#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#if !defined(NO_TLS) && defined(WOLFSSL_TLS13)
#ifndef WOLFCRYPT_ONLY
#ifdef HAVE_ERRNO_H
#include <errno.h>
#endif
#if defined(__MACH__) || defined(__FreeBSD__) || \
defined(__INCLUDE_NUTTX_CONFIG_H) || defined(WOLFSSL_RIOT_OS)
#include <sys/time.h>
#endif
#include <wolfssl/internal.h>
#include <wolfssl/error-ssl.h>
#include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/dh.h>
#include <wolfssl/wolfcrypt/kdf.h>
#include <wolfssl/wolfcrypt/signature.h>
#ifdef NO_INLINE
#include <wolfssl/wolfcrypt/misc.h>
#else
#define WOLFSSL_MISC_INCLUDED
#include <wolfcrypt/src/misc.c>
#endif
#ifdef __sun
#include <sys/filio.h>
#endif
#ifndef TRUE
#define TRUE 1
#endif
#ifndef FALSE
#define FALSE 0
#endif
#ifndef HAVE_AEAD
#ifndef _MSC_VER
#error "The build option HAVE_AEAD is required for TLS 1.3"
#else
#pragma \
message("error: The build option HAVE_AEAD is required for TLS 1.3")
#endif
#endif
#ifndef HAVE_HKDF
#ifndef _MSC_VER
#error "The build option HAVE_HKDF is required for TLS 1.3"
#else
#pragma message("error: The build option HAVE_HKDF is required for TLS 1.3")
#endif
#endif
#ifndef HAVE_TLS_EXTENSIONS
#ifndef _MSC_VER
#error "The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3"
#else
#pragma message("error: The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3")
#endif
#endif
/* Set ret and jump to the given cleanup label. */
#define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }

/* Protocol prefix placed in front of every HKDF-Expand-Label label.
 * The arrays are one byte longer than the *_SZ constants so that the
 * string literal's NUL terminator fits; only the first *_SZ bytes are
 * ever passed to the KDF. */
#define TLS13_PROTOCOL_LABEL_SZ 6
static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "tls13 ";

#ifdef WOLFSSL_DTLS13
/* DTLS 1.3 uses a distinct prefix, so TLS and DTLS derivations from the
 * same secret never yield the same key. */
#define DTLS13_PROTOCOL_LABEL_SZ 6
static const byte dtls13ProtocolLabel[DTLS13_PROTOCOL_LABEL_SZ + 1] = "dtls13";
#endif

#if defined(HAVE_ECH)
/* Labels for the ECH acceptance-confirmation derivations; the second one
 * is used for the HelloRetryRequest ("hrr") variant. */
#define ECH_ACCEPT_CONFIRMATION_LABEL_SZ 23
#define ECH_HRR_ACCEPT_CONFIRMATION_LABEL_SZ 27
static const byte
    echAcceptConfirmationLabel[ECH_ACCEPT_CONFIRMATION_LABEL_SZ + 1] =
    "ech accept confirmation";
static const byte
    echHrrAcceptConfirmationLabel[ECH_HRR_ACCEPT_CONFIRMATION_LABEL_SZ + 1] =
    "hrr ech accept confirmation";
#endif

#ifndef NO_CERTS
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
    defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(HAVE_DILITHIUM)
/* Forward declaration; the definition is later in this file (not shown here). */
static WC_INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash);
#endif
#endif
/* HKDF-Expand-Label with an explicit protocol prefix.
 *
 * ssl                  Connection; supplies the PK callback, heap and devId.
 * okm / okmLen         Output keying material buffer and requested length.
 * prk / prkLen         Pseudo-random key (the secret being expanded).
 * protocol / protocolLen  "tls13 " or "dtls13" prefix for the label.
 * label / labelLen     Purpose label, e.g. "key", "iv", "finished".
 * info / infoLen       Context, usually a transcript hash.
 * digest               wolfCrypt hash type (WC_SHA256, ...).
 * Returns 0 on success, otherwise a wolfCrypt or callback error code.
 *
 * Unlike Tls13HKDFExpandKeyLabel() this variant takes the private-key
 * lock itself and always reports WOLFSSL_CLIENT_END to the PK callback.
 */
static int Tls13HKDFExpandLabel(WOLFSSL* ssl, byte* okm, word32 okmLen,
                                const byte* prk, word32 prkLen,
                                const byte* protocol, word32 protocolLen,
                                const byte* label, word32 labelLen,
                                const byte* info, word32 infoLen,
                                int digest)
{
    int ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);

#if defined(HAVE_PK_CALLBACKS)
    /* A user callback may take over the derivation entirely. A return of
     * NOT_COMPILED_IN means "not handled, fall through to software". */
    if (ssl->ctx && ssl->ctx->HKDFExpandLabelCb) {
        ret = ssl->ctx->HKDFExpandLabelCb(okm, okmLen, prk, prkLen,
                                          protocol, protocolLen,
                                          label, labelLen,
                                          info, infoLen, digest,
                                          WOLFSSL_CLIENT_END );
    }
    if (ret != WC_NO_ERR_TRACE(NOT_COMPILED_IN))
        return ret;
#endif
    (void)ssl;

    PRIVATE_KEY_UNLOCK();
#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
    /* The _ex form passes heap and devId so the work can go to a
     * crypto callback / hardware device. */
    ret = wc_Tls13_HKDF_Expand_Label_ex(okm, okmLen, prk, prkLen,
                                        protocol, protocolLen,
                                        label, labelLen,
                                        info, infoLen, digest,
                                        ssl->heap, ssl->devId);
#else
    ret = wc_Tls13_HKDF_Expand_Label(okm, okmLen, prk, prkLen,
                                     protocol, protocolLen,
                                     label, labelLen,
                                     info, infoLen, digest);
#endif
    PRIVATE_KEY_LOCK();

    return ret;
}
/* HKDF-Expand-Label for traffic-key material, with the side passed on to
 * the PK callback.
 *
 * Parameters are as for Tls13HKDFExpandLabel(); in addition
 * side   WOLFSSL_CLIENT_END / WOLFSSL_SERVER_END, forwarded to the PK
 *        callback only (the software path ignores it).
 * Returns 0 on success, otherwise a wolfCrypt or callback error code.
 *
 * This function does NOT take the private-key lock; the caller
 * (Tls13DeriveKey) brackets the call with PRIVATE_KEY_UNLOCK/LOCK.
 */
static int Tls13HKDFExpandKeyLabel(WOLFSSL* ssl, byte* okm, word32 okmLen,
                                   const byte* prk, word32 prkLen,
                                   const byte* protocol, word32 protocolLen,
                                   const byte* label, word32 labelLen,
                                   const byte* info, word32 infoLen,
                                   int digest, int side)
{
    int ret;

#if defined(HAVE_PK_CALLBACKS)
    /* NOT_COMPILED_IN from the callback means "use the software path". */
    ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);
    if (ssl->ctx && ssl->ctx->HKDFExpandLabelCb) {
        ret = ssl->ctx->HKDFExpandLabelCb(okm, okmLen, prk, prkLen,
                                          protocol, protocolLen,
                                          label, labelLen,
                                          info, infoLen,
                                          digest, side);
    }
    if (ret != WC_NO_ERR_TRACE(NOT_COMPILED_IN))
        return ret;
#endif

#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
    ret = wc_Tls13_HKDF_Expand_Label_ex(okm, okmLen, prk, prkLen,
                                        protocol, protocolLen,
                                        label, labelLen,
                                        info, infoLen, digest,
                                        ssl->heap, ssl->devId);
#elif defined(HAVE_FIPS) && defined(wc_Tls13_HKDF_Expand_Label)
    /* Older FIPS module: the public name is a macro over the _fips symbol. */
    ret = wc_Tls13_HKDF_Expand_Label_fips(okm, okmLen, prk, prkLen,
                                          protocol, protocolLen,
                                          label, labelLen,
                                          info, infoLen, digest);
#else
    ret = wc_Tls13_HKDF_Expand_Label(okm, okmLen, prk, prkLen,
                                     protocol, protocolLen,
                                     label, labelLen,
                                     info, infoLen, digest);
#endif
    (void)ssl;
    (void)side;

    return ret;
}
/* Derive a secret whose HKDF context is the hash of an explicit message.
 *
 * ssl         Connection; supplies heap, devId and the negotiated version.
 * output      Destination buffer.
 * outputLen   Bytes to produce, or -1 for the digest length of hashAlgo.
 * secret      PRK to expand; its length is taken to be the digest length.
 * label / labelLen  HKDF label (without the protocol prefix).
 * msg / msgLen      Message hashed into the context. Every caller in this
 *                   file passes NULL/0, i.e. the context is Hash("").
 * hashAlgo    TLS MAC algorithm (sha256_mac, ...).
 * Returns 0 on success, HASH_TYPE_E for an unsupported hashAlgo,
 * VERSION_ERROR when the version is not (D)TLS 1.3, or a wolfCrypt error.
 */
static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen,
                        const byte* secret, const byte* label, word32 labelLen,
                        byte* msg, int msgLen, int hashAlgo)
{
    byte        hash[WC_MAX_DIGEST_SIZE];
    Digest      digest;
    word32      hashSz = 0;
    const byte* protocol;
    word32      protocolLen;
    int         digestAlg = -1;
    int         ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);

    /* Hash msg with a throw-away digest object; the result is the
     * HKDF context below. */
    switch (hashAlgo) {
#ifndef NO_SHA256
        case sha256_mac:
            ret = wc_InitSha256_ex(&digest.sha256, ssl->heap, ssl->devId);
            if (ret == 0) {
                ret = wc_Sha256Update(&digest.sha256, msg, (word32)msgLen);
                if (ret == 0)
                    ret = wc_Sha256Final(&digest.sha256, hash);
                wc_Sha256Free(&digest.sha256);
            }
            hashSz = WC_SHA256_DIGEST_SIZE;
            digestAlg = WC_SHA256;
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_InitSha384_ex(&digest.sha384, ssl->heap, ssl->devId);
            if (ret == 0) {
                ret = wc_Sha384Update(&digest.sha384, msg, (word32)msgLen);
                if (ret == 0)
                    ret = wc_Sha384Final(&digest.sha384, hash);
                wc_Sha384Free(&digest.sha384);
            }
            hashSz = WC_SHA384_DIGEST_SIZE;
            digestAlg = WC_SHA384;
            break;
#endif
#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            ret = wc_InitSha512_ex(&digest.sha512, ssl->heap, ssl->devId);
            if (ret == 0) {
                ret = wc_Sha512Update(&digest.sha512, msg, (word32)msgLen);
                if (ret == 0)
                    ret = wc_Sha512Final(&digest.sha512, hash);
                wc_Sha512Free(&digest.sha512);
            }
            hashSz = WC_SHA512_DIGEST_SIZE;
            digestAlg = WC_SHA512;
            break;
#endif
#ifdef WOLFSSL_SM3
        case sm3_mac:
            ret = wc_InitSm3(&digest.sm3, ssl->heap, ssl->devId);
            if (ret == 0) {
                ret = wc_Sm3Update(&digest.sm3, msg, (word32)msgLen);
                if (ret == 0)
                    ret = wc_Sm3Final(&digest.sm3, hash);
                wc_Sm3Free(&digest.sm3);
            }
            hashSz = WC_SM3_DIGEST_SIZE;
            digestAlg = WC_SM3;
            break;
#endif
        default:
            ret = BAD_FUNC_ARG;
            digestAlg = -1;
            break;
    }
    /* An unknown algorithm is reported as HASH_TYPE_E, which takes
     * precedence over the BAD_FUNC_ARG set in the default branch. */
    if (digestAlg < 0)
        return HASH_TYPE_E;
    if (ret != 0)
        return ret;

    /* The protocol prefix is chosen by the negotiated minor version; a
     * DTLS 1.3 minor on a non-DTLS connection is rejected. */
    switch (ssl->version.minor) {
        case TLSv1_3_MINOR:
            protocol = tls13ProtocolLabel;
            protocolLen = TLS13_PROTOCOL_LABEL_SZ;
            break;
#ifdef WOLFSSL_DTLS13
        case DTLSv1_3_MINOR:
            if (!ssl->options.dtls)
                return VERSION_ERROR;
            protocol = dtls13ProtocolLabel;
            protocolLen = DTLS13_PROTOCOL_LABEL_SZ;
            break;
#endif
        default:
            return VERSION_ERROR;
    }

    if (outputLen == -1)
        outputLen = (int)hashSz;

    ret = Tls13HKDFExpandLabel(ssl, output, (word32)outputLen, secret, hashSz,
                               protocol, protocolLen, label, labelLen,
                               hash, hashSz, digestAlg);
    return ret;
}
/* Derive a key or secret from `secret`, optionally binding the current
 * handshake transcript hash into the context.
 *
 * ssl          Connection; supplies the running handshake hashes, cipher
 *              specs, heap and devId.
 * output       Destination buffer.
 * outputLen    Bytes to produce, or -1 for the digest length of hashAlgo.
 * secret       PRK to expand; its length is taken to be the digest length.
 * label / labelLen  HKDF label (without the protocol prefix).
 * hashAlgo     TLS MAC algorithm (sha256_mac, ...).
 * includeMsgs  Non-zero: context is the current transcript hash;
 *              zero: empty context (infoLen 0).
 * side         WOLFSSL_CLIENT_END / WOLFSSL_SERVER_END for the PK callback.
 * Returns 0 on success, HASH_TYPE_E for an unsupported hashAlgo, or a
 * wolfCrypt/callback error code.
 */
int Tls13DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,
                   const byte* secret, const byte* label, word32 labelLen,
                   int hashAlgo, int includeMsgs, int side)
{
    int         ret = 0;
    byte        hash[WC_MAX_DIGEST_SIZE];
    word32      hashSz = 0;
    word32      hashOutSz = 0;
    const byte* protocol;
    word32      protocolLen;
    int         digestAlg = 0;

    /* Snapshot the running transcript hash when requested. */
    switch (hashAlgo) {
#ifndef NO_SHA256
        case sha256_mac:
            hashSz    = WC_SHA256_DIGEST_SIZE;
            digestAlg = WC_SHA256;
            if (includeMsgs)
                ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashSz    = WC_SHA384_DIGEST_SIZE;
            digestAlg = WC_SHA384;
            if (includeMsgs)
                ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            break;
#endif
#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hashSz    = WC_SHA512_DIGEST_SIZE;
            digestAlg = WC_SHA512;
            if (includeMsgs)
                ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            break;
#endif
#ifdef WOLFSSL_SM3
        case sm3_mac:
            hashSz    = WC_SM3_DIGEST_SIZE;
            digestAlg = WC_SM3;
            if (includeMsgs)
                ret = wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash);
            break;
#endif
        default:
            ret = HASH_TYPE_E;
            break;
    }
    if (ret != 0)
        return ret;

    /* Here the prefix follows the connection type rather than the
     * version minor (compare DeriveKeyMsg). */
    protocol = tls13ProtocolLabel;
    protocolLen = TLS13_PROTOCOL_LABEL_SZ;
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        protocol = dtls13ProtocolLabel;
        protocolLen = DTLS13_PROTOCOL_LABEL_SZ;
    }
#endif

    if (outputLen == -1) {
        outputLen = (int)hashSz;
    }
    if (includeMsgs) {
        hashOutSz = hashSz;
    }
    else {
        /* No transcript: pass a zeroed buffer with length 0. */
        XMEMSET(hash, 0, sizeof(hash));
        hashOutSz = 0;
    }

    /* Tls13HKDFExpandKeyLabel does not manage the private-key lock. */
    PRIVATE_KEY_UNLOCK();
    ret = Tls13HKDFExpandKeyLabel(ssl, output, (word32)outputLen, secret, hashSz,
                                  protocol, protocolLen, label, labelLen,
                                  hash, hashOutSz, digestAlg, side);
    PRIVATE_KEY_LOCK();

#ifdef WOLFSSL_CHECK_MEM_ZERO
    /* Register the derived key so the leak checker verifies it is wiped. */
    wc_MemZero_Add("TLS 1.3 derived key", output, outputLen);
#endif

    return ret;
}
/* Map a TLS MAC algorithm id (sha256_mac, ...) to the wolfCrypt hash
 * type used by the HKDF functions. Unknown ids map to WC_HASH_TYPE_NONE. */
static WC_INLINE int mac2hash(int mac)
{
    int hashType = WC_HASH_TYPE_NONE;

#ifndef NO_SHA256
    if (mac == sha256_mac) {
        hashType = WC_SHA256;
    }
    else
#endif
#ifdef WOLFSSL_SHA384
    if (mac == sha384_mac) {
        hashType = WC_SHA384;
    }
    else
#endif
#ifdef WOLFSSL_TLS13_SHA512
    if (mac == sha512_mac) {
        hashType = WC_SHA512;
    }
    else
#endif
#ifdef WOLFSSL_SM3
    if (mac == sm3_mac) {
        hashType = WC_SM3;
    }
    else
#endif
    {
        /* Not a supported TLS 1.3 hash. */
        hashType = WC_HASH_TYPE_NONE;
    }

    return hashType;
}
#ifndef NO_PSK
/* Label for the external-PSK binder key. */
#define BINDER_KEY_LABEL_SZ 10
static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =
    "ext binder";
/* Derive the binder key for an external PSK from the early secret.
 *
 * ssl  Connection; ssl->arrays->secret is the early secret.
 * key  Receives hash_size bytes.
 * Returns 0 on success, BAD_FUNC_ARG if ssl or its arrays are NULL,
 * otherwise the DeriveKeyMsg error.
 */
static int DeriveBinderKey(WOLFSSL* ssl, byte* key)
{
    WOLFSSL_MSG("Derive Binder Key");

    if (ssl == NULL) {
        return BAD_FUNC_ARG;
    }
    if (ssl->arrays == NULL) {
        return BAD_FUNC_ARG;
    }

    /* msg NULL/0: the context is the hash of the empty string. */
    return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, binderKeyLabel,
                        BINDER_KEY_LABEL_SZ, NULL, 0,
                        ssl->specs.mac_algorithm);
}
#endif
#if defined(HAVE_SESSION_TICKET) && \
(!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))
/* Label for the resumption-PSK binder key. */
#define BINDER_KEY_RESUME_LABEL_SZ 10
static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =
    "res binder";
/* Derive the binder key for a resumption PSK from the early secret.
 *
 * ssl  Connection; ssl->arrays->secret is the early secret.
 * key  Receives hash_size bytes.
 * Returns 0 on success, BAD_FUNC_ARG if ssl or its arrays are NULL,
 * otherwise the DeriveKeyMsg error.
 */
static int DeriveBinderKeyResume(WOLFSSL* ssl, byte* key)
{
    WOLFSSL_MSG("Derive Binder Key - Resumption");

    if (ssl == NULL) {
        return BAD_FUNC_ARG;
    }
    if (ssl->arrays == NULL) {
        return BAD_FUNC_ARG;
    }

    /* msg NULL/0: the context is the hash of the empty string. */
    return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
                        binderKeyResumeLabel, BINDER_KEY_RESUME_LABEL_SZ,
                        NULL, 0, ssl->specs.mac_algorithm);
}
#endif
#ifdef WOLFSSL_EARLY_DATA
/* Label for the client early (0-RTT) traffic secret. */
#define EARLY_TRAFFIC_LABEL_SZ 11
static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =
    "c e traffic";
/* Derive the client early traffic secret from the early secret and the
 * transcript so far, then notify the secret/key-log callbacks.
 *
 * ssl   Connection.
 * key   Receives hash_size bytes.
 * side  Forwarded to the PK callback.
 * Returns 0 on success, BAD_FUNC_ARG on NULL ssl/arrays, TLS13_SECRET_CB_E
 * if a callback rejects the secret, otherwise the derivation error.
 */
static int DeriveEarlyTrafficSecret(WOLFSSL* ssl, byte* key, int side)
{
    int ret;

    WOLFSSL_MSG("Derive Early Traffic Secret");

    if (ssl == NULL || ssl->arrays == NULL) {
        return BAD_FUNC_ARG;
    }

#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
    /* Sniffer builds: the callback supplies the secret instead of the KDF. */
    if (ssl->snifferSecretCb != NULL) {
        return ssl->snifferSecretCb(ssl->arrays->clientRandom,
                                    SNIFFER_SECRET_CLIENT_EARLY_TRAFFIC_SECRET,
                                    key);
    }
#endif

    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->secret,
                         earlyTrafficLabel, EARLY_TRAFFIC_LABEL_SZ,
                         ssl->specs.mac_algorithm, 1, side);
    if (ret != 0) {
        return ret;
    }

#ifdef HAVE_SECRET_CALLBACK
    /* The callbacks receive the raw secret (e.g. for key logging). */
    if (ssl->tls13SecretCb != NULL) {
        ret = ssl->tls13SecretCb(ssl, CLIENT_EARLY_TRAFFIC_SECRET, key,
                                 ssl->specs.hash_size, ssl->tls13SecretCtx);
        if (ret != 0) {
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
            return TLS13_SECRET_CB_E;
        }
    }
#ifdef OPENSSL_EXTRA
    if (ssl->tls13KeyLogCb != NULL) {
        ret = ssl->tls13KeyLogCb(ssl, CLIENT_EARLY_TRAFFIC_SECRET, key,
                                 ssl->specs.hash_size, NULL);
        if (ret != 0) {
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
            return TLS13_SECRET_CB_E;
        }
    }
#endif
#endif

    return ret;
}
#endif
/* Label for the client handshake traffic secret. */
#define CLIENT_HANDSHAKE_LABEL_SZ 12
static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =
    "c hs traffic";
/* Derive the client handshake traffic secret from the handshake secret
 * (ssl->arrays->preMasterSecret) and the transcript so far, then notify
 * the secret/key-log callbacks.
 *
 * ssl  Connection.
 * key  Receives hash_size bytes.
 * Returns 0 on success, BAD_FUNC_ARG on NULL ssl/arrays, TLS13_SECRET_CB_E
 * if a callback rejects the secret, otherwise the derivation error.
 */
static int DeriveClientHandshakeSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Client Handshake Secret");

    if (ssl == NULL || ssl->arrays == NULL) {
        return BAD_FUNC_ARG;
    }

#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
    /* Sniffer builds: the callback supplies the secret instead of the KDF. */
    if (ssl->snifferSecretCb != NULL) {
        return ssl->snifferSecretCb(ssl->arrays->clientRandom,
                                    SNIFFER_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
                                    key);
    }
#endif

    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
                         clientHandshakeLabel, CLIENT_HANDSHAKE_LABEL_SZ,
                         ssl->specs.mac_algorithm, 1, WOLFSSL_CLIENT_END);
    if (ret != 0) {
        return ret;
    }

#ifdef HAVE_SECRET_CALLBACK
    /* The callbacks receive the raw secret (e.g. for key logging). */
    if (ssl->tls13SecretCb != NULL) {
        ret = ssl->tls13SecretCb(ssl, CLIENT_HANDSHAKE_TRAFFIC_SECRET, key,
                                 ssl->specs.hash_size, ssl->tls13SecretCtx);
        if (ret != 0) {
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
            return TLS13_SECRET_CB_E;
        }
    }
#ifdef OPENSSL_EXTRA
    if (ssl->tls13KeyLogCb != NULL) {
        ret = ssl->tls13KeyLogCb(ssl, CLIENT_HANDSHAKE_TRAFFIC_SECRET, key,
                                 ssl->specs.hash_size, NULL);
        if (ret != 0) {
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
            return TLS13_SECRET_CB_E;
        }
    }
#endif
#endif

    return ret;
}
/* Label for the server handshake traffic secret. */
#define SERVER_HANDSHAKE_LABEL_SZ 12
static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =
    "s hs traffic";
/* Derive the server handshake traffic secret from the handshake secret
 * (ssl->arrays->preMasterSecret) and the transcript so far, then notify
 * the secret/key-log callbacks.
 *
 * ssl  Connection.
 * key  Receives hash_size bytes.
 * Returns 0 on success, BAD_FUNC_ARG on NULL ssl/arrays, TLS13_SECRET_CB_E
 * if a callback rejects the secret, otherwise the derivation error.
 */
static int DeriveServerHandshakeSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Server Handshake Secret");

    if (ssl == NULL || ssl->arrays == NULL) {
        return BAD_FUNC_ARG;
    }

#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
    /* Sniffer builds: the callback supplies the secret instead of the KDF. */
    if (ssl->snifferSecretCb != NULL) {
        return ssl->snifferSecretCb(ssl->arrays->clientRandom,
                                    SNIFFER_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET,
                                    key);
    }
#endif

    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
                         serverHandshakeLabel, SERVER_HANDSHAKE_LABEL_SZ,
                         ssl->specs.mac_algorithm, 1, WOLFSSL_SERVER_END);
    if (ret != 0) {
        return ret;
    }

#ifdef HAVE_SECRET_CALLBACK
    /* The callbacks receive the raw secret (e.g. for key logging). */
    if (ssl->tls13SecretCb != NULL) {
        ret = ssl->tls13SecretCb(ssl, SERVER_HANDSHAKE_TRAFFIC_SECRET, key,
                                 ssl->specs.hash_size, ssl->tls13SecretCtx);
        if (ret != 0) {
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
            return TLS13_SECRET_CB_E;
        }
    }
#ifdef OPENSSL_EXTRA
    if (ssl->tls13KeyLogCb != NULL) {
        ret = ssl->tls13KeyLogCb(ssl, SERVER_HANDSHAKE_TRAFFIC_SECRET, key,
                                 ssl->specs.hash_size, NULL);
        if (ret != 0) {
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
            return TLS13_SECRET_CB_E;
        }
    }
#endif
#endif

    return ret;
}
/* Label for the client application traffic secret. */
#define CLIENT_APP_LABEL_SZ 12
static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =
    "c ap traffic";
/* Derive the client application traffic secret from the master secret and
 * the transcript so far, then notify the secret/key-log callbacks.
 *
 * ssl  Connection.
 * key  Receives hash_size bytes.
 * Returns 0 on success, BAD_FUNC_ARG on NULL ssl/arrays, TLS13_SECRET_CB_E
 * if a callback rejects the secret, otherwise the derivation error.
 */
static int DeriveClientTrafficSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Client Traffic Secret");

    if (ssl == NULL || ssl->arrays == NULL) {
        return BAD_FUNC_ARG;
    }

#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
    /* Sniffer builds: the callback supplies the secret instead of the KDF. */
    if (ssl->snifferSecretCb != NULL) {
        return ssl->snifferSecretCb(ssl->arrays->clientRandom,
                                    SNIFFER_SECRET_CLIENT_TRAFFIC_SECRET,
                                    key);
    }
#endif

    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                         clientAppLabel, CLIENT_APP_LABEL_SZ,
                         ssl->specs.mac_algorithm, 1, WOLFSSL_CLIENT_END);
    if (ret != 0) {
        return ret;
    }

#ifdef HAVE_SECRET_CALLBACK
    /* The callbacks receive the raw secret (e.g. for key logging). */
    if (ssl->tls13SecretCb != NULL) {
        ret = ssl->tls13SecretCb(ssl, CLIENT_TRAFFIC_SECRET, key,
                                 ssl->specs.hash_size, ssl->tls13SecretCtx);
        if (ret != 0) {
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
            return TLS13_SECRET_CB_E;
        }
    }
#ifdef OPENSSL_EXTRA
    if (ssl->tls13KeyLogCb != NULL) {
        ret = ssl->tls13KeyLogCb(ssl, CLIENT_TRAFFIC_SECRET, key,
                                 ssl->specs.hash_size, NULL);
        if (ret != 0) {
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
            return TLS13_SECRET_CB_E;
        }
    }
#endif
#endif

    return ret;
}
/* Label for the server application traffic secret. */
#define SERVER_APP_LABEL_SZ 12
static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =
    "s ap traffic";
/* Derive the server application traffic secret from the master secret and
 * the transcript so far, then notify the secret/key-log callbacks.
 *
 * ssl  Connection.
 * key  Receives hash_size bytes.
 * Returns 0 on success, BAD_FUNC_ARG on NULL ssl/arrays, TLS13_SECRET_CB_E
 * if a callback rejects the secret, otherwise the derivation error.
 */
static int DeriveServerTrafficSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Server Traffic Secret");

    if (ssl == NULL || ssl->arrays == NULL) {
        return BAD_FUNC_ARG;
    }

#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
    /* Sniffer builds: the callback supplies the secret instead of the KDF. */
    if (ssl->snifferSecretCb != NULL) {
        return ssl->snifferSecretCb(ssl->arrays->clientRandom,
                                    SNIFFER_SECRET_SERVER_TRAFFIC_SECRET,
                                    key);
    }
#endif

    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                         serverAppLabel, SERVER_APP_LABEL_SZ,
                         ssl->specs.mac_algorithm, 1, WOLFSSL_SERVER_END);
    if (ret != 0) {
        return ret;
    }

#ifdef HAVE_SECRET_CALLBACK
    /* The callbacks receive the raw secret (e.g. for key logging). */
    if (ssl->tls13SecretCb != NULL) {
        ret = ssl->tls13SecretCb(ssl, SERVER_TRAFFIC_SECRET, key,
                                 ssl->specs.hash_size, ssl->tls13SecretCtx);
        if (ret != 0) {
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
            return TLS13_SECRET_CB_E;
        }
    }
#ifdef OPENSSL_EXTRA
    if (ssl->tls13KeyLogCb != NULL) {
        ret = ssl->tls13KeyLogCb(ssl, SERVER_TRAFFIC_SECRET, key,
                                 ssl->specs.hash_size, NULL);
        if (ret != 0) {
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
            return TLS13_SECRET_CB_E;
        }
    }
#endif
#endif

    return ret;
}
#ifdef HAVE_KEYING_MATERIAL
/* Label for the exporter master secret. */
#define EXPORTER_MASTER_LABEL_SZ 10
static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =
    "exp master";
/* Derive the exporter master secret from the master secret and the
 * transcript so far, then notify the secret/key-log callbacks.
 *
 * ssl  Connection.
 * key  Receives hash_size bytes.
 * Returns 0 on success, BAD_FUNC_ARG on NULL ssl/arrays, TLS13_SECRET_CB_E
 * if a callback rejects the secret, otherwise the derivation error.
 */
static int DeriveExporterSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_ENTER("Derive Exporter Secret");

    if (ssl == NULL || ssl->arrays == NULL) {
        return BAD_FUNC_ARG;
    }

    /* Side 0: this secret is not tied to either endpoint's direction. */
    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                         exporterMasterLabel, EXPORTER_MASTER_LABEL_SZ,
                         ssl->specs.mac_algorithm, 1, 0);
    if (ret != 0) {
        return ret;
    }

#ifdef HAVE_SECRET_CALLBACK
    /* The callbacks receive the raw secret (e.g. for key logging). */
    if (ssl->tls13SecretCb != NULL) {
        ret = ssl->tls13SecretCb(ssl, EXPORTER_SECRET, key,
                                 ssl->specs.hash_size, ssl->tls13SecretCtx);
        if (ret != 0) {
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
            return TLS13_SECRET_CB_E;
        }
    }
#ifdef OPENSSL_EXTRA
    if (ssl->tls13KeyLogCb != NULL) {
        ret = ssl->tls13KeyLogCb(ssl, EXPORTER_SECRET, key,
                                 ssl->specs.hash_size, NULL);
        if (ret != 0) {
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
            return TLS13_SECRET_CB_E;
        }
    }
#endif
#endif

    return ret;
}
/* Label for the second exporter expansion step. */
#define EXPORTER_LABEL_SZ 8
static const byte exporterLabel[EXPORTER_LABEL_SZ + 1] =
    "exporter";

/* Precomputed Hash("") for each supported hash: the exporter's first
 * expansion step uses an empty context, so hashing at run time is
 * avoided. One table per hash that can be negotiated for TLS 1.3. */
#ifndef NO_SHA256
static const byte emptySHA256Hash[] = {
    0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8,
    0x99, 0x6F, 0xB9, 0x24, 0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C,
    0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55
};
#endif
#ifdef WOLFSSL_SHA384
static const byte emptySHA384Hash[] = {
    0x38, 0xB0, 0x60, 0xA7, 0x51, 0xAC, 0x96, 0x38, 0x4C, 0xD9, 0x32, 0x7E,
    0xB1, 0xB1, 0xE3, 0x6A, 0x21, 0xFD, 0xB7, 0x11, 0x14, 0xBE, 0x07, 0x43,
    0x4C, 0x0C, 0xC7, 0xBF, 0x63, 0xF6, 0xE1, 0xDA, 0x27, 0x4E, 0xDE, 0xBF,
    0xE7, 0x6F, 0x65, 0xFB, 0xD5, 0x1A, 0xD2, 0xF1, 0x48, 0x98, 0xB9, 0x5B
};
#endif
#ifdef WOLFSSL_TLS13_SHA512
static const byte emptySHA512Hash[] = {
    0xCF, 0x83, 0xE1, 0x35, 0x7E, 0xEF, 0xB8, 0xBD, 0xF1, 0x54, 0x28, 0x50,
    0xD6, 0x6D, 0x80, 0x07, 0xD6, 0x20, 0xE4, 0x05, 0x0B, 0x57, 0x15, 0xDC,
    0x83, 0xF4, 0xA9, 0x21, 0xD3, 0x6C, 0xE9, 0xCE, 0x47, 0xD0, 0xD1, 0x3C,
    0x5D, 0x85, 0xF2, 0xB0, 0xFF, 0x83, 0x18, 0xD2, 0x87, 0x7E, 0xEC, 0x2F,
    0x63, 0xB9, 0x31, 0xBD, 0x47, 0x41, 0x7A, 0x81, 0xA5, 0x38, 0x32, 0x7A,
    0xF9, 0x27, 0xDA, 0x3E
};
#endif
#ifdef WOLFSSL_SM3
static const byte emptySM3Hash[] = {
    0x1A, 0xB2, 0x1D, 0x83, 0x55, 0xCF, 0xA1, 0x7F, 0x8E, 0x61, 0x19, 0x48,
    0x31, 0xE8, 0x1A, 0x8F, 0x22, 0xBE, 0xC8, 0xC7, 0x28, 0xFE, 0xFB, 0x74,
    0x7E, 0xD0, 0x35, 0xEB, 0x50, 0x82, 0xAA, 0x2B
};
#endif
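/* TLS 1.3 keying-material exporter.
 *
 * Computes
 *   tmp = HKDF-Expand-Label(exporter_master_secret, label, Hash(""), L)
 *   out = HKDF-Expand-Label(tmp, "exporter", Hash(context), outLen)
 * where L is the digest length of the negotiated hash.
 *
 * ssl        Connection; ssl->arrays->exporterSecret must still be
 *            available (arrays are kept when saveArrays is set).
 * out / outLen          Destination buffer and requested length.
 * label / labelLen      Caller's exporter label.
 * context / contextLen  Caller's context (may be empty).
 * Returns 0 on success, BAD_FUNC_ARG for NULL ssl/arrays, a length that
 * does not fit in 32 bits or an unsupported hash, VERSION_ERROR when the
 * version is not (D)TLS 1.3, otherwise a wolfCrypt error code.
 *
 * The intermediate secret is wiped before returning on every path.
 */
int Tls13_Exporter(WOLFSSL* ssl, unsigned char *out, size_t outLen,
                   const char *label, size_t labelLen,
                   const unsigned char *context, size_t contextLen)
{
    int              ret;
    enum wc_HashType hashType = WC_HASH_TYPE_NONE;
    word32           hashLen = 0;
    byte             hashOut[WC_MAX_DIGEST_SIZE];
    const byte*      emptyHash = NULL;
    byte             firstExpand[WC_MAX_DIGEST_SIZE];
    const byte*      protocol = tls13ProtocolLabel;
    word32           protocolLen = TLS13_PROTOCOL_LABEL_SZ;

    /* The exporter master secret lives in the handshake arrays; without
     * them there is nothing to export from. */
    if (ssl == NULL || ssl->arrays == NULL) {
        return BAD_FUNC_ARG;
    }

    if (ssl->options.dtls && ssl->version.minor != DTLSv1_3_MINOR)
        return VERSION_ERROR;
    if (!ssl->options.dtls && ssl->version.minor != TLSv1_3_MINOR)
        return VERSION_ERROR;

    /* The size_t lengths are narrowed to word32 below; refuse anything
     * that would be silently truncated. */
    if (outLen > WOLFSSL_MAX_32BIT || labelLen > WOLFSSL_MAX_32BIT ||
            contextLen > WOLFSSL_MAX_32BIT) {
        return BAD_FUNC_ARG;
    }

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        protocol = dtls13ProtocolLabel;
        protocolLen = DTLS13_PROTOCOL_LABEL_SZ;
    }
#endif

    switch (ssl->specs.mac_algorithm) {
#ifndef NO_SHA256
        case sha256_mac:
            hashType  = WC_HASH_TYPE_SHA256;
            hashLen   = WC_SHA256_DIGEST_SIZE;
            emptyHash = emptySHA256Hash;
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashType  = WC_HASH_TYPE_SHA384;
            hashLen   = WC_SHA384_DIGEST_SIZE;
            emptyHash = emptySHA384Hash;
            break;
#endif
#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hashType  = WC_HASH_TYPE_SHA512;
            hashLen   = WC_SHA512_DIGEST_SIZE;
            emptyHash = emptySHA512Hash;
            break;
#endif
#ifdef WOLFSSL_SM3
        case sm3_mac:
            hashType  = WC_HASH_TYPE_SM3;
            hashLen   = WC_SM3_DIGEST_SIZE;
            emptyHash = emptySM3Hash;
            break;
#endif
        default:
            return BAD_FUNC_ARG;
    }

    /* Step 1: Derive-Secret(exporter_master_secret, label, "") using the
     * precomputed Hash(""). */
    ret = Tls13HKDFExpandLabel(ssl, firstExpand, hashLen,
                               ssl->arrays->exporterSecret, hashLen,
                               protocol, protocolLen, (byte*)label,
                               (word32)labelLen, emptyHash, hashLen,
                               (int)hashType);
    if (ret != 0)
        goto out;

    /* Step 2: hash the caller's context and expand to the requested size. */
    ret = wc_Hash(hashType, context, (word32)contextLen, hashOut,
                  WC_MAX_DIGEST_SIZE);
    if (ret != 0)
        goto out;

    ret = Tls13HKDFExpandLabel(ssl, out, (word32)outLen, firstExpand, hashLen,
                               protocol, protocolLen, exporterLabel,
                               EXPORTER_LABEL_SZ, hashOut, hashLen,
                               (int)hashType);

out:
    /* firstExpand is keying material derived from the exporter master
     * secret; do not leave it on the stack. */
    ForceZero(firstExpand, sizeof(firstExpand));
    return ret;
}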
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
/* Label for the resumption master secret. */
#define RESUME_MASTER_LABEL_SZ 10
static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
    "res master";
/* Derive the resumption master secret from the master secret and the
 * full handshake transcript.
 *
 * ssl  Connection. The master secret is read from ssl->arrays when they
 *      are still present, else from ssl->session.
 * key  Receives hash_size bytes.
 * Returns 0 on success, BAD_FUNC_ARG for NULL ssl, otherwise the
 * Tls13DeriveKey error.
 */
int DeriveResumptionSecret(WOLFSSL* ssl, byte* key)
{
    const byte* masterSecret;

    WOLFSSL_MSG("Derive Resumption Secret");

    if (ssl == NULL) {
        return BAD_FUNC_ARG;
    }

    /* Use the session's copy when the handshake arrays are gone. */
    masterSecret = (ssl->arrays != NULL) ? ssl->arrays->masterSecret
                                         : ssl->session->masterSecret;

    /* Side 0: not tied to either endpoint's direction. */
    return Tls13DeriveKey(ssl, key, -1, masterSecret, resumeMasterLabel,
                          RESUME_MASTER_LABEL_SZ, ssl->specs.mac_algorithm,
                          1, 0);
}
#endif
/* Label for the Finished HMAC key. */
#define FINISHED_LABEL_SZ 8
static const byte finishedLabel[FINISHED_LABEL_SZ+1] = "finished";
/* Derive the Finished key from a traffic secret.
 *
 * Note the argument order: `key` is the INPUT traffic secret and `secret`
 * RECEIVES the finished key (hash_size bytes).
 *
 * ssl     Connection.
 * key     Input handshake traffic secret.
 * secret  Output buffer for the finished key.
 * side    Forwarded to the PK callback.
 * Returns the Tls13DeriveKey result (0 on success). No transcript hash is
 * mixed in.
 */
static int DeriveFinishedSecret(WOLFSSL* ssl, byte* key, byte* secret,
                                int side)
{
    const byte* baseSecret = key;
    byte*       finishedKey = secret;

    WOLFSSL_MSG("Derive Finished Secret");

    return Tls13DeriveKey(ssl, finishedKey, -1, baseSecret, finishedLabel,
                          FINISHED_LABEL_SZ, ssl->specs.mac_algorithm, 0,
                          side);
}
/* Label for the KeyUpdate traffic-secret rotation. */
#define APP_TRAFFIC_LABEL_SZ 11
static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =
    "traffic upd";
/* Rotate an application traffic secret in place (KeyUpdate).
 *
 * ssl     Connection.
 * secret  Buffer holding the current traffic secret; overwritten with the
 *         next-generation secret (hash_size bytes).
 * side    Forwarded to the PK callback.
 * Returns the Tls13DeriveKey result (0 on success). No transcript hash is
 * mixed in.
 */
static int DeriveTrafficSecret(WOLFSSL* ssl, byte* secret, int side)
{
    /* Input and output deliberately alias: the old secret is replaced. */
    byte* currentSecret = secret;

    WOLFSSL_MSG("Derive New Application Traffic Secret");

    return Tls13DeriveKey(ssl, currentSecret, -1, currentSecret,
                          appTrafficLabel, APP_TRAFFIC_LABEL_SZ,
                          ssl->specs.mac_algorithm, 0, side);
}
/* HKDF-Extract wrapper: prk = HKDF-Extract(salt, ikm) with `digest`.
 *
 * ssl      Connection; supplies the optional extract callback and its
 *          context, heap and devId. Callers must have checked
 *          ssl->arrays, which is dereferenced here in PSK builds.
 * prk      Receives the pseudo-random key.
 * salt / saltLen  Salt (NULL/0 for the early secret).
 * ikm / ikmLen    Input keying material.
 * digest   wolfCrypt hash type (from mac2hash()).
 * Returns 0 on success, PSK_KEY_ERROR when the PSK size is flagged as
 * invalid, otherwise a wolfCrypt or callback error code.
 */
static int Tls13_HKDF_Extract(WOLFSSL *ssl, byte* prk, const byte* salt,
                              int saltLen, byte* ikm, int ikmLen, int digest)
{
    int ret;
#ifdef HAVE_PK_CALLBACKS
    /* The callback is configured on the context, its user data per ssl. */
    void *cb_ctx = ssl->HkdfExtractCtx;
    CallbackHKDFExtract cb = ssl->ctx->HkdfExtractCb;
    if (cb != NULL) {
        ret = cb(prk, salt, (word32)saltLen, ikm, (word32)ikmLen, digest, cb_ctx);
    }
    else
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    /* A negative psk_keySz (after the cast) marks a failed PSK lookup;
     * presumably set by the PSK callback path -- confirm against callers. */
    if ((int)ssl->arrays->psk_keySz < 0) {
        ret = PSK_KEY_ERROR;
    }
    else
#endif
    {
#if !defined(HAVE_FIPS) || \
    (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
        ret = wc_Tls13_HKDF_Extract_ex(prk, salt, (word32)saltLen, ikm, (word32)ikmLen, digest,
            ssl->heap, ssl->devId);
#else
        ret = wc_Tls13_HKDF_Extract(prk, salt, saltLen, ikm, ikmLen, digest);
        (void)ssl;
#endif
    }
    return ret;
}
/* Derive the early secret: HKDF-Extract(salt = "", ikm = PSK).
 *
 * Without PSK/ticket support the IKM length is 0 (the extract routine is
 * handed the master-secret buffer only as a non-NULL pointer).
 *
 * ssl  Connection; the result is written to ssl->arrays->secret.
 * Returns 0 on success, BAD_FUNC_ARG on NULL ssl/arrays, otherwise the
 * hardware or extract error code.
 */
int DeriveEarlySecret(WOLFSSL* ssl)
{
    int   ret;
    int   digest;
    byte* ikm;
    int   ikmLen;

    WOLFSSL_MSG("Derive Early Secret");

    if (ssl == NULL || ssl->arrays == NULL) {
        return BAD_FUNC_ARG;
    }

#if defined(WOLFSSL_RENESAS_TSIP_TLS)
    /* Hardware path first; CRYPTOCB_UNAVAILABLE means "do it in software". */
    ret = tsip_Tls13DeriveEarlySecret(ssl);
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
        return ret;
#endif

    digest = mac2hash(ssl->specs.mac_algorithm);
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    ikm    = ssl->arrays->psk_key;
    ikmLen = (int)ssl->arrays->psk_keySz;
#else
    ikm    = ssl->arrays->masterSecret;
    ikmLen = 0;
#endif

    PRIVATE_KEY_UNLOCK();
    ret = Tls13_HKDF_Extract(ssl, ssl->arrays->secret, NULL, 0,
                             ikm, ikmLen, digest);
    PRIVATE_KEY_LOCK();

    return ret;
}
/* Label for the intermediate "derived" secret used as the salt when
 * extracting the handshake and master secrets. */
#define DERIVED_LABEL_SZ 7
static const byte derivedLabel[DERIVED_LABEL_SZ + 1] =
    "derived";
/* Derive the handshake secret:
 *   salt = Derive-Secret(early_secret, "derived", "")
 *   handshake_secret = HKDF-Extract(salt, (EC)DHE shared secret)
 *
 * ssl  Connection. The shared secret is read from, and the result written
 *      back to, ssl->arrays->preMasterSecret (in place).
 * Returns 0 on success, BAD_FUNC_ARG on NULL ssl/arrays, otherwise the
 * hardware, derivation or extract error code.
 */
int DeriveHandshakeSecret(WOLFSSL* ssl)
{
    byte key[WC_MAX_DIGEST_SIZE];
    int ret;

    WOLFSSL_MSG("Derive Handshake Secret");

    if (ssl == NULL || ssl->arrays == NULL) {
        return BAD_FUNC_ARG;
    }

#if defined(WOLFSSL_RENESAS_TSIP_TLS)
    /* Hardware path first; CRYPTOCB_UNAVAILABLE means "do it in software". */
    ret = tsip_Tls13DeriveHandshakeSecret(ssl);
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
        return ret;
#endif

    /* Intermediate "derived" secret; it is the salt for the extract. */
    ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
                       derivedLabel, DERIVED_LABEL_SZ,
                       NULL, 0, ssl->specs.mac_algorithm);
    if (ret == 0) {
        PRIVATE_KEY_UNLOCK();
        ret = Tls13_HKDF_Extract(ssl, ssl->arrays->preMasterSecret,
                                 key, ssl->specs.hash_size,
                                 ssl->arrays->preMasterSecret, (int)ssl->arrays->preMasterSz,
                                 mac2hash(ssl->specs.mac_algorithm));
        PRIVATE_KEY_LOCK();
    }

#ifdef WOLFSSL_CHECK_MEM_ZERO
    wc_MemZero_Add("DeriveHandshakeSecret key", key, WC_MAX_DIGEST_SIZE);
#endif
    /* The salt is secret-derived; wipe it on every path, including errors. */
    ForceZero(key, sizeof(key));
#ifdef WOLFSSL_CHECK_MEM_ZERO
    wc_MemZero_Check(key, sizeof(key));
#endif

    return ret;
}
/* Derive the master secret:
 *   salt = Derive-Secret(handshake_secret, "derived", "")
 *   master_secret = HKDF-Extract(salt, zero-length IKM)
 * and, when keying-material export is enabled and the arrays are kept,
 * the exporter master secret as well.
 *
 * ssl  Connection. The result is written to ssl->arrays->masterSecret; that
 *      buffer is also passed as the (length 0) IKM.
 * Returns 0 on success, BAD_FUNC_ARG on NULL ssl/arrays, otherwise the
 * hardware, derivation or extract error code.
 */
int DeriveMasterSecret(WOLFSSL* ssl)
{
    byte key[WC_MAX_DIGEST_SIZE];
    int ret;

    WOLFSSL_MSG("Derive Master Secret");

    if (ssl == NULL || ssl->arrays == NULL) {
        return BAD_FUNC_ARG;
    }

#if defined(WOLFSSL_RENESAS_TSIP_TLS)
    /* Hardware path first; CRYPTOCB_UNAVAILABLE means "do it in software". */
    ret = tsip_Tls13DeriveMasterSecret(ssl);
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
        return ret;
#endif

    /* Intermediate "derived" secret; it is the salt for the extract. */
    ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->preMasterSecret,
                       derivedLabel, DERIVED_LABEL_SZ,
                       NULL, 0, ssl->specs.mac_algorithm);
    if (ret == 0) {
        PRIVATE_KEY_UNLOCK();
        ret = Tls13_HKDF_Extract(ssl, ssl->arrays->masterSecret,
                                 key, ssl->specs.hash_size,
                                 ssl->arrays->masterSecret, 0,
                                 mac2hash(ssl->specs.mac_algorithm));
        PRIVATE_KEY_LOCK();
    }

#ifdef WOLFSSL_CHECK_MEM_ZERO
    wc_MemZero_Add("DeriveMasterSecret key", key, WC_MAX_DIGEST_SIZE);
#endif
    /* The salt is secret-derived; wipe it on every path, including errors. */
    ForceZero(key, sizeof(key));
#ifdef WOLFSSL_CHECK_MEM_ZERO
    wc_MemZero_Check(key, sizeof(key));
#endif

#ifdef HAVE_KEYING_MATERIAL
    if (ret != 0)
        return ret;
    /* The exporter secret is only stored when the arrays are being kept
     * past the handshake (see Tls13_Exporter). */
    if (ssl->options.saveArrays)
        ret = DeriveExporterSecret(ssl, ssl->arrays->exporterSecret);
#endif

    return ret;
}
#if defined(HAVE_SESSION_TICKET)
/* Label for deriving a resumption PSK from the resumption master secret. */
#define RESUMPTION_LABEL_SZ 10
static const byte resumptionLabel[RESUMPTION_LABEL_SZ+1] = "resumption";
/* Derive a resumption PSK from the session's resumption master secret
 * and a ticket nonce:
 *   PSK = HKDF-Expand-Label(resumption_master_secret, "resumption",
 *                           nonce, hash_size)
 *
 * ssl       Connection; ssl->session->masterSecret is the input. Not
 *           NULL-checked here -- callers must guarantee ssl and session.
 * nonce / nonceLen  Ticket nonce used as the HKDF context.
 * secret    Receives hash_size bytes.
 * Returns 0 on success, BAD_FUNC_ARG for an unsupported hash, otherwise
 * the expansion error code.
 */
int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen, byte* secret)
{
    int         digestAlg;
    const byte* protocol = tls13ProtocolLabel;
    word32      protocolLen = TLS13_PROTOCOL_LABEL_SZ;
    int         ret;

    WOLFSSL_MSG("Derive Resumption PSK");

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        protocol = dtls13ProtocolLabel;
        protocolLen = DTLS13_PROTOCOL_LABEL_SZ;
    }
#endif

    switch (ssl->specs.mac_algorithm) {
#ifndef NO_SHA256
        case sha256_mac:
            digestAlg = WC_SHA256;
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            digestAlg = WC_SHA384;
            break;
#endif
#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            digestAlg = WC_SHA512;
            break;
#endif
#ifdef WOLFSSL_SM3
        case sm3_mac:
            digestAlg = WC_SM3;
            break;
#endif
        default:
            return BAD_FUNC_ARG;
    }

#if defined(WOLFSSL_TICKET_NONCE_MALLOC) && \
    (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))
    /* Heap-allocating variant for nonces larger than the fixed buffer;
     * it does not go through the PK callback path. */
    PRIVATE_KEY_UNLOCK();
    ret = wc_Tls13_HKDF_Expand_Label_Alloc(secret, ssl->specs.hash_size,
        ssl->session->masterSecret, ssl->specs.hash_size, protocol, protocolLen,
        resumptionLabel, RESUMPTION_LABEL_SZ, nonce, nonceLen, digestAlg,
        ssl->heap);
    PRIVATE_KEY_LOCK();
#else
    ret = Tls13HKDFExpandLabel(ssl, secret, ssl->specs.hash_size,
                               ssl->session->masterSecret, ssl->specs.hash_size,
                               protocol, protocolLen, resumptionLabel,
                               RESUMPTION_LABEL_SZ, nonce, nonceLen, digestAlg);
#endif
    return ret;
}
#endif
/* Compute the Finished verify_data: HMAC(key, transcript_hash).
 *
 * ssl      Connection; supplies the running handshake hashes and specs.
 * key      Finished key (hash_size bytes, from DeriveFinishedSecret).
 * hash     In/out: receives the transcript hash, then is overwritten with
 *          the HMAC output. Must hold WC_MAX_DIGEST_SIZE bytes.
 * pHashSz  Optional; receives the HMAC length.
 * Returns 0 on success, BAD_FUNC_ARG for NULL arguments or an unsupported
 * hash, MEMORY_E if the HMAC object cannot be allocated, otherwise a
 * wolfCrypt error code.
 *
 * WOLFSSL_DEBUG_TLS builds write the finished key to the debug log; that
 * option is for development builds only.
 */
static int BuildTls13HandshakeHmac(WOLFSSL* ssl, byte* key, byte* hash,
                                   word32* pHashSz)
{
    WC_DECLARE_VAR(verifyHmac, Hmac, 1, 0);
    int  hashType = WC_SHA256;
    int  hashSz = WC_SHA256_DIGEST_SIZE;
    int  ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);

    if (ssl == NULL || key == NULL || hash == NULL) {
        return BAD_FUNC_ARG;
    }

    /* Snapshot the transcript hash for the negotiated algorithm. */
    switch (ssl->specs.mac_algorithm) {
#ifndef NO_SHA256
        case sha256_mac:
            hashType = WC_SHA256;
            hashSz = WC_SHA256_DIGEST_SIZE;
            ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashType = WC_SHA384;
            hashSz = WC_SHA384_DIGEST_SIZE;
            ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            break;
#endif
#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hashType = WC_SHA512;
            hashSz = WC_SHA512_DIGEST_SIZE;
            ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            break;
#endif
#ifdef WOLFSSL_SM3
        case sm3_mac:
            hashType = WC_SM3;
            hashSz = WC_SM3_DIGEST_SIZE;
            ret = wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash);
            break;
#endif
        default:
            ret = BAD_FUNC_ARG;
            break;
    }
    if (ret != 0)
        return ret;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("  Key");
    WOLFSSL_BUFFER(key, ssl->specs.hash_size);
    WOLFSSL_MSG("  Msg Hash");
    WOLFSSL_BUFFER(hash, hashSz);
#endif

    WC_ALLOC_VAR_EX(verifyHmac, Hmac, 1, NULL, DYNAMIC_TYPE_HMAC,
        return MEMORY_E);

    /* HMAC over the transcript hash; the output overwrites `hash`, which
     * is safe because the input was consumed by wc_HmacUpdate first. */
    ret = wc_HmacInit(verifyHmac, ssl->heap, ssl->devId);
    if (ret == 0) {
        ret = wc_HmacSetKey(verifyHmac, hashType, key, ssl->specs.hash_size);
        if (ret == 0)
            ret = wc_HmacUpdate(verifyHmac, hash, (word32)hashSz);
        if (ret == 0)
            ret = wc_HmacFinal(verifyHmac, hash);
        wc_HmacFree(verifyHmac);
    }
    WC_FREE_VAR_EX(verifyHmac, NULL, DYNAMIC_TYPE_HMAC);

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("  Hash");
    WOLFSSL_BUFFER(hash, hashSz);
#endif

    if (pHashSz)
        *pHashSz = (word32)hashSz;

    return ret;
}
/* Labels for expanding a traffic secret into the record-layer write key
 * and IV. */
#define WRITE_KEY_LABEL_SZ 3
#define WRITE_IV_LABEL_SZ  2
static const byte writeKeyLabel[WRITE_KEY_LABEL_SZ+1] = "key";
static const byte writeIVLabel[WRITE_IV_LABEL_SZ+1] = "iv";
/* Derive the traffic secrets for one key phase and, optionally, expand
 * them into record-layer keys/IVs and install them.
 *
 * ssl     Connection.
 * secret  Which secrets to derive first: early_data_key, handshake_key,
 *         traffic_key, update_traffic_key, or no_key to keep the secrets
 *         already in ssl->clientSecret / ssl->serverSecret.
 * side    ENCRYPT_SIDE_ONLY, DECRYPT_SIDE_ONLY or ENCRYPT_AND_DECRYPT_SIDE;
 *         together with ssl->options.side this selects whether the client
 *         keys, the server keys or both are provisioned.
 * store   Non-zero: expand the secrets into keys/IVs and pass them to
 *         StoreKeys(); zero: derive the secrets only.
 * Returns 0 on success, otherwise an error code (also logged).
 *
 * Key material is accumulated in key_dig in the order client key, server
 * key, client IV, server IV (each present only when provisioned) and
 * wiped before returning.
 */
int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store)
{
    int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
    int i = 0;                /* bytes of key_dig written so far */
    WC_DECLARE_VAR(key_dig, byte, MAX_PRF_DIG, 0);
    int provision;

#if defined(WOLFSSL_RENESAS_TSIP_TLS)
    /* Hardware path first; CRYPTOCB_UNAVAILABLE means "do it in software". */
    ret = tsip_Tls13DeriveKeys(ssl, secret, side);
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
        return ret;
    }
    ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
#endif

    WC_ALLOC_VAR_EX(key_dig, byte, MAX_PRF_DIG, ssl->heap,
                    DYNAMIC_TYPE_DIGEST, return MEMORY_E);

    /* Our encrypt direction uses our own role's keys, the decrypt
     * direction the peer's; both directions means both roles. */
    if (side == ENCRYPT_AND_DECRYPT_SIDE) {
        provision = PROVISION_CLIENT_SERVER;
    }
    else {
        provision = ((ssl->options.side != WOLFSSL_CLIENT_END) ^
                     (side == ENCRYPT_SIDE_ONLY)) ? PROVISION_CLIENT :
                                                    PROVISION_SERVER;
    }

    /* Derive the per-role traffic secrets for this phase. */
    switch (secret) {
#ifdef WOLFSSL_EARLY_DATA
        case early_data_key:
            ret = DeriveEarlyTrafficSecret(ssl, ssl->clientSecret,
                                           WOLFSSL_CLIENT_END);
            if (ret != 0)
                goto end;
            break;
#endif

        case handshake_key:
            if (provision & PROVISION_CLIENT) {
                ret = DeriveClientHandshakeSecret(ssl,
                                                  ssl->clientSecret);
                if (ret != 0)
                    goto end;
            }
            if (provision & PROVISION_SERVER) {
                ret = DeriveServerHandshakeSecret(ssl,
                                                  ssl->serverSecret);
                if (ret != 0)
                    goto end;
            }
            break;

        case traffic_key:
            if (provision & PROVISION_CLIENT) {
                ret = DeriveClientTrafficSecret(ssl, ssl->clientSecret);
                if (ret != 0)
                    goto end;
            }
            if (provision & PROVISION_SERVER) {
                ret = DeriveServerTrafficSecret(ssl, ssl->serverSecret);
                if (ret != 0)
                    goto end;
            }
            break;

        case update_traffic_key:
            /* KeyUpdate: rotate the existing secrets in place. */
            if (provision & PROVISION_CLIENT) {
                ret = DeriveTrafficSecret(ssl, ssl->clientSecret,
                                          WOLFSSL_CLIENT_END);
                if (ret != 0)
                    goto end;
            }
            if (provision & PROVISION_SERVER) {
                ret = DeriveTrafficSecret(ssl, ssl->serverSecret,
                                          WOLFSSL_SERVER_END);
                if (ret != 0)
                    goto end;
            }
            break;

        case no_key:
            ret = 0;
            break;

        default:
            ret = BAD_FUNC_ARG;
            break;
    }

#ifdef WOLFSSL_QUIC
    /* QUIC owns the record layer: hand the secrets over instead. */
    if (WOLFSSL_IS_QUIC(ssl)) {
        ret = wolfSSL_quic_forward_secrets(ssl, secret, side);
        if (ret != 0)
            goto end;
    }
#endif

    if (!store)
        goto end;

    /* Expand secrets into write keys, then IVs, for each provisioned role. */
    if (provision & PROVISION_CLIENT) {
        WOLFSSL_MSG("Derive Client Key");
        ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
                             ssl->clientSecret, writeKeyLabel,
                             WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0,
                             WOLFSSL_CLIENT_END);
        if (ret != 0)
            goto end;
        i += ssl->specs.key_size;
    }

    if (provision & PROVISION_SERVER) {
        WOLFSSL_MSG("Derive Server Key");
        ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
                             ssl->serverSecret, writeKeyLabel,
                             WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0,
                             WOLFSSL_SERVER_END);
        if (ret != 0)
            goto end;
        i += ssl->specs.key_size;
    }

    if (provision & PROVISION_CLIENT) {
        WOLFSSL_MSG("Derive Client IV");
        ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
                             ssl->clientSecret, writeIVLabel,
                             WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0,
                             WOLFSSL_CLIENT_END);
        if (ret != 0)
            goto end;
        i += ssl->specs.iv_size;
    }

    if (provision & PROVISION_SERVER) {
        WOLFSSL_MSG("Derive Server IV");
        ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
                             ssl->serverSecret, writeIVLabel,
                             WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0,
                             WOLFSSL_SERVER_END);
        if (ret != 0)
            goto end;
        i += ssl->specs.iv_size;
    }

    ret = StoreKeys(ssl, key_dig, provision);

#ifdef WOLFSSL_DTLS13
    if (ret != 0)
        goto end;

    if (ssl->options.dtls) {
        w64wrapper epochNumber;
        /* DTLS 1.3 also needs sequence-number encryption keys and a new
         * epoch for this key phase. */
        ret = Dtls13DeriveSnKeys(ssl, provision);
        if (ret != 0)
            goto end;

        switch (secret) {
            case early_data_key:
                epochNumber = w64From32(0, DTLS13_EPOCH_EARLYDATA);
                break;
            case handshake_key:
                epochNumber = w64From32(0, DTLS13_EPOCH_HANDSHAKE);
                break;
            case traffic_key:
            case no_key:
                epochNumber = w64From32(0, DTLS13_EPOCH_TRAFFIC0);
                break;
            case update_traffic_key:
                /* A key update advances exactly one direction's epoch. */
                if (side == ENCRYPT_SIDE_ONLY) {
                    epochNumber = ssl->dtls13Epoch;
                }
                else if (side == DECRYPT_SIDE_ONLY) {
                    epochNumber = ssl->dtls13PeerEpoch;
                }
                else {
                    ret = BAD_STATE_E;
                    goto end;
                }
                w64Increment(&epochNumber);
                break;
            default:
                ret = BAD_STATE_E;
                goto end;
        }

        ret = Dtls13NewEpoch(ssl, epochNumber, side);
        if (ret != 0)
            goto end;
    }
#endif

end:
    /* Wipe exactly the bytes of key material that were written. */
    ForceZero(key_dig, (word32)i);
#ifdef WOLFSSL_SMALL_STACK
    XFREE(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST);
#elif defined(WOLFSSL_CHECK_MEM_ZERO)
    wc_MemZero_Check(key_dig, MAX_PRF_DIG);
#endif

    if (ret != 0) {
        WOLFSSL_ERROR_VERBOSE(ret);
    }

    return ret;
}
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) || defined(WOLFSSL_DTLS13)
#ifdef WOLFSSL_32BIT_MILLI_TIME
#ifndef NO_ASN_TIME
#if defined(USER_TICKS)
#if 0#endif
#elif defined(TIME_OVERRIDES)
#if !defined(NO_ASN) && !defined(NO_ASN_TIME)
/* Millisecond clock, TIME_OVERRIDES build with ASN time available.
 * wc_Time() only has one-second resolution, so the result moves in
 * 1000 ms steps. The scaling is done in word32 arithmetic and wraps at
 * 2^32 ms (about 49.7 days) like every other 32-bit variant. */
word32 TimeNowInMilliseconds(void)
{
    word32 secs = (word32)wc_Time(0);
    return secs * 1000U;
}
#else
#ifndef HAVE_TIME_T_TYPE
typedef long time_t;
#endif
extern time_t XTIME(time_t * timer);
/* Millisecond clock, TIME_OVERRIDES build without ASN time: uses the
 * user-supplied XTIME() hook declared extern above. One-second resolution
 * scaled to milliseconds in wrapping 32-bit arithmetic. */
word32 TimeNowInMilliseconds(void)
{
    word32 secs = (word32)XTIME(0);
    return secs * 1000U;
}
#endif
#elif defined(XTIME_MS)
/* Millisecond clock from a user-supplied XTIME_MS() hook. The value is
 * truncated to 32 bits; the hook is expected to already be in ms. */
word32 TimeNowInMilliseconds(void)
{
    word32 nowMs = (word32)XTIME_MS(0);
    return nowMs;
}
#elif defined(USE_WINDOWS_API)
/* Millisecond clock on Windows, built on the performance counter.
 * The counter frequency is fixed for the process lifetime and is queried
 * once. NOTE(review): the cache flag is not synchronized; concurrent first
 * callers just repeat the same query, which is harmless. The divisor
 * freq/1000 is assumed non-zero (counter frequency >= 1 kHz). */
word32 TimeNowInMilliseconds(void)
{
    static LARGE_INTEGER freq;
    static int           freqCached = 0;
    LARGE_INTEGER        now;

    if (freqCached == 0) {
        QueryPerformanceFrequency(&freq);
        freqCached = 1;
    }
    QueryPerformanceCounter(&now);
    /* ticks / (ticks per millisecond), truncated to 32 bits. */
    return (word32)(now.QuadPart / (freq.QuadPart / 1000));
}
#elif defined(HAVE_RTP_SYS)
#include "rtptime.h"
/* Millisecond clock on RTP systems. rtp_get_system_sec() is a seconds
 * clock, so the millisecond digits are always zero. */
word32 TimeNowInMilliseconds(void)
{
    word32 secs = (word32)rtp_get_system_sec();
    return secs * 1000U;
}
#elif defined(WOLFSSL_DEOS)
/* Millisecond clock on DEOS. Ticks-per-second is derived from the tick
 * period in microseconds and the tick counter is read through a pointer
 * into system memory. The divide to whole seconds happens before the
 * scaling, so the effective resolution is one second. */
word32 TimeNowInMilliseconds(void)
{
    const word32 ticksPerSec = 1000000 / systemTickInMicroseconds();
    word32       ticks       = *systemTickPointer();

    return (ticks / ticksPerSec) * 1000U;
}
#elif defined(MICRIUM)
/* Millisecond clock on Micrium uC/OS. The OS error code from OSTimeGet()
 * is not inspected (as before). Ticks are first reduced to whole seconds,
 * so the result has one-second resolution. */
word32 TimeNowInMilliseconds(void)
{
    OS_ERR  err;
    OS_TICK ticks = OSTimeGet(&err);

    return (word32)(ticks / OSCfg_TickRate_Hz) * 1000U;
}
#elif defined(MICROCHIP_TCPIP_V5)
/* Millisecond clock on Microchip TCP/IP stack v5: ticks divided by
 * ticks-per-millisecond. NOTE(review): a TICKS_PER_SECOND below 1000 would
 * make the divisor zero -- assumed not to occur on supported targets. */
word32 TimeNowInMilliseconds(void)
{
return (word32) (TickGet() / (TICKS_PER_SECOND / 1000));
}
#elif defined(MICROCHIP_TCPIP)
#if defined(MICROCHIP_MPLAB_HARMONY)
#include <system/tmr/sys_tmr.h>
/* Millisecond clock on MPLAB Harmony: system-timer ticks divided by
 * ticks-per-millisecond (frequency / 1000, assumed >= 1). */
word32 TimeNowInMilliseconds(void)
{
return (word32)(SYS_TMR_TickCountGet() /
(SYS_TMR_TickCounterFrequencyGet() / 1000));
}
#else
/* Millisecond clock on the non-Harmony Microchip TCP/IP stack: system
 * ticks divided by ticks-per-millisecond (ticks/sec / 1000, assumed >= 1). */
word32 TimeNowInMilliseconds(void)
{
return (word32)(SYS_TICK_Get() / (SYS_TICK_TicksPerSecondGet() / 1000));
}
#endif
#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
/* Millisecond clock on MQX. Only the SECONDS field of the elapsed-time
 * structure is used; the sub-second part is not, so the result has
 * one-second resolution. */
word32 TimeNowInMilliseconds(void)
{
    TIME_STRUCT elapsed;

    _time_get_elapsed(&elapsed);
    return (word32)elapsed.SECONDS * 1000U;
}
#elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
#include "include/task.h"
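/* Millisecond clock on Freescale FreeRTOS: tick count divided by ticks
 * per millisecond.
 *
 * Fix: the previous version divided in `float`, whose 24-bit significand
 * cannot represent tick counts above 2^24 exactly, so results drifted after
 * roughly 16.7M ticks. Integer division is exact and matches the 64-bit
 * variant of this function. NOTE(review): configTICK_RATE_HZ below 1000
 * would make the divisor zero -- unchanged from before. */
word32 TimeNowInMilliseconds(void)
{
    return (word32)(xTaskGetTickCount() / (configTICK_RATE_HZ / 1000));
}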
#elif defined(FREESCALE_KSDK_BM)
#include "lwip/sys.h"
/* Millisecond clock on Freescale KSDK bare-metal, using lwIP's sys_now()
 * which already counts milliseconds. */
word32 TimeNowInMilliseconds(void)
{
    word32 nowMs = sys_now();
    return nowMs;
}
#elif defined(WOLFSSL_CMSIS_RTOS) || defined(WOLFSSL_CMSIS_RTOSv2)
/* Millisecond clock on CMSIS-RTOS (v1/v2).
 * NOTE(review): osKernelGetTickCount() is in kernel ticks; this returns it
 * unscaled, i.e. it assumes a 1 kHz tick -- confirm for the target. */
word32 TimeNowInMilliseconds(void)
{
    word32 ticks = (word32)osKernelGetTickCount();
    return ticks;
}
#elif defined(WOLFSSL_TIRTOS)
/* Millisecond clock on TI-RTOS. Seconds_get() has one-second resolution;
 * scaled in wrapping 32-bit arithmetic. */
word32 TimeNowInMilliseconds(void)
{
    word32 secs = (word32)Seconds_get();
    return secs * 1000U;
}
#elif defined(WOLFSSL_UTASKER)
/* Millisecond clock on uTasker: system tick divided by ticks-per-ms
 * (TICK_RESOLUTION / 1000, assumed >= 1 -- the units of TICK_RESOLUTION
 * are not visible here; verify against the uTasker configuration). */
word32 TimeNowInMilliseconds(void)
{
return (word32)(uTaskerSystemTick / (TICK_RESOLUTION / 1000));
}
#elif defined(WOLFSSL_LINUXKM)
/* Millisecond clock inside the Linux kernel. Three kernel-version
 * dependent APIs feed the same seconds/nanoseconds pair; all arithmetic is
 * done in s64 before truncating to 32 bits. */
word32 TimeNowInMilliseconds(void)
{
    s64 secs;
    s64 nsecs;
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
    struct timespec ts;
    getnstimeofday(&ts);
    secs  = ts.tv_sec;
    nsecs = ts.tv_nsec;
#else
    struct timespec64 ts;
#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0)
    ts = current_kernel_time64();
#else
    ktime_get_coarse_real_ts64(&ts);
#endif
    secs  = ts.tv_sec;
    nsecs = ts.tv_nsec;
#endif
    return (word32)(secs * 1000 + nsecs / 1000000);
}
#elif defined(WOLFSSL_QNX_CAAM)
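/* Millisecond clock on QNX (CAAM build) from CLOCK_REALTIME.
 *
 * Fixes: (1) the clock_gettime() result is now checked, mirroring the
 * gettimeofday() variant below, instead of converting an uninitialised
 * timespec on failure; (2) the scaling is done in word32 so that a 32-bit
 * time_t cannot overflow in `tv_sec * 1000` (signed overflow is undefined
 * behaviour). The value is meant to wrap at 2^32 ms anyway, and on a 64-bit
 * time_t the result is unchanged. */
word32 TimeNowInMilliseconds(void)
{
    struct timespec now;

    if (clock_gettime(CLOCK_REALTIME, &now) != 0)
        return 0;
    return (word32)now.tv_sec * 1000U + (word32)(now.tv_nsec / 1000000);
}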
#elif defined(FUSION_RTOS)
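/* Millisecond clock on Fusion RTOS. A failed clock read yields 0.
 *
 * Fix: the scaling is done in word32 so that a 32-bit time_t cannot
 * overflow in `tv_sec * 1000` (signed overflow is undefined behaviour).
 * The value is meant to wrap at 2^32 ms anyway, and on a 64-bit time_t the
 * result is unchanged. */
word32 TimeNowInMilliseconds(void)
{
    struct timeval now;

    if (FCL_GETTIMEOFDAY(&now, 0) < 0)
        return 0;
    return (word32)now.tv_sec * 1000U + (word32)(now.tv_usec / 1000);
}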
#elif defined(WOLFSSL_ZEPHYR)
/* Millisecond clock on Zephyr, from the kernel uptime counter (already in
 * ms). On the POSIX (native simulation) arch the CPU is idled once before
 * sampling; NOTE(review): presumably because simulated time only advances
 * on idle -- the original gives no rationale, confirm before relying on it. */
word32 TimeNowInMilliseconds(void)
{
    int64_t uptimeMs;
#if defined(CONFIG_ARCH_POSIX)
    k_cpu_idle();
#endif
    uptimeMs = k_uptime_get();
    return (word32)uptimeMs;
}
#elif defined(FREERTOS)
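/* Millisecond clock on FreeRTOS: ticks * 1000 / tick rate.
 *
 * Fix: the tick count is widened to 64 bits BEFORE multiplying. The previous
 * `(uint64_t)(xTaskGetTickCount() * 1000)` applied the cast to the product,
 * so when TickType_t is a 32-bit type the multiplication wrapped after
 * 2^32/1000 ticks (~71 minutes at 1 kHz) and produced a wrong -- not merely
 * wrapped -- value. The final cast still truncates to 32 bits. */
word32 TimeNowInMilliseconds(void)
{
    uint64_t ticks = (uint64_t)xTaskGetTickCount();
    return (word32)((ticks * 1000) / configTICK_RATE_HZ);
}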
#else
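/* Millisecond clock, POSIX default: gettimeofday(). A failed read yields 0.
 *
 * Fix: the scaling is done in word32 so that a 32-bit time_t (the usual
 * case when WOLFSSL_32BIT_MILLI_TIME is in effect) cannot overflow in
 * `tv_sec * 1000`, which is undefined behaviour for a signed type. The
 * value is meant to wrap at 2^32 ms anyway, and on a 64-bit time_t the
 * low 32 bits -- and hence the result -- are unchanged. */
word32 TimeNowInMilliseconds(void)
{
    struct timeval now;

    if (gettimeofday(&now, 0) < 0)
        return 0;
    return (word32)now.tv_sec * 1000U + (word32)(now.tv_usec / 1000);
}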
#endif
#else
#endif
#else
#ifndef NO_ASN_TIME
#if defined(USER_TICKS)
#if 0#endif
#elif defined(TIME_OVERRIDES)
#if !defined(NO_ASN) && !defined(NO_ASN_TIME)
/* Millisecond clock (64-bit), TIME_OVERRIDES build with ASN time.
 * wc_Time() has one-second resolution, so the result moves in 1000 ms
 * steps; widened to sword64 before scaling. */
sword64 TimeNowInMilliseconds(void)
{
    sword64 secs = (sword64)wc_Time(0);
    return secs * 1000;
}
#else
#ifndef HAVE_TIME_T_TYPE
typedef long time_t;
#endif
extern time_t XTIME(time_t * timer);
/* Millisecond clock (64-bit), TIME_OVERRIDES build without ASN time: uses
 * the user-supplied XTIME() hook declared extern above. One-second
 * resolution, widened to sword64 before scaling. */
sword64 TimeNowInMilliseconds(void)
{
    sword64 secs = (sword64)XTIME(0);
    return secs * 1000;
}
#endif
#elif defined(XTIME_MS)
/* Millisecond clock (64-bit) from a user-supplied XTIME_MS() hook, which
 * is expected to already be in milliseconds. */
sword64 TimeNowInMilliseconds(void)
{
    sword64 nowMs = (sword64)XTIME_MS(0);
    return nowMs;
}
#elif defined(USE_WINDOWS_API)
/* Millisecond clock (64-bit) on Windows, built on the performance counter.
 * The counter frequency is fixed for the process lifetime and is queried
 * once. NOTE(review): the cache flag is not synchronized; concurrent first
 * callers just repeat the same query, which is harmless. The divisor
 * freq/1000 is assumed non-zero (counter frequency >= 1 kHz). */
sword64 TimeNowInMilliseconds(void)
{
    static LARGE_INTEGER freq;
    static int           freqCached = 0;
    LARGE_INTEGER        now;

    if (freqCached == 0) {
        QueryPerformanceFrequency(&freq);
        freqCached = 1;
    }
    QueryPerformanceCounter(&now);
    /* ticks / (ticks per millisecond) */
    return (sword64)(now.QuadPart / (freq.QuadPart / 1000));
}
#elif defined(HAVE_RTP_SYS)
#include "rtptime.h"
/* Millisecond clock (64-bit) on RTP systems. rtp_get_system_sec() is a
 * seconds clock, so the millisecond digits are always zero. */
sword64 TimeNowInMilliseconds(void)
{
    sword64 secs = (sword64)rtp_get_system_sec();
    return secs * 1000;
}
#elif defined(WOLFSSL_DEOS)
/* Millisecond clock (64-bit) on DEOS. Ticks-per-second is derived from
 * the tick period in microseconds and the tick counter is read through a
 * pointer into system memory. The divide to whole seconds happens before
 * the scaling, so the effective resolution is one second. */
sword64 TimeNowInMilliseconds(void)
{
    const word32 ticksPerSec = 1000000 / systemTickInMicroseconds();
    word32       ticks       = *systemTickPointer();

    return (sword64)(ticks / ticksPerSec) * 1000;
}
#elif defined(MICRIUM)
/* Millisecond clock (64-bit) on Micrium uC/OS. The OS error code from
 * OSTimeGet() is not inspected (as before). Ticks are first reduced to
 * whole seconds, so the result has one-second resolution. */
sword64 TimeNowInMilliseconds(void)
{
    OS_ERR  err;
    OS_TICK ticks = OSTimeGet(&err);

    return (sword64)(ticks / OSCfg_TickRate_Hz) * 1000;
}
#elif defined(MICROCHIP_TCPIP_V5)
/* Millisecond clock (64-bit) on Microchip TCP/IP stack v5: ticks divided
 * by ticks-per-millisecond. NOTE(review): a TICKS_PER_SECOND below 1000
 * would make the divisor zero -- assumed not to occur. */
sword64 TimeNowInMilliseconds(void)
{
return (sword64) (TickGet() / (TICKS_PER_SECOND / 1000));
}
#elif defined(MICROCHIP_TCPIP)
#if defined(MICROCHIP_MPLAB_HARMONY)
#include <system/tmr/sys_tmr.h>
/* Millisecond clock (64-bit) on MPLAB Harmony: the tick count is widened
 * to sword64 first, then divided by ticks-per-millisecond
 * (frequency / 1000, assumed >= 1). */
sword64 TimeNowInMilliseconds(void)
{
return (sword64)SYS_TMR_TickCountGet() /
(SYS_TMR_TickCounterFrequencyGet() / 1000);
}
#else
/* Millisecond clock (64-bit) on the non-Harmony Microchip TCP/IP stack:
 * tick count widened to sword64, divided by ticks-per-millisecond
 * (ticks/sec / 1000, assumed >= 1). */
sword64 TimeNowInMilliseconds(void)
{
return (sword64)SYS_TICK_Get() / (SYS_TICK_TicksPerSecondGet() / 1000);
}
#endif
#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
/* Millisecond clock (64-bit) on MQX. Only the SECONDS field of the
 * elapsed-time structure is used, so the result has one-second resolution. */
sword64 TimeNowInMilliseconds(void)
{
    TIME_STRUCT elapsed;

    _time_get_elapsed(&elapsed);
    return (sword64)elapsed.SECONDS * 1000;
}
#elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
#include "include/task.h"
/* Millisecond clock (64-bit) on Freescale FreeRTOS: tick count widened to
 * sword64, divided by ticks-per-millisecond. NOTE(review): configTICK_RATE_HZ
 * below 1000 would make the divisor zero -- assumed not to occur. */
sword64 TimeNowInMilliseconds(void)
{
    sword64 ticks = (sword64)xTaskGetTickCount();
    return ticks / (configTICK_RATE_HZ / 1000);
}
#elif defined(FREESCALE_KSDK_BM)
#include "lwip/sys.h"
/* Millisecond clock (64-bit) on Freescale KSDK bare-metal, using lwIP's
 * sys_now() which already counts milliseconds. */
sword64 TimeNowInMilliseconds(void)
{
    sword64 nowMs = sys_now();
    return nowMs;
}
#elif defined(WOLFSSL_CMSIS_RTOS) || defined(WOLFSSL_CMSIS_RTOSv2)
/* Millisecond clock (64-bit) on CMSIS-RTOS (v1/v2).
 * NOTE(review): osKernelGetTickCount() is in kernel ticks; this returns it
 * unscaled, i.e. it assumes a 1 kHz tick -- confirm for the target. */
sword64 TimeNowInMilliseconds(void)
{
    sword64 ticks = (sword64)osKernelGetTickCount();
    return ticks;
}
#elif defined(WOLFSSL_TIRTOS)
/* Millisecond clock (64-bit) on TI-RTOS. Seconds_get() has one-second
 * resolution; widened to sword64 before scaling. */
sword64 TimeNowInMilliseconds(void)
{
    sword64 secs = (sword64)Seconds_get();
    return secs * 1000;
}
#elif defined(WOLFSSL_UTASKER)
/* Millisecond clock (64-bit) on uTasker: system tick divided by
 * ticks-per-ms (TICK_RESOLUTION / 1000, assumed >= 1 -- the units of
 * TICK_RESOLUTION are not visible here; verify against the configuration). */
sword64 TimeNowInMilliseconds(void)
{
return (sword64)(uTaskerSystemTick / (TICK_RESOLUTION / 1000));
}
#elif defined(WOLFSSL_LINUXKM)
/* Millisecond clock (64-bit) inside the Linux kernel. Three kernel-version
 * dependent APIs feed the same seconds/nanoseconds pair; all arithmetic is
 * done in s64. */
sword64 TimeNowInMilliseconds(void)
{
    s64 secs;
    s64 nsecs;
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
    struct timespec ts;
    getnstimeofday(&ts);
    secs  = ts.tv_sec;
    nsecs = ts.tv_nsec;
#else
    struct timespec64 ts;
#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0)
    ts = current_kernel_time64();
#else
    ktime_get_coarse_real_ts64(&ts);
#endif
    secs  = ts.tv_sec;
    nsecs = ts.tv_nsec;
#endif
    return (sword64)(secs * 1000 + nsecs / 1000000);
}
#elif defined(WOLFSSL_QNX_CAAM)
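/* Millisecond clock (64-bit) on QNX (CAAM build) from CLOCK_REALTIME.
 *
 * Fixes: (1) the clock_gettime() result is now checked, mirroring the
 * gettimeofday() variant below, instead of converting an uninitialised
 * timespec on failure; (2) tv_sec is widened to sword64 BEFORE the multiply,
 * as the other 64-bit variants do -- the previous `(sword64)(now.tv_sec *
 * 1000 + ...)` multiplied in time_t, which overflows on a 32-bit time_t. */
sword64 TimeNowInMilliseconds(void)
{
    struct timespec now;

    if (clock_gettime(CLOCK_REALTIME, &now) != 0)
        return 0;
    return (sword64)now.tv_sec * 1000 + now.tv_nsec / 1000000;
}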
#elif defined(FUSION_RTOS)
/* Millisecond clock (64-bit) on Fusion RTOS. A failed clock read yields 0.
 * tv_sec is widened before the multiply so a 32-bit time_t cannot overflow. */
sword64 TimeNowInMilliseconds(void)
{
    struct timeval now;
    sword64        ms;

    if (FCL_GETTIMEOFDAY(&now, 0) < 0)
        return 0;
    ms  = (sword64)now.tv_sec * 1000;
    ms += now.tv_usec / 1000;
    return ms;
}
#elif defined(WOLFSSL_ZEPHYR)
/* Millisecond clock (64-bit) on Zephyr, from the kernel uptime counter
 * (already in ms). On the POSIX (native simulation) arch the CPU is idled
 * once before sampling; NOTE(review): presumably because simulated time
 * only advances on idle -- the original gives no rationale, confirm. */
sword64 TimeNowInMilliseconds(void)
{
    int64_t uptimeMs;
#if defined(CONFIG_ARCH_POSIX)
    k_cpu_idle();
#endif
    uptimeMs = k_uptime_get();
    return (sword64)uptimeMs;
}
#elif defined(FREERTOS)
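/* Millisecond clock (64-bit) on FreeRTOS: ticks * 1000 / tick rate.
 *
 * Fix: the tick count is widened to 64 bits BEFORE multiplying. The previous
 * `(uint64_t)(xTaskGetTickCount() * 1000)` applied the cast to the product,
 * so when TickType_t is a 32-bit type the multiplication wrapped after
 * 2^32/1000 ticks (~71 minutes at 1 kHz) and produced a wrong value. */
sword64 TimeNowInMilliseconds(void)
{
    uint64_t ticks = (uint64_t)xTaskGetTickCount();
    return (sword64)((ticks * 1000) / configTICK_RATE_HZ);
}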
#else
/* Millisecond clock (64-bit), POSIX default: gettimeofday(). A failed read
 * yields 0. tv_sec is widened before the multiply so a 32-bit time_t cannot
 * overflow. */
sword64 TimeNowInMilliseconds(void)
{
    struct timeval now;
    sword64        ms;

    if (gettimeofday(&now, 0) < 0)
        return 0;
    ms  = (sword64)now.tv_sec * 1000;
    ms += now.tv_usec / 1000;
    return ms;
}
#endif
#else
#endif
#endif
#endif
/* Write a TLS 1.3 record-layer header at `output`.
 *
 * `length` is the record payload length; it is narrowed to 16 bits without
 * a check, so callers must keep it within the record size limit. The minor
 * version byte is always TLSv1_2_MINOR: TLS 1.3 records carry the legacy
 * 1.2 record version (RFC 8446 5.1), independent of the real negotiated
 * version. */
static void AddTls13RecordHeader(byte* output, word32 length, byte type,
                                 WOLFSSL* ssl)
{
    RecordLayerHeader* hdr = (RecordLayerHeader*)output;

    hdr->type    = type;
    hdr->pvMajor = ssl->version.major;
    hdr->pvMinor = TLSv1_2_MINOR;
    c16toa((word16)length, hdr->length);
}
/* Write a handshake-message header (type + 24-bit length) at `output`.
 *
 * fragOffset/fragLength are only meaningful for DTLS and are ignored here;
 * for DTLS 1.3 the whole header is delegated to Dtls13HandshakeAddHeader(),
 * except for the synthetic message_hash message, which keeps the plain TLS
 * layout. */
static void AddTls13HandShakeHeader(byte* output, word32 length,
                                    word32 fragOffset, word32 fragLength,
                                    byte type, WOLFSSL* ssl)
{
    HandShakeHeader* hs = (HandShakeHeader*)output;
    int useTlsLayout = 1;

    (void)fragOffset;
    (void)fragLength;
    (void)ssl;
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls && type != message_hash) {
        Dtls13HandshakeAddHeader(ssl, output, (enum HandShakeType)type, length);
        useTlsLayout = 0;
    }
#endif
    if (useTlsLayout) {
        hs->type = type;
        c32to24(length, hs->length);
    }
}
/* Write record header + handshake header for an unfragmented handshake
 * message of `length` body bytes. The record length covers the handshake
 * header as well. DTLS 1.3 uses its own combined header writer. */
static void AddTls13Headers(byte* output, word32 length, byte type,
                            WOLFSSL* ssl)
{
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        Dtls13AddHeaders(output, length, (enum HandShakeType)type, ssl);
        return;
    }
#endif
    AddTls13RecordHeader(output, length + HANDSHAKE_HEADER_SZ, handshake, ssl);
    AddTls13HandShakeHeader(output + RECORD_HEADER_SZ, length, 0, length, type,
                            ssl);
}
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) \
&& !defined(NO_CERTS)
/* Write record header + handshake header for one fragment of a handshake
 * message: the record carries `fragSz` body bytes (plus the handshake
 * header) while the handshake header still announces the full `length`.
 * DTLS 1.3 delegates to Dtls13AddHeaders(), which takes the total length. */
static void AddTls13FragHeaders(byte* output, word32 fragSz, word32 fragOffset,
                                word32 length, byte type, WOLFSSL* ssl)
{
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        Dtls13AddHeaders(output, length, (enum HandShakeType)type, ssl);
        return;
    }
#endif
    AddTls13RecordHeader(output, fragSz + HANDSHAKE_HEADER_SZ, handshake, ssl);
    AddTls13HandShakeHeader(output + RECORD_HEADER_SZ, length, fragOffset,
                            fragSz, type, ssl);
}
#endif
/* Serialize the current 64-bit record sequence number (big-endian) into
 * `out` and advance it.
 *
 * verifyOrder selects the peer's (PEER_ORDER, read side) or our own
 * (write side) counter. This is a post-increment: the value written is the
 * one in effect before the call, and the low word carries into the high
 * word on wrap. For DTLS the number comes from Dtls13GetSeq() (0 when
 * DTLS 1.3 is not compiled in). */
static WC_INLINE void WriteSEQTls13(WOLFSSL* ssl, int verifyOrder, byte* out)
{
    word32 hi = 0;
    word32 lo = 0;

    if (ssl->options.dtls) {
#ifdef WOLFSSL_DTLS13
        word32 seq[2] = {0, 0};
        Dtls13GetSeq(ssl, verifyOrder, seq, 1);
        hi = seq[0];
        lo = seq[1];
#endif
    }
    else if (verifyOrder == PEER_ORDER) {
        hi = ssl->keys.peer_sequence_number_hi;
        lo = ssl->keys.peer_sequence_number_lo;
        ssl->keys.peer_sequence_number_lo = lo + 1;
        if (ssl->keys.peer_sequence_number_lo == 0)      /* wrapped: carry */
            ssl->keys.peer_sequence_number_hi++;
    }
    else {
        hi = ssl->keys.sequence_number_hi;
        lo = ssl->keys.sequence_number_lo;
        ssl->keys.sequence_number_lo = lo + 1;
        if (ssl->keys.sequence_number_lo == 0)           /* wrapped: carry */
            ssl->keys.sequence_number_hi++;
    }
#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG_EX("TLS 1.3 Write Sequence %d %d", hi, lo);
#endif
    c32toa(hi, out);
    c32toa(lo, out + OPAQUE32_LEN);
}
/* Build the per-record AEAD nonce (RFC 8446 5.3): the static IV XORed with
 * the 64-bit record sequence number left-padded with zeros to the IV
 * length. An `ivSz` below AEAD_NONCE_SZ is treated as AEAD_NONCE_SZ wide,
 * so `nonce` must have room for at least that many bytes.
 *
 * Side effect: consumes (post-increments) the selected sequence counter
 * via WriteSEQTls13(), so call exactly once per record. */
static WC_INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv,
                                      int ivSz, int order)
{
    int prefixLen;

    if (ivSz < AEAD_NONCE_SZ)
        ivSz = AEAD_NONCE_SZ;
    prefixLen = ivSz - SEQ_SZ;

    /* Leading IV bytes pass through unchanged (XOR with the zero padding). */
    XMEMCPY(nonce, iv, prefixLen);
    /* Trailing SEQ_SZ bytes: big-endian sequence number XOR IV tail. */
    WriteSEQTls13(ssl, order, nonce + prefixLen);
    xorbuf(nonce + prefixLen, iv + prefixLen, SEQ_SZ);
}
#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
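/* ChaCha20-Poly1305 AEAD encryption of one record (RFC 8439 construction).
 *
 * The one-time Poly1305 key is the first 32 bytes of the ChaCha20 keystream
 * at block counter 0 (obtained by encrypting zeros); the payload is then
 * encrypted from counter 1 and the tag is computed over aad || ciphertext.
 *
 * output/input : ciphertext destination / plaintext (sz bytes); tag is
 *                written to `tag` (POLY1305_AUTH_SZ bytes).
 * nonce        : 12-byte per-record nonce from BuildTls13Nonce().
 *
 * Returns 0 on success or the first failing wolfCrypt error.
 *
 * Fix: the one-time key `poly` is now scrubbed on EVERY exit path once it
 * has been generated. Previously a failure of the second wc_Chacha_SetIV()
 * returned with the key still on the stack, unlike the matching decrypt
 * routine which already cleared it there. */
static int ChaCha20Poly1305_Encrypt(WOLFSSL* ssl, byte* output,
                                    const byte* input, word16 sz, byte* nonce,
                                    const byte* aad, word16 aadSz, byte* tag)
{
    int  ret;
    byte poly[CHACHA20_256_KEY_SIZE];

    XMEMSET(poly, 0, sizeof(poly));

    ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0);
    if (ret != 0)
        return ret;                     /* poly is still all zeros */

    ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, poly, sizeof(poly));
    if (ret != 0) {
        ForceZero(poly, sizeof(poly));  /* may hold partial keystream */
        return ret;
    }
#ifdef WOLFSSL_CHECK_MEM_ZERO
    wc_MemZero_Add("ChaCha20Poly1305_Encrypt poly", poly, sizeof(poly));
#endif

    /* Payload keystream starts at counter 1. */
    ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 1);
    if (ret == 0)
        ret = wc_Chacha_Process(ssl->encrypt.chacha, output, input, sz);
    if (ret == 0)
        ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));

    /* Single scrub point for the one-time key, success or failure. */
    ForceZero(poly, sizeof(poly));
#ifdef WOLFSSL_CHECK_MEM_ZERO
    wc_MemZero_Check(poly, sizeof(poly));
#endif
    if (ret != 0)
        return ret;

    return wc_Poly1305_MAC(ssl->auth.poly1305, aad, aadSz, output, sz, tag,
                           POLY1305_AUTH_SZ);
}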
#endif
#ifdef HAVE_NULL_CIPHER
/* "Encrypt" for the integrity-only (NULL cipher) TLS 1.3 suites: no
 * confidentiality, only an HMAC tag over nonce || aad || plaintext. The
 * plaintext is copied to `output` unchanged unless in-place.
 *
 * Returns 0 on success or the first failing HMAC error; on error `output`
 * is left untouched. */
static int Tls13IntegrityOnly_Encrypt(WOLFSSL* ssl, byte* output,
                                      const byte* input, word16 sz,
                                      const byte* nonce,
                                      const byte* aad, word16 aadSz, byte* tag)
{
    int ret;

    ret = wc_HmacUpdate(ssl->encrypt.hmac, nonce, ssl->specs.iv_size);
    if (ret != 0)
        return ret;
    ret = wc_HmacUpdate(ssl->encrypt.hmac, aad, aadSz);
    if (ret != 0)
        return ret;
    ret = wc_HmacUpdate(ssl->encrypt.hmac, input, sz);
    if (ret != 0)
        return ret;
    ret = wc_HmacFinal(ssl->encrypt.hmac, tag);
    if (ret != 0)
        return ret;

    if (output != input)
        XMEMCPY(output, input, sz);
    return 0;
}
#endif
/* AEAD-protect one TLS 1.3 record.
 *
 * output/input : ciphertext destination / plaintext source; may alias
 *                (BuildTls13Message passes the same buffer for both).
 * sz           : plaintext length PLUS ssl->specs.aead_mac_size; the tag is
 *                written at output + (sz - aead_mac_size).
 * aad/aadSz    : additional authenticated data, i.e. the record header.
 * asyncOkay    : with WOLFSSL_ASYNC_CRYPT, allow returning WC_PENDING_E and
 *                resuming later through ssl->encrypt.state.
 *
 * Returns 0 on success, a negative wolfSSL error otherwise. The per-record
 * nonce is derived from the implicit IV and the write sequence number
 * (BuildTls13Nonce, which also advances that counter) and is wiped after
 * use. */
static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
word16 sz, const byte* aad, word16 aadSz, int asyncOkay)
{
int ret = 0;
word16 dataSz;
word16 macSz = ssl->specs.aead_mac_size;
word32 nonceSz = 0;
#ifdef WOLFSSL_ASYNC_CRYPT
WC_ASYNC_DEV* asyncDev = NULL;
word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN;
#endif
WOLFSSL_ENTER("EncryptTls13");
/* `sz` must leave room for the tag, otherwise the subtraction below wraps. */
if (sz < ssl->specs.aead_mac_size)
return BUFFER_E;
dataSz = sz - ssl->specs.aead_mac_size;
(void)output;
(void)input;
(void)sz;
(void)dataSz;
(void)macSz;
(void)asyncOkay;
(void)nonceSz;
#ifdef WOLFSSL_ASYNC_CRYPT
if (ssl->error == WC_NO_ERR_TRACE(WC_PENDING_E)) {
ssl->error = 0;
}
#endif
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
/* Hardware path: anything other than "unavailable" is final; a positive
 * return is normalised to success. */
ret = tsip_Tls13AesEncrypt(ssl, output, input, dataSz);
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
if (ret > 0) {
ret = 0;
}
return ret;
}
ret = 0;
#endif
switch (ssl->encrypt.state) {
case CIPHER_STATE_BEGIN:
{
#ifdef WOLFSSL_DEBUG_TLS
WOLFSSL_MSG("Data to encrypt");
WOLFSSL_BUFFER(input, dataSz);
WOLFSSL_MSG("Additional Authentication Data");
WOLFSSL_BUFFER(aad, aadSz);
#endif
#ifdef WOLFSSL_CIPHER_TEXT_CHECK
/* Keep a prefix of the plaintext so the END state can detect a cipher
 * that "encrypted" to the identity (fault/glitch countermeasure). */
if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) {
XMEMCPY(ssl->encrypt.sanityCheck, input,
min(dataSz, sizeof(ssl->encrypt.sanityCheck)));
}
#endif
#ifdef CIPHER_NONCE
/* Nonce buffer is allocated once per session and reused; it is sized
 * AEAD_MAX_IMP_SZ but only iv_size bytes are tracked/zeroed. */
if (ssl->encrypt.nonce == NULL) {
ssl->encrypt.nonce = (byte*)XMALLOC(AEAD_MAX_IMP_SZ,
ssl->heap, DYNAMIC_TYPE_CIPHER);
#ifdef WOLFSSL_CHECK_MEM_ZERO
if (ssl->encrypt.nonce != NULL) {
wc_MemZero_Add("EncryptTls13 nonce", ssl->encrypt.nonce,
ssl->specs.iv_size);
}
#endif
}
if (ssl->encrypt.nonce == NULL)
return MEMORY_E;
/* Nonce = implicit IV XOR write sequence number; consumes the counter. */
BuildTls13Nonce(ssl, ssl->encrypt.nonce, ssl->keys.aead_enc_imp_IV,
ssl->specs.iv_size, CUR_ORDER);
#endif
ssl->encrypt.state = CIPHER_STATE_DO;
}
FALL_THROUGH;
case CIPHER_STATE_DO:
{
switch (ssl->specs.bulk_cipher_algorithm) {
#ifdef BUILD_AESGCM
case wolfssl_aes_gcm:
#ifdef WOLFSSL_ASYNC_CRYPT
asyncDev = &ssl->encrypt.aes->asyncDev;
ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
if (ret != 0)
break;
#endif
nonceSz = AESGCM_NONCE_SZ;
#if defined(HAVE_PK_CALLBACKS)
/* An application record-processing callback takes precedence; it
 * declines by returning NOT_COMPILED_IN, in which case we fall back
 * to software. */
ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);
if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) {
ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 1,
output, input, dataSz,
ssl->encrypt.nonce, nonceSz,
output + dataSz, macSz,
aad, aadSz);
}
if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN))
#endif
{
#if ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))
ret = wc_AesGcmEncrypt(ssl->encrypt.aes, output, input,
dataSz, ssl->encrypt.nonce, nonceSz,
output + dataSz, macSz, aad, aadSz);
#else
/* Non-legacy builds: set the externally generated IV explicitly
 * and use the _ex variant. */
ret = wc_AesGcmSetExtIV(ssl->encrypt.aes,
ssl->encrypt.nonce, nonceSz);
if (ret == 0) {
ret = wc_AesGcmEncrypt_ex(ssl->encrypt.aes, output,
input, dataSz, ssl->encrypt.nonce, nonceSz,
output + dataSz, macSz, aad, aadSz);
}
#endif
}
break;
#endif
#ifdef HAVE_AESCCM
case wolfssl_aes_ccm:
#ifdef WOLFSSL_ASYNC_CRYPT
asyncDev = &ssl->encrypt.aes->asyncDev;
ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
if (ret != 0)
break;
#endif
nonceSz = AESCCM_NONCE_SZ;
#if defined(HAVE_PK_CALLBACKS)
ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);
if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) {
ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 1,
output, input, dataSz,
ssl->encrypt.nonce, nonceSz,
output + dataSz, macSz,
aad, aadSz);
}
if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN))
#endif
{
#if ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))
ret = wc_AesCcmEncrypt(ssl->encrypt.aes, output, input,
dataSz, ssl->encrypt.nonce, nonceSz,
output + dataSz, macSz, aad, aadSz);
#else
ret = wc_AesCcmSetNonce(ssl->encrypt.aes,
ssl->encrypt.nonce, nonceSz);
if (ret == 0) {
ret = wc_AesCcmEncrypt_ex(ssl->encrypt.aes, output,
input, dataSz, ssl->encrypt.nonce, nonceSz,
output + dataSz, macSz, aad, aadSz);
}
#endif
}
break;
#endif
#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
case wolfssl_chacha:
ret = ChaCha20Poly1305_Encrypt(ssl, output, input, dataSz,
ssl->encrypt.nonce, aad, aadSz, output + dataSz);
break;
#endif
#ifdef WOLFSSL_SM4_GCM
case wolfssl_sm4_gcm:
nonceSz = SM4_GCM_NONCE_SZ;
ret = wc_Sm4GcmEncrypt(ssl->encrypt.sm4, output, input,
dataSz, ssl->encrypt.nonce, nonceSz, output + dataSz,
macSz, aad, aadSz);
break;
#endif
#ifdef WOLFSSL_SM4_CCM
case wolfssl_sm4_ccm:
nonceSz = SM4_CCM_NONCE_SZ;
ret = wc_Sm4CcmEncrypt(ssl->encrypt.sm4, output, input,
dataSz, ssl->encrypt.nonce, nonceSz, output + dataSz,
macSz, aad, aadSz);
break;
#endif
#ifdef HAVE_NULL_CIPHER
case wolfssl_cipher_null:
ret = Tls13IntegrityOnly_Encrypt(ssl, output, input, dataSz,
ssl->encrypt.nonce, aad, aadSz, output + dataSz);
break;
#endif
default:
/* Unreachable for a correctly negotiated suite; leaves state as-is. */
WOLFSSL_MSG("wolfSSL Encrypt programming error");
return ENCRYPT_ERROR;
}
ssl->encrypt.state = CIPHER_STATE_END;
#ifdef WOLFSSL_ASYNC_CRYPT
/* Either block here (caller cannot resume) or hand the pending op to the
 * async queue and return WC_PENDING_E without resetting the state. */
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
if (!asyncOkay) {
ret = wc_AsyncWait(ret, asyncDev, event_flags);
}
else {
return wolfSSL_AsyncPush(ssl, asyncDev);
}
}
#endif
}
FALL_THROUGH;
case CIPHER_STATE_END:
{
#ifdef WOLFSSL_DEBUG_TLS
#ifdef CIPHER_NONCE
WOLFSSL_MSG("Nonce");
WOLFSSL_BUFFER(ssl->encrypt.nonce, ssl->specs.iv_size);
#endif
WOLFSSL_MSG("Encrypted data");
WOLFSSL_BUFFER(output, dataSz);
WOLFSSL_MSG("Authentication Tag");
WOLFSSL_BUFFER(output + dataSz, macSz);
#endif
#ifdef WOLFSSL_CIPHER_TEXT_CHECK
/* If the ciphertext prefix equals the saved plaintext prefix the cipher
 * did not run (e.g. a skipped instruction); refuse to send plaintext. */
if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
XMEMCMP(output, ssl->encrypt.sanityCheck,
min(dataSz, sizeof(ssl->encrypt.sanityCheck))) == 0) {
WOLFSSL_MSG("EncryptTls13 sanity check failed! Glitch?");
return ENCRYPT_ERROR;
}
ForceZero(ssl->encrypt.sanityCheck,
sizeof(ssl->encrypt.sanityCheck));
#endif
#ifdef WOLFSSL_CHECK_MEM_ZERO
if ((ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) &&
(output != input) && (ret == 0)) {
wc_MemZero_Add("TLS 1.3 Encrypt plaintext", input, sz);
}
#endif
#ifdef CIPHER_NONCE
/* The nonce reveals the sequence number; wipe it once used. */
ForceZero(ssl->encrypt.nonce, ssl->specs.iv_size);
#endif
break;
}
default:
break;
}
/* Ready for the next record (also reached after an async resume). */
ssl->encrypt.state = CIPHER_STATE_BEGIN;
return ret;
}
#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
/* ChaCha20-Poly1305 AEAD decryption of one record (RFC 8439 construction).
 *
 * The one-time Poly1305 key is the first 32 bytes of keystream at counter 0;
 * the tag is recomputed over aad || ciphertext and compared in constant
 * time BEFORE any plaintext is produced, so unauthenticated data is never
 * decrypted into `output`.
 *
 * Returns 0 on success, VERIFY_MAC_ERROR on tag mismatch, or the first
 * failing wolfCrypt error. NOTE(review): the early return after the first
 * wc_Chacha_Process() leaves a possibly partially written `poly` unscrubbed;
 * the later paths do scrub it. */
static int ChaCha20Poly1305_Decrypt(WOLFSSL* ssl, byte* output,
const byte* input, word16 sz, byte* nonce,
const byte* aad, word16 aadSz,
const byte* tagIn)
{
int ret;
byte tag[POLY1305_AUTH_SZ];
byte poly[CHACHA20_256_KEY_SIZE];
XMEMSET(poly, 0, sizeof(poly));
ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0);
if (ret != 0)
return ret;
/* Encrypting zeros at counter 0 yields the one-time Poly1305 key. */
ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, poly, sizeof(poly));
if (ret != 0)
return ret;
#ifdef WOLFSSL_CHECK_MEM_ZERO
wc_MemZero_Add("ChaCha20Poly1305_Decrypt poly", poly, sizeof(poly));
#endif
/* Payload keystream starts at counter 1. */
ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 1);
if (ret != 0) {
ForceZero(poly, sizeof(poly));
#ifdef WOLFSSL_CHECK_MEM_ZERO
wc_MemZero_Check(poly, sizeof(poly));
#endif
return ret;
}
ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));
/* The key is inside the Poly1305 context now; scrub the stack copy. */
ForceZero(poly, sizeof(poly));
#ifdef WOLFSSL_CHECK_MEM_ZERO
wc_MemZero_Check(poly, sizeof(poly));
#endif
if (ret != 0)
return ret;
/* Tag over the ciphertext (`input`), then constant-time compare. */
if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, aad, aadSz, input, sz, tag,
sizeof(tag))) != 0) {
return ret;
}
if (ConstantCompare(tagIn, tag, POLY1305_AUTH_SZ) != 0) {
WOLFSSL_MSG("MAC did not match");
return VERIFY_MAC_ERROR;
}
/* Only now decrypt, into `output`. */
ret = wc_Chacha_Process(ssl->decrypt.chacha, output, input, sz);
return ret;
}
#endif
#ifdef HAVE_NULL_CIPHER
/* "Decrypt" for the integrity-only (NULL cipher) TLS 1.3 suites: recompute
 * the HMAC over nonce || aad || data, compare it in constant time against
 * the received tag, and only then copy the data through to `output`.
 *
 * Returns 0 on success, DECRYPT_ERROR on tag mismatch, or the first failing
 * HMAC error. The recomputed tag is always scrubbed before returning. */
static int Tls13IntegrityOnly_Decrypt(WOLFSSL* ssl, byte* output,
                                      const byte* input, word16 sz,
                                      const byte* nonce,
                                      const byte* aad, word16 aadSz,
                                      const byte* tagIn)
{
    int  ret;
    byte expected[WC_MAX_DIGEST_SIZE];

    ret = wc_HmacUpdate(ssl->decrypt.hmac, nonce, ssl->specs.iv_size);
    if (ret != 0)
        goto done;
    ret = wc_HmacUpdate(ssl->decrypt.hmac, aad, aadSz);
    if (ret != 0)
        goto done;
    ret = wc_HmacUpdate(ssl->decrypt.hmac, input, sz);
    if (ret != 0)
        goto done;
    ret = wc_HmacFinal(ssl->decrypt.hmac, expected);
    if (ret != 0)
        goto done;

    if (ConstantCompare(tagIn, expected, ssl->specs.hash_size) != 0) {
        ret = DECRYPT_ERROR;
        goto done;
    }
    if (output != input)
        XMEMCPY(output, input, sz);

done:
    ForceZero(expected, sizeof(expected));
    return ret;
}
#endif
/* Authenticate and decrypt one TLS 1.3 record.
 *
 * output/input : plaintext destination / ciphertext source.
 * sz           : ciphertext length INCLUDING the aead_mac_size tag, which is
 *                read from input + (sz - aead_mac_size).
 * aad/aadSz    : additional authenticated data (the record header).
 *
 * Returns 0 on success, WC_PENDING_E when an async operation is in flight,
 * or a negative error; a tag mismatch surfaces as whichever error the
 * selected cipher reports. The nonce is built from the implicit read IV
 * and the PEER sequence number, which BuildTls13Nonce() advances whether or
 * not authentication later succeeds -- fine for TLS, where a bad record is
 * fatal. Resumable via ssl->decrypt.state under WOLFSSL_ASYNC_CRYPT. */
int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz,
const byte* aad, word16 aadSz)
{
int ret = 0;
word16 dataSz;
word16 macSz = ssl->specs.aead_mac_size;
word32 nonceSz = 0;
WOLFSSL_ENTER("DecryptTls13");
/* Need at least a full tag; otherwise the subtraction below would wrap. */
if (sz < ssl->specs.aead_mac_size) {
return BAD_FUNC_ARG;
}
dataSz = sz - ssl->specs.aead_mac_size;
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
/* Hardware path: any failure is collapsed to VERIFY_MAC_ERROR (unless
 * early data is enabled, where the caller distinguishes errors). */
ret = tsip_Tls13AesDecrypt(ssl, output, input, sz);
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
#ifndef WOLFSSL_EARLY_DATA
if (ret < 0) {
ret = VERIFY_MAC_ERROR;
WOLFSSL_ERROR_VERBOSE(ret);
}
#endif
return ret;
}
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
/* Resume a pending operation if there is one; otherwise start fresh. */
ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state);
if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
return ret;
ssl->error = 0;
}
else
#endif
{
ret = 0;
ssl->decrypt.state = CIPHER_STATE_BEGIN;
}
(void)output;
(void)input;
(void)sz;
(void)dataSz;
(void)macSz;
(void)nonceSz;
switch (ssl->decrypt.state) {
case CIPHER_STATE_BEGIN:
{
#ifdef WOLFSSL_DEBUG_TLS
WOLFSSL_MSG("Data to decrypt");
WOLFSSL_BUFFER(input, dataSz);
WOLFSSL_MSG("Additional Authentication Data");
WOLFSSL_BUFFER(aad, aadSz);
WOLFSSL_MSG("Authentication tag");
WOLFSSL_BUFFER(input + dataSz, macSz);
#endif
#ifdef CIPHER_NONCE
/* Nonce buffer is allocated once per session and reused. */
if (ssl->decrypt.nonce == NULL) {
ssl->decrypt.nonce = (byte*)XMALLOC(AEAD_MAX_IMP_SZ,
ssl->heap, DYNAMIC_TYPE_CIPHER);
#ifdef WOLFSSL_CHECK_MEM_ZERO
if (ssl->decrypt.nonce != NULL) {
wc_MemZero_Add("DecryptTls13 nonce", ssl->decrypt.nonce,
ssl->specs.iv_size);
}
#endif
}
if (ssl->decrypt.nonce == NULL)
return MEMORY_E;
/* Nonce = implicit read IV XOR peer sequence number (consumed here). */
BuildTls13Nonce(ssl, ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV,
ssl->specs.iv_size, PEER_ORDER);
#endif
ssl->decrypt.state = CIPHER_STATE_DO;
}
FALL_THROUGH;
case CIPHER_STATE_DO:
{
switch (ssl->specs.bulk_cipher_algorithm) {
#ifdef BUILD_AESGCM
case wolfssl_aes_gcm:
#ifdef WOLFSSL_ASYNC_CRYPT
ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
WC_ASYNC_FLAG_NONE);
if (ret != 0)
break;
#endif
nonceSz = AESGCM_NONCE_SZ;
#if defined(HAVE_PK_CALLBACKS)
/* Application record-processing callback first; NOT_COMPILED_IN
 * means "declined", fall back to software. */
ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);
if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) {
ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 0,
output, input, dataSz,
ssl->decrypt.nonce, nonceSz,
(byte *)(input + dataSz), macSz,
aad, aadSz);
}
if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN))
#endif
{
/* wc_AesGcmDecrypt verifies the tag itself; on mismatch it reports
 * an error and the caller must treat the record as invalid. */
ret = wc_AesGcmDecrypt(ssl->decrypt.aes, output, input,
dataSz, ssl->decrypt.nonce, nonceSz,
input + dataSz, macSz, aad, aadSz);
#ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
ret = wolfSSL_AsyncPush(ssl,
&ssl->decrypt.aes->asyncDev);
}
#endif
}
break;
#endif
#ifdef HAVE_AESCCM
case wolfssl_aes_ccm:
#ifdef WOLFSSL_ASYNC_CRYPT
ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
WC_ASYNC_FLAG_NONE);
if (ret != 0)
break;
#endif
nonceSz = AESCCM_NONCE_SZ;
#if defined(HAVE_PK_CALLBACKS)
ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);
if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) {
ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 0,
output, input, dataSz,
ssl->decrypt.nonce, nonceSz,
(byte *)(input + dataSz), macSz,
aad, aadSz);
}
if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN))
#endif
{
ret = wc_AesCcmDecrypt(ssl->decrypt.aes, output, input,
dataSz, ssl->decrypt.nonce, nonceSz,
input + dataSz, macSz, aad, aadSz);
#ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
ret = wolfSSL_AsyncPush(ssl,
&ssl->decrypt.aes->asyncDev);
}
#endif
}
break;
#endif
#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
case wolfssl_chacha:
ret = ChaCha20Poly1305_Decrypt(ssl, output, input, dataSz,
ssl->decrypt.nonce, aad, aadSz, input + dataSz);
break;
#endif
#ifdef WOLFSSL_SM4_GCM
case wolfssl_sm4_gcm:
nonceSz = SM4_GCM_NONCE_SZ;
ret = wc_Sm4GcmDecrypt(ssl->decrypt.sm4, output, input,
dataSz, ssl->decrypt.nonce, nonceSz, input + dataSz,
macSz, aad, aadSz);
break;
#endif
#ifdef WOLFSSL_SM4_CCM
case wolfssl_sm4_ccm:
nonceSz = SM4_CCM_NONCE_SZ;
ret = wc_Sm4CcmDecrypt(ssl->decrypt.sm4, output, input,
dataSz, ssl->decrypt.nonce, nonceSz, input + dataSz,
macSz, aad, aadSz);
break;
#endif
#ifdef HAVE_NULL_CIPHER
case wolfssl_cipher_null:
ret = Tls13IntegrityOnly_Decrypt(ssl, output, input, dataSz,
ssl->decrypt.nonce, aad, aadSz, input + dataSz);
break;
#endif
default:
/* Unreachable for a correctly negotiated suite. */
WOLFSSL_MSG("wolfSSL Decrypt programming error");
return DECRYPT_ERROR;
}
ssl->decrypt.state = CIPHER_STATE_END;
#ifdef WOLFSSL_ASYNC_CRYPT
/* Pending: state stays at END so the resume skips straight to cleanup. */
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
return ret;
}
#endif
}
FALL_THROUGH;
case CIPHER_STATE_END:
{
#ifdef WOLFSSL_DEBUG_TLS
#ifdef CIPHER_NONCE
WOLFSSL_MSG("Nonce");
WOLFSSL_BUFFER(ssl->decrypt.nonce, ssl->specs.iv_size);
#endif
WOLFSSL_MSG("Decrypted data");
WOLFSSL_BUFFER(output, dataSz);
#endif
#ifdef WOLFSSL_CHECK_MEM_ZERO
if ((ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) &&
(ret == 0)) {
wc_MemZero_Add("TLS 1.3 Decrypted data", output, sz);
}
#endif
#ifdef CIPHER_NONCE
/* Wipe the nonce (it embeds the sequence number) after every record. */
ForceZero(ssl->decrypt.nonce, ssl->specs.iv_size);
#endif
break;
}
default:
break;
}
if (ret < 0) {
WOLFSSL_ERROR_VERBOSE(ret);
}
return ret;
}
/* Working state for BuildTls13Message(); lives in ssl->async->args when the
 * call may be suspended (WOLFSSL_ASYNC_CRYPT), on the stack otherwise. */
typedef struct BuildMsg13Args {
word32 sz;        /* total record size: header + inner plaintext + tag */
word32 idx;       /* next write offset into the output buffer */
word32 headerSz;  /* record header length (TLS or DTLS 1.3 ciphertext hdr) */
word16 size;      /* encrypted payload length written into the header */
word32 paddingSz; /* zero padding appended to reach the DTLS minimum */
} BuildMsg13Args;
/* Release callback for BuildMsg13Args. The struct owns no heap memory, so
 * there is nothing to free; it exists only so the async machinery has a
 * uniform freeArgs hook to install. */
static void FreeBuildMsg13Args(WOLFSSL* ssl, void* pArgs)
{
    (void)ssl;
    (void)pArgs;
}
/* Build one protected TLS 1.3 record from `input`.
 *
 * The output layout is: record header | encrypted( input | type | zero
 * padding ) | AEAD tag -- i.e. the inner plaintext trailer carries the real
 * content type (RFC 8446 5.2) and the outer header says application_data.
 *
 * output/outSz : destination buffer and its capacity.
 * input/inSz   : message to protect (may already sit at output + header).
 * type         : real content type, written as the inner plaintext trailer.
 * hashOutput   : also feed the message into the handshake transcript hash.
 * sizeOnly     : compute the record size only; output and input must be NULL.
 * asyncOkay    : allow WC_PENDING_E and later resume via
 *                ssl->options.buildMsgState.
 *
 * Returns the full record size in bytes on success (or the size needed when
 * sizeOnly), WC_PENDING_E while async work is outstanding, or a negative
 * error. On encryption failure the plaintext copy in `output` is wiped. */
int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay)
{
int ret;
BuildMsg13Args* args;
BuildMsg13Args lcl_args;
WOLFSSL_ENTER("BuildTls13Message");
#ifdef WOLFSSL_ASYNC_CRYPT
ret = WC_NO_PENDING_E;
if (asyncOkay) {
/* Presumably a sizeof-based (compile-time) check -- no dereference. */
WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
if (ssl->async == NULL) {
ssl->async = (struct WOLFSSL_ASYNC*)
XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
DYNAMIC_TYPE_ASYNC);
if (ssl->async == NULL)
return MEMORY_E;
}
args = (BuildMsg13Args*)ssl->async->args;
/* Resume a suspended build, if any. */
ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState);
if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
if (ret < 0)
goto exit_buildmsg;
}
}
else
#endif
{
args = &lcl_args;
}
#ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_NO_ERR_TRACE(WC_NO_PENDING_E))
#endif
{
/* Fresh build: header size depends on the transport. */
ret = 0;
ssl->options.buildMsgState = BUILD_MSG_BEGIN;
XMEMSET(args, 0, sizeof(BuildMsg13Args));
args->headerSz = RECORD_HEADER_SZ;
#ifdef WOLFSSL_DTLS13
if (ssl->options.dtls)
args->headerSz = Dtls13GetRlHeaderLength(ssl, 1);
#endif
args->sz = args->headerSz + (word32)inSz;
args->idx = args->headerSz;
#ifdef WOLFSSL_ASYNC_CRYPT
if (asyncOkay)
ssl->async->freeArgs = FreeBuildMsg13Args;
#endif
}
switch (ssl->options.buildMsgState) {
case BUILD_MSG_BEGIN:
{
if (sizeOnly) {
if (output || input) {
WOLFSSL_MSG("BuildTls13Message with sizeOnly "
"doesn't need input or output");
return BAD_FUNC_ARG;
}
}
else if (output == NULL || input == NULL) {
return BAD_FUNC_ARG;
}
/* +1 for the inner content-type byte, plus the AEAD tag. */
args->sz++;
args->sz += ssl->specs.aead_mac_size;
#ifdef WOLFSSL_DTLS13
/* DTLS 1.3 records have a minimum length; pad with zeros to reach it. */
if (ssl->options.dtls &&
args->sz < (word32)Dtls13MinimumRecordLength(ssl)) {
args->paddingSz = Dtls13MinimumRecordLength(ssl) - args->sz;
args->sz = Dtls13MinimumRecordLength(ssl);
}
#endif
if (sizeOnly)
return (int)args->sz;
/* Bounds check before anything is written to `output`. */
if (args->sz > (word32)outSz) {
WOLFSSL_MSG("Oops, want to write past output buffer size");
return BUFFER_E;
}
/* Record length field = everything after the header. */
args->size = (word16)(args->sz - args->headerSz);
if (ssl->options.dtls) {
#ifdef WOLFSSL_DTLS13
Dtls13RlAddCiphertextHeader(ssl, output, args->size);
#endif
}
else {
AddTls13RecordHeader(output, args->size, application_data, ssl);
}
/* Copy the plaintext into place unless the caller built it in situ. */
if (input != output + args->idx)
XMEMCPY(output + args->idx, input, (size_t)inSz);
args->idx += (word32)inSz;
ssl->options.buildMsgState = BUILD_MSG_HASH;
}
FALL_THROUGH;
case BUILD_MSG_HASH:
{
/* Transcript hash is taken over the unencrypted message. */
if (hashOutput) {
ret = HashOutput(ssl, output, (int)args->headerSz + inSz, 0);
if (ret != 0)
goto exit_buildmsg;
}
/* Inner plaintext trailer: real content type, then zero padding. */
output[args->idx++] = (byte)type;
XMEMSET(output + args->idx, 0, args->paddingSz);
args->idx += args->paddingSz;
ssl->options.buildMsgState = BUILD_MSG_ENCRYPT;
}
FALL_THROUGH;
case BUILD_MSG_ENCRYPT:
{
#ifdef WOLFSSL_QUIC
/* QUIC does its own packet protection: emit an unprotected record whose
 * header carries the real type, and report header + payload length. */
if (WOLFSSL_IS_QUIC(ssl)) {
AddTls13RecordHeader(output, (word32)inSz, (byte)type, ssl);
ret = (int)args->headerSz + inSz;
goto exit_buildmsg;
}
#endif
#ifdef ATOMIC_USER
if (ssl->ctx->MacEncryptCb) {
byte* mac = output + args->idx;
output += args->headerSz;
ret = ssl->ctx->MacEncryptCb(ssl, mac, output, (unsigned int)inSz, (byte)type, 0,
output, output, args->size, ssl->MacEncryptCtx);
}
else
#endif
{
/* The record header is the AEAD additional data; encrypt in place. */
const byte* aad = output;
output += args->headerSz;
ret = EncryptTls13(ssl, output, output, args->size, aad,
(word16)args->headerSz, asyncOkay);
if (ret != 0) {
#ifdef WOLFSSL_ASYNC_CRYPT
if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
#endif
{
/* Don't leave plaintext in the output buffer on failure. */
ForceZero(output, args->size);
}
}
#ifdef WOLFSSL_DTLS13
/* DTLS 1.3 additionally encrypts the record sequence number. */
if (ret == 0 && ssl->options.dtls) {
ret = Dtls13EncryptRecordNumber(ssl, (byte*)aad,
(word16)args->sz);
}
#endif
}
break;
}
default:
break;
}
exit_buildmsg:
WOLFSSL_LEAVE("BuildTls13Message", ret);
#ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
return ret;
}
#endif
ssl->options.buildMsgState = BUILD_MSG_BEGIN;
if (ret == 0) {
ret = (int)args->sz;
}
else {
WOLFSSL_ERROR_VERBOSE(ret);
}
#ifdef WOLFSSL_ASYNC_CRYPT
if (asyncOkay)
FreeAsyncCtx(ssl, 0);
else
#endif
FreeBuildMsg13Args(ssl, args);
return ret;
}
#if !defined(NO_WOLFSSL_CLIENT) || (!defined(NO_WOLFSSL_SERVER) && \
(defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
(defined(WOLFSSL_PSK_ONE_ID) || defined(WOLFSSL_PRIORITIZE_PSK)))
/* Return 1 if the 2-byte cipher suite id `suite` appears in the suites
 * enabled on `ssl`, else 0. The suite list is a flat byte array of
 * consecutive 2-byte ids, suiteSz bytes long; the scan is linear. */
int FindSuiteSSL(const WOLFSSL* ssl, byte* suite)
{
    const Suites* enabled = WOLFSSL_SUITES(ssl);
    word16 pos = 0;

    while (pos < enabled->suiteSz) {
        if (enabled->suites[pos] == suite[0] &&
            enabled->suites[pos + 1] == suite[1]) {
            return 1;
        }
        pos += 2;
    }
    return 0;
}
#endif
#ifndef NO_PSK
/* Hash/MAC algorithm for a TLS 1.3 suite (first byte TLS13_BYTE). */
static byte SuiteMacTls13(byte id)
{
    switch (id) {
#ifdef BUILD_TLS_AES_128_GCM_SHA256
        case TLS_AES_128_GCM_SHA256:
            return sha256_mac;
#endif
#ifdef BUILD_TLS_CHACHA20_POLY1305_SHA256
        case TLS_CHACHA20_POLY1305_SHA256:
            return sha256_mac;
#endif
#ifdef BUILD_TLS_AES_128_CCM_SHA256
        case TLS_AES_128_CCM_SHA256:
            return sha256_mac;
#endif
#ifdef BUILD_TLS_AES_128_CCM_8_SHA256
        case TLS_AES_128_CCM_8_SHA256:
            return sha256_mac;
#endif
#ifdef BUILD_TLS_AES_256_GCM_SHA384
        case TLS_AES_256_GCM_SHA384:
            return sha384_mac;
#endif
        default:
            return no_mac;
    }
}

#if (defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)) && \
    defined(WOLFSSL_SM3)
/* Hash/MAC algorithm for the SM4/SM3 suites (first byte CIPHER_BYTE). */
static byte SuiteMacSm4(byte id)
{
    switch (id) {
#ifdef BUILD_TLS_SM4_GCM_SM3
        case TLS_SM4_GCM_SM3:
            return sm3_mac;
#endif
#ifdef BUILD_TLS_SM4_CCM_SM3
        case TLS_SM4_CCM_SM3:
            return sm3_mac;
#endif
        default:
            return no_mac;
    }
}
#endif

#ifdef HAVE_NULL_CIPHER
/* Hash/MAC algorithm for the integrity-only suites (first byte ECC_BYTE). */
static byte SuiteMacNull(byte id)
{
    switch (id) {
#ifdef BUILD_TLS_SHA256_SHA256
        case TLS_SHA256_SHA256:
            return sha256_mac;
#endif
#ifdef BUILD_TLS_SHA384_SHA384
        case TLS_SHA384_SHA384:
            return sha384_mac;
#endif
        default:
            return no_mac;
    }
}
#endif

/* Map a 2-byte cipher suite id to its hash/MAC algorithm (sha256_mac,
 * sha384_mac, sm3_mac), or no_mac when the suite is unknown or not built
 * in. The first byte selects the suite family; only one family can match. */
byte SuiteMac(const byte* suite)
{
    if (suite[0] == TLS13_BYTE)
        return SuiteMacTls13(suite[1]);
#if (defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)) && \
    defined(WOLFSSL_SM3)
    if (suite[0] == CIPHER_BYTE)
        return SuiteMacSm4(suite[1]);
#endif
#ifdef HAVE_NULL_CIPHER
    if (suite[0] == ECC_BYTE)
        return SuiteMacNull(suite[1]);
#endif
    return no_mac;
}
#endif
#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
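/* Build the HelloRetryRequest cookie extension for a stateless server.
 *
 * The cookie body is: one length byte, the transcript hash supplied by the
 * caller, the two selected cipher-suite bytes and, when a key_share
 * extension with an entry is present, the two-byte group of that entry. The
 * body is authenticated with HMAC(tls13CookieSecret) over the body and, for
 * DTLS, over the peer address as well, so a returned cookie can be verified
 * without keeping per-client state.
 *
 * ssl                        connection holding the cookie secret.
 * hash, hashSz               transcript hash to embed; hashSz must be
 *                            1..WC_MAX_DIGEST_SIZE.
 * exts                       extension list searched for key_share and that
 *                            the cookie extension is added to.
 * cipherSuite0, cipherSuite  negotiated suite bytes embedded in the cookie.
 *
 * Returns BAD_FUNC_ARG on a bad argument, COOKIE_ERROR when no cookie secret
 * is configured, BAD_STATE_E when key_share carries no entry, an HMAC error,
 * or otherwise the result of TLSX_Cookie_Use.
 *
 * NOTE(review): the cookie carries no timestamp or nonce, so a captured cookie
 * stays valid until tls13CookieSecret changes — confirm that matches the
 * intended stateless-HRR threat model.
 */
int CreateCookieExt(const WOLFSSL* ssl, byte* hash, word16 hashSz,
                    TLSX** exts, byte cipherSuite0, byte cipherSuite)
{
    int    ret;
    byte   mac[WC_MAX_DIGEST_SIZE] = {0};
    Hmac   cookieHmac;
    byte   cookieType = 0;
    byte   macSz = 0;
    /* length byte + hash + cipher suite + key share group */
    byte   cookie[OPAQUE8_LEN + WC_MAX_DIGEST_SIZE + OPAQUE16_LEN * 2];
    TLSX*  ext;
    word16 cookieSz = 0;

    if (ssl == NULL || hash == NULL || hashSz == 0 || exts == NULL) {
        return BAD_FUNC_ARG;
    }
    /* The hash field of cookie[] is WC_MAX_DIGEST_SIZE bytes; refuse anything
     * larger so the copy below can never run past the buffer. Callers pass
     * specs.hash_size today, so this is a defensive bound. */
    if (hashSz > WC_MAX_DIGEST_SIZE) {
        return BAD_FUNC_ARG;
    }

    if (ssl->buffers.tls13CookieSecret.buffer == NULL ||
            ssl->buffers.tls13CookieSecret.length == 0) {
        WOLFSSL_MSG("Missing DTLS 1.3 cookie secret");
        return COOKIE_ERROR;
    }

    /* cookie body: hash (length-prefixed), suite, optional key share group */
    cookie[cookieSz++] = (byte)hashSz;
    XMEMCPY(cookie + cookieSz, hash, hashSz);
    cookieSz += hashSz;
    cookie[cookieSz++] = cipherSuite0;
    cookie[cookieSz++] = cipherSuite;
    if ((ext = TLSX_Find(*exts, TLSX_KEY_SHARE)) != NULL) {
        KeyShareEntry* kse = (KeyShareEntry*)ext->data;
        if (kse == NULL) {
            WOLFSSL_MSG("KeyShareEntry can't be empty when negotiating "
                        "parameters");
            return BAD_STATE_E;
        }
        c16toa(kse->group, cookie + cookieSz);
        cookieSz += OPAQUE16_LEN;
    }

    /* strongest compiled-in digest for the cookie HMAC */
#ifndef NO_SHA256
    cookieType = WC_SHA256;
    macSz = WC_SHA256_DIGEST_SIZE;
#elif defined(WOLFSSL_SHA384)
    cookieType = WC_SHA384;
    macSz = WC_SHA384_DIGEST_SIZE;
#elif defined(WOLFSSL_TLS13_SHA512)
    cookieType = WC_SHA512;
    macSz = WC_SHA512_DIGEST_SIZE;
#elif defined(WOLFSSL_SM3)
    cookieType = WC_SM3;
    macSz = WC_SM3_DIGEST_SIZE;
#else
    #error "No digest to available to use with HMAC for cookies."
#endif

    ret = wc_HmacInit(&cookieHmac, ssl->heap, ssl->devId);
    if (ret == 0) {
        ret = wc_HmacSetKey(&cookieHmac, cookieType,
                            ssl->buffers.tls13CookieSecret.buffer,
                            ssl->buffers.tls13CookieSecret.length);
    }
    if (ret == 0)
        ret = wc_HmacUpdate(&cookieHmac, cookie, cookieSz);
#ifdef WOLFSSL_DTLS13
    /* bind the cookie to the peer address so it cannot be replayed from
     * another source address */
    if (ret == 0) {
        if (ssl->options.dtls && ssl->buffers.dtlsCtx.peer.sz > 0) {
            ret = wc_HmacUpdate(&cookieHmac,
                (byte*)ssl->buffers.dtlsCtx.peer.sa,
                ssl->buffers.dtlsCtx.peer.sz);
        }
    }
#endif
    if (ret == 0)
        ret = wc_HmacFinal(&cookieHmac, mac);
    wc_HmacFree(&cookieHmac);
    if (ret != 0)
        return ret;

    return TLSX_Cookie_Use(ssl, cookie, cookieSz, mac, macSz, 1, exts);
}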
#endif
#ifdef WOLFSSL_DTLS13
#define HRR_MAX_HS_HEADER_SZ DTLS_HANDSHAKE_HEADER_SZ
#else
#define HRR_MAX_HS_HEADER_SZ HANDSHAKE_HEADER_SZ
#endif
/* Select the transcript hash matching the negotiated MAC algorithm and, on a
 * server that sends HRR cookies, build the cookie extension from it.
 *
 * ssl     connection; specs.mac_algorithm and specs.hash_size are read.
 * hash    out: pointer into hashes for the selected digest, NULL if the
 *         algorithm is not compiled in.
 * hashSz  out: specs.hash_size.
 * hashes  all transcript digests (from BuildCertHashes).
 * exts    extension list handed to CreateCookieExt; unused otherwise.
 *
 * Returns BAD_FUNC_ARG when a non-zero hash size has no matching digest,
 * the CreateCookieExt result when a cookie is generated, else 0.
 */
static int CreateCookie(const WOLFSSL* ssl, byte** hash, byte* hashSz,
                        Hashes* hashes, TLSX** exts)
{
    byte* selected = NULL;

    (void)exts;

    switch (ssl->specs.mac_algorithm) {
#ifndef NO_SHA256
        case sha256_mac:
            selected = hashes->sha256;
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            selected = hashes->sha384;
            break;
#endif
#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            selected = hashes->sha512;
            break;
#endif
#ifdef WOLFSSL_SM3
        case sm3_mac:
            selected = hashes->sm3;
            break;
#endif
        default:
            break;
    }

    *hash = selected;
    *hashSz = ssl->specs.hash_size;
    /* a hash size without a digest means the algorithm is not built in */
    if (selected == NULL && *hashSz > 0)
        return BAD_FUNC_ARG;

#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
    if (ssl->options.sendCookie && ssl->options.side == WOLFSSL_SERVER_END) {
        return CreateCookieExt(ssl, selected, *hashSz, exts,
            ssl->options.cipherSuite0, ssl->options.cipherSuite);
    }
#endif
    return 0;
}
/* Restart the handshake transcript for a HelloRetryRequest: the transcript so
 * far is replaced by a synthetic message_hash handshake message carrying the
 * hash of the first ClientHello (RFC 8446 section 4.4.1).
 *
 * A server that sends a cookie instead embeds the hash in the cookie (see
 * CreateCookie) and leaves the transcript untouched, since the state will be
 * rebuilt from the cookie when the client returns it.
 *
 * Returns 0 on success or the first failing step's negative error code.
 */
int RestartHandshakeHash(WOLFSSL* ssl)
{
    int    ret;
    byte   synthHeader[HANDSHAKE_HEADER_SZ] = {0};
    Hashes hashes;
    byte*  hash = NULL;
    byte   hashSz = 0;

    ret = BuildCertHashes(ssl, &hashes);
    if (ret == 0)
        ret = CreateCookie(ssl, &hash, &hashSz, &hashes, &ssl->extensions);
    if (ret != 0)
        return ret;

#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
    /* stateless server: the hash travels in the cookie, nothing to restart */
    if (ssl->options.sendCookie && ssl->options.side == WOLFSSL_SERVER_END)
        return 0;
#endif

    /* message_hash header: type plus the digest length; never sent on the
     * wire, only hashed */
    AddTls13HandShakeHeader(synthHeader, hashSz, 0, 0, message_hash, ssl);
#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("Restart Hash");
    WOLFSSL_BUFFER(hash, hashSz);
#endif

    ret = InitHandshakeHashes(ssl);
    if (ret == 0)
        ret = HashRaw(ssl, synthHeader, sizeof(synthHeader));
    if (ret == 0)
        ret = HashRaw(ssl, hash, hashSz);
    return ret;
}
#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)
/* The fixed 32-byte "random" value that marks a ServerHello as a
 * HelloRetryRequest (RFC 8446 section 4.1.3; the SHA-256 of the string
 * "HelloRetryRequest"). A client compares the received random against this
 * to detect an HRR.
 * NOTE(review): not const; presumably only ever read (compared/copied) —
 * confirm before qualifying it. */
static byte helloRetryRequestRandom[] = {
    0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
    0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
    0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
    0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
};
#endif
#ifdef HAVE_ECH
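/* Pick the first HPKE cipher suite in an ECHConfig that this build supports.
 *
 * config  parsed ECH configuration (kemId, cipherSuites[], numCipherSuites).
 *
 * Returns the index into config->cipherSuites of the first entry whose KDF
 * and AEAD are both supported, or WOLFSSL_FATAL_ERROR when config is NULL,
 * its KEM is unsupported, or no suite qualifies.
 */
int EchConfigGetSupportedCipherSuite(WOLFSSL_EchConfig* config)
{
    int i;

    /* a NULL config was previously dereferenced; treat it as "nothing usable"
     * so callers see the same failure as an unsupported config */
    if (config == NULL || !wc_HpkeKemIsSupported(config->kemId)) {
        return WOLFSSL_FATAL_ERROR;
    }

    for (i = 0; i < config->numCipherSuites; i++) {
        if (wc_HpkeKdfIsSupported(config->cipherSuites[i].kdfId) &&
                wc_HpkeAeadIsSupported(config->cipherSuites[i].aeadId)) {
            return i;
        }
    }

    return WOLFSSL_FATAL_ERROR;
}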
/* Feed the inner ClientHello into the ECH transcript (ssl->hsHashesEch).
 *
 * The inner transcript is created on first use while ECH has not yet been
 * accepted (innerCount is set to 1 at that point); afterwards the existing one
 * is extended. On the client, innerClientHello still carries its padding and
 * the HPKE tag area (innerClientHelloLen is sized that way in
 * SendTls13ClientHello), so those are excluded and a handshake header is
 * synthesized in front of the body. On the server, innerClientHello already
 * starts with its handshake header and is hashed as-is.
 *
 * ssl->hsHashes is pointed at the inner transcript for the duration and
 * restored before returning.
 *
 * Returns BAD_FUNC_ARG on NULL arguments, else 0 or the HashRaw /
 * InitHandshakeHashes error.
 *
 * NOTE(review): on the client, realSz = innerClientHelloLen - (paddingLen +
 * hpke->Nt) is unsigned and unchecked; a shorter innerClientHelloLen would
 * wrap — confirm SendTls13ClientHello is the only writer of these fields.
 */
static int EchHashHelloInner(WOLFSSL* ssl, WOLFSSL_ECH* ech)
{
    int ret = 0;
    int headerSz;
    word32 realSz;
    HS_Hashes* tmpHashes;
#ifndef NO_WOLFSSL_CLIENT
    byte falseHeader[HRR_MAX_HS_HEADER_SZ];
#endif

    if (ssl == NULL || ech == NULL) {
        return BAD_FUNC_ARG;
    }

#ifdef WOLFSSL_DTLS13
    headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ :
        HANDSHAKE_HEADER_SZ;
#else
    headerSz = HANDSHAKE_HEADER_SZ;
#endif

    realSz = ech->innerClientHelloLen;
#ifndef NO_WOLFSSL_CLIENT
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        /* the stored buffer includes padding and room for the HPKE tag; the
         * transcript covers only the real inner ClientHello body */
        realSz -= ech->paddingLen + ech->hpke->Nt;
    }
#endif

    /* switch to the inner transcript, creating it on first use */
    tmpHashes = ssl->hsHashes;
    ssl->hsHashes = ssl->hsHashesEch;
    if (ssl->options.echAccepted == 0 && ssl->hsHashes == NULL) {
        ret = InitHandshakeHashes(ssl);
        if (ret == 0) {
            ssl->hsHashesEch = ssl->hsHashes;
            ech->innerCount = 1;
        }
    }

    if (ret == 0) {
#ifndef NO_WOLFSSL_CLIENT
        if (ssl->options.side == WOLFSSL_CLIENT_END) {
            /* synthesize the handshake header the inner message would have */
            AddTls13HandShakeHeader(falseHeader, realSz, 0, 0, client_hello,
                ssl);
            ret = HashRaw(ssl, falseHeader, headerSz);
            if (ret == 0) {
                ret = HashRaw(ssl, ech->innerClientHello, realSz);
            }
        }
#endif
#ifndef NO_WOLFSSL_SERVER
        if (ssl->options.side == WOLFSSL_SERVER_END) {
            /* server-side buffer already starts with the handshake header */
            ret = HashRaw(ssl, ech->innerClientHello, headerSz + realSz);
        }
#endif
    }

    /* restore the outer transcript */
    ssl->hsHashes = tmpHashes;
    return ret;
}
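/* Derive the ECH_ACCEPT_CONFIRMATION_SZ-byte ECH acceptance confirmation for
 * a ServerHello or HelloRetryRequest.
 *
 * The value is HKDF-Expand-Label over a PRK extracted from clientRandomInner
 * (with an all-zero salt), using the caller-supplied label and the hash of
 * "transcript_ech_conf": the inner-ClientHello transcript (hsHashesEch)
 * extended with the server message in which the confirmation bytes at
 * acceptOffset are replaced by zeros. For an HRR the inner transcript is
 * first collapsed into a message_hash message, as for a normal transcript
 * restart, and hsHashesEch is replaced by that collapsed transcript.
 *
 * ssl             connection; hsHashes is swapped out and restored on exit.
 * label, labelSz  HKDF label (ServerHello vs. HRR confirmation).
 * input           server message, starting at its handshake header.
 * acceptOffset    offset in input of the confirmation field.
 * helloSz         message body length; helloSz + handshake header size bytes
 *                 of input are hashed.
 * isHrr           non-zero when input is a HelloRetryRequest.
 * acceptExpanded  out: ECH_ACCEPT_CONFIRMATION_SZ bytes.
 *
 * Returns 0 on success, WOLFSSL_FATAL_ERROR for an unknown MAC algorithm or
 * a missing transcript digest, else the negative error of the failing step.
 *
 * NOTE(review): acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ must not exceed
 * helloSz + headerSz; the remaining-length expression below goes negative
 * otherwise and nothing here checks it — confirm the callers validate it.
 */
static int EchCalcAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
    const byte* input, int acceptOffset, int helloSz, byte isHrr,
    byte* acceptExpanded)
{
    int ret = 0;
    int digestType = 0;
    int digestSize = 0;
    int hashSz = 0;
    int headerSz;
    HS_Hashes* tmpHashes;
    HS_Hashes* acceptHash = NULL;
    byte zeros[WC_MAX_DIGEST_SIZE];
    byte transcriptEchConf[WC_MAX_DIGEST_SIZE];
    byte clientHelloInnerHash[WC_MAX_DIGEST_SIZE];
    byte expandLabelPrk[WC_MAX_DIGEST_SIZE];
    byte messageHashHeader[HRR_MAX_HS_HEADER_SZ];

    XMEMSET(zeros, 0, sizeof(zeros));
    XMEMSET(transcriptEchConf, 0, sizeof(transcriptEchConf));
    XMEMSET(clientHelloInnerHash, 0, sizeof(clientHelloInnerHash));
    XMEMSET(expandLabelPrk, 0, sizeof(expandLabelPrk));
    /* Zero the header scratch so every byte fed to HashRaw is defined.
     * NOTE(review): headerSz bytes of it are hashed; if
     * AddTls13HandShakeHeader writes fewer than that for message_hash (the
     * DTLS header size is larger than the TLS one) the remainder was
     * previously uninitialized — confirm which size the peer hashes. */
    XMEMSET(messageHashHeader, 0, sizeof(messageHashHeader));
#ifdef WOLFSSL_CHECK_MEM_ZERO
    wc_MemZero_Add("ECH PRK", expandLabelPrk, sizeof(expandLabelPrk));
#endif

    /* work on the inner (ECH) transcript; the outer one is restored on exit */
    tmpHashes = ssl->hsHashes;
    ssl->hsHashes = ssl->hsHashesEch;

#ifdef WOLFSSL_DTLS13
    headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ :
        HANDSHAKE_HEADER_SZ;
#else
    headerSz = HANDSHAKE_HEADER_SZ;
#endif

    if (isHrr) {
        /* collapse the inner ClientHello transcript into a message_hash
         * message before appending the HRR */
        hashSz = GetMsgHash(ssl, clientHelloInnerHash);
        /* A positive return is the digest length (it is used as one below);
         * anything else means no digest was produced and must not be cast to
         * a length. Previously a non-positive value was silently accepted. */
        if (hashSz <= 0) {
            ret = (hashSz < 0) ? hashSz : WOLFSSL_FATAL_ERROR;
        }
        if (ret == 0) {
            ret = InitHandshakeHashes(ssl);
        }
        if (ret == 0) {
            ssl->hsHashesEch = ssl->hsHashes;
            AddTls13HandShakeHeader(messageHashHeader, (word32)hashSz, 0, 0,
                message_hash, ssl);
            ret = HashRaw(ssl, messageHashHeader, headerSz);
        }
        if (ret == 0) {
            ret = HashRaw(ssl, clientHelloInnerHash, (word32)hashSz);
        }
    }

    /* transcript_ech_conf: copy of the inner transcript plus the server
     * message with its confirmation bytes zeroed */
    if (ret == 0) {
        ret = InitHandshakeHashesAndCopy(ssl, ssl->hsHashesEch, &acceptHash);
    }
    if (ret == 0) {
        ssl->hsHashes = acceptHash;
        ret = HashRaw(ssl, input, acceptOffset);
    }
    if (ret == 0) {
        ret = HashRaw(ssl, zeros, ECH_ACCEPT_CONFIRMATION_SZ);
    }
    if (ret == 0) {
        ret = HashRaw(ssl, input + acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ,
            helloSz + headerSz - (acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ));
    }
    if (ret == 0) {
        ret = GetMsgHash(ssl, transcriptEchConf);
        if (ret > 0) {
            ret = 0;
        }
    }

    if (ret == 0) {
        switch (ssl->specs.mac_algorithm) {
#ifndef NO_SHA256
            case sha256_mac:
                digestType = WC_SHA256;
                digestSize = WC_SHA256_DIGEST_SIZE;
                break;
#endif
#ifdef WOLFSSL_SHA384
            case sha384_mac:
                digestType = WC_SHA384;
                digestSize = WC_SHA384_DIGEST_SIZE;
                break;
#endif
#ifdef WOLFSSL_TLS13_SHA512
            case sha512_mac:
                digestType = WC_SHA512;
                digestSize = WC_SHA512_DIGEST_SIZE;
                break;
#endif
#ifdef WOLFSSL_SM3
            case sm3_mac:
                digestType = WC_SM3;
                digestSize = WC_SM3_DIGEST_SIZE;
                break;
#endif
            default:
                ret = WOLFSSL_FATAL_ERROR;
                break;
        }
    }

    /* PRK = HKDF-Extract(salt = zeros, IKM = inner client random) */
    if (ret == 0) {
        PRIVATE_KEY_UNLOCK();
#if !defined(HAVE_FIPS) || \
    (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
        ret = wc_HKDF_Extract_ex(digestType, zeros, (word32)digestSize,
            ssl->arrays->clientRandomInner, RAN_LEN, expandLabelPrk,
            ssl->heap, ssl->devId);
#else
        ret = wc_HKDF_Extract(digestType, zeros, digestSize,
            ssl->arrays->clientRandomInner, RAN_LEN, expandLabelPrk);
#endif
        PRIVATE_KEY_LOCK();
    }

    /* confirmation = HKDF-Expand-Label(PRK, label, Hash(transcript_ech_conf)) */
    if (ret == 0) {
        PRIVATE_KEY_UNLOCK();
#ifdef WOLFSSL_DTLS13
        if (ssl->options.dtls) {
            ret = Tls13HKDFExpandKeyLabel(ssl, acceptExpanded,
                ECH_ACCEPT_CONFIRMATION_SZ, expandLabelPrk, (word32)digestSize,
                dtls13ProtocolLabel, DTLS13_PROTOCOL_LABEL_SZ, label, labelSz,
                transcriptEchConf, (word32)digestSize, digestType,
                WOLFSSL_SERVER_END);
        }
        else
#endif
        {
            ret = Tls13HKDFExpandKeyLabel(ssl, acceptExpanded,
                ECH_ACCEPT_CONFIRMATION_SZ, expandLabelPrk, (word32)digestSize,
                tls13ProtocolLabel, TLS13_PROTOCOL_LABEL_SZ, label, labelSz,
                transcriptEchConf, (word32)digestSize, digestType,
                WOLFSSL_SERVER_END);
        }
        PRIVATE_KEY_LOCK();
    }

    /* drop the scratch transcript and restore the outer one */
    if (acceptHash != NULL) {
        ssl->hsHashes = acceptHash;
        FreeHandshakeHashes(ssl);
    }
    ssl->hsHashes = tmpHashes;

    ForceZero(expandLabelPrk, sizeof(expandLabelPrk));
#ifdef WOLFSSL_CHECK_MEM_ZERO
    wc_MemZero_Check(expandLabelPrk, sizeof(expandLabelPrk));
#endif
    return ret;
}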
#endif
#ifndef NO_WOLFSSL_CLIENT
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_PSK_ONE_ID) && \
!defined(NO_PSK)
/* Translate an internal MAC algorithm id into the EVP_MD handed to the
 * OpenSSL-compatible PSK session callback.
 *
 * mac_alg  one of the *_mac enumerators.
 *
 * Returns the matching EVP_MD, or NULL for no_mac, for digests without an
 * EVP wrapper (rmd_mac, blake2b_mac) and for unknown ids.
 */
static const WOLFSSL_EVP_MD* ssl_handshake_md(const byte mac_alg)
{
    const WOLFSSL_EVP_MD* md = NULL;

    switch (mac_alg) {
        case no_mac:
            break;
#ifndef NO_MD5
        case md5_mac:
            md = wolfSSL_EVP_md5();
            break;
#endif
#ifndef NO_SHA
        case sha_mac:
            md = wolfSSL_EVP_sha1();
            break;
#endif
#ifdef WOLFSSL_SHA224
        case sha224_mac:
            md = wolfSSL_EVP_sha224();
            break;
#endif
        case sha256_mac:
            md = wolfSSL_EVP_sha256();
            break;
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            md = wolfSSL_EVP_sha384();
            break;
#endif
#ifdef WOLFSSL_SHA512
        case sha512_mac:
            md = wolfSSL_EVP_sha512();
            break;
#endif
        case rmd_mac:
        case blake2b_mac:
            WOLFSSL_MSG("no suitable EVP_MD");
            break;
        default:
            WOLFSSL_MSG("Unknown mac algorithm");
            break;
    }

    return md;
}
#endif
/* Install the key material for one pre-shared key and derive the early
 * secret from it.
 *
 * Two modes, selected by clientHello:
 *   1  building our ClientHello: the PSK chooses the cipher suite (a ticket's
 *      suite must be in our list; an external PSK's suite comes from the
 *      callback), so cipherSuite0/cipherSuite and the cipher specs are set
 *      from the PSK.
 *   0  the server has chosen this PSK: the negotiated suite is already in
 *      ssl->options and the PSK must be compatible with it; the PSK then
 *      counts as peer authentication (peerAuthGood).
 *
 * Resumption PSKs are derived from the session ticket nonce; external PSKs
 * come from the client_psk_*_cb / session_psk_cb callbacks into
 * ssl->arrays->psk_key. Finally the psk_key_exchange_modes / key_share state
 * decides whether a (EC)DHE share contributes (preMasterSz is zeroed for
 * psk_ke) before DeriveEarlySecret runs.
 *
 * Returns 0 on success; PSK_KEY_ERROR for a suite/identity/key mismatch,
 * MEMORY_ERROR when no private session object can be obtained, else the
 * error of the failing derivation.
 */
static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk, int clientHello)
{
#if defined(HAVE_SESSION_TICKET) || !defined(WOLFSSL_PSK_ONE_ID)
    int ret;
#endif
    byte suite[2];

    if (psk == NULL)
        return BAD_FUNC_ARG;

    if (!HaveUniqueSessionObj(ssl)) {
        WOLFSSL_MSG("Unable to have unique session object");
        WOLFSSL_ERROR_VERBOSE(MEMORY_ERROR);
        return MEMORY_ERROR;
    }

    /* suite negotiated so far; on the server-selected path the PSK must
     * agree with it */
    suite[0] = ssl->options.cipherSuite0;
    suite[1] = ssl->options.cipherSuite;

#ifdef HAVE_SESSION_TICKET
    if (psk->resumption) {
        if (clientHello) {
            /* the ticket's suite must still be one we offer */
            suite[0] = psk->cipherSuite0;
            suite[1] = psk->cipherSuite;

            if (!FindSuiteSSL(ssl, suite)) {
                WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
                return PSK_KEY_ERROR;
            }
            ssl->options.cipherSuite0 = suite[0];
            ssl->options.cipherSuite  = suite[1];
            ret = SetCipherSpecs(ssl);
            if (ret != 0)
                return ret;
        }

#ifdef WOLFSSL_EARLY_DATA
        /* a ticket that allows no early data disables it for this session */
        if (ssl->session->maxEarlyDataSz == 0)
            ssl->earlyData = no_early_data;
#endif
        /* resumption PSK = derived from the resumption secret and the
         * ticket nonce; its size is the suite's hash size */
        ssl->arrays->psk_keySz = ssl->specs.hash_size;
        if ((ret = DeriveResumptionPSK(ssl, ssl->session->ticketNonce.data,
                   ssl->session->ticketNonce.len, ssl->arrays->psk_key)) != 0) {
            return ret;
        }
        if (!clientHello) {
            /* accepted resumption PSK authenticates the peer */
            ssl->options.peerAuthGood = 1;
        }
    }
#endif
#ifndef NO_PSK
    if (!psk->resumption) {
#ifndef WOLFSSL_PSK_ONE_ID
        const char* cipherName = NULL;
    #ifdef OPENSSL_EXTRA
        WOLFSSL_SESSION* psksession = NULL;
    #endif

        /* bound the identity copy by the client_identity buffer */
        if (psk->identityLen > MAX_PSK_ID_LEN)
            return PSK_KEY_ERROR;
        XMEMSET(ssl->arrays->client_identity, 0,
            sizeof(ssl->arrays->client_identity));
        XMEMCPY(ssl->arrays->client_identity, psk->identity, psk->identityLen);

    #ifdef WOLFSSL_DEBUG_TLS
        WOLFSSL_MSG("PSK cipher suite:");
        WOLFSSL_MSG(GetCipherNameInternal(psk->cipherSuite0, psk->cipherSuite));
    #endif

    #ifdef OPENSSL_EXTRA
        /* OpenSSL-style session callback: the returned session carries the
         * key bytes and suite; the digest is only known after an HRR */
        if (ssl->options.session_psk_cb != NULL) {
            const unsigned char* id = NULL;
            size_t idlen = 0;
            const WOLFSSL_EVP_MD* handshake_md = NULL;

            if (ssl->msgsReceived.got_hello_retry_request >= 1) {
                handshake_md = ssl_handshake_md(ssl->specs.mac_algorithm);
            }
            if (ssl->options.session_psk_cb(ssl, handshake_md, &id, &idlen,
                    &psksession) == 0) {
                wolfSSL_FreeSession(ssl->ctx, psksession);
                WOLFSSL_MSG("psk session callback failed");
                return PSK_KEY_ERROR;
            }
            if (psksession != NULL) {
                /* "id" here is the key material, bounded by psk_key */
                if (idlen > MAX_PSK_KEY_LEN) {
                    wolfSSL_FreeSession(ssl->ctx, psksession);
                    WOLFSSL_MSG("psk key length is too long");
                    WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
                    return PSK_KEY_ERROR;
                }
                ssl->arrays->psk_keySz = (word32)idlen;
                XMEMCPY(ssl->arrays->psk_key, id, idlen);
                suite[0] = psksession->cipherSuite0;
                suite[1] = psksession->cipherSuite;
                wolfSSL_FreeSession(ssl->ctx, psksession);
            }
        }
        /* psksession was freed above; only its non-NULL-ness is used as a
         * flag here to skip the other callbacks.
         * NOTE(review): comparing a freed pointer is indeterminate in strict
         * C; a separate flag would be cleaner. */
        if (psksession != NULL) {
        }
        else
    #endif
        if (ssl->options.client_psk_cs_cb != NULL) {
        #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS
            ssl->arrays->client_identity[0] = 0;
        #endif
            /* suite-aware callback: the PSK's own suite name is passed in */
            ssl->arrays->psk_keySz = ssl->options.client_psk_cs_cb(
                ssl, ssl->arrays->server_hint,
                ssl->arrays->client_identity, MAX_PSK_ID_LEN,
                ssl->arrays->psk_key, MAX_PSK_KEY_LEN,
                GetCipherNameInternal(psk->cipherSuite0, psk->cipherSuite));
            if (clientHello) {
                ssl->options.cipherSuite0 = psk->cipherSuite0;
                ssl->options.cipherSuite  = psk->cipherSuite;
            }
            else {
                /* server chose a suite: the PSK only needs the same hash */
                byte pskCS[2];
                pskCS[0] = psk->cipherSuite0;
                pskCS[1] = psk->cipherSuite;
                if (SuiteMac(pskCS) != SuiteMac(suite)) {
                    WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
                    return PSK_KEY_ERROR;
                }
                psk->cipherSuite0 = suite[0];
                psk->cipherSuite  = suite[1];
            }
        }
        else if (ssl->options.client_psk_tls13_cb != NULL) {
            byte cipherSuite0;
            byte cipherSuite;
            int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE;

            /* TLS 1.3 callback returns the suite by name */
            ssl->arrays->psk_keySz = ssl->options.client_psk_tls13_cb(ssl,
                ssl->arrays->server_hint, ssl->arrays->client_identity,
                MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN,
                &cipherName);
            if (GetCipherSuiteFromName(cipherName, &cipherSuite0,
                    &cipherSuite, NULL, NULL, &cipherSuiteFlags) != 0) {
                WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
                return PSK_KEY_ERROR;
            }
            ssl->options.cipherSuite0 = cipherSuite0;
            ssl->options.cipherSuite  = cipherSuite;
            (void)cipherSuiteFlags;
        }
        else {
            /* legacy callback: fixed default TLS 1.3 PSK suite */
            ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
                ssl->arrays->server_hint, ssl->arrays->client_identity,
                MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
            ssl->options.cipherSuite0 = TLS13_BYTE;
            ssl->options.cipherSuite  = WOLFSSL_DEF_PSK_CIPHER;
        }
        /* callbacks return the key length; USE_HW_PSK marks a key that lives
         * in hardware rather than in psk_key */
        if (ssl->arrays->psk_keySz == 0 ||
                (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN &&
            (int)ssl->arrays->psk_keySz != WC_NO_ERR_TRACE(USE_HW_PSK))) {
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
            return PSK_KEY_ERROR;
        }

        ret = SetCipherSpecs(ssl);
        if (ret != 0)
            return ret;
#else
        /* PSK information loaded during setting of default TLS extensions. */
#endif /* !WOLFSSL_PSK_ONE_ID */

        /* server-selected PSK must carry exactly the negotiated suite */
        if (!clientHello && (psk->cipherSuite0 != suite[0] ||
                             psk->cipherSuite  != suite[1])) {
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
            return PSK_KEY_ERROR;
        }
        if (!clientHello) {
            ssl->options.peerAuthGood = 1;
        }
    }
#endif

#ifdef HAVE_SUPPORTED_CURVES
    if (!clientHello) {
        TLSX*          ext;
        word32         modes;
        KeyShareEntry* kse = NULL;

        /* which key exchange modes we offered with the PSK */
        ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
        if (ext == NULL) {
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
            return PSK_KEY_ERROR;
        }
        modes = ext->val;

        ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
        if (ext != NULL) {
            kse = (KeyShareEntry*)ext->data;
        }
        /* psk_dhe_ke in use: the server's share must be for the group we
         * derived with */
        if (((modes & (1 << PSK_DHE_KE)) != 0) && (!ssl->options.noPskDheKe) &&
            (kse != NULL) && kse->derived) {
            if ((kse->session != 0) && (kse->session != kse->group)) {
                WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
                return PSK_KEY_ERROR;
            }
        }
        else if (ssl->options.onlyPskDheKe) {
            /* psk_ke without DHE is not allowed by configuration */
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
            return PSK_KEY_ERROR;
        }
        else if (ssl->options.noPskDheKe) {
            /* psk_ke: no (EC)DHE contribution to the key schedule */
            ssl->arrays->preMasterSz = 0;
        }
    }
    else
#endif
    if (ssl->options.noPskDheKe) {
        ssl->arrays->preMasterSz = 0;
    }

    return DeriveEarlySecret(ssl);
}
/* Compute and write the PSK binders at the end of a ClientHello.
 *
 * The binders are HMACs over a partial transcript: the ClientHello up to but
 * not including the binders list itself. So the message is hashed to that
 * point (idx minus the binders size), then for each offered PSK the key is
 * set up (SetupPskKey with clientHello = 1), its binder key and finished key
 * derived, and the HMAC written into the PreSharedKey entry. The binders are
 * then serialized and hashed so the transcript covers the whole message.
 * With early data, the first PSK is selected again and the client early
 * traffic key is derived and installed.
 *
 * ssl     connection; transcript and key schedule are updated.
 * output  start of the record buffer holding the ClientHello.
 * idx     end of the ClientHello in output, including the binders space.
 *
 * Returns 0 on success, INPUT_SIZE_E for an oversized idx, SANITY_MSG_E when
 * no pre_shared_key extension exists, else a derivation/hash error.
 *
 * NOTE(review): the binder finished key is derived into
 * ssl->keys.client_write_MAC_secret and is not cleared here — confirm it is
 * overwritten before any traffic keys are used.
 */
static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx)
{
    int           ret;
    TLSX*         ext;
    PreSharedKey* current;
    byte          binderKey[WC_MAX_DIGEST_SIZE];
    word16        len;

    WOLFSSL_ENTER("WritePSKBinders");

    if (idx > WOLFSSL_MAX_16BIT) {
        return INPUT_SIZE_E;
    }

    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    if (ext == NULL)
        return SANITY_MSG_E;

    /* hash the ClientHello up to the binders list */
    ret = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
                                                            client_hello, &len);
    if (ret < 0)
        return ret;

    idx -= len;
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls)
        ret = Dtls13HashHandshake(ssl, output + Dtls13GetRlHeaderLength(ssl, 0),
            (word16)idx - Dtls13GetRlHeaderLength(ssl, 0));
    else
#endif
        ret = HashOutput(ssl, output, (int)idx, 0);
    if (ret != 0)
        return ret;

    current = (PreSharedKey*)ext->data;
#ifdef WOLFSSL_CHECK_MEM_ZERO
    if (current != NULL) {
        wc_MemZero_Add("WritePSKBinders binderKey", binderKey,
            sizeof(binderKey));
    }
#endif
    /* one binder per offered PSK, each under that PSK's own key schedule */
    while (current != NULL) {
        if ((ret = SetupPskKey(ssl, current, 1)) != 0)
            break;

    #ifdef HAVE_SESSION_TICKET
        if (current->resumption)
            ret = DeriveBinderKeyResume(ssl, binderKey);
    #endif
    #ifndef NO_PSK
        if (!current->resumption)
            ret = DeriveBinderKey(ssl, binderKey);
    #endif
        if (ret != 0)
            break;

        /* finished key from the binder key, then HMAC of the partial
         * transcript */
        ret = DeriveFinishedSecret(ssl, binderKey,
                                   ssl->keys.client_write_MAC_secret,
                                   0 /* neither end */);
        if (ret != 0)
            break;

        ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret,
            current->binder, &current->binderLen);
        if (ret != 0)
            break;

        current = current->next;
    }

    ForceZero(binderKey, sizeof(binderKey));
#ifdef WOLFSSL_CHECK_MEM_ZERO
    wc_MemZero_Check(binderKey, sizeof(binderKey));
#endif

    if (ret != 0)
        return ret;

    /* serialize the binders and complete the ClientHello transcript */
    ret = TLSX_PreSharedKey_WriteBinders((PreSharedKey*)ext->data, output + idx,
                                                            client_hello, &len);
    if (ret < 0)
        return ret;
    ret = HashRaw(ssl, output + idx, len);
    if (ret < 0)
        return ret;

#ifdef WOLFSSL_EARLY_DATA
    if (ssl->earlyData != no_early_data) {
        /* early data is protected under the first PSK's early traffic key */
        if ((ret = SetupPskKey(ssl, (PreSharedKey*)ext->data, 1)) != 0)
            return ret;

        ret = DeriveTls13Keys(ssl, early_data_key, ENCRYPT_SIDE_ONLY, 1);
        if (ret != 0)
            return ret;
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
            return ret;
    }
#endif

    WOLFSSL_LEAVE("WritePSKBinders", ret);

    return ret;
}
#endif
/* Write (or size) the legacy_session_id field of a TLS 1.3 ClientHello.
 *
 * ssl     connection; session->sessionIDSz is reset to 0 when it exceeds
 *         ID_LEN (the oversize id is dropped and an empty id is sent).
 * output  destination buffer, or NULL to only advance *idx for sizing.
 * idx     in/out write position.
 *
 * The field is one of: the stored session id (resumption echo), an empty id,
 * or — with WOLFSSL_TLS13_MIDDLEBOX_COMPAT and tls13MiddleBoxCompat set —
 * the clientRandom bytes as a fake ID_LEN-byte id.
 */
static void GetTls13SessionId(WOLFSSL* ssl, byte* output, word32* idx)
{
    const byte* id = NULL;
    word32 idSz = 0;
    word32 storedSz = ssl->session->sessionIDSz;

    if (storedSz > ID_LEN) {
        /* oversize id: forget it and send an empty id (no compat fallback) */
        ssl->session->sessionIDSz = 0;
    }
    else if (storedSz > 0) {
        id = ssl->session->sessionID;
        idSz = storedSz;
    }
#ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
    else if (ssl->options.tls13MiddleBoxCompat) {
        id = ssl->arrays->clientRandom;
        idSz = ID_LEN;
    }
#endif

    if (output != NULL) {
        output[*idx] = (byte)idSz;
        if (idSz > 0) {
            XMEMCPY(output + *idx + OPAQUE8_LEN, id, idSz);
        }
    }
    *idx += OPAQUE8_LEN + idSz;
}
/* Per-call state of SendTls13ClientHello. With WOLFSSL_ASYNC_CRYPT it lives
 * in ssl->async->args so the function can resume after WC_PENDING_E. */
typedef struct Sch13Args {
    byte*  output;   /* record buffer the ClientHello is written into */
    word32 idx;      /* current write position in output */
    int    sendSz;   /* total record size handed to the send path */
    word32 length;   /* handshake body length; reused for extension length */
#if defined(HAVE_ECH)
    int clientRandomOffset;   /* offset of the (outer) client random in output */
    int preXLength;           /* body length before extensions were sized */
    WOLFSSL_ECH* ech;         /* state of the TLSX_ECH extension */
#endif
} Sch13Args;
#ifdef WOLFSSL_EARLY_DATA
/* Whether this ClientHello could carry early data: only when resuming a
 * session or, with PSK support, when a TLS 1.3 or legacy client PSK callback
 * is installed.
 *
 * Returns 1 when early data is possible, else 0.
 */
static int EarlyDataPossible(WOLFSSL* ssl)
{
    int possible = ssl->options.resuming;

#ifndef NO_PSK
    possible = possible ||
               ssl->options.client_psk_tls13_cb != NULL ||
               ssl->options.client_psk_cb != NULL;
#endif

    return possible ? 1 : 0;
}
#endif
/* Build and send a TLS 1.3 (or DTLS 1.3) ClientHello.
 *
 * Runs an async-resumable state machine on ssl->options.asyncState: BEGIN
 * sizes the fixed fields, BUILD/DO populates the extensions, FINALIZE writes
 * the message (including the ECH inner ClientHello and PSK binders when
 * present) and hashes it into the transcript, END hands the record to
 * SendBuffered. With WOLFSSL_ASYNC_CRYPT the per-call state (Sch13Args) lives
 * in ssl->async->args so a WC_PENDING_E return can be resumed.
 *
 * Returns 0 on success (the SendBuffered / Dtls13HandshakeSend result),
 * otherwise a negative wolfSSL error code; a resumed session recorded with
 * an older version returns the result of the TLS 1.2 SendClientHello path.
 */
int SendTls13ClientHello(WOLFSSL* ssl)
{
    int ret;
#ifdef WOLFSSL_ASYNC_CRYPT
    Sch13Args* args = NULL;
    WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
#else
    Sch13Args  args[1];
#endif
    byte major, tls12minor;
    const Suites* suites;

    WOLFSSL_START(WC_FUNC_CLIENT_HELLO_SEND);
    WOLFSSL_ENTER("SendTls13ClientHello");

    if (ssl == NULL) {
        return BAD_FUNC_ARG;
    }

    ssl->options.buildingMsg = 1;
    /* legacy_version on the wire is fixed at (D)TLS 1.2 */
    major = SSLv3_MAJOR;
    tls12minor = TLSv1_2_MINOR;

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        major = DTLS_MAJOR;
        tls12minor = DTLSv1_2_MINOR;
    }
#endif

    /* Resuming a session recorded under a different protocol version: an
     * older TLS version falls back to the TLS 1.2 ClientHello without
     * resumption; anything else is refused. */
    if (ssl->options.resuming &&
            ssl->session->version.major != 0 &&
            (ssl->session->version.major != ssl->version.major ||
             ssl->session->version.minor != ssl->version.minor)) {
    #ifndef WOLFSSL_NO_TLS12
        if (ssl->session->version.major == ssl->version.major &&
            ssl->session->version.minor < ssl->version.minor) {
            /* Cannot resume with a different protocol version. */
            ssl->options.resuming = 0;
            ssl->version.major = ssl->session->version.major;
            ssl->version.minor = ssl->session->version.minor;
            return SendClientHello(ssl);
        }
        else
    #endif
        {
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
            return VERSION_ERROR;
        }
    }

    suites = WOLFSSL_SUITES(ssl);
    if (suites == NULL) {
        WOLFSSL_MSG("Bad suites pointer in SendTls13ClientHello");
        return SUITES_ERROR;
    }

#ifdef WOLFSSL_ASYNC_CRYPT
    if (ssl->async == NULL) {
        ssl->async = (struct WOLFSSL_ASYNC*)
                XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
                        DYNAMIC_TYPE_ASYNC);
        if (ssl->async == NULL)
            return MEMORY_E;
        ssl->async->freeArgs = NULL;
    }
    args = (Sch13Args*)ssl->async->args;

    /* resume a pending async operation, otherwise start from BEGIN */
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
    if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
        /* Check for error */
        if (ret < 0)
            return ret;
    }
    else
#endif
    {
        /* Reset state */
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
        XMEMSET(args, 0, sizeof(Sch13Args));
    }

    switch (ssl->options.asyncState) {
    case TLS_ASYNC_BEGIN:
    {
    word32 sessIdSz = 0;

    /* reserve the record and handshake headers */
    args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls)
        args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
#endif /* WOLFSSL_DTLS13 */

    /* fixed body: version, random, length-prefixed suite list, compression
     * list length and the single null compression method */
    args->length = VERSION_SZ + RAN_LEN + suites->suiteSz +
            SUITE_LEN + COMP_LEN + ENUM_LEN;

#ifdef WOLFSSL_QUIC
    if (WOLFSSL_IS_QUIC(ssl)) {
        /* QUIC sends neither a session id nor the middlebox-compat fields */
        ssl->session->sessionIDSz = 0;
        ssl->options.tls13MiddleBoxCompat = 0;
    }
#endif
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        ssl->options.tls13MiddleBoxCompat = 0;
    }
#endif

    /* size the session id field without writing it */
    GetTls13SessionId(ssl, NULL, &sessIdSz);
    args->length += (word16)sessIdSz;

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        /* legacy_cookie length byte; the cookie itself only when a downgrade
         * is allowed (a cookie without downgrade is rejected below) */
        args->length += ENUM_LEN;
        if (ssl->arrays->cookieSz > 0 && ssl->options.downgrade)
            args->length += ssl->arrays->cookieSz;
    }
#endif /* WOLFSSL_DTLS13 */

    /* Advance state and proceed */
    ssl->options.asyncState = TLS_ASYNC_BUILD;
    } /* case TLS_ASYNC_BEGIN */
    FALL_THROUGH;

    case TLS_ASYNC_BUILD:
    case TLS_ASYNC_DO:
    {
    /* Auto populate extensions supported unless user defined. */
    if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0)
        return ret;

    /* Advance state and proceed */
    ssl->options.asyncState = TLS_ASYNC_FINALIZE;
    } /* case TLS_ASYNC_BUILD */
    FALL_THROUGH;

    case TLS_ASYNC_FINALIZE:
    {
#ifdef WOLFSSL_EARLY_DATA
    /* early data needs a PSK and is never offered in the second ClientHello
     * after a HelloRetryRequest */
    if (!EarlyDataPossible(ssl))
        ssl->earlyData = no_early_data;
    if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE)
        ssl->earlyData = no_early_data;
    if (ssl->earlyData == no_early_data)
        TLSX_Remove(&ssl->extensions, TLSX_EARLY_DATA, ssl->heap);
    if (ssl->earlyData != no_early_data &&
        (ret = TLSX_EarlyData_Use(ssl, 0, 0)) < 0) {
        return ret;
    }
#endif
#ifdef WOLFSSL_QUIC
    if (WOLFSSL_IS_QUIC(ssl) && IsAtLeastTLSv1_3(ssl->version)) {
        ret = wolfSSL_quic_add_transport_extensions(ssl, client_hello);
        if (ret != 0)
            return ret;
    }
#endif

#if defined(HAVE_ECH)
    /* Size the inner ClientHello first (ech->type temporarily set to
     * ECH_TYPE_INNER) so the outer ECH extension can be sized to hold it. */
    if (ssl->echConfigs != NULL && !ssl->options.disableECH) {
        TLSX* echX = TLSX_Find(ssl->extensions, TLSX_ECH);
        if (echX == NULL)
            return WOLFSSL_FATAL_ERROR;

        args->ech = (WOLFSSL_ECH*)echX->data;
        if (args->ech == NULL)
            return WOLFSSL_FATAL_ERROR;

        if (ssl->options.echAccepted || args->ech->innerCount == 0) {
            args->ech->type = ECH_TYPE_INNER;
            args->preXLength = (int)args->length;

            ret = TLSX_GetRequestSize(ssl, client_hello, &args->length);
            if (ret != 0)
                return ret;

            args->ech->type = 0;
            /* pad the inner ClientHello up to a multiple of 32 bytes; the
             * stored length also covers the HPKE tag (Nt) */
            args->ech->paddingLen = 31 - ((args->length - 1) % 32);
            args->ech->innerClientHelloLen = (word16)(args->length +
                args->ech->paddingLen + args->ech->hpke->Nt);
            args->length = (word32)args->preXLength;
        }
    }
#endif

    {
#ifdef WOLFSSL_DTLS_CH_FRAG
        word16 maxFrag = wolfssl_local_GetMaxPlaintextSize(ssl);
        word16 lenWithoutExts = args->length;
#endif

        /* Include length of TLS extensions. */
        ret = TLSX_GetRequestSize(ssl, client_hello, &args->length);
        if (ret != 0)
            return ret;

        /* Total message size. */
        args->sendSz =
            (int)(args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ);

#ifdef WOLFSSL_DTLS13
        if (ssl->options.dtls)
            args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
#endif /* WOLFSSL_DTLS13 */

#ifdef WOLFSSL_DTLS_CH_FRAG
        /* First ClientHello (no cookie yet) that would not fit a single
         * fragment: offer an empty key_share so it fits; the real share goes
         * in the second ClientHello after the HelloRetryRequest. */
        if (ssl->options.dtls && args->sendSz > maxFrag &&
                TLSX_Find(ssl->extensions, TLSX_COOKIE) == NULL) {
            ret = TLSX_KeyShare_Empty(ssl);
            if (ret != 0)
                return ret;
            args->length = lenWithoutExts;
            ret = TLSX_GetRequestSize(ssl, client_hello, &args->length);
            if (ret != 0)
                return ret;
            args->sendSz = (int)(args->length +
                DTLS_HANDSHAKE_HEADER_SZ + DTLS_RECORD_HEADER_SZ);
            if (args->sendSz > maxFrag) {
                WOLFSSL_MSG("Can't fit first CH in one fragment.");
                return BUFFER_ERROR;
            }
            WOLFSSL_MSG("Sending empty key share so we don't fragment CH1");
        }
#endif
    }

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message. */
    args->output = GetOutputBuffer(ssl);

    /* Put the record and handshake headers on. */
    AddTls13Headers(args->output, args->length, client_hello, ssl);

    /* Protocol version - negotiation now in extension: supported_versions. */
    args->output[args->idx++] = major;
    args->output[args->idx++] = tls12minor;

    /* Keep for downgrade. */
    ssl->chVersion = ssl->version;

    if (ssl->arrays == NULL) {
        return BAD_FUNC_ARG;
    }
    /* Client Random: fresh for the first ClientHello only; the second
     * ClientHello after a HelloRetryRequest reuses the same random */
    if (ssl->options.connectState == CONNECT_BEGIN) {
        ret = wc_RNG_GenerateBlock(ssl->rng, args->output + args->idx, RAN_LEN);
        if (ret != 0)
            return ret;

        /* Store random for possible second ClientHello. */
        XMEMCPY(ssl->arrays->clientRandom, args->output + args->idx, RAN_LEN);
    }
    else
        XMEMCPY(args->output + args->idx, ssl->arrays->clientRandom, RAN_LEN);

#if defined(HAVE_ECH)
    args->clientRandomOffset = (int)args->idx;
#endif

    args->idx += RAN_LEN;

    /* Session id - either a stored id, empty, or the middlebox-compat fake */
    GetTls13SessionId(ssl, args->output, &args->idx);

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        /* legacy_cookie_id: a non-empty cookie is only valid when downgrade
         * to DTLS 1.2 is allowed */
        args->output[args->idx++] = ssl->arrays->cookieSz;

        /* Cookie */
        if (ssl->arrays->cookieSz > 0) {
            if (!ssl->options.downgrade)
                return VERSION_ERROR;

            XMEMCPY(args->output + args->idx, ssl->arrays->cookie,
                ssl->arrays->cookieSz);
            args->idx += ssl->arrays->cookieSz;
        }
    }
#endif /* WOLFSSL_DTLS13 */

    /* Cipher suites */
    c16toa(suites->suiteSz, args->output + args->idx);
    args->idx += OPAQUE16_LEN;
    XMEMCPY(args->output + args->idx, &suites->suites,
        suites->suiteSz);
    args->idx += suites->suiteSz;
#ifdef WOLFSSL_DEBUG_TLS
    {
        int ii;
        WOLFSSL_MSG("Ciphers:");
        for (ii = 0 ; ii < suites->suiteSz; ii += 2) {
            WOLFSSL_MSG(GetCipherNameInternal(suites->suites[ii+0],
                                              suites->suites[ii+1]));
        }
    }
#endif

    /* Compression not supported in TLS v1.3. */
    args->output[args->idx++] = COMP_LEN;
    args->output[args->idx++] = NO_COMPRESSION;

#if defined(HAVE_ECH)
    /* Build the inner ClientHello: the fixed fields written so far are copied
     * over (the inner copy keeps the inner random), the outer random is then
     * replaced by a fresh one, and inner-form extensions are appended. */
    if (ssl->echConfigs != NULL && !ssl->options.disableECH &&
            (ssl->options.echAccepted || args->ech->innerCount == 0)) {
        args->ech->type = ECH_TYPE_INNER;

        if (args->ech->innerClientHello != NULL) {
            XFREE(args->ech->innerClientHello, ssl->heap,
                DYNAMIC_TYPE_TMP_BUFFER);
        }
        /* buffer holds body plus padding; the HPKE tag is not stored here */
        args->ech->innerClientHello =
            (byte*)XMALLOC(args->ech->innerClientHelloLen - args->ech->hpke->Nt,
            ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
        if (args->ech->innerClientHello == NULL)
            return MEMORY_E;

        /* set the padding bytes to 0 */
        XMEMSET(args->ech->innerClientHello + args->ech->innerClientHelloLen -
            args->ech->hpke->Nt - args->ech->paddingLen, 0,
            args->ech->paddingLen);

        /* copy the client hello to the ech innerClientHello, exclude record
         * and handshake headers */
        XMEMCPY(args->ech->innerClientHello,
            args->output + RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ,
            args->idx - (RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ));

        /* first ClientHello: the random just written becomes the inner
         * random; after an accepted HRR the saved inner random is restored
         * into the inner copy */
        if (!ssl->options.echAccepted) {
            XMEMCPY(ssl->arrays->clientRandomInner, ssl->arrays->clientRandom,
                RAN_LEN);
        }
        else {
            XMEMCPY(args->ech->innerClientHello + VERSION_SZ,
                ssl->arrays->clientRandomInner, RAN_LEN);
        }

        /* outer ClientHello gets its own, unrelated random */
        ret = wc_RNG_GenerateBlock(ssl->rng, args->output +
            args->clientRandomOffset, RAN_LEN);
        if (ret != 0)
            return ret;

        XMEMCPY(ssl->arrays->clientRandom, args->output +
            args->clientRandomOffset, RAN_LEN);

        /* write the extensions for inner */
        args->length = 0;
        ret = TLSX_WriteRequest(ssl, args->ech->innerClientHello + args->idx -
            (RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ), client_hello,
            &args->length);
        if (ret != 0)
            return ret;

        args->ech->type = 0;
    }
#endif

    /* Write out (and get length of) extensions. */
    args->length = 0;
    ret = TLSX_WriteRequest(ssl, args->output + args->idx, client_hello,
        &args->length);

    if (ret != 0)
        return ret;

    args->idx += args->length;

#if defined(HAVE_ECH)
    /* encrypt the inner ClientHello into the outer ECH extension (presumably
     * what TLSX_FinalizeEch does; it is not visible here) */
    if (ssl->echConfigs != NULL && !ssl->options.disableECH &&
            (ssl->options.echAccepted || args->ech->innerCount == 0)) {
        ret = TLSX_FinalizeEch(args->ech,
            args->output + RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ,
            (word32)(args->sendSz - (RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ)));

        if (ret != 0)
            return ret;
    }
#endif

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    /* Resumption has a specific set of extensions and binder is calculated
     * for each identity. The binders also hash the message, so no separate
     * HashOutput here. */
    if (TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY)) {
        ret = WritePSKBinders(ssl, args->output, args->idx);
    }
    else
#endif
    {
#ifdef WOLFSSL_DTLS13
        if (ssl->options.dtls)
            ret = Dtls13HashHandshake(ssl,
                args->output + Dtls13GetRlHeaderLength(ssl, 0),
                (word16)args->idx - Dtls13GetRlHeaderLength(ssl, 0));
        else
#endif /* WOLFSSL_DTLS13 */
        {
#if defined(HAVE_ECH)
            /* the inner ClientHello goes into the separate ECH transcript */
            if (ssl->echConfigs != NULL && !ssl->options.disableECH &&
                    (ssl->options.echAccepted || args->ech->innerCount == 0)) {
                ret = EchHashHelloInner(ssl, args->ech);
            }
#endif
            if (ret == 0)
                ret = HashOutput(ssl, args->output, (int)args->idx, 0);
        }
    }

    if (ret != 0)
        return ret;

    ssl->options.clientState = CLIENT_HELLO_COMPLETE;

#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
    if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello");
    if (ssl->toInfoOn) {
        ret = AddPacketInfo(ssl, "ClientHello", handshake, args->output,
                      args->sendSz, WRITE_PROTO, 0, ssl->heap);
        if (ret != 0)
            return ret;
    }
#endif

    ssl->options.buildingMsg = 0;
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        /* DTLS fragments and sends through its own handshake path */
        ret = Dtls13HandshakeSend(ssl, args->output, (word16)args->sendSz,
                                  (word16)args->idx, client_hello, 0);

        break;
    }
#endif /* WOLFSSL_DTLS13 */

    ssl->buffers.outputBuffer.length += (word32)args->sendSz;

    /* Advance state and proceed */
    ssl->options.asyncState = TLS_ASYNC_END;
    } /* case TLS_ASYNC_BUILD */
    FALL_THROUGH;

    case TLS_ASYNC_END:
    {
#ifdef WOLFSSL_EARLY_DATA_GROUP
    /* with early data grouped into the same flight the send is deferred;
     * QUIC always hands the data over now */
    if (ssl->earlyData == no_early_data || WOLFSSL_IS_QUIC(ssl))
#endif
        ret = SendBuffered(ssl);

    break;
    }
    default:
        ret = INPUT_CASE_ERROR;
    } /* switch (ssl->options.asyncState) */

#ifdef WOLFSSL_ASYNC_CRYPT
    if (ret == 0)
        FreeAsyncCtx(ssl, 0);
#endif

    WOLFSSL_LEAVE("SendTls13ClientHello", ret);
    WOLFSSL_END(WC_FUNC_CLIENT_HELLO_SEND);

    return ret;
}
#if defined(WOLFSSL_DTLS13) && !defined(NO_WOLFSSL_CLIENT)
/* Switch a DTLS 1.3 client to the DTLS 1.2 handshake after the server picked
 * the lower version: restart the transcript with the saved ClientHello, drop
 * that saved copy, and carry the DTLS 1.3 epoch's next sequence number over
 * into the DTLS 1.2 sequence counters.
 *
 * Returns BAD_STATE_E when no ClientHello was saved, else the
 * InitHandshakeHashes / HashRaw result (0 on success).
 */
static int Dtls13ClientDoDowngrade(WOLFSSL* ssl)
{
    int ret;
    byte* savedHello = ssl->dtls13ClientHello;

    if (savedHello == NULL)
        return BAD_STATE_E;

    ret = InitHandshakeHashes(ssl);
    if (ret != 0)
        return ret;

    ret = HashRaw(ssl, savedHello, ssl->dtls13ClientHelloSz);

    /* the saved copy is released whether or not hashing succeeded */
    ssl->dtls13ClientHello = NULL;
    ssl->dtls13ClientHelloSz = 0;
    XFREE(savedHello, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);

    ssl->keys.dtls_sequence_number_hi =
        (word16)w64GetHigh32(ssl->dtls13EncryptEpoch->nextSeqNumber);
    ssl->keys.dtls_sequence_number_lo =
        w64GetLow32(ssl->dtls13EncryptEpoch->nextSeqNumber);

    return ret;
}
#endif
#if defined(HAVE_ECH)
/* Verify the ECH acceptance confirmation in a ServerHello or
 * HelloRetryRequest and settle which transcript (outer or inner) continues.
 *
 * The expected confirmation is recomputed by EchCalcAcceptance and compared
 * in constant time against the bytes at input + acceptOffset. On a match,
 * echAccepted is set: for an HRR the message is appended to the inner
 * transcript (hsHashesEch) and both transcripts are kept; for a ServerHello
 * the outer transcript is freed and the inner one becomes ssl->hsHashes.
 * On a mismatch echAccepted is cleared, the inner transcript is freed, and 0
 * is still returned — the handshake continues on the outer transcript
 * (rejection is not an error here).
 *
 * ssl             connection.
 * label, labelSz  HKDF label for the confirmation derivation.
 * input           server message, starting at its handshake header.
 * acceptOffset    offset in input of the confirmation field.
 * helloSz         message body length.
 * msgType         hello_retry_request or server_hello.
 *
 * Returns 0 whether or not ECH was accepted; negative on a hashing or
 * derivation error.
 */
static int EchCheckAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
    const byte* input, int acceptOffset, int helloSz, byte msgType)
{
    int ret = 0;
    int headerSz;
    HS_Hashes* tmpHashes;
    byte acceptConfirmation[ECH_ACCEPT_CONFIRMATION_SZ];

    XMEMSET(acceptConfirmation, 0, sizeof(acceptConfirmation));

#ifdef WOLFSSL_DTLS13
    headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ :
        HANDSHAKE_HEADER_SZ;
#else
    headerSz = HANDSHAKE_HEADER_SZ;
#endif

    ret = EchCalcAcceptance(ssl, label, labelSz, input, acceptOffset, helloSz,
        msgType == hello_retry_request, acceptConfirmation);

    if (ret == 0) {
        /* compare against the inner transcript selected */
        tmpHashes = ssl->hsHashes;
        ssl->hsHashes = ssl->hsHashesEch;

        /* constant-time compare: the confirmation is a MAC-like value */
        ret = ConstantCompare(acceptConfirmation, input + acceptOffset,
            ECH_ACCEPT_CONFIRMATION_SZ);

        if (ret == 0) {
            ssl->options.echAccepted = 1;
            if (msgType == hello_retry_request) {
                /* HRR joins the inner transcript; outer transcript kept */
                ret = HashRaw(ssl, input, helloSz + headerSz);
            }
            else {
                /* ServerHello accepted: discard the outer transcript and
                 * promote the inner one */
                ssl->hsHashes = tmpHashes;
                FreeHandshakeHashes(ssl);
                tmpHashes = ssl->hsHashesEch;
                ssl->hsHashesEch = NULL;
            }
        }
        else {
            /* rejected: drop the inner transcript, continue with the outer */
            ssl->options.echAccepted = 0;
            ret = 0;
            FreeHandshakeHashes(ssl);
            ssl->hsHashesEch = NULL;
        }

        ssl->hsHashes = tmpHashes;
    }

    return ret;
}
#endif
/* Per-call state of DoTls13ServerHello, resumable across WC_PENDING_E like
 * Sch13Args. Only pv, idx and begin are visibly used in this excerpt; the
 * remaining field meanings are inferred from their names. */
typedef struct Dsh13Args {
    ProtocolVersion pv;        /* legacy_version read from the message */
    word32          idx;       /* current parse position in input */
    word32          begin;     /* index where the message body starts */
    const byte*     sessId;    /* presumably legacy_session_id_echo bytes */
    word16          totalExtSz; /* presumably total extensions length */
    byte            sessIdSz;  /* presumably legacy_session_id_echo length */
    byte            extMsgType; /* presumably server_hello vs. HRR */
#if defined(HAVE_ECH)
    TLSX*  echX;               /* the ECH extension, when present */
    byte*  acceptLabel;        /* HKDF label for the acceptance check */
    word32 acceptOffset;       /* offset of the confirmation in the message */
    word16 acceptLabelSz;
#endif
} Dsh13Args;
/* Client side: parse a ServerHello or HelloRetryRequest.
 *
 * Runs as a state machine over ssl->options.asyncState so that an
 * asynchronous extension parse can resume:
 *   TLS_ASYNC_BEGIN    - fixed fields, version handling and downgrade
 *   TLS_ASYNC_BUILD/DO - extension parsing
 *   TLS_ASYNC_FINALIZE - session id echo, cipher suite, ECH, PSK/key share
 * Anything that is not TLS 1.3 is handed to DoServerHello() once the version
 * has been decided.
 *
 * ssl        - SSL object (ssl->arrays must be allocated)
 * input      - buffer holding the message body
 * inOutIdx   - in: index of the body; out: index after the body (only
 *              advanced here when the version stays TLS 1.3)
 * helloSz    - size of the message body
 * extMsgType - in: expected type; out: server_hello or hello_retry_request
 *              as detected from the random field
 * returns 0 on success, otherwise a negative error code (BUFFER_ERROR for a
 *         malformed body, VERSION_ERROR, INVALID_PARAMETER, EXT_MISSING, ...)
 */
int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                       word32 helloSz, byte* extMsgType)
{
    int ret;
    byte suite[2];
    byte tls12minor;
#ifdef WOLFSSL_ASYNC_CRYPT
    Dsh13Args* args = NULL;
#else
    Dsh13Args  args[1];
#endif

#ifdef WOLFSSL_ASYNC_CRYPT
    WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
#endif

    WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO);
    WOLFSSL_ENTER("DoTls13ServerHello");

    if (ssl == NULL || ssl->arrays == NULL)
        return BAD_FUNC_ARG;

    /* legacy_version must read as (D)TLS 1.2 in a TLS 1.3 hello. */
    tls12minor = TLSv1_2_MINOR;
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls)
        tls12minor = DTLSv1_2_MINOR;
#endif

#ifdef WOLFSSL_ASYNC_CRYPT
    if (ssl->async == NULL) {
        ssl->async = (struct WOLFSSL_ASYNC*)
                XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
                        DYNAMIC_TYPE_ASYNC);
        if (ssl->async == NULL)
            return MEMORY_E;
        ssl->async->freeArgs = NULL;
    }
    args = (Dsh13Args*)ssl->async->args;

    /* Resume a pending operation, if any. */
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
    if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
        if (ret < 0) {
            if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
                /* Message not consumed yet; allow it to be seen again. */
                ssl->msgsReceived.got_server_hello = 0;
            }
            return ret;
        }
    }
    else
#endif
    {
        /* Fresh parse: start the state machine with cleared args. */
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
        XMEMSET(args, 0, sizeof(Dsh13Args));
    }

    switch (ssl->options.asyncState) {
    case TLS_ASYNC_BEGIN:
    {
        byte b;

#ifdef WOLFSSL_CALLBACKS
        if (ssl->hsInfoOn) AddPacketName(ssl, "ServerHello");
        if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo);
#endif

        /* legacy_version */
        if (helloSz < OPAQUE16_LEN)
            return BUFFER_ERROR;
        args->idx = *inOutIdx;
        args->begin = args->idx;
        XMEMCPY(&args->pv, input + args->idx, OPAQUE16_LEN);
        args->idx += OPAQUE16_LEN;

#ifdef WOLFSSL_DTLS
        if (ssl->options.dtls &&
            (args->pv.major != DTLS_MAJOR || args->pv.minor == DTLS_BOGUS_MINOR))
            return VERSION_ERROR;
#endif

#ifndef WOLFSSL_NO_TLS12
        {
            byte wantDowngrade;

            /* Server answered with a version older than (D)TLS 1.2 in the
             * legacy field. DTLS minor numbers count downwards, hence the
             * inverted comparison. */
            wantDowngrade = args->pv.major == ssl->version.major &&
                            args->pv.minor < TLSv1_2_MINOR;
#ifdef WOLFSSL_DTLS13
            if (ssl->options.dtls)
                wantDowngrade = args->pv.major == ssl->version.major &&
                                args->pv.minor > DTLSv1_2_MINOR;
#endif
            if (wantDowngrade && ssl->options.downgrade) {
                ssl->chVersion.minor = TLSv1_2_MINOR;
                ssl->version.minor = TLSv1_2_MINOR;
                ssl->options.tls1_3 = 0;
#ifdef WOLFSSL_DTLS13
                if (ssl->options.dtls) {
                    ssl->chVersion.minor = DTLSv1_2_MINOR;
                    ssl->version.minor = DTLSv1_2_MINOR;
                    ret = Dtls13ClientDoDowngrade(ssl);
                    if (ret != 0)
                        return ret;
                }
#endif
                /* Whole message is re-parsed by the TLS 1.2 code. */
                return DoServerHello(ssl, input, inOutIdx, helloSz);
            }
        }
#endif

        /* Anything else than legacy (D)TLS 1.2 is not a TLS 1.3 hello. */
        if (args->pv.major != ssl->version.major ||
            args->pv.minor != tls12minor) {
            SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
            return VERSION_ERROR;
        }

        /* random + session id length */
        if ((args->idx - args->begin) + RAN_LEN + ENUM_LEN > helloSz)
            return BUFFER_ERROR;

        /* A HelloRetryRequest is a ServerHello carrying a fixed random
         * value; that value is public, so a plain compare is fine. */
        if (XMEMCMP(input + args->idx, helloRetryRequestRandom, RAN_LEN) == 0) {
            WOLFSSL_MSG("HelloRetryRequest format");
            *extMsgType = hello_retry_request;

            /* HelloVerifyRequest (DTLS 1.2 flow) and HRR (1.3 flow) must
             * not be mixed within one handshake. */
            if (ssl->msgsReceived.got_hello_verify_request) {
                WOLFSSL_MSG("Received HelloRetryRequest after a "
                            "HelloVerifyRequest");
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
                return VERSION_ERROR;
            }
            /* Only one HRR is allowed per handshake. */
            if (ssl->msgsReceived.got_hello_retry_request) {
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                return DUPLICATE_MSG_E;
            }
        }

        args->extMsgType = *extMsgType;

        /* Server random (used for the key schedule). */
        XMEMCPY(ssl->arrays->serverRandom, input + args->idx, RAN_LEN);
#if defined(HAVE_ECH)
        /* ECH confirmation lives in the last bytes of the server random. */
        args->acceptOffset = args->idx + RAN_LEN - ECH_ACCEPT_CONFIRMATION_SZ;
#endif
        args->idx += RAN_LEN;

        /* legacy_session_id_echo; bound checked above for the length byte. */
        args->sessIdSz = input[args->idx++];
        if ((args->idx - args->begin) + args->sessIdSz > helloSz)
            return BUFFER_ERROR;
        args->sessId = input + args->idx;
        args->idx += args->sessIdSz;
        ssl->options.haveSessionId = 1;

        /* cipher suite + legacy compression method */
        if ((args->idx - args->begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz)
            return BUFFER_ERROR;
        ssl->options.cipherSuite0 = input[args->idx++];
        ssl->options.cipherSuite  = input[args->idx++];

        /* A ServerHello that follows an HRR must keep the HRR's suite. */
        if (*extMsgType == hello_retry_request) {
            ssl->options.hrrCipherSuite0 = ssl->options.cipherSuite0;
            ssl->options.hrrCipherSuite = ssl->options.cipherSuite;
        }
        else if (ssl->msgsReceived.got_hello_retry_request &&
                 (ssl->options.hrrCipherSuite0 != ssl->options.cipherSuite0 ||
                  ssl->options.hrrCipherSuite != ssl->options.cipherSuite)) {
            WOLFSSL_MSG("Received ServerHello with different cipher suite than "
                        "HelloRetryRequest");
            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
            return INVALID_PARAMETER;
        }

#ifdef WOLFSSL_DEBUG_TLS
        WOLFSSL_MSG("Chosen cipher suite:");
        WOLFSSL_MSG(GetCipherNameInternal(ssl->options.cipherSuite0,
                                          ssl->options.cipherSuite));
#endif

        /* TLS 1.3 has no compression; the field must be 0. */
        b = input[args->idx++];
        if (b != 0) {
            WOLFSSL_MSG("Must be no compression types in list");
            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
            return INVALID_PARAMETER;
        }

        /* No room for an extensions length: this can only be a pre-1.3
         * ServerHello, which is acceptable when downgrade is allowed. */
        if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz) {
            if (!ssl->options.downgrade)
                return BUFFER_ERROR;
#ifndef WOLFSSL_NO_TLS12
            ssl->chVersion.minor = TLSv1_2_MINOR;
            ssl->version.minor = TLSv1_2_MINOR;
#ifdef WOLFSSL_DTLS13
            if (ssl->options.dtls) {
                ssl->chVersion.minor = DTLSv1_2_MINOR;
                ssl->version.minor = DTLSv1_2_MINOR;
                ssl->options.tls1_3 = 0;
                ret = Dtls13ClientDoDowngrade(ssl);
                if (ret != 0)
                    return ret;
            }
#endif
#endif
            ssl->options.haveEMS = 0;
            /* NOTE(review): this floor check uses '<' for DTLS as well,
             * whereas the extension path further down inverts it for DTLS
             * (minor numbers count downwards there) — confirm the intended
             * semantics of minDowngrade on the DTLS extension-less path. */
            if (args->pv.minor < ssl->options.minDowngrade) {
                SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
                return VERSION_ERROR;
            }
#ifndef WOLFSSL_NO_TLS12
            ssl->options.tls1_3 = 0;
            return DoServerHello(ssl, input, inOutIdx, helloSz);
#else
            SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
            return VERSION_ERROR;
#endif
        }

        /* extensions: only supported_versions is looked at here; the rest
         * is parsed in the next state once the version is settled. */
        if ((args->idx - args->begin) < helloSz) {
            int foundVersion;

            if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz)
                return BUFFER_ERROR;
            ato16(&input[args->idx], &args->totalExtSz);
            args->idx += OPAQUE16_LEN;

            if ((args->idx - args->begin) + args->totalExtSz > helloSz)
                return BUFFER_ERROR;

            if ((ret = TLSX_ParseVersion(ssl, input + args->idx,
                args->totalExtSz, *extMsgType, &foundVersion))) {
                return ret;
            }
            if (!foundVersion) {
                /* No supported_versions: the server picked a pre-1.3
                 * version via legacy_version. Only allowed with downgrade,
                 * and never below minDowngrade. */
                if (!ssl->options.downgrade) {
                    WOLFSSL_MSG("Server trying to downgrade to version less than "
                                "TLS v1.3");
                    SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
                    WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
                    return VERSION_ERROR;
                }
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
                                                  defined(WOLFSSL_WPAS_SMALL)
                /* Honour an explicit "no TLS 1.2" option. */
                if (args->pv.minor == TLSv1_2_MINOR &&
                    (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2)
                        == WOLFSSL_OP_NO_TLSv1_2)
                {
                    WOLFSSL_MSG("\tOption set to not allow TLSv1.2");
                    WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
                    return VERSION_ERROR;
                }
#endif

                /* TLS: lower minor is older; DTLS: higher minor is older. */
                if (!ssl->options.dtls &&
                    args->pv.minor < ssl->options.minDowngrade) {
                    SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
                    WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
                    return VERSION_ERROR;
                }

                if (ssl->options.dtls &&
                    args->pv.minor > ssl->options.minDowngrade) {
                    SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
                    WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
                    return VERSION_ERROR;
                }

                ssl->version.minor = args->pv.minor;
                ssl->options.tls1_3 = 0;
#ifdef WOLFSSL_DTLS13
                if (ssl->options.dtls) {
                    ret = Dtls13ClientDoDowngrade(ssl);
                    if (ret != 0)
                        return ret;
                }
#endif
            }
        }

#ifdef WOLFSSL_DTLS13
        /* The ClientHello copy kept for a possible downgrade is no longer
         * needed once we get here without downgrading. */
        if (ssl->options.dtls && ssl->dtls13ClientHello != NULL) {
            XFREE(ssl->dtls13ClientHello, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
            ssl->dtls13ClientHello = NULL;
            ssl->dtls13ClientHelloSz = 0;
        }
#endif

        ssl->options.asyncState = TLS_ASYNC_BUILD;
    }
    FALL_THROUGH;

    case TLS_ASYNC_BUILD:
    case TLS_ASYNC_DO:
    {
        /* Restore the detected message type for an async resume. */
        *extMsgType = args->extMsgType;

        /* Full extension parse, TLS 1.3 only. */
        if (args->totalExtSz > 0 && IsAtLeastTLSv1_3(ssl->version)) {
            ret = TLSX_Parse(ssl, input + args->idx, args->totalExtSz,
                *extMsgType, NULL);
            if (ret != 0) {
#ifdef WOLFSSL_ASYNC_CRYPT
                if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
                    ssl->msgsReceived.got_server_hello = 0;
                }
#endif
                return ret;
            }
            /* An HRR is not "the" ServerHello; let the real one be seen. */
            if (*extMsgType == hello_retry_request) {
                ssl->msgsReceived.got_hello_retry_request = 1;
                ssl->msgsReceived.got_server_hello = 0;
            }
        }
        if (args->totalExtSz > 0) {
            args->idx += args->totalExtSz;
        }

#ifdef WOLFSSL_DTLS_CID
        if (ssl->options.useDtlsCID && *extMsgType == server_hello)
            DtlsCIDOnExtensionsParsed(ssl);
#endif

        /* Only advance the caller's index for TLS 1.3; a downgraded hello
         * is re-parsed from the start by DoServerHello(). */
        if (IsAtLeastTLSv1_3(ssl->version)) {
            *inOutIdx = args->idx;
        }

        ssl->options.serverState = SERVER_HELLO_COMPLETE;

#ifdef HAVE_SECRET_CALLBACK
        /* Application-supplied master secret (session ticket resumption). */
        if (ssl->sessionSecretCb != NULL
#ifdef HAVE_SESSION_TICKET
                && ssl->session->ticketLen > 0
#endif
                ) {
            int secretSz = SECRET_LEN;
            ret = ssl->sessionSecretCb(ssl, ssl->session->masterSecret,
                                       &secretSz, ssl->sessionSecretCtx);
            if (ret != 0 || secretSz != SECRET_LEN) {
                WOLFSSL_ERROR_VERBOSE(SESSION_SECRET_CB_E);
                return SESSION_SECRET_CB_E;
            }
        }
#endif

        /* Version was negotiated down: finish as (D)TLS 1.2. */
        if (!IsAtLeastTLSv1_3(ssl->version)) {
#ifndef WOLFSSL_NO_TLS12
            ssl->arrays->sessionIDSz = args->sessIdSz;
            if (ssl->arrays->sessionIDSz > ID_LEN) {
                WOLFSSL_MSG("Invalid session ID size");
                ssl->arrays->sessionIDSz = 0;
                return BUFFER_ERROR;
            }
            else if (ssl->arrays->sessionIDSz) {
                XMEMCPY(ssl->arrays->sessionID, args->sessId,
                    ssl->arrays->sessionIDSz);
                ssl->options.haveSessionId = 1;
            }
            if (ssl->options.dtls)
                ssl->chVersion.minor = DTLSv1_2_MINOR;
            else
                ssl->chVersion.minor = TLSv1_2_MINOR;
            ret = DoServerHello(ssl, input, inOutIdx, helloSz);
#else
            WOLFSSL_MSG("Client using higher version, fatal error");
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
            ret = VERSION_ERROR;
#endif

            WOLFSSL_LEAVE("DoTls13ServerHello", ret);

            return ret;
        }

        ssl->options.asyncState = TLS_ASYNC_FINALIZE;
    }
    FALL_THROUGH;

    case TLS_ASYNC_FINALIZE:
    {
        /* legacy_session_id_echo must be exactly what we sent. */
#ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
        if (ssl->options.tls13MiddleBoxCompat) {
            /* Middlebox compat: we always sent a non-empty id, either the
             * resumed session's id or the client random. */
            if (args->sessIdSz == 0) {
                WOLFSSL_MSG("args->sessIdSz == 0");
                WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
                return INVALID_PARAMETER;
            }
            if (ssl->session->sessionIDSz != 0) {
                if (ssl->session->sessionIDSz != args->sessIdSz ||
                    XMEMCMP(ssl->session->sessionID, args->sessId,
                        args->sessIdSz) != 0) {
                    WOLFSSL_MSG("session id doesn't match");
                    WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
                    return INVALID_PARAMETER;
                }
            }
            else if (XMEMCMP(ssl->arrays->clientRandom, args->sessId,
                    args->sessIdSz) != 0) {
                WOLFSSL_MSG("session id doesn't match client random");
                WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
                return INVALID_PARAMETER;
            }
        }
        else
#endif
#if defined(WOLFSSL_QUIC) || defined(WOLFSSL_DTLS13)
        /* QUIC and DTLS 1.3 never send a legacy session id. */
        if (0
#ifdef WOLFSSL_QUIC
            || WOLFSSL_IS_QUIC(ssl)
#endif
#ifdef WOLFSSL_DTLS13
            || ssl->options.dtls
#endif
            ) {
            if (args->sessIdSz != 0) {
                WOLFSSL_MSG("args->sessIdSz != 0");
                WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
                return INVALID_PARAMETER;
            }
        }
        else
#endif
        if (args->sessIdSz != ssl->session->sessionIDSz || (args->sessIdSz > 0 &&
            XMEMCMP(ssl->session->sessionID, args->sessId, args->sessIdSz) != 0))
        {
            WOLFSSL_MSG("Server sent different session id");
            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
            return INVALID_PARAMETER;
        }

        ret = SetCipherSpecs(ssl);
        if (ret != 0)
            return ret;

        /* The chosen suite must be a TLS 1.3 suite (a few non-TLS13_BYTE
         * suites are explicitly allowed below) and one we offered. */
#ifdef HAVE_NULL_CIPHER
        if (ssl->options.cipherSuite0 == ECC_BYTE &&
                              (ssl->options.cipherSuite == TLS_SHA256_SHA256 ||
                               ssl->options.cipherSuite == TLS_SHA384_SHA384)) {
            ;
        }
        else
#endif
#if defined(WOLFSSL_SM4_GCM) && defined(WOLFSSL_SM3)
        if (ssl->options.cipherSuite0 == CIPHER_BYTE &&
                ssl->options.cipherSuite == TLS_SM4_GCM_SM3) {
            ;
        }
        else
#endif
#if defined(WOLFSSL_SM4_CCM) && defined(WOLFSSL_SM3)
        if (ssl->options.cipherSuite0 == CIPHER_BYTE &&
                ssl->options.cipherSuite == TLS_SM4_CCM_SM3) {
            ;
        }
        else
#endif
        if (ssl->options.cipherSuite0 != TLS13_BYTE) {
            WOLFSSL_MSG("Server sent non-TLS13 cipher suite in TLS 1.3 packet");
            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
            return INVALID_PARAMETER;
        }

        suite[0] = ssl->options.cipherSuite0;
        suite[1] = ssl->options.cipherSuite;
        if (!FindSuiteSSL(ssl, suite)) {
            WOLFSSL_MSG("Cipher suite not supported on client");
            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
            return INVALID_PARAMETER;
        }

#if defined(HAVE_ECH)
        /* Check whether the server accepted ECH. */
        if (ssl->echConfigs != NULL && !ssl->options.disableECH) {
            args->echX = TLSX_Find(ssl->extensions, TLSX_ECH);
            if (args->extMsgType == hello_retry_request) {
                /* NOTE(review): echX is dereferenced without a NULL check;
                 * this relies on the ECH extension always being present in
                 * ssl->extensions when echConfigs is set — confirm. */
                args->acceptOffset =
                    (word32)(((WOLFSSL_ECH*)args->echX->data)->confBuf - input);
                args->acceptLabel = (byte*)echHrrAcceptConfirmationLabel;
                args->acceptLabelSz = ECH_HRR_ACCEPT_CONFIRMATION_LABEL_SZ;
            }
            else {
                args->acceptLabel = (byte*)echAcceptConfirmationLabel;
                args->acceptLabelSz = ECH_ACCEPT_CONFIRMATION_LABEL_SZ;
            }

            /* ret is 0 here (SetCipherSpecs failure returned above). */
            if (ret == 0) {
                ret = EchCheckAcceptance(ssl, args->acceptLabel,
                    args->acceptLabelSz, input, args->acceptOffset, helloSz,
                    args->extMsgType);
            }
            if (ret != 0)
                return ret;

            /* ECH accepted or not, the inner random is the one that counts
             * for the remainder of a (non-HRR) handshake. */
            if (args->extMsgType != hello_retry_request) {
                XMEMCPY(ssl->arrays->clientRandom, ssl->arrays->clientRandomInner,
                    RAN_LEN);
            }
        }
#endif

        if (*extMsgType == server_hello) {
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            /* Look for the PSK the server selected. */
            PreSharedKey* psk = NULL;
            TLSX* ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
            if (ext != NULL)
                psk = (PreSharedKey*)ext->data;
            while (psk != NULL && !psk->chosen)
                psk = psk->next;
            if (psk == NULL) {
                /* No PSK in use: make sure no stale key material remains. */
                ssl->options.resuming = 0;
                ssl->arrays->psk_keySz = 0;
                XMEMSET(ssl->arrays->psk_key, 0, MAX_PSK_KEY_LEN);
            }
            else {
                if ((ret = SetupPskKey(ssl, psk, 0)) != 0)
                    return ret;
                ssl->options.pskNegotiated = 1;
            }
#else
            ssl->options.resuming = 0;
#endif

            /* Without a PSK the server must have answered our key share;
             * otherwise there is no key exchange at all. */
            if (
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                ssl->options.pskNegotiated == 0 &&
#endif
                (ssl->session->namedGroup == 0 ||
                    ssl->options.shSentKeyShare == 0)) {
                return EXT_MISSING;
            }

            ssl->keys.encryptionOn = 1;
            ssl->options.serverState = SERVER_HELLO_COMPLETE;
        }
        else {
            /* An HRR that asks for neither a new key share nor a cookie
             * would change nothing; treat it as illegal. */
            if (!ssl->options.hrrSentKeyShare
#ifdef WOLFSSL_SEND_HRR_COOKIE
                && !ssl->options.hrrSentCookie
#endif
                ) {
                SendAlert(ssl, alert_fatal, illegal_parameter);
                return EXT_MISSING;
            }
            ssl->options.tls1_3 = 1;
            ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;

            /* Transcript restarts with message_hash(ClientHello1). */
            ret = RestartHandshakeHash(ssl);
        }

        break;
    }
    default:
        ret = INPUT_CASE_ERROR;
    }

#ifdef WOLFSSL_ASYNC_CRYPT
    if (ret == 0)
        FreeAsyncCtx(ssl, 0);
#endif

    WOLFSSL_LEAVE("DoTls13ServerHello", ret);
    WOLFSSL_END(WC_FUNC_SERVER_HELLO_DO);

    return ret;
}
/* Client side: parse the EncryptedExtensions message.
 *
 * Reads the extensions length, bound-checks it against totalSz, parses the
 * extensions block and advances *inOutIdx past the body and the record
 * padding (ssl->keys.padSz). With early data, the server's reply decides
 * whether early data stays active; when it does not, the client switches its
 * encrypt side to handshake keys right here.
 *
 * ssl      - SSL object
 * input    - buffer holding the message body
 * inOutIdx - in: index of the body; out: index after body and padding
 * totalSz  - size of the message body
 * returns 0 on success, BUFFER_ERROR on a malformed body, else a TLSX_Parse()
 *         or SetKeysSide() error
 */
static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input,
                                      word32* inOutIdx, word32 totalSz)
{
    int    ret;
    word32 start = *inOutIdx;
    word32 idx   = start;
    word16 extLen;

    WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_DO);
    WOLFSSL_ENTER("DoTls13EncryptedExtensions");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName(ssl, "EncryptedExtensions");
    if (ssl->toInfoOn) AddLateName("EncryptedExtensions", &ssl->timeoutInfo);
#endif

    /* Extensions length, then the block itself, must fit the body. */
    if (totalSz < OPAQUE16_LEN)
        return BUFFER_ERROR;
    ato16(&input[idx], &extLen);
    idx += OPAQUE16_LEN;
    if (idx - start + extLen > totalSz)
        return BUFFER_ERROR;

    ret = TLSX_Parse(ssl, input + idx, extLen, encrypted_extensions, NULL);
    if (ret != 0)
        return ret;

    /* Skip body and the padding of the enclosing record. */
    idx += extLen;
    *inOutIdx = idx + ssl->keys.padSz;

#ifdef WOLFSSL_EARLY_DATA
    if (ssl->earlyData != no_early_data) {
        /* Early data is only accepted when the server echoed the extension. */
        TLSX* earlyDataExt = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
        if (earlyDataExt == NULL || !earlyDataExt->val)
            ssl->earlyData = no_early_data;
    }
    if (ssl->earlyData == no_early_data) {
        /* No early data in flight: encrypt with handshake keys from now on. */
        ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
        if (ret != 0)
            return ret;
    }
#endif

    ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;

    WOLFSSL_LEAVE("DoTls13EncryptedExtensions", ret);
    WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_DO);

    return ret;
}
#ifndef NO_CERTS
/* Client side: parse a CertificateRequest message.
 *
 * Layout parsed: certificate_request_context (1-byte length + data) followed
 * by the extensions block (2-byte length + data). During the initial
 * handshake the context must be empty; a non-empty one is only accepted
 * after the handshake (post-handshake authentication), where it is recorded
 * in ssl->certReqCtx. The extensions must be present (signature_algorithms
 * is mandatory) and are parsed into peerSuites to pick the signature
 * algorithm. Whether a certificate will be sent is decided from the
 * client's configured credentials.
 *
 * ssl      - SSL object
 * input    - buffer holding the message body
 * inOutIdx - in: index of the body; out: index after body and padding
 * size     - size of the message body
 * returns 0 on success, BUFFER_ERROR / INVALID_PARAMETER for a malformed
 *         message, MEMORY_E, NO_CERT_ERROR (when blank certs are disabled),
 *         or an error from TLSX_Parse() / CertSetupCbWrapper()
 */
static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
                                     word32* inOutIdx, word32 size)
{
    int    ret = 0;
    word32 start = *inOutIdx;
    word16 fieldLen;
    Suites peerSuites;
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    CertReqCtx* reqCtx;
#endif

    WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_DO);
    WOLFSSL_ENTER("DoTls13CertificateRequest");

    XMEMSET(&peerSuites, 0, sizeof(Suites));

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateRequest");
    if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo);
#endif

    /* certificate_request_context */
    if (OPAQUE8_LEN > size)
        return BUFFER_ERROR;
    fieldLen = input[(*inOutIdx)++];
    if ((*inOutIdx - start) + fieldLen > size)
        return BUFFER_ERROR;
    /* A context is only meaningful for post-handshake authentication. */
    if (ssl->options.connectState < FINISHED_DONE && fieldLen > 0)
        return BUFFER_ERROR;

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    /* Keep the context so the matching Certificate can echo it back. */
    reqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx) + (fieldLen == 0 ? 0 : fieldLen - 1), ssl->heap,
                                  DYNAMIC_TYPE_TMP_BUFFER);
    if (reqCtx == NULL)
        return MEMORY_E;
    reqCtx->next = ssl->certReqCtx;
    reqCtx->len = fieldLen;
    XMEMCPY(&reqCtx->ctx, input + *inOutIdx, fieldLen);
    ssl->certReqCtx = reqCtx;
#endif
    *inOutIdx += fieldLen;

    /* extensions */
    if ((*inOutIdx - start) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &fieldLen);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - start) + fieldLen > size)
        return BUFFER_ERROR;
    /* signature_algorithms is required, so an empty block is invalid. */
    if (fieldLen == 0)
        return INVALID_PARAMETER;
    ret = TLSX_Parse(ssl, input + *inOutIdx, fieldLen, certificate_request,
                     &peerSuites);
    if (ret != 0)
        return ret;
    *inOutIdx += fieldLen;

#ifdef WOLFSSL_CERT_SETUP_CB
    ret = CertSetupCbWrapper(ssl);
    if (ret != 0)
        return ret;
#endif

    /* Decide whether a certificate can be sent at all. */
    if ((ssl->buffers.certificate && ssl->buffers.certificate->buffer &&
        ((ssl->buffers.key && ssl->buffers.key->buffer)
#ifdef HAVE_PK_CALLBACKS
            || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
#endif
        ))
#ifdef OPENSSL_EXTRA
            || ssl->ctx->certSetupCb != NULL
#endif
            ) {
        /* Pick a signature algorithm both sides support. */
        if (PickHashSigAlgo(ssl, peerSuites.hashSigAlgo,
                            peerSuites.hashSigAlgoSz, 0) != 0) {
            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
            return INVALID_PARAMETER;
        }
        ssl->options.sendVerify = SEND_CERT;
    }
    else {
#ifndef WOLFSSL_NO_CLIENT_CERT_ERROR
        /* No credentials: answer with an empty Certificate message. */
        ssl->options.sendVerify = SEND_BLANK_CERT;
#else
        WOLFSSL_MSG("Certificate required but none set on client");
        SendAlert(ssl, alert_fatal, illegal_parameter);
        WOLFSSL_ERROR_VERBOSE(NO_CERT_ERROR);
        return NO_CERT_ERROR;
#endif
    }

    /* Skip the padding of the enclosing record. */
    *inOutIdx += ssl->keys.padSz;

    WOLFSSL_LEAVE("DoTls13CertificateRequest", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_DO);

    return ret;
}
#endif
#endif
#ifndef NO_WOLFSSL_SERVER
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
#ifndef NO_PSK
/* Server side: ask the application's PSK callbacks for the key belonging to
 * a client-offered identity and determine the cipher suite to use with it.
 *
 * The TLS 1.3 callback (server_psk_tls13_cb) is tried first; it may name a
 * cipher suite, otherwise the legacy callback (server_psk_cb) is used with
 * the default PSK suite. A key length above MAX_PSK_KEY_LEN (other than the
 * USE_HW_PSK marker) is rejected. The suite is then checked against the one
 * being negotiated (or, with WOLFSSL_PSK_ONE_ID / WOLFSSL_PRIORITIZE_PSK,
 * against the server's suite list).
 *
 * ssl        - SSL object (callbacks read from ssl->options)
 * psk        - offered identity
 * psk_key    - output buffer for the key, at least MAX_PSK_KEY_LEN bytes
 * psk_keySz  - output: key length as reported by the callback
 * suite      - 2-byte cipher suite being negotiated
 * found      - output: non-zero when a usable key/suite pair was found
 * foundSuite - optional output: the 2-byte suite to use when found
 * returns 0, or PSK_KEY_ERROR when the callback reported an over-long key
 */
int FindPskSuite(const WOLFSSL* ssl, PreSharedKey* psk, byte* psk_key,
    word32* psk_keySz, const byte* suite, int* found, byte* foundSuite)
{
    const char* name = NULL;
    byte s0 = TLS13_BYTE;
    byte s1 = WOLFSSL_DEF_PSK_CIPHER;
    int ret = 0;

    *found = 0;
    (void)suite;

    /* Preferred: TLS 1.3 aware callback that can name the suite. */
    if (ssl->options.server_psk_tls13_cb != NULL) {
        *psk_keySz = ssl->options.server_psk_tls13_cb((WOLFSSL*)ssl,
            (char*)psk->identity, psk_key, MAX_PSK_KEY_LEN, &name);
        if (*psk_keySz != 0) {
            int flags = WOLFSSL_CIPHER_SUITE_FLAG_NONE;
            *found = (GetCipherSuiteFromName(name, &s0, &s1, NULL, NULL,
                                             &flags) == 0);
            (void)flags;
        }
    }

    /* Fallback: legacy callback, default suite. */
    if (!*found && ssl->options.server_psk_cb != NULL) {
        *psk_keySz = ssl->options.server_psk_cb((WOLFSSL*)ssl,
            (char*)psk->identity, psk_key, MAX_PSK_KEY_LEN);
        *found = (*psk_keySz != 0);
    }

    if (*found) {
        if (*psk_keySz > MAX_PSK_KEY_LEN &&
            (int)*psk_keySz != WC_NO_ERR_TRACE(USE_HW_PSK)) {
            /* Callback claims more bytes than the buffer it was given. */
            WOLFSSL_MSG("Key len too long in FindPsk()");
            ret = PSK_KEY_ERROR;
            WOLFSSL_ERROR_VERBOSE(ret);
            *found = 0;
        }
        else {
#if !defined(WOLFSSL_PSK_ONE_ID) && !defined(WOLFSSL_PRIORITIZE_PSK)
            /* Must match the suite currently being negotiated. */
            *found = (suite[0] == s0) && (suite[1] == s1);
#else
            /* Must be one of the server's configured suites. */
            byte s[2] = { s0, s1 };
            *found = FindSuiteSSL(ssl, s);
#endif
        }
    }

    if (*found && foundSuite != NULL) {
        foundSuite[0] = s0;
        foundSuite[1] = s1;
    }

    return ret;
}
/* Server side: resolve an external (non-ticket) PSK for one offered identity
 * and, when found, set up the cipher specs and early secret for it.
 *
 * An external PSK must be offered with a zero obfuscated ticket age; a
 * non-zero age is reported as PSK_KEY_ERROR even though the key was found.
 *
 * ssl   - SSL object; key goes to ssl->arrays->psk_key / psk_keySz
 * psk   - offered identity
 * suite - 2-byte cipher suite being negotiated
 * err   - output: 0 or the error encountered (PSK_KEY_ERROR, SetCipherSpecs()
 *         or DeriveEarlySecret() failure)
 * returns non-zero when the identity was found (check *err as well), 0 when
 *         not found
 */
static int FindPsk(WOLFSSL* ssl, PreSharedKey* psk, const byte* suite, int* err)
{
    int  ret = 0;
    int  found = 0;
    byte chosen[SUITE_LEN];

    WOLFSSL_ENTER("FindPsk");

    XMEMSET(chosen, 0, sizeof(chosen));
    ret = FindPskSuite(ssl, psk, ssl->arrays->psk_key, &ssl->arrays->psk_keySz,
                       suite, &found, chosen);
    if (ret == 0 && found) {
        /* External PSK: not a resumption and no peer certificate. */
        ssl->options.resuming = 0;
        ssl->options.verifyPeer = 0;

        if (psk->ticketAge != 0) {
            /* External PSKs carry no ticket age. */
            ret = PSK_KEY_ERROR;
            WOLFSSL_ERROR_VERBOSE(ret);
        }
        else {
            ssl->options.cipherSuite0 = chosen[0];
            ssl->options.cipherSuite  = chosen[1];
            ret = SetCipherSpecs(ssl);
            if (ret == 0)
                ret = DeriveEarlySecret(ssl);
            if (ret == 0) {
                ssl->options.isPSK = 1;
                ssl->options.peerAuthGood = 1;
            }
        }
    }

    *err = ret;

    WOLFSSL_LEAVE("FindPsk", found);
    WOLFSSL_LEAVE("FindPsk", ret);

    return found;
}
#endif
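/* Server side: walk the client's offered PSK identities, find the first one
 * we can use with the given cipher suite and verify its binder.
 *
 * For each identity a session ticket is tried first (HAVE_SESSION_TICKET),
 * then an external PSK via FindPsk() (not NO_PSK). Once a PSK is selected the
 * handshake hash is seeded with the ClientHello up to the binders, the binder
 * key is derived and the client's binder is recomputed and compared in
 * constant time. A wrong binder is fatal (BAD_BINDER); an identity that
 * merely cannot be used is skipped. Note that when FindPsk() reports "not
 * found" any error it stored in ret is discarded by the skip.
 *
 * The only code change in this revision restores the address-of expressions
 * `&current->sess_free_cb_ctx` that had been mangled in the source
 * (an HTML-entity artefact); no logic was altered.
 *
 * ssl      - SSL object
 * input    - ClientHello body
 * inputSz  - size of the ClientHello up to (excluding) the binders
 * suite    - 2-byte cipher suite to match the PSK against
 * usingPSK - output: set to 1 when a PSK was selected (left untouched
 *            otherwise)
 * first    - output: 1 when the selected identity is the first one offered
 *            (only then may early data be accepted)
 * returns 0 when a PSK was selected or none matched (unless
 *         WOLFSSL_PSK_ID_PROTECTION turns that into BAD_BINDER), BAD_BINDER
 *         on a binder mismatch, BAD_FUNC_ARG when the extension is absent,
 *         BUFFER_ERROR on an over-long identity, WC_PENDING_E for async, or
 *         a key-derivation/hash error
 */
static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz,
                           const byte* suite, int* usingPSK, int* first)
{
    int           ret = 0;
    TLSX*         ext;
    PreSharedKey* current;
    byte          binderKey[WC_MAX_DIGEST_SIZE];
    byte          binder[WC_MAX_DIGEST_SIZE];
    word32        binderLen;

#ifdef NO_PSK
    (void) suite;
#endif

    WOLFSSL_ENTER("DoPreSharedKeys");

    (void)suite;

    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    if (ext == NULL) {
        WOLFSSL_MSG("No pre shared extension keys found");
        ret = BAD_FUNC_ARG;
        goto cleanup;
    }

    /* Try each identity in the order the client listed them. */
    for (current = (PreSharedKey*)ext->data; current != NULL;
            current = current->next) {
#ifndef NO_PSK
        /* Identity is exposed to the PSK callbacks as a C string;
         * assumes client_identity holds MAX_PSK_ID_LEN + 1 bytes. */
        if (current->identityLen > MAX_PSK_ID_LEN) {
            ret = BUFFER_ERROR;
            goto cleanup;
        }
        XMEMCPY(ssl->arrays->client_identity, current->identity,
            current->identityLen);
        ssl->arrays->client_identity[current->identityLen] = '\0';
#endif

#ifdef HAVE_SESSION_TICKET
        /* The ticket may already have been decrypted in an earlier pass
         * (async resume); reuse that outcome. */
        switch (current->decryptRet) {
            case PSK_DECRYPT_NONE:
                ret = DoClientTicket_ex(ssl, current, 1);
                break;
            case PSK_DECRYPT_OK:
                ret = WOLFSSL_TICKET_RET_OK;
                break;
            case PSK_DECRYPT_CREATE:
                ret = WOLFSSL_TICKET_RET_CREATE;
                break;
            case PSK_DECRYPT_FAIL:
                ret = WOLFSSL_TICKET_RET_REJECT;
                break;
        }

    #ifdef WOLFSSL_ASYNC_CRYPT
        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
            goto cleanup;
    #endif

        /* Release the decrypted session whenever it is not going to be
         * used, so nothing sensitive outlives this decision. */
        if (ret != WOLFSSL_TICKET_RET_OK && current->sess_free_cb != NULL) {
            current->sess_free_cb(ssl, current->sess,
                                  &current->sess_free_cb_ctx);
            current->sess = NULL;
            XMEMSET(&current->sess_free_cb_ctx, 0,
                    sizeof(psk_sess_free_cb_ctx));
        }

        if (ret == WOLFSSL_TICKET_RET_OK) {
            /* Ticket decrypted: validate it (age, suite, ...) and copy what
             * we need into ssl->session before freeing it. */
            ret = DoClientTicketCheck(ssl, current, ssl->timeout, suite);
            if (ret == 0)
                DoClientTicketFinalize(ssl, current->it, current->sess);
            if (current->sess_free_cb != NULL) {
                current->sess_free_cb(ssl, current->sess,
                                      &current->sess_free_cb_ctx);
                current->sess = NULL;
                XMEMSET(&current->sess_free_cb_ctx, 0,
                        sizeof(psk_sess_free_cb_ctx));
            }
            if (ret != 0)
                continue;   /* unusable ticket: try the next identity */

            /* Resumption: the ticket vouches for the peer. */
            ssl->options.peerAuthGood = 1;
        #ifdef WOLFSSL_EARLY_DATA
            ssl->options.maxEarlyDataSz = ssl->session->maxEarlyDataSz;
        #endif
            ssl->options.cipherSuite0 = ssl->session->cipherSuite0;
            ssl->options.cipherSuite  = ssl->session->cipherSuite;
            ret = SetCipherSpecs(ssl);
            if (ret != 0)
                goto cleanup;

            /* Resumption PSK from the ticket's resumption secret + nonce. */
            ssl->arrays->psk_keySz = ssl->specs.hash_size;
            if ((ret = DeriveResumptionPSK(ssl, ssl->session->ticketNonce.data,
                    ssl->session->ticketNonce.len, ssl->arrays->psk_key)) != 0) {
                goto cleanup;
            }

            ret = DeriveEarlySecret(ssl);
            if (ret != 0)
                goto cleanup;

            /* Binder covers the ClientHello up to the binders list. */
            ret = HashInput(ssl, input, (int)inputSz);
            if (ret < 0)
                goto cleanup;

            ret = DeriveBinderKeyResume(ssl, binderKey);
            if (ret != 0)
                goto cleanup;
        }
        else
#endif
#ifndef NO_PSK
        if (FindPsk(ssl, current, suite, &ret)) {
            if (ret != 0)
                goto cleanup;

            ret = HashInput(ssl, input, (int)inputSz);
            if (ret < 0)
                goto cleanup;

            ret = DeriveBinderKey(ssl, binderKey);
            if (ret != 0)
                goto cleanup;
        }
        else
#endif
        {
            continue;   /* identity unknown: try the next one */
        }

        /* PSK handshake: no CertificateVerify from the client. */
        ssl->options.sendVerify = 0;

        /* Recompute the binder and compare it in constant time. */
        ret = DeriveFinishedSecret(ssl, binderKey,
                                   ssl->keys.client_write_MAC_secret,
                                   0 );
        if (ret != 0)
            goto cleanup;

        ret = BuildTls13HandshakeHmac(ssl,
            ssl->keys.client_write_MAC_secret, binder, &binderLen);
        if (ret != 0)
            goto cleanup;

        if (binderLen != current->binderLen ||
                ConstantCompare(binder, current->binder,
                                binderLen) != 0) {
            WOLFSSL_ERROR_VERBOSE(BAD_BINDER);
            ret = BAD_BINDER;
            goto cleanup;
        }

        /* Selected: record it so the ServerHello can reference it. */
        current->chosen = 1;
        ext->resp = 1;
        break;
    }

    if (current == NULL) {
        /* No identity matched. */
#ifdef WOLFSSL_PSK_ID_PROTECTION
    #ifndef NO_CERTS
        if (ssl->buffers.certChainCnt != 0) {
            ret = 0;
            goto cleanup;
        }
    #endif
        WOLFSSL_ERROR_VERBOSE(BAD_BINDER);
        ret = BAD_BINDER;
        goto cleanup;
#else
        ret = 0;
        goto cleanup;
#endif
    }

    *first = (current == ext->data);
    *usingPSK = 1;

cleanup:
    /* Binder key material must not linger on the stack. */
    ForceZero(binderKey, sizeof(binderKey));
    ForceZero(binder, sizeof(binder));
    WOLFSSL_LEAVE("DoPreSharedKeys", ret);
    return ret;
}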
/* Server side: handle the pre_shared_key extension of a ClientHello.
 *
 * Without the extension the ClientHello is simply hashed. With it, the
 * extension must be the last one, the binders are located, the suite list is
 * refined and DoPreSharedKeys() is run per candidate suite (or once with
 * WOLFSSL_PSK_ONE_ID). The transcript is then completed: when a PSK was
 * chosen only the binders remain to be hashed (the rest was hashed for the
 * binder check), otherwise the whole hello is hashed. Finally early data and
 * the psk_key_exchange_modes are evaluated.
 *
 * ssl      - SSL object
 * input    - ClientHello body
 * helloSz  - size of the ClientHello body
 * clSuites - client's offered suites, refined against the server's list
 * usingPSK - output: 0 no PSK, 1 PSK only (psk_ke), 2 PSK with (EC)DHE
 * returns 0 on success, PSK_KEY_ERROR / BAD_BINDER / BUFFER_ERROR /
 *         MISSING_HANDSHAKE_DATA, or an error from the helpers called
 */
static int CheckPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
                              Suites* clSuites, int* usingPSK)
{
    int    ret;
    TLSX*  ext;
    word16 bindersLen;
    int    first = 0;
#ifndef WOLFSSL_PSK_ONE_ID
    int    i;
    const Suites* suites;
#else
    /* NOTE(review): suite is never initialised in this configuration;
     * FindPskSuite() ignores it under WOLFSSL_PSK_ONE_ID, but
     * DoClientTicketCheck() also receives it — confirm it is unused there. */
    byte   suite[2];
#endif

    WOLFSSL_ENTER("CheckPreSharedKeys");

    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    if (ext == NULL) {
        /* No PSK offered: plain handshake, no early data possible. */
#ifdef WOLFSSL_EARLY_DATA
        ssl->earlyData = no_early_data;
#endif
        if (usingPSK)
            *usingPSK = 0;
        ret = HashInput(ssl, input, (int)helloSz);
        return ret;
    }

    /* pre_shared_key must be the last extension (ssl->extensions is
     * presumably kept in reverse parse order, so it is the head here). */
    if (ssl->extensions != ext) {
        WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
        return PSK_KEY_ERROR;
    }

    ssl->options.resuming = 1;

    /* Size of the binders list at the end of the hello; the binder check
     * hashes everything before it. */
    ret = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
                                                    client_hello, &bindersLen);
    if (ret < 0)
        return ret;

    if (bindersLen > helloSz)
        return BUFFER_ERROR;

    sslRefineSuites(ssl, clSuites);

#ifndef WOLFSSL_PSK_ONE_ID
    if (usingPSK == NULL)
        return BAD_FUNC_ARG;

    /* Try each candidate suite until a PSK matches. */
    suites = WOLFSSL_SUITES(ssl);
    for (i = 0; !(*usingPSK) && i < suites->suiteSz; i += 2) {
        ret = DoPreSharedKeys(ssl, input, helloSz - bindersLen,
            suites->suites + i, usingPSK, &first);
        if (ret != 0) {
#ifdef HAVE_SESSION_TICKET
#ifdef WOLFSSL_ASYNC_CRYPT
            /* Keep ticket state for the async resume. */
            if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
#endif
                CleanupClientTickets((PreSharedKey*)ext->data);
#endif
            WOLFSSL_MSG_EX("DoPreSharedKeys: %d", ret);
            return ret;
        }
    }
#ifdef HAVE_SESSION_TICKET
    CleanupClientTickets((PreSharedKey*)ext->data);
#endif
#else
    ret = DoPreSharedKeys(ssl, input, helloSz - bindersLen, suite, usingPSK,
        &first);
    if (ret != 0) {
        WOLFSSL_MSG_EX("DoPreSharedKeys: %d", ret);
        return ret;
    }
#endif

    /* Complete the transcript hash of the ClientHello. */
    if (*usingPSK) {
        ret = HashRaw(ssl, input + helloSz - bindersLen, bindersLen);
    }
    else {
        ret = HashInput(ssl, input, (int)helloSz);
    }
    if (ret != 0)
        return ret;

    if (*usingPSK != 0) {
        word32 modes;
#ifdef WOLFSSL_EARLY_DATA
        TLSX*  extEarlyData;

        /* Early data is only accepted with the first offered identity. */
        extEarlyData = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
        if (extEarlyData != NULL) {
            if (ssl->earlyData != no_early_data && first) {
                extEarlyData->resp = 1;

                /* Derive the client's early traffic key and decrypt with it. */
                ret = DeriveTls13Keys(ssl, early_data_key, DECRYPT_SIDE_ONLY,
                                      1);
                if (ret != 0)
                    return ret;

                if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
                    return ret;

                ssl->keys.encryptionOn = 1;
                ssl->earlyData = process_early_data;
            }
            else
                extEarlyData->resp = 0;
        }
#endif

        /* psk_key_exchange_modes is mandatory alongside pre_shared_key. */
        ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
        if (ext == NULL) {
            WOLFSSL_ERROR_VERBOSE(MISSING_HANDSHAKE_DATA);
            return MISSING_HANDSHAKE_DATA;
        }
        modes = ext->val;

#ifdef HAVE_SUPPORTED_CURVES
        /* Prefer PSK with (EC)DHE when the client allows it and sent a
         * key share; it gives forward secrecy for the session. */
        ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
        if ((modes & (1 << PSK_DHE_KE)) != 0 && !ssl->options.noPskDheKe &&
                                                                  ext != NULL) {
            ssl->namedGroup = ssl->session->namedGroup;
            *usingPSK = 2;
        }
        else if (ssl->options.onlyPskDheKe) {
            return PSK_KEY_ERROR;
        }
        else
#endif
        {
            /* PSK-only: the client must have allowed psk_ke. */
            if ((modes & (1 << PSK_KE)) == 0) {
                WOLFSSL_MSG("psk_ke mode does not allow key share");
                WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
                return PSK_KEY_ERROR;
            }
            ssl->options.noPskDheKe = 1;
            ssl->arrays->preMasterSz = 0;
            *usingPSK = 1;
        }
    }
#ifdef WOLFSSL_PSK_ID_PROTECTION
    else {
        /* No PSK matched: only continue when a certificate handshake can
         * take its place, otherwise do not reveal which part failed. */
    #ifndef NO_CERTS
        if (ssl->buffers.certChainCnt != 0)
            return 0;
    #endif
        WOLFSSL_ERROR_VERBOSE(BAD_BINDER);
        return BAD_BINDER;
    }
#endif

    WOLFSSL_LEAVE("CheckPreSharedKeys", ret);

    return 0;
}
#endif
#if defined(WOLFSSL_SEND_HRR_COOKIE)
/* Verify the HMAC that protects a HelloRetryRequest cookie.
 *
 * The cookie is <body><mac>, where the MAC is an HMAC over the body (and,
 * for DTLS, the peer address) keyed with ssl->buffers.tls13CookieSecret.
 * The digest type is the strongest one compiled in, in the order SHA-256,
 * SHA-384, SHA-512, SM3. The comparison is constant time.
 *
 * ssl      - SSL object holding the cookie secret and peer address
 * cookie   - cookie bytes received from the client
 * cookieSz - total cookie length
 * returns the body length (cookie length minus MAC) on success, or
 *         COOKIE_ERROR when no secret is set, HRR_COOKIE_ERROR when the
 *         cookie is too short or the MAC does not match, else an HMAC error
 */
int TlsCheckCookie(const WOLFSSL* ssl, const byte* cookie, word16 cookieSz)
{
    int    ret;
    byte   digest[WC_MAX_DIGEST_SIZE] = {0};
    Hmac   hmac;
    byte   digestType = 0;
    byte   digestSz = 0;
    word16 bodySz;

    if (ssl->buffers.tls13CookieSecret.buffer == NULL ||
        ssl->buffers.tls13CookieSecret.length == 0) {
        WOLFSSL_MSG("Missing DTLS 1.3 cookie secret");
        return COOKIE_ERROR;
    }

#ifndef NO_SHA256
    digestType = WC_SHA256;
    digestSz = WC_SHA256_DIGEST_SIZE;
#elif defined(WOLFSSL_SHA384)
    digestType = WC_SHA384;
    digestSz = WC_SHA384_DIGEST_SIZE;
#elif defined(WOLFSSL_TLS13_SHA512)
    digestType = WC_SHA512;
    digestSz = WC_SHA512_DIGEST_SIZE;
#elif defined(WOLFSSL_SM3)
    digestType = WC_SM3;
    digestSz = WC_SM3_DIGEST_SIZE;
#else
    #error "No digest to available to use with HMAC for cookies."
#endif

    /* Body must hold at least the transcript hash, then the MAC follows. */
    if (cookieSz < ssl->specs.hash_size + digestSz)
        return HRR_COOKIE_ERROR;
    bodySz = (word16)(cookieSz - digestSz);

    /* wc_HmacFree() is always called after wc_HmacInit(), even on failure. */
    ret = wc_HmacInit(&hmac, ssl->heap, ssl->devId);
    if (ret == 0) {
        ret = wc_HmacSetKey(&hmac, digestType,
            ssl->buffers.tls13CookieSecret.buffer,
            ssl->buffers.tls13CookieSecret.length);
    }
    if (ret == 0)
        ret = wc_HmacUpdate(&hmac, cookie, bodySz);
#ifdef WOLFSSL_DTLS13
    /* Bind the cookie to the peer's address. */
    if (ret == 0 && ssl->options.dtls && ssl->buffers.dtlsCtx.peer.sz > 0) {
        ret = wc_HmacUpdate(&hmac,
            (byte*)ssl->buffers.dtlsCtx.peer.sa,
            ssl->buffers.dtlsCtx.peer.sz);
    }
#endif
    if (ret == 0)
        ret = wc_HmacFinal(&hmac, digest);
    wc_HmacFree(&hmac);
    if (ret != 0)
        return ret;

    if (ConstantCompare(cookie + bodySz, digest, digestSz) != 0) {
        WOLFSSL_ERROR_VERBOSE(HRR_COOKIE_ERROR);
        return HRR_COOKIE_ERROR;
    }

    return bodySz;
}
/* Sizes used to rebuild a HelloRetryRequest from a cookie. */
/* key_share ext: type + length + group */
#define HRR_KEY_SHARE_SZ   (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
/* supported_versions ext: type + length + version */
#define HRR_VERSIONS_SZ    (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
/* cookie ext header: type + ext length + cookie length (data follows) */
#define HRR_COOKIE_HDR_SZ  (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
/* HRR body with a maximum-size session id and the extensions length */
#define HRR_BODY_SZ        (VERSION_SZ + RAN_LEN + ENUM_LEN + ID_LEN + \
                            SUITE_LEN + COMP_LEN + OPAQUE16_LEN)
/* Largest HRR buffer needed (cookie data itself is hashed separately). */
#define MAX_HRR_SZ   (HRR_MAX_HS_HEADER_SZ + \
                      HRR_BODY_SZ         + \
                      HRR_KEY_SHARE_SZ    + \
                      HRR_VERSIONS_SZ     + \
                      HRR_COOKIE_HDR_SZ)
/* Server side (stateless HRR): rebuild the handshake transcript from a
 * client-returned cookie.
 *
 * The cookie body is <hashSz><ClientHello1 hash><suite>[<key share group>].
 * After TlsCheckCookie() has authenticated it, the transcript is restarted as
 * message_hash(ClientHello1) followed by a reconstruction of the HRR that was
 * sent (body, then the cookie extension) so that it matches what the client
 * hashed.
 *
 * ssl    - SSL object; ssl->options.hrrCipherSuite0/1 and
 *          ssl->hrr_keyshare_group are restored from the cookie
 * cookie - cookie extension data from the second ClientHello
 * returns 0 on success, the TlsCheckCookie() error, or a hashing error
 */
static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
{
    byte   header[HANDSHAKE_HEADER_SZ] = {0};
    byte   hrr[MAX_HRR_SZ] = {0};
    int    hrrIdx;
    word32 idx;
    byte   hashSz;
    byte*  cookieData;
    word16 cookieDataSz;
    word16 length;
    int    keyShareExt = 0;
    int    ret;
    byte   sessIdSz;

    /* Authenticate first: everything below trusts the cookie contents as
     * having been produced by this server. */
    ret = TlsCheckCookie(ssl, cookie->data, cookie->len);
    if (ret < 0)
        return ret;
    cookieDataSz = (word16)ret;

    /* hashSz is taken from the authenticated body; there is no separate
     * range check against cookieDataSz before it is hashed below. */
    hashSz = cookie->data[0];
    cookieData = cookie->data;
    idx = OPAQUE8_LEN;

    /* message_hash(ClientHello1) replaces the first ClientHello. */
    AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl);
    if ((ret = InitHandshakeHashes(ssl)) != 0)
        return ret;
    if ((ret = HashRaw(ssl, header, sizeof(header))) != 0)
        return ret;
#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("Restart Hash from Cookie");
    WOLFSSL_BUFFER(cookieData + idx, hashSz);
#endif
    if ((ret = HashRaw(ssl, cookieData + idx, hashSz)) != 0)
        return ret;

    /* Session id echoed in the HRR (never for DTLS). */
    sessIdSz = ssl->session->sessionIDSz;
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls)
        sessIdSz = 0;
#endif

    /* HRR length: body with the actual session id, cookie ext, versions ext
     * and, when the cookie carries a group, a key_share ext. */
    length = HRR_BODY_SZ - ID_LEN + sessIdSz +
             HRR_COOKIE_HDR_SZ + cookie->len;
    length += HRR_VERSIONS_SZ;
    /* NOTE(review): the condition only guarantees one byte beyond the
     * suite while two are read for the group below; the MAC that follows
     * keeps the read inside cookie->data — confirm the generator always
     * writes a full 2-byte group. */
    if (cookieDataSz > OPAQUE8_LEN + hashSz + OPAQUE16_LEN) {
        keyShareExt = 1;
        length += HRR_KEY_SHARE_SZ;
    }
    AddTls13HandShakeHeader(hrr, length, 0, 0, server_hello, ssl);

    idx += hashSz;
    hrrIdx = HANDSHAKE_HEADER_SZ;
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls)
        hrrIdx += DTLS_HANDSHAKE_EXTRA;
#endif

    /* legacy_version, HRR random, session id echo */
    hrr[hrrIdx++] = ssl->version.major;
    hrr[hrrIdx++] = ssl->options.dtls ? DTLSv1_2_MINOR : TLSv1_2_MINOR;
    XMEMCPY(hrr + hrrIdx, helloRetryRequestRandom, RAN_LEN);
    hrrIdx += RAN_LEN;
    hrr[hrrIdx++] = sessIdSz;
    if (sessIdSz > 0) {
        XMEMCPY(hrr + hrrIdx, ssl->session->sessionID, sessIdSz);
        hrrIdx += sessIdSz;
    }

    /* Cipher suite announced in the HRR, remembered for the ServerHello. */
    ssl->options.hrrCipherSuite0 = cookieData[idx];
    hrr[hrrIdx++] = cookieData[idx++];
    ssl->options.hrrCipherSuite = cookieData[idx];
    hrr[hrrIdx++] = cookieData[idx++];

    /* compression method */
    hrr[hrrIdx++] = 0;

    /* extensions length */
    length -= HRR_BODY_SZ - ID_LEN + sessIdSz;
    c16toa(length, hrr + hrrIdx);
    hrrIdx += 2;

    if (keyShareExt) {
        c16toa(TLSX_KEY_SHARE, hrr + hrrIdx);
        hrrIdx += 2;
        c16toa(OPAQUE16_LEN, hrr + hrrIdx);
        hrrIdx += 2;
        ato16(cookieData + idx, &ssl->hrr_keyshare_group);
        hrr[hrrIdx++] = cookieData[idx++];
        hrr[hrrIdx++] = cookieData[idx++];
    }

    c16toa(TLSX_SUPPORTED_VERSIONS, hrr + hrrIdx);
    hrrIdx += 2;
    c16toa(OPAQUE16_LEN, hrr + hrrIdx);
    hrrIdx += 2;
#ifdef WOLFSSL_TLS13_DRAFT
    hrr[hrrIdx++] = TLS_DRAFT_MAJOR;
    hrr[hrrIdx++] = TLS_DRAFT_MINOR;
#else
    hrr[hrrIdx++] = ssl->version.major;
    hrr[hrrIdx++] = ssl->version.minor;
#endif

    /* cookie extension header; the cookie bytes are hashed separately */
    c16toa(TLSX_COOKIE, hrr + hrrIdx);
    hrrIdx += 2;
    c16toa(cookie->len + OPAQUE16_LEN, hrr + hrrIdx);
    hrrIdx += 2;
    c16toa(cookie->len, hrr + hrrIdx);
    hrrIdx += 2;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("Reconstructed HelloRetryRequest");
    WOLFSSL_BUFFER(hrr, hrrIdx);
    WOLFSSL_MSG("Cookie");
    WOLFSSL_BUFFER(cookieData, cookie->len);
#endif

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        ret = Dtls13HashHandshake(ssl, hrr, (word16)hrrIdx);
    }
    else
#endif
    {
        ret = HashRaw(ssl, hrr, hrrIdx);
    }
    if (ret != 0)
        return ret;

    return HashRaw(ssl, cookieData, cookie->len);
}
#endif
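/* Pre-scan a ClientHello body for supported_versions to decide whether the
 * client wants a version below TLS 1.3.
 *
 * Skips random, session id, (DTLS) cookie, cipher suites and compression
 * methods without interpreting them and hands the extensions block to
 * TLSX_ParseVersion(). Every length-prefixed field is bounds-checked
 * against helloSz: the one-byte length fields are now checked to lie inside
 * the body before they are read (previously only the data they describe was
 * checked, so a body ending exactly at such a field read one byte past it
 * before failing; the result is BUFFER_ERROR in both cases).
 *
 * ssl           - SSL object; TLSX_ParseVersion() may update ssl->version
 * input         - ClientHello body
 * i             - index of the random field (just after legacy_version)
 * helloSz       - bound the indices are checked against
 * wantDowngrade - output: 1 when no usable supported_versions entry was
 *                 found or the negotiated version is below TLS 1.3, else 0
 * returns 0, BUFFER_ERROR for a malformed body, or a TLSX_ParseVersion() error
 */
static int DoTls13SupportedVersions(WOLFSSL* ssl, const byte* input, word32 i,
                                    word32 helloSz, int* wantDowngrade)
{
    int    ret;
    byte   b;
    word16 suiteSz;
    word16 totalExtSz;
    int    foundVersion = 0;

    /* random, then session id (length byte must be inside the body) */
    i += RAN_LEN;
    if (i + OPAQUE8_LEN > helloSz)
        return BUFFER_ERROR;
    b = input[i++];
    if (i + b > helloSz) {
        return BUFFER_ERROR;
    }
    i += b;

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        /* DTLS carries a cookie field after the session id. */
        if (i + OPAQUE8_LEN > helloSz)
            return BUFFER_ERROR;
        b = input[i++];
        if (i + b > helloSz) {
            return BUFFER_ERROR;
        }
        i += b;
    }
#endif

    /* cipher suites */
    if (i + OPAQUE16_LEN > helloSz)
        return BUFFER_ERROR;
    ato16(input + i, &suiteSz);
    i += OPAQUE16_LEN;
    /* the +1 covers the compression methods length byte that follows */
    if (i + suiteSz + 1 > helloSz)
        return BUFFER_ERROR;
    i += suiteSz;

    /* compression methods */
    b = input[i++];
    if (i + b > helloSz)
        return BUFFER_ERROR;
    i += b;

    /* extensions (optional) */
    if (i < helloSz) {
        if (i + OPAQUE16_LEN > helloSz)
            return BUFFER_ERROR;
        ato16(&input[i], &totalExtSz);
        i += OPAQUE16_LEN;
        /* the extensions block must end exactly with the body */
        if (totalExtSz != helloSz - i)
            return BUFFER_ERROR;

        if ((ret = TLSX_ParseVersion(ssl, input + i, totalExtSz, client_hello,
                                     &foundVersion))) {
            return ret;
        }
    }

    /* No extensions at all means no supported_versions: downgrade. */
    *wantDowngrade = !foundVersion || !IsAtLeastTLSv1_3(ssl->version);

    return 0;
}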
#ifdef HAVE_ECH
/* Compute the ECH acceptance confirmation for a ServerHello or
 * HelloRetryRequest and fold the message into the right transcript.
 *
 * label/labelSz  HKDF label for the confirmation (ServerHello or HRR label).
 * output         start of the handshake message (handshake header first).
 * acceptOffset   offset within output where the confirmation is placed;
 *                presumably also the destination written by
 *                EchCalcAcceptance (it is passed as the last argument).
 * helloSz        length of the handshake message including its header.
 * msgType        server_hello or hello_retry_request.
 *
 * For an HRR the message is hashed into the inner (ECH) transcript and the
 * outer transcript is put back in place. For a ServerHello the outer
 * transcript is freed and the inner one becomes the connection's transcript,
 * i.e. ECH has been accepted.
 *
 * Returns 0 or the error from EchCalcAcceptance / HashRaw.
 */
static int EchWriteAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
    byte* output, int acceptOffset, int helloSz, byte msgType)
{
    int        ret;
    int        hsHeaderSz;
    HS_Hashes* savedHashes;
    const int  isHrr = (msgType == hello_retry_request);

    /* Handshake header size differs between TLS and DTLS 1.3. */
    hsHeaderSz = HANDSHAKE_HEADER_SZ;
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls)
        hsHeaderSz = DTLS13_HANDSHAKE_HEADER_SZ;
#endif

    ret = EchCalcAcceptance(ssl, label, labelSz, output, acceptOffset,
                            helloSz - hsHeaderSz, isHrr,
                            output + acceptOffset);
    if (ret != 0)
        return ret;

    /* Work on the inner transcript while keeping the outer one. */
    savedHashes = ssl->hsHashes;
    ssl->hsHashes = ssl->hsHashesEch;

    if (isHrr) {
        /* HRR: hash into the inner transcript, then restore the outer. */
        ret = HashRaw(ssl, output, helloSz);
        ssl->hsHashes = savedHashes;
    }
    else {
        /* ServerHello: ECH accepted. Drop the outer transcript and adopt
         * the inner one as the connection transcript. */
        ssl->options.echAccepted = 1;
        ssl->hsHashes = savedHashes;
        FreeHandshakeHashes(ssl);
        ssl->hsHashes = ssl->hsHashesEch;
        ssl->hsHashesEch = NULL;
    }

    return ret;
}
#endif
/* Per-call state of DoTls13ClientHello. With WOLFSSL_ASYNC_CRYPT it lives in
 * ssl->async->args so the function can resume after a WC_PENDING_E return;
 * otherwise it is a stack local. */
typedef struct Dch13Args {
    ProtocolVersion pv;       /* legacy_version field of the ClientHello */
    word32          idx;      /* current parse offset into input */
    word32          begin;    /* offset of the ClientHello body in input */
    int             usingPSK; /* non-zero once CheckPreSharedKeys selected a
                               * PSK; DoTls13ClientHello treats the value 2
                               * as "PSK with key share" (see its use) */
} Dch13Args;
/* Release resources owned by DoTls13ClientHello once it is finished.
 *
 * The parsed client cipher suite list (ssl->clSuites) is only kept alive
 * past the ClientHello when OPENSSL_EXTRA is enabled; otherwise it is freed
 * here. pArgs is accepted for the async freeArgs callback signature and is
 * not used.
 */
static void FreeDch13Args(WOLFSSL* ssl, void* pArgs)
{
    (void)pArgs;

#ifndef OPENSSL_EXTRA
    if (ssl->clSuites != NULL) {
        XFREE(ssl->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);
        ssl->clSuites = NULL;
    }
#else
    (void)ssl;
#endif
}
/* Process a ClientHello on a TLS 1.3 server.
 *
 * Parses the hello, negotiates the version (handing pre-1.3 clients to
 * DoClientHello when downgrade is allowed), parses the extensions, validates
 * HelloRetryRequest and cookie state, selects a PSK or a cipher suite and
 * key share, and derives the early secret. The body is a state machine over
 * ssl->options.asyncState so it can be re-entered after an asynchronous
 * crypto operation returned WC_PENDING_E.
 *
 * ssl       connection object (server side).
 * input     buffer holding the message.
 * inOutIdx  in: offset of the ClientHello body (just past the handshake
 *           header); out: offset just past the hello.
 * helloSz   length of the ClientHello body in bytes.
 *
 * Returns 0, WC_PENDING_E while async work is outstanding, or a negative
 * wolfSSL error code.
 */
int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                       word32 helloSz)
{
    int ret;
#ifdef WOLFSSL_ASYNC_CRYPT
    Dch13Args* args = NULL;
    WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
#else
    Dch13Args  args[1];
#endif
#if defined(HAVE_ECH)
    TLSX* echX = NULL;
#endif

    WOLFSSL_START(WC_FUNC_CLIENT_HELLO_DO);
    WOLFSSL_ENTER("DoTls13ClientHello");

#ifdef WOLFSSL_ASYNC_CRYPT
    if (ssl->async == NULL) {
        ssl->async = (struct WOLFSSL_ASYNC*)
                XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
                        DYNAMIC_TYPE_ASYNC);
        if (ssl->async == NULL)
            ERROR_OUT(MEMORY_E, exit_dch);
    }
    args = (Dch13Args*)ssl->async->args;

    /* Resume from a previous WC_PENDING_E if there was one. */
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
    if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
        /* Check for error */
        if (ret < 0) {
            goto exit_dch;
        }
    }
    else
#endif
    {
        /* Fresh call: start the state machine from the beginning. ret gets a
         * default of VERSION_ERROR so an early exit without an explicit error
         * still fails closed. */
        ret = WC_NO_ERR_TRACE(VERSION_ERROR);
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
        XMEMSET(args, 0, sizeof(Dch13Args));
    #ifdef WOLFSSL_ASYNC_CRYPT
        ssl->async->freeArgs = FreeDch13Args;
    #endif
    }

    switch (ssl->options.asyncState) {
    case TLS_ASYNC_BEGIN:
    {
        byte b;
        byte sessIdSz;
        int wantDowngrade = 0;
        word16 totalExtSz = 0;

#ifdef WOLFSSL_CALLBACKS
        if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello");
        if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo);
#endif

#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
        /* Stateless DTLS: until a valid cookie has been returned the hello
         * is handled by DoClientHelloStateless. If that did not make the
         * connection stateful (e.g. it answered with a stateless HRR), the
         * hello is consumed and we are done. */
        if (IsDtlsNotSctpMode(ssl) && ssl->options.sendCookie &&
            !ssl->options.dtlsStateful) {
            DtlsSetSeqNumForReply(ssl);
            ret = DoClientHelloStateless(ssl, input + *inOutIdx, helloSz, 0, NULL);
            if (ret != 0 || !ssl->options.dtlsStateful) {
                *inOutIdx += helloSz;
                goto exit_dch;
            }
            /* Application hook once the cookie round trip succeeded. Note
             * this returns directly and skips the exit_dch cleanup. */
            if (ssl->chGoodCb != NULL) {
                int cbret = ssl->chGoodCb(ssl, ssl->chGoodCtx);
                if (cbret < 0) {
                    ssl->error = cbret;
                    WOLFSSL_MSG("ClientHello Good Cb don't continue error");
                    return WOLFSSL_FATAL_ERROR;
                }
            }
        }
        ssl->options.dtlsStateful = 1;
#endif

        args->idx = *inOutIdx;
        args->begin = args->idx;

        /* protocol version, random and session id length check */
        if (OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz) {
            ERROR_OUT(BUFFER_ERROR, exit_dch);
        }

        /* legacy_version: TLS 1.3 clients send 0x0303 here and carry the real
         * version in supported_versions. */
        XMEMCPY(&args->pv, input + args->idx, OPAQUE16_LEN);
        ssl->chVersion = args->pv;   /* store */
        args->idx += OPAQUE16_LEN;

        if (args->pv.major < SSLv3_MAJOR) {
            WOLFSSL_MSG("Legacy version field contains unsupported value");
            ERROR_OUT(VERSION_ERROR, exit_dch);
        }

#ifdef WOLFSSL_DTLS13
        /* DTLS minor numbers count down, so a minor above DTLS 1.2 is an
         * older version and means a downgrade. */
        if (ssl->options.dtls &&
            args->pv.major == DTLS_MAJOR && args->pv.minor > DTLSv1_2_MINOR) {
            wantDowngrade = 1;
            ssl->version.minor = args->pv.minor;
        }
#endif

        if (!ssl->options.dtls) {
#ifndef WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION
            /* A legacy_version of 1.3 or above is not a valid TLS 1.3 hello. */
            if (args->pv.major == SSLv3_MAJOR && args->pv.minor >= TLSv1_3_MINOR) {
                WOLFSSL_MSG("Legacy version field is TLS 1.3 or later. Aborting.");
                ERROR_OUT(VERSION_ERROR, exit_dch);
            }
#endif
            /* Anything at or above 1.3 in the legacy field (only reachable
             * for major > 3 unless the option above is set) is clamped to
             * TLS 1.2 and handled by the 1.2 path; below 1.2 is a downgrade. */
            if (args->pv.major > SSLv3_MAJOR || (args->pv.major == SSLv3_MAJOR &&
                args->pv.minor >= TLSv1_3_MINOR)) {
                args->pv.major = SSLv3_MAJOR;
                args->pv.minor = TLSv1_2_MINOR;
                wantDowngrade = 1;
                ssl->version.minor = args->pv.minor;
            }
            else if (args->pv.major == SSLv3_MAJOR &&
                     args->pv.minor < TLSv1_2_MINOR) {
                wantDowngrade = 1;
                ssl->version.minor = args->pv.minor;
            }
        }

        /* Only a legacy_version of exactly 1.2 can carry a TLS 1.3 hello;
         * supported_versions decides. */
        if (!wantDowngrade) {
            ret = DoTls13SupportedVersions(ssl, input + args->begin,
                args->idx - args->begin, helloSz, &wantDowngrade);
            if (ret < 0)
                goto exit_dch;
        }

        if (wantDowngrade) {
#ifndef WOLFSSL_NO_TLS12
            byte realMinor;
            if (!ssl->options.downgrade) {
                WOLFSSL_MSG("Client trying to connect with lesser version than "
                            "TLS v1.3");
                ERROR_OUT(VERSION_ERROR, exit_dch);
            }

            /* Enforce the configured floor. DTLS compares the other way
             * because its minor numbers decrease with newer versions. */
            if ((!ssl->options.dtls
                     && args->pv.minor < ssl->options.minDowngrade) ||
                (ssl->options.dtls && args->pv.minor > ssl->options.minDowngrade)) {
                WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
                ERROR_OUT(VERSION_ERROR, exit_dch);
            }

            /* Hash the hello with the client's version in place, presumably
             * so HashInput picks the hashes for that version, then hand the
             * message to the TLS 1.2 ClientHello handler. */
            realMinor = ssl->version.minor;
            ssl->version.minor = args->pv.minor;
            ret = HashInput(ssl, input + args->begin, (int)helloSz);
            ssl->version.minor = realMinor;
            if (ret == 0) {
                ret = DoClientHello(ssl, input, inOutIdx, helloSz);
            }
            goto exit_dch;
#else
            WOLFSSL_MSG("Client trying to connect with lesser version than "
                        "TLS v1.3");
            ERROR_OUT(VERSION_ERROR, exit_dch);
#endif
        }

        /* Client random */
        XMEMCPY(ssl->arrays->clientRandom, input + args->idx, RAN_LEN);
        args->idx += RAN_LEN;

#ifdef WOLFSSL_DEBUG_TLS
        WOLFSSL_MSG("client random");
        WOLFSSL_BUFFER(ssl->arrays->clientRandom, RAN_LEN);
#endif

        /* legacy_session_id: at most ID_LEN bytes. */
        sessIdSz = input[args->idx++];
        if (sessIdSz > ID_LEN)
        {
            ERROR_OUT(INVALID_PARAMETER, exit_dch);
        }

        /* NOTE(review): args->idx is an absolute offset into input while
         * helloSz is relative to args->begin; every other check below
         * subtracts args->begin. This check is therefore stricter than the
         * others (it can only over-reject, never under-reject) — confirm
         * whether that is intended. */
        if (sessIdSz + args->idx > helloSz)
            ERROR_OUT(BUFFER_ERROR, exit_dch);

#ifdef WOLFSSL_DTLS13
        /* DTLS 1.3 does not echo a session id. */
        if (ssl->options.dtls) {
            ssl->session->sessionIDSz = 0;
        }
        else
#endif
        {
            /* Keep the id so the ServerHello can echo it (middlebox compat). */
            ssl->session->sessionIDSz = sessIdSz;
            if (sessIdSz > 0)
                XMEMCPY(ssl->session->sessionID, input + args->idx, sessIdSz);
        }

        args->idx += sessIdSz;

#ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
        /* A client that sent no session id is not in compatibility mode. */
        if (sessIdSz == 0) {
            ssl->options.tls13MiddleBoxCompat = 0;
        }
#endif

#ifdef WOLFSSL_DTLS13
        /* legacy_cookie must be empty in DTLS 1.3. The length byte read here
         * is inside the hello because the (absolute) session id check above
         * already ensured room beyond the session id. */
        if (ssl->options.dtls) {
            byte cookieLen = input[args->idx++];
            if (cookieLen != 0) {
                ERROR_OUT(INVALID_PARAMETER, exit_dch);
            }
        }
#endif

        /* Fresh copy of the client's cipher suite list for MatchSuite. */
        XFREE(ssl->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);
        ssl->clSuites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap,
            DYNAMIC_TYPE_SUITES);
        if (ssl->clSuites == NULL) {
            ERROR_OUT(MEMORY_E, exit_dch);
        }

        /* Cipher suites */
        if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz)
            ERROR_OUT(BUFFER_ERROR, exit_dch);
        ato16(&input[args->idx], &ssl->clSuites->suiteSz);
        args->idx += OPAQUE16_LEN;
        /* Each suite is two bytes, so the list length must be even. */
        if ((ssl->clSuites->suiteSz % 2) != 0) {
            ERROR_OUT(INVALID_PARAMETER, exit_dch);
        }
        /* The "+ OPAQUE8_LEN" also covers the compression length byte. */
        if ((args->idx - args->begin) + ssl->clSuites->suiteSz + OPAQUE8_LEN >
                                                                     helloSz) {
            ERROR_OUT(BUFFER_ERROR, exit_dch);
        }
        if (ssl->clSuites->suiteSz > WOLFSSL_MAX_SUITE_SZ)
            ERROR_OUT(BUFFER_ERROR, exit_dch);
        XMEMCPY(ssl->clSuites->suites, input + args->idx, ssl->clSuites->suiteSz);
        args->idx += ssl->clSuites->suiteSz;
        /* Filled in by the signature_algorithms extension during TLSX_Parse. */
        ssl->clSuites->hashSigAlgoSz = 0;

        /* legacy_compression_methods: exactly one entry, null compression. */
        b = input[args->idx++];
        if ((args->idx - args->begin) + b > helloSz)
            ERROR_OUT(BUFFER_ERROR, exit_dch);
        if (b != COMP_LEN) {
            WOLFSSL_MSG("Must be one compression type in list");
            ERROR_OUT(INVALID_PARAMETER, exit_dch);
        }
        b = input[args->idx++];
        if (b != NO_COMPRESSION) {
            WOLFSSL_MSG("Must be no compression type in list");
            ERROR_OUT(INVALID_PARAMETER, exit_dch);
        }

        /* A TLS 1.3 ClientHello always has extensions (supported_versions
         * was found above), so ending here is an error. */
        if ((args->idx - args->begin) == helloSz)
            ERROR_OUT(BUFFER_ERROR, exit_dch);

        if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz)
            ERROR_OUT(BUFFER_ERROR, exit_dch);
        ato16(&input[args->idx], &totalExtSz);
        args->idx += OPAQUE16_LEN;
        if ((args->idx - args->begin) + totalExtSz > helloSz)
            ERROR_OUT(BUFFER_ERROR, exit_dch);

        /* Set up the server's extension list before parsing the client's. */
        if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0)
            goto exit_dch;

#if defined(HAVE_ECH)
        /* ECH: the whole ClientHello is the AAD for decrypting the inner
         * hello. NOTE(review): this uses input + HANDSHAKE_HEADER_SZ rather
         * than input + args->begin, i.e. it assumes the handshake header is
         * at the very start of input — confirm against the caller. */
        if (ssl->ctx->echConfigs != NULL && !ssl->options.disableECH) {
            echX = TLSX_Find(ssl->extensions, TLSX_ECH);
            if (echX == NULL)
                ERROR_OUT(WOLFSSL_FATAL_ERROR, exit_dch);
            ((WOLFSSL_ECH*)echX->data)->aad = input + HANDSHAKE_HEADER_SZ;
            ((WOLFSSL_ECH*)echX->data)->aadLen = helloSz;
        }
#endif

        /* Parse extensions */
        if ((ret = TLSX_Parse(ssl, input + args->idx, totalExtSz, client_hello,
                                                                  ssl->clSuites))) {
            goto exit_dch;
        }

#if defined(HAVE_ECH)
        /* If an inner ClientHello was recovered, stop here with ret == 0 and
         * let the inner hello be processed (its header is rewritten at
         * exit_dch). Otherwise do not respond with an ECH extension. */
        if (echX != NULL && ((WOLFSSL_ECH*)echX->data)->state == ECH_WRITE_NONE) {
            if (((WOLFSSL_ECH*)echX->data)->innerClientHello != NULL) {
                goto exit_dch;
            }
            else {
                echX->resp = 0;
            }
        }
#endif

#ifdef HAVE_SNI
        if ((ret = SNI_Callback(ssl)) != 0)
            goto exit_dch;
        /* Re-assert the side; the SNI callback may have touched the object. */
        ssl->options.side = WOLFSSL_SERVER_END;
#endif

        args->idx += totalExtSz;

        ssl->options.haveSessionId = 1;
        ssl->options.sendVerify = SEND_CERT;

#if defined(WOLFSSL_SEND_HRR_COOKIE)
        /* After an HRR (or always for DTLS) the client must return a cookie
         * we generated. The cookie carries the HRR, which is hashed back into
         * the transcript by RestartHandshakeHashWithCookie. A cookie marked
         * as a response (resp != 0) was not sent by the client. */
        ssl->options.cookieGood = 0;
        if (ssl->options.sendCookie &&
                (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE
#ifdef WOLFSSL_DTLS13
                        || ssl->options.dtls
#endif
                )) {
            TLSX* ext = TLSX_Find(ssl->extensions, TLSX_COOKIE);
            if (ext != NULL) {
                if (ext->resp == 0) {
                    ret = RestartHandshakeHashWithCookie(ssl, (Cookie*)ext->data);
                    if (ret != 0)
                        goto exit_dch;
                    ssl->options.cookieGood = 1;
                }
                else {
                    ERROR_OUT(HRR_COOKIE_ERROR, exit_dch);
                }
            }
            else {
                /* DTLS may skip the cookie round trip on resumption. */
#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS13_NO_HRR_ON_RESUME)
                if (!ssl->options.dtls)
#endif
                    ERROR_OUT(HRR_COOKIE_ERROR, exit_dch);
            }
        }
#endif

#ifdef HAVE_SUPPORTED_CURVES
        /* After an HRR that requested a group, the second hello must carry
         * exactly one key share and it must be for that group. */
        if (ssl->hrr_keyshare_group != 0) {
            TLSX* extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
            if (extension != NULL) {
                KeyShareEntry* kse = (KeyShareEntry*)extension->data;
                if (kse == NULL || kse->next != NULL ||
                        kse->group != ssl->hrr_keyshare_group) {
                    ERROR_OUT(BAD_KEY_SHARE_DATA, exit_dch);
                }
            }
            else
                ERROR_OUT(BAD_KEY_SHARE_DATA, exit_dch);
        }
#endif

#if defined(HAVE_ECH)
        /* Hash the decrypted inner ClientHello into the ECH transcript. */
        if (echX != NULL && ssl->ctx->echConfigs != NULL &&
                !ssl->options.disableECH &&
                ((WOLFSSL_ECH*)echX->data)->innerClientHello != NULL) {
            ret = EchHashHelloInner(ssl, (WOLFSSL_ECH*)echX->data);
            if (ret != 0)
                goto exit_dch;
        }
#endif

#if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
                                                    defined(HAVE_TLS_EXTENSIONS)
        /* Select a PSK (if any) and set args->usingPSK. This presumably also
         * hashes the hello, since the non-PSK build does so explicitly. */
        ret = CheckPreSharedKeys(ssl, input + args->begin, helloSz, ssl->clSuites,
            &args->usingPSK);
        if (ret != 0)
            goto exit_dch;
#else
        if ((ret = HashInput(ssl, input + args->begin, (int)helloSz)) != 0)
            goto exit_dch;
#endif

#if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
                                                    defined(HAVE_TLS_EXTENSIONS)
        if (!args->usingPSK)
#endif
        {
            /* Full handshake: a key share and signature algorithms are
             * mandatory, and a certificate-less build cannot proceed. */
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            ssl->options.noPskDheKe = 0;
#endif
#ifndef NO_CERTS
            if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) {
                WOLFSSL_MSG("Client did not send a KeyShare extension");
                ERROR_OUT(INCOMPLETE_DATA, exit_dch);
            }
            if (ssl->clSuites->hashSigAlgoSz == 0) {
                WOLFSSL_MSG("Client did not send a SignatureAlgorithms extension");
                ERROR_OUT(INCOMPLETE_DATA, exit_dch);
            }
#else
            ERROR_OUT(INVALID_PARAMETER, exit_dch);
#endif
        }

#ifdef HAVE_ALPN
        if ((ret = ALPN_Select(ssl)) != 0)
            goto exit_dch;
#endif
    }
    FALL_THROUGH;

    case TLS_ASYNC_BUILD:
        ssl->options.asyncState = TLS_ASYNC_DO;
    FALL_THROUGH;

    case TLS_ASYNC_DO:
    {
#ifdef WOLFSSL_CERT_SETUP_CB
        if ((ret = CertSetupCbWrapper(ssl)) != 0)
            goto exit_dch;
#endif

#ifndef NO_CERTS
        /* Without a PSK the cipher suite comes from the client's list. */
        if (!args->usingPSK) {
            if ((ret = MatchSuite(ssl, ssl->clSuites)) < 0) {
            #ifdef WOLFSSL_ASYNC_CRYPT
                if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
            #endif
                    WOLFSSL_MSG("Unsupported cipher suite, ClientHello 1.3");
                goto exit_dch;
            }
        }
#endif

#ifdef HAVE_SUPPORTED_CURVES
        /* usingPSK == 2 appears to mean PSK with (EC)DHE: establish the key
         * share now. If no acceptable share was offered an HRR is needed,
         * but only one HRR is ever allowed per handshake. */
        if (args->usingPSK == 2) {
            int doHelloRetry = 0;
            ret = TLSX_KeyShare_Establish(ssl, &doHelloRetry);
            if (doHelloRetry) {
                if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE)
                    ERROR_OUT(INVALID_PARAMETER, exit_dch);
                ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
                if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
                    ret = 0; /* for hello_retry return 0 */
            }
            if (ret != 0)
                goto exit_dch;
        }
#endif

        /* The second ClientHello must negotiate the same cipher suite the
         * HRR announced (RFC 8446 requires the server to pick the same). */
        if ((ssl->msgsReceived.got_client_hello == 2
#ifdef WOLFSSL_SEND_HRR_COOKIE
                || ssl->options.cookieGood
#endif
                ) &&
                (ssl->options.cipherSuite0 != ssl->options.hrrCipherSuite0 ||
                 ssl->options.cipherSuite != ssl->options.hrrCipherSuite)) {
            WOLFSSL_MSG("Cipher suite in second ClientHello does not match "
                        "HelloRetryRequest");
            ERROR_OUT(INVALID_PARAMETER, exit_dch);
        }

        ssl->options.asyncState = TLS_ASYNC_VERIFY;
    }
    FALL_THROUGH;

    case TLS_ASYNC_VERIFY:
    {
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(HAVE_SUPPORTED_CURVES)
        /* Finish a server key share generation that was left pending. */
        TLSX* extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
        if (extension != NULL && extension->resp == 1) {
            KeyShareEntry* serverKSE = (KeyShareEntry*)extension->data;
            if (serverKSE != NULL &&
                    serverKSE->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) {
            #if defined(WOLFSSL_HAVE_MLKEM)
                if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(serverKSE->group)) {
                    ret = TLSX_KeyShare_HandlePqcHybridKeyServer(ssl, serverKSE,
                        serverKSE->ke, serverKSE->keLen);
                }
                else
            #endif
                {
                    ret = TLSX_KeyShare_GenKey(ssl, serverKSE);
                }
                if (ret != 0)
                    goto exit_dch;
            }
        }
#endif

        ssl->options.asyncState = TLS_ASYNC_FINALIZE;
    }
    FALL_THROUGH;

    case TLS_ASYNC_FINALIZE:
    {
        *inOutIdx = args->idx;
        ssl->options.clientState = CLIENT_HELLO_COMPLETE;
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
        ssl->options.pskNegotiated = (args->usingPSK != 0);
#endif

        if (!args->usingPSK) {
#ifndef NO_CERTS
            /* The negotiated suite must be a TLS 1.3 suite. The null-cipher
             * and SM4 suites use other first bytes and are allowed through. */
#ifdef HAVE_NULL_CIPHER
            if (ssl->options.cipherSuite0 == ECC_BYTE &&
                    (ssl->options.cipherSuite == TLS_SHA256_SHA256 ||
                     ssl->options.cipherSuite == TLS_SHA384_SHA384)) {
                ;
            }
            else
#endif
#if defined(WOLFSSL_SM4_GCM) && defined(WOLFSSL_SM3)
            if (ssl->options.cipherSuite0 == CIPHER_BYTE &&
                    ssl->options.cipherSuite == TLS_SM4_GCM_SM3) {
                ;
            }
            else
#endif
#if defined(WOLFSSL_SM4_CCM) && defined(WOLFSSL_SM3)
            if (ssl->options.cipherSuite0 == CIPHER_BYTE &&
                    ssl->options.cipherSuite == TLS_SM4_CCM_SM3) {
                ;
            }
            else
#endif
            if (ssl->options.cipherSuite0 != TLS13_BYTE) {
                WOLFSSL_MSG("Negotiated ciphersuite from lesser version than "
                            "TLS v1.3");
                ERROR_OUT(MATCH_SUITE_ERROR, exit_dch);
            }

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            /* A resumption attempt that did not select a PSK is a full
             * handshake; clear the stale PSK material. */
            if (ssl->options.resuming) {
                ssl->options.resuming = 0;
                ssl->arrays->psk_keySz = 0;
                XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size);
            }
#endif

            /* Derive early secret for handshake secret. */
            if ((ret = DeriveEarlySecret(ssl)) != 0)
                goto exit_dch;
#endif
        }
        break;
    }
    default:
        ret = INPUT_CASE_ERROR;
    } /* switch (ssl->options.asyncState) */

#ifdef WOLFSSL_SEND_HRR_COOKIE
    /* Cookie bookkeeping after the hello was accepted:
     *  - a good cookie on the first reply resets the server state so a
     *    ServerHello follows;
     *  - a good cookie together with a pending HRR is a contradiction;
     *  - for TLS, a hello without a cookie forces an HRR (the client's key
     *    share is dropped so the HRR asks for it again) to deliver a cookie;
     *  - for DTLS, a hello without a cookie is rejected unless the
     *    no-HRR-on-resume option applies. */
    if (ret == 0 && ssl->options.sendCookie) {
        if (ssl->options.cookieGood &&
                ssl->options.acceptState == TLS13_ACCEPT_FIRST_REPLY_DONE) {
            /* Processing second ClientHello. Clear HRR state. */
            ssl->options.serverState = NULL_STATE;
        }

        if (ssl->options.cookieGood &&
                ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
            /* Cookie and key share negotiation fail. */
            ERROR_OUT(INVALID_PARAMETER, exit_dch);
        }
#ifdef WOLFSSL_DTLS13
        if (ssl->options.dtls &&
                ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
            ERROR_OUT(BAD_HELLO, exit_dch);
        }
#endif

        if (!ssl->options.cookieGood &&
                ssl->options.serverState != SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
#ifdef WOLFSSL_DTLS13
            if (ssl->options.dtls) {
                /* The !ssl->options.dtls term below is always false here. */
    #ifdef WOLFSSL_DTLS13_NO_HRR_ON_RESUME
                if (!ssl->options.dtls || !ssl->options.dtls13NoHrrOnResume ||
                        !args->usingPSK)
    #endif
                    ERROR_OUT(BAD_HELLO, exit_dch);
            }
            else
#endif
            {
                TLSX_Remove(&ssl->extensions, TLSX_KEY_SHARE, ssl->heap);
                ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
            }
        }
    }
#endif

#ifdef WOLFSSL_DTLS_CID
    /* Connection IDs are only applied once no HRR is pending. */
    if (ret == 0 && ssl->options.dtls && ssl->options.useDtlsCID &&
            ssl->options.serverState != SERVER_HELLO_RETRY_REQUEST_COMPLETE)
        DtlsCIDOnExtensionsParsed(ssl);
#endif

exit_dch:

    WOLFSSL_LEAVE("DoTls13ClientHello", ret);

#ifdef WOLFSSL_ASYNC_CRYPT
    /* Pending: keep args for the retry. got_client_hello is reset so the
     * re-delivered message is presumably not counted twice. */
    if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
        ssl->msgsReceived.got_client_hello = 0;
        return ret;
    }
#endif

    FreeDch13Args(ssl, args);
#ifdef WOLFSSL_ASYNC_CRYPT
    FreeAsyncCtx(ssl, 0);
#endif
    WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);

    if (ret != 0) {
        WOLFSSL_ERROR_VERBOSE(ret);
    }

#if defined(HAVE_ECH)
    /* ECH accepted with an inner hello present: give the inner ClientHello
     * a handshake header so it can be processed as a normal ClientHello. */
    if (ret == 0 && echX != NULL &&
            ((WOLFSSL_ECH*)echX->data)->state == ECH_WRITE_NONE &&
            ((WOLFSSL_ECH*)echX->data)->innerClientHello != NULL) {
        AddTls13HandShakeHeader(((WOLFSSL_ECH*)echX->data)->innerClientHello,
            ((WOLFSSL_ECH*)echX->data)->innerClientHelloLen, 0, 0,
            client_hello, ssl);
    }
#endif

    return ret;
}
/* Build and send a TLS 1.3 ServerHello or HelloRetryRequest.
 *
 * Both messages share the ServerHello wire format; extMsgType selects which
 * one is produced (server_hello or hello_retry_request). For an HRR the
 * transcript is restarted per RFC 8446 §4.4.1, the fixed HRR random is used,
 * and the chosen group and cipher suite are remembered so the second
 * ClientHello can be checked against them. With cookies enabled the HRR is
 * not hashed at all: it is reconstructed from the cookie when the second
 * ClientHello arrives. ECH acceptance confirmation is written into the
 * message when an ECH extension was parsed.
 *
 * Returns 0, or a negative error from hashing, RNG, extension writing or
 * sending. With groupMessages set a ServerHello is left in the output
 * buffer for the caller to flush.
 */
int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType)
{
    int    ret;
    byte*  output;
    word16 length;
    word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    int    sendSz;
#if defined(HAVE_ECH)
    TLSX* echX = NULL;
    byte* acceptLabel = (byte*)echAcceptConfirmationLabel;
    word32 acceptOffset;
    word16 acceptLabelSz = ECH_ACCEPT_CONFIRMATION_LABEL_SZ;
#endif

    WOLFSSL_START(WC_FUNC_SERVER_HELLO_SEND);
    WOLFSSL_ENTER("SendTls13ServerHello");

    /* HRR: replace the transcript so far with message_hash(ClientHello1).
     * Stateless DTLS skips this; it has no transcript to restart yet. */
    if (extMsgType == hello_retry_request
#ifdef WOLFSSL_DTLS13
        && (!ssl->options.dtls || ssl->options.dtlsStateful)
#endif
            ) {
        WOLFSSL_MSG("wolfSSL Sending HelloRetryRequest");
        if ((ret = RestartHandshakeHash(ssl)) < 0)
            return ret;
    }

    ssl->options.buildingMsg = 1;
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls)
        idx = DTLS_RECORD_HEADER_SZ + DTLS_HANDSHAKE_HEADER_SZ;
#endif

    /* Fixed fields: legacy_version, random, legacy_session_id_echo, suite,
     * legacy_compression_method; then the extension block. For DTLS
     * sessionIDSz is 0 (DoTls13ClientHello zeroes it). */
    length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session->sessionIDSz +
             SUITE_LEN + COMP_LEN;
    ret = TLSX_GetResponseSize(ssl, extMsgType, &length);
    if (ret != 0)
        return ret;
    sendSz = (int)(idx + length);

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = GetOutputBuffer(ssl);

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, length, server_hello, ssl);

    /* legacy_version is always TLS 1.2 / DTLS 1.2; the real version goes in
     * supported_versions. */
    output[idx++] = ssl->version.major;
    output[idx++] = ssl->options.dtls ? DTLSv1_2_MINOR : TLSv1_2_MINOR;

    /* Fresh random for a ServerHello; the fixed, well-known value for an
     * HRR so clients can tell the two apart. */
    if (extMsgType == server_hello) {
        if ((ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN)) != 0)
            return ret;
    }
    else {
        XMEMCPY(output + idx, helloRetryRequestRandom, RAN_LEN);
    }
#if defined(HAVE_ECH)
    /* The ECH confirmation overwrites the last bytes of the random. */
    acceptOffset = idx + RAN_LEN - ECH_ACCEPT_CONFIRMATION_SZ;
#endif

    /* Store in SSL for debugging. */
    XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN);
    idx += RAN_LEN;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("Server random");
    WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN);
#endif

#ifdef WOLFSSL_DTLS13
    /* DTLS 1.3 never echoes a session id. */
    if (ssl->options.dtls) {
        output[idx++] = 0;
    }
    else
#endif
    {
        /* Echo the client's session id (middlebox compatibility). */
        output[idx++] = ssl->session->sessionIDSz;
        if (ssl->session->sessionIDSz > 0) {
            XMEMCPY(output + idx, ssl->session->sessionID,
                ssl->session->sessionIDSz);
            idx += ssl->session->sessionIDSz;
        }
    }

    /* Chosen cipher suite */
    output[idx++] = ssl->options.cipherSuite0;
    output[idx++] = ssl->options.cipherSuite;
#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("Chosen cipher suite:");
    WOLFSSL_MSG(GetCipherNameInternal(ssl->options.cipherSuite0,
                                      ssl->options.cipherSuite));
#endif

    /* legacy_compression_method: null */
    output[idx++] = 0;

    /* Extensions */
    ret = TLSX_WriteResponse(ssl, output + idx, extMsgType, NULL);
    if (ret != 0)
        return ret;

    /* Remember what the HRR asked for; DoTls13ClientHello checks the second
     * ClientHello's key share group and cipher suite against these. */
    if (extMsgType == hello_retry_request
#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
        && (!ssl->options.dtls || ssl->options.dtlsStateful)
#endif
            ) {
        TLSX* ksExt = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
        if (ksExt != NULL) {
            KeyShareEntry* kse = (KeyShareEntry*)ksExt->data;
            if (kse != NULL)
                ssl->hrr_keyshare_group = kse->group;
        }
        ssl->options.hrrCipherSuite0 = ssl->options.cipherSuite0;
        ssl->options.hrrCipherSuite = ssl->options.cipherSuite;
    }

#ifdef WOLFSSL_SEND_HRR_COOKIE
    /* With cookies the HRR is not hashed here; the transcript is reset and
     * RestartHandshakeHashWithCookie rebuilds the HRR from the cookie when
     * the second ClientHello arrives. Stateless DTLS keeps no transcript. */
    if (ssl->options.sendCookie && extMsgType == hello_retry_request) {
    #ifdef WOLFSSL_DTLS13
        if (ssl->options.dtls && !ssl->options.dtlsStateful)
            ret = 0;
        else
    #endif
            ret = InitHandshakeHashes(ssl);
    }
    else
#endif
    {
#ifdef WOLFSSL_DTLS13
        if (ssl->options.dtls) {
            ret = Dtls13HashHandshake(
                ssl,
                output + Dtls13GetRlHeaderLength(ssl, 0),
                (word16)sendSz - Dtls13GetRlHeaderLength(ssl, 0));
        }
        else
#endif
        {
#if defined(HAVE_ECH)
            /* ECH: write the acceptance confirmation into the message
             * before it is hashed. In an HRR the confirmation lives in the
             * ECH extension (confBuf) under its own label; in a ServerHello
             * it replaces the tail of the random. */
            if (ssl->ctx->echConfigs != NULL && !ssl->options.disableECH) {
                echX = TLSX_Find(ssl->extensions, TLSX_ECH);
                if (echX == NULL)
                    return WOLFSSL_FATAL_ERROR;
                if (extMsgType == hello_retry_request) {
                    acceptOffset =
                        (word32)(((WOLFSSL_ECH*)echX->data)->confBuf - output);
                    acceptLabel = (byte*)echHrrAcceptConfirmationLabel;
                    acceptLabelSz = ECH_HRR_ACCEPT_CONFIRMATION_LABEL_SZ;
                }
                if (((WOLFSSL_ECH*)echX->data)->state == ECH_PARSED_INTERNAL) {
                    /* Offsets are passed relative to the handshake header. */
                    if (ret == 0) {
                        ret = EchWriteAcceptance(ssl, acceptLabel,
                            acceptLabelSz, output + RECORD_HEADER_SZ,
                            acceptOffset - RECORD_HEADER_SZ,
                            sendSz - RECORD_HEADER_SZ, extMsgType);
                    }
                    if (extMsgType == hello_retry_request) {
                        ((WOLFSSL_ECH*)echX->data)->state = ECH_WRITE_NONE;
                    }
                    else {
                        /* The random changed; refresh the stored copy and
                         * stop sending the ECH extension. */
                        if (ret == 0) {
                            XMEMCPY(ssl->arrays->serverRandom,
                                output + acceptOffset -
                                    (RAN_LEN - ECH_ACCEPT_CONFIRMATION_SZ), RAN_LEN);
                        }
                        TLSX_Remove(&ssl->extensions, TLSX_ECH, ssl->heap);
                    }
                }
            }
#endif
            if (ret == 0)
                ret = HashOutput(ssl, output, sendSz, 0);
        }
    }

    if (ret != 0)
        return ret;

#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
    if (ssl->hsInfoOn)
        AddPacketName(ssl, "ServerHello");
    if (ssl->toInfoOn) {
        ret = AddPacketInfo(ssl, "ServerHello", handshake, output, sendSz,
                      WRITE_PROTO, 0, ssl->heap);
        if (ret != 0)
            return ret;
    }
#endif

    /* Only a real ServerHello advances the state; an HRR leaves it. */
    if (extMsgType == server_hello)
        ssl->options.serverState = SERVER_HELLO_COMPLETE;

    ssl->options.buildingMsg = 0;
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        ret = Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)sendSz,
                                  (enum HandShakeType)extMsgType, 0);

        WOLFSSL_LEAVE("SendTls13ServerHello", ret);
        WOLFSSL_END(WC_FUNC_SERVER_HELLO_SEND);

        return ret;
    }
#endif /* WOLFSSL_DTLS13 */

    ssl->buffers.outputBuffer.length += (word32)sendSz;

    /* An HRR is always flushed; a ServerHello may be grouped with the rest
     * of the server's first flight. */
    if (!ssl->options.groupMessages || extMsgType != server_hello)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13ServerHello", ret);
    WOLFSSL_END(WC_FUNC_SERVER_HELLO_SEND);

    return ret;
}
/* Derive the handshake traffic keys and send EncryptedExtensions.
 *
 * This is the first encrypted message of the server's flight: the handshake
 * secret and keys are derived here, encryption is switched on, and the
 * extensions that do not belong in the ServerHello are written out under
 * the handshake keys. With early data enabled the decrypt side is only
 * switched to the handshake key when no 0-RTT data is (still) expected,
 * since the client's early data arrives under the early traffic key.
 *
 * Returns 0 or a negative error from key derivation, extension writing,
 * message building or sending. With groupMessages set the message stays
 * buffered for the caller to flush.
 */
static int SendTls13EncryptedExtensions(WOLFSSL* ssl)
{
    int    ret;
    byte*  output;
    word16 length = 0;
    word32 idx;
    int    sendSz;

    WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND);
    WOLFSSL_ENTER("SendTls13EncryptedExtensions");

    ssl->options.buildingMsg = 1;
    /* Everything from here on is encrypted. */
    ssl->keys.encryptionOn = 1;

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        idx = Dtls13GetHeadersLength(ssl, encrypted_extensions);
    }
    else
#endif /* WOLFSSL_DTLS13 */
    {
        idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    }

#if defined(HAVE_SUPPORTED_CURVES) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
    /* Decides whether a supported_groups extension is sent back. */
    if ((ret = TLSX_SupportedCurve_CheckPriority(ssl)) != 0)
        return ret;
#endif

    /* Derive the handshake secret now that we are at this point. */
    if ((ret = DeriveHandshakeSecret(ssl)) != 0)
        return ret;
    /* Derive the handshake traffic keys for both directions. */
    if ((ret = DeriveTls13Keys(ssl, handshake_key,
                               ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0)
        return ret;
#ifdef WOLFSSL_EARLY_DATA
    if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
        return ret;
    /* Keep decrypting with the early key while early data is in flight. */
    if (ssl->earlyData != process_early_data) {
        if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
            return ret;
    }
#else
    if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
        return ret;
#endif

#ifdef WOLFSSL_QUIC
    if (IsAtLeastTLSv1_3(ssl->version) && WOLFSSL_IS_QUIC(ssl)) {
        ret = wolfSSL_quic_add_transport_extensions(ssl, encrypted_extensions);
        if (ret != 0)
            return ret;
    }
#endif

#ifdef WOLFSSL_DTLS13
    /* DTLS 1.3: switch to the handshake epoch. */
    if (ssl->options.dtls) {
        w64wrapper epochHandshake = w64From32(0, DTLS13_EPOCH_HANDSHAKE);
        ssl->dtls13Epoch = epochHandshake;

        ret = Dtls13SetEpochKeys(
            ssl, epochHandshake, ENCRYPT_AND_DECRYPT_SIDE);
        if (ret != 0)
            return ret;
    }
#endif /* WOLFSSL_DTLS13 */

    ret = TLSX_GetResponseSize(ssl, encrypted_extensions, &length);
    if (ret != 0)
        return ret;

    sendSz = (int)(idx + length);
    /* Encryption overhead (tag, padding, record expansion). */
    sendSz += MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    ret = CheckAvailableSize(ssl, sendSz);
    if (ret != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = GetOutputBuffer(ssl);

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, length, encrypted_extensions, ssl);

    ret = TLSX_WriteResponse(ssl, output + idx, encrypted_extensions, NULL);
    if (ret != 0)
        return ret;
    idx += length;

#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
    /* Recorded before encryption, i.e. in plaintext. */
    if (ssl->hsInfoOn)
        AddPacketName(ssl, "EncryptedExtensions");
    if (ssl->toInfoOn) {
        ret = AddPacketInfo(ssl, "EncryptedExtensions", handshake, output,
                      sendSz, WRITE_PROTO, 0, ssl->heap);
        if (ret != 0)
            return ret;
    }
#endif

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        ssl->options.buildingMsg = 0;
        ret = Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)idx,
                                  encrypted_extensions, 1);

        if (ret == 0)
            ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;

        WOLFSSL_LEAVE("SendTls13EncryptedExtensions", ret);
        WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND);

        return ret;
    }
#endif /* WOLFSSL_DTLS13 */

    /* Encrypt the handshake message in place into a TLS 1.3 record. */
    sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
                               (int)(idx - RECORD_HEADER_SZ),
                               handshake, 1, 0, 0);
    if (sendSz < 0)
        return sendSz;

    ssl->buffers.outputBuffer.length += (word32)sendSz;
    ssl->options.buildingMsg = 0;
    ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;

    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13EncryptedExtensions", ret);
    WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND);

    return ret;
}
#ifndef NO_CERTS
/* Send a TLS 1.3 CertificateRequest to the client.
 *
 * The message carries an opaque certificate_request_context followed by an
 * extension block; a fresh signature_algorithms extension is pushed onto
 * ssl->extensions before the extension block is sized and written.
 *
 * ssl        connection object; must be the server side.
 * reqCtx     certificate_request_context bytes (may be NULL when
 *            reqCtxLen is 0).
 * reqCtxLen  length of reqCtx. The wire length prefix is a single byte
 *            ((byte)reqCtxLen below) while the copy uses the full length,
 *            so callers are expected to pass at most 255 bytes.
 *
 * Returns 0, SIDE_ERROR when called on a client, MEMORY_ERROR, or a
 * negative error from extension, build or send steps. With groupMessages
 * set the message stays buffered.
 */
static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx,
                                       word32 reqCtxLen)
{
    byte*   output;
    int    ret;
    int    sendSz;
    word32 i;
    word32 reqSz;
    SignatureAlgorithms* sa;

    WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_SEND);
    WOLFSSL_ENTER("SendTls13CertificateRequest");

    ssl->options.buildingMsg = 1;

    if (ssl->options.side != WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    /* Advertise the server's accepted signature algorithms. Ownership of sa
     * moves to ssl->extensions on a successful push. */
    sa = TLSX_SignatureAlgorithms_New(ssl, 0, ssl->heap);
    if (sa == NULL)
        return MEMORY_ERROR;
    ret = TLSX_Push(&ssl->extensions, TLSX_SIGNATURE_ALGORITHMS, sa, ssl->heap);
    if (ret != 0) {
        TLSX_SignatureAlgorithms_FreeAll(sa, ssl->heap);
        return ret;
    }

    i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls)
        i = Dtls13GetRlHeaderLength(ssl, 1) + DTLS_HANDSHAKE_HEADER_SZ;
#endif /* WOLFSSL_DTLS13 */

    /* Context length byte + context, then the extension block size. */
    reqSz = (word16)(OPAQUE8_LEN + reqCtxLen);
    ret = TLSX_GetRequestSize(ssl, certificate_request, &reqSz);
    if (ret != 0)
        return ret;

    sendSz = (int)(i + reqSz);
    /* Encryption overhead for the record. */
    sendSz += MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = GetOutputBuffer(ssl);

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, reqSz, certificate_request, ssl);

    /* Certificate request context: one-byte length then the bytes. */
    output[i++] = (byte)reqCtxLen;
    if (reqCtxLen != 0) {
        XMEMCPY(output + i, reqCtx, reqCtxLen);
        i += reqCtxLen;
    }

    /* Extensions; TLSX_WriteRequest reports the bytes written in reqSz. */
    reqSz = 0;
    ret = TLSX_WriteRequest(ssl, output + i, certificate_request, &reqSz);
    if (ret != 0)
        return ret;
    i += reqSz;

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        ssl->options.buildingMsg = 0;
        ret =
            Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)i,
                                certificate_request, 1);

        WOLFSSL_LEAVE("SendTls13CertificateRequest", ret);
        WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_SEND);

        return ret;

    }
#endif /* WOLFSSL_DTLS13 */

    /* Encrypt the handshake message in place. */
    sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
                               (int)(i - RECORD_HEADER_SZ), handshake, 1, 0, 0);
    if (sendSz < 0)
        return sendSz;

#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
    /* Recorded after encryption, unlike EncryptedExtensions. */
    if (ssl->hsInfoOn)
        AddPacketName(ssl, "CertificateRequest");
    if (ssl->toInfoOn) {
        ret = AddPacketInfo(ssl, "CertificateRequest", handshake, output,
                      sendSz, WRITE_PROTO, 0, ssl->heap);
        if (ret != 0)
            return ret;
    }
#endif

    ssl->buffers.outputBuffer.length += (word32)sendSz;
    ssl->options.buildingMsg = 0;
    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13CertificateRequest", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_SEND);

    return ret;
}
#endif
#endif
#ifndef NO_CERTS
#if (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)) && \
(!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(HAVE_DILITHIUM))
/* Write the two-byte TLS 1.3 SignatureScheme code point for a signature.
 *
 * ssl       connection; read for the certificate's curve (pkCurveOID) and
 *           the RSA-PSS key flags (useRsaPss, pssAlgo).
 * hashAlgo  wolfSSL hash id (sha256_mac, ...) paired with the signature.
 * hsType    wolfSSL signature algorithm id (ecc_dsa_sa_algo, ...).
 * output    receives output[0] (major byte) and output[1] (minor byte).
 *
 * For an hsType this build does not handle, output is left untouched;
 * callers should not rely on it having been written.
 */
static WC_INLINE void EncodeSigAlg(const WOLFSSL * ssl, byte hashAlgo,
                                   byte hsType, byte* output)
{
    /* ssl is unused in builds without HAVE_ECC and WC_RSA_PSS. */
    (void)ssl;
    switch (hsType) {
#ifdef HAVE_ECC
        case ecc_dsa_sa_algo:
            /* Brainpool curves have dedicated TLS 1.3 code points that
             * imply the hash, so hashAlgo is not used for them. */
            if (ssl->pkCurveOID == ECC_BRAINPOOLP256R1_OID) {
                output[0] = NEW_SA_MAJOR;
                output[1] = ECDSA_BRAINPOOLP256R1TLS13_SHA256_MINOR;
            }
            else if (ssl->pkCurveOID == ECC_BRAINPOOLP384R1_OID) {
                output[0] = NEW_SA_MAJOR;
                output[1] = ECDSA_BRAINPOOLP384R1TLS13_SHA384_MINOR;
            }
            else if (ssl->pkCurveOID == ECC_BRAINPOOLP512R1_OID) {
                output[0] = NEW_SA_MAJOR;
                output[1] = ECDSA_BRAINPOOLP512R1TLS13_SHA512_MINOR;
            }
            else {
                /* Classic encoding: hash byte then signature byte. */
                output[0] = hashAlgo;
                output[1] = ecc_dsa_sa_algo;
            }
            break;
#endif
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
        case sm2_sa_algo:
            output[0] = SM2_SA_MAJOR;
            output[1] = SM2_SA_MINOR;
            break;
#endif
#ifdef HAVE_ED25519
        /* EdDSA code points carry no hash; hashAlgo is ignored. */
        case ed25519_sa_algo:
            output[0] = ED25519_SA_MAJOR;
            output[1] = ED25519_SA_MINOR;
            (void)hashAlgo;
            break;
#endif
#ifdef HAVE_ED448
        case ed448_sa_algo:
            output[0] = ED448_SA_MAJOR;
            output[1] = ED448_SA_MINOR;
            (void)hashAlgo;
            break;
#endif
#ifndef NO_RSA
        case rsa_pss_sa_algo:
            /* rsa_pss_sa_algo doubles as the RSA-PSS major byte. When the
             * key is itself an RSA-PSS key (useRsaPss) and hashAlgo is one
             * of SHA-256/384/512 with its bit set in pssAlgo (presumably the
             * hashes the key's parameters permit), the rsa_pss_pss_* code
             * point is used; otherwise the rsa_pss_rsae_* one. */
            output[0] = rsa_pss_sa_algo;
    #ifdef WC_RSA_PSS
            if (ssl->useRsaPss &&
                    ((ssl->pssAlgo & (1U << hashAlgo)) != 0U) &&
                    (sha256_mac <= hashAlgo) && (hashAlgo <= sha512_mac))
            {
                output[1] = PSS_RSAE_TO_PSS_PSS(hashAlgo);
            }
            else
    #endif
            {
                output[1] = hashAlgo;
            }
            break;
#endif
#ifdef HAVE_FALCON
        case falcon_level1_sa_algo:
            output[0] = FALCON_LEVEL1_SA_MAJOR;
            output[1] = FALCON_LEVEL1_SA_MINOR;
            break;
        case falcon_level5_sa_algo:
            output[0] = FALCON_LEVEL5_SA_MAJOR;
            output[1] = FALCON_LEVEL5_SA_MINOR;
            break;
#endif
#ifdef HAVE_DILITHIUM
        case dilithium_level2_sa_algo:
            output[0] = DILITHIUM_LEVEL2_SA_MAJOR;
            output[1] = DILITHIUM_LEVEL2_SA_MINOR;
            break;
        case dilithium_level3_sa_algo:
            output[0] = DILITHIUM_LEVEL3_SA_MAJOR;
            output[1] = DILITHIUM_LEVEL3_SA_MINOR;
            break;
        case dilithium_level5_sa_algo:
            output[0] = DILITHIUM_LEVEL5_SA_MAJOR;
            output[1] = DILITHIUM_LEVEL5_SA_MINOR;
            break;
#endif
        default:
            /* Unknown or disabled algorithm: output is not written. */
            break;
    }
}
#endif
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(HAVE_DILITHIUM)
#ifdef WOLFSSL_DUAL_ALG_CERTS
#define HYBRID_SA_MAJOR 0xFE
#define HYBRID_P256_DILITHIUM_LEVEL2_SA_MINOR 0xA1
#define HYBRID_RSA3072_DILITHIUM_LEVEL2_SA_MINOR 0xA2
#define HYBRID_P384_DILITHIUM_LEVEL3_SA_MINOR 0xA4
#define HYBRID_P521_DILITHIUM_LEVEL5_SA_MINOR 0xA6
#define HYBRID_P256_FALCON_LEVEL1_SA_MINOR 0xAF
#define HYBRID_RSA3072_FALCON_LEVEL1_SA_MINOR 0xB0
#define HYBRID_P521_FALCON_LEVEL5_SA_MINOR 0xB2
#define HYBRID_DILITHIUM_LEVEL2_P256_SA_MINOR 0xD1
#define HYBRID_DILITHIUM_LEVEL2_RSA3072_SA_MINOR 0xD2
#define HYBRID_DILITHIUM_LEVEL3_P384_SA_MINOR 0xD3
#define HYBRID_DILITHIUM_LEVEL5_P521_SA_MINOR 0xD4
#define HYBRID_FALCON_LEVEL1_P256_SA_MINOR 0xD5
#define HYBRID_FALCON_LEVEL1_RSA3072_SA_MINOR 0xD6
#define HYBRID_FALCON_LEVEL5_P521_SA_MINOR 0xD7
/* Encode a (native, alternative) signature algorithm pair of a dual-algorithm
 * certificate as a two-byte hybrid SignatureScheme code point.
 *
 * sigAlg     wolfSSL id of the native signature algorithm.
 * altSigAlg  wolfSSL id of the alternative signature algorithm.
 * output     receives the code point: HYBRID_SA_MAJOR and the pair's minor
 *            byte for a recognised pair, 0x00 0x00 otherwise.
 *
 * The pairs are looked up in a table; all pairs are distinct, so at most
 * one entry can match.
 */
static void EncodeDualSigAlg(byte sigAlg, byte altSigAlg, byte* output)
{
    /* Recognised pairs and the minor byte of their code point. */
    static const struct {
        byte sigAlg;
        byte altSigAlg;
        byte minor;
    } hybridSigAlgs[] = {
        { ecc_dsa_sa_algo,          dilithium_level2_sa_algo,
          HYBRID_P256_DILITHIUM_LEVEL2_SA_MINOR },
        { rsa_pss_sa_algo,          dilithium_level2_sa_algo,
          HYBRID_RSA3072_DILITHIUM_LEVEL2_SA_MINOR },
        { ecc_dsa_sa_algo,          dilithium_level3_sa_algo,
          HYBRID_P384_DILITHIUM_LEVEL3_SA_MINOR },
        { ecc_dsa_sa_algo,          dilithium_level5_sa_algo,
          HYBRID_P521_DILITHIUM_LEVEL5_SA_MINOR },
        { ecc_dsa_sa_algo,          falcon_level1_sa_algo,
          HYBRID_P256_FALCON_LEVEL1_SA_MINOR },
        { rsa_pss_sa_algo,          falcon_level1_sa_algo,
          HYBRID_RSA3072_FALCON_LEVEL1_SA_MINOR },
        { ecc_dsa_sa_algo,          falcon_level5_sa_algo,
          HYBRID_P521_FALCON_LEVEL5_SA_MINOR },
        { dilithium_level2_sa_algo, ecc_dsa_sa_algo,
          HYBRID_DILITHIUM_LEVEL2_P256_SA_MINOR },
        { dilithium_level2_sa_algo, rsa_pss_sa_algo,
          HYBRID_DILITHIUM_LEVEL2_RSA3072_SA_MINOR },
        { dilithium_level3_sa_algo, ecc_dsa_sa_algo,
          HYBRID_DILITHIUM_LEVEL3_P384_SA_MINOR },
        { dilithium_level5_sa_algo, ecc_dsa_sa_algo,
          HYBRID_DILITHIUM_LEVEL5_P521_SA_MINOR },
        { falcon_level1_sa_algo,    ecc_dsa_sa_algo,
          HYBRID_FALCON_LEVEL1_P256_SA_MINOR },
        { falcon_level1_sa_algo,    rsa_pss_sa_algo,
          HYBRID_FALCON_LEVEL1_RSA3072_SA_MINOR },
        { falcon_level5_sa_algo,    ecc_dsa_sa_algo,
          HYBRID_FALCON_LEVEL5_P521_SA_MINOR },
    };
    unsigned int n;

    /* Default: not a recognised hybrid pair. */
    output[0] = 0x0;
    output[1] = 0x0;

    for (n = 0; n < sizeof(hybridSigAlgs) / sizeof(hybridSigAlgs[0]); n++) {
        if (hybridSigAlgs[n].sigAlg == sigAlg &&
                hybridSigAlgs[n].altSigAlg == altSigAlg) {
            output[0] = HYBRID_SA_MAJOR;
            output[1] = hybridSigAlgs[n].minor;
            break;
        }
    }
}
#endif
/* Map the minor byte of a NEW_SA_MAJOR signature scheme to its hash.
 *
 * typeIn  minor byte of the two-byte SignatureScheme
 * returns sha256_mac / sha384_mac / sha512_mac for the schemes that carry a
 *         SHA-2 hash (RSA-PSS, the Brainpool TLS 1.3 ECDSA schemes) or that
 *         this file pairs with SHA-512 (Ed25519, Ed448); no_mac otherwise
 */
static enum wc_MACAlgorithm GetNewSAHashAlgo(int typeIn)
{
    enum wc_MACAlgorithm hashAlgo = no_mac;

    if (typeIn == RSA_PSS_RSAE_SHA256_MINOR ||
            typeIn == RSA_PSS_PSS_SHA256_MINOR ||
            typeIn == ECDSA_BRAINPOOLP256R1TLS13_SHA256_MINOR) {
        hashAlgo = sha256_mac;
    }
    else if (typeIn == RSA_PSS_RSAE_SHA384_MINOR ||
            typeIn == RSA_PSS_PSS_SHA384_MINOR ||
            typeIn == ECDSA_BRAINPOOLP384R1TLS13_SHA384_MINOR) {
        hashAlgo = sha384_mac;
    }
    else if (typeIn == RSA_PSS_RSAE_SHA512_MINOR ||
            typeIn == RSA_PSS_PSS_SHA512_MINOR ||
            typeIn == ED25519_SA_MINOR ||
            typeIn == ED448_SA_MINOR ||
            typeIn == ECDSA_BRAINPOOLP512R1TLS13_SHA512_MINOR) {
        hashAlgo = sha512_mac;
    }

    return hashAlgo;
}
/* Decode a two-byte TLS 1.3 SignatureScheme into a hash and a key type.
 *
 * input     two bytes of SignatureScheme (input[0] major, input[1] minor);
 *           the caller must guarantee both bytes are present
 * hashAlgo  receives the hash algorithm (a wc_MACAlgorithm value)
 * hsType    receives the signature/key algorithm (an *_sa_algo value)
 * returns   0 on success, INVALID_PARAMETER for an unknown minor byte under
 *           a recognised major byte
 *
 * Only the recognised major bytes are validated here. The default branch
 * passes the raw bytes through as (hash, signature) without checking them, so
 * the values written there still have to be matched against the supported
 * algorithm list by the caller (presumably done where this is invoked — not
 * visible in this function).
 */
static WC_INLINE int DecodeTls13SigAlg(byte* input, byte* hashAlgo,
                                       byte* hsType)
{
    int ret = 0;

    switch (input[0]) {
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
        case SM2_SA_MAJOR:
            /* SM2 is only defined with SM3 as its hash. */
            if (input[1] == SM2_SA_MINOR) {
                *hsType = sm2_sa_algo;
                *hashAlgo = sm3_mac;
            }
            else
                ret = INVALID_PARAMETER;
            break;
#endif
        case NEW_SA_MAJOR:
            /* Hash is fixed by the minor byte; no_mac for unknown values, but
             * those are rejected by the final else below anyway. */
            *hashAlgo = GetNewSAHashAlgo(input[1]);
            if (input[1] >= RSA_PSS_RSAE_SHA256_MINOR &&
                    input[1] <= RSA_PSS_RSAE_SHA512_MINOR) {
                /* RSA-PSS: hsType takes the major byte itself
                 * (presumably equal to rsa_pss_sa_algo — confirm). */
                *hsType = input[0];
            }
            else if (input[1] >= RSA_PSS_PSS_SHA256_MINOR &&
                    input[1] <= RSA_PSS_PSS_SHA512_MINOR) {
                /* RSA-PSS with a PSS-typed key: same hsType as above. */
                *hsType = input[0];
            }
#ifdef HAVE_ED25519
            else if (input[1] == ED25519_SA_MINOR) {
                *hsType = ed25519_sa_algo;
            }
#endif
#ifdef HAVE_ED448
            else if (input[1] == ED448_SA_MINOR) {
                *hsType = ed448_sa_algo;
            }
#endif
#ifdef HAVE_ECC_BRAINPOOL
            else if ((input[1] == ECDSA_BRAINPOOLP256R1TLS13_SHA256_MINOR) ||
                     (input[1] == ECDSA_BRAINPOOLP384R1TLS13_SHA384_MINOR) ||
                     (input[1] == ECDSA_BRAINPOOLP512R1TLS13_SHA512_MINOR)) {
                /* Brainpool curves are plain ECDSA; the curve itself is
                 * carried by the key, not by hsType. */
                *hsType = ecc_dsa_sa_algo;
            }
#endif
            else
                ret = INVALID_PARAMETER;
            break;
#if defined(HAVE_FALCON)
        case FALCON_SA_MAJOR:
            /* Falcon levels are always paired with SHA-512 in this file. */
            if (input[1] == FALCON_LEVEL1_SA_MINOR) {
                *hsType = falcon_level1_sa_algo;
                *hashAlgo = sha512_mac;
            } else if (input[1] == FALCON_LEVEL5_SA_MINOR) {
                *hsType = falcon_level5_sa_algo;
                *hashAlgo = sha512_mac;
            }
            else
                ret = INVALID_PARAMETER;
            break;
#endif
#if defined(HAVE_DILITHIUM)
        case DILITHIUM_SA_MAJOR:
            /* Dilithium levels are always paired with SHA-512 in this file. */
            if (input[1] == DILITHIUM_LEVEL2_SA_MINOR) {
                *hsType = dilithium_level2_sa_algo;
                *hashAlgo = sha512_mac;
            } else if (input[1] == DILITHIUM_LEVEL3_SA_MINOR) {
                *hsType = dilithium_level3_sa_algo;
                *hashAlgo = sha512_mac;
            } else if (input[1] == DILITHIUM_LEVEL5_SA_MINOR) {
                *hsType = dilithium_level5_sa_algo;
                *hashAlgo = sha512_mac;
            }
            else
            {
                ret = INVALID_PARAMETER;
            }
            break;
#endif
        default:
            /* Legacy (hash, signature) encoding: bytes are copied through
             * unvalidated; ret stays 0. */
            *hashAlgo = input[0];
            *hsType = input[1];
            break;
    }

    return ret;
}
#ifdef WOLFSSL_DUAL_ALG_CERTS
/* Decode a two-byte hybrid (dual) signature scheme.
 *
 * input      two bytes; input[0] must be HYBRID_SA_MAJOR, input[1] selects
 *            the pairing (the caller must supply both bytes)
 * hashAlg    receives the hash used for the native signature
 * sigAlg     receives the native signature algorithm
 * altSigAlg  receives the alternative signature algorithm
 * returns    0 on success; INVALID_PARAMETER when the major byte is not
 *            HYBRID_SA_MAJOR or the minor byte is not a known pairing, in
 *            which case none of the outputs is written
 */
static WC_INLINE int DecodeTls13HybridSigAlg(byte* input, byte* hashAlg,
                                             byte *sigAlg, byte *altSigAlg)
{
    /* Wire minor byte -> (native, hash, alternative). Same pairings and
     * order as EncodeDualSigAlg. */
    static const struct {
        byte minor;
        byte sigAlg;
        byte hashAlg;
        byte altSigAlg;
    } hybridSigAlgs[] = {
        { HYBRID_P256_DILITHIUM_LEVEL2_SA_MINOR,
          ecc_dsa_sa_algo, sha256_mac, dilithium_level2_sa_algo },
        { HYBRID_RSA3072_DILITHIUM_LEVEL2_SA_MINOR,
          rsa_pss_sa_algo, sha256_mac, dilithium_level2_sa_algo },
        { HYBRID_P384_DILITHIUM_LEVEL3_SA_MINOR,
          ecc_dsa_sa_algo, sha384_mac, dilithium_level3_sa_algo },
        { HYBRID_P521_DILITHIUM_LEVEL5_SA_MINOR,
          ecc_dsa_sa_algo, sha512_mac, dilithium_level5_sa_algo },
        { HYBRID_P256_FALCON_LEVEL1_SA_MINOR,
          ecc_dsa_sa_algo, sha256_mac, falcon_level1_sa_algo },
        { HYBRID_RSA3072_FALCON_LEVEL1_SA_MINOR,
          rsa_pss_sa_algo, sha256_mac, falcon_level1_sa_algo },
        { HYBRID_P521_FALCON_LEVEL5_SA_MINOR,
          ecc_dsa_sa_algo, sha512_mac, falcon_level5_sa_algo },
        { HYBRID_DILITHIUM_LEVEL2_P256_SA_MINOR,
          dilithium_level2_sa_algo, sha256_mac, ecc_dsa_sa_algo },
        { HYBRID_DILITHIUM_LEVEL2_RSA3072_SA_MINOR,
          dilithium_level2_sa_algo, sha256_mac, rsa_pss_sa_algo },
        { HYBRID_DILITHIUM_LEVEL3_P384_SA_MINOR,
          dilithium_level3_sa_algo, sha384_mac, ecc_dsa_sa_algo },
        { HYBRID_DILITHIUM_LEVEL5_P521_SA_MINOR,
          dilithium_level5_sa_algo, sha512_mac, ecc_dsa_sa_algo },
        { HYBRID_FALCON_LEVEL1_P256_SA_MINOR,
          falcon_level1_sa_algo, sha256_mac, ecc_dsa_sa_algo },
        { HYBRID_FALCON_LEVEL1_RSA3072_SA_MINOR,
          falcon_level1_sa_algo, sha256_mac, rsa_pss_sa_algo },
        { HYBRID_FALCON_LEVEL5_P521_SA_MINOR,
          falcon_level5_sa_algo, sha512_mac, ecc_dsa_sa_algo },
    };
    word32 k;

    if (input[0] != HYBRID_SA_MAJOR) {
        return INVALID_PARAMETER;
    }

    /* First matching minor byte wins; outputs are only written on a match. */
    for (k = 0; k < XELEM_CNT(hybridSigAlgs); k++) {
        if (hybridSigAlgs[k].minor == input[1]) {
            *sigAlg = hybridSigAlgs[k].sigAlg;
            *hashAlg = hybridSigAlgs[k].hashAlg;
            *altSigAlg = hybridSigAlgs[k].altSigAlg;
            return 0;
        }
    }

    return INVALID_PARAMETER;
}
#endif
/* Copy the current handshake transcript hash into hash.
 *
 * The hash function is the one selected by the negotiated cipher suite
 * (ssl->specs.mac_algorithm). The running hash object is read, not finalised,
 * so further handshake messages can still be added afterwards.
 *
 * ssl     connection whose transcript hash is read
 * hash    output buffer, large enough for the suite's digest
 * returns the digest length in bytes on success, a negative wolfCrypt error
 *         from the *GetHash call on failure, or 0 when mac_algorithm is not a
 *         hash compiled into this build (nothing is written in that case)
 */
static WC_INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash)
{
    int rc;

    switch (ssl->specs.mac_algorithm) {
#ifndef NO_SHA256
        case sha256_mac:
            rc = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            return (rc == 0) ? WC_SHA256_DIGEST_SIZE : rc;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            rc = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            return (rc == 0) ? WC_SHA384_DIGEST_SIZE : rc;
#endif
#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            rc = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            return (rc == 0) ? WC_SHA512_DIGEST_SIZE : rc;
#endif
#ifdef WOLFSSL_SM3
        case sm3_mac:
            rc = wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash);
            return (rc == 0) ? WC_SM3_DIGEST_SIZE : rc;
#endif
        default:
            break;
    }

    /* Unknown or not-compiled-in hash: report a zero-length digest. */
    return 0;
}
/* Context strings mixed into the content that CertificateVerify signs; the
 * one used depends on which side produced the signature (see CreateSigData).
 * CERT_VFY_LABEL_SZ is defined elsewhere in the project. */
static const byte serverCertVfyLabel[CERT_VFY_LABEL_SZ] =
    "TLS 1.3, server CertificateVerify";
static const byte clientCertVfyLabel[CERT_VFY_LABEL_SZ] =
    "TLS 1.3, client CertificateVerify";

/* Byte value repeated SIGNING_DATA_PREFIX_SZ times at the front of the signed
 * content (0x20 is the ASCII space). */
#define SIGNING_DATA_PREFIX_BYTE 0x20
/* Build the content that a TLS 1.3 CertificateVerify signature covers:
 * SIGNING_DATA_PREFIX_SZ prefix bytes, a context label, then the current
 * transcript hash.
 *
 * ssl        connection; ssl->options.side picks the label
 * sigData    output buffer (caller sizes it; MAX_SIG_DATA_SZ is used by the
 *            callers in this file)
 * sigDataSz  receives the number of bytes written
 * check      non-zero when verifying the peer's signature (peer's label),
 *            zero when producing our own (our label)
 * returns    0 on success, or the negative error from GetMsgHash
 *
 * If ssl->options.side is neither client nor server no label is copied and
 * the label region of sigData is left as-is.
 */
int CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz,
                  int check)
{
    const byte* label = NULL;
    int    side = ssl->options.side;
    word16 idx = SIGNING_DATA_PREFIX_SZ;
    int    hashSz;

    XMEMSET(sigData, SIGNING_DATA_PREFIX_BYTE, SIGNING_DATA_PREFIX_SZ);

    /* The label names the signer, which is the peer when checking. */
    if (side == WOLFSSL_SERVER_END)
        label = check ? clientCertVfyLabel : serverCertVfyLabel;
    else if (side == WOLFSSL_CLIENT_END)
        label = check ? serverCertVfyLabel : clientCertVfyLabel;
    if (label != NULL)
        XMEMCPY(&sigData[idx], label, CERT_VFY_LABEL_SZ);
    idx += CERT_VFY_LABEL_SZ;

    hashSz = GetMsgHash(ssl, &sigData[idx]);
    if (hashSz < 0)
        return hashSz;

    *sigDataSz = (word16)(idx + hashSz);
    return 0;
}
#ifndef NO_RSA
/* Hash the CertificateVerify content for an RSA-PSS signature.
 *
 * sig        receives the digest (may alias sigData: the input is fully
 *            consumed before the digest is written)
 * sigData    content produced by CreateSigData
 * sigDataSz  length of sigData in bytes
 * sigAlgo    unused; kept for the caller's convenience
 * hashAlgo   sha256_mac, sha384_mac or sha512_mac
 * returns    digest length on success, BAD_FUNC_ARG for an unsupported hash,
 *            or the negative wolfCrypt error from the hash operation
 */
int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz,
                        int sigAlgo, int hashAlgo)
{
    Digest digest;
    int    hashSz = 0;
    int    ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);

    /* The digest does not depend on the signature algorithm. */
    (void)sigAlgo;

    switch (hashAlgo) {
#ifndef NO_SHA256
        case sha256_mac:
            hashSz = WC_SHA256_DIGEST_SIZE;
            ret = wc_InitSha256(&digest.sha256);
            if (ret != 0)
                break;
            ret = wc_Sha256Update(&digest.sha256, sigData, (word32)sigDataSz);
            if (ret == 0)
                ret = wc_Sha256Final(&digest.sha256, sig);
            wc_Sha256Free(&digest.sha256);
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashSz = WC_SHA384_DIGEST_SIZE;
            ret = wc_InitSha384(&digest.sha384);
            if (ret != 0)
                break;
            ret = wc_Sha384Update(&digest.sha384, sigData, (word32)sigDataSz);
            if (ret == 0)
                ret = wc_Sha384Final(&digest.sha384, sig);
            wc_Sha384Free(&digest.sha384);
            break;
#endif
#ifdef WOLFSSL_SHA512
        case sha512_mac:
            hashSz = WC_SHA512_DIGEST_SIZE;
            ret = wc_InitSha512(&digest.sha512);
            if (ret != 0)
                break;
            ret = wc_Sha512Update(&digest.sha512, sigData, (word32)sigDataSz);
            if (ret == 0)
                ret = wc_Sha512Final(&digest.sha512, sig);
            wc_Sha512Free(&digest.sha512);
            break;
#endif
        default:
            ret = BAD_FUNC_ARG;
            break;
    }

    /* Only a fully successful hash reports its length. */
    return (ret != 0) ? ret : hashSz;
}
#endif
#ifdef HAVE_ECC
/* Hash the CertificateVerify content in place for an ECDSA signature.
 *
 * sigData    content produced by CreateSigData; overwritten with its digest
 *            (the input is consumed before the digest is written)
 * sigDataSz  length of sigData in bytes
 * hashAlgo   sha256_mac, sha384_mac or sha512_mac
 * returns    digest length on success, BAD_FUNC_ARG for an unsupported hash,
 *            or the negative wolfCrypt error from the hash operation
 */
static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo)
{
    Digest digest;
    int    hashSz = 0;
    int    ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);

    switch (hashAlgo) {
#ifndef NO_SHA256
        case sha256_mac:
            hashSz = WC_SHA256_DIGEST_SIZE;
            ret = wc_InitSha256(&digest.sha256);
            if (ret != 0)
                break;
            ret = wc_Sha256Update(&digest.sha256, sigData, (word32)sigDataSz);
            if (ret == 0)
                ret = wc_Sha256Final(&digest.sha256, sigData);
            wc_Sha256Free(&digest.sha256);
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashSz = WC_SHA384_DIGEST_SIZE;
            ret = wc_InitSha384(&digest.sha384);
            if (ret != 0)
                break;
            ret = wc_Sha384Update(&digest.sha384, sigData, (word32)sigDataSz);
            if (ret == 0)
                ret = wc_Sha384Final(&digest.sha384, sigData);
            wc_Sha384Free(&digest.sha384);
            break;
#endif
#ifdef WOLFSSL_SHA512
        case sha512_mac:
            hashSz = WC_SHA512_DIGEST_SIZE;
            ret = wc_InitSha512(&digest.sha512);
            if (ret != 0)
                break;
            ret = wc_Sha512Update(&digest.sha512, sigData, (word32)sigDataSz);
            if (ret == 0)
                ret = wc_Sha512Final(&digest.sha512, sigData);
            wc_Sha512Free(&digest.sha512);
            break;
#endif
        default:
            ret = BAD_FUNC_ARG;
            break;
    }

    /* Only a fully successful hash reports its length. */
    return (ret != 0) ? ret : hashSz;
}
#endif
#if !defined(NO_RSA) && defined(WC_RSA_PSS)
/* Check the PSS padding of a decrypted RSA CertificateVerify signature
 * against the expected signed content.
 *
 * ssl       connection; the transcript hash is taken from it
 * sigAlgo   signature algorithm announced by the peer
 * hashAlgo  hash algorithm announced by the peer
 * decSig    result of the raw RSA public-key operation on the signature
 * decSigSz  length of decSig
 * returns   0 when the padding matches, a negative error otherwise
 *
 * Only rsa_pss_sa_algo is checked. For any other sigAlgo this returns 0
 * without comparing anything, so the caller must have rejected non-PSS RSA
 * schemes before calling.
 */
static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo,
                             byte* decSig, word32 decSigSz)
{
    byte   sigData[MAX_SIG_DATA_SZ];
    word16 sigDataSz = 0;
    enum wc_HashType hashType = WC_HASH_TYPE_NONE;
    int    ret;

    ret = CreateSigData(ssl, sigData, &sigDataSz, 1);
    if (ret != 0)
        return ret;

    if (sigAlgo != rsa_pss_sa_algo) {
        /* Nothing to verify here for other algorithms. */
        return 0;
    }

    ret = ConvertHashPss(hashAlgo, &hashType, NULL);
    if (ret < 0)
        return ret;

    /* Digest the signed content in place; ret becomes the digest length. */
    ret = CreateRSAEncodedSig(sigData, sigData, sigDataSz, sigAlgo, hashAlgo);
    if (ret < 0)
        return ret;

    return wc_RsaPSS_CheckPadding(sigData, (word32)ret, decSig, decSigSz,
                                  hashType);
}
#endif
#endif
#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)
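/* Step over the next certificate in a TLS-style certificate list.
 *
 * Each entry is a 3-byte big-endian length followed by that many bytes.
 *
 * data    certificate list buffer
 * length  total length of data in bytes
 * idx     in: offset of the entry to read; out: offset just past it
 *         (left unchanged when 0 is returned)
 * returns the entry's size including its 3-byte length prefix, or 0 when the
 *         prefix or the body does not fit inside data
 *
 * The bound checks are written as subtractions so that neither *idx + 3 nor
 * *idx + len can wrap around for large *idx.
 */
static word32 NextCert(byte* data, word32 length, word32* idx)
{
    word32 len;

    /* Need the whole 3-byte length prefix inside the buffer. */
    if (*idx > length || length - *idx < OPAQUE24_LEN)
        return 0;
    c24to32(data + *idx, &len);
    len += OPAQUE24_LEN;
    /* The body must fit in what remains after the prefix's offset. */
    if (len > length - *idx)
        return 0;

    *idx += len;
    return len;
}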
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER)
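/* Serialise the server's status_request (OCSP stapling) responses into the
 * per-certificate extension buffers used by SendTls13Certificate.
 *
 * ssl        connection; its TLSX_STATUS_REQUEST extension supplies the data
 * certExts   array of extSz_num DerBuffer slots; a slot that is NULL and has
 *            a response is allocated here and becomes owned by ssl->buffers
 * extSz      array of extSz_num per-certificate extension sizes; the caller
 *            pre-fills each with OPAQUE16_LEN (an empty extensions block) and
 *            entries that get a response are overwritten with the full size
 * extSz_num  number of certificates (end-entity plus chain)
 * returns    total extension bytes across all certificates (>= 0), or a
 *            negative error (BUFFER_E if a response is too big for a 16-bit
 *            length, or the error from AllocDer)
 *
 * Each written buffer is laid out as:
 *   [2] extensions length | [2] extension type | [2] extension length | data
 * so ex_offset bytes precede the CSR payload.
 */
static int WriteCSRToBuffer(WOLFSSL* ssl, DerBuffer** certExts,
                            word16* extSz, word16 extSz_num)
{
    int    ret = 0;
    TLSX*  ext;
    CertificateStatusRequest* csr;
    word32 ex_offset = HELLO_EXT_TYPE_SZ + OPAQUE16_LEN
        + OPAQUE16_LEN ;
    word32 totalSz = 0;
    word32 tmpSz;
    word32 extIdx;
    DerBuffer* der;

    ext = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
    csr = ext ? (CertificateStatusRequest*)ext->data : NULL;

    if (csr) {
        for (extIdx = 0; extIdx < (word16)(extSz_num); extIdx++) {
            tmpSz = TLSX_CSR_GetSize_ex(csr, 0, (int)extIdx);

            /* Only responses with an actual body, and only once per slot. */
            if (tmpSz > (OPAQUE8_LEN + OPAQUE24_LEN) &&
                    certExts[extIdx] == NULL) {
                /* The stored size is payload plus ex_offset header bytes and
                 * lives in a word16 / 16-bit length field, so the header
                 * must be included in the bound or the size wraps. */
                if (tmpSz + ex_offset > WOLFSSL_MAX_16BIT)
                    return BUFFER_E;
                extSz[extIdx] = (word16)tmpSz;
                ret = AllocDer(&certExts[extIdx], extSz[extIdx] + ex_offset,
                               CERT_TYPE, ssl->heap);
                if (ret < 0)
                    return ret;
                der = certExts[extIdx];

                /* extension type at [2..3], extension length at [4..5] */
                c16toa(ext->type, der->buffer
                                + OPAQUE16_LEN);
                c16toa(extSz[extIdx], der->buffer
                                + HELLO_EXT_TYPE_SZ + OPAQUE16_LEN);
                /* payload after the header; the size actually written wins */
                extSz[extIdx] = (word16)TLSX_CSR_Write_ex(csr,
                                der->buffer + ex_offset, 0, extIdx);
                extSz[extIdx] += (word16)ex_offset;
                /* extensions length at [0..1] excludes itself */
                c16toa(extSz[extIdx] - OPAQUE16_LEN,
                                der->buffer);
            }
            /* Slots without a response keep the caller's OPAQUE16_LEN. */
            totalSz += extSz[extIdx];
        }
    }
    else {
        /* No stapling data: every certificate gets an empty extensions block. */
        totalSz += OPAQUE16_LEN * extSz_num;
    }

    return (int)totalSz;
}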
#endif
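/* Copy the next slice of one certificate entry (certificate bytes followed by
 * its extensions block) into a handshake fragment.
 *
 * ssl     connection; ssl->buffers.certExts[extIdx] holds pre-built
 *         extension data when extSz != OPAQUE16_LEN
 * cert    certificate bytes
 * len     length of cert
 * extSz   size of the extensions block for this entry; OPAQUE16_LEN means an
 *         empty block (two zero bytes)
 * idx     how many bytes of (cert + extensions) earlier fragments sent
 * fragSz  bytes available in this fragment
 * output  destination
 * extIdx  which certExts slot belongs to this entry
 * returns number of bytes written, always <= fragSz
 *
 * Both the certificate and the extensions block may straddle a fragment
 * boundary; the caller adds the return value to idx and calls again. The
 * empty-extensions case therefore also emits a partial (single) zero byte when
 * that is all that fits, rather than writing past fragSz.
 */
static word32 AddCertExt(WOLFSSL* ssl, byte* cert, word32 len, word16 extSz,
                         word32 idx, word32 fragSz, byte* output, word16 extIdx)
{
    word32 i = 0;
    word32 copySz = min(len - idx, fragSz);
    word32 room;

    /* Certificate bytes first, resuming from idx. */
    if (idx < len) {
        XMEMCPY(output, cert + idx, copySz);
        i = copySz;
        if (copySz == fragSz)
            return i;
    }

    /* Extension bytes still owed for this entry, capped to the space left. */
    copySz = len + extSz - idx - i;
    room = fragSz - i;
    if (copySz > room)
        copySz = room;

    if (extSz == OPAQUE16_LEN) {
        /* Empty extensions block: a 16-bit zero length, possibly split. */
        XMEMSET(output + i, 0, copySz);
    }
    else {
        /* Pre-built extension data; idx + i - len is how far into it the
         * earlier fragments already got. */
        byte* certExts = ssl->buffers.certExts[extIdx]->buffer + idx + i - len;
        XMEMCPY(output + i, certExts, copySz);
    }
    i += copySz;

    return i;
}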
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER)
/* Prepare the OCSP status response(s) the server will staple into its
 * Certificate message.
 *
 * ssl     connection; requires ssl->extensions to carry TLSX_STATUS_REQUEST
 * returns 0 when there is nothing to do or the response was set up, otherwise
 *         a negative error (MEMORY_ERROR / MEMORY_E / BUFFER_ERROR or the
 *         error from parsing, request creation or response lookup)
 *
 * When the certificate manager has a status callback registered, the response
 * comes from TLSX_CSR_SetResponseWithStatusCB instead of being looked up here.
 */
static int SetupOcspResp(WOLFSSL* ssl)
{
    DecodedCert* cert = NULL;
    CertificateStatusRequest* csr = NULL;
    TLSX* extension = NULL;
    OcspRequest* request = NULL;
    int ret;

    extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
    if (extension == NULL)
        return 0;   /* client did not ask for a status */

    csr = (CertificateStatusRequest*)extension->data;
    if (csr == NULL)
        return MEMORY_ERROR;

    /* An application status callback takes over the whole response. */
    if (SSL_CM(ssl) != NULL &&
            SSL_CM(ssl)->ocsp_stapling != NULL &&
            SSL_CM(ssl)->ocsp_stapling->statusCb != NULL) {
        return TLSX_CSR_SetResponseWithStatusCB(ssl);
    }

    if (ssl->buffers.certificate == NULL) {
        WOLFSSL_MSG("Certificate buffer not set!");
        return BUFFER_ERROR;
    }

    /* Decode our own end-entity certificate to build the OCSP request. */
    cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
                                 DYNAMIC_TYPE_DCERT);
    if (cert == NULL) {
        return MEMORY_E;
    }
    InitDecodedCert(cert, ssl->buffers.certificate->buffer,
                    ssl->buffers.certificate->length, ssl->heap);
    ret = ParseCert(cert, CERT_TYPE, NO_VERIFY, SSL_CM(ssl));
    if (ret == 0)
        ret = TLSX_CSR_InitRequest(ssl->extensions, cert, ssl->heap);
    /* The decoded certificate is not needed past request creation. */
    FreeDecodedCert(cert);
    XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
    if (ret != 0)
        return ret;

    request = &csr->request.ocsp[0];
    ret = CreateOcspResponse(ssl, &request, &csr->responses[0]);
    /* CreateOcspResponse may substitute its own request object; release it
     * when we own the certificate it was created for. */
    if (request != &csr->request.ocsp[0] &&
            ssl->buffers.weOwnCert) {
        FreeOcspRequest(request);
        XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
    }
    if (ret != 0)
        return ret;

    if (csr->responses[0].buffer)
        extension->resp = 1;

#if defined(WOLFSSL_TLS_OCSP_MULTI)
    /* Responses for the intermediate certificates too. */
    ret = ProcessChainOCSPRequest(ssl);
    if (ret != 0) {
        WOLFSSL_MSG("Process Cert Chain OCSP request failed");
        WOLFSSL_ERROR_VERBOSE(ret);
    }
#endif

    return ret;
}
#endif
/* Build and send the TLS 1.3 Certificate handshake message.
 *
 * The message is the certificate request context, then a certificate list in
 * which every entry is a 3-byte length, the certificate, and a 16-bit-length
 * extensions block (empty unless the server is stapling OCSP responses). The
 * body is split across records of at most maxFragment bytes; ssl->fragOffset
 * records how much of the certificate list has already gone out so that a
 * WANT_WRITE return can be resumed by calling again.
 *
 * ssl     connection to send on
 * returns 0 on success, WANT_WRITE if the transport would block, or a
 *         negative error (NO_CERT_ERROR, BUFFER_E, or an error from the
 *         helpers called)
 */
static int SendTls13Certificate(WOLFSSL* ssl)
{
    int    ret = 0;
    word32 certSz, certChainSz, headerSz, listSz, payloadSz;
    /* per-entry extensions-block sizes: [0] end-entity, then chain entries */
    word16 extSz[MAX_CERT_EXTENSIONS];
    word16 extIdx = 0;
    word32 maxFragment;
    word32 totalextSz = 0;
    /* chain iteration state: current chain cert length and list offset */
    word32 len = 0;
    word32 idx = 0;
    word32 offset = OPAQUE16_LEN;
    byte*  p = NULL;
    byte   certReqCtxLen = 0;
    sword32 length;
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    byte*  certReqCtx = NULL;
#endif
#ifdef OPENSSL_EXTRA
    WOLFSSL_X509* x509 = NULL;
    WOLFSSL_EVP_PKEY* pkey = NULL;
#endif

    WOLFSSL_START(WC_FUNC_CERTIFICATE_SEND);
    WOLFSSL_ENTER("SendTls13Certificate");

    XMEMSET(extSz, 0, sizeof(extSz));

    ssl->options.buildingMsg = 1;

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    /* A client answering a post-handshake CertificateRequest echoes its
     * request context. */
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
        certReqCtxLen = ssl->certReqCtx->len;
        certReqCtx = &ssl->certReqCtx->ctx;
    }
#endif

#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_SETUP_CB)
    /* Let the application supply a client certificate and key on demand. */
    if ((ssl->ctx->CBClientCert != NULL) &&
            (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer)) {
        ret = ssl->ctx->CBClientCert(ssl, &x509, &pkey);
        if (ret == 1) {
            if ((wolfSSL_CTX_use_certificate(ssl->ctx, x509) == WOLFSSL_SUCCESS) &&
                (wolfSSL_CTX_use_PrivateKey(ssl->ctx, pkey) == WOLFSSL_SUCCESS)) {
                ssl->options.sendVerify = SEND_CERT;
            }
            wolfSSL_X509_free(x509);
            x509 = NULL;
            wolfSSL_EVP_PKEY_free(pkey);
        }
    }
#endif

    if (ssl->options.sendVerify == SEND_BLANK_CERT) {
        /* Empty certificate list: context length + context + list length. */
        certSz = 0;
        certChainSz = 0;
        headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ;
        length = (sword32)headerSz;
        listSz = 0;
    }
    else {
        if (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer) {
            WOLFSSL_MSG("Send Cert missing certificate buffer");
            return NO_CERT_ERROR;
        }
        certSz = ssl->buffers.certificate->length;
        /* Second CERT_HEADER_SZ is the end-entity certificate's own length. */
        headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ +
                   CERT_HEADER_SZ;
        /* Default: every entry carries an empty extensions block. */
        for (extIdx = 0; extIdx < (word16)XELEM_CNT(extSz); extIdx++)
            extSz[extIdx] = OPAQUE16_LEN;
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER)
        if (ssl->options.side == WOLFSSL_SERVER_END) {
            /* Stapled OCSP responses become per-entry extensions. */
            ret = SetupOcspResp(ssl);
            if (ret != 0)
                return ret;
            ret = WriteCSRToBuffer(ssl, &ssl->buffers.certExts[0], &extSz[0],
                                   1 + (word16)ssl->buffers.certChainCnt);
            if (ret < 0)
                return ret;
            totalextSz += ret;
            ret = 0;
        }
        else
#endif
        {
            totalextSz += OPAQUE16_LEN;
            totalextSz += OPAQUE16_LEN * ssl->buffers.certChainCnt;
        }
        length = (sword32)(headerSz + certSz + totalextSz);
        listSz = CERT_HEADER_SZ + certSz + totalextSz;
        if (certSz > 0 && ssl->buffers.certChainCnt > 0) {
            /* The chain buffer already contains per-entry length prefixes. */
            p = ssl->buffers.certChain->buffer;
            certChainSz = ssl->buffers.certChain->length;
            length += certChainSz;
            listSz += certChainSz;
        }
        else
            certChainSz = 0;
    }

    payloadSz = (word32)length;

    /* Resuming after a partial send: the header and fragOffset bytes of the
     * list are already out. */
    if (ssl->fragOffset != 0)
        length -= (ssl->fragOffset + headerSz);

    maxFragment = (word32)wolfssl_local_GetMaxPlaintextSize(ssl);

    extIdx = 0;
    /* One record per iteration until the whole body is written. */
    while (length > 0 && ret == 0) {
        byte*  output = NULL;
        word32 fragSz = 0;
        word32 i = RECORD_HEADER_SZ;
        int    sendSz = RECORD_HEADER_SZ;

#ifdef WOLFSSL_DTLS13
        if (ssl->options.dtls) {
            i = Dtls13GetRlHeaderLength(ssl, 1);
            sendSz = (int)i;
        }
#endif

        if (ssl->fragOffset == 0) {
            /* First record: carries the handshake header. */
            if (headerSz + certSz + totalextSz + certChainSz <=
                    maxFragment - HANDSHAKE_HEADER_SZ) {
                fragSz = headerSz + certSz + totalextSz + certChainSz;
            }
#ifdef WOLFSSL_DTLS13
            else if (ssl->options.dtls){
                /* DTLS fragments at a lower layer; hand over the whole body. */
                fragSz = headerSz + certSz + totalextSz + certChainSz;
            }
#endif
            else {
                fragSz = maxFragment - HANDSHAKE_HEADER_SZ;
            }

            sendSz += fragSz + HANDSHAKE_HEADER_SZ;
            i += HANDSHAKE_HEADER_SZ;
#ifdef WOLFSSL_DTLS13
            if (ssl->options.dtls) {
                sendSz += DTLS_HANDSHAKE_EXTRA;
                i += DTLS_HANDSHAKE_EXTRA;
            }
#endif
        }
        else {
            /* Continuation record: body bytes only. */
            fragSz = min((word32)length, maxFragment);
            sendSz += fragSz;
        }

        sendSz += MAX_MSG_EXTRA;

        if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
            return ret;

        output = GetOutputBuffer(ssl);

        if (ssl->fragOffset == 0) {
            AddTls13FragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);

            /* certificate_request_context */
            output[i++] = certReqCtxLen;
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
            if (certReqCtxLen > 0) {
                XMEMCPY(output + i, certReqCtx, certReqCtxLen);
                i += certReqCtxLen;
            }
#endif
            length -= OPAQUE8_LEN + certReqCtxLen;
            fragSz -= OPAQUE8_LEN + certReqCtxLen;

            /* certificate_list length */
            c32to24(listSz, output + i);
            i += CERT_HEADER_SZ;
            length -= CERT_HEADER_SZ;
            fragSz -= CERT_HEADER_SZ;

            /* end-entity certificate length */
            if (certSz > 0) {
                c32to24(certSz, output + i);
                i += CERT_HEADER_SZ;
                length -= CERT_HEADER_SZ;
                fragSz -= CERT_HEADER_SZ;
            }
        }
        else
            AddTls13RecordHeader(output, fragSz, handshake, ssl);

        /* End-entity certificate plus its extensions block. */
        if (extIdx == 0) {
            if (certSz > 0 && ssl->fragOffset < certSz + extSz[0]) {
                word32 copySz = AddCertExt(ssl, ssl->buffers.certificate->buffer,
                    certSz, extSz[0], ssl->fragOffset, fragSz,
                    output + i, 0);
                i += copySz;
                ssl->fragOffset += copySz;
                length -= copySz;
                fragSz -= copySz;
                /* extension buffer fully sent; release it */
                if (ssl->fragOffset == certSz + extSz[0])
                    FreeDer(&ssl->buffers.certExts[0]);
            }
        }

        /* Chain entries, each followed by its extensions block. */
        if (certChainSz > 0 && fragSz > 0) {
            while (fragSz > 0) {
                word32 l;

                /* Previous entry (cert + extensions) done: move to the next. */
                if (offset == len + OPAQUE16_LEN) {
                    offset = 0;
                    p = ssl->buffers.certChain->buffer + idx;
                    len = NextCert(ssl->buffers.certChain->buffer,
                                   ssl->buffers.certChain->length, &idx);
                    if (len == 0)
                        break;
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \
    !defined(NO_WOLFSSL_SERVER)
                    if (extIdx + 1 < MAX_CERT_EXTENSIONS)
                        extIdx++;
#endif
                }

                l = AddCertExt(ssl, p, len, extSz[extIdx], offset, fragSz,
                               output + i, extIdx);
                i += l;
                ssl->fragOffset += l;
                length -= l;
                fragSz -= l;
                offset += l;

                /* Non-empty extension block fully sent: free it and fold its
                 * extra size into len so the end-of-entry test above holds. */
                if (extIdx != 0 && extIdx < MAX_CERT_EXTENSIONS &&
                        ssl->buffers.certExts[extIdx] != NULL &&
                        offset == len + extSz[extIdx]) {
                    FreeDer(&ssl->buffers.certExts[extIdx]);
                    len += extSz[extIdx] - OPAQUE16_LEN;
                }
            }
        }

        if ((int)i - RECORD_HEADER_SZ < 0) {
            WOLFSSL_MSG("Send Cert bad inputSz");
            return BUFFER_E;
        }

#ifdef WOLFSSL_DTLS13
        if (ssl->options.dtls) {
            /* DTLS 1.3 does its own fragmentation; the whole body goes down. */
            ssl->options.buildingMsg = 0;
            ssl->fragOffset = 0;
            if ((word32)sendSz > WOLFSSL_MAX_16BIT || i > WOLFSSL_MAX_16BIT) {
                WOLFSSL_MSG("Send Cert DTLS size exceeds word16");
                return BUFFER_E;
            }
            ret = Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)i,
                                      certificate, 1);
        }
        else
#endif
        {
            /* Protect the record and queue it. */
            sendSz = BuildTls13Message(ssl, output, sendSz,
                output + RECORD_HEADER_SZ, (int)(i - RECORD_HEADER_SZ),
                handshake, 1,
                0, 0);
            if (sendSz < 0)
                return sendSz;

#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
            if (ssl->hsInfoOn)
                AddPacketName(ssl, "Certificate");
            if (ssl->toInfoOn) {
                ret = AddPacketInfo(ssl, "Certificate", handshake, output,
                        sendSz, WRITE_PROTO, 0, ssl->heap);
                if (ret != 0)
                    return ret;
            }
#endif

            ssl->buffers.outputBuffer.length += (word32)sendSz;
            ssl->options.buildingMsg = 0;
            if (!ssl->options.groupMessages)
                ret = SendBuffered(ssl);
        }
    }

    /* WANT_WRITE keeps fragOffset so the next call resumes; anything else
     * (success or hard error) resets the send state. */
    if (ret != WC_NO_ERR_TRACE(WANT_WRITE)) {
        ssl->options.buildingMsg = 0;
        ssl->fragOffset = 0;
        if (ssl->options.side == WOLFSSL_SERVER_END)
            ssl->options.serverState = SERVER_CERT_COMPLETE;
    }

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    /* The request context has been answered; pop it from the pending list. */
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
        CertReqCtx* ctx = ssl->certReqCtx;
        ssl->certReqCtx = ssl->certReqCtx->next;
        XFREE(ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    }
#endif

    WOLFSSL_LEAVE("SendTls13Certificate", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_SEND);

    return ret;
}
#if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448) || defined(HAVE_FALCON) || \
defined(HAVE_DILITHIUM)) && \
(!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))
/* State carried across the asynchronous stages of SendTls13CertificateVerify.
 * Released by FreeScv13Args. */
typedef struct Scv13Args {
    byte*  output;      /* start of the output record buffer */
    byte*  verify;      /* handshake body inside output: sig alg, length, sig */
    word32 idx;         /* offset of verify within output */
    word32 sigLen;      /* signature size from the key, then the actual length */
    int    sendSz;      /* bytes reserved in the output buffer */
    word16 length;      /* signature bytes written to verify */
    byte   sigAlgo;     /* our signature algorithm (*_sa_algo) */
    byte*  sigData;     /* signed content (heap, DYNAMIC_TYPE_SIGNATURE) */
    word16 sigDataSz;   /* length of sigData */
#ifndef NO_RSA
    byte*  toSign;      /* RSA input: the digest, or sigData for a no-prehash PK callback */
    word32 toSignSz;    /* length of toSign */
#endif
#ifdef WOLFSSL_DUAL_ALG_CERTS
    byte   altSigAlgo;  /* alternative signature algorithm */
    word32 altSigLen;   /* alternative signature size, then actual length */
    byte*  altSigData;  /* copy of sigData for the alternative key (heap) */
    word16 altSigDataSz;/* length of altSigData */
#endif
} Scv13Args;
/* Release the heap buffers held by an Scv13Args.
 *
 * ssl    connection whose heap the buffers came from
 * pArgs  Scv13Args to clean up; NULL is accepted and ignored
 *
 * Freed pointers are cleared so a repeated call is harmless.
 */
static void FreeScv13Args(WOLFSSL* ssl, void* pArgs)
{
    Scv13Args* args = (Scv13Args*)pArgs;

    (void)ssl;

    if (args == NULL)
        return;

    if (args->sigData != NULL) {
        XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
        args->sigData = NULL;
    }
#ifdef WOLFSSL_DUAL_ALG_CERTS
    if (args->altSigData != NULL) {
        XFREE(args->altSigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
        args->altSigData = NULL;
    }
#endif
}
static int SendTls13CertificateVerify(WOLFSSL* ssl)
{
int ret = 0;
#ifndef NO_RSA
buffer* rsaSigBuf = &ssl->buffers.sig;
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
Scv13Args* args = NULL;
WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
#else
Scv13Args args[1];
#endif
#ifdef WOLFSSL_DTLS13
int recordLayerHdrExtra;
#endif
WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_SEND);
WOLFSSL_ENTER("SendTls13CertificateVerify");
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
#endif
ssl->options.buildingMsg = 1;
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
ret = tsip_Tls13SendCertVerify(ssl);
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
goto exit_scv;
}
ret = 0;
#endif
#ifdef WOLFSSL_DTLS13
if (ssl->options.dtls)
recordLayerHdrExtra = Dtls13GetRlHeaderLength(ssl, 1) - RECORD_HEADER_SZ;
else
recordLayerHdrExtra = 0;
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
if (ssl->async == NULL) {
ssl->async = (struct WOLFSSL_ASYNC*)
XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
DYNAMIC_TYPE_ASYNC);
if (ssl->async == NULL)
ERROR_OUT(MEMORY_E, exit_scv);
}
args = (Scv13Args*)ssl->async->args;
ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
if (ret < 0)
goto exit_scv;
}
else
#endif
{
ret = 0;
ssl->options.asyncState = TLS_ASYNC_BEGIN;
XMEMSET(args, 0, sizeof(Scv13Args));
#ifdef WOLFSSL_ASYNC_CRYPT
ssl->async->freeArgs = FreeScv13Args;
#endif
}
switch(ssl->options.asyncState)
{
case TLS_ASYNC_BEGIN:
{
if (ssl->options.sendVerify == SEND_BLANK_CERT) {
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
wolfssl_priv_der_blind_toggle(ssl->buffers.key,
ssl->buffers.keyMask);
#endif
return 0;
}
args->sendSz = WC_MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA;
args->sendSz += MAX_MSG_EXTRA;
if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) {
goto exit_scv;
}
args->output = GetOutputBuffer(ssl);
ssl->options.asyncState = TLS_ASYNC_BUILD;
}
FALL_THROUGH;
case TLS_ASYNC_BUILD:
{
int rem = (int)(ssl->buffers.outputBuffer.bufferSize
- ssl->buffers.outputBuffer.length
- RECORD_HEADER_SZ - HANDSHAKE_HEADER_SZ);
args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
args->verify =
&args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ];
#ifdef WOLFSSL_DTLS13
if (ssl->options.dtls) {
rem -= recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA;
args->idx += recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA;
args->verify += recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA;
}
#endif
if (ssl->buffers.key == NULL) {
#ifdef HAVE_PK_CALLBACKS
if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx))
args->sigLen = (word16)GetPrivateKeySigSize(ssl);
else
#endif
ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
}
else {
#ifdef WOLFSSL_DUAL_ALG_CERTS
if (ssl->sigSpec != NULL &&
*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_ALTERNATIVE) {
if (ssl->buffers.altKey == NULL) {
ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
}
ssl->buffers.keyType = ssl->buffers.altKeyType;
ssl->buffers.keySz = ssl->buffers.altKeySz;
if (ssl->buffers.weOwnKey) {
FreeDer(&ssl->buffers.key);
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
FreeDer(&ssl->buffers.keyMask);
#endif
}
ssl->buffers.key = ssl->buffers.altKey;
ssl->buffers.weOwnKey = ssl->buffers.weOwnAltKey;
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
ssl->buffers.keyMask = ssl->buffers.altKeyMask;
wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
#endif
}
#endif
ret = DecodePrivateKey(ssl, &args->sigLen);
if (ret != 0)
goto exit_scv;
}
if (rem < 0 || (int)args->sigLen > rem) {
ERROR_OUT(BUFFER_E, exit_scv);
}
if (args->sigLen == 0) {
ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
}
if (ssl->hsType == DYNAMIC_TYPE_RSA)
args->sigAlgo = rsa_pss_sa_algo;
#ifdef HAVE_ECC
else if (ssl->hsType == DYNAMIC_TYPE_ECC) {
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
if (ssl->buffers.keyType == sm2_sa_algo) {
args->sigAlgo = sm2_sa_algo;
}
else
#endif
{
args->sigAlgo = ecc_dsa_sa_algo;
}
}
#endif
#ifdef HAVE_ED25519
else if (ssl->hsType == DYNAMIC_TYPE_ED25519)
args->sigAlgo = ed25519_sa_algo;
#endif
#ifdef HAVE_ED448
else if (ssl->hsType == DYNAMIC_TYPE_ED448)
args->sigAlgo = ed448_sa_algo;
#endif
#if defined(HAVE_FALCON)
else if (ssl->hsType == DYNAMIC_TYPE_FALCON) {
args->sigAlgo = ssl->buffers.keyType;
}
#endif
#if defined(HAVE_DILITHIUM)
else if (ssl->hsType == DYNAMIC_TYPE_DILITHIUM) {
args->sigAlgo = ssl->buffers.keyType;
}
#endif
else {
ERROR_OUT(ALGO_ID_E, exit_scv);
}
#ifdef WOLFSSL_DUAL_ALG_CERTS
if (ssl->peerSigSpec == NULL) {
ssl->sigSpec = NULL;
ssl->sigSpecSz = 0;
}
if (ssl->sigSpec != NULL &&
*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
if (ssl->buffers.altKey == NULL) {
ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
}
ret = DecodeAltPrivateKey(ssl, &args->altSigLen);
if (ret != 0)
goto exit_scv;
if (ssl->buffers.altKeyType == ecc_dsa_sa_algo ||
ssl->buffers.altKeyType == falcon_level1_sa_algo ||
ssl->buffers.altKeyType == falcon_level5_sa_algo ||
ssl->buffers.altKeyType == dilithium_level2_sa_algo ||
ssl->buffers.altKeyType == dilithium_level3_sa_algo ||
ssl->buffers.altKeyType == dilithium_level5_sa_algo) {
args->altSigAlgo = ssl->buffers.altKeyType;
}
else if (ssl->buffers.altKeyType == rsa_sa_algo &&
ssl->hsAltType == DYNAMIC_TYPE_RSA) {
args->altSigAlgo = rsa_pss_sa_algo;
}
else {
ERROR_OUT(ALGO_ID_E, exit_scv);
}
EncodeDualSigAlg(args->sigAlgo, args->altSigAlgo, args->verify);
if (args->verify[0] == 0) {
ERROR_OUT(ALGO_ID_E, exit_scv);
}
}
else
#endif
EncodeSigAlg(ssl, ssl->options.hashAlgo, args->sigAlgo,
args->verify);
if (args->sigData == NULL) {
word32 sigLen = MAX_SIG_DATA_SZ;
if ((ssl->hsType == DYNAMIC_TYPE_RSA) &&
(args->sigLen > MAX_SIG_DATA_SZ)) {
sigLen = args->sigLen;
}
args->sigData = (byte*)XMALLOC(sigLen, ssl->heap,
DYNAMIC_TYPE_SIGNATURE);
if (args->sigData == NULL) {
ERROR_OUT(MEMORY_E, exit_scv);
}
}
#ifdef WOLFSSL_DUAL_ALG_CERTS
if ((ssl->sigSpec != NULL) &&
(*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) &&
(args->altSigData == NULL)) {
word32 sigLen = MAX_SIG_DATA_SZ;
if (ssl->hsAltType == DYNAMIC_TYPE_RSA &&
args->altSigLen > MAX_SIG_DATA_SZ) {
sigLen = args->altSigLen;
}
args->altSigData = (byte*)XMALLOC(sigLen, ssl->heap,
DYNAMIC_TYPE_SIGNATURE);
if (args->altSigData == NULL) {
ERROR_OUT(MEMORY_E, exit_scv);
}
}
#endif
ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 0);
if (ret != 0)
goto exit_scv;
#ifdef WOLFSSL_DUAL_ALG_CERTS
if ((ssl->sigSpec != NULL) &&
(*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH)) {
XMEMCPY(args->altSigData, args->sigData, args->sigDataSz);
args->altSigDataSz = args->sigDataSz;
}
#endif
#ifndef NO_RSA
if (ssl->hsType == DYNAMIC_TYPE_RSA) {
rsaSigBuf->length = WC_MAX_DIGEST_SIZE;
rsaSigBuf->buffer = (byte*)XMALLOC(rsaSigBuf->length, ssl->heap,
DYNAMIC_TYPE_SIGNATURE);
if (rsaSigBuf->buffer == NULL) {
ERROR_OUT(MEMORY_E, exit_scv);
}
ret = CreateRSAEncodedSig(rsaSigBuf->buffer, args->sigData,
args->sigDataSz, args->sigAlgo, ssl->options.hashAlgo);
if (ret < 0)
goto exit_scv;
rsaSigBuf->length = (unsigned int)ret;
ret = 0;
}
#endif
#ifdef HAVE_ECC
if (ssl->hsType == DYNAMIC_TYPE_ECC) {
args->sigLen = (word32)args->sendSz - args->idx -
HASH_SIG_SIZE -
VERIFY_HEADER;
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
if (ssl->buffers.keyType != sm2_sa_algo)
#endif
{
ret = CreateECCEncodedSig(args->sigData,
args->sigDataSz, ssl->options.hashAlgo);
if (ret < 0)
goto exit_scv;
args->sigDataSz = (word16)ret;
ret = 0;
}
}
#endif
#ifdef HAVE_ED25519
if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
ret = Ed25519CheckPubKey(ssl);
if (ret < 0) {
ERROR_OUT(ret, exit_scv);
}
args->sigLen = ED25519_SIG_SIZE;
}
#endif
#ifdef HAVE_ED448
if (ssl->hsType == DYNAMIC_TYPE_ED448) {
ret = Ed448CheckPubKey(ssl);
if (ret < 0) {
ERROR_OUT(ret, exit_scv);
}
args->sigLen = ED448_SIG_SIZE;
}
#endif
#if defined(HAVE_FALCON)
if (ssl->hsType == DYNAMIC_TYPE_FALCON) {
args->sigLen = FALCON_MAX_SIG_SIZE;
}
#endif
#if defined(HAVE_DILITHIUM)
if (ssl->hsType == DYNAMIC_TYPE_DILITHIUM) {
args->sigLen = DILITHIUM_MAX_SIG_SIZE;
}
#endif
#ifdef WOLFSSL_DUAL_ALG_CERTS
if (ssl->sigSpec != NULL &&
*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
#ifndef NO_RSA
if (ssl->hsAltType == DYNAMIC_TYPE_RSA) {
XFREE(rsaSigBuf->buffer, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
rsaSigBuf->length = WC_MAX_DIGEST_SIZE;
rsaSigBuf->buffer = (byte*)XMALLOC(rsaSigBuf->length,
ssl->heap,
DYNAMIC_TYPE_SIGNATURE);
if (rsaSigBuf->buffer == NULL) {
ERROR_OUT(MEMORY_E, exit_scv);
}
ret = CreateRSAEncodedSig(rsaSigBuf->buffer,
args->altSigData, args->altSigDataSz,
args->altSigAlgo, ssl->options.hashAlgo);
if (ret < 0)
goto exit_scv;
rsaSigBuf->length = ret;
ret = 0;
}
#endif
#ifdef HAVE_ECC
if (ssl->hsAltType == DYNAMIC_TYPE_ECC) {
ret = CreateECCEncodedSig(args->altSigData,
args->altSigDataSz, ssl->options.hashAlgo);
if (ret < 0)
goto exit_scv;
args->altSigDataSz = (word16)ret;
ret = 0;
}
#endif
}
#endif
ssl->options.asyncState = TLS_ASYNC_DO;
}
FALL_THROUGH;
case TLS_ASYNC_DO:
{
byte* sigOut = args->verify + HASH_SIG_SIZE + VERIFY_HEADER;
#ifdef WOLFSSL_DUAL_ALG_CERTS
if (ssl->sigSpec != NULL &&
*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
sigOut += OPAQUE16_LEN;
}
#endif
#ifdef HAVE_ECC
if (ssl->hsType == DYNAMIC_TYPE_ECC) {
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
if (ssl->buffers.keyType == sm2_sa_algo) {
ret = Sm2wSm3Sign(ssl, TLS13_SM2_SIG_ID,
TLS13_SM2_SIG_ID_SZ, args->sigData, args->sigDataSz,
sigOut, &args->sigLen, (ecc_key*)ssl->hsKey, NULL);
}
else
#endif
{
ret = EccSign(ssl, args->sigData, args->sigDataSz,
sigOut, &args->sigLen, (ecc_key*)ssl->hsKey,
#ifdef HAVE_PK_CALLBACKS
ssl->buffers.key
#else
NULL
#endif
);
}
args->length = (word16)args->sigLen;
}
#endif
#ifdef HAVE_ED25519
if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
ret = Ed25519Sign(ssl, args->sigData, args->sigDataSz,
sigOut, &args->sigLen, (ed25519_key*)ssl->hsKey,
#ifdef HAVE_PK_CALLBACKS
ssl->buffers.key
#else
NULL
#endif
);
args->length = (word16)args->sigLen;
}
#endif
#ifdef HAVE_ED448
if (ssl->hsType == DYNAMIC_TYPE_ED448) {
ret = Ed448Sign(ssl, args->sigData, args->sigDataSz,
sigOut, &args->sigLen, (ed448_key*)ssl->hsKey,
#ifdef HAVE_PK_CALLBACKS
ssl->buffers.key
#else
NULL
#endif
);
args->length = (word16)args->sigLen;
}
#endif
#if defined(HAVE_FALCON)
if (ssl->hsType == DYNAMIC_TYPE_FALCON) {
ret = wc_falcon_sign_msg(args->sigData, args->sigDataSz,
sigOut, &args->sigLen,
(falcon_key*)ssl->hsKey, ssl->rng);
args->length = (word16)args->sigLen;
}
#endif
#if defined(HAVE_DILITHIUM) && !defined(WOLFSSL_DILITHIUM_NO_SIGN)
if (ssl->hsType == DYNAMIC_TYPE_DILITHIUM) {
ret = wc_dilithium_sign_ctx_msg(NULL, 0, args->sigData,
args->sigDataSz, sigOut,
&args->sigLen,
(dilithium_key*)ssl->hsKey,
ssl->rng);
args->length = (word16)args->sigLen;
}
#endif
#if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
!defined(WOLFSSL_RSA_VERIFY_ONLY)
if (ssl->hsType == DYNAMIC_TYPE_RSA) {
args->toSign = rsaSigBuf->buffer;
args->toSignSz = (word32)rsaSigBuf->length;
#if defined(HAVE_PK_CALLBACKS) && \
defined(TLS13_RSA_PSS_SIGN_CB_NO_PREHASH)
if (ssl->ctx->RsaPssSignCb) {
args->toSign = args->sigData;
args->toSignSz = args->sigDataSz;
}
#endif
ret = RsaSign(ssl, (const byte*)args->toSign, args->toSignSz,
sigOut, &args->sigLen, args->sigAlgo,
ssl->options.hashAlgo, (RsaKey*)ssl->hsKey,
ssl->buffers.key);
if (ret == 0) {
args->length = (word16)args->sigLen;
XMEMCPY(args->sigData, sigOut, args->sigLen);
}
}
#endif
if (ret != 0) {
goto exit_scv;
}
#ifdef WOLFSSL_DUAL_ALG_CERTS
if (ssl->sigSpec != NULL &&
*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
c16toa((word16)args->sigLen, sigOut - OPAQUE16_LEN);
args->length += OPAQUE16_LEN;
sigOut += args->sigLen + OPAQUE16_LEN;
#ifdef HAVE_ECC
if (ssl->hsAltType == DYNAMIC_TYPE_ECC) {
ret = EccSign(ssl, args->altSigData, args->altSigDataSz,
sigOut, &args->altSigLen,
(ecc_key*)ssl->hsAltKey,
#ifdef HAVE_PK_CALLBACKS
ssl->buffers.altKey
#else
NULL
#endif
);
}
#endif
#if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
!defined(WOLFSSL_RSA_VERIFY_ONLY)
if (ssl->hsAltType == DYNAMIC_TYPE_RSA) {
args->toSign = rsaSigBuf->buffer;
args->toSignSz = (word32)rsaSigBuf->length;
#if defined(HAVE_PK_CALLBACKS) && \
defined(TLS13_RSA_PSS_SIGN_CB_NO_PREHASH)
if (ssl->ctx->RsaPssSignCb) {
args->toSign = args->altSigData;
args->toSignSz = (word32)args->altSigDataSz;
}
#endif
ret = RsaSign(ssl, (const byte*)args->toSign,
args->toSignSz, sigOut, &args->altSigLen,
args->altSigAlgo, ssl->options.hashAlgo,
(RsaKey*)ssl->hsAltKey,
ssl->buffers.altKey);
if (ret == 0) {
XMEMCPY(args->altSigData, sigOut, args->altSigLen);
}
}
#endif
#if defined(HAVE_FALCON)
if (ssl->hsAltType == DYNAMIC_TYPE_FALCON) {
ret = wc_falcon_sign_msg(args->altSigData,
args->altSigDataSz, sigOut,
&args->altSigLen,
(falcon_key*)ssl->hsAltKey,
ssl->rng);
}
#endif
#if defined(HAVE_DILITHIUM) && !defined(WOLFSSL_DILITHIUM_NO_SIGN)
if (ssl->hsAltType == DYNAMIC_TYPE_DILITHIUM) {
ret = wc_dilithium_sign_ctx_msg(NULL, 0, args->altSigData,
args->altSigDataSz, sigOut, &args->altSigLen,
(dilithium_key*)ssl->hsAltKey, ssl->rng);
}
#endif
if (ret != 0) {
goto exit_scv;
}
c16toa((word16)args->altSigLen, sigOut - OPAQUE16_LEN);
args->length += args->altSigLen + OPAQUE16_LEN;
}
#endif
c16toa(args->length, args->verify + HASH_SIG_SIZE);
ssl->options.asyncState = TLS_ASYNC_VERIFY;
}
FALL_THROUGH;
case TLS_ASYNC_VERIFY:
{
#ifndef NO_RSA
if (ssl->hsType == DYNAMIC_TYPE_RSA) {
ret = VerifyRsaSign(ssl, args->sigData, args->sigLen,
rsaSigBuf->buffer, (word32)rsaSigBuf->length, args->sigAlgo,
ssl->options.hashAlgo, (RsaKey*)ssl->hsKey,
ssl->buffers.key);
}
#ifdef WOLFSSL_DUAL_ALG_CERTS
if (ssl->sigSpec != NULL &&
*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH &&
ssl->hsAltType == DYNAMIC_TYPE_RSA) {
ret = VerifyRsaSign(ssl, args->altSigData, args->altSigLen,
rsaSigBuf->buffer, (word32)rsaSigBuf->length,
args->altSigAlgo, ssl->options.hashAlgo,
(RsaKey*)ssl->hsAltKey, ssl->buffers.altKey);
}
#endif
#endif
#if defined(HAVE_ECC) && defined(WOLFSSL_CHECK_SIG_FAULTS)
if (ssl->hsType == DYNAMIC_TYPE_ECC) {
byte* sigOut = args->verify + HASH_SIG_SIZE + VERIFY_HEADER;
#ifdef WOLFSSL_DUAL_ALG_CERTS
if (ssl->sigSpec != NULL &&
*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
sigOut += OPAQUE16_LEN;
}
#endif
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
if (ssl->buffers.keyType == sm2_sa_algo) {
ret = Sm2wSm3Verify(ssl, TLS13_SM2_SIG_ID,
TLS13_SM2_SIG_ID_SZ,
sigOut, args->sigLen, args->sigData, args->sigDataSz,
(ecc_key*)ssl->hsKey, NULL);
}
else
#endif
{
#ifdef HAVE_PK_CALLBACKS
buffer tmp;
tmp.length = ssl->buffers.key->length;
tmp.buffer = ssl->buffers.key->buffer;
#endif
ret = EccVerify(ssl, sigOut, args->sigLen,
args->sigData, args->sigDataSz,
(ecc_key*)ssl->hsKey,
#ifdef HAVE_PK_CALLBACKS
&tmp
#else
NULL
#endif
);
}
}
#ifdef WOLFSSL_DUAL_ALG_CERTS
if (ssl->sigSpec != NULL &&
*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH &&
ssl->hsAltType == DYNAMIC_TYPE_ECC) {
byte* sigOut = args->verify + HASH_SIG_SIZE + VERIFY_HEADER +
args->sigLen + OPAQUE16_LEN + OPAQUE16_LEN;
ret = EccVerify(ssl, sigOut, args->altSigLen,
args->altSigData, args->altSigDataSz,
(ecc_key*)ssl->hsAltKey,
#ifdef HAVE_PK_CALLBACKS
ssl->buffers.altKey
#else
NULL
#endif
);
}
#endif
#endif
if (ret != 0) {
goto exit_scv;
}
ssl->options.asyncState = TLS_ASYNC_FINALIZE;
}
FALL_THROUGH;
case TLS_ASYNC_FINALIZE:
{
AddTls13Headers(args->output, args->length + HASH_SIG_SIZE +
VERIFY_HEADER, certificate_verify, ssl);
args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ +
args->length + HASH_SIG_SIZE + VERIFY_HEADER;
#ifdef WOLFSSL_DTLS13
if (ssl->options.dtls)
args->sendSz += recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA;
#endif
ssl->options.asyncState = TLS_ASYNC_END;
}
FALL_THROUGH;
case TLS_ASYNC_END:
{
#ifdef WOLFSSL_DTLS13
if (ssl->options.dtls) {
ssl->options.buildingMsg = 0;
ret = Dtls13HandshakeSend(ssl, args->output,
WC_MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA + MAX_MSG_EXTRA,
(word16)args->sendSz, certificate_verify, 1);
if (ret != 0)
goto exit_scv;
break;
}
#endif
ret = BuildTls13Message(ssl, args->output,
WC_MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA,
args->output + RECORD_HEADER_SZ,
args->sendSz - RECORD_HEADER_SZ, handshake,
1, 0, 0);
if (ret < 0) {
goto exit_scv;
}
else {
args->sendSz = ret;
ret = 0;
}
#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
if (ssl->hsInfoOn)
AddPacketName(ssl, "CertificateVerify");
if (ssl->toInfoOn) {
ret = AddPacketInfo(ssl, "CertificateVerify", handshake,
args->output, args->sendSz, WRITE_PROTO, 0,
ssl->heap);
if (ret != 0)
goto exit_scv;
}
#endif
ssl->buffers.outputBuffer.length += (word32)args->sendSz;
ssl->options.buildingMsg = 0;
if (!ssl->options.groupMessages)
ret = SendBuffered(ssl);
break;
}
default:
ret = INPUT_CASE_ERROR;
}
exit_scv:
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
if (ret == 0) {
ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.key,
&ssl->buffers.keyMask);
}
else {
wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
}
#endif
WOLFSSL_LEAVE("SendTls13CertificateVerify", ret);
WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_SEND);
#ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
return ret;
}
#endif
FreeScv13Args(ssl, args);
FreeKeyExchange(ssl);
#ifdef WOLFSSL_ASYNC_IO
FreeAsyncCtx(ssl, 0);
#endif
if (ret != 0) {
WOLFSSL_ERROR_VERBOSE(ret);
}
return ret;
}
#endif
#endif
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
/* Advance the handshake state once a TLS 1.3 Certificate message has been
 * consumed without error.
 *
 * A client notes that the server's Certificate has arrived. A server that has
 * already completed the handshake (post-handshake client authentication,
 * RFC 8446 4.6.2) treats the incoming client Certificate as completing the
 * authentication exchange and moves its state machine forward.
 */
static void DoTls13CertificateComplete(WOLFSSL* ssl)
{
#if !defined(NO_WOLFSSL_CLIENT)
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        ssl->options.serverState = SERVER_CERT_COMPLETE;
#endif
#if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
    if (ssl->options.side == WOLFSSL_SERVER_END &&
            ssl->options.handShakeState == HANDSHAKE_DONE) {
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
        ssl->options.acceptState = TICKET_SENT;
        ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
    }
#endif
    (void)ssl;
}

/* Handle a received TLS 1.3 Certificate message.
 *
 * The certificate chain itself is parsed and verified by ProcessPeerCerts,
 * which also advances *inOutIdx past the message. In DTLS 1.3 a Certificate
 * that arrives after the handshake completed is first handed to the
 * retransmission logic.
 *
 * ssl       The SSL/TLS object.
 * input     Buffer holding the handshake message.
 * inOutIdx  In: index of the message body. Out: index past the message.
 * totalSz   Number of bytes available in input.
 * returns 0 on success, a negative error code from the DTLS retransmission
 *         handling or from ProcessPeerCerts otherwise.
 */
static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                              word32 totalSz)
{
    int ret;

    WOLFSSL_START(WC_FUNC_CERTIFICATE_DO);
    WOLFSSL_ENTER("DoTls13Certificate");

#ifdef WOLFSSL_DTLS13
    ret = (ssl->options.dtls && ssl->options.handShakeDone)
        ? Dtls13RtxProcessingCertificate(ssl, input + *inOutIdx, totalSz)
        : 0;
#else
    ret = 0;
#endif

    if (ret == 0) {
        ret = ProcessPeerCerts(ssl, input, inOutIdx, totalSz);
        if (ret == 0)
            DoTls13CertificateComplete(ssl);
    }

    WOLFSSL_LEAVE("DoTls13Certificate", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_DO);
    return ret;
}
#endif
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448)
/* Working state of DoTls13CertificateVerify. Kept in a struct so that, under
 * WOLFSSL_ASYNC_CRYPT, the function can be re-entered after WC_PENDING_E with
 * the parse position and intermediate buffers preserved. */
typedef struct Dcv13Args {
    byte*  output;      /* RSA-PSS: encoded message recovered by RsaVerify,
                         * checked later by CheckRSASignature */
    word32 sendSz;      /* RSA-PSS: length of output (value returned by
                         * RsaVerify); name is historical */
    word16 sz;          /* Length of the signature field in the message */
    word32 sigSz;       /* Length of the (native) signature to verify; equals
                         * sz unless two signatures are present */
    word32 idx;         /* Current parse index into input */
    word32 begin;       /* Index where the message body started */

    byte*  sigData;     /* Data the signature covers, built by CreateSigData
                         * from the transcript hash (MAX_SIG_DATA_SZ bytes) */
    word16 sigDataSz;   /* Bytes used in sigData */
#ifdef WOLFSSL_DUAL_ALG_CERTS
    byte   altSigAlgo;      /* Signature algorithm of the alternative key */
    byte*  altSigData;      /* Copy of sigData for the alternative signature */
    word32 altSigDataSz;    /* Bytes used in altSigData */
    word32 altSignatureSz;  /* Length of the alternative signature */
    byte   altPeerAuthGood; /* Alternative signature verified */
#endif
} Dcv13Args;
/* Release the heap buffers owned by a Dcv13Args (see DoTls13CertificateVerify).
 *
 * Only the signature-data buffers are owned here; the decoded peer keys and
 * ssl->buffers.sig are released elsewhere (FreeKey / FreeKeyExchange).
 * Safe to call with a NULL argument block. Used as the async freeArgs
 * callback, hence the void* parameter.
 *
 * ssl    The SSL/TLS object (supplies the heap hint).
 * pArgs  Pointer to the Dcv13Args to clean up, may be NULL.
 */
static void FreeDcv13Args(WOLFSSL* ssl, void* pArgs)
{
    Dcv13Args* dcv = (Dcv13Args*)pArgs;

    (void)ssl;

    if (dcv == NULL)
        return;

    if (dcv->sigData != NULL) {
        XFREE(dcv->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
        dcv->sigData = NULL;
    }
#ifdef WOLFSSL_DUAL_ALG_CERTS
    if (dcv->altSigData != NULL) {
        XFREE(dcv->altSigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
        dcv->altSigData = NULL;
    }
#endif
}
#ifdef WOLFSSL_DUAL_ALG_CERTS
#ifndef NO_RSA
/* Decode the peer's alternative RSA public key from the certificate's
 * SubjectAltPublicKeyInfo (ssl->peerCert.sapkiDer) into ssl->peerRsaKey.
 *
 * Refuses to decode if an RSA peer key is already present, so the key can
 * never be silently replaced. Note that peerRsaKeyPresent is raised as soon
 * as the key object is allocated, i.e. it is set even if decoding fails.
 *
 * returns 0 on success, INVALID_PARAMETER if a key is already present,
 *         PEER_KEY_ERROR if allocation or DER decoding fails.
 */
static int decodeRsaKey(WOLFSSL* ssl)
{
    int    ret;
    word32 derIdx = 0;

    if (ssl->peerRsaKeyPresent)
        return INVALID_PARAMETER;

    ret = AllocKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey);
    if (ret == 0) {
        ssl->peerRsaKeyPresent = 1;
        ret = wc_RsaPublicKeyDecode(ssl->peerCert.sapkiDer, &derIdx,
                                    ssl->peerRsaKey, ssl->peerCert.sapkiLen);
    }

    return (ret == 0) ? 0 : PEER_KEY_ERROR;
}
#endif
#ifdef HAVE_ECC
/* Decode the peer's alternative ECDSA public key from the certificate's
 * SubjectAltPublicKeyInfo (ssl->peerCert.sapkiDer) into ssl->peerEccDsaKey.
 *
 * Refuses to decode if an ECDSA peer key is already present, so the key can
 * never be silently replaced. Note that peerEccDsaKeyPresent is raised as
 * soon as the key object is allocated, i.e. it is set even if decoding fails.
 *
 * returns 0 on success, INVALID_PARAMETER if a key is already present,
 *         PEER_KEY_ERROR if allocation or DER decoding fails.
 */
static int decodeEccKey(WOLFSSL* ssl)
{
    int    ret;
    word32 derIdx = 0;

    if (ssl->peerEccDsaKeyPresent)
        return INVALID_PARAMETER;

    ret = AllocKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey);
    if (ret == 0) {
        ssl->peerEccDsaKeyPresent = 1;
        ret = wc_EccPublicKeyDecode(ssl->peerCert.sapkiDer, &derIdx,
                                    ssl->peerEccDsaKey,
                                    ssl->peerCert.sapkiLen);
    }

    return (ret == 0) ? 0 : PEER_KEY_ERROR;
}
#endif
#ifdef HAVE_DILITHIUM
/* Decode the peer's alternative ML-DSA/Dilithium public key from the
 * certificate's SubjectAltPublicKeyInfo (ssl->peerCert.sapkiDer) into
 * ssl->peerDilithiumKey.
 *
 * The parameter set must be fixed (wc_dilithium_set_level) before the DER
 * can be decoded. Refuses to decode if a Dilithium peer key is already
 * present. Note that peerDilithiumKeyPresent is raised as soon as the key
 * object is allocated, i.e. it is set even if level setting or decoding fails.
 *
 * level  Dilithium/ML-DSA parameter set (WC_ML_DSA_44/65/87).
 * returns 0 on success, INVALID_PARAMETER if a key is already present,
 *         PEER_KEY_ERROR if allocation, level selection or decoding fails.
 */
static int decodeDilithiumKey(WOLFSSL* ssl, int level)
{
    int    ret;
    word32 derIdx = 0;

    if (ssl->peerDilithiumKeyPresent)
        return INVALID_PARAMETER;

    ret = AllocKey(ssl, DYNAMIC_TYPE_DILITHIUM,
                   (void**)&ssl->peerDilithiumKey);
    if (ret == 0) {
        ssl->peerDilithiumKeyPresent = 1;
        ret = wc_dilithium_set_level(ssl->peerDilithiumKey, level);
    }
    if (ret == 0) {
        ret = wc_Dilithium_PublicKeyDecode(ssl->peerCert.sapkiDer, &derIdx,
                                           ssl->peerDilithiumKey,
                                           ssl->peerCert.sapkiLen);
    }

    return (ret == 0) ? 0 : PEER_KEY_ERROR;
}
#endif
#ifdef HAVE_FALCON
/* Decode the peer's alternative Falcon public key from the certificate's
 * SubjectAltPublicKeyInfo (ssl->peerCert.sapkiDer) into ssl->peerFalconKey.
 *
 * The security level must be fixed (wc_falcon_set_level) before the DER can
 * be decoded. Refuses to decode if a Falcon peer key is already present.
 * Note that peerFalconKeyPresent is raised as soon as the key object is
 * allocated, i.e. it is set even if level setting or decoding fails.
 *
 * level  Falcon security level (1 or 5).
 * returns 0 on success, INVALID_PARAMETER if a key is already present,
 *         PEER_KEY_ERROR if allocation, level selection or decoding fails.
 */
static int decodeFalconKey(WOLFSSL* ssl, int level)
{
    int    ret;
    word32 derIdx = 0;

    if (ssl->peerFalconKeyPresent)
        return INVALID_PARAMETER;

    ret = AllocKey(ssl, DYNAMIC_TYPE_FALCON, (void**)&ssl->peerFalconKey);
    if (ret == 0) {
        ssl->peerFalconKeyPresent = 1;
        ret = wc_falcon_set_level(ssl->peerFalconKey, level);
    }
    if (ret == 0) {
        ret = wc_Falcon_PublicKeyDecode(ssl->peerCert.sapkiDer, &derIdx,
                                        ssl->peerFalconKey,
                                        ssl->peerCert.sapkiLen);
    }

    return (ret == 0) ? 0 : PEER_KEY_ERROR;
}
#endif
#endif
/* Process a received TLS 1.3 CertificateVerify message (RFC 8446 4.4.3).
 *
 * Wire format: SignatureScheme (2 bytes), signature length (2 bytes),
 * signature. The scheme is accepted only if it is one this side offered
 * (the suites' hashSigAlgo list), is valid for TLS 1.3 (RSA PKCS#1 v1.5 is
 * rejected outright) and corresponds to the type of the peer's public key.
 * The signature is checked over the data produced by CreateSigData (the
 * transcript-hash based construction of RFC 8446 4.4.3).
 *
 * On success ssl->options.peerAuthGood and ssl->options.havePeerVerify are set
 * and *inOutIdx is advanced past the message and any record padding. On any
 * failure other than INVALID_PARAMETER a fatal decrypt_error alert is sent.
 *
 * With WOLFSSL_DUAL_ALG_CERTS and a negotiated sigSpec of BOTH, the signature
 * field holds two length-prefixed signatures (native, then alternative); both
 * must verify for peerAuthGood to remain set.
 *
 * Under WOLFSSL_ASYNC_CRYPT the function is re-entrant: its state lives in a
 * Dcv13Args inside ssl->async plus ssl->options.asyncState, and WC_PENDING_E
 * means "call again later".
 *
 * ssl       The SSL/TLS object.
 * input     Buffer holding the handshake message.
 * inOutIdx  In: index of the message body. Out: index past the message and
 *           past ssl->keys.padSz bytes of record padding.
 * totalSz   Number of bytes available in input from the message start.
 * returns 0 on success, WC_PENDING_E when async work is outstanding, or a
 *         negative error code (BUFFER_ERROR, INVALID_PARAMETER,
 *         PEER_KEY_ERROR, SIG_VERIFY_E, MEMORY_E, ...).
 */
static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                                    word32* inOutIdx, word32 totalSz)
{
    int ret = 0;
    byte* sig = NULL;
#ifndef NO_RSA
    /* RSA-PSS signatures are copied out of input so the verify/check steps
     * can run (possibly asynchronously) on a stable buffer. */
    buffer* rsaSigBuf = &ssl->buffers.sig;
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
    Dcv13Args* args = NULL;
    WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
#else
    Dcv13Args args[1];
#endif

    WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_DO);
    WOLFSSL_ENTER("DoTls13CertificateVerify");

#if defined(WOLFSSL_RENESAS_TSIP_TLS)
    /* Hardware TSIP handles the whole message unless it reports that it
     * cannot; only CRYPTOCB_UNAVAILABLE falls through to software. */
    ret = tsip_Tls13CertificateVerify(ssl, input, inOutIdx, totalSz);
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
        goto exit_dcv;
    }
    ret = 0;
#endif

#ifdef WOLFSSL_ASYNC_CRYPT
    if (ssl->async == NULL) {
        ssl->async = (struct WOLFSSL_ASYNC*)
                XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
                        DYNAMIC_TYPE_ASYNC);
        if (ssl->async == NULL)
            ERROR_OUT(MEMORY_E, exit_dcv);
    }
    args = (Dcv13Args*)ssl->async->args;

    /* Resume a pending operation, if any; otherwise fall into fresh init. */
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
    if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
        /* Check for error */
        if (ret < 0)
            goto exit_dcv;
    }
    else
#endif
    {
        /* Fresh start: reset parse state and the recorded peer algorithms. */
        ret = 0;
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
        XMEMSET(args, 0, sizeof(Dcv13Args));
        ssl->options.peerHashAlgo = sha_mac;
        ssl->options.peerSigAlgo = anonymous_sa_algo;
        args->idx = *inOutIdx;
        args->begin = *inOutIdx;
    #ifdef WOLFSSL_ASYNC_CRYPT
        ssl->async->freeArgs = FreeDcv13Args;
    #endif
    }

    switch(ssl->options.asyncState)
    {
        case TLS_ASYNC_BEGIN:
        {
        #ifdef WOLFSSL_CALLBACKS
            if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateVerify");
            if (ssl->toInfoOn) AddLateName("CertificateVerify",
                                           &ssl->timeoutInfo);
        #endif

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_BUILD;
        } /* case TLS_ASYNC_BEGIN */
        FALL_THROUGH;

        case TLS_ASYNC_BUILD:
        {
            int validSigAlgo;
            const Suites* suites = WOLFSSL_SUITES(ssl);
            word16 i;

            /* Signature algorithm: two bytes must be available. */
            if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > totalSz) {
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
            }
        #ifdef WOLFSSL_DUAL_ALG_CERTS
            /* Without a peer CKS extension there is no dual-alg negotiation. */
            if (ssl->peerSigSpec == NULL) {
                ssl->sigSpec = NULL;
                ssl->sigSpecSz = 0;
            }
            if (ssl->sigSpec == NULL ||
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_NATIVE ||
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_ALTERNATIVE) {
        #endif
                /* The peer may only use a scheme we advertised
                 * (RFC 8446 4.4.3); anything else is a protocol error. */
                validSigAlgo = 0;
                for (i = 0; i < suites->hashSigAlgoSz; i += 2) {
                    if ((suites->hashSigAlgo[i + 0] == input[args->idx + 0]) &&
                        (suites->hashSigAlgo[i + 1] == input[args->idx + 1])) {
                        validSigAlgo = 1;
                        break;
                    }
                }
                if (!validSigAlgo) {
                    ERROR_OUT(INVALID_PARAMETER, exit_dcv);
                }
                ret = DecodeTls13SigAlg(input + args->idx,
                        &ssl->options.peerHashAlgo, &ssl->options.peerSigAlgo);
        #ifdef WOLFSSL_DUAL_ALG_CERTS
            }
            else {
                /* sigSpec BOTH: a hybrid code point naming both algorithms.
                 * NOTE(review): unlike the branch above, this path does not
                 * cross-check the received code point against the offered
                 * list; presumably DecodeTls13HybridSigAlg rejects unknown
                 * values -- confirm. */
                ret = DecodeTls13HybridSigAlg(input + args->idx,
                                              &ssl->options.peerHashAlgo,
                                              &ssl->options.peerSigAlgo,
                                              &args->altSigAlgo);
            }
        #endif
            if (ret < 0)
                goto exit_dcv;
            args->idx += OPAQUE16_LEN;

            /* Signature length. */
            if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) {
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
            }
            ato16(input + args->idx, &args->sz);
            args->idx += OPAQUE16_LEN;

            /* Signature data must lie entirely within the message. */
            if ((args->idx - args->begin) + args->sz > totalSz) {
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
            }

        #ifdef WOLFSSL_DUAL_ALG_CERTS
            if ((ssl->sigSpec != NULL) &&
                (*ssl->sigSpec != WOLFSSL_CKS_SIGSPEC_NATIVE)) {
                /* Decode the alternative public key from the certificate's
                 * SubjectAltPublicKeyInfo for the algorithm the peer named
                 * (the hybrid alt algorithm, or the single alternative one). */
                word16 sa;
                if (args->altSigAlgo == 0)
                    sa = ssl->options.peerSigAlgo;
                else
                    sa = args->altSigAlgo;

                switch(sa) {
            #ifndef NO_RSA
                case rsa_pss_sa_algo:
                    ret = decodeRsaKey(ssl);
                    break;
            #endif
            #ifdef HAVE_ECC
                case ecc_dsa_sa_algo:
                    ret = decodeEccKey(ssl);
                    break;
            #endif
            #ifdef HAVE_DILITHIUM
                case dilithium_level2_sa_algo:
                    ret = decodeDilithiumKey(ssl, WC_ML_DSA_44);
                    break;
                case dilithium_level3_sa_algo:
                    ret = decodeDilithiumKey(ssl, WC_ML_DSA_65);
                    break;
                case dilithium_level5_sa_algo:
                    ret = decodeDilithiumKey(ssl, WC_ML_DSA_87);
                    break;
            #endif
            #ifdef HAVE_FALCON
                case falcon_level1_sa_algo:
                    ret = decodeFalconKey(ssl, 1);
                    break;
                case falcon_level5_sa_algo:
                    ret = decodeFalconKey(ssl, 5);
                    break;
            #endif
                default:
                    ERROR_OUT(PEER_KEY_ERROR, exit_dcv);
                }

                if (ret != 0)
                    ERROR_OUT(ret, exit_dcv);

                if (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_ALTERNATIVE) {
                    /* Only the alternative key is used: release the native
                     * key taken from the certificate when its type differs
                     * from the alternative algorithm. If no such native key is
                     * present this is a PEER_KEY_ERROR. */
            #ifndef NO_RSA
                    if (ssl->peerRsaKeyPresent && sa != rsa_pss_sa_algo) {
                        FreeKey(ssl, DYNAMIC_TYPE_RSA,
                                (void**)&ssl->peerRsaKey);
                        ssl->peerRsaKeyPresent = 0;
                    }
            #endif
            #ifdef HAVE_ECC
                    else if (ssl->peerEccDsaKeyPresent &&
                             sa != ecc_dsa_sa_algo) {
                        FreeKey(ssl, DYNAMIC_TYPE_ECC,
                                (void**)&ssl->peerEccDsaKey);
                        ssl->peerEccDsaKeyPresent = 0;
                    }
            #endif
            #ifdef HAVE_DILITHIUM
                    else if (ssl->peerDilithiumKeyPresent &&
                             sa != dilithium_level2_sa_algo &&
                             sa != dilithium_level3_sa_algo &&
                             sa != dilithium_level5_sa_algo) {
                        FreeKey(ssl, DYNAMIC_TYPE_DILITHIUM,
                                (void**)&ssl->peerDilithiumKey);
                        ssl->peerDilithiumKeyPresent = 0;
                    }
            #endif
            #ifdef HAVE_FALCON
                    else if (ssl->peerFalconKeyPresent &&
                             sa != falcon_level1_sa_algo &&
                             sa != falcon_level5_sa_algo) {
                        FreeKey(ssl, DYNAMIC_TYPE_FALCON,
                                (void**)&ssl->peerFalconKey);
                        ssl->peerFalconKeyPresent = 0;
                    }
            #endif
                    else {
                        ERROR_OUT(PEER_KEY_ERROR, exit_dcv);
                    }
                }
            }
        #endif

            /* The signature scheme must match a peer public key we actually
             * hold (decoded from the certificate by ProcessPeerCerts, or from
             * the SAPKI above). Otherwise the signature cannot be for the
             * presented certificate and is rejected with SIG_VERIFY_E. */
            validSigAlgo = 0;
        #ifdef HAVE_ED25519
            if (ssl->options.peerSigAlgo == ed25519_sa_algo) {
                WOLFSSL_MSG("Peer sent ED25519 sig");
                validSigAlgo = (ssl->peerEd25519Key != NULL) &&
                                                     ssl->peerEd25519KeyPresent;
            }
        #endif
        #ifdef HAVE_ED448
            if (ssl->options.peerSigAlgo == ed448_sa_algo) {
                WOLFSSL_MSG("Peer sent ED448 sig");
                validSigAlgo = (ssl->peerEd448Key != NULL) &&
                                                       ssl->peerEd448KeyPresent;
            }
        #endif
        #ifdef HAVE_ECC
            if (ssl->options.peerSigAlgo == ecc_dsa_sa_algo) {
                WOLFSSL_MSG("Peer sent ECC sig");
                validSigAlgo = (ssl->peerEccDsaKey != NULL) &&
                                                      ssl->peerEccDsaKeyPresent;
            }
        #endif
        #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
            if (ssl->options.peerSigAlgo == sm2_sa_algo) {
                WOLFSSL_MSG("Peer sent SM2 sig");
                validSigAlgo = (ssl->peerEccDsaKey != NULL) &&
                                                      ssl->peerEccDsaKeyPresent;
            }
        #endif
        #ifdef HAVE_FALCON
            if (ssl->options.peerSigAlgo == falcon_level1_sa_algo) {
                WOLFSSL_MSG("Peer sent Falcon Level 1 sig");
                validSigAlgo = (ssl->peerFalconKey != NULL) &&
                                                      ssl->peerFalconKeyPresent;
            }
            if (ssl->options.peerSigAlgo == falcon_level5_sa_algo) {
                WOLFSSL_MSG("Peer sent Falcon Level 5 sig");
                validSigAlgo = (ssl->peerFalconKey != NULL) &&
                                                      ssl->peerFalconKeyPresent;
            }
        #endif
        #ifdef HAVE_DILITHIUM
            if (ssl->options.peerSigAlgo == dilithium_level2_sa_algo) {
                WOLFSSL_MSG("Peer sent Dilithium Level 2 sig");
                validSigAlgo = (ssl->peerDilithiumKey != NULL) &&
                                                   ssl->peerDilithiumKeyPresent;
            }
            if (ssl->options.peerSigAlgo == dilithium_level3_sa_algo) {
                WOLFSSL_MSG("Peer sent Dilithium Level 3 sig");
                validSigAlgo = (ssl->peerDilithiumKey != NULL) &&
                                                   ssl->peerDilithiumKeyPresent;
            }
            if (ssl->options.peerSigAlgo == dilithium_level5_sa_algo) {
                WOLFSSL_MSG("Peer sent Dilithium Level 5 sig");
                validSigAlgo = (ssl->peerDilithiumKey != NULL) &&
                                                   ssl->peerDilithiumKeyPresent;
            }
        #endif
        #ifndef NO_RSA
            /* RSA PKCS#1 v1.5 is not permitted in TLS 1.3 CertificateVerify
             * (RFC 8446 4.2.3); only RSA-PSS is. */
            if (ssl->options.peerSigAlgo == rsa_sa_algo) {
                WOLFSSL_MSG("Peer sent PKCS#1.5 algo - not valid TLS 1.3");
                ERROR_OUT(INVALID_PARAMETER, exit_dcv);
            }
            if (ssl->options.peerSigAlgo == rsa_pss_sa_algo) {
                WOLFSSL_MSG("Peer sent RSA sig");
                validSigAlgo = (ssl->peerRsaKey != NULL) &&
                                                         ssl->peerRsaKeyPresent;
            }
        #endif
            if (!validSigAlgo) {
                WOLFSSL_MSG("Sig algo doesn't correspond to certificate");
                ERROR_OUT(SIG_VERIFY_E, exit_dcv);
            }

            args->sigSz = args->sz;
        #ifdef WOLFSSL_DUAL_ALG_CERTS
            if (ssl->sigSpec != NULL &&
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
                /* Two signatures, each with its own 2-byte length prefix.
                 * Every length is checked against args->sz before use and
                 * the total must account for the field exactly. */
                word32 tmpIdx = args->idx;
                word16 tmpSz = 0;

                if (args->sz < OPAQUE16_LEN) {
                    ERROR_OUT(BUFFER_ERROR, exit_dcv);
                }
                ato16(input + tmpIdx, &tmpSz);
                args->sigSz = tmpSz;
                tmpIdx += OPAQUE16_LEN + args->sigSz;
                if (tmpIdx - args->idx + OPAQUE16_LEN > args->sz) {
                    ERROR_OUT(BUFFER_ERROR, exit_dcv);
                }
                ato16(input + tmpIdx, &tmpSz);
                args->altSignatureSz = tmpSz;
                if (args->sz != (args->sigSz + args->altSignatureSz +
                                 OPAQUE16_LEN + OPAQUE16_LEN)) {
                    ERROR_OUT(BUFFER_ERROR, exit_dcv);
                }
            }
        #endif

        #if !defined(NO_RSA) && defined(WC_RSA_PSS)
            if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
                /* Copy the RSA signature (native or alternative) out of the
                 * input buffer into ssl->buffers.sig for verification. */
                word32 sigSz = args->sigSz;
                sig = input + args->idx;
            #ifdef WOLFSSL_DUAL_ALG_CERTS
                if (ssl->sigSpec != NULL &&
                    *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
                    if (ssl->options.peerSigAlgo != rsa_pss_sa_algo) {
                        /* RSA is the alternative: skip both length prefixes
                         * and the native signature. */
                        sig += OPAQUE16_LEN + OPAQUE16_LEN + args->sigSz;
                        sigSz = args->altSignatureSz;
                    }
                    else {
                        sig += OPAQUE16_LEN;
                    }
                }
            #endif
                rsaSigBuf->buffer = (byte*)XMALLOC(sigSz, ssl->heap,
                                                   DYNAMIC_TYPE_SIGNATURE);
                if (rsaSigBuf->buffer == NULL) {
                    ERROR_OUT(MEMORY_E, exit_dcv);
                }
                rsaSigBuf->length = sigSz;
                XMEMCPY(rsaSigBuf->buffer, sig, rsaSigBuf->length);
            }
        #endif

            /* Build the data that was signed (RFC 8446 4.4.3 construction
             * over the transcript hash). */
            args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
                                           DYNAMIC_TYPE_SIGNATURE);
            if (args->sigData == NULL) {
                ERROR_OUT(MEMORY_E, exit_dcv);
            }
            ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
            if (ret < 0)
                goto exit_dcv;

        #ifdef WOLFSSL_DUAL_ALG_CERTS
            if ((ssl->sigSpec != NULL) &&
                (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH)) {
                /* Both signatures cover the same data; keep a separate copy
                 * because the ECDSA path below rewrites it into a hash. */
                args->altSigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
                                                  DYNAMIC_TYPE_SIGNATURE);
                if (args->altSigData == NULL) {
                    ERROR_OUT(MEMORY_E, exit_dcv);
                }
                XMEMCPY(args->altSigData, args->sigData, args->sigDataSz);
                args->altSigDataSz = args->sigDataSz;
            }
        #endif

        #ifdef HAVE_ECC
            /* ECDSA verifies over the hash of the signature data. */
            if ((ssl->options.peerSigAlgo == ecc_dsa_sa_algo) &&
                (ssl->peerEccDsaKeyPresent)) {
                ret = CreateECCEncodedSig(args->sigData,
                    args->sigDataSz, ssl->options.peerHashAlgo);
                if (ret < 0)
                    goto exit_dcv;
                args->sigDataSz = (word16)ret;
                ret = 0;
            }
        #ifdef WOLFSSL_DUAL_ALG_CERTS
            if ((ssl->sigSpec != NULL) &&
                (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) &&
                (args->altSigAlgo == ecc_dsa_sa_algo) &&
                (ssl->peerEccDsaKeyPresent)) {
                ret = CreateECCEncodedSig(args->altSigData,
                    args->altSigDataSz, ssl->options.peerHashAlgo);
                if (ret < 0)
                    goto exit_dcv;
                args->altSigDataSz = (word16)ret;
                ret = 0;
            }
        #endif
        #endif

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_DO;
        } /* case TLS_ASYNC_BUILD */
        FALL_THROUGH;

        case TLS_ASYNC_DO:
        {
            sig = input + args->idx;
            (void)sig;
        #ifdef WOLFSSL_DUAL_ALG_CERTS
            if (ssl->sigSpec != NULL &&
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
                /* Skip the native signature's length prefix. */
                sig += OPAQUE16_LEN;
            }
        #endif

        #ifndef NO_RSA
            /* RSA-PSS: this step only recovers the encoded message; the
             * actual PSS check happens in TLS_ASYNC_VERIFY, which is where
             * peerAuthGood is set for RSA. */
            if ((ssl->options.peerSigAlgo == rsa_pss_sa_algo) &&
                (ssl->peerRsaKey != NULL) && (ssl->peerRsaKeyPresent != 0)) {
                WOLFSSL_MSG("Doing RSA peer cert verify");
                ret = RsaVerify(ssl, rsaSigBuf->buffer,
                                (word32)rsaSigBuf->length, &args->output,
                                ssl->options.peerSigAlgo,
                                ssl->options.peerHashAlgo, ssl->peerRsaKey,
                #ifdef HAVE_PK_CALLBACKS
                                &ssl->buffers.peerRsaKey
                #else
                                NULL
                #endif
                );
                if (ret >= 0) {
                    args->sendSz = (word32)ret;
                    ret = 0;
                }
            }
        #endif /* !NO_RSA */

            /* For the non-RSA algorithms a non-negative return is treated as
             * "verified": the wrappers below are presumed to return an error
             * code on signature mismatch (Falcon/Dilithium report it via res
             * and are mapped to SIG_VERIFY_E explicitly). The peer key is
             * released immediately after a successful verification. */
        #ifdef HAVE_ECC
            if ((ssl->options.peerSigAlgo == ecc_dsa_sa_algo) &&
                ssl->peerEccDsaKeyPresent) {
                WOLFSSL_MSG("Doing ECC peer cert verify");
                ret = EccVerify(ssl, sig, args->sigSz,
                                args->sigData, args->sigDataSz,
                                ssl->peerEccDsaKey,
                #ifdef HAVE_PK_CALLBACKS
                                &ssl->buffers.peerEccDsaKey
                #else
                                NULL
                #endif
                );
                if (ret >= 0) {
                    ssl->options.peerAuthGood = 1;
                    FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey);
                    ssl->peerEccDsaKeyPresent = 0;
                }
            }
        #endif /* HAVE_ECC */
        #if defined(HAVE_ECC) && defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
            if ((ssl->options.peerSigAlgo == sm2_sa_algo) &&
                ssl->peerEccDsaKeyPresent) {
                WOLFSSL_MSG("Doing SM2/SM3 peer cert verify");
                ret = Sm2wSm3Verify(ssl, TLS13_SM2_SIG_ID, TLS13_SM2_SIG_ID_SZ,
                    sig, args->sigSz, args->sigData, args->sigDataSz,
                    ssl->peerEccDsaKey, NULL);
                if (ret >= 0) {
                    ssl->options.peerAuthGood = 1;
                    FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey);
                    ssl->peerEccDsaKeyPresent = 0;
                }
            }
        #endif
        #ifdef HAVE_ED25519
            if ((ssl->options.peerSigAlgo == ed25519_sa_algo) &&
                (ssl->peerEd25519KeyPresent)) {
                WOLFSSL_MSG("Doing ED25519 peer cert verify");
                ret = Ed25519Verify(ssl, sig, args->sigSz,
                                    args->sigData, args->sigDataSz,
                                    ssl->peerEd25519Key,
                #ifdef HAVE_PK_CALLBACKS
                                    &ssl->buffers.peerEd25519Key
                #else
                                    NULL
                #endif
                );
                if (ret >= 0) {
                    ssl->options.peerAuthGood = 1;
                    FreeKey(ssl, DYNAMIC_TYPE_ED25519,
                            (void**)&ssl->peerEd25519Key);
                    ssl->peerEd25519KeyPresent = 0;
                }
            }
        #endif
        #ifdef HAVE_ED448
            if ((ssl->options.peerSigAlgo == ed448_sa_algo) &&
                (ssl->peerEd448KeyPresent)) {
                WOLFSSL_MSG("Doing ED448 peer cert verify");
                ret = Ed448Verify(ssl, sig, args->sigSz,
                                  args->sigData, args->sigDataSz,
                                  ssl->peerEd448Key,
                #ifdef HAVE_PK_CALLBACKS
                                  &ssl->buffers.peerEd448Key
                #else
                                  NULL
                #endif
                );
                if (ret >= 0) {
                    ssl->options.peerAuthGood = 1;
                    FreeKey(ssl, DYNAMIC_TYPE_ED448,
                            (void**)&ssl->peerEd448Key);
                    ssl->peerEd448KeyPresent = 0;
                }
            }
        #endif
        #if defined(HAVE_FALCON)
            if (((ssl->options.peerSigAlgo == falcon_level1_sa_algo) ||
                 (ssl->options.peerSigAlgo == falcon_level5_sa_algo)) &&
                (ssl->peerFalconKeyPresent)) {
                int res = 0;
                WOLFSSL_MSG("Doing Falcon peer cert verify");
                ret = wc_falcon_verify_msg(sig, args->sigSz,
                                           args->sigData, args->sigDataSz,
                                           &res, ssl->peerFalconKey);
                if ((ret >= 0) && (res == 1)) {
                    ssl->options.peerAuthGood = 1;
                    FreeKey(ssl, DYNAMIC_TYPE_FALCON,
                            (void**)&ssl->peerFalconKey);
                    ssl->peerFalconKeyPresent = 0;
                }
                else if ((ret >= 0) && (res == 0)) {
                    WOLFSSL_MSG("Falcon signature verification failed");
                    ret = SIG_VERIFY_E;
                }
            }
        #endif /* HAVE_FALCON */
        #if defined(HAVE_DILITHIUM) && !defined(WOLFSSL_DILITHIUM_NO_VERIFY)
            if (((ssl->options.peerSigAlgo == dilithium_level2_sa_algo) ||
                 (ssl->options.peerSigAlgo == dilithium_level3_sa_algo) ||
                 (ssl->options.peerSigAlgo == dilithium_level5_sa_algo)) &&
                (ssl->peerDilithiumKeyPresent)) {
                int res = 0;
                WOLFSSL_MSG("Doing Dilithium peer cert verify");
                ret = wc_dilithium_verify_ctx_msg(sig, args->sigSz, NULL, 0,
                                                  args->sigData, args->sigDataSz,
                                                  &res, ssl->peerDilithiumKey);
                if ((ret >= 0) && (res == 1)) {
                    ssl->options.peerAuthGood = 1;
                    FreeKey(ssl, DYNAMIC_TYPE_DILITHIUM,
                            (void**)&ssl->peerDilithiumKey);
                    ssl->peerDilithiumKeyPresent = 0;
                }
                else if ((ret >= 0) && (res == 0)) {
                    WOLFSSL_MSG("Dilithium signature verification failed");
                    ret = SIG_VERIFY_E;
                }
            }
        #endif /* HAVE_DILITHIUM */

            /* Check for error */
            if (ret != 0) {
                goto exit_dcv;
            }

        #ifdef WOLFSSL_DUAL_ALG_CERTS
            if (ssl->sigSpec != NULL &&
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
                /* Move past the native signature and the alternative
                 * signature's length prefix, then verify the alternative
                 * signature with the SAPKI key. Success is recorded in
                 * altPeerAuthGood and combined with peerAuthGood in
                 * TLS_ASYNC_FINALIZE. */
                sig += args->sigSz + OPAQUE16_LEN;
            #ifndef NO_RSA
                if ((args->altSigAlgo == rsa_pss_sa_algo) &&
                    (ssl->peerRsaKey != NULL) &&
                    (ssl->peerRsaKeyPresent != 0)) {
                    WOLFSSL_MSG("Doing RSA peer cert alt verify");
                    ret = RsaVerify(ssl, rsaSigBuf->buffer,
                                    (word32)rsaSigBuf->length,
                                    &args->output, args->altSigAlgo,
                                    ssl->options.peerHashAlgo, ssl->peerRsaKey,
                    #ifdef HAVE_PK_CALLBACKS
                                    &ssl->buffers.peerRsaKey
                    #else
                                    NULL
                    #endif
                    );
                    if (ret >= 0) {
                        args->sendSz = ret;
                        ret = 0;
                    }
                }
            #endif /* !NO_RSA */
            #ifdef HAVE_ECC
                if ((args->altSigAlgo == ecc_dsa_sa_algo) &&
                    (ssl->peerEccDsaKeyPresent)) {
                    WOLFSSL_MSG("Doing ECC peer cert alt verify");
                    ret = EccVerify(ssl, sig, args->altSignatureSz,
                                    args->altSigData, args->altSigDataSz,
                                    ssl->peerEccDsaKey,
                    #ifdef HAVE_PK_CALLBACKS
                                    &ssl->buffers.peerEccDsaKey
                    #else
                                    NULL
                    #endif
                    );
                    if (ret >= 0) {
                        args->altPeerAuthGood = 1;
                        FreeKey(ssl, DYNAMIC_TYPE_ECC,
                                (void**)&ssl->peerEccDsaKey);
                        ssl->peerEccDsaKeyPresent = 0;
                    }
                }
            #endif /* HAVE_ECC */
            #if defined(HAVE_FALCON)
                if (((args->altSigAlgo == falcon_level1_sa_algo) ||
                     (args->altSigAlgo == falcon_level5_sa_algo)) &&
                    (ssl->peerFalconKeyPresent)) {
                    int res = 0;
                    WOLFSSL_MSG("Doing Falcon peer cert alt verify");
                    ret = wc_falcon_verify_msg(sig, args->altSignatureSz,
                                               args->altSigData, args->altSigDataSz,
                                               &res, ssl->peerFalconKey);
                    if ((ret >= 0) && (res == 1)) {
                        args->altPeerAuthGood = 1;
                        FreeKey(ssl, DYNAMIC_TYPE_FALCON,
                                (void**)&ssl->peerFalconKey);
                        ssl->peerFalconKeyPresent = 0;
                    }
                    else if ((ret >= 0) && (res == 0)) {
                        WOLFSSL_MSG("Falcon signature verification failed");
                        ret = SIG_VERIFY_E;
                    }
                }
            #endif /* HAVE_FALCON */
            #if defined(HAVE_DILITHIUM) && !defined(WOLFSSL_DILITHIUM_NO_VERIFY)
                if (((args->altSigAlgo == dilithium_level2_sa_algo) ||
                     (args->altSigAlgo == dilithium_level3_sa_algo) ||
                     (args->altSigAlgo == dilithium_level5_sa_algo)) &&
                    (ssl->peerDilithiumKeyPresent)) {
                    int res = 0;
                    WOLFSSL_MSG("Doing Dilithium peer cert alt verify");
                    ret = wc_dilithium_verify_ctx_msg(sig, args->altSignatureSz,
                                                      NULL, 0, args->altSigData,
                                                      args->altSigDataSz, &res,
                                                      ssl->peerDilithiumKey);
                    if ((ret >= 0) && (res == 1)) {
                        args->altPeerAuthGood = 1;
                        FreeKey(ssl, DYNAMIC_TYPE_DILITHIUM,
                                (void**)&ssl->peerDilithiumKey);
                        ssl->peerDilithiumKeyPresent = 0;
                    }
                    else if ((ret >= 0) && (res == 0)) {
                        WOLFSSL_MSG("Dilithium signature verification failed");
                        ret = SIG_VERIFY_E;
                    }
                }
            #endif /* HAVE_DILITHIUM */

                /* Check for error */
                if (ret != 0) {
                    goto exit_dcv;
                }
            }
        #endif /* WOLFSSL_DUAL_ALG_CERTS */

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_VERIFY;
        } /* case TLS_ASYNC_DO */
        FALL_THROUGH;

        case TLS_ASYNC_VERIFY:
        {
        #if !defined(NO_RSA) && defined(WC_RSA_PSS)
            /* RSA-PSS: check the recovered encoded message against the
             * expected one. This is the step that actually authenticates an
             * RSA peer, so peerAuthGood (or altPeerAuthGood when RSA is the
             * alternative algorithm) is only set here. */
            if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
                int sigAlgo = ssl->options.peerSigAlgo;
            #ifdef WOLFSSL_DUAL_ALG_CERTS
                if (ssl->sigSpec != NULL &&
                    *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH &&
                    ssl->options.peerSigAlgo != rsa_pss_sa_algo) {
                    sigAlgo = args->altSigAlgo;
                }
            #endif
                ret = CheckRSASignature(ssl, sigAlgo,
                        ssl->options.peerHashAlgo, args->output, args->sendSz);
                if (ret != 0)
                    goto exit_dcv;

                /* CertificateVerify message verified. */
                ssl->peerRsaKeyPresent = 0;
                FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey);
            #ifdef WOLFSSL_DUAL_ALG_CERTS
                if (ssl->sigSpec != NULL &&
                    *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH &&
                    ssl->options.peerSigAlgo != rsa_pss_sa_algo) {
                    args->altPeerAuthGood = 1;
                }
                else
            #endif
                    ssl->options.peerAuthGood = 1;
            }
        #endif /* !NO_RSA && WC_RSA_PSS */

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_FINALIZE;
        } /* case TLS_ASYNC_VERIFY */
        FALL_THROUGH;

        case TLS_ASYNC_FINALIZE:
        {
        #ifdef WOLFSSL_DUAL_ALG_CERTS
            /* With two signatures, authentication stands only if the
             * alternative signature verified as well. */
            if (ssl->options.peerAuthGood &&
                ssl->sigSpec != NULL &&
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
                ssl->options.peerAuthGood = args->altPeerAuthGood;
            }
        #endif
            ssl->options.havePeerVerify = 1;

            /* Set final index */
            args->idx += args->sz;
            *inOutIdx = args->idx;
            *inOutIdx += ssl->keys.padSz;

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_END;

        #if !defined(NO_WOLFSSL_CLIENT)
            if (ssl->options.side == WOLFSSL_CLIENT_END)
                ssl->options.serverState = SERVER_CERT_VERIFY_COMPLETE;
        #endif
        } /* case TLS_ASYNC_FINALIZE */
        FALL_THROUGH;

        case TLS_ASYNC_END:
        {
            break;
        }

        default:
            ret = INPUT_CASE_ERROR;
    } /* switch(ssl->options.asyncState) */

exit_dcv:

    WOLFSSL_LEAVE("DoTls13CertificateVerify", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_DO);

#ifdef WOLFSSL_ASYNC_CRYPT
    /* Handle async operation */
    if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
        /* Mark message as not received so it can process again */
        ssl->msgsReceived.got_certificate_verify = 0;

        return ret;
    }
    else
#endif /* WOLFSSL_ASYNC_CRYPT */
    if (ret != 0) {
        WOLFSSL_ERROR_VERBOSE(ret);

        /* Any failure of the signature or its framing is reported to the peer
         * as decrypt_error (RFC 8446 4.4.3). INVALID_PARAMETER is the one
         * exception: no alert is sent from here for it. */
        if (ret != WC_NO_ERR_TRACE(INVALID_PARAMETER)) {
            SendAlert(ssl, alert_fatal, decrypt_error);
        }
    }

    /* Final cleanup */
    FreeDcv13Args(ssl, args);
    FreeKeyExchange(ssl);
#ifdef WOLFSSL_ASYNC_IO
    /* Cleanup async */
    FreeAsyncCtx(ssl, 0);
#endif

    return ret;
}
#endif
#endif
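/* Process a received TLS 1.3 Finished message (RFC 8446 4.4.4).
 *
 * The expected verify_data is recomputed as an HMAC over the current
 * transcript hash, keyed with the peer's finished secret, and compared in
 * constant time with the received bytes. A server requiring client
 * authentication first checks that the client's Certificate and
 * CertificateVerify were actually received (unless post-handshake
 * authentication is pending, or the client used PSK under
 * OPENSSL_COMPATIBLE_DEFAULTS).
 *
 * Fixes relative to the previous revision: the result of
 * BuildTls13HandshakeHmac is checked before the computed MAC is copied into
 * ssl->serverFinished/clientFinished (WOLFSSL_HAVE_TLS_UNIQUE), so a failed
 * HMAC no longer exports an undefined mac[] or masks the original error with
 * BUFFER_ERROR; and the input bounds check is written in a form that cannot
 * wrap on addition.
 *
 * ssl       The SSL/TLS object.
 * input     Buffer holding the handshake message.
 * inOutIdx  In: index of the verify_data. Out: index past it and past
 *           ssl->keys.padSz bytes of record padding.
 * size      Length of verify_data from the handshake header.
 * totalSz   Number of bytes available in input.
 * sniff     NO_SNIFF to verify the MAC; any other value (sniffer use) only
 *           derives secrets and updates state.
 * returns 0 on success; NO_PEER_CERT when client auth was required but not
 *         provided; BUFFER_E / BUFFER_ERROR on length problems;
 *         VERIFY_FINISHED_ERROR on MAC mismatch (a fatal decrypt_error alert
 *         is sent); or an error from secret derivation / HMAC.
 */
int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                    word32 size, word32 totalSz, int sniff)
{
    int    ret;
    word32 finishedSz = 0;
    byte*  secret;
    byte   mac[WC_MAX_DIGEST_SIZE];

    WOLFSSL_START(WC_FUNC_FINISHED_DO);
    WOLFSSL_ENTER("DoTls13Finished");

#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
    /* A server that requires client authentication must not accept Finished
     * from a client that skipped Certificate or CertificateVerify. */
    if (ssl->options.side == WOLFSSL_SERVER_END && !ssl->options.resuming &&
            (ssl->options.mutualAuth || ssl->options.failNoCert)) {
    #ifdef OPENSSL_COMPATIBLE_DEFAULTS
        if (ssl->options.isPSK) {
            WOLFSSL_MSG("TLS v1.3 client used PSK but cert required. Allowing "
                        "for OpenSSL compatibility");
        }
        else
    #endif
        if (
        #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
            !ssl->options.verifyPostHandshake &&
        #endif
            (!ssl->options.havePeerCert || !ssl->options.havePeerVerify)) {
            ret = NO_PEER_CERT;
            WOLFSSL_MSG("TLS v1.3 client did not present peer cert");
            DoCertFatalAlert(ssl, ret);
            goto cleanup;
        }
    }
#endif

    /* verify_data must lie within the buffer. Written so that the check
     * cannot wrap: equivalent to "*inOutIdx + size > totalSz" for all
     * non-overflowing values. */
    if (size > totalSz || *inOutIdx > totalSz - size) {
        ret = BUFFER_E;
        goto cleanup;
    }

#if defined(WOLFSSL_RENESAS_TSIP_TLS)
    /* Hardware TSIP handles the message unless it reports it cannot. */
    ret = tsip_Tls13HandleFinished(ssl, input, inOutIdx, size, totalSz);
    if (ret == 0) {
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
        goto cleanup;
    }
    if (ret == WC_NO_ERR_TRACE(VERIFY_FINISHED_ERROR)) {
        SendAlert(ssl, alert_fatal, decrypt_error);
        goto cleanup;
    }
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
        goto cleanup;
    }
    ret = 0;
#endif

    /* Select the finished secret of the side that sent this message:
     * post-handshake (client auth) -> client; during the handshake the
     * client verifies the server's Finished, the server the client's. */
    if (ssl->options.handShakeDone) {
        ret = DeriveFinishedSecret(ssl, ssl->clientSecret,
                                   ssl->keys.client_write_MAC_secret,
                                   WOLFSSL_CLIENT_END);
        if (ret != 0)
            goto cleanup;

        secret = ssl->keys.client_write_MAC_secret;
    }
    else if (ssl->options.side == WOLFSSL_CLIENT_END) {
        ret = DeriveFinishedSecret(ssl, ssl->clientSecret,
                                   ssl->keys.client_write_MAC_secret,
                                   WOLFSSL_CLIENT_END);
        if (ret != 0)
            goto cleanup;

        ret = DeriveFinishedSecret(ssl, ssl->serverSecret,
                                   ssl->keys.server_write_MAC_secret,
                                   WOLFSSL_SERVER_END);
        if (ret != 0)
            goto cleanup;

        secret = ssl->keys.server_write_MAC_secret;
    }
    else {
        /* Server: the client finished secret was derived when the server
         * sent its own Finished. */
        secret = ssl->keys.client_write_MAC_secret;
    }

    if (sniff == NO_SNIFF) {
        ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz);
        /* Do not export or compare a MAC that was not computed. */
        if (ret != 0)
            goto cleanup;
    #ifdef WOLFSSL_HAVE_TLS_UNIQUE
        if (finishedSz > TLS_FINISHED_SZ_MAX) {
            ret = BUFFER_ERROR;
            goto cleanup;
        }
        if (ssl->options.side == WOLFSSL_CLIENT_END) {
            XMEMCPY(ssl->serverFinished, mac, finishedSz);
            ssl->serverFinished_len = (byte)finishedSz;
        }
        else {
            XMEMCPY(ssl->clientFinished, mac, finishedSz);
            ssl->clientFinished_len = (byte)finishedSz;
        }
    #endif /* WOLFSSL_HAVE_TLS_UNIQUE */
        /* The received verify_data must be exactly the HMAC length. */
        if (size != finishedSz) {
            ret = BUFFER_ERROR;
            goto cleanup;
        }
    }

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
    if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo);
#endif

    if (sniff == NO_SNIFF) {
        /* Constant-time comparison: a mismatch must not leak which byte
         * differed. The size guard keeps the compare within mac[]. */
        if (size > WC_MAX_DIGEST_SIZE ||
                ConstantCompare(input + *inOutIdx, mac, size) != 0){
            WOLFSSL_MSG("Verify finished error on hashes");
            SendAlert(ssl, alert_fatal, decrypt_error);
            WOLFSSL_ERROR_VERBOSE(VERIFY_FINISHED_ERROR);
            ret = VERIFY_FINISHED_ERROR;
            goto cleanup;
        }
    }

    /* Force input exhaustion at ProcessReply by consuming padSz. */
    *inOutIdx += size + ssl->keys.padSz;

#ifndef NO_WOLFSSL_SERVER
    /* Server: client Finished verified, switch to application-traffic
     * decryption keys (after the early-data keys, if any, are finished). */
    if (ssl->options.side == WOLFSSL_SERVER_END &&
                                                  !ssl->options.handShakeDone) {
    #ifdef WOLFSSL_EARLY_DATA
        if (ssl->earlyData != no_early_data) {
            if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY, 1)) != 0)
                goto cleanup;
        }
    #endif
        /* Setup keys for application data messages from client. */
        if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
            goto cleanup;
    }
#endif

#ifndef NO_WOLFSSL_CLIENT
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
#endif
#ifndef NO_WOLFSSL_SERVER
    if (ssl->options.side == WOLFSSL_SERVER_END) {
        ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
        ssl->options.handShakeState = HANDSHAKE_DONE;
        ssl->options.handShakeDone  = 1;
    }
#endif

#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_EARLY_DATA)
    if (ssl->options.dtls && ssl->earlyData > early_data_ext) {
        ssl->earlyData = done_early_data;
    }
#endif
#if defined(WOLFSSL_QUIC) && defined(WOLFSSL_EARLY_DATA)
    if (WOLFSSL_IS_QUIC(ssl) && ssl->earlyData > early_data_ext) {
        ssl->earlyData = done_early_data;
    }
#endif

    ret = 0;

cleanup:
    /* The computed verify_data is key-derived material: scrub it. */
    ForceZero(mac, sizeof(mac));

    WOLFSSL_LEAVE("DoTls13Finished", ret);
    WOLFSSL_END(WC_FUNC_FINISHED_DO);

    return ret;
}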
#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)
/* Send the Finished message for this side of the TLS 1.3 handshake.
 *
 * Selects/derives the finished secret for the message being sent, computes
 * the Finished HMAC over the handshake transcript, builds the (D)TLS record
 * and then derives and activates the keys that follow Finished on this side.
 * On the server this is where the master secret and application traffic keys
 * are derived; on the client this is where the client switches to its
 * application sending keys and derives the resumption secret.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, a negative error code on failure. In DTLS the value
 * of dtlsRet from Dtls13HandshakeSend is returned, which may be WANT_WRITE.
 */
static int SendTls13Finished(WOLFSSL* ssl)
{
    byte  finishedSz = ssl->specs.hash_size;  /* Finished body is one HMAC */
    byte* input;
    byte* output;
    int   ret;
    int   headerSz = HANDSHAKE_HEADER_SZ;
    int   outputSz;
    byte* secret;
#ifdef WOLFSSL_DTLS13
    int dtlsRet = 0, isDtls = 0;
#endif

    WOLFSSL_START(WC_FUNC_FINISHED_SEND);
    WOLFSSL_ENTER("SendTls13Finished");

    ssl->options.buildingMsg = 1;
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        headerSz = DTLS_HANDSHAKE_HEADER_SZ;
        isDtls = 1;
    }
#endif

    /* Sized for the larger DTLS handshake header so either transport fits. */
    outputSz = WC_MAX_DIGEST_SIZE + DTLS_HANDSHAKE_HEADER_SZ + MAX_MSG_EXTRA;
    if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
        return ret;

    output = GetOutputBuffer(ssl);
    input = output + RECORD_HEADER_SZ;
#ifdef WOLFSSL_DTLS13
    if (isDtls)
        input = output + Dtls13GetRlHeaderLength(ssl, 1);
#endif

    AddTls13HandShakeHeader(input, (word32)finishedSz, 0, (word32)finishedSz,
                            finished, ssl);

#if defined(WOLFSSL_RENESAS_TSIP_TLS)
    /* Hardware offload: any result other than CRYPTOCB_UNAVAILABLE is final;
     * otherwise fall through to the software path below. */
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        ret = tsip_Tls13SendFinished(ssl, output, outputSz, input, 1);
        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
            return ret;
        }
        ret = 0;
    }
#endif

    /* Choose the finished secret for the message being sent. */
    if (ssl->options.handShakeDone) {
        /* Post-handshake Finished (e.g. after a post-handshake
         * CertificateRequest): keyed from the client secret. */
        ret = DeriveFinishedSecret(ssl, ssl->clientSecret,
                                   ssl->keys.client_write_MAC_secret,
                                   WOLFSSL_CLIENT_END);
        if (ret != 0)
            return ret;

        secret = ssl->keys.client_write_MAC_secret;
    }
    else if (ssl->options.side == WOLFSSL_CLIENT_END)
        /* Client during the handshake: its MAC secret is already derived. */
        secret = ssl->keys.client_write_MAC_secret;
    else {
        /* Server: derive both finished secrets now (the client's is needed
         * later to check the client's Finished); use the server's here. */
        ret = DeriveFinishedSecret(ssl, ssl->clientSecret,
                                   ssl->keys.client_write_MAC_secret,
                                   WOLFSSL_CLIENT_END);
        if (ret != 0)
            return ret;
        ret = DeriveFinishedSecret(ssl, ssl->serverSecret,
                                   ssl->keys.server_write_MAC_secret,
                                   WOLFSSL_SERVER_END);
        if (ret != 0)
            return ret;

        secret = ssl->keys.server_write_MAC_secret;
    }

    /* HMAC over the transcript goes straight into the message body. */
    ret = BuildTls13HandshakeHmac(ssl, secret, &input[headerSz], NULL);
    if (ret != 0)
        return ret;
#ifdef WOLFSSL_HAVE_TLS_UNIQUE
    /* Keep a copy of our own Finished for tls-unique style channel binding. */
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        XMEMCPY(ssl->clientFinished, &input[headerSz], finishedSz);
        ssl->clientFinished_len = finishedSz;
    }
    else {
        XMEMCPY(ssl->serverFinished, &input[headerSz], finishedSz);
        ssl->serverFinished_len = finishedSz;
    }
#endif

#ifdef WOLFSSL_DTLS13
    if (isDtls) {
        /* WANT_WRITE is not fatal here: key derivation below still runs and
         * dtlsRet is handed back to the caller at the end. */
        dtlsRet = Dtls13HandshakeSend(ssl, output, (word16)outputSz,
            (word16)(Dtls13GetRlHeaderLength(ssl, 1) + headerSz + finishedSz),
            finished, 1);
        if (dtlsRet != 0 && dtlsRet != WC_NO_ERR_TRACE(WANT_WRITE))
            return dtlsRet;
    } else
#endif
    {
        /* Encrypt the message into the output buffer. */
        int sendSz = BuildTls13Message(ssl, output, outputSz, input,
                                       headerSz + finishedSz, handshake, 1, 0,
                                       0);
        if (sendSz < 0) {
            WOLFSSL_ERROR_VERBOSE(BUILD_MSG_ERROR);
            return BUILD_MSG_ERROR;
        }

#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
        if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
        if (ssl->toInfoOn) {
            ret = AddPacketInfo(ssl, "Finished", handshake, output, sendSz,
                                WRITE_PROTO, 0, ssl->heap);
            if (ret != 0)
                return ret;
        }
#endif

        ssl->buffers.outputBuffer.length += (word32)sendSz;
        ssl->options.buildingMsg = 0;
    }

    if (ssl->options.side == WOLFSSL_SERVER_END) {
#ifdef WOLFSSL_EARLY_DATA
        /* Last argument to DeriveTls13Keys for the decrypt side: presumably
         * whether the client's traffic keys are stored now. They are held
         * back while early data may still arrive -- confirm against
         * DeriveTls13Keys. */
        byte storeTrafficDecKeys = ssl->earlyData == no_early_data;
#endif
        /* Server's Finished marks the end of key exchange: derive the master
         * secret and scrub the pre-master secret, which is no longer needed. */
        if ((ret = DeriveMasterSecret(ssl)) != 0)
            return ret;
        ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
#ifdef WOLFSSL_EARLY_DATA
#ifdef WOLFSSL_DTLS13
        if (isDtls)
            storeTrafficDecKeys = 1;
#endif
        if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_SIDE_ONLY, 1))
                != 0) {
            return ret;
        }
        if ((ret = DeriveTls13Keys(ssl, traffic_key, DECRYPT_SIDE_ONLY,
                                   storeTrafficDecKeys)) != 0) {
            return ret;
        }
#else
        if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_AND_DECRYPT_SIDE,
                                   1)) != 0) {
            return ret;
        }
#endif
        /* Server sends application data under traffic keys from here on. */
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
            return ret;

#ifdef WOLFSSL_DTLS13
        /* Both directions move to the application traffic epoch. */
        if (isDtls) {
            w64wrapper epochTraffic0;
            epochTraffic0 = w64From32(0, DTLS13_EPOCH_TRAFFIC0);
            ssl->dtls13Epoch = epochTraffic0;
            ssl->dtls13PeerEpoch = epochTraffic0;

            ret = Dtls13SetEpochKeys(
                ssl, epochTraffic0, ENCRYPT_AND_DECRYPT_SIDE);
            if (ret != 0)
                return ret;
        }
#endif
    }

    if (ssl->options.side == WOLFSSL_CLIENT_END &&
                                                  !ssl->options.handShakeDone) {
#ifdef WOLFSSL_EARLY_DATA
        /* With early data the client's sending keys are still the early data
         * keys; derive the real ones before switching. */
        if (ssl->earlyData != no_early_data) {
            if ((ret = DeriveTls13Keys(ssl, no_key, ENCRYPT_SIDE_ONLY,
                                       1)) != 0) {
                return ret;
            }
        }
#endif
        /* Client sends application data under traffic keys from here on. */
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
            return ret;

#if defined(HAVE_SESSION_TICKET)
        /* Transcript now includes the client Finished: derive the secret
         * that NewSessionTicket PSKs are based on. */
        ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret);
        if (ret != 0)
            return ret;
#endif

#ifdef WOLFSSL_DTLS13
        /* Both directions move to the application traffic epoch. */
        if (isDtls) {
            w64wrapper epochTraffic0;
            epochTraffic0 = w64From32(0, DTLS13_EPOCH_TRAFFIC0);
            ssl->dtls13Epoch = epochTraffic0;
            ssl->dtls13PeerEpoch = epochTraffic0;

            ret = Dtls13SetEpochKeys(
                ssl, epochTraffic0, ENCRYPT_AND_DECRYPT_SIDE);
            if (ret != 0)
                return ret;
        }
#endif
    }

#ifndef NO_WOLFSSL_CLIENT
    /* The client's Finished completes the handshake on the client. */
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
        ssl->options.handShakeState = HANDSHAKE_DONE;
        ssl->options.handShakeDone = 1;
    }
#endif
#ifndef NO_WOLFSSL_SERVER
    /* The server still has to receive the client's Finished. */
    if (ssl->options.side == WOLFSSL_SERVER_END) {
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
    }
#endif

#ifdef WOLFSSL_DTLS13
    /* DTLS: the send result (possibly WANT_WRITE) is what the caller sees. */
    if (isDtls) {
        WOLFSSL_LEAVE("SendTls13Finished", ret);
        WOLFSSL_END(WC_FUNC_FINISHED_SEND);
        return dtlsRet;
    }
#endif

    if ((ret = SendBuffered(ssl)) != 0)
        return ret;

    WOLFSSL_LEAVE("SendTls13Finished", ret);
    WOLFSSL_END(WC_FUNC_FINISHED_SEND);

    return ret;
}
#endif
/* Send a KeyUpdate message and, for TLS, rotate our sending traffic keys.
 *
 * The one-byte body tells the peer whether a KeyUpdate is requested in
 * return; it is set only when we are not already waiting on such a response
 * and this message is not itself a response to the peer's request.
 * For DTLS the key switch is not performed here (see the !dtls guard near the
 * end); presumably it happens once the peer acknowledges -- confirm in the
 * DTLS 1.3 code.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise a negative error code. In the TLS path a
 * WANT_WRITE from SendBuffered is tolerated and not reported: the record
 * stays queued in the output buffer and ret is overwritten by the key
 * derivation calls that follow.
 */
int SendTls13KeyUpdate(WOLFSSL* ssl)
{
    byte*  input;
    byte*  output;
    int    ret;
    int    headerSz = HANDSHAKE_HEADER_SZ;
    int    outputSz;
    word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;  /* body byte offset */

    WOLFSSL_START(WC_FUNC_KEY_UPDATE_SEND);
    WOLFSSL_ENTER("SendTls13KeyUpdate");

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls)
        i = Dtls13GetRlHeaderLength(ssl, 1) + DTLS_HANDSHAKE_HEADER_SZ;
#endif

    /* Body is exactly one byte: request_update. */
    outputSz = OPAQUE8_LEN + MAX_MSG_EXTRA;
    if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
        return ret;

    output = GetOutputBuffer(ssl);
    input = output + RECORD_HEADER_SZ;
#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls)
        input = output + Dtls13GetRlHeaderLength(ssl, 1);
#endif

    AddTls13Headers(output, OPAQUE8_LEN, key_update, ssl);

    /* Ask for a KeyUpdate back unless one is already outstanding or we are
     * replying to the peer's request; remember that we asked. */
    ssl->keys.updateResponseReq = output[i++] =
         !ssl->keys.updateResponseReq && !ssl->keys.keyUpdateRespond;
    /* Whatever was pending, this message is the response. */
    ssl->keys.keyUpdateRespond = 0;

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        ret = Dtls13HandshakeSend(ssl, output, (word16)outputSz,
            OPAQUE8_LEN + Dtls13GetRlHeaderLength(ssl, 1) +
                DTLS_HANDSHAKE_HEADER_SZ,
            key_update, 0);
    }
    else
#endif
    {
        /* Encrypt the message into the output buffer and send it. */
        int sendSz = BuildTls13Message(ssl, output, outputSz, input,
                                       headerSz + OPAQUE8_LEN, handshake, 0, 0,
                                       0);
        if (sendSz < 0)
            return BUILD_MSG_ERROR;

#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
        if (ssl->hsInfoOn) AddPacketName(ssl, "KeyUpdate");
        if (ssl->toInfoOn) {
            ret = AddPacketInfo(ssl, "KeyUpdate", handshake, output, sendSz,
                                WRITE_PROTO, 0, ssl->heap);
            if (ret != 0)
                return ret;
        }
#endif

        ssl->buffers.outputBuffer.length += (word32)sendSz;

        /* WANT_WRITE leaves the record queued; keys are still rotated. */
        ret = SendBuffered(ssl);
        if (ret != 0 && ret != WC_NO_ERR_TRACE(WANT_WRITE))
            return ret;
    }

    if (!ssl->options.dtls) {
        /* The KeyUpdate itself went out under the old keys; everything after
         * it is sent under the next generation of sending keys. */
        if ((ret = DeriveTls13Keys(
                 ssl, update_traffic_key, ENCRYPT_SIDE_ONLY, 1))
                != 0)
            return ret;
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
            return ret;
    }

    WOLFSSL_LEAVE("SendTls13KeyUpdate", ret);
    WOLFSSL_END(WC_FUNC_KEY_UPDATE_SEND);

    return ret;
}
/* Handle a KeyUpdate message from the peer.
 *
 * The body must be exactly one byte holding request_update; any other length
 * or value is rejected. The peer's next-generation receive keys are derived
 * and installed before any reply is considered. If the peer asked for a
 * KeyUpdate in return, one is sent (or scheduled, depending on the threading
 * / write-dup configuration).
 *
 * ssl      The SSL/TLS object.
 * input    Buffer holding the handshake message.
 * inOutIdx On entry, index of the message body; on exit, advanced past the
 *          body and the record padding.
 * totalSz  Length of the message body.
 * returns 0 on success, BUFFER_E when the body is not one byte,
 * INVALID_PARAMETER on an unknown request_update value, BAD_MUTEX_E when the
 * write-dup mutex cannot be taken, otherwise an error from key derivation or
 * from sending the reply.
 */
static int DoTls13KeyUpdate(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                            word32 totalSz)
{
    int    ret;
    word32 i = *inOutIdx;

    WOLFSSL_START(WC_FUNC_KEY_UPDATE_DO);
    WOLFSSL_ENTER("DoTls13KeyUpdate");

    /* Body is exactly one byte. */
    if (OPAQUE8_LEN != totalSz)
        return BUFFER_E;

    /* request_update is peer-controlled: accept only the two defined values. */
    switch (input[i]) {
        case update_not_requested:
            /* This clears updateResponseReq: if we asked for an update, this
             * is the peer's response. */
            ssl->keys.keyUpdateRespond = 0;
            ssl->keys.updateResponseReq = 0;
            break;
        case update_requested:
            /* Peer wants a KeyUpdate back. */
            ssl->keys.keyUpdateRespond = 1;
            break;
        default:
            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
            return INVALID_PARAMETER;
    }

    *inOutIdx += totalSz;
    *inOutIdx += ssl->keys.padSz;

    /* Peer's following records are under its new keys: switch our receive
     * keys before doing anything else. */
    if ((ret = DeriveTls13Keys(ssl, update_traffic_key, DECRYPT_SIDE_ONLY, 1))
            != 0) {
        return ret;
    }
    if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
        return ret;

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        /* New receive keys live in the next peer epoch. */
        w64Increment(&ssl->dtls13PeerEpoch);
        ret = Dtls13SetEpochKeys(ssl, ssl->dtls13PeerEpoch, DECRYPT_SIDE_ONLY);
        if (ret != 0)
            return ret;
    }
#endif

    if (ssl->keys.keyUpdateRespond) {
#ifdef WOLFSSL_DTLS13
        /* Our own KeyUpdate is still unacknowledged: do not send another. */
        if (ssl->options.dtls && ssl->dtls13WaitKeyUpdateAck) {
            ssl->keys.keyUpdateRespond = 0;
            return 0;
        }
#endif
#if defined(HAVE_WRITE_DUP) && defined(WOLFSSL_TLS13)
        /* Read-side of a duplicated object: hand the pending response to the
         * write side under its mutex instead of sending from here. */
        if (ssl->dupWrite != NULL && ssl->dupSide == READ_DUP_SIDE) {
            if (wc_LockMutex(&ssl->dupWrite->dupMutex) != 0)
                return BAD_MUTEX_E;
            ssl->dupWrite->keyUpdateRespond = 1;
            wc_UnLockMutex(&ssl->dupWrite->dupMutex);
            ssl->keys.keyUpdateRespond = 0;
            return 0;
        }
#endif
#ifndef WOLFSSL_RW_THREADED
        return SendTls13KeyUpdate(ssl);
#else
        /* Writer thread picks this up; do not send from the reader. */
        ssl->options.sendKeyUpdate = 1;
        return 0;
#endif
    }

    /* ret is 0 here: every failure above returned early. */
    WOLFSSL_LEAVE("DoTls13KeyUpdate", ret);
    WOLFSSL_END(WC_FUNC_KEY_UPDATE_DO);

    return 0;
}
#ifdef WOLFSSL_EARLY_DATA
#ifndef NO_WOLFSSL_CLIENT
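/* Send the EndOfEarlyData message (client only).
 *
 * The message has an empty body. After it is queued the client switches its
 * sending keys (SetKeysSide(ENCRYPT_SIDE_ONLY)) and marks early data as
 * finished, so everything sent afterwards is no longer under the early data
 * keys.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise a negative error code from buffer sizing,
 * message building, the key switch or (unless messages are being grouped)
 * from sending.
 */
static int SendTls13EndOfEarlyData(WOLFSSL* ssl)
{
    byte*  output;
    int    ret;
    int    sendSz;
    word32 length;
    word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;

    WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_SEND);
    WOLFSSL_ENTER("SendTls13EndOfEarlyData");

    length = 0;   /* EndOfEarlyData carries no body */
    sendSz = (int)(idx + length + MAX_MSG_EXTRA);
    ssl->options.buildingMsg = 1;

    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    output = GetOutputBuffer(ssl);

    AddTls13Headers(output, length, end_of_early_data, ssl);

    /* Encrypt the (empty-bodied) handshake message into the output buffer. */
    sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
                               idx - RECORD_HEADER_SZ, handshake, 1, 0, 0);
    if (sendSz < 0)
        return sendSz;

    /* sendSz is non-negative here; cast explicitly as the other senders do. */
    ssl->buffers.outputBuffer.length += (word32)sendSz;

    /* Early data keys are finished with; switch the sending keys now so the
     * queued message is the last thing sent under them. */
    if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
        return ret;

    ssl->options.buildingMsg = 0;
    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    ssl->earlyData = done_early_data;

    WOLFSSL_LEAVE("SendTls13EndOfEarlyData", ret);
    WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_SEND);

    return ret;
}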
#endif
#ifndef NO_WOLFSSL_SERVER
/* Handle an EndOfEarlyData message from the client (server only).
 *
 * The message must have an empty body and is only legal while early data is
 * in progress; otherwise a fatal unexpected_message alert is sent. On success
 * the early data phase is marked done and the server switches its receive
 * keys (SetKeysSide(DECRYPT_SIDE_ONLY)).
 *
 * ssl      The SSL/TLS object.
 * input    Buffer holding the handshake message (unused: the body is empty).
 * inOutIdx On entry, index of the message body; on exit, advanced past the
 *          record padding.
 * size     Length of the message body; must be 0.
 * returns 0 on success, BUFFER_ERROR when size is not 0, OUT_OF_ORDER_E when
 * no early data was in progress, otherwise the result of SetKeysSide.
 */
static int DoTls13EndOfEarlyData(WOLFSSL* ssl, const byte* input,
                                 word32* inOutIdx, word32 size)
{
    int          ret;
    const word32 startIdx = *inOutIdx;

    (void)input;

    WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_DO);
    WOLFSSL_ENTER("DoTls13EndOfEarlyData");

    /* Nothing has been consumed yet, so this requires an empty body. */
    if (size != (*inOutIdx - startIdx))
        return BUFFER_ERROR;

    if (ssl->earlyData != no_early_data) {
        ssl->earlyData = done_early_data;
        *inOutIdx += ssl->keys.padSz;
        /* Client sends under its handshake keys from here on. */
        ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);
    }
    else {
        WOLFSSL_MSG("EndOfEarlyData received unexpectedly");
        SendAlert(ssl, alert_fatal, unexpected_message);
        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
        return OUT_OF_ORDER_E;
    }

    WOLFSSL_LEAVE("DoTls13EndOfEarlyData", ret);
    WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_DO);

    return ret;
}
#endif
#endif
#if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_TICKET_NONCE_MALLOC) && \
(!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))
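/* Store a ticket nonce in the session, in the static buffer when it fits and
 * in a heap allocation otherwise.
 *
 * Any previously allocated dynamic nonce buffer is released first and the
 * pointer reset to the static buffer. A failed allocation therefore leaves
 * the session pointing at valid (static, zero-length) storage rather than at
 * NULL, which is what later readers of ticketNonce.data[0] rely on.
 *
 * session  Session to update; ticketNonce.data and ticketNonce.len are
 *          (re)written.
 * nonce    Nonce bytes to copy; may be NULL only when len is 0.
 * len      Number of nonce bytes.
 * returns 0 on success, MEMORY_ERROR when a dynamic buffer cannot be
 * allocated.
 */
int SessionTicketNoncePopulate(WOLFSSL_SESSION *session, const byte *nonce,
    byte len)
{
    if (session->ticketNonce.data
           != session->ticketNonce.dataStatic) {
        XFREE(session->ticketNonce.data, session->heap,
            DYNAMIC_TYPE_SESSION_TICK);
        session->ticketNonce.data = session->ticketNonce.dataStatic;
        session->ticketNonce.len = 0;
    }

    if (len > MAX_TICKET_NONCE_STATIC_SZ) {
        byte* dynBuf;

        WOLFSSL_MSG("Using dynamic nonce buffer");
        /* Allocate into a temporary so that on failure ticketNonce.data keeps
         * pointing at the static buffer instead of becoming NULL. */
        dynBuf = (byte*)XMALLOC(len, session->heap, DYNAMIC_TYPE_SESSION_TICK);
        if (dynBuf == NULL)
            return MEMORY_ERROR;
        session->ticketNonce.data = dynBuf;
    }

    /* Skip the copy for an empty nonce: memcpy needs a valid source pointer
     * even for a zero length. */
    if (len > 0)
        XMEMCPY(session->ticketNonce.data, nonce, len);
    session->ticketNonce.len = len;

    return 0;
}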
#endif
#ifndef NO_WOLFSSL_CLIENT
/* Handle a NewSessionTicket message from the server (client only).
 *
 * Parses: ticket_lifetime (4), ticket_age_add (4), ticket_nonce (1 + n),
 * ticket (2 + n) and extensions (2 + n). Every field is length-checked
 * against size before it is read, and the total must match size exactly. The
 * parsed values are stored in ssl->session (plus the current cipher suite and
 * named group) and the session is set up / cached.
 *
 * Without HAVE_SESSION_TICKET the message is skipped over.
 *
 * ssl      The SSL/TLS object.
 * input    Buffer holding the handshake message.
 * inOutIdx On entry, index of the message body; on exit, advanced past the
 *          body and the record padding.
 * size     Length of the message body.
 * returns 0 on success, BUFFER_ERROR when a field runs past size or the
 * lengths do not add up, SERVER_HINT_ERROR when the lifetime exceeds
 * MAX_LIFETIME, INVALID_PARAMETER when the nonce does not fit the static
 * buffer in a build without dynamic nonce storage, GETTIME_ERROR when the
 * clock cannot be read, otherwise an error from SetTicket, nonce storage or
 * extension parsing.
 */
static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input,
                                   word32* inOutIdx, word32 size)
{
#ifdef HAVE_SESSION_TICKET
    int    ret;
    word32 begin = *inOutIdx;
    word32 lifetime;
    word32 ageAdd;
    word16 length;
#ifdef WOLFSSL_32BIT_MILLI_TIME
    word32 now;
#else
    sword64 now;
#endif
    const byte* nonce;
    byte        nonceLength;

    WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_DO);
    WOLFSSL_ENTER("DoTls13NewSessionTicket");

    /* ticket_lifetime */
    if ((*inOutIdx - begin) + SESSION_HINT_SZ > size)
        return BUFFER_ERROR;
    ato32(input + *inOutIdx, &lifetime);
    *inOutIdx += SESSION_HINT_SZ;
    /* Server-supplied lifetime is capped; a larger value is a protocol
     * error rather than something to clamp. */
    if (lifetime > MAX_LIFETIME) {
        WOLFSSL_ERROR_VERBOSE(SERVER_HINT_ERROR);
        return SERVER_HINT_ERROR;
    }

    /* ticket_age_add */
    if ((*inOutIdx - begin) + SESSION_ADD_SZ > size)
        return BUFFER_ERROR;
    ato32(input + *inOutIdx, &ageAdd);
    *inOutIdx += SESSION_ADD_SZ;

    /* ticket_nonce length byte */
    if ((*inOutIdx - begin) + 1 > size)
        return BUFFER_ERROR;
    nonceLength = input[*inOutIdx];
#if !defined(WOLFSSL_TICKET_NONCE_MALLOC) && \
    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,3))
    /* Only static nonce storage in this build: reject what will not fit. */
    if (nonceLength > MAX_TICKET_NONCE_STATIC_SZ) {
        WOLFSSL_MSG("Nonce length not supported");
        WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
        return INVALID_PARAMETER;
    }
#endif
    *inOutIdx += 1;
    /* ticket_nonce bytes (only the pointer is kept until storage below) */
    if ((*inOutIdx - begin) + nonceLength > size)
        return BUFFER_ERROR;
    nonce = input + *inOutIdx;
    *inOutIdx += nonceLength;

    /* ticket length and ticket */
    if ((*inOutIdx - begin) + LENGTH_SZ > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &length);
    *inOutIdx += LENGTH_SZ;
    if ((*inOutIdx - begin) + length > size)
        return BUFFER_ERROR;
    if ((ret = SetTicket(ssl, input + *inOutIdx, length)) != 0)
        return ret;
    *inOutIdx += length;

    /* Receipt time is needed later to compute obfuscated ticket age. */
    now = TimeNowInMilliseconds();
    if (now == 0)
        return GETTIME_ERROR;
    ssl->timeout = lifetime;
    ssl->session->timeout = lifetime;
    ssl->session->cipherSuite0 = ssl->options.cipherSuite0;
    ssl->session->cipherSuite = ssl->options.cipherSuite;
    ssl->session->ticketSeen = now;
    ssl->session->ticketAdd = ageAdd;
    #ifdef WOLFSSL_EARLY_DATA
    ssl->session->maxEarlyDataSz = ssl->options.maxEarlyDataSz;
    #endif

#if defined(WOLFSSL_TICKET_NONCE_MALLOC) && \
    (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))
    ret = SessionTicketNoncePopulate(ssl->session, nonce, nonceLength);
    if (ret != 0)
        return ret;
#else
    /* Static storage only. The length is written before the range check;
     * this check also covers configurations where the one at the nonce
     * length read above was compiled out. */
    ssl->session->ticketNonce.len = nonceLength;
    if (nonceLength > MAX_TICKET_NONCE_STATIC_SZ) {
        ret = BUFFER_ERROR;
        return ret;
    }
    if (nonceLength > 0)
        XMEMCPY(ssl->session->ticketNonce.data, nonce, nonceLength);
#endif
    ssl->session->namedGroup = ssl->namedGroup;

    /* extensions */
    if ((*inOutIdx - begin) + EXTS_SZ > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &length);
    *inOutIdx += EXTS_SZ;
    /* Extensions must consume exactly the remainder of the message. */
    if ((*inOutIdx - begin) + length != size)
        return BUFFER_ERROR;
    #ifdef WOLFSSL_EARLY_DATA
    /* Only the early_data extension is meaningful here (max early data). */
    ret = TLSX_Parse(ssl, (byte *)input + (*inOutIdx), length, session_ticket,
                     NULL);
    if (ret != 0)
        return ret;
    #endif
    *inOutIdx += length;

    SetupSession(ssl);
    #ifndef NO_SESSION_CACHE
    AddSession(ssl);
    #endif

    *inOutIdx += ssl->keys.padSz;

    ssl->expect_session_ticket = 0;
#else
    /* No ticket support: consume the message without inspecting it. */
    (void)ssl;
    (void)input;

    WOLFSSL_ENTER("DoTls13NewSessionTicket");

    *inOutIdx += size + ssl->keys.padSz;
#endif /* HAVE_SESSION_TICKET */

    WOLFSSL_LEAVE("DoTls13NewSessionTicket", 0);
    WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_DO);

    return 0;
}
#endif
#ifndef NO_WOLFSSL_SERVER
#ifdef HAVE_SESSION_TICKET
#ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
#define FINISHED_MSG_SIZE_OFFSET 3
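/* Compute the resumption secret before the client's Finished has arrived.
 *
 * Used when a NewSessionTicket is sent ahead of the client's Finished. The
 * handshake hash is copied, the client's expected Finished (and, with early
 * data, the EndOfEarlyData message) is hashed into the live transcript, the
 * resumption secret is derived, and the saved hash is then restored so that
 * later processing of the real Finished sees the untouched transcript.
 *
 * An error from the derivation path takes precedence over an error from the
 * restore: previously the restore's copy result overwrote ret and could mask
 * a failed HashRaw/DeriveResumptionSecret.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise a negative error code from the hash copy,
 * HMAC, hashing or key derivation.
 */
static int ExpectedResumptionSecret(WOLFSSL* ssl)
{
    int    ret = 0;
    int    restoreRet = 0;
    word32 finishedSz = 0;
    byte   mac[WC_MAX_DIGEST_SIZE];
    Digest digest;
    /* Handshake header of a Finished message; length byte patched below. */
    byte   header[] = { 0x14, 0x00, 0x00, 0x00 };

    XMEMSET(&digest, 0, sizeof(Digest));

    /* Save the current transcript hash so it can be put back afterwards. */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            ret = wc_Sha256Copy(&ssl->hsHashes->hashSha256, &digest.sha256);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_Sha384Copy(&ssl->hsHashes->hashSha384, &digest.sha384);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            ret = wc_Sha512Copy(&ssl->hsHashes->hashSha512, &digest.sha512);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_SM3
        case sm3_mac:
            ret = wc_Sm3Copy(&ssl->hsHashes->hashSm3, &digest.sm3);
            if (ret != 0)
                return ret;
            break;
    #endif
    }

    /* The client's Finished HMAC, computed with the client finished secret. */
    ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, mac,
                                  &finishedSz);
    if (ret != 0)
        goto restore;
    /* finishedSz is a digest size, so it fits the 8-bit length slot used. */
    header[FINISHED_MSG_SIZE_OFFSET] = (byte)finishedSz;

#ifdef WOLFSSL_EARLY_DATA
    /* With early data the client sends EndOfEarlyData before Finished, so it
     * is part of the transcript too. */
    if (ssl->earlyData != no_early_data) {
        static byte endOfEarlyData[] = { 0x05, 0x00, 0x00, 0x00 };
        ret = HashRaw(ssl, endOfEarlyData, sizeof(endOfEarlyData));
        if (ret != 0)
            goto restore;
    }
#endif

    /* Hash the expected Finished message (header + HMAC) into the transcript
     * and derive the resumption secret from the result. */
    if ((ret = HashRaw(ssl, header, sizeof(header))) != 0)
        goto restore;
    if ((ret = HashRaw(ssl, mac, finishedSz)) != 0)
        goto restore;
    if ((ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret)) != 0)
        goto restore;

restore:
    /* Put the saved transcript hash back in place of the modified one. */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            wc_Sha256Free(&ssl->hsHashes->hashSha256);
            restoreRet = wc_Sha256Copy(&digest.sha256,
                                       &ssl->hsHashes->hashSha256);
            wc_Sha256Free(&digest.sha256);
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            wc_Sha384Free(&ssl->hsHashes->hashSha384);
            restoreRet = wc_Sha384Copy(&digest.sha384,
                                       &ssl->hsHashes->hashSha384);
            wc_Sha384Free(&digest.sha384);
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            wc_Sha512Free(&ssl->hsHashes->hashSha512);
            restoreRet = wc_Sha512Copy(&digest.sha512,
                                       &ssl->hsHashes->hashSha512);
            wc_Sha512Free(&digest.sha512);
            break;
    #endif
    #ifdef WOLFSSL_SM3
        case sm3_mac:
            wc_Sm3Free(&ssl->hsHashes->hashSm3);
            restoreRet = wc_Sm3Copy(&digest.sm3, &ssl->hsHashes->hashSm3);
            wc_Sm3Free(&digest.sm3);
            break;
    #endif
    }

    /* Report the first failure: a derivation error wins over a restore
     * error, and a restore error is reported when derivation succeeded. */
    if (ret == 0)
        ret = restoreRet;

    /* The expected Finished value is key material; scrub it. */
    ForceZero(mac, sizeof(mac));

    return ret;
}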
#endif
/* Send a NewSessionTicket message (server only).
 *
 * Bumps the per-session ticket nonce, builds (or, with WOLFSSL_OP_NO_TICKET,
 * substitutes a random alternative session ID for) the ticket, writes
 * ticket_lifetime, ticket_age_add, ticket_nonce, ticket and extensions into
 * the output buffer, records the session and sends the message.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, SESSION_TICKET_NONCE_OVERFLOW when the one-byte
 * nonce counter is exhausted, BAD_FUNC_ARG when no alternative session ID is
 * available in the no-ticket mode, BAD_LENGTH_E when the message exceeds the
 * 16-bit length limit, otherwise a negative error code from ticket creation,
 * extension handling, message building or sending.
 */
static int SendTls13NewSessionTicket(WOLFSSL* ssl)
{
    byte*  output;
    int    ret;
    word32 length;
    int    sendSz;
    word16 extSz;
    word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;

    WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_SEND);
    WOLFSSL_ENTER("SendTls13NewSessionTicket");

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls)
        idx = Dtls13GetRlHeaderLength(ssl, 1) + DTLS_HANDSHAKE_HEADER_SZ;
#endif

#ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
    /* Ticket goes out before the client's Finished: the resumption secret it
     * depends on has to be computed from the expected transcript. */
    if (!ssl->msgsReceived.got_finished) {
        if ((ret = ExpectedResumptionSecret(ssl)) != 0)
            return ret;
    }
#endif

    /* One-byte nonce counter, unique per ticket issued on this session.
     * Reusing a nonce would make two tickets resolve to the same PSK, so the
     * counter is refused rather than wrapped once it reaches 255. */
    if (ssl->session->ticketNonce.len == 0) {
        ssl->session->ticketNonce.len = DEF_TICKET_NONCE_SZ;
        ssl->session->ticketNonce.data[0] = 0;
    }
    else
    #ifdef WOLFSSL_ASYNC_CRYPT
        /* Don't bump the counter again when resuming after WC_PENDING_E. */
        if (ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E))
    #endif
    {
            if (ssl->session->ticketNonce.data[0] == 255) {
                return SESSION_TICKET_NONCE_OVERFLOW;
            }
            else
                ssl->session->ticketNonce.data[0]++;
    }

    /* No-ticket mode: a random ID stands in for the ticket and keys the
     * server-side session cache instead. */
    if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0) {
        ret = wc_RNG_GenerateBlock(ssl->rng, ssl->session->altSessionID,
                                   ID_LEN);
        if (ret != 0)
            return ret;
        ssl->session->haveAltSessionID = 1;
    }

    if (!ssl->options.noTicketTls13) {
        if ((ret = SetupTicket(ssl)) != 0)
            return ret;
        /* No need to create the ticket if we are only using the alt. ID */
        if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) == 0) {
            if ((ret = CreateTicket(ssl)) != 0)
                return ret;
        }
    }

#ifdef WOLFSSL_EARLY_DATA
    /* Advertise the early data limit for this ticket via the extension. */
    ssl->session->maxEarlyDataSz = ssl->options.maxEarlyDataSz;
    if (ssl->session->maxEarlyDataSz > 0)
        TLSX_EarlyData_Use(ssl, ssl->session->maxEarlyDataSz, 1);
    extSz = 0;
    ret = TLSX_GetResponseSize(ssl, session_ticket, &extSz);
    if (ret != 0)
        return ret;
#else
    extSz = EXTS_SZ;
#endif

    /* Lifetime | Age Add | Ticket session ID | Extensions (nonce after) */
    length = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ;
    if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0)
        length += ID_LEN + extSz;
    else
        length += ssl->session->ticketLen + extSz;
    /* Nonce length and the single nonce byte written below. This assumes
     * ticketNonce.len == DEF_TICKET_NONCE_SZ at this point -- confirm. */
    length += TICKET_NONCE_LEN_SZ + DEF_TICKET_NONCE_SZ;
    sendSz = (int)(idx + length + MAX_MSG_EXTRA);

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = GetOutputBuffer(ssl);

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, length, session_ticket, ssl);

    /* Lifetime hint */
    c32toa(ssl->ctx->ticketHint, output + idx);
    idx += SESSION_HINT_SZ;
    /* Age add */
    c32toa(ssl->session->ticketAdd, output + idx);
    idx += SESSION_ADD_SZ;

    /* Ticket nonce */
    output[idx++] = ssl->session->ticketNonce.len;
    output[idx++] = ssl->session->ticketNonce.data[0];

    /* length */
    if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0) {
        c16toa(ID_LEN, output + idx);
    }
    else {
        c16toa(ssl->session->ticketLen, output + idx);
    }
    idx += LENGTH_SZ;
    /* ticket */
    if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0) {
        if (ssl->session->haveAltSessionID)
            XMEMCPY(output + idx, ssl->session->altSessionID, ID_LEN);
        else
            return BAD_FUNC_ARG; /* Should not happen */
        idx += ID_LEN;
    }
    else {
        XMEMCPY(output + idx, ssl->session->ticket, ssl->session->ticketLen);
        idx += ssl->session->ticketLen;
    }

#ifdef WOLFSSL_EARLY_DATA
    extSz = 0;
    ret = TLSX_WriteResponse(ssl, output + idx, session_ticket, &extSz);
    if (ret != 0)
        return ret;
    idx += extSz;
#else
    /* No extension support - empty extensions. */
    c16toa(0, output + idx);
    idx += EXTS_SZ;
#endif

    /* Bytes above were written into space sized by CheckAvailableSize; this
     * guards the 16-bit record/handshake length fields. */
    if (idx > WOLFSSL_MAX_16BIT ||
            sendSz > (int)WOLFSSL_MAX_16BIT) {
        return BAD_LENGTH_E;
    }

    ssl->options.haveSessionId = 1;

    SetupSession(ssl);
    /* Only add the session to cache when it has an ID to look it up by. */
#if !defined(NO_SESSION_CACHE) && defined(WOLFSSL_TICKET_HAVE_ID)
    AddSession(ssl);
#endif

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls)
        return Dtls13HandshakeSend(ssl, output, (word16)sendSz,
                                   (word16)idx, session_ticket, 0);
#endif

    /* This message is always encrypted. */
    sendSz = BuildTls13Message(ssl, output, sendSz,
                               output + RECORD_HEADER_SZ,
                               (word16)idx - RECORD_HEADER_SZ,
                               handshake, 0, 0, 0);
    if (sendSz < 0)
        return sendSz;

    ssl->buffers.outputBuffer.length += sendSz;

    ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13NewSessionTicket", 0);
    WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_SEND);

    return ret;
}
#endif
#endif
/* Check that a handshake message of the given type may be received now.
 *
 * Enforces the TLS 1.3 message ordering: for each type it checks the side
 * that is allowed to receive it, the handshake state the peer must be in,
 * PSK/certificate consistency, and whether the message has already been
 * seen. The msgsReceived flag for the type is set on success, so a
 * subsequent duplicate is rejected.
 *
 * ssl   The SSL/TLS object.
 * type  Handshake message type.
 * returns 0 when the message is acceptable; SIDE_ERROR for the wrong side,
 * OUT_OF_ORDER_E for bad ordering, DUPLICATE_MSG_E for a repeat,
 * SANITY_MSG_E for a message inconsistent with the negotiated mode (or an
 * unknown type), VERSION_ERROR for a HelloVerifyRequest without a DTLS 1.2
 * downgrade allowed.
 */
static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type)
{
    switch (type) {

#ifndef NO_WOLFSSL_SERVER
        /* Server only; a second ClientHello is legal solely in reply to a
         * HelloRetryRequest, and never a third. */
        case client_hello:
        #ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
                WOLFSSL_MSG("ClientHello received by client");
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
                return SIDE_ERROR;
            }
        #endif
            if (ssl->options.clientState >= CLIENT_HELLO_COMPLETE) {
                WOLFSSL_MSG("ClientHello received out of order");
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                return OUT_OF_ORDER_E;
            }
            if (ssl->msgsReceived.got_client_hello == 2) {
                WOLFSSL_MSG("Too many ClientHello received");
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                return DUPLICATE_MSG_E;
            }
            if (ssl->msgsReceived.got_client_hello == 1 &&
                ssl->options.serverState !=
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
                WOLFSSL_MSG("Duplicate ClientHello received");
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_client_hello++;

            break;
#endif

#ifndef NO_WOLFSSL_CLIENT
        /* Client only; must precede any other server message. */
        case server_hello:
        #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("ServerHello received by server");
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
                return SIDE_ERROR;
            }
        #endif
            if (ssl->options.serverState >= SERVER_HELLO_COMPLETE) {
                WOLFSSL_MSG("ServerHello received out of order");
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                return OUT_OF_ORDER_E;
            }
            if (ssl->msgsReceived.got_server_hello) {
                WOLFSSL_MSG("Duplicate ServerHello received");
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_server_hello = 1;

            break;
#endif

#ifndef NO_WOLFSSL_CLIENT
        /* Client only, post-handshake. Multiple tickets are allowed, so no
         * duplicate check here. */
        case session_ticket:
        #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("NewSessionTicket received by server");
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
                return SIDE_ERROR;
            }
        #endif
        #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
            /* Server may send the ticket right after its own Finished. */
            if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                WOLFSSL_MSG("NewSessionTicket received out of order");
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                return OUT_OF_ORDER_E;
            }
        #else
            /* Otherwise only after we have sent our Finished. */
            if (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) {
                WOLFSSL_MSG("NewSessionTicket received out of order");
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                return OUT_OF_ORDER_E;
            }
        #endif
            ssl->msgsReceived.got_session_ticket = 1;

            break;
#endif

#ifndef NO_WOLFSSL_SERVER
    #ifdef WOLFSSL_EARLY_DATA
        /* Server only; between the server's Finished and the client's. */
        case end_of_early_data:
        #ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
                WOLFSSL_MSG("EndOfEarlyData received by client");
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
                return SIDE_ERROR;
            }
        #endif
            if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                WOLFSSL_MSG("EndOfEarlyData received out of order");
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                return OUT_OF_ORDER_E;
            }
            if (ssl->options.clientState >= CLIENT_FINISHED_COMPLETE) {
                WOLFSSL_MSG("EndOfEarlyData received out of order");
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                return OUT_OF_ORDER_E;
            }
            if (ssl->msgsReceived.got_end_of_early_data) {
                WOLFSSL_MSG("Too many EndOfEarlyData received");
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_end_of_early_data = 1;

            break;
    #endif
#endif

#ifndef NO_WOLFSSL_CLIENT
        /* Client only; immediately after ServerHello. */
        case encrypted_extensions:
        #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("EncryptedExtensions received by server");
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
                return SIDE_ERROR;
            }
        #endif
            if (ssl->options.serverState != SERVER_HELLO_COMPLETE) {
                WOLFSSL_MSG("EncryptedExtensions received out of order");
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                return OUT_OF_ORDER_E;
            }
            if (ssl->msgsReceived.got_encrypted_extensions) {
                WOLFSSL_MSG("Duplicate EncryptedExtensions received");
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_encrypted_extensions = 1;

            break;
#endif

        /* Either side. Client: after EncryptedExtensions and never when a
         * PSK was negotiated. Server: the client's certificate, after the
         * server's Finished. */
        case certificate:
        #ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END &&
                ssl->options.serverState !=
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
                WOLFSSL_MSG("Certificate received out of order - Client");
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                return OUT_OF_ORDER_E;
            }
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            if (ssl->options.side == WOLFSSL_CLIENT_END &&
                ssl->options.serverState == SERVER_CERT_COMPLETE &&
                ssl->options.pskNegotiated) {
                WOLFSSL_MSG("Certificate received while using PSK");
                WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
                return SANITY_MSG_E;
            }
            #endif
        #endif
        #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END &&
                ssl->options.clientState != CLIENT_HELLO_COMPLETE &&
                ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                WOLFSSL_MSG("Certificate received out of order - Server");
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                return OUT_OF_ORDER_E;
            }
        #endif
            if (ssl->msgsReceived.got_certificate) {
                WOLFSSL_MSG("Duplicate Certificate received");
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_certificate = 1;

            break;

#ifndef NO_WOLFSSL_CLIENT
        /* Client only; during the handshake after EncryptedExtensions, or
         * (post-handshake auth) any time after both Finished. Never with
         * PSK. */
        case certificate_request:
        #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("CertificateRequest received by server");
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
                return SIDE_ERROR;
            }
        #endif
        #ifndef WOLFSSL_POST_HANDSHAKE_AUTH
            if (ssl->options.serverState !=
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
                WOLFSSL_MSG("CertificateRequest received out of order");
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                return OUT_OF_ORDER_E;
            }
        #else
            if (ssl->options.serverState !=
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE &&
                       (ssl->options.serverState < SERVER_FINISHED_COMPLETE ||
                        ssl->options.clientState != CLIENT_FINISHED_COMPLETE)) {
                WOLFSSL_MSG("CertificateRequest received out of order");
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                return OUT_OF_ORDER_E;
            }
        #endif
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            if (ssl->options.pskNegotiated) {
                WOLFSSL_MSG("CertificateRequest received while using PSK");
                WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
                return SANITY_MSG_E;
            }
        #endif
        #ifndef WOLFSSL_POST_HANDSHAKE_AUTH
            if (ssl->msgsReceived.got_certificate_request) {
                WOLFSSL_MSG("Duplicate CertificateRequest received");
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                return DUPLICATE_MSG_E;
            }
        #else
            /* Repeats are legitimate once the handshake is complete. */
            if (ssl->msgsReceived.got_certificate_request &&
                ssl->options.clientState != CLIENT_FINISHED_COMPLETE) {
                WOLFSSL_MSG("Duplicate CertificateRequest received");
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                return DUPLICATE_MSG_E;
            }
        #endif
            ssl->msgsReceived.got_certificate_request = 1;

            break;
#endif

        /* Either side; only directly after a Certificate, never with PSK. */
        case certificate_verify:
        #ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
                if (ssl->options.serverState != SERVER_CERT_COMPLETE) {
                    WOLFSSL_MSG("No Cert before CertVerify");
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                    return OUT_OF_ORDER_E;
                }
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                if (ssl->options.pskNegotiated) {
                    WOLFSSL_MSG("CertificateVerify received while using PSK");
                    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
                    return SANITY_MSG_E;
                }
            #endif
            }
        #endif
        #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                    WOLFSSL_MSG("CertificateVerify received out of order");
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                    return OUT_OF_ORDER_E;
                }
                if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                    WOLFSSL_MSG("CertificateVerify before ClientHello done");
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                    return OUT_OF_ORDER_E;
                }
                if (!ssl->msgsReceived.got_certificate) {
                    WOLFSSL_MSG("No Cert before CertificateVerify");
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                    return OUT_OF_ORDER_E;
                }
            }
        #endif
            if (ssl->msgsReceived.got_certificate_verify) {
                WOLFSSL_MSG("Duplicate CertificateVerify received");
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_certificate_verify = 1;

            break;

        /* Either side. Besides ordering, this is where "authentication
         * actually happened" is enforced: when the peer was required to
         * authenticate, a Certificate and a matching CertificateVerify must
         * have been seen before Finished is accepted. */
        case finished:
        #ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
                if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                    WOLFSSL_MSG("Finished received out of order - clientState");
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                    return OUT_OF_ORDER_E;
                }
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                /* PSK: no certificate flight, so straight after
                 * EncryptedExtensions. */
                if (ssl->options.pskNegotiated) {
                    if (ssl->options.serverState !=
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
                        WOLFSSL_MSG("Finished received out of order - PSK");
                        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                        return OUT_OF_ORDER_E;
                    }
                }
                else
            #endif
                if (ssl->options.serverState != SERVER_CERT_VERIFY_COMPLETE) {
                    WOLFSSL_MSG("Finished received out of order - serverState");
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                    return OUT_OF_ORDER_E;
                }
            }
        #endif
        #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                    WOLFSSL_MSG("Finished received out of order - serverState");
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                    return OUT_OF_ORDER_E;
                }
                if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                    WOLFSSL_MSG("Finished received out of order - clientState");
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                    return OUT_OF_ORDER_E;
                }
            #ifdef WOLFSSL_EARLY_DATA
                /* In TLS, early data must be closed by EndOfEarlyData before
                 * the client's Finished; DTLS and QUIC have no such message. */
                if (ssl->earlyData == process_early_data &&
                    /* early data may be lost when using DTLS */
                    !ssl->options.dtls
                    /* QUIC does not use EndOfEarlyData messages */
                    && !WOLFSSL_IS_QUIC(ssl)) {
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                    return OUT_OF_ORDER_E;
                }
            #endif
            }
        #endif
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            if (!ssl->options.pskNegotiated)
        #endif
            {
                /* Peer verification required but no Certificate seen. */
                if (ssl->options.verifyPeer &&
                #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
                    !ssl->options.verifyPostHandshake &&
                #endif
                    !ssl->msgsReceived.got_certificate) {
                    WOLFSSL_MSG("Finished received out of order - "
                                "missing Certificate message");
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                    return OUT_OF_ORDER_E;
                }
                /* Mutual auth (or client-side verification) but the
                 * Certificate carried no usable peer certificate. */
                if ((ssl->options.mutualAuth ||
                    (ssl->options.side == WOLFSSL_CLIENT_END &&
                     ssl->options.verifyPeer)) && !ssl->options.havePeerCert) {
                    WOLFSSL_MSG("Finished received out of order - "
                                "no valid certificate");
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                    return OUT_OF_ORDER_E;
                }
                /* A certificate without proof of possession is not
                 * authentication: CertificateVerify must have been seen. */
                if ((ssl->options.mutualAuth || ssl->options.verifyPeer) &&
                    ssl->options.havePeerCert && !ssl->options.havePeerVerify) {
                    WOLFSSL_MSG("Finished received out of order - "
                                "Certificate message but no CertificateVerify");
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                    return OUT_OF_ORDER_E;
                }
            }
            if (ssl->msgsReceived.got_finished) {
                WOLFSSL_MSG("Duplicate Finished received");
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_finished = 1;

            break;

        /* Either side, post-handshake only. Repeats are allowed, so no flag
         * is recorded. */
        case key_update:
            if (!ssl->msgsReceived.got_finished) {
                WOLFSSL_MSG("No KeyUpdate before Finished");
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                return OUT_OF_ORDER_E;
            }
            break;

#if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12)
        /* DTLS 1.2 downgrade path: a client that sent ClientHello and has
         * not yet seen a ServerHello/HelloRetryRequest may get a cookie
         * challenge, but only if downgrading to DTLS 1.2 is permitted. */
        case hello_verify_request:
            if (!ssl->options.dtls) {
                WOLFSSL_MSG("HelloVerifyRequest when not in DTLS");
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                return OUT_OF_ORDER_E;
            }
            if (ssl->msgsReceived.got_hello_verify_request) {
                WOLFSSL_MSG("Duplicate HelloVerifyRequest received");
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_hello_verify_request = 1;
            if (ssl->msgsReceived.got_hello_retry_request) {
                WOLFSSL_MSG(
                    "Both HelloVerifyRequest and HelloRetryRequest received");
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                return DUPLICATE_MSG_E;
            }
            if (ssl->options.serverState >=
                    SERVER_HELLO_RETRY_REQUEST_COMPLETE ||
                    ssl->options.connectState != CLIENT_HELLO_SENT) {
                WOLFSSL_MSG("HelloVerifyRequest received out of order");
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                return OUT_OF_ORDER_E;
            }
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("HelloVerifyRequest received on the server");
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
                return SIDE_ERROR;
            }
            if (!ssl->options.downgrade ||
                    ssl->options.minDowngrade < DTLSv1_2_MINOR) {
                WOLFSSL_MSG(
                    "HelloVerifyRequest received but not DTLSv1.2 allowed");
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
                return VERSION_ERROR;
            }
            break;
#endif

        default:
            WOLFSSL_MSG("Unknown message type");
            WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
            return SANITY_MSG_E;
    }

    return 0;
}
/* Process one received TLS v1.3 handshake message of a known type.
 *
 * The message body starts at input[*inOutIdx] and is size bytes long;
 * totalSz is the number of bytes that may be read from input. The message
 * is first checked for ordering and duplication (SanityCheckTls13MsgReceived)
 * and a fatal alert is sent if that fails. It is then dispatched to the
 * handler for its type, added to the transcript hash (ClientHello,
 * NewSessionTicket and KeyUpdate are skipped here - presumably their handlers
 * hash what is needed; confirm), and any resulting error is translated into
 * a fatal alert. Finally the key schedule is advanced for the messages that
 * complete a stage: on the client after ServerHello (handshake keys) and
 * after Finished (master secret and traffic keys); on the server after
 * Finished the resumption secret is derived when session tickets are built.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry the index of the message body; on return advanced past
 *           the message, or rewound to the handshake header when an
 *           asynchronous operation is still pending.
 * type      Handshake message type.
 * size      Length of the message body.
 * totalSz   Number of bytes in input that may be read.
 * returns 0 on success and a negative error code otherwise.
 */
int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
    byte type, word32 size, word32 totalSz)
{
    int ret = 0, tmp;
    word32 inIdx = *inOutIdx;   /* start of the body, kept for HashInput */
    int alertType;
#if defined(HAVE_ECH) && !defined(NO_WOLFSSL_SERVER)
    TLSX* echX = NULL;
    word32 echInOutIdx;         /* start of the outer ClientHello */
#endif

    (void)totalSz;

    WOLFSSL_ENTER("DoTls13HandShakeMsgType");

    /* The body must lie entirely within the available input.
     * NOTE(review): the word32 addition itself could wrap for a huge size;
     * this relies on the header parser having bounded size - confirm. */
    if (*inOutIdx + size > totalSz)
        return INCOMPLETE_DATA;

    /* Ordering / duplicate checks. A version problem gets its own alert,
     * everything else is reported as an unexpected message. */
    if ((ret = SanityCheckTls13MsgReceived(ssl, type)) != 0) {
        WOLFSSL_MSG("Sanity Check on handshake message type received failed");
        if (ret == WC_NO_ERR_TRACE(VERSION_ERROR))
            SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
        else
            SendAlert(ssl, alert_fatal, unexpected_message);
        return ret;
    }

#if defined(WOLFSSL_CALLBACKS)
    /* Record the message (header included) for the packet-info callbacks. */
    if (ssl->toInfoOn) {
        ret = AddPacketInfo(ssl, 0, handshake, input + *inOutIdx -
            HANDSHAKE_HEADER_SZ, size + HANDSHAKE_HEADER_SZ, READ_PROTO,
            RECORD_HEADER_SZ, ssl->heap);
        if (ret != 0)
            return ret;
        AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
    }
#endif

    /* Once the handshake is complete only post-handshake messages are
     * acceptable. */
    if (ssl->options.handShakeState == HANDSHAKE_DONE &&
            type != session_ticket && type != certificate_request &&
            type != certificate && type != key_update && type != finished) {
        WOLFSSL_MSG("HandShake message after handshake complete");
        SendAlert(ssl, alert_fatal, unexpected_message);
        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
        return OUT_OF_ORDER_E;
    }

    /* A client's first message from the server must be a ServerHello or
     * HelloRetryRequest (DTLS may also see a HelloVerifyRequest). */
    if (ssl->options.side == WOLFSSL_CLIENT_END &&
            ssl->options.serverState == NULL_STATE &&
            type != server_hello && type != hello_retry_request
#if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12)
            && (!ssl->options.dtls || type != hello_verify_request)
#endif
            ) {
        WOLFSSL_MSG("First server message not server hello");
        SendAlert(ssl, alert_fatal, unexpected_message);
        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
        return OUT_OF_ORDER_E;
    }

    /* A server's first message from the client must be a ClientHello. */
    if (ssl->options.side == WOLFSSL_SERVER_END &&
            ssl->options.clientState == NULL_STATE && type != client_hello) {
        WOLFSSL_MSG("First client message not client hello");
        SendAlert(ssl, alert_fatal, unexpected_message);
        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
        return OUT_OF_ORDER_E;
    }

    switch (type) {
#ifndef NO_WOLFSSL_CLIENT
    case server_hello:
        WOLFSSL_MSG("processing server hello");
        ret = DoTls13ServerHello(ssl, input, inOutIdx, size, &type);
#if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
    ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
     (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
        /* Raw handshake messages were being cached for EdDSA client
         * authentication (presumably only TLS 1.2 needs the full messages).
         * When resuming, or when the negotiated version is not TLS 1.2,
         * the cache is not needed: wipe it before releasing it. */
        if (ssl->options.resuming || !IsAtLeastTLSv1_2(ssl) ||
                IsAtLeastTLSv1_3(ssl->version)) {
            ssl->options.cacheMessages = 0;
            if ((ssl->hsHashes != NULL) && (ssl->hsHashes->messages != NULL)) {
                ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length);
                XFREE(ssl->hsHashes->messages, ssl->heap, DYNAMIC_TYPE_HASHES);
                ssl->hsHashes->messages = NULL;
            }
        }
#endif
        break;

    case encrypted_extensions:
        WOLFSSL_MSG("processing encrypted extensions");
        ret = DoTls13EncryptedExtensions(ssl, input, inOutIdx, size);
        break;

#ifndef NO_CERTS
    case certificate_request:
        WOLFSSL_MSG("processing certificate request");
        ret = DoTls13CertificateRequest(ssl, input, inOutIdx, size);
        break;
#endif

    case session_ticket:
        WOLFSSL_MSG("processing new session ticket");
        ret = DoTls13NewSessionTicket(ssl, input, inOutIdx, size);
        break;
#endif /* !NO_WOLFSSL_CLIENT */

#ifndef NO_WOLFSSL_SERVER
    case client_hello:
        WOLFSSL_MSG("processing client hello");
#if defined(HAVE_ECH)
        /* Remember where the outer ClientHello starts in case an inner
         * (ECH) ClientHello has to be processed afterwards. */
        echInOutIdx = *inOutIdx;
#endif
        ret = DoTls13ClientHello(ssl, input, inOutIdx, size);
#if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
    ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
     (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
        /* Same cache release as on the client side: the raw message cache
         * is only kept when a TLS 1.2 client certificate is expected
         * (and never for DTLS). Skipped while an async/OCSP operation is
         * still pending, since the ClientHello will be processed again. */
        if ((ssl->options.resuming || !ssl->options.verifyPeer ||
                !IsAtLeastTLSv1_2(ssl) || IsAtLeastTLSv1_3(ssl->version))
#ifdef WOLFSSL_DTLS13
                && (!ssl->options.dtls)
#endif
                ) {
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
            if (ret != WC_NO_ERR_TRACE(WC_PENDING_E) &&
                    ret != WC_NO_ERR_TRACE(OCSP_WANT_READ))
#endif
            {
                ssl->options.cacheMessages = 0;
                if ((ssl->hsHashes != NULL) &&
                        (ssl->hsHashes->messages != NULL)) {
                    ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length);
                    XFREE(ssl->hsHashes->messages, ssl->heap,
                        DYNAMIC_TYPE_HASHES);
                    ssl->hsHashes->messages = NULL;
                }
            }
        }
#endif
#if defined(HAVE_ECH)
        /* If the ECH extension of the outer ClientHello yielded an inner
         * ClientHello, process that one now from its own buffer: rewind to
         * the start of the outer message, parse the inner hello as the SNI
         * source, then step over the outer message in input. */
        if (ret == 0) {
            echX = TLSX_Find(ssl->extensions, TLSX_ECH);
            if (echX != NULL &&
                    ((WOLFSSL_ECH*)echX->data)->state == ECH_WRITE_NONE &&
                    ((WOLFSSL_ECH*)echX->data)->innerClientHello != NULL) {
                /* innerCount == 0 presumably marks the first inner hello
                 * (before any HelloRetryRequest) - confirm; only then is
                 * its random kept for the accept confirmation. */
                byte copyRandom = ((WOLFSSL_ECH*)echX->data)->innerCount == 0;

                *inOutIdx = echInOutIdx;
                if (ret == 0) {
                    ((WOLFSSL_ECH*)echX->data)->sniState = ECH_INNER_SNI;
                    ret = DoTls13ClientHello(ssl,
                        ((WOLFSSL_ECH*)echX->data)->innerClientHello,
                        &echInOutIdx,
                        ((WOLFSSL_ECH*)echX->data)->innerClientHelloLen);
                    ((WOLFSSL_ECH*)echX->data)->sniState = ECH_SNI_DONE;
                }
                if (ret == 0) {
                    if (copyRandom) {
                        /* Client random sits right after the handshake
                         * header and legacy version of the inner hello. */
                        XMEMCPY(ssl->arrays->clientRandomInner,
                            ((WOLFSSL_ECH*)echX->data)->innerClientHello +
                            HANDSHAKE_HEADER_SZ + VERSION_SZ, RAN_LEN);
                    }
                    *inOutIdx += size;
                }
            }
        }
#endif
        break;

#ifdef WOLFSSL_EARLY_DATA
    case end_of_early_data:
        WOLFSSL_MSG("processing end of early data");
        ret = DoTls13EndOfEarlyData(ssl, input, inOutIdx, size);
        break;
#endif
#endif /* !NO_WOLFSSL_SERVER */

#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
    !defined(WOLFSSL_NO_CLIENT_AUTH))
    case certificate:
        WOLFSSL_MSG("processing certificate");
        ret = DoTls13Certificate(ssl, input, inOutIdx, size);
        break;
#endif

#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
    defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(HAVE_DILITHIUM)
    case certificate_verify:
        WOLFSSL_MSG("processing certificate verify");
        ret = DoTls13CertificateVerify(ssl, input, inOutIdx, size);
        break;
#endif

    case finished:
        WOLFSSL_MSG("processing finished");
        ret = DoTls13Finished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF);
        break;

    case key_update:
        WOLFSSL_MSG("processing key update");
        ret = DoTls13KeyUpdate(ssl, input, inOutIdx, size);
        break;

#if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12) && \
    !defined(NO_WOLFSSL_CLIENT)
    case hello_verify_request:
        WOLFSSL_MSG("processing hello verify request");
        ret = DoHelloVerifyRequest(ssl, input, inOutIdx, size);
        break;
#endif

    default:
        WOLFSSL_MSG("Unknown handshake message type");
        ret = UNKNOWN_HANDSHAKE_TYPE;
        break;
    }

#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_ASYNC_IO)
    /* The handler is waiting on asynchronous work: step back to the
     * handshake header so the whole message is processed again on resume. */
    if ((ret == WC_NO_ERR_TRACE(WC_PENDING_E) ||
            ret == WC_NO_ERR_TRACE(OCSP_WANT_READ)) && *inOutIdx > 0) {
        *inOutIdx -= HANDSHAKE_HEADER_SZ;
    }
    /* A completed message clears a previously stored pending status. */
    if (ret == 0 &&
            (ssl->error == WC_NO_ERR_TRACE(WC_PENDING_E) ||
             ssl->error == WC_NO_ERR_TRACE(OCSP_WANT_READ))) {
        ssl->error = 0;
    }
#endif

    /* Add the message to the transcript hash. ClientHello, NewSessionTicket
     * and KeyUpdate are not hashed here. */
    if (ret == 0 && type != client_hello && type != session_ticket &&
            type != key_update) {
        ret = HashInput(ssl, input + inIdx, (int)size);
    }

    /* Turn the error into a fatal alert where one applies. A socket failure
     * while sending the alert becomes the reported error. */
    alertType = TranslateErrorToAlert(ret);
    if (alertType != invalid_alert) {
#ifdef WOLFSSL_DTLS13
        /* For a DTLS ClientHello the reply's sequence number has to be set
         * before the alert goes out. */
        if (type == client_hello && ssl->options.dtls)
            DtlsSetSeqNumForReply(ssl);
#endif
        tmp = SendAlert(ssl, alert_fatal, alertType);
        if (tmp == WC_NO_ERR_TRACE(SOCKET_ERROR_E))
            ret = SOCKET_ERROR_E;
    }

    /* Advance the key schedule for messages that complete a stage. */
    if (ret == 0 && ssl->options.tls1_3) {
#ifndef NO_WOLFSSL_CLIENT
        if (ssl->options.side == WOLFSSL_CLIENT_END) {
            if (type == server_hello) {
                /* ServerHello fixes the key exchange: derive the early and
                 * handshake secrets and the handshake traffic keys. */
                if ((ret = DeriveEarlySecret(ssl)) != 0)
                    return ret;
                if ((ret = DeriveHandshakeSecret(ssl)) != 0)
                    return ret;
                if ((ret = DeriveTls13Keys(ssl, handshake_key,
                        ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
                    return ret;
                }
#ifdef WOLFSSL_EARLY_DATA
                /* With early data only the decrypt side switches now -
                 * presumably the client keeps sending under the early
                 * keys; confirm. */
                if (ssl->earlyData != no_early_data) {
                    if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
                        return ret;
                }
                else
#endif
                if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
                    return ret;
#ifdef WOLFSSL_DTLS13
                /* DTLS 1.3: both our and the peer's epoch move to the
                 * handshake epoch. */
                if (ssl->options.dtls) {
                    w64wrapper epochHandshake;
                    epochHandshake = w64From32(0, DTLS13_EPOCH_HANDSHAKE);
                    ssl->dtls13Epoch = epochHandshake;
                    ssl->dtls13PeerEpoch = epochHandshake;
                    ret = Dtls13SetEpochKeys(
                        ssl, epochHandshake, ENCRYPT_AND_DECRYPT_SIDE);
                    if (ret != 0)
                        return ret;
                }
#endif
            }
            if (type == finished) {
                /* Server Finished: the master secret can be derived and the
                 * pre-master secret is no longer needed - wipe it. */
                if ((ret = DeriveMasterSecret(ssl)) != 0)
                    return ret;
                ForceZero(ssl->arrays->preMasterSecret,
                    ssl->arrays->preMasterSz);
#ifdef WOLFSSL_EARLY_DATA
#ifdef WOLFSSL_QUIC
                /* QUIC with early data: switch the encrypt side here
                 * (QUIC has no EndOfEarlyData - presumably; confirm). */
                if (WOLFSSL_IS_QUIC(ssl) && ssl->earlyData != no_early_data) {
                    if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
                        return ret;
                }
#endif
                if ((ret = DeriveTls13Keys(ssl, traffic_key,
                        ENCRYPT_AND_DECRYPT_SIDE,
                        ssl->earlyData == no_early_data)) != 0) {
                    return ret;
                }
                /* See DeriveTls13Keys for what the no_key pass does when
                 * early data was used; not evident from here. */
                if (ssl->earlyData != no_early_data) {
                    if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY,
                            1)) != 0) {
                        return ret;
                    }
                }
#else
                if ((ret = DeriveTls13Keys(ssl, traffic_key,
                        ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
                    return ret;
                }
#endif
                /* Only the decrypt side moves to traffic keys now; the
                 * client's own Finished still has to be sent. */
                if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
                    return ret;
            }
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
            /* A CertificateRequest after the handshake is post-handshake
             * authentication. */
            if (type == certificate_request &&
                    ssl->options.handShakeState == HANDSHAKE_DONE) {
#if defined(HAVE_WRITE_DUP)
                /* Reads are duplicated onto a separate write object: hand
                 * the request over to it under its mutex - snapshot the
                 * handshake hashes, move the request contexts across and
                 * flag the authentication as pending there. */
                if (ssl->dupSide == READ_DUP_SIDE) {
                    if (ssl->dupWrite == NULL)
                        return BAD_STATE_E;
                    if (wc_LockMutex(&ssl->dupWrite->dupMutex) != 0)
                        return BAD_MUTEX_E;
                    ret = InitHandshakeHashesAndCopy(ssl, ssl->hsHashes,
                        &ssl->dupWrite->postHandshakeHashState);
                    if (ret == 0) {
                        /* Append the write side's contexts after ours,
                         * then give the whole list to the write side. */
                        CertReqCtx** tail = &ssl->certReqCtx;
                        while (*tail != NULL)
                            tail = &(*tail)->next;
                        *tail = ssl->dupWrite->postHandshakeCertReqCtx;
                        ssl->dupWrite->postHandshakeCertReqCtx = ssl->certReqCtx;
                        ssl->certReqCtx = NULL;
                        ssl->dupWrite->postHandshakeSendVerify =
                            ssl->options.sendVerify;
                        ssl->dupWrite->postHandshakeSigAlgo =
                            ssl->options.sigAlgo;
                        ssl->dupWrite->postHandshakeHashAlgo =
                            ssl->options.hashAlgo;
                        ssl->dupWrite->postHandshakeAuthPending = 1;
                    }
                    wc_UnLockMutex(&ssl->dupWrite->dupMutex);
                }
                else
#endif
                {
                    /* Rewind the connect state machine to just after the
                     * ClientHello so wolfSSL_connect_TLSv13 sends
                     * Certificate, CertificateVerify and Finished. Anything
                     * other than a pending async operation is reported as
                     * a post-handshake authentication failure. */
                    ssl->options.clientState = CLIENT_HELLO_COMPLETE;
                    ssl->options.connectState = FIRST_REPLY_DONE;
                    ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
                    ssl->options.processReply = 0;
                    if (wolfSSL_connect_TLSv13(ssl) != WOLFSSL_SUCCESS) {
                        ret = ssl->error;
                        if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
                            ret = POST_HAND_AUTH_ERROR;
                    }
                }
            }
#endif
        }
#endif /* !NO_WOLFSSL_CLIENT */

#ifndef NO_WOLFSSL_SERVER
#if defined(HAVE_SESSION_TICKET)
        /* Server: once the client's Finished is in, the resumption secret
         * for session tickets can be derived. */
        if (ssl->options.side == WOLFSSL_SERVER_END && type == finished) {
            ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret);
            if (ret != 0)
                return ret;
        }
#endif
#endif /* !NO_WOLFSSL_SERVER */
    }

#ifdef WOLFSSL_DTLS13
    /* A stateless DTLS server keeps nothing between messages: reset, and
     * treat ignorable errors as success. */
    if (ssl->options.dtls && !ssl->options.dtlsStateful) {
        DtlsResetState(ssl);
        if (DtlsIgnoreError(ret))
            ret = 0;
    }
#endif

    WOLFSSL_LEAVE("DoTls13HandShakeMsgType()", ret);
    return ret;
}
/* Parse a handshake message from the input buffer and process it.
 *
 * Handles a handshake message that is split over several records: when the
 * complete body is not yet available it is accumulated in
 * ssl->arrays->pendingMsg and 0 is returned; when the last fragment arrives
 * the buffered message is processed. Without ssl->arrays (no pending-message
 * storage; presumably after the handshake) the message has to be complete.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry the index of the handshake header; advanced past the
 *           consumed data (including record padding) on return.
 * totalSz   Length of input that may be read.
 * returns 0 on success (including "fragment buffered, more needed") and a
 * negative error code otherwise.
 */
int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
    word32 totalSz)
{
    int ret = 0;
    word32 inputLength;
    byte type;
    word32 size = 0;

    WOLFSSL_ENTER("DoTls13HandShakeMsg");

    /* No fragment storage available: the message must arrive whole. */
    if (ssl->arrays == NULL) {
        if (GetHandshakeHeader(ssl, input, inOutIdx, &type, &size,
                totalSz) != 0) {
            SendAlert(ssl, alert_fatal, unexpected_message);
            WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
            return PARSE_ERROR;
        }
        ret = EarlySanityCheckMsgReceived(ssl, type, size);
        if (ret != 0) {
            WOLFSSL_ERROR(ret);
            return ret;
        }
        return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
            totalSz);
    }

    /* Bytes of this record still unread, excluding the record padding.
     * Computed before the header is parsed, so it includes the header. */
    inputLength = ssl->buffers.inputBuffer.length - *inOutIdx - ssl->keys.padSz;

    if (ssl->arrays->pendingMsgSz == 0) {
        /* Start of a new message. */
        if (GetHandshakeHeader(ssl, input, inOutIdx, &type, &size,
                totalSz) != 0) {
            WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
            return PARSE_ERROR;
        }
        /* Early check on as much of the body as is present in this record. */
        ret = EarlySanityCheckMsgReceived(ssl, type,
            (inputLength > HANDSHAKE_HEADER_SZ) ?
                min(inputLength - HANDSHAKE_HEADER_SZ, size) : 0);
        if (ret != 0) {
            WOLFSSL_ERROR(ret);
            return ret;
        }
        /* Bound the size before allocating a pending buffer for it. */
        if (size > MAX_HANDSHAKE_SZ) {
            WOLFSSL_MSG("Handshake message too large");
            WOLFSSL_ERROR_VERBOSE(HANDSHAKE_SIZE_ERROR);
            return HANDSHAKE_SIZE_ERROR;
        }
        if (inputLength - HANDSHAKE_HEADER_SZ < size) {
            /* Body continues in a later record: buffer header and first
             * fragment, then wait for the rest. */
            ssl->arrays->pendingMsgType = type;
            ssl->arrays->pendingMsgSz = size + HANDSHAKE_HEADER_SZ;
            ssl->arrays->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ,
                ssl->heap,
                DYNAMIC_TYPE_ARRAYS);
            if (ssl->arrays->pendingMsg == NULL)
                return MEMORY_E;
            XMEMCPY(ssl->arrays->pendingMsg,
                input + *inOutIdx - HANDSHAKE_HEADER_SZ,
                inputLength);
            ssl->arrays->pendingMsgOffset = inputLength;
            /* The header was already consumed by GetHandshakeHeader. */
            *inOutIdx += inputLength + ssl->keys.padSz - HANDSHAKE_HEADER_SZ;
            return 0;
        }
        ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
            totalSz);
    }
    else {
        /* Continuation of a buffered message: take no more than is missing. */
        if (inputLength + ssl->arrays->pendingMsgOffset >
                ssl->arrays->pendingMsgSz) {
            inputLength = ssl->arrays->pendingMsgSz -
                ssl->arrays->pendingMsgOffset;
        }
        ret = EarlySanityCheckMsgReceived(ssl, ssl->arrays->pendingMsgType,
            inputLength);
        if (ret != 0) {
            WOLFSSL_ERROR(ret);
            return ret;
        }
        XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset,
            input + *inOutIdx, inputLength);
        ssl->arrays->pendingMsgOffset += inputLength;
        *inOutIdx += inputLength + ssl->keys.padSz;

        if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz)
        {
            /* Message complete: process it out of the pending buffer. */
            word32 idx = 0;
            ret = DoTls13HandShakeMsgType(ssl,
                ssl->arrays->pendingMsg + HANDSHAKE_HEADER_SZ,
                &idx, ssl->arrays->pendingMsgType,
                ssl->arrays->pendingMsgSz - HANDSHAKE_HEADER_SZ,
                ssl->arrays->pendingMsgSz);
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
            /* Still pending: undo this fragment so it is re-read and the
             * message re-processed on resume. */
            if (ret == WC_NO_ERR_TRACE(WC_PENDING_E) ||
                    ret == WC_NO_ERR_TRACE(OCSP_WANT_READ)) {
                ssl->arrays->pendingMsgOffset -= inputLength;
                *inOutIdx -= inputLength + ssl->keys.padSz;
            }
            else
#endif
            {
                XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
                ssl->arrays->pendingMsg = NULL;
                ssl->arrays->pendingMsgSz = 0;
            }
        }
    }

    WOLFSSL_LEAVE("DoTls13HandShakeMsg", ret);
    return ret;
}
#ifndef NO_WOLFSSL_CLIENT
/* Drive the TLS v1.3 client handshake state machine.
 *
 * Called repeatedly until it reports success; with non-blocking I/O the
 * position in the handshake is recorded in ssl->options.connectState so a
 * later call resumes where the previous one stopped. Any buffered output
 * is flushed first and a pending alert retried; the switch then runs from
 * the current state, falling through to the next as each step completes.
 *
 * ssl  The SSL/TLS object.
 * returns WOLFSSL_SUCCESS when the handshake is done (also when the early
 * data phase is reached, or when only the server certificate was wanted),
 * WOLFSSL_FATAL_ERROR with ssl->error set on failure, and a raw error code
 * from ReinitSSL or when the server picked a lower version and downgrading
 * is not allowed.
 */
int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
{
    int advanceState;
    int ret = 0;

    WOLFSSL_ENTER("wolfSSL_connect_TLSv13");

#ifdef HAVE_ERRNO_H
    errno = 0;
#endif

    if (ssl == NULL)
        return BAD_FUNC_ARG;

    if (ssl->options.side != WOLFSSL_CLIENT_END) {
        ssl->error = SIDE_ERROR;
        WOLFSSL_ERROR(ssl->error);
        return WOLFSSL_FATAL_ERROR;
    }

    if ((ret = ReinitSSL(ssl, ssl->ctx, 0)) != 0) {
        return ret;
    }

#ifdef WOLFSSL_DTLS
    if (ssl->version.major == DTLS_MAJOR) {
        ssl->options.dtls = 1;
        ssl->options.dtlsStateful = 1;
    }
#endif

#ifdef WOLFSSL_WOLFSENTRY_HOOKS
    /* Let the connect filter veto the connection before anything is sent. */
    if ((ssl->ConnectFilter != NULL) &&
            (ssl->options.connectState == CONNECT_BEGIN))
    {
        wolfSSL_netfilter_decision_t res;
        if ((ssl->ConnectFilter(ssl, ssl->ConnectFilter_arg, &res) ==
                WOLFSSL_SUCCESS) &&
                (res == WOLFSSL_NETFILTER_REJECT)) {
            ssl->error = SOCKET_FILTERED_E;
            WOLFSSL_ERROR(ssl->error);
            return WOLFSSL_FATAL_ERROR;
        }
    }
#endif

    /* States whose last action was a send: once the buffered output is
     * fully flushed the state can be stepped forward. */
    advanceState = (ssl->options.connectState == CONNECT_BEGIN ||
        ssl->options.connectState == HELLO_AGAIN ||
        (ssl->options.connectState >= FIRST_REPLY_DONE &&
            ssl->options.connectState <= FIRST_REPLY_FOURTH));

#ifdef WOLFSSL_DTLS13
    /* Not while DTLS fragments, ACKs or retransmissions are in flight. */
    if (ssl->options.dtls)
        advanceState = advanceState && !ssl->dtls13SendingFragments
            && !ssl->dtls13SendingAckOrRtx;
#endif

    /* Flush output left over from a previous call that could not write. */
    if (ssl->buffers.outputBuffer.length > 0
#ifdef WOLFSSL_ASYNC_CRYPT
            && ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E)
#endif
            ) {
        if ((ret = SendBuffered(ssl)) == 0) {
            /* Only a completely sent message moves the state on. */
            if (ssl->fragOffset == 0 && !ssl->options.buildingMsg) {
                if (advanceState) {
#ifdef WOLFSSL_DTLS13
                    /* DTLS 1.3 waits for the Finished to be ACKed. */
                    if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version) &&
                            ssl->options.connectState == FIRST_REPLY_FOURTH) {
                        ssl->options.connectState = WAIT_FINISHED_ACK;
                    }
                    else
#endif
                    {
                        ssl->options.connectState++;
                    }
                    WOLFSSL_MSG("connect state: "
                        "Advanced from last buffered fragment send");
#ifdef WOLFSSL_ASYNC_IO
                    FreeAsyncCtx(ssl, 0);
#endif
                }
            }
            else {
                WOLFSSL_MSG("connect state: "
                    "Not advanced, more fragments to send");
            }
#ifdef WOLFSSL_DTLS13
            if (ssl->options.dtls)
                ssl->dtls13SendingAckOrRtx = 0;
#endif
        }
        else {
            ssl->error = ret;
            WOLFSSL_ERROR(ssl->error);
            return WOLFSSL_FATAL_ERROR;
        }
    }

    /* An alert that could not be sent earlier goes out before continuing. */
    ret = RetrySendAlert(ssl);
    if (ret != 0) {
        ssl->error = ret;
        WOLFSSL_ERROR(ssl->error);
        return WOLFSSL_FATAL_ERROR;
    }

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls && ssl->dtls13SendingFragments) {
        if ((ssl->error = Dtls13FragmentsContinue(ssl)) != 0) {
            WOLFSSL_ERROR(ssl->error);
            return WOLFSSL_FATAL_ERROR;
        }
        ssl->options.connectState++;
    }
#endif

    switch (ssl->options.connectState) {
    case CONNECT_BEGIN:
        if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
            WOLFSSL_ERROR(ssl->error);
            return WOLFSSL_FATAL_ERROR;
        }
        ssl->options.connectState = CLIENT_HELLO_SENT;
        WOLFSSL_MSG("TLSv13 connect state: CLIENT_HELLO_SENT");
        FALL_THROUGH;

    case CLIENT_HELLO_SENT:
#ifdef WOLFSSL_EARLY_DATA
        /* With early data, return to the application now so it can write
         * the early data; the handshake continues on the next call. */
        if (ssl->earlyData != no_early_data &&
                ssl->options.handShakeState != CLIENT_HELLO_COMPLETE) {
#if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
            if (!ssl->options.dtls &&
                    ssl->options.tls13MiddleBoxCompat) {
                if ((ssl->error = SendChangeCipher(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                ssl->options.sentChangeCipher = 1;
            }
#endif
            ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
            return WOLFSSL_SUCCESS;
        }
#endif
        /* Read until a ServerHello / HelloRetryRequest (or DTLS
         * HelloVerifyRequest) has been processed. */
        while (ssl->options.serverState <
                SERVER_HELLOVERIFYREQUEST_COMPLETE) {
            if ((ssl->error = ProcessReply(ssl)) < 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
#ifdef WOLFSSL_DTLS13
            if (ssl->options.dtls) {
                if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif
        }

        /* The server chose a lower version: continue with the TLS 1.2
         * state machine only if downgrade was permitted. */
        if (!ssl->options.tls1_3) {
#ifndef WOLFSSL_NO_TLS12
            if (ssl->options.downgrade)
                return wolfSSL_connect(ssl);
#endif
            WOLFSSL_MSG("Client using higher version, fatal error");
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
            return VERSION_ERROR;
        }

        ssl->options.connectState = HELLO_AGAIN;
        WOLFSSL_MSG("connect state: HELLO_AGAIN");
        FALL_THROUGH;

    case HELLO_AGAIN:
        /* A HelloRetryRequest means a second ClientHello has to be sent. */
        if (ssl->options.serverState ==
                SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
#if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
            if (!ssl->options.dtls && !ssl->options.sentChangeCipher
                    && ssl->options.tls13MiddleBoxCompat) {
                if ((ssl->error = SendChangeCipher(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                ssl->options.sentChangeCipher = 1;
            }
#endif
            if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
        }
        ssl->options.connectState = HELLO_AGAIN_REPLY;
        WOLFSSL_MSG("connect state: HELLO_AGAIN_REPLY");
        FALL_THROUGH;

    case HELLO_AGAIN_REPLY:
        /* Read the rest of the server's flight, up to its Finished. */
        while (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
#ifdef WOLFSSL_DTLS13
            if (!IsAtLeastTLSv1_3(ssl->version)) {
#ifndef WOLFSSL_NO_TLS12
                if (ssl->options.downgrade)
                    return wolfSSL_connect(ssl);
#endif
            }
#endif
            if ((ssl->error = ProcessReply(ssl)) < 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
#ifdef WOLFSSL_DTLS13
            if (ssl->options.dtls) {
                if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif
        }
        ssl->options.connectState = FIRST_REPLY_DONE;
        WOLFSSL_MSG("connect state: FIRST_REPLY_DONE");
        FALL_THROUGH;

    case FIRST_REPLY_DONE:
        /* Caller only wanted the server's certificate chain. */
        if (ssl->options.certOnly)
            return WOLFSSL_SUCCESS;
#ifdef WOLFSSL_EARLY_DATA
        if (!ssl->options.dtls && ssl->earlyData != no_early_data
                && !WOLFSSL_IS_QUIC(ssl)) {
            if ((ssl->error = SendTls13EndOfEarlyData(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
            WOLFSSL_MSG("sent: end_of_early_data");
        }
#endif
        ssl->options.connectState = FIRST_REPLY_FIRST;
        WOLFSSL_MSG("connect state: FIRST_REPLY_FIRST");
        FALL_THROUGH;

    case FIRST_REPLY_FIRST:
#if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
        /* Dummy ChangeCipherSpec for middlebox compatibility, if not
         * already sent. */
        if (!ssl->options.sentChangeCipher && !ssl->options.dtls
                && ssl->options.tls13MiddleBoxCompat) {
            if ((ssl->error = SendChangeCipher(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
            ssl->options.sentChangeCipher = 1;
        }
#endif
        ssl->options.connectState = FIRST_REPLY_SECOND;
        WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND");
        FALL_THROUGH;

    case FIRST_REPLY_SECOND:
        /* Refuse to go on unless the server was actually authenticated. */
        if (!ssl->options.peerAuthGood) {
            WOLFSSL_MSG("Server authentication did not happen");
            WOLFSSL_ERROR_VERBOSE(WOLFSSL_FATAL_ERROR);
            return WOLFSSL_FATAL_ERROR;
        }
#ifndef NO_CERTS
        /* Client certificate, when requested and not resuming. */
        if (!ssl->options.resuming && ssl->options.sendVerify) {
            ssl->error = SendTls13Certificate(ssl);
            if (ssl->error != 0) {
                wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
            WOLFSSL_MSG("sent: certificate");
        }
#endif
        ssl->options.connectState = FIRST_REPLY_THIRD;
        WOLFSSL_MSG("connect state: FIRST_REPLY_THIRD");
        FALL_THROUGH;

    case FIRST_REPLY_THIRD:
#if (!defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \
     defined(HAVE_ED25519) || defined(HAVE_ED448) || \
     defined(HAVE_FALCON) || defined(HAVE_DILITHIUM))) && \
    (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))
        if (!ssl->options.resuming && ssl->options.sendVerify) {
            ssl->error = SendTls13CertificateVerify(ssl);
            if (ssl->error != 0) {
                wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
            WOLFSSL_MSG("sent: certificate verify");
        }
#endif
        ssl->options.connectState = FIRST_REPLY_FOURTH;
        WOLFSSL_MSG("connect state: FIRST_REPLY_FOURTH");
        FALL_THROUGH;

    case FIRST_REPLY_FOURTH:
        if ((ssl->error = SendTls13Finished(ssl)) != 0) {
            wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
            WOLFSSL_ERROR(ssl->error);
            return WOLFSSL_FATAL_ERROR;
        }
        WOLFSSL_MSG("sent: finished");

#ifdef WOLFSSL_DTLS13
        ssl->options.connectState = WAIT_FINISHED_ACK;
        WOLFSSL_MSG("connect state: WAIT_FINISHED_ACK");
        FALL_THROUGH;

    case WAIT_FINISHED_ACK:
        /* DTLS 1.3: the handshake is not done until our Finished is ACKed. */
        if (ssl->options.dtls) {
            while (ssl->options.serverState != SERVER_FINISHED_ACKED) {
                if ((ssl->error = ProcessReply(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
        }
#endif
        ssl->options.connectState = FINISHED_DONE;
        WOLFSSL_MSG("connect state: FINISHED_DONE");
        FALL_THROUGH;

    case FINISHED_DONE:
#ifndef NO_HANDSHAKE_DONE_CB
        /* A negative result from the handshake-done callback aborts. */
        if (ssl->hsDoneCb != NULL) {
            int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
            if (cbret < 0) {
                ssl->error = cbret;
                WOLFSSL_ERROR_VERBOSE(ssl->error);
                WOLFSSL_MSG("HandShake Done Cb don't continue error");
                return WOLFSSL_FATAL_ERROR;
            }
        }
#endif
        /* Release handshake-only material unless the caller keeps it. */
        if (!ssl->options.keepResources) {
            FreeHandshakeResources(ssl);
        }
#if defined(WOLFSSL_ASYNC_IO) && !defined(WOLFSSL_ASYNC_CRYPT)
        FreeAsyncCtx(ssl, 1);
#endif
        ssl->error = 0;
        WOLFSSL_LEAVE("wolfSSL_connect_TLSv13", WOLFSSL_SUCCESS);
        return WOLFSSL_SUCCESS;

    default:
        WOLFSSL_MSG("Unknown connect state ERROR");
        return WOLFSSL_FATAL_ERROR;
    }
}
#endif
#if defined(WOLFSSL_SEND_HRR_COOKIE)
/* Enable HelloRetryRequest cookies on a server and set the cookie secret.
 *
 * ssl       The SSL/TLS object (must be TLS 1.3, server side).
 * secret    Secret bytes to use, or NULL to generate secretSz random bytes.
 * secretSz  Length of secret; 0 selects the digest size of the first enabled
 *           hash in the order SHA-256, SHA-384, SHA-512, SM3.
 * returns WOLFSSL_SUCCESS on success; BAD_FUNC_ARG, SIDE_ERROR, MEMORY_ERROR
 * or an RNG error code otherwise.
 */
int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret,
    unsigned int secretSz)
{
    int ret;

    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

#ifndef NO_WOLFSSL_SERVER
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

    /* Default secret length: the digest size of the cookie HMAC's hash. */
    if (secretSz == 0) {
#ifndef NO_SHA256
        secretSz = WC_SHA256_DIGEST_SIZE;
#elif defined(WOLFSSL_SHA384)
        secretSz = WC_SHA384_DIGEST_SIZE;
#elif defined(WOLFSSL_TLS13_SHA512)
        secretSz = WC_SHA512_DIGEST_SIZE;
#elif defined(WOLFSSL_SM3)
        secretSz = WC_SM3_DIGEST_SIZE;
#else
#error "No digest to available to use with HMAC for cookies."
#endif
    }

    /* Reallocate only when the length changes; the old secret is wiped
     * before it is freed. */
    if (secretSz != ssl->buffers.tls13CookieSecret.length) {
        byte* newSecret;

        if (ssl->buffers.tls13CookieSecret.buffer != NULL) {
            ForceZero(ssl->buffers.tls13CookieSecret.buffer,
                ssl->buffers.tls13CookieSecret.length);
            XFREE(ssl->buffers.tls13CookieSecret.buffer,
                ssl->heap, DYNAMIC_TYPE_COOKIE_PWD);
        }

        newSecret = (byte*)XMALLOC(secretSz, ssl->heap,
            DYNAMIC_TYPE_COOKIE_PWD);
        if (newSecret == NULL) {
            /* The old buffer is gone: leave no dangling pointer behind. */
            ssl->buffers.tls13CookieSecret.buffer = NULL;
            ssl->buffers.tls13CookieSecret.length = 0;
            WOLFSSL_MSG("couldn't allocate new cookie secret");
            return MEMORY_ERROR;
        }
        ssl->buffers.tls13CookieSecret.buffer = newSecret;
        ssl->buffers.tls13CookieSecret.length = secretSz;
#ifdef WOLFSSL_CHECK_MEM_ZERO
        /* Register the secret so the memory-zeroing check covers it. */
        wc_MemZero_Add("wolfSSL_send_hrr_cookie secret",
            ssl->buffers.tls13CookieSecret.buffer,
            ssl->buffers.tls13CookieSecret.length);
#endif
    }

    /* No secret supplied: draw one from the object's RNG. */
    if (secret == NULL) {
        ret = wc_RNG_GenerateBlock(ssl->rng,
            ssl->buffers.tls13CookieSecret.buffer, secretSz);
        if (ret < 0)
            return ret;
    }
    else
        XMEMCPY(ssl->buffers.tls13CookieSecret.buffer, secret, secretSz);

    ssl->options.sendCookie = 1;
    ret = WOLFSSL_SUCCESS;
#else
    (void)secret;
    (void)secretSz;
    ret = SIDE_ERROR;
#endif

    return ret;
}
/* Stop sending HelloRetryRequest cookies and discard the cookie secret.
 *
 * The secret buffer, if any, is wiped before it is released.
 *
 * ssl  The SSL/TLS object (must be TLS 1.3, server side).
 * returns WOLFSSL_SUCCESS on success, BAD_FUNC_ARG for a NULL or non-TLS 1.3
 * object and SIDE_ERROR on a client object (or a client-only build).
 */
int wolfSSL_disable_hrr_cookie(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

#ifdef NO_WOLFSSL_SERVER
    return SIDE_ERROR;
#else
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

    if (ssl->buffers.tls13CookieSecret.buffer == NULL) {
        /* Nothing allocated - only the flag needs clearing. */
        ssl->options.sendCookie = 0;
        return WOLFSSL_SUCCESS;
    }

    /* Scrub the secret before giving the memory back. */
    ForceZero(ssl->buffers.tls13CookieSecret.buffer,
        ssl->buffers.tls13CookieSecret.length);
    XFREE(ssl->buffers.tls13CookieSecret.buffer, ssl->heap,
        DYNAMIC_TYPE_COOKIE_PWD);
    ssl->buffers.tls13CookieSecret.buffer = NULL;
    ssl->buffers.tls13CookieSecret.length = 0;

    ssl->options.sendCookie = 0;
    return WOLFSSL_SUCCESS;
#endif
}
#endif
#ifdef HAVE_SUPPORTED_CURVES
/* Add a key share for the named group to the ClientHello extensions.
 *
 * For ML-KEM / PQC (hybrid) groups the object must be TLS 1.3; on the
 * server side such a request is accepted without doing anything.
 *
 * ssl    The SSL/TLS object.
 * group  Named group identifier.
 * returns WOLFSSL_SUCCESS on success, BAD_FUNC_ARG for a NULL object or an
 * unsupported group, and otherwise the error from the async pop or the key
 * share generation.
 */
int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group)
{
    int ret;

    if (ssl == NULL)
        return BAD_FUNC_ARG;

#ifdef WOLFSSL_ASYNC_CRYPT
    /* Collect the result of any outstanding asynchronous operation. */
    ret = wolfSSL_AsyncPop(ssl, NULL);
    if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E) && ret < 0)
        return ret;
#endif

#if defined(WOLFSSL_HAVE_MLKEM)
    if (WOLFSSL_NAMED_GROUP_IS_PQC(group) ||
            WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(group)) {
        int notTls13 = (ssl->ctx != NULL && ssl->ctx->method != NULL &&
            !IsAtLeastTLSv1_3(ssl->version));

        if (notTls13)
            return BAD_FUNC_ARG;
        /* Servers do not generate PQC key shares up front. */
        if (ssl->options.side == WOLFSSL_SERVER_END)
            return WOLFSSL_SUCCESS;
    }
#endif

#if defined(NO_TLS)
    (void)ret;
    (void)group;
    return WOLFSSL_SUCCESS;
#else
    if (!TLSX_IsGroupSupported(group)) {
        WOLFSSL_MSG("Group not supported.");
        return BAD_FUNC_ARG;
    }

    ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL, &ssl->extensions);
    return (ret != 0) ? ret : WOLFSSL_SUCCESS;
#endif
}
/* Send an empty KeyShare extension in the ClientHello (client only).
 *
 * ssl  The SSL/TLS object.
 * returns WOLFSSL_SUCCESS on success, BAD_FUNC_ARG for a NULL object,
 * SIDE_ERROR on a server object and otherwise the extension error.
 */
int wolfSSL_NoKeyShares(WOLFSSL* ssl)
{
#if !defined(NO_TLS)
    int ret;
#endif

    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

#if defined(NO_TLS)
    return WOLFSSL_SUCCESS;
#else
    ret = TLSX_KeyShare_Empty(ssl);
    return (ret != 0) ? ret : WOLFSSL_SUCCESS;
#endif
}
#endif
#ifdef WOLFSSL_DUAL_ALG_CERTS
/* Set the CKS (certificate key selection) signature spec on an object.
 *
 * The pointer is stored as-is - no copy is made here - so sigSpec must stay
 * valid for as long as the object uses it.
 *
 * ssl        The SSL/TLS object (its method must be TLS 1.3).
 * sigSpec    Signature spec bytes.
 * sigSpecSz  Length of sigSpec; must be non-zero.
 * returns WOLFSSL_SUCCESS, or BAD_FUNC_ARG on an invalid argument.
 */
int wolfSSL_UseCKS(WOLFSSL* ssl, byte *sigSpec, word16 sigSpecSz)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->ctx->method->version))
        return BAD_FUNC_ARG;
    if (sigSpec == NULL || sigSpecSz == 0)
        return BAD_FUNC_ARG;

    ssl->sigSpecSz = sigSpecSz;
    ssl->sigSpec = sigSpec;
    return WOLFSSL_SUCCESS;
}
/* Set the CKS (certificate key selection) signature spec on a context.
 *
 * The pointer is stored as-is - no copy is made here - so sigSpec must stay
 * valid for as long as the context uses it.
 *
 * ctx        The SSL/TLS context (its method must be TLS 1.3).
 * sigSpec    Signature spec bytes.
 * sigSpecSz  Length of sigSpec; must be non-zero.
 * returns WOLFSSL_SUCCESS, or BAD_FUNC_ARG on an invalid argument.
 */
int wolfSSL_CTX_UseCKS(WOLFSSL_CTX* ctx, byte *sigSpec, word16 sigSpecSz)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;
    if (sigSpec == NULL || sigSpecSz == 0)
        return BAD_FUNC_ARG;

    ctx->sigSpecSz = sigSpecSz;
    ctx->sigSpec = sigSpec;
    return WOLFSSL_SUCCESS;
}
#endif
/* Stop a server context from sending TLS 1.3 session tickets.
 *
 * ctx  The SSL/TLS context (must be TLS 1.3, server side).
 * returns 0 on success, BAD_FUNC_ARG for a NULL or non-TLS 1.3 context and
 * SIDE_ERROR for a client context. A no-op when tickets are compiled out.
 */
int wolfSSL_CTX_no_ticket_TLSv13(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;
    if (ctx->method->side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

#ifdef HAVE_SESSION_TICKET
    ctx->noTicketTls13 = 1;
#endif
    return 0;
}
/* Stop a server object from sending TLS 1.3 session tickets.
 *
 * ssl  The SSL/TLS object (must be TLS 1.3, server side).
 * returns 0 on success, BAD_FUNC_ARG for a NULL or non-TLS 1.3 object and
 * SIDE_ERROR for a client object. A no-op when tickets are compiled out.
 */
int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

#ifdef HAVE_SESSION_TICKET
    ssl->options.noTicketTls13 = 1;
#endif
    return 0;
}
/* Disable the (EC)DHE PSK key exchange mode on a context, leaving PSK-only.
 *
 * ctx  The SSL/TLS context (must be TLS 1.3).
 * returns 0 on success and BAD_FUNC_ARG for a NULL or non-TLS 1.3 context.
 * A no-op when neither session tickets nor PSK are compiled in.
 */
int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    ctx->noPskDheKe = 1;
#endif
    return 0;
}
/* Disable the (EC)DHE PSK key exchange mode on an object, leaving PSK-only.
 *
 * ssl  The SSL/TLS object (must be TLS 1.3).
 * returns 0 on success and BAD_FUNC_ARG for a NULL or non-TLS 1.3 object.
 * A no-op when neither session tickets nor PSK are compiled in.
 */
int wolfSSL_no_dhe_psk(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    ssl->options.noPskDheKe = 1;
#endif
    return 0;
}
#ifdef HAVE_SUPPORTED_CURVES
/* Restrict a context to the (EC)DHE PSK key exchange mode (no PSK-only).
 *
 * ctx  The SSL/TLS context (must be TLS 1.3).
 * returns 0 on success and BAD_FUNC_ARG for a NULL or non-TLS 1.3 context.
 * A no-op when neither session tickets nor PSK are compiled in.
 */
int wolfSSL_CTX_only_dhe_psk(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    ctx->onlyPskDheKe = 1;
#endif
    return 0;
}
/* Restrict an object to the (EC)DHE PSK key exchange mode (no PSK-only).
 *
 * ssl  The SSL/TLS object (must be TLS 1.3).
 * returns 0 on success and BAD_FUNC_ARG for a NULL or non-TLS 1.3 object.
 * A no-op when neither session tickets nor PSK are compiled in.
 */
int wolfSSL_only_dhe_psk(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    ssl->options.onlyPskDheKe = 1;
#endif
    return 0;
}
#endif
/* Send a KeyUpdate message to rotate the traffic keys.
 *
 * ssl  The SSL/TLS object (must be TLS 1.3).
 * returns 0 on success (also when a DTLS 1.3 KeyUpdate is still awaiting
 * its ACK and nothing is sent), BAD_FUNC_ARG for a NULL or non-TLS 1.3
 * object and otherwise the error from sending the KeyUpdate.
 */
int Tls13UpdateKeys(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

#ifdef WOLFSSL_DTLS13
    /* A previous KeyUpdate has not been ACKed yet: do not send another. */
    if (ssl->options.dtls && ssl->dtls13WaitKeyUpdateAck)
        return 0;
#endif

    return SendTls13KeyUpdate(ssl);
}
/* Public wrapper around Tls13UpdateKeys with public-API return codes.
 *
 * ssl  The SSL/TLS object.
 * returns WOLFSSL_SUCCESS on success, WOLFSSL_ERROR_WANT_WRITE when the
 * message could not be written yet, and the raw error code otherwise.
 */
int wolfSSL_update_keys(WOLFSSL* ssl)
{
    int ret = Tls13UpdateKeys(ssl);

    if (ret == 0)
        return WOLFSSL_SUCCESS;
    if (ret == WC_NO_ERR_TRACE(WANT_WRITE))
        return WOLFSSL_ERROR_WANT_WRITE;
    return ret;
}
/* Report whether a KeyUpdate response is still required from the peer.
 *
 * ssl       The SSL/TLS object (must be TLS 1.3).
 * required  Set to the object's updateResponseReq flag.
 * returns 0 on success and BAD_FUNC_ARG on a NULL argument or a
 * non-TLS 1.3 object.
 */
int wolfSSL_key_update_response(WOLFSSL* ssl, int* required)
{
    if (required == NULL)
        return BAD_FUNC_ARG;
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

    *required = ssl->keys.updateResponseReq;
    return 0;
}
#if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
/* Allow post-handshake client authentication on a client context.
 *
 * ctx  The SSL/TLS context (must be TLS 1.3, client side).
 * returns 0 on success, BAD_FUNC_ARG for a NULL or non-TLS 1.3 context and
 * SIDE_ERROR for a server context.
 */
int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;
    if (ctx->method->side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    ctx->postHandshakeAuth = 1;
    return 0;
}
/* Allow post-handshake client authentication on a client object.
 *
 * ssl  The SSL/TLS object (must be TLS 1.3, client side).
 * returns 0 on success, BAD_FUNC_ARG for a NULL or non-TLS 1.3 object and
 * SIDE_ERROR for a server object.
 */
int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    ssl->options.postHandshakeAuth = 1;
    return 0;
}
/* Server: request a client certificate after the handshake has completed
 * (post-handshake authentication, RFC 8446 section 4.6.2).
 *
 * A new certificate-request context is pushed onto ssl->certReqCtx, the
 * expectation of Certificate / CertificateVerify / Finished is reset and a
 * CertificateRequest is sent.
 *
 * ssl  The SSL/TLS object (must be TLS 1.3, server side).
 * returns WOLFSSL_SUCCESS on success; WOLFSSL_ERROR_WANT_WRITE when the
 * message could not be written yet; BAD_FUNC_ARG, SIDE_ERROR,
 * NOT_READY_ERROR (handshake not finished), POST_HAND_AUTH_ERROR (not
 * allowed on this object), BAD_STATE_E (previous request context is in an
 * unusable state), MEMORY_E, or the send error otherwise.
 */
int wolfSSL_request_certificate(WOLFSSL* ssl)
{
#ifndef NO_WOLFSSL_SERVER
    int ret;
    CertReqCtx* reqCtx;
#endif

    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

#ifdef NO_WOLFSSL_SERVER
    return SIDE_ERROR;
#else
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;
    if (ssl->options.handShakeState != HANDSHAKE_DONE)
        return NOT_READY_ERROR;
    if (!ssl->options.postHandshakeAuth)
        return POST_HAND_AUTH_ERROR;

    /* An outstanding request must use the one-byte context form and its id
     * must leave room for the next one (ctx + 1 is used below; ctx is
     * presumably a single byte given len is 1). */
    if (ssl->certReqCtx != NULL &&
            (ssl->certReqCtx->len != 1 || ssl->certReqCtx->ctx == 255)) {
        return BAD_STATE_E;
    }

    reqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx), ssl->heap,
        DYNAMIC_TYPE_TMP_BUFFER);
    if (reqCtx == NULL)
        return MEMORY_E;
    XMEMSET(reqCtx, 0, sizeof(CertReqCtx));

    /* Push onto the list; the id is one past the previous head's. */
    reqCtx->len = 1;
    reqCtx->next = ssl->certReqCtx;
    if (reqCtx->next != NULL)
        reqCtx->ctx = reqCtx->next->ctx + 1;
    ssl->certReqCtx = reqCtx;

    /* A fresh Certificate, CertificateVerify and Finished are expected. */
    ssl->msgsReceived.got_certificate = 0;
    ssl->msgsReceived.got_certificate_verify = 0;
    ssl->msgsReceived.got_finished = 0;

    ret = SendTls13CertificateRequest(ssl, &reqCtx->ctx, reqCtx->len);
    if (ret == 0)
        return WOLFSSL_SUCCESS;
    if (ret == WC_NO_ERR_TRACE(WANT_WRITE))
        return WOLFSSL_ERROR_WANT_WRITE;
    return ret;
#endif
}
#endif
#if !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
/* Client: return the server's preferred group once the handshake is done.
 *
 * ssl  The SSL/TLS object (must be TLS 1.3, client side).
 * returns the result of TLSX_SupportedCurve_Preferred (0 when supported
 * curves are compiled out); BAD_FUNC_ARG for a NULL or non-TLS 1.3 object,
 * SIDE_ERROR on a server object (or server-only build) and NOT_READY_ERROR
 * before the handshake has completed.
 */
int wolfSSL_preferred_group(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

#ifdef NO_WOLFSSL_CLIENT
    return SIDE_ERROR;
#else
    if (ssl->options.side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;
    if (ssl->options.handShakeState != HANDSHAKE_DONE)
        return NOT_READY_ERROR;

#ifndef HAVE_SUPPORTED_CURVES
    return 0;
#else
    return TLSX_SupportedCurve_Preferred(ssl, 1);
#endif
#endif
}
#endif
#ifndef NO_PSK
/* Install the client PSK callback that also selects the cipher suite.
 *
 * ctx  The SSL/TLS context; ignored when NULL.
 * cb   Callback to install. Setting it marks the context as having a PSK.
 */
void wolfSSL_CTX_set_psk_client_cs_callback(WOLFSSL_CTX* ctx,
    wc_psk_client_cs_callback cb)
{
    WOLFSSL_ENTER("wolfSSL_CTX_set_psk_client_cs_callback");

    if (ctx != NULL) {
        ctx->client_psk_cs_cb = cb;
        ctx->havePSK = 1;
    }
}
/* Install the client PSK callback that also selects the cipher suite, and
 * rebuild the object's cipher suite list so PSK suites are included.
 *
 * ssl  The SSL/TLS object; ignored when NULL.
 * cb   Callback to install. Setting it marks the object as having a PSK.
 */
void wolfSSL_set_psk_client_cs_callback(WOLFSSL* ssl,
    wc_psk_client_cs_callback cb)
{
#ifdef NO_RSA
    byte haveRSA = 0;
#else
    byte haveRSA = 1;
#endif
    int keySz;

    WOLFSSL_ENTER("wolfSSL_set_psk_client_cs_callback");

    if (ssl == NULL)
        return;

    ssl->options.client_psk_cs_cb = cb;
    ssl->options.havePSK = 1;

#ifndef NO_CERTS
    keySz = ssl->buffers.keySz;
#else
    keySz = 0;
#endif

    /* Suites are regenerated with PSK enabled; a failed allocation leaves
     * the callback installed but the suite list untouched. */
    if (AllocateSuites(ssl) != 0)
        return;
    InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
        ssl->options.haveDH, ssl->options.haveECDSAsig,
        ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
        ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
}
/* Install the TLS 1.3 client PSK callback on a context.
 *
 * ctx  The SSL/TLS context; ignored when NULL.
 * cb   Callback to install. Setting it marks the context as having a PSK.
 */
void wolfSSL_CTX_set_psk_client_tls13_callback(WOLFSSL_CTX* ctx,
    wc_psk_client_tls13_callback cb)
{
    WOLFSSL_ENTER("wolfSSL_CTX_set_psk_client_tls13_callback");

    if (ctx != NULL) {
        ctx->client_psk_tls13_cb = cb;
        ctx->havePSK = 1;
    }
}
/* Install the TLS 1.3 client PSK callback on an object and rebuild its
 * cipher suite list so PSK suites are included.
 *
 * ssl  The SSL/TLS object; ignored when NULL.
 * cb   Callback to install. Setting it marks the object as having a PSK.
 */
void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl,
    wc_psk_client_tls13_callback cb)
{
#ifdef NO_RSA
    byte haveRSA = 0;
#else
    byte haveRSA = 1;
#endif
    int keySz;

    WOLFSSL_ENTER("wolfSSL_set_psk_client_tls13_callback");

    if (ssl == NULL)
        return;

    ssl->options.client_psk_tls13_cb = cb;
    ssl->options.havePSK = 1;

#ifndef NO_CERTS
    keySz = ssl->buffers.keySz;
#else
    keySz = 0;
#endif

    /* Suites are regenerated with PSK enabled; a failed allocation leaves
     * the callback installed but the suite list untouched. */
    if (AllocateSuites(ssl) != 0)
        return;
    InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
        ssl->options.haveDH, ssl->options.haveECDSAsig,
        ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
        ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
}
/* Install the TLS 1.3 server PSK callback on a context and mark the context
 * as having PSK available.
 *
 * ctx  context to update; a NULL ctx is ignored
 * cb   callback stored in ctx->server_psk_tls13_cb */
void wolfSSL_CTX_set_psk_server_tls13_callback(WOLFSSL_CTX* ctx,
                                               wc_psk_server_tls13_callback cb)
{
    WOLFSSL_ENTER("wolfSSL_CTX_set_psk_server_tls13_callback");

    if (ctx != NULL) {
        ctx->server_psk_tls13_cb = cb;
        ctx->havePSK = 1;
    }
}
/* Install the TLS 1.3 server PSK callback on a single connection, then
 * rebuild the connection's suite list with PSK enabled.
 *
 * ssl  connection to update; a NULL ssl is ignored
 * cb   callback stored in ssl->options.server_psk_tls13_cb
 *
 * The suite rebuild is best-effort: if AllocateSuites() fails the callback
 * stays installed but the suite list is left untouched (void return, so the
 * failure is not reported). */
void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl,
                                           wc_psk_server_tls13_callback cb)
{
#ifdef NO_RSA
    const byte rsaAvail = 0;
#else
    const byte rsaAvail = 1;
#endif
    int privKeySz;

    WOLFSSL_ENTER("wolfSSL_set_psk_server_tls13_callback");

    if (ssl == NULL) {
        return;
    }

    ssl->options.havePSK = 1;
    ssl->options.server_psk_tls13_cb = cb;

#ifndef NO_CERTS
    privKeySz = ssl->buffers.keySz;
#else
    privKeySz = 0;
#endif

    /* Suites must be allocated before they can be (re)initialised. */
    if (AllocateSuites(ssl) == 0) {
        InitSuites(ssl->suites, ssl->version, privKeySz, rsaAvail, TRUE,
                   ssl->options.haveDH, ssl->options.haveECDSAsig,
                   ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
                   ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE,
                   ssl->options.side);
    }
}
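/* Find the first suite in the connection's suite list whose SuiteMac()
 * matches the named hash and return that suite's internal cipher name.
 *
 * ssl   connection whose suite list (WOLFSSL_SUITES) is searched
 * hash  "SHA256" or "SHA384"; any other name matches nothing
 *
 * Returns the name from GetCipherNameInternal(), or NULL when ssl or hash is
 * NULL, no suite list is available, the hash name is unknown, or no suite
 * uses that hash. (Previously a NULL ssl or hash was dereferenced.) */
const char* wolfSSL_get_cipher_name_by_hash(WOLFSSL* ssl, const char* hash)
{
    const Suites* suites;
    byte mac;
    int i;

    if (ssl == NULL || hash == NULL) {
        return NULL;
    }

    if (XSTRCMP(hash, "SHA256") == 0) {
        mac = sha256_mac;
    }
    else if (XSTRCMP(hash, "SHA384") == 0) {
        mac = sha384_mac;
    }
    else {
        return NULL;
    }

    suites = WOLFSSL_SUITES(ssl);
    if (suites == NULL) {
        return NULL;
    }

    /* Suites are stored as byte pairs; keep i + 1 inside suiteSz. */
    for (i = 0; i + 1 < suites->suiteSz; i += 2) {
        if (SuiteMac(suites->suites + i) == mac) {
            return GetCipherNameInternal(suites->suites[i],
                                         suites->suites[i + 1]);
        }
    }

    return NULL;
}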
#endif
#ifndef NO_WOLFSSL_SERVER
/* Drive the TLS 1.3 server handshake state machine as far as it can go in
 * this call. Progress is recorded in ssl->options.acceptState, so a later
 * call re-enters the switch at the state where this one stopped.
 *
 * ssl  server-side connection (ssl->options.side == WOLFSSL_SERVER_END)
 *
 * Returns WOLFSSL_SUCCESS when the handshake is complete (or, with
 * WOLFSSL_EARLY_DATA, once the server Finished has been sent and early data
 * is expected), WOLFSSL_FATAL_ERROR on failure with the reason in ssl->error,
 * or the non-zero result of ReinitSSL() if re-initialisation fails. */
int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
{
#if !defined(NO_CERTS) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
word16 havePSK = 0;
#endif
int ret = 0;
WOLFSSL_ENTER("wolfSSL_accept_TLSv13");
/* Clear errno so a later errno-based diagnostic reflects this call only. */
#ifdef HAVE_ERRNO_H
errno = 0;
#endif
if (ssl == NULL)
return WOLFSSL_FATAL_ERROR;
#if !defined(NO_CERTS) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
havePSK = ssl->options.havePSK;
#endif
/* Only a server-side object may accept. */
if (ssl->options.side != WOLFSSL_SERVER_END) {
ssl->error = SIDE_ERROR;
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
if ((ret = ReinitSSL(ssl, ssl->ctx, 0)) != 0) {
return ret;
}
#ifdef WOLFSSL_DTLS
/* DTLS is detected from the negotiated major version. */
if (ssl->version.major == DTLS_MAJOR) {
ssl->options.dtls = 1;
if (!IsDtlsNotSctpMode(ssl) || !ssl->options.sendCookie)
ssl->options.dtlsStateful = 1;
}
#endif
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
/* At the start of a handshake (or renegotiation) give the accept filter a
 * chance to reject the peer before any handshake processing happens. */
if ((ssl->AcceptFilter != NULL) &&
((ssl->options.acceptState == TLS13_ACCEPT_BEGIN)
#ifdef HAVE_SECURE_RENEGOTIATION
|| (ssl->options.acceptState == TLS13_ACCEPT_BEGIN_RENEG)
#endif
))
{
wolfSSL_netfilter_decision_t res;
if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) ==
WOLFSSL_SUCCESS) &&
(res == WOLFSSL_NETFILTER_REJECT)) {
ssl->error = SOCKET_FILTERED_E;
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
}
#endif
#ifndef NO_CERTS
/* Without PSK the server needs a certificate and a private key, unless a
 * certificate setup callback will supply them later, or the key lives on a
 * device / behind PK callbacks (WOLF_PRIVATE_KEY_ID). */
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
if (!havePSK)
#endif
{
#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
defined(WOLFSSL_NGINX) || defined (WOLFSSL_HAPROXY)
if (ssl->ctx->certSetupCb != NULL) {
WOLFSSL_MSG("CertSetupCb set. server cert and "
"key not checked");
}
else
#endif
{
if (!ssl->buffers.certificate ||
!ssl->buffers.certificate->buffer) {
WOLFSSL_MSG("accept error: server cert required");
ssl->error = NO_PRIVATE_KEY;
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
#ifdef WOLF_PRIVATE_KEY_ID
if (ssl->devId != INVALID_DEVID
#ifdef HAVE_PK_CALLBACKS
|| wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
#endif
) {
WOLFSSL_MSG("Allowing no server private key (external)");
}
else
#endif
{
WOLFSSL_MSG("accept error: server key required");
ssl->error = NO_PRIVATE_KEY;
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
}
}
}
#endif
/* Flush any output left from a previous (e.g. WANT_WRITE) call before
 * doing more handshake work. advanceState lists the states whose last
 * action was a send, so a completed flush means that state is finished. */
if (ssl->buffers.outputBuffer.length > 0
#ifdef WOLFSSL_ASYNC_CRYPT
&& ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E)
#endif
) {
int advanceState =
(ssl->options.acceptState == TLS13_ACCEPT_CLIENT_HELLO_DONE ||
ssl->options.acceptState ==
TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE ||
ssl->options.acceptState == TLS13_ACCEPT_SECOND_REPLY_DONE ||
ssl->options.acceptState == TLS13_SERVER_HELLO_SENT ||
ssl->options.acceptState == TLS13_ACCEPT_THIRD_REPLY_DONE ||
ssl->options.acceptState == TLS13_SERVER_EXTENSIONS_SENT ||
ssl->options.acceptState == TLS13_CERT_REQ_SENT ||
ssl->options.acceptState == TLS13_CERT_SENT ||
ssl->options.acceptState == TLS13_CERT_VERIFY_SENT ||
ssl->options.acceptState == TLS13_ACCEPT_FINISHED_SENT ||
ssl->options.acceptState == TLS13_ACCEPT_FINISHED_DONE);
#ifdef WOLFSSL_DTLS13
/* DTLS: a flush of fragments or ACK/retransmit data is not a state end. */
if (ssl->options.dtls)
advanceState = advanceState && !ssl->dtls13SendingFragments
&& !ssl->dtls13SendingAckOrRtx;
#endif
ret = SendBuffered(ssl);
if (ret == 0) {
/* Only advance once the whole message has gone out. */
if (ssl->fragOffset == 0 && !ssl->options.buildingMsg) {
if (advanceState) {
ssl->options.acceptState++;
WOLFSSL_MSG("accept state: "
"Advanced from last buffered fragment send");
#ifdef WOLFSSL_ASYNC_IO
FreeAsyncCtx(ssl, 0);
#endif
}
}
else {
WOLFSSL_MSG("accept state: "
"Not advanced, more fragments to send");
}
#ifdef WOLFSSL_DTLS13
if (ssl->options.dtls)
ssl->dtls13SendingAckOrRtx = 0;
#endif
}
else {
ssl->error = ret;
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
}
/* A previously queued alert must be delivered before continuing. */
ret = RetrySendAlert(ssl);
if (ret != 0) {
ssl->error = ret;
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
#ifdef WOLFSSL_DTLS13
/* Finish sending an in-progress fragmented DTLS message, then move on. */
if (ssl->options.dtls && ssl->dtls13SendingFragments) {
if ((ssl->error = Dtls13FragmentsContinue(ssl)) != 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
ssl->options.acceptState++;
}
#endif
/* Each case ends with FALL_THROUGH so a single call runs as many states as
 * the available input allows; a ProcessReply/Send failure returns with the
 * state left where it was so the caller can retry. */
switch (ssl->options.acceptState) {
#ifdef HAVE_SECURE_RENEGOTIATION
case TLS13_ACCEPT_BEGIN_RENEG:
#endif
case TLS13_ACCEPT_BEGIN :
/* Read records until the ClientHello has been fully processed. */
while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
if ((ssl->error = ProcessReply(ssl)) < 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
#ifdef WOLFSSL_DTLS13
if (ssl->options.dtls) {
if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
}
#endif
}
ssl->options.acceptState = TLS13_ACCEPT_CLIENT_HELLO_DONE;
WOLFSSL_MSG("accept state ACCEPT_CLIENT_HELLO_DONE");
/* The ClientHello may have negotiated a version below 1.3; hand the
 * rest of the handshake to the generic accept path in that case. */
if (!IsAtLeastTLSv1_3(ssl->version))
return wolfSSL_accept(ssl);
FALL_THROUGH;
case TLS13_ACCEPT_CLIENT_HELLO_DONE :
/* Send HelloRetryRequest if ClientHello processing asked for one. */
if (ssl->options.serverState ==
SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
if ((ssl->error = SendTls13ServerHello(ssl,
hello_retry_request)) != 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
}
ssl->options.acceptState = TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE;
WOLFSSL_MSG("accept state ACCEPT_HELLO_RETRY_REQUEST_DONE");
FALL_THROUGH;
case TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE :
#ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
/* Middlebox compatibility: a dummy ChangeCipherSpec after the HRR. */
if (!ssl->options.dtls && ssl->options.tls13MiddleBoxCompat
&& ssl->options.serverState ==
SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
if ((ssl->error = SendChangeCipher(ssl)) != 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
ssl->options.sentChangeCipher = 1;
/* NOTE(review): serverState already equals this value (checked in
 * the condition above); the assignment looks redundant. */
ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
}
#endif
ssl->options.acceptState = TLS13_ACCEPT_FIRST_REPLY_DONE;
WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE");
FALL_THROUGH;
case TLS13_ACCEPT_FIRST_REPLY_DONE :
/* After an HRR, wait for the client's second ClientHello. */
if (ssl->options.serverState ==
SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
ssl->options.clientState = CLIENT_HELLO_RETRY;
while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
if ((ssl->error = ProcessReply(ssl)) < 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
#ifdef WOLFSSL_DTLS13
if (ssl->options.dtls) {
if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
}
#endif
}
}
ssl->options.acceptState = TLS13_ACCEPT_SECOND_REPLY_DONE;
WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE");
FALL_THROUGH;
case TLS13_ACCEPT_SECOND_REPLY_DONE :
/* returnOnGoodCh: stop after a good ClientHello and report WANT_WRITE
 * so the application regains control before the ServerHello goes out
 * (presumably so it can inspect the ClientHello -- confirm). */
if (ssl->options.returnOnGoodCh) {
ssl->error = WANT_WRITE;
return WOLFSSL_FATAL_ERROR;
}
if ((ssl->error = SendTls13ServerHello(ssl, server_hello)) != 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
ssl->options.acceptState = TLS13_SERVER_HELLO_SENT;
WOLFSSL_MSG("accept state SERVER_HELLO_SENT");
FALL_THROUGH;
case TLS13_SERVER_HELLO_SENT :
#if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
/* Middlebox compatibility: dummy ChangeCipherSpec after ServerHello,
 * unless one was already sent with the HRR.
 * NOTE(review): `!ssl->options.dtls` appears twice in this condition. */
if (!ssl->options.dtls && ssl->options.tls13MiddleBoxCompat
&& !ssl->options.sentChangeCipher && !ssl->options.dtls) {
if ((ssl->error = SendChangeCipher(ssl)) != 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
ssl->options.sentChangeCipher = 1;
}
#endif
ssl->options.acceptState = TLS13_ACCEPT_THIRD_REPLY_DONE;
WOLFSSL_MSG("accept state ACCEPT_THIRD_REPLY_DONE");
FALL_THROUGH;
case TLS13_ACCEPT_THIRD_REPLY_DONE :
#ifdef HAVE_SUPPORTED_CURVES
/* Derive the key-share secret, unless this is PSK-only key exchange
 * (noPskDheKe) in which case there is no key share to combine. */
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
if (!ssl->options.noPskDheKe)
#endif
{
ssl->error = TLSX_KeyShare_DeriveSecret(ssl);
if (ssl->error != 0)
return WOLFSSL_FATAL_ERROR;
}
#endif
if ((ssl->error = SendTls13EncryptedExtensions(ssl)) != 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
ssl->options.acceptState = TLS13_SERVER_EXTENSIONS_SENT;
WOLFSSL_MSG("accept state SERVER_EXTENSIONS_SENT");
FALL_THROUGH;
case TLS13_SERVER_EXTENSIONS_SENT :
#ifndef NO_CERTS
/* Full handshake only: request a client certificate when peer
 * verification is on (and not deferred to post-handshake auth).
 * When no certificate is requested, peer auth is considered done. */
if (!ssl->options.resuming) {
if (ssl->options.verifyPeer
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
&& !ssl->options.verifyPostHandshake
#endif
) {
ssl->error = SendTls13CertificateRequest(ssl, NULL, 0);
if (ssl->error != 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
}
else {
ssl->options.peerAuthGood = 1;
}
}
#endif
ssl->options.acceptState = TLS13_CERT_REQ_SENT;
WOLFSSL_MSG("accept state CERT_REQ_SENT");
FALL_THROUGH;
case TLS13_CERT_REQ_SENT :
#ifndef NO_CERTS
/* Full handshake with certificate authentication: send Certificate. */
if (!ssl->options.resuming && ssl->options.sendVerify) {
if ((ssl->error = SendTls13Certificate(ssl)) != 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
}
#endif
ssl->options.acceptState = TLS13_CERT_SENT;
WOLFSSL_MSG("accept state CERT_SENT");
FALL_THROUGH;
case TLS13_CERT_SENT :
#if !defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \
defined(HAVE_ED25519) || defined(HAVE_ED448) || defined(HAVE_FALCON) || \
defined(HAVE_DILITHIUM))
/* ... followed by CertificateVerify over the transcript. */
if (!ssl->options.resuming && ssl->options.sendVerify) {
if ((ssl->error = SendTls13CertificateVerify(ssl)) != 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
}
#endif
ssl->options.acceptState = TLS13_CERT_VERIFY_SENT;
WOLFSSL_MSG("accept state CERT_VERIFY_SENT");
FALL_THROUGH;
case TLS13_CERT_VERIFY_SENT :
if ((ssl->error = SendTls13Finished(ssl)) != 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
ssl->options.acceptState = TLS13_ACCEPT_FINISHED_SENT;
WOLFSSL_MSG("accept state ACCEPT_FINISHED_SENT");
FALL_THROUGH;
case TLS13_ACCEPT_FINISHED_SENT:
#ifdef WOLFSSL_EARLY_DATA
/* Early data: return to the caller once, right after the server
 * Finished, so early application data can be read before the client
 * Finished is processed (see wolfSSL_read_early_data). */
if (ssl->earlyData != no_early_data &&
ssl->options.handShakeState != SERVER_FINISHED_COMPLETE) {
ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
return WOLFSSL_SUCCESS;
}
#endif
#ifdef HAVE_SESSION_TICKET
#ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
/* Optional: issue one ticket before the client Finished arrives, but
 * not when the client still has to authenticate. */
if (!ssl->options.verifyPeer && !ssl->options.noTicketTls13 &&
ssl->ctx->ticketEncCb != NULL) {
if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
ssl->options.ticketsSent = 1;
}
#endif
#endif
ssl->options.acceptState = TLS13_PRE_TICKET_SENT;
/* NOTE(review): the log text says TICKET_SENT but the state set above is
 * TLS13_PRE_TICKET_SENT; TLS13_TICKET_SENT logs the same text below. */
WOLFSSL_MSG("accept state TICKET_SENT");
FALL_THROUGH;
case TLS13_PRE_TICKET_SENT :
/* Read the client's second flight (Certificate/CertificateVerify if
 * requested, then Finished). */
while (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) {
if ( (ssl->error = ProcessReply(ssl)) < 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
#ifdef WOLFSSL_DTLS13
if (ssl->options.dtls) {
if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
}
#endif
}
ssl->options.acceptState = TLS13_ACCEPT_FINISHED_DONE;
WOLFSSL_MSG("accept state ACCEPT_FINISHED_DONE");
FALL_THROUGH;
case TLS13_ACCEPT_FINISHED_DONE :
/* Client authentication gate. A client that sent no certificate is
 * accepted only when failNoCert is clear; with failNoCert set (or a
 * certificate that failed verification) peerAuthGood stays 0 and the
 * handshake is refused. Applications that require client certificates
 * therefore need failNoCert set, not just verifyPeer. */
if (!ssl->options.resuming && ssl->options.verifyPeer &&
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
!ssl->options.verifyPostHandshake &&
#endif
!ssl->options.havePeerCert && !ssl->options.failNoCert) {
ssl->options.peerAuthGood = 1;
}
if (!ssl->options.peerAuthGood) {
/* NOTE(review): ssl->error is not set on this failure path, unlike
 * the other fatal returns in this function. */
WOLFSSL_MSG("Client authentication did not happen");
return WOLFSSL_FATAL_ERROR;
}
#ifdef HAVE_SESSION_TICKET
/* Issue up to maxTicketTls13 session tickets (ticketsSent counts any
 * sent before Finished); a resumed session gets at most one more. */
while (ssl->options.ticketsSent < ssl->options.maxTicketTls13) {
if (!ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb
!= NULL) {
if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
}
ssl->options.ticketsSent++;
if (ssl->options.resuming) {
break;
}
}
#endif
ssl->options.acceptState = TLS13_TICKET_SENT;
WOLFSSL_MSG("accept state TICKET_SENT");
FALL_THROUGH;
case TLS13_TICKET_SENT :
#ifndef NO_HANDSHAKE_DONE_CB
/* Application hook; a negative result aborts the accept. */
if (ssl->hsDoneCb) {
int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
if (cbret < 0) {
ssl->error = cbret;
WOLFSSL_MSG("HandShake Done Cb don't continue error");
return WOLFSSL_FATAL_ERROR;
}
}
#endif
/* Release handshake-only memory unless the application asked to keep it. */
if (!ssl->options.keepResources) {
FreeHandshakeResources(ssl);
}
#if defined(WOLFSSL_ASYNC_IO) && !defined(WOLFSSL_ASYNC_CRYPT)
FreeAsyncCtx(ssl, 1);
#endif
ssl->error = 0;
/* NOTE(review): LEAVE names "wolfSSL_accept" while ENTER used
 * "wolfSSL_accept_TLSv13". */
WOLFSSL_LEAVE("wolfSSL_accept", WOLFSSL_SUCCESS);
return WOLFSSL_SUCCESS;
default:
WOLFSSL_MSG("Unknown accept state ERROR");
return WOLFSSL_FATAL_ERROR;
}
}
#endif
#if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SESSION_TICKET)
/* Send one NewSessionTicket on an established TLS 1.3 server connection.
 *
 * ssl  server-side connection with the handshake already done
 *
 * Returns BAD_FUNC_ARG for a NULL or pre-1.3 connection, SIDE_ERROR on a
 * client, NOT_READY_ERROR before HANDSHAKE_DONE, WOLFSSL_FATAL_ERROR if the
 * ticket could not be sent (reason in ssl->error), else WOLFSSL_SUCCESS with
 * ssl->options.ticketsSent incremented. */
int wolfSSL_send_SessionTicket(WOLFSSL* ssl)
{
    int err;

    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) {
        return BAD_FUNC_ARG;
    }
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        return SIDE_ERROR;
    }
    if (ssl->options.handShakeState != HANDSHAKE_DONE) {
        return NOT_READY_ERROR;
    }

    err = SendTls13NewSessionTicket(ssl);
    ssl->error = err;
    if (err != 0) {
        WOLFSSL_ERROR(err);
        return WOLFSSL_FATAL_ERROR;
    }

    ssl->options.ticketsSent++;
    return WOLFSSL_SUCCESS;
}
#endif
#ifdef WOLFSSL_EARLY_DATA
/* Set the maximum amount of early data a server context will advertise.
 *
 * ctx  server context created with a TLS 1.3 method
 * sz   limit stored in ctx->maxEarlyDataSz
 *
 * Returns BAD_FUNC_ARG for a NULL or pre-1.3 context, SIDE_ERROR for a client
 * method, otherwise WOLFSSL_SUCCESS (OpenSSL-compatible builds) or 0. */
int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz)
{
    int ret;

    if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) {
        ret = BAD_FUNC_ARG;
    }
    else if (ctx->method->side == WOLFSSL_CLIENT_END) {
        ret = SIDE_ERROR;
    }
    else {
        ctx->maxEarlyDataSz = sz;
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_ERROR_CODE_OPENSSL)
        ret = WOLFSSL_SUCCESS;
#else
        ret = 0;
#endif
    }

    return ret;
}
/* Set the maximum amount of early data for a single connection.
 *
 * ssl  TLS 1.3 connection (either side; no side check is made here)
 * sz   limit stored in ssl->options.maxEarlyDataSz
 *
 * Returns BAD_FUNC_ARG for a NULL or pre-1.3 connection, otherwise
 * WOLFSSL_SUCCESS (OpenSSL-compatible builds) or 0. */
int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz)
{
    int ret;

    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) {
        ret = BAD_FUNC_ARG;
    }
    else {
        ssl->options.maxEarlyDataSz = sz;
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_ERROR_CODE_OPENSSL)
        ret = WOLFSSL_SUCCESS;
#else
        ret = 0;
#endif
    }

    return ret;
}
/* Read back the early-data limit of a server context.
 *
 * ctx  server context created with a TLS 1.3 method
 *
 * Returns BAD_FUNC_ARG for a NULL or pre-1.3 context, SIDE_ERROR for a client
 * method, otherwise ctx->maxEarlyDataSz. */
int wolfSSL_CTX_get_max_early_data(WOLFSSL_CTX* ctx)
{
    int ret;

    if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) {
        ret = BAD_FUNC_ARG;
    }
    else if (ctx->method->side == WOLFSSL_CLIENT_END) {
        ret = SIDE_ERROR;
    }
    else {
        ret = ctx->maxEarlyDataSz;
    }

    return ret;
}
/* Read back the early-data limit of a connection.
 *
 * ssl  TLS 1.3 connection
 *
 * Returns BAD_FUNC_ARG for a NULL or pre-1.3 connection, otherwise
 * ssl->options.maxEarlyDataSz. */
int wolfSSL_get_max_early_data(WOLFSSL* ssl)
{
    if (ssl != NULL && IsAtLeastTLSv1_3(ssl->version)) {
        return ssl->options.maxEarlyDataSz;
    }
    return BAD_FUNC_ARG;
}
/* Client side: send early (0-RTT) application data. On the first call the
 * connection is marked as expecting early data and the TLS 1.3 connect is
 * started; while the handshake is at CLIENT_HELLO_COMPLETE the data is sent.
 *
 * ssl    client connection
 * data   bytes to send
 * sz     number of bytes in data (must be >= 0)
 * outSz  receives the number of bytes actually sent (0 if nothing was sent)
 *
 * Returns BAD_FUNC_ARG for bad arguments or a pre-1.3 connection, SIDE_ERROR
 * on a server (or when the client side is compiled out), BAD_STATE_E when
 * early data is not possible, WOLFSSL_FATAL_ERROR on a connect/send failure
 * (with OPENSSL_EXTRA also when the session's early-data limit would be
 * exceeded, ssl->error = TOO_MUCH_EARLY_DATA), otherwise a non-negative
 * count/status from the connect or send step. */
int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz)
{
    int ret = 0;

    WOLFSSL_ENTER("wolfSSL_write_early_data");

    if (ssl == NULL || data == NULL || outSz == NULL || sz < 0) {
        return BAD_FUNC_ARG;
    }
    if (!IsAtLeastTLSv1_3(ssl->version)) {
        return BAD_FUNC_ARG;
    }
    *outSz = 0;

#ifndef NO_WOLFSSL_CLIENT
    if (ssl->options.side == WOLFSSL_SERVER_END) {
        return SIDE_ERROR;
    }
    if (!EarlyDataPossible(ssl)) {
        return BAD_STATE_E;
    }

    if (ssl->options.handShakeState == NULL_STATE) {
        /* Only flag early data on a clean start, not on a retry after error. */
        if (ssl->error == 0) {
            ssl->earlyData = expecting_early_data;
        }
        ret = wolfSSL_connect_TLSv13(ssl);
        if (ret != WOLFSSL_SUCCESS) {
            return WOLFSSL_FATAL_ERROR;
        }
        /* Assume rejection until the server confirms acceptance. */
        ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED;
    }

    if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) {
        int sent;
#ifdef OPENSSL_EXTRA
        /* Enforce the session's advertised early-data limit, if any. */
        if (ssl->session->maxEarlyDataSz > 0 &&
            (ssl->earlyDataSz + sz > ssl->session->maxEarlyDataSz)) {
            ssl->error = TOO_MUCH_EARLY_DATA;
            return WOLFSSL_FATAL_ERROR;
        }
#endif
        sent = SendData(ssl, data, sz);
        if (sent > 0) {
            *outSz = sent;
            ssl->earlyDataSz += sent;
        }
        ret = sent;
    }
#else
    return SIDE_ERROR;
#endif

    WOLFSSL_LEAVE("wolfSSL_write_early_data", ret);
    return (ret < 0) ? WOLFSSL_FATAL_ERROR : ret;
}
/* Server side: receive early (0-RTT) application data from the client.
 * On the first call the connection is marked as expecting early data and
 * wolfSSL_accept() is run; it returns once the server Finished is out
 * (handShakeState == SERVER_FINISHED_COMPLETE), at which point early data
 * can be read here with clientInEarlyData set.
 *
 * ssl    server connection
 * data   buffer receiving the early data
 * sz     capacity of data in bytes (must be >= 0)
 * outSz  receives the number of bytes stored in data (0 if none)
 *
 * Returns BAD_FUNC_ARG for bad arguments or a pre-1.3 connection, SIDE_ERROR
 * on a client (or when the server side is compiled out), WOLFSSL_FATAL_ERROR
 * when the accept, receive or DTLS scheduled work fails, the number of bytes
 * read when > 0, and 0 otherwise (including when ReceiveData reports
 * APP_DATA_READY, or the handshake is not in the early-data phase). */
int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz)
{
int ret = 0;
WOLFSSL_ENTER("wolfSSL_read_early_data");
if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL)
return BAD_FUNC_ARG;
if (!IsAtLeastTLSv1_3(ssl->version))
return BAD_FUNC_ARG;
*outSz = 0;
#ifndef NO_WOLFSSL_SERVER
if (ssl->options.side == WOLFSSL_CLIENT_END)
return SIDE_ERROR;
if (ssl->options.handShakeState == NULL_STATE) {
/* Do not lower an earlyData state that is already past "expecting". */
if (ssl->earlyData < expecting_early_data)
ssl->earlyData = expecting_early_data;
ret = wolfSSL_accept(ssl);
if (ret <= 0)
return WOLFSSL_FATAL_ERROR;
}
if (ssl->options.handShakeState == SERVER_FINISHED_COMPLETE) {
/* clientInEarlyData is set only around the receive so records are
 * handled as early data just for this call. */
ssl->options.clientInEarlyData = 1;
ret = ReceiveData(ssl, (byte*)data, (size_t)sz, FALSE);
ssl->options.clientInEarlyData = 0;
if (ret > 0)
*outSz = ret;
/* APP_DATA_READY is not an error for the caller: clear it and report 0
 * bytes (presumably the early-data phase ended and regular application
 * data is now pending -- confirm against ReceiveData). */
if (ssl->error == WC_NO_ERR_TRACE(APP_DATA_READY)) {
ret = 0;
ssl->error = WOLFSSL_ERROR_NONE;
#ifdef WOLFSSL_DTLS13
if (ssl->options.dtls) {
ret = Dtls13DoScheduledWork(ssl);
if (ret < 0) {
ssl->error = ret;
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
}
#endif
}
}
#ifdef WOLFSSL_DTLS13
/* Not in the early-data phase but a DTLS ACK/retransmit is pending: flush
 * it now rather than reading. */
else if (ssl->buffers.outputBuffer.length > 0 &&
ssl->options.dtls && ssl->dtls13SendingAckOrRtx) {
ret = SendBuffered(ssl);
if (ret == 0) {
ssl->dtls13SendingAckOrRtx = 0;
}
else {
ssl->error = ret;
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
}
#endif
else
ret = 0;
#else
return SIDE_ERROR;
#endif
WOLFSSL_LEAVE("wolfSSL_read_early_data", ret);
if (ret < 0)
ret = WOLFSSL_FATAL_ERROR;
return ret;
}
/* Report whether the peer accepted or rejected early data.
 *
 * ssl  TLS 1.3 connection
 *
 * Returns BAD_FUNC_ARG for a NULL or pre-1.3 connection, otherwise the value
 * of ssl->earlyDataStatus. */
int wolfSSL_get_early_data_status(const WOLFSSL* ssl)
{
    if (ssl != NULL && IsAtLeastTLSv1_3(ssl->version)) {
        return ssl->earlyDataStatus;
    }
    return BAD_FUNC_ARG;
}
#endif
#ifdef HAVE_SECRET_CALLBACK
/* Register a callback invoked with TLS 1.3 secrets as they are derived
 * (see tls13ShowSecrets below for the key-log style use). Whatever the
 * callback does with the secrets, it is handling live key material.
 *
 * ssl  connection to attach the callback to
 * cb   callback stored in ssl->tls13SecretCb
 * ctx  opaque pointer stored in ssl->tls13SecretCtx and handed to cb
 *
 * Returns WOLFSSL_FATAL_ERROR when ssl is NULL, otherwise WOLFSSL_SUCCESS. */
int wolfSSL_set_tls13_secret_cb(WOLFSSL* ssl, Tls13SecretCb cb, void* ctx)
{
    int ret = WOLFSSL_FATAL_ERROR;

    WOLFSSL_ENTER("wolfSSL_set_tls13_secret_cb");

    if (ssl != NULL) {
        ssl->tls13SecretCb = cb;
        ssl->tls13SecretCtx = ctx;
        ret = WOLFSSL_SUCCESS;
    }

    return ret;
}
#if defined(SHOW_SECRETS) && defined(WOLFSSL_SSLKEYLOGFILE)
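/* Append one TLS 1.3 secret to the key-log output as
 * "<LABEL> <client_random hex> <secret hex>\n" (NSS SSLKEYLOGFILE layout).
 *
 * Debug build only (SHOW_SECRETS && WOLFSSL_SSLKEYLOGFILE). Anyone who can
 * read the destination can decrypt the session, so the key-log file (or
 * stderr when WOLFSSL_SSLKEYLOGFILE_OUTPUT is unset) must be protected.
 *
 * ssl       connection the secret belongs to; its client random is logged
 * id        which secret this is; one of the *_SECRET ids in the switch
 * secret    secret bytes (secretSz of them)
 * secretSz  length of secret
 * ctx       unused callback context
 *
 * Returns 0 on success, BAD_FUNC_ARG when arguments are invalid, the log
 * cannot be opened, the client random cannot be read, or id is unknown.
 *
 * Fixes: the file opened with XFOPEN was leaked on the "client random"
 * failure path; the error message named the server random; a garbled
 * "#if 0#endif" line that broke preprocessing is removed. */
int tls13ShowSecrets(WOLFSSL* ssl, int id, const unsigned char* secret,
                     int secretSz, void* ctx)
{
    int ret = BAD_FUNC_ARG;
    int i;
    const char* label = NULL;
    byte clientRandom[RAN_LEN];
    int clientRandomSz;
    XFILE fp;

    (void)ctx;

    if (ssl == NULL || (secretSz > 0 && secret == NULL)) {
        return BAD_FUNC_ARG;
    }

#ifdef WOLFSSL_SSLKEYLOGFILE_OUTPUT
    fp = XFOPEN(WOLFSSL_SSLKEYLOGFILE_OUTPUT, "ab");
    if (fp == XBADFILE) {
        return BAD_FUNC_ARG;
    }
#else
    fp = stderr;
#endif

    clientRandomSz = (int)wolfSSL_get_client_random(ssl, clientRandom,
                                                    sizeof(clientRandom));
    if (clientRandomSz <= 0) {
        printf("Error getting client random %d\n", clientRandomSz);
        goto out;    /* ret is BAD_FUNC_ARG; fp is closed at out */
    }

    switch (id) {
        case CLIENT_EARLY_TRAFFIC_SECRET:
            label = "CLIENT_EARLY_TRAFFIC_SECRET"; break;
        case EARLY_EXPORTER_SECRET:
            label = "EARLY_EXPORTER_SECRET"; break;
        case CLIENT_HANDSHAKE_TRAFFIC_SECRET:
            label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; break;
        case SERVER_HANDSHAKE_TRAFFIC_SECRET:
            label = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; break;
        case CLIENT_TRAFFIC_SECRET:
            label = "CLIENT_TRAFFIC_SECRET_0"; break;
        case SERVER_TRAFFIC_SECRET:
            label = "SERVER_TRAFFIC_SECRET_0"; break;
        case EXPORTER_SECRET:
            label = "EXPORTER_SECRET"; break;
        default:
            /* Unknown id: nothing is written, ret stays BAD_FUNC_ARG. */
            goto out;
    }

    fprintf(fp, "%s ", label);
    for (i = 0; i < clientRandomSz; i++) {
        fprintf(fp, "%02x", clientRandom[i]);
    }
    fprintf(fp, " ");
    for (i = 0; i < secretSz; i++) {
        fprintf(fp, "%02x", secret[i]);
    }
    fprintf(fp, "\n");
    ret = 0;

out:
#ifdef WOLFSSL_SSLKEYLOGFILE_OUTPUT
    XFCLOSE(fp);
#endif
    return ret;
}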
#endif
#endif
#undef ERROR_OUT
#endif
#endif