;
- }
- #ifndef NO_PSK
- /* The length of the binder key label. */
- #define BINDER_KEY_LABEL_SZ 10
- /* The binder key label. */
- static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =
- "ext binder";
- /* Derive the binder key.
- *
- * ssl The SSL/TLS object.
- * key The derived key.
- * returns 0 on success, otherwise failure.
- */
- static int DeriveBinderKey(WOLFSSL* ssl, byte* key)
- {
- WOLFSSL_MSG("Derive Binder Key");
- if (ssl == NULL || ssl->arrays == NULL) {
- return BAD_FUNC_ARG;
- }
- return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
- binderKeyLabel, BINDER_KEY_LABEL_SZ,
- NULL, 0, ssl->specs.mac_algorithm);
- }
- #endif /* !NO_PSK */
- #if defined(HAVE_SESSION_TICKET) && \
- (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))
- /* The length of the binder key resume label. */
- #define BINDER_KEY_RESUME_LABEL_SZ 10
- /* The binder key resume label. */
- static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =
- "res binder";
- /* Derive the binder resumption key.
- *
- * ssl The SSL/TLS object.
- * key The derived key.
- * returns 0 on success, otherwise failure.
- */
- static int DeriveBinderKeyResume(WOLFSSL* ssl, byte* key)
- {
- WOLFSSL_MSG("Derive Binder Key - Resumption");
- if (ssl == NULL || ssl->arrays == NULL) {
- return BAD_FUNC_ARG;
- }
- return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
- binderKeyResumeLabel, BINDER_KEY_RESUME_LABEL_SZ,
- NULL, 0, ssl->specs.mac_algorithm);
- }
- #endif /* HAVE_SESSION_TICKET && (!NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER) */
- #ifdef WOLFSSL_EARLY_DATA
- /* The length of the early traffic label. */
- #define EARLY_TRAFFIC_LABEL_SZ 11
- /* The early traffic label. */
- static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =
- "c e traffic";
- /* Derive the early traffic key.
- *
- * ssl The SSL/TLS object.
- * key The derived key.
- * side The side that we are deriving the secret for.
- * returns 0 on success, otherwise failure.
- */
- static int DeriveEarlyTrafficSecret(WOLFSSL* ssl, byte* key, int side)
- {
- int ret;
- WOLFSSL_MSG("Derive Early Traffic Secret");
- if (ssl == NULL || ssl->arrays == NULL) {
- return BAD_FUNC_ARG;
- }
- #if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
- /* If this is called from a sniffer session with keylog file support,
- * obtain the appropriate secret from the callback */
- if (ssl->snifferSecretCb != NULL) {
- return ssl->snifferSecretCb(ssl->arrays->clientRandom,
- SNIFFER_SECRET_CLIENT_EARLY_TRAFFIC_SECRET,
- key);
- }
- #endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */
- ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->secret,
- earlyTrafficLabel, EARLY_TRAFFIC_LABEL_SZ,
- ssl->specs.mac_algorithm, 1, side);
- #ifdef HAVE_SECRET_CALLBACK
- if (ret == 0 && ssl->tls13SecretCb != NULL) {
- ret = ssl->tls13SecretCb(ssl, CLIENT_EARLY_TRAFFIC_SECRET, key,
- ssl->specs.hash_size, ssl->tls13SecretCtx);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
- return TLS13_SECRET_CB_E;
- }
- }
- #ifdef OPENSSL_EXTRA
- if (ret == 0 && ssl->tls13KeyLogCb != NULL) {
- ret = ssl->tls13KeyLogCb(ssl, CLIENT_EARLY_TRAFFIC_SECRET, key,
- ssl->specs.hash_size, NULL);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
- return TLS13_SECRET_CB_E;
- }
- }
- #endif /* OPENSSL_EXTRA */
- #endif /* HAVE_SECRET_CALLBACK */
- return ret;
- }
- #endif
- /* The length of the client handshake label. */
- #define CLIENT_HANDSHAKE_LABEL_SZ 12
- /* The client handshake label. */
- static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =
- "c hs traffic";
- /* Derive the client handshake key.
- *
- * ssl The SSL/TLS object.
- * key The derived key.
- * returns 0 on success, otherwise failure.
- */
- static int DeriveClientHandshakeSecret(WOLFSSL* ssl, byte* key)
- {
- int ret;
- WOLFSSL_MSG("Derive Client Handshake Secret");
- if (ssl == NULL || ssl->arrays == NULL) {
- return BAD_FUNC_ARG;
- }
- #if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
- /* If this is called from a sniffer session with keylog file support,
- * obtain the appropriate secret from the callback */
- if (ssl->snifferSecretCb != NULL) {
- return ssl->snifferSecretCb(ssl->arrays->clientRandom,
- SNIFFER_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
- key);
- }
- #endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */
- ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
- clientHandshakeLabel, CLIENT_HANDSHAKE_LABEL_SZ,
- ssl->specs.mac_algorithm, 1, WOLFSSL_CLIENT_END);
- #ifdef HAVE_SECRET_CALLBACK
- if (ret == 0 && ssl->tls13SecretCb != NULL) {
- ret = ssl->tls13SecretCb(ssl, CLIENT_HANDSHAKE_TRAFFIC_SECRET, key,
- ssl->specs.hash_size, ssl->tls13SecretCtx);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
- return TLS13_SECRET_CB_E;
- }
- }
- #ifdef OPENSSL_EXTRA
- if (ret == 0 && ssl->tls13KeyLogCb != NULL) {
- ret = ssl->tls13KeyLogCb(ssl, CLIENT_HANDSHAKE_TRAFFIC_SECRET, key,
- ssl->specs.hash_size, NULL);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
- return TLS13_SECRET_CB_E;
- }
- }
- #endif /* OPENSSL_EXTRA */
- #endif /* HAVE_SECRET_CALLBACK */
- return ret;
- }
- /* The length of the server handshake label. */
- #define SERVER_HANDSHAKE_LABEL_SZ 12
- /* The server handshake label. */
- static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =
- "s hs traffic";
- /* Derive the server handshake key.
- *
- * ssl The SSL/TLS object.
- * key The derived key.
- * returns 0 on success, otherwise failure.
- */
- static int DeriveServerHandshakeSecret(WOLFSSL* ssl, byte* key)
- {
- int ret;
- WOLFSSL_MSG("Derive Server Handshake Secret");
- if (ssl == NULL || ssl->arrays == NULL) {
- return BAD_FUNC_ARG;
- }
- #if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
- /* If this is called from a sniffer session with keylog file support,
- * obtain the appropriate secret from the callback */
- if (ssl->snifferSecretCb != NULL) {
- return ssl->snifferSecretCb(ssl->arrays->clientRandom,
- SNIFFER_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET,
- key);
- }
- #endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */
- ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
- serverHandshakeLabel, SERVER_HANDSHAKE_LABEL_SZ,
- ssl->specs.mac_algorithm, 1, WOLFSSL_SERVER_END);
- #ifdef HAVE_SECRET_CALLBACK
- if (ret == 0 && ssl->tls13SecretCb != NULL) {
- ret = ssl->tls13SecretCb(ssl, SERVER_HANDSHAKE_TRAFFIC_SECRET, key,
- ssl->specs.hash_size, ssl->tls13SecretCtx);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
- return TLS13_SECRET_CB_E;
- }
- }
- #ifdef OPENSSL_EXTRA
- if (ret == 0 && ssl->tls13KeyLogCb != NULL) {
- ret = ssl->tls13KeyLogCb(ssl, SERVER_HANDSHAKE_TRAFFIC_SECRET, key,
- ssl->specs.hash_size, NULL);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
- return TLS13_SECRET_CB_E;
- }
- }
- #endif /* OPENSSL_EXTRA */
- #endif /* HAVE_SECRET_CALLBACK */
- return ret;
- }
- /* The length of the client application traffic label. */
- #define CLIENT_APP_LABEL_SZ 12
- /* The client application traffic label. */
- static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =
- "c ap traffic";
- /* Derive the client application traffic key.
- *
- * ssl The SSL/TLS object.
- * key The derived key.
- * returns 0 on success, otherwise failure.
- */
- static int DeriveClientTrafficSecret(WOLFSSL* ssl, byte* key)
- {
- int ret;
- WOLFSSL_MSG("Derive Client Traffic Secret");
- if (ssl == NULL || ssl->arrays == NULL) {
- return BAD_FUNC_ARG;
- }
- #if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
- /* If this is called from a sniffer session with keylog file support,
- * obtain the appropriate secret from the callback */
- if (ssl->snifferSecretCb != NULL) {
- return ssl->snifferSecretCb(ssl->arrays->clientRandom,
- SNIFFER_SECRET_CLIENT_TRAFFIC_SECRET,
- key);
- }
- #endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */
- ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
- clientAppLabel, CLIENT_APP_LABEL_SZ,
- ssl->specs.mac_algorithm, 1, WOLFSSL_CLIENT_END);
- #ifdef HAVE_SECRET_CALLBACK
- if (ret == 0 && ssl->tls13SecretCb != NULL) {
- ret = ssl->tls13SecretCb(ssl, CLIENT_TRAFFIC_SECRET, key,
- ssl->specs.hash_size, ssl->tls13SecretCtx);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
- return TLS13_SECRET_CB_E;
- }
- }
- #ifdef OPENSSL_EXTRA
- if (ret == 0 && ssl->tls13KeyLogCb != NULL) {
- ret = ssl->tls13KeyLogCb(ssl, CLIENT_TRAFFIC_SECRET, key,
- ssl->specs.hash_size, NULL);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
- return TLS13_SECRET_CB_E;
- }
- }
- #endif /* OPENSSL_EXTRA */
- #endif /* HAVE_SECRET_CALLBACK */
- return ret;
- }
- /* The length of the server application traffic label. */
- #define SERVER_APP_LABEL_SZ 12
- /* The server application traffic label. */
- static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =
- "s ap traffic";
- /* Derive the server application traffic key.
- *
- * ssl The SSL/TLS object.
- * key The derived key.
- * returns 0 on success, otherwise failure.
- */
- static int DeriveServerTrafficSecret(WOLFSSL* ssl, byte* key)
- {
- int ret;
- WOLFSSL_MSG("Derive Server Traffic Secret");
- if (ssl == NULL || ssl->arrays == NULL) {
- return BAD_FUNC_ARG;
- }
- #if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
- /* If this is called from a sniffer session with keylog file support,
- * obtain the appropriate secret from the callback */
- if (ssl->snifferSecretCb != NULL) {
- return ssl->snifferSecretCb(ssl->arrays->clientRandom,
- SNIFFER_SECRET_SERVER_TRAFFIC_SECRET,
- key);
- }
- #endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */
- ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
- serverAppLabel, SERVER_APP_LABEL_SZ,
- ssl->specs.mac_algorithm, 1, WOLFSSL_SERVER_END);
- #ifdef HAVE_SECRET_CALLBACK
- if (ret == 0 && ssl->tls13SecretCb != NULL) {
- ret = ssl->tls13SecretCb(ssl, SERVER_TRAFFIC_SECRET, key,
- ssl->specs.hash_size, ssl->tls13SecretCtx);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
- return TLS13_SECRET_CB_E;
- }
- }
- #ifdef OPENSSL_EXTRA
- if (ret == 0 && ssl->tls13KeyLogCb != NULL) {
- ret = ssl->tls13KeyLogCb(ssl, SERVER_TRAFFIC_SECRET, key,
- ssl->specs.hash_size, NULL);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
- return TLS13_SECRET_CB_E;
- }
- }
- #endif /* OPENSSL_EXTRA */
- #endif /* HAVE_SECRET_CALLBACK */
- return ret;
- }
- #ifdef HAVE_KEYING_MATERIAL
- /* The length of the exporter master secret label. */
- #define EXPORTER_MASTER_LABEL_SZ 10
- /* The exporter master secret label. */
- static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =
- "exp master";
- /* Derive the exporter secret.
- *
- * ssl The SSL/TLS object.
- * key The derived key.
- * returns 0 on success, otherwise failure.
- */
- static int DeriveExporterSecret(WOLFSSL* ssl, byte* key)
- {
- int ret;
- WOLFSSL_ENTER("Derive Exporter Secret");
- if (ssl == NULL || ssl->arrays == NULL) {
- return BAD_FUNC_ARG;
- }
- ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
- exporterMasterLabel, EXPORTER_MASTER_LABEL_SZ,
- ssl->specs.mac_algorithm, 1, 0 /* Unused */);
- #ifdef HAVE_SECRET_CALLBACK
- if (ret == 0 && ssl->tls13SecretCb != NULL) {
- ret = ssl->tls13SecretCb(ssl, EXPORTER_SECRET, key,
- ssl->specs.hash_size, ssl->tls13SecretCtx);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
- return TLS13_SECRET_CB_E;
- }
- }
- #ifdef OPENSSL_EXTRA
- if (ret == 0 && ssl->tls13KeyLogCb != NULL) {
- ret = ssl->tls13KeyLogCb(ssl, EXPORTER_SECRET, key,
- ssl->specs.hash_size, NULL);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
- return TLS13_SECRET_CB_E;
- }
- }
- #endif /* OPENSSL_EXTRA */
- #endif /* HAVE_SECRET_CALLBACK */
- return ret;
- }
- /* The length of the exporter label. */
- #define EXPORTER_LABEL_SZ 8
- /* The exporter label. */
- static const byte exporterLabel[EXPORTER_LABEL_SZ + 1] =
- "exporter";
- /* Hash("") */
- #ifndef NO_SHA256
- static const byte emptySHA256Hash[] = {
- 0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8,
- 0x99, 0x6F, 0xB9, 0x24, 0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C,
- 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55
- };
- #endif
- #ifdef WOLFSSL_SHA384
- static const byte emptySHA384Hash[] = {
- 0x38, 0xB0, 0x60, 0xA7, 0x51, 0xAC, 0x96, 0x38, 0x4C, 0xD9, 0x32, 0x7E,
- 0xB1, 0xB1, 0xE3, 0x6A, 0x21, 0xFD, 0xB7, 0x11, 0x14, 0xBE, 0x07, 0x43,
- 0x4C, 0x0C, 0xC7, 0xBF, 0x63, 0xF6, 0xE1, 0xDA, 0x27, 0x4E, 0xDE, 0xBF,
- 0xE7, 0x6F, 0x65, 0xFB, 0xD5, 0x1A, 0xD2, 0xF1, 0x48, 0x98, 0xB9, 0x5B
- };
- #endif
- #ifdef WOLFSSL_TLS13_SHA512
- static const byte emptySHA512Hash[] = {
- 0xCF, 0x83, 0xE1, 0x35, 0x7E, 0xEF, 0xB8, 0xBD, 0xF1, 0x54, 0x28, 0x50,
- 0xD6, 0x6D, 0x80, 0x07, 0xD6, 0x20, 0xE4, 0x05, 0x0B, 0x57, 0x15, 0xDC,
- 0x83, 0xF4, 0xA9, 0x21, 0xD3, 0x6C, 0xE9, 0xCE, 0x47, 0xD0, 0xD1, 0x3C,
- 0x5D, 0x85, 0xF2, 0xB0, 0xFF, 0x83, 0x18, 0xD2, 0x87, 0x7E, 0xEC, 0x2F,
- 0x63, 0xB9, 0x31, 0xBD, 0x47, 0x41, 0x7A, 0x81, 0xA5, 0x38, 0x32, 0x7A,
- 0xF9, 0x27, 0xDA, 0x3E
- };
- #endif
- /**
- * Implement section 7.5 of RFC 8446
- * @return 0 on success
- * <0 on failure
- */
- int Tls13_Exporter(WOLFSSL* ssl, unsigned char *out, size_t outLen,
- const char *label, size_t labelLen,
- const unsigned char *context, size_t contextLen)
- {
- int ret;
- enum wc_HashType hashType = WC_HASH_TYPE_NONE;
- int hashLen = 0;
- byte hashOut[WC_MAX_DIGEST_SIZE];
- const byte* emptyHash = NULL;
- byte firstExpand[WC_MAX_DIGEST_SIZE];
- const byte* protocol = tls13ProtocolLabel;
- word32 protocolLen = TLS13_PROTOCOL_LABEL_SZ;
- if (ssl->options.dtls && ssl->version.minor != DTLSv1_3_MINOR)
- return VERSION_ERROR;
- if (!ssl->options.dtls && ssl->version.minor != TLSv1_3_MINOR)
- return VERSION_ERROR;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- protocol = dtls13ProtocolLabel;
- protocolLen = DTLS13_PROTOCOL_LABEL_SZ;
- }
- #endif /* WOLFSSL_DTLS13 */
- switch (ssl->specs.mac_algorithm) {
- #ifndef NO_SHA256
- case sha256_mac:
- hashType = WC_HASH_TYPE_SHA256;
- hashLen = WC_SHA256_DIGEST_SIZE;
- emptyHash = emptySHA256Hash;
- break;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- hashType = WC_HASH_TYPE_SHA384;
- hashLen = WC_SHA384_DIGEST_SIZE;
- emptyHash = emptySHA384Hash;
- break;
- #endif
- #ifdef WOLFSSL_TLS13_SHA512
- case sha512_mac:
- hashType = WC_HASH_TYPE_SHA512;
- hashLen = WC_SHA512_DIGEST_SIZE;
- emptyHash = emptySHA512Hash;
- break;
- #endif
- }
- /* Derive-Secret(Secret, label, "") */
- ret = Tls13HKDFExpandLabel(ssl, firstExpand, hashLen,
- ssl->arrays->exporterSecret, hashLen,
- protocol, protocolLen, (byte*)label, (word32)labelLen,
- emptyHash, hashLen, hashType);
- if (ret != 0)
- return ret;
- /* Hash(context_value) */
- ret = wc_Hash(hashType, context, (word32)contextLen, hashOut, WC_MAX_DIGEST_SIZE);
- if (ret != 0)
- return ret;
- ret = Tls13HKDFExpandLabel(ssl, out, (word32)outLen, firstExpand, hashLen,
- protocol, protocolLen, exporterLabel, EXPORTER_LABEL_SZ,
- hashOut, hashLen, hashType);
- return ret;
- }
- #endif
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- /* The length of the resumption master secret label. */
- #define RESUME_MASTER_LABEL_SZ 10
- /* The resumption master secret label. */
- static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
- "res master";
- /* Derive the resumption secret.
- *
- * ssl The SSL/TLS object.
- * key The derived key.
- * returns 0 on success, otherwise failure.
- */
- int DeriveResumptionSecret(WOLFSSL* ssl, byte* key)
- {
- byte* masterSecret;
- WOLFSSL_MSG("Derive Resumption Secret");
- if (ssl == NULL) {
- return BAD_FUNC_ARG;
- }
- if (ssl->arrays != NULL) {
- masterSecret = ssl->arrays->masterSecret;
- }
- else {
- masterSecret = ssl->session->masterSecret;
- }
- return Tls13DeriveKey(ssl, key, -1, masterSecret, resumeMasterLabel,
- RESUME_MASTER_LABEL_SZ, ssl->specs.mac_algorithm, 1,
- 0 /* Unused */);
- }
- #endif
- /* Length of the finished label. */
- #define FINISHED_LABEL_SZ 8
- /* Finished label for generating finished key. */
- static const byte finishedLabel[FINISHED_LABEL_SZ+1] = "finished";
- /* Derive the finished secret.
- *
- * ssl The SSL/TLS object.
- * key The key to use with the HMAC.
- * secret The derived secret.
- * side The side that we are deriving the secret for.
- * returns 0 on success, otherwise failure.
- */
- static int DeriveFinishedSecret(WOLFSSL* ssl, byte* key, byte* secret,
- int side)
- {
- WOLFSSL_MSG("Derive Finished Secret");
- return Tls13DeriveKey(ssl, secret, -1, key, finishedLabel,
- FINISHED_LABEL_SZ, ssl->specs.mac_algorithm, 0,
- side);
- }
- /* The length of the application traffic label. */
- #define APP_TRAFFIC_LABEL_SZ 11
- /* The application traffic label. */
- static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =
- "traffic upd";
- /* Update the traffic secret.
- *
- * ssl The SSL/TLS object.
- * secret The previous secret and derived secret.
- * side The side that we are deriving the secret for.
- * returns 0 on success, otherwise failure.
- */
- static int DeriveTrafficSecret(WOLFSSL* ssl, byte* secret, int side)
- {
- WOLFSSL_MSG("Derive New Application Traffic Secret");
- return Tls13DeriveKey(ssl, secret, -1, secret,
- appTrafficLabel, APP_TRAFFIC_LABEL_SZ,
- ssl->specs.mac_algorithm, 0, side);
- }
- static int Tls13_HKDF_Extract(WOLFSSL *ssl, byte* prk, const byte* salt, int saltLen,
- byte* ikm, int ikmLen, int digest)
- {
- int ret;
- #ifdef HAVE_PK_CALLBACKS
- void *cb_ctx = ssl->HkdfExtractCtx;
- CallbackHKDFExtract cb = ssl->ctx->HkdfExtractCb;
- if (cb != NULL) {
- ret = cb(prk, salt, saltLen, ikm, ikmLen, digest, cb_ctx);
- }
- else
- #endif
- {
- (void)ssl;
- ret = wc_Tls13_HKDF_Extract(prk, salt, saltLen, ikm, ikmLen, digest);
- }
- return ret;
- }
- /* Derive the early secret using HKDF Extract.
- *
- * ssl The SSL/TLS object.
- */
- int DeriveEarlySecret(WOLFSSL* ssl)
- {
- int ret;
- WOLFSSL_MSG("Derive Early Secret");
- if (ssl == NULL || ssl->arrays == NULL) {
- return BAD_FUNC_ARG;
- }
- #if defined(WOLFSSL_RENESAS_TSIP_TLS)
- ret = tsip_Tls13DeriveEarlySecret(ssl);
- if (ret != CRYPTOCB_UNAVAILABLE)
- return ret;
- #endif
- PRIVATE_KEY_UNLOCK();
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- ret = Tls13_HKDF_Extract(ssl, ssl->arrays->secret, NULL, 0,
- ssl->arrays->psk_key, ssl->arrays->psk_keySz,
- mac2hash(ssl->specs.mac_algorithm));
- #else
- ret = Tls13_HKDF_Extract(ssl, ssl->arrays->secret, NULL, 0,
- ssl->arrays->masterSecret, 0, mac2hash(ssl->specs.mac_algorithm));
- #endif
- PRIVATE_KEY_LOCK();
- return ret;
- }
- /* The length of the derived label. */
- #define DERIVED_LABEL_SZ 7
- /* The derived label. */
- static const byte derivedLabel[DERIVED_LABEL_SZ + 1] =
- "derived";
- /* Derive the handshake secret using HKDF Extract.
- *
- * ssl The SSL/TLS object.
- */
- int DeriveHandshakeSecret(WOLFSSL* ssl)
- {
- byte key[WC_MAX_DIGEST_SIZE];
- int ret;
- WOLFSSL_MSG("Derive Handshake Secret");
- if (ssl == NULL || ssl->arrays == NULL) {
- return BAD_FUNC_ARG;
- }
- #if defined(WOLFSSL_RENESAS_TSIP_TLS)
- ret = tsip_Tls13DeriveHandshakeSecret(ssl);
- if (ret != CRYPTOCB_UNAVAILABLE)
- return ret;
- #endif
- ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
- derivedLabel, DERIVED_LABEL_SZ,
- NULL, 0, ssl->specs.mac_algorithm);
- if (ret != 0)
- return ret;
- PRIVATE_KEY_UNLOCK();
- ret = Tls13_HKDF_Extract(ssl, ssl->arrays->preMasterSecret,
- key, ssl->specs.hash_size,
- ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
- mac2hash(ssl->specs.mac_algorithm));
- PRIVATE_KEY_LOCK();
- return ret;
- }
- /* Derive the master secret using HKDF Extract.
- *
- * ssl The SSL/TLS object.
- */
- int DeriveMasterSecret(WOLFSSL* ssl)
- {
- byte key[WC_MAX_DIGEST_SIZE];
- int ret;
- WOLFSSL_MSG("Derive Master Secret");
- if (ssl == NULL || ssl->arrays == NULL) {
- return BAD_FUNC_ARG;
- }
- #if defined(WOLFSSL_RENESAS_TSIP_TLS)
- ret = tsip_Tls13DeriveMasterSecret(ssl);
- if (ret != CRYPTOCB_UNAVAILABLE)
- return ret;
- #endif
- ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->preMasterSecret,
- derivedLabel, DERIVED_LABEL_SZ,
- NULL, 0, ssl->specs.mac_algorithm);
- if (ret != 0)
- return ret;
- PRIVATE_KEY_UNLOCK();
- ret = Tls13_HKDF_Extract(ssl, ssl->arrays->masterSecret,
- key, ssl->specs.hash_size,
- ssl->arrays->masterSecret, 0, mac2hash(ssl->specs.mac_algorithm));
- PRIVATE_KEY_LOCK();
- #ifdef HAVE_KEYING_MATERIAL
- if (ret != 0)
- return ret;
- /* Calculate exporter secret only when saving arrays */
- if (ssl->options.saveArrays)
- ret = DeriveExporterSecret(ssl, ssl->arrays->exporterSecret);
- #endif
- return ret;
- }
- #if defined(HAVE_SESSION_TICKET)
- /* Length of the resumption label. */
- #define RESUMPTION_LABEL_SZ 10
- /* Resumption label for generating PSK associated with the ticket. */
- static const byte resumptionLabel[RESUMPTION_LABEL_SZ+1] = "resumption";
- /* Derive the PSK associated with the ticket.
- *
- * ssl The SSL/TLS object.
- * nonce The nonce to derive with.
- * nonceLen The length of the nonce to derive with.
- * secret The derived secret.
- * returns 0 on success, otherwise failure.
- */
- int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen, byte* secret)
- {
- int digestAlg;
- /* Only one protocol version defined at this time. */
- const byte* protocol = tls13ProtocolLabel;
- word32 protocolLen = TLS13_PROTOCOL_LABEL_SZ;
- int ret;
- WOLFSSL_MSG("Derive Resumption PSK");
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- protocol = dtls13ProtocolLabel;
- protocolLen = DTLS13_PROTOCOL_LABEL_SZ;
- }
- #endif /* WOLFSSL_DTLS13 */
- switch (ssl->specs.mac_algorithm) {
- #ifndef NO_SHA256
- case sha256_mac:
- digestAlg = WC_SHA256;
- break;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- digestAlg = WC_SHA384;
- break;
- #endif
- #ifdef WOLFSSL_TLS13_SHA512
- case sha512_mac:
- digestAlg = WC_SHA512;
- break;
- #endif
- #ifdef WOLFSSL_SM3
- case sm3_mac:
- digestAlg = WC_SM3;
- break;
- #endif
- default:
- return BAD_FUNC_ARG;
- }
- #if defined(WOLFSSL_TICKET_NONCE_MALLOC) && \
- (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))
- PRIVATE_KEY_UNLOCK();
- ret = wc_Tls13_HKDF_Expand_Label_Alloc(secret, ssl->specs.hash_size,
- ssl->session->masterSecret, ssl->specs.hash_size, protocol, protocolLen,
- resumptionLabel, RESUMPTION_LABEL_SZ, nonce, nonceLen, digestAlg,
- ssl->heap);
- PRIVATE_KEY_LOCK();
- #else
- ret = Tls13HKDFExpandLabel(ssl, secret, ssl->specs.hash_size,
- ssl->session->masterSecret, ssl->specs.hash_size,
- protocol, protocolLen, resumptionLabel,
- RESUMPTION_LABEL_SZ, nonce, nonceLen, digestAlg);
- #endif /* !defined(HAVE_FIPS) || FIPS_VERSION_GE(5,3) */
- return ret;
- }
- #endif /* HAVE_SESSION_TICKET */
- /* Calculate the HMAC of message data to this point.
- *
- * ssl The SSL/TLS object.
- * key The HMAC key.
- * hash The hash result - verify data.
- * returns length of verify data generated.
- */
- static int BuildTls13HandshakeHmac(WOLFSSL* ssl, byte* key, byte* hash,
- word32* pHashSz)
- {
- #ifdef WOLFSSL_SMALL_STACK
- Hmac* verifyHmac;
- #else
- Hmac verifyHmac[1];
- #endif
- int hashType = WC_SHA256;
- int hashSz = WC_SHA256_DIGEST_SIZE;
- int ret = BAD_FUNC_ARG;
- if (ssl == NULL || key == NULL || hash == NULL) {
- return BAD_FUNC_ARG;
- }
- /* Get the hash of the previous handshake messages. */
- switch (ssl->specs.mac_algorithm) {
- #ifndef NO_SHA256
- case sha256_mac:
- hashType = WC_SHA256;
- hashSz = WC_SHA256_DIGEST_SIZE;
- ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
- break;
- #endif /* !NO_SHA256 */
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- hashType = WC_SHA384;
- hashSz = WC_SHA384_DIGEST_SIZE;
- ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
- break;
- #endif /* WOLFSSL_SHA384 */
- #ifdef WOLFSSL_TLS13_SHA512
- case sha512_mac:
- hashType = WC_SHA512;
- hashSz = WC_SHA512_DIGEST_SIZE;
- ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
- break;
- #endif /* WOLFSSL_TLS13_SHA512 */
- #ifdef WOLFSSL_SM3
- case sm3_mac:
- hashType = WC_SM3;
- hashSz = WC_SM3_DIGEST_SIZE;
- ret = wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash);
- break;
- #endif /* WOLFSSL_SM3 */
- default:
- break;
- }
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG(" Key");
- WOLFSSL_BUFFER(key, ssl->specs.hash_size);
- WOLFSSL_MSG(" Msg Hash");
- WOLFSSL_BUFFER(hash, hashSz);
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- verifyHmac = (Hmac*)XMALLOC(sizeof(Hmac), NULL, DYNAMIC_TYPE_HMAC);
- if (verifyHmac == NULL) {
- return MEMORY_E;
- }
- #endif
- /* Calculate the verify data. */
- ret = wc_HmacInit(verifyHmac, ssl->heap, ssl->devId);
- if (ret == 0) {
- ret = wc_HmacSetKey(verifyHmac, hashType, key, ssl->specs.hash_size);
- if (ret == 0)
- ret = wc_HmacUpdate(verifyHmac, hash, hashSz);
- if (ret == 0)
- ret = wc_HmacFinal(verifyHmac, hash);
- wc_HmacFree(verifyHmac);
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(verifyHmac, NULL, DYNAMIC_TYPE_HMAC);
- #endif
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG(" Hash");
- WOLFSSL_BUFFER(hash, hashSz);
- #endif
- if (pHashSz)
- *pHashSz = hashSz;
- return ret;
- }
- /* The length of the label to use when deriving keys. */
- #define WRITE_KEY_LABEL_SZ 3
- /* The length of the label to use when deriving IVs. */
- #define WRITE_IV_LABEL_SZ 2
- /* The label to use when deriving keys. */
- static const byte writeKeyLabel[WRITE_KEY_LABEL_SZ+1] = "key";
- /* The label to use when deriving IVs. */
- static const byte writeIVLabel[WRITE_IV_LABEL_SZ+1] = "iv";
- /* Derive the keys and IVs for TLS v1.3.
- *
- * ssl The SSL/TLS object.
- * secret early_data_key when deriving the key and IV for encrypting early
- * data application data and end_of_early_data messages.
- * handshake_key when deriving keys and IVs for encrypting handshake
- * messages.
- * traffic_key when deriving first keys and IVs for encrypting
- * traffic messages.
- * update_traffic_key when deriving next keys and IVs for encrypting
- * traffic messages.
- * side ENCRYPT_SIDE_ONLY when only encryption secret needs to be derived.
- * DECRYPT_SIDE_ONLY when only decryption secret needs to be derived.
- * ENCRYPT_AND_DECRYPT_SIDE when both secret needs to be derived.
- * store 1 indicates to derive the keys and IVs from derived secret and
- * store ready for provisioning.
- * returns 0 on success, otherwise failure.
- */
- int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store)
- {
- int ret = BAD_FUNC_ARG; /* Assume failure */
- int i = 0;
- #ifdef WOLFSSL_SMALL_STACK
- byte* key_dig;
- #else
- byte key_dig[MAX_PRF_DIG];
- #endif
- int provision;
- #if defined(WOLFSSL_RENESAS_TSIP_TLS)
- ret = tsip_Tls13DeriveKeys(ssl, secret, side);
- if (ret != CRYPTOCB_UNAVAILABLE) {
- return ret;
- }
- ret = BAD_FUNC_ARG; /* Assume failure */
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- key_dig = (byte*)XMALLOC(MAX_PRF_DIG, ssl->heap, DYNAMIC_TYPE_DIGEST);
- if (key_dig == NULL)
- return MEMORY_E;
- #endif
- if (side == ENCRYPT_AND_DECRYPT_SIDE) {
- provision = PROVISION_CLIENT_SERVER;
- }
- else {
- provision = ((ssl->options.side != WOLFSSL_CLIENT_END) ^
- (side == ENCRYPT_SIDE_ONLY)) ? PROVISION_CLIENT :
- PROVISION_SERVER;
- }
- /* Derive the appropriate secret to use in the HKDF. */
- switch (secret) {
- #ifdef WOLFSSL_EARLY_DATA
- case early_data_key:
- ret = DeriveEarlyTrafficSecret(ssl, ssl->clientSecret,
- WOLFSSL_CLIENT_END);
- if (ret != 0)
- goto end;
- break;
- #endif
- case handshake_key:
- if (provision & PROVISION_CLIENT) {
- ret = DeriveClientHandshakeSecret(ssl,
- ssl->clientSecret);
- if (ret != 0)
- goto end;
- }
- if (provision & PROVISION_SERVER) {
- ret = DeriveServerHandshakeSecret(ssl,
- ssl->serverSecret);
- if (ret != 0)
- goto end;
- }
- break;
- case traffic_key:
- if (provision & PROVISION_CLIENT) {
- ret = DeriveClientTrafficSecret(ssl, ssl->clientSecret);
- if (ret != 0)
- goto end;
- }
- if (provision & PROVISION_SERVER) {
- ret = DeriveServerTrafficSecret(ssl, ssl->serverSecret);
- if (ret != 0)
- goto end;
- }
- break;
- case update_traffic_key:
- if (provision & PROVISION_CLIENT) {
- ret = DeriveTrafficSecret(ssl, ssl->clientSecret,
- WOLFSSL_CLIENT_END);
- if (ret != 0)
- goto end;
- }
- if (provision & PROVISION_SERVER) {
- ret = DeriveTrafficSecret(ssl, ssl->serverSecret,
- WOLFSSL_SERVER_END);
- if (ret != 0)
- goto end;
- }
- break;
- default:
- break;
- }
- #ifdef WOLFSSL_QUIC
- if (WOLFSSL_IS_QUIC(ssl)) {
- ret = wolfSSL_quic_forward_secrets(ssl, secret, side);
- if (ret != 0)
- goto end;
- }
- #endif /* WOLFSSL_QUIC */
- if (!store)
- goto end;
- /* Key data = client key | server key | client IV | server IV */
- if (provision & PROVISION_CLIENT) {
- /* Derive the client key. */
- WOLFSSL_MSG("Derive Client Key");
- ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
- ssl->clientSecret, writeKeyLabel,
- WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0,
- WOLFSSL_CLIENT_END);
- if (ret != 0)
- goto end;
- i += ssl->specs.key_size;
- }
- if (provision & PROVISION_SERVER) {
- /* Derive the server key. */
- WOLFSSL_MSG("Derive Server Key");
- ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
- ssl->serverSecret, writeKeyLabel,
- WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0,
- WOLFSSL_SERVER_END);
- if (ret != 0)
- goto end;
- i += ssl->specs.key_size;
- }
- if (provision & PROVISION_CLIENT) {
- /* Derive the client IV. */
- WOLFSSL_MSG("Derive Client IV");
- ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
- ssl->clientSecret, writeIVLabel,
- WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0,
- WOLFSSL_CLIENT_END);
- if (ret != 0)
- goto end;
- i += ssl->specs.iv_size;
- }
- if (provision & PROVISION_SERVER) {
- /* Derive the server IV. */
- WOLFSSL_MSG("Derive Server IV");
- ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
- ssl->serverSecret, writeIVLabel,
- WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0,
- WOLFSSL_SERVER_END);
- if (ret != 0)
- goto end;
- i += ssl->specs.iv_size;
- }
- /* Store keys and IVs but don't activate them. */
- ret = StoreKeys(ssl, key_dig, provision);
- #ifdef WOLFSSL_DTLS13
- if (ret != 0)
- goto end;
- if (ssl->options.dtls) {
- ret = Dtls13DeriveSnKeys(ssl, provision);
- if (ret != 0)
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- end:
- ForceZero(key_dig, i);
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST);
- #elif defined(WOLFSSL_CHECK_MEM_ZERO)
- wc_MemZero_Check(key_dig, MAX_PRF_DIG);
- #endif
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- return ret;
- }
- #if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
- #ifdef WOLFSSL_32BIT_MILLI_TIME
- #ifndef NO_ASN_TIME
- #if defined(USER_TICKS)
- #if 0
- word32 TimeNowInMilliseconds(void)
- {
- /*
- write your own clock tick function if don't want gettimeofday()
- needs millisecond accuracy but doesn't have to correlated to EPOCH
- */
- }
- #endif
- #elif defined(TIME_OVERRIDES)
- #if !defined(NO_ASN) && !defined(NO_ASN_TIME)
- word32 TimeNowInMilliseconds(void)
- {
- return (word32) wc_Time(0) * 1000;
- }
- #else
- #ifndef HAVE_TIME_T_TYPE
- typedef long time_t;
- #endif
- extern time_t XTIME(time_t * timer);
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- word32 TimeNowInMilliseconds(void)
- {
- return (word32) XTIME(0) * 1000;
- }
- #endif
- #elif defined(XTIME_MS)
- word32 TimeNowInMilliseconds(void)
- {
- return (word32)XTIME_MS(0);
- }
- #elif defined(USE_WINDOWS_API)
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- word32 TimeNowInMilliseconds(void)
- {
- static int init = 0;
- static LARGE_INTEGER freq;
- LARGE_INTEGER count;
- if (!init) {
- QueryPerformanceFrequency(&freq);
- init = 1;
- }
- QueryPerformanceCounter(&count);
- return (word32)(count.QuadPart / (freq.QuadPart / 1000));
- }
- #elif defined(HAVE_RTP_SYS)
- #include "rtptime.h"
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- word32 TimeNowInMilliseconds(void)
- {
- return (word32)rtp_get_system_sec() * 1000;
- }
- #elif defined(WOLFSSL_DEOS)
- word32 TimeNowInMilliseconds(void)
- {
- const word32 systemTickTimeInHz = 1000000 / systemTickInMicroseconds();
- word32 *systemTickPtr = systemTickPointer();
- return (word32) (*systemTickPtr/systemTickTimeInHz) * 1000;
- }
- #elif defined(MICRIUM)
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- word32 TimeNowInMilliseconds(void)
- {
- OS_TICK ticks = 0;
- OS_ERR err;
- ticks = OSTimeGet(&err);
- return (word32) (ticks / OSCfg_TickRate_Hz) * 1000;
- }
- #elif defined(MICROCHIP_TCPIP_V5)
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- word32 TimeNowInMilliseconds(void)
- {
- return (word32) (TickGet() / (TICKS_PER_SECOND / 1000));
- }
- #elif defined(MICROCHIP_TCPIP)
- #if defined(MICROCHIP_MPLAB_HARMONY)
- #include <system/tmr/sys_tmr.h>
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- word32 TimeNowInMilliseconds(void)
- {
- return (word32)(SYS_TMR_TickCountGet() /
- (SYS_TMR_TickCounterFrequencyGet() / 1000));
- }
- #else
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- word32 TimeNowInMilliseconds(void)
- {
- return (word32)(SYS_TICK_Get() / (SYS_TICK_TicksPerSecondGet() / 1000));
- }
- #endif
- #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- word32 TimeNowInMilliseconds(void)
- {
- TIME_STRUCT mqxTime;
- _time_get_elapsed(&mqxTime);
- return (word32) mqxTime.SECONDS * 1000;
- }
- #elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
- #include "include/task.h"
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- word32 TimeNowInMilliseconds(void)
- {
- return (unsigned int)(((float)xTaskGetTickCount()) /
- (configTICK_RATE_HZ / 1000));
- }
- #elif defined(FREESCALE_KSDK_BM)
- #include "lwip/sys.h" /* lwIP */
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- word32 TimeNowInMilliseconds(void)
- {
- return sys_now();
- }
- #elif defined(WOLFSSL_CMSIS_RTOS) || defined(WOLFSSL_CMSIS_RTOSv2)
- word32 TimeNowInMilliseconds(void)
- {
- return (word32)osKernelGetTickCount();
- }
- #elif defined(WOLFSSL_TIRTOS)
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- word32 TimeNowInMilliseconds(void)
- {
- return (word32) Seconds_get() * 1000;
- }
- #elif defined(WOLFSSL_UTASKER)
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- word32 TimeNowInMilliseconds(void)
- {
- return (word32)(uTaskerSystemTick / (TICK_RESOLUTION / 1000));
- }
- #elif defined(WOLFSSL_LINUXKM)
- word32 TimeNowInMilliseconds(void)
- {
- s64 t;
- #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
- struct timespec ts;
- getnstimeofday(&ts);
- t = ts.tv_sec * (s64)1000;
- t += ts.tv_nsec / (s64)1000000;
- #else
- struct timespec64 ts;
- #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0)
- ts = current_kernel_time64();
- #else
- ktime_get_coarse_real_ts64(&ts);
- #endif
- t = ts.tv_sec * 1000L;
- t += ts.tv_nsec / 1000000L;
- #endif
- return (word32)t;
- }
- #elif defined(WOLFSSL_QNX_CAAM)
- word32 TimeNowInMilliseconds(void)
- {
- struct timespec now;
- clock_gettime(CLOCK_REALTIME, &now);
- return (word32)(now.tv_sec * 1000 + now.tv_nsec / 1000000);
- }
- #elif defined(FUSION_RTOS)
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- word32 TimeNowInMilliseconds(void)
- {
- struct timeval now;
- if (FCL_GETTIMEOFDAY(&now, 0) < 0)
- return 0;
- /* Convert to milliseconds number. */
- return (word32)(now.tv_sec * 1000 + now.tv_usec / 1000);
- }
- #elif defined(WOLFSSL_ZEPHYR)
- word32 TimeNowInMilliseconds(void)
- {
- #if defined(CONFIG_ARCH_POSIX)
- k_cpu_idle();
- #endif
- return (word32)k_uptime_get() / 1000;
- }
- #else
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- word32 TimeNowInMilliseconds(void)
- {
- struct timeval now;
- if (gettimeofday(&now, 0) < 0)
- return 0;
- /* Convert to milliseconds number. */
- return (word32)(now.tv_sec * 1000 + now.tv_usec / 1000);
- }
- #endif
- #else
- /* user must supply time in milliseconds function:
- * word32 TimeNowInMilliseconds(void);
- * The response is milliseconds elapsed
- */
- #endif /* !NO_ASN_TIME */
- #else
- #ifndef NO_ASN_TIME
- #if defined(USER_TICKS)
- #if 0
- sword64 TimeNowInMilliseconds(void)
- {
- /*
- write your own clock tick function if don't want gettimeofday()
- needs millisecond accuracy but doesn't have to correlated to EPOCH
- */
- }
- #endif
- #elif defined(TIME_OVERRIDES)
- #if !defined(NO_ASN) && !defined(NO_ASN_TIME)
- sword64 TimeNowInMilliseconds(void)
- {
- return (sword64) wc_Time(0) * 1000;
- }
- #else
- #ifndef HAVE_TIME_T_TYPE
- typedef long time_t;
- #endif
- extern time_t XTIME(time_t * timer);
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 32-bit value.
- */
- sword64 TimeNowInMilliseconds(void)
- {
- return (sword64) XTIME(0) * 1000;
- }
- #endif
- #elif defined(XTIME_MS)
- sword64 TimeNowInMilliseconds(void)
- {
- return (sword64)XTIME_MS(0);
- }
- #elif defined(USE_WINDOWS_API)
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 64-bit value.
- */
- sword64 TimeNowInMilliseconds(void)
- {
- static int init = 0;
- static LARGE_INTEGER freq;
- LARGE_INTEGER count;
- if (!init) {
- QueryPerformanceFrequency(&freq);
- init = 1;
- }
- QueryPerformanceCounter(&count);
- return (sword64)(count.QuadPart / (freq.QuadPart / 1000));
- }
- #elif defined(HAVE_RTP_SYS)
- #include "rtptime.h"
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 64-bit value.
- */
- sword64 TimeNowInMilliseconds(void)
- {
- return (sword64)rtp_get_system_sec() * 1000;
- }
- #elif defined(WOLFSSL_DEOS)
- sword64 TimeNowInMilliseconds(void)
- {
- const word32 systemTickTimeInHz = 1000000 / systemTickInMicroseconds();
- word32 *systemTickPtr = systemTickPointer();
- return (sword64) (*systemTickPtr/systemTickTimeInHz) * 1000;
- }
- #elif defined(MICRIUM)
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 64-bit value.
- */
- sword64 TimeNowInMilliseconds(void)
- {
- OS_TICK ticks = 0;
- OS_ERR err;
- ticks = OSTimeGet(&err);
- return (sword64) (ticks / OSCfg_TickRate_Hz) * 1000;
- }
- #elif defined(MICROCHIP_TCPIP_V5)
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 64-bit value.
- */
- sword64 TimeNowInMilliseconds(void)
- {
- return (sword64) (TickGet() / (TICKS_PER_SECOND / 1000));
- }
- #elif defined(MICROCHIP_TCPIP)
- #if defined(MICROCHIP_MPLAB_HARMONY)
- #include <system/tmr/sys_tmr.h>
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 64-bit value.
- */
- sword64 TimeNowInMilliseconds(void)
- {
- return (sword64)SYS_TMR_TickCountGet() /
- (SYS_TMR_TickCounterFrequencyGet() / 1000);
- }
- #else
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 64-bit value.
- */
- sword64 TimeNowInMilliseconds(void)
- {
- return (sword64)SYS_TICK_Get() / (SYS_TICK_TicksPerSecondGet() / 1000);
- }
- #endif
- #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 64-bit value.
- */
- sword64 TimeNowInMilliseconds(void)
- {
- TIME_STRUCT mqxTime;
- _time_get_elapsed(&mqxTime);
- return (sword64) mqxTime.SECONDS * 1000;
- }
- #elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
- #include "include/task.h"
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 64-bit value.
- */
- sword64 TimeNowInMilliseconds(void)
- {
- return (sword64)xTaskGetTickCount() / (configTICK_RATE_HZ / 1000);
- }
- #elif defined(FREESCALE_KSDK_BM)
- #include "lwip/sys.h" /* lwIP */
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 64-bit value.
- */
- sword64 TimeNowInMilliseconds(void)
- {
- return sys_now();
- }
- #elif defined(WOLFSSL_CMSIS_RTOS) || defined(WOLFSSL_CMSIS_RTOSv2)
- sword64 TimeNowInMilliseconds(void)
- {
- return (sword64)osKernelGetTickCount();
- }
- #elif defined(WOLFSSL_TIRTOS)
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 64-bit value.
- */
- sword64 TimeNowInMilliseconds(void)
- {
- return (sword64) Seconds_get() * 1000;
- }
- #elif defined(WOLFSSL_UTASKER)
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 64-bit value.
- */
- sword64 TimeNowInMilliseconds(void)
- {
- return (sword64)(uTaskerSystemTick / (TICK_RESOLUTION / 1000));
- }
- #elif defined(WOLFSSL_LINUXKM)
- sword64 TimeNowInMilliseconds(void)
- {
- s64 t;
- #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
- struct timespec ts;
- getnstimeofday(&ts);
- t = ts.tv_sec * (s64)1000;
- t += ts.tv_nsec / (s64)1000000;
- #else
- struct timespec64 ts;
- #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0)
- ts = current_kernel_time64();
- #else
- ktime_get_coarse_real_ts64(&ts);
- #endif
- t = ts.tv_sec * 1000L;
- t += ts.tv_nsec / 1000000L;
- #endif
- return (sword64)t;
- }
- #elif defined(WOLFSSL_QNX_CAAM)
- sword64 TimeNowInMilliseconds(void)
- {
- struct timespec now;
- clock_gettime(CLOCK_REALTIME, &now);
- return (sword64)(now.tv_sec * 1000 + now.tv_nsec / 1000000);
- }
- #elif defined(FUSION_RTOS)
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 64-bit value.
- */
- sword64 TimeNowInMilliseconds(void)
- {
- struct timeval now;
- if (FCL_GETTIMEOFDAY(&now, 0) < 0)
- return 0;
- /* Convert to milliseconds number. */
- return (sword64)now.tv_sec * 1000 + now.tv_usec / 1000;
- }
- #elif defined(WOLFSSL_ZEPHYR)
- sword64 TimeNowInMilliseconds(void)
- {
- #if defined(CONFIG_ARCH_POSIX)
- k_cpu_idle();
- #endif
- return (sword64)k_uptime_get() / 1000;
- }
- #else
- /* The time in milliseconds.
- * Used for tickets to represent difference between when first seen and when
- * sending.
- *
- * returns the time in milliseconds as a 64-bit value.
- */
- sword64 TimeNowInMilliseconds(void)
- {
- struct timeval now;
- if (gettimeofday(&now, 0) < 0)
- return 0;
- /* Convert to milliseconds number. */
- return (sword64)now.tv_sec * 1000 + now.tv_usec / 1000;
- }
- #endif
- #else
- /* user must supply time in milliseconds function:
- * sword64 TimeNowInMilliseconds(void);
- * The response is milliseconds elapsed
- */
- #endif /* !NO_ASN_TIME */
- #endif /* WOLFSSL_32BIT_MILLI_TIME */
- #endif /* HAVE_SESSION_TICKET || !NO_PSK */
- /* Extract the handshake header information.
- *
- * ssl The SSL/TLS object.
- * input The buffer holding the message data.
- * inOutIdx On entry, the index into the buffer of the handshake data.
- * On exit, the start of the handshake data.
- * type Type of handshake message.
- * size The length of the handshake message data.
- * totalSz The total size of data in the buffer.
- * returns BUFFER_E if there is not enough input data and 0 on success.
- */
- static int GetHandshakeHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
- byte* type, word32* size, word32 totalSz)
- {
- const byte* ptr = input + *inOutIdx;
- (void)ssl;
- *inOutIdx += HANDSHAKE_HEADER_SZ;
- if (*inOutIdx > totalSz)
- return BUFFER_E;
- *type = ptr[0];
- c24to32(&ptr[1], size);
- return 0;
- }
- /* Add record layer header to message.
- *
- * output The buffer to write the record layer header into.
- * length The length of the record data.
- * type The type of record message.
- * ssl The SSL/TLS object.
- */
- static void AddTls13RecordHeader(byte* output, word32 length, byte type,
- WOLFSSL* ssl)
- {
- RecordLayerHeader* rl;
- rl = (RecordLayerHeader*)output;
- rl->type = type;
- rl->pvMajor = ssl->version.major;
- /* NOTE: May be TLSv1_MINOR when sending first ClientHello. */
- rl->pvMinor = TLSv1_2_MINOR;
- c16toa((word16)length, rl->length);
- }
- /* Add handshake header to message.
- *
- * output The buffer to write the handshake header into.
- * length The length of the handshake data.
- * fragOffset The offset of the fragment data. (DTLS)
- * fragLength The length of the fragment data. (DTLS)
- * type The type of handshake message.
- * ssl The SSL/TLS object. (DTLS)
- */
- static void AddTls13HandShakeHeader(byte* output, word32 length,
- word32 fragOffset, word32 fragLength,
- byte type, WOLFSSL* ssl)
- {
- HandShakeHeader* hs;
- (void)fragOffset;
- (void)fragLength;
- (void)ssl;
- #ifdef WOLFSSL_DTLS13
- /* message_hash type is used for a synthetic message that replaces the first
- ClientHello in the hash transcript when using HelloRetryRequest. It will
- never be transmitted and, as the DTLS-only fields must not be considered
- when computing the hash transcript, we can avoid to use the DTLS
- handshake header. */
- if (ssl->options.dtls && type != message_hash) {
- Dtls13HandshakeAddHeader(ssl, output, (enum HandShakeType)type, length);
- return;
- }
- #endif /* WOLFSSL_DTLS13 */
- /* handshake header */
- hs = (HandShakeHeader*)output;
- hs->type = type;
- c32to24(length, hs->length);
- }
- /* Add both record layer and handshake header to message.
- *
- * output The buffer to write the headers into.
- * length The length of the handshake data.
- * type The type of record layer message.
- * ssl The SSL/TLS object. (DTLS)
- */
- static void AddTls13Headers(byte* output, word32 length, byte type,
- WOLFSSL* ssl)
- {
- word32 lengthAdj = HANDSHAKE_HEADER_SZ;
- word32 outputAdj = RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- Dtls13AddHeaders(output, length, (enum HandShakeType)type, ssl);
- return;
- }
- #endif /* WOLFSSL_DTLS13 */
- AddTls13RecordHeader(output, length + lengthAdj, handshake, ssl);
- AddTls13HandShakeHeader(output + outputAdj, length, 0, length, type, ssl);
- }
- #if (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) \
- && !defined(NO_CERTS)
- /* Add both record layer and fragment handshake header to message.
- *
- * output The buffer to write the headers into.
- * fragOffset The offset of the fragment data. (DTLS)
- * fragLength The length of the fragment data. (DTLS)
- * length The length of the handshake data.
- * type The type of record layer message.
- * ssl The SSL/TLS object. (DTLS)
- */
- static void AddTls13FragHeaders(byte* output, word32 fragSz, word32 fragOffset,
- word32 length, byte type, WOLFSSL* ssl)
- {
- word32 lengthAdj = HANDSHAKE_HEADER_SZ;
- word32 outputAdj = RECORD_HEADER_SZ;
- (void)fragSz;
- #ifdef WOLFSSL_DTLS13
- /* we ignore fragmentation fields here because fragmentation logic for
- DTLS1.3 is inside dtls13_handshake_send(). */
- if (ssl->options.dtls) {
- Dtls13AddHeaders(output, length, (enum HandShakeType)type, ssl);
- return;
- }
- #endif /* WOLFSSL_DTLS13 */
- AddTls13RecordHeader(output, fragSz + lengthAdj, handshake, ssl);
- AddTls13HandShakeHeader(output + outputAdj, length, fragOffset, fragSz,
- type, ssl);
- }
- #endif /* (!NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER) && !NO_CERTS */
- /* Write the sequence number into the buffer.
- * No DTLS v1.3 support.
- *
- * ssl The SSL/TLS object.
- * verifyOrder Which set of sequence numbers to use.
- * out The buffer to write into.
- */
- static WC_INLINE void WriteSEQTls13(WOLFSSL* ssl, int verifyOrder, byte* out)
- {
- word32 seq[2] = {0, 0};
- if (ssl->options.dtls) {
- #ifdef WOLFSSL_DTLS13
- Dtls13GetSeq(ssl, verifyOrder, seq, 1);
- #endif /* WOLFSSL_DTLS13 */
- }
- else if (verifyOrder == PEER_ORDER) {
- seq[0] = ssl->keys.peer_sequence_number_hi;
- seq[1] = ssl->keys.peer_sequence_number_lo++;
- /* handle rollover */
- if (seq[1] > ssl->keys.peer_sequence_number_lo)
- ssl->keys.peer_sequence_number_hi++;
- }
- else {
- seq[0] = ssl->keys.sequence_number_hi;
- seq[1] = ssl->keys.sequence_number_lo++;
- /* handle rollover */
- if (seq[1] > ssl->keys.sequence_number_lo)
- ssl->keys.sequence_number_hi++;
- }
- c32toa(seq[0], out);
- c32toa(seq[1], out + OPAQUE32_LEN);
- }
- /* Build the nonce for TLS v1.3 encryption and decryption.
- *
- * ssl The SSL/TLS object.
- * nonce The nonce data to use when encrypting or decrypting.
- * iv The derived IV.
- * order The side on which the message is to be or was sent.
- */
- static WC_INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv,
- int order)
- {
- int i;
- /* The nonce is the IV with the sequence XORed into the last bytes. */
- WriteSEQTls13(ssl, order, nonce + AEAD_NONCE_SZ - SEQ_SZ);
- for (i = 0; i < AEAD_NONCE_SZ - SEQ_SZ; i++)
- nonce[i] = iv[i];
- for (; i < AEAD_NONCE_SZ; i++)
- nonce[i] ^= iv[i];
- }
- #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
- /* Encrypt with ChaCha20 and create authentication tag with Poly1305.
- *
- * ssl The SSL/TLS object.
- * output The buffer to write encrypted data and authentication tag into.
- * May be the same pointer as input.
- * input The data to encrypt.
- * sz The number of bytes to encrypt.
- * nonce The nonce to use with ChaCha20.
- * aad The additional authentication data.
- * aadSz The size of the addition authentication data.
- * tag The authentication tag buffer.
- * returns 0 on success, otherwise failure.
- */
- static int ChaCha20Poly1305_Encrypt(WOLFSSL* ssl, byte* output,
- const byte* input, word16 sz, byte* nonce,
- const byte* aad, word16 aadSz, byte* tag)
- {
- int ret = 0;
- byte poly[CHACHA20_256_KEY_SIZE];
- /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
- XMEMSET(poly, 0, sizeof(poly));
- /* Set the nonce for ChaCha and get Poly1305 key. */
- ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0);
- if (ret != 0)
- return ret;
- /* Create Poly1305 key using ChaCha20 keystream. */
- ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, poly, sizeof(poly));
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("ChaCha20Poly1305_Encrypt poly", poly, sizeof(poly));
- #endif
- ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 1);
- if (ret != 0)
- return ret;
- /* Encrypt the plain text. */
- ret = wc_Chacha_Process(ssl->encrypt.chacha, output, input, sz);
- if (ret != 0) {
- ForceZero(poly, sizeof(poly));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(poly, sizeof(poly));
- #endif
- return ret;
- }
- /* Set key for Poly1305. */
- ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));
- ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(poly, sizeof(poly));
- #endif
- if (ret != 0)
- return ret;
- /* Add authentication code of encrypted data to end. */
- ret = wc_Poly1305_MAC(ssl->auth.poly1305, aad, aadSz, output, sz, tag,
- POLY1305_AUTH_SZ);
- return ret;
- }
- #endif
- #ifdef HAVE_NULL_CIPHER
- /* Create authentication tag and copy data over input.
- *
- * ssl The SSL/TLS object.
- * output The buffer to copy data into.
- * May be the same pointer as input.
- * input The data.
- * sz The number of bytes of data.
- * nonce The nonce to use with authentication.
- * aad The additional authentication data.
- * aadSz The size of the addition authentication data.
- * tag The authentication tag buffer.
- * returns 0 on success, otherwise failure.
- */
- static int Tls13IntegrityOnly_Encrypt(WOLFSSL* ssl, byte* output,
- const byte* input, word16 sz,
- const byte* nonce,
- const byte* aad, word16 aadSz, byte* tag)
- {
- int ret;
- /* HMAC: nonce | aad | input */
- ret = wc_HmacUpdate(ssl->encrypt.hmac, nonce, HMAC_NONCE_SZ);
- if (ret == 0)
- ret = wc_HmacUpdate(ssl->encrypt.hmac, aad, aadSz);
- if (ret == 0)
- ret = wc_HmacUpdate(ssl->encrypt.hmac, input, sz);
- if (ret == 0)
- ret = wc_HmacFinal(ssl->encrypt.hmac, tag);
- /* Copy the input to output if not the same buffer */
- if (ret == 0 && output != input)
- XMEMCPY(output, input, sz);
- return ret;
- }
- #endif
- /* Encrypt data for TLS v1.3.
- *
- * ssl The SSL/TLS object.
- * output The buffer to write encrypted data and authentication tag into.
- * May be the same pointer as input.
- * input The record header and data to encrypt.
- * sz The number of bytes to encrypt.
- * aad The additional authentication data.
- * aadSz The size of the addition authentication data.
- * asyncOkay If non-zero can return WC_PENDING_E, otherwise blocks on crypto
- * returns 0 on success, otherwise failure.
- */
- static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
- word16 sz, const byte* aad, word16 aadSz, int asyncOkay)
- {
- int ret = 0;
- word16 dataSz = sz - ssl->specs.aead_mac_size;
- word16 macSz = ssl->specs.aead_mac_size;
- word32 nonceSz = 0;
- #ifdef WOLFSSL_ASYNC_CRYPT
- WC_ASYNC_DEV* asyncDev = NULL;
- word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN;
- #endif
- WOLFSSL_ENTER("EncryptTls13");
- (void)output;
- (void)input;
- (void)sz;
- (void)dataSz;
- (void)macSz;
- (void)asyncOkay;
- (void)nonceSz;
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->error == WC_PENDING_E) {
- ssl->error = 0; /* clear async */
- }
- #endif
- #if defined(WOLFSSL_RENESAS_TSIP_TLS)
- ret = tsip_Tls13AesEncrypt(ssl, output, input, dataSz);
- if (ret != CRYPTOCB_UNAVAILABLE) {
- if (ret > 0) {
- ret = 0; /* tsip_Tls13AesEncrypt returns output size */
- }
- return ret;
- }
- ret = 0;
- #endif /* WOLFSSL_RENESAS_TSIP_TLS */
- switch (ssl->encrypt.state) {
- case CIPHER_STATE_BEGIN:
- {
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG("Data to encrypt");
- WOLFSSL_BUFFER(input, dataSz);
- WOLFSSL_MSG("Additional Authentication Data");
- WOLFSSL_BUFFER(aad, aadSz);
- #endif
- #ifdef WOLFSSL_CIPHER_TEXT_CHECK
- if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) {
- XMEMCPY(ssl->encrypt.sanityCheck, input,
- min(dataSz, sizeof(ssl->encrypt.sanityCheck)));
- }
- #endif
- #ifdef CIPHER_NONCE
- if (ssl->encrypt.nonce == NULL) {
- ssl->encrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ,
- ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- if (ssl->encrypt.nonce != NULL) {
- wc_MemZero_Add("EncryptTls13 nonce", ssl->encrypt.nonce,
- AEAD_NONCE_SZ);
- }
- #endif
- }
- if (ssl->encrypt.nonce == NULL)
- return MEMORY_E;
- BuildTls13Nonce(ssl, ssl->encrypt.nonce, ssl->keys.aead_enc_imp_IV,
- CUR_ORDER);
- #endif
- /* Advance state and proceed */
- ssl->encrypt.state = CIPHER_STATE_DO;
- }
- FALL_THROUGH;
- case CIPHER_STATE_DO:
- {
- switch (ssl->specs.bulk_cipher_algorithm) {
- #ifdef BUILD_AESGCM
- case wolfssl_aes_gcm:
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- asyncDev = &ssl->encrypt.aes->asyncDev;
- ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
- if (ret != 0)
- break;
- #endif
- nonceSz = AESGCM_NONCE_SZ;
- #if defined(HAVE_PK_CALLBACKS)
- ret = NOT_COMPILED_IN;
- if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) {
- ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 1,
- output, input, dataSz,
- ssl->encrypt.nonce, nonceSz,
- output + dataSz, macSz,
- aad, aadSz);
- }
- if (ret == NOT_COMPILED_IN)
- #endif
- {
- #if ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
- (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))
- ret = wc_AesGcmEncrypt(ssl->encrypt.aes, output, input,
- dataSz, ssl->encrypt.nonce, nonceSz,
- output + dataSz, macSz, aad, aadSz);
- #else
- ret = wc_AesGcmSetExtIV(ssl->encrypt.aes,
- ssl->encrypt.nonce, nonceSz);
- if (ret == 0) {
- ret = wc_AesGcmEncrypt_ex(ssl->encrypt.aes, output,
- input, dataSz, ssl->encrypt.nonce, nonceSz,
- output + dataSz, macSz, aad, aadSz);
- }
- #endif
- }
- break;
- #endif
- #ifdef HAVE_AESCCM
- case wolfssl_aes_ccm:
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- asyncDev = &ssl->encrypt.aes->asyncDev;
- ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
- if (ret != 0)
- break;
- #endif
- nonceSz = AESCCM_NONCE_SZ;
- #if defined(HAVE_PK_CALLBACKS)
- ret = NOT_COMPILED_IN;
- if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) {
- ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 1,
- output, input, dataSz,
- ssl->encrypt.nonce, nonceSz,
- output + dataSz, macSz,
- aad, aadSz);
- }
- if (ret == NOT_COMPILED_IN)
- #endif
- {
- #if ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
- (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))
- ret = wc_AesCcmEncrypt(ssl->encrypt.aes, output, input,
- dataSz, ssl->encrypt.nonce, nonceSz,
- output + dataSz, macSz, aad, aadSz);
- #else
- ret = wc_AesCcmSetNonce(ssl->encrypt.aes,
- ssl->encrypt.nonce, nonceSz);
- if (ret == 0) {
- ret = wc_AesCcmEncrypt_ex(ssl->encrypt.aes, output,
- input, dataSz, ssl->encrypt.nonce, nonceSz,
- output + dataSz, macSz, aad, aadSz);
- }
- #endif
- }
- break;
- #endif
- #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
- case wolfssl_chacha:
- ret = ChaCha20Poly1305_Encrypt(ssl, output, input, dataSz,
- ssl->encrypt.nonce, aad, aadSz, output + dataSz);
- break;
- #endif
- #ifdef WOLFSSL_SM4_GCM
- case wolfssl_sm4_gcm:
- nonceSz = SM4_GCM_NONCE_SZ;
- ret = wc_Sm4GcmEncrypt(ssl->encrypt.sm4, output, input,
- dataSz, ssl->encrypt.nonce, nonceSz, output + dataSz,
- macSz, aad, aadSz);
- break;
- #endif
- #ifdef WOLFSSL_SM4_CCM
- case wolfssl_sm4_ccm:
- nonceSz = SM4_CCM_NONCE_SZ;
- ret = wc_Sm4CcmEncrypt(ssl->encrypt.sm4, output, input,
- dataSz, ssl->encrypt.nonce, nonceSz, output + dataSz,
- macSz, aad, aadSz);
- break;
- #endif
- #ifdef HAVE_NULL_CIPHER
- case wolfssl_cipher_null:
- ret = Tls13IntegrityOnly_Encrypt(ssl, output, input, dataSz,
- ssl->encrypt.nonce, aad, aadSz, output + dataSz);
- break;
- #endif
- default:
- WOLFSSL_MSG("wolfSSL Encrypt programming error");
- return ENCRYPT_ERROR;
- }
- /* Advance state */
- ssl->encrypt.state = CIPHER_STATE_END;
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- /* if async is not okay, then block */
- if (!asyncOkay) {
- ret = wc_AsyncWait(ret, asyncDev, event_flags);
- }
- else {
- /* If pending, then leave and return will resume below */
- return wolfSSL_AsyncPush(ssl, asyncDev);
- }
- }
- #endif
- }
- FALL_THROUGH;
- case CIPHER_STATE_END:
- {
- #ifdef WOLFSSL_DEBUG_TLS
- #ifdef CIPHER_NONCE
- WOLFSSL_MSG("Nonce");
- WOLFSSL_BUFFER(ssl->encrypt.nonce, ssl->specs.iv_size);
- #endif
- WOLFSSL_MSG("Encrypted data");
- WOLFSSL_BUFFER(output, dataSz);
- WOLFSSL_MSG("Authentication Tag");
- WOLFSSL_BUFFER(output + dataSz, macSz);
- #endif
- #ifdef WOLFSSL_CIPHER_TEXT_CHECK
- if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
- XMEMCMP(output, ssl->encrypt.sanityCheck,
- min(dataSz, sizeof(ssl->encrypt.sanityCheck))) == 0) {
- WOLFSSL_MSG("EncryptTls13 sanity check failed! Glitch?");
- return ENCRYPT_ERROR;
- }
- ForceZero(ssl->encrypt.sanityCheck,
- sizeof(ssl->encrypt.sanityCheck));
- #endif
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- if ((ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) &&
- (output != input) && (ret == 0)) {
- wc_MemZero_Add("TLS 1.3 Encrypt plaintext", input, sz);
- }
- #endif
- #ifdef CIPHER_NONCE
- ForceZero(ssl->encrypt.nonce, AEAD_NONCE_SZ);
- #endif
- break;
- }
- default:
- break;
- }
- /* Reset state */
- ssl->encrypt.state = CIPHER_STATE_BEGIN;
- return ret;
- }
- #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
- /* Decrypt with ChaCha20 and check authentication tag with Poly1305.
- *
- * ssl The SSL/TLS object.
- * output The buffer to write decrypted data into.
- * May be the same pointer as input.
- * input The data to decrypt.
- * sz The number of bytes to decrypt.
- * nonce The nonce to use with ChaCha20.
- * aad The additional authentication data.
- * aadSz The size of the addition authentication data.
- * tagIn The authentication tag data from packet.
- * returns 0 on success, otherwise failure.
- */
- static int ChaCha20Poly1305_Decrypt(WOLFSSL* ssl, byte* output,
- const byte* input, word16 sz, byte* nonce,
- const byte* aad, word16 aadSz,
- const byte* tagIn)
- {
- int ret;
- byte tag[POLY1305_AUTH_SZ];
- byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */
- /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
- XMEMSET(poly, 0, sizeof(poly));
- /* Set nonce and get Poly1305 key. */
- ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0);
- if (ret != 0)
- return ret;
- /* Use ChaCha20 keystream to get Poly1305 key for tag. */
- ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, poly, sizeof(poly));
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("ChaCha20Poly1305_Decrypt poly", poly, sizeof(poly));
- #endif
- ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 1);
- if (ret != 0) {
- ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(poly, sizeof(poly));
- #endif
- return ret;
- }
- /* Set key for Poly1305. */
- ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));
- ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(poly, sizeof(poly));
- #endif
- if (ret != 0)
- return ret;
- /* Generate authentication tag for encrypted data. */
- if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, aad, aadSz, input, sz, tag,
- sizeof(tag))) != 0) {
- return ret;
- }
- /* Check tag sent along with packet. */
- if (ConstantCompare(tagIn, tag, POLY1305_AUTH_SZ) != 0) {
- WOLFSSL_MSG("MAC did not match");
- return VERIFY_MAC_ERROR;
- }
- /* If the tag was good decrypt message. */
- ret = wc_Chacha_Process(ssl->decrypt.chacha, output, input, sz);
- return ret;
- }
- #endif
- #ifdef HAVE_NULL_CIPHER
- /* Check HMAC tag and copy over input.
- *
- * ssl The SSL/TLS object.
- * output The buffer to copy data into.
- * May be the same pointer as input.
- * input The data.
- * sz The number of bytes of data.
- * nonce The nonce to use with authentication.
- * aad The additional authentication data.
- * aadSz The size of the addition authentication data.
- * tagIn The authentication tag data from packet.
- * returns 0 on success, otherwise failure.
- */
- static int Tls13IntegrityOnly_Decrypt(WOLFSSL* ssl, byte* output,
- const byte* input, word16 sz,
- const byte* nonce,
- const byte* aad, word16 aadSz,
- const byte* tagIn)
- {
- int ret;
- byte hmac[WC_MAX_DIGEST_SIZE];
- /* HMAC: nonce | aad | input */
- ret = wc_HmacUpdate(ssl->decrypt.hmac, nonce, HMAC_NONCE_SZ);
- if (ret == 0)
- ret = wc_HmacUpdate(ssl->decrypt.hmac, aad, aadSz);
- if (ret == 0)
- ret = wc_HmacUpdate(ssl->decrypt.hmac, input, sz);
- if (ret == 0)
- ret = wc_HmacFinal(ssl->decrypt.hmac, hmac);
- /* Check authentication tag matches */
- if (ret == 0 && ConstantCompare(tagIn, hmac, ssl->specs.hash_size) != 0)
- ret = DECRYPT_ERROR;
- /* Copy the input to output if not the same buffer */
- if (ret == 0 && output != input)
- XMEMCPY(output, input, sz);
- return ret;
- }
- #endif
- /* Decrypt data for TLS v1.3.
- *
- * ssl The SSL/TLS object.
- * output The buffer to write decrypted data into.
- * May be the same pointer as input.
- * input The data to decrypt and authentication tag.
- * sz The length of the encrypted data plus authentication tag.
- * aad The additional authentication data.
- * aadSz The size of the addition authentication data.
- * returns 0 on success, otherwise failure.
- */
- int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz,
- const byte* aad, word16 aadSz)
- {
- int ret = 0;
- word16 dataSz = sz - ssl->specs.aead_mac_size;
- word16 macSz = ssl->specs.aead_mac_size;
- word32 nonceSz = 0;
- WOLFSSL_ENTER("DecryptTls13");
- #if defined(WOLFSSL_RENESAS_TSIP_TLS)
- ret = tsip_Tls13AesDecrypt(ssl, output, input, sz);
- if (ret != CRYPTOCB_UNAVAILABLE) {
- #ifndef WOLFSSL_EARLY_DATA
- if (ret < 0) {
- ret = VERIFY_MAC_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- #endif
- return ret;
- }
- #endif
- #ifdef WOLFSSL_ASYNC_CRYPT
- ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state);
- if (ret != WC_NO_PENDING_E) {
- /* check for still pending */
- if (ret == WC_PENDING_E)
- return ret;
- ssl->error = 0; /* clear async */
- /* let failures through so CIPHER_STATE_END logic is run */
- }
- else
- #endif
- {
- /* Reset state */
- ret = 0;
- ssl->decrypt.state = CIPHER_STATE_BEGIN;
- }
- (void)output;
- (void)input;
- (void)sz;
- (void)dataSz;
- (void)macSz;
- (void)nonceSz;
- switch (ssl->decrypt.state) {
- case CIPHER_STATE_BEGIN:
- {
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG("Data to decrypt");
- WOLFSSL_BUFFER(input, dataSz);
- WOLFSSL_MSG("Additional Authentication Data");
- WOLFSSL_BUFFER(aad, aadSz);
- WOLFSSL_MSG("Authentication tag");
- WOLFSSL_BUFFER(input + dataSz, macSz);
- #endif
- #ifdef CIPHER_NONCE
- if (ssl->decrypt.nonce == NULL) {
- ssl->decrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ,
- ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- if (ssl->decrypt.nonce != NULL) {
- wc_MemZero_Add("DecryptTls13 nonce", ssl->decrypt.nonce,
- AEAD_NONCE_SZ);
- }
- #endif
- }
- if (ssl->decrypt.nonce == NULL)
- return MEMORY_E;
- BuildTls13Nonce(ssl, ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV,
- PEER_ORDER);
- #endif
- /* Advance state and proceed */
- ssl->decrypt.state = CIPHER_STATE_DO;
- }
- FALL_THROUGH;
- case CIPHER_STATE_DO:
- {
- switch (ssl->specs.bulk_cipher_algorithm) {
- #ifdef BUILD_AESGCM
- case wolfssl_aes_gcm:
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
- WC_ASYNC_FLAG_NONE);
- if (ret != 0)
- break;
- #endif
- nonceSz = AESGCM_NONCE_SZ;
- #if defined(HAVE_PK_CALLBACKS)
- ret = NOT_COMPILED_IN;
- if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) {
- ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 0,
- output, input, dataSz,
- ssl->decrypt.nonce, nonceSz,
- (byte *)(input + dataSz), macSz,
- aad, aadSz);
- }
- if (ret == NOT_COMPILED_IN)
- #endif
- {
- ret = wc_AesGcmDecrypt(ssl->decrypt.aes, output, input,
- dataSz, ssl->decrypt.nonce, nonceSz,
- input + dataSz, macSz, aad, aadSz);
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl,
- &ssl->decrypt.aes->asyncDev);
- }
- #endif
- }
- break;
- #endif
- #ifdef HAVE_AESCCM
- case wolfssl_aes_ccm:
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* initialize event */
- ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
- WC_ASYNC_FLAG_NONE);
- if (ret != 0)
- break;
- #endif
- nonceSz = AESCCM_NONCE_SZ;
- #if defined(HAVE_PK_CALLBACKS)
- ret = NOT_COMPILED_IN;
- if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) {
- ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 0,
- output, input, dataSz,
- ssl->decrypt.nonce, nonceSz,
- (byte *)(input + dataSz), macSz,
- aad, aadSz);
- }
- if (ret == NOT_COMPILED_IN)
- #endif
- {
- ret = wc_AesCcmDecrypt(ssl->decrypt.aes, output, input,
- dataSz, ssl->decrypt.nonce, nonceSz,
- input + dataSz, macSz, aad, aadSz);
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ret = wolfSSL_AsyncPush(ssl,
- &ssl->decrypt.aes->asyncDev);
- }
- #endif
- }
- break;
- #endif
- #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
- case wolfssl_chacha:
- ret = ChaCha20Poly1305_Decrypt(ssl, output, input, dataSz,
- ssl->decrypt.nonce, aad, aadSz, input + dataSz);
- break;
- #endif
- #ifdef WOLFSSL_SM4_GCM
- case wolfssl_sm4_gcm:
- nonceSz = SM4_GCM_NONCE_SZ;
- ret = wc_Sm4GcmDecrypt(ssl->decrypt.sm4, output, input,
- dataSz, ssl->decrypt.nonce, nonceSz, output + dataSz,
- macSz, aad, aadSz);
- break;
- #endif
- #ifdef WOLFSSL_SM4_CCM
- case wolfssl_sm4_ccm:
- nonceSz = SM4_CCM_NONCE_SZ;
- ret = wc_Sm4CcmDecrypt(ssl->decrypt.sm4, output, input,
- dataSz, ssl->decrypt.nonce, nonceSz, output + dataSz,
- macSz, aad, aadSz);
- break;
- #endif
- #ifdef HAVE_NULL_CIPHER
- case wolfssl_cipher_null:
- ret = Tls13IntegrityOnly_Decrypt(ssl, output, input, dataSz,
- ssl->decrypt.nonce, aad, aadSz, input + dataSz);
- break;
- #endif
- default:
- WOLFSSL_MSG("wolfSSL Decrypt programming error");
- return DECRYPT_ERROR;
- }
- /* Advance state */
- ssl->decrypt.state = CIPHER_STATE_END;
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* If pending, leave now */
- if (ret == WC_PENDING_E) {
- return ret;
- }
- #endif
- }
- FALL_THROUGH;
- case CIPHER_STATE_END:
- {
- #ifdef WOLFSSL_DEBUG_TLS
- #ifdef CIPHER_NONCE
- WOLFSSL_MSG("Nonce");
- WOLFSSL_BUFFER(ssl->decrypt.nonce, ssl->specs.iv_size);
- #endif
- WOLFSSL_MSG("Decrypted data");
- WOLFSSL_BUFFER(output, dataSz);
- #endif
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- if ((ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) &&
- (ret == 0)) {
- wc_MemZero_Add("TLS 1.3 Decrypted data", output, sz);
- }
- #endif
- #ifdef CIPHER_NONCE
- ForceZero(ssl->decrypt.nonce, AEAD_NONCE_SZ);
- #endif
- break;
- }
- default:
- break;
- }
- if (ret < 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- return ret;
- }
- /* Persistable BuildTls13Message arguments */
- typedef struct BuildMsg13Args {
- word32 sz;
- word32 idx;
- word32 headerSz;
- word16 size;
- } BuildMsg13Args;
- static void FreeBuildMsg13Args(WOLFSSL* ssl, void* pArgs)
- {
- BuildMsg13Args* args = (BuildMsg13Args*)pArgs;
- (void)ssl;
- (void)args;
- /* no allocations in BuildTls13Message */
- }
- /* Build SSL Message, encrypted.
- * TLS v1.3 encryption is AEAD only.
- *
- * ssl The SSL/TLS object.
- * output The buffer to write record message to.
- * outSz Size of the buffer being written into.
- * input The record data to encrypt (excluding record header).
- * inSz The size of the record data.
- * type The recorder header content type.
- * hashOutput Whether to hash the unencrypted record data.
- * sizeOnly Only want the size of the record message.
- * asyncOkay If non-zero can return WC_PENDING_E, otherwise blocks on crypto
- * returns the size of the encrypted record message or negative value on error.
- */
- int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
- int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay)
- {
- int ret;
- BuildMsg13Args* args;
- BuildMsg13Args lcl_args;
- WOLFSSL_ENTER("BuildTls13Message");
- #ifdef WOLFSSL_ASYNC_CRYPT
- ret = WC_NO_PENDING_E;
- if (asyncOkay) {
- WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
- if (ssl->async == NULL) {
- ssl->async = (struct WOLFSSL_ASYNC*)
- XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
- DYNAMIC_TYPE_ASYNC);
- if (ssl->async == NULL)
- return MEMORY_E;
- }
- args = (BuildMsg13Args*)ssl->async->args;
- ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState);
- if (ret != WC_NO_PENDING_E) {
- /* Check for error */
- if (ret < 0)
- goto exit_buildmsg;
- }
- }
- else
- #endif
- {
- args = &lcl_args;
- }
- /* Reset state */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_NO_PENDING_E)
- #endif
- {
- ret = 0;
- ssl->options.buildMsgState = BUILD_MSG_BEGIN;
- XMEMSET(args, 0, sizeof(BuildMsg13Args));
- args->headerSz = RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- args->headerSz = Dtls13GetRlHeaderLength(ssl, 1);
- #endif /* WOLFSSL_DTLS13 */
- args->sz = args->headerSz + inSz;
- args->idx = args->headerSz;
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (asyncOkay)
- ssl->async->freeArgs = FreeBuildMsg13Args;
- #endif
- }
- switch (ssl->options.buildMsgState) {
- case BUILD_MSG_BEGIN:
- {
- /* catch mistaken sizeOnly parameter */
- if (sizeOnly) {
- if (output || input) {
- WOLFSSL_MSG("BuildTls13Message with sizeOnly "
- "doesn't need input or output");
- return BAD_FUNC_ARG;
- }
- }
- else if (output == NULL || input == NULL) {
- return BAD_FUNC_ARG;
- }
- /* Record layer content type at the end of record data. */
- args->sz++;
- /* Authentication data at the end. */
- args->sz += ssl->specs.aead_mac_size;
- if (sizeOnly)
- return args->sz;
- if (args->sz > (word32)outSz) {
- WOLFSSL_MSG("Oops, want to write past output buffer size");
- return BUFFER_E;
- }
- /* Record data length. */
- args->size = (word16)(args->sz - args->headerSz);
- /* Write/update the record header with the new size.
- * Always have the content type as application data for encrypted
- * messages in TLS v1.3.
- */
- if (ssl->options.dtls) {
- #ifdef WOLFSSL_DTLS13
- Dtls13RlAddCiphertextHeader(ssl, output, args->size);
- #endif /* WOLFSSL_DTLS13 */
- }
- else {
- AddTls13RecordHeader(output, args->size, application_data, ssl);
- }
- /* TLS v1.3 can do in place encryption. */
- if (input != output + args->idx)
- XMEMCPY(output + args->idx, input, inSz);
- args->idx += inSz;
- ssl->options.buildMsgState = BUILD_MSG_HASH;
- }
- FALL_THROUGH;
- case BUILD_MSG_HASH:
- {
- if (hashOutput) {
- ret = HashOutput(ssl, output, args->headerSz + inSz, 0);
- if (ret != 0)
- goto exit_buildmsg;
- }
- /* The real record content type goes at the end of the data. */
- output[args->idx++] = (byte)type;
- ssl->options.buildMsgState = BUILD_MSG_ENCRYPT;
- }
- FALL_THROUGH;
- case BUILD_MSG_ENCRYPT:
- {
- #ifdef WOLFSSL_QUIC
- if (WOLFSSL_IS_QUIC(ssl)) {
- /* QUIC does not use encryption of the TLS Record Layer.
- * Return the original length + added headers
- * and restore it in the record header. */
- AddTls13RecordHeader(output, inSz, type, ssl);
- ret = args->headerSz + inSz;
- goto exit_buildmsg;
- }
- #endif
- #ifdef ATOMIC_USER
- if (ssl->ctx->MacEncryptCb) {
- /* User Record Layer Callback handling */
- byte* mac = output + args->idx;
- output += args->headerSz;
- ret = ssl->ctx->MacEncryptCb(ssl, mac, output, inSz, type, 0,
- output, output, args->size, ssl->MacEncryptCtx);
- }
- else
- #endif
- {
- const byte* aad = output;
- output += args->headerSz;
- ret = EncryptTls13(ssl, output, output, args->size, aad,
- (word16)args->headerSz, asyncOkay);
- if (ret != 0) {
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret != WC_PENDING_E)
- #endif
- {
- /* Zeroize plaintext. */
- ForceZero(output, args->size);
- }
- }
- #ifdef WOLFSSL_DTLS13
- if (ret == 0 && ssl->options.dtls) {
- /* AAD points to the header. Reuse the variable */
- ret = Dtls13EncryptRecordNumber(ssl, (byte*)aad, (word16)args->sz);
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- break;
- }
- default:
- break;
- }
- exit_buildmsg:
- WOLFSSL_LEAVE("BuildTls13Message", ret);
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- return ret;
- }
- #endif
- /* make sure build message state is reset */
- ssl->options.buildMsgState = BUILD_MSG_BEGIN;
- /* return sz on success */
- if (ret == 0) {
- ret = args->sz;
- }
- else {
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- /* Final cleanup */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (asyncOkay)
- FreeAsyncCtx(ssl, 0);
- else
- #endif
- FreeBuildMsg13Args(ssl, args);
- return ret;
- }
- #if !defined(NO_WOLFSSL_CLIENT) || (!defined(NO_WOLFSSL_SERVER) && \
- (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
- (defined(WOLFSSL_PSK_ONE_ID) || defined(WOLFSSL_PRIORITIZE_PSK)))
- /* Find the cipher suite in the suites set in the SSL.
- *
- * ssl SSL/TLS object.
- * suite Cipher suite to look for.
- * returns 1 when suite is found in SSL/TLS object's list and 0 otherwise.
- */
- int FindSuiteSSL(const WOLFSSL* ssl, byte* suite)
- {
- word16 i;
- const Suites* suites = WOLFSSL_SUITES(ssl);
- for (i = 0; i < suites->suiteSz; i += 2) {
- if (suites->suites[i+0] == suite[0] &&
- suites->suites[i+1] == suite[1]) {
- return 1;
- }
- }
- return 0;
- }
- #endif
- #ifndef NO_PSK
- /* Get the MAC algorithm for the TLS 1.3 cipher suite.
- *
- * @param [in] suite.
- * @return A value from wc_MACAlgorithm enumeration.
- */
- byte SuiteMac(const byte* suite)
- {
- byte mac = no_mac;
- if (suite[0] == TLS13_BYTE) {
- switch (suite[1]) {
- #ifdef BUILD_TLS_AES_128_GCM_SHA256
- case TLS_AES_128_GCM_SHA256:
- mac = sha256_mac;
- break;
- #endif
- #ifdef BUILD_TLS_CHACHA20_POLY1305_SHA256
- case TLS_CHACHA20_POLY1305_SHA256:
- mac = sha256_mac;
- break;
- #endif
- #ifdef BUILD_TLS_AES_128_CCM_SHA256
- case TLS_AES_128_CCM_SHA256:
- mac = sha256_mac;
- break;
- #endif
- #ifdef BUILD_TLS_AES_128_CCM_8_SHA256
- case TLS_AES_128_CCM_8_SHA256:
- mac = sha256_mac;
- break;
- #endif
- #ifdef BUILD_TLS_AES_256_GCM_SHA384
- case TLS_AES_256_GCM_SHA384:
- mac = sha384_mac;
- break;
- #endif
- default:
- break;
- }
- }
- #if (defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)) && \
- defined(WOLFSSL_SM3)
- else if (suite[0] == CIPHER_BYTE) {
- switch (suite[1]) {
- #ifdef BUILD_TLS_SM4_GCM_SM3
- case TLS_SM4_GCM_SM3:
- mac = sm3_mac;
- break;
- #endif
- #ifdef BUILD_TLS_SM4_CCM_SM3
- case TLS_SM4_CCM_SM3:
- mac = sm3_mac;
- break;
- #endif
- default:
- break;
- }
- }
- #endif
- #ifdef HAVE_NULL_CIPHER
- else if (suite[0] == ECC_BYTE) {
- switch (suite[1]) {
- #ifdef BUILD_TLS_SHA256_SHA256
- case TLS_SHA256_SHA256:
- mac = sha256_mac;
- break;
- #endif
- #ifdef BUILD_TLS_SHA384_SHA384
- case TLS_SHA384_SHA384:
- mac = sha384_mac;
- break;
- #endif
- default:
- break;
- }
- }
- #endif
- return mac;
- }
- #endif
- #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
- /* Create Cookie extension using the hash of the first ClientHello.
- *
- * ssl SSL/TLS object.
- * hash The hash data.
- * hashSz The size of the hash data in bytes.
- * returns 0 on success, otherwise failure.
- */
- int CreateCookieExt(const WOLFSSL* ssl, byte* hash, word16 hashSz,
- TLSX** exts, byte cipherSuite0, byte cipherSuite)
- {
- int ret;
- byte mac[WC_MAX_DIGEST_SIZE] = {0};
- Hmac cookieHmac;
- byte cookieType = 0;
- byte macSz = 0;
- byte cookie[OPAQUE8_LEN + WC_MAX_DIGEST_SIZE + OPAQUE16_LEN * 2];
- TLSX* ext;
- word16 cookieSz = 0;
- if (hash == NULL || hashSz == 0) {
- return BAD_FUNC_ARG;
- }
- /* Cookie Data = Hash Len | Hash | CS | KeyShare Group */
- cookie[cookieSz++] = (byte)hashSz;
- XMEMCPY(cookie + cookieSz, hash, hashSz);
- cookieSz += hashSz;
- cookie[cookieSz++] = cipherSuite0;
- cookie[cookieSz++] = cipherSuite;
- if ((ext = TLSX_Find(*exts, TLSX_KEY_SHARE)) != NULL) {
- KeyShareEntry* kse = (KeyShareEntry*)ext->data;
- if (kse == NULL) {
- WOLFSSL_MSG("KeyShareEntry can't be empty when negotiating "
- "parameters");
- return BAD_STATE_E;
- }
- c16toa(kse->group, cookie + cookieSz);
- cookieSz += OPAQUE16_LEN;
- }
- #if !defined(NO_SHA) && defined(NO_SHA256)
- cookieType = SHA;
- macSz = WC_SHA_DIGEST_SIZE;
- #endif /* NO_SHA */
- #ifndef NO_SHA256
- cookieType = WC_SHA256;
- macSz = WC_SHA256_DIGEST_SIZE;
- #endif /* NO_SHA256 */
- ret = wc_HmacInit(&cookieHmac, ssl->heap, INVALID_DEVID);
- if (ret == 0) {
- ret = wc_HmacSetKey(&cookieHmac, cookieType,
- ssl->buffers.tls13CookieSecret.buffer,
- ssl->buffers.tls13CookieSecret.length);
- }
- if (ret == 0)
- ret = wc_HmacUpdate(&cookieHmac, cookie, cookieSz);
- #ifdef WOLFSSL_DTLS13
- /* Tie cookie to peer address */
- if (ret == 0) {
- if (ssl->options.dtls && ssl->buffers.dtlsCtx.peer.sz > 0) {
- ret = wc_HmacUpdate(&cookieHmac,
- (byte*)ssl->buffers.dtlsCtx.peer.sa,
- ssl->buffers.dtlsCtx.peer.sz);
- }
- }
- #endif
- if (ret == 0)
- ret = wc_HmacFinal(&cookieHmac, mac);
- wc_HmacFree(&cookieHmac);
- if (ret != 0)
- return ret;
- /* The cookie data is the hash and the integrity check. */
- return TLSX_Cookie_Use(ssl, cookie, cookieSz, mac, macSz, 1, exts);
- }
- #endif
- #ifdef WOLFSSL_DTLS13
- #define HRR_MAX_HS_HEADER_SZ DTLS_HANDSHAKE_HEADER_SZ
- #else
- #define HRR_MAX_HS_HEADER_SZ HANDSHAKE_HEADER_SZ
- #endif /* WOLFSSL_DTLS13 */
- static int CreateCookie(const WOLFSSL* ssl, byte** hash, byte* hashSz,
- Hashes* hashes, TLSX** exts)
- {
- int ret = 0;
- (void)exts;
- *hash = NULL;
- switch (ssl->specs.mac_algorithm) {
- #ifndef NO_SHA256
- case sha256_mac:
- *hash = hashes->sha256;
- break;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- *hash = hashes->sha384;
- break;
- #endif
- #ifdef WOLFSSL_TLS13_SHA512
- case sha512_mac:
- *hash = hashes->sha512;
- break;
- #endif
- #ifdef WOLFSSL_SM3
- case sm3_mac:
- *hash = hashes->sm3;
- break;
- #endif
- }
- *hashSz = ssl->specs.hash_size;
- /* check hash */
- if (*hash == NULL && *hashSz > 0)
- return BAD_FUNC_ARG;
- #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
- if (ssl->options.sendCookie && ssl->options.side == WOLFSSL_SERVER_END)
- ret = CreateCookieExt(ssl, *hash, *hashSz, exts,
- ssl->options.cipherSuite0, ssl->options.cipherSuite);
- #endif
- return ret;
- }
- /* Restart the handshake hash with a hash of the previous messages.
- *
- * ssl The SSL/TLS object.
- * returns 0 on success, otherwise failure.
- */
- int RestartHandshakeHash(WOLFSSL* ssl)
- {
- int ret;
- byte header[HANDSHAKE_HEADER_SZ] = {0};
- Hashes hashes;
- byte* hash = NULL;
- byte hashSz = 0;
- ret = BuildCertHashes(ssl, &hashes);
- if (ret != 0)
- return ret;
- ret = CreateCookie(ssl, &hash, &hashSz, &hashes, &ssl->extensions);
- if (ret != 0)
- return ret;
- #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
- if (ssl->options.sendCookie && ssl->options.side == WOLFSSL_SERVER_END)
- return 0;
- #endif
- AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl);
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG("Restart Hash");
- WOLFSSL_BUFFER(hash, hashSz);
- #endif
- ret = InitHandshakeHashes(ssl);
- if (ret != 0)
- return ret;
- ret = HashRaw(ssl, header, sizeof(header));
- if (ret != 0)
- return ret;
- return HashRaw(ssl, hash, hashSz);
- }
- #if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)
- /* The value in the random field of a ServerHello to indicate
- * HelloRetryRequest.
- */
- static byte helloRetryRequestRandom[] = {
- 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
- 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
- 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
- 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
- };
- #endif
- #ifndef NO_WOLFSSL_CLIENT
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- #if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_PSK_ONE_ID) && \
- !defined(NO_PSK)
- /**
- * convert mac algorithm to WOLFSSL_EVP_MD
- * @param mac_alg mac algorithm
- * @return const WOLFSSL_EVP_MD on successful, otherwise NULL
- */
- static const WOLFSSL_EVP_MD* ssl_handshake_md(const byte mac_alg)
- {
- switch(mac_alg) {
- case no_mac:
- #ifndef NO_MD5
- case md5_mac:
- return wolfSSL_EVP_md5();
- #endif
- #ifndef NO_SHA
- case sha_mac:
- return wolfSSL_EVP_sha1();
- #endif
- #ifdef WOLFSSL_SHA224
- case sha224_mac:
- return wolfSSL_EVP_sha224();
- #endif
- case sha256_mac:
- return wolfSSL_EVP_sha256();
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- return wolfSSL_EVP_sha384();
- #endif
- #ifdef WOLFSSL_SHA512
- case sha512_mac:
- return wolfSSL_EVP_sha512();
- #endif
- case rmd_mac:
- case blake2b_mac:
- WOLFSSL_MSG("no suitable EVP_MD");
- return NULL;
- default:
- WOLFSSL_MSG("Unknown mac algorithm");
- return NULL;
- }
- }
- #endif
- /* Setup pre-shared key based on the details in the extension data.
- *
- * ssl SSL/TLS object.
- * psk Pre-shared key extension data.
- * clientHello Whether called from client_hello construction.
- * returns 0 on success, PSK_KEY_ERROR when the client PSK callback fails and
- * other negative value on failure.
- */
- static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk, int clientHello)
- {
- #if defined(HAVE_SESSION_TICKET) || !defined(WOLFSSL_PSK_ONE_ID)
- int ret;
- #endif
- byte suite[2];
- if (psk == NULL)
- return BAD_FUNC_ARG;
- if (!HaveUniqueSessionObj(ssl)) {
- WOLFSSL_MSG("Unable to have unique session object");
- WOLFSSL_ERROR_VERBOSE(MEMORY_ERROR);
- return MEMORY_ERROR;
- }
- suite[0] = ssl->options.cipherSuite0;
- suite[1] = ssl->options.cipherSuite;
- #ifdef HAVE_SESSION_TICKET
- if (psk->resumption) {
- if (clientHello) {
- suite[0] = psk->cipherSuite0;
- suite[1] = psk->cipherSuite;
- /* Ensure cipher suite is supported or changed suite to one with
- * the same MAC algorithm. */
- if (!FindSuiteSSL(ssl, suite)) {
- WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
- return PSK_KEY_ERROR;
- }
- ssl->options.cipherSuite0 = suite[0];
- ssl->options.cipherSuite = suite[1];
- /* Setting mac for binder and keys for deriving EarlyData. */
- ret = SetCipherSpecs(ssl);
- if (ret != 0)
- return ret;
- }
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->session->maxEarlyDataSz == 0)
- ssl->earlyData = no_early_data;
- #endif
- /* Resumption PSK is master secret. */
- ssl->arrays->psk_keySz = ssl->specs.hash_size;
- if ((ret = DeriveResumptionPSK(ssl, ssl->session->ticketNonce.data,
- ssl->session->ticketNonce.len, ssl->arrays->psk_key)) != 0) {
- return ret;
- }
- if (!clientHello) {
- /* CLIENT: using secret in ticket for peer authentication. */
- ssl->options.peerAuthGood = 1;
- }
- }
- #endif
- #ifndef NO_PSK
- if (!psk->resumption) {
- /* Get the pre-shared key. */
- #ifndef WOLFSSL_PSK_ONE_ID
- const char* cipherName = NULL;
- #ifdef OPENSSL_EXTRA
- WOLFSSL_SESSION* psksession = NULL;
- #endif
- /* Set the client identity to use. */
- XMEMSET(ssl->arrays->client_identity, 0,
- sizeof(ssl->arrays->client_identity));
- XMEMCPY(ssl->arrays->client_identity, psk->identity, psk->identityLen);
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG("PSK cipher suite:");
- WOLFSSL_MSG(GetCipherNameInternal(psk->cipherSuite0, psk->cipherSuite));
- #endif
- /* Get the pre-shared key. */
- #ifdef OPENSSL_EXTRA
- if (ssl->options.session_psk_cb != NULL) {
- const unsigned char* id = NULL;
- size_t idlen = 0;
- const WOLFSSL_EVP_MD* handshake_md = NULL;
- if (ssl->msgsReceived.got_hello_retry_request >= 1) {
- handshake_md = ssl_handshake_md(ssl->specs.mac_algorithm);
- }
- /* OpenSSL compatible callback that gets cached session. */
- if (ssl->options.session_psk_cb(ssl, handshake_md, &id, &idlen,
- &psksession) == 0) {
- wolfSSL_FreeSession(ssl->ctx, psksession);
- WOLFSSL_MSG("psk session callback failed");
- return PSK_KEY_ERROR;
- }
- if (psksession != NULL) {
- if (idlen > MAX_PSK_KEY_LEN) {
- wolfSSL_FreeSession(ssl->ctx, psksession);
- WOLFSSL_MSG("psk key length is too long");
- WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
- return PSK_KEY_ERROR;
- }
- ssl->arrays->psk_keySz = (word32)idlen;
- XMEMCPY(ssl->arrays->psk_key, id, idlen);
- suite[0] = psksession->cipherSuite0;
- suite[1] = psksession->cipherSuite;
- /* Not needed anymore. */
- wolfSSL_FreeSession(ssl->ctx, psksession);
- /* Leave pointer not NULL to indicate success with callback. */
- }
- }
- if (psksession != NULL) {
- /* Don't try other callbacks - we have an answer. */
- }
- else
- #endif /* OPENSSL_EXTRA */
- if (ssl->options.client_psk_cs_cb != NULL) {
- #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS
- ssl->arrays->client_identity[0] = 0;
- #endif
- /* Lookup key again for next identity. */
- ssl->arrays->psk_keySz = ssl->options.client_psk_cs_cb(
- ssl, ssl->arrays->server_hint,
- ssl->arrays->client_identity, MAX_PSK_ID_LEN,
- ssl->arrays->psk_key, MAX_PSK_KEY_LEN,
- GetCipherNameInternal(psk->cipherSuite0, psk->cipherSuite));
- if (clientHello) {
- /* Use PSK cipher suite. */
- ssl->options.cipherSuite0 = psk->cipherSuite0;
- ssl->options.cipherSuite = psk->cipherSuite;
- }
- else {
- byte pskCS[2];
- pskCS[0] = psk->cipherSuite0;
- pskCS[1] = psk->cipherSuite;
- /* Ensure PSK and negotiated cipher suites have same hash. */
- if (SuiteMac(pskCS) != SuiteMac(suite)) {
- WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
- return PSK_KEY_ERROR;
- }
- /* Negotiated cipher suite is to be used - update PSK. */
- psk->cipherSuite0 = suite[0];
- psk->cipherSuite = suite[1];
- }
- }
- else if (ssl->options.client_psk_tls13_cb != NULL) {
- byte cipherSuite0;
- byte cipherSuite;
- int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE;
- ssl->arrays->psk_keySz = ssl->options.client_psk_tls13_cb(ssl,
- ssl->arrays->server_hint, ssl->arrays->client_identity,
- MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN,
- &cipherName);
- if (GetCipherSuiteFromName(cipherName, &cipherSuite0,
- &cipherSuite, &cipherSuiteFlags) != 0) {
- WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
- return PSK_KEY_ERROR;
- }
- ssl->options.cipherSuite0 = cipherSuite0;
- ssl->options.cipherSuite = cipherSuite;
- (void)cipherSuiteFlags;
- }
- else {
- ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
- ssl->arrays->server_hint, ssl->arrays->client_identity,
- MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
- ssl->options.cipherSuite0 = TLS13_BYTE;
- ssl->options.cipherSuite = WOLFSSL_DEF_PSK_CIPHER;
- }
- if (ssl->arrays->psk_keySz == 0 ||
- ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
- WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
- return PSK_KEY_ERROR;
- }
- ret = SetCipherSpecs(ssl);
- if (ret != 0)
- return ret;
- #else
- /* PSK information loaded during setting of default TLS extensions. */
- #endif /* !WOLFSSL_PSK_ONE_ID */
- if (!clientHello && (psk->cipherSuite0 != suite[0] ||
- psk->cipherSuite != suite[1])) {
- WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
- return PSK_KEY_ERROR;
- }
- if (!clientHello) {
- /* CLIENT: using PSK for peer authentication. */
- ssl->options.peerAuthGood = 1;
- }
- }
- #endif
- if (ssl->options.noPskDheKe) {
- ssl->arrays->preMasterSz = 0;
- }
- /* Derive the early secret using the PSK. */
- return DeriveEarlySecret(ssl);
- }
- /* Derive and write the binders into the ClientHello in space left when
- * writing the Pre-Shared Key extension.
- *
- * ssl The SSL/TLS object.
- * output The buffer containing the ClientHello.
- * idx The index at the end of the completed ClientHello.
- * returns 0 on success and otherwise failure.
- */
- static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx)
- {
- int ret;
- TLSX* ext;
- PreSharedKey* current;
- byte binderKey[WC_MAX_DIGEST_SIZE];
- word16 len;
- WOLFSSL_ENTER("WritePSKBinders");
- ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
- if (ext == NULL)
- return SANITY_MSG_E;
- /* Get the size of the binders to determine where to write binders. */
- ret = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
- client_hello, &len);
- if (ret < 0)
- return ret;
- idx -= len;
- /* Hash truncated ClientHello - up to binders. */
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- ret = Dtls13HashHandshake(ssl, output + Dtls13GetRlHeaderLength(ssl, 0),
- idx - Dtls13GetRlHeaderLength(ssl, 0));
- else
- #endif /* WOLFSSL_DTLS13 */
- ret = HashOutput(ssl, output, idx, 0);
- if (ret != 0)
- return ret;
- current = (PreSharedKey*)ext->data;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- if (current != NULL) {
- wc_MemZero_Add("WritePSKBinders binderKey", binderKey,
- sizeof(binderKey));
- }
- #endif
- /* Calculate the binder for each identity based on previous handshake data.
- */
- while (current != NULL) {
- if ((ret = SetupPskKey(ssl, current, 1)) != 0)
- break;
- #ifdef HAVE_SESSION_TICKET
- if (current->resumption)
- ret = DeriveBinderKeyResume(ssl, binderKey);
- #endif
- #ifndef NO_PSK
- if (!current->resumption)
- ret = DeriveBinderKey(ssl, binderKey);
- #endif
- if (ret != 0)
- break;
- /* Derive the Finished message secret. */
- ret = DeriveFinishedSecret(ssl, binderKey,
- ssl->keys.client_write_MAC_secret,
- 0 /* neither end */);
- if (ret != 0)
- break;
- /* Build the HMAC of the handshake message data = binder. */
- ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret,
- current->binder, ¤t->binderLen);
- if (ret != 0)
- break;
- current = current->next;
- }
- ForceZero(binderKey, sizeof(binderKey));
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(binderKey, sizeof(binderKey));
- #endif
- if (ret != 0)
- return ret;
- /* Data entered into extension, now write to message. */
- ret = TLSX_PreSharedKey_WriteBinders((PreSharedKey*)ext->data, output + idx,
- client_hello, &len);
- if (ret < 0)
- return ret;
- /* Hash binders to complete the hash of the ClientHello. */
- ret = HashRaw(ssl, output + idx, len);
- if (ret < 0)
- return ret;
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->earlyData != no_early_data) {
- if ((ret = SetupPskKey(ssl, (PreSharedKey*)ext->data, 1)) != 0)
- return ret;
- /* Derive early data encryption key. */
- ret = DeriveTls13Keys(ssl, early_data_key, ENCRYPT_SIDE_ONLY, 1);
- if (ret != 0)
- return ret;
- if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
- return ret;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- ret = Dtls13NewEpoch(
- ssl, w64From32(0x0, DTLS13_EPOCH_EARLYDATA), ENCRYPT_SIDE_ONLY);
- if (ret != 0)
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- #endif
- WOLFSSL_LEAVE("WritePSKBinders", ret);
- return ret;
- }
- #endif
- #if defined(HAVE_ECH)
- /* returns the index of the first supported cipher suite, -1 if none */
- int EchConfigGetSupportedCipherSuite(WOLFSSL_EchConfig* config)
- {
- int i, j, supported = 0;
- for (i = 0; i < config->numCipherSuites; i++) {
- supported = 0;
- for (j = 0; j < HPKE_SUPPORTED_KDF_LEN; j++) {
- if (config->cipherSuites[i].kdfId == hpkeSupportedKdf[j])
- break;
- }
- if (j < HPKE_SUPPORTED_KDF_LEN)
- for (j = 0; j < HPKE_SUPPORTED_AEAD_LEN; j++) {
- if (config->cipherSuites[i].aeadId == hpkeSupportedAead[j]) {
- supported = 1;
- break;
- }
- }
- if (supported)
- return i;
- }
- return -1;
- }
- /* returns status after we hash the ech inner */
- static int EchHashHelloInner(WOLFSSL* ssl, WOLFSSL_ECH* ech)
- {
- int ret;
- HS_Hashes* tmpHashes;
- byte falseHeader[HANDSHAKE_HEADER_SZ];
- if (ssl == NULL || ech == NULL)
- return BAD_FUNC_ARG;
- /* switch hsHashes to the ech version */
- InitHandshakeHashesAndCopy(ssl, ssl->hsHashes, &ssl->hsHashesEch);
- /* swap hsHashes so the regular hash functions work */
- tmpHashes = ssl->hsHashes;
- ssl->hsHashes = ssl->hsHashesEch;
- /* do the handshake header then the body */
- AddTls13HandShakeHeader(falseHeader,
- ech->innerClientHelloLen - ech->paddingLen - ech->hpke->Nt, 0, 0,
- client_hello, ssl);
- ret = HashRaw(ssl, falseHeader, HANDSHAKE_HEADER_SZ);
- /* hash the body */
- if (ret == 0) {
- ret = HashRaw(ssl, ech->innerClientHello,
- ech->innerClientHelloLen - ech->paddingLen - ech->hpke->Nt);
- }
- /* swap hsHashes back */
- ssl->hsHashes = tmpHashes;
- return ret;
- }
- #endif
- static void GetTls13SessionId(WOLFSSL* ssl, byte* output, word32* idx)
- {
- if (ssl->session->sessionIDSz > 0) {
- /* Session resumption for old versions of protocol. */
- if (ssl->session->sessionIDSz <= ID_LEN) {
- if (output != NULL)
- output[*idx] = ssl->session->sessionIDSz;
- (*idx)++;
- if (output != NULL) {
- XMEMCPY(output + *idx, ssl->session->sessionID,
- ssl->session->sessionIDSz);
- }
- *idx += ssl->session->sessionIDSz;
- }
- else {
- /* Invalid session ID length. Reset it. */
- ssl->session->sessionIDSz = 0;
- if (output != NULL)
- output[*idx] = 0;
- (*idx)++;
- }
- }
- else {
- #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
- if (ssl->options.tls13MiddleBoxCompat) {
- if (output != NULL)
- output[*idx] = ID_LEN;
- (*idx)++;
- if (output != NULL)
- XMEMCPY(output + *idx, ssl->arrays->clientRandom, ID_LEN);
- *idx += ID_LEN;
- }
- else
- #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */
- {
- /* TLS v1.3 does not use session id - 0 length. */
- if (output != NULL)
- output[*idx] = 0;
- (*idx)++;
- }
- }
- }
- /* handle generation of TLS 1.3 client_hello (1) */
- /* Send a ClientHello message to the server.
- * Include the information required to start a handshake with servers using
- * protocol versions less than TLS v1.3.
- * Only a client will send this message.
- *
- * ssl The SSL/TLS object.
- * returns 0 on success and otherwise failure.
- */
- typedef struct Sch13Args {
- byte* output;
- word32 idx;
- int sendSz;
- word16 length;
- #if defined(HAVE_ECH)
- int clientRandomOffset;
- int preXLength;
- WOLFSSL_ECH* ech;
- #endif
- } Sch13Args;
- int SendTls13ClientHello(WOLFSSL* ssl)
- {
- int ret;
- #ifdef WOLFSSL_ASYNC_CRYPT
- Sch13Args* args = NULL;
- WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
- #else
- Sch13Args args[1];
- #endif
- byte major, tls12minor;
- const Suites* suites;
- WOLFSSL_START(WC_FUNC_CLIENT_HELLO_SEND);
- WOLFSSL_ENTER("SendTls13ClientHello");
- if (ssl == NULL) {
- return BAD_FUNC_ARG;
- }
- ssl->options.buildingMsg = 1;
- major = SSLv3_MAJOR;
- tls12minor = TLSv1_2_MINOR;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- major = DTLS_MAJOR;
- tls12minor = DTLSv1_2_MINOR;
- }
- #endif /* WOLFSSL_DTLS */
- #ifdef HAVE_SESSION_TICKET
- if (ssl->options.resuming &&
- (ssl->session->version.major != ssl->version.major ||
- ssl->session->version.minor != ssl->version.minor)) {
- #ifndef WOLFSSL_NO_TLS12
- if (ssl->session->version.major == ssl->version.major &&
- ssl->session->version.minor < ssl->version.minor) {
- /* Cannot resume with a different protocol version. */
- ssl->options.resuming = 0;
- ssl->version.major = ssl->session->version.major;
- ssl->version.minor = ssl->session->version.minor;
- return SendClientHello(ssl);
- }
- else
- #endif
- {
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- }
- #endif
- suites = WOLFSSL_SUITES(ssl);
- if (suites == NULL) {
- WOLFSSL_MSG("Bad suites pointer in SendTls13ClientHello");
- return SUITES_ERROR;
- }
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->async == NULL) {
- ssl->async = (struct WOLFSSL_ASYNC*)
- XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
- DYNAMIC_TYPE_ASYNC);
- if (ssl->async == NULL)
- return MEMORY_E;
- ssl->async->freeArgs = NULL;
- }
- args = (Sch13Args*)ssl->async->args;
- ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
- if (ret != WC_NO_PENDING_E) {
- /* Check for error */
- if (ret < 0)
- return ret;
- }
- else
- #endif
- {
- /* Reset state */
- ssl->options.asyncState = TLS_ASYNC_BEGIN;
- XMEMSET(args, 0, sizeof(Sch13Args));
- }
- switch (ssl->options.asyncState) {
- case TLS_ASYNC_BEGIN:
- {
- word32 sessIdSz = 0;
- args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- #endif /* WOLFSSL_DTLS13 */
- /* Version | Random | Cipher Suites | Compression */
- args->length = VERSION_SZ + RAN_LEN + suites->suiteSz +
- SUITE_LEN + COMP_LEN + ENUM_LEN;
- #ifdef WOLFSSL_QUIC
- if (WOLFSSL_IS_QUIC(ssl)) {
- /* RFC 9001 ch. 8.4 sessionID in ClientHello MUST be 0 length */
- ssl->session->sessionIDSz = 0;
- ssl->options.tls13MiddleBoxCompat = 0;
- }
- #endif
- GetTls13SessionId(ssl, NULL, &sessIdSz);
- args->length += (word16)sessIdSz;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- /* legacy_cookie_id len */
- args->length += ENUM_LEN;
- /* server sent us an HelloVerifyRequest and we allow downgrade */
- if (ssl->arrays->cookieSz > 0 && ssl->options.downgrade)
- args->length += ssl->arrays->cookieSz;
- }
- #endif /* WOLFSSL_DTLS13 */
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_BUILD;
- } /* case TLS_ASYNC_BEGIN */
- FALL_THROUGH;
- case TLS_ASYNC_BUILD:
- case TLS_ASYNC_DO:
- {
- /* Auto populate extensions supported unless user defined. */
- if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0)
- return ret;
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_FINALIZE;
- } /* case TLS_ASYNC_BUILD */
- FALL_THROUGH;
- case TLS_ASYNC_FINALIZE:
- {
- #ifdef WOLFSSL_EARLY_DATA
- #ifndef NO_PSK
- if (!ssl->options.resuming &&
- ssl->options.client_psk_tls13_cb == NULL &&
- ssl->options.client_psk_cb == NULL)
- #else
- if (!ssl->options.resuming)
- #endif
- ssl->earlyData = no_early_data;
- if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE)
- ssl->earlyData = no_early_data;
- if (ssl->earlyData == no_early_data)
- TLSX_Remove(&ssl->extensions, TLSX_EARLY_DATA, ssl->heap);
- if (ssl->earlyData != no_early_data &&
- (ret = TLSX_EarlyData_Use(ssl, 0, 0)) < 0) {
- return ret;
- }
- #endif
- #ifdef WOLFSSL_QUIC
- if (WOLFSSL_IS_QUIC(ssl) && IsAtLeastTLSv1_3(ssl->version)) {
- ret = wolfSSL_quic_add_transport_extensions(ssl, client_hello);
- if (ret != 0)
- return ret;
- }
- #endif
- /* find length of outer and inner */
- #if defined(HAVE_ECH)
- if (ssl->options.useEch == 1) {
- TLSX* echX = TLSX_Find(ssl->extensions, TLSX_ECH);
- if (echX == NULL)
- return -1;
- args->ech = (WOLFSSL_ECH*)echX->data;
- if (args->ech == NULL)
- return -1;
- /* set the type to inner */
- args->ech->type = ECH_TYPE_INNER;
- args->preXLength = args->length;
- /* get size for inner */
- ret = TLSX_GetRequestSize(ssl, client_hello, &args->length);
- if (ret != 0)
- return ret;
- /* set the type to outer */
- args->ech->type = 0;
- /* set innerClientHelloLen to ClientHelloInner + padding + tag */
- args->ech->paddingLen = 31 - ((args->length - 1) % 32);
- args->ech->innerClientHelloLen = args->length +
- args->ech->paddingLen + args->ech->hpke->Nt;
- /* set the length back to before we computed ClientHelloInner size */
- args->length = args->preXLength;
- }
- #endif
- /* Include length of TLS extensions. */
- ret = TLSX_GetRequestSize(ssl, client_hello, &args->length);
- if (ret != 0)
- return ret;
- /* Total message size. */
- args->sendSz = args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- #endif /* WOLFSSL_DTLS13 */
- /* Check buffers are big enough and grow if needed. */
- if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0)
- return ret;
- /* Get position in output buffer to write new message to. */
- args->output = GetOutputBuffer(ssl);
- /* Put the record and handshake headers on. */
- AddTls13Headers(args->output, args->length, client_hello, ssl);
- /* Protocol version - negotiation now in extension: supported_versions. */
- args->output[args->idx++] = major;
- args->output[args->idx++] = tls12minor;
- /* Keep for downgrade. */
- ssl->chVersion = ssl->version;
- if (ssl->arrays == NULL) {
- return BAD_FUNC_ARG;
- }
- /* Client Random */
- if (ssl->options.connectState == CONNECT_BEGIN) {
- ret = wc_RNG_GenerateBlock(ssl->rng, args->output + args->idx, RAN_LEN);
- if (ret != 0)
- return ret;
- /* Store random for possible second ClientHello. */
- XMEMCPY(ssl->arrays->clientRandom, args->output + args->idx, RAN_LEN);
- }
- else
- XMEMCPY(args->output + args->idx, ssl->arrays->clientRandom, RAN_LEN);
- #if defined(HAVE_ECH)
- args->clientRandomOffset = args->idx;
- #endif
- args->idx += RAN_LEN;
- GetTls13SessionId(ssl, args->output, &args->idx);
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- args->output[args->idx++] = ssl->arrays->cookieSz;
- if (ssl->arrays->cookieSz > 0) {
- /* We have a cookie saved, so the server sent us an
- * HelloVerifyRequest, it means it is a v1.2 server */
- if (!ssl->options.downgrade)
- return VERSION_ERROR;
- XMEMCPY(args->output + args->idx, ssl->arrays->cookie,
- ssl->arrays->cookieSz);
- args->idx += ssl->arrays->cookieSz;
- }
- }
- #endif /* WOLFSSL_DTLS13 */
- /* Cipher suites */
- c16toa(suites->suiteSz, args->output + args->idx);
- args->idx += OPAQUE16_LEN;
- XMEMCPY(args->output + args->idx, &suites->suites,
- suites->suiteSz);
- args->idx += suites->suiteSz;
- #ifdef WOLFSSL_DEBUG_TLS
- {
- int ii;
- WOLFSSL_MSG("Ciphers:");
- for (ii = 0 ; ii < suites->suiteSz; ii += 2) {
- WOLFSSL_MSG(GetCipherNameInternal(suites->suites[ii+0],
- suites->suites[ii+1]));
- }
- }
- #endif
- /* Compression not supported in TLS v1.3. */
- args->output[args->idx++] = COMP_LEN;
- args->output[args->idx++] = NO_COMPRESSION;
- #if defined(HAVE_ECH)
- /* write inner then outer */
- if (ssl->options.useEch == 1) {
- /* set the type to inner */
- args->ech->type = ECH_TYPE_INNER;
- /* allocate the inner */
- args->ech->innerClientHello =
- (byte*)XMALLOC(args->ech->innerClientHelloLen - args->ech->hpke->Nt,
- ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
- if (args->ech->innerClientHello == NULL)
- return MEMORY_E;
- /* set the padding bytes to 0 */
- XMEMSET(args->ech->innerClientHello + args->ech->innerClientHelloLen -
- args->ech->hpke->Nt - args->ech->paddingLen, 0,
- args->ech->paddingLen);
- /* copy the client hello to the ech innerClientHello, exclude record */
- /* and handshake headers */
- XMEMCPY(args->ech->innerClientHello,
- args->output + RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ,
- args->idx - (RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ));
- /* copy the client random to inner */
- XMEMCPY(ssl->arrays->clientRandomInner, ssl->arrays->clientRandom,
- RAN_LEN);
- /* change the outer client random */
- ret = wc_RNG_GenerateBlock(ssl->rng, args->output +
- args->clientRandomOffset, RAN_LEN);
- if (ret != 0)
- return ret;
- /* copy the new client random */
- XMEMCPY(ssl->arrays->clientRandom, args->output +
- args->clientRandomOffset, RAN_LEN);
- /* write the extensions for inner */
- args->length = 0;
- ret = TLSX_WriteRequest(ssl, args->ech->innerClientHello + args->idx -
- (RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ), client_hello,
- &args->length);
- if (ret != 0)
- return ret;
- /* set the type to outer */
- args->ech->type = 0;
- }
- #endif
- /* Write out extensions for a request. */
- args->length = 0;
- ret = TLSX_WriteRequest(ssl, args->output + args->idx, client_hello,
- &args->length);
- if (ret != 0)
- return ret;
- args->idx += args->length;
- #if defined(HAVE_ECH)
- /* encrypt and pack the ech innerClientHello */
- if (ssl->options.useEch == 1) {
- ret = TLSX_FinalizeEch(args->ech,
- args->output + RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ,
- args->sendSz - (RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ));
- if (ret != 0)
- return ret;
- }
- #endif
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- /* Resumption has a specific set of extensions and binder is calculated
- * for each identity.
- */
- if (TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY)) {
- ret = WritePSKBinders(ssl, args->output, args->idx);
- }
- else
- #endif
- {
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- ret = Dtls13HashHandshake(ssl,
- args->output + Dtls13GetRlHeaderLength(ssl, 0),
- (word16)args->idx - Dtls13GetRlHeaderLength(ssl, 0));
- else
- #endif /* WOLFSSL_DTLS13 */
- {
- #if defined(HAVE_ECH)
- /* compute the inner hash */
- if (ssl->options.useEch == 1) {
- ret = EchHashHelloInner(ssl, args->ech);
- }
- #endif
- /* compute the outer hash */
- if (ret == 0)
- ret = HashOutput(ssl, args->output, args->idx, 0);
- }
- }
- if (ret != 0)
- return ret;
- ssl->options.clientState = CLIENT_HELLO_COMPLETE;
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "ClientHello", handshake, args->output,
- args->sendSz, WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->options.buildingMsg = 0;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- ret = Dtls13HandshakeSend(ssl, args->output, (word16)args->sendSz,
- (word16)args->idx, client_hello, 0);
- break;
- }
- #endif /* WOLFSSL_DTLS13 */
- ssl->buffers.outputBuffer.length += args->sendSz;
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_END;
- }
- /* case TLS_ASYNC_BUILD */
- FALL_THROUGH;
- case TLS_ASYNC_END:
- {
- #ifdef WOLFSSL_EARLY_DATA_GROUP
- /* QUIC needs to forward records at their encryption level
- * and is therefore unable to group here */
- if (ssl->earlyData == no_early_data || WOLFSSL_IS_QUIC(ssl))
- #endif
- ret = SendBuffered(ssl);
- break;
- }
- default:
- ret = INPUT_CASE_ERROR;
- } /* switch (ssl->options.asyncState) */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == 0)
- FreeAsyncCtx(ssl, 0);
- #endif
- WOLFSSL_LEAVE("SendTls13ClientHello", ret);
- WOLFSSL_END(WC_FUNC_CLIENT_HELLO_SEND);
- return ret;
- }
- #if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_CLIENT)
- static int Dtls13DoDowngrade(WOLFSSL* ssl)
- {
- int ret;
- if (ssl->dtls13ClientHello == NULL)
- return BAD_STATE_E;
- /* v1.3 and v1.2 hash messages to compute the transcript hash. When we are
- * using DTLSv1.3 we hash the first clientHello following v1.3 but the
- * server can negotiate a lower version. So we need to re-hash the
- * clientHello to adhere to DTLS <= v1.2 rules. */
- ret = InitHandshakeHashes(ssl);
- if (ret != 0)
- return ret;
- ret = HashRaw(ssl, ssl->dtls13ClientHello, ssl->dtls13ClientHelloSz);
- XFREE(ssl->dtls13ClientHello, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
- ssl->dtls13ClientHello = NULL;
- ssl->dtls13ClientHelloSz = 0;
- ssl->keys.dtls_sequence_number_hi =
- (word16)w64GetHigh32(ssl->dtls13EncryptEpoch->nextSeqNumber);
- ssl->keys.dtls_sequence_number_lo =
- w64GetLow32(ssl->dtls13EncryptEpoch->nextSeqNumber);
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 && !WOLFSSL_NO_CLIENT*/
- #if defined(HAVE_ECH)
- /* check if the server accepted ech or not */
- static int EchCheckAcceptance(WOLFSSL* ssl, const byte* input,
- int serverRandomOffset, int helloSz)
- {
- int ret = 0;
- int digestType;
- int digestSize;
- HS_Hashes* tmpHashes;
- HS_Hashes* acceptHashes;
- byte zeros[WC_MAX_DIGEST_SIZE] = {0};
- byte transcriptEchConf[WC_MAX_DIGEST_SIZE];
- byte expandLabelPrk[WC_MAX_DIGEST_SIZE];
- byte acceptConfirmation[ECH_ACCEPT_CONFIRMATION_SZ];
- /* copy ech hashes to accept */
- ret = InitHandshakeHashesAndCopy(ssl, ssl->hsHashesEch, &acceptHashes);
- /* swap hsHashes to acceptHashes */
- tmpHashes = ssl->hsHashes;
- ssl->hsHashes = acceptHashes;
- /* hash up to the last 8 bytes */
- if (ret == 0)
- ret = HashRaw(ssl, input, serverRandomOffset + RAN_LEN -
- ECH_ACCEPT_CONFIRMATION_SZ);
- /* hash 8 zeros */
- if (ret == 0)
- ret = HashRaw(ssl, zeros, ECH_ACCEPT_CONFIRMATION_SZ);
- /* hash the rest of the hello */
- if (ret == 0)
- ret = HashRaw(ssl, input + serverRandomOffset + RAN_LEN,
- helloSz + HANDSHAKE_HEADER_SZ - (serverRandomOffset + RAN_LEN));
- /* get the modified transcript hash */
- if (ret == 0)
- ret = GetMsgHash(ssl, transcriptEchConf);
- if (ret > 0)
- ret = 0;
- /* pick the right type and size based on mac_algorithm */
- if (ret == 0)
- switch (ssl->specs.mac_algorithm) {
- #ifndef NO_SHA256
- case sha256_mac:
- digestType = WC_SHA256;
- digestSize = WC_SHA256_DIGEST_SIZE;
- break;
- #endif /* !NO_SHA256 */
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- digestType = WC_SHA384;
- digestSize = WC_SHA384_DIGEST_SIZE;
- break;
- #endif /* WOLFSSL_SHA384 */
- #ifdef WOLFSSL_TLS13_SHA512
- case sha512_mac:
- digestType = WC_SHA512;
- digestSize = WC_SHA512_DIGEST_SIZE;
- break;
- #endif /* WOLFSSL_TLS13_SHA512 */
- #ifdef WOLFSSL_SM3
- case sm3_mac:
- digestType = WC_SM3;
- digestSize = WC_SM3_DIGEST_SIZE;
- break;
- #endif /* WOLFSSL_SM3 */
- default:
- ret = -1;
- break;
- }
- /* extract clientRandomInner with a key of all zeros */
- if (ret == 0)
- ret = wc_HKDF_Extract(digestType, zeros, digestSize,
- ssl->arrays->clientRandomInner, RAN_LEN, expandLabelPrk);
- /* tls expand with the confirmation label */
- if (ret == 0)
- ret = wc_Tls13_HKDF_Expand_Label(acceptConfirmation,
- ECH_ACCEPT_CONFIRMATION_SZ,
- expandLabelPrk, digestSize, tls13ProtocolLabel,
- TLS13_PROTOCOL_LABEL_SZ, echAcceptConfirmationLabel,
- ECH_ACCEPT_CONFIRMATION_LABEL_SZ, transcriptEchConf, digestSize,
- digestType);
- if (ret == 0) {
- /* last 8 bytes should match our expand output */
- ret = XMEMCMP(acceptConfirmation,
- ssl->arrays->serverRandom + RAN_LEN - ECH_ACCEPT_CONFIRMATION_SZ,
- ECH_ACCEPT_CONFIRMATION_SZ);
- /* ech accepted */
- if (ret == 0) {
- /* use the inner random for client random */
- XMEMCPY(ssl->arrays->clientRandom, ssl->arrays->clientRandomInner,
- RAN_LEN);
- /* switch back to original hsHashes */
- ssl->hsHashes = tmpHashes;
- /* free hsHashes */
- FreeHandshakeHashes(ssl);
- /* set the final hsHashes to the ech hashes */
- tmpHashes = ssl->hsHashesEch;
- /* set hsHashesEch to NULL to avoid double free */
- ssl->hsHashesEch = NULL;
- }
- /* ech rejected */
- else {
- /* switch to hsHashesEch */
- ssl->hsHashes = ssl->hsHashesEch;
- /* free ech hashes */
- FreeHandshakeHashes(ssl);
- }
- /* continue with outer if we failed to verify ech was accepted */
- ret = 0;
- }
- /* switch to acceptHashes */
- ssl->hsHashes = acceptHashes;
- /* free acceptHashes */
- FreeHandshakeHashes(ssl);
- ssl->hsHashes = tmpHashes;
- return ret;
- }
- /* replace the last 8 bytes of the server random with the ech acceptance
- * parameter, return status */
- static int EchWriteAcceptance(WOLFSSL* ssl, byte* output,
- int serverRandomOffset, int helloSz)
- {
- int ret = 0;
- int digestType;
- int digestSize;
- HS_Hashes* tmpHashes;
- HS_Hashes* acceptHashes;
- byte zeros[WC_MAX_DIGEST_SIZE] = {0};
- byte transcriptEchConf[WC_MAX_DIGEST_SIZE];
- byte expandLabelPrk[WC_MAX_DIGEST_SIZE];
- /* copy ech hashes to accept */
- ret = InitHandshakeHashesAndCopy(ssl, ssl->hsHashes, &acceptHashes);
- /* swap hsHashes to acceptHashes */
- tmpHashes = ssl->hsHashes;
- ssl->hsHashes = acceptHashes;
- /* hash up to the last 8 bytes */
- if (ret == 0)
- ret = HashRaw(ssl, output, serverRandomOffset + RAN_LEN -
- ECH_ACCEPT_CONFIRMATION_SZ);
- /* hash 8 zeros */
- if (ret == 0)
- ret = HashRaw(ssl, zeros, ECH_ACCEPT_CONFIRMATION_SZ);
- /* hash the rest of the hello */
- if (ret == 0)
- ret = HashRaw(ssl, output + serverRandomOffset + RAN_LEN,
- helloSz - (serverRandomOffset + RAN_LEN));
- /* get the modified transcript hash */
- if (ret == 0)
- ret = GetMsgHash(ssl, transcriptEchConf);
- if (ret > 0)
- ret = 0;
- /* pick the right type and size based on mac_algorithm */
- if (ret == 0)
- switch (ssl->specs.mac_algorithm) {
- #ifndef NO_SHA256
- case sha256_mac:
- digestType = WC_SHA256;
- digestSize = WC_SHA256_DIGEST_SIZE;
- break;
- #endif /* !NO_SHA256 */
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- digestType = WC_SHA384;
- digestSize = WC_SHA384_DIGEST_SIZE;
- break;
- #endif /* WOLFSSL_SHA384 */
- #ifdef WOLFSSL_TLS13_SHA512
- case sha512_mac:
- digestType = WC_SHA512;
- digestSize = WC_SHA512_DIGEST_SIZE;
- break;
- #endif /* WOLFSSL_TLS13_SHA512 */
- #ifdef WOLFSSL_SM3
- case sm3_mac:
- digestType = WC_SM3;
- digestSize = WC_SM3_DIGEST_SIZE;
- break;
- #endif /* WOLFSSL_SM3 */
- default:
- ret = -1;
- break;
- }
- /* extract clientRandom with a key of all zeros */
- if (ret == 0) {
- PRIVATE_KEY_UNLOCK();
- ret = wc_HKDF_Extract(digestType, zeros, digestSize,
- ssl->arrays->clientRandom, RAN_LEN, expandLabelPrk);
- PRIVATE_KEY_LOCK();
- }
- /* tls expand with the confirmation label */
- if (ret == 0) {
- PRIVATE_KEY_UNLOCK();
- ret = wc_Tls13_HKDF_Expand_Label(
- output + serverRandomOffset + RAN_LEN - ECH_ACCEPT_CONFIRMATION_SZ,
- ECH_ACCEPT_CONFIRMATION_SZ,
- expandLabelPrk, digestSize, tls13ProtocolLabel,
- TLS13_PROTOCOL_LABEL_SZ, echAcceptConfirmationLabel,
- ECH_ACCEPT_CONFIRMATION_LABEL_SZ, transcriptEchConf, digestSize,
- digestType);
- PRIVATE_KEY_LOCK();
- }
- if (ret == 0)
- XMEMCPY(ssl->arrays->serverRandom, output + serverRandomOffset,
- RAN_LEN);
- /* free acceptHashes */
- FreeHandshakeHashes(ssl);
- ssl->hsHashes = tmpHashes;
- return ret;
- }
- #endif
- /* handle processing of TLS 1.3 server_hello (2) and hello_retry_request (6) */
- /* Handle the ServerHello message from the server.
- * Only a client will receive this message.
- *
- * ssl The SSL/TLS object.
- * input The message buffer.
- * inOutIdx On entry, the index into the message buffer of ServerHello.
- * On exit, the index of byte after the ServerHello message.
- * helloSz The length of the current handshake message.
- * returns 0 on success and otherwise failure.
- */
- typedef struct Dsh13Args {
- ProtocolVersion pv;
- word32 idx;
- word32 begin;
- const byte* sessId;
- word16 totalExtSz;
- byte sessIdSz;
- byte extMsgType;
- #if defined(HAVE_ECH)
- int serverRandomOffset;
- #endif
- } Dsh13Args;
- int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
- word32 helloSz, byte* extMsgType)
- {
- int ret;
- byte suite[2];
- byte tls12minor;
- #ifdef WOLFSSL_ASYNC_CRYPT
- Dsh13Args* args = NULL;
- WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
- #else
- Dsh13Args args[1];
- #endif
- WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO);
- WOLFSSL_ENTER("DoTls13ServerHello");
- tls12minor = TLSv1_2_MINOR;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- tls12minor = DTLSv1_2_MINOR;
- #endif /* WOLFSSL_DTLS13 */
- if (ssl == NULL || ssl->arrays == NULL)
- return BAD_FUNC_ARG;
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->async == NULL) {
- ssl->async = (struct WOLFSSL_ASYNC*)
- XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
- DYNAMIC_TYPE_ASYNC);
- if (ssl->async == NULL)
- return MEMORY_E;
- ssl->async->freeArgs = NULL;
- }
- args = (Dsh13Args*)ssl->async->args;
- ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
- if (ret != WC_NO_PENDING_E) {
- /* Check for error */
- if (ret < 0) {
- if (ret == WC_PENDING_E) {
- /* Mark message as not received so it can process again */
- ssl->msgsReceived.got_server_hello = 0;
- }
- return ret;
- }
- }
- else
- #endif
- {
- /* Reset state */
- ssl->options.asyncState = TLS_ASYNC_BEGIN;
- XMEMSET(args, 0, sizeof(Dsh13Args));
- }
- switch (ssl->options.asyncState) {
- case TLS_ASYNC_BEGIN:
- {
- byte b;
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn) AddPacketName(ssl, "ServerHello");
- if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo);
- #endif
- /* Protocol version length check. */
- if (helloSz < OPAQUE16_LEN)
- return BUFFER_ERROR;
- args->idx = *inOutIdx;
- args->begin = args->idx;
- /* Protocol version */
- XMEMCPY(&args->pv, input + args->idx, OPAQUE16_LEN);
- args->idx += OPAQUE16_LEN;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls &&
- (args->pv.major != DTLS_MAJOR || args->pv.minor == DTLS_BOGUS_MINOR))
- return VERSION_ERROR;
- #endif /* WOLFSSL_DTLS */
- #ifndef WOLFSSL_NO_TLS12
- {
- byte wantDowngrade;
- wantDowngrade = args->pv.major == ssl->version.major &&
- args->pv.minor < TLSv1_2_MINOR;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- wantDowngrade = args->pv.major == ssl->version.major &&
- args->pv.minor > DTLSv1_2_MINOR;
- #endif /* WOLFSSL_DTLS13 */
- if (wantDowngrade && ssl->options.downgrade) {
- /* Force client hello version 1.2 to work for static RSA. */
- ssl->chVersion.minor = TLSv1_2_MINOR;
- ssl->version.minor = TLSv1_2_MINOR;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- ssl->chVersion.minor = DTLSv1_2_MINOR;
- ssl->version.minor = DTLSv1_2_MINOR;
- ret = Dtls13DoDowngrade(ssl);
- if (ret != 0)
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- return DoServerHello(ssl, input, inOutIdx, helloSz);
- }
- }
- #endif
- if (args->pv.major != ssl->version.major ||
- args->pv.minor != tls12minor) {
- SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- /* Random and session id length check */
- if ((args->idx - args->begin) + RAN_LEN + ENUM_LEN > helloSz)
- return BUFFER_ERROR;
- /* Check if hello retry request */
- if (XMEMCMP(input + args->idx, helloRetryRequestRandom, RAN_LEN) == 0) {
- WOLFSSL_MSG("HelloRetryRequest format");
- *extMsgType = hello_retry_request;
- if (ssl->msgsReceived.got_hello_verify_request) {
- WOLFSSL_MSG("Received HelloRetryRequest after a "
- "HelloVerifyRequest");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- /* A HelloRetryRequest comes in as an ServerHello for MiddleBox compat.
- * Found message to be a HelloRetryRequest.
- * Don't allow more than one HelloRetryRequest or ServerHello.
- */
- if (ssl->msgsReceived.got_hello_retry_request) {
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- }
- args->extMsgType = *extMsgType;
- /* Server random - keep for debugging. */
- XMEMCPY(ssl->arrays->serverRandom, input + args->idx, RAN_LEN);
- #if defined(HAVE_ECH)
- args->serverRandomOffset = args->idx;
- #endif
- args->idx += RAN_LEN;
- /* Session id */
- args->sessIdSz = input[args->idx++];
- if ((args->idx - args->begin) + args->sessIdSz > helloSz)
- return BUFFER_ERROR;
- args->sessId = input + args->idx;
- args->idx += args->sessIdSz;
- ssl->options.haveSessionId = 1;
- /* Ciphersuite and compression check */
- if ((args->idx - args->begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz)
- return BUFFER_ERROR;
- /* Set the cipher suite from the message. */
- ssl->options.cipherSuite0 = input[args->idx++];
- ssl->options.cipherSuite = input[args->idx++];
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG("Chosen cipher suite:");
- WOLFSSL_MSG(GetCipherNameInternal(ssl->options.cipherSuite0,
- ssl->options.cipherSuite));
- #endif
- /* Compression */
- b = input[args->idx++];
- if (b != 0) {
- WOLFSSL_MSG("Must be no compression types in list");
- WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
- return INVALID_PARAMETER;
- }
- if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz) {
- if (!ssl->options.downgrade)
- return BUFFER_ERROR;
- #ifndef WOLFSSL_NO_TLS12
- /* Force client hello version 1.2 to work for static RSA. */
- ssl->chVersion.minor = TLSv1_2_MINOR;
- ssl->version.minor = TLSv1_2_MINOR;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- ssl->chVersion.minor = DTLSv1_2_MINOR;
- ssl->version.minor = DTLSv1_2_MINOR;
- ret = Dtls13DoDowngrade(ssl);
- if (ret != 0)
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- #endif
- ssl->options.haveEMS = 0;
- if (args->pv.minor < ssl->options.minDowngrade) {
- SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
- return VERSION_ERROR;
- }
- #ifndef WOLFSSL_NO_TLS12
- return DoServerHello(ssl, input, inOutIdx, helloSz);
- #else
- SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
- return VERSION_ERROR;
- #endif
- }
- if ((args->idx - args->begin) < helloSz) {
- int foundVersion;
- /* Get extension length and length check. */
- if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz)
- return BUFFER_ERROR;
- ato16(&input[args->idx], &args->totalExtSz);
- args->idx += OPAQUE16_LEN;
- if ((args->idx - args->begin) + args->totalExtSz > helloSz)
- return BUFFER_ERROR;
- /* Need to negotiate version first. */
- if ((ret = TLSX_ParseVersion(ssl, input + args->idx,
- args->totalExtSz, *extMsgType, &foundVersion))) {
- return ret;
- }
- if (!foundVersion) {
- if (!ssl->options.downgrade) {
- WOLFSSL_MSG("Server trying to downgrade to version less than "
- "TLS v1.3");
- SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
- defined(WOLFSSL_WPAS_SMALL)
- /* Check if client has disabled TLS 1.2 */
- if (args->pv.minor == TLSv1_2_MINOR &&
- (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
- WOLFSSL_MSG("\tOption set to not allow TLSv1.2");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- #endif
- if (!ssl->options.dtls &&
- args->pv.minor < ssl->options.minDowngrade) {
- SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- if (ssl->options.dtls &&
- args->pv.minor > ssl->options.minDowngrade) {
- SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- ssl->version.minor = args->pv.minor;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- ret = Dtls13DoDowngrade(ssl);
- if (ret != 0)
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- }
- #ifdef WOLFSSL_DTLS13
- /* we are sure that version is >= v1.3 now, we can get rid of buffered
- * ClientHello that was buffered to re-compute the hash in case of
- * downgrade */
- if (ssl->options.dtls && ssl->dtls13ClientHello != NULL) {
- XFREE(ssl->dtls13ClientHello, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
- ssl->dtls13ClientHello = NULL;
- ssl->dtls13ClientHelloSz = 0;
- }
- #endif /* WOLFSSL_DTLS13 */
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_BUILD;
- } /* case TLS_ASYNC_BEGIN */
- FALL_THROUGH;
- case TLS_ASYNC_BUILD:
- case TLS_ASYNC_DO:
- {
- /* restore message type */
- *extMsgType = args->extMsgType;
- if (args->totalExtSz > 0) {
- /* Parse and handle extensions. */
- ret = TLSX_Parse(ssl, input + args->idx, args->totalExtSz,
- *extMsgType, NULL);
- if (ret != 0) {
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* Handle async operation */
- if (ret == WC_PENDING_E) {
- /* Mark message as not received so it can process again */
- ssl->msgsReceived.got_server_hello = 0;
- }
- #endif
- return ret;
- }
- if (*extMsgType == hello_retry_request) {
- /* Update counts to reflect change of message type. */
- ssl->msgsReceived.got_hello_retry_request = 1;
- ssl->msgsReceived.got_server_hello = 0;
- }
- args->idx += args->totalExtSz;
- }
- #ifdef WOLFSSL_DTLS_CID
- if (ssl->options.useDtlsCID && *extMsgType == server_hello)
- DtlsCIDOnExtensionsParsed(ssl);
- #endif /* WOLFSSL_DTLS_CID */
- *inOutIdx = args->idx;
- ssl->options.serverState = SERVER_HELLO_COMPLETE;
- #ifdef HAVE_SECRET_CALLBACK
- if (ssl->sessionSecretCb != NULL
- #ifdef HAVE_SESSION_TICKET
- && ssl->session->ticketLen > 0
- #endif
- ) {
- int secretSz = SECRET_LEN;
- ret = ssl->sessionSecretCb(ssl, ssl->session->masterSecret,
- &secretSz, ssl->sessionSecretCtx);
- if (ret != 0 || secretSz != SECRET_LEN) {
- WOLFSSL_ERROR_VERBOSE(SESSION_SECRET_CB_E);
- return SESSION_SECRET_CB_E;
- }
- }
- #endif /* HAVE_SECRET_CALLBACK */
- /* Version only negotiated in extensions for TLS v1.3.
- * Only now do we know how to deal with session id.
- */
- if (!IsAtLeastTLSv1_3(ssl->version)) {
- #ifndef WOLFSSL_NO_TLS12
- ssl->arrays->sessionIDSz = args->sessIdSz;
- if (ssl->arrays->sessionIDSz > ID_LEN) {
- WOLFSSL_MSG("Invalid session ID size");
- ssl->arrays->sessionIDSz = 0;
- return BUFFER_ERROR;
- }
- else if (ssl->arrays->sessionIDSz) {
- XMEMCPY(ssl->arrays->sessionID, args->sessId,
- ssl->arrays->sessionIDSz);
- ssl->options.haveSessionId = 1;
- }
- /* Force client hello version 1.2 to work for static RSA. */
- ssl->chVersion.minor = TLSv1_2_MINOR;
- /* Complete TLS v1.2 processing of ServerHello. */
- ret = CompleteServerHello(ssl);
- #else
- WOLFSSL_MSG("Client using higher version, fatal error");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- ret = VERSION_ERROR;
- #endif
- WOLFSSL_LEAVE("DoTls13ServerHello", ret);
- return ret;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_FINALIZE;
- } /* case TLS_ASYNC_BUILD || TLS_ASYNC_DO */
- FALL_THROUGH;
- case TLS_ASYNC_FINALIZE:
- {
- #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
- if (ssl->options.tls13MiddleBoxCompat) {
- if (args->sessIdSz == 0) {
- WOLFSSL_MSG("args->sessIdSz == 0");
- WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
- return INVALID_PARAMETER;
- }
- if (ssl->session->sessionIDSz != 0) {
- if (ssl->session->sessionIDSz != args->sessIdSz ||
- XMEMCMP(ssl->session->sessionID, args->sessId,
- args->sessIdSz) != 0) {
- WOLFSSL_MSG("session id doesn't match");
- WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
- return INVALID_PARAMETER;
- }
- }
- else if (XMEMCMP(ssl->arrays->clientRandom, args->sessId,
- args->sessIdSz) != 0) {
- WOLFSSL_MSG("session id doesn't match client random");
- WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
- return INVALID_PARAMETER;
- }
- }
- else
- #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */
- #ifdef WOLFSSL_QUIC
- if (WOLFSSL_IS_QUIC(ssl)) {
- if (args->sessIdSz != 0) {
- WOLFSSL_MSG("args->sessIdSz != 0");
- WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
- return INVALID_PARAMETER;
- }
- }
- else
- #endif /* WOLFSSL_QUIC */
- if (args->sessIdSz != ssl->session->sessionIDSz || (args->sessIdSz > 0 &&
- XMEMCMP(ssl->session->sessionID, args->sessId, args->sessIdSz) != 0))
- {
- WOLFSSL_MSG("Server sent different session id");
- WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
- return INVALID_PARAMETER;
- }
- ret = SetCipherSpecs(ssl);
- if (ret != 0)
- return ret;
- #if defined(HAVE_ECH)
- /* check for acceptConfirmation and HashInput with 8 0 bytes */
- if (ssl->options.useEch == 1) {
- ret = EchCheckAcceptance(ssl, input, args->serverRandomOffset, helloSz);
- if (ret != 0)
- return ret;
- }
- #endif
- #ifdef HAVE_NULL_CIPHER
- if (ssl->options.cipherSuite0 == ECC_BYTE &&
- (ssl->options.cipherSuite == TLS_SHA256_SHA256 ||
- ssl->options.cipherSuite == TLS_SHA384_SHA384)) {
- ;
- }
- else
- #endif
- #if defined(WOLFSSL_SM4_GCM) && defined(WOLFSSL_SM3)
- if (ssl->options.cipherSuite0 == CIPHER_BYTE &&
- ssl->options.cipherSuite == TLS_SM4_GCM_SM3) {
- ; /* Do nothing. */
- }
- else
- #endif
- #if defined(WOLFSSL_SM4_CCM) && defined(WOLFSSL_SM3)
- if (ssl->options.cipherSuite0 == CIPHER_BYTE &&
- ssl->options.cipherSuite == TLS_SM4_CCM_SM3) {
- ; /* Do nothing. */
- }
- else
- #endif
- /* Check that the negotiated ciphersuite matches protocol version. */
- if (ssl->options.cipherSuite0 != TLS13_BYTE) {
- WOLFSSL_MSG("Server sent non-TLS13 cipher suite in TLS 1.3 packet");
- WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
- return INVALID_PARAMETER;
- }
- suite[0] = ssl->options.cipherSuite0;
- suite[1] = ssl->options.cipherSuite;
- if (!FindSuiteSSL(ssl, suite)) {
- WOLFSSL_MSG("Cipher suite not supported on client");
- WOLFSSL_ERROR_VERBOSE(MATCH_SUITE_ERROR);
- return MATCH_SUITE_ERROR;
- }
- if (*extMsgType == server_hello) {
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- PreSharedKey* psk = NULL;
- TLSX* ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
- if (ext != NULL)
- psk = (PreSharedKey*)ext->data;
- while (psk != NULL && !psk->chosen)
- psk = psk->next;
- if (psk == NULL) {
- ssl->options.resuming = 0;
- ssl->arrays->psk_keySz = 0;
- XMEMSET(ssl->arrays->psk_key, 0, MAX_PSK_KEY_LEN);
- }
- else {
- if ((ret = SetupPskKey(ssl, psk, 0)) != 0)
- return ret;
- ssl->options.pskNegotiated = 1;
- }
- #endif
- /* sanity check on PSK / KSE */
- if (
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- ssl->options.pskNegotiated == 0 &&
- #endif
- ssl->session->namedGroup == 0) {
- return EXT_MISSING;
- }
- ssl->keys.encryptionOn = 1;
- ssl->options.serverState = SERVER_HELLO_COMPLETE;
- }
- else {
- ssl->options.tls1_3 = 1;
- ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
- ret = RestartHandshakeHash(ssl);
- }
- break;
- } /* case TLS_ASYNC_FINALIZE */
- default:
- ret = INPUT_CASE_ERROR;
- } /* switch (ssl->options.asyncState) */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == 0)
- FreeAsyncCtx(ssl, 0);
- #endif
- WOLFSSL_LEAVE("DoTls13ServerHello", ret);
- WOLFSSL_END(WC_FUNC_SERVER_HELLO_DO);
- return ret;
- }
- /* handle processing TLS 1.3 encrypted_extensions (8) */
- /* Parse and handle an EncryptedExtensions message.
- * Only a client will receive this message.
- *
- * ssl The SSL/TLS object.
- * input The message buffer.
- * inOutIdx On entry, the index into the message buffer of
- * EncryptedExtensions.
- * On exit, the index of byte after the EncryptedExtensions
- * message.
- * totalSz The length of the current handshake message.
- * returns 0 on success and otherwise failure.
- */
- static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input,
- word32* inOutIdx, word32 totalSz)
- {
- int ret;
- word32 begin = *inOutIdx;
- word32 i = begin;
- word16 totalExtSz;
- WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_DO);
- WOLFSSL_ENTER("DoTls13EncryptedExtensions");
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn) AddPacketName(ssl, "EncryptedExtensions");
- if (ssl->toInfoOn) AddLateName("EncryptedExtensions", &ssl->timeoutInfo);
- #endif
- /* Length field of extension data. */
- if (totalSz < OPAQUE16_LEN)
- return BUFFER_ERROR;
- ato16(&input[i], &totalExtSz);
- i += OPAQUE16_LEN;
- /* Extension data. */
- if (i - begin + totalExtSz > totalSz)
- return BUFFER_ERROR;
- if ((ret = TLSX_Parse(ssl, input + i, totalExtSz, encrypted_extensions,
- NULL))) {
- return ret;
- }
- /* Move index to byte after message. */
- *inOutIdx = i + totalExtSz;
- /* Always encrypted. */
- *inOutIdx += ssl->keys.padSz;
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->earlyData != no_early_data) {
- TLSX* ext = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
- if (ext == NULL || !ext->val)
- ssl->earlyData = no_early_data;
- }
- #endif
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->earlyData == no_early_data) {
- ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;
- WOLFSSL_LEAVE("DoTls13EncryptedExtensions", ret);
- WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_DO);
- return ret;
- }
- #ifndef NO_CERTS
- /* handle processing TLS v1.3 certificate_request (13) */
- /* Handle a TLS v1.3 CertificateRequest message.
- * This message is always encrypted.
- * Only a client will receive this message.
- *
- * ssl The SSL/TLS object.
- * input The message buffer.
- * inOutIdx On entry, the index into the message buffer of CertificateRequest.
- * On exit, the index of byte after the CertificateRequest message.
- * size The length of the current handshake message.
- * returns 0 on success and otherwise failure.
- */
- static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
- word32* inOutIdx, word32 size)
- {
- word16 len;
- word32 begin = *inOutIdx;
- int ret = 0;
- Suites peerSuites;
- #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
- CertReqCtx* certReqCtx;
- #endif
- WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_DO);
- WOLFSSL_ENTER("DoTls13CertificateRequest");
- XMEMSET(&peerSuites, 0, sizeof(Suites));
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateRequest");
- if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo);
- #endif
- if (OPAQUE8_LEN > size)
- return BUFFER_ERROR;
- /* Length of the request context. */
- len = input[(*inOutIdx)++];
- if ((*inOutIdx - begin) + len > size)
- return BUFFER_ERROR;
- if (ssl->options.connectState < FINISHED_DONE && len > 0)
- return BUFFER_ERROR;
- #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
- /* CertReqCtx has one byte at end for context value.
- * Increase size to handle other implementations sending more than one byte.
- * That is, allocate extra space, over one byte, to hold the context value.
- */
- certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx) + len - 1, ssl->heap,
- DYNAMIC_TYPE_TMP_BUFFER);
- if (certReqCtx == NULL)
- return MEMORY_E;
- certReqCtx->next = ssl->certReqCtx;
- certReqCtx->len = len;
- XMEMCPY(&certReqCtx->ctx, input + *inOutIdx, len);
- ssl->certReqCtx = certReqCtx;
- #endif
- *inOutIdx += len;
- /* TODO: Add support for more extensions:
- * signed_certificate_timestamp, certificate_authorities, oid_filters.
- */
- /* Certificate extensions */
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
- return BUFFER_ERROR;
- ato16(input + *inOutIdx, &len);
- *inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + len > size)
- return BUFFER_ERROR;
- if (len == 0)
- return INVALID_PARAMETER;
- if ((ret = TLSX_Parse(ssl, input + *inOutIdx, len, certificate_request,
- &peerSuites))) {
- return ret;
- }
- *inOutIdx += len;
- if ((ssl->buffers.certificate && ssl->buffers.certificate->buffer &&
- ((ssl->buffers.key && ssl->buffers.key->buffer)
- #ifdef HAVE_PK_CALLBACKS
- || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
- #endif
- ))
- #ifdef OPENSSL_EXTRA
- || ssl->ctx->certSetupCb != NULL
- #endif
- ) {
- if (PickHashSigAlgo(ssl, peerSuites.hashSigAlgo,
- peerSuites.hashSigAlgoSz) != 0) {
- WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
- return INVALID_PARAMETER;
- }
- ssl->options.sendVerify = SEND_CERT;
- }
- else {
- #ifndef WOLFSSL_NO_CLIENT_CERT_ERROR
- ssl->options.sendVerify = SEND_BLANK_CERT;
- #else
- WOLFSSL_MSG("Certificate required but none set on client");
- SendAlert(ssl, alert_fatal, illegal_parameter);
- WOLFSSL_ERROR_VERBOSE(NO_CERT_ERROR);
- return NO_CERT_ERROR;
- #endif
- }
- /* This message is always encrypted so add encryption padding. */
- *inOutIdx += ssl->keys.padSz;
- WOLFSSL_LEAVE("DoTls13CertificateRequest", ret);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_DO);
- return ret;
- }
- #endif /* !NO_CERTS */
- #endif /* !NO_WOLFSSL_CLIENT */
- #ifndef NO_WOLFSSL_SERVER
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- /* Refine list of supported cipher suites to those common to server and client.
- *
- * ssl SSL/TLS object.
- * peerSuites The peer's advertised list of supported cipher suites.
- */
- static void RefineSuites(WOLFSSL* ssl, Suites* peerSuites)
- {
- byte suites[WOLFSSL_MAX_SUITE_SZ];
- word16 suiteSz = 0;
- word16 i;
- word16 j;
- if (AllocateSuites(ssl) != 0)
- return;
- XMEMSET(suites, 0, WOLFSSL_MAX_SUITE_SZ);
- if (!ssl->options.useClientOrder) {
- /* Server order refining. */
- for (i = 0; i < ssl->suites->suiteSz; i += 2) {
- for (j = 0; j < peerSuites->suiteSz; j += 2) {
- if ((ssl->suites->suites[i+0] == peerSuites->suites[j+0]) &&
- (ssl->suites->suites[i+1] == peerSuites->suites[j+1])) {
- suites[suiteSz++] = peerSuites->suites[j+0];
- suites[suiteSz++] = peerSuites->suites[j+1];
- break;
- }
- }
- if (suiteSz == WOLFSSL_MAX_SUITE_SZ)
- break;
- }
- }
- else {
- /* Client order refining. */
- for (j = 0; j < peerSuites->suiteSz; j += 2) {
- for (i = 0; i < ssl->suites->suiteSz; i += 2) {
- if ((ssl->suites->suites[i+0] == peerSuites->suites[j+0]) &&
- (ssl->suites->suites[i+1] == peerSuites->suites[j+1])) {
- suites[suiteSz++] = peerSuites->suites[j+0];
- suites[suiteSz++] = peerSuites->suites[j+1];
- break;
- }
- }
- if (suiteSz == WOLFSSL_MAX_SUITE_SZ)
- break;
- }
- }
- ssl->suites->suiteSz = suiteSz;
- XMEMCPY(ssl->suites->suites, &suites, sizeof(suites));
- #ifdef WOLFSSL_DEBUG_TLS
- {
- int ii;
- WOLFSSL_MSG("Refined Ciphers:");
- for (ii = 0 ; ii < ssl->suites->suiteSz; ii += 2) {
- WOLFSSL_MSG(GetCipherNameInternal(ssl->suites->suites[ii+0],
- ssl->suites->suites[ii+1]));
- }
- }
- #endif
- }
- #ifndef NO_PSK
- int FindPskSuite(const WOLFSSL* ssl, PreSharedKey* psk, byte* psk_key,
- word32* psk_keySz, const byte* suite, int* found, byte* foundSuite)
- {
- const char* cipherName = NULL;
- byte cipherSuite0 = TLS13_BYTE;
- byte cipherSuite = WOLFSSL_DEF_PSK_CIPHER;
- int ret = 0;
- *found = 0;
- (void)suite;
- if (ssl->options.server_psk_tls13_cb != NULL) {
- *psk_keySz = ssl->options.server_psk_tls13_cb((WOLFSSL*)ssl,
- (char*)psk->identity, psk_key, MAX_PSK_KEY_LEN, &cipherName);
- if (*psk_keySz != 0) {
- int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE;
- *found = (GetCipherSuiteFromName(cipherName, &cipherSuite0,
- &cipherSuite, &cipherSuiteFlags) == 0);
- (void)cipherSuiteFlags;
- }
- }
- if (*found == 0 && (ssl->options.server_psk_cb != NULL)) {
- *psk_keySz = ssl->options.server_psk_cb((WOLFSSL*)ssl,
- (char*)psk->identity, psk_key,
- MAX_PSK_KEY_LEN);
- *found = (*psk_keySz != 0);
- }
- if (*found) {
- if (*psk_keySz > MAX_PSK_KEY_LEN) {
- WOLFSSL_MSG("Key len too long in FindPsk()");
- ret = PSK_KEY_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- *found = 0;
- }
- if (ret == 0) {
- #if !defined(WOLFSSL_PSK_ONE_ID) && !defined(WOLFSSL_PRIORITIZE_PSK)
- /* Check whether PSK ciphersuite is in SSL. */
- *found = (suite[0] == cipherSuite0) && (suite[1] == cipherSuite);
- #else
- (void)suite;
- /* Check whether PSK ciphersuite is in SSL. */
- {
- byte s[2] = {
- cipherSuite0,
- cipherSuite,
- };
- *found = FindSuiteSSL(ssl, s);
- }
- #endif
- }
- }
- if (*found && foundSuite != NULL) {
- foundSuite[0] = cipherSuite0;
- foundSuite[1] = cipherSuite;
- }
- return ret;
- }
- /* Attempt to find the PSK (not session ticket) that matches.
- *
- * @param [in, out] ssl The SSL/TLS object.
- * @param [in] psk A pre-shared key from the extension.
- * @param [out] suite Cipher suite to use with PSK.
- * @param [out] err Error code.
- * PSK_KEY_ERROR when key is too big or ticket age is
- * invalid,
- * UNSUPPORTED_SUITE on invalid suite.
- * Other error when attempting to derive early secret.
- * @return 1 when a match found - but check error code.
- * @return 0 when no match found.
- */
- static int FindPsk(WOLFSSL* ssl, PreSharedKey* psk, const byte* suite, int* err)
- {
- int ret = 0;
- int found = 0;
- byte foundSuite[SUITE_LEN];
- WOLFSSL_ENTER("FindPsk");
- ret = FindPskSuite(ssl, psk, ssl->arrays->psk_key, &ssl->arrays->psk_keySz,
- suite, &found, foundSuite);
- if (ret == 0 && found) {
- if ((ret == 0) && found) {
- /* Default to ciphersuite if cb doesn't specify. */
- ssl->options.resuming = 0;
- /* Don't send certificate request when using PSK. */
- ssl->options.verifyPeer = 0;
- /* PSK age is always zero. */
- if (psk->ticketAge != 0) {
- ret = PSK_KEY_ERROR;
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- }
- if ((ret == 0) && found) {
- /* Set PSK ciphersuite into SSL. */
- ssl->options.cipherSuite0 = foundSuite[0];
- ssl->options.cipherSuite = foundSuite[1];
- ret = SetCipherSpecs(ssl);
- }
- if ((ret == 0) && found) {
- /* Derive the early secret using the PSK. */
- ret = DeriveEarlySecret(ssl);
- }
- if ((ret == 0) && found) {
- /* PSK negotiation has succeeded */
- ssl->options.isPSK = 1;
- /* SERVER: using PSK for peer authentication. */
- ssl->options.peerAuthGood = 1;
- }
- }
- *err = ret;
- WOLFSSL_LEAVE("FindPsk", found);
- WOLFSSL_LEAVE("FindPsk", ret);
- return found;
- }
- #endif /* !NO_PSK */
- /* Handle any Pre-Shared Key (PSK) extension.
- * Find a PSK that supports the cipher suite passed in.
- *
- * ssl SSL/TLS object.
- * suite Cipher suite to find PSK for.
- * usingPSK 1=Indicates handshake is using Pre-Shared Keys (2=Ephemeral)
- * first Set to 1 if first in extension
- * returns 0 on success and otherwise failure.
- */
- static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz,
- const byte* suite, int* usingPSK, int* first)
- {
- int ret = 0;
- TLSX* ext;
- PreSharedKey* current;
- byte binderKey[WC_MAX_DIGEST_SIZE];
- byte binder[WC_MAX_DIGEST_SIZE];
- word32 binderLen;
- #ifdef NO_PSK
- (void) suite; /* to avoid unused var warning when not used */
- #endif
- WOLFSSL_ENTER("DoPreSharedKeys");
- (void)suite;
- ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
- if (ext == NULL) {
- WOLFSSL_MSG("No pre shared extension keys found");
- return BAD_FUNC_ARG;
- }
- /* Look through all client's pre-shared keys for a match. */
- for (current = (PreSharedKey*)ext->data; current != NULL;
- current = current->next) {
- #ifndef NO_PSK
- if (current->identityLen > MAX_PSK_ID_LEN) {
- return BUFFER_ERROR;
- }
- XMEMCPY(ssl->arrays->client_identity, current->identity,
- current->identityLen);
- ssl->arrays->client_identity[current->identityLen] = '\0';
- #endif
- #ifdef HAVE_SESSION_TICKET
- /* Decode the identity. */
- switch (current->decryptRet) {
- case PSK_DECRYPT_NONE:
- ret = DoClientTicket_ex(ssl, current, 1);
- /* psk->sess may be set. Need to clean up later. */
- break;
- case PSK_DECRYPT_OK:
- ret = WOLFSSL_TICKET_RET_OK;
- break;
- case PSK_DECRYPT_CREATE:
- ret = WOLFSSL_TICKET_RET_CREATE;
- break;
- case PSK_DECRYPT_FAIL:
- ret = WOLFSSL_TICKET_RET_REJECT;
- break;
- }
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E)
- return ret;
- #endif
- if (ret != WOLFSSL_TICKET_RET_OK && current->sess_free_cb != NULL) {
- current->sess_free_cb(ssl, current->sess,
- ¤t->sess_free_cb_ctx);
- current->sess = NULL;
- XMEMSET(¤t->sess_free_cb_ctx, 0,
- sizeof(psk_sess_free_cb_ctx));
- }
- if (ret == WOLFSSL_TICKET_RET_OK) {
- ret = DoClientTicketCheck(ssl, current, ssl->timeout, suite);
- if (ret == 0)
- DoClientTicketFinalize(ssl, current->it, current->sess);
- if (current->sess_free_cb != NULL) {
- current->sess_free_cb(ssl, current->sess,
- ¤t->sess_free_cb_ctx);
- current->sess = NULL;
- XMEMSET(¤t->sess_free_cb_ctx, 0,
- sizeof(psk_sess_free_cb_ctx));
- }
- if (ret != 0)
- continue;
- /* SERVER: using secret in session ticket for peer auth. */
- ssl->options.peerAuthGood = 1;
- #ifdef WOLFSSL_EARLY_DATA
- ssl->options.maxEarlyDataSz = ssl->session->maxEarlyDataSz;
- #endif
- /* Use the same cipher suite as before and set up for use. */
- ssl->options.cipherSuite0 = ssl->session->cipherSuite0;
- ssl->options.cipherSuite = ssl->session->cipherSuite;
- ret = SetCipherSpecs(ssl);
- if (ret != 0)
- return ret;
- /* Resumption PSK is resumption master secret. */
- ssl->arrays->psk_keySz = ssl->specs.hash_size;
- if ((ret = DeriveResumptionPSK(ssl, ssl->session->ticketNonce.data,
- ssl->session->ticketNonce.len, ssl->arrays->psk_key)) != 0) {
- return ret;
- }
- /* Derive the early secret using the PSK. */
- ret = DeriveEarlySecret(ssl);
- if (ret != 0)
- return ret;
- /* Hash data up to binders for deriving binders in PSK extension. */
- ret = HashInput(ssl, input, inputSz);
- if (ret < 0)
- return ret;
- /* Derive the binder key to use with HMAC. */
- ret = DeriveBinderKeyResume(ssl, binderKey);
- if (ret != 0)
- return ret;
- }
- else
- #endif /* HAVE_SESSION_TICKET */
- #ifndef NO_PSK
- if (FindPsk(ssl, current, suite, &ret)) {
- if (ret != 0)
- return ret;
- ret = HashInput(ssl, input, inputSz);
- if (ret < 0)
- return ret;
- /* Derive the binder key to use with HMAC. */
- ret = DeriveBinderKey(ssl, binderKey);
- if (ret != 0)
- return ret;
- }
- else
- #endif
- {
- continue;
- }
- ssl->options.sendVerify = 0;
- /* Derive the Finished message secret. */
- ret = DeriveFinishedSecret(ssl, binderKey,
- ssl->keys.client_write_MAC_secret,
- 0 /* neither end */);
- if (ret != 0)
- return ret;
- /* Derive the binder and compare with the one in the extension. */
- ret = BuildTls13HandshakeHmac(ssl,
- ssl->keys.client_write_MAC_secret, binder, &binderLen);
- if (ret != 0)
- return ret;
- if (binderLen != current->binderLen ||
- XMEMCMP(binder, current->binder, binderLen) != 0) {
- WOLFSSL_ERROR_VERBOSE(BAD_BINDER);
- return BAD_BINDER;
- }
- /* This PSK works, no need to try any more. */
- current->chosen = 1;
- ext->resp = 1;
- break;
- }
- if (current == NULL) {
- #ifdef WOLFSSL_PSK_ID_PROTECTION
- #ifndef NO_CERTS
- if (ssl->buffers.certChainCnt != 0)
- return 0;
- #endif
- WOLFSSL_ERROR_VERBOSE(BAD_BINDER);
- return BAD_BINDER;
- #else
- return 0;
- #endif
- }
- *first = (current == ext->data);
- *usingPSK = 1;
- WOLFSSL_LEAVE("DoPreSharedKeys", ret);
- return ret;
- }
- /* Handle any Pre-Shared Key (PSK) extension.
- * Must do this in ClientHello as it requires a hash of the truncated message.
- * Don't know size of binders until Pre-Shared Key extension has been parsed.
- *
- * ssl SSL/TLS object.
- * input ClientHello message.
- * helloSz Size of the ClientHello message (including binders if present).
- * clSuites Client's cipher suite list.
- * usingPSK Indicates handshake is using Pre-Shared Keys.
- */
- static int CheckPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
- Suites* clSuites, int* usingPSK)
- {
- int ret;
- TLSX* ext;
- word16 bindersLen;
- int first = 0;
- #ifndef WOLFSSL_PSK_ONE_ID
- int i;
- const Suites* suites = WOLFSSL_SUITES(ssl);
- #else
- byte suite[2];
- #endif
- WOLFSSL_ENTER("CheckPreSharedKeys");
- ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
- if (ext == NULL) {
- #ifdef WOLFSSL_EARLY_DATA
- ssl->earlyData = no_early_data;
- #endif
- if (usingPSK)
- *usingPSK = 0;
- /* Hash data up to binders for deriving binders in PSK extension. */
- ret = HashInput(ssl, input, helloSz);
- return ret;
- }
- /* Extensions pushed on stack/list and PSK must be last. */
- if (ssl->extensions != ext) {
- WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
- return PSK_KEY_ERROR;
- }
- /* Assume we are going to resume with a pre-shared key. */
- ssl->options.resuming = 1;
- /* Find the pre-shared key extension and calculate hash of truncated
- * ClientHello for binders.
- */
- ret = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
- client_hello, &bindersLen);
- if (ret < 0)
- return ret;
- /* Refine list for PSK processing. */
- RefineSuites(ssl, clSuites);
- #ifndef WOLFSSL_PSK_ONE_ID
- if (usingPSK == NULL)
- return BAD_FUNC_ARG;
- /* Server list has only common suites from refining in server or client
- * order. */
- for (i = 0; !(*usingPSK) && i < suites->suiteSz; i += 2) {
- ret = DoPreSharedKeys(ssl, input, helloSz - bindersLen,
- suites->suites + i, usingPSK, &first);
- if (ret != 0) {
- #ifdef HAVE_SESSION_TICKET
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret != WC_PENDING_E)
- #endif
- CleanupClientTickets((PreSharedKey*)ext->data);
- #endif
- WOLFSSL_MSG_EX("DoPreSharedKeys: %d", ret);
- return ret;
- }
- }
- #ifdef HAVE_SESSION_TICKET
- CleanupClientTickets((PreSharedKey*)ext->data);
- #endif
- #else
- ret = DoPreSharedKeys(ssl, input, helloSz - bindersLen, suite, usingPSK,
- &first);
- if (ret != 0) {
- WOLFSSL_MSG_EX("DoPreSharedKeys: %d", ret);
- return ret;
- }
- #endif
- if (*usingPSK) {
- /* While verifying the selected PSK, we updated the
- * handshake hash up to the binder bytes in the PSK extensions.
- * Continuing, we need the rest of the ClientHello hashed as well.
- */
- ret = HashRaw(ssl, input + helloSz - bindersLen, bindersLen);
- }
- else {
- /* No suitable PSK found, Hash the complete ClientHello,
- * as caller expect it after we return */
- ret = HashInput(ssl, input, helloSz);
- }
- if (ret != 0)
- return ret;
- if (*usingPSK != 0) {
- word16 modes;
- #ifdef WOLFSSL_EARLY_DATA
- TLSX* extEarlyData;
- extEarlyData = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
- if (extEarlyData != NULL) {
- /* Check if accepting early data and first PSK. */
- if (ssl->earlyData != no_early_data && first) {
- extEarlyData->resp = 1;
- /* Derive early data decryption key. */
- ret = DeriveTls13Keys(ssl, early_data_key, DECRYPT_SIDE_ONLY,
- 1);
- if (ret != 0)
- return ret;
- if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
- return ret;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- ret = Dtls13NewEpoch(ssl,
- w64From32(0x0, DTLS13_EPOCH_EARLYDATA),
- DECRYPT_SIDE_ONLY);
- if (ret != 0)
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- ssl->earlyData = process_early_data;
- }
- else
- extEarlyData->resp = 0;
- }
- #endif
- /* Get the PSK key exchange modes the client wants to negotiate. */
- ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
- if (ext == NULL) {
- WOLFSSL_ERROR_VERBOSE(MISSING_HANDSHAKE_DATA);
- return MISSING_HANDSHAKE_DATA;
- }
- modes = ext->val;
- #ifdef HAVE_SUPPORTED_CURVES
- ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
- /* Use (EC)DHE for forward-security if possible. */
- if ((modes & (1 << PSK_DHE_KE)) != 0 && !ssl->options.noPskDheKe &&
- ext != NULL) {
- /* Only use named group used in last session. */
- ssl->namedGroup = ssl->session->namedGroup;
- *usingPSK = 2; /* generate new ephemeral key */
- }
- else if (ssl->options.onlyPskDheKe) {
- return PSK_KEY_ERROR;
- }
- else
- #endif
- {
- if ((modes & (1 << PSK_KE)) == 0) {
- WOLFSSL_MSG("psk_ke mode does not allow key share");
- WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
- return PSK_KEY_ERROR;
- }
- ssl->options.noPskDheKe = 1;
- ssl->arrays->preMasterSz = 0;
- *usingPSK = 1;
- }
- }
- #ifdef WOLFSSL_PSK_ID_PROTECTION
- else {
- #ifndef NO_CERTS
- if (ssl->buffers.certChainCnt != 0)
- return 0;
- #endif
- WOLFSSL_ERROR_VERBOSE(BAD_BINDER);
- return BAD_BINDER;
- }
- #endif
- WOLFSSL_LEAVE("CheckPreSharedKeys", ret);
- return 0;
- }
- #endif /* HAVE_SESSION_TICKET || !NO_PSK */
- #if defined(WOLFSSL_SEND_HRR_COOKIE)
- /* Check that the Cookie data's integrity.
- *
- * ssl SSL/TLS object.
- * cookie The cookie data - hash and MAC.
- * cookieSz The length of the cookie data in bytes.
- * returns Length of the hash on success, otherwise failure.
- */
- int TlsCheckCookie(const WOLFSSL* ssl, const byte* cookie, word16 cookieSz)
- {
- int ret;
- byte mac[WC_MAX_DIGEST_SIZE] = {0};
- Hmac cookieHmac;
- byte cookieType = 0;
- byte macSz = 0;
- #if !defined(NO_SHA) && defined(NO_SHA256)
- cookieType = SHA;
- macSz = WC_SHA_DIGEST_SIZE;
- #endif /* NO_SHA */
- #ifndef NO_SHA256
- cookieType = WC_SHA256;
- macSz = WC_SHA256_DIGEST_SIZE;
- #endif /* NO_SHA256 */
- if (cookieSz < ssl->specs.hash_size + macSz)
- return HRR_COOKIE_ERROR;
- cookieSz -= macSz;
- ret = wc_HmacInit(&cookieHmac, ssl->heap, INVALID_DEVID);
- if (ret == 0) {
- ret = wc_HmacSetKey(&cookieHmac, cookieType,
- ssl->buffers.tls13CookieSecret.buffer,
- ssl->buffers.tls13CookieSecret.length);
- }
- if (ret == 0)
- ret = wc_HmacUpdate(&cookieHmac, cookie, cookieSz);
- #ifdef WOLFSSL_DTLS13
- /* Tie cookie to peer address */
- if (ret == 0) {
- if (ssl->options.dtls && ssl->buffers.dtlsCtx.peer.sz > 0) {
- ret = wc_HmacUpdate(&cookieHmac,
- (byte*)ssl->buffers.dtlsCtx.peer.sa,
- ssl->buffers.dtlsCtx.peer.sz);
- }
- }
- #endif
- if (ret == 0)
- ret = wc_HmacFinal(&cookieHmac, mac);
- wc_HmacFree(&cookieHmac);
- if (ret != 0)
- return ret;
- if (ConstantCompare(cookie + cookieSz, mac, macSz) != 0) {
- WOLFSSL_ERROR_VERBOSE(HRR_COOKIE_ERROR);
- return HRR_COOKIE_ERROR;
- }
- return cookieSz;
- }
- /* Length of the KeyShare Extension */
- #define HRR_KEY_SHARE_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
- /* Length of the Supported Versions Extension */
- #define HRR_VERSIONS_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
- /* Length of the Cookie Extension excluding cookie data */
- #define HRR_COOKIE_HDR_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
- /* PV | Random | Session Id | CipherSuite | Compression | Ext Len */
- #define HRR_BODY_SZ (VERSION_SZ + RAN_LEN + ENUM_LEN + ID_LEN + \
- SUITE_LEN + COMP_LEN + OPAQUE16_LEN)
- /* HH | PV | CipherSuite | Ext Len | Key Share | Supported Version | Cookie */
- #define MAX_HRR_SZ (HRR_MAX_HS_HEADER_SZ + \
- HRR_BODY_SZ + \
- HRR_KEY_SHARE_SZ + \
- HRR_VERSIONS_SZ + \
- HRR_COOKIE_HDR_SZ)
- /* Restart the handshake hash from the cookie value.
- *
- * ssl SSL/TLS object.
- * cookie Cookie data from client.
- * returns 0 on success, otherwise failure.
- */
- static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
- {
- byte header[HANDSHAKE_HEADER_SZ] = {0};
- byte hrr[MAX_HRR_SZ] = {0};
- int hrrIdx;
- word32 idx;
- byte hashSz;
- byte* cookieData;
- word16 cookieDataSz;
- word16 length;
- int keyShareExt = 0;
- int ret;
- ret = TlsCheckCookie(ssl, cookie->data, (byte)cookie->len);
- if (ret < 0)
- return ret;
- cookieDataSz = (word16)ret;
- hashSz = cookie->data[0];
- cookieData = cookie->data;
- idx = OPAQUE8_LEN;
- /* Restart handshake hash with synthetic message hash. */
- AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl);
- if ((ret = InitHandshakeHashes(ssl)) != 0)
- return ret;
- if ((ret = HashRaw(ssl, header, sizeof(header))) != 0)
- return ret;
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG("Restart Hash from Cookie");
- WOLFSSL_BUFFER(cookieData + idx, hashSz);
- #endif
- if ((ret = HashRaw(ssl, cookieData + idx, hashSz)) != 0)
- return ret;
- /* Reconstruct the HelloRetryMessage for handshake hash. */
- length = HRR_BODY_SZ - ID_LEN + ssl->session->sessionIDSz +
- HRR_COOKIE_HDR_SZ + cookie->len;
- length += HRR_VERSIONS_SZ;
- /* HashSz (1 byte) + Hash (HashSz bytes) + CipherSuite (2 bytes) */
- if (cookieDataSz > OPAQUE8_LEN + hashSz + OPAQUE16_LEN) {
- keyShareExt = 1;
- length += HRR_KEY_SHARE_SZ;
- }
- AddTls13HandShakeHeader(hrr, length, 0, 0, server_hello, ssl);
- idx += hashSz;
- hrrIdx = HANDSHAKE_HEADER_SZ;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- hrrIdx += DTLS_HANDSHAKE_EXTRA;
- #endif /* WOLFSSL_DTLS13 */
- /* The negotiated protocol version. */
- hrr[hrrIdx++] = ssl->version.major;
- hrr[hrrIdx++] = ssl->options.dtls ? DTLSv1_2_MINOR : TLSv1_2_MINOR;
- /* HelloRetryRequest message has fixed value for random. */
- XMEMCPY(hrr + hrrIdx, helloRetryRequestRandom, RAN_LEN);
- hrrIdx += RAN_LEN;
- hrr[hrrIdx++] = ssl->session->sessionIDSz;
- if (ssl->session->sessionIDSz > 0) {
- XMEMCPY(hrr + hrrIdx, ssl->session->sessionID, ssl->session->sessionIDSz);
- hrrIdx += ssl->session->sessionIDSz;
- }
- /* Cipher Suite */
- hrr[hrrIdx++] = cookieData[idx++];
- hrr[hrrIdx++] = cookieData[idx++];
- /* Compression not supported in TLS v1.3. */
- hrr[hrrIdx++] = 0;
- /* Extensions' length */
- length -= HRR_BODY_SZ - ID_LEN + ssl->session->sessionIDSz;
- c16toa(length, hrr + hrrIdx);
- hrrIdx += 2;
- /* Optional KeyShare Extension */
- if (keyShareExt) {
- c16toa(TLSX_KEY_SHARE, hrr + hrrIdx);
- hrrIdx += 2;
- c16toa(OPAQUE16_LEN, hrr + hrrIdx);
- hrrIdx += 2;
- hrr[hrrIdx++] = cookieData[idx++];
- hrr[hrrIdx++] = cookieData[idx++];
- }
- c16toa(TLSX_SUPPORTED_VERSIONS, hrr + hrrIdx);
- hrrIdx += 2;
- c16toa(OPAQUE16_LEN, hrr + hrrIdx);
- hrrIdx += 2;
- #ifdef WOLFSSL_TLS13_DRAFT
- hrr[hrrIdx++] = TLS_DRAFT_MAJOR;
- hrr[hrrIdx++] = TLS_DRAFT_MINOR;
- #else
- hrr[hrrIdx++] = ssl->version.major;
- hrr[hrrIdx++] = ssl->version.minor;
- #endif
- /* Mandatory Cookie Extension */
- c16toa(TLSX_COOKIE, hrr + hrrIdx);
- hrrIdx += 2;
- c16toa(cookie->len + OPAQUE16_LEN, hrr + hrrIdx);
- hrrIdx += 2;
- c16toa(cookie->len, hrr + hrrIdx);
- hrrIdx += 2;
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG("Reconstructed HelloRetryRequest");
- WOLFSSL_BUFFER(hrr, hrrIdx);
- WOLFSSL_MSG("Cookie");
- WOLFSSL_BUFFER(cookieData, cookie->len);
- #endif
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- ret = Dtls13HashHandshake(ssl, hrr, (word16)hrrIdx);
- }
- else
- #endif /* WOLFSSL_DTLS13 */
- {
- ret = HashRaw(ssl, hrr, hrrIdx);
- }
- if (ret != 0)
- return ret;
- return HashRaw(ssl, cookieData, cookie->len);
- }
- #endif
- /* Do SupportedVersion extension for TLS v1.3+ otherwise it is not.
- *
- * ssl The SSL/TLS object.
- * input The message buffer.
- * i The index into the message buffer of ClientHello.
- * helloSz The length of the current handshake message.
- * returns 0 on success and otherwise failure.
- */
- static int DoTls13SupportedVersions(WOLFSSL* ssl, const byte* input, word32 i,
- word32 helloSz, int* wantDowngrade)
- {
- int ret;
- byte b;
- word16 suiteSz;
- word16 totalExtSz;
- int foundVersion = 0;
- /* Client random */
- i += RAN_LEN;
- /* Session id - not used in TLS v1.3 */
- b = input[i++];
- if (i + b > helloSz) {
- return BUFFER_ERROR;
- }
- i += b;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- /* legacy_cookie - not used in DTLS v1.3 */
- b = input[i++];
- if (i + b > helloSz) {
- return BUFFER_ERROR;
- }
- i += b;
- }
- #endif /* WOLFSSL_DTLS13 */
- /* Cipher suites */
- if (i + OPAQUE16_LEN > helloSz)
- return BUFFER_ERROR;
- ato16(input + i, &suiteSz);
- i += OPAQUE16_LEN;
- if (i + suiteSz + 1 > helloSz)
- return BUFFER_ERROR;
- i += suiteSz;
- /* Compression */
- b = input[i++];
- if (i + b > helloSz)
- return BUFFER_ERROR;
- i += b;
- /* TLS 1.3 must have extensions */
- if (i < helloSz) {
- if (i + OPAQUE16_LEN > helloSz)
- return BUFFER_ERROR;
- ato16(&input[i], &totalExtSz);
- i += OPAQUE16_LEN;
- if (totalExtSz != helloSz - i)
- return BUFFER_ERROR;
- /* Need to negotiate version first. */
- if ((ret = TLSX_ParseVersion(ssl, input + i, totalExtSz, client_hello,
- &foundVersion))) {
- return ret;
- }
- }
- *wantDowngrade = !foundVersion || !IsAtLeastTLSv1_3(ssl->version);
- return 0;
- }
- /* Handle a ClientHello handshake message.
- * If the protocol version in the message is not TLS v1.3 or higher, use
- * DoClientHello()
- * Only a server will receive this message.
- *
- * ssl The SSL/TLS object.
- * input The message buffer.
- * inOutIdx On entry, the index into the message buffer of ClientHello.
- * On exit, the index of byte after the ClientHello message and
- * padding.
- * helloSz The length of the current handshake message.
- * returns 0 on success and otherwise failure.
- */
- typedef struct Dch13Args {
- ProtocolVersion pv;
- Suites* clSuites;
- word32 idx;
- word32 begin;
- int usingPSK;
- } Dch13Args;
- static void FreeDch13Args(WOLFSSL* ssl, void* pArgs)
- {
- Dch13Args* args = (Dch13Args*)pArgs;
- (void)ssl;
- if (args && args->clSuites) {
- XFREE(args->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);
- args->clSuites = NULL;
- }
- }
- int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
- word32 helloSz)
- {
- int ret;
- #ifdef WOLFSSL_ASYNC_CRYPT
- Dch13Args* args = NULL;
- WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
- #else
- Dch13Args args[1];
- #endif
- #if defined(HAVE_ECH)
- TLSX* echX = NULL;
- #endif
- WOLFSSL_START(WC_FUNC_CLIENT_HELLO_DO);
- WOLFSSL_ENTER("DoTls13ClientHello");
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->async == NULL) {
- ssl->async = (struct WOLFSSL_ASYNC*)
- XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
- DYNAMIC_TYPE_ASYNC);
- if (ssl->async == NULL)
- ERROR_OUT(MEMORY_E, exit_dch);
- }
- args = (Dch13Args*)ssl->async->args;
- ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
- if (ret != WC_NO_PENDING_E) {
- /* Check for error */
- if (ret < 0) {
- goto exit_dch;
- }
- }
- else
- #endif
- {
- /* Reset state */
- ret = VERSION_ERROR;
- ssl->options.asyncState = TLS_ASYNC_BEGIN;
- XMEMSET(args, 0, sizeof(Dch13Args));
- #ifdef WOLFSSL_ASYNC_CRYPT
- ssl->async->freeArgs = FreeDch13Args;
- #endif
- }
- switch (ssl->options.asyncState) {
- case TLS_ASYNC_BEGIN:
- {
- byte b;
- byte sessIdSz;
- int wantDowngrade = 0;
- word16 totalExtSz = 0;
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello");
- if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo);
- #endif
- /* do not change state in the SSL object before the next region of code
- * to be able to statelessly compute a DTLS cookie */
- #if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
- /* Update the ssl->options.dtlsStateful setting `if` statement in
- * wolfSSL_accept_TLSv13 when changing this one. */
- if (IsDtlsNotSctpMode(ssl) && ssl->options.sendCookie) {
- ret = DoClientHelloStateless(ssl, input, inOutIdx, helloSz);
- if (ret != 0 || !ssl->options.dtlsStateful) {
- *inOutIdx += helloSz;
- goto exit_dch;
- }
- }
- ssl->options.dtlsStateful = 1;
- #endif /* WOLFSSL_DTLS */
- args->idx = *inOutIdx;
- args->begin = args->idx;
- /* protocol version, random and session id length check */
- if (OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz) {
- ERROR_OUT(BUFFER_ERROR, exit_dch);
- }
- /* Protocol version */
- XMEMCPY(&args->pv, input + args->idx, OPAQUE16_LEN);
- ssl->chVersion = args->pv; /* store */
- args->idx += OPAQUE16_LEN;
- /* this check pass for DTLS Major (0xff) */
- if (args->pv.major < SSLv3_MAJOR) {
- WOLFSSL_MSG("Legacy version field contains unsupported value");
- ERROR_OUT(VERSION_ERROR, exit_dch);
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls &&
- args->pv.major == DTLS_MAJOR && args->pv.minor > DTLSv1_2_MINOR) {
- wantDowngrade = 1;
- ssl->version.minor = args->pv.minor;
- }
- #endif /* WOLFSSL_DTLS13 */
- if (!ssl->options.dtls) {
- /* Legacy protocol version cannot negotiate TLS 1.3 or higher. */
- if (args->pv.major > SSLv3_MAJOR || (args->pv.major == SSLv3_MAJOR &&
- args->pv.minor >= TLSv1_3_MINOR)) {
- args->pv.major = SSLv3_MAJOR;
- args->pv.minor = TLSv1_2_MINOR;
- wantDowngrade = 1;
- ssl->version.minor = args->pv.minor;
- }
- /* Legacy version must be [ SSLv3_MAJOR, TLSv1_2_MINOR ] for TLS v1.3 */
- else if (args->pv.major == SSLv3_MAJOR &&
- args->pv.minor < TLSv1_2_MINOR) {
- wantDowngrade = 1;
- ssl->version.minor = args->pv.minor;
- }
- }
- if (!wantDowngrade) {
- ret = DoTls13SupportedVersions(ssl, input + args->begin,
- args->idx - args->begin, helloSz, &wantDowngrade);
- if (ret < 0)
- goto exit_dch;
- }
- if (wantDowngrade) {
- #ifndef WOLFSSL_NO_TLS12
- byte realMinor;
- if (!ssl->options.downgrade) {
- WOLFSSL_MSG("Client trying to connect with lesser version than "
- "TLS v1.3");
- ERROR_OUT(VERSION_ERROR, exit_dch);
- }
- if ((!ssl->options.dtls
- && args->pv.minor < ssl->options.minDowngrade) ||
- (ssl->options.dtls && args->pv.minor > ssl->options.minDowngrade)) {
- WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
- ERROR_OUT(VERSION_ERROR, exit_dch);
- }
- realMinor = ssl->version.minor;
- ssl->version.minor = args->pv.minor;
- ret = HashInput(ssl, input + args->begin, helloSz);
- ssl->version.minor = realMinor;
- if (ret == 0) {
- ret = DoClientHello(ssl, input, inOutIdx, helloSz);
- }
- goto exit_dch;
- #else
- WOLFSSL_MSG("Client trying to connect with lesser version than "
- "TLS v1.3");
- ERROR_OUT(VERSION_ERROR, exit_dch);
- #endif
- }
- /* From here on we are a TLS 1.3 ClientHello. */
- /* Client random */
- XMEMCPY(ssl->arrays->clientRandom, input + args->idx, RAN_LEN);
- args->idx += RAN_LEN;
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG("client random");
- WOLFSSL_BUFFER(ssl->arrays->clientRandom, RAN_LEN);
- #endif
- sessIdSz = input[args->idx++];
- #ifndef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
- if (sessIdSz > ID_LEN)
- #else
- if (sessIdSz != ID_LEN && sessIdSz != 0)
- #endif
- {
- ERROR_OUT(INVALID_PARAMETER, exit_dch);
- }
- if (sessIdSz + args->idx > helloSz)
- ERROR_OUT(BUFFER_ERROR, exit_dch);
- ssl->session->sessionIDSz = sessIdSz;
- if (sessIdSz > 0)
- XMEMCPY(ssl->session->sessionID, input + args->idx, sessIdSz);
- args->idx += sessIdSz;
- #ifdef WOLFSSL_DTLS13
- /* legacy_cookie */
- if (ssl->options.dtls) {
- /* https://www.rfc-editor.org/rfc/rfc9147.html#section-5.3 */
- byte cookieLen = input[args->idx++];
- if (cookieLen != 0) {
- ERROR_OUT(INVALID_PARAMETER, exit_dch);
- }
- }
- #endif /* WOLFSSL_DTLS13 */
- args->clSuites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap,
- DYNAMIC_TYPE_SUITES);
- if (args->clSuites == NULL) {
- ERROR_OUT(MEMORY_E, exit_dch);
- }
- /* Cipher suites */
- if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz)
- ERROR_OUT(BUFFER_ERROR, exit_dch);
- ato16(&input[args->idx], &args->clSuites->suiteSz);
- args->idx += OPAQUE16_LEN;
- if ((args->clSuites->suiteSz % 2) != 0) {
- ERROR_OUT(INVALID_PARAMETER, exit_dch);
- }
- /* suites and compression length check */
- if ((args->idx - args->begin) + args->clSuites->suiteSz + OPAQUE8_LEN > helloSz)
- ERROR_OUT(BUFFER_ERROR, exit_dch);
- if (args->clSuites->suiteSz > WOLFSSL_MAX_SUITE_SZ)
- ERROR_OUT(BUFFER_ERROR, exit_dch);
- XMEMCPY(args->clSuites->suites, input + args->idx, args->clSuites->suiteSz);
- args->idx += args->clSuites->suiteSz;
- args->clSuites->hashSigAlgoSz = 0;
- /* Compression */
- b = input[args->idx++];
- if ((args->idx - args->begin) + b > helloSz)
- ERROR_OUT(BUFFER_ERROR, exit_dch);
- if (b != COMP_LEN) {
- WOLFSSL_MSG("Must be one compression type in list");
- ERROR_OUT(INVALID_PARAMETER, exit_dch);
- }
- b = input[args->idx++];
- if (b != NO_COMPRESSION) {
- WOLFSSL_MSG("Must be no compression type in list");
- ERROR_OUT(INVALID_PARAMETER, exit_dch);
- }
- /* Extensions */
- if ((args->idx - args->begin) == helloSz)
- ERROR_OUT(BUFFER_ERROR, exit_dch);
- if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz)
- ERROR_OUT(BUFFER_ERROR, exit_dch);
- ato16(&input[args->idx], &totalExtSz);
- args->idx += OPAQUE16_LEN;
- if ((args->idx - args->begin) + totalExtSz > helloSz)
- ERROR_OUT(BUFFER_ERROR, exit_dch);
- /* Auto populate extensions supported unless user defined. */
- if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0)
- goto exit_dch;
- #if defined(HAVE_ECH)
- if (ssl->ctx->echConfigs != NULL) {
- /* save the start of the buffer so we can use it when parsing ech */
- echX = TLSX_Find(ssl->extensions, TLSX_ECH);
- if (echX == NULL)
- return -1;
- ((WOLFSSL_ECH*)echX->data)->aad = input + HANDSHAKE_HEADER_SZ;
- ((WOLFSSL_ECH*)echX->data)->aadLen = helloSz;
- }
- #endif
- /* Parse extensions */
- if ((ret = TLSX_Parse(ssl, input + args->idx, totalExtSz, client_hello,
- args->clSuites))) {
- goto exit_dch;
- }
- #if defined(HAVE_ECH)
- /* jump to the end to clean things up */
- if (echX != NULL && ((WOLFSSL_ECH*)echX->data)->state == ECH_WRITE_NONE)
- goto exit_dch;
- #endif
- #ifdef HAVE_SNI
- if ((ret = SNI_Callback(ssl)) != 0)
- goto exit_dch;
- ssl->options.side = WOLFSSL_SERVER_END;
- #endif
- args->idx += totalExtSz;
- ssl->options.haveSessionId = 1;
- ssl->options.sendVerify = SEND_CERT;
- #if defined(WOLFSSL_SEND_HRR_COOKIE)
- ssl->options.cookieGood = 0;
- if (ssl->options.sendCookie &&
- (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE
- #ifdef WOLFSSL_DTLS13
- /* Always check for a valid cookie since we may have already
- * sent a HRR but we reset the state. */
- || ssl->options.dtls
- #endif
- )) {
- TLSX* ext = TLSX_Find(ssl->extensions, TLSX_COOKIE);
- if (ext != NULL) {
- /* Ensure the cookie came from client and isn't the one in the
- * response - HelloRetryRequest.
- */
- if (ext->resp == 0) {
- ret = RestartHandshakeHashWithCookie(ssl, (Cookie*)ext->data);
- if (ret != 0)
- goto exit_dch;
- /* Don't change state here as we may want to enter
- * DoTls13ClientHello again. */
- ssl->options.cookieGood = 1;
- }
- else {
- ERROR_OUT(HRR_COOKIE_ERROR, exit_dch);
- }
- }
- else {
- ERROR_OUT(HRR_COOKIE_ERROR, exit_dch);
- }
- }
- #endif
- #if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
- defined(HAVE_TLS_EXTENSIONS)
- ret = CheckPreSharedKeys(ssl, input + args->begin, helloSz, args->clSuites,
- &args->usingPSK);
- if (ret != 0)
- goto exit_dch;
- #else
- if ((ret = HashInput(ssl, input + args->begin, helloSz)) != 0)
- goto exit_dch;
- #endif
- #if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
- defined(HAVE_TLS_EXTENSIONS)
- if (!args->usingPSK)
- #endif
- {
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- /* Not using PSK so don't require no KE. */
- ssl->options.noPskDheKe = 0;
- #endif
- #ifndef NO_CERTS
- if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) {
- WOLFSSL_MSG("Client did not send a KeyShare extension");
- ERROR_OUT(INCOMPLETE_DATA, exit_dch);
- }
- if (TLSX_Find(ssl->extensions, TLSX_SIGNATURE_ALGORITHMS) == NULL) {
- WOLFSSL_MSG("Client did not send a SignatureAlgorithms extension");
- ERROR_OUT(INCOMPLETE_DATA, exit_dch);
- }
- #else
- ERROR_OUT(INVALID_PARAMETER, exit_dch);
- #endif
- }
- #ifdef HAVE_ALPN
- /* With PSK and all other things validated, it's time to
- * select the ALPN protocol, if so requested */
- if ((ret = ALPN_Select(ssl)) != 0)
- goto exit_dch;
- #endif
- } /* case TLS_ASYNC_BEGIN */
- FALL_THROUGH;
- case TLS_ASYNC_BUILD:
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_DO;
- FALL_THROUGH;
- case TLS_ASYNC_DO:
- {
- #ifndef NO_CERTS
- if (!args->usingPSK) {
- if ((ret = MatchSuite(ssl, args->clSuites)) < 0) {
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret != WC_PENDING_E)
- #endif
- WOLFSSL_MSG("Unsupported cipher suite, ClientHello 1.3");
- goto exit_dch;
- }
- }
- else
- #endif
- #ifdef HAVE_SUPPORTED_CURVES
- if (args->usingPSK == 2) {
- /* Pick key share and Generate a new key if not present. */
- int doHelloRetry = 0;
- ret = TLSX_KeyShare_Establish(ssl, &doHelloRetry);
- if (doHelloRetry) {
- ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
- if (ret != WC_PENDING_E)
- ret = 0; /* for hello_retry return 0 */
- }
- if (ret != 0)
- goto exit_dch;
- }
- #endif
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_VERIFY;
- } /* case TLS_ASYNC_BUILD || TLS_ASYNC_DO */
- FALL_THROUGH;
- case TLS_ASYNC_VERIFY:
- {
- #if defined(WOLFSSL_ASYNC_CRYPT) && defined(HAVE_SUPPORTED_CURVES)
- /* Check if the KeyShare calculations from the previous state are complete.
- * wolfSSL_AsyncPop advances ssl->options.asyncState so we may end up here
- * with a pending calculation. */
- TLSX* extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
- if (extension != NULL && extension->resp == 1) {
- KeyShareEntry* serverKSE = (KeyShareEntry*)extension->data;
- if (serverKSE != NULL && serverKSE->lastRet == WC_PENDING_E) {
- ret = TLSX_KeyShare_GenKey(ssl, serverKSE);
- if (ret != 0)
- goto exit_dch;
- }
- }
- #endif
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_FINALIZE;
- }
- FALL_THROUGH;
- case TLS_ASYNC_FINALIZE:
- {
- *inOutIdx = args->idx;
- ssl->options.clientState = CLIENT_HELLO_COMPLETE;
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- ssl->options.pskNegotiated = (args->usingPSK != 0);
- #endif
- if (!args->usingPSK) {
- #ifndef NO_CERTS
- /* Check that the negotiated ciphersuite matches protocol version. */
- #ifdef HAVE_NULL_CIPHER
- if (ssl->options.cipherSuite0 == ECC_BYTE &&
- (ssl->options.cipherSuite == TLS_SHA256_SHA256 ||
- ssl->options.cipherSuite == TLS_SHA384_SHA384)) {
- ;
- }
- else
- #endif
- #if defined(WOLFSSL_SM4_GCM) && defined(WOLFSSL_SM3)
- if (ssl->options.cipherSuite0 == CIPHER_BYTE &&
- ssl->options.cipherSuite == TLS_SM4_GCM_SM3) {
- ; /* Do nothing. */
- }
- else
- #endif
- #if defined(WOLFSSL_SM4_CCM) && defined(WOLFSSL_SM3)
- if (ssl->options.cipherSuite0 == CIPHER_BYTE &&
- ssl->options.cipherSuite == TLS_SM4_CCM_SM3) {
- ; /* Do nothing. */
- }
- else
- #endif
- if (ssl->options.cipherSuite0 != TLS13_BYTE) {
- WOLFSSL_MSG("Negotiated ciphersuite from lesser version than "
- "TLS v1.3");
- ERROR_OUT(MATCH_SUITE_ERROR, exit_dch);
- }
- #ifdef HAVE_SESSION_TICKET
- if (ssl->options.resuming) {
- ssl->options.resuming = 0;
- XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size);
- }
- #endif
- /* Derive early secret for handshake secret. */
- if ((ret = DeriveEarlySecret(ssl)) != 0)
- goto exit_dch;
- #endif /* !NO_CERTS */
- }
- break;
- } /* case TLS_ASYNC_FINALIZE */
- default:
- ret = INPUT_CASE_ERROR;
- } /* switch (ssl->options.asyncState) */
- #if defined(WOLFSSL_SEND_HRR_COOKIE)
- if (ret == 0 && ssl->options.sendCookie && ssl->options.cookieGood &&
- (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE
- #ifdef WOLFSSL_DTLS13
- /* DTLS cookie exchange should be done in stateless code in
- * DoClientHelloStateless. If we verified the cookie then
- * always advance the state. */
- || ssl->options.dtls
- #endif
- ))
- ssl->options.serverState = SERVER_HELLO_COMPLETE;
- #endif
- #if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
- if (ret == 0 && ssl->options.dtls && ssl->options.sendCookie &&
- ssl->options.serverState <= SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
- /* Cookie and key share negotiation should be handled in
- * DoClientHelloStateless. If we enter here then something went wrong
- * in our logic. */
- ERROR_OUT(BAD_HELLO, exit_dch);
- }
- #endif /* WOLFSSL_DTLS13 */
- #ifdef WOLFSSL_DTLS_CID
- /* do not modify CID state if we are sending an HRR */
- if (ssl->options.useDtlsCID &&
- ssl->options.serverState != SERVER_HELLO_RETRY_REQUEST_COMPLETE)
- DtlsCIDOnExtensionsParsed(ssl);
- #endif /* WOLFSSL_DTLS_CID */
- exit_dch:
- WOLFSSL_LEAVE("DoTls13ClientHello", ret);
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- ssl->msgsReceived.got_client_hello = 0;
- return ret;
- }
- #endif
- FreeDch13Args(ssl, args);
- #ifdef WOLFSSL_ASYNC_CRYPT
- FreeAsyncCtx(ssl, 0);
- #endif
- WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- #if defined(HAVE_ECH)
- if (ret == 0 && echX != NULL &&
- ((WOLFSSL_ECH*)echX->data)->state == ECH_WRITE_NONE) {
- /* add the header to the inner hello */
- AddTls13HandShakeHeader(((WOLFSSL_ECH*)echX->data)->innerClientHello,
- ((WOLFSSL_ECH*)echX->data)->innerClientHelloLen, 0, 0,
- client_hello, ssl);
- }
- #endif
- return ret;
- }
- /* Send TLS v1.3 ServerHello message to client.
- * Only a server will send this message.
- *
- * ssl The SSL/TLS object.
- * returns 0 on success, otherwise failure.
- */
- /* handle generation of TLS 1.3 server_hello (2) */
- int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType)
- {
- int ret;
- byte* output;
- word16 length;
- word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- int sendSz;
- #if defined(HAVE_ECH)
- TLSX* echX = NULL;
- word32 serverRandomOffset;
- #endif
- WOLFSSL_START(WC_FUNC_SERVER_HELLO_SEND);
- WOLFSSL_ENTER("SendTls13ServerHello");
- /* When ssl->options.dtlsStateful is not set then cookie is calculated in
- * dtls.c */
- if (extMsgType == hello_retry_request
- #ifdef WOLFSSL_DTLS13
- && (!ssl->options.dtls || ssl->options.dtlsStateful)
- #endif
- ) {
- WOLFSSL_MSG("wolfSSL Sending HelloRetryRequest");
- if ((ret = RestartHandshakeHash(ssl)) < 0)
- return ret;
- }
- ssl->options.buildingMsg = 1;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- idx = DTLS_RECORD_HEADER_SZ + DTLS_HANDSHAKE_HEADER_SZ;
- #endif /* WOLFSSL_DTLS13 */
- /* Protocol version, server random, session id, cipher suite, compression
- * and extensions.
- */
- length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session->sessionIDSz +
- SUITE_LEN + COMP_LEN;
- ret = TLSX_GetResponseSize(ssl, extMsgType, &length);
- if (ret != 0)
- return ret;
- sendSz = idx + length;
- /* Check buffers are big enough and grow if needed. */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
- /* Get position in output buffer to write new message to. */
- output = GetOutputBuffer(ssl);
- /* Put the record and handshake headers on. */
- AddTls13Headers(output, length, server_hello, ssl);
- /* The protocol version must be TLS v1.2 for middleboxes. */
- output[idx++] = ssl->version.major;
- output[idx++] = ssl->options.dtls ? DTLSv1_2_MINOR : TLSv1_2_MINOR;
- if (extMsgType == server_hello) {
- /* Generate server random. */
- if ((ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN)) != 0)
- return ret;
- }
- else {
- /* HelloRetryRequest message has fixed value for random. */
- XMEMCPY(output + idx, helloRetryRequestRandom, RAN_LEN);
- }
- #if defined(HAVE_ECH)
- serverRandomOffset = idx;
- #endif
- /* Store in SSL for debugging. */
- XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN);
- idx += RAN_LEN;
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG("Server random");
- WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN);
- #endif
- output[idx++] = ssl->session->sessionIDSz;
- if (ssl->session->sessionIDSz > 0) {
- XMEMCPY(output + idx, ssl->session->sessionID, ssl->session->sessionIDSz);
- idx += ssl->session->sessionIDSz;
- }
- /* Chosen cipher suite */
- output[idx++] = ssl->options.cipherSuite0;
- output[idx++] = ssl->options.cipherSuite;
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_MSG("Chosen cipher suite:");
- WOLFSSL_MSG(GetCipherNameInternal(ssl->options.cipherSuite0,
- ssl->options.cipherSuite));
- #endif
- /* Compression not supported in TLS v1.3. */
- output[idx++] = 0;
- /* Extensions */
- ret = TLSX_WriteResponse(ssl, output + idx, extMsgType, NULL);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_SEND_HRR_COOKIE
- if (ssl->options.sendCookie && extMsgType == hello_retry_request) {
- /* Reset the hashes from here. We will be able to restart the hashes
- * from the cookie in RestartHandshakeHashWithCookie */
- #ifdef WOLFSSL_DTLS13
- /* When ssl->options.dtlsStateful is not set then cookie is calculated
- * in dtls.c */
- if (ssl->options.dtls && !ssl->options.dtlsStateful)
- ret = 0;
- else
- #endif
- ret = InitHandshakeHashes(ssl);
- }
- else
- #endif
- {
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- ret = Dtls13HashHandshake(
- ssl,
- output + Dtls13GetRlHeaderLength(ssl, 0) ,
- (word16)sendSz - Dtls13GetRlHeaderLength(ssl, 0));
- }
- else
- #endif /* WOLFSSL_DTLS13 */
- {
- #if defined(HAVE_ECH)
- if (ssl->ctx->echConfigs != NULL) {
- echX = TLSX_Find(ssl->extensions, TLSX_ECH);
- if (echX == NULL)
- return -1;
- /* replace the last 8 bytes of server random with the accept */
- if (((WOLFSSL_ECH*)echX->data)->state == ECH_PARSED_INTERNAL) {
- ret = EchWriteAcceptance(ssl, output + RECORD_HEADER_SZ,
- serverRandomOffset - RECORD_HEADER_SZ,
- sendSz - RECORD_HEADER_SZ);
- /* remove ech so we don't keep sending it in write */
- TLSX_Remove(&ssl->extensions, TLSX_ECH, ssl->heap);
- }
- }
- #endif
- if (ret == 0)
- ret = HashOutput(ssl, output, sendSz, 0);
- }
- }
- if (ret != 0)
- return ret;
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "ServerHello");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "ServerHello", handshake, output, sendSz,
- WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- if (extMsgType == server_hello)
- ssl->options.serverState = SERVER_HELLO_COMPLETE;
- ssl->options.buildingMsg = 0;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- ret = Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)sendSz,
- (enum HandShakeType)extMsgType, 0);
- WOLFSSL_LEAVE("SendTls13ServerHello", ret);
- WOLFSSL_END(WC_FUNC_SERVER_HELLO_SEND);
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- ssl->buffers.outputBuffer.length += sendSz;
- if (!ssl->options.groupMessages || extMsgType != server_hello)
- ret = SendBuffered(ssl);
- WOLFSSL_LEAVE("SendTls13ServerHello", ret);
- WOLFSSL_END(WC_FUNC_SERVER_HELLO_SEND);
- return ret;
- }
- /* handle generation of TLS 1.3 encrypted_extensions (8) */
- /* Send the rest of the extensions encrypted under the handshake key.
- * This message is always encrypted in TLS v1.3.
- * Only a server will send this message.
- *
- * ssl The SSL/TLS object.
- * returns 0 on success, otherwise failure.
- */
- static int SendTls13EncryptedExtensions(WOLFSSL* ssl)
- {
- int ret;
- byte* output;
- word16 length = 0;
- word32 idx;
- int sendSz;
- WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND);
- WOLFSSL_ENTER("SendTls13EncryptedExtensions");
- ssl->options.buildingMsg = 1;
- ssl->keys.encryptionOn = 1;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- idx = Dtls13GetHeadersLength(ssl, encrypted_extensions);
- }
- else
- #endif /* WOLFSSL_DTLS13 */
- {
- idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- }
- #if defined(HAVE_SUPPORTED_CURVES) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
- if ((ret = TLSX_SupportedCurve_CheckPriority(ssl)) != 0)
- return ret;
- #endif
- /* Derive the handshake secret now that we are at first message to be
- * encrypted under the keys.
- */
- if ((ret = DeriveHandshakeSecret(ssl)) != 0)
- return ret;
- if ((ret = DeriveTls13Keys(ssl, handshake_key,
- ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0)
- return ret;
- /* Setup encrypt/decrypt keys for following messages. */
- #ifdef WOLFSSL_EARLY_DATA
- if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
- return ret;
- if (ssl->earlyData != process_early_data) {
- if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
- return ret;
- }
- #else
- if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
- return ret;
- #endif
- #ifdef WOLFSSL_QUIC
- if (IsAtLeastTLSv1_3(ssl->version) && WOLFSSL_IS_QUIC(ssl)) {
- ret = wolfSSL_quic_add_transport_extensions(ssl, encrypted_extensions);
- if (ret != 0)
- return ret;
- }
- #endif
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- w64wrapper epochHandshake = w64From32(0, DTLS13_EPOCH_HANDSHAKE);
- ssl->dtls13Epoch = epochHandshake;
- ret = Dtls13NewEpoch(
- ssl, epochHandshake, ENCRYPT_AND_DECRYPT_SIDE);
- if (ret != 0)
- return ret;
- ret = Dtls13SetEpochKeys(
- ssl, epochHandshake, ENCRYPT_AND_DECRYPT_SIDE);
- if (ret != 0)
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- ret = TLSX_GetResponseSize(ssl, encrypted_extensions, &length);
- if (ret != 0)
- return ret;
- sendSz = idx + length;
- /* Encryption always on. */
- sendSz += MAX_MSG_EXTRA;
- /* Check buffers are big enough and grow if needed. */
- ret = CheckAvailableSize(ssl, sendSz);
- if (ret != 0)
- return ret;
- /* Get position in output buffer to write new message to. */
- output = GetOutputBuffer(ssl);
- /* Put the record and handshake headers on. */
- AddTls13Headers(output, length, encrypted_extensions, ssl);
- ret = TLSX_WriteResponse(ssl, output + idx, encrypted_extensions, NULL);
- if (ret != 0)
- return ret;
- idx += length;
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "EncryptedExtensions");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "EncryptedExtensions", handshake, output,
- sendSz, WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- ssl->options.buildingMsg = 0;
- ret = Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)idx,
- encrypted_extensions, 1);
- if (ret == 0)
- ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;
- WOLFSSL_LEAVE("SendTls13EncryptedExtensions", ret);
- WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND);
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- /* This handshake message is always encrypted. */
- sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
- idx - RECORD_HEADER_SZ, handshake, 1, 0, 0);
- if (sendSz < 0)
- return sendSz;
- ssl->buffers.outputBuffer.length += sendSz;
- ssl->options.buildingMsg = 0;
- ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;
- if (!ssl->options.groupMessages)
- ret = SendBuffered(ssl);
- WOLFSSL_LEAVE("SendTls13EncryptedExtensions", ret);
- WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND);
- return ret;
- }
- #ifndef NO_CERTS
- /* handle generation TLS v1.3 certificate_request (13) */
- /* Send the TLS v1.3 CertificateRequest message.
- * This message is always encrypted in TLS v1.3.
- * Only a server will send this message.
- *
- * ssl SSL/TLS object.
- * reqCtx Request context.
- * reqCtxLen Length of context. 0 when sending as part of handshake.
- * returns 0 on success, otherwise failure.
- */
- static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx,
- int reqCtxLen)
- {
- byte* output;
- int ret;
- int sendSz;
- word32 i;
- word16 reqSz;
- word16 hashSigAlgoSz = 0;
- SignatureAlgorithms* sa;
- int haveSig = SIG_RSA | SIG_ECDSA | SIG_FALCON | SIG_DILITHIUM;
- #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
- haveSig |= SIG_SM2;
- #endif
- WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_SEND);
- WOLFSSL_ENTER("SendTls13CertificateRequest");
- ssl->options.buildingMsg = 1;
- if (ssl->options.side != WOLFSSL_SERVER_END)
- return SIDE_ERROR;
- /* Get the length of the hashSigAlgo buffer */
- InitSuitesHashSigAlgo_ex2(NULL, haveSig, 1, ssl->buffers.keySz,
- &hashSigAlgoSz);
- sa = TLSX_SignatureAlgorithms_New(ssl, hashSigAlgoSz, ssl->heap);
- if (sa == NULL)
- return MEMORY_ERROR;
- InitSuitesHashSigAlgo_ex2(sa->hashSigAlgo, haveSig, 1, ssl->buffers.keySz,
- &hashSigAlgoSz);
- ret = TLSX_Push(&ssl->extensions, TLSX_SIGNATURE_ALGORITHMS, sa, ssl->heap);
- if (ret != 0) {
- TLSX_SignatureAlgorithms_FreeAll(sa, ssl->heap);
- return ret;
- }
- i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- i = Dtls13GetRlHeaderLength(ssl, 1) + DTLS_HANDSHAKE_HEADER_SZ;
- #endif /* WOLFSSL_DTLS13 */
- reqSz = (word16)(OPAQUE8_LEN + reqCtxLen);
- ret = TLSX_GetRequestSize(ssl, certificate_request, &reqSz);
- if (ret != 0)
- return ret;
- sendSz = i + reqSz;
- /* Always encrypted and make room for padding. */
- sendSz += MAX_MSG_EXTRA;
- /* Check buffers are big enough and grow if needed. */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
- /* Get position in output buffer to write new message to. */
- output = GetOutputBuffer(ssl);
- /* Put the record and handshake headers on. */
- AddTls13Headers(output, reqSz, certificate_request, ssl);
- /* Certificate request context. */
- output[i++] = (byte)reqCtxLen;
- if (reqCtxLen != 0) {
- XMEMCPY(output + i, reqCtx, reqCtxLen);
- i += reqCtxLen;
- }
- /* Certificate extensions. */
- reqSz = 0;
- ret = TLSX_WriteRequest(ssl, output + i, certificate_request, &reqSz);
- if (ret != 0)
- return ret;
- i += reqSz;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- ssl->options.buildingMsg = 0;
- ret =
- Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)i,
- certificate_request, 1);
- WOLFSSL_LEAVE("SendTls13CertificateRequest", ret);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_SEND);
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- /* Always encrypted. */
- sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
- i - RECORD_HEADER_SZ, handshake, 1, 0, 0);
- if (sendSz < 0)
- return sendSz;
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "CertificateRequest");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "CertificateRequest", handshake, output,
- sendSz, WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->buffers.outputBuffer.length += sendSz;
- ssl->options.buildingMsg = 0;
- if (!ssl->options.groupMessages)
- ret = SendBuffered(ssl);
- WOLFSSL_LEAVE("SendTls13CertificateRequest", ret);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_SEND);
- return ret;
- }
- #endif /* NO_CERTS */
- #endif /* NO_WOLFSSL_SERVER */
- #ifndef NO_CERTS
- #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
- defined(HAVE_ED448) || defined(HAVE_PQC)
- /* Encode the signature algorithm into buffer.
- *
- * hashalgo The hash algorithm.
- * hsType The signature type.
- * output The buffer to encode into.
- */
- static WC_INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output)
- {
- switch (hsType) {
- #ifdef HAVE_ECC
- case ecc_dsa_sa_algo:
- output[0] = hashAlgo;
- output[1] = ecc_dsa_sa_algo;
- break;
- #endif
- #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
- case sm2_sa_algo:
- output[0] = SM2_SA_MAJOR;
- output[1] = SM2_SA_MINOR;
- break;
- #endif
- #ifdef HAVE_ED25519
- /* ED25519: 0x0807 */
- case ed25519_sa_algo:
- output[0] = ED25519_SA_MAJOR;
- output[1] = ED25519_SA_MINOR;
- (void)hashAlgo;
- break;
- #endif
- #ifdef HAVE_ED448
- /* ED448: 0x0808 */
- case ed448_sa_algo:
- output[0] = ED448_SA_MAJOR;
- output[1] = ED448_SA_MINOR;
- (void)hashAlgo;
- break;
- #endif
- #ifndef NO_RSA
- /* PSS signatures: 0x080[4-6] */
- case rsa_pss_sa_algo:
- output[0] = rsa_pss_sa_algo;
- output[1] = hashAlgo;
- break;
- #endif
- #ifdef HAVE_PQC
- #ifdef HAVE_FALCON
- case falcon_level1_sa_algo:
- output[0] = FALCON_LEVEL1_SA_MAJOR;
- output[1] = FALCON_LEVEL1_SA_MINOR;
- break;
- case falcon_level5_sa_algo:
- output[0] = FALCON_LEVEL5_SA_MAJOR;
- output[1] = FALCON_LEVEL5_SA_MINOR;
- break;
- #endif
- #ifdef HAVE_DILITHIUM
- case dilithium_level2_sa_algo:
- output[0] = DILITHIUM_LEVEL2_SA_MAJOR;
- output[1] = DILITHIUM_LEVEL2_SA_MINOR;
- break;
- case dilithium_level3_sa_algo:
- output[0] = DILITHIUM_LEVEL3_SA_MAJOR;
- output[1] = DILITHIUM_LEVEL3_SA_MINOR;
- break;
- case dilithium_level5_sa_algo:
- output[0] = DILITHIUM_LEVEL5_SA_MAJOR;
- output[1] = DILITHIUM_LEVEL5_SA_MINOR;
- break;
- #endif
- #endif
- default:
- break;
- }
- }
- /* Decode the signature algorithm.
- *
- * input The encoded signature algorithm.
- * hashalgo The hash algorithm.
- * hsType The signature type.
- * returns INVALID_PARAMETER if not recognized and 0 otherwise.
- */
- static WC_INLINE int DecodeTls13SigAlg(byte* input, byte* hashAlgo,
- byte* hsType)
- {
- int ret = 0;
- switch (input[0]) {
- #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
- case SM2_SA_MAJOR:
- if (input[1] == SM2_SA_MINOR) {
- *hsType = sm2_sa_algo;
- *hashAlgo = sm3_mac;
- }
- else
- ret = INVALID_PARAMETER;
- break;
- #endif
- case NEW_SA_MAJOR:
- /* PSS signatures: 0x080[4-6] */
- if (input[1] >= sha256_mac && input[1] <= sha512_mac) {
- *hsType = input[0];
- *hashAlgo = input[1];
- }
- #ifdef HAVE_ED25519
- /* ED25519: 0x0807 */
- else if (input[1] == ED25519_SA_MINOR) {
- *hsType = ed25519_sa_algo;
- /* Hash performed as part of sign/verify operation. */
- *hashAlgo = sha512_mac;
- }
- #endif
- #ifdef HAVE_ED448
- /* ED448: 0x0808 */
- else if (input[1] == ED448_SA_MINOR) {
- *hsType = ed448_sa_algo;
- /* Hash performed as part of sign/verify operation. */
- *hashAlgo = sha512_mac;
- }
- #endif
- else
- ret = INVALID_PARAMETER;
- break;
- #ifdef HAVE_PQC
- case PQC_SA_MAJOR:
- #if defined(HAVE_FALCON)
- if (input[1] == FALCON_LEVEL1_SA_MINOR) {
- *hsType = falcon_level1_sa_algo;
- /* Hash performed as part of sign/verify operation. */
- *hashAlgo = sha512_mac;
- } else if (input[1] == FALCON_LEVEL5_SA_MINOR) {
- *hsType = falcon_level5_sa_algo;
- /* Hash performed as part of sign/verify operation. */
- *hashAlgo = sha512_mac;
- }
- else
- #endif /* HAVE_FALCON */
- #if defined(HAVE_DILITHIUM)
- if (input[1] == DILITHIUM_LEVEL2_SA_MINOR) {
- *hsType = dilithium_level2_sa_algo;
- /* Hash performed as part of sign/verify operation. */
- *hashAlgo = sha512_mac;
- } else if (input[1] == DILITHIUM_LEVEL3_SA_MINOR) {
- *hsType = dilithium_level3_sa_algo;
- /* Hash performed as part of sign/verify operation. */
- *hashAlgo = sha512_mac;
- } else if (input[1] == DILITHIUM_LEVEL5_SA_MINOR) {
- *hsType = dilithium_level5_sa_algo;
- /* Hash performed as part of sign/verify operation. */
- *hashAlgo = sha512_mac;
- }
- else
- #endif /* HAVE_DILITHIUM */
- {
- ret = INVALID_PARAMETER;
- }
- break;
- #endif
- default:
- *hashAlgo = input[0];
- *hsType = input[1];
- break;
- }
- return ret;
- }
- /* Get the hash of the messages so far.
- *
- * ssl The SSL/TLS object.
- * hash The buffer to write the hash to.
- * returns the length of the hash.
- */
- static WC_INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash)
- {
- int ret = 0;
- switch (ssl->specs.mac_algorithm) {
- #ifndef NO_SHA256
- case sha256_mac:
- ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
- if (ret == 0)
- ret = WC_SHA256_DIGEST_SIZE;
- break;
- #endif /* !NO_SHA256 */
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
- if (ret == 0)
- ret = WC_SHA384_DIGEST_SIZE;
- break;
- #endif /* WOLFSSL_SHA384 */
- #ifdef WOLFSSL_TLS13_SHA512
- case sha512_mac:
- ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
- if (ret == 0)
- ret = WC_SHA512_DIGEST_SIZE;
- break;
- #endif /* WOLFSSL_TLS13_SHA512 */
- #ifdef WOLFSSL_SM3
- case sm3_mac:
- ret = wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash);
- if (ret == 0)
- ret = WC_SM3_DIGEST_SIZE;
- break;
- #endif /* WOLFSSL_SM3 */
- default:
- break;
- }
- return ret;
- }
- /* The server certificate verification label. */
- static const byte serverCertVfyLabel[CERT_VFY_LABEL_SZ] =
- "TLS 1.3, server CertificateVerify";
- /* The client certificate verification label. */
- static const byte clientCertVfyLabel[CERT_VFY_LABEL_SZ] =
- "TLS 1.3, client CertificateVerify";
- /* The prefix byte in the signature data. */
- #define SIGNING_DATA_PREFIX_BYTE 0x20
- /* Create the signature data for TLS v1.3 certificate verification.
- *
- * ssl The SSL/TLS object.
- * sigData The signature data.
- * sigDataSz The length of the signature data.
- * check Indicates this is a check not create.
- */
- int CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz,
- int check)
- {
- word16 idx;
- int side = ssl->options.side;
- int ret;
- /* Signature Data = Prefix | Label | Handshake Hash */
- XMEMSET(sigData, SIGNING_DATA_PREFIX_BYTE, SIGNING_DATA_PREFIX_SZ);
- idx = SIGNING_DATA_PREFIX_SZ;
- if ((side == WOLFSSL_SERVER_END && check) ||
- (side == WOLFSSL_CLIENT_END && !check)) {
- XMEMCPY(&sigData[idx], clientCertVfyLabel, CERT_VFY_LABEL_SZ);
- }
- if ((side == WOLFSSL_CLIENT_END && check) ||
- (side == WOLFSSL_SERVER_END && !check)) {
- XMEMCPY(&sigData[idx], serverCertVfyLabel, CERT_VFY_LABEL_SZ);
- }
- idx += CERT_VFY_LABEL_SZ;
- ret = GetMsgHash(ssl, &sigData[idx]);
- if (ret < 0)
- return ret;
- *sigDataSz = (word16)(idx + ret);
- ret = 0;
- return ret;
- }
- #ifndef NO_RSA
- /* Encode the PKCS #1.5 RSA signature.
- *
- * sig The buffer to place the encoded signature into.
- * sigData The data to be signed.
- * sigDataSz The size of the data to be signed.
- * hashAlgo The hash algorithm to use when signing.
- * returns the length of the encoded signature or negative on error.
- */
- int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz,
- int sigAlgo, int hashAlgo)
- {
- Digest digest;
- int hashSz = 0;
- int ret = BAD_FUNC_ARG;
- byte* hash;
- (void)sigAlgo;
- hash = sig;
- /* Digest the signature data. */
- switch (hashAlgo) {
- #ifndef NO_WOLFSSL_SHA256
- case sha256_mac:
- ret = wc_InitSha256(&digest.sha256);
- if (ret == 0) {
- ret = wc_Sha256Update(&digest.sha256, sigData, sigDataSz);
- if (ret == 0)
- ret = wc_Sha256Final(&digest.sha256, hash);
- wc_Sha256Free(&digest.sha256);
- }
- hashSz = WC_SHA256_DIGEST_SIZE;
- break;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- ret = wc_InitSha384(&digest.sha384);
- if (ret == 0) {
- ret = wc_Sha384Update(&digest.sha384, sigData, sigDataSz);
- if (ret == 0)
- ret = wc_Sha384Final(&digest.sha384, hash);
- wc_Sha384Free(&digest.sha384);
- }
- hashSz = WC_SHA384_DIGEST_SIZE;
- break;
- #endif
- #ifdef WOLFSSL_SHA512
- case sha512_mac:
- ret = wc_InitSha512(&digest.sha512);
- if (ret == 0) {
- ret = wc_Sha512Update(&digest.sha512, sigData, sigDataSz);
- if (ret == 0)
- ret = wc_Sha512Final(&digest.sha512, hash);
- wc_Sha512Free(&digest.sha512);
- }
- hashSz = WC_SHA512_DIGEST_SIZE;
- break;
- #endif
- }
- if (ret != 0)
- return ret;
- return hashSz;
- }
- #endif /* !NO_RSA */
- #ifdef HAVE_ECC
- /* Encode the ECC signature.
- *
- * sigData The data to be signed.
- * sigDataSz The size of the data to be signed.
- * hashAlgo The hash algorithm to use when signing.
- * returns the length of the encoded signature or negative on error.
- */
- static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo)
- {
- Digest digest;
- int hashSz = 0;
- int ret = BAD_FUNC_ARG;
- /* Digest the signature data. */
- switch (hashAlgo) {
- #ifndef NO_WOLFSSL_SHA256
- case sha256_mac:
- ret = wc_InitSha256(&digest.sha256);
- if (ret == 0) {
- ret = wc_Sha256Update(&digest.sha256, sigData, sigDataSz);
- if (ret == 0)
- ret = wc_Sha256Final(&digest.sha256, sigData);
- wc_Sha256Free(&digest.sha256);
- }
- hashSz = WC_SHA256_DIGEST_SIZE;
- break;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- ret = wc_InitSha384(&digest.sha384);
- if (ret == 0) {
- ret = wc_Sha384Update(&digest.sha384, sigData, sigDataSz);
- if (ret == 0)
- ret = wc_Sha384Final(&digest.sha384, sigData);
- wc_Sha384Free(&digest.sha384);
- }
- hashSz = WC_SHA384_DIGEST_SIZE;
- break;
- #endif
- #ifdef WOLFSSL_SHA512
- case sha512_mac:
- ret = wc_InitSha512(&digest.sha512);
- if (ret == 0) {
- ret = wc_Sha512Update(&digest.sha512, sigData, sigDataSz);
- if (ret == 0)
- ret = wc_Sha512Final(&digest.sha512, sigData);
- wc_Sha512Free(&digest.sha512);
- }
- hashSz = WC_SHA512_DIGEST_SIZE;
- break;
- #endif
- default:
- break;
- }
- if (ret != 0)
- return ret;
- return hashSz;
- }
- #endif /* HAVE_ECC */
- #if !defined(NO_RSA) && defined(WC_RSA_PSS)
- /* Check that the decrypted signature matches the encoded signature
- * based on the digest of the signature data.
- *
- * ssl The SSL/TLS object.
- * sigAlgo The signature algorithm used to generate signature.
- * hashAlgo The hash algorithm used to generate signature.
- * decSig The decrypted signature.
- * decSigSz The size of the decrypted signature.
- * returns 0 on success, otherwise failure.
- */
- static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo,
- byte* decSig, word32 decSigSz)
- {
- int ret = 0;
- byte sigData[MAX_SIG_DATA_SZ];
- word16 sigDataSz;
- ret = CreateSigData(ssl, sigData, &sigDataSz, 1);
- if (ret != 0)
- return ret;
- if (sigAlgo == rsa_pss_sa_algo) {
- enum wc_HashType hashType = WC_HASH_TYPE_NONE;
- word32 sigSz;
- ret = ConvertHashPss(hashAlgo, &hashType, NULL);
- if (ret < 0)
- return ret;
- /* PSS signature can be done in-place */
- ret = CreateRSAEncodedSig(sigData, sigData, sigDataSz,
- sigAlgo, hashAlgo);
- if (ret < 0)
- return ret;
- sigSz = ret;
- ret = wc_RsaPSS_CheckPadding(sigData, sigSz, decSig, decSigSz,
- hashType);
- }
- return ret;
- }
- #endif /* !NO_RSA && WC_RSA_PSS */
- #endif /* !NO_RSA || HAVE_ECC */
- #if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)
- /* Get the next certificate from the list for writing into the TLS v1.3
- * Certificate message.
- *
- * data The certificate list.
- * length The length of the certificate data in the list.
- * idx The index of the next certificate.
- * returns the length of the certificate data. 0 indicates no more certificates
- * in the list.
- */
- static word32 NextCert(byte* data, word32 length, word32* idx)
- {
- word32 len;
- /* Is index at end of list. */
- if (*idx == length)
- return 0;
- /* Length of the current ASN.1 encoded certificate. */
- c24to32(data + *idx, &len);
- /* Include the length field. */
- len += 3;
- /* Move index to next certificate and return the current certificate's
- * length.
- */
- *idx += len;
- return len;
- }
- /* Add certificate data and empty extension to output up to the fragment size.
- *
- * ssl SSL/TLS object.
- * cert The certificate data to write out.
- * len The length of the certificate data.
- * extSz Length of the extension data with the certificate.
- * idx The start of the certificate data to write out.
- * fragSz The maximum size of this fragment.
- * output The buffer to write to.
- * returns the number of bytes written.
- */
- static word32 AddCertExt(WOLFSSL* ssl, byte* cert, word32 len, word16 extSz,
- word32 idx, word32 fragSz, byte* output)
- {
- word32 i = 0;
- word32 copySz = min(len - idx, fragSz);
- if (idx < len) {
- XMEMCPY(output, cert + idx, copySz);
- i = copySz;
- if (copySz == fragSz)
- return i;
- }
- copySz = len + extSz - idx - i;
- if (extSz == OPAQUE16_LEN) {
- if (copySz <= fragSz) {
- /* Empty extension */
- output[i++] = 0;
- output[i++] = 0;
- }
- }
- else {
- byte* certExts = ssl->buffers.certExts->buffer + idx + i - len;
- /* Put out as much of the extensions' data as will fit in fragment. */
- if (copySz > fragSz - i)
- copySz = fragSz - i;
- XMEMCPY(output + i, certExts, copySz);
- i += copySz;
- }
- return i;
- }
- /* handle generation TLS v1.3 certificate (11) */
- /* Send the certificate for this end and any CAs that help with validation.
- * This message is always encrypted in TLS v1.3.
- *
- * ssl The SSL/TLS object.
- * returns 0 on success, otherwise failure.
- */
- static int SendTls13Certificate(WOLFSSL* ssl)
- {
- int ret = 0;
- word32 certSz, certChainSz, headerSz, listSz, payloadSz;
- word16 extSz = 0;
- word32 length, maxFragment;
- word32 len = 0;
- word32 idx = 0;
- word32 offset = OPAQUE16_LEN;
- byte* p = NULL;
- byte certReqCtxLen = 0;
- #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
- byte* certReqCtx = NULL;
- #endif
- #ifdef OPENSSL_EXTRA
- WOLFSSL_X509* x509 = NULL;
- WOLFSSL_EVP_PKEY* pkey = NULL;
- #endif
- WOLFSSL_START(WC_FUNC_CERTIFICATE_SEND);
- WOLFSSL_ENTER("SendTls13Certificate");
- ssl->options.buildingMsg = 1;
- #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
- if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
- certReqCtxLen = ssl->certReqCtx->len;
- certReqCtx = &ssl->certReqCtx->ctx;
- }
- #endif
- #ifdef OPENSSL_EXTRA
- /* call client cert callback if no cert has been loaded */
- if ((ssl->ctx->CBClientCert != NULL) &&
- (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer)) {
- ret = ssl->ctx->CBClientCert(ssl, &x509, &pkey);
- if (ret == 1) {
- if ((wolfSSL_CTX_use_certificate(ssl->ctx, x509) == WOLFSSL_SUCCESS) &&
- (wolfSSL_CTX_use_PrivateKey(ssl->ctx, pkey) == WOLFSSL_SUCCESS)) {
- ssl->options.sendVerify = SEND_CERT;
- }
- wolfSSL_X509_free(x509);
- wolfSSL_EVP_PKEY_free(pkey);
- }
- }
- #endif
- if (ssl->options.sendVerify == SEND_BLANK_CERT) {
- certSz = 0;
- certChainSz = 0;
- headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ;
- length = headerSz;
- listSz = 0;
- }
- else {
- #ifdef OPENSSL_EXTRA
- if ((ret = CertSetupCbWrapper(ssl)) != 0)
- return ret;
- #endif
- if (!ssl->buffers.certificate) {
- WOLFSSL_MSG("Send Cert missing certificate buffer");
- return BUFFER_ERROR;
- }
- /* Certificate Data */
- certSz = ssl->buffers.certificate->length;
- /* Cert Req Ctx Len | Cert Req Ctx | Cert List Len | Cert Data Len */
- headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ +
- CERT_HEADER_SZ;
- ret = TLSX_GetResponseSize(ssl, certificate, &extSz);
- if (ret < 0)
- return ret;
- /* Create extensions' data if none already present. */
- if (extSz > OPAQUE16_LEN && ssl->buffers.certExts == NULL) {
- ret = AllocDer(&ssl->buffers.certExts, extSz, CERT_TYPE, ssl->heap);
- if (ret < 0)
- return ret;
- extSz = 0;
- ret = TLSX_WriteResponse(ssl, ssl->buffers.certExts->buffer,
- certificate, &extSz);
- if (ret < 0)
- return ret;
- }
- /* Length of message data with one certificate and extensions. */
- length = headerSz + certSz + extSz;
- /* Length of list data with one certificate and extensions. */
- listSz = CERT_HEADER_SZ + certSz + extSz;
- /* Send rest of chain if sending cert (chain has leading size/s). */
- if (certSz > 0 && ssl->buffers.certChainCnt > 0) {
- p = ssl->buffers.certChain->buffer;
- /* Chain length including extensions. */
- certChainSz = ssl->buffers.certChain->length +
- OPAQUE16_LEN * ssl->buffers.certChainCnt;
- length += certChainSz;
- listSz += certChainSz;
- }
- else
- certChainSz = 0;
- }
- payloadSz = length;
- if (ssl->fragOffset != 0)
- length -= (ssl->fragOffset + headerSz);
- maxFragment = wolfSSL_GetMaxFragSize(ssl, MAX_RECORD_SIZE);
- while (length > 0 && ret == 0) {
- byte* output = NULL;
- word32 fragSz = 0;
- word32 i = RECORD_HEADER_SZ;
- int sendSz = RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- i = Dtls13GetRlHeaderLength(ssl, 1);
- sendSz = (int)i;
- }
- #endif /* WOLFSSL_DTLS13 */
- if (ssl->fragOffset == 0) {
- if (headerSz + certSz + extSz + certChainSz <=
- maxFragment - HANDSHAKE_HEADER_SZ) {
- fragSz = headerSz + certSz + extSz + certChainSz;
- }
- #ifdef WOLFSSL_DTLS13
- else if (ssl->options.dtls){
- /* short-circuit the fragmentation logic here. DTLS
- fragmentation will be done in dtls13HandshakeSend() */
- fragSz = headerSz + certSz + extSz + certChainSz;
- }
- #endif /* WOLFSSL_DTLS13 */
- else {
- fragSz = maxFragment - HANDSHAKE_HEADER_SZ;
- }
- sendSz += fragSz + HANDSHAKE_HEADER_SZ;
- i += HANDSHAKE_HEADER_SZ;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- sendSz += DTLS_HANDSHAKE_EXTRA;
- i += DTLS_HANDSHAKE_EXTRA;
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- else {
- fragSz = min(length, maxFragment);
- sendSz += fragSz;
- }
- sendSz += MAX_MSG_EXTRA;
- /* Check buffers are big enough and grow if needed. */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
- /* Get position in output buffer to write new message to. */
- output = GetOutputBuffer(ssl);
- if (ssl->fragOffset == 0) {
- AddTls13FragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);
- /* Request context. */
- output[i++] = certReqCtxLen;
- #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
- if (certReqCtxLen > 0) {
- XMEMCPY(output + i, certReqCtx, certReqCtxLen);
- i += certReqCtxLen;
- }
- #endif
- length -= OPAQUE8_LEN + certReqCtxLen;
- fragSz -= OPAQUE8_LEN + certReqCtxLen;
- /* Certificate list length. */
- c32to24(listSz, output + i);
- i += CERT_HEADER_SZ;
- length -= CERT_HEADER_SZ;
- fragSz -= CERT_HEADER_SZ;
- /* Leaf certificate data length. */
- if (certSz > 0) {
- c32to24(certSz, output + i);
- i += CERT_HEADER_SZ;
- length -= CERT_HEADER_SZ;
- fragSz -= CERT_HEADER_SZ;
- }
- }
- else
- AddTls13RecordHeader(output, fragSz, handshake, ssl);
- if (certSz > 0 && ssl->fragOffset < certSz + extSz) {
- /* Put in the leaf certificate with extensions. */
- word32 copySz = AddCertExt(ssl, ssl->buffers.certificate->buffer,
- certSz, extSz, ssl->fragOffset, fragSz, output + i);
- i += copySz;
- ssl->fragOffset += copySz;
- length -= copySz;
- fragSz -= copySz;
- if (ssl->fragOffset == certSz + extSz)
- FreeDer(&ssl->buffers.certExts);
- }
- if (certChainSz > 0 && fragSz > 0) {
- /* Put in the CA certificates with empty extensions. */
- while (fragSz > 0) {
- word32 l;
- if (offset == len + OPAQUE16_LEN) {
- /* Find next CA certificate to write out. */
- offset = 0;
- /* Point to the start of current cert in chain buffer. */
- p = ssl->buffers.certChain->buffer + idx;
- len = NextCert(ssl->buffers.certChain->buffer,
- ssl->buffers.certChain->length, &idx);
- if (len == 0)
- break;
- }
- /* Write out certificate and empty extension. */
- l = AddCertExt(ssl, p, len, OPAQUE16_LEN, offset, fragSz,
- output + i);
- i += l;
- ssl->fragOffset += l;
- length -= l;
- fragSz -= l;
- offset += l;
- }
- }
- if ((int)i - RECORD_HEADER_SZ < 0) {
- WOLFSSL_MSG("Send Cert bad inputSz");
- return BUFFER_E;
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- /* DTLS1.3 uses a separate variable and logic for fragments */
- ssl->options.buildingMsg = 0;
- ssl->fragOffset = 0;
- ret = Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)i,
- certificate, 1);
- }
- else
- #endif /* WOLFSSL_DTLS13 */
- {
- /* This message is always encrypted. */
- sendSz = BuildTls13Message(ssl, output, sendSz,
- output + RECORD_HEADER_SZ, i - RECORD_HEADER_SZ, handshake, 1,
- 0, 0);
- if (sendSz < 0)
- return sendSz;
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "Certificate");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "Certificate", handshake, output,
- sendSz, WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->buffers.outputBuffer.length += sendSz;
- ssl->options.buildingMsg = 0;
- if (!ssl->options.groupMessages)
- ret = SendBuffered(ssl);
- }
- }
- if (ret != WANT_WRITE) {
- /* Clean up the fragment offset. */
- ssl->options.buildingMsg = 0;
- ssl->fragOffset = 0;
- if (ssl->options.side == WOLFSSL_SERVER_END)
- ssl->options.serverState = SERVER_CERT_COMPLETE;
- }
- #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
- if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
- CertReqCtx* ctx = ssl->certReqCtx;
- ssl->certReqCtx = ssl->certReqCtx->next;
- XFREE(ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
- }
- #endif
- WOLFSSL_LEAVE("SendTls13Certificate", ret);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_SEND);
- return ret;
- }
- #if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
- defined(HAVE_ED448) || defined(HAVE_PQC)) && \
- (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))
- typedef struct Scv13Args {
- byte* output; /* not allocated */
- byte* verify; /* not allocated */
- word32 idx;
- word32 sigLen;
- int sendSz;
- word16 length;
- byte sigAlgo;
- byte* sigData;
- word16 sigDataSz;
- } Scv13Args;
- static void FreeScv13Args(WOLFSSL* ssl, void* pArgs)
- {
- Scv13Args* args = (Scv13Args*)pArgs;
- (void)ssl;
- if (args && args->sigData) {
- XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- args->sigData = NULL;
- }
- }
- /* handle generation TLS v1.3 certificate_verify (15) */
- /* Send the TLS v1.3 CertificateVerify message.
- * A hash of all the message so far is used.
- * The signed data is:
- * 0x20 * 64 | context string | 0x00 | hash of messages
- * This message is always encrypted in TLS v1.3.
- *
- * ssl The SSL/TLS object.
- * returns 0 on success, otherwise failure.
- */
- static int SendTls13CertificateVerify(WOLFSSL* ssl)
- {
- int ret = 0;
- buffer* sig = &ssl->buffers.sig;
- #ifdef WOLFSSL_ASYNC_CRYPT
- Scv13Args* args = NULL;
- WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
- #else
- Scv13Args args[1];
- #endif
- #ifdef WOLFSSL_DTLS13
- int recordLayerHdrExtra;
- #endif /* WOLFSSL_DTLS13 */
- WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_SEND);
- WOLFSSL_ENTER("SendTls13CertificateVerify");
- ssl->options.buildingMsg = 1;
- #if defined(WOLFSSL_RENESAS_TSIP_TLS)
- ret = tsip_Tls13SendCertVerify(ssl);
- if (ret != CRYPTOCB_UNAVAILABLE) {
- goto exit_scv;
- }
- ret = 0;
- #endif /* WOLFSSL_RENESAS_TSIP_TLS */
- #ifdef WOLFSSL_DTLS13
- /* can be negative */
- if (ssl->options.dtls)
- recordLayerHdrExtra = Dtls13GetRlHeaderLength(ssl, 1) - RECORD_HEADER_SZ;
- else
- recordLayerHdrExtra = 0;
- #endif /* WOLFSSL_DTLS13 */
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->async == NULL) {
- ssl->async = (struct WOLFSSL_ASYNC*)
- XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
- DYNAMIC_TYPE_ASYNC);
- if (ssl->async == NULL)
- ERROR_OUT(MEMORY_E, exit_scv);
- }
- args = (Scv13Args*)ssl->async->args;
- ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
- if (ret != WC_NO_PENDING_E) {
- /* Check for error */
- if (ret < 0)
- goto exit_scv;
- }
- else
- #endif
- {
- /* Reset state */
- ret = 0;
- ssl->options.asyncState = TLS_ASYNC_BEGIN;
- XMEMSET(args, 0, sizeof(Scv13Args));
- #ifdef WOLFSSL_ASYNC_CRYPT
- ssl->async->freeArgs = FreeScv13Args;
- #endif
- }
- switch(ssl->options.asyncState)
- {
- case TLS_ASYNC_BEGIN:
- {
- if (ssl->options.sendVerify == SEND_BLANK_CERT) {
- return 0; /* sent blank cert, can't verify */
- }
- args->sendSz = MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA;
- /* Always encrypted. */
- args->sendSz += MAX_MSG_EXTRA;
- /* check for available size */
- if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) {
- goto exit_scv;
- }
- /* get output buffer */
- args->output = GetOutputBuffer(ssl);
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_BUILD;
- } /* case TLS_ASYNC_BEGIN */
- FALL_THROUGH;
- case TLS_ASYNC_BUILD:
- {
- int rem = ssl->buffers.outputBuffer.bufferSize
- - ssl->buffers.outputBuffer.length
- - RECORD_HEADER_SZ - HANDSHAKE_HEADER_SZ;
- /* idx is used to track verify pointer offset to output */
- args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- args->verify =
- &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ];
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- rem -= recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA;
- args->idx += recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA;
- args->verify += recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA;
- }
- #endif /* WOLFSSL_DTLS13 */
- if (ssl->buffers.key == NULL) {
- #ifdef HAVE_PK_CALLBACKS
- if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx))
- args->length = GetPrivateKeySigSize(ssl);
- else
- #endif
- ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
- }
- else {
- ret = DecodePrivateKey(ssl, &args->length);
- if (ret != 0)
- goto exit_scv;
- }
- if (rem < 0 || args->length > rem) {
- ERROR_OUT(BUFFER_E, exit_scv);
- }
- if (args->length == 0) {
- ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
- }
- /* Add signature algorithm. */
- if (ssl->hsType == DYNAMIC_TYPE_RSA)
- args->sigAlgo = rsa_pss_sa_algo;
- #ifdef HAVE_ECC
- else if (ssl->hsType == DYNAMIC_TYPE_ECC) {
- #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
- if (ssl->buffers.keyType == sm2_sa_algo) {
- args->sigAlgo = sm2_sa_algo;
- }
- else
- #endif
- {
- args->sigAlgo = ecc_dsa_sa_algo;
- }
- }
- #endif
- #ifdef HAVE_ED25519
- else if (ssl->hsType == DYNAMIC_TYPE_ED25519)
- args->sigAlgo = ed25519_sa_algo;
- #endif
- #ifdef HAVE_ED448
- else if (ssl->hsType == DYNAMIC_TYPE_ED448)
- args->sigAlgo = ed448_sa_algo;
- #endif
- #if defined(HAVE_PQC)
- #if defined(HAVE_FALCON)
- else if (ssl->hsType == DYNAMIC_TYPE_FALCON) {
- falcon_key* fkey = (falcon_key*)ssl->hsKey;
- byte level = 0;
- if (wc_falcon_get_level(fkey, &level) != 0) {
- ERROR_OUT(ALGO_ID_E, exit_scv);
- }
- if (level == 1) {
- args->sigAlgo = falcon_level1_sa_algo;
- }
- else if (level == 5) {
- args->sigAlgo = falcon_level5_sa_algo;
- }
- else {
- ERROR_OUT(ALGO_ID_E, exit_scv);
- }
- }
- #endif /* HAVE_FALCON */
- #if defined(HAVE_DILITHIUM)
- else if (ssl->hsType == DYNAMIC_TYPE_DILITHIUM) {
- dilithium_key* fkey = (dilithium_key*)ssl->hsKey;
- byte level = 0;
- if (wc_dilithium_get_level(fkey, &level) != 0) {
- ERROR_OUT(ALGO_ID_E, exit_scv);
- }
- if (level == 2) {
- args->sigAlgo = dilithium_level2_sa_algo;
- }
- else if (level == 3) {
- args->sigAlgo = dilithium_level3_sa_algo;
- }
- else if (level == 5) {
- args->sigAlgo = dilithium_level5_sa_algo;
- }
- else {
- ERROR_OUT(ALGO_ID_E, exit_scv);
- }
- }
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- else {
- ERROR_OUT(ALGO_ID_E, exit_scv);
- }
- EncodeSigAlg(ssl->options.hashAlgo, args->sigAlgo, args->verify);
- if (args->sigData == NULL) {
- if (ssl->hsType == DYNAMIC_TYPE_RSA) {
- int sigLen = MAX_SIG_DATA_SZ;
- if (args->length > MAX_SIG_DATA_SZ)
- sigLen = args->length;
- args->sigData = (byte*)XMALLOC(sigLen, ssl->heap,
- DYNAMIC_TYPE_SIGNATURE);
- }
- else {
- args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
- DYNAMIC_TYPE_SIGNATURE);
- }
- if (args->sigData == NULL) {
- ERROR_OUT(MEMORY_E, exit_scv);
- }
- }
- /* Create the data to be signed. */
- ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 0);
- if (ret != 0)
- goto exit_scv;
- #ifndef NO_RSA
- if (ssl->hsType == DYNAMIC_TYPE_RSA) {
- /* build encoded signature buffer */
- sig->length = WC_MAX_DIGEST_SIZE;
- sig->buffer = (byte*)XMALLOC(sig->length, ssl->heap,
- DYNAMIC_TYPE_SIGNATURE);
- if (sig->buffer == NULL) {
- ERROR_OUT(MEMORY_E, exit_scv);
- }
- ret = CreateRSAEncodedSig(sig->buffer, args->sigData,
- args->sigDataSz, args->sigAlgo, ssl->options.hashAlgo);
- if (ret < 0)
- goto exit_scv;
- sig->length = ret;
- ret = 0;
- /* Maximum size of RSA Signature. */
- args->sigLen = args->length;
- }
- #endif /* !NO_RSA */
- #ifdef HAVE_ECC
- if (ssl->hsType == DYNAMIC_TYPE_ECC) {
- sig->length = args->sendSz - args->idx - HASH_SIG_SIZE -
- VERIFY_HEADER;
- #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
- if (ssl->buffers.keyType != sm2_sa_algo)
- #endif
- {
- ret = CreateECCEncodedSig(args->sigData,
- args->sigDataSz, ssl->options.hashAlgo);
- if (ret < 0)
- goto exit_scv;
- args->sigDataSz = (word16)ret;
- ret = 0;
- }
- }
- #endif /* HAVE_ECC */
- #ifdef HAVE_ED25519
- if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
- ret = Ed25519CheckPubKey(ssl);
- if (ret < 0) {
- ERROR_OUT(ret, exit_scv);
- }
- sig->length = ED25519_SIG_SIZE;
- }
- #endif /* HAVE_ED25519 */
- #ifdef HAVE_ED448
- if (ssl->hsType == DYNAMIC_TYPE_ED448) {
- ret = Ed448CheckPubKey(ssl);
- if (ret < 0) {
- ERROR_OUT(ret, exit_scv);
- }
- sig->length = ED448_SIG_SIZE;
- }
- #endif /* HAVE_ED448 */
- #if defined(HAVE_PQC)
- #if defined(HAVE_FALCON)
- if (ssl->hsType == DYNAMIC_TYPE_FALCON) {
- sig->length = FALCON_MAX_SIG_SIZE;
- }
- #endif
- #if defined(HAVE_DILITHIUM)
- if (ssl->hsType == DYNAMIC_TYPE_DILITHIUM) {
- sig->length = DILITHIUM_MAX_SIG_SIZE;
- }
- #endif
- #endif /* HAVE_PQC */
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_DO;
- } /* case TLS_ASYNC_BUILD */
- FALL_THROUGH;
- case TLS_ASYNC_DO:
- {
- #ifdef HAVE_ECC
- if (ssl->hsType == DYNAMIC_TYPE_ECC) {
- #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
- if (ssl->buffers.keyType == sm2_sa_algo) {
- ret = Sm2wSm3Sign(ssl, TLS13_SM2_SIG_ID,
- TLS13_SM2_SIG_ID_SZ, args->sigData, args->sigDataSz,
- args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
- (word32*)&sig->length, (ecc_key*)ssl->hsKey, NULL);
- }
- else
- #endif
- {
- ret = EccSign(ssl, args->sigData, args->sigDataSz,
- args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
- (word32*)&sig->length, (ecc_key*)ssl->hsKey,
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.key
- #else
- NULL
- #endif
- );
- }
- args->length = (word16)sig->length;
- }
- #endif /* HAVE_ECC */
- #ifdef HAVE_ED25519
- if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
- ret = Ed25519Sign(ssl, args->sigData, args->sigDataSz,
- args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
- (word32*)&sig->length, (ed25519_key*)ssl->hsKey,
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.key
- #else
- NULL
- #endif
- );
- args->length = (word16)sig->length;
- }
- #endif
- #ifdef HAVE_ED448
- if (ssl->hsType == DYNAMIC_TYPE_ED448) {
- ret = Ed448Sign(ssl, args->sigData, args->sigDataSz,
- args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
- (word32*)&sig->length, (ed448_key*)ssl->hsKey,
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.key
- #else
- NULL
- #endif
- );
- args->length = (word16)sig->length;
- }
- #endif
- #if defined(HAVE_PQC)
- #if defined(HAVE_FALCON)
- if (ssl->hsType == DYNAMIC_TYPE_FALCON) {
- ret = wc_falcon_sign_msg(args->sigData, args->sigDataSz,
- args->verify + HASH_SIG_SIZE +
- VERIFY_HEADER, (word32*)&sig->length,
- (falcon_key*)ssl->hsKey);
- args->length = (word16)sig->length;
- }
- #endif
- #if defined(HAVE_DILITHIUM)
- if (ssl->hsType == DYNAMIC_TYPE_DILITHIUM) {
- ret = wc_dilithium_sign_msg(args->sigData, args->sigDataSz,
- args->verify + HASH_SIG_SIZE +
- VERIFY_HEADER, (word32*)&sig->length,
- (dilithium_key*)ssl->hsKey);
- args->length = (word16)sig->length;
- }
- #endif
- #endif /* HAVE_PQC */
- #ifndef NO_RSA
- if (ssl->hsType == DYNAMIC_TYPE_RSA) {
- ret = RsaSign(ssl, sig->buffer, (word32)sig->length,
- args->verify + HASH_SIG_SIZE + VERIFY_HEADER, &args->sigLen,
- args->sigAlgo, ssl->options.hashAlgo,
- (RsaKey*)ssl->hsKey,
- ssl->buffers.key
- );
- if (ret == 0) {
- args->length = (word16)args->sigLen;
- XMEMCPY(args->sigData,
- args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
- args->sigLen);
- }
- }
- #endif /* !NO_RSA */
- /* Check for error */
- if (ret != 0) {
- goto exit_scv;
- }
- /* Add signature length. */
- c16toa(args->length, args->verify + HASH_SIG_SIZE);
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_VERIFY;
- } /* case TLS_ASYNC_DO */
- FALL_THROUGH;
- case TLS_ASYNC_VERIFY:
- {
- #ifndef NO_RSA
- if (ssl->hsType == DYNAMIC_TYPE_RSA) {
- /* check for signature faults */
- ret = VerifyRsaSign(ssl, args->sigData, args->sigLen,
- sig->buffer, (word32)sig->length, args->sigAlgo,
- ssl->options.hashAlgo, (RsaKey*)ssl->hsKey,
- ssl->buffers.key
- );
- }
- #endif /* !NO_RSA */
- #if defined(HAVE_ECC) && defined(WOLFSSL_CHECK_SIG_FAULTS)
- if (ssl->hsType == DYNAMIC_TYPE_ECC) {
- #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
- if (ssl->buffers.keyType == sm2_sa_algo) {
- ret = Sm2wSm3Verify(ssl, TLS13_SM2_SIG_ID,
- TLS13_SM2_SIG_ID_SZ,
- args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
- sig->length, args->sigData, args->sigDataSz,
- (ecc_key*)ssl->hsKey, NULL);
- }
- else
- #endif
- {
- ret = EccVerify(ssl,
- args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
- sig->length, args->sigData, args->sigDataSz,
- (ecc_key*)ssl->hsKey,
- #ifdef HAVE_PK_CALLBACKS
- ssl->buffers.key
- #else
- NULL
- #endif
- );
- }
- }
- #endif
- /* Check for error */
- if (ret != 0) {
- goto exit_scv;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_FINALIZE;
- } /* case TLS_ASYNC_VERIFY */
- FALL_THROUGH;
- case TLS_ASYNC_FINALIZE:
- {
- /* Put the record and handshake headers on. */
- AddTls13Headers(args->output, args->length + HASH_SIG_SIZE +
- VERIFY_HEADER, certificate_verify, ssl);
- args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ +
- args->length + HASH_SIG_SIZE + VERIFY_HEADER;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- args->sendSz += recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA;
- #endif /* WOLFSSL_DTLS13 */
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_END;
- } /* case TLS_ASYNC_FINALIZE */
- FALL_THROUGH;
- case TLS_ASYNC_END:
- {
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- ssl->options.buildingMsg = 0;
- ret = Dtls13HandshakeSend(ssl, args->output,
- MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA + MAX_MSG_EXTRA,
- (word16)args->sendSz, certificate_verify, 1);
- if (ret != 0)
- goto exit_scv;
- break;
- }
- #endif /* WOLFSSL_DTLS13 */
- /* This message is always encrypted. */
- ret = BuildTls13Message(ssl, args->output,
- MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA,
- args->output + RECORD_HEADER_SZ,
- args->sendSz - RECORD_HEADER_SZ, handshake,
- 1, 0, 0);
- if (ret < 0) {
- goto exit_scv;
- }
- else {
- args->sendSz = ret;
- ret = 0;
- }
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn)
- AddPacketName(ssl, "CertificateVerify");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "CertificateVerify", handshake,
- args->output, args->sendSz, WRITE_PROTO, 0,
- ssl->heap);
- if (ret != 0)
- goto exit_scv;
- }
- #endif
- ssl->buffers.outputBuffer.length += args->sendSz;
- ssl->options.buildingMsg = 0;
- if (!ssl->options.groupMessages)
- ret = SendBuffered(ssl);
- break;
- }
- default:
- ret = INPUT_CASE_ERROR;
- } /* switch(ssl->options.asyncState) */
- exit_scv:
- WOLFSSL_LEAVE("SendTls13CertificateVerify", ret);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_SEND);
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* Handle async operation */
- if (ret == WC_PENDING_E) {
- return ret;
- }
- #endif /* WOLFSSL_ASYNC_CRYPT */
- /* Final cleanup */
- FreeScv13Args(ssl, args);
- FreeKeyExchange(ssl);
- #ifdef WOLFSSL_ASYNC_IO
- /* Cleanup async */
- FreeAsyncCtx(ssl, 0);
- #endif
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- }
- return ret;
- }
- #endif
- #endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */
- #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
- /* handle processing TLS v1.3 certificate (11) */
- /* Parse and handle a TLS v1.3 Certificate message.
- *
- * ssl The SSL/TLS object.
- * input The message buffer.
- * inOutIdx On entry, the index into the message buffer of Certificate.
- * On exit, the index of byte after the Certificate message.
- * totalSz The length of the current handshake message.
- * returns 0 on success and otherwise failure.
- */
- static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
- word32 totalSz)
- {
- int ret = 0;
- WOLFSSL_START(WC_FUNC_CERTIFICATE_DO);
- WOLFSSL_ENTER("DoTls13Certificate");
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls && ssl->options.handShakeDone) {
- /* certificate needs some special care after the handshake */
- ret = Dtls13RtxProcessingCertificate(
- ssl, input + *inOutIdx, totalSz);
- }
- #endif /* WOLFSSL_DTLS13 */
- if (ret == 0)
- ret = ProcessPeerCerts(ssl, input, inOutIdx, totalSz);
- if (ret == 0) {
- #if !defined(NO_WOLFSSL_CLIENT)
- if (ssl->options.side == WOLFSSL_CLIENT_END)
- ssl->options.serverState = SERVER_CERT_COMPLETE;
- #endif
- #if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
- if (ssl->options.side == WOLFSSL_SERVER_END &&
- ssl->options.handShakeState == HANDSHAKE_DONE) {
- /* reset handshake states */
- ssl->options.serverState = SERVER_FINISHED_COMPLETE;
- ssl->options.acceptState = TICKET_SENT;
- ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
- }
- #endif
- }
- WOLFSSL_LEAVE("DoTls13Certificate", ret);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_DO);
- return ret;
- }
- #endif
- #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
- defined(HAVE_ED448)
- typedef struct Dcv13Args {
- byte* output; /* not allocated */
- word32 sendSz;
- word16 sz;
- word32 sigSz;
- word32 idx;
- word32 begin;
- byte hashAlgo;
- byte sigAlgo;
- byte* sigData;
- word16 sigDataSz;
- } Dcv13Args;
- static void FreeDcv13Args(WOLFSSL* ssl, void* pArgs)
- {
- Dcv13Args* args = (Dcv13Args*)pArgs;
- if (args && args->sigData != NULL) {
- XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
- args->sigData = NULL;
- }
- (void)ssl;
- }
- /* handle processing TLS v1.3 certificate_verify (15) */
- /* Parse and handle a TLS v1.3 CertificateVerify message.
- *
- * ssl The SSL/TLS object.
- * input The message buffer.
- * inOutIdx On entry, the index into the message buffer of
- * CertificateVerify.
- * On exit, the index of byte after the CertificateVerify message.
- * totalSz The length of the current handshake message.
- * returns 0 on success and otherwise failure.
- */
- static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
- word32* inOutIdx, word32 totalSz)
- {
- int ret = 0;
- buffer* sig = &ssl->buffers.sig;
- #ifdef WOLFSSL_ASYNC_CRYPT
- Dcv13Args* args = NULL;
- WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
- #else
- Dcv13Args args[1];
- #endif
- WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_DO);
- WOLFSSL_ENTER("DoTls13CertificateVerify");
- #if defined(WOLFSSL_RENESAS_TSIP_TLS)
- ret = tsip_Tls13CertificateVerify(ssl, input, inOutIdx, totalSz);
- if (ret != CRYPTOCB_UNAVAILABLE) {
- goto exit_dcv;
- }
- ret = 0;
- #endif
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->async == NULL) {
- ssl->async = (struct WOLFSSL_ASYNC*)
- XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
- DYNAMIC_TYPE_ASYNC);
- if (ssl->async == NULL)
- ERROR_OUT(MEMORY_E, exit_dcv);
- }
- args = (Dcv13Args*)ssl->async->args;
- ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
- if (ret != WC_NO_PENDING_E) {
- /* Check for error */
- if (ret < 0)
- goto exit_dcv;
- }
- else
- #endif
- {
- /* Reset state */
- ret = 0;
- ssl->options.asyncState = TLS_ASYNC_BEGIN;
- XMEMSET(args, 0, sizeof(Dcv13Args));
- args->hashAlgo = sha_mac;
- args->sigAlgo = anonymous_sa_algo;
- args->idx = *inOutIdx;
- args->begin = *inOutIdx;
- #ifdef WOLFSSL_ASYNC_CRYPT
- ssl->async->freeArgs = FreeDcv13Args;
- #endif
- }
- switch(ssl->options.asyncState)
- {
- case TLS_ASYNC_BEGIN:
- {
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateVerify");
- if (ssl->toInfoOn) AddLateName("CertificateVerify",
- &ssl->timeoutInfo);
- #endif
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_BUILD;
- } /* case TLS_ASYNC_BEGIN */
- FALL_THROUGH;
- case TLS_ASYNC_BUILD:
- {
- int validSigAlgo;
- /* Signature algorithm. */
- if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > totalSz) {
- ERROR_OUT(BUFFER_ERROR, exit_dcv);
- }
- ret = DecodeTls13SigAlg(input + args->idx, &args->hashAlgo,
- &args->sigAlgo);
- if (ret < 0)
- goto exit_dcv;
- args->idx += OPAQUE16_LEN;
- /* Signature length. */
- if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) {
- ERROR_OUT(BUFFER_ERROR, exit_dcv);
- }
- ato16(input + args->idx, &args->sz);
- args->idx += OPAQUE16_LEN;
- /* Signature data. */
- if ((args->idx - args->begin) + args->sz > totalSz ||
- args->sz > ENCRYPT_LEN) {
- ERROR_OUT(BUFFER_ERROR, exit_dcv);
- }
- /* Check for public key of required type. */
- /* Assume invalid unless signature algo matches the key provided */
- validSigAlgo = 0;
- #ifdef HAVE_ED25519
- if (args->sigAlgo == ed25519_sa_algo) {
- WOLFSSL_MSG("Peer sent ED25519 sig");
- validSigAlgo = (ssl->peerEd25519Key != NULL) &&
- ssl->peerEd25519KeyPresent;
- }
- #endif
- #ifdef HAVE_ED448
- if (args->sigAlgo == ed448_sa_algo) {
- WOLFSSL_MSG("Peer sent ED448 sig");
- validSigAlgo = (ssl->peerEd448Key != NULL) &&
- ssl->peerEd448KeyPresent;
- }
- #endif
- #ifdef HAVE_ECC
- if (args->sigAlgo == ecc_dsa_sa_algo) {
- WOLFSSL_MSG("Peer sent ECC sig");
- validSigAlgo = (ssl->peerEccDsaKey != NULL) &&
- ssl->peerEccDsaKeyPresent;
- }
- #endif
- #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
- if (args->sigAlgo == sm2_sa_algo) {
- WOLFSSL_MSG("Peer sent SM2 sig");
- validSigAlgo = (ssl->peerEccDsaKey != NULL) &&
- ssl->peerEccDsaKeyPresent;
- }
- #endif
- #ifdef HAVE_PQC
- if (args->sigAlgo == falcon_level1_sa_algo) {
- WOLFSSL_MSG("Peer sent Falcon Level 1 sig");
- validSigAlgo = (ssl->peerFalconKey != NULL) &&
- ssl->peerFalconKeyPresent;
- }
- if (args->sigAlgo == falcon_level5_sa_algo) {
- WOLFSSL_MSG("Peer sent Falcon Level 5 sig");
- validSigAlgo = (ssl->peerFalconKey != NULL) &&
- ssl->peerFalconKeyPresent;
- }
- if (args->sigAlgo == dilithium_level2_sa_algo) {
- WOLFSSL_MSG("Peer sent Dilithium Level 2 sig");
- validSigAlgo = (ssl->peerDilithiumKey != NULL) &&
- ssl->peerDilithiumKeyPresent;
- }
- if (args->sigAlgo == dilithium_level3_sa_algo) {
- WOLFSSL_MSG("Peer sent Dilithium Level 3 sig");
- validSigAlgo = (ssl->peerDilithiumKey != NULL) &&
- ssl->peerDilithiumKeyPresent;
- }
- if (args->sigAlgo == dilithium_level5_sa_algo) {
- WOLFSSL_MSG("Peer sent Dilithium Level 5 sig");
- validSigAlgo = (ssl->peerDilithiumKey != NULL) &&
- ssl->peerDilithiumKeyPresent;
- }
- #endif
- #ifndef NO_RSA
- if (args->sigAlgo == rsa_sa_algo) {
- WOLFSSL_MSG("Peer sent PKCS#1.5 algo - not valid TLS 1.3");
- ERROR_OUT(INVALID_PARAMETER, exit_dcv);
- }
- if (args->sigAlgo == rsa_pss_sa_algo) {
- WOLFSSL_MSG("Peer sent RSA sig");
- validSigAlgo = (ssl->peerRsaKey != NULL) &&
- ssl->peerRsaKeyPresent;
- }
- #endif
- if (!validSigAlgo) {
- WOLFSSL_MSG("Sig algo doesn't correspond to certificate");
- ERROR_OUT(SIG_VERIFY_E, exit_dcv);
- }
- sig->buffer = (byte*)XMALLOC(args->sz, ssl->heap,
- DYNAMIC_TYPE_SIGNATURE);
- if (sig->buffer == NULL) {
- ERROR_OUT(MEMORY_E, exit_dcv);
- }
- sig->length = args->sz;
- XMEMCPY(sig->buffer, input + args->idx, args->sz);
- #ifdef HAVE_ECC
- if (ssl->peerEccDsaKeyPresent) {
- WOLFSSL_MSG("Doing ECC peer cert verify");
- args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
- DYNAMIC_TYPE_SIGNATURE);
- if (args->sigData == NULL) {
- ERROR_OUT(MEMORY_E, exit_dcv);
- }
- ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
- if (ret != 0)
- goto exit_dcv;
- #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
- if (args->sigAlgo != sm2_sa_algo)
- #endif
- {
- ret = CreateECCEncodedSig(args->sigData,
- args->sigDataSz, args->hashAlgo);
- if (ret < 0)
- goto exit_dcv;
- args->sigDataSz = (word16)ret;
- ret = 0;
- }
- }
- #endif
- #ifdef HAVE_ED25519
- if (ssl->peerEd25519KeyPresent) {
- WOLFSSL_MSG("Doing ED25519 peer cert verify");
- args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
- DYNAMIC_TYPE_SIGNATURE);
- if (args->sigData == NULL) {
- ERROR_OUT(MEMORY_E, exit_dcv);
- }
- CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
- ret = 0;
- }
- #endif
- #ifdef HAVE_ED448
- if (ssl->peerEd448KeyPresent) {
- WOLFSSL_MSG("Doing ED448 peer cert verify");
- args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
- DYNAMIC_TYPE_SIGNATURE);
- if (args->sigData == NULL) {
- ERROR_OUT(MEMORY_E, exit_dcv);
- }
- CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
- ret = 0;
- }
- #endif
- #ifdef HAVE_PQC
- if (ssl->peerFalconKeyPresent) {
- WOLFSSL_MSG("Doing Falcon peer cert verify");
- args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
- DYNAMIC_TYPE_SIGNATURE);
- if (args->sigData == NULL) {
- ERROR_OUT(MEMORY_E, exit_dcv);
- }
- CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
- ret = 0;
- }
- if (ssl->peerDilithiumKeyPresent) {
- WOLFSSL_MSG("Doing Dilithium peer cert verify");
- args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
- DYNAMIC_TYPE_SIGNATURE);
- if (args->sigData == NULL) {
- ERROR_OUT(MEMORY_E, exit_dcv);
- }
- CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
- ret = 0;
- }
- #endif
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_DO;
- } /* case TLS_ASYNC_BUILD */
- FALL_THROUGH;
- case TLS_ASYNC_DO:
- {
- #ifndef NO_RSA
- if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
- ret = RsaVerify(ssl, sig->buffer, (word32)sig->length, &args->output,
- args->sigAlgo, args->hashAlgo, ssl->peerRsaKey,
- #ifdef HAVE_PK_CALLBACKS
- &ssl->buffers.peerRsaKey
- #else
- NULL
- #endif
- );
- if (ret >= 0) {
- args->sendSz = ret;
- ret = 0;
- }
- }
- #endif /* !NO_RSA */
- #ifdef HAVE_ECC
- if (ssl->peerEccDsaKeyPresent) {
- #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
- if (args->sigAlgo == sm2_sa_algo) {
- ret = Sm2wSm3Verify(ssl, TLS13_SM2_SIG_ID,
- TLS13_SM2_SIG_ID_SZ, input + args->idx, args->sz,
- args->sigData, args->sigDataSz,
- ssl->peerEccDsaKey, NULL);
- }
- else
- #endif
- {
- ret = EccVerify(ssl, input + args->idx, args->sz,
- args->sigData, args->sigDataSz,
- ssl->peerEccDsaKey,
- #ifdef HAVE_PK_CALLBACKS
- &ssl->buffers.peerEccDsaKey
- #else
- NULL
- #endif
- );
- }
- if (ret >= 0) {
- /* CLIENT/SERVER: data verified with public key from
- * certificate. */
- ssl->options.peerAuthGood = 1;
- FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey);
- ssl->peerEccDsaKeyPresent = 0;
- }
- }
- #endif /* HAVE_ECC */
- #ifdef HAVE_ED25519
- if (ssl->peerEd25519KeyPresent) {
- ret = Ed25519Verify(ssl, input + args->idx, args->sz,
- args->sigData, args->sigDataSz,
- ssl->peerEd25519Key,
- #ifdef HAVE_PK_CALLBACKS
- &ssl->buffers.peerEd25519Key
- #else
- NULL
- #endif
- );
- if (ret >= 0) {
- /* CLIENT/SERVER: data verified with public key from
- * certificate. */
- ssl->options.peerAuthGood = 1;
- FreeKey(ssl, DYNAMIC_TYPE_ED25519,
- (void**)&ssl->peerEd25519Key);
- ssl->peerEd25519KeyPresent = 0;
- }
- }
- #endif
- #ifdef HAVE_ED448
- if (ssl->peerEd448KeyPresent) {
- ret = Ed448Verify(ssl, input + args->idx, args->sz,
- args->sigData, args->sigDataSz,
- ssl->peerEd448Key,
- #ifdef HAVE_PK_CALLBACKS
- &ssl->buffers.peerEd448Key
- #else
- NULL
- #endif
- );
- if (ret >= 0) {
- /* CLIENT/SERVER: data verified with public key from
- * certificate. */
- ssl->options.peerAuthGood = 1;
- FreeKey(ssl, DYNAMIC_TYPE_ED448,
- (void**)&ssl->peerEd448Key);
- ssl->peerEd448KeyPresent = 0;
- }
- }
- #endif
- #if defined(HAVE_PQC) && defined(HAVE_FALCON)
- if (ssl->peerFalconKeyPresent) {
- int res = 0;
- WOLFSSL_MSG("Doing Falcon peer cert verify");
- ret = wc_falcon_verify_msg(input + args->idx, args->sz,
- args->sigData, args->sigDataSz,
- &res, ssl->peerFalconKey);
- if ((ret >= 0) && (res == 1)) {
- /* CLIENT/SERVER: data verified with public key from
- * certificate. */
- ssl->options.peerAuthGood = 1;
- FreeKey(ssl, DYNAMIC_TYPE_FALCON,
- (void**)&ssl->peerFalconKey);
- ssl->peerFalconKeyPresent = 0;
- }
- }
- #endif /* HAVE_PQC && HAVE_FALCON */
- #if defined(HAVE_PQC) && defined(HAVE_DILITHIUM)
- if (ssl->peerDilithiumKeyPresent) {
- int res = 0;
- WOLFSSL_MSG("Doing Dilithium peer cert verify");
- ret = wc_dilithium_verify_msg(input + args->idx, args->sz,
- args->sigData, args->sigDataSz,
- &res, ssl->peerDilithiumKey);
- if ((ret >= 0) && (res == 1)) {
- /* CLIENT/SERVER: data verified with public key from
- * certificate. */
- ssl->options.peerAuthGood = 1;
- FreeKey(ssl, DYNAMIC_TYPE_DILITHIUM,
- (void**)&ssl->peerDilithiumKey);
- ssl->peerDilithiumKeyPresent = 0;
- }
- }
- #endif /* HAVE_PQC && HAVE_DILITHIUM */
- /* Check for error */
- if (ret != 0) {
- goto exit_dcv;
- }
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_VERIFY;
- } /* case TLS_ASYNC_DO */
- FALL_THROUGH;
- case TLS_ASYNC_VERIFY:
- {
- #if !defined(NO_RSA) && defined(WC_RSA_PSS)
- if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
- ret = CheckRSASignature(ssl, args->sigAlgo, args->hashAlgo,
- args->output, args->sendSz);
- if (ret != 0)
- goto exit_dcv;
- /* CLIENT/SERVER: data verified with public key from
- * certificate. */
- ssl->peerRsaKeyPresent = 0;
- FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey);
- ssl->options.peerAuthGood = 1;
- }
- #endif /* !NO_RSA && WC_RSA_PSS */
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_FINALIZE;
- } /* case TLS_ASYNC_VERIFY */
- FALL_THROUGH;
- case TLS_ASYNC_FINALIZE:
- {
- ssl->options.havePeerVerify = 1;
- /* Set final index */
- args->idx += args->sz;
- *inOutIdx = args->idx;
- /* Encryption is always on: add padding */
- *inOutIdx += ssl->keys.padSz;
- /* Advance state and proceed */
- ssl->options.asyncState = TLS_ASYNC_END;
- #if !defined(NO_WOLFSSL_CLIENT)
- if (ssl->options.side == WOLFSSL_CLIENT_END)
- ssl->options.serverState = SERVER_CERT_VERIFY_COMPLETE;
- #endif
- } /* case TLS_ASYNC_FINALIZE */
- FALL_THROUGH;
- case TLS_ASYNC_END:
- {
- break;
- }
- default:
- ret = INPUT_CASE_ERROR;
- } /* switch(ssl->options.asyncState) */
- exit_dcv:
- WOLFSSL_LEAVE("DoTls13CertificateVerify", ret);
- WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_DO);
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* Handle async operation */
- if (ret == WC_PENDING_E) {
- /* Mark message as not received so it can process again */
- ssl->msgsReceived.got_certificate_verify = 0;
- return ret;
- }
- else
- #endif /* WOLFSSL_ASYNC_CRYPT */
- if (ret != 0) {
- WOLFSSL_ERROR_VERBOSE(ret);
- if (ret != INVALID_PARAMETER) {
- SendAlert(ssl, alert_fatal, decrypt_error);
- }
- }
- /* Final cleanup */
- FreeDcv13Args(ssl, args);
- FreeKeyExchange(ssl);
- #ifdef WOLFSSL_ASYNC_IO
- /* Cleanup async */
- FreeAsyncCtx(ssl, 0);
- #endif
- return ret;
- }
- #endif /* !NO_RSA || HAVE_ECC */
- #endif /* !NO_CERTS */
- /* Parse and handle a TLS v1.3 Finished message.
- *
- * ssl The SSL/TLS object.
- * input The message buffer.
- * inOutIdx On entry, the index into the message buffer of Finished.
- * On exit, the index of byte after the Finished message and padding.
- * size Length of message data.
- * totalSz Length of remaining data in the message buffer.
- * sniff Indicates whether we are sniffing packets.
- * returns 0 on success and otherwise failure.
- */
- int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
- word32 size, word32 totalSz, int sniff)
- {
- int ret;
- word32 finishedSz = 0;
- byte* secret;
- byte mac[WC_MAX_DIGEST_SIZE];
- WOLFSSL_START(WC_FUNC_FINISHED_DO);
- WOLFSSL_ENTER("DoTls13Finished");
- #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
- /* verify the client sent certificate if required */
- if (ssl->options.side == WOLFSSL_SERVER_END && !ssl->options.resuming &&
- (ssl->options.mutualAuth || ssl->options.failNoCert)) {
- #ifdef OPENSSL_COMPATIBLE_DEFAULTS
- if (ssl->options.isPSK) {
- WOLFSSL_MSG("TLS v1.3 client used PSK but cert required. Allowing "
- "for OpenSSL compatibility");
- }
- else
- #endif
- if (
- #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
- !ssl->options.verifyPostHandshake &&
- #endif
- (!ssl->options.havePeerCert || !ssl->options.havePeerVerify)) {
- ret = NO_PEER_CERT; /* NO_PEER_VERIFY */
- WOLFSSL_MSG("TLS v1.3 client did not present peer cert");
- DoCertFatalAlert(ssl, ret);
- return ret;
- }
- }
- #endif
- /* check against totalSz */
- if (*inOutIdx + size > totalSz)
- return BUFFER_E;
- #if defined(WOLFSSL_RENESAS_TSIP_TLS)
- ret = tsip_Tls13HandleFinished(ssl, input, inOutIdx, size, totalSz);
- if (ret == 0) {
- ssl->options.serverState = SERVER_FINISHED_COMPLETE;
- return ret;
- }
- if (ret == VERIFY_FINISHED_ERROR) {
- SendAlert(ssl, alert_fatal, decrypt_error);
- return ret;
- }
- if (ret != CRYPTOCB_UNAVAILABLE) {
- /* other errors */
- return ret;
- }
- ret = 0;
- #endif /* WOLFSSL_RENESAS_TSIP_TLS */
- if (ssl->options.handShakeDone) {
- ret = DeriveFinishedSecret(ssl, ssl->clientSecret,
- ssl->keys.client_write_MAC_secret,
- WOLFSSL_CLIENT_END);
- if (ret != 0)
- return ret;
- secret = ssl->keys.client_write_MAC_secret;
- }
- else if (ssl->options.side == WOLFSSL_CLIENT_END) {
- /* All the handshake messages have been received to calculate
- * client and server finished keys.
- */
- ret = DeriveFinishedSecret(ssl, ssl->clientSecret,
- ssl->keys.client_write_MAC_secret,
- WOLFSSL_CLIENT_END);
- if (ret != 0)
- return ret;
- ret = DeriveFinishedSecret(ssl, ssl->serverSecret,
- ssl->keys.server_write_MAC_secret,
- WOLFSSL_SERVER_END);
- if (ret != 0)
- return ret;
- secret = ssl->keys.server_write_MAC_secret;
- }
- else {
- secret = ssl->keys.client_write_MAC_secret;
- }
- if (sniff == NO_SNIFF) {
- ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz);
- #ifdef WOLFSSL_HAVE_TLS_UNIQUE
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- XMEMCPY(ssl->serverFinished, mac, finishedSz);
- ssl->serverFinished_len = finishedSz;
- }
- else {
- XMEMCPY(ssl->clientFinished, mac, finishedSz);
- ssl->clientFinished_len = finishedSz;
- }
- #endif /* WOLFSSL_HAVE_TLS_UNIQUE */
- if (ret != 0)
- return ret;
- if (size != finishedSz)
- return BUFFER_ERROR;
- }
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
- if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo);
- #endif
- if (sniff == NO_SNIFF) {
- /* Actually check verify data. */
- if (XMEMCMP(input + *inOutIdx, mac, size) != 0){
- WOLFSSL_MSG("Verify finished error on hashes");
- SendAlert(ssl, alert_fatal, decrypt_error);
- WOLFSSL_ERROR_VERBOSE(VERIFY_FINISHED_ERROR);
- return VERIFY_FINISHED_ERROR;
- }
- }
- /* Force input exhaustion at ProcessReply by consuming padSz. */
- *inOutIdx += size + ssl->keys.padSz;
- if (ssl->options.side == WOLFSSL_SERVER_END &&
- !ssl->options.handShakeDone) {
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->earlyData != no_early_data) {
- if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY, 1)) != 0)
- return ret;
- }
- #endif
- /* Setup keys for application data messages from client. */
- if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
- return ret;
- }
- #ifndef NO_WOLFSSL_CLIENT
- if (ssl->options.side == WOLFSSL_CLIENT_END)
- ssl->options.serverState = SERVER_FINISHED_COMPLETE;
- #endif
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
- ssl->options.handShakeState = HANDSHAKE_DONE;
- ssl->options.handShakeDone = 1;
- }
- #endif
- #if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_EARLY_DATA)
- if (ssl->options.dtls && ssl->earlyData > early_data_ext) {
- /* DTLSv1.3 has no EndOfearlydata messages. We stop processing EarlyData
- as soon we receive the client's finished message */
- ssl->earlyData = done_early_data;
- }
- #endif /* WOLFSSL_DTLS13 && WOLFSSL_EARLY_DATA */
- #if defined(WOLFSSL_QUIC) && defined(WOLFSSL_EARLY_DATA)
- if (WOLFSSL_IS_QUIC(ssl) && ssl->earlyData > early_data_ext) {
- /* QUIC has no EndOfEarlyData messages. We stop processing EarlyData
- as soon we receive the client's finished message */
- ssl->earlyData = done_early_data;
- }
- #endif /* WOLFSSL_QUIC && WOLFSSL_EARLY_DATA */
- WOLFSSL_LEAVE("DoTls13Finished", 0);
- WOLFSSL_END(WC_FUNC_FINISHED_DO);
- return 0;
- }
- #if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)
- /* Send the TLS v1.3 Finished message.
- *
- * ssl The SSL/TLS object.
- * returns 0 on success, otherwise failure.
- */
- static int SendTls13Finished(WOLFSSL* ssl)
- {
- int finishedSz = ssl->specs.hash_size;
- byte* input;
- byte* output;
- int ret;
- int headerSz = HANDSHAKE_HEADER_SZ;
- int outputSz;
- byte* secret;
- #ifdef WOLFSSL_DTLS13
- int dtlsRet = 0, isDtls = 0;
- #endif /* WOLFSSL_DTLS13 */
- WOLFSSL_START(WC_FUNC_FINISHED_SEND);
- WOLFSSL_ENTER("SendTls13Finished");
- ssl->options.buildingMsg = 1;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- headerSz = DTLS_HANDSHAKE_HEADER_SZ;
- /* using isDtls instead of ssl->options.dtls will abide clang static
- analyzer on using an uninitialized value */
- isDtls = 1;
- }
- #endif /* WOLFSSL_DTLS13 */
- outputSz = WC_MAX_DIGEST_SIZE + DTLS_HANDSHAKE_HEADER_SZ + MAX_MSG_EXTRA;
- /* Check buffers are big enough and grow if needed. */
- if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
- return ret;
- /* get output buffer */
- output = GetOutputBuffer(ssl);
- input = output + RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS13
- if (isDtls)
- input = output + Dtls13GetRlHeaderLength(ssl, 1);
- #endif /* WOLFSSL_DTLS13 */
- AddTls13HandShakeHeader(input, finishedSz, 0, finishedSz, finished, ssl);
- #if defined(WOLFSSL_RENESAS_TSIP_TLS)
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- ret = tsip_Tls13SendFinished(ssl, output, outputSz, input, 1);
- if (ret != CRYPTOCB_UNAVAILABLE) {
- return ret;
- }
- ret = 0;
- }
- #endif /* WOLFSSL_RENESAS_TSIP_TLS */
- /* make finished hashes */
- if (ssl->options.handShakeDone) {
- ret = DeriveFinishedSecret(ssl, ssl->clientSecret,
- ssl->keys.client_write_MAC_secret,
- WOLFSSL_CLIENT_END);
- if (ret != 0)
- return ret;
- secret = ssl->keys.client_write_MAC_secret;
- }
- else if (ssl->options.side == WOLFSSL_CLIENT_END)
- secret = ssl->keys.client_write_MAC_secret;
- else {
- /* All the handshake messages have been done to calculate client and
- * server finished keys.
- */
- ret = DeriveFinishedSecret(ssl, ssl->clientSecret,
- ssl->keys.client_write_MAC_secret,
- WOLFSSL_SERVER_END);
- if (ret != 0)
- return ret;
- ret = DeriveFinishedSecret(ssl, ssl->serverSecret,
- ssl->keys.server_write_MAC_secret,
- WOLFSSL_CLIENT_END);
- if (ret != 0)
- return ret;
- secret = ssl->keys.server_write_MAC_secret;
- }
- ret = BuildTls13HandshakeHmac(ssl, secret, &input[headerSz], NULL);
- if (ret != 0)
- return ret;
- #ifdef WOLFSSL_HAVE_TLS_UNIQUE
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- XMEMCPY(ssl->clientFinished, &input[headerSz], finishedSz);
- ssl->clientFinished_len = finishedSz;
- }
- else {
- XMEMCPY(ssl->serverFinished, &input[headerSz], finishedSz);
- ssl->serverFinished_len = finishedSz;
- }
- #endif /* WOLFSSL_HAVE_TLS_UNIQUE */
- #ifdef WOLFSSL_DTLS13
- if (isDtls) {
- dtlsRet = Dtls13HandshakeSend(ssl, output, (word16)outputSz,
- (word16)(Dtls13GetRlHeaderLength(ssl, 1) + headerSz + finishedSz), finished,
- 1);
- if (dtlsRet != 0 && dtlsRet != WANT_WRITE)
- return ret;
- } else
- #endif /* WOLFSSL_DTLS13 */
- {
- /* This message is always encrypted. */
- int sendSz = BuildTls13Message(ssl, output, outputSz, input,
- headerSz + finishedSz, handshake, 1, 0, 0);
- if (sendSz < 0) {
- WOLFSSL_ERROR_VERBOSE(BUILD_MSG_ERROR);
- return BUILD_MSG_ERROR;
- }
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "Finished", handshake, output, sendSz,
- WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->buffers.outputBuffer.length += sendSz;
- ssl->options.buildingMsg = 0;
- }
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- #ifdef WOLFSSL_EARLY_DATA
- byte storeTrafficDecKeys = ssl->earlyData == no_early_data;
- #endif
- /* Can send application data now. */
- if ((ret = DeriveMasterSecret(ssl)) != 0)
- return ret;
- /* Last use of preMasterSecret - zeroize as soon as possible. */
- ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
- #ifdef WOLFSSL_EARLY_DATA
- #ifdef WOLFSSL_DTLS13
- /* DTLS13 dynamically change keys and it needs all
- the keys in ssl->keys to save the keying material */
- if (isDtls)
- storeTrafficDecKeys = 1;
- #endif /* WOLFSSL_DTLS13 */
- if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_SIDE_ONLY, 1))
- != 0) {
- return ret;
- }
- if ((ret = DeriveTls13Keys(ssl, traffic_key, DECRYPT_SIDE_ONLY,
- storeTrafficDecKeys)) != 0) {
- return ret;
- }
- #else
- if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_AND_DECRYPT_SIDE,
- 1)) != 0) {
- return ret;
- }
- #endif
- if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
- return ret;
- #ifdef WOLFSSL_DTLS13
- if (isDtls) {
- w64wrapper epochTraffic0;
- epochTraffic0 = w64From32(0, DTLS13_EPOCH_TRAFFIC0);
- ssl->dtls13Epoch = epochTraffic0;
- ssl->dtls13PeerEpoch = epochTraffic0;
- ret = Dtls13NewEpoch(
- ssl, epochTraffic0, ENCRYPT_AND_DECRYPT_SIDE);
- if (ret != 0)
- return ret;
- ret = Dtls13SetEpochKeys(
- ssl, epochTraffic0, ENCRYPT_AND_DECRYPT_SIDE);
- if (ret != 0)
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- if (ssl->options.side == WOLFSSL_CLIENT_END &&
- !ssl->options.handShakeDone) {
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->earlyData != no_early_data) {
- if ((ret = DeriveTls13Keys(ssl, no_key, ENCRYPT_AND_DECRYPT_SIDE,
- 1)) != 0) {
- return ret;
- }
- }
- #endif
- /* Setup keys for application data messages. */
- if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
- return ret;
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret);
- if (ret != 0)
- return ret;
- #endif
- #ifdef WOLFSSL_DTLS13
- if (isDtls) {
- w64wrapper epochTraffic0;
- epochTraffic0 = w64From32(0, DTLS13_EPOCH_TRAFFIC0);
- ssl->dtls13Epoch = epochTraffic0;
- ssl->dtls13PeerEpoch = epochTraffic0;
- ret = Dtls13NewEpoch(
- ssl, epochTraffic0, ENCRYPT_AND_DECRYPT_SIDE);
- if (ret != 0)
- return ret;
- ret = Dtls13SetEpochKeys(
- ssl, epochTraffic0, ENCRYPT_AND_DECRYPT_SIDE);
- if (ret != 0)
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- #ifndef NO_WOLFSSL_CLIENT
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
- ssl->options.handShakeState = HANDSHAKE_DONE;
- ssl->options.handShakeDone = 1;
- }
- #endif
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- ssl->options.serverState = SERVER_FINISHED_COMPLETE;
- }
- #endif
- #ifdef WOLFSSL_DTLS13
- if (isDtls) {
- WOLFSSL_LEAVE("SendTls13Finished", ret);
- WOLFSSL_END(WC_FUNC_FINISHED_SEND);
- return dtlsRet;
- }
- #endif /* WOLFSSL_DTLS13 */
- if ((ret = SendBuffered(ssl)) != 0)
- return ret;
- WOLFSSL_LEAVE("SendTls13Finished", ret);
- WOLFSSL_END(WC_FUNC_FINISHED_SEND);
- return ret;
- }
- #endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */
- /* handle generation TLS v1.3 key_update (24) */
- /* Send the TLS v1.3 KeyUpdate message.
- *
- * ssl The SSL/TLS object.
- * returns 0 on success, otherwise failure.
- */
- static int SendTls13KeyUpdate(WOLFSSL* ssl)
- {
- byte* input;
- byte* output;
- int ret;
- int headerSz = HANDSHAKE_HEADER_SZ;
- int outputSz;
- word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- WOLFSSL_START(WC_FUNC_KEY_UPDATE_SEND);
- WOLFSSL_ENTER("SendTls13KeyUpdate");
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- i = Dtls13GetRlHeaderLength(ssl, 1) + DTLS_HANDSHAKE_HEADER_SZ;
- #endif /* WOLFSSL_DTLS13 */
- outputSz = OPAQUE8_LEN + MAX_MSG_EXTRA;
- /* Check buffers are big enough and grow if needed. */
- if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
- return ret;
- /* get output buffer */
- output = GetOutputBuffer(ssl);
- input = output + RECORD_HEADER_SZ;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- input = output + Dtls13GetRlHeaderLength(ssl, 1);
- #endif /* WOLFSSL_DTLS13 */
- AddTls13Headers(output, OPAQUE8_LEN, key_update, ssl);
- /* If:
- * 1. I haven't sent a KeyUpdate requesting a response and
- * 2. This isn't responding to peer KeyUpdate requiring a response then,
- * I want a response.
- */
- ssl->keys.updateResponseReq = output[i++] =
- !ssl->keys.updateResponseReq && !ssl->keys.keyUpdateRespond;
- /* Sent response, no longer need to respond. */
- ssl->keys.keyUpdateRespond = 0;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- ret = Dtls13HandshakeSend(ssl, output, (word16)outputSz,
- OPAQUE8_LEN + Dtls13GetRlHeaderLength(ssl, 1) +
- DTLS_HANDSHAKE_HEADER_SZ,
- key_update, 0);
- }
- else
- #endif /* WOLFSSL_DTLS13 */
- {
- /* This message is always encrypted. */
- int sendSz = BuildTls13Message(ssl, output, outputSz, input,
- headerSz + OPAQUE8_LEN, handshake, 0, 0, 0);
- if (sendSz < 0)
- return BUILD_MSG_ERROR;
- #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
- if (ssl->hsInfoOn) AddPacketName(ssl, "KeyUpdate");
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, "KeyUpdate", handshake, output, sendSz,
- WRITE_PROTO, 0, ssl->heap);
- if (ret != 0)
- return ret;
- }
- #endif
- ssl->buffers.outputBuffer.length += sendSz;
- ret = SendBuffered(ssl);
- if (ret != 0 && ret != WANT_WRITE)
- return ret;
- }
- /* In DTLS we must wait for the ack before setting up the new keys */
- if (!ssl->options.dtls) {
- /* Future traffic uses new encryption keys. */
- if ((ret = DeriveTls13Keys(
- ssl, update_traffic_key, ENCRYPT_SIDE_ONLY, 1))
- != 0)
- return ret;
- if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
- return ret;
- }
- WOLFSSL_LEAVE("SendTls13KeyUpdate", ret);
- WOLFSSL_END(WC_FUNC_KEY_UPDATE_SEND);
- return ret;
- }
- /* handle processing TLS v1.3 key_update (24) */
- /* Parse and handle a TLS v1.3 KeyUpdate message.
- *
- * ssl The SSL/TLS object.
- * input The message buffer.
- * inOutIdx On entry, the index into the message buffer of Finished.
- * On exit, the index of byte after the Finished message and padding.
- * totalSz The length of the current handshake message.
- * returns 0 on success and otherwise failure.
- */
- static int DoTls13KeyUpdate(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
- word32 totalSz)
- {
- int ret;
- word32 i = *inOutIdx;
- WOLFSSL_START(WC_FUNC_KEY_UPDATE_DO);
- WOLFSSL_ENTER("DoTls13KeyUpdate");
- /* check against totalSz */
- if (OPAQUE8_LEN != totalSz)
- return BUFFER_E;
- switch (input[i]) {
- case update_not_requested:
- /* This message in response to any outstanding request. */
- ssl->keys.keyUpdateRespond = 0;
- ssl->keys.updateResponseReq = 0;
- break;
- case update_requested:
- /* New key update requiring a response. */
- ssl->keys.keyUpdateRespond = 1;
- break;
- default:
- WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
- return INVALID_PARAMETER;
- }
- /* Move index to byte after message. */
- *inOutIdx += totalSz;
- /* Always encrypted. */
- *inOutIdx += ssl->keys.padSz;
- /* Future traffic uses new decryption keys. */
- if ((ret = DeriveTls13Keys(ssl, update_traffic_key, DECRYPT_SIDE_ONLY, 1))
- != 0) {
- return ret;
- }
- if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
- return ret;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- w64Increment(&ssl->dtls13PeerEpoch);
- ret = Dtls13NewEpoch(ssl, ssl->dtls13PeerEpoch, DECRYPT_SIDE_ONLY);
- if (ret != 0)
- return ret;
- ret = Dtls13SetEpochKeys(ssl, ssl->dtls13PeerEpoch, DECRYPT_SIDE_ONLY);
- if (ret != 0)
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- if (ssl->keys.keyUpdateRespond) {
- #ifdef WOLFSSL_DTLS13
- /* we already sent a keyUpdate (either in response to a previous
- KeyUpdate or initiated by the application) and we are waiting for the
- ack. We can't send a new KeyUpdate right away but to honor the RFC we
- should send another KeyUpdate after the one in-flight is acked. We
- don't do that as it looks redundant, it will make the code more
- complex and I don't see a good use case for that. */
- if (ssl->options.dtls && ssl->dtls13WaitKeyUpdateAck) {
- ssl->keys.keyUpdateRespond = 0;
- return 0;
- }
- #endif /* WOLFSSL_DTLS13 */
- return SendTls13KeyUpdate(ssl);
- }
- WOLFSSL_LEAVE("DoTls13KeyUpdate", ret);
- WOLFSSL_END(WC_FUNC_KEY_UPDATE_DO);
- return 0;
- }
- #ifdef WOLFSSL_EARLY_DATA
- #ifndef NO_WOLFSSL_CLIENT
- /* Send the TLS v1.3 EndOfEarlyData message to indicate that there will be no
- * more early application data.
- * The encryption key now changes to the pre-calculated handshake key.
- *
- * ssl The SSL/TLS object.
- * returns 0 on success and otherwise failure.
- */
- static int SendTls13EndOfEarlyData(WOLFSSL* ssl)
- {
- byte* output;
- int ret;
- int sendSz;
- word32 length;
- word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_SEND);
- WOLFSSL_ENTER("SendTls13EndOfEarlyData");
- length = 0;
- sendSz = idx + length + MAX_MSG_EXTRA;
- ssl->options.buildingMsg = 1;
- /* Check buffers are big enough and grow if needed. */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
- /* Get position in output buffer to write new message to. */
- output = GetOutputBuffer(ssl);
- /* Put the record and handshake headers on. */
- AddTls13Headers(output, length, end_of_early_data, ssl);
- /* This message is always encrypted. */
- sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
- idx - RECORD_HEADER_SZ, handshake, 1, 0, 0);
- if (sendSz < 0)
- return sendSz;
- ssl->buffers.outputBuffer.length += sendSz;
- if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
- return ret;
- ssl->options.buildingMsg = 0;
- if (!ssl->options.groupMessages)
- ret = SendBuffered(ssl);
- WOLFSSL_LEAVE("SendTls13EndOfEarlyData", ret);
- WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_SEND);
- return ret;
- }
- #endif /* !NO_WOLFSSL_CLIENT */
- #ifndef NO_WOLFSSL_SERVER
- /* handle processing of TLS 1.3 end_of_early_data (5) */
- /* Parse the TLS v1.3 EndOfEarlyData message that indicates that there will be
- * no more early application data.
- * The decryption key now changes to the pre-calculated handshake key.
- *
- * ssl The SSL/TLS object.
- * returns 0 on success and otherwise failure.
- */
- static int DoTls13EndOfEarlyData(WOLFSSL* ssl, const byte* input,
- word32* inOutIdx, word32 size)
- {
- int ret;
- word32 begin = *inOutIdx;
- (void)input;
- WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_DO);
- WOLFSSL_ENTER("DoTls13EndOfEarlyData");
- if ((*inOutIdx - begin) != size)
- return BUFFER_ERROR;
- if (ssl->earlyData == no_early_data) {
- WOLFSSL_MSG("EndOfEarlyData received unexpectedly");
- SendAlert(ssl, alert_fatal, unexpected_message);
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- ssl->earlyData = done_early_data;
- /* Always encrypted. */
- *inOutIdx += ssl->keys.padSz;
- ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);
- WOLFSSL_LEAVE("DoTls13EndOfEarlyData", ret);
- WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_DO);
- return ret;
- }
- #endif /* !NO_WOLFSSL_SERVER */
- #endif /* WOLFSSL_EARLY_DATA */
- #if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_TICKET_NONCE_MALLOC) && \
- (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))
- int SessionTicketNoncePopulate(WOLFSSL_SESSION *session, const byte *nonce,
- byte len)
- {
- if (session->ticketNonce.data
- != session->ticketNonce.dataStatic) {
- XFREE(session->ticketNonce.data, session->heap,
- DYNAMIC_TYPE_SESSION_TICK);
- session->ticketNonce.data = session->ticketNonce.dataStatic;
- session->ticketNonce.len = 0;
- }
- if (len > MAX_TICKET_NONCE_STATIC_SZ) {
- WOLFSSL_MSG("Using dynamic nonce buffer");
- session->ticketNonce.data = (byte*)XMALLOC(len,
- session->heap, DYNAMIC_TYPE_SESSION_TICK);
- if (session->ticketNonce.data == NULL)
- return MEMORY_ERROR;
- }
- XMEMCPY(session->ticketNonce.data, nonce, len);
- session->ticketNonce.len = len;
- return 0;
- }
- #endif
- #ifndef NO_WOLFSSL_CLIENT
- /* Handle a New Session Ticket handshake message.
- * Message contains the information required to perform resumption.
- *
- * ssl The SSL/TLS object.
- * input The message buffer.
- * inOutIdx On entry, the index into the message buffer of Finished.
- * On exit, the index of byte after the Finished message and padding.
- * size The length of the current handshake message.
- * returns 0 on success, otherwise failure.
- */
- static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input,
- word32* inOutIdx, word32 size)
- {
- #ifdef HAVE_SESSION_TICKET
- int ret;
- word32 begin = *inOutIdx;
- word32 lifetime;
- word32 ageAdd;
- word16 length;
- #ifdef WOLFSSL_32BIT_MILLI_TIME
- word32 now;
- #else
- sword64 now;
- #endif
- const byte* nonce;
- byte nonceLength;
- WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_DO);
- WOLFSSL_ENTER("DoTls13NewSessionTicket");
- /* Lifetime hint. */
- if ((*inOutIdx - begin) + SESSION_HINT_SZ > size)
- return BUFFER_ERROR;
- ato32(input + *inOutIdx, &lifetime);
- *inOutIdx += SESSION_HINT_SZ;
- if (lifetime > MAX_LIFETIME) {
- WOLFSSL_ERROR_VERBOSE(SERVER_HINT_ERROR);
- return SERVER_HINT_ERROR;
- }
- /* Age add. */
- if ((*inOutIdx - begin) + SESSION_ADD_SZ > size)
- return BUFFER_ERROR;
- ato32(input + *inOutIdx, &ageAdd);
- *inOutIdx += SESSION_ADD_SZ;
- /* Ticket nonce. */
- if ((*inOutIdx - begin) + 1 > size)
- return BUFFER_ERROR;
- nonceLength = input[*inOutIdx];
- #if !defined(WOLFSSL_TICKET_NONCE_MALLOC) && \
- (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,3))
- if (nonceLength > MAX_TICKET_NONCE_STATIC_SZ) {
- WOLFSSL_MSG("Nonce length not supported");
- WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
- return INVALID_PARAMETER;
- }
- #endif /* WOLFSSL_TICKET_NONCE_MALLOC && FIPS_VERSION_GE(5,3) */
- *inOutIdx += 1;
- if ((*inOutIdx - begin) + nonceLength > size)
- return BUFFER_ERROR;
- nonce = input + *inOutIdx;
- *inOutIdx += nonceLength;
- /* Ticket length. */
- if ((*inOutIdx - begin) + LENGTH_SZ > size)
- return BUFFER_ERROR;
- ato16(input + *inOutIdx, &length);
- *inOutIdx += LENGTH_SZ;
- if ((*inOutIdx - begin) + length > size)
- return BUFFER_ERROR;
- if ((ret = SetTicket(ssl, input + *inOutIdx, length)) != 0)
- return ret;
- *inOutIdx += length;
- now = TimeNowInMilliseconds();
- if (now == 0)
- return GETTIME_ERROR;
- /* Copy in ticket data (server identity). */
- ssl->timeout = lifetime;
- ssl->session->timeout = lifetime;
- ssl->session->cipherSuite0 = ssl->options.cipherSuite0;
- ssl->session->cipherSuite = ssl->options.cipherSuite;
- ssl->session->ticketSeen = now;
- ssl->session->ticketAdd = ageAdd;
- #ifdef WOLFSSL_EARLY_DATA
- ssl->session->maxEarlyDataSz = ssl->options.maxEarlyDataSz;
- #endif
- #if defined(WOLFSSL_TICKET_NONCE_MALLOC) && \
- (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))
- ret = SessionTicketNoncePopulate(ssl->session, nonce, nonceLength);
- if (ret != 0)
- return ret;
- #else
- ssl->session->ticketNonce.len = nonceLength;
- if (nonceLength > MAX_TICKET_NONCE_STATIC_SZ) {
- ret = BUFFER_ERROR;
- return ret;
- }
- if (nonceLength > 0)
- XMEMCPY(ssl->session->ticketNonce.data, nonce, nonceLength);
- #endif /* defined(WOLFSSL_TICKET_NONCE_MALLOC) && FIPS_VERSION_GE(5,3) */
- ssl->session->namedGroup = ssl->namedGroup;
- if ((*inOutIdx - begin) + EXTS_SZ > size)
- return BUFFER_ERROR;
- ato16(input + *inOutIdx, &length);
- *inOutIdx += EXTS_SZ;
- if ((*inOutIdx - begin) + length != size)
- return BUFFER_ERROR;
- #ifdef WOLFSSL_EARLY_DATA
- ret = TLSX_Parse(ssl, (byte *)input + (*inOutIdx), length, session_ticket,
- NULL);
- if (ret != 0)
- return ret;
- #endif
- *inOutIdx += length;
- SetupSession(ssl);
- #ifndef NO_SESSION_CACHE
- AddSession(ssl);
- #endif
- /* Always encrypted. */
- *inOutIdx += ssl->keys.padSz;
- ssl->expect_session_ticket = 0;
- #else
- (void)ssl;
- (void)input;
- WOLFSSL_ENTER("DoTls13NewSessionTicket");
- *inOutIdx += size + ssl->keys.padSz;
- #endif /* HAVE_SESSION_TICKET */
- WOLFSSL_LEAVE("DoTls13NewSessionTicket", 0);
- WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_DO);
- return 0;
- }
- #endif /* NO_WOLFSSL_CLIENT */
- #ifndef NO_WOLFSSL_SERVER
- #ifdef HAVE_SESSION_TICKET
- #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
- /* Offset of the MAC size in the finished message. */
- #define FINISHED_MSG_SIZE_OFFSET 3
- /* Calculate the resumption secret which includes the unseen client finished
- * message.
- *
- * ssl The SSL/TLS object.
- * returns 0 on success, otherwise failure.
- */
- static int ExpectedResumptionSecret(WOLFSSL* ssl)
- {
- int ret;
- word32 finishedSz = 0;
- byte mac[WC_MAX_DIGEST_SIZE];
- Digest digest;
- static byte header[] = { 0x14, 0x00, 0x00, 0x00 };
- /* Copy the running hash so we can restore it after. */
- switch (ssl->specs.mac_algorithm) {
- #ifndef NO_SHA256
- case sha256_mac:
- ret = wc_Sha256Copy(&ssl->hsHashes->hashSha256, &digest.sha256);
- if (ret != 0)
- return ret;
- break;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- ret = wc_Sha384Copy(&ssl->hsHashes->hashSha384, &digest.sha384);
- if (ret != 0)
- return ret;
- break;
- #endif
- #ifdef WOLFSSL_TLS13_SHA512
- case sha512_mac:
- ret = wc_Sha512Copy(&ssl->hsHashes->hashSha512, &digest.sha512);
- if (ret != 0)
- return ret;
- break;
- #endif
- #ifdef WOLFSSL_SM3
- case sm3_mac:
- ret = wc_Sm3Copy(&ssl->hsHashes->hashSm3, &digest.sm3);
- if (ret != 0)
- return ret;
- break;
- #endif
- }
- /* Generate the Client's Finished message and hash it. */
- ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, mac,
- &finishedSz);
- if (ret != 0)
- return ret;
- header[FINISHED_MSG_SIZE_OFFSET] = finishedSz;
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->earlyData != no_early_data) {
- static byte endOfEarlyData[] = { 0x05, 0x00, 0x00, 0x00 };
- ret = HashRaw(ssl, endOfEarlyData, sizeof(endOfEarlyData));
- if (ret != 0)
- return ret;
- }
- #endif
- if ((ret = HashRaw(ssl, header, sizeof(header))) != 0)
- return ret;
- if ((ret = HashRaw(ssl, mac, finishedSz)) != 0)
- return ret;
- if ((ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret)) != 0)
- return ret;
- /* Restore the hash inline with currently seen messages. */
- switch (ssl->specs.mac_algorithm) {
- #ifndef NO_SHA256
- case sha256_mac:
- wc_Sha256Free(&ssl->hsHashes->hashSha256);
- ret = wc_Sha256Copy(&digest.sha256, &ssl->hsHashes->hashSha256);
- wc_Sha256Free(&digest.sha256);
- if (ret != 0)
- return ret;
- break;
- #endif
- #ifdef WOLFSSL_SHA384
- case sha384_mac:
- wc_Sha384Free(&ssl->hsHashes->hashSha384);
- ret = wc_Sha384Copy(&digest.sha384, &ssl->hsHashes->hashSha384);
- wc_Sha384Free(&digest.sha384);
- if (ret != 0)
- return ret;
- break;
- #endif
- #ifdef WOLFSSL_TLS13_SHA512
- case sha512_mac:
- wc_Sha512Free(&ssl->hsHashes->hashSha512);
- ret = wc_Sha512Copy(&digest.sha512, &ssl->hsHashes->hashSha512);
- wc_Sha512Free(&digest.sha512);
- if (ret != 0)
- return ret;
- break;
- #endif
- #ifdef WOLFSSL_SM3
- case sm3_mac:
- wc_Sm3Free(&ssl->hsHashes->hashSm3);
- ret = wc_Sm3Copy(&digest.sm3, &ssl->hsHashes->hashSm3);
- wc_Sm3Free(&digest.sm3);
- if (ret != 0)
- return ret;
- break;
- #endif
- }
- return ret;
- }
- #endif
- /* Send New Session Ticket handshake message.
- * Message contains the information required to perform resumption.
- *
- * ssl The SSL/TLS object.
- * returns 0 on success, otherwise failure.
- */
- static int SendTls13NewSessionTicket(WOLFSSL* ssl)
- {
- byte* output;
- int ret;
- int sendSz;
- word16 extSz;
- word32 length;
- word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
- WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_SEND);
- WOLFSSL_ENTER("SendTls13NewSessionTicket");
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- idx = Dtls13GetRlHeaderLength(ssl, 1) + DTLS_HANDSHAKE_HEADER_SZ;
- #endif /* WOLFSSL_DTLS13 */
- #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
- if (!ssl->msgsReceived.got_finished) {
- if ((ret = ExpectedResumptionSecret(ssl)) != 0)
- return ret;
- }
- #endif
- /* Start ticket nonce at 0 and go up to 255. */
- if (ssl->session->ticketNonce.len == 0) {
- ssl->session->ticketNonce.len = DEF_TICKET_NONCE_SZ;
- ssl->session->ticketNonce.data[0] = 0;
- }
- else
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ssl->error != WC_PENDING_E)
- #endif
- {
- ssl->session->ticketNonce.data[0]++;
- }
- if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0) {
- /* In this case we only send the ID as the ticket. Let's generate a new
- * ID for the new ticket so that we don't overwrite any old ones */
- ret = wc_RNG_GenerateBlock(ssl->rng, ssl->session->altSessionID,
- ID_LEN);
- if (ret != 0)
- return ret;
- ssl->session->haveAltSessionID = 1;
- }
- if (!ssl->options.noTicketTls13) {
- if ((ret = SetupTicket(ssl)) != 0)
- return ret;
- /* No need to create the ticket if we only send the ID */
- if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) == 0) {
- if ((ret = CreateTicket(ssl)) != 0)
- return ret;
- }
- }
- #ifdef WOLFSSL_EARLY_DATA
- ssl->session->maxEarlyDataSz = ssl->options.maxEarlyDataSz;
- if (ssl->session->maxEarlyDataSz > 0)
- TLSX_EarlyData_Use(ssl, ssl->session->maxEarlyDataSz, 1);
- extSz = 0;
- ret = TLSX_GetResponseSize(ssl, session_ticket, &extSz);
- if (ret != 0)
- return ret;
- #else
- extSz = EXTS_SZ;
- #endif
- /* Lifetime | Age Add | Ticket session ID | Extensions */
- length = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ;
- if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0)
- length += ID_LEN + extSz;
- else
- length += ssl->session->ticketLen + extSz;
- /* Nonce */
- length += TICKET_NONCE_LEN_SZ + DEF_TICKET_NONCE_SZ;
- sendSz = idx + length + MAX_MSG_EXTRA;
- /* Check buffers are big enough and grow if needed. */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
- /* Get position in output buffer to write new message to. */
- output = GetOutputBuffer(ssl);
- /* Put the record and handshake headers on. */
- AddTls13Headers(output, length, session_ticket, ssl);
- /* Lifetime hint */
- c32toa(ssl->ctx->ticketHint, output + idx);
- idx += SESSION_HINT_SZ;
- /* Age add - obfuscator */
- c32toa(ssl->session->ticketAdd, output + idx);
- idx += SESSION_ADD_SZ;
- output[idx++] = ssl->session->ticketNonce.len;
- output[idx++] = ssl->session->ticketNonce.data[0];
- /* length */
- if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0) {
- c16toa(ID_LEN, output + idx);
- }
- else {
- c16toa(ssl->session->ticketLen, output + idx);
- }
- idx += LENGTH_SZ;
- /* ticket */
- if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0) {
- if (ssl->session->haveAltSessionID)
- XMEMCPY(output + idx, ssl->session->altSessionID, ID_LEN);
- else
- return BAD_FUNC_ARG; /* Should not happen */
- idx += ID_LEN;
- }
- else {
- XMEMCPY(output + idx, ssl->session->ticket, ssl->session->ticketLen);
- idx += ssl->session->ticketLen;
- }
- #ifdef WOLFSSL_EARLY_DATA
- extSz = 0;
- ret = TLSX_WriteResponse(ssl, output + idx, session_ticket, &extSz);
- if (ret != 0)
- return ret;
- idx += extSz;
- #else
- /* No extension support - empty extensions. */
- c16toa(0, output + idx);
- idx += EXTS_SZ;
- #endif
- ssl->options.haveSessionId = 1;
- SetupSession(ssl);
- /* Only add to cache when support built in and when the ticket contains
- * an ID. Otherwise we have no way to actually retrieve the ticket from the
- * cache. */
- #if !defined(NO_SESSION_CACHE) && defined(WOLFSSL_TICKET_HAVE_ID)
- AddSession(ssl);
- #endif
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- return Dtls13HandshakeSend(ssl, output, sendSz, idx, session_ticket, 0);
- #endif /* WOLFSSL_DTLS13 */
- /* This message is always encrypted. */
- sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
- idx - RECORD_HEADER_SZ, handshake, 0, 0, 0);
- if (sendSz < 0)
- return sendSz;
- ssl->buffers.outputBuffer.length += sendSz;
- /* Always send as this is either directly after server's Finished or only
- * message after client's Finished.
- */
- ret = SendBuffered(ssl);
- WOLFSSL_LEAVE("SendTls13NewSessionTicket", 0);
- WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_SEND);
- return ret;
- }
- #endif /* HAVE_SESSION_TICKET */
- #endif /* NO_WOLFSSL_SERVER */
- /* Make sure no duplicates, no fast forward, or other problems
- *
- * ssl The SSL/TLS object.
- * type Type of handshake message received.
- * returns 0 on success, otherwise failure.
- */
- static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type)
- {
- /* verify not a duplicate, mark received, check state */
- switch (type) {
- #ifndef NO_WOLFSSL_SERVER
- case client_hello:
- #ifndef NO_WOLFSSL_CLIENT
- /* Only valid when received on SERVER side. */
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- WOLFSSL_MSG("ClientHello received by client");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- /* Check state. */
- if (ssl->options.clientState >= CLIENT_HELLO_COMPLETE) {
- WOLFSSL_MSG("ClientHello received out of order");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- /* Check previously seen. */
- /* Initial and after HelloRetryRequest - no more than 2. */
- if (ssl->msgsReceived.got_client_hello == 2) {
- WOLFSSL_MSG("Too many ClientHello received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- /* Second only after HelloRetryRequest seen. */
- if (ssl->msgsReceived.got_client_hello == 1 &&
- ssl->options.serverState !=
- SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
- WOLFSSL_MSG("Duplicate ClientHello received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_client_hello++;
- break;
- #endif
- #ifndef NO_WOLFSSL_CLIENT
- case server_hello:
- #ifndef NO_WOLFSSL_SERVER
- /* Only valid when received on CLIENT side. */
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- WOLFSSL_MSG("ServerHello received by server");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- /* Check state. */
- if (ssl->options.serverState >= SERVER_HELLO_COMPLETE) {
- WOLFSSL_MSG("ServerHello received out of order");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- /* Check previously seen. */
- /* Only once after ClientHello.
- * HelloRetryRequest has ServerHello type but count fixed up later
- * - see DoTls13ServerHello().
- */
- if (ssl->msgsReceived.got_server_hello) {
- WOLFSSL_MSG("Duplicate ServerHello received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_server_hello = 1;
- break;
- #endif
- #ifndef NO_WOLFSSL_CLIENT
- case session_ticket:
- #ifndef NO_WOLFSSL_SERVER
- /* Only valid when received on CLIENT side. */
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- WOLFSSL_MSG("NewSessionTicket received by server");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- /* Check state. */
- #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
- /* Only allowed after server's Finished message. */
- if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
- WOLFSSL_MSG("NewSessionTicket received out of order");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- #else
- /* Only allowed after client's Finished message. */
- if (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) {
- WOLFSSL_MSG("NewSessionTicket received out of order");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- #endif
- /* Many SessionTickets can be sent. */
- ssl->msgsReceived.got_session_ticket = 1;
- break;
- #endif
- #ifndef NO_WOLFSSL_SERVER
- #ifdef WOLFSSL_EARLY_DATA
- case end_of_early_data:
- #ifndef NO_WOLFSSL_CLIENT
- /* Only valid when received on SERVER side. */
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- WOLFSSL_MSG("EndOfEarlyData received by client");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- /* Check state. */
- /* Only after server's Finished and before client's Finished. */
- if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
- WOLFSSL_MSG("EndOfEarlyData received out of order");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- if (ssl->options.clientState >= CLIENT_FINISHED_COMPLETE) {
- WOLFSSL_MSG("EndOfEarlyData received out of order");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- /* Check previously seen. */
- if (ssl->msgsReceived.got_end_of_early_data) {
- WOLFSSL_MSG("Too many EndOfEarlyData received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_end_of_early_data = 1;
- break;
- #endif
- #endif
- #ifndef NO_WOLFSSL_CLIENT
- case encrypted_extensions:
- #ifndef NO_WOLFSSL_SERVER
- /* Only valid when received on CLIENT side. */
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- WOLFSSL_MSG("EncryptedExtensions received by server");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- /* Check state. */
- /* Must be received directly after ServerHello.
- * DoTls13EncryptedExtensions() changes state to:
- * SERVER_ENCRYPTED_EXTENSIONS_COMPLETE.
- */
- if (ssl->options.serverState != SERVER_HELLO_COMPLETE) {
- WOLFSSL_MSG("EncryptedExtensions received out of order");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- /* Check previously seen. */
- if (ssl->msgsReceived.got_encrypted_extensions) {
- WOLFSSL_MSG("Duplicate EncryptedExtensions received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_encrypted_extensions = 1;
- break;
- #endif
- case certificate:
- /* Valid on both sides. */
- #ifndef NO_WOLFSSL_CLIENT
- /* Check state. */
- /* On client, seen after EncryptedExtension and CertificateRequest
- * (if sent) and before CertificateVerify and Finished.
- * DoTls13Certificate() sets serverState to SERVER_CERT_COMPLETE.
- */
- if (ssl->options.side == WOLFSSL_CLIENT_END &&
- ssl->options.serverState !=
- SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
- WOLFSSL_MSG("Certificate received out of order - Client");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- /* Server's authenticating with PSK must not send this. */
- if (ssl->options.side == WOLFSSL_CLIENT_END &&
- ssl->options.serverState == SERVER_CERT_COMPLETE &&
- ssl->options.pskNegotiated) {
- WOLFSSL_MSG("Certificate received while using PSK");
- WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
- return SANITY_MSG_E;
- }
- #endif
- #endif
- #ifndef NO_WOLFSSL_SERVER
- /* Check state. */
- /* On Server, valid after ClientHello received and ServerFinished
- * sent. */
- if (ssl->options.side == WOLFSSL_SERVER_END &&
- ssl->options.clientState != CLIENT_HELLO_COMPLETE &&
- ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
- WOLFSSL_MSG("Certificate received out of order - Server");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- #endif
- /* Check previously seen. */
- if (ssl->msgsReceived.got_certificate) {
- WOLFSSL_MSG("Duplicate Certificate received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_certificate = 1;
- break;
- #ifndef NO_WOLFSSL_CLIENT
- case certificate_request:
- #ifndef NO_WOLFSSL_SERVER
- /* Only valid when received on CLIENT side. */
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- WOLFSSL_MSG("CertificateRequest received by server");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- #endif
- /* Check state. */
- #ifndef WOLFSSL_POST_HANDSHAKE_AUTH
- /* Only valid when sent after EncryptedExtensions and before
- * Certificate. */
- if (ssl->options.serverState !=
- SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
- WOLFSSL_MSG("CertificateRequest received out of order");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- #else
- /* Valid when sent after EncryptedExtensions and before Certificate
- * and after both client and server have sent Finished (Post
- * Handshake Authentication). */
- if (ssl->options.serverState !=
- SERVER_ENCRYPTED_EXTENSIONS_COMPLETE &&
- (ssl->options.serverState < SERVER_FINISHED_COMPLETE ||
- ssl->options.clientState != CLIENT_FINISHED_COMPLETE)) {
- WOLFSSL_MSG("CertificateRequest received out of order");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- #endif
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- /* Server's authenticating with PSK must not send this. */
- if (ssl->options.pskNegotiated) {
- WOLFSSL_MSG("CertificateRequest received while using PSK");
- WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
- return SANITY_MSG_E;
- }
- #endif
- /* Check previously seen. */
- #ifndef WOLFSSL_POST_HANDSHAKE_AUTH
- /* Only once during handshake. */
- if (ssl->msgsReceived.got_certificate_request) {
- WOLFSSL_MSG("Duplicate CertificateRequest received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- #else
- /* Only once during handshake. */
- if (ssl->msgsReceived.got_certificate_request &&
- ssl->options.clientState != CLIENT_FINISHED_COMPLETE) {
- WOLFSSL_MSG("Duplicate CertificateRequest received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- #endif
- ssl->msgsReceived.got_certificate_request = 1;
- break;
- #endif
- case certificate_verify:
- /* Valid on both sides. */
- #ifndef NO_WOLFSSL_CLIENT
- /* Check state on client.
- * Valid only directly after a Certificate message. */
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- if (ssl->options.serverState != SERVER_CERT_COMPLETE) {
- WOLFSSL_MSG("No Cert before CertVerify");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- /* Server's authenticating with PSK must not send this. */
- if (ssl->options.pskNegotiated) {
- WOLFSSL_MSG("CertificateVerify received while using PSK");
- WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
- return SANITY_MSG_E;
- }
- #endif
- }
- #endif
- #ifndef NO_WOLFSSL_SERVER
- /* Check state on server. */
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- /* Server must have sent Finished message. */
- if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
- WOLFSSL_MSG("CertificateVerify received out of order");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- /* Valid only directly after a Certificate message. */
- if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
- WOLFSSL_MSG("CertificateVerify before ClientHello done");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- if (!ssl->msgsReceived.got_certificate) {
- WOLFSSL_MSG("No Cert before CertificateVerify");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- }
- #endif
- /* Check previously seen. */
- if (ssl->msgsReceived.got_certificate_verify) {
- WOLFSSL_MSG("Duplicate CertificateVerify received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_certificate_verify = 1;
- break;
- case finished:
- /* Valid on both sides. */
- #ifndef NO_WOLFSSL_CLIENT
- /* Check state on client. */
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- /* After sending ClientHello */
- if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
- WOLFSSL_MSG("Finished received out of order - clientState");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- /* Must have seen certificate and verify from server except when
- * using PSK. */
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- if (ssl->options.pskNegotiated) {
- if (ssl->options.serverState !=
- SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
- WOLFSSL_MSG("Finished received out of order - PSK");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- }
- else
- #endif
- if (ssl->options.serverState != SERVER_CERT_VERIFY_COMPLETE) {
- WOLFSSL_MSG("Finished received out of order - serverState");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- }
- #endif
- #ifndef NO_WOLFSSL_SERVER
- /* Check state on server. */
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
- WOLFSSL_MSG("Finished received out of order - serverState");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
- WOLFSSL_MSG("Finished received out of order - clientState");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->earlyData == process_early_data &&
- /* early data may be lost when using DTLS */
- !ssl->options.dtls
- /* QUIC does not use EndOfEarlyData records */
- && !WOLFSSL_IS_QUIC(ssl)) {
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- #endif
- }
- #endif
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- if (!ssl->options.pskNegotiated)
- #endif
- {
- /* Must have received a Certificate message from client if
- * verifying the peer. Empty certificate message indicates
- * no certificate available.
- */
- if (ssl->options.verifyPeer &&
- #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
- !ssl->options.verifyPostHandshake &&
- #endif
- !ssl->msgsReceived.got_certificate) {
- WOLFSSL_MSG("Finished received out of order - "
- "missing Certificate message");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- /* Mutual authentication on server requires a certificate from
- * peer. Verify peer set on client side requires a certificate
- * from peer as not doing PSK.
- */
- if ((ssl->options.mutualAuth ||
- (ssl->options.side == WOLFSSL_CLIENT_END &&
- ssl->options.verifyPeer)) && !ssl->options.havePeerCert) {
- WOLFSSL_MSG("Finished received out of order - "
- "no valid certificate");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- /* Must have received a valid CertificateVerify if verifying
- * peer and got a peer certificate.
- */
- if ((ssl->options.mutualAuth || ssl->options.verifyPeer) &&
- ssl->options.havePeerCert && !ssl->options.havePeerVerify) {
- WOLFSSL_MSG("Finished received out of order - "
- "Certificate message but no CertificateVerify");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- }
- /* Check previously seen. */
- if (ssl->msgsReceived.got_finished) {
- WOLFSSL_MSG("Duplicate Finished received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_finished = 1;
- break;
- case key_update:
- /* Valid on both sides. */
- /* Check state.
- * Client and server must have received finished message from other
- * side.
- */
- if (!ssl->msgsReceived.got_finished) {
- WOLFSSL_MSG("No KeyUpdate before Finished");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- /* Multiple KeyUpdates can be sent. */
- break;
- #if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12)
- case hello_verify_request:
- if (!ssl->options.dtls) {
- WOLFSSL_MSG("HelloVerifyRequest when not in DTLS");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- if (ssl->msgsReceived.got_hello_verify_request) {
- WOLFSSL_MSG("Duplicate HelloVerifyRequest received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- ssl->msgsReceived.got_hello_verify_request = 1;
- if (ssl->msgsReceived.got_hello_retry_request) {
- WOLFSSL_MSG(
- "Both HelloVerifyRequest and HelloRetryRequest received");
- WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
- return DUPLICATE_MSG_E;
- }
- if (ssl->options.serverState >=
- SERVER_HELLO_RETRY_REQUEST_COMPLETE ||
- ssl->options.connectState != CLIENT_HELLO_SENT) {
- WOLFSSL_MSG("HelloVerifyRequest received out of order");
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- WOLFSSL_MSG("HelloVerifyRequest received on the server");
- WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
- return SIDE_ERROR;
- }
- if (!ssl->options.downgrade ||
- ssl->options.minDowngrade < DTLSv1_2_MINOR) {
- WOLFSSL_MSG(
- "HelloVerifyRequest received but not DTLSv1.2 allowed");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- break;
- #endif /* WOLFSSL_DTLS13 && !WOLFSSL_NO_TLS12*/
- default:
- WOLFSSL_MSG("Unknown message type");
- WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
- return SANITY_MSG_E;
- }
- return 0;
- }
- /* Handle a type of handshake message that has been received.
- *
- * ssl The SSL/TLS object.
- * input The message buffer.
- * inOutIdx On entry, the index into the buffer of the current message.
- * On exit, the index into the buffer of the next message.
- * size The length of the current handshake message.
- * totalSz Length of remaining data in the message buffer.
- * returns 0 on success and otherwise failure.
- */
- int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
- byte type, word32 size, word32 totalSz)
- {
- int ret = 0, tmp;
- word32 inIdx = *inOutIdx;
- int alertType = invalid_alert;
- #if defined(HAVE_ECH)
- TLSX* echX = NULL;
- word32 echInOutIdx;
- #endif
- (void)totalSz;
- WOLFSSL_ENTER("DoTls13HandShakeMsgType");
- /* make sure we can read the message */
- if (*inOutIdx + size > totalSz)
- return INCOMPLETE_DATA;
- /* sanity check msg received */
- if ((ret = SanityCheckTls13MsgReceived(ssl, type)) != 0) {
- WOLFSSL_MSG("Sanity Check on handshake message type received failed");
- if (ret == VERSION_ERROR)
- SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
- else
- SendAlert(ssl, alert_fatal, unexpected_message);
- return ret;
- }
- #if defined(WOLFSSL_CALLBACKS)
- /* add name later, add on record and handshake header part back on */
- if (ssl->toInfoOn) {
- ret = AddPacketInfo(ssl, 0, handshake, input + *inOutIdx -
- HANDSHAKE_HEADER_SZ, size + HANDSHAKE_HEADER_SZ, READ_PROTO,
- RECORD_HEADER_SZ, ssl->heap);
- if (ret != 0)
- return ret;
- AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
- }
- #endif
- if (ssl->options.handShakeState == HANDSHAKE_DONE &&
- type != session_ticket && type != certificate_request &&
- type != certificate && type != key_update && type != finished) {
- WOLFSSL_MSG("HandShake message after handshake complete");
- SendAlert(ssl, alert_fatal, unexpected_message);
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- if (ssl->options.side == WOLFSSL_CLIENT_END &&
- ssl->options.serverState == NULL_STATE &&
- type != server_hello && type != hello_retry_request
- #if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12)
- && (!ssl->options.dtls || type != hello_verify_request)
- #endif /* defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12) */
- ) {
- WOLFSSL_MSG("First server message not server hello");
- SendAlert(ssl, alert_fatal, unexpected_message);
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- if (ssl->options.side == WOLFSSL_SERVER_END &&
- ssl->options.clientState == NULL_STATE && type != client_hello) {
- WOLFSSL_MSG("First client message not client hello");
- SendAlert(ssl, alert_fatal, unexpected_message);
- WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
- return OUT_OF_ORDER_E;
- }
- /* above checks handshake state */
- switch (type) {
- #ifndef NO_WOLFSSL_CLIENT
- /* Messages only received by client. */
- case server_hello:
- WOLFSSL_MSG("processing server hello");
- ret = DoTls13ServerHello(ssl, input, inOutIdx, size, &type);
- #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
- ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
- (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
- if (ssl->options.resuming || !IsAtLeastTLSv1_2(ssl) ||
- IsAtLeastTLSv1_3(ssl->version)) {
- ssl->options.cacheMessages = 0;
- if ((ssl->hsHashes != NULL) && (ssl->hsHashes->messages != NULL)) {
- ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length);
- XFREE(ssl->hsHashes->messages, ssl->heap, DYNAMIC_TYPE_HASHES);
- ssl->hsHashes->messages = NULL;
- }
- }
- #endif
- break;
- case encrypted_extensions:
- WOLFSSL_MSG("processing encrypted extensions");
- ret = DoTls13EncryptedExtensions(ssl, input, inOutIdx, size);
- break;
- #ifndef NO_CERTS
- case certificate_request:
- WOLFSSL_MSG("processing certificate request");
- ret = DoTls13CertificateRequest(ssl, input, inOutIdx, size);
- break;
- #endif
- case session_ticket:
- WOLFSSL_MSG("processing new session ticket");
- ret = DoTls13NewSessionTicket(ssl, input, inOutIdx, size);
- break;
- #endif /* !NO_WOLFSSL_CLIENT */
- #ifndef NO_WOLFSSL_SERVER
- /* Messages only received by server. */
- case client_hello:
- WOLFSSL_MSG("processing client hello");
- #if defined(HAVE_ECH)
- /* keep the start idx so we can restore it for the inner call */
- echInOutIdx = *inOutIdx;
- #endif
- ret = DoTls13ClientHello(ssl, input, inOutIdx, size);
- #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
- ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
- (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
- if ((ssl->options.resuming || !ssl->options.verifyPeer ||
- !IsAtLeastTLSv1_2(ssl) || IsAtLeastTLSv1_3(ssl->version))
- #ifdef WOLFSSL_DTLS13
- && (!ssl->options.dtls)
- #endif
- ) {
- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
- if (ret != WC_PENDING_E && ret != OCSP_WANT_READ)
- #endif
- {
- ssl->options.cacheMessages = 0;
- if ((ssl->hsHashes != NULL) &&
- (ssl->hsHashes->messages != NULL)) {
- ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length);
- XFREE(ssl->hsHashes->messages, ssl->heap,
- DYNAMIC_TYPE_HASHES);
- ssl->hsHashes->messages = NULL;
- }
- }
- }
- #endif
- #if defined(HAVE_ECH)
- if (ret == 0) {
- echX = TLSX_Find(ssl->extensions, TLSX_ECH);
- if (echX != NULL &&
- ((WOLFSSL_ECH*)echX->data)->state == ECH_WRITE_NONE) {
- /* reset the inOutIdx to the outer start */
- *inOutIdx = echInOutIdx;
- /* call again with the inner hello */
- ret = DoTls13ClientHello(ssl,
- ((WOLFSSL_ECH*)echX->data)->innerClientHello,
- &echInOutIdx,
- ((WOLFSSL_ECH*)echX->data)->innerClientHelloLen);
- /* if the inner ech parsed successfully we have successfully
- * handled the hello and can skip the whole message */
- if (ret == 0)
- *inOutIdx += size;
- }
- }
- #endif /* HAVE_ECH */
- break;
- #ifdef WOLFSSL_EARLY_DATA
- case end_of_early_data:
- WOLFSSL_MSG("processing end of early data");
- ret = DoTls13EndOfEarlyData(ssl, input, inOutIdx, size);
- break;
- #endif
- #endif /* !NO_WOLFSSL_SERVER */
- /* Messages received by both client and server. */
- #if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
- !defined(WOLFSSL_NO_CLIENT_AUTH))
- case certificate:
- WOLFSSL_MSG("processing certificate");
- ret = DoTls13Certificate(ssl, input, inOutIdx, size);
- break;
- #endif
- #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
- defined(HAVE_ED448) || defined(HAVE_PQC)
- case certificate_verify:
- WOLFSSL_MSG("processing certificate verify");
- ret = DoTls13CertificateVerify(ssl, input, inOutIdx, size);
- break;
- #endif
- case finished:
- WOLFSSL_MSG("processing finished");
- ret = DoTls13Finished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF);
- break;
- case key_update:
- WOLFSSL_MSG("processing key update");
- ret = DoTls13KeyUpdate(ssl, input, inOutIdx, size);
- break;
- #if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12) && \
- !defined(NO_WOLFSSL_CLIENT)
- case hello_verify_request:
- WOLFSSL_MSG("processing hello verify request");
- ret = DoHelloVerifyRequest(ssl, input, inOutIdx, size);
- break;
- #endif
- default:
- WOLFSSL_MSG("Unknown handshake message type");
- ret = UNKNOWN_HANDSHAKE_TYPE;
- break;
- }
- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_ASYNC_IO)
- /* if async, offset index so this msg will be processed again */
- /* NOTE: check this now before other calls can overwrite ret */
- if ((ret == WC_PENDING_E || ret == OCSP_WANT_READ) && *inOutIdx > 0) {
- /* DTLS always stores a message in a buffer when async is enable, so we
- * don't need to adjust for the extra bytes here (*inOutIdx is always
- * == 0) */
- *inOutIdx -= HANDSHAKE_HEADER_SZ;
- }
- /* make sure async error is cleared */
- if (ret == 0 && (ssl->error == WC_PENDING_E || ssl->error == OCSP_WANT_READ)) {
- ssl->error = 0;
- }
- #endif
- if (ret == 0 && type != client_hello && type != session_ticket &&
- type != key_update) {
- ret = HashInput(ssl, input + inIdx, size);
- }
- alertType = TranslateErrorToAlert(ret);
- if (alertType != invalid_alert) {
- #ifdef WOLFSSL_DTLS13
- if (type == client_hello && ssl->options.dtls)
- DtlsSetSeqNumForReply(ssl);
- #endif
- tmp = SendAlert(ssl, alert_fatal, alertType);
- /* propagate socket error instead of tls error to be sure the error is
- * not ignored by DTLS code */
- if (tmp == SOCKET_ERROR_E)
- ret = SOCKET_ERROR_E;
- }
- if (ret == 0 && ssl->options.tls1_3) {
- /* Need to hash input message before deriving secrets. */
- #ifndef NO_WOLFSSL_CLIENT
- if (ssl->options.side == WOLFSSL_CLIENT_END) {
- if (type == server_hello) {
- if ((ret = DeriveEarlySecret(ssl)) != 0)
- return ret;
- if ((ret = DeriveHandshakeSecret(ssl)) != 0)
- return ret;
- if ((ret = DeriveTls13Keys(ssl, handshake_key,
- ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
- return ret;
- }
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->earlyData != no_early_data) {
- if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
- return ret;
- }
- else
- #endif
- if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
- return ret;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- w64wrapper epochHandshake;
- epochHandshake = w64From32(0, DTLS13_EPOCH_HANDSHAKE);
- ssl->dtls13Epoch = epochHandshake;
- ssl->dtls13PeerEpoch = epochHandshake;
- ret = Dtls13NewEpoch(
- ssl, epochHandshake, ENCRYPT_AND_DECRYPT_SIDE);
- if (ret != 0)
- return ret;
- ret = Dtls13SetEpochKeys(
- ssl, epochHandshake, ENCRYPT_AND_DECRYPT_SIDE);
- if (ret != 0)
- return ret;
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- if (type == finished) {
- if ((ret = DeriveMasterSecret(ssl)) != 0)
- return ret;
- /* Last use of preMasterSecret - zeroize as soon as possible. */
- ForceZero(ssl->arrays->preMasterSecret,
- ssl->arrays->preMasterSz);
- #ifdef WOLFSSL_EARLY_DATA
- #ifdef WOLFSSL_QUIC
- if (WOLFSSL_IS_QUIC(ssl) && ssl->earlyData != no_early_data) {
- /* QUIC never sends/receives EndOfEarlyData, but having
- * early data means the last encrpytion keys had not been
- * set yet. */
- if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
- return ret;
- }
- #endif
- if ((ret = DeriveTls13Keys(ssl, traffic_key,
- ENCRYPT_AND_DECRYPT_SIDE,
- ssl->earlyData == no_early_data)) != 0) {
- return ret;
- }
- #else
- if ((ret = DeriveTls13Keys(ssl, traffic_key,
- ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
- return ret;
- }
- #endif
- }
- #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
- if (type == certificate_request &&
- ssl->options.handShakeState == HANDSHAKE_DONE) {
- /* reset handshake states */
- ssl->options.clientState = CLIENT_HELLO_COMPLETE;
- ssl->options.connectState = FIRST_REPLY_DONE;
- ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
- ssl->options.processReply = 0; /* doProcessInit */
- /*
- DTLSv1.3 note: We can't reset serverState to
- SERVER_FINISHED_COMPLETE with the goal that this connect
- blocks until the cert/cert_verify/finished flight gets ACKed
- by the server. The problem is that we will invoke
- ProcessReplyEx() in that case, but we came here from
- ProcessReplyEx() and it is not re-entrant safe (the input
- buffer would still have the certificate_request message). */
- if (wolfSSL_connect_TLSv13(ssl) != WOLFSSL_SUCCESS) {
- ret = ssl->error;
- if (ret != WC_PENDING_E)
- ret = POST_HAND_AUTH_ERROR;
- }
- }
- #endif
- }
- #endif /* NO_WOLFSSL_CLIENT */
- #ifndef NO_WOLFSSL_SERVER
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- if (ssl->options.side == WOLFSSL_SERVER_END && type == finished) {
- ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret);
- if (ret != 0)
- return ret;
- }
- #endif
- #endif /* NO_WOLFSSL_SERVER */
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls && !ssl->options.dtlsStateful) {
- DtlsResetState(ssl);
- if (DtlsIgnoreError(ret))
- ret = 0;
- }
- #endif
- WOLFSSL_LEAVE("DoTls13HandShakeMsgType()", ret);
- return ret;
- }
- /* Handle a handshake message that has been received.
- *
- * ssl The SSL/TLS object.
- * input The message buffer.
- * inOutIdx On entry, the index into the buffer of the current message.
- * On exit, the index into the buffer of the next message.
- * totalSz Length of remaining data in the message buffer.
- * returns 0 on success and otherwise failure.
- */
- int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
- word32 totalSz)
- {
- int ret = 0;
- word32 inputLength;
- byte type;
- word32 size = 0;
- WOLFSSL_ENTER("DoTls13HandShakeMsg");
- if (ssl->arrays == NULL) {
- if (GetHandshakeHeader(ssl, input, inOutIdx, &type, &size,
- totalSz) != 0) {
- SendAlert(ssl, alert_fatal, unexpected_message);
- WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
- return PARSE_ERROR;
- }
- return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
- totalSz);
- }
- inputLength = ssl->buffers.inputBuffer.length - *inOutIdx - ssl->keys.padSz;
- /* If there is a pending fragmented handshake message,
- * pending message size will be non-zero. */
- if (ssl->arrays->pendingMsgSz == 0) {
- if (GetHandshakeHeader(ssl, input, inOutIdx, &type, &size,
- totalSz) != 0) {
- WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
- return PARSE_ERROR;
- }
- /* Cap the maximum size of a handshake message to something reasonable.
- * By default is the maximum size of a certificate message assuming
- * nine 2048-bit RSA certificates in the chain. */
- if (size > MAX_HANDSHAKE_SZ) {
- WOLFSSL_MSG("Handshake message too large");
- WOLFSSL_ERROR_VERBOSE(HANDSHAKE_SIZE_ERROR);
- return HANDSHAKE_SIZE_ERROR;
- }
- /* size is the size of the certificate message payload */
- if (inputLength - HANDSHAKE_HEADER_SZ < size) {
- ssl->arrays->pendingMsgType = type;
- ssl->arrays->pendingMsgSz = size + HANDSHAKE_HEADER_SZ;
- ssl->arrays->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ,
- ssl->heap,
- DYNAMIC_TYPE_ARRAYS);
- if (ssl->arrays->pendingMsg == NULL)
- return MEMORY_E;
- XMEMCPY(ssl->arrays->pendingMsg,
- input + *inOutIdx - HANDSHAKE_HEADER_SZ,
- inputLength);
- ssl->arrays->pendingMsgOffset = inputLength;
- *inOutIdx += inputLength + ssl->keys.padSz - HANDSHAKE_HEADER_SZ;
- return 0;
- }
- ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
- totalSz);
- }
- else {
- if (inputLength + ssl->arrays->pendingMsgOffset >
- ssl->arrays->pendingMsgSz) {
- inputLength = ssl->arrays->pendingMsgSz -
- ssl->arrays->pendingMsgOffset;
- }
- XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset,
- input + *inOutIdx, inputLength);
- ssl->arrays->pendingMsgOffset += inputLength;
- *inOutIdx += inputLength + ssl->keys.padSz;
- if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz)
- {
- word32 idx = 0;
- ret = DoTls13HandShakeMsgType(ssl,
- ssl->arrays->pendingMsg + HANDSHAKE_HEADER_SZ,
- &idx, ssl->arrays->pendingMsgType,
- ssl->arrays->pendingMsgSz - HANDSHAKE_HEADER_SZ,
- ssl->arrays->pendingMsgSz);
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_PENDING_E) {
- /* setup to process fragment again */
- ssl->arrays->pendingMsgOffset -= inputLength;
- *inOutIdx -= inputLength + ssl->keys.padSz;
- }
- else
- #endif
- {
- XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
- ssl->arrays->pendingMsg = NULL;
- ssl->arrays->pendingMsgSz = 0;
- }
- }
- }
- WOLFSSL_LEAVE("DoTls13HandShakeMsg", ret);
- return ret;
- }
- #ifndef NO_WOLFSSL_CLIENT
- /* The client connecting to the server.
- * The protocol version is expecting to be TLS v1.3.
- * If the server downgrades, and older versions of the protocol are compiled
- * in, the client will fallback to wolfSSL_connect().
- * Please see note at top of README if you get an error from connect.
- *
- * ssl The SSL/TLS object.
- * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when
- * unrecoverable error occurs and 0 otherwise.
- * For more error information use wolfSSL_get_error().
- */
- int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
- {
- int advanceState;
- int ret = 0;
- WOLFSSL_ENTER("wolfSSL_connect_TLSv13");
- #ifdef HAVE_ERRNO_H
- errno = 0;
- #endif
- if (ssl == NULL)
- return BAD_FUNC_ARG;
- if (ssl->options.side != WOLFSSL_CLIENT_END) {
- ssl->error = SIDE_ERROR;
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- /* make sure this wolfSSL object has arrays and rng setup. Protects
- * case where the WOLFSSL object is re-used via wolfSSL_clear() */
- if ((ret = ReinitSSL(ssl, ssl->ctx, 0)) != 0) {
- return ret;
- }
- #ifdef WOLFSSL_DTLS
- if (ssl->version.major == DTLS_MAJOR) {
- ssl->options.dtls = 1;
- ssl->options.dtlsStateful = 1;
- }
- #endif
- #ifdef WOLFSSL_WOLFSENTRY_HOOKS
- if ((ssl->ConnectFilter != NULL) &&
- (ssl->options.connectState == CONNECT_BEGIN))
- {
- wolfSSL_netfilter_decision_t res;
- if ((ssl->ConnectFilter(ssl, ssl->ConnectFilter_arg, &res) ==
- WOLFSSL_SUCCESS) &&
- (res == WOLFSSL_NETFILTER_REJECT)) {
- ssl->error = SOCKET_FILTERED_E;
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif /* WOLFSSL_WOLFSENTRY_HOOKS */
- /* fragOffset is non-zero when sending fragments. On the last
- * fragment, fragOffset is zero again, and the state can be
- * advanced. Also, only advance from states in which we send data */
- advanceState = (ssl->options.connectState == CONNECT_BEGIN ||
- ssl->options.connectState == HELLO_AGAIN ||
- (ssl->options.connectState >= FIRST_REPLY_DONE &&
- ssl->options.connectState <= FIRST_REPLY_FOURTH));
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- advanceState = advanceState && !ssl->dtls13SendingFragments
- && !ssl->dtls13SendingAckOrRtx;
- #endif /* WOLFSSL_DTLS13 */
- if (ssl->buffers.outputBuffer.length > 0
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* do not send buffered or advance state if last error was an
- async pending operation */
- && ssl->error != WC_PENDING_E
- #endif
- ) {
- if ((ssl->error = SendBuffered(ssl)) == 0) {
- if (ssl->fragOffset == 0 && !ssl->options.buildingMsg) {
- if (advanceState) {
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version) &&
- ssl->options.connectState == FIRST_REPLY_FOURTH) {
- /* WAIT_FINISHED_ACK is a state added afterwards, but it
- can't follow FIRST_REPLY_FOURTH in the enum order. Indeed
- the value of the enum ConnectState is stored in
- serialized session. This would make importing serialized
- session from other wolfSSL version incompatible */
- ssl->options.connectState = WAIT_FINISHED_ACK;
- }
- else
- #endif /* WOLFSSL_DTLS13 */
- {
- ssl->options.connectState++;
- }
- WOLFSSL_MSG("connect state: "
- "Advanced from last buffered fragment send");
- #ifdef WOLFSSL_ASYNC_IO
- FreeAsyncCtx(ssl, 0);
- #endif
- }
- }
- else {
- WOLFSSL_MSG("connect state: "
- "Not advanced, more fragments to send");
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- ssl->dtls13SendingAckOrRtx = 0;
- #endif /* WOLFSSL_DTLS13 */
- }
- else {
- ssl->error = ret;
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- ret = RetrySendAlert(ssl);
- if (ret != 0) {
- ssl->error = ret;
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls && ssl->dtls13SendingFragments) {
- if ((ssl->error = Dtls13FragmentsContinue(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- /* we sent all the fragments. Advance state. */
- ssl->options.connectState++;
- }
- #endif /* WOLFSSL_DTLS13 */
- switch (ssl->options.connectState) {
- case CONNECT_BEGIN:
- /* Always send client hello first. */
- if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- ssl->options.connectState = CLIENT_HELLO_SENT;
- WOLFSSL_MSG("connect state: CLIENT_HELLO_SENT");
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->earlyData != no_early_data) {
- #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
- if (!ssl->options.dtls && ssl->options.tls13MiddleBoxCompat) {
- if ((ssl->error = SendChangeCipher(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- ssl->options.sentChangeCipher = 1;
- }
- #endif
- ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
- return WOLFSSL_SUCCESS;
- }
- #endif
- FALL_THROUGH;
- case CLIENT_HELLO_SENT:
- /* Get the response/s from the server. */
- while (ssl->options.serverState <
- SERVER_HELLOVERIFYREQUEST_COMPLETE) {
- if ((ssl->error = ProcessReply(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- if (!ssl->options.tls1_3) {
- #ifndef WOLFSSL_NO_TLS12
- if (ssl->options.downgrade)
- return wolfSSL_connect(ssl);
- #endif
- WOLFSSL_MSG("Client using higher version, fatal error");
- WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
- return VERSION_ERROR;
- }
- ssl->options.connectState = HELLO_AGAIN;
- WOLFSSL_MSG("connect state: HELLO_AGAIN");
- FALL_THROUGH;
- case HELLO_AGAIN:
- if (ssl->options.serverState ==
- SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
- #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
- if (!ssl->options.dtls && !ssl->options.sentChangeCipher
- && ssl->options.tls13MiddleBoxCompat) {
- if ((ssl->error = SendChangeCipher(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- ssl->options.sentChangeCipher = 1;
- }
- #endif
- /* Try again with different security parameters. */
- if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- ssl->options.connectState = HELLO_AGAIN_REPLY;
- WOLFSSL_MSG("connect state: HELLO_AGAIN_REPLY");
- FALL_THROUGH;
- case HELLO_AGAIN_REPLY:
- /* Get the response/s from the server. */
- while (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
- if ((ssl->error = ProcessReply(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- ssl->options.connectState = FIRST_REPLY_DONE;
- WOLFSSL_MSG("connect state: FIRST_REPLY_DONE");
- FALL_THROUGH;
- case FIRST_REPLY_DONE:
- if (ssl->options.certOnly)
- return WOLFSSL_SUCCESS;
- #ifdef WOLFSSL_EARLY_DATA
- if (!ssl->options.dtls && ssl->earlyData != no_early_data
- && !WOLFSSL_IS_QUIC(ssl)) {
- if ((ssl->error = SendTls13EndOfEarlyData(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- WOLFSSL_MSG("sent: end_of_early_data");
- }
- #endif
- ssl->options.connectState = FIRST_REPLY_FIRST;
- WOLFSSL_MSG("connect state: FIRST_REPLY_FIRST");
- FALL_THROUGH;
- case FIRST_REPLY_FIRST:
- #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
- if (!ssl->options.sentChangeCipher && !ssl->options.dtls
- && ssl->options.tls13MiddleBoxCompat) {
- if ((ssl->error = SendChangeCipher(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- ssl->options.sentChangeCipher = 1;
- }
- #endif
- ssl->options.connectState = FIRST_REPLY_SECOND;
- WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND");
- FALL_THROUGH;
- case FIRST_REPLY_SECOND:
- /* CLIENT: check peer authentication. */
- if (!ssl->options.peerAuthGood) {
- WOLFSSL_MSG("Server authentication did not happen");
- WOLFSSL_ERROR_VERBOSE(WOLFSSL_FATAL_ERROR);
- return WOLFSSL_FATAL_ERROR;
- }
- #ifndef NO_CERTS
- if (!ssl->options.resuming && ssl->options.sendVerify) {
- ssl->error = SendTls13Certificate(ssl);
- if (ssl->error != 0) {
- #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
- ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
- #endif
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- WOLFSSL_MSG("sent: certificate");
- }
- #endif
- ssl->options.connectState = FIRST_REPLY_THIRD;
- WOLFSSL_MSG("connect state: FIRST_REPLY_THIRD");
- FALL_THROUGH;
- case FIRST_REPLY_THIRD:
- #if (!defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \
- defined(HAVE_ED25519) || defined(HAVE_ED448) || \
- defined(HAVE_PQC))) && (!defined(NO_WOLFSSL_SERVER) || \
- !defined(WOLFSSL_NO_CLIENT_AUTH))
- if (!ssl->options.resuming && ssl->options.sendVerify) {
- ssl->error = SendTls13CertificateVerify(ssl);
- if (ssl->error != 0) {
- #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
- ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
- #endif
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- WOLFSSL_MSG("sent: certificate verify");
- }
- #endif
- ssl->options.connectState = FIRST_REPLY_FOURTH;
- WOLFSSL_MSG("connect state: FIRST_REPLY_FOURTH");
- FALL_THROUGH;
- case FIRST_REPLY_FOURTH:
- if ((ssl->error = SendTls13Finished(ssl)) != 0) {
- #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
- ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
- #endif
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- WOLFSSL_MSG("sent: finished");
- #ifdef WOLFSSL_DTLS13
- ssl->options.connectState = WAIT_FINISHED_ACK;
- WOLFSSL_MSG("connect state: WAIT_FINISHED_ACK");
- FALL_THROUGH;
- case WAIT_FINISHED_ACK:
- if (ssl->options.dtls) {
- while (ssl->options.serverState != SERVER_FINISHED_ACKED) {
- if ((ssl->error = ProcessReply(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- }
- #endif /* WOLFSSL_DTLS13 */
- ssl->options.connectState = FINISHED_DONE;
- WOLFSSL_MSG("connect state: FINISHED_DONE");
- FALL_THROUGH;
- case FINISHED_DONE:
- #ifndef NO_HANDSHAKE_DONE_CB
- if (ssl->hsDoneCb != NULL) {
- int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
- if (cbret < 0) {
- ssl->error = cbret;
- WOLFSSL_ERROR_VERBOSE(ssl->error);
- WOLFSSL_MSG("HandShake Done Cb don't continue error");
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif /* NO_HANDSHAKE_DONE_CB */
- if (!ssl->options.keepResources) {
- FreeHandshakeResources(ssl);
- }
- #if defined(WOLFSSL_ASYNC_IO) && !defined(WOLFSSL_ASYNC_CRYPT)
- /* Free the remaining async context if not using it for crypto */
- FreeAsyncCtx(ssl, 1);
- #endif
- ssl->error = 0; /* clear the error */
- WOLFSSL_LEAVE("wolfSSL_connect_TLSv13", WOLFSSL_SUCCESS);
- return WOLFSSL_SUCCESS;
- default:
- WOLFSSL_MSG("Unknown connect state ERROR");
- return WOLFSSL_FATAL_ERROR; /* unknown connect state */
- }
- }
- #endif
- #if defined(WOLFSSL_SEND_HRR_COOKIE)
- /* Send a cookie with the HelloRetryRequest to avoid storing state.
- *
- * ssl SSL/TLS object.
- * secret Secret to use when generating integrity check for cookie.
- * A value of NULL indicates to generate a new random secret.
- * secretSz Size of secret data in bytes.
- * Use a value of 0 to indicate use of default size.
- * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR when
- * called on a client; WOLFSSL_SUCCESS on success and otherwise failure.
- */
- int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret,
- unsigned int secretSz)
- {
- int ret;
- if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_CLIENT_END)
- return SIDE_ERROR;
- if (secretSz == 0) {
- #if !defined(NO_SHA) && defined(NO_SHA256)
- secretSz = WC_SHA_DIGEST_SIZE;
- #endif /* NO_SHA */
- #ifndef NO_SHA256
- secretSz = WC_SHA256_DIGEST_SIZE;
- #endif /* NO_SHA256 */
- }
- if (secretSz != ssl->buffers.tls13CookieSecret.length) {
- byte* newSecret;
- if (ssl->buffers.tls13CookieSecret.buffer != NULL) {
- ForceZero(ssl->buffers.tls13CookieSecret.buffer,
- ssl->buffers.tls13CookieSecret.length);
- XFREE(ssl->buffers.tls13CookieSecret.buffer,
- ssl->heap, DYNAMIC_TYPE_COOKIE_PWD);
- }
- newSecret = (byte*)XMALLOC(secretSz, ssl->heap,
- DYNAMIC_TYPE_COOKIE_PWD);
- if (newSecret == NULL) {
- ssl->buffers.tls13CookieSecret.buffer = NULL;
- ssl->buffers.tls13CookieSecret.length = 0;
- WOLFSSL_MSG("couldn't allocate new cookie secret");
- return MEMORY_ERROR;
- }
- ssl->buffers.tls13CookieSecret.buffer = newSecret;
- ssl->buffers.tls13CookieSecret.length = secretSz;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("wolfSSL_send_hrr_cookie secret",
- ssl->buffers.tls13CookieSecret.buffer,
- ssl->buffers.tls13CookieSecret.length);
- #endif
- }
- /* If the supplied secret is NULL, randomly generate a new secret. */
- if (secret == NULL) {
- ret = wc_RNG_GenerateBlock(ssl->rng,
- ssl->buffers.tls13CookieSecret.buffer, secretSz);
- if (ret < 0)
- return ret;
- }
- else
- XMEMCPY(ssl->buffers.tls13CookieSecret.buffer, secret, secretSz);
- ssl->options.sendCookie = 1;
- ret = WOLFSSL_SUCCESS;
- #else
- (void)secret;
- (void)secretSz;
- ret = SIDE_ERROR;
- #endif
- return ret;
- }
- int wolfSSL_disable_hrr_cookie(WOLFSSL* ssl)
- {
- if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- #ifdef NO_WOLFSSL_SERVER
- return SIDE_ERROR;
- #else
- if (ssl->options.side == WOLFSSL_CLIENT_END)
- return SIDE_ERROR;
- if (ssl->buffers.tls13CookieSecret.buffer != NULL) {
- ForceZero(ssl->buffers.tls13CookieSecret.buffer,
- ssl->buffers.tls13CookieSecret.length);
- XFREE(ssl->buffers.tls13CookieSecret.buffer, ssl->heap,
- DYNAMIC_TYPE_COOKIE_PWD);
- ssl->buffers.tls13CookieSecret.buffer = NULL;
- ssl->buffers.tls13CookieSecret.length = 0;
- }
- ssl->options.sendCookie = 0;
- return WOLFSSL_SUCCESS;
- #endif /* NO_WOLFSSL_SERVER */
- }
- #endif /* defined(WOLFSSL_SEND_HRR_COOKIE) */
- #ifdef HAVE_SUPPORTED_CURVES
- /* Create a key share entry from group.
- * Generates a key pair.
- *
- * ssl The SSL/TLS object.
- * group The named group.
- * returns 0 on success, otherwise failure.
- * for async can return WC_PENDING_E and should be called again
- */
- int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group)
- {
- int ret;
- if (ssl == NULL)
- return BAD_FUNC_ARG;
- #ifdef WOLFSSL_ASYNC_CRYPT
- ret = wolfSSL_AsyncPop(ssl, NULL);
- if (ret != WC_NO_PENDING_E) {
- /* Check for error */
- if (ret < 0)
- return ret;
- }
- #endif
- #ifdef HAVE_PQC
- if (WOLFSSL_NAMED_GROUP_IS_PQC(group)) {
- if (ssl->ctx != NULL && ssl->ctx->method != NULL &&
- !IsAtLeastTLSv1_3(ssl->version)) {
- return BAD_FUNC_ARG;
- }
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- /* If I am the server of a KEM connection, do not do keygen because I'm
- * going to encapsulate with the client's public key. Note that I might
- * be the client and ssl->option.side has not been properly set yet. In
- * that case the KeyGen operation will be deferred to connection time. */
- return WOLFSSL_SUCCESS;
- }
- }
- #endif
- #if defined(NO_TLS)
- (void)ret;
- (void)group;
- #else
- ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL, &ssl->extensions);
- if (ret != 0)
- return ret;
- #endif /* NO_TLS */
- return WOLFSSL_SUCCESS;
- }
- /* Send no key share entries - use HelloRetryRequest to negotiate shared group.
- *
- * ssl The SSL/TLS object.
- * returns 0 on success, otherwise failure.
- */
- int wolfSSL_NoKeyShares(WOLFSSL* ssl)
- {
- int ret;
- if (ssl == NULL)
- return BAD_FUNC_ARG;
- if (ssl->options.side == WOLFSSL_SERVER_END)
- return SIDE_ERROR;
- #if defined(NO_TLS)
- (void)ret;
- #else
- ret = TLSX_KeyShare_Empty(ssl);
- if (ret != 0)
- return ret;
- #endif /* NO_TLS */
- return WOLFSSL_SUCCESS;
- }
- #endif
- /* Do not send a ticket after TLS v1.3 handshake for resumption.
- *
- * ctx The SSL/TLS CTX object.
- * returns BAD_FUNC_ARG when ctx is NULL and 0 on success.
- */
- int wolfSSL_CTX_no_ticket_TLSv13(WOLFSSL_CTX* ctx)
- {
- if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
- return BAD_FUNC_ARG;
- if (ctx->method->side == WOLFSSL_CLIENT_END)
- return SIDE_ERROR;
- #ifdef HAVE_SESSION_TICKET
- ctx->noTicketTls13 = 1;
- #endif
- return 0;
- }
- /* Do not send a ticket after TLS v1.3 handshake for resumption.
- *
- * ssl The SSL/TLS object.
- * returns BAD_FUNC_ARG when ssl is NULL, not using TLS v1.3, or called on
- * a client and 0 on success.
- */
- int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl)
- {
- if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- if (ssl->options.side == WOLFSSL_CLIENT_END)
- return SIDE_ERROR;
- #ifdef HAVE_SESSION_TICKET
- ssl->options.noTicketTls13 = 1;
- #endif
- return 0;
- }
- /* Disallow (EC)DHE key exchange when using pre-shared keys.
- *
- * ctx The SSL/TLS CTX object.
- * returns BAD_FUNC_ARG when ctx is NULL and 0 on success.
- */
- int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx)
- {
- if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
- return BAD_FUNC_ARG;
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- ctx->noPskDheKe = 1;
- #endif
- return 0;
- }
- /* Disallow (EC)DHE key exchange when using pre-shared keys.
- *
- * ssl The SSL/TLS object.
- * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3 and 0 on
- * success.
- */
- int wolfSSL_no_dhe_psk(WOLFSSL* ssl)
- {
- if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- ssl->options.noPskDheKe = 1;
- #endif
- return 0;
- }
- #ifdef HAVE_SUPPORTED_CURVES
- /* Only allow (EC)DHE key exchange when using pre-shared keys.
- *
- * ctx The SSL/TLS CTX object.
- * returns BAD_FUNC_ARG when ctx is NULL and 0 on success.
- */
- int wolfSSL_CTX_only_dhe_psk(WOLFSSL_CTX* ctx)
- {
- if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
- return BAD_FUNC_ARG;
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- ctx->onlyPskDheKe = 1;
- #endif
- return 0;
- }
- /* Only allow (EC)DHE key exchange when using pre-shared keys.
- *
- * ssl The SSL/TLS object.
- * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3 and 0 on
- * success.
- */
- int wolfSSL_only_dhe_psk(WOLFSSL* ssl)
- {
- if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- ssl->options.onlyPskDheKe = 1;
- #endif
- return 0;
- }
- #endif /* HAVE_SUPPORTED_CURVES */
- int Tls13UpdateKeys(WOLFSSL* ssl)
- {
- if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- #ifdef WOLFSSL_DTLS13
- /* we are already waiting for the ack of a sent key update message. We can't
- send another one before receiving its ack. Either wolfSSL_update_keys()
- was invoked multiple times over a short period of time or we replied to a
- KeyUpdate with update request. We'll just ignore sending this
- KeyUpdate. */
- /* TODO: add WOLFSSL_ERROR_ALREADY_IN_PROGRESS type of error here */
- if (ssl->options.dtls && ssl->dtls13WaitKeyUpdateAck)
- return 0;
- #endif /* WOLFSSL_DTLS13 */
- return SendTls13KeyUpdate(ssl);
- }
- /* Update the keys for encryption and decryption.
- * If using non-blocking I/O and WOLFSSL_ERROR_WANT_WRITE is returned then
- * calling wolfSSL_write() will have the message sent when ready.
- *
- * ssl The SSL/TLS object.
- * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
- * WOLFSSL_ERROR_WANT_WRITE when non-blocking I/O is not ready to write,
- * WOLFSSL_SUCCESS on success and otherwise failure.
- */
- int wolfSSL_update_keys(WOLFSSL* ssl)
- {
- int ret;
- ret = Tls13UpdateKeys(ssl);
- if (ret == WANT_WRITE)
- ret = WOLFSSL_ERROR_WANT_WRITE;
- else if (ret == 0)
- ret = WOLFSSL_SUCCESS;
- return ret;
- }
- /* Whether a response is waiting for key update request.
- *
- * ssl The SSL/TLS object.
- * required 0 when no key update response required.
- * 1 when no key update response required.
- * return 0 on success.
- * return BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3
- */
- int wolfSSL_key_update_response(WOLFSSL* ssl, int* required)
- {
- if (required == NULL || ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- *required = ssl->keys.updateResponseReq;
- return 0;
- }
- #if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
- /* Allow post-handshake authentication in TLS v1.3 connections.
- *
- * ctx The SSL/TLS CTX object.
- * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a client and
- * 0 on success.
- */
- int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx)
- {
- if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
- return BAD_FUNC_ARG;
- if (ctx->method->side == WOLFSSL_SERVER_END)
- return SIDE_ERROR;
- ctx->postHandshakeAuth = 1;
- return 0;
- }
- /* Allow post-handshake authentication in TLS v1.3 connection.
- *
- * ssl The SSL/TLS object.
- * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
- * SIDE_ERROR when not a client and 0 on success.
- */
- int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl)
- {
- if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- if (ssl->options.side == WOLFSSL_SERVER_END)
- return SIDE_ERROR;
- ssl->options.postHandshakeAuth = 1;
- return 0;
- }
- /* Request a certificate of the client.
- * Can be called any time after handshake completion.
- * A maximum of 256 requests can be sent on a connection.
- *
- * ssl SSL/TLS object.
- */
- int wolfSSL_request_certificate(WOLFSSL* ssl)
- {
- int ret;
- #ifndef NO_WOLFSSL_SERVER
- CertReqCtx* certReqCtx;
- #endif
- if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_CLIENT_END)
- return SIDE_ERROR;
- if (ssl->options.handShakeState != HANDSHAKE_DONE)
- return NOT_READY_ERROR;
- if (!ssl->options.postHandshakeAuth)
- return POST_HAND_AUTH_ERROR;
- certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx), ssl->heap,
- DYNAMIC_TYPE_TMP_BUFFER);
- if (certReqCtx == NULL)
- return MEMORY_E;
- XMEMSET(certReqCtx, 0, sizeof(CertReqCtx));
- certReqCtx->next = ssl->certReqCtx;
- certReqCtx->len = 1;
- if (certReqCtx->next != NULL)
- certReqCtx->ctx = certReqCtx->next->ctx + 1;
- ssl->certReqCtx = certReqCtx;
- ssl->msgsReceived.got_certificate = 0;
- ssl->msgsReceived.got_certificate_verify = 0;
- ssl->msgsReceived.got_finished = 0;
- ret = SendTls13CertificateRequest(ssl, &certReqCtx->ctx, certReqCtx->len);
- if (ret == WANT_WRITE)
- ret = WOLFSSL_ERROR_WANT_WRITE;
- else if (ret == 0)
- ret = WOLFSSL_SUCCESS;
- #else
- ret = SIDE_ERROR;
- #endif
- return ret;
- }
- #endif /* !NO_CERTS && WOLFSSL_POST_HANDSHAKE_AUTH */
- #if !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
- /* Get the preferred key exchange group.
- *
- * ssl The SSL/TLS object.
- * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3,
- * SIDE_ERROR when not a client, NOT_READY_ERROR when handshake not complete
- * and group number on success.
- */
- int wolfSSL_preferred_group(WOLFSSL* ssl)
- {
- if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- #ifndef NO_WOLFSSL_CLIENT
- if (ssl->options.side == WOLFSSL_SERVER_END)
- return SIDE_ERROR;
- if (ssl->options.handShakeState != HANDSHAKE_DONE)
- return NOT_READY_ERROR;
- #ifdef HAVE_SUPPORTED_CURVES
- /* Return supported groups only. */
- return TLSX_SupportedCurve_Preferred(ssl, 1);
- #else
- return 0;
- #endif
- #else
- return SIDE_ERROR;
- #endif
- }
- #endif
- #if defined(HAVE_SUPPORTED_CURVES)
- /* Sets the key exchange groups in rank order on a context.
- *
- * ctx SSL/TLS context object.
- * groups Array of groups.
- * count Number of groups in array.
- * returns BAD_FUNC_ARG when ctx or groups is NULL, not using TLS v1.3 or
- * count is greater than WOLFSSL_MAX_GROUP_COUNT and WOLFSSL_SUCCESS on success.
- */
- int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count)
- {
- int ret, i;
- WOLFSSL_ENTER("wolfSSL_CTX_set_groups");
- if (ctx == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT)
- return BAD_FUNC_ARG;
- if (!IsAtLeastTLSv1_3(ctx->method->version))
- return BAD_FUNC_ARG;
- ctx->numGroups = 0;
- #if !defined(NO_TLS)
- TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap);
- #endif /* !NO_TLS */
- for (i = 0; i < count; i++) {
- /* Call to wolfSSL_CTX_UseSupportedCurve also checks if input groups
- * are valid */
- if ((ret = wolfSSL_CTX_UseSupportedCurve(ctx, (word16)groups[i]))
- != WOLFSSL_SUCCESS) {
- #if !defined(NO_TLS)
- TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap);
- #endif /* !NO_TLS */
- return ret;
- }
- ctx->group[i] = (word16)groups[i];
- }
- ctx->numGroups = (byte)count;
- return WOLFSSL_SUCCESS;
- }
- /* Sets the key exchange groups in rank order.
- *
- * ssl SSL/TLS object.
- * groups Array of groups.
- * count Number of groups in array.
- * returns BAD_FUNC_ARG when ssl or groups is NULL, not using TLS v1.3 or
- * count is greater than WOLFSSL_MAX_GROUP_COUNT and WOLFSSL_SUCCESS on success.
- */
- int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count)
- {
- int ret, i;
- WOLFSSL_ENTER("wolfSSL_set_groups");
- if (ssl == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT)
- return BAD_FUNC_ARG;
- if (!IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- ssl->numGroups = 0;
- #if !defined(NO_TLS)
- TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap);
- #endif /* !NO_TLS */
- for (i = 0; i < count; i++) {
- /* Call to wolfSSL_UseSupportedCurve also checks if input groups
- * are valid */
- if ((ret = wolfSSL_UseSupportedCurve(ssl, (word16)groups[i]))
- != WOLFSSL_SUCCESS) {
- #if !defined(NO_TLS)
- TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap);
- #endif /* !NO_TLS */
- return ret;
- }
- ssl->group[i] = (word16)groups[i];
- }
- ssl->numGroups = (byte)count;
- return WOLFSSL_SUCCESS;
- }
- #endif /* HAVE_SUPPORTED_CURVES */
- #ifndef NO_PSK
- /* Set the PSK callback, that is passed the cipher suite, for a client to use
- * against context object.
- *
- * @param [in, out] ctx SSL/TLS context object.
- * @param [in] cb Client PSK callback passed a cipher suite.
- */
- void wolfSSL_CTX_set_psk_client_cs_callback(WOLFSSL_CTX* ctx,
- wc_psk_client_cs_callback cb)
- {
- WOLFSSL_ENTER("wolfSSL_CTX_set_psk_client_cs_callback");
- if (ctx == NULL)
- return;
- ctx->havePSK = 1;
- ctx->client_psk_cs_cb = cb;
- }
- /* Set the PSK callback, that is passed the cipher suite, for a client to use
- * against SSL object.
- *
- * @param [in, out] ssl SSL/TLS object.
- * @param [in] cb Client PSK callback passed a cipher suite.
- */
- void wolfSSL_set_psk_client_cs_callback(WOLFSSL* ssl,
- wc_psk_client_cs_callback cb)
- {
- byte haveRSA = 1;
- int keySz = 0;
- WOLFSSL_ENTER("wolfSSL_set_psk_client_cs_callback");
- if (ssl == NULL)
- return;
- ssl->options.havePSK = 1;
- ssl->options.client_psk_cs_cb = cb;
- #ifdef NO_RSA
- haveRSA = 0;
- #endif
- #ifndef NO_CERTS
- keySz = ssl->buffers.keySz;
- #endif
- if (AllocateSuites(ssl) != 0)
- return;
- InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
- ssl->options.haveDH, ssl->options.haveECDSAsig,
- ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
- ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
- ssl->options.haveAnon, TRUE, ssl->options.side);
- }
- /* Set the PSK callback that returns the cipher suite for a client to use
- * against context object.
- *
- * @param [in, out] ctx SSL/TLS context object.
- * @param [in] cb Client PSK callback returning cipher suite.
- */
- void wolfSSL_CTX_set_psk_client_tls13_callback(WOLFSSL_CTX* ctx,
- wc_psk_client_tls13_callback cb)
- {
- WOLFSSL_ENTER("wolfSSL_CTX_set_psk_client_tls13_callback");
- if (ctx == NULL)
- return;
- ctx->havePSK = 1;
- ctx->client_psk_tls13_cb = cb;
- }
- /* Set the PSK callback that returns the cipher suite for a client to use
- * against SSL object.
- *
- * @param [in, out] ssl SSL/TLS object.
- * @param [in] cb Client PSK callback returning cipher suite.
- */
- void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl,
- wc_psk_client_tls13_callback cb)
- {
- byte haveRSA = 1;
- int keySz = 0;
- WOLFSSL_ENTER("wolfSSL_set_psk_client_tls13_callback");
- if (ssl == NULL)
- return;
- ssl->options.havePSK = 1;
- ssl->options.client_psk_tls13_cb = cb;
- #ifdef NO_RSA
- haveRSA = 0;
- #endif
- #ifndef NO_CERTS
- keySz = ssl->buffers.keySz;
- #endif
- if (AllocateSuites(ssl) != 0)
- return;
- InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
- ssl->options.haveDH, ssl->options.haveECDSAsig,
- ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
- ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
- ssl->options.haveAnon, TRUE, ssl->options.side);
- }
- /* Set the PSK callback that returns the cipher suite for a server to use
- * against context object.
- *
- * @param [in, out] ctx SSL/TLS context object.
- * @param [in] cb Server PSK callback returning cipher suite.
- */
- void wolfSSL_CTX_set_psk_server_tls13_callback(WOLFSSL_CTX* ctx,
- wc_psk_server_tls13_callback cb)
- {
- WOLFSSL_ENTER("wolfSSL_CTX_set_psk_server_tls13_callback");
- if (ctx == NULL)
- return;
- ctx->havePSK = 1;
- ctx->server_psk_tls13_cb = cb;
- }
- /* Set the PSK callback that returns the cipher suite for a server to use
- * against SSL object.
- *
- * @param [in, out] ssl SSL/TLS object.
- * @param [in] cb Server PSK callback returning cipher suite.
- */
- void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl,
- wc_psk_server_tls13_callback cb)
- {
- byte haveRSA = 1;
- int keySz = 0;
- WOLFSSL_ENTER("wolfSSL_set_psk_server_tls13_callback");
- if (ssl == NULL)
- return;
- ssl->options.havePSK = 1;
- ssl->options.server_psk_tls13_cb = cb;
- #ifdef NO_RSA
- haveRSA = 0;
- #endif
- #ifndef NO_CERTS
- keySz = ssl->buffers.keySz;
- #endif
- if (AllocateSuites(ssl) != 0)
- return;
- InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
- ssl->options.haveDH, ssl->options.haveECDSAsig,
- ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
- ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
- ssl->options.haveAnon, TRUE, ssl->options.side);
- }
- /* Get name of first supported cipher suite that uses the hash indicated.
- *
- * @param [in] ssl SSL/TLS object.
- * @param [in] hash Name of hash algorithm. e.g. "SHA256", "SHA384"
- * @return Name of cipher suite.
- * @return NULL on failure.
- */
- const char* wolfSSL_get_cipher_name_by_hash(WOLFSSL* ssl, const char* hash)
- {
- const char* name = NULL;
- byte mac = no_mac;
- int i;
- const Suites* suites = WOLFSSL_SUITES(ssl);
- if (XSTRCMP(hash, "SHA256") == 0) {
- mac = sha256_mac;
- }
- else if (XSTRCMP(hash, "SHA384") == 0) {
- mac = sha384_mac;
- }
- if (mac != no_mac) {
- for (i = 0; i < suites->suiteSz; i += 2) {
- if (SuiteMac(suites->suites + i) == mac) {
- name = GetCipherNameInternal(suites->suites[i + 0],
- suites->suites[i + 1]);
- break;
- }
- }
- }
- return name;
- }
- #endif /* !NO_PSK */
- #ifndef NO_WOLFSSL_SERVER
- /* The server accepting a connection from a client.
- * The protocol version is expecting to be TLS v1.3.
- * If the client downgrades, and older versions of the protocol are compiled
- * in, the server will fallback to wolfSSL_accept().
- * Please see note at top of README if you get an error from accept.
- *
- * ssl The SSL/TLS object.
- * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when
- * unrecoverable error occurs and 0 otherwise.
- * For more error information use wolfSSL_get_error().
- */
- int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
- {
- #if !defined(NO_CERTS) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
- word16 havePSK = 0;
- #endif
- int ret = 0;
- WOLFSSL_ENTER("wolfSSL_accept_TLSv13");
- #ifdef HAVE_ERRNO_H
- errno = 0;
- #endif
- if (ssl == NULL)
- return WOLFSSL_FATAL_ERROR;
- #if !defined(NO_CERTS) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
- havePSK = ssl->options.havePSK;
- #endif
- if (ssl->options.side != WOLFSSL_SERVER_END) {
- ssl->error = SIDE_ERROR;
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- /* make sure this wolfSSL object has arrays and rng setup. Protects
- * case where the WOLFSSL object is re-used via wolfSSL_clear() */
- if ((ret = ReinitSSL(ssl, ssl->ctx, 0)) != 0) {
- return ret;
- }
- #ifdef WOLFSSL_DTLS
- if (ssl->version.major == DTLS_MAJOR) {
- ssl->options.dtls = 1;
- if (!IsDtlsNotSctpMode(ssl) || !ssl->options.sendCookie)
- ssl->options.dtlsStateful = 1;
- }
- #endif
- #ifdef WOLFSSL_WOLFSENTRY_HOOKS
- if ((ssl->AcceptFilter != NULL) &&
- ((ssl->options.acceptState == TLS13_ACCEPT_BEGIN)
- #ifdef HAVE_SECURE_RENEGOTIATION
- || (ssl->options.acceptState == TLS13_ACCEPT_BEGIN_RENEG)
- #endif
- ))
- {
- wolfSSL_netfilter_decision_t res;
- if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) ==
- WOLFSSL_SUCCESS) &&
- (res == WOLFSSL_NETFILTER_REJECT)) {
- ssl->error = SOCKET_FILTERED_E;
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif /* WOLFSSL_WOLFSENTRY_HOOKS */
- #ifndef NO_CERTS
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- if (!havePSK)
- #endif
- {
- #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
- defined(WOLFSSL_NGINX) || defined (WOLFSSL_HAPROXY)
- if (ssl->ctx->certSetupCb != NULL) {
- WOLFSSL_MSG("CertSetupCb set. server cert and "
- "key not checked");
- }
- else
- #endif
- {
- if (!ssl->buffers.certificate ||
- !ssl->buffers.certificate->buffer) {
- WOLFSSL_MSG("accept error: server cert required");
- ssl->error = NO_PRIVATE_KEY;
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
- /* allow no private key if using existing key */
- #ifdef WOLF_PRIVATE_KEY_ID
- if (ssl->devId != INVALID_DEVID
- #ifdef HAVE_PK_CALLBACKS
- || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
- #endif
- ) {
- WOLFSSL_MSG("Allowing no server private key (external)");
- }
- else
- #endif
- {
- WOLFSSL_MSG("accept error: server key required");
- ssl->error = NO_PRIVATE_KEY;
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- }
- }
- #endif /* NO_CERTS */
- if (ssl->buffers.outputBuffer.length > 0
- #ifdef WOLFSSL_ASYNC_CRYPT
- /* do not send buffered or advance state if last error was an
- async pending operation */
- && ssl->error != WC_PENDING_E
- #endif
- ) {
- /* fragOffset is non-zero when sending fragments. On the last
- * fragment, fragOffset is zero again, and the state can be
- * advanced. */
- int advanceState =
- (ssl->options.acceptState == TLS13_ACCEPT_CLIENT_HELLO_DONE ||
- ssl->options.acceptState ==
- TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE ||
- ssl->options.acceptState == TLS13_ACCEPT_SECOND_REPLY_DONE ||
- ssl->options.acceptState == TLS13_SERVER_HELLO_SENT ||
- ssl->options.acceptState == TLS13_ACCEPT_THIRD_REPLY_DONE ||
- ssl->options.acceptState == TLS13_SERVER_EXTENSIONS_SENT ||
- ssl->options.acceptState == TLS13_CERT_REQ_SENT ||
- ssl->options.acceptState == TLS13_CERT_SENT ||
- ssl->options.acceptState == TLS13_CERT_VERIFY_SENT ||
- ssl->options.acceptState == TLS13_ACCEPT_FINISHED_SENT ||
- ssl->options.acceptState == TLS13_ACCEPT_FINISHED_DONE);
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- advanceState = advanceState && !ssl->dtls13SendingFragments
- && !ssl->dtls13SendingAckOrRtx;
- #endif /* WOLFSSL_DTLS13 */
- if ((ssl->error = SendBuffered(ssl)) == 0) {
- if (ssl->fragOffset == 0 && !ssl->options.buildingMsg) {
- if (advanceState) {
- ssl->options.acceptState++;
- WOLFSSL_MSG("accept state: "
- "Advanced from last buffered fragment send");
- #ifdef WOLFSSL_ASYNC_IO
- FreeAsyncCtx(ssl, 0);
- #endif
- }
- }
- else {
- WOLFSSL_MSG("accept state: "
- "Not advanced, more fragments to send");
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls)
- ssl->dtls13SendingAckOrRtx = 0;
- #endif /* WOLFSSL_DTLS13 */
- }
- else {
- ssl->error = ret;
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- ret = RetrySendAlert(ssl);
- if (ret != 0) {
- ssl->error = ret;
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls && ssl->dtls13SendingFragments) {
- if ((ssl->error = Dtls13FragmentsContinue(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- /* we sent all the fragments. Advance state. */
- ssl->options.acceptState++;
- }
- #endif /* WOLFSSL_DTLS13 */
- switch (ssl->options.acceptState) {
- #ifdef HAVE_SECURE_RENEGOTIATION
- case TLS13_ACCEPT_BEGIN_RENEG:
- #endif
- case TLS13_ACCEPT_BEGIN :
- /* get client_hello */
- while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
- if ((ssl->error = ProcessReply(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- ssl->options.acceptState = TLS13_ACCEPT_CLIENT_HELLO_DONE;
- WOLFSSL_MSG("accept state ACCEPT_CLIENT_HELLO_DONE");
- if (!IsAtLeastTLSv1_3(ssl->version))
- return wolfSSL_accept(ssl);
- FALL_THROUGH;
- case TLS13_ACCEPT_CLIENT_HELLO_DONE :
- if (ssl->options.serverState ==
- SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
- if ((ssl->error = SendTls13ServerHello(ssl,
- hello_retry_request)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- ssl->options.acceptState = TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE;
- WOLFSSL_MSG("accept state ACCEPT_HELLO_RETRY_REQUEST_DONE");
- FALL_THROUGH;
- case TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE :
- #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
- if (!ssl->options.dtls && ssl->options.tls13MiddleBoxCompat
- && ssl->options.serverState ==
- SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
- if ((ssl->error = SendChangeCipher(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- ssl->options.sentChangeCipher = 1;
- ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
- }
- #endif
- ssl->options.acceptState = TLS13_ACCEPT_FIRST_REPLY_DONE;
- WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE");
- FALL_THROUGH;
- case TLS13_ACCEPT_FIRST_REPLY_DONE :
- if (ssl->options.serverState ==
- SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
- ssl->options.clientState = CLIENT_HELLO_RETRY;
- while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
- if ((ssl->error = ProcessReply(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- }
- ssl->options.acceptState = TLS13_ACCEPT_SECOND_REPLY_DONE;
- WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE");
- FALL_THROUGH;
- case TLS13_ACCEPT_SECOND_REPLY_DONE :
- #ifdef WOLFSSL_DTLS
- if (ssl->chGoodCb != NULL) {
- int cbret = ssl->chGoodCb(ssl, ssl->chGoodCtx);
- if (cbret < 0) {
- ssl->error = cbret;
- WOLFSSL_MSG("ClientHello Good Cb don't continue error");
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif
- if ((ssl->error = SendTls13ServerHello(ssl, server_hello)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- ssl->options.acceptState = TLS13_SERVER_HELLO_SENT;
- WOLFSSL_MSG("accept state SERVER_HELLO_SENT");
- FALL_THROUGH;
- case TLS13_SERVER_HELLO_SENT :
- #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
- if (!ssl->options.dtls && ssl->options.tls13MiddleBoxCompat
- && !ssl->options.sentChangeCipher && !ssl->options.dtls) {
- if ((ssl->error = SendChangeCipher(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- ssl->options.sentChangeCipher = 1;
- }
- #endif
- ssl->options.acceptState = TLS13_ACCEPT_THIRD_REPLY_DONE;
- WOLFSSL_MSG("accept state ACCEPT_THIRD_REPLY_DONE");
- FALL_THROUGH;
- case TLS13_ACCEPT_THIRD_REPLY_DONE :
- #ifdef HAVE_SUPPORTED_CURVES
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- if (!ssl->options.noPskDheKe)
- #endif
- {
- ssl->error = TLSX_KeyShare_DeriveSecret(ssl);
- if (ssl->error != 0)
- return WOLFSSL_FATAL_ERROR;
- }
- #endif
- if ((ssl->error = SendTls13EncryptedExtensions(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- ssl->options.acceptState = TLS13_SERVER_EXTENSIONS_SENT;
- WOLFSSL_MSG("accept state SERVER_EXTENSIONS_SENT");
- FALL_THROUGH;
- case TLS13_SERVER_EXTENSIONS_SENT :
- #ifndef NO_CERTS
- if (!ssl->options.resuming) {
- if (ssl->options.verifyPeer
- #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
- && !ssl->options.verifyPostHandshake
- #endif
- ) {
- ssl->error = SendTls13CertificateRequest(ssl, NULL, 0);
- if (ssl->error != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- else {
- /* SERVER: Peer auth good if not verifying client. */
- ssl->options.peerAuthGood = 1;
- }
- }
- #endif
- ssl->options.acceptState = TLS13_CERT_REQ_SENT;
- WOLFSSL_MSG("accept state CERT_REQ_SENT");
- FALL_THROUGH;
- case TLS13_CERT_REQ_SENT :
- #ifndef NO_CERTS
- if (!ssl->options.resuming && ssl->options.sendVerify) {
- if ((ssl->error = SendTls13Certificate(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif
- ssl->options.acceptState = TLS13_CERT_SENT;
- WOLFSSL_MSG("accept state CERT_SENT");
- FALL_THROUGH;
- case TLS13_CERT_SENT :
- #if !defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \
- defined(HAVE_ED25519) || defined(HAVE_ED448) || defined(HAVE_PQC))
- if (!ssl->options.resuming && ssl->options.sendVerify) {
- if ((ssl->error = SendTls13CertificateVerify(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif
- ssl->options.acceptState = TLS13_CERT_VERIFY_SENT;
- WOLFSSL_MSG("accept state CERT_VERIFY_SENT");
- FALL_THROUGH;
- case TLS13_CERT_VERIFY_SENT :
- if ((ssl->error = SendTls13Finished(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- ssl->options.acceptState = TLS13_ACCEPT_FINISHED_SENT;
- WOLFSSL_MSG("accept state ACCEPT_FINISHED_SENT");
- #ifdef WOLFSSL_EARLY_DATA
- if (ssl->earlyData != no_early_data) {
- ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
- return WOLFSSL_SUCCESS;
- }
- #endif
- FALL_THROUGH;
- case TLS13_ACCEPT_FINISHED_SENT :
- #ifdef HAVE_SESSION_TICKET
- #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
- if (!ssl->options.verifyPeer && !ssl->options.noTicketTls13 &&
- ssl->ctx->ticketEncCb != NULL) {
- if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- ssl->options.ticketsSent = 1;
- }
- #endif
- #endif /* HAVE_SESSION_TICKET */
- ssl->options.acceptState = TLS13_PRE_TICKET_SENT;
- WOLFSSL_MSG("accept state TICKET_SENT");
- FALL_THROUGH;
- case TLS13_PRE_TICKET_SENT :
- while (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) {
- if ( (ssl->error = ProcessReply(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- ssl->options.acceptState = TLS13_ACCEPT_FINISHED_DONE;
- WOLFSSL_MSG("accept state ACCEPT_FINISHED_DONE");
- FALL_THROUGH;
- case TLS13_ACCEPT_FINISHED_DONE :
- /* SERVER: When not resuming and verifying peer but no certificate
- * received and not failing when not received then peer auth good.
- */
- if (!ssl->options.resuming && ssl->options.verifyPeer &&
- #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
- !ssl->options.verifyPostHandshake &&
- #endif
- !ssl->options.havePeerCert && !ssl->options.failNoCert) {
- ssl->options.peerAuthGood = 1;
- }
- /* SERVER: check peer authentication. */
- if (!ssl->options.peerAuthGood) {
- WOLFSSL_MSG("Client authentication did not happen");
- return WOLFSSL_FATAL_ERROR;
- }
- #ifdef HAVE_SESSION_TICKET
- while (ssl->options.ticketsSent < ssl->options.maxTicketTls13) {
- if (!ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb
- != NULL) {
- if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- ssl->options.ticketsSent++;
- /* only one session ticket is sent on session resumption */
- if (ssl->options.resuming) {
- break;
- }
- }
- #endif /* HAVE_SESSION_TICKET */
- ssl->options.acceptState = TLS13_TICKET_SENT;
- WOLFSSL_MSG("accept state TICKET_SENT");
- FALL_THROUGH;
- case TLS13_TICKET_SENT :
- #ifndef NO_HANDSHAKE_DONE_CB
- if (ssl->hsDoneCb) {
- int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
- if (cbret < 0) {
- ssl->error = cbret;
- WOLFSSL_MSG("HandShake Done Cb don't continue error");
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif /* NO_HANDSHAKE_DONE_CB */
- if (!ssl->options.keepResources) {
- FreeHandshakeResources(ssl);
- }
- #if defined(WOLFSSL_ASYNC_IO) && !defined(WOLFSSL_ASYNC_CRYPT)
- /* Free the remaining async context if not using it for crypto */
- FreeAsyncCtx(ssl, 1);
- #endif
- ssl->error = 0; /* clear the error */
- WOLFSSL_LEAVE("wolfSSL_accept", WOLFSSL_SUCCESS);
- return WOLFSSL_SUCCESS;
- default :
- WOLFSSL_MSG("Unknown accept state ERROR");
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif
- #if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SESSION_TICKET)
- /* Server sends a session ticket to the peer.
- *
- * RFC 8446, section 4.6.1, para 1.
- *
- * ssl The SSL/TLS object.
- * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
- * SIDE_ERROR when not a server,
- * NOT_READY_ERROR when handshake not complete,
- * WOLFSSL_FATAL_ERROR when creating or sending message fails, and
- * WOLFSSL_SUCCESS on success.
- */
- int wolfSSL_send_SessionTicket(WOLFSSL* ssl)
- {
- if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- if (ssl->options.side == WOLFSSL_CLIENT_END)
- return SIDE_ERROR;
- if (ssl->options.handShakeState != HANDSHAKE_DONE)
- return NOT_READY_ERROR;
- if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- ssl->options.ticketsSent++;
- return WOLFSSL_SUCCESS;
- }
- #endif
- #ifdef WOLFSSL_EARLY_DATA
- /* Sets the maximum amount of early data that can be seen by server when using
- * session tickets for resumption.
- * A value of zero indicates no early data is to be sent by client using session
- * tickets.
- *
- * ctx The SSL/TLS CTX object.
- * sz Maximum size of the early data.
- * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and
- * 0 on success.
- */
- int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz)
- {
- if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
- return BAD_FUNC_ARG;
- if (ctx->method->side == WOLFSSL_CLIENT_END)
- return SIDE_ERROR;
- ctx->maxEarlyDataSz = sz;
- #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_ERROR_CODE_OPENSSL)
- /* 1 on success in OpenSSL*/
- return WOLFSSL_SUCCESS;
- #else
- return 0;
- #endif
- }
- /* Sets the maximum amount of early data that a client or server would like
- * to exchange. Servers will advertise this value in session tickets sent
- * to a client.
- * A value of zero indicates no early data will be sent by a client, or
- * no early data is accepted by a server (and announced as such in send out
- * session tickets).
- *
- * ssl The SSL/TLS object.
- * sz Maximum size of the early data.
- * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
- * and 0 on success.
- */
- int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz)
- {
- if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- ssl->options.maxEarlyDataSz = sz;
- #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_ERROR_CODE_OPENSSL)
- /* 1 on success in OpenSSL*/
- return WOLFSSL_SUCCESS;
- #else
- return 0;
- #endif
- }
- /* Gets the maximum amount of early data that can be seen by server when using
- * session tickets for resumption.
- * A value of zero indicates no early data is to be sent by client using session
- * tickets.
- *
- * ctx The SSL/TLS CTX object.
- * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and
- * returns the maximum amount of early data to be set
- */
- int wolfSSL_CTX_get_max_early_data(WOLFSSL_CTX* ctx)
- {
- if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
- return BAD_FUNC_ARG;
- if (ctx->method->side == WOLFSSL_CLIENT_END)
- return SIDE_ERROR;
- return ctx->maxEarlyDataSz;
- }
- /* Gets the maximum amount of early data that can be seen by server when using
- * session tickets for resumption.
- * A value of zero indicates no early data is to be sent by client using session
- * tickets.
- *
- * ssl The SSL/TLS object.
- * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
- * SIDE_ERROR when not a server and
- * returns the maximum amount of early data to be set
- */
- int wolfSSL_get_max_early_data(WOLFSSL* ssl)
- {
- if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- return ssl->options.maxEarlyDataSz;
- }
- /* Write early data to the server.
- *
- * ssl The SSL/TLS object.
- * data Early data to write
- * sz The size of the early data in bytes.
- * outSz The number of early data bytes written.
- * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative;
- * or not using TLS v1.3. SIDE ERROR when not a server. Otherwise the number of
- * early data bytes written.
- */
- int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz)
- {
- int ret = 0;
- WOLFSSL_ENTER("wolfSSL_write_early_data");
- if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL)
- return BAD_FUNC_ARG;
- if (!IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- #ifndef NO_WOLFSSL_CLIENT
- if (ssl->options.side == WOLFSSL_SERVER_END)
- return SIDE_ERROR;
- if (ssl->options.handShakeState == NULL_STATE) {
- if (ssl->error != WC_PENDING_E)
- ssl->earlyData = expecting_early_data;
- ret = wolfSSL_connect_TLSv13(ssl);
- if (ret != WOLFSSL_SUCCESS)
- return WOLFSSL_FATAL_ERROR;
- /* on client side, status is set to rejected */
- /* until sever accepts the early data extension. */
- ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED;
- }
- if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) {
- #ifdef OPENSSL_EXTRA
- /* when processed early data exceeds max size */
- if (ssl->session->maxEarlyDataSz > 0 &&
- (ssl->earlyDataSz + sz > ssl->session->maxEarlyDataSz)) {
- ssl->error = TOO_MUCH_EARLY_DATA;
- return WOLFSSL_FATAL_ERROR;
- }
- #endif
- ret = SendData(ssl, data, sz);
- if (ret > 0) {
- *outSz = ret;
- /* store amount of processed early data from client */
- ssl->earlyDataSz += ret;
- }
- }
- #else
- return SIDE_ERROR;
- #endif
- WOLFSSL_LEAVE("wolfSSL_write_early_data", ret);
- if (ret < 0)
- ret = WOLFSSL_FATAL_ERROR;
- return ret;
- }
- /* Read the any early data from the client.
- *
- * ssl The SSL/TLS object.
- * data Buffer to put the early data into.
- * sz The size of the buffer in bytes.
- * outSz The number of early data bytes read.
- * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative;
- * or not using TLS v1.3. SIDE ERROR when not a server. Otherwise the number of
- * early data bytes read.
- */
- int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz)
- {
- int ret = 0;
- WOLFSSL_ENTER("wolfSSL_read_early_data");
- if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL)
- return BAD_FUNC_ARG;
- if (!IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- #ifndef NO_WOLFSSL_SERVER
- if (ssl->options.side == WOLFSSL_CLIENT_END)
- return SIDE_ERROR;
- if (ssl->options.handShakeState == NULL_STATE) {
- if (ssl->error != WC_PENDING_E)
- ssl->earlyData = expecting_early_data;
- /* this used to be: ret = wolfSSL_accept_TLSv13(ssl);
- * However, wolfSSL_accept_TLSv13() expects a certificate to
- * be installed already, which is not the case in servers
- * such as HAProxy. They do it after inspecting the ClientHello.
- * The common wolfssl_accept() allows that. */
- ret = wolfSSL_accept(ssl);
- if (ret <= 0)
- return WOLFSSL_FATAL_ERROR;
- }
- if (ssl->options.handShakeState == SERVER_FINISHED_COMPLETE) {
- ret = ReceiveData(ssl, (byte*)data, sz, FALSE);
- if (ret > 0)
- *outSz = ret;
- if (ssl->error == ZERO_RETURN) {
- ssl->error = WOLFSSL_ERROR_NONE;
- #ifdef WOLFSSL_DTLS13
- if (ssl->options.dtls) {
- ret = Dtls13DoScheduledWork(ssl);
- if (ret < 0) {
- ssl->error = ret;
- WOLFSSL_ERROR(ssl->error);
- return WOLFSSL_FATAL_ERROR;
- }
- }
- #endif /* WOLFSSL_DTLS13 */
- }
- }
- else
- ret = 0;
- #else
- return SIDE_ERROR;
- #endif
- WOLFSSL_LEAVE("wolfSSL_read_early_data", ret);
- if (ret < 0)
- ret = WOLFSSL_FATAL_ERROR;
- return ret;
- }
- /* Returns early data status
- *
- * ssl The SSL/TLS object.
- * returns WOLFSSL_EARLY_DATA_ACCEPTED if the data was accepted
- * WOLFSSL_EARLY_DATA_REJECTED if the data was rejected
- * WOLFSSL_EARLY_DATA_NOT_SENT if no early data was sent
- */
- int wolfSSL_get_early_data_status(const WOLFSSL* ssl)
- {
- if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
- return BAD_FUNC_ARG;
- return ssl->earlyDataStatus;
- }
- #endif
- #ifdef HAVE_SECRET_CALLBACK
- int wolfSSL_set_tls13_secret_cb(WOLFSSL* ssl, Tls13SecretCb cb, void* ctx)
- {
- WOLFSSL_ENTER("wolfSSL_set_tls13_secret_cb");
- if (ssl == NULL)
- return WOLFSSL_FATAL_ERROR;
- ssl->tls13SecretCb = cb;
- ssl->tls13SecretCtx = ctx;
- return WOLFSSL_SUCCESS;
- }
- #if defined(SHOW_SECRETS) && defined(WOLFSSL_SSLKEYLOGFILE)
- int tls13ShowSecrets(WOLFSSL* ssl, int id, const unsigned char* secret,
- int secretSz, void* ctx)
- {
- int i;
- const char* str = NULL;
- byte clientRandom[RAN_LEN];
- int clientRandomSz;
- XFILE fp;
- (void) ctx;
- #ifdef WOLFSSL_SSLKEYLOGFILE_OUTPUT
- fp = XFOPEN(WOLFSSL_SSLKEYLOGFILE_OUTPUT, "ab");
- if (fp == XBADFILE) {
- return BAD_FUNC_ARG;
- }
- #else
- fp = stderr;
- #endif
- clientRandomSz = (int)wolfSSL_get_client_random(ssl, clientRandom,
- sizeof(clientRandom));
- if (clientRandomSz <= 0) {
- printf("Error getting server random %d\n", clientRandomSz);
- }
- #if 0
- printf("TLS Server Secret CB: Rand %d, Secret %d\n",
- serverRandomSz, secretSz);
- #endif
- switch (id) {
- case CLIENT_EARLY_TRAFFIC_SECRET:
- str = "CLIENT_EARLY_TRAFFIC_SECRET"; break;
- case EARLY_EXPORTER_SECRET:
- str = "EARLY_EXPORTER_SECRET"; break;
- case CLIENT_HANDSHAKE_TRAFFIC_SECRET:
- str = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; break;
- case SERVER_HANDSHAKE_TRAFFIC_SECRET:
- str = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; break;
- case CLIENT_TRAFFIC_SECRET:
- str = "CLIENT_TRAFFIC_SECRET_0"; break;
- case SERVER_TRAFFIC_SECRET:
- str = "SERVER_TRAFFIC_SECRET_0"; break;
- case EXPORTER_SECRET:
- str = "EXPORTER_SECRET"; break;
- default:
- #ifdef WOLFSSL_SSLKEYLOGFILE_OUTPUT
- XFCLOSE(fp);
- #endif
- return BAD_FUNC_ARG;
- break;
- }
- fprintf(fp, "%s ", str);
- for (i = 0; i < (int)clientRandomSz; i++) {
- fprintf(fp, "%02x", clientRandom[i]);
- }
- fprintf(fp, " ");
- for (i = 0; i < secretSz; i++) {
- fprintf(fp, "%02x", secret[i]);
- }
- fprintf(fp, "\n");
- #ifdef WOLFSSL_SSLKEYLOGFILE_OUTPUT
- XFCLOSE(fp);
- #endif
- return 0;
- }
- #endif
- #endif
- #undef ERROR_OUT
- #endif /* !WOLFCRYPT_ONLY */
- #endif /* WOLFSSL_TLS13 */
|