Xuyi Wang / wolfSSL

Dependents:   OS

Committer:
wolfSSL
Date:
Tue Aug 22 10:47:28 2017 +0000
Revision:
12:1a06964c2adb
wolfSSL 3.12.0

Who changed what in which revision?

User | Revision | Line number | New contents of line
wolfSSL 12:1a06964c2adb 1 /* tls13.c
wolfSSL 12:1a06964c2adb 2 *
wolfSSL 12:1a06964c2adb 3 * Copyright (C) 2006-2016 wolfSSL Inc.
wolfSSL 12:1a06964c2adb 4 *
wolfSSL 12:1a06964c2adb 5 * This file is part of wolfSSL.
wolfSSL 12:1a06964c2adb 6 *
wolfSSL 12:1a06964c2adb 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 12:1a06964c2adb 8 * it under the terms of the GNU General Public License as published by
wolfSSL 12:1a06964c2adb 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 12:1a06964c2adb 10 * (at your option) any later version.
wolfSSL 12:1a06964c2adb 11 *
wolfSSL 12:1a06964c2adb 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 12:1a06964c2adb 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 12:1a06964c2adb 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 12:1a06964c2adb 15 * GNU General Public License for more details.
wolfSSL 12:1a06964c2adb 16 *
wolfSSL 12:1a06964c2adb 17 * You should have received a copy of the GNU General Public License
wolfSSL 12:1a06964c2adb 18 * along with this program; if not, write to the Free Software
wolfSSL 12:1a06964c2adb 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 12:1a06964c2adb 20 */
wolfSSL 12:1a06964c2adb 21
wolfSSL 12:1a06964c2adb 22
wolfSSL 12:1a06964c2adb 23 /*
wolfSSL 12:1a06964c2adb 24 * WOLFSSL_TLS13_DRAFT_18
wolfSSL 12:1a06964c2adb 25 * Conform with Draft 18 of the TLS v1.3 specification.
wolfSSL 12:1a06964c2adb 26 * WOLFSSL_EARLY_DATA
wolfSSL 12:1a06964c2adb 27 * Allow 0-RTT Handshake using Early Data extensions and handshake message
wolfSSL 12:1a06964c2adb 28 * WOLFSSL_POST_HANDSHAKE_AUTH
wolfSSL 12:1a06964c2adb 29 * Allow TLS v1.3 code to perform post-handshake authentication of the
wolfSSL 12:1a06964c2adb 30 * client.
wolfSSL 12:1a06964c2adb 31 * WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
wolfSSL 12:1a06964c2adb 32 * Allow a NewSessionTicket message to be sent by server before Client's
wolfSSL 12:1a06964c2adb 33 * Finished message.
wolfSSL 12:1a06964c2adb 34 * See TLS v1.3 specification, Section 4.6.1, Paragraph 4 (Note).
wolfSSL 12:1a06964c2adb 35 * TLS13_SUPPORTS_EXPORTERS
wolfSSL 12:1a06964c2adb 36 * Guard to compile out any code for exporter keys.
wolfSSL 12:1a06964c2adb 37 * Feature not supported yet.
wolfSSL 12:1a06964c2adb 38 */
wolfSSL 12:1a06964c2adb 39
wolfSSL 12:1a06964c2adb 40 #ifdef HAVE_CONFIG_H
wolfSSL 12:1a06964c2adb 41 #include <config.h>
wolfSSL 12:1a06964c2adb 42 #endif
wolfSSL 12:1a06964c2adb 43
wolfSSL 12:1a06964c2adb 44 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 12:1a06964c2adb 45
wolfSSL 12:1a06964c2adb 46 #ifdef WOLFSSL_TLS13
wolfSSL 12:1a06964c2adb 47 #ifdef HAVE_SESSION_TICKET
wolfSSL 12:1a06964c2adb 48 #include <sys/time.h>
wolfSSL 12:1a06964c2adb 49 #endif
wolfSSL 12:1a06964c2adb 50
wolfSSL 12:1a06964c2adb 51 #ifndef WOLFCRYPT_ONLY
wolfSSL 12:1a06964c2adb 52
wolfSSL 12:1a06964c2adb 53 #ifdef HAVE_ERRNO_H
wolfSSL 12:1a06964c2adb 54 #include <errno.h>
wolfSSL 12:1a06964c2adb 55 #endif
wolfSSL 12:1a06964c2adb 56
wolfSSL 12:1a06964c2adb 57 #include <wolfssl/internal.h>
wolfSSL 12:1a06964c2adb 58 #include <wolfssl/error-ssl.h>
wolfSSL 12:1a06964c2adb 59 #include <wolfssl/wolfcrypt/asn.h>
wolfSSL 12:1a06964c2adb 60 #include <wolfssl/wolfcrypt/dh.h>
wolfSSL 12:1a06964c2adb 61 #ifdef NO_INLINE
wolfSSL 12:1a06964c2adb 62 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 12:1a06964c2adb 63 #else
wolfSSL 12:1a06964c2adb 64 #define WOLFSSL_MISC_INCLUDED
wolfSSL 12:1a06964c2adb 65 #include <wolfcrypt/src/misc.c>
wolfSSL 12:1a06964c2adb 66 #endif
wolfSSL 12:1a06964c2adb 67
wolfSSL 12:1a06964c2adb 68 #ifdef HAVE_NTRU
wolfSSL 12:1a06964c2adb 69 #include "libntruencrypt/ntru_crypto.h"
wolfSSL 12:1a06964c2adb 70 #endif
wolfSSL 12:1a06964c2adb 71
wolfSSL 12:1a06964c2adb 72 #if defined(DEBUG_WOLFSSL) || defined(WOLFSSL_DEBUG) || \
wolfSSL 12:1a06964c2adb 73 defined(CHACHA_AEAD_TEST) || defined(WOLFSSL_SESSION_EXPORT_DEBUG)
wolfSSL 12:1a06964c2adb 74 #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 12:1a06964c2adb 75 #if MQX_USE_IO_OLD
wolfSSL 12:1a06964c2adb 76 #include <fio.h>
wolfSSL 12:1a06964c2adb 77 #else
wolfSSL 12:1a06964c2adb 78 #include <nio.h>
wolfSSL 12:1a06964c2adb 79 #endif
wolfSSL 12:1a06964c2adb 80 #else
wolfSSL 12:1a06964c2adb 81 #include <stdio.h>
wolfSSL 12:1a06964c2adb 82 #endif
wolfSSL 12:1a06964c2adb 83 #endif
wolfSSL 12:1a06964c2adb 84
wolfSSL 12:1a06964c2adb 85 #ifdef __sun
wolfSSL 12:1a06964c2adb 86 #include <sys/filio.h>
wolfSSL 12:1a06964c2adb 87 #endif
wolfSSL 12:1a06964c2adb 88
wolfSSL 12:1a06964c2adb 89 #ifndef TRUE
wolfSSL 12:1a06964c2adb 90 #define TRUE 1
wolfSSL 12:1a06964c2adb 91 #endif
wolfSSL 12:1a06964c2adb 92 #ifndef FALSE
wolfSSL 12:1a06964c2adb 93 #define FALSE 0
wolfSSL 12:1a06964c2adb 94 #endif
wolfSSL 12:1a06964c2adb 95
/* Store an error code in the local variable 'ret' and branch to a label.
 *
 * err     The error value to store in ret.
 * eLabel  The label to jump to.
 *
 * NOTE(review): the expansion is a bare brace block, not do { } while (0).
 * Written as "if (x) ERROR_OUT(e, l); else ..." the trailing semicolon ends
 * the if statement and the else no longer attaches; brace the enclosing
 * branch when using this macro.
 */
#define ERROR_OUT(err, eLabel) \
    {                          \
        ret = (err);           \
        goto eLabel;           \
    }
wolfSSL 12:1a06964c2adb 102
wolfSSL 12:1a06964c2adb 103
wolfSSL 12:1a06964c2adb 104 #ifndef WOLFSSL_HAVE_MIN
wolfSSL 12:1a06964c2adb 105 #define WOLFSSL_HAVE_MIN
/* Pick the smaller of two unsigned 32-bit values.
 *
 * a  First value.
 * b  Second value.
 * returns b when it is strictly less than a, otherwise a.
 */
static INLINE word32 min(word32 a, word32 b)
{
    if (b < a)
        return b;

    return a;
}
wolfSSL 12:1a06964c2adb 116 #endif /* WOLFSSL_HAVE_MIN */
wolfSSL 12:1a06964c2adb 117
/* Encode a 16-bit integer as two bytes, most significant byte first.
 *
 * u16  Unsigned 16-bit value.
 * c    The buffer to write to. Two bytes are written and no length is
 *      checked here, so the caller must guarantee the space.
 */
static INLINE void c16toa(word16 u16, byte* c)
{
    const byte hi = (u16 >> 8) & 0xff;
    const byte lo = u16 & 0xff;

    c[0] = hi;
    c[1] = lo;
}
wolfSSL 12:1a06964c2adb 128
/* Encode a 32-bit integer as four bytes, most significant byte first.
 *
 * u32  Unsigned 32-bit value.
 * c    The buffer to write to. Four bytes are written and no length is
 *      checked here, so the caller must guarantee the space.
 */
static INLINE void c32toa(word32 u32, byte* c)
{
    int i;

    /* Walk from the top byte (shift 24) down to the bottom byte (shift 0). */
    for (i = 0; i < 4; i++)
        c[i] = (u32 >> (24 - 8 * i)) & 0xff;
}
wolfSSL 12:1a06964c2adb 141
wolfSSL 12:1a06964c2adb 142
/* Decode a 24-bit big-endian quantity into a 32-bit value.
 *
 * u24  The opaque data holding a 24-bit integer (three bytes are read).
 * u32  Receives the decoded unsigned 32-bit value.
 */
static INLINE void c24to32(const word24 u24, word32* u32)
{
    word32 val;

    val  = u24[0] << 16;
    val |= u24[1] << 8;
    val |= u24[2];

    *u32 = val;
}
wolfSSL 12:1a06964c2adb 152
wolfSSL 12:1a06964c2adb 153
/* Decode two big-endian bytes into a 16-bit value.
 *
 * c    The opaque data; c[0] and c[1] are read with no length check, so the
 *      caller must have validated that two bytes are available.
 * u16  Receives the decoded unsigned 16-bit value.
 */
static INLINE void ato16(const byte* c, word16* u16)
{
    const int hi = c[0] << 8;
    const int lo = c[1];

    *u16 = (word16)(hi | lo);
}
wolfSSL 12:1a06964c2adb 163
wolfSSL 12:1a06964c2adb 164 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:1a06964c2adb 165 #ifdef HAVE_SESSION_TICKET
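/* Decode four big-endian bytes into a 32-bit value.
 *
 * Compiled only for client builds with session ticket support.
 *
 * c    The opaque data; c[0]..c[3] are read with no length check, so the
 *      caller must have validated that four bytes are available.
 * u32  Receives the decoded unsigned 32-bit value.
 */
static INLINE void ato32(const byte* c, word32* u32)
{
    /* Widen each byte to word32 before shifting. A plain byte promotes to
     * signed int, and shifting a value >= 0x80 left by 24 overflows int,
     * which is undefined behaviour. */
    *u32 = ((word32)c[0] << 24) | ((word32)c[1] << 16) |
           ((word32)c[2] <<  8) |  (word32)c[3];
}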
wolfSSL 12:1a06964c2adb 175 #endif
wolfSSL 12:1a06964c2adb 176 #endif
wolfSSL 12:1a06964c2adb 177
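/* Extract a pseudorandom key using HMAC, salt and input keying material.
 * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
 *
 * prk      The generated pseudorandom key.
 * salt     The salt.
 * saltLen  The length of the salt.
 * ikm      The input keying material. When ikmLen is 0 this buffer is
 *          overwritten with one digest length of zeros, so it must be
 *          writable and at least that long.
 * ikmLen   The length of the input keying material.
 * mac      The type of digest to use.
 * returns 0 on success, BAD_FUNC_ARG when the digest is not one of the
 * algorithms compiled in, otherwise the failure from wc_HKDF_Extract.
 */
static int Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen,
                              byte* ikm, int ikmLen, int mac)
{
    int ret;
    int hash = 0;
    int len = 0;

    switch (mac) {
    #ifndef NO_SHA256
        case sha256_mac:
            hash = SHA256;
            len = SHA256_DIGEST_SIZE;
            break;
    #endif

    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            hash = SHA384;
            len = SHA384_DIGEST_SIZE;
            break;
    #endif

    /* Same guard as DeriveKeyMsg() and DeriveKey(). The previous spelling
     * (WOLFSSL_TLS13_TLS13_SHA512) matched no other use in this file, so a
     * SHA-512 build fell out of the switch with hash and len left at 0. */
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hash = SHA512;
            len = SHA512_DIGEST_SIZE;
            break;
    #endif

        default:
            /* Refuse to derive keys with an unselected digest: continuing
             * would hand wc_HKDF_Extract a digest id of 0 and a zero-length
             * IKM instead of failing the handshake. */
            return BAD_FUNC_ARG;
    }

    /* When length is 0 then use zeroed data of digest length. */
    if (ikmLen == 0) {
        ikmLen = len;
        XMEMSET(ikm, 0, len);
    }

    /* NOTE: WOLFSSL_DEBUG_TLS writes the salt, IKM and resulting PRK to the
     * log. These are key material; keep the option out of production
     * builds. */
#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("  Salt");
    WOLFSSL_BUFFER(salt, saltLen);
    WOLFSSL_MSG("  IKM");
    WOLFSSL_BUFFER(ikm, ikmLen);
#endif

    ret = wc_HKDF_Extract(hash, salt, saltLen, ikm, ikmLen, prk);

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("  PRK");
    WOLFSSL_BUFFER(prk, len);
#endif

    return ret;
}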
wolfSSL 12:1a06964c2adb 241
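/* Expand a secret into output key material using the HkdfLabel structure.
 * TLS v1.3 defines this function.
 *
 * The info block handed to HKDF-Expand is built as:
 *   2 bytes output length | 1 byte (protocolLen + labelLen) |
 *   protocol | label | 1 byte infoLen | info
 *
 * okm          The generated output key material.
 * okmLen       The number of bytes of output key material to generate.
 * prk          The pseudo-random key (secret) to expand.
 * prkLen       The length of the pseudo-random key.
 * protocol     The TLS protocol label.
 * protocolLen  The length of the TLS protocol label.
 * label        The label distinguishing the derived key.
 * labelLen     The length of the label.
 * info         The information to expand (hash of messages).
 * infoLen      The length of the information.
 * digest       The type of digest to use.
 * returns 0 on success, BAD_FUNC_ARG when a length does not fit its field or
 * the local buffer, otherwise the failure from wc_HKDF_Expand.
 */
static int HKDF_Expand_Label(byte* okm, word32 okmLen,
                             const byte* prk, word32 prkLen,
                             const byte* protocol, word32 protocolLen,
                             const byte* label, word32 labelLen,
                             const byte* info, word32 infoLen,
                             int digest)
{
    int    ret = 0;
    word32 idx = 0;
    byte   data[MAX_HKDF_LABEL_SZ];

    /* Every length is serialised into a fixed-width field (16 bits for the
     * output length, 8 bits for the others). Reject values that would be
     * silently truncated, since a truncated length changes which key is
     * derived. Checking the parts first also keeps the sums below from
     * wrapping. */
    if (okmLen > 0xffff || protocolLen > 0xff || labelLen > 0xff ||
            infoLen > 0xff || protocolLen + labelLen > 0xff) {
        return BAD_FUNC_ARG;
    }
    /* 2 bytes of output length plus 2 single-byte length fields, then the
     * three variable parts: all of it must fit in the stack buffer. */
    if (4 + protocolLen + labelLen + infoLen > (word32)sizeof(data))
        return BAD_FUNC_ARG;

    /* Output length. */
    data[idx++] = (byte)(okmLen >> 8);
    data[idx++] = (byte)okmLen;
    /* Length of protocol | label. */
    data[idx++] = (byte)(protocolLen + labelLen);
    /* Protocol */
    XMEMCPY(&data[idx], protocol, protocolLen);
    idx += protocolLen;
    /* Label */
    XMEMCPY(&data[idx], label, labelLen);
    idx += labelLen;
    /* Length of hash of messages */
    data[idx++] = (byte)infoLen;
    /* Hash of messages */
    XMEMCPY(&data[idx], info, infoLen);
    idx += infoLen;

    /* NOTE: WOLFSSL_DEBUG_TLS writes the PRK and the derived OKM to the log.
     * These are key material; keep the option out of production builds. */
#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("  PRK");
    WOLFSSL_BUFFER(prk, prkLen);
    WOLFSSL_MSG("  Info");
    WOLFSSL_BUFFER(data, idx);
#endif

    ret = wc_HKDF_Expand(digest, prk, prkLen, data, idx, okm, okmLen);

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("  OKM");
    WOLFSSL_BUFFER(okm, okmLen);
#endif

    /* Scrub the assembled label block before the stack frame is released. */
    ForceZero(data, idx);

    return ret;
}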
wolfSSL 12:1a06964c2adb 301
/* Protocol prefix placed in front of every label during key derivation.
 *
 * Draft 18 uses "TLS 1.3, " and every other build uses "tls13 ". Both peers
 * must be built for the same draft, because the prefix is part of the HKDF
 * input and a mismatch yields different keys.
 *
 * The array is one byte longer than TLS13_PROTOCOL_LABEL_SZ to hold the
 * string's NUL terminator; only TLS13_PROTOCOL_LABEL_SZ bytes are passed on
 * as the label.
 */
#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Length of the protocol label, terminator excluded. */
    #define TLS13_PROTOCOL_LABEL_SZ    6
    static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "tls13 ";
#else
    /* Length of the Draft 18 protocol label, terminator excluded. */
    #define TLS13_PROTOCOL_LABEL_SZ    9
    static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "TLS 1.3, ";
#endif
wolfSSL 12:1a06964c2adb 313
wolfSSL 12:1a06964c2adb 314 #if !defined(WOLFSSL_TLS13_DRAFT_18) || defined(HAVE_SESSION_TICKET) || \
wolfSSL 12:1a06964c2adb 315 !defined(NO_PSK)
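/* Derive a key from the hash of a message.
 *
 * The message is hashed with the selected algorithm and the digest is used
 * as the context of HKDF_Expand_Label.
 *
 * ssl        The SSL/TLS object.
 * output     The buffer to hold the derived key.
 * outputLen  The length of the derived key, or -1 for one digest length.
 * secret     The secret used to derive the key (HMAC secret). One digest
 *            length of bytes is read from it.
 * label      The label used to distinguish the context.
 * labelLen   The length of the label.
 * msg        The message data to derive key from.
 * msgLen     The length of the message data to derive key from.
 * hashAlgo   The hash algorithm to use in the HMAC.
 * returns 0 on success, BAD_FUNC_ARG for an unsupported hash algorithm or a
 * negative output length, VERSION_ERROR for a protocol version other than
 * TLS v1.3, otherwise failure.
 */
static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen,
                        const byte* secret, const byte* label, word32 labelLen,
                        byte* msg, int msgLen, int hashAlgo)
{
    byte        hash[MAX_DIGEST_SIZE];
    Digest      digest;
    word32      hashSz = 0;
    const byte* protocol;
    word32      protocolLen;
    int         digestAlg = 0;
    int         ret = BAD_FUNC_ARG;

    switch (hashAlgo) {
    /* NO_SHA256 is the guard Tls13_HKDF_Extract() and DeriveKey() use for
     * this case; the previous NO_WOLFSSL_SHA256 matched neither of them. */
    #ifndef NO_SHA256
        case sha256_mac:
            ret = wc_InitSha256_ex(&digest.sha256, ssl->heap, INVALID_DEVID);
            if (ret == 0) {
                ret = wc_Sha256Update(&digest.sha256, msg, msgLen);
                if (ret == 0)
                    ret = wc_Sha256Final(&digest.sha256, hash);
                wc_Sha256Free(&digest.sha256);
            }
            hashSz = SHA256_DIGEST_SIZE;
            digestAlg = SHA256;
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_InitSha384_ex(&digest.sha384, ssl->heap, INVALID_DEVID);
            if (ret == 0) {
                ret = wc_Sha384Update(&digest.sha384, msg, msgLen);
                if (ret == 0)
                    ret = wc_Sha384Final(&digest.sha384, hash);
                wc_Sha384Free(&digest.sha384);
            }
            hashSz = SHA384_DIGEST_SIZE;
            digestAlg = SHA384;
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            ret = wc_InitSha512_ex(&digest.sha512, ssl->heap, INVALID_DEVID);
            if (ret == 0) {
                ret = wc_Sha512Update(&digest.sha512, msg, msgLen);
                if (ret == 0)
                    ret = wc_Sha512Final(&digest.sha512, hash);
                wc_Sha512Free(&digest.sha512);
            }
            hashSz = SHA512_DIGEST_SIZE;
            digestAlg = SHA512;
            break;
    #endif
        default:
            /* Unsupported algorithm: ret is still BAD_FUNC_ARG. */
            break;
    }

    if (ret != 0)
        return ret;

    switch (ssl->version.minor) {
        case TLSv1_3_MINOR:
            protocol = tls13ProtocolLabel;
            protocolLen = TLS13_PROTOCOL_LABEL_SZ;
            break;

        default:
            return VERSION_ERROR;
    }
    if (outputLen == -1)
        outputLen = hashSz;
    /* Any other negative length would convert to a huge unsigned length. */
    if (outputLen < 0)
        return BAD_FUNC_ARG;

    return HKDF_Expand_Label(output, outputLen, secret, hashSz,
                             protocol, protocolLen, label, labelLen,
                             hash, hashSz, digestAlg);
}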
wolfSSL 12:1a06964c2adb 402 #endif
wolfSSL 12:1a06964c2adb 403
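/* Derive a key.
 *
 * ssl          The SSL/TLS object.
 * output       The buffer to hold the derived key.
 * outputLen    The length of the derived key, or -1 for one digest length.
 * secret       The secret used to derive the key (HMAC secret). One digest
 *              length of bytes is read from it.
 * label        The label used to distinguish the context.
 * labelLen     The length of the label.
 * hashAlgo     The hash algorithm to use in the HMAC.
 * includeMsgs  Whether to include a hash of the handshake messages so far.
 * returns 0 on success, BAD_FUNC_ARG for an unsupported hash algorithm or a
 * negative output length, otherwise failure.
 */
static int DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,
                     const byte* secret, const byte* label, word32 labelLen,
                     int hashAlgo, int includeMsgs)
{
    int         ret = 0;
    byte        hash[MAX_DIGEST_SIZE];
    word32      hashSz = 0;
    word32      hashOutSz = 0;
    const byte* protocol;
    word32      protocolLen;
    int         digestAlg = 0;

    switch (hashAlgo) {
    #ifndef NO_SHA256
        case sha256_mac:
            hashSz = SHA256_DIGEST_SIZE;
            digestAlg = SHA256;
            if (includeMsgs)
                ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            break;
    #endif

    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashSz = SHA384_DIGEST_SIZE;
            digestAlg = SHA384;
            if (includeMsgs)
                ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            break;
    #endif

    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hashSz = SHA512_DIGEST_SIZE;
            digestAlg = SHA512;
            if (includeMsgs)
                ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            break;
    #endif

        default:
            /* Match DeriveKeyMsg(): fail instead of expanding with a
             * zero-length secret and a digest id of 0. */
            ret = BAD_FUNC_ARG;
            break;
    }
    if (ret != 0)
        return ret;

    /* Only one protocol version defined at this time. */
    protocol = tls13ProtocolLabel;
    protocolLen = TLS13_PROTOCOL_LABEL_SZ;

    if (outputLen == -1)
        outputLen = hashSz;
    /* Any other negative length would convert to a huge unsigned length. */
    if (outputLen < 0)
        return BAD_FUNC_ARG;
    /* Without the transcript hash the context is empty (hashOutSz stays 0),
     * so the unset hash buffer is never read. */
    if (includeMsgs)
        hashOutSz = hashSz;

    return HKDF_Expand_Label(output, outputLen, secret, hashSz,
                             protocol, protocolLen, label, labelLen,
                             hash, hashOutSz, digestAlg);
}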
wolfSSL 12:1a06964c2adb 472
wolfSSL 12:1a06964c2adb 473
wolfSSL 12:1a06964c2adb 474 #ifndef NO_PSK
/* Label for the external PSK binder key. Draft 18 uses the long form, every
 * other build the short form. The array holds one extra byte for the NUL
 * terminator, which is not part of the label.
 */
#ifndef WOLFSSL_TLS13_DRAFT_18
    /* The length of the binder key label. */
    #define BINDER_KEY_LABEL_SZ         10
    static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =
        "ext binder";
#else
    /* The length of the Draft 18 binder key label. */
    #define BINDER_KEY_LABEL_SZ         23
    static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =
        "external psk binder key";
#endif
/* Derive the binder key from ssl->arrays->secret over an empty message.
 *
 * ssl  The SSL/TLS object.
 * key  Receives the derived key. The length requested is -1, which
 *      DeriveKeyMsg turns into one digest length of the negotiated MAC
 *      algorithm, so the buffer must be at least that large.
 * returns 0 on success, otherwise failure.
 */
static int DeriveBinderKey(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Binder Key");
    ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, binderKeyLabel,
                       BINDER_KEY_LABEL_SZ, NULL, 0,
                       ssl->specs.mac_algorithm);

    return ret;
}
wolfSSL 12:1a06964c2adb 501 #endif /* !NO_PSK */
wolfSSL 12:1a06964c2adb 502
wolfSSL 12:1a06964c2adb 503 #ifdef HAVE_SESSION_TICKET
/* Label for the resumption PSK binder key. Draft 18 uses the long form,
 * every other build the short form. The array holds one extra byte for the
 * NUL terminator, which is not part of the label.
 */
#ifndef WOLFSSL_TLS13_DRAFT_18
    /* The length of the binder key resume label. */
    #define BINDER_KEY_RESUME_LABEL_SZ  10
    static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =
        "res binder";
#else
    /* The length of the Draft 18 binder key resume label. */
    #define BINDER_KEY_RESUME_LABEL_SZ  25
    static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =
        "resumption psk binder key";
#endif
/* Derive the resumption binder key from ssl->arrays->secret over an empty
 * message.
 *
 * ssl  The SSL/TLS object.
 * key  Receives the derived key. The length requested is -1, which
 *      DeriveKeyMsg turns into one digest length of the negotiated MAC
 *      algorithm, so the buffer must be at least that large.
 * returns 0 on success, otherwise failure.
 */
static int DeriveBinderKeyResume(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Binder Key - Resumption");
    ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
                       binderKeyResumeLabel, BINDER_KEY_RESUME_LABEL_SZ,
                       NULL, 0, ssl->specs.mac_algorithm);

    return ret;
}
wolfSSL 12:1a06964c2adb 530 #endif /* HAVE_SESSION_TICKET */
wolfSSL 12:1a06964c2adb 531
wolfSSL 12:1a06964c2adb 532 #ifdef WOLFSSL_EARLY_DATA
/* Label for the client early traffic secret. Draft 18 uses the long form,
 * every other build the short form. The array holds one extra byte for the
 * NUL terminator, which is not part of the label.
 */
#ifndef WOLFSSL_TLS13_DRAFT_18
    /* The length of the early traffic label. */
    #define EARLY_TRAFFIC_LABEL_SZ      11
    static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =
        "c e traffic";
#else
    /* The length of the Draft 18 early traffic label. */
    #define EARLY_TRAFFIC_LABEL_SZ      27
    static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =
        "client early traffic secret";
#endif
/* Derive the early traffic secret from ssl->arrays->secret and the hash of
 * the handshake messages so far.
 *
 * ssl  The SSL/TLS object.
 * key  Receives the derived key. The length requested is -1, which DeriveKey
 *      turns into one digest length of the negotiated MAC algorithm, so the
 *      buffer must be at least that large.
 * returns 0 on success, otherwise failure.
 */
static int DeriveEarlyTrafficSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Early Traffic Secret");
    ret = DeriveKey(ssl, key, -1, ssl->arrays->secret, earlyTrafficLabel,
                    EARLY_TRAFFIC_LABEL_SZ, ssl->specs.mac_algorithm, 1);

    return ret;
}
wolfSSL 12:1a06964c2adb 559
wolfSSL 12:1a06964c2adb 560 #ifdef TLS13_SUPPORTS_EXPORTERS
/* Label for the early exporter master secret. Draft 18 uses the long form,
 * every other build the short form. The array holds one extra byte for the
 * NUL terminator, which is not part of the label.
 */
#ifndef WOLFSSL_TLS13_DRAFT_18
    /* The length of the early exporter label. */
    #define EARLY_EXPORTER_LABEL_SZ     12
    static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] =
        "e exp master";
#else
    /* The length of the Draft 18 early exporter label. */
    #define EARLY_EXPORTER_LABEL_SZ     28
    static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] =
        "early exporter master secret";
#endif
/* Derive the early exporter secret from ssl->arrays->secret and the hash of
 * the handshake messages so far.
 *
 * ssl  The SSL/TLS object.
 * key  Receives the derived key. The length requested is -1, which DeriveKey
 *      turns into one digest length of the negotiated MAC algorithm, so the
 *      buffer must be at least that large.
 * returns 0 on success, otherwise failure.
 */
static int DeriveEarlyExporterSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Early Exporter Secret");
    ret = DeriveKey(ssl, key, -1, ssl->arrays->secret, earlyExporterLabel,
                    EARLY_EXPORTER_LABEL_SZ, ssl->specs.mac_algorithm, 1);

    return ret;
}
wolfSSL 12:1a06964c2adb 587 #endif
wolfSSL 12:1a06964c2adb 588 #endif
wolfSSL 12:1a06964c2adb 589
/* Label for the client handshake traffic secret. Draft 18 uses the long
 * form, every other build the short form. The array holds one extra byte for
 * the NUL terminator, which is not part of the label.
 */
#ifndef WOLFSSL_TLS13_DRAFT_18
    /* The length of the client handshake label. */
    #define CLIENT_HANDSHAKE_LABEL_SZ   12
    static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =
        "c hs traffic";
#else
    /* The length of the Draft 18 client handshake label. */
    #define CLIENT_HANDSHAKE_LABEL_SZ   31
    static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =
        "client handshake traffic secret";
#endif
/* Derive the client handshake secret from ssl->arrays->preMasterSecret and
 * the hash of the handshake messages so far.
 *
 * ssl  The SSL/TLS object.
 * key  Receives the derived key. The length requested is -1, which DeriveKey
 *      turns into one digest length of the negotiated MAC algorithm, so the
 *      buffer must be at least that large.
 * returns 0 on success, otherwise failure.
 */
static int DeriveClientHandshakeSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Client Handshake Secret");
    ret = DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
                    clientHandshakeLabel, CLIENT_HANDSHAKE_LABEL_SZ,
                    ssl->specs.mac_algorithm, 1);

    return ret;
}
wolfSSL 12:1a06964c2adb 616
/* Label for the server handshake traffic secret and its length.
 * Selected at compile time by WOLFSSL_TLS13_DRAFT_18; both peers have to use
 * the same label bytes to derive the same secret. */
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* The length of the server handshake label. */
    #define SERVER_HANDSHAKE_LABEL_SZ   31
    /* The server handshake label. */
    static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =
        "server handshake traffic secret";
#else
    /* The length of the server handshake label. */
    #define SERVER_HANDSHAKE_LABEL_SZ   12
    /* The server handshake label. */
    static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =
        "s hs traffic";
#endif

/* Derive the server handshake traffic secret.
 *
 * Wrapper over DeriveKey() using ssl->arrays->preMasterSecret as the input
 * secret and serverHandshakeLabel as the label.
 *
 * ssl  The SSL/TLS object.
 * key  Buffer that receives the derived secret; handle it as key material.
 * returns 0 on success, otherwise failure.
 */
static int DeriveServerHandshakeSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Server Handshake Secret");

    /* Same input secret as the client variant; only the label differs. */
    ret = DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
                    serverHandshakeLabel, SERVER_HANDSHAKE_LABEL_SZ,
                    ssl->specs.mac_algorithm, 1);

    return ret;
}
wolfSSL 12:1a06964c2adb 643
/* Label for the client application traffic secret and its length.
 * Selected at compile time by WOLFSSL_TLS13_DRAFT_18. */
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* The length of the client application traffic label. */
    #define CLIENT_APP_LABEL_SZ     33
    /* The client application traffic label. */
    static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =
        "client application traffic secret";
#else
    /* The length of the client application traffic label. */
    #define CLIENT_APP_LABEL_SZ     12
    /* The client application traffic label. */
    static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =
        "c ap traffic";
#endif

/* Derive the client application traffic secret.
 *
 * Wrapper over DeriveKey() using ssl->arrays->masterSecret as the input
 * secret and clientAppLabel as the label.
 *
 * ssl  The SSL/TLS object.
 * key  Buffer that receives the derived secret; handle it as key material.
 * returns 0 on success, otherwise failure.
 */
static int DeriveClientTrafficSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Client Traffic Secret");

    /* Trailing 1: presumably asks DeriveKey to include the handshake message
     * hash - confirm against DeriveKey. */
    ret = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                    clientAppLabel, CLIENT_APP_LABEL_SZ,
                    ssl->specs.mac_algorithm, 1);

    return ret;
}
wolfSSL 12:1a06964c2adb 670
/* Label for the server application traffic secret and its length.
 * Selected at compile time by WOLFSSL_TLS13_DRAFT_18. */
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* The length of the server application traffic label. */
    #define SERVER_APP_LABEL_SZ     33
    /* The server application traffic label. */
    static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =
        "server application traffic secret";
#else
    /* The length of the server application traffic label. */
    #define SERVER_APP_LABEL_SZ     12
    /* The server application traffic label. */
    static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =
        "s ap traffic";
#endif

/* Derive the server application traffic secret.
 *
 * Wrapper over DeriveKey() using ssl->arrays->masterSecret as the input
 * secret and serverAppLabel as the label.
 *
 * ssl  The SSL/TLS object.
 * key  Buffer that receives the derived secret; handle it as key material.
 * returns 0 on success, otherwise failure.
 */
static int DeriveServerTrafficSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Server Traffic Secret");

    /* Same input secret as the client variant; only the label differs. */
    ret = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                    serverAppLabel, SERVER_APP_LABEL_SZ,
                    ssl->specs.mac_algorithm, 1);

    return ret;
}
wolfSSL 12:1a06964c2adb 697
#ifdef TLS13_SUPPORTS_EXPORTERS
/* Label for the exporter master secret and its length.
 * Selected at compile time by WOLFSSL_TLS13_DRAFT_18. */
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* The length of the exporter master secret label. */
    #define EXPORTER_MASTER_LABEL_SZ    22
    /* The exporter master secret label. */
    static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =
        "exporter master secret";
#else
    /* The length of the exporter master secret label. */
    #define EXPORTER_MASTER_LABEL_SZ    10
    /* The exporter master secret label. */
    static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =
        "exp master";
#endif

/* Derive the exporter master secret.
 *
 * Wrapper over DeriveKey() using ssl->arrays->masterSecret as the input
 * secret and exporterMasterLabel as the label. Only compiled when
 * TLS13_SUPPORTS_EXPORTERS is defined.
 *
 * ssl  The SSL/TLS object.
 * key  Buffer that receives the derived secret; handle it as key material.
 * returns 0 on success, otherwise failure.
 */
static int DeriveExporterSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Exporter Secret");

    /* Trailing 1: presumably asks DeriveKey to include the handshake message
     * hash - confirm against DeriveKey. */
    ret = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                    exporterMasterLabel, EXPORTER_MASTER_LABEL_SZ,
                    ssl->specs.mac_algorithm, 1);

    return ret;
}
#endif
wolfSSL 12:1a06964c2adb 726
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
/* Label for the resumption master secret and its length.
 * Selected at compile time by WOLFSSL_TLS13_DRAFT_18. */
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* The length of the resumption master secret label. */
    #define RESUME_MASTER_LABEL_SZ      24
    /* The resumption master secret label. */
    static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
        "resumption master secret";
#else
    /* The length of the resumption master secret label. */
    #define RESUME_MASTER_LABEL_SZ      10
    /* The resumption master secret label. */
    static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
        "res master";
#endif

/* Derive the resumption master secret.
 *
 * Wrapper over DeriveKey() using ssl->arrays->masterSecret as the input
 * secret and resumeMasterLabel as the label. Only compiled when session
 * tickets or PSK support is built in.
 *
 * ssl  The SSL/TLS object.
 * key  Buffer that receives the derived secret. The name suggests it seeds
 *      later session resumption, so it should be stored and wiped with the
 *      same care as any long-lived key - confirm how callers keep it.
 * returns 0 on success, otherwise failure.
 */
static int DeriveResumptionSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Resumption Secret");

    /* Trailing 1: presumably asks DeriveKey to include the handshake message
     * hash - confirm against DeriveKey. */
    ret = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                    resumeMasterLabel, RESUME_MASTER_LABEL_SZ,
                    ssl->specs.mac_algorithm, 1);

    return ret;
}
#endif
wolfSSL 12:1a06964c2adb 755
/* Length of the finished label. */
#define FINISHED_LABEL_SZ   8
/* Finished label for generating finished key. */
static const byte finishedLabel[FINISHED_LABEL_SZ+1] = "finished";

/* Derive the finished secret.
 *
 * Note the argument order: 'key' is the INPUT secret handed to DeriveKey()
 * and 'secret' is the OUTPUT buffer.
 *
 * ssl     The SSL/TLS object.
 * key     The base secret the finished secret is derived from.
 * secret  Buffer that receives the derived finished secret (the key later
 *         used with the HMAC over the handshake hash).
 * returns 0 on success, otherwise failure.
 */
static int DeriveFinishedSecret(WOLFSSL* ssl, byte* key, byte* secret)
{
    int ret;

    WOLFSSL_MSG("Derive Finished Secret");

    /* Trailing 0, unlike the traffic-secret wrappers: presumably no
     * handshake message hash is mixed in - confirm against DeriveKey. */
    ret = DeriveKey(ssl, secret, -1, key, finishedLabel, FINISHED_LABEL_SZ,
                    ssl->specs.mac_algorithm, 0);

    return ret;
}
wolfSSL 12:1a06964c2adb 773
/* Label used when updating an application traffic secret, and its length.
 * Selected at compile time by WOLFSSL_TLS13_DRAFT_18. */
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* The length of the application traffic label. */
    #define APP_TRAFFIC_LABEL_SZ    26
    /* The application traffic label. */
    static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =
        "application traffic secret";
#else
    /* The length of the application traffic label. */
    #define APP_TRAFFIC_LABEL_SZ    11
    /* The application traffic label. */
    static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =
        "traffic upd";
#endif

/* Update a traffic secret in place.
 *
 * The same buffer is passed to DeriveKey() as both input secret and output,
 * so the previous secret is replaced by the new one when the call succeeds.
 *
 * ssl     The SSL/TLS object.
 * secret  In: the current traffic secret. Out: the next traffic secret.
 * returns 0 on success, otherwise failure.
 */
static int DeriveTrafficSecret(WOLFSSL* ssl, byte* secret)
{
    int ret;

    WOLFSSL_MSG("Derive New Application Traffic Secret");

    /* NOTE(review): input and output alias; this relies on DeriveKey
     * tolerating an output that overlaps its secret - confirm. */
    ret = DeriveKey(ssl, secret, -1, secret,
                    appTrafficLabel, APP_TRAFFIC_LABEL_SZ,
                    ssl->specs.mac_algorithm, 0);

    return ret;
}
wolfSSL 12:1a06964c2adb 800
/* Derive the early secret using HKDF Extract.
 *
 * Calls Tls13_HKDF_Extract() with ssl->arrays->secret as the first argument
 * (presumably the output), a NULL/zero-length salt, and as input keying
 * material either the PSK (when session tickets or PSK are compiled in) or
 * ssl->arrays->masterSecret with a length of 0.
 *
 * ssl  The SSL/TLS object.
 * returns the result of Tls13_HKDF_Extract().
 */
static int DeriveEarlySecret(WOLFSSL* ssl)
{
    int ret;

    WOLFSSL_MSG("Derive Early Secret");

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    /* NOTE(review): psk_key/psk_keySz are used as found; confirm callers
     * reset psk_keySz when no PSK applies to this handshake, otherwise a
     * stale key would feed the extract. */
    ret = Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0,
                             ssl->arrays->psk_key, ssl->arrays->psk_keySz,
                             ssl->specs.mac_algorithm);
#else
    /* No PSK support built in: zero-length input keying material. */
    ret = Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0,
                             ssl->arrays->masterSecret, 0,
                             ssl->specs.mac_algorithm);
#endif

    return ret;
}
wolfSSL 12:1a06964c2adb 817
#ifndef WOLFSSL_TLS13_DRAFT_18
    /* The length of the derived label. */
    #define DERIVED_LABEL_SZ    7
    /* The derived label. */
    static const byte derivedLabel[DERIVED_LABEL_SZ + 1] =
        "derived";
#endif

/* Derive the handshake secret using HKDF Extract.
 *
 * Draft 18 builds: extract with ssl->arrays->secret as the salt.
 * Other builds: first derive an intermediate value from ssl->arrays->secret
 * with the "derived" label, then use that value as the salt.
 * In both cases ssl->arrays->preMasterSecret is passed as the first argument
 * and as the input keying material (preMasterSz bytes), so it appears to be
 * replaced in place by the handshake secret.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int DeriveHandshakeSecret(WOLFSSL* ssl)
{
#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Intermediate salt produced with the "derived" label. */
    byte derived[WC_MAX_DIGEST_SIZE];
#endif
    int  rc;

    WOLFSSL_MSG("Derive Handshake Secret");

#ifdef WOLFSSL_TLS13_DRAFT_18
    rc = Tls13_HKDF_Extract(ssl->arrays->preMasterSecret,
                            ssl->arrays->secret, ssl->specs.hash_size,
                            ssl->arrays->preMasterSecret,
                            ssl->arrays->preMasterSz,
                            ssl->specs.mac_algorithm);
#else
    rc = DeriveKeyMsg(ssl, derived, -1, ssl->arrays->secret,
                      derivedLabel, DERIVED_LABEL_SZ,
                      NULL, 0, ssl->specs.mac_algorithm);
    if (rc == 0) {
        rc = Tls13_HKDF_Extract(ssl->arrays->preMasterSecret,
                                derived, ssl->specs.hash_size,
                                ssl->arrays->preMasterSecret,
                                ssl->arrays->preMasterSz,
                                ssl->specs.mac_algorithm);
    }
    /* NOTE(review): 'derived' is key-schedule material and is still on the
     * stack when this function returns; consider clearing it with the
     * library's secure-zero routine on every exit path. */
#endif

    return rc;
}
wolfSSL 12:1a06964c2adb 855
/* Derive the master secret using HKDF Extract.
 *
 * Draft 18 builds: extract with ssl->arrays->preMasterSecret as the salt.
 * Other builds: first derive an intermediate value from
 * ssl->arrays->preMasterSecret with the "derived" label, then use that value
 * as the salt.
 * In both cases ssl->arrays->masterSecret is the first argument and is also
 * passed as input keying material with a length of 0.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int DeriveMasterSecret(WOLFSSL* ssl)
{
#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Intermediate salt produced with the "derived" label. */
    byte derived[WC_MAX_DIGEST_SIZE];
#endif
    int  rc;

    WOLFSSL_MSG("Derive Master Secret");

#ifdef WOLFSSL_TLS13_DRAFT_18
    rc = Tls13_HKDF_Extract(ssl->arrays->masterSecret,
                            ssl->arrays->preMasterSecret,
                            ssl->specs.hash_size,
                            ssl->arrays->masterSecret, 0,
                            ssl->specs.mac_algorithm);
#else
    rc = DeriveKeyMsg(ssl, derived, -1, ssl->arrays->preMasterSecret,
                      derivedLabel, DERIVED_LABEL_SZ,
                      NULL, 0, ssl->specs.mac_algorithm);
    if (rc == 0) {
        rc = Tls13_HKDF_Extract(ssl->arrays->masterSecret,
                                derived, ssl->specs.hash_size,
                                ssl->arrays->masterSecret, 0,
                                ssl->specs.mac_algorithm);
    }
    /* NOTE(review): 'derived' is key-schedule material and is still on the
     * stack when this function returns; consider clearing it with the
     * library's secure-zero routine on every exit path. */
#endif

    return rc;
}
wolfSSL 12:1a06964c2adb 884
/* Calculate the HMAC of the handshake message hash to this point.
 *
 * The running handshake digest for the negotiated MAC algorithm is written
 * into 'hash', then 'hash' is overwritten with the HMAC of that digest under
 * 'key' - the verify data.
 *
 * ssl      The SSL/TLS object.
 * key      The HMAC key; ssl->specs.hash_size bytes are used.
 * hash     Receives the verify data. Must have room for the digest of the
 *          negotiated MAC algorithm.
 * pHashSz  May be NULL. Otherwise receives the digest length once the
 *          handshake hash has been read, even if a later HMAC step fails.
 * returns 0 on success, BAD_FUNC_ARG when ssl->specs.mac_algorithm matches
 *         no compiled-in case, otherwise the error from the failing hash or
 *         HMAC call. The length is reported through pHashSz, not the return
 *         value.
 */
static int BuildTls13HandshakeHmac(WOLFSSL* ssl, byte* key, byte* hash,
                                   word32* pHashSz)
{
    Hmac macCtx;
    int  macType   = SHA256;
    int  digestLen = SHA256_DIGEST_SIZE;
    int  rc        = BAD_FUNC_ARG;

    /* Snapshot the hash of the handshake messages seen so far. */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            macType   = SHA256;
            digestLen = SHA256_DIGEST_SIZE;
            rc = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            break;
    #endif /* !NO_SHA256 */
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            macType   = SHA384;
            digestLen = SHA384_DIGEST_SIZE;
            rc = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            break;
    #endif /* WOLFSSL_SHA384 */
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            macType   = SHA512;
            digestLen = SHA512_DIGEST_SIZE;
            rc = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            break;
    #endif /* WOLFSSL_TLS13_SHA512 */
    }
    /* Unknown algorithm (rc still BAD_FUNC_ARG) or hash failure. */
    if (rc != 0) {
        return rc;
    }

    /* HMAC the digest in place to produce the verify data. */
    rc = wc_HmacInit(&macCtx, ssl->heap, ssl->devId);
    if (rc == 0) {
        rc = wc_HmacSetKey(&macCtx, macType, key, ssl->specs.hash_size);
        if (rc == 0) {
            rc = wc_HmacUpdate(&macCtx, hash, digestLen);
        }
        if (rc == 0) {
            rc = wc_HmacFinal(&macCtx, hash);
        }
        /* Released on every path once init has succeeded. */
        wc_HmacFree(&macCtx);
    }

    if (pHashSz != NULL) {
        *pHashSz = digestLen;
    }

    /* NOTE(review): a caller that checks this value against a peer's
     * Finished data should use a constant-time comparison. */
    return rc;
}
wolfSSL 12:1a06964c2adb 943
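/* The length of the label to use when deriving keys. */
#define WRITE_KEY_LABEL_SZ     3
/* The length of the label to use when deriving IVs. */
#define WRITE_IV_LABEL_SZ      2
/* The label to use when deriving keys. */
static const byte writeKeyLabel[WRITE_KEY_LABEL_SZ+1] = "key";
/* The label to use when deriving IVs. */
static const byte writeIVLabel[WRITE_IV_LABEL_SZ+1]   = "iv";

/* Derive the keys and IVs for TLS v1.3.
 *
 * Step 1 refreshes ssl->arrays->clientSecret and/or serverSecret according
 * to 'secret'. Step 2 (only when 'store' is non-zero) expands those secrets
 * into write keys and IVs and hands them to StoreKeys().
 *
 * ssl     The SSL/TLS object.
 * secret  early_data_key when deriving the key and IV for encrypting early
 *         data application data and end_of_early_data messages.
 *         handshake_key when deriving keys and IVs for encrypting handshake
 *         messages.
 *         traffic_key when deriving first keys and IVs for encrypting
 *         traffic messages.
 *         update_traffic_key when deriving next keys and IVs for encrypting
 *         traffic messages.
 * side    ENCRYPT_SIDE_ONLY when only encryption secret needs to be derived.
 *         DECRYPT_SIDE_ONLY when only decryption secret needs to be derived.
 *         ENCRYPT_AND_DECRYPT_SIDE when both secret needs to be derived.
 * store   1 indicates to derive the keys and IVs from derived secret and
 *         store ready for provisioning.
 * returns 0 on success, MEMORY_E when the small-stack buffer cannot be
 *         allocated, BAD_FUNC_ARG when 'secret' is not a handled value and
 *         nothing is derived, otherwise the error of the failing step.
 */
static int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store)
{
    /* Start from failure: previously 'ret' was returned uninitialised when
     * 'secret' matched no case and 'store' was 0. */
    int   ret = BAD_FUNC_ARG;
    int   i = 0;
#ifdef WOLFSSL_SMALL_STACK
    byte* key_dig;
#else
    byte  key_dig[MAX_PRF_DIG];
#endif
    int   provision;

#ifdef WOLFSSL_SMALL_STACK
    key_dig = (byte*)XMALLOC(MAX_PRF_DIG, ssl->heap, DYNAMIC_TYPE_DIGEST);
    if (key_dig == NULL)
        return MEMORY_E;
#endif

    if (side == ENCRYPT_AND_DECRYPT_SIDE) {
        provision = PROVISION_CLIENT_SERVER;
    }
    else {
        /* A client that encrypts, or a server that decrypts, needs the
         * client keys; the other two combinations need the server keys. */
        provision = ((ssl->options.side != WOLFSSL_CLIENT_END) ^
                     (side == ENCRYPT_SIDE_ONLY)) ? PROVISION_CLIENT :
                                                    PROVISION_SERVER;
    }

    /* Derive the appropriate secret to use in the HKDF. */
    switch (secret) {
#ifdef WOLFSSL_EARLY_DATA
        case early_data_key:
            ret = DeriveEarlyTrafficSecret(ssl, ssl->arrays->clientSecret);
            if (ret != 0)
                goto end;
            break;
#endif

        case handshake_key:
            if (provision & PROVISION_CLIENT) {
                ret = DeriveClientHandshakeSecret(ssl,
                                                  ssl->arrays->clientSecret);
                if (ret != 0)
                    goto end;
            }
            if (provision & PROVISION_SERVER) {
                ret = DeriveServerHandshakeSecret(ssl,
                                                  ssl->arrays->serverSecret);
                if (ret != 0)
                    goto end;
            }
            break;

        case traffic_key:
            if (provision & PROVISION_CLIENT) {
                ret = DeriveClientTrafficSecret(ssl, ssl->arrays->clientSecret);
                if (ret != 0)
                    goto end;
            }
            if (provision & PROVISION_SERVER) {
                ret = DeriveServerTrafficSecret(ssl, ssl->arrays->serverSecret);
                if (ret != 0)
                    goto end;
            }
            break;

        case update_traffic_key:
            if (provision & PROVISION_CLIENT) {
                ret = DeriveTrafficSecret(ssl, ssl->arrays->clientSecret);
                if (ret != 0)
                    goto end;
            }
            if (provision & PROVISION_SERVER) {
                ret = DeriveTrafficSecret(ssl, ssl->arrays->serverSecret);
                if (ret != 0)
                    goto end;
            }
            break;

        default:
            /* No secret is refreshed for other values; as before, keys are
             * still expanded from the existing secrets when 'store' is set. */
            break;
    }

    if (!store)
        goto end;

    /* Key data = client key | server key | client IV | server IV */
    /* NOTE(review): assumes 2 * key_size + 2 * iv_size fits in MAX_PRF_DIG;
     * nothing here checks 'i' against the buffer size - confirm. */

    if (provision & PROVISION_CLIENT) {
        /* Derive the client key. */
        WOLFSSL_MSG("Derive Client Key");
        ret = DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
                        ssl->arrays->clientSecret, writeKeyLabel,
                        WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0);
        if (ret != 0)
            goto end;
        i += ssl->specs.key_size;
    }

    if (provision & PROVISION_SERVER) {
        /* Derive the server key. */
        WOLFSSL_MSG("Derive Server Key");
        ret = DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
                        ssl->arrays->serverSecret, writeKeyLabel,
                        WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0);
        if (ret != 0)
            goto end;
        i += ssl->specs.key_size;
    }

    if (provision & PROVISION_CLIENT) {
        /* Derive the client IV. */
        WOLFSSL_MSG("Derive Client IV");
        ret = DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
                        ssl->arrays->clientSecret, writeIVLabel,
                        WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0);
        if (ret != 0)
            goto end;
        i += ssl->specs.iv_size;
    }

    if (provision & PROVISION_SERVER) {
        /* Derive the server IV. */
        WOLFSSL_MSG("Derive Server IV");
        ret = DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
                        ssl->arrays->serverSecret, writeIVLabel,
                        WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0);
        if (ret != 0)
            goto end;
    }

    /* Store keys and IVs but don't activate them. */
    ret = StoreKeys(ssl, key_dig, provision);

end:
    /* NOTE(review): key_dig may hold freshly derived keys and IVs at this
     * point and is freed / goes out of scope without being cleared;
     * consider wiping it with the library's secure-zero routine first. */
#ifdef WOLFSSL_SMALL_STACK
    XFREE(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST);
#endif

    return ret;
}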
wolfSSL 12:1a06964c2adb 1107
wolfSSL 12:1a06964c2adb 1108 #ifdef HAVE_SESSION_TICKET
wolfSSL 12:1a06964c2adb 1109 #if defined(USER_TICKS)
wolfSSL 12:1a06964c2adb 1110 #if 0
word32 TimeNowInMilliseconds(void)
{
    /*
    Template only (compiled out by the surrounding #if 0): with USER_TICKS
    defined, write your own clock tick function here if you don't want
    gettimeofday(). It needs millisecond accuracy but doesn't have to be
    correlated to the EPOCH.
    */
}
wolfSSL 12:1a06964c2adb 1118 #endif
wolfSSL 12:1a06964c2adb 1119
wolfSSL 12:1a06964c2adb 1120 #elif defined(TIME_OVERRIDES)
    #ifndef HAVE_TIME_T_TYPE
        /* Fallback definition when the platform supplies no time_t. */
        typedef long time_t;
    #endif
    /* Application-supplied clock (TIME_OVERRIDES build). */
    extern time_t XTIME(time_t * timer);

    /* The time in milliseconds.
     * Used for tickets to represent difference between when first seen and
     * when sending.
     *
     * The value is XTIME(0) truncated to 32 bits and multiplied by 1000, so
     * it only changes once per second and wraps modulo 2^32.
     * NOTE(review): ticket ages computed from this clock have second
     * granularity - confirm that is acceptable for the age checks.
     *
     * returns the time in milliseconds as a 32-bit value.
     */
    word32 TimeNowInMilliseconds(void)
    {
        word32 secs;

        secs = (word32) XTIME(0);

        return secs * 1000;
    }
wolfSSL 12:1a06964c2adb 1136 #elif defined(USE_WINDOWS_API)
    /* The time in milliseconds.
     * Used for tickets to represent difference between when first seen and
     * when sending.
     *
     * Windows variant: performance counter divided by ticks-per-millisecond.
     * The counter frequency is queried once and cached in a function-local
     * static.
     * NOTE(review): the one-time initialisation is not synchronised, the
     * return value of QueryPerformanceFrequency() is not checked, and
     * (frequency / 1000) is an integer division that would be zero for a
     * frequency below 1000 - confirm none of these can occur in practice.
     *
     * returns the time in milliseconds as a 32-bit value.
     */
    word32 TimeNowInMilliseconds(void)
    {
        static int           haveFreq = 0;
        static LARGE_INTEGER perfFreq;
        LARGE_INTEGER        now;

        if (haveFreq == 0) {
            QueryPerformanceFrequency(&perfFreq);
            haveFreq = 1;
        }

        QueryPerformanceCounter(&now);

        /* Truncation to 32 bits makes the value wrap. */
        return (word32)(now.QuadPart / (perfFreq.QuadPart / 1000));
    }
wolfSSL 12:1a06964c2adb 1158
wolfSSL 12:1a06964c2adb 1159 #elif defined(HAVE_RTP_SYS)
wolfSSL 12:1a06964c2adb 1160 #include "rtptime.h"
wolfSSL 12:1a06964c2adb 1161
    /* The time in milliseconds.
     * Used for tickets to represent difference between when first seen and
     * when sending.
     *
     * HAVE_RTP_SYS variant: rtp_get_system_sec() truncated to 32 bits and
     * multiplied by 1000, so the value only changes once per second and
     * wraps modulo 2^32.
     *
     * returns the time in milliseconds as a 32-bit value.
     */
    word32 TimeNowInMilliseconds(void)
    {
        word32 secs;

        secs = (word32)rtp_get_system_sec();

        return secs * 1000;
    }
wolfSSL 12:1a06964c2adb 1172 #elif defined(MICRIUM)
    /* The time in milliseconds.
     * Used for tickets to represent difference between when first seen and
     * when sending.
     *
     * MICRIUM variant: NetSecure_OS_TimeGet() multiplied by 1000 after
     * truncation to 32 bits.
     * NOTE(review): when NET_SECURE_MGR_CFG_EN is not DEF_ENABLED the clock
     * is never read and this always returns 0, so every ticket age computed
     * from it would be 0 - confirm that configuration is not used with
     * session tickets.
     *
     * returns the time in milliseconds as a 32-bit value.
     */
    word32 TimeNowInMilliseconds(void)
    {
        NET_SECURE_OS_TICK ticks = 0;
        word32             ticks32;

    #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
        ticks = NetSecure_OS_TimeGet();
    #endif
        ticks32 = (word32)ticks;

        return ticks32 * 1000;
    }
wolfSSL 12:1a06964c2adb 1188 #elif defined(MICROCHIP_TCPIP_V5)
/* The time in milliseconds (Microchip TCP/IP stack v5 tick counter).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * NOTE(review): the divisor is TICKS_PER_SECOND / 1000. If that is an integer
 * expression and the tick rate is below 1000 it evaluates to zero, and a rate
 * that is not a multiple of 1000 is rounded down before the division -
 * confirm the configured tick rate.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    /* Scale the raw tick count to milliseconds, then narrow to 32 bits. */
    return (word32) (TickGet() / (TICKS_PER_SECOND / 1000));
}
wolfSSL 12:1a06964c2adb 1199 #elif defined(MICROCHIP_TCPIP)
wolfSSL 12:1a06964c2adb 1200 #if defined(MICROCHIP_MPLAB_HARMONY)
wolfSSL 12:1a06964c2adb 1201 #include <system/tmr/sys_tmr.h>
wolfSSL 12:1a06964c2adb 1202
/* The time in milliseconds (MPLAB Harmony system timer).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * NOTE(review): the divisor is SYS_TMR_TickCounterFrequencyGet() / 1000. If
 * that is an integer value below 1000 the divisor is zero - confirm the
 * timer frequency the platform reports.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    /* Scale the raw tick count to milliseconds, then narrow to 32 bits. */
    return (word32) (SYS_TMR_TickCountGet() /
                     (SYS_TMR_TickCounterFrequencyGet() / 1000));
}
wolfSSL 12:1a06964c2adb 1214 #else
/* The time in milliseconds (Microchip TCP/IP stack system tick).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * NOTE(review): the divisor is SYS_TICK_TicksPerSecondGet() / 1000. If that
 * is an integer value below 1000 the divisor is zero - confirm the tick rate
 * the platform reports.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    /* Scale the raw tick count to milliseconds, then narrow to 32 bits. */
    return (word32) (SYS_TICK_Get() / (SYS_TICK_TicksPerSecondGet() / 1000));
}
wolfSSL 12:1a06964c2adb 1225
wolfSSL 12:1a06964c2adb 1226 #endif
wolfSSL 12:1a06964c2adb 1227
wolfSSL 12:1a06964c2adb 1228 #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
/* Current time in milliseconds, derived from the MQX elapsed-time clock.
 * Used for session tickets, to measure the time elapsed between a ticket
 * first being seen and it being sent.
 *
 * Only the SECONDS member of the TIME_STRUCT is read, so the result moves in
 * steps of 1000 and wraps modulo 2^32.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    TIME_STRUCT elapsed;
    word32      seconds;

    _time_get_elapsed(&elapsed);
    seconds = (word32)elapsed.SECONDS;

    return seconds * 1000;
}
wolfSSL 12:1a06964c2adb 1243 #elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
wolfSSL 12:1a06964c2adb 1244 #include "include/task.h"
wolfSSL 12:1a06964c2adb 1245
/* The time in milliseconds (FreeRTOS tick counter).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * The tick count is converted to float before it is scaled.
 * NOTE(review): a single-precision float typically holds 24 significant
 * bits, so large tick counts would be rounded before the division - confirm
 * whether integer arithmetic was intended.
 * NOTE(review): if configTICK_RATE_HZ is an integer below 1000 the divisor
 * configTICK_RATE_HZ / 1000 is zero - confirm the configured tick rate.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    /* Scale ticks to milliseconds in floating point, then narrow. */
    return (unsigned int)(((float)xTaskGetTickCount()) /
                          (configTICK_RATE_HZ / 1000));
}
wolfSSL 12:1a06964c2adb 1257 #elif defined(FREESCALE_KSDK_BM)
wolfSSL 12:1a06964c2adb 1258 #include "lwip/sys.h" /* lwIP */
wolfSSL 12:1a06964c2adb 1259
/* Current time in milliseconds, as reported by lwIP's sys_now().
 * Used for session tickets, to measure the time elapsed between a ticket
 * first being seen and it being sent.
 *
 * The value is passed through unchanged apart from the conversion to word32.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    const word32 nowMs = sys_now();

    return nowMs;
}
wolfSSL 12:1a06964c2adb 1270 #elif defined(WOLFSSL_TIRTOS)
/* Current time in milliseconds, derived from the TI-RTOS seconds clock.
 * Used for session tickets, to measure the time elapsed between a ticket
 * first being seen and it being sent.
 *
 * The value of Seconds_get() is narrowed to word32 and multiplied by 1000,
 * so the result moves in steps of 1000 and wraps modulo 2^32.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    const word32 seconds = (word32)Seconds_get();

    return seconds * 1000;
}
wolfSSL 12:1a06964c2adb 1281 #elif defined(WOLFSSL_UTASKER)
/* The time in milliseconds (uTasker system tick).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * NOTE(review): the divisor is TICK_RESOLUTION / 1000. If that is an integer
 * expression below 1000 it evaluates to zero - confirm the units and value
 * of TICK_RESOLUTION for the target.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    /* Scale the raw tick count to milliseconds, then narrow to 32 bits. */
    return (word32)(uTaskerSystemTick / (TICK_RESOLUTION / 1000));
}
wolfSSL 12:1a06964c2adb 1292 #else
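/* Current time in milliseconds, derived from gettimeofday().
 * Used for session tickets, to measure the time elapsed between a ticket
 * first being seen and it being sent.
 *
 * gettimeofday() reports wall-clock time, so a clock adjustment between two
 * calls shows up directly in any age computed from the results.
 * The error code shares the return channel with valid timestamps; callers
 * that need to detect failure have to compare against GETTIME_ERROR.
 *
 * returns the time in milliseconds as a 32-bit value (wrapping modulo 2^32),
 * or GETTIME_ERROR converted to word32 when the clock cannot be read.
 */
word32 TimeNowInMilliseconds(void)
{
    struct timeval now;

    if (gettimeofday(&now, 0) < 0)
        return GETTIME_ERROR;

    /* Narrow to word32 before scaling so the multiplication is done in
     * unsigned arithmetic. With a 32-bit signed time_t, tv_sec * 1000
     * overflows, which is undefined behaviour; the unsigned form wraps and
     * yields the same low 32 bits a wider time_t would give. */
    return (word32)now.tv_sec * 1000 + (word32)(now.tv_usec / 1000);
}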
wolfSSL 12:1a06964c2adb 1308 #endif
wolfSSL 12:1a06964c2adb 1309 #endif /* HAVE_SESSION_TICKET || !NO_PSK */
wolfSSL 12:1a06964c2adb 1310
wolfSSL 12:1a06964c2adb 1311
wolfSSL 12:1a06964c2adb 1312 #if !defined(NO_WOLFSSL_SERVER) && (defined(HAVE_SESSION_TICKET) || \
wolfSSL 12:1a06964c2adb 1313 !defined(NO_PSK))
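/* Add input to every handshake hash that is compiled into the build.
 *
 * ssl    The SSL/TLS object. Its hsHashes member holds the running hashes.
 * input  The data to hash.
 * sz     The size of the data to hash. Must not be negative.
 * returns 0 on success, BAD_FUNC_ARG when ssl or its handshake hashes are
 * missing, when sz is negative or when no hash algorithm is compiled in,
 * otherwise the error from the first hash update that fails.
 */
static int HashInputRaw(WOLFSSL* ssl, const byte* input, int sz)
{
    int ret = BAD_FUNC_ARG;

    /* sz is signed here but is used as an unsigned length by the hash
     * updates; a negative value would turn into a very large read. Reject it
     * together with a missing hash context before anything is touched. */
    if (ssl == NULL || ssl->hsHashes == NULL || sz < 0)
        return BAD_FUNC_ARG;

#ifndef NO_SHA256
    ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, input, (word32)sz);
    if (ret != 0)
        return ret;
#endif
#ifdef WOLFSSL_SHA384
    ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, input, (word32)sz);
    if (ret != 0)
        return ret;
#endif
#ifdef WOLFSSL_TLS13_SHA512
    ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, input, (word32)sz);
    if (ret != 0)
        return ret;
#endif

    /* Still BAD_FUNC_ARG here if none of the hashes above were built. */
    return ret;
}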
wolfSSL 12:1a06964c2adb 1343 #endif
wolfSSL 12:1a06964c2adb 1344
/* Extract the handshake header information.
 *
 * ssl       The SSL/TLS object. Not used.
 * input     The buffer holding the message data.
 * inOutIdx  On entry, the index into the buffer of the handshake header.
 *           On exit, the index just past the header, i.e. the start of the
 *           handshake data. The index is advanced even when BUFFER_E is
 *           returned.
 * type      Receives the type of handshake message.
 * size      Receives the 24-bit length of the handshake message data.
 * totalSz   The total size of data in the buffer.
 * returns BUFFER_E if there is not enough input data and 0 on success.
 *
 * Only the header itself is checked against totalSz. The length written to
 * size comes straight from the message and is not compared with the amount
 * of data available; the caller has to bound it before using it.
 */
static int GetHandshakeHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                              byte* type, word32* size, word32 totalSz)
{
    const word32 hdrStart = *inOutIdx;

    (void)ssl;

    /* Step over the header first, then make sure it was all there. */
    *inOutIdx = hdrStart + HANDSHAKE_HEADER_SZ;
    if (*inOutIdx > totalSz)
        return BUFFER_E;

    /* One type byte followed by a three byte length. */
    *type = input[hdrStart];
    c24to32(input + hdrStart + 1, size);

    return 0;
}
wolfSSL 12:1a06964c2adb 1371
/* Add record layer header to message.
 *
 * output  The buffer to write the record layer header into.
 * length  The length of the record data. Only the low 16 bits are written;
 *         the value is narrowed to word16 without a range check, so callers
 *         must keep it within what a record can carry.
 * type    The type of record message.
 * ssl     The SSL/TLS object. Supplies the major version byte.
 *
 * The minor version byte is always TLSv1_MINOR, whatever version ssl holds.
 */
static void AddTls13RecordHeader(byte* output, word32 length, byte type,
                                 WOLFSSL* ssl)
{
    RecordLayerHeader* hdr = (RecordLayerHeader*)output;
    const word16 wireLen = (word16)length;

    hdr->type    = type;
    hdr->pvMajor = ssl->version.major;
    hdr->pvMinor = TLSv1_MINOR;
    c16toa(wireLen, hdr->length);
}
wolfSSL 12:1a06964c2adb 1390
/* Add handshake header to message.
 *
 * output      The buffer to write the handshake header into.
 * length      The length of the handshake data. Written as a 24-bit field.
 *             NOTE(review): presumably c32to24 drops the top byte - callers
 *             should keep length below 2^24; confirm.
 * fragOffset  The offset of the fragment data. (DTLS) Not used.
 * fragLength  The length of the fragment data. (DTLS) Not used.
 * type        The type of handshake message.
 * ssl         The SSL/TLS object. (DTLS) Not used.
 */
static void AddTls13HandShakeHeader(byte* output, word32 length,
                                    word32 fragOffset, word32 fragLength,
                                    byte type, WOLFSSL* ssl)
{
    HandShakeHeader* hdr = (HandShakeHeader*)output;

    /* Only meaningful for DTLS, which is not handled here. */
    (void)ssl;
    (void)fragLength;
    (void)fragOffset;

    hdr->type = type;
    c32to24(length, hdr->length);
}
wolfSSL 12:1a06964c2adb 1414
wolfSSL 12:1a06964c2adb 1415
/* Add both record layer and handshake header to message.
 *
 * output  The buffer to write the headers into. Must have room for
 *         RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ bytes; no size is passed in,
 *         so the caller is responsible for that.
 * length  The length of the handshake data.
 * type    The type of handshake message. The record type is always
 *         handshake.
 * ssl     The SSL/TLS object.
 */
static void AddTls13Headers(byte* output, word32 length, byte type, WOLFSSL* ssl)
{
    byte* hsHeader = output + RECORD_HEADER_SZ;
    const word32 recordLen = length + HANDSHAKE_HEADER_SZ;

    /* The record carries the handshake header plus the handshake data. */
    AddTls13RecordHeader(output, recordLen, handshake, ssl);
    AddTls13HandShakeHeader(hsHeader, length, 0, length, type, ssl);
}
wolfSSL 12:1a06964c2adb 1431
wolfSSL 12:1a06964c2adb 1432
wolfSSL 12:1a06964c2adb 1433 #ifndef NO_CERTS
/* Add both record layer and fragment handshake header to message.
 *
 * output      The buffer to write the headers into. Must have room for
 *             RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ bytes.
 * fragSz      The length of the fragment data. Sets the record length.
 * fragOffset  The offset of the fragment data. (DTLS)
 * length      The length of the whole handshake message.
 * type        The type of handshake message. The record type is always
 *             handshake.
 * ssl         The SSL/TLS object.
 */
static void AddTls13FragHeaders(byte* output, word32 fragSz, word32 fragOffset,
                                word32 length, byte type, WOLFSSL* ssl)
{
    byte* hsHeader = output + RECORD_HEADER_SZ;
    const word32 recordLen = fragSz + HANDSHAKE_HEADER_SZ;

    /* The record covers this fragment only; the handshake header still
     * announces the length of the complete message. */
    AddTls13RecordHeader(output, recordLen, handshake, ssl);
    AddTls13HandShakeHeader(hsHeader, length, fragOffset, fragSz, type, ssl);
}
wolfSSL 12:1a06964c2adb 1454 #endif /* NO_CERTS */
wolfSSL 12:1a06964c2adb 1455
/* Write the current 64-bit sequence number into the buffer and advance it.
 * No DTLS v1.3 support.
 *
 * ssl          The SSL/TLS object.
 * verifyOrder  Non-zero uses the peer sequence numbers, zero uses our own.
 * out          The buffer to write into. Receives two 32-bit words, high
 *              word first.
 *
 * Every call consumes one sequence number from the selected counter, so it
 * must be called exactly once per record. The AEAD nonce is built from this
 * value, which makes that one-per-record discipline what keeps nonces
 * unique under a key.
 */
static INLINE void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out)
{
    word32 hi;
    word32 lo;

    if (!verifyOrder) {
        hi = ssl->keys.sequence_number_hi;
        lo = ssl->keys.sequence_number_lo;
        ssl->keys.sequence_number_lo++;
        /* low word wrapped to a smaller value: carry into the high word */
        if (ssl->keys.sequence_number_lo < lo)
            ssl->keys.sequence_number_hi++;
    }
    else {
        hi = ssl->keys.peer_sequence_number_hi;
        lo = ssl->keys.peer_sequence_number_lo;
        ssl->keys.peer_sequence_number_lo++;
        /* low word wrapped to a smaller value: carry into the high word */
        if (ssl->keys.peer_sequence_number_lo < lo)
            ssl->keys.peer_sequence_number_hi++;
    }

    /* The values written are the ones from before the increment. */
    c32toa(hi, out);
    c32toa(lo, out + OPAQUE32_LEN);
}
wolfSSL 12:1a06964c2adb 1485
/* Build the nonce for TLS v1.3 encryption and decryption.
 *
 * ssl    The SSL/TLS object.
 * nonce  Receives the nonce to use when encrypting or decrypting. Must hold
 *        AEAD_NONCE_SZ bytes.
 * iv     The derived IV. AEAD_NONCE_SZ bytes are read.
 * order  The side on which the message is to be or was sent; passed to
 *        WriteSEQ to pick the sequence counter.
 *
 * Calling this advances the selected sequence counter by one, so it must be
 * called once per record and not repeated for the same record.
 */
static INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv,
                                   int order)
{
    const int ivOnlySz = AEAD_NONCE_SZ - SEQ_SZ;
    int i;

    /* The sequence number goes into the trailing SEQ_SZ bytes first. */
    WriteSEQ(ssl, order, nonce + ivOnlySz);

    /* The nonce is the IV with the sequence XORed into the last bytes. */
    for (i = 0; i < AEAD_NONCE_SZ; i++) {
        if (i < ivOnlySz)
            nonce[i] = iv[i];
        else
            nonce[i] ^= iv[i];
    }
}
wolfSSL 12:1a06964c2adb 1505
wolfSSL 12:1a06964c2adb 1506 #ifdef HAVE_CHACHA
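/* Encrypt with ChaCha20 and create authentication tag with Poly1305.
 *
 * ssl     The SSL/TLS object. Supplies the ChaCha20 and Poly1305 contexts.
 * output  The buffer to write encrypted data into.
 *         May be the same pointer as input.
 * input   The data to encrypt.
 * sz      The number of bytes to encrypt.
 * nonce   The nonce to use with ChaCha20. Must be unique per record under
 *         the current key.
 * tag     The authentication tag buffer. Receives POLY1305_AUTH_SZ bytes.
 * returns 0 on success, otherwise failure.
 *
 * The one-time Poly1305 key is wiped from the stack on every exit path.
 * No additional authenticated data is passed to the MAC.
 */
static int ChaCha20Poly1305_Encrypt(WOLFSSL* ssl, byte* output,
                                    const byte* input, word16 sz, byte* nonce,
                                    byte* tag)
{
    int  ret;
    byte poly[CHACHA20_256_KEY_SIZE];

    /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
    XMEMSET(poly, 0, sizeof(poly));

    /* Set the nonce for ChaCha, block counter 0, and get Poly1305 key. */
    ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0);
    if (ret == 0)
        ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, poly, sizeof(poly));
    /* Restart the keystream at block counter 1 explicitly, as RFC 7539 lays
     * it out, so payload encryption does not depend on how
     * wc_Chacha_Process treats the unused half of block 0. */
    if (ret == 0)
        ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 1);
    /* Encrypt the plain text. */
    if (ret == 0)
        ret = wc_Chacha_Process(ssl->encrypt.chacha, output, input, sz);
    /* Set key for Poly1305. */
    if (ret == 0)
        ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));

    /* Done with the Poly1305 key: clear it whether or not a step failed, so
     * no key material is left behind on an error return. */
    ForceZero(poly, sizeof(poly));
    if (ret != 0)
        return ret;

    /* Add authentication code of encrypted data to end. */
    return wc_Poly1305_MAC(ssl->auth.poly1305, NULL, 0, output, sz, tag,
                           POLY1305_AUTH_SZ);
}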
wolfSSL 12:1a06964c2adb 1554 #endif
wolfSSL 12:1a06964c2adb 1555
/* Encrypt data for TLS v1.3.
 *
 * Runs a three step state machine kept in ssl->encrypt.state: build the
 * nonce (BEGIN), run the negotiated AEAD cipher (DO), then wipe the nonce
 * (END). With asynchronous crypto the function can return part way through
 * and is resumed by calling it again.
 *
 * ssl        The SSL/TLS object.
 * output     The buffer to write encrypted data and authentication tag into.
 *            May be the same pointer as input.
 * input      The data to encrypt.
 * sz         The number of bytes of payload plus authentication tag.
 * asyncOkay  If non-zero can return WC_PENDING_E, otherwise blocks on crypto
 * returns 0 on success, MEMORY_E when the nonce buffer cannot be allocated,
 * ENCRYPT_ERROR for a cipher that is not compiled in, otherwise the error
 * from the cipher.
 */
static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
                        word16 sz, int asyncOkay)
{
    int ret = 0;
    /* NOTE(review): there is no check that sz >= aead_mac_size; a smaller sz
     * would wrap dataSz to a large value - confirm callers guarantee it. */
    word16 dataSz = sz - ssl->specs.aead_mac_size;
    word16 macSz = ssl->specs.aead_mac_size;
    word32 nonceSz = 0;
#ifdef WOLFSSL_ASYNC_CRYPT
    WC_ASYNC_DEV* asyncDev = NULL;
    word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN;
#endif

    WOLFSSL_ENTER("EncryptTls13");

    /* Silence unused warnings for builds where no cipher case is compiled. */
    (void)output;
    (void)input;
    (void)sz;
    (void)dataSz;
    (void)macSz;
    (void)asyncOkay;
    (void)nonceSz;

#ifdef WOLFSSL_ASYNC_CRYPT
    if (ssl->error == WC_PENDING_E) {
        ssl->error = 0; /* clear async */
    }
#endif

    switch (ssl->encrypt.state) {
        case CIPHER_STATE_BEGIN:
        {
        #ifdef WOLFSSL_DEBUG_TLS
            /* Debug builds write the plaintext to the log; keep
             * WOLFSSL_DEBUG_TLS out of production builds. */
            WOLFSSL_MSG("Data to encrypt");
            WOLFSSL_BUFFER(input, dataSz);
        #endif

            /* The nonce buffer is allocated on first use and then kept on
             * the ssl object for later records. */
            if (ssl->encrypt.nonce == NULL)
                ssl->encrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ,
                                            ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
            if (ssl->encrypt.nonce == NULL)
                return MEMORY_E;

            /* Consumes one sequence number; CUR_ORDER presumably selects
             * this side's own counter - confirm. */
            BuildTls13Nonce(ssl, ssl->encrypt.nonce, ssl->keys.aead_enc_imp_IV,
                            CUR_ORDER);

            /* Advance state and proceed */
            ssl->encrypt.state = CIPHER_STATE_DO;
        }
        FALL_THROUGH;

        case CIPHER_STATE_DO:
        {
            /* In every case the tag is written directly after the
             * ciphertext, at output + dataSz. */
            switch (ssl->specs.bulk_cipher_algorithm) {
            #ifdef BUILD_AESGCM
                case wolfssl_aes_gcm:
                    nonceSz = AESGCM_NONCE_SZ;
                    /* No additional authenticated data is supplied. */
                    ret = wc_AesGcmEncrypt(ssl->encrypt.aes, output, input,
                        dataSz, ssl->encrypt.nonce, nonceSz,
                        output + dataSz, macSz, NULL, 0);
                #ifdef WOLFSSL_ASYNC_CRYPT
                    asyncDev = &ssl->encrypt.aes->asyncDev;
                #endif
                    break;
            #endif

            #ifdef HAVE_AESCCM
                case wolfssl_aes_ccm:
                    nonceSz = AESCCM_NONCE_SZ;
                    /* No additional authenticated data is supplied. */
                    ret = wc_AesCcmEncrypt(ssl->encrypt.aes, output, input,
                        dataSz, ssl->encrypt.nonce, nonceSz,
                        output + dataSz, macSz, NULL, 0);
                #ifdef WOLFSSL_ASYNC_CRYPT
                    asyncDev = &ssl->encrypt.aes->asyncDev;
                #endif
                    break;
            #endif

            #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
                case wolfssl_chacha:
                    nonceSz = CHACHA_IV_BYTES;
                    ret = ChaCha20Poly1305_Encrypt(ssl, output, input, dataSz,
                        ssl->encrypt.nonce, output + dataSz);
                    break;
            #endif

                default:
                    /* Returns straight away: the state stays at
                     * CIPHER_STATE_DO and the nonce buffer is not wiped on
                     * this path. */
                    WOLFSSL_MSG("wolfSSL Encrypt programming error");
                    return ENCRYPT_ERROR;
            }

            /* Advance state */
            ssl->encrypt.state = CIPHER_STATE_END;

        #ifdef WOLFSSL_ASYNC_CRYPT
            if (ret == WC_PENDING_E) {
                /* if async is not okay, then block */
                if (!asyncOkay) {
                    ret = wc_AsyncWait(ret, asyncDev, event_flags);
                }
                else {
                    /* If pending, then leave and return will resume below */
                    ret = wolfSSL_AsyncPush(ssl, asyncDev, event_flags);

                    /* The state is already CIPHER_STATE_END, so the next
                     * call goes straight to the clean-up case. */
                    return ret;
                }
            }
        #endif
        }
        FALL_THROUGH;

        case CIPHER_STATE_END:
        {
        #ifdef WOLFSSL_DEBUG_TLS
            /* Debug builds also log the nonce, ciphertext and tag. */
            WOLFSSL_MSG("Nonce");
            WOLFSSL_BUFFER(ssl->encrypt.nonce, ssl->specs.iv_size);
            WOLFSSL_MSG("Encrypted data");
            WOLFSSL_BUFFER(output, dataSz);
            WOLFSSL_MSG("Authentication Tag");
            WOLFSSL_BUFFER(output + dataSz, macSz);
        #endif

            /* Wipe the per-record nonce; this runs whether or not the cipher
             * call above succeeded. */
            ForceZero(ssl->encrypt.nonce, AEAD_NONCE_SZ);

            break;
        }
    }

    /* Reset state */
    ssl->encrypt.state = CIPHER_STATE_BEGIN;

    return ret;
}
wolfSSL 12:1a06964c2adb 1698
wolfSSL 12:1a06964c2adb 1699 #ifdef HAVE_CHACHA
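/* Decrypt with ChaCha20 and check authentication tag with Poly1305.
 *
 * ssl     The SSL/TLS object. Supplies the ChaCha20 and Poly1305 contexts.
 * output  The buffer to write decrypted data into.
 *         May be the same pointer as input.
 * input   The data to decrypt.
 * sz      The number of bytes to decrypt.
 * nonce   The nonce to use with ChaCha20.
 * tagIn   The authentication tag data from packet. POLY1305_AUTH_SZ bytes
 *         are read.
 * returns 0 on success, VERIFY_MAC_ERROR when the tag does not match,
 * otherwise failure.
 *
 * The tag is verified, in constant time, before any ciphertext is decrypted,
 * so output is left untouched when authentication fails. The one-time
 * Poly1305 key and the locally computed tag are wiped from the stack on
 * every exit path.
 */
static int ChaCha20Poly1305_Decrypt(WOLFSSL* ssl, byte* output,
                                    const byte* input, word16 sz, byte* nonce,
                                    const byte* tagIn)
{
    int  ret;
    byte tag[POLY1305_AUTH_SZ];
    byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */

    /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
    XMEMSET(poly, 0, sizeof(poly));

    /* Set nonce, block counter 0, and get Poly1305 key. */
    ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0);
    if (ret == 0)
        ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, poly, sizeof(poly));
    /* Restart the keystream at block counter 1 explicitly, as RFC 7539 lays
     * it out, so payload decryption does not depend on how
     * wc_Chacha_Process treats the unused half of block 0. */
    if (ret == 0)
        ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 1);
    /* Set key for Poly1305. */
    if (ret == 0)
        ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));

    /* Done with the Poly1305 key: clear it whether or not a step failed, so
     * no key material is left behind on an error return. */
    ForceZero(poly, sizeof(poly));
    if (ret != 0)
        return ret;

    /* Generate authentication tag for encrypted data. */
    ret = wc_Poly1305_MAC(ssl->auth.poly1305, NULL, 0, (byte*)input, sz,
                          tag, sizeof(tag));

    /* Check tag sent along with packet. */
    if (ret == 0 && ConstantCompare(tagIn, tag, POLY1305_AUTH_SZ) != 0) {
        WOLFSSL_MSG("MAC did not match");
        ret = VERIFY_MAC_ERROR;
    }

    /* The computed tag is the valid tag for whatever ciphertext was
     * received; do not leave it on the stack. */
    ForceZero(tag, sizeof(tag));
    if (ret != 0)
        return ret;

    /* If the tag was good decrypt message. */
    return wc_Chacha_Process(ssl->decrypt.chacha, output, input, sz);
}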
wolfSSL 12:1a06964c2adb 1753 #endif
wolfSSL 12:1a06964c2adb 1754
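/* Decrypt data for TLS v1.3.
 *
 * ssl     The SSL/TLS object.
 * output  The buffer to write decrypted data into.
 *         May be the same pointer as input.
 * input   The data to decrypt and authentication tag.
 * sz      The length of the encrypted data plus authentication tag.
 * returns 0 on success, BUFFER_ERROR when sz is too small to hold the
 *         authentication tag, otherwise failure.
 */
int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz)
{
    int    ret = 0;
    word16 macSz = ssl->specs.aead_mac_size;
    word16 dataSz;
    word32 nonceSz = 0;

    WOLFSSL_ENTER("DecryptTls13");

    /* Without this check a record shorter than the tag makes the unsigned
     * subtraction wrap, and dataSz becomes a length close to 64KB that the
     * cipher calls below would use to read input and write output.
     * Whether the caller already rejects such records is not visible from
     * this function, so the bound is enforced here as well.
     */
    if (sz < macSz) {
        WOLFSSL_MSG("Record too short for authentication tag");
        return BUFFER_ERROR;
    }
    dataSz = (word16)(sz - macSz);

#ifdef WOLFSSL_ASYNC_CRYPT
    ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state);
    if (ret != WC_NOT_PENDING_E) {
        /* check for still pending */
        if (ret == WC_PENDING_E)
            return ret;

        ssl->error = 0; /* clear async */

        /* let failures through so CIPHER_STATE_END logic is run */
    }
    else
#endif
    {
        /* Reset state */
        ret = 0;
        ssl->decrypt.state = CIPHER_STATE_BEGIN;
    }

    /* Silence unused warnings in builds where no cipher below is compiled. */
    (void)output;
    (void)input;
    (void)sz;
    (void)dataSz;
    (void)macSz;
    (void)nonceSz;

    switch (ssl->decrypt.state) {
        case CIPHER_STATE_BEGIN:
        {
        #ifdef WOLFSSL_DEBUG_TLS
            WOLFSSL_MSG("Data to decrypt");
            WOLFSSL_BUFFER(input, dataSz);
            WOLFSSL_MSG("Authentication tag");
            WOLFSSL_BUFFER(input + dataSz, macSz);
        #endif

            /* The nonce buffer is allocated once and kept on the object. */
            if (ssl->decrypt.nonce == NULL)
                ssl->decrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ,
                                            ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
            if (ssl->decrypt.nonce == NULL)
                return MEMORY_E;

            BuildTls13Nonce(ssl, ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV,
                            PEER_ORDER);

            /* Advance state and proceed */
            ssl->decrypt.state = CIPHER_STATE_DO;
        }
        FALL_THROUGH;

        case CIPHER_STATE_DO:
        {
            /* Each AEAD routine is handed the tag that trails the ciphertext
             * (input + dataSz) and reports a mismatch through ret.
             */
            switch (ssl->specs.bulk_cipher_algorithm) {
            #ifdef BUILD_AESGCM
                case wolfssl_aes_gcm:
                    nonceSz = AESGCM_NONCE_SZ;
                    ret = wc_AesGcmDecrypt(ssl->decrypt.aes, output, input,
                        dataSz, ssl->decrypt.nonce, nonceSz,
                        input + dataSz, macSz, NULL, 0);
                #ifdef WOLFSSL_ASYNC_CRYPT
                    if (ret == WC_PENDING_E) {
                        ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev,
                                                WC_ASYNC_FLAG_CALL_AGAIN);
                    }
                #endif
                    break;
            #endif

            #ifdef HAVE_AESCCM
                case wolfssl_aes_ccm:
                    nonceSz = AESCCM_NONCE_SZ;
                    ret = wc_AesCcmDecrypt(ssl->decrypt.aes, output, input,
                        dataSz, ssl->decrypt.nonce, nonceSz,
                        input + dataSz, macSz, NULL, 0);
                #ifdef WOLFSSL_ASYNC_CRYPT
                    if (ret == WC_PENDING_E) {
                        ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev,
                                                WC_ASYNC_FLAG_CALL_AGAIN);
                    }
                #endif
                    break;
            #endif

            #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
                case wolfssl_chacha:
                    nonceSz = CHACHA_IV_BYTES;
                    ret = ChaCha20Poly1305_Decrypt(ssl, output, input, dataSz,
                        ssl->decrypt.nonce, input + dataSz);
                    break;
            #endif

                default:
                    WOLFSSL_MSG("wolfSSL Decrypt programming error");
                    return DECRYPT_ERROR;
            }

            /* Advance state */
            ssl->decrypt.state = CIPHER_STATE_END;

        #ifdef WOLFSSL_ASYNC_CRYPT
            /* If pending, leave now */
            if (ret == WC_PENDING_E) {
                return ret;
            }
        #endif
        }
        FALL_THROUGH;

        case CIPHER_STATE_END:
        {
            /* This block runs whether or not decryption succeeded, so a
             * WOLFSSL_DEBUG_TLS build logs the nonce and the contents of
             * output even for a record that failed authentication. Keep
             * that macro out of production builds.
             */
        #ifdef WOLFSSL_DEBUG_TLS
            WOLFSSL_MSG("Nonce");
            WOLFSSL_BUFFER(ssl->decrypt.nonce, ssl->specs.iv_size);
            WOLFSSL_MSG("Decrypted data");
            WOLFSSL_BUFFER(output, dataSz);
        #endif

            /* Wipe the per-record nonce; the buffer itself is reused. */
            ForceZero(ssl->decrypt.nonce, AEAD_NONCE_SZ);

            break;
        }
    }

    /* Every failure from the state machine above is reported to the peer
     * as bad_record_mac and collapsed into VERIFY_MAC_ERROR. Builds with
     * WOLFSSL_EARLY_DATA skip this mapping and return the raw error; the
     * reason is not shown in this function.
     */
#ifndef WOLFSSL_EARLY_DATA
    if (ret < 0) {
        SendAlert(ssl, alert_fatal, bad_record_mac);
        ret = VERIFY_MAC_ERROR;
    }
#endif

    return ret;
}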
/* Arguments of BuildTls13Message that are kept between calls. */
struct BuildMsg13Args {
    word32 sz;       /* Total record size: header, data, type byte and tag. */
    word32 idx;      /* Current write offset into the output buffer. */
    word32 headerSz; /* Size of the record header. */
    word16 size;     /* Record length field: sz less the header. */
};
typedef struct BuildMsg13Args BuildMsg13Args;
/* Release the persisted BuildTls13Message arguments.
 * Installed as ssl->async.freeArgs by BuildTls13Message in async builds.
 *
 * ssl    The SSL/TLS object (unused).
 * pArgs  The BuildMsg13Args to release (unused).
 */
static void FreeBuildMsg13Args(WOLFSSL* ssl, void* pArgs)
{
    /* BuildTls13Message makes no allocations, so nothing is freed here. */
    (void)ssl;
    (void)pArgs;
}
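/* Build SSL Message, encrypted.
 * TLS v1.3 encryption is AEAD only.
 *
 * ssl         The SSL/TLS object.
 * output      The buffer to write record message to.
 *             Must be NULL when sizeOnly is set.
 * outSz       Size of the buffer being written into.
 * input       The record data to encrypt (excluding record header).
 *             Must be NULL when sizeOnly is set.
 * inSz        The size of the record data. Must not be negative.
 * type        The record header content type.
 * hashOutput  Whether to hash the unencrypted record data.
 * sizeOnly    Only want the size of the record message.
 * asyncOkay   If non-zero can return WC_PENDING_E, otherwise blocks on crypto
 * returns the size of the encrypted record message or negative value on error.
 */
int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
                int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay)
{
    int ret = 0;
    BuildMsg13Args* args;
    BuildMsg13Args  lcl_args;
#ifdef WOLFSSL_ASYNC_CRYPT
    args = (BuildMsg13Args*)ssl->async.args;
    /* Compile-time check that the async argument area can hold the struct. */
    typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
    (void)sizeof(args_test);
#endif

    WOLFSSL_ENTER("BuildTls13Message");

    ret = WC_NOT_PENDING_E;
#ifdef WOLFSSL_ASYNC_CRYPT
    if (asyncOkay) {
        ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState);
        if (ret != WC_NOT_PENDING_E) {
            /* Check for error */
            if (ret < 0)
                goto exit_buildmsg;
        }
    }
    else
#endif
    {
        args = &lcl_args;
    }

    /* Reset state */
    if (ret == WC_NOT_PENDING_E) {
        ret = 0;
        ssl->options.buildMsgState = BUILD_MSG_BEGIN;
        XMEMSET(args, 0, sizeof(BuildMsg13Args));

        args->sz = RECORD_HEADER_SZ + inSz;
        args->idx = RECORD_HEADER_SZ;
        args->headerSz = RECORD_HEADER_SZ;
    #ifdef WOLFSSL_ASYNC_CRYPT
        ssl->async.freeArgs = FreeBuildMsg13Args;
    #endif
    }

    switch (ssl->options.buildMsgState) {
        case BUILD_MSG_BEGIN:
        {
            /* The two modes have opposite pointer requirements. Testing for
             * NULL buffers before looking at sizeOnly would reject every
             * sizeOnly call, so the mode is checked first.
             */
            if (sizeOnly) {
                /* catch mistaken sizeOnly parameter */
                if (output || input) {
                    WOLFSSL_MSG("BuildTls13Message with sizeOnly doesn't need "
                                "input or output");
                    return BAD_FUNC_ARG;
                }
            }
            else if (output == NULL || input == NULL) {
                return BAD_FUNC_ARG;
            }

            /* A negative length would have wrapped in the word32 size
             * computed above and would wrap again in the copy below.
             */
            if (inSz < 0)
                return BAD_FUNC_ARG;

            /* Record layer content type at the end of record data. */
            args->sz++;
            /* Authentication data at the end. */
            args->sz += ssl->specs.aead_mac_size;

            if (sizeOnly)
                return args->sz;

            /* A negative outSz would become a huge value in the cast and
             * let the bound check pass.
             */
            if (outSz < 0 || args->sz > (word32)outSz) {
                WOLFSSL_MSG("Oops, want to write past output buffer size");
                return BUFFER_E;
            }

            /* The record header carries a 16-bit length. Refuse a size that
             * would be truncated by the cast below, since the header would
             * then disagree with the number of bytes copied.
             */
            if (args->sz - args->headerSz > 0xFFFF) {
                WOLFSSL_MSG("Record data too large for record header length");
                return BUFFER_E;
            }

            /* Record data length. */
            args->size = (word16)(args->sz - args->headerSz);
            /* Write/update the record header with the new size.
             * Always have the content type as application data for encrypted
             * messages in TLS v1.3.
             */
            AddTls13RecordHeader(output, args->size, application_data, ssl);

            /* TLS v1.3 can do in place encryption. */
            if (input != output + args->idx)
                XMEMCPY(output + args->idx, input, inSz);
            args->idx += inSz;

            ssl->options.buildMsgState = BUILD_MSG_HASH;
        }
        FALL_THROUGH;

        case BUILD_MSG_HASH:
        {
            /* Hashes the header and plaintext, before the type byte and tag
             * are appended.
             */
            if (hashOutput) {
                ret = HashOutput(ssl, output, args->headerSz + inSz, 0);
                if (ret != 0)
                    goto exit_buildmsg;
            }

            ssl->options.buildMsgState = BUILD_MSG_ENCRYPT;
        }
        FALL_THROUGH;

        case BUILD_MSG_ENCRYPT:
        {
            /* NOTE(review): if this case is entered again after a pending
             * async operation, the store and idx++ below would repeat at
             * the next offset - confirm against the async call flow.
             */
            /* The real record content type goes at the end of the data. */
            output[args->idx++] = type;

        #ifdef ATOMIC_USER
            if (ssl->ctx->MacEncryptCb) {
                /* User Record Layer Callback handling */
                byte* mac = output + args->idx;
                output += args->headerSz;

                ret = ssl->ctx->MacEncryptCb(ssl, mac, output, inSz, type, 0,
                        output, output, args->size, ssl->MacEncryptCtx);
            }
            else
        #endif
            {
                /* Encrypt in place, starting just past the record header. */
                output += args->headerSz;
                ret = EncryptTls13(ssl, output, output, args->size, asyncOkay);
            }
            break;
        }
    }

exit_buildmsg:

    WOLFSSL_LEAVE("BuildTls13Message", ret);

#ifdef WOLFSSL_ASYNC_CRYPT
    /* Leave the state untouched so the next call resumes where it stopped. */
    if (ret == WC_PENDING_E) {
        return ret;
    }
#endif

    /* make sure build message state is reset */
    ssl->options.buildMsgState = BUILD_MSG_BEGIN;

    /* return sz on success */
    if (ret == 0)
        ret = args->sz;

    /* Final cleanup */
    FreeBuildMsg13Args(ssl, args);

    return ret;
}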

#ifndef NO_WOLFSSL_CLIENT
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
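/* Setup pre-shared key based on the details in the extension data.
 *
 * Selects the cipher suite recorded for the PSK, loads the key into
 * ssl->arrays->psk_key and derives the early secret from it.
 *
 * ssl  SSL/TLS object.
 * psk  Pre-shared key extension data.
 * returns 0 on success, PSK_KEY_ERROR when the client PSK callback is missing
 * or fails and other negative value on failure.
 */
static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk)
{
    int ret;

    ssl->options.cipherSuite0 = psk->cipherSuite0;
    ssl->options.cipherSuite  = psk->cipherSuite;
    if ((ret = SetCipherSpecs(ssl)) != 0)
        return ret;

#ifdef HAVE_SESSION_TICKET
    if (psk->resumption) {
    #ifdef WOLFSSL_EARLY_DATA
        /* The stored session allows no early data, so do not send any. */
        if (ssl->session.maxEarlyDataSz == 0)
            ssl->earlyData = 0;
    #endif
        /* Resumption PSK is master secret. */
        ssl->arrays->psk_keySz = ssl->specs.hash_size;
        XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret,
                ssl->arrays->psk_keySz);
    }
#endif
#ifndef NO_PSK
    if (!psk->resumption) {
        /* Defensive guard: where the callback is registered is not visible
         * from this function, so do not call through a NULL pointer.
         */
        if (ssl->options.client_psk_cb == NULL)
            return PSK_KEY_ERROR;

        /* Get the pre-shared key. */
        ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
                (char *)psk->identity, ssl->arrays->client_identity,
                MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
        /* The length is reported by application code; reject a missing key
         * and any length larger than the size the callback was given.
         */
        if (ssl->arrays->psk_keySz == 0 ||
                                 ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
            return PSK_KEY_ERROR;
        }
    }
#endif

    /* Derive the early secret using the PSK. */
    return DeriveEarlySecret(ssl);
}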
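/* Derive and write the binders into the ClientHello in space left when
 * writing the Pre-Shared Key extension.
 *
 * Each binder is an HMAC over the handshake hash of the ClientHello up to
 * the binders, keyed from that identity's PSK.
 *
 * ssl     The SSL/TLS object.
 * output  The buffer containing the ClientHello.
 * idx     The index at the end of the completed ClientHello.
 * returns 0 on success and otherwise failure.
 */
static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx)
{
    int           ret;
    TLSX*         ext;
    PreSharedKey* current;
    byte          binderKey[MAX_DIGEST_SIZE];
    word16        len;

    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    if (ext == NULL)
        return SANITY_MSG_E;

    /* Get the size of the binders to determine where to write binders. */
    idx -= TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
                                            client_hello);

    /* Hash truncated ClientHello - up to binders. */
    ret = HashOutput(ssl, output, idx, 0);
    if (ret != 0)
        return ret;

    current = (PreSharedKey*)ext->data;
    /* Calculate the binder for each identity based on previous handshake data.
     * Errors leave the loop rather than returning so that the binder key is
     * wiped on every path.
     */
    while (current != NULL) {
        if ((ret = SetupPskKey(ssl, current)) != 0)
            break;

    #ifdef HAVE_SESSION_TICKET
        if (current->resumption)
            ret = DeriveBinderKeyResume(ssl, binderKey);
    #endif
    #ifndef NO_PSK
        if (!current->resumption)
            ret = DeriveBinderKey(ssl, binderKey);
    #endif
        if (ret != 0)
            break;

        /* Derive the Finished message secret. */
        ret = DeriveFinishedSecret(ssl, binderKey,
                                   ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            break;

        /* Build the HMAC of the handshake message data = binder. */
        ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret,
            current->binder, &current->binderLen);
        if (ret != 0)
            break;

        current = current->next;
    }

    /* The binder key is derived from the PSK and is not needed once the
     * binders are computed; do not leave it on the stack.
     */
    ForceZero(binderKey, sizeof(binderKey));
    if (ret != 0)
        return ret;

    /* Data entered into extension, now write to message. */
    len = TLSX_PreSharedKey_WriteBinders((PreSharedKey*)ext->data, output + idx,
                                         client_hello);

    /* Hash binders to complete the hash of the ClientHello. */
    ret = HashOutputRaw(ssl, output + idx, len);
    if (ret < 0)
        return ret;

#ifdef WOLFSSL_EARLY_DATA
    if (ssl->earlyData) {
        /* Early data is protected under the first identity in the list. */
        if ((ret = SetupPskKey(ssl, (PreSharedKey*)ext->data)) != 0)
            return ret;

        /* Derive early data encryption key. */
        ret = DeriveTls13Keys(ssl, early_data_key, ENCRYPT_SIDE_ONLY, 1);
        if (ret != 0)
            return ret;
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
            return ret;
    }
#endif
    return ret;
}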
#endif

/* Send a ClientHello message to the server.
 * The message also carries what a server speaking a protocol version below
 * TLS v1.3 needs to start a handshake.
 * Only a client will send this message.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success and otherwise failure.
 */
int SendTls13ClientHello(WOLFSSL* ssl)
{
    byte*  msg;
    word32 bodySz;
    word32 pos = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    int    recordSz;
    int    ret;

    WOLFSSL_ENTER("SendTls13ClientHello");

#ifdef HAVE_SESSION_TICKET
    if (ssl->options.resuming &&
            !(ssl->session.version.major == ssl->version.major &&
              ssl->session.version.minor == ssl->version.minor)) {
        /* Cannot resume with a different protocol version - new handshake.
         * The connection takes the stored session's version and the
         * ClientHello is sent by SendClientHello instead.
         */
        ssl->options.resuming = 0;
        ssl->version.major = ssl->session.version.major;
        ssl->version.minor = ssl->session.version.minor;
        return SendClientHello(ssl);
    }
#endif

    if (ssl->suites == NULL) {
        WOLFSSL_MSG("Bad suites pointer in SendTls13ClientHello");
        return SUITES_ERROR;
    }

    /* Version | Random | Session Id | Cipher Suites | Compression | Ext */
    bodySz = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->suites->suiteSz +
             SUITE_LEN + COMP_LEN + ENUM_LEN;

    /* Auto populate extensions supported unless user defined. */
    ret = TLSX_PopulateExtensions(ssl, 0);
    if (ret != 0) {
        return ret;
    }
#ifdef WOLFSSL_EARLY_DATA
    /* Early data is sent only when resuming or, in PSK builds, when a
     * client PSK callback is set.
     */
    #ifndef NO_PSK
    if (!ssl->options.resuming && ssl->options.client_psk_cb == NULL) {
    #else
    if (!ssl->options.resuming) {
    #endif
        ssl->earlyData = 0;
    }
    if (ssl->earlyData) {
        ret = TLSX_EarlyData_Use(ssl, 0);
        if (ret < 0) {
            return ret;
        }
    }
#endif
#ifdef HAVE_QSH
    if (QSH_Init(ssl) != 0) {
        return MEMORY_E;
    }
#endif
    /* Include length of TLS extensions. */
    bodySz += TLSX_GetRequestSize(ssl, client_hello);

    /* Total message size. */
    recordSz = bodySz + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;

    /* Check buffers are big enough and grow if needed. */
    ret = CheckAvailableSize(ssl, recordSz);
    if (ret != 0) {
        return ret;
    }

    /* Get position in output buffer to write new message to. */
    msg = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(msg, bodySz, client_hello, ssl);

    /* Protocol version: the field is written as TLS v1.2, while the
     * version of the object is recorded separately in chVersion.
     */
    msg[pos++] = SSLv3_MAJOR;
    msg[pos++] = TLSv1_2_MINOR;
    ssl->chVersion = ssl->version;

    /* Client Random */
    if (ssl->options.connectState != CONNECT_BEGIN) {
        /* Not the first ClientHello: reuse the random stored earlier. */
        XMEMCPY(msg + pos, ssl->arrays->clientRandom, RAN_LEN);
    }
    else {
        ret = wc_RNG_GenerateBlock(ssl->rng, msg + pos, RAN_LEN);
        if (ret != 0) {
            return ret;
        }

        /* Store random for possible second ClientHello. */
        XMEMCPY(ssl->arrays->clientRandom, msg + pos, RAN_LEN);
    }
    pos += RAN_LEN;

    /* TLS v1.3 does not use session id - 0 length. */
    msg[pos++] = 0;

    /* Cipher suites */
    c16toa(ssl->suites->suiteSz, msg + pos);
    pos += OPAQUE16_LEN;
    XMEMCPY(msg + pos, &ssl->suites->suites, ssl->suites->suiteSz);
    pos += ssl->suites->suiteSz;

    /* Compression not supported in TLS v1.3. */
    msg[pos++] = COMP_LEN;
    msg[pos++] = NO_COMPRESSION;

    /* Write out extensions for a request. */
    pos += TLSX_WriteRequest(ssl, msg + pos, client_hello);

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    /* Resumption has a specific set of extensions and binder is calculated
     * for each identity. WritePSKBinders also hashes the message.
     */
    if (TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY))
        ret = WritePSKBinders(ssl, msg, pos);
    else
#endif
        ret = HashOutput(ssl, msg, pos, 0);
    if (ret != 0) {
        return ret;
    }

    ssl->options.clientState = CLIENT_HELLO_COMPLETE;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) {
        AddPacketName("ClientHello", &ssl->handShakeInfo);
    }
    if (ssl->toInfoOn) {
        AddPacketInfo("ClientHello", &ssl->timeoutInfo, msg, recordSz,
                      ssl->heap);
    }
#endif

    /* Commit the message to the output buffer and send it. */
    ssl->buffers.outputBuffer.length += recordSz;

    ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13ClientHello", ret);

    return ret;
}

#ifndef WOLFSSL_TLS13_DRAFT_18
#ifdef WOLFSSL_SEND_HRR_COOKIE
/* Create Cookie extension using the hash of the first ClientHello.
 *
 * The cookie holds the hash followed by an HMAC of that hash, keyed with
 * ssl->buffers.tls13CookieSecret. SHA-256 is used when it is compiled in,
 * otherwise SHA.
 *
 * ssl     SSL/TLS object.
 * hash    The hash data.
 * hashSz  The size of the hash data in bytes.
 * returns 0 on success, otherwise failure.
 */
static int CreateCookie(WOLFSSL* ssl, byte* hash, byte hashSz)
{
    int  ret;
    byte digest[MAX_DIGEST_SIZE];
    Hmac hmac;
    byte cookieType;
    byte macSz;

#if !defined(NO_SHA) && defined(NO_SHA256)
    cookieType = SHA;
    macSz = SHA_DIGEST_SIZE;
#endif /* NO_SHA */
#ifndef NO_SHA256
    cookieType = SHA256;
    macSz = SHA256_DIGEST_SIZE;
#endif /* NO_SHA256 */

    /* Key, update and finalise in order; the first failure ends the chain. */
    ret = wc_HmacSetKey(&hmac, cookieType,
                        ssl->buffers.tls13CookieSecret.buffer,
                        ssl->buffers.tls13CookieSecret.length);
    if (ret == 0) {
        ret = wc_HmacUpdate(&hmac, hash, hashSz);
    }
    if (ret == 0) {
        ret = wc_HmacFinal(&hmac, digest);
    }
    if (ret != 0) {
        return ret;
    }

    /* The cookie data is the hash and the integrity check. */
    return TLSX_Cookie_Use(ssl, hash, hashSz, digest, macSz, 1);
}
wolfSSL 12:1a06964c2adb 2395 #endif
wolfSSL 12:1a06964c2adb 2396
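/* Restart the Handshake hash with a hash of the previous messages.
 *
 * A message_hash handshake header followed by the current digest is fed
 * into freshly initialised handshake hashes.  When WOLFSSL_SEND_HRR_COOKIE
 * is compiled in and ssl->options.sendCookie is set, the digest, cipher
 * suite and (if a KeyShare extension is present) the group are packed into
 * a cookie instead and the function returns without touching the hashes.
 *
 * ssl      The SSL/TLS object.
 * returns 0 on success, INVALID_PARAMETER when the current MAC algorithm has
 * no handshake digest in this build, otherwise failure.
 */
static int RestartHandshakeHash(WOLFSSL* ssl)
{
    int    ret;
    Hashes hashes;
    byte   header[HANDSHAKE_HEADER_SZ];
    byte*  hash = NULL;
    byte   hashSz = 0;

    ret = BuildCertHashes(ssl, &hashes);
    if (ret != 0)
        return ret;
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            hash = hashes.sha256;
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            hash = hashes.sha384;
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hash = hashes.sha512;
            break;
    #endif
        default:
            break;
    }
    /* Any other MAC algorithm leaves hash NULL, and every use below would
     * dereference it.  On the client path the cipher suite is copied from the
     * HelloRetryRequest before this is called, so the value is presumably
     * peer-influenced - fail the handshake instead of reading through NULL.
     */
    if (hash == NULL) {
        WOLFSSL_MSG("No handshake digest for MAC algorithm");
        return INVALID_PARAMETER;
    }
    hashSz = ssl->specs.hash_size;
    AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl);

    WOLFSSL_MSG("Restart Hash");
    WOLFSSL_BUFFER(hash, hashSz);

#ifdef WOLFSSL_SEND_HRR_COOKIE
    if (ssl->options.sendCookie) {
        byte   cookie[OPAQUE8_LEN + MAX_DIGEST_SIZE + OPAQUE16_LEN * 2];
        TLSX*  ext;
        word32 idx = 0;

        /* Cookie Data = Hash Len | Hash | CS | KeyShare Group */
        cookie[idx++] = hashSz;
        XMEMCPY(cookie + idx, hash, hashSz);
        idx += hashSz;
        cookie[idx++] = ssl->options.cipherSuite0;
        cookie[idx++] = ssl->options.cipherSuite;
        if ((ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE)) != NULL) {
            KeyShareEntry* kse = (KeyShareEntry*)ext->data;
            c16toa(kse->group, cookie + idx);
            idx += OPAQUE16_LEN;
        }
        /* idx never exceeds sizeof(cookie), so it fits CreateCookie's byte
         * length parameter.
         */
        return CreateCookie(ssl, cookie, (byte)idx);
    }
#endif

    ret = InitHandshakeHashes(ssl);
    if (ret != 0)
        return ret;
    ret = HashOutputRaw(ssl, header, sizeof(header));
    if (ret != 0)
        return ret;
    return HashOutputRaw(ssl, hash, hashSz);
}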
wolfSSL 12:1a06964c2adb 2465 #endif
wolfSSL 12:1a06964c2adb 2466
/* Parse and handle a HelloRetryRequest message.
 * Only a client will receive this message.
 *
 * The message is read as: protocol version, cipher suite (not with
 * WOLFSSL_TLS13_DRAFT_18), two-byte extensions length, extensions.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of
 *           HelloRetryRequest.
 *           On exit, the index of byte after the HelloRetryRequest message.
 *           Only updated once the extensions have parsed successfully.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13HelloRetryRequest(WOLFSSL* ssl, const byte* input,
                                    word32* inOutIdx, word32 totalSz)
{
    const word32    start = *inOutIdx;
    word32          idx = start;
    word16          extLen;
    ProtocolVersion version;
    int             ret;

    WOLFSSL_ENTER("DoTls13HelloRetryRequest");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName("HelloRetryRequest", &ssl->handShakeInfo);
    if (ssl->toInfoOn)
        AddLateName("HelloRetryRequest", &ssl->timeoutInfo);
#endif

    /* Three two-byte fields must be present before anything is read. */
    if ((idx - start) + 3 * OPAQUE16_LEN > totalSz)
        return BUFFER_ERROR;

    /* Protocol version. */
    XMEMCPY(&version, input + idx, OPAQUE16_LEN);
    idx += OPAQUE16_LEN;
    if ((ret = CheckVersion(ssl, version)) != 0)
        return ret;

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Cipher suite is taken straight from the message.
     * NOTE(review): no check is visible here that the suite was one the
     * client offered - confirm SetCipherSpecs() or a caller enforces that.
     */
    ssl->options.cipherSuite0 = input[idx];
    ssl->options.cipherSuite  = input[idx + 1];
    idx += OPAQUE16_LEN;
#endif

    if ((ret = SetCipherSpecs(ssl)) != 0)
        return ret;

    /* Length of extension data - an empty list is rejected. */
    ato16(input + idx, &extLen);
    idx += OPAQUE16_LEN;
    if (extLen == 0) {
        WOLFSSL_MSG("HelloRetryRequest must contain extensions");
        return MISSING_HANDSHAKE_DATA;
    }

    /* Extension data must lie inside the handshake message. */
    if ((idx - start) + extLen > totalSz)
        return BUFFER_ERROR;
    /* The KeyShare extension parsing fails when not valid. */
    ret = TLSX_Parse(ssl, (byte *)(input + idx), extLen, hello_retry_request,
                     NULL);
    if (ret != 0)
        return ret;

    /* Move index to byte after message. */
    *inOutIdx = idx + extLen;

    ssl->options.tls1_3 = 1;
    ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST;

#ifndef WOLFSSL_TLS13_DRAFT_18
    ret = RestartHandshakeHash(ssl);
#endif

    WOLFSSL_LEAVE("DoTls13HelloRetryRequest", ret);

    return ret;
}
wolfSSL 12:1a06964c2adb 2545
/* Handle the ServerHello message from the server.
 * Only a client will receive this message.
 *
 * A version that is neither TLS v1.3 nor a draft version is handed to
 * DoServerHello() with inOutIdx untouched.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of ServerHello.
 *           On exit, the index of byte after the ServerHello message.
 * helloSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                       word32 helloSz)
{
    const word32    start = *inOutIdx;
    word32          idx = start;
    word16          extLen;
    ProtocolVersion version;
    int             ret;
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    TLSX*           ext;
    PreSharedKey*   psk;
#endif

    WOLFSSL_ENTER("DoTls13ServerHello");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName("ServerHello", &ssl->handShakeInfo);
    if (ssl->toInfoOn)
        AddLateName("ServerHello", &ssl->timeoutInfo);
#endif

    /* The version field must fit in the message. */
    if (helloSz < OPAQUE16_LEN)
        return BUFFER_ERROR;

    /* Protocol version */
    XMEMCPY(&version, input + idx, OPAQUE16_LEN);
    idx += OPAQUE16_LEN;
    if ((ret = CheckVersion(ssl, version)) != 0)
        return ret;
    if (version.major != TLS_DRAFT_MAJOR && !IsAtLeastTLSv1_3(version)) {
        /* Not TLS v1.3: record the version and use the older parser. */
        ssl->version = version;
        return DoServerHello(ssl, input, inOutIdx, helloSz);
    }

    /* Random, cipher suite and extensions length must all be present. */
    if ((idx - start) + RAN_LEN + 2 * OPAQUE16_LEN > helloSz)
        return BUFFER_ERROR;

    /* Server random - keep for debugging. */
    XMEMCPY(ssl->arrays->serverRandom, input + idx, RAN_LEN);
    idx += RAN_LEN;

    /* Cipher suite is taken straight from the message.
     * NOTE(review): no check is visible here that the suite was one the
     * client offered - confirm SetCipherSpecs() or a caller enforces that.
     */
    ssl->options.cipherSuite0 = input[idx];
    ssl->options.cipherSuite  = input[idx + 1];
    idx += OPAQUE16_LEN;

    /* Extensions length, bounded by the handshake message. */
    ato16(input + idx, &extLen);
    idx += OPAQUE16_LEN;
    if ((idx - start) + extLen > helloSz)
        return BUFFER_ERROR;

    /* Parse and handle extensions. */
    ret = TLSX_Parse(ssl, (byte *)input + idx, extLen, server_hello, NULL);
    if (ret != 0)
        return ret;

    idx += extLen;
    *inOutIdx = idx;

    ssl->options.serverState = SERVER_HELLO_COMPLETE;

#ifdef HAVE_SECRET_CALLBACK
    if (ssl->sessionSecretCb != NULL) {
        int secretSz = SECRET_LEN;
        int cbRet;

        /* The callback must succeed and report exactly SECRET_LEN bytes. */
        cbRet = ssl->sessionSecretCb(ssl, ssl->session.masterSecret,
                                     &secretSz, ssl->sessionSecretCtx);
        if (cbRet != 0 || secretSz != SECRET_LEN)
            return SESSION_SECRET_CB_E;
    }
#endif /* HAVE_SECRET_CALLBACK */

    if ((ret = SetCipherSpecs(ssl)) != 0)
        return ret;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    /* Walk the PreSharedKey list, if any, to the entry marked chosen. */
    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    psk = (ext != NULL) ? (PreSharedKey*)ext->data : NULL;
    while (psk != NULL && !psk->chosen)
        psk = psk->next;

    if (psk != NULL) {
        ret = SetupPskKey(ssl, psk);
        if (ret != 0)
            return ret;
    }
    else {
        /* No PSK chosen: not resuming, and clear any stored PSK. */
        ssl->options.resuming = 0;
        ssl->arrays->psk_keySz = 0;
        XMEMSET(ssl->arrays->psk_key, 0, MAX_PSK_KEY_LEN);
    }
#endif

    ssl->keys.encryptionOn = 1;

    WOLFSSL_LEAVE("DoTls13ServerHello", ret);

    return ret;
}
wolfSSL 12:1a06964c2adb 2654
/* Parse and handle an EncryptedExtensions message.
 * Only a client will receive this message.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of
 *           EncryptedExtensions.
 *           On exit, the index of byte after the EncryptedExtensions
 *           message, including ssl->keys.padSz.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input,
                                      word32* inOutIdx, word32 totalSz)
{
    const word32 start = *inOutIdx;
    word32       idx = start;
    word16       extLen;
    int          ret;

    WOLFSSL_ENTER("DoTls13EncryptedExtensions");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName("EncryptedExtensions", &ssl->handShakeInfo);
    if (ssl->toInfoOn)
        AddLateName("EncryptedExtensions", &ssl->timeoutInfo);
#endif

    /* The two-byte extensions length must be present. */
    if ((idx - start) + OPAQUE16_LEN > totalSz)
        return BUFFER_ERROR;
    ato16(input + idx, &extLen);
    idx += OPAQUE16_LEN;

    /* Extension data must lie inside the handshake message. */
    if ((idx - start) + extLen > totalSz)
        return BUFFER_ERROR;
    ret = TLSX_Parse(ssl, (byte *)(input + idx), extLen, encrypted_extensions,
                     NULL);
    if (ret != 0)
        return ret;

    /* Move index to byte after message; the message is always encrypted, so
     * the padding is skipped as well.
     */
    *inOutIdx = idx + extLen + ssl->keys.padSz;

#ifdef WOLFSSL_EARLY_DATA
    /* Early data is switched off unless the EarlyData extension is present
     * with its val flag set.
     */
    if (ssl->earlyData) {
        TLSX* earlyExt = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);

        if (earlyExt == NULL || !earlyExt->val)
            ssl->earlyData = 0;
    }
#endif

    WOLFSSL_LEAVE("DoTls13EncryptedExtensions", ret);

    return ret;
}
wolfSSL 12:1a06964c2adb 2714
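/* Handle a TLS v1.3 CertificateRequest message.
 * This message is always encrypted.
 * Only a client will receive this message.
 *
 * Every length field read from the message is checked against size before
 * the data it describes is used.  A non-empty request context is rejected
 * while ssl->options.connectState is below FINISHED_DONE.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of CertificateRequest.
 *           On exit, the index of byte after the CertificateRequest message.
 * size      The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
                                     word32* inOutIdx, word32 size)
{
    word16      len;
    word32      begin = *inOutIdx;
    int         ret = 0;
#ifndef WOLFSSL_TLS13_DRAFT_18
    Suites      peerSuites;
#endif
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    CertReqCtx* certReqCtx;
#endif

    WOLFSSL_ENTER("DoTls13CertificateRequest");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName("CertificateRequest", &ssl->handShakeInfo);
    if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo);
#endif

    if ((*inOutIdx - begin) + OPAQUE8_LEN > size)
        return BUFFER_ERROR;

    /* Length of the request context. */
    len = input[(*inOutIdx)++];
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    if (ssl->options.connectState < FINISHED_DONE && len > 0)
        return BUFFER_ERROR;

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    /* CertReqCtx has one byte at end for context value.
     * Increase size to handle other implementations sending more than one byte.
     * That is, allocate extra space, over one byte, to hold the context value.
     */
    certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx) + len - 1, ssl->heap,
                                      DYNAMIC_TYPE_TMP_BUFFER);
    if (certReqCtx == NULL)
        return MEMORY_E;
    certReqCtx->next = ssl->certReqCtx;
    certReqCtx->len = len;
    XMEMCPY(&certReqCtx->ctx, input + *inOutIdx, len);
    ssl->certReqCtx = certReqCtx;
#endif
    *inOutIdx += len;

#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Signature and hash algorithms. */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    PickHashSigAlgo(ssl, input + *inOutIdx, len);
    *inOutIdx += len;

    /* Length of certificate authority data. */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;

    /* Certificate authorities. */
    while (len) {
        word16 dnSz;

        if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
            return BUFFER_ERROR;

        ato16(input + *inOutIdx, &dnSz);
        *inOutIdx += OPAQUE16_LEN;

        if ((*inOutIdx - begin) + dnSz > size)
            return BUFFER_ERROR;
        /* An entry must also fit in what is left of the list.  Without this
         * the unsigned subtraction below wraps and the loop walks past the
         * declared end of the list into the following fields.
         */
        if (OPAQUE16_LEN + dnSz > len)
            return BUFFER_ERROR;

        *inOutIdx += dnSz;
        len -= OPAQUE16_LEN + dnSz;
    }

    /* Certificate extensions */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    *inOutIdx += len;
#else
    /* TODO: Add support for more extensions:
     *   signed_certificate_timestamp, certificate_authorities, oid_filters.
     */
    /* Certificate extensions */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    if (len == 0)
        return INVALID_PARAMETER;
    /* peerSuites is only filled in by the extension parser.  Clear it first
     * so that hashSigAlgoSz is zero, not stack residue, when the peer sends
     * no signature algorithms.
     * NOTE(review): presumably TLSX_Parse() writes it only when that
     * extension is present - confirm, and consider rejecting the message
     * when hashSigAlgoSz is still zero afterwards.
     */
    XMEMSET(&peerSuites, 0, sizeof(peerSuites));
    if ((ret = TLSX_Parse(ssl, (byte *)(input + *inOutIdx), len,
                          certificate_request, &peerSuites))) {
        return ret;
    }
    *inOutIdx += len;

    PickHashSigAlgo(ssl, peerSuites.hashSigAlgo, peerSuites.hashSigAlgoSz);
#endif

    /* Send a certificate only when both a certificate and a key are loaded;
     * otherwise answer with a blank certificate.
     */
    if (ssl->buffers.certificate && ssl->buffers.certificate->buffer &&
        ssl->buffers.key && ssl->buffers.key->buffer)
        ssl->options.sendVerify = SEND_CERT;
    else
        ssl->options.sendVerify = SEND_BLANK_CERT;

    /* This message is always encrypted so add encryption padding. */
    *inOutIdx += ssl->keys.padSz;

#if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
    if (ssl->options.side == WOLFSSL_CLIENT_END &&
        ssl->options.handShakeState == HANDSHAKE_DONE) {
        /* reset handshake states */
        ssl->options.clientState = CLIENT_HELLO_COMPLETE;
        ssl->options.connectState = FIRST_REPLY_DONE;
        ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
    }
#endif

    WOLFSSL_LEAVE("DoTls13CertificateRequest", ret);

    return ret;
}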
wolfSSL 12:1a06964c2adb 2861
wolfSSL 12:1a06964c2adb 2862 #endif /* !NO_WOLFSSL_CLIENT */
wolfSSL 12:1a06964c2adb 2863
wolfSSL 12:1a06964c2adb 2864 #ifndef NO_WOLFSSL_SERVER
wolfSSL 12:1a06964c2adb 2865 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
wolfSSL 12:1a06964c2adb 2866 /* Handle any Pre-Shared Key (PSK) extension.
wolfSSL 12:1a06964c2adb 2867 * Must do this in ClientHello as it requires a hash of the truncated message.
wolfSSL 12:1a06964c2adb 2868 * Don't know size of binders until Pre-Shared Key extension has been parsed.
wolfSSL 12:1a06964c2adb 2869 *
wolfSSL 12:1a06964c2adb 2870 * ssl The SSL/TLS object.
wolfSSL 12:1a06964c2adb 2871 * input The ClientHello message.
wolfSSL 12:1a06964c2adb 2872 * helloSz The size of the ClientHello message (including binders if present).
wolfSSL 12:1a06964c2adb 2873 * usingPSK Indicates handshake is using Pre-Shared Keys.
wolfSSL 12:1a06964c2adb 2874 * returns 0 on success and otherwise failure.
wolfSSL 12:1a06964c2adb 2875 */
wolfSSL 12:1a06964c2adb 2876 static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
wolfSSL 12:1a06964c2adb 2877 int* usingPSK)
wolfSSL 12:1a06964c2adb 2878 {
wolfSSL 12:1a06964c2adb 2879 int ret;
wolfSSL 12:1a06964c2adb 2880 TLSX* ext;
wolfSSL 12:1a06964c2adb 2881 word16 bindersLen;
wolfSSL 12:1a06964c2adb 2882 PreSharedKey* current;
wolfSSL 12:1a06964c2adb 2883 byte binderKey[MAX_DIGEST_SIZE];
wolfSSL 12:1a06964c2adb 2884 byte binder[MAX_DIGEST_SIZE];
wolfSSL 12:1a06964c2adb 2885 word32 binderLen;
wolfSSL 12:1a06964c2adb 2886 word16 modes;
wolfSSL 12:1a06964c2adb 2887 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 12:1a06964c2adb 2888 int pskCnt = 0;
wolfSSL 12:1a06964c2adb 2889 TLSX* extEarlyData;
wolfSSL 12:1a06964c2adb 2890 #endif
wolfSSL 12:1a06964c2adb 2891
wolfSSL 12:1a06964c2adb 2892 ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
wolfSSL 12:1a06964c2adb 2893 if (ext == NULL) {
wolfSSL 12:1a06964c2adb 2894 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 12:1a06964c2adb 2895 ssl->earlyData = 0;
wolfSSL 12:1a06964c2adb 2896 #endif
wolfSSL 12:1a06964c2adb 2897 return 0;
wolfSSL 12:1a06964c2adb 2898 }
wolfSSL 12:1a06964c2adb 2899
wolfSSL 12:1a06964c2adb 2900 /* Extensions pushed on stack/list and PSK must be last. */
wolfSSL 12:1a06964c2adb 2901 if (ssl->extensions != ext)
wolfSSL 12:1a06964c2adb 2902 return PSK_KEY_ERROR;
wolfSSL 12:1a06964c2adb 2903
wolfSSL 12:1a06964c2adb 2904 /* Assume we are going to resume with a pre-shared key. */
wolfSSL 12:1a06964c2adb 2905 ssl->options.resuming = 1;
wolfSSL 12:1a06964c2adb 2906
wolfSSL 12:1a06964c2adb 2907 /* Find the pre-shared key extension and calculate hash of truncated
wolfSSL 12:1a06964c2adb 2908 * ClientHello for binders.
wolfSSL 12:1a06964c2adb 2909 */
wolfSSL 12:1a06964c2adb 2910 bindersLen = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
wolfSSL 12:1a06964c2adb 2911 client_hello);
wolfSSL 12:1a06964c2adb 2912
wolfSSL 12:1a06964c2adb 2913 /* Hash data up to binders for deriving binders in PSK extension. */
wolfSSL 12:1a06964c2adb 2914 ret = HashInput(ssl, input, helloSz - bindersLen);
wolfSSL 12:1a06964c2adb 2915 if (ret != 0)
wolfSSL 12:1a06964c2adb 2916 return ret;
wolfSSL 12:1a06964c2adb 2917
wolfSSL 12:1a06964c2adb 2918 /* Look through all client's pre-shared keys for a match. */
wolfSSL 12:1a06964c2adb 2919 current = (PreSharedKey*)ext->data;
wolfSSL 12:1a06964c2adb 2920 while (current != NULL) {
wolfSSL 12:1a06964c2adb 2921 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 12:1a06964c2adb 2922 pskCnt++;
wolfSSL 12:1a06964c2adb 2923 #endif
wolfSSL 12:1a06964c2adb 2924
wolfSSL 12:1a06964c2adb 2925 #ifndef NO_PSK
wolfSSL 12:1a06964c2adb 2926 XMEMCPY(ssl->arrays->client_identity, current->identity,
wolfSSL 12:1a06964c2adb 2927 current->identityLen);
wolfSSL 12:1a06964c2adb 2928 ssl->arrays->client_identity[current->identityLen] = '\0';
wolfSSL 12:1a06964c2adb 2929 #endif
wolfSSL 12:1a06964c2adb 2930
wolfSSL 12:1a06964c2adb 2931 #ifdef HAVE_SESSION_TICKET
wolfSSL 12:1a06964c2adb 2932 /* Decode the identity. */
wolfSSL 12:1a06964c2adb 2933 if ((ret = DoClientTicket(ssl, current->identity, current->identityLen))
wolfSSL 12:1a06964c2adb 2934 == WOLFSSL_TICKET_RET_OK) {
wolfSSL 12:1a06964c2adb 2935 word32 now;
wolfSSL 12:1a06964c2adb 2936 int diff;
wolfSSL 12:1a06964c2adb 2937
wolfSSL 12:1a06964c2adb 2938 now = TimeNowInMilliseconds();
wolfSSL 12:1a06964c2adb 2939 if (now == (word32)GETTIME_ERROR)
wolfSSL 12:1a06964c2adb 2940 return now;
wolfSSL 12:1a06964c2adb 2941 diff = now - ssl->session.ticketSeen;
wolfSSL 12:1a06964c2adb 2942 diff -= current->ticketAge - ssl->session.ticketAdd;
wolfSSL 12:1a06964c2adb 2943 /* Check session and ticket age timeout.
wolfSSL 12:1a06964c2adb 2944 * Allow +/- 1000 milliseconds on ticket age.
wolfSSL 12:1a06964c2adb 2945 */
wolfSSL 12:1a06964c2adb 2946 if (diff > (int)ssl->timeout * 1000 || diff < -1000 ||
wolfSSL 12:1a06964c2adb 2947 diff - MAX_TICKET_AGE_SECS * 1000 > 1000) {
wolfSSL 12:1a06964c2adb 2948 /* Invalid difference, fallback to full handshake. */
wolfSSL 12:1a06964c2adb 2949 ssl->options.resuming = 0;
wolfSSL 12:1a06964c2adb 2950 break;
wolfSSL 12:1a06964c2adb 2951 }
wolfSSL 12:1a06964c2adb 2952
wolfSSL 12:1a06964c2adb 2953 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 12:1a06964c2adb 2954 ssl->options.maxEarlyDataSz = ssl->session.maxEarlyDataSz;
wolfSSL 12:1a06964c2adb 2955 #endif
wolfSSL 12:1a06964c2adb 2956 /* Use the same cipher suite as before and set up for use. */
wolfSSL 12:1a06964c2adb 2957 ssl->options.cipherSuite0 = ssl->session.cipherSuite0;
wolfSSL 12:1a06964c2adb 2958 ssl->options.cipherSuite = ssl->session.cipherSuite;
wolfSSL 12:1a06964c2adb 2959 ret = SetCipherSpecs(ssl);
wolfSSL 12:1a06964c2adb 2960 if (ret != 0)
wolfSSL 12:1a06964c2adb 2961 return ret;
wolfSSL 12:1a06964c2adb 2962
wolfSSL 12:1a06964c2adb 2963 /* Resumption PSK is resumption master secret. */
wolfSSL 12:1a06964c2adb 2964 ssl->arrays->psk_keySz = ssl->specs.hash_size;
wolfSSL 12:1a06964c2adb 2965 XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret,
wolfSSL 12:1a06964c2adb 2966 ssl->specs.hash_size);
wolfSSL 12:1a06964c2adb 2967
wolfSSL 12:1a06964c2adb 2968 /* Derive the early secret using the PSK. */
wolfSSL 12:1a06964c2adb 2969 ret = DeriveEarlySecret(ssl);
wolfSSL 12:1a06964c2adb 2970 if (ret != 0)
wolfSSL 12:1a06964c2adb 2971 return ret;
wolfSSL 12:1a06964c2adb 2972 /* Derive the binder key to use to with HMAC. */
wolfSSL 12:1a06964c2adb 2973 ret = DeriveBinderKeyResume(ssl, binderKey);
wolfSSL 12:1a06964c2adb 2974 if (ret != 0)
wolfSSL 12:1a06964c2adb 2975 return ret;
wolfSSL 12:1a06964c2adb 2976 }
wolfSSL 12:1a06964c2adb 2977 else
wolfSSL 12:1a06964c2adb 2978 #endif
wolfSSL 12:1a06964c2adb 2979 #ifndef NO_PSK
wolfSSL 12:1a06964c2adb 2980 if (ssl->options.server_psk_cb != NULL &&
wolfSSL 12:1a06964c2adb 2981 (ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
wolfSSL 12:1a06964c2adb 2982 ssl->arrays->client_identity, ssl->arrays->psk_key,
wolfSSL 12:1a06964c2adb 2983 MAX_PSK_KEY_LEN)) != 0) {
wolfSSL 12:1a06964c2adb 2984 if (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN)
wolfSSL 12:1a06964c2adb 2985 return PSK_KEY_ERROR;
wolfSSL 12:1a06964c2adb 2986
wolfSSL 12:1a06964c2adb 2987 ssl->options.resuming = 0;
wolfSSL 12:1a06964c2adb 2988
wolfSSL 12:1a06964c2adb 2989 /* PSK age is always zero. */
wolfSSL 12:1a06964c2adb 2990 if (current->ticketAge != ssl->session.ticketAdd)
wolfSSL 12:1a06964c2adb 2991 return PSK_KEY_ERROR;
wolfSSL 12:1a06964c2adb 2992
wolfSSL 12:1a06964c2adb 2993 /* TODO: Callback should be able to change ciphersuite. */
wolfSSL 12:1a06964c2adb 2994 /* Default to ciphersuite if cb doesn't specify. */
wolfSSL 12:1a06964c2adb 2995 ssl->options.cipherSuite0 = TLS13_BYTE;
wolfSSL 12:1a06964c2adb 2996 ssl->options.cipherSuite = WOLFSSL_DEF_PSK_CIPHER;
wolfSSL 12:1a06964c2adb 2997 ret = SetCipherSpecs(ssl);
wolfSSL 12:1a06964c2adb 2998 if (ret != 0)
wolfSSL 12:1a06964c2adb 2999 return ret;
wolfSSL 12:1a06964c2adb 3000
wolfSSL 12:1a06964c2adb 3001 /* Derive the early secret using the PSK. */
wolfSSL 12:1a06964c2adb 3002 ret = DeriveEarlySecret(ssl);
wolfSSL 12:1a06964c2adb 3003 if (ret != 0)
wolfSSL 12:1a06964c2adb 3004 return ret;
wolfSSL 12:1a06964c2adb 3005 /* Derive the binder key to use to with HMAC. */
wolfSSL 12:1a06964c2adb 3006 ret = DeriveBinderKey(ssl, binderKey);
wolfSSL 12:1a06964c2adb 3007 if (ret != 0)
wolfSSL 12:1a06964c2adb 3008 return ret;
wolfSSL 12:1a06964c2adb 3009 }
wolfSSL 12:1a06964c2adb 3010 else
wolfSSL 12:1a06964c2adb 3011 #endif
wolfSSL 12:1a06964c2adb 3012 {
wolfSSL 12:1a06964c2adb 3013 current = current->next;
wolfSSL 12:1a06964c2adb 3014 continue;
wolfSSL 12:1a06964c2adb 3015 }
wolfSSL 12:1a06964c2adb 3016
wolfSSL 12:1a06964c2adb 3017 ssl->options.sendVerify = 0;
wolfSSL 12:1a06964c2adb 3018
wolfSSL 12:1a06964c2adb 3019 /* Derive the Finished message secret. */
wolfSSL 12:1a06964c2adb 3020 ret = DeriveFinishedSecret(ssl, binderKey,
wolfSSL 12:1a06964c2adb 3021 ssl->keys.client_write_MAC_secret);
wolfSSL 12:1a06964c2adb 3022 if (ret != 0)
wolfSSL 12:1a06964c2adb 3023 return ret;
wolfSSL 12:1a06964c2adb 3024
wolfSSL 12:1a06964c2adb 3025 /* Derive the binder and compare with the one in the extension. */
wolfSSL 12:1a06964c2adb 3026 ret = BuildTls13HandshakeHmac(ssl,
wolfSSL 12:1a06964c2adb 3027 ssl->keys.client_write_MAC_secret, binder, &binderLen);
wolfSSL 12:1a06964c2adb 3028 if (ret != 0)
wolfSSL 12:1a06964c2adb 3029 return ret;
wolfSSL 12:1a06964c2adb 3030 if (binderLen != current->binderLen ||
wolfSSL 12:1a06964c2adb 3031 XMEMCMP(binder, current->binder, binderLen) != 0) {
wolfSSL 12:1a06964c2adb 3032 return BAD_BINDER;
wolfSSL 12:1a06964c2adb 3033 }
wolfSSL 12:1a06964c2adb 3034
wolfSSL 12:1a06964c2adb 3035 /* This PSK works, no need to try any more. */
wolfSSL 12:1a06964c2adb 3036 current->chosen = 1;
wolfSSL 12:1a06964c2adb 3037 ext->resp = 1;
wolfSSL 12:1a06964c2adb 3038 break;
wolfSSL 12:1a06964c2adb 3039 }
wolfSSL 12:1a06964c2adb 3040
wolfSSL 12:1a06964c2adb 3041 /* Hash the rest of the ClientHello. */
wolfSSL 12:1a06964c2adb 3042 ret = HashInputRaw(ssl, input + helloSz - bindersLen, bindersLen);
wolfSSL 12:1a06964c2adb 3043 if (ret != 0)
wolfSSL 12:1a06964c2adb 3044 return ret;
wolfSSL 12:1a06964c2adb 3045
wolfSSL 12:1a06964c2adb 3046 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 12:1a06964c2adb 3047 extEarlyData = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
wolfSSL 12:1a06964c2adb 3048 if (extEarlyData != NULL) {
wolfSSL 12:1a06964c2adb 3049 if (ssl->earlyData && current == ext->data) {
wolfSSL 12:1a06964c2adb 3050 extEarlyData->resp = 1;
wolfSSL 12:1a06964c2adb 3051
wolfSSL 12:1a06964c2adb 3052 /* Derive early data decryption key. */
wolfSSL 12:1a06964c2adb 3053 ret = DeriveTls13Keys(ssl, early_data_key, DECRYPT_SIDE_ONLY, 1);
wolfSSL 12:1a06964c2adb 3054 if (ret != 0)
wolfSSL 12:1a06964c2adb 3055 return ret;
wolfSSL 12:1a06964c2adb 3056 if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
wolfSSL 12:1a06964c2adb 3057 return ret;
wolfSSL 12:1a06964c2adb 3058
wolfSSL 12:1a06964c2adb 3059 ssl->earlyData = 2;
wolfSSL 12:1a06964c2adb 3060 }
wolfSSL 12:1a06964c2adb 3061 else
wolfSSL 12:1a06964c2adb 3062 extEarlyData->resp = 0;
wolfSSL 12:1a06964c2adb 3063 }
wolfSSL 12:1a06964c2adb 3064 #endif
wolfSSL 12:1a06964c2adb 3065
wolfSSL 12:1a06964c2adb 3066 /* Get the PSK key exchange modes the client wants to negotiate. */
wolfSSL 12:1a06964c2adb 3067 ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
wolfSSL 12:1a06964c2adb 3068 if (ext == NULL)
wolfSSL 12:1a06964c2adb 3069 return MISSING_HANDSHAKE_DATA;
wolfSSL 12:1a06964c2adb 3070 modes = ext->val;
wolfSSL 12:1a06964c2adb 3071
wolfSSL 12:1a06964c2adb 3072 ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
wolfSSL 12:1a06964c2adb 3073 /* Use (EC)DHE for forward-security if possible. */
wolfSSL 12:1a06964c2adb 3074 if ((modes & (1 << PSK_DHE_KE)) != 0 && !ssl->options.noPskDheKe &&
wolfSSL 12:1a06964c2adb 3075 ext != NULL) {
wolfSSL 12:1a06964c2adb 3076 /* Only use named group used in last session. */
wolfSSL 12:1a06964c2adb 3077 ssl->namedGroup = ssl->session.namedGroup;
wolfSSL 12:1a06964c2adb 3078
wolfSSL 12:1a06964c2adb 3079 /* Try to establish a new secret. */
wolfSSL 12:1a06964c2adb 3080 ret = TLSX_KeyShare_Establish(ssl);
wolfSSL 12:1a06964c2adb 3081 if (ret == KEY_SHARE_ERROR)
wolfSSL 12:1a06964c2adb 3082 return PSK_KEY_ERROR;
wolfSSL 12:1a06964c2adb 3083 else if (ret < 0)
wolfSSL 12:1a06964c2adb 3084 return ret;
wolfSSL 12:1a06964c2adb 3085
wolfSSL 12:1a06964c2adb 3086 /* Send new public key to client. */
wolfSSL 12:1a06964c2adb 3087 ext->resp = 1;
wolfSSL 12:1a06964c2adb 3088 }
wolfSSL 12:1a06964c2adb 3089 else if ((modes & (1 << PSK_KE)) == 0)
wolfSSL 12:1a06964c2adb 3090 return PSK_KEY_ERROR;
wolfSSL 12:1a06964c2adb 3091
wolfSSL 12:1a06964c2adb 3092 *usingPSK = 1;
wolfSSL 12:1a06964c2adb 3093
wolfSSL 12:1a06964c2adb 3094 return ret;
wolfSSL 12:1a06964c2adb 3095 }
wolfSSL 12:1a06964c2adb 3096 #endif
wolfSSL 12:1a06964c2adb 3097
wolfSSL 12:1a06964c2adb 3098 #if !defined(WOLFSSL_TLS13_DRAFT_18) && defined(WOLFSSL_SEND_HRR_COOKIE)
/* Verify the integrity of a HelloRetryRequest cookie echoed by the client.
 *
 * The cookie is expected to end with an HMAC, keyed with the server's
 * tls13CookieSecret, computed over all bytes before it. The MAC is recomputed
 * and compared in constant time so the comparison does not reveal how many
 * leading MAC bytes matched.
 *
 * ssl       SSL/TLS object.
 * cookie    The cookie data - hash and MAC.
 * cookieSz  The length of the cookie data in bytes, including the MAC.
 * returns   Length of the cookie data without the MAC on success, otherwise
 *           a negative error code (HRR_COOKIE_ERROR on a short cookie or a
 *           MAC mismatch).
 *
 * NOTE(review): cookieSz is a byte; a caller holding a wider length field
 * would have it truncated before the check below - confirm against the
 * Cookie type.
 */
static int CheckCookie(WOLFSSL* ssl, byte* cookie, byte cookieSz)
{
    Hmac cookieHmac;
    byte mac[MAX_DIGEST_SIZE];
    byte cookieType;
    byte macSz;
    int  ret;

    /* SHA-256 is used when available, SHA-1 only when SHA-256 is compiled out.
     * NOTE(review): with both NO_SHA and NO_SHA256 defined neither branch is
     * compiled and cookieType/macSz stay uninitialised - confirm that build
     * combination is excluded elsewhere.
     */
#ifndef NO_SHA256
    cookieType = SHA256;
    macSz = SHA256_DIGEST_SIZE;
#elif !defined(NO_SHA)
    cookieType = SHA;
    macSz = SHA_DIGEST_SIZE;
#endif

    /* Reject anything too short to hold a handshake hash plus the MAC. */
    if (cookieSz < ssl->specs.hash_size + macSz)
        return HRR_COOKIE_ERROR;
    /* From here on cookieSz is the length of the authenticated data only. */
    cookieSz -= macSz;

    /* Recompute the MAC over the data portion of the cookie. */
    ret = wc_HmacSetKey(&cookieHmac, cookieType,
                        ssl->buffers.tls13CookieSecret.buffer,
                        ssl->buffers.tls13CookieSecret.length);
    if (ret == 0)
        ret = wc_HmacUpdate(&cookieHmac, cookie, cookieSz);
    if (ret == 0)
        ret = wc_HmacFinal(&cookieHmac, mac);
    if (ret != 0)
        return ret;

    /* The received MAC sits directly after the data. */
    if (ConstantCompare(cookie + cookieSz, mac, macSz) != 0)
        return HRR_COOKIE_ERROR;

    return cookieSz;
}
wolfSSL 12:1a06964c2adb 3141
/* Length of the KeyShare Extension as rebuilt for the handshake hash:
 * extension type | extension length | two bytes taken from the cookie
 * (presumably the named group - confirm against the cookie writer).
 */
#define HRR_KEY_SHARE_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
/* Length of the Cookie Extension excluding cookie data:
 * extension type | extension length | cookie length
 */
#define HRR_COOKIE_HDR_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
/* PV | CipherSuite | Ext Len */
#define HRR_BODY_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
/* HH | PV | CipherSuite | Ext Len | Key Share | Cookie
 * Sizes the stack buffer used in RestartHandshakeHashWithCookie(). The cookie
 * data itself is not counted: it is hashed straight from the received
 * extension rather than copied into that buffer.
 */
#define MAX_HRR_SZ (HANDSHAKE_HEADER_SZ + \
                    HRR_BODY_SZ + \
                    HRR_KEY_SHARE_SZ + \
                    HRR_COOKIE_HDR_SZ)
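/* Restart the handshake hash from the cookie value.
 *
 * The cookie is authenticated with CheckCookie() before any of its fields is
 * used. The transcript is then rebuilt as the synthetic message_hash message
 * followed by a reconstruction of the HelloRetryRequest that carried the
 * cookie.
 *
 * Cookie layout as consumed here:
 *   hash length (1) | hash | cipher suite (2) | [key share bytes (2)] | MAC
 *
 * ssl     SSL/TLS object.
 * cookie  Cookie data from client.
 * returns 0 on success, otherwise failure (HRR_COOKIE_ERROR when the cookie
 *         fails authentication or is too short for the fields it declares).
 */
static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
{
    byte   header[HANDSHAKE_HEADER_SZ];
    byte   hrr[MAX_HRR_SZ];
    int    hrrIdx;
    word32 idx;
    byte   hashSz;
    byte*  cookieData;
    byte   cookieDataSz;
    word16 length;
    int    keyShareExt = 0;
    int    ret;

    /* Check the MAC first; on success the return value is the length of the
     * cookie data without the trailing MAC.
     */
    ret = CheckCookie(ssl, &cookie->data, cookie->len);
    if (ret < 0)
        return ret;
    cookieDataSz = (byte)ret;

    hashSz = cookie->data;
    cookieData = &cookie->data;
    idx = OPAQUE8_LEN;

    /* The hash length is taken from the cookie itself, while CheckCookie()
     * only compared the total size with ssl->specs.hash_size. Make sure the
     * authenticated data really holds the length byte, the hash and the
     * cipher suite before indexing with hashSz.
     */
    if (cookieDataSz < OPAQUE8_LEN + hashSz + OPAQUE16_LEN)
        return HRR_COOKIE_ERROR;

    /* Restart handshake hash with synthetic message hash. */
    AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl);
    if ((ret = InitHandshakeHashes(ssl)) != 0)
        return ret;
    if ((ret = HashOutputRaw(ssl, header, sizeof(header))) != 0)
        return ret;
    if ((ret = HashOutputRaw(ssl, cookieData + idx, hashSz)) != 0)
        return ret;

    /* Reconstruct the HelloRetryMessage for handshake hash. */
    length = HRR_BODY_SZ + HRR_COOKIE_HDR_SZ + cookie->len;
    /* A key share was sent only when two more bytes follow the cipher suite.
     * The length byte has to be counted too; without it a cookie that holds
     * no key share is misread as having one, the first two MAC bytes are
     * copied into the rebuilt message and the transcript no longer matches
     * what was sent.
     */
    if (cookieDataSz >= OPAQUE8_LEN + hashSz + OPAQUE16_LEN + OPAQUE16_LEN) {
        keyShareExt = 1;
        length += HRR_KEY_SHARE_SZ;
    }
    AddTls13HandShakeHeader(hrr, length, 0, 0, hello_retry_request, ssl);

    idx += hashSz;
    hrrIdx = HANDSHAKE_HEADER_SZ;
    /* TODO: [TLS13] Replace existing code with code in comment.
     * Use the TLS v1.3 draft version for now.
     *
     * Change to:
     *   hrr[hrrIdx++] = ssl->version.major;
     *   hrr[hrrIdx++] = ssl->version.minor;
     */
    /* The negotiated protocol version. */
    hrr[hrrIdx++] = TLS_DRAFT_MAJOR;
    hrr[hrrIdx++] = TLS_DRAFT_MINOR;
    /* Cipher Suite */
    hrr[hrrIdx++] = cookieData[idx++];
    hrr[hrrIdx++] = cookieData[idx++];

    /* Extensions' length */
    length -= HRR_BODY_SZ;
    c16toa(length, hrr + hrrIdx);
    hrrIdx += 2;
    /* Optional KeyShare Extension */
    if (keyShareExt) {
        c16toa(TLSX_KEY_SHARE, hrr + hrrIdx);
        hrrIdx += 2;
        c16toa(OPAQUE16_LEN, hrr + hrrIdx);
        hrrIdx += 2;
        hrr[hrrIdx++] = cookieData[idx++];
        hrr[hrrIdx++] = cookieData[idx++];
    }
    /* Mandatory Cookie Extension */
    c16toa(TLSX_COOKIE, hrr + hrrIdx);
    hrrIdx += 2;
    c16toa(cookie->len + OPAQUE16_LEN, hrr + hrrIdx);
    hrrIdx += 2;
    c16toa(cookie->len, hrr + hrrIdx);
    hrrIdx += 2;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("Reconstucted HelloRetryRequest");
    WOLFSSL_BUFFER(hrr, hrrIdx);
    WOLFSSL_MSG("Cookie");
    WOLFSSL_BUFFER(cookieData, cookie->len);
#endif

    /* Hash the rebuilt headers, then the cookie bytes (MAC included) directly
     * from the received extension.
     */
    if ((ret = HashOutputRaw(ssl, hrr, hrrIdx)) != 0)
        return ret;
    return HashOutputRaw(ssl, cookieData, cookie->len);
}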
wolfSSL 12:1a06964c2adb 3244 #endif
wolfSSL 12:1a06964c2adb 3245
/* Handle a ClientHello handshake message.
 * If the version held in the SSL object is below TLS v1.3, the message is
 * handed to DoClientHello() instead.
 * Only a server will receive this message.
 *
 * Every length in the message comes from the peer. The checks against helloSz
 * below bound each read relative to the start of the message.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of ClientHello.
 *           On exit, the index of byte after the ClientHello message and
 *           padding.
 * helloSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                       word32 helloSz)
{
    int             ret;
    byte            b;
    ProtocolVersion pv;
    Suites          clSuites;
    word32          i = *inOutIdx;
    word32          begin = i;      /* start of the message, for bounds checks */
    word16          totalExtSz;
    int             usingPSK = 0;
    byte            sessIdSz;

    WOLFSSL_ENTER("DoTls13ClientHello");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName("ClientHello", &ssl->handShakeInfo);
    if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo);
#endif

    /* protocol version, random and session id length check */
    if ((i - begin) + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz)
        return BUFFER_ERROR;

    /* Protocol version */
    XMEMCPY(&pv, input + i, OPAQUE16_LEN);
    ssl->chVersion = pv;   /* store */
    i += OPAQUE16_LEN;

    /* The fallback decision is made on ssl->version, not on the pv just read.
     * NOTE(review): presumably ssl->version has been settled before this
     * point - confirm with the caller. The original *inOutIdx is passed on so
     * DoClientHello() parses the message from its start.
     */
    if (ssl->version.major == SSLv3_MAJOR &&
                                        ssl->version.minor < TLSv1_3_MINOR) {
        return DoClientHello(ssl, input, inOutIdx, helloSz);
    }

    /* Client random */
    XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN);
    i += RAN_LEN;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("client random");
    WOLFSSL_BUFFER(ssl->arrays->clientRandom, RAN_LEN);
#endif

    /* Session id - empty in TLS v1.3.
     * A non-empty session id is rejected outright rather than skipped.
     */
    sessIdSz = input[i++];
    if (sessIdSz > 0) {
        WOLFSSL_MSG("Client sent session id - not supported");
        return BUFFER_ERROR;
    }

    /* Cipher suites */
    if ((i - begin) + OPAQUE16_LEN > helloSz)
        return BUFFER_ERROR;
    ato16(&input[i], &clSuites.suiteSz);
    i += OPAQUE16_LEN;
    /* suites and compression length check */
    if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz)
        return BUFFER_ERROR;
    /* Second bound: the list must also fit the local clSuites.suites array
     * before it is copied.
     */
    if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ)
        return BUFFER_ERROR;
    XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz);
    i += clSuites.suiteSz;
    clSuites.hashSigAlgoSz = 0;

    /* Compression: exactly one method, and it must be "no compression". */
    b = input[i++];
    if ((i - begin) + b > helloSz)
        return BUFFER_ERROR;
    if (b != COMP_LEN) {
        WOLFSSL_MSG("Must be one compression type in list");
        return INVALID_PARAMETER;
    }
    b = input[i++];
    if (b != NO_COMPRESSION) {
        WOLFSSL_MSG("Must be no compression type in list");
        return INVALID_PARAMETER;
    }

    /* TLS v1.3 ClientHello messages will have extensions. */
    if ((i - begin) >= helloSz) {
        WOLFSSL_MSG("ClientHello must have extensions in TLS v1.3");
        return BUFFER_ERROR;
    }
    if ((i - begin) + OPAQUE16_LEN > helloSz)
        return BUFFER_ERROR;
    ato16(&input[i], &totalExtSz);
    i += OPAQUE16_LEN;
    /* The declared extensions block must lie inside the message. */
    if ((i - begin) + totalExtSz > helloSz)
        return BUFFER_ERROR;

#ifdef HAVE_QSH
    QSH_Init(ssl);
#endif

    /* Auto populate extensions supported unless user defined. */
    if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0)
        return ret;

    /* Parse extensions */
    if ((ret = TLSX_Parse(ssl, (byte*)input + i, totalExtSz, client_hello,
                                                                  &clSuites))) {
        return ret;
    }

#ifdef HAVE_STUNNEL
    if ((ret = SNI_Callback(ssl)) != 0)
        return ret;
#endif /*HAVE_STUNNEL*/

    /* With no supported_versions extension present, the minor version from
     * the legacy version field of the message is adopted.
     */
    if (TLSX_Find(ssl->extensions, TLSX_SUPPORTED_VERSIONS) == NULL)
        ssl->version.minor = pv.minor;

#ifdef WOLFSSL_SEND_HRR_COOKIE
    /* After a HelloRetryRequest that carried a cookie, the second ClientHello
     * must return it; the transcript is rebuilt from the cookie contents.
     */
    if (ssl->options.sendCookie &&
            ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
        TLSX* ext;

        if ((ext = TLSX_Find(ssl->extensions, TLSX_COOKIE)) == NULL)
            return HRR_COOKIE_ERROR;
        /* Ensure the cookie came from client and isn't the one in the response
         * - HelloRetryRequest.
         */
        if (ext->resp == 1)
            return HRR_COOKIE_ERROR;
        /* Authenticates the cookie before its contents are hashed. */
        ret = RestartHandshakeHashWithCookie(ssl, (Cookie*)ext->data);
        if (ret != 0)
            return ret;
    }
#endif

    /* Default to sending the certificate; the PSK path clears this again. */
    ssl->options.sendVerify = SEND_CERT;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    /* Process the Pre-Shared Key extension if present. */
    ret = DoPreSharedKeys(ssl, input + begin, helloSz, &usingPSK);
    if (ret != 0)
        return ret;
#endif

    if (!usingPSK) {
        /* Full handshake: pick a cipher suite from the client's list. */
        if ((ret = MatchSuite(ssl, &clSuites)) < 0) {
            WOLFSSL_MSG("Unsupported cipher suite, ClientHello");
            return ret;
        }

#ifdef HAVE_SESSION_TICKET
        /* A resumption attempt that did not end in a usable PSK: drop the
         * resuming flag, clear the key copied from the session and start the
         * transcript hash afresh.
         */
        if (ssl->options.resuming) {
            ssl->options.resuming = 0;
            XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size);
            /* May or may not have done any hashing. */
            if ((ret = InitHandshakeHashes(ssl)) != 0)
                return ret;
        }
#endif

        /* Hash the whole ClientHello in one go. */
        if ((ret = HashInput(ssl, input + begin, helloSz)) != 0)
            return ret;

        /* Derive early secret for handshake secret. */
        if ((ret = DeriveEarlySecret(ssl)) != 0)
            return ret;
    }

    /* Step over the extensions block that was validated above. */
    i += totalExtSz;
    *inOutIdx = i;

    ssl->options.clientState = CLIENT_HELLO_COMPLETE;

    WOLFSSL_LEAVE("DoTls13ClientHello", ret);

    return ret;
}
wolfSSL 12:1a06964c2adb 3431
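/* Send the HelloRetryRequest message to indicate the negotiated protocol
 * version and security parameters the server is willing to use.
 * Only a server will send this message.
 *
 * The message is written into the SSL object's output buffer, added to the
 * handshake hash and, unless messages are being grouped, sent immediately.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure (MISSING_HANDSHAKE_DATA when there
 *         are no extensions to send).
 */
int SendTls13HelloRetryRequest(WOLFSSL* ssl)
{
    int    ret;
    byte*  output;
    word32 length;
    word32 len;
    word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    int    sendSz;

    WOLFSSL_ENTER("SendTls13HelloRetryRequest");

#ifndef WOLFSSL_TLS13_DRAFT_18
    if ((ret = RestartHandshakeHash(ssl)) < 0)
        return ret;
#endif

    /* Get the length of the extensions that will be written. */
    len = TLSX_GetResponseSize(ssl, hello_retry_request);
    /* There must be extensions sent to indicate what client needs to do. */
    if (len == 0)
        return MISSING_HANDSHAKE_DATA;

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Protocol version + CipherSuite + Extensions */
    length = OPAQUE16_LEN + OPAQUE16_LEN + len;
#else
    /* Protocol version + Extensions.
     * The Draft 18 build writes no cipher suite below, so it must not be
     * counted. Counting it makes the headers and sendSz cover two bytes this
     * function never writes, and leaves the hashed length short of the
     * length on the wire.
     */
    length = OPAQUE16_LEN + len;
#endif
    sendSz = idx + length;

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;
    /* Add record and handshake headers. */
    AddTls13Headers(output, length, hello_retry_request, ssl);

    /* TODO: [TLS13] Replace existing code with code in comment.
     * Use the TLS v1.3 draft version for now.
     *
     * Change to:
     *   output[idx++] = ssl->version.major;
     *   output[idx++] = ssl->version.minor;
     */
    /* The negotiated protocol version. */
    output[idx++] = TLS_DRAFT_MAJOR;
    output[idx++] = TLS_DRAFT_MINOR;

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Chosen cipher suite */
    output[idx++] = ssl->options.cipherSuite0;
    output[idx++] = ssl->options.cipherSuite;
#endif

    /* Add TLS extensions. */
    TLSX_WriteResponse(ssl, output + idx, hello_retry_request);
    idx += len;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName("HelloRetryRequest", &ssl->handShakeInfo);
    if (ssl->toInfoOn) {
        AddPacketInfo("HelloRetryRequest", &ssl->timeoutInfo, output, sendSz,
                      ssl->heap);
    }
#endif

    /* idx now equals sendSz: everything written is what gets hashed. */
    if ((ret = HashOutput(ssl, output, idx, 0)) != 0)
        return ret;

    ssl->buffers.outputBuffer.length += sendSz;

    /* When grouping messages the data stays buffered for a later send. */
    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13HelloRetryRequest", ret);

    return ret;
}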
wolfSSL 12:1a06964c2adb 3517
/* Build the TLS v1.3 ServerHello message and queue it for sending.
 * Only a server will send this message.
 *
 * The body is written directly into the output buffer in this order:
 * protocol version, server random, chosen cipher suite, server_hello
 * extensions. The finished record is passed to HashOutput() and is flushed
 * straight away unless message grouping is enabled.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13ServerHello(WOLFSSL* ssl)
{
    word32 pos = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    word32 bodySz;
    byte*  msg;
    int    totalSz;
    int    rc;

    WOLFSSL_ENTER("SendTls13ServerHello");

    /* Body = protocol version + server random + cipher suite + extensions. */
    bodySz  = VERSION_SZ + RAN_LEN + SUITE_LEN;
    bodySz += TLSX_GetResponseSize(ssl, server_hello);
    totalSz = pos + bodySz;

    /* Grow the output buffer if the whole record does not fit. */
    rc = CheckAvailableSize(ssl, totalSz);
    if (rc != 0)
        return rc;

    /* The new message starts where the already queued output ends. */
    msg = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.length;

    /* Record and handshake headers. */
    AddTls13Headers(msg, bodySz, server_hello, ssl);

    /* TODO: [TLS13] Replace existing code with code in comment.
     * Use the TLS v1.3 draft version for now.
     *
     * Change to:
     *   output[idx++] = ssl->version.major;
     *   output[idx++] = ssl->version.minor;
     */
    /* The negotiated protocol version. */
    msg[pos++] = TLS_DRAFT_MAJOR;
    msg[pos++] = TLS_DRAFT_MINOR;

    /* Server random comes straight from the connection's RNG; a failure
     * here aborts the message rather than sending a partly filled random.
     */
    rc = wc_RNG_GenerateBlock(ssl->rng, msg + pos, RAN_LEN);
    if (rc != 0)
        return rc;
    /* Keep a copy in the SSL object for debugging. */
    XMEMCPY(ssl->arrays->serverRandom, msg + pos, RAN_LEN);
    pos += RAN_LEN;

    #ifdef WOLFSSL_DEBUG_TLS
        WOLFSSL_MSG("Server random");
        WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN);
    #endif

    /* Chosen cipher suite. */
    msg[pos++] = ssl->options.cipherSuite0;
    msg[pos++] = ssl->options.cipherSuite;

    /* Extensions. The return value is not used: the record size relies on
     * the TLSX_GetResponseSize() result computed above.
     */
    TLSX_WriteResponse(ssl, msg + pos, server_hello);

    /* NOTE(review): the buffer length is advanced before HashOutput() is
     * checked, so a hashing failure leaves the message queued - confirm the
     * caller discards the connection on error.
     */
    ssl->buffers.outputBuffer.length += totalSz;

    rc = HashOutput(ssl, msg, totalSz, 0);
    if (rc != 0)
        return rc;

    #ifdef WOLFSSL_CALLBACKS
        if (ssl->hsInfoOn)
            AddPacketName("ServerHello", &ssl->handShakeInfo);
        if (ssl->toInfoOn) {
            AddPacketInfo("ServerHello", &ssl->timeoutInfo, msg, totalSz,
                          ssl->heap);
        }
    #endif

    ssl->options.serverState = SERVER_HELLO_COMPLETE;

    /* Flush now unless handshake messages are being grouped. */
    if (!ssl->options.groupMessages)
        rc = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13ServerHello", rc);

    return rc;
}
wolfSSL 12:1a06964c2adb 3603
/* Send the remaining extensions, encrypted under the handshake keys.
 * This message is always encrypted in TLS v1.3.
 * Only a server will send this message.
 *
 * This is the first encrypted message of the flight, so the handshake
 * secret and the handshake traffic keys are derived and installed here
 * before the message is built.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13EncryptedExtensions(WOLFSSL* ssl)
{
    word32 pos = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    word32 extSz;
    byte*  msg;
    int    totalSz;
    int    rc;

    WOLFSSL_ENTER("SendTls13EncryptedExtensions");

    /* Set before the keys exist; every early return below leaves it set. */
    ssl->keys.encryptionOn = 1;

    /* Derive the handshake secret now that we are at the first message to
     * be encrypted under the keys.
     */
    rc = DeriveHandshakeSecret(ssl);
    if (rc != 0)
        return rc;
    rc = DeriveTls13Keys(ssl, handshake_key, ENCRYPT_AND_DECRYPT_SIDE, 1);
    if (rc != 0)
        return rc;

    /* Install the encrypt/decrypt keys for the following messages. */
    #ifdef WOLFSSL_EARLY_DATA
        rc = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
        if (rc != 0)
            return rc;
        /* NOTE(review): earlyData == 2 presumably means early data is still
         * being read under the early keys, so the decrypt side is not
         * switched yet - confirm against the early-data state values.
         */
        if (ssl->earlyData != 2) {
            rc = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);
            if (rc != 0)
                return rc;
        }
    #else
        rc = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE);
        if (rc != 0)
            return rc;
    #endif

    extSz   = TLSX_GetResponseSize(ssl, encrypted_extensions);
    totalSz = pos + extSz;
    /* Encryption always on: leave room for the record protection overhead. */
    totalSz += MAX_MSG_EXTRA;

    /* Grow the output buffer if the whole record does not fit. */
    rc = CheckAvailableSize(ssl, totalSz);
    if (rc != 0)
        return rc;

    /* The new message starts where the already queued output ends. */
    msg = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.length;

    /* Record and handshake headers. */
    AddTls13Headers(msg, extSz, encrypted_extensions, ssl);

    TLSX_WriteResponse(ssl, msg + pos, encrypted_extensions);
    pos += extSz;

    #ifdef WOLFSSL_CALLBACKS
        if (ssl->hsInfoOn)
            AddPacketName("EncryptedExtensions", &ssl->handShakeInfo);
        /* NOTE(review): totalSz still includes the MAX_MSG_EXTRA allowance
         * here, so the length given to AddPacketInfo is larger than the
         * plaintext written so far.
         */
        if (ssl->toInfoOn) {
            AddPacketInfo("EncryptedExtensions", &ssl->timeoutInfo, msg,
                          totalSz, ssl->heap);
        }
    #endif

    /* This handshake message is always encrypted; the record is built in
     * place over the plaintext and the call returns the final record size.
     */
    totalSz = BuildTls13Message(ssl, msg, totalSz, msg + RECORD_HEADER_SZ,
                                pos - RECORD_HEADER_SZ, handshake, 1, 0, 0);
    if (totalSz < 0)
        return totalSz;

    ssl->buffers.outputBuffer.length += totalSz;

    ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;

    /* Flush now unless handshake messages are being grouped. */
    if (!ssl->options.groupMessages)
        rc = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13EncryptedExtensions", rc);

    return rc;
}
wolfSSL 12:1a06964c2adb 3691
wolfSSL 12:1a06964c2adb 3692 #ifndef NO_CERTS
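/* Send the TLS v1.3 CertificateRequest message.
 * This message is always encrypted in TLS v1.3.
 * Only a server will send this message.
 *
 * The request context is carried behind a one-byte length field, so its
 * length must fit in a byte. Out-of-range lengths and a missing context
 * buffer are rejected before anything is sized or copied.
 *
 * ssl        SSL/TLS object.
 * reqCtx     Request context. May be NULL only when reqCtxLen is 0.
 * reqCtxLen  Length of context, 0 to 255. 0 when sending as part of
 *            handshake.
 * returns 0 on success, BAD_FUNC_ARG when the context arguments are invalid,
 * otherwise failure.
 */
static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx,
                                       int reqCtxLen)
{
    byte*  output;
    int    ret;
    int    sendSz;
    word32 i;
    int    reqSz;
    #ifndef WOLFSSL_TLS13_DRAFT_18
    TLSX*  ext;
    #endif

    WOLFSSL_ENTER("SendTls13CertificateRequest");

    /* reqCtxLen is written as a single byte and also used as a copy length:
     * a negative value would shrink reqSz and turn into a huge XMEMCPY size,
     * a value above 0xFF would be truncated in the length byte.
     */
    if (reqCtxLen < 0 || reqCtxLen > 0xFF ||
                                        (reqCtxLen != 0 && reqCtx == NULL)) {
        return BAD_FUNC_ARG;
    }

    if (ssl->options.side == WOLFSSL_SERVER_END)
        InitSuitesHashSigAlgo(ssl->suites, 1, 1, 0, 1, ssl->buffers.keySz);

    #ifdef WOLFSSL_TLS13_DRAFT_18
    i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    /* Context length byte + context + two empty 16-bit length vectors
     * (certificate authorities, certificate extensions).
     */
    reqSz = OPAQUE8_LEN + reqCtxLen + REQ_HEADER_SZ + REQ_HEADER_SZ;
    /* Supported signature algorithms with their 16-bit length. */
    reqSz += LENGTH_SZ + ssl->suites->hashSigAlgoSz;

    sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz;
    /* Always encrypted and make room for padding. */
    sendSz += MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, reqSz, certificate_request, ssl);

    /* Certificate request context. */
    output[i++] = (byte)reqCtxLen;
    if (reqCtxLen != 0) {
        XMEMCPY(output + i, reqCtx, reqCtxLen);
        i += reqCtxLen;
    }

    /* supported hash/sig */
    c16toa(ssl->suites->hashSigAlgoSz, &output[i]);
    i += LENGTH_SZ;

    XMEMCPY(&output[i], ssl->suites->hashSigAlgo, ssl->suites->hashSigAlgoSz);
    i += ssl->suites->hashSigAlgoSz;

    /* Certificate authorities not supported yet - empty buffer. */
    c16toa(0, &output[i]);
    i += REQ_HEADER_SZ;

    /* Certificate extensions - none sent, empty buffer. */
    c16toa(0, &output[i]);
    i += REQ_HEADER_SZ;
    #else
    ext = TLSX_Find(ssl->extensions, TLSX_SIGNATURE_ALGORITHMS);
    if (ext == NULL)
        return EXT_MISSING;
    /* NOTE(review): presumably cleared so that the signature algorithms
     * extension is written by TLSX_WriteRequest() below - confirm.
     */
    ext->resp = 0;

    i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    reqSz = OPAQUE8_LEN + reqCtxLen +
            TLSX_GetRequestSize(ssl, certificate_request);

    sendSz = i + reqSz;
    /* Always encrypted and make room for padding. */
    sendSz += MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, reqSz, certificate_request, ssl);

    /* Certificate request context. */
    output[i++] = (byte)reqCtxLen;
    if (reqCtxLen != 0) {
        XMEMCPY(output + i, reqCtx, reqCtxLen);
        i += reqCtxLen;
    }

    /* Certificate extensions. */
    i += TLSX_WriteRequest(ssl, output + i, certificate_request);
    #endif

    /* Always encrypted. The record is built in place and the call returns
     * the final record size.
     */
    sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
                               i - RECORD_HEADER_SZ, handshake, 1, 0, 0);
    if (sendSz < 0)
        return sendSz;

    #ifdef WOLFSSL_CALLBACKS
        if (ssl->hsInfoOn)
            AddPacketName("CertificateRequest", &ssl->handShakeInfo);
        if (ssl->toInfoOn) {
            AddPacketInfo("CertificateRequest", &ssl->timeoutInfo, output,
                          sendSz, ssl->heap);
        }
    #endif

    ssl->buffers.outputBuffer.length += sendSz;
    /* Flush now unless handshake messages are being grouped. */
    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13CertificateRequest", ret);

    return ret;
}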
wolfSSL 12:1a06964c2adb 3819 #endif /* NO_CERTS */
wolfSSL 12:1a06964c2adb 3820 #endif /* NO_WOLFSSL_SERVER */
wolfSSL 12:1a06964c2adb 3821
wolfSSL 12:1a06964c2adb 3822 #ifndef NO_CERTS
wolfSSL 12:1a06964c2adb 3823 #if !defined(NO_RSA) || defined(HAVE_ECC)
/* Encode the signature algorithm into a two-byte buffer.
 *
 * The byte order depends on the signature type: ECDSA is written as
 * (hash, signature), RSA-PSS as (signature, hash), and Ed25519 as a fixed
 * two-byte code. Any other hsType leaves output untouched, so callers must
 * only pass a type that is handled in this build.
 *
 * hashAlgo  The hash algorithm.
 * hsType    The signature type.
 * output    The buffer to encode into; at least two bytes.
 */
static INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output)
{
    switch (hsType) {
    #ifdef HAVE_ECC
        case ecc_dsa_sa_algo:
            output[0] = hashAlgo;
            output[1] = ecc_dsa_sa_algo;
            return;
        /* NOTE(review): the Ed25519 case is only compiled when HAVE_ECC is
         * also defined - confirm that is intended.
         */
        #ifdef HAVE_ED25519
        /* ED25519: 0x0807 */
        case ed25519_sa_algo:
            output[0] = ED25519_SA_MAJOR;
            output[1] = ED25519_SA_MINOR;
            return;
        #endif
    #endif
    #ifndef NO_RSA
        /* PSS signatures: 0x080[4-6] */
        case rsa_pss_sa_algo:
            output[0] = rsa_pss_sa_algo;
            output[1] = hashAlgo;
            return;
    #endif
        /* ED448: 0x0808 */
        default:
            /* Unhandled signature type: nothing is written. */
            return;
    }
}
wolfSSL 12:1a06964c2adb 3856
/* Decode a two-byte signature algorithm.
 *
 * When the first byte is NEW_SA_MAJOR the pair is read as
 * (signature, hash) or as the fixed Ed25519 code; otherwise it is read as
 * (hash, signature).
 *
 * If the first byte is NEW_SA_MAJOR and the second byte matches none of the
 * checks, neither output is written, so callers should initialise both
 * outputs before the call and validate the result afterwards.
 * NOTE(review): the range check accepts every second byte up to sha512_mac,
 * which is wider than the 0x080[4-6] PSS codes named in the comment; the
 * hash is presumably validated later by the caller - confirm.
 *
 * input     The encoded signature algorithm; two bytes are read.
 * hashAlgo  The hash algorithm.
 * hsType    The signature type.
 */
static INLINE void DecodeSigAlg(byte* input, byte* hashAlgo, byte* hsType)
{
    if (input[0] != NEW_SA_MAJOR) {
        /* Legacy layout: hash first, signature second. */
        *hashAlgo = input[0];
        *hsType   = input[1];
        return;
    }

    /* PSS signatures: 0x080[4-6] */
    if (input[1] <= sha512_mac) {
        *hsType   = input[0];
        *hashAlgo = input[1];
    }
    #ifdef HAVE_ED25519
    /* ED25519: 0x0807 */
    if (input[1] == ED25519_SA_MINOR) {
        *hsType = ed25519_sa_algo;
        /* Hash performed as part of sign/verify operation. */
        *hashAlgo = sha512_mac;
    }
    #endif
    /* ED448: 0x0808 */
}
wolfSSL 12:1a06964c2adb 3888
/* Get the hash of the handshake messages so far.
 *
 * The digest is selected by the cipher suite's MAC algorithm. When that
 * algorithm matches no case compiled into this build, nothing is written to
 * hash and 0 is returned, so a return of 0 must not be treated as a valid
 * digest by callers.
 *
 * ssl   The SSL/TLS object.
 * hash  The buffer to write the hash to; must hold the selected digest.
 * returns the length of the hash on success, the error from the hash
 * function on failure, or 0 when no hash was produced.
 */
static INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash)
{
    int rc = 0;

    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            rc = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            rc = (rc != 0) ? rc : SHA256_DIGEST_SIZE;
            break;
    #endif /* !NO_SHA256 */
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            rc = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            rc = (rc != 0) ? rc : SHA384_DIGEST_SIZE;
            break;
    #endif /* WOLFSSL_SHA384 */
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            rc = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            rc = (rc != 0) ? rc : SHA512_DIGEST_SIZE;
            break;
    #endif /* WOLFSSL_TLS13_SHA512 */
        default:
            /* No matching digest in this build: rc stays 0. */
            break;
    }

    return rc;
}
wolfSSL 12:1a06964c2adb 3923
/* Length of the certificate verification label - same for client and server.
 * Each label below is 33 characters, so the 34th byte of the array is the
 * string's terminating zero. All 34 bytes are copied into the signed data,
 * which supplies the zero separator byte TLS v1.3 places between the
 * context string and the handshake hash.
 */
#define CERT_VFY_LABEL_SZ    34

/* Label used when the server's CertificateVerify is signed or checked. */
static const byte serverCertVfyLabel[CERT_VFY_LABEL_SZ] =
    "TLS 1.3, server CertificateVerify";

/* Label used when the client's CertificateVerify is signed or checked. */
static const byte clientCertVfyLabel[CERT_VFY_LABEL_SZ] =
    "TLS 1.3, client CertificateVerify";

/* Number of prefix bytes at the start of the signature data. */
#define SIGNING_DATA_PREFIX_SZ     64
/* Value of every prefix byte (0x20 is an ASCII space). */
#define SIGNING_DATA_PREFIX_BYTE   0x20
/* Largest signature data: prefix, label and the biggest supported digest. */
#define MAX_SIG_DATA_SZ \
    (SIGNING_DATA_PREFIX_SZ + CERT_VFY_LABEL_SZ + MAX_DIGEST_SIZE)
wolfSSL 12:1a06964c2adb 3941
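/* Create the signature data for TLS v1.3 certificate verification.
 *
 * Signature Data = Prefix | Label | Handshake Hash
 *
 * The label names the signer: the client label is used when a client signs
 * or a server checks, the server label when a server signs or a client
 * checks. The call fails rather than produce data with no label or no
 * handshake hash, since a signature over such data would not be bound to
 * this handshake.
 *
 * ssl        The SSL/TLS object.
 * sigData    The signature data; callers in view pass a buffer of
 *            MAX_SIG_DATA_SZ bytes.
 * sigDataSz  The length of the signature data. Only set on success.
 * check      Indicates this is a check not create.
 * returns 0 on success, BAD_FUNC_ARG when the side is neither client nor
 * server or no handshake hash is available, otherwise the hash error.
 */
static int CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz,
                         int check)
{
    word16      idx;
    int         side = ssl->options.side;
    int         ret;
    const byte* label;

    if ((side == WOLFSSL_SERVER_END && check) ||
        (side == WOLFSSL_CLIENT_END && !check)) {
        label = clientCertVfyLabel;
    }
    else if ((side == WOLFSSL_CLIENT_END && check) ||
             (side == WOLFSSL_SERVER_END && !check)) {
        label = serverCertVfyLabel;
    }
    else {
        /* Unknown side: the label bytes would be left uninitialised. */
        return BAD_FUNC_ARG;
    }

    /* Signature Data = Prefix | Label | Handshake Hash */
    XMEMSET(sigData, SIGNING_DATA_PREFIX_BYTE, SIGNING_DATA_PREFIX_SZ);
    idx = SIGNING_DATA_PREFIX_SZ;

    /* The label's terminating zero byte is part of CERT_VFY_LABEL_SZ. */
    XMEMCPY(&sigData[idx], label, CERT_VFY_LABEL_SZ);
    idx += CERT_VFY_LABEL_SZ;

    ret = GetMsgHash(ssl, &sigData[idx]);
    if (ret < 0)
        return ret;
    /* GetMsgHash returns 0 when the MAC algorithm matches no supported
     * digest; nothing was written, so do not report success.
     */
    if (ret == 0)
        return BAD_FUNC_ARG;

    *sigDataSz = (word16)(idx + ret);

    return 0;
}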
wolfSSL 12:1a06964c2adb 3979
wolfSSL 12:1a06964c2adb 3980 #ifndef NO_RSA
/* Digest the signature data for an RSA signature.
 *
 * Despite the name, the visible body only hashes sigData with the selected
 * algorithm and writes the digest to sig; no further encoding is applied.
 * The only caller in view passes the same buffer for sig and sigData.
 * NOTE(review): the build guards here (NO_WOLFSSL_SHA256, WOLFSSL_SHA512)
 * differ from those used by GetMsgHash (NO_SHA256, WOLFSSL_TLS13_SHA512) -
 * confirm that is intended.
 *
 * sig        The buffer to place the digest into.
 * sigData    The data to be signed.
 * sigDataSz  The size of the data to be signed.
 * sigAlgo    The signature algorithm. Not used.
 * hashAlgo   The hash algorithm to use when signing.
 * returns the length of the digest, BAD_FUNC_ARG when hashAlgo is not
 * supported in this build, or the hash function's error.
 */
static int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz,
                               int sigAlgo, int hashAlgo)
{
    Digest digest;
    int    digestSz = 0;
    int    rc       = BAD_FUNC_ARG;

    (void)sigAlgo;

    /* Digest the signature data. */
    switch (hashAlgo) {
    #ifndef NO_WOLFSSL_SHA256
        case sha256_mac:
            digestSz = SHA256_DIGEST_SIZE;
            rc = wc_InitSha256(&digest.sha256);
            if (rc != 0)
                break;
            rc = wc_Sha256Update(&digest.sha256, sigData, sigDataSz);
            if (rc == 0)
                rc = wc_Sha256Final(&digest.sha256, sig);
            wc_Sha256Free(&digest.sha256);
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            digestSz = SHA384_DIGEST_SIZE;
            rc = wc_InitSha384(&digest.sha384);
            if (rc != 0)
                break;
            rc = wc_Sha384Update(&digest.sha384, sigData, sigDataSz);
            if (rc == 0)
                rc = wc_Sha384Final(&digest.sha384, sig);
            wc_Sha384Free(&digest.sha384);
            break;
    #endif
    #ifdef WOLFSSL_SHA512
        case sha512_mac:
            digestSz = SHA512_DIGEST_SIZE;
            rc = wc_InitSha512(&digest.sha512);
            if (rc != 0)
                break;
            rc = wc_Sha512Update(&digest.sha512, sigData, sigDataSz);
            if (rc == 0)
                rc = wc_Sha512Final(&digest.sha512, sig);
            wc_Sha512Free(&digest.sha512);
            break;
    #endif
        default:
            /* Unsupported hash: rc stays BAD_FUNC_ARG. */
            break;
    }

    return (rc == 0) ? digestSz : rc;
}
wolfSSL 12:1a06964c2adb 4046 #endif /* !NO_RSA */
wolfSSL 12:1a06964c2adb 4047
wolfSSL 12:1a06964c2adb 4048 #ifdef HAVE_ECC
/* Digest the signature data for an ECC signature.
 *
 * The data is hashed with the selected algorithm and the digest is written
 * back over the start of sigData, so the original signature data is lost.
 *
 * sigData    The data to be signed; overwritten with the digest.
 * sigDataSz  The size of the data to be signed.
 * hashAlgo   The hash algorithm to use when signing.
 * returns the length of the digest, BAD_FUNC_ARG when hashAlgo is not
 * supported in this build, or the hash function's error.
 */
static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo)
{
    Digest digest;
    int    digestSz = 0;
    int    rc       = BAD_FUNC_ARG;

    /* Digest the signature data. */
    switch (hashAlgo) {
    #ifndef NO_WOLFSSL_SHA256
        case sha256_mac:
            digestSz = SHA256_DIGEST_SIZE;
            rc = wc_InitSha256(&digest.sha256);
            if (rc != 0)
                break;
            rc = wc_Sha256Update(&digest.sha256, sigData, sigDataSz);
            if (rc == 0)
                rc = wc_Sha256Final(&digest.sha256, sigData);
            wc_Sha256Free(&digest.sha256);
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            digestSz = SHA384_DIGEST_SIZE;
            rc = wc_InitSha384(&digest.sha384);
            if (rc != 0)
                break;
            rc = wc_Sha384Update(&digest.sha384, sigData, sigDataSz);
            if (rc == 0)
                rc = wc_Sha384Final(&digest.sha384, sigData);
            wc_Sha384Free(&digest.sha384);
            break;
    #endif
    #ifdef WOLFSSL_SHA512
        case sha512_mac:
            digestSz = SHA512_DIGEST_SIZE;
            rc = wc_InitSha512(&digest.sha512);
            if (rc != 0)
                break;
            rc = wc_Sha512Update(&digest.sha512, sigData, sigDataSz);
            if (rc == 0)
                rc = wc_Sha512Final(&digest.sha512, sigData);
            wc_Sha512Free(&digest.sha512);
            break;
    #endif
        default:
            /* Unsupported hash: rc stays BAD_FUNC_ARG. */
            break;
    }

    return (rc == 0) ? digestSz : rc;
}
wolfSSL 12:1a06964c2adb 4107 #endif /* HAVE_ECC */
wolfSSL 12:1a06964c2adb 4108
wolfSSL 12:1a06964c2adb 4109 #ifndef NO_RSA
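/* Check that the decrypted signature matches the encoded signature
 * based on the digest of the signature data.
 *
 * Only RSA-PSS is checked here. Any other signature algorithm is rejected:
 * returning success without comparing decSig against the expected digest
 * would accept a CertificateVerify that was never verified.
 *
 * ssl       The SSL/TLS object.
 * sigAlgo   The signature algorithm used to generate signature.
 * hashAlgo  The hash algorithm used to generate signature.
 * decSig    The decrypted signature.
 * decSigSz  The size of the decrypted signature.
 * returns 0 on success, BAD_FUNC_ARG when sigAlgo is not RSA-PSS, otherwise
 * failure.
 */
static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo,
                             byte* decSig, word32 decSigSz)
{
    int    ret = 0;
    byte   sigData[MAX_SIG_DATA_SZ];
    word16 sigDataSz;
    word32 sigSz;
    enum wc_HashType hashType = WC_HASH_TYPE_NONE;

    /* Rebuild the data the peer should have signed (check mode). */
    ret = CreateSigData(ssl, sigData, &sigDataSz, 1);
    if (ret != 0)
        return ret;

    /* Fail closed: no comparison is implemented for other algorithms. */
    if (sigAlgo != rsa_pss_sa_algo)
        return BAD_FUNC_ARG;

    /* Rejects hash identifiers that have no PSS mapping. */
    ret = ConvertHashPss(hashAlgo, &hashType, NULL);
    if (ret < 0)
        return ret;

    /* PSS signature can be done in-place: the digest overwrites the start
     * of sigData.
     */
    ret = CreateRSAEncodedSig(sigData, sigData, sigDataSz, sigAlgo, hashAlgo);
    if (ret < 0)
        return ret;
    sigSz = ret;

    /* Compare the expected digest against the decrypted PSS encoding. */
    ret = wc_RsaPSS_CheckPadding(sigData, sigSz, decSig, decSigSz, hashType);

    return ret;
}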
wolfSSL 12:1a06964c2adb 4152 #endif /* !NO_RSA */
wolfSSL 12:1a06964c2adb 4153 #endif /* !NO_RSA || HAVE_ECC */
wolfSSL 12:1a06964c2adb 4154
/* Get the next certificate from the list for writing into the TLS v1.3
 * Certificate message.
 *
 * data    The certificate list; each entry is a 3-byte length followed by
 *         the certificate data.
 * length  The length of the certificate data in the list.
 * idx     On entry, the index of the next certificate. On exit, the index of
 *         the entry after it.
 * returns the length of the entry including its 3-byte length field.
 *         0 indicates no more certificates in the list.
 *
 * NOTE(review): the end of the list is only recognised when *idx equals
 * length exactly, and the length field is read without checking that it (or
 * the certificate it describes) lies inside the buffer. The list is assumed
 * to be well formed - confirm it is validated where the chain is loaded.
 */
static word32 NextCert(byte* data, word32 length, word32* idx)
{
    word32 entrySz = 0;

    if (*idx != length) {
        /* Length of the current ASN.1 encoded certificate. */
        c24to32(data + *idx, &entrySz);
        /* Count the 3-byte length field as part of the entry. */
        entrySz += 3;
        /* Step the caller's index over this entry. */
        *idx += entrySz;
    }

    return entrySz;
}
wolfSSL 12:1a06964c2adb 4183
/* Add certificate data and empty extension to output up to the fragment size.
 *
 * cert    The certificate data to write out.
 * len     The length of the certificate data.
 * idx     The start of the certificate data to write out.
 * fragSz  The maximum size of this fragment.
 * output  The buffer to write to.
 * returns the number of bytes written. The two-byte empty extension is only
 *         written when it fits after the copied data; otherwise it is left
 *         for a later call.
 */
static word32 AddCertExt(byte* cert, word32 len, word32 idx, word32 fragSz,
                         byte* output)
{
    word32 written = 0;
    /* Computed before the idx check on purpose: when idx == len this is 0 and
     * only the extension is written. */
    word32 copySz = min(len - idx, fragSz);

    if (idx < len) {
        XMEMCPY(output, cert + idx, copySz);
        written = copySz;
    }

    if (copySz + OPAQUE16_LEN <= fragSz) {
        /* Empty extension: a zero 16-bit length. */
        output[written]     = 0;
        output[written + 1] = 0;
        written += 2;
    }

    return written;
}
wolfSSL 12:1a06964c2adb 4212
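/* Send the certificate for this end and any CAs that help with validation.
 * This message is always encrypted in TLS v1.3.
 *
 * The message is split into fragments of at most the maximum record size (or
 * the negotiated maximum fragment size). ssl->fragOffset counts the
 * certificate bytes already written and is reset once sending completes with
 * anything other than WANT_WRITE.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 *
 * NOTE(review): len, idx, offset and p are locals, so the position inside the
 * CA chain is not carried across calls; only ssl->fragOffset persists.
 * Confirm resumption after WANT_WRITE with a multi-certificate chain.
 */
static int SendTls13Certificate(WOLFSSL* ssl)
{
    int    ret = 0;
    word32 certSz, certChainSz, headerSz, listSz, payloadSz;
    word32 length, maxFragment;
    word32 len = 0;
    word32 idx = 0;
    /* Starts equal to len + OPAQUE16_LEN so that the first pass through the
     * chain loop fetches the first CA certificate. */
    word32 offset = OPAQUE16_LEN;
    byte*  p = NULL;
    byte   certReqCtxLen = 0;
    byte*  certReqCtx = NULL;

    WOLFSSL_ENTER("SendTls13Certificate");

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
        certReqCtxLen = ssl->certReqCtx->len;
        certReqCtx = &ssl->certReqCtx->ctx;
    }
#endif

    if (ssl->options.sendVerify == SEND_BLANK_CERT) {
        certSz = 0;
        certChainSz = 0;
        headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ;
        length = headerSz;
        listSz = 0;
    }
    else {
        if (!ssl->buffers.certificate) {
            WOLFSSL_MSG("Send Cert missing certificate buffer");
            return BUFFER_ERROR;
        }
        /* Certificate Data */
        certSz = ssl->buffers.certificate->length;
        /* Cert Req Ctx Len | Cert Req Ctx | Cert List Len | Cert Data Len */
        headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ +
                   CERT_HEADER_SZ;
        /* Length of message data with one certificate and empty extensions. */
        length = headerSz + certSz + OPAQUE16_LEN;
        /* Length of list data with one certificate and empty extensions. */
        listSz = CERT_HEADER_SZ + certSz + OPAQUE16_LEN;

        /* Send rest of chain if sending cert (chain has leading size/s). */
        if (certSz > 0 && ssl->buffers.certChainCnt > 0) {
            /* The pointer to the current spot in the cert chain buffer. */
            p = ssl->buffers.certChain->buffer;
            /* Chain length including extensions. */
            certChainSz = ssl->buffers.certChain->length +
                          OPAQUE16_LEN * ssl->buffers.certChainCnt;
            length += certChainSz;
            listSz += certChainSz;
        }
        else
            certChainSz = 0;
    }

    /* Total handshake payload, used in the header of the first fragment. */
    payloadSz = length;

    /* Resuming: drop what was already written in earlier fragments. */
    if (ssl->fragOffset != 0)
        length -= (ssl->fragOffset + headerSz);

    maxFragment = MAX_RECORD_SIZE;

#ifdef HAVE_MAX_FRAGMENT
    if (ssl->max_fragment != 0 && maxFragment >= ssl->max_fragment)
        maxFragment = ssl->max_fragment;
#endif /* HAVE_MAX_FRAGMENT */

    while (length > 0 && ret == 0) {
        byte*  output = NULL;
        word32 fragSz = 0;
        word32 i = RECORD_HEADER_SZ;
        int    sendSz = RECORD_HEADER_SZ;

        if (ssl->fragOffset == 0) {
            /* First fragment also carries the handshake header. */
            if (headerSz + certSz + OPAQUE16_LEN + certChainSz <=
                                            maxFragment - HANDSHAKE_HEADER_SZ) {

                fragSz = headerSz + certSz + OPAQUE16_LEN + certChainSz;
            }
            else {
                fragSz = maxFragment - HANDSHAKE_HEADER_SZ;
            }
            sendSz += fragSz + HANDSHAKE_HEADER_SZ;
            i += HANDSHAKE_HEADER_SZ;
        }
        else {
            fragSz = min(length, maxFragment);
            sendSz += fragSz;
        }

        sendSz += MAX_MSG_EXTRA;

        /* Check buffers are big enough and grow if needed. */
        if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
            return ret;

        /* Get position in output buffer to write new message to. */
        output = ssl->buffers.outputBuffer.buffer +
                 ssl->buffers.outputBuffer.length;

        if (ssl->fragOffset == 0) {
            AddTls13FragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);

            /* Request context. */
            output[i++] = certReqCtxLen;
            if (certReqCtxLen > 0) {
                XMEMCPY(output + i, certReqCtx, certReqCtxLen);
                i += certReqCtxLen;
            }
            length -= OPAQUE8_LEN + certReqCtxLen;
            fragSz -= OPAQUE8_LEN + certReqCtxLen;
            /* Certificate list length. */
            c32to24(listSz, output + i);
            i += CERT_HEADER_SZ;
            length -= CERT_HEADER_SZ;
            fragSz -= CERT_HEADER_SZ;
            /* Leaf certificate data length. */
            if (certSz > 0) {
                c32to24(certSz, output + i);
                i += CERT_HEADER_SZ;
                length -= CERT_HEADER_SZ;
                fragSz -= CERT_HEADER_SZ;
            }
        }
        else
            AddTls13RecordHeader(output, fragSz, handshake, ssl);

        if (certSz > 0 && ssl->fragOffset < certSz + OPAQUE16_LEN) {
            /* Put in the leaf certificate and empty extension. */
            word32 copySz = AddCertExt(ssl->buffers.certificate->buffer, certSz,
                                       ssl->fragOffset, fragSz, output + i);

            i += copySz;
            ssl->fragOffset += copySz;
            length -= copySz;
            fragSz -= copySz;
        }
        if (certChainSz > 0 && fragSz > 0) {
            /* Put in the CA certificates with empty extensions.
             *
             * NOTE(review): if AddCertExt() returns 0 while fragSz is still
             * non-zero (it can when fewer than 2 bytes of the fragment remain
             * after a certificate's data), nothing in this loop changes and
             * it does not terminate - confirm and add a progress check.
             */
            while (fragSz > 0) {
                word32 l;

                if (offset == len + OPAQUE16_LEN) {
                    /* Find next CA certificate to write out. */
                    offset = 0;
                    /* Point at the entry about to be written. NextCert()
                     * moves idx past it, so take the address first; without
                     * this every CA after the first would be copied from the
                     * start of the chain buffer. */
                    p = ssl->buffers.certChain->buffer + idx;
                    len = NextCert(ssl->buffers.certChain->buffer,
                                   ssl->buffers.certChain->length, &idx);
                    if (len == 0)
                        break;
                }

                /* Write out certificate and empty extension. */
                l = AddCertExt(p, len, offset, fragSz, output + i);
                i += l;
                ssl->fragOffset += l;
                length -= l;
                fragSz -= l;
                offset += l;
            }
        }

        if ((int)i - RECORD_HEADER_SZ < 0) {
            WOLFSSL_MSG("Send Cert bad inputSz");
            return BUFFER_E;
        }

        /* This message is always encrypted. */
        sendSz = BuildTls13Message(ssl, output, sendSz,
                                   output + RECORD_HEADER_SZ,
                                   i - RECORD_HEADER_SZ, handshake, 1, 0, 0);
        if (sendSz < 0)
            return sendSz;

    #ifdef WOLFSSL_CALLBACKS
        if (ssl->hsInfoOn)
            AddPacketName("Certificate", &ssl->handShakeInfo);
        if (ssl->toInfoOn) {
            AddPacketInfo("Certificate", &ssl->timeoutInfo, output, sendSz,
                          ssl->heap);
        }
    #endif

        ssl->buffers.outputBuffer.length += sendSz;
        if (!ssl->options.groupMessages)
            ret = SendBuffered(ssl);
    }

    if (ret != WANT_WRITE) {
        /* Clean up the fragment offset. */
        ssl->fragOffset = 0;
        if (ssl->options.side == WOLFSSL_SERVER_END)
            ssl->options.serverState = SERVER_CERT_COMPLETE;
    }

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    /* The request context has been answered; unlink and free it. */
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
        CertReqCtx* ctx = ssl->certReqCtx;
        ssl->certReqCtx = ssl->certReqCtx->next;
        XFREE(ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    }
#endif

    WOLFSSL_LEAVE("SendTls13Certificate", ret);

    return ret;
}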
wolfSSL 12:1a06964c2adb 4427
/* Working state of SendTls13CertificateVerify(). With WOLFSSL_ASYNC_CRYPT it
 * lives in ssl->async.args so it survives a WC_PENDING_E return; otherwise it
 * is a local of that function. Heap members are released by FreeScv13Args().
 */
typedef struct Scv13Args {
    byte*  output; /* not allocated: points into ssl->buffers.outputBuffer */
#ifndef NO_RSA
    byte*  verifySig; /* allocated: copy of the RSA signature for self-check */
#endif
    byte*  verify; /* not allocated: output + record and handshake headers */
    word32 idx;    /* offset of verify within output */
    word32 sigLen; /* RSA signature size (in: maximum, out: actual) */
    int    sendSz; /* size reserved for, then size of, the message */
    word16 length; /* set by DecodePrivateKey(), later the signature length */

    byte   sigAlgo;   /* signature algorithm written into the message */
    byte*  sigData;   /* allocated: the data to be signed */
    word16 sigDataSz; /* number of bytes used in sigData */
} Scv13Args;
wolfSSL 12:1a06964c2adb 4443
/* Release the heap buffers held in a Scv13Args and clear the pointers so a
 * second call is harmless.
 *
 * ssl    The SSL/TLS object (supplies the heap hint).
 * pArgs  Pointer to the Scv13Args to clean up.
 */
static void FreeScv13Args(WOLFSSL* ssl, void* pArgs)
{
    Scv13Args* scv = (Scv13Args*)pArgs;

    (void)ssl;

#ifndef NO_RSA
    if (scv->verifySig != NULL) {
        XFREE(scv->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
        scv->verifySig = NULL;
    }
#endif
    if (scv->sigData != NULL) {
        XFREE(scv->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
        scv->sigData = NULL;
    }
}
wolfSSL 12:1a06964c2adb 4461
/* Send the TLS v1.3 CertificateVerify message.
 * A hash of all the message so far is used.
 * The signed data is:
 *     0x20 * 64 | context string | 0x00 | hash of messages
 * This message is always encrypted in TLS v1.3.
 *
 * The work is a state machine on ssl->options.asyncState whose cases fall
 * through: BEGIN reserves output space, BUILD prepares the data to sign, DO
 * signs, VERIFY re-checks an RSA signature, FINALIZE adds the headers and END
 * encrypts and queues the message. With WOLFSSL_ASYNC_CRYPT a WC_PENDING_E
 * result returns early and the next call resumes at the saved state.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13CertificateVerify(WOLFSSL* ssl)
{
    int ret = 0;
    buffer* sig = &ssl->buffers.sig;
#ifdef WOLFSSL_ASYNC_CRYPT
    Scv13Args* args = (Scv13Args*)ssl->async.args;
    /* Compile-time check that ssl->async.args is large enough to hold a
     * Scv13Args: the array size is -1 (a compile error) when it is not. */
    typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
    (void)sizeof(args_test);
#else
    Scv13Args args[1];
#endif

    WOLFSSL_ENTER("SendTls13CertificateVerify");

#ifdef WOLFSSL_ASYNC_CRYPT
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
    if (ret != WC_NOT_PENDING_E) {
        /* Check for error */
        if (ret < 0)
            goto exit_scv;
    }
    else
#endif
    {
        /* Reset state */
        ret = 0;
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
        /* Zeroing also sets the pointers FreeScv13Args() tests to NULL. */
        XMEMSET(args, 0, sizeof(Scv13Args));
    #ifdef WOLFSSL_ASYNC_CRYPT
        ssl->async.freeArgs = FreeScv13Args;
    #endif
    }

    switch(ssl->options.asyncState)
    {
        case TLS_ASYNC_BEGIN:
        {
            /* Nothing has been allocated yet, so returning directly here
             * skips no cleanup. */
            if (ssl->options.sendVerify == SEND_BLANK_CERT) {
                return 0;  /* sent blank cert, can't verify */
            }

            args->sendSz = MAX_CERT_VERIFY_SZ;
            /* Always encrypted.  */
            args->sendSz += MAX_MSG_EXTRA;

            /* check for available size */
            if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) {
                goto exit_scv;
            }

            /* get output buffer */
            args->output = ssl->buffers.outputBuffer.buffer +
                           ssl->buffers.outputBuffer.length;

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_BUILD;
        } /* case TLS_ASYNC_BEGIN */
        FALL_THROUGH;

        case TLS_ASYNC_BUILD:
        {
            /* idx is used to track verify pointer offset to output */
            args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
            args->verify = &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ];

            /* Loads the private key; args->length is set as an output
             * (used below as the maximum RSA signature size). */
            ret = DecodePrivateKey(ssl, &args->length);
            if (ret != 0)
                goto exit_scv;

            /* Add signature algorithm. */
            /* NOTE(review): there is no final else; for any other hsType
             * sigAlgo keeps the 0 from the XMEMSET above - presumably
             * DecodePrivateKey() only yields these key types, confirm. */
            if (ssl->hsType == DYNAMIC_TYPE_RSA)
                args->sigAlgo = rsa_pss_sa_algo;
            else if (ssl->hsType == DYNAMIC_TYPE_ECC)
                args->sigAlgo = ecc_dsa_sa_algo;
        #ifdef HAVE_ED25519
            else if (ssl->hsType == DYNAMIC_TYPE_ED25519)
                args->sigAlgo = ed25519_sa_algo;
        #endif
            EncodeSigAlg(ssl->suites->hashAlgo, args->sigAlgo, args->verify);

            /* Create the data to be signed. */
            args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
                                                    DYNAMIC_TYPE_SIGNATURE);
            if (args->sigData == NULL) {
                ERROR_OUT(MEMORY_E, exit_scv);
            }

            ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 0);
            if (ret != 0)
                goto exit_scv;

        #ifndef NO_RSA
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {
                /* build encoded signature buffer */
                sig->length = MAX_ENCODED_SIG_SZ;
                sig->buffer = (byte*)XMALLOC(sig->length, ssl->heap,
                                                    DYNAMIC_TYPE_SIGNATURE);
                if (sig->buffer == NULL) {
                    ERROR_OUT(MEMORY_E, exit_scv);
                }

                /* A non-negative return is the encoded size. */
                ret = CreateRSAEncodedSig(sig->buffer, args->sigData,
                    args->sigDataSz, args->sigAlgo, ssl->suites->hashAlgo);
                if (ret < 0)
                    goto exit_scv;
                sig->length = ret;
                ret = 0;

                /* Maximum size of RSA Signature. */
                args->sigLen = args->length;
            }
        #endif /* !NO_RSA */
        #ifdef HAVE_ECC
            if (ssl->hsType == DYNAMIC_TYPE_ECC) {
                /* Space left in the reserved output after the headers, the
                 * algorithm bytes and the signature length field. */
                sig->length = args->sendSz - args->idx - HASH_SIG_SIZE -
                              VERIFY_HEADER;
                /* Encodes in place; a non-negative return is the new size
                 * of the data in sigData. */
                ret = CreateECCEncodedSig(args->sigData,
                    args->sigDataSz, ssl->suites->hashAlgo);
                if (ret < 0)
                    goto exit_scv;
                args->sigDataSz = ret;
                ret = 0;
            }
        #endif /* HAVE_ECC */
        #ifdef HAVE_ED25519
            if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
                /* Nothing to do */
                sig->length = ED25519_SIG_SIZE;
            }
        #endif /* HAVE_ED25519 */

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_DO;
        } /* case TLS_ASYNC_BUILD */
        FALL_THROUGH;

        case TLS_ASYNC_DO:
        {
            /* Each signer writes the signature straight into the message,
             * after the algorithm bytes and the length field. */
        #ifdef HAVE_ECC
            if (ssl->hsType == DYNAMIC_TYPE_ECC) {
                ret = EccSign(ssl, args->sigData, args->sigDataSz,
                    args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
                    &sig->length, (ecc_key*)ssl->hsKey,
            #if defined(HAVE_PK_CALLBACKS)
                    ssl->buffers.key->buffer, ssl->buffers.key->length,
                    ssl->EccSignCtx
            #else
                    NULL, 0, NULL
            #endif
                );
                args->length = sig->length;
            }
        #endif /* HAVE_ECC */
        #ifdef HAVE_ED25519
            if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
                ret = Ed25519Sign(ssl, args->sigData, args->sigDataSz,
                    args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
                    &sig->length, (ed25519_key*)ssl->hsKey,
            #if defined(HAVE_PK_CALLBACKS)
                    ssl->buffers.key->buffer, ssl->buffers.key->length,
                    ssl->Ed25519SignCtx
            #else
                    NULL, 0, NULL
            #endif
                );
                args->length = sig->length;
            }
        #endif /* HAVE_ED25519 */
        #ifndef NO_RSA
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {

                ret = RsaSign(ssl, sig->buffer, sig->length,
                    args->verify + HASH_SIG_SIZE + VERIFY_HEADER, &args->sigLen,
                    args->sigAlgo, ssl->suites->hashAlgo,
                    (RsaKey*)ssl->hsKey,
                    ssl->buffers.key->buffer, ssl->buffers.key->length,
            #ifdef HAVE_PK_CALLBACKS
                    ssl->RsaSignCtx
            #else
                    NULL
            #endif
                );
                args->length = args->sigLen;
            }
        #endif /* !NO_RSA */

            /* Check for error */
            if (ret != 0) {
                goto exit_scv;
            }

            /* Add signature length. */
            c16toa(args->length, args->verify + HASH_SIG_SIZE);

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_VERIFY;
        } /* case TLS_ASYNC_DO */
        FALL_THROUGH;

        case TLS_ASYNC_VERIFY:
        {
        #ifndef NO_RSA
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {
                /* Work on a copy so the signature in the message is left
                 * untouched; allocated once, so an async re-entry reuses
                 * the same copy. */
                if (args->verifySig == NULL) {
                    args->verifySig = (byte*)XMALLOC(args->sigLen, ssl->heap,
                                                   DYNAMIC_TYPE_SIGNATURE);
                    if (args->verifySig == NULL) {
                        ERROR_OUT(MEMORY_E, exit_scv);
                    }
                    XMEMCPY(args->verifySig,
                        args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
                        args->sigLen);
                }

                /* check for signature faults */
                /* The signature just produced is verified against the
                 * encoded data before anything is sent; presumably so that a
                 * faulty RSA signature is never released to the peer. */
                ret = VerifyRsaSign(ssl, args->verifySig, args->sigLen,
                    sig->buffer, sig->length, args->sigAlgo,
                    ssl->suites->hashAlgo, (RsaKey*)ssl->hsKey);
            }
        #endif /* !NO_RSA */

            /* Check for error */
            if (ret != 0) {
                goto exit_scv;
            }

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_FINALIZE;
        } /* case TLS_ASYNC_VERIFY */
        FALL_THROUGH;

        case TLS_ASYNC_FINALIZE:
        {
            /* Put the record and handshake headers on. */
            AddTls13Headers(args->output, args->length + HASH_SIG_SIZE + VERIFY_HEADER,
                            certificate_verify, ssl);

            /* Actual plaintext size now that the signature length is known. */
            args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + args->length +
                           HASH_SIG_SIZE + VERIFY_HEADER;

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_END;
        } /* case TLS_ASYNC_FINALIZE */
        FALL_THROUGH;

        case TLS_ASYNC_END:
        {
            /* This message is always encrypted. */
            ret = BuildTls13Message(ssl, args->output,
                                    MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA,
                                    args->output + RECORD_HEADER_SZ,
                                    args->sendSz - RECORD_HEADER_SZ, handshake,
                                    1, 0, 0);

            if (ret < 0) {
                goto exit_scv;
            }
            else {
                /* A non-negative return is the size of the built message. */
                args->sendSz = ret;
                ret = 0;
            }

        #ifdef WOLFSSL_CALLBACKS
            if (ssl->hsInfoOn)
                AddPacketName("CertificateVerify", &ssl->handShakeInfo);
            if (ssl->toInfoOn) {
                AddPacketInfo("CertificateVerify", &ssl->timeoutInfo,
                              args->output, args->sendSz, ssl->heap);
            }
        #endif

            ssl->buffers.outputBuffer.length += args->sendSz;

            if (!ssl->options.groupMessages)
                ret = SendBuffered(ssl);
            break;
        }
        default:
            ret = INPUT_CASE_ERROR;
    } /* switch(ssl->options.asyncState) */

exit_scv:

    WOLFSSL_LEAVE("SendTls13CertificateVerify", ret);

#ifdef WOLFSSL_ASYNC_CRYPT
    /* Handle async operation */
    /* Return without cleanup so args and the saved state are still there
     * when the call is repeated. */
    if (ret == WC_PENDING_E) {
        return ret;
    }
#endif /* WOLFSSL_ASYNC_CRYPT */

    /* Final cleanup */
    /* Runs on success and on every error that reaches exit_scv. */
    FreeScv13Args(ssl, args);
    FreeKeyExchange(ssl);

    return ret;
}
wolfSSL 12:1a06964c2adb 4769
wolfSSL 12:1a06964c2adb 4770
/* Parse and handle a TLS v1.3 Certificate message.
 *
 * The message is handed to ProcessPeerCerts() and its result is returned
 * unchanged. When built for server use with WOLFSSL_POST_HANDSHAKE_AUTH, a
 * certificate accepted by a server whose handshake state is already
 * HANDSHAKE_DONE also rewinds the handshake state fields set below.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of Certificate.
 *           On exit, the index of byte after the Certificate message.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                              word32 totalSz)
{
    int status;

    WOLFSSL_ENTER("DoTls13Certificate");

    status = ProcessPeerCerts(ssl, input, inOutIdx, totalSz);

#if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
    if (status == 0) {
        /* Only a server that has already completed its handshake rewinds. */
        if (ssl->options.side == WOLFSSL_SERVER_END) {
            if (ssl->options.handShakeState == HANDSHAKE_DONE) {
                /* reset handshake states */
                ssl->options.serverState    = SERVER_FINISHED_COMPLETE;
                ssl->options.acceptState    = TICKET_SENT;
                ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
            }
        }
    }
#endif

    WOLFSSL_LEAVE("DoTls13Certificate", status);

    return status;
}
wolfSSL 12:1a06964c2adb 4803
wolfSSL 12:1a06964c2adb 4804 #if !defined(NO_RSA) || defined(HAVE_ECC)
wolfSSL 12:1a06964c2adb 4805
/* Working state for DoTls13CertificateVerify. */
typedef struct Dcv13Args {
    byte*  output; /* not allocated; receives the pointer set by RsaVerify */
    word32 sendSz; /* length returned by RsaVerify, passed on with output */
    word16 sz;     /* signature length read from the message */
    word32 sigSz;  /* not referenced by the code visible here */
    word32 idx;    /* current read index into the message buffer */
    word32 begin;  /* index of the start of the message, for bounds checks */
    byte   hashAlgo; /* hash algorithm decoded from the message */
    byte   sigAlgo;  /* signature algorithm decoded from the message */

    byte*  sigData;   /* allocated; released by FreeDcv13Args */
    word16 sigDataSz; /* number of bytes of sigData in use */
} Dcv13Args;
wolfSSL 12:1a06964c2adb 4819
/* Release the memory owned by a Dcv13Args object.
 *
 * Only sigData is owned by the structure; the pointer is cleared after the
 * free so a second call does nothing.
 *
 * ssl    The SSL/TLS object, used for its heap hint.
 * pArgs  The Dcv13Args object to clean up.
 */
static void FreeDcv13Args(WOLFSSL* ssl, void* pArgs)
{
    Dcv13Args* dcvArgs = (Dcv13Args*)pArgs;

    /* The heap hint may be unused depending on how XFREE is defined. */
    (void)ssl;

    if (dcvArgs->sigData == NULL)
        return;

    XFREE(dcvArgs->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
    dcvArgs->sigData = NULL;
}
wolfSSL 12:1a06964c2adb 4831
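/* Parse and handle a TLS v1.3 CertificateVerify message.
 *
 * The message is read as a signature algorithm (2 bytes), a signature length
 * (2 bytes) and the signature data. Each field is bounds-checked against
 * totalSz before it is read and the signature length is capped at ENCRYPT_LEN.
 *
 * The signature algorithm named in the message must have a matching peer
 * public key present. A mismatch fails with SIG_VERIFY_E rather than only
 * being logged: without that, a message naming an algorithm the peer holds no
 * key for reaches TLS_ASYNC_DO with no verify call selected for it.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of
 *           CertificateVerify.
 *           On exit, the index of byte after the CertificateVerify message.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure. With WOLFSSL_ASYNC_CRYPT,
 * WC_PENDING_E is returned with the state kept so the message is processed
 * again.
 */
static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                                    word32* inOutIdx, word32 totalSz)
{
    int         ret = 0;
    buffer*     sig = &ssl->buffers.sig;
#ifdef WOLFSSL_ASYNC_CRYPT
    Dcv13Args* args = (Dcv13Args*)ssl->async.args;
    /* Compile-time check that the async argument storage is large enough. */
    typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
    (void)sizeof(args_test);
#else
    Dcv13Args  args[1];
#endif

    WOLFSSL_ENTER("DoTls13CertificateVerify");

#ifdef WOLFSSL_ASYNC_CRYPT
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
    if (ret != WC_NOT_PENDING_E) {
        /* Check for error */
        if (ret < 0)
            goto exit_dcv;
    }
    else
#endif
    {
        /* Reset state */
        ret = 0;
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
        XMEMSET(args, 0, sizeof(Dcv13Args));
        args->hashAlgo = sha_mac;
        args->sigAlgo = anonymous_sa_algo;
        args->idx = *inOutIdx;
        args->begin = *inOutIdx;
    #ifdef WOLFSSL_ASYNC_CRYPT
        ssl->async.freeArgs = FreeDcv13Args;
    #endif
    }

    switch(ssl->options.asyncState)
    {
        case TLS_ASYNC_BEGIN:
        {
        #ifdef WOLFSSL_CALLBACKS
            if (ssl->hsInfoOn) AddPacketName("CertificateVerify",
                                             &ssl->handShakeInfo);
            if (ssl->toInfoOn) AddLateName("CertificateVerify",
                                           &ssl->timeoutInfo);
        #endif

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_BUILD;
        } /* case TLS_ASYNC_BEGIN */
        FALL_THROUGH;

        case TLS_ASYNC_BUILD:
        {
            /* Signature algorithm. */
            if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > totalSz) {
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
            }
            DecodeSigAlg(input + args->idx, &args->hashAlgo, &args->sigAlgo);
            args->idx += OPAQUE16_LEN;

            /* Signature length. */
            if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) {
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
            }
            ato16(input + args->idx, &args->sz);
            args->idx += OPAQUE16_LEN;

            /* Signature data. */
            if ((args->idx - args->begin) + args->sz > totalSz ||
                                                   args->sz > ENCRYPT_LEN) {
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
            }

            /* Check for public key of required type. The algorithm comes from
             * the peer's message, so a mismatch with the key taken from its
             * certificate is fatal and not just logged.
             */
        #ifdef HAVE_ED25519
            if (args->sigAlgo == ed25519_sa_algo &&
                                             !ssl->peerEd25519KeyPresent) {
                WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
                ERROR_OUT(SIG_VERIFY_E, exit_dcv);
            }
        #endif
        #ifdef HAVE_ECC
            if (args->sigAlgo == ecc_dsa_sa_algo &&
                                               !ssl->peerEccDsaKeyPresent) {
                WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
                ERROR_OUT(SIG_VERIFY_E, exit_dcv);
            }
        #endif
        #ifndef NO_RSA
            if ((args->sigAlgo == rsa_sa_algo ||
                 args->sigAlgo == rsa_pss_sa_algo) &&
                (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
                WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
                ERROR_OUT(SIG_VERIFY_E, exit_dcv);
            }
        #endif
            /* NOTE(review): a signature algorithm matching none of the types
             * checked above is not rejected here; confirm that the later
             * states fail closed for it.
             */

            /* Copy of the signature; args->sz was capped at ENCRYPT_LEN above.
             * Presumably released by FreeKeyExchange - confirm.
             */
            sig->buffer = (byte*)XMALLOC(args->sz, ssl->heap,
                                         DYNAMIC_TYPE_SIGNATURE);
            if (sig->buffer == NULL) {
                ERROR_OUT(MEMORY_E, exit_dcv);
            }
            sig->length = args->sz;
            XMEMCPY(sig->buffer, input + args->idx, args->sz);

        #ifdef HAVE_ECC
            if (ssl->peerEccDsaKeyPresent) {
                WOLFSSL_MSG("Doing ECC peer cert verify");

                args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
                                               DYNAMIC_TYPE_SIGNATURE);
                if (args->sigData == NULL) {
                    ERROR_OUT(MEMORY_E, exit_dcv);
                }

                ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
                if (ret != 0)
                    goto exit_dcv;
                ret = CreateECCEncodedSig(args->sigData,
                    args->sigDataSz, args->hashAlgo);
                if (ret < 0)
                    goto exit_dcv;
                /* A non-negative result is the new length of sigData. */
                args->sigDataSz = ret;
                ret = 0;
            }
        #endif
        #ifdef HAVE_ED25519
            if (ssl->peerEd25519KeyPresent) {
                WOLFSSL_MSG("Doing ED25519 peer cert verify");

                args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
                                               DYNAMIC_TYPE_SIGNATURE);
                if (args->sigData == NULL) {
                    ERROR_OUT(MEMORY_E, exit_dcv);
                }

                /* Do not verify against data that failed to build; the ECC
                 * path above checks this result the same way.
                 */
                ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
                if (ret != 0)
                    goto exit_dcv;
            }
        #endif

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_DO;
        } /* case TLS_ASYNC_BUILD */
        FALL_THROUGH;

        case TLS_ASYNC_DO:
        {
            /* The RSA verify is selected by the signature algorithm; the ECC
             * and ED25519 verifies are selected by which peer key is present.
             */
        #ifndef NO_RSA
            if (args->sigAlgo == rsa_sa_algo ||
                                         args->sigAlgo == rsa_pss_sa_algo) {
                WOLFSSL_MSG("Doing RSA peer cert verify");

                ret = RsaVerify(ssl, sig->buffer, sig->length, &args->output,
                    args->sigAlgo, args->hashAlgo, ssl->peerRsaKey,
                #ifdef HAVE_PK_CALLBACKS
                    ssl->buffers.peerRsaKey.buffer,
                    ssl->buffers.peerRsaKey.length,
                    ssl->RsaVerifyCtx
                #else
                    NULL, 0, NULL
                #endif
                );
                if (ret >= 0) {
                    /* A non-negative result is the length of the output. */
                    args->sendSz = ret;
                    ret = 0;
                }
            }
        #endif /* !NO_RSA */
        #ifdef HAVE_ECC
            if (ssl->peerEccDsaKeyPresent) {
                WOLFSSL_MSG("Doing ECC peer cert verify");

                ret = EccVerify(ssl, input + args->idx, args->sz,
                    args->sigData, args->sigDataSz,
                    ssl->peerEccDsaKey,
                #ifdef HAVE_PK_CALLBACKS
                    ssl->buffers.peerEccDsaKey.buffer,
                    ssl->buffers.peerEccDsaKey.length,
                    ssl->EccVerifyCtx
                #else
                    NULL, 0, NULL
                #endif
                );
            }
        #endif /* HAVE_ECC */
        #ifdef HAVE_ED25519
            if (ssl->peerEd25519KeyPresent) {
                WOLFSSL_MSG("Doing ED25519 peer cert verify");

                ret = Ed25519Verify(ssl, input + args->idx, args->sz,
                    args->sigData, args->sigDataSz,
                    ssl->peerEd25519Key,
                #ifdef HAVE_PK_CALLBACKS
                    ssl->buffers.peerEd25519Key.buffer,
                    ssl->buffers.peerEd25519Key.length,
                    ssl->Ed25519VerifyCtx
                #else
                    NULL, 0, NULL
                #endif
                );
            }
        #endif

            /* Check for error */
            if (ret != 0) {
                goto exit_dcv;
            }

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_VERIFY;
        } /* case TLS_ASYNC_DO */
        FALL_THROUGH;

        case TLS_ASYNC_VERIFY:
        {
        #ifndef NO_RSA
            if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
                ret = CheckRSASignature(ssl, args->sigAlgo, args->hashAlgo,
                                        args->output, args->sendSz);
                if (ret != 0)
                    goto exit_dcv;
            }
        #endif /* !NO_RSA */

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_FINALIZE;
        } /* case TLS_ASYNC_VERIFY */
        FALL_THROUGH;

        case TLS_ASYNC_FINALIZE:
        {
            ssl->options.havePeerVerify = 1;

            /* Set final index */
            args->idx += args->sz;
            *inOutIdx = args->idx;

            /* Encryption is always on: add padding */
            *inOutIdx += ssl->keys.padSz;

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_END;
        } /* case TLS_ASYNC_FINALIZE */
        FALL_THROUGH;

        case TLS_ASYNC_END:
        {
            break;
        }
        default:
            ret = INPUT_CASE_ERROR;
    } /* switch(ssl->options.asyncState) */

exit_dcv:

    WOLFSSL_LEAVE("DoTls13CertificateVerify", ret);

#ifdef WOLFSSL_ASYNC_CRYPT
    /* Handle async operation */
    if (ret == WC_PENDING_E) {
        /* Mark message as not received so it can process again */
        ssl->msgsReceived.got_certificate_verify = 0;

        return ret;
    }
#endif /* WOLFSSL_ASYNC_CRYPT */

    /* Final cleanup */
    FreeDcv13Args(ssl, args);
    FreeKeyExchange(ssl);

    return ret;
}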
wolfSSL 12:1a06964c2adb 5115 #endif /* !NO_RSA || HAVE_ECC */
wolfSSL 12:1a06964c2adb 5116
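/* Parse and handle a TLS v1.3 Finished message.
 *
 * The expected verify data is computed with BuildTls13HandshakeHmac() using
 * the peer's finished key and compared with the received bytes. The message
 * length must equal the computed length before the comparison runs. When
 * sniffing, the comparison is skipped.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of Finished.
 *           On exit, the index of byte after the Finished message and padding.
 * size      Length of message data.
 * totalSz   Length of remaining data in the message buffer.
 * sniff     Indicates whether we are sniffing packets.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                           word32 size, word32 totalSz, int sniff)
{
    int    ret;
    word32 finishedSz = 0;
    byte*  secret;
    byte   mac[MAX_DIGEST_SIZE];

    WOLFSSL_ENTER("DoTls13Finished");

    /* check against totalSz */
    if (*inOutIdx + size + ssl->keys.padSz > totalSz)
        return BUFFER_E;

    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        /* All the handshake messages have been received to calculate
         * client and server finished keys.
         */
        ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret,
                                   ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            return ret;

        ret = DeriveFinishedSecret(ssl, ssl->arrays->serverSecret,
                                   ssl->keys.server_write_MAC_secret);
        if (ret != 0)
            return ret;

        /* A client checks the server's Finished message. */
        secret = ssl->keys.server_write_MAC_secret;
    }
    else
        secret = ssl->keys.client_write_MAC_secret;

    ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz);
    if (ret != 0)
        return ret;
    /* Reject any length other than the computed one before comparing. */
    if (size != finishedSz)
        return BUFFER_ERROR;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName("Finished", &ssl->handShakeInfo);
    if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo);
#endif

    if (sniff == NO_SNIFF) {
        /* Actually check verify data. Every byte is compared with no early
         * exit, so the time taken does not depend on how many leading bytes
         * of the received value match.
         */
        const byte* peerMac = input + *inOutIdx;
        byte        diff = 0;
        word32      i;

        for (i = 0; i < size; i++)
            diff |= (byte)(peerMac[i] ^ mac[i]);

        if (diff != 0) {
            WOLFSSL_MSG("Verify finished error on hashes");
            return VERIFY_FINISHED_ERROR;
        }
    }

    /* Force input exhaustion at ProcessReply by consuming padSz. */
    *inOutIdx += size + ssl->keys.padSz;

    if (ssl->options.side == WOLFSSL_SERVER_END &&
                                                  !ssl->options.handShakeDone) {
#ifdef WOLFSSL_EARLY_DATA
        if (ssl->earlyData) {
            if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY, 1)) != 0)
                return ret;
        }
#endif
        /* Setup keys for application data messages from client. */
        if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
            return ret;
    }

#ifndef NO_WOLFSSL_CLIENT
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
#endif
#ifndef NO_WOLFSSL_SERVER
    if (ssl->options.side == WOLFSSL_SERVER_END) {
        ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
        ssl->options.handShakeState = HANDSHAKE_DONE;
        ssl->options.handShakeDone  = 1;
    }
#endif

    WOLFSSL_LEAVE("DoTls13Finished", 0);

    return 0;
}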
wolfSSL 12:1a06964c2adb 5212 #endif /* NO_CERTS */
wolfSSL 12:1a06964c2adb 5213
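/* Send the TLS v1.3 Finished message.
 *
 * Builds the Finished handshake message in the output buffer, encrypts it
 * and sends it. A server then derives the master secret and the traffic keys
 * and switches its encrypt side; a client that has not completed its
 * handshake switches both sides and derives the resumption secret.
 *
 * A failure to derive the resumption secret returns at once, so the client
 * is not marked as having completed the handshake on that error.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13Finished(WOLFSSL* ssl)
{
    int   sendSz;
    int   finishedSz = ssl->specs.hash_size;
    byte* input;
    byte* output;
    int   ret;
    int   headerSz = HANDSHAKE_HEADER_SZ;
    int   outputSz;
    byte* secret;

    WOLFSSL_ENTER("SendTls13Finished");

    outputSz = MAX_DIGEST_SIZE + DTLS_HANDSHAKE_HEADER_SZ + MAX_MSG_EXTRA;
    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
        return ret;

    /* get output buffer */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;
    input = output + RECORD_HEADER_SZ;

    AddTls13HandShakeHeader(input, finishedSz, 0, finishedSz, finished, ssl);

    /* make finished hashes */
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        secret = ssl->keys.client_write_MAC_secret;
    else {
        /* All the handshake messages have been done to calculate client and
         * server finished keys.
         */
        ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret,
                                   ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            return ret;

        ret = DeriveFinishedSecret(ssl, ssl->arrays->serverSecret,
                                   ssl->keys.server_write_MAC_secret);
        if (ret != 0)
            return ret;

        secret = ssl->keys.server_write_MAC_secret;
    }
    /* The verify data is written directly after the handshake header. */
    ret = BuildTls13HandshakeHmac(ssl, secret, &input[headerSz], NULL);
    if (ret != 0)
        return ret;

    /* This message is always encrypted. */
    sendSz = BuildTls13Message(ssl, output, outputSz, input,
                               headerSz + finishedSz, handshake, 1, 0, 0);
    if (sendSz < 0)
        return BUILD_MSG_ERROR;

    if (!ssl->options.resuming) {
#ifndef NO_SESSION_CACHE
        AddSession(ssl); /* just try */
#endif
    }

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName("Finished", &ssl->handShakeInfo);
    if (ssl->toInfoOn) {
        AddPacketInfo("Finished", &ssl->timeoutInfo, output, sendSz,
                      ssl->heap);
    }
#endif

    ssl->buffers.outputBuffer.length += sendSz;

    if ((ret = SendBuffered(ssl)) != 0)
        return ret;

    if (ssl->options.side == WOLFSSL_SERVER_END) {
        /* Can send application data now. */
        if ((ret = DeriveMasterSecret(ssl)) != 0)
            return ret;
#ifdef WOLFSSL_EARLY_DATA
        if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_SIDE_ONLY, 1))
                                                                         != 0) {
            return ret;
        }
        if ((ret = DeriveTls13Keys(ssl, traffic_key, DECRYPT_SIDE_ONLY,
                                                       !ssl->earlyData)) != 0) {
            return ret;
        }
#else
        if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_AND_DECRYPT_SIDE,
                                                                     1)) != 0) {
            return ret;
        }
#endif
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
            return ret;
    }

    if (ssl->options.side == WOLFSSL_CLIENT_END &&
                                                  !ssl->options.handShakeDone) {
#ifdef WOLFSSL_EARLY_DATA
        if (ssl->earlyData) {
            if ((ret = DeriveTls13Keys(ssl, no_key, ENCRYPT_AND_DECRYPT_SIDE,
                                                                     1)) != 0) {
                return ret;
            }
        }
#endif
        /* Setup keys for application data messages. */
        if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
            return ret;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
        ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret);
        /* Stop here on failure, like every other derivation step in this
         * function, instead of going on to mark the handshake as done.
         */
        if (ret != 0)
            return ret;
#endif
    }

    if (ssl->options.resuming) {
        if (ssl->options.side == WOLFSSL_CLIENT_END) {
            ssl->options.handShakeState = HANDSHAKE_DONE;
            ssl->options.handShakeDone  = 1;
        }
    }
#ifndef NO_WOLFSSL_CLIENT
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        if (!ssl->options.resuming) {
            ssl->options.handShakeState = HANDSHAKE_DONE;
            ssl->options.handShakeDone  = 1;
        }
    }
#endif

    WOLFSSL_LEAVE("SendTls13Finished", ret);

    return ret;
}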
wolfSSL 12:1a06964c2adb 5353
/* Build and send a TLS v1.3 KeyUpdate handshake message, then move the
 * sending side on to the next generation of traffic keys.
 *
 * The one-byte body asks the peer for a KeyUpdate of its own only when no
 * request from this side is still outstanding and this message is not itself
 * the answer to a request from the peer.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13KeyUpdate(WOLFSSL* ssl)
{
    const word32 bodyIdx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    int   ret;
    int   encSz;
    int   bufSz = OPAQUE8_LEN + MAX_MSG_EXTRA;
    byte* record;
    byte* hsMsg;
    byte  wantReply;

    WOLFSSL_ENTER("SendTls13KeyUpdate");

    /* Make room for the record, growing the output buffer if necessary.
     * NOTE(review): unlike the other senders in this file, the requested size
     * does not count the record and handshake headers; it appears to rely on
     * the slack in MAX_MSG_EXTRA - confirm. */
    ret = CheckAvailableSize(ssl, bufSz);
    if (ret != 0)
        return ret;

    /* The new record is appended after any data already queued. */
    record = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;
    hsMsg  = record + RECORD_HEADER_SZ;

    AddTls13Headers(record, OPAQUE8_LEN, key_update, ssl);

    /* Request a response unless one is already pending from the peer or this
     * message is the response to the peer's own request. */
    wantReply = !ssl->keys.updateResponseReq && !ssl->keys.keyUpdateRespond;
    record[bodyIdx] = wantReply;
    ssl->keys.updateResponseReq = wantReply;
    /* Any obligation to answer the peer is discharged by this message. */
    ssl->keys.keyUpdateRespond = 0;

    /* KeyUpdate is only ever sent encrypted. */
    encSz = BuildTls13Message(ssl, record, bufSz, hsMsg,
                              HANDSHAKE_HEADER_SZ + OPAQUE8_LEN, handshake,
                              0, 0, 0);
    if (encSz < 0)
        return BUILD_MSG_ERROR;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName("KeyUpdate", &ssl->handShakeInfo);
    if (ssl->toInfoOn) {
        AddPacketInfo("KeyUpdate", &ssl->timeoutInfo, record, encSz,
                      ssl->heap);
    }
#endif

    ssl->buffers.outputBuffer.length += encSz;

    /* WANT_WRITE is tolerated here: the record has already been encrypted
     * under the current key, so the key switch below still goes ahead and
     * ret is overwritten by it. */
    ret = SendBuffered(ssl);
    if (ret != 0 && ret != WANT_WRITE)
        return ret;

    /* Everything sent after this message uses the updated encryption keys. */
    ret = DeriveTls13Keys(ssl, update_traffic_key, ENCRYPT_SIDE_ONLY, 1);
    if (ret != 0)
        return ret;
    ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
    if (ret != 0)
        return ret;

    WOLFSSL_LEAVE("SendTls13KeyUpdate", ret);

    return ret;
}
wolfSSL 12:1a06964c2adb 5424
/* Parse and act on a TLS v1.3 KeyUpdate message from the peer.
 *
 * The receiving side always moves to the next generation of decryption keys.
 * When the peer asked for a response, a KeyUpdate is sent back as well.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of KeyUpdate.
 *           On exit, the index of byte after the KeyUpdate message and
 *           padding.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13KeyUpdate(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                            word32 totalSz)
{
    int  ret;
    byte request;

    WOLFSSL_ENTER("DoTls13KeyUpdate");

    /* The body is exactly one byte; any other length is rejected before the
     * buffer is read.
     * NOTE(review): presumably the caller has already checked that totalSz
     * bytes are available at *inOutIdx - confirm. */
    if (totalSz != OPAQUE8_LEN)
        return BUFFER_E;

    request = input[*inOutIdx];
    if (request == update_not_requested) {
        /* Peer is answering: nothing is outstanding in either direction. */
        ssl->keys.keyUpdateRespond = 0;
        ssl->keys.updateResponseReq = 0;
    }
    else if (request == update_requested) {
        /* Peer started an update and expects a KeyUpdate in return. */
        ssl->keys.keyUpdateRespond = 1;
    }
    else {
        /* Only the two defined request values are accepted. */
        return INVALID_PARAMETER;
    }

    /* Step over the message and, as it is always encrypted, its padding. */
    *inOutIdx += totalSz + ssl->keys.padSz;

    /* Everything received after this message uses the updated keys. */
    ret = DeriveTls13Keys(ssl, update_traffic_key, DECRYPT_SIDE_ONLY, 1);
    if (ret != 0)
        return ret;
    ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);
    if (ret != 0)
        return ret;

    /* The response path returns the sender's result directly. */
    if (ssl->keys.keyUpdateRespond)
        return SendTls13KeyUpdate(ssl);

    WOLFSSL_LEAVE("DoTls13KeyUpdate", ret);

    return 0;
}
wolfSSL 12:1a06964c2adb 5481
wolfSSL 12:1a06964c2adb 5482 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 12:1a06964c2adb 5483 #ifndef NO_WOLFSSL_CLIENT
/* Send the TLS v1.3 EndOfEarlyData message, telling the server that no more
 * early application data follows.
 * Once the message is built, the encryption side is switched to the keys that
 * were calculated in advance for the handshake.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success and otherwise failure.
 */
static int SendTls13EndOfEarlyData(WOLFSSL* ssl)
{
    const word32 bodyLen = 0;   /* EndOfEarlyData carries no body. */
    const word32 hdrEnd = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    byte* record;
    int   ret;
    int   recSz;

    WOLFSSL_ENTER("SendTls13EndOfEarlyData");

    recSz = hdrEnd + bodyLen + MAX_MSG_EXTRA;

    /* Make room for the record, growing the output buffer if necessary. */
    ret = CheckAvailableSize(ssl, recSz);
    if (ret != 0)
        return ret;

    /* The new record is appended after any data already queued. */
    record = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Write the record and handshake headers. */
    AddTls13Headers(record, bodyLen, end_of_early_data, ssl);

    /* Encrypt in place; this message is never sent in the clear. */
    recSz = BuildTls13Message(ssl, record, recSz, record + RECORD_HEADER_SZ,
                              hdrEnd - RECORD_HEADER_SZ, handshake, 1, 0, 0);
    if (recSz < 0)
        return recSz;

    ssl->buffers.outputBuffer.length += recSz;

    /* Switch the sending key only after the record above was protected. */
    ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
    if (ret != 0)
        return ret;

    /* When messages are grouped, the record stays queued for a later flush. */
    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13EndOfEarlyData", ret);

    return ret;
}
wolfSSL 12:1a06964c2adb 5533 #endif /* !NO_WOLFSSL_CLIENT */
wolfSSL 12:1a06964c2adb 5534
wolfSSL 12:1a06964c2adb 5535 #ifndef NO_WOLFSSL_SERVER
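/* Parse the TLS v1.3 EndOfEarlyData message that indicates that there will be
 * no more early application data.
 * The decryption key now changes to the pre-calculated handshake key.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer. Not read: the message has no body.
 * inOutIdx  On entry, the index into the message buffer of EndOfEarlyData.
 *           On exit, the index of byte after the message and padding.
 * size      The length of the current handshake message. Must be zero.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13EndOfEarlyData(WOLFSSL* ssl, const byte* input,
                                 word32* inOutIdx, word32 size)
{
    int    ret;
    word32 begin = *inOutIdx;

    (void)input;

    WOLFSSL_ENTER("DoTls13EndOfEarlyData");

    /* Nothing has been consumed yet, so this accepts only an empty body. */
    if ((*inOutIdx - begin) != size)
        return BUFFER_ERROR;

    /* Always encrypted. */
    *inOutIdx += ssl->keys.padSz;

    /* Records received from here on are decrypted with the handshake key.
     * NOTE(review): nothing in this function checks that early data was
     * actually in progress on this connection - confirm the caller enforces
     * that before dispatching here. */
    ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);

    /* Log under this function's own name; the trace previously reported the
     * sender's name, which made receive-side debug logs misleading. */
    WOLFSSL_LEAVE("DoTls13EndOfEarlyData", ret);

    return ret;
}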
wolfSSL 12:1a06964c2adb 5565 #endif /* !NO_WOLFSSL_SERVER */
wolfSSL 12:1a06964c2adb 5566 #endif /* WOLFSSL_EARLY_DATA */
wolfSSL 12:1a06964c2adb 5567
wolfSSL 12:1a06964c2adb 5568 #ifndef NO_WOLFSSL_CLIENT
/* Handle a NewSessionTicket handshake message.
 * The message carries what the client needs in order to resume later: a
 * lifetime hint, the ticket age obfuscator, the ticket itself and extensions.
 *
 * Every field is bounds-checked against size before it is read. The ticket
 * is stored and the session fields are updated before the extensions length
 * is validated, so a message with a malformed tail returns BUFFER_ERROR with
 * those fields already changed.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of NewSessionTicket.
 *           On exit, the index of byte after the message and padding.
 * size      The length of the current handshake message.
 * returns 0 on success, otherwise failure.
 */
static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input,
                                   word32* inOutIdx, word32 size)
{
#ifdef HAVE_SESSION_TICKET
    const word32 start = *inOutIdx;
    int    ret;
    word32 hint;
    word32 obfuscator;
    word32 seenAt;
    word16 len;

    WOLFSSL_ENTER("DoTls13NewSessionTicket");

    /* Lifetime hint: values above MAX_LIFETIME are refused. */
    if ((*inOutIdx - start) + SESSION_HINT_SZ > size)
        return BUFFER_ERROR;
    ato32(input + *inOutIdx, &hint);
    *inOutIdx += SESSION_HINT_SZ;
    if (hint > MAX_LIFETIME)
        return SERVER_HINT_ERROR;

    /* Ticket age add. */
    if ((*inOutIdx - start) + SESSION_ADD_SZ > size)
        return BUFFER_ERROR;
    ato32(input + *inOutIdx, &obfuscator);
    *inOutIdx += SESSION_ADD_SZ;

    /* Ticket: two-byte length, then that many bytes. */
    if ((*inOutIdx - start) + LENGTH_SZ > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += LENGTH_SZ;
    if ((*inOutIdx - start) + len > size)
        return BUFFER_ERROR;

    ret = SetTicket(ssl, input + *inOutIdx, len);
    if (ret != 0)
        return ret;
    *inOutIdx += len;

    seenAt = TimeNowInMilliseconds();
    if (seenAt == (word32)GETTIME_ERROR)
        return (int)seenAt;

    /* Record what is needed to offer this ticket on a later connection. */
    ssl->session.ticketSeen   = seenAt;
    ssl->session.ticketAdd    = obfuscator;
    ssl->session.cipherSuite0 = ssl->options.cipherSuite0;
    ssl->session.cipherSuite  = ssl->options.cipherSuite;
    ssl->session.timeout      = hint;
    ssl->timeout              = hint;
#ifdef WOLFSSL_EARLY_DATA
    ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
#endif

    /* Extensions: the declared length must account for exactly the rest of
     * the message. */
    if ((*inOutIdx - start) + EXTS_SZ > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += EXTS_SZ;
    if ((*inOutIdx - start) + len != size)
        return BUFFER_ERROR;
#ifdef WOLFSSL_EARLY_DATA
    ret = TLSX_Parse(ssl, (byte *)input + (*inOutIdx), len, session_ticket,
                     NULL);
    if (ret != 0)
        return ret;
#endif
    /* Without WOLFSSL_EARLY_DATA the extension bytes are skipped unparsed. */
    *inOutIdx += len;

#ifndef NO_SESSION_CACHE
    AddSession(ssl);
#endif

    /* Always encrypted. */
    *inOutIdx += ssl->keys.padSz;

    ssl->expect_session_ticket = 0;
#else
    (void)ssl;
    (void)input;

    WOLFSSL_ENTER("DoTls13NewSessionTicket");

    /* No ticket support: step over the whole message and its padding. */
    *inOutIdx += size + ssl->keys.padSz;
#endif /* HAVE_SESSION_TICKET */

    WOLFSSL_LEAVE("DoTls13NewSessionTicket", 0);

    return 0;
}
wolfSSL 12:1a06964c2adb 5667 #endif /* NO_WOLFSSL_CLIENT */
wolfSSL 12:1a06964c2adb 5668
wolfSSL 12:1a06964c2adb 5669 #ifndef NO_WOLFSSL_SERVER
wolfSSL 12:1a06964c2adb 5670 #ifdef HAVE_SESSION_TICKET
wolfSSL 12:1a06964c2adb 5671
wolfSSL 12:1a06964c2adb 5672 #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
wolfSSL 12:1a06964c2adb 5673 /* Offset of the MAC size in the finished message. */
wolfSSL 12:1a06964c2adb 5674 #define FINISHED_MSG_SIZE_OFFSET 3
wolfSSL 12:1a06964c2adb 5675
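/* Calculate the resumption secret which includes the unseen client finished
 * message.
 *
 * The running handshake hash is copied aside, the client's expected Finished
 * message (and EndOfEarlyData, when early data is in use) is hashed in, the
 * resumption secret is derived, and the saved hash is then put back so that
 * the transcript again reflects only the messages actually seen.
 *
 * On any failure after the transcript has been extended, the function returns
 * without restoring the saved hash.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int ExpectedResumptionSecret(WOLFSSL* ssl)
{
    int    ret;
    word32 finishedSz = 0;
    byte   mac[MAX_DIGEST_SIZE];
    Digest digest;
    /* Handshake header of the Finished message. The size byte is patched on
     * every call, so the array is kept on the stack rather than in static
     * storage, where concurrent connections would write to the same bytes. */
    byte   header[] = { 0x14, 0x00, 0x00, 0x00 };

    /* Copy the running hash so we can restore it after. */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            ret = wc_Sha256Copy(&ssl->hsHashes->hashSha256, &digest.sha256);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_Sha384Copy(&ssl->hsHashes->hashSha384, &digest.sha384);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            ret = wc_Sha512Copy(&ssl->hsHashes->hashSha512, &digest.sha512);
            if (ret != 0)
                return ret;
            break;
    #endif
    }

    /* Generate the Client's Finished message and hash it. */
    ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, mac,
                                  &finishedSz);
    if (ret != 0)
        return ret;
    header[FINISHED_MSG_SIZE_OFFSET] = (byte)finishedSz;
#ifdef WOLFSSL_EARLY_DATA
    if (ssl->earlyData) {
        /* Handshake header of an empty EndOfEarlyData message. */
        static byte endOfEarlyData[] = { 0x05, 0x00, 0x00, 0x00 };
        ret = HashInputRaw(ssl, endOfEarlyData, sizeof(endOfEarlyData));
        if (ret != 0)
            return ret;
    }
#endif
    if ((ret = HashInputRaw(ssl, header, sizeof(header))) != 0)
        return ret;
    if ((ret = HashInputRaw(ssl, mac, finishedSz)) != 0)
        return ret;

    if ((ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret)) != 0)
        return ret;

    /* Restore the hash inline with currently seen messages. */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            ret = wc_Sha256Copy(&digest.sha256, &ssl->hsHashes->hashSha256);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_Sha384Copy(&digest.sha384, &ssl->hsHashes->hashSha384);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            /* Restore into the SHA-512 state that was saved above. Writing
             * the copy into hashSha384 left the SHA-512 transcript extended
             * with the synthetic Finished and overwrote the SHA-384 state. */
            ret = wc_Sha512Copy(&digest.sha512, &ssl->hsHashes->hashSha512);
            if (ret != 0)
                return ret;
            break;
    #endif
    }

    return ret;
}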
wolfSSL 12:1a06964c2adb 5764 #endif
wolfSSL 12:1a06964c2adb 5765
/* Send a NewSessionTicket handshake message.
 * The message carries what the client needs in order to resume later:
 * lifetime hint, ticket age obfuscator, the ticket and extensions.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13NewSessionTicket(WOLFSSL* ssl)
{
    byte*  record;
    int    ret;
    int    recSz;
    word32 extLen;
    word32 bodyLen;
    word32 pos = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;

    WOLFSSL_ENTER("SendTls13NewSessionTicket");

#ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
    /* The client's Finished has not arrived yet, so the resumption secret is
     * derived from the Finished message the client is expected to send. */
    if (!ssl->msgsReceived.got_finished) {
        ret = ExpectedResumptionSecret(ssl);
        if (ret != 0)
            return ret;
    }
#endif

    /* NOTE(review): with noTicketTls13 set no ticket is created here, yet the
     * message below is still built from ssl->session.ticket and ticketLen as
     * they stand - confirm what they hold in that mode. */
    if (!ssl->options.noTicketTls13) {
        ret = CreateTicket(ssl);
        if (ret != 0)
            return ret;
    }

#ifdef WOLFSSL_EARLY_DATA
    /* Advertise the early data limit only when it is non-zero. The result of
     * TLSX_EarlyData_Use() is not checked. */
    ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
    if (ssl->session.maxEarlyDataSz > 0)
        TLSX_EarlyData_Use(ssl, ssl->session.maxEarlyDataSz);
    extLen = TLSX_GetResponseSize(ssl, session_ticket);
#else
    extLen = EXTS_SZ;
#endif

    /* Body layout: Lifetime | Age Add | Ticket length + Ticket | Extensions */
    bodyLen = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ +
              ssl->session.ticketLen + extLen;
    recSz = pos + bodyLen + MAX_MSG_EXTRA;

    /* Make room for the record, growing the output buffer if necessary. The
     * size includes ticketLen, which bounds the ticket copy below. */
    ret = CheckAvailableSize(ssl, recSz);
    if (ret != 0)
        return ret;

    /* The new record is appended after any data already queued. */
    record = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Write the record and handshake headers. */
    AddTls13Headers(record, bodyLen, session_ticket, ssl);

    /* Lifetime hint, taken from the context. */
    c32toa(ssl->ctx->ticketHint, record + pos);
    pos += SESSION_HINT_SZ;

    /* Age add - obfuscator */
    c32toa(ssl->session.ticketAdd, record + pos);
    pos += SESSION_ADD_SZ;

    /* Ticket length followed by the ticket bytes. */
    c16toa(ssl->session.ticketLen, record + pos);
    pos += LENGTH_SZ;
    XMEMCPY(record + pos, ssl->session.ticket, ssl->session.ticketLen);
    pos += ssl->session.ticketLen;

#ifdef WOLFSSL_EARLY_DATA
    pos += TLSX_WriteResponse(ssl, record + pos, session_ticket);
#else
    /* No extension support - empty extensions. */
    c16toa(0, record + pos);
    pos += EXTS_SZ;
#endif

    ssl->options.haveSessionId = 1;

#ifndef NO_SESSION_CACHE
    AddSession(ssl);
#endif

    /* Encrypt in place; this message is never sent in the clear. */
    recSz = BuildTls13Message(ssl, record, recSz, record + RECORD_HEADER_SZ,
                              pos - RECORD_HEADER_SZ, handshake, 0, 0, 0);
    if (recSz < 0)
        return recSz;

    ssl->buffers.outputBuffer.length += recSz;

    /* When messages are grouped, the record stays queued for a later flush. */
    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13NewSessionTicket", 0);

    return ret;
}
wolfSSL 12:1a06964c2adb 5863 #endif /* HAVE_SESSION_TICKET */
wolfSSL 12:1a06964c2adb 5864 #endif /* NO_WOLFSSL_SERVER */
wolfSSL 12:1a06964c2adb 5865
wolfSSL 12:1a06964c2adb 5866 /* Make sure no duplicates, no fast forward, or other problems
wolfSSL 12:1a06964c2adb 5867 *
wolfSSL 12:1a06964c2adb 5868 * ssl The SSL/TLS object.
wolfSSL 12:1a06964c2adb 5869 * type Type of handshake message received.
wolfSSL 12:1a06964c2adb 5870 * returns 0 on success, otherwise failure.
wolfSSL 12:1a06964c2adb 5871 */
wolfSSL 12:1a06964c2adb 5872 static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type)
wolfSSL 12:1a06964c2adb 5873 {
wolfSSL 12:1a06964c2adb 5874 /* verify not a duplicate, mark received, check state */
wolfSSL 12:1a06964c2adb 5875 switch (type) {
wolfSSL 12:1a06964c2adb 5876
wolfSSL 12:1a06964c2adb 5877 #ifndef NO_WOLFSSL_SERVER
wolfSSL 12:1a06964c2adb 5878 case client_hello:
wolfSSL 12:1a06964c2adb 5879 if (ssl->msgsReceived.got_client_hello == 2) {
wolfSSL 12:1a06964c2adb 5880 WOLFSSL_MSG("Too many ClientHello received");
wolfSSL 12:1a06964c2adb 5881 return DUPLICATE_MSG_E;
wolfSSL 12:1a06964c2adb 5882 }
wolfSSL 12:1a06964c2adb 5883 ssl->msgsReceived.got_client_hello++;
wolfSSL 12:1a06964c2adb 5884
wolfSSL 12:1a06964c2adb 5885 break;
wolfSSL 12:1a06964c2adb 5886 #endif
wolfSSL 12:1a06964c2adb 5887
wolfSSL 12:1a06964c2adb 5888 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:1a06964c2adb 5889 case server_hello:
wolfSSL 12:1a06964c2adb 5890 if (ssl->msgsReceived.got_server_hello) {
wolfSSL 12:1a06964c2adb 5891 WOLFSSL_MSG("Duplicate ServerHello received");
wolfSSL 12:1a06964c2adb 5892 return DUPLICATE_MSG_E;
wolfSSL 12:1a06964c2adb 5893 }
wolfSSL 12:1a06964c2adb 5894 ssl->msgsReceived.got_server_hello = 1;
wolfSSL 12:1a06964c2adb 5895
wolfSSL 12:1a06964c2adb 5896 break;
wolfSSL 12:1a06964c2adb 5897 #endif
wolfSSL 12:1a06964c2adb 5898
wolfSSL 12:1a06964c2adb 5899 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:1a06964c2adb 5900 case session_ticket:
wolfSSL 12:1a06964c2adb 5901 if (ssl->msgsReceived.got_session_ticket) {
wolfSSL 12:1a06964c2adb 5902 WOLFSSL_MSG("Duplicate SessionTicket received");
wolfSSL 12:1a06964c2adb 5903 return DUPLICATE_MSG_E;
wolfSSL 12:1a06964c2adb 5904 }
wolfSSL 12:1a06964c2adb 5905 ssl->msgsReceived.got_session_ticket = 1;
wolfSSL 12:1a06964c2adb 5906
wolfSSL 12:1a06964c2adb 5907 break;
wolfSSL 12:1a06964c2adb 5908 #endif
wolfSSL 12:1a06964c2adb 5909
wolfSSL 12:1a06964c2adb 5910 #ifndef NO_WOLFSSL_SERVER
wolfSSL 12:1a06964c2adb 5911 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 12:1a06964c2adb 5912 case end_of_early_data:
wolfSSL 12:1a06964c2adb 5913 if (ssl->msgsReceived.got_end_of_early_data == 1) {
wolfSSL 12:1a06964c2adb 5914 WOLFSSL_MSG("Too many EndOfEarlyData received");
wolfSSL 12:1a06964c2adb 5915 return DUPLICATE_MSG_E;
wolfSSL 12:1a06964c2adb 5916 }
wolfSSL 12:1a06964c2adb 5917 ssl->msgsReceived.got_end_of_early_data++;
wolfSSL 12:1a06964c2adb 5918
wolfSSL 12:1a06964c2adb 5919 break;
wolfSSL 12:1a06964c2adb 5920 #endif
wolfSSL 12:1a06964c2adb 5921 #endif
wolfSSL 12:1a06964c2adb 5922
wolfSSL 12:1a06964c2adb 5923 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:1a06964c2adb 5924 case hello_retry_request:
wolfSSL 12:1a06964c2adb 5925 if (ssl->msgsReceived.got_hello_retry_request) {
wolfSSL 12:1a06964c2adb 5926 WOLFSSL_MSG("Duplicate HelloRetryRequest received");
wolfSSL 12:1a06964c2adb 5927 return DUPLICATE_MSG_E;
wolfSSL 12:1a06964c2adb 5928 }
wolfSSL 12:1a06964c2adb 5929 ssl->msgsReceived.got_hello_retry_request = 1;
wolfSSL 12:1a06964c2adb 5930
wolfSSL 12:1a06964c2adb 5931 break;
wolfSSL 12:1a06964c2adb 5932 #endif
wolfSSL 12:1a06964c2adb 5933
wolfSSL 12:1a06964c2adb 5934 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:1a06964c2adb 5935 case encrypted_extensions:
wolfSSL 12:1a06964c2adb 5936 if (ssl->msgsReceived.got_encrypted_extensions) {
wolfSSL 12:1a06964c2adb 5937 WOLFSSL_MSG("Duplicate EncryptedExtensions received");
wolfSSL 12:1a06964c2adb 5938 return DUPLICATE_MSG_E;
wolfSSL 12:1a06964c2adb 5939 }
wolfSSL 12:1a06964c2adb 5940 ssl->msgsReceived.got_encrypted_extensions = 1;
wolfSSL 12:1a06964c2adb 5941
wolfSSL 12:1a06964c2adb 5942 break;
wolfSSL 12:1a06964c2adb 5943 #endif
wolfSSL 12:1a06964c2adb 5944
wolfSSL 12:1a06964c2adb 5945 case certificate:
wolfSSL 12:1a06964c2adb 5946 if (ssl->msgsReceived.got_certificate) {
wolfSSL 12:1a06964c2adb 5947 WOLFSSL_MSG("Duplicate Certificate received");
wolfSSL 12:1a06964c2adb 5948 return DUPLICATE_MSG_E;
wolfSSL 12:1a06964c2adb 5949 }
wolfSSL 12:1a06964c2adb 5950 ssl->msgsReceived.got_certificate = 1;
wolfSSL 12:1a06964c2adb 5951
wolfSSL 12:1a06964c2adb 5952 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:1a06964c2adb 5953 if (ssl->options.side == WOLFSSL_CLIENT_END) {
wolfSSL 12:1a06964c2adb 5954 if ( ssl->msgsReceived.got_server_hello == 0) {
wolfSSL 12:1a06964c2adb 5955 WOLFSSL_MSG("No ServerHello before Cert");
wolfSSL 12:1a06964c2adb 5956 return OUT_OF_ORDER_E;
wolfSSL 12:1a06964c2adb 5957 }
wolfSSL 12:1a06964c2adb 5958 }
wolfSSL 12:1a06964c2adb 5959 #endif
wolfSSL 12:1a06964c2adb 5960 #ifndef NO_WOLFSSL_SERVER
wolfSSL 12:1a06964c2adb 5961 if (ssl->options.side == WOLFSSL_SERVER_END) {
wolfSSL 12:1a06964c2adb 5962 if ( ssl->msgsReceived.got_client_hello == 0) {
wolfSSL 12:1a06964c2adb 5963 WOLFSSL_MSG("No ClientHello before Cert");
wolfSSL 12:1a06964c2adb 5964 return OUT_OF_ORDER_E;
wolfSSL 12:1a06964c2adb 5965 }
wolfSSL 12:1a06964c2adb 5966 }
wolfSSL 12:1a06964c2adb 5967 #endif
wolfSSL 12:1a06964c2adb 5968 break;
wolfSSL 12:1a06964c2adb 5969
wolfSSL 12:1a06964c2adb 5970 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:1a06964c2adb 5971 case certificate_request:
wolfSSL 12:1a06964c2adb 5972 #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
wolfSSL 12:1a06964c2adb 5973 if (ssl->msgsReceived.got_finished)
wolfSSL 12:1a06964c2adb 5974 ;
wolfSSL 12:1a06964c2adb 5975 else
wolfSSL 12:1a06964c2adb 5976 #endif
wolfSSL 12:1a06964c2adb 5977 if (ssl->msgsReceived.got_certificate_request) {
wolfSSL 12:1a06964c2adb 5978 WOLFSSL_MSG("Duplicate CertificateRequest received");
wolfSSL 12:1a06964c2adb 5979 return DUPLICATE_MSG_E;
wolfSSL 12:1a06964c2adb 5980 }
wolfSSL 12:1a06964c2adb 5981 ssl->msgsReceived.got_certificate_request = 1;
wolfSSL 12:1a06964c2adb 5982
wolfSSL 12:1a06964c2adb 5983 break;
wolfSSL 12:1a06964c2adb 5984 #endif
wolfSSL 12:1a06964c2adb 5985
wolfSSL 12:1a06964c2adb 5986 case certificate_verify:
wolfSSL 12:1a06964c2adb 5987 if (ssl->msgsReceived.got_certificate_verify) {
wolfSSL 12:1a06964c2adb 5988 WOLFSSL_MSG("Duplicate CertificateVerify received");
wolfSSL 12:1a06964c2adb 5989 return DUPLICATE_MSG_E;
wolfSSL 12:1a06964c2adb 5990 }
wolfSSL 12:1a06964c2adb 5991 ssl->msgsReceived.got_certificate_verify = 1;
wolfSSL 12:1a06964c2adb 5992
wolfSSL 12:1a06964c2adb 5993 if (ssl->msgsReceived.got_certificate == 0) {
wolfSSL 12:1a06964c2adb 5994 WOLFSSL_MSG("No Cert before CertVerify");
wolfSSL 12:1a06964c2adb 5995 return OUT_OF_ORDER_E;
wolfSSL 12:1a06964c2adb 5996 }
wolfSSL 12:1a06964c2adb 5997 break;
wolfSSL 12:1a06964c2adb 5998
wolfSSL 12:1a06964c2adb 5999 case finished:
wolfSSL 12:1a06964c2adb 6000 #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
wolfSSL 12:1a06964c2adb 6001 if (1) {
wolfSSL 12:1a06964c2adb 6002 }
wolfSSL 12:1a06964c2adb 6003 else
wolfSSL 12:1a06964c2adb 6004 #endif
wolfSSL 12:1a06964c2adb 6005 if (ssl->msgsReceived.got_finished) {
wolfSSL 12:1a06964c2adb 6006 WOLFSSL_MSG("Duplicate Finished received");
wolfSSL 12:1a06964c2adb 6007 return DUPLICATE_MSG_E;
wolfSSL 12:1a06964c2adb 6008 }
wolfSSL 12:1a06964c2adb 6009 ssl->msgsReceived.got_finished = 1;
wolfSSL 12:1a06964c2adb 6010
wolfSSL 12:1a06964c2adb 6011 break;
wolfSSL 12:1a06964c2adb 6012
wolfSSL 12:1a06964c2adb 6013 case key_update:
wolfSSL 12:1a06964c2adb 6014 if (!ssl->msgsReceived.got_finished) {
wolfSSL 12:1a06964c2adb 6015 WOLFSSL_MSG("No KeyUpdate before Finished");
wolfSSL 12:1a06964c2adb 6016 return OUT_OF_ORDER_E;
wolfSSL 12:1a06964c2adb 6017 }
wolfSSL 12:1a06964c2adb 6018 break;
wolfSSL 12:1a06964c2adb 6019
wolfSSL 12:1a06964c2adb 6020 default:
wolfSSL 12:1a06964c2adb 6021 WOLFSSL_MSG("Unknown message type");
wolfSSL 12:1a06964c2adb 6022 return SANITY_MSG_E;
wolfSSL 12:1a06964c2adb 6023 }
wolfSSL 12:1a06964c2adb 6024
wolfSSL 12:1a06964c2adb 6025 return 0;
wolfSSL 12:1a06964c2adb 6026 }
wolfSSL 12:1a06964c2adb 6027
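/* Handle a type of handshake message that has been received.
 *
 * Checks that the message fits in the buffer and passes the message
 * sanity check, dispatches it to the handler for its type, adds it to the
 * handshake hash and then derives the secrets and keys that follow that
 * message.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the buffer of the current message.
 *           On exit, the index into the buffer of the next message.
 * type      The handshake message type.
 * size      The length of the current handshake message.
 * totalSz   Length of remaining data in the message buffer.
 * returns 0 on success and otherwise failure.
 */
int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                            byte type, word32 size, word32 totalSz)
{
    int    ret = 0;
    word32 inIdx = *inOutIdx;

    WOLFSSL_ENTER("DoTls13HandShakeMsgType");

    /* Make sure the whole message can be read. Compare size against the
     * space that is left instead of adding index and size, so that the
     * word32 sum cannot wrap around and pass the check. */
    if (inIdx > totalSz || size > totalSz - inIdx)
        return INCOMPLETE_DATA;

    /* sanity check msg received */
    if ((ret = SanityCheckTls13MsgReceived(ssl, type)) != 0) {
        WOLFSSL_MSG("Sanity Check on handshake message type received failed");
        return ret;
    }

#ifdef WOLFSSL_CALLBACKS
    /* add name later, add on record and handshake header part back on */
    if (ssl->toInfoOn) {
        /* Assumes the record and handshake headers sit directly in front of
         * the message inside input.
         * NOTE(review): DoTls13HandShakeMsg passes
         * pendingMsg + HANDSHAKE_HEADER_SZ with an index of 0 for a
         * reassembled message, so this pointer would start
         * RECORD_HEADER_SZ bytes before that allocation - confirm. */
        int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
        AddPacketInfo(0, &ssl->timeoutInfo, input + *inOutIdx - add,
                      size + add, ssl->heap);
        AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
    }
#endif

    /* Only these message types are accepted once the handshake is done. */
    if (ssl->options.handShakeState == HANDSHAKE_DONE &&
            type != session_ticket && type != certificate_request &&
            type != certificate && type != key_update) {
        WOLFSSL_MSG("HandShake message after handshake complete");
        SendAlert(ssl, alert_fatal, unexpected_message);
        return OUT_OF_ORDER_E;
    }

    /* Client: the first server message must be a ServerHello or a
     * HelloRetryRequest. */
    if (ssl->options.side == WOLFSSL_CLIENT_END &&
            ssl->options.serverState == NULL_STATE &&
            type != server_hello && type != hello_retry_request) {
        WOLFSSL_MSG("First server message not server hello");
        SendAlert(ssl, alert_fatal, unexpected_message);
        return OUT_OF_ORDER_E;
    }

    /* Server: the first client message must be a ClientHello. */
    if (ssl->options.side == WOLFSSL_SERVER_END &&
            ssl->options.clientState == NULL_STATE && type != client_hello) {
        WOLFSSL_MSG("First client message not client hello");
        SendAlert(ssl, alert_fatal, unexpected_message);
        return OUT_OF_ORDER_E;
    }

    /* above checks handshake state */
    switch (type) {

#ifndef NO_WOLFSSL_CLIENT
    case hello_retry_request:
        WOLFSSL_MSG("processing hello rety request");
        ret = DoTls13HelloRetryRequest(ssl, input, inOutIdx, size);
        break;

    case server_hello:
        WOLFSSL_MSG("processing server hello");
        ret = DoTls13ServerHello(ssl, input, inOutIdx, size);
        break;

#ifndef NO_CERTS
    case certificate_request:
        WOLFSSL_MSG("processing certificate request");
        ret = DoTls13CertificateRequest(ssl, input, inOutIdx, size);
        break;
#endif

    case session_ticket:
        WOLFSSL_MSG("processing new session ticket");
        ret = DoTls13NewSessionTicket(ssl, input, inOutIdx, size);
        break;

    case encrypted_extensions:
        WOLFSSL_MSG("processing encrypted extensions");
        ret = DoTls13EncryptedExtensions(ssl, input, inOutIdx, size);
        break;
#endif /* !NO_WOLFSSL_CLIENT */

#ifndef NO_CERTS
    case certificate:
        WOLFSSL_MSG("processing certificate");
        ret = DoTls13Certificate(ssl, input, inOutIdx, size);
        break;
#endif

#if !defined(NO_RSA) || defined(HAVE_ECC)
    case certificate_verify:
        WOLFSSL_MSG("processing certificate verify");
        ret = DoTls13CertificateVerify(ssl, input, inOutIdx, size);
        break;
#endif /* !NO_RSA || HAVE_ECC */

#ifdef WOLFSSL_EARLY_DATA
#ifndef NO_WOLFSSL_SERVER
    case end_of_early_data:
        WOLFSSL_MSG("processing end of early data");
        ret = DoTls13EndOfEarlyData(ssl, input, inOutIdx, size);
        break;
#endif
#endif

    case finished:
        WOLFSSL_MSG("processing finished");
        ret = DoTls13Finished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF);
        break;

    case key_update:
        /* The trace text used to repeat the Finished message's text. */
        WOLFSSL_MSG("processing key update");
        ret = DoTls13KeyUpdate(ssl, input, inOutIdx, size);
        break;

#ifndef NO_WOLFSSL_SERVER
    case client_hello:
        WOLFSSL_MSG("processing client hello");
        ret = DoTls13ClientHello(ssl, input, inOutIdx, size);
        break;
#endif /* !NO_WOLFSSL_SERVER */

    default:
        WOLFSSL_MSG("Unknown handshake message type");
        ret = UNKNOWN_HANDSHAKE_TYPE;
        break;
    }

    /* reset error */
    if (ret == 0 && ssl->error == WC_PENDING_E)
        ssl->error = 0;

    /* Add the message to the handshake hash. ClientHello, NewSessionTicket
     * and KeyUpdate are not hashed here. */
    if (ret == 0 && type != client_hello && type != session_ticket &&
            type != key_update && ssl->error != WC_PENDING_E) {
        ret = HashInput(ssl, input + inIdx, size);
    }

    /* Map processing errors to the fatal alert sent to the peer. */
    if (ret == BUFFER_ERROR || ret == MISSING_HANDSHAKE_DATA)
        SendAlert(ssl, alert_fatal, decode_error);

    if (ret == EXT_NOT_ALLOWED || ret == PEER_KEY_ERROR ||
            ret == ECC_PEERKEY_ERROR || ret == BAD_KEY_SHARE_DATA ||
            ret == PSK_KEY_ERROR || ret == INVALID_PARAMETER) {
        SendAlert(ssl, alert_fatal, illegal_parameter);
    }

    /* Derive secrets and keys only when the message was processed and
     * hashed successfully. Every step below assigns ret, so running them
     * after a failure would replace the handler's error code (or
     * WC_PENDING_E) with the result of the derivation. */
    if (ret == 0 && ssl->options.tls1_3) {
        if (type == server_hello && ssl->options.side == WOLFSSL_CLIENT_END) {
            if ((ret = DeriveEarlySecret(ssl)) != 0)
                return ret;
            if ((ret = DeriveHandshakeSecret(ssl)) != 0)
                return ret;

            if ((ret = DeriveTls13Keys(ssl, handshake_key,
                                       ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
                return ret;
            }
#ifdef WOLFSSL_EARLY_DATA
            if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
                return ret;
#else
            if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
                return ret;
#endif
        }
#ifdef WOLFSSL_EARLY_DATA
        if (type == encrypted_extensions &&
                ssl->options.side == WOLFSSL_CLIENT_END) {
            if (!ssl->earlyData)
            {
                if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
                    return ret;
            }
        }
#endif

        if (type == finished && ssl->options.side == WOLFSSL_CLIENT_END) {
            if ((ret = DeriveMasterSecret(ssl)) != 0)
                return ret;
#ifdef WOLFSSL_EARLY_DATA
            if ((ret = DeriveTls13Keys(ssl, traffic_key,
                       ENCRYPT_AND_DECRYPT_SIDE, !ssl->earlyData)) != 0) {
                return ret;
            }
#else
            if ((ret = DeriveTls13Keys(ssl, traffic_key,
                                       ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
                return ret;
            }
#endif
        }

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
        if (type == finished && ssl->options.side == WOLFSSL_SERVER_END) {
            ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret);
            if (ret != 0)
                return ret;
        }
#endif
    }

#ifdef WOLFSSL_ASYNC_CRYPT
    /* if async, offset index so this msg will be processed again */
    if (ret == WC_PENDING_E && *inOutIdx > 0) {
        *inOutIdx -= HANDSHAKE_HEADER_SZ;
    }
#endif

    WOLFSSL_LEAVE("DoTls13HandShakeMsgType()", ret);
    return ret;
}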
wolfSSL 12:1a06964c2adb 6252
wolfSSL 12:1a06964c2adb 6253
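/* Handle a handshake message that has been received.
 *
 * A message that is complete in the input is passed straight to
 * DoTls13HandShakeMsgType(). A message that is larger than the data
 * available is collected fragment by fragment in ssl->arrays->pendingMsg
 * and processed once all of it has arrived.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the buffer of the current message.
 *           On exit, the index into the buffer of the next message.
 * totalSz   Length of remaining data in the message buffer.
 * returns 0 on success and otherwise failure.
 */
int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                        word32 totalSz)
{
    int    ret = 0;
    word32 inputLength;

    WOLFSSL_ENTER("DoTls13HandShakeMsg()");

    /* Without the arrays there is nowhere to keep a pending fragment, so
     * the message is processed directly. */
    if (ssl->arrays == NULL) {
        byte   type;
        word32 size;

        if (GetHandshakeHeader(ssl,input,inOutIdx,&type, &size, totalSz) != 0)
            return PARSE_ERROR;

        return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
                                       totalSz);
    }

    /* Handshake data left in the input buffer, padding excluded.
     * NOTE(review): unsigned subtraction - presumably the record layer
     * guarantees index + padSz <= length; confirm. */
    inputLength = ssl->buffers.inputBuffer.length - *inOutIdx - ssl->keys.padSz;

    /* If there is a pending fragmented handshake message,
     * pending message size will be non-zero. */
    if (ssl->arrays->pendingMsgSz == 0) {
        byte   type;
        word32 size;

        if (GetHandshakeHeader(ssl,input, inOutIdx, &type, &size, totalSz) != 0)
            return PARSE_ERROR;

        /* Cap the maximum size of a handshake message to something reasonable.
         * By default is the maximum size of a certificate message assuming
         * nine 2048-bit RSA certificates in the chain. */
        if (size > MAX_HANDSHAKE_SZ) {
            WOLFSSL_MSG("Handshake message too large");
            return HANDSHAKE_SIZE_ERROR;
        }

        /* size is the size of the certificate message payload */
        if (inputLength - HANDSHAKE_HEADER_SZ < size) {
            /* Only the first fragment is here: start reassembly. */
            word32 pendingSz = size + HANDSHAKE_HEADER_SZ;
            byte*  pending = (byte*)XMALLOC(pendingSz, ssl->heap,
                                            DYNAMIC_TYPE_ARRAYS);

            /* Record the pending message only after the allocation has
             * succeeded, so a failure does not leave a non-zero
             * pendingMsgSz next to a NULL pendingMsg for a later call to
             * copy into. */
            if (pending == NULL)
                return MEMORY_E;

            ssl->arrays->pendingMsgType = type;
            ssl->arrays->pendingMsgSz = pendingSz;
            ssl->arrays->pendingMsg = pending;

            /* The index is already past the header; copy header and the
             * payload bytes received so far. */
            XMEMCPY(ssl->arrays->pendingMsg,
                    input + *inOutIdx - HANDSHAKE_HEADER_SZ,
                    inputLength);
            ssl->arrays->pendingMsgOffset = inputLength;
            *inOutIdx += inputLength + ssl->keys.padSz - HANDSHAKE_HEADER_SZ;
            return 0;
        }

        ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
                                      totalSz);
    }
    else {
        /* A further fragment must not run past the announced message size. */
        if (inputLength + ssl->arrays->pendingMsgOffset >
                                                  ssl->arrays->pendingMsgSz) {
            return BUFFER_ERROR;
        }

        XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset,
                input + *inOutIdx, inputLength);
        ssl->arrays->pendingMsgOffset += inputLength;
        *inOutIdx += inputLength + ssl->keys.padSz;

        if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz)
        {
            /* All fragments received: process the reassembled message. */
            word32 idx = 0;
            ret = DoTls13HandShakeMsgType(ssl,
                               ssl->arrays->pendingMsg + HANDSHAKE_HEADER_SZ,
                               &idx, ssl->arrays->pendingMsgType,
                               ssl->arrays->pendingMsgSz - HANDSHAKE_HEADER_SZ,
                               ssl->arrays->pendingMsgSz);
#ifdef WOLFSSL_ASYNC_CRYPT
            if (ret == WC_PENDING_E) {
                /* setup to process fragment again */
                ssl->arrays->pendingMsgOffset -= inputLength;
                *inOutIdx -= inputLength + ssl->keys.padSz;
            }
            else
#endif
            {
                /* Release the reassembly buffer whether or not processing
                 * succeeded. */
                XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
                ssl->arrays->pendingMsg = NULL;
                ssl->arrays->pendingMsgSz = 0;
            }
        }
    }

    WOLFSSL_LEAVE("DoTls13HandShakeMsg()", ret);
    return ret;
}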
wolfSSL 12:1a06964c2adb 6359
wolfSSL 12:1a06964c2adb 6360
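/* The client connecting to the server.
 * The protocol version is expecting to be TLS v1.3.
 * If the server downgrades, and older versions of the protocol are compiled
 * in, the client will fallback to wolfSSL_connect(). Nothing in this function
 * rejects that downgrade, so an application that requires TLS v1.3 has to
 * enforce it elsewhere.
 * Please see note at top of README if you get an error from connect.
 *
 * With WOLFSSL_EARLY_DATA and early data set on the object, the function
 * returns SSL_SUCCESS straight after the ClientHello has been sent; the
 * handshake is not complete at that point.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL, SSL_SUCCESS on successful handshake,
 * SSL_FATAL_ERROR when unrecoverable error occurs and 0 otherwise.
 * For more error information use wolfSSL_get_error().
 */
int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
{
    int neededState;

    WOLFSSL_ENTER("wolfSSL_connect_TLSv13()");

    #ifdef HAVE_ERRNO_H
    errno = 0;
    #endif

    /* Public entry point: reject a NULL object before it is dereferenced,
     * as wolfSSL_send_hrr_cookie() in this file does. */
    if (ssl == NULL)
        return BAD_FUNC_ARG;

    if (ssl->options.side != WOLFSSL_CLIENT_END) {
        WOLFSSL_ERROR(ssl->error = SIDE_ERROR);
        return SSL_FATAL_ERROR;
    }

    /* Flush output left over from an earlier call before moving on. */
    if (ssl->buffers.outputBuffer.length > 0) {
        if ((ssl->error = SendBuffered(ssl)) == 0) {
            /* fragOffset is non-zero when sending fragments. On the last
             * fragment, fragOffset is zero again, and the state can be
             * advanced. */
            if (ssl->fragOffset == 0) {
                ssl->options.connectState++;
                WOLFSSL_MSG("connect state: "
                            "Advanced from last buffered fragment send");
            }
            else {
                WOLFSSL_MSG("connect state: "
                            "Not advanced, more fragments to send");
            }
        }
        else {
            WOLFSSL_ERROR(ssl->error);
            return SSL_FATAL_ERROR;
        }
    }

    /* Each case falls through to the next, so a call resumes at the stored
     * connect state and continues from there. */
    switch (ssl->options.connectState) {

        case CONNECT_BEGIN:
            /* Always send client hello first. */
            if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return SSL_FATAL_ERROR;
            }

            ssl->options.connectState = CLIENT_HELLO_SENT;
            WOLFSSL_MSG("connect state: CLIENT_HELLO_SENT");
    #ifdef WOLFSSL_EARLY_DATA
            /* Return to the caller after the ClientHello when early data is
             * set on the object. */
            if (ssl->earlyData) {
                ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
                return SSL_SUCCESS;
            }
    #endif
            FALL_THROUGH;

        case CLIENT_HELLO_SENT:
            neededState = ssl->options.resuming ? SERVER_FINISHED_COMPLETE :
                                                  SERVER_HELLODONE_COMPLETE;
            /* Get the response/s from the server. */
            while (ssl->options.serverState < neededState) {
                if ((ssl->error = ProcessReply(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return SSL_FATAL_ERROR;
                }
                /* if resumption failed, reset needed state. */
                if (neededState == SERVER_FINISHED_COMPLETE &&
                        !ssl->options.resuming) {
                    neededState = SERVER_HELLODONE_COMPLETE;
                }
            }

            ssl->options.connectState = HELLO_AGAIN;
            WOLFSSL_MSG("connect state: HELLO_AGAIN");
            FALL_THROUGH;

        case HELLO_AGAIN:
            if (ssl->options.certOnly)
                return SSL_SUCCESS;

            /* TLS v1.3 was not negotiated: continue with the handshake of
             * the older protocol version. */
            if (!ssl->options.tls1_3)
                return wolfSSL_connect(ssl);

            if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
                ssl->options.serverState = NULL_STATE;
                /* Try again with different security parameters. */
                if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return SSL_FATAL_ERROR;
                }
            }

            ssl->options.connectState = HELLO_AGAIN_REPLY;
            WOLFSSL_MSG("connect state: HELLO_AGAIN_REPLY");
            FALL_THROUGH;

        case HELLO_AGAIN_REPLY:
            /* Read again only after a second ClientHello was sent or an
             * operation is still pending. */
            if (ssl->options.serverState == NULL_STATE ||
                    ssl->error == WC_PENDING_E) {
                neededState = ssl->options.resuming ? SERVER_FINISHED_COMPLETE :
                                                      SERVER_HELLODONE_COMPLETE;

                /* Get the response/s from the server. */
                while (ssl->options.serverState < neededState) {
                    if ((ssl->error = ProcessReply(ssl)) < 0) {
                        WOLFSSL_ERROR(ssl->error);
                        return SSL_FATAL_ERROR;
                    }
                    /* if resumption failed, reset needed state */
                    else if (neededState == SERVER_FINISHED_COMPLETE) {
                        if (!ssl->options.resuming)
                            neededState = SERVER_HELLODONE_COMPLETE;
                    }
                }
            }

            ssl->options.connectState = FIRST_REPLY_DONE;
            WOLFSSL_MSG("connect state: FIRST_REPLY_DONE");
            FALL_THROUGH;

        case FIRST_REPLY_DONE:
    #ifdef WOLFSSL_EARLY_DATA
            if (ssl->earlyData) {
                if ((ssl->error = SendTls13EndOfEarlyData(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return SSL_FATAL_ERROR;
                }
                WOLFSSL_MSG("sent: end_of_early_data");
            }
    #endif

            ssl->options.connectState = FIRST_REPLY_FIRST;
            WOLFSSL_MSG("connect state: FIRST_REPLY_FIRST");
            FALL_THROUGH;

        case FIRST_REPLY_FIRST:
    #ifndef NO_CERTS
            /* Client certificate: only on a full handshake and when
             * sendVerify is set. */
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                ssl->error = SendTls13Certificate(ssl);
                if (ssl->error != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return SSL_FATAL_ERROR;
                }
                WOLFSSL_MSG("sent: certificate");
            }
    #endif

            ssl->options.connectState = FIRST_REPLY_SECOND;
            WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND");
            FALL_THROUGH;

        case FIRST_REPLY_SECOND:

    #ifndef NO_CERTS
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                ssl->error = SendTls13CertificateVerify(ssl);
                if (ssl->error != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return SSL_FATAL_ERROR;
                }
                WOLFSSL_MSG("sent: certificate verify");
            }
    #endif

            ssl->options.connectState = FIRST_REPLY_THIRD;
            WOLFSSL_MSG("connect state: FIRST_REPLY_THIRD");
            FALL_THROUGH;

        case FIRST_REPLY_THIRD:
            if ((ssl->error = SendTls13Finished(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return SSL_FATAL_ERROR;
            }
            WOLFSSL_MSG("sent: finished");

            ssl->options.connectState = FINISHED_DONE;
            WOLFSSL_MSG("connect state: FINISHED_DONE");
            FALL_THROUGH;

        case FINISHED_DONE:
    #ifndef NO_HANDSHAKE_DONE_CB
            /* A negative return from the handshake-done callback fails the
             * connect. */
            if (ssl->hsDoneCb != NULL) {
                int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
                if (cbret < 0) {
                    ssl->error = cbret;
                    WOLFSSL_MSG("HandShake Done Cb don't continue error");
                    return SSL_FATAL_ERROR;
                }
            }
    #endif /* NO_HANDSHAKE_DONE_CB */

            WOLFSSL_LEAVE("wolfSSL_connect_TLSv13()", SSL_SUCCESS);
            return SSL_SUCCESS;

        default:
            WOLFSSL_MSG("Unknown connect state ERROR");
            return SSL_FATAL_ERROR; /* unknown connect state */
    }
}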
wolfSSL 12:1a06964c2adb 6570
wolfSSL 12:1a06964c2adb 6571 #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
/* Enable sending a cookie in the HelloRetryRequest so that the server does
 * not have to keep per-connection state, and install the secret used for the
 * cookie's integrity check.
 *
 * ssl       SSL/TLS object.
 * secret    Secret to use when generating the integrity check for the cookie.
 *           NULL means a fresh random secret is drawn from ssl->rng.
 * secretSz  Size of the secret in bytes. 0 selects the default size: the
 *           SHA-256 digest size when SHA-256 is compiled in, otherwise the
 *           SHA-1 digest size when SHA-1 is compiled in.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR when
 * called on a client, MEMORY_ERROR when the secret buffer cannot be allocated,
 * the negative RNG error when random generation fails, and SSL_SUCCESS on
 * success.
 *
 * Caller contract: when secret is non-NULL, exactly secretSz bytes are read
 * from it - and when secretSz was passed as 0 that is the default digest
 * size, so the caller's buffer must be at least that long.
 *
 * NOTE(review): if both NO_SHA and NO_SHA256 are defined, a secretSz of 0
 * stays 0 and a zero-length secret is installed - confirm that build
 * combination cannot enable this feature.
 * NOTE(review): when the RNG fails after the buffer was re-allocated, the new
 * buffer is left with unspecified contents and sendCookie keeps whatever value
 * an earlier call gave it - confirm callers treat that failure as fatal.
 */
int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret,
                            unsigned int secretSz)
{
    int ret;

    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

    /* Substitute the default secret length when none was requested. */
    if (secretSz == 0) {
    #ifndef NO_SHA256
        secretSz = SHA256_DIGEST_SIZE;
    #elif !defined(NO_SHA)
        secretSz = SHA_DIGEST_SIZE;
    #endif
    }

    /* Only re-allocate when the stored secret has a different length. */
    if (ssl->buffers.tls13CookieSecret.length != secretSz) {
        byte* oldSecret = ssl->buffers.tls13CookieSecret.buffer;
        byte* newSecret;

        /* Wipe the previous secret before its memory goes back to the heap. */
        if (oldSecret != NULL) {
            ForceZero(oldSecret, ssl->buffers.tls13CookieSecret.length);
            XFREE(oldSecret, ssl->heap, DYNAMIC_TYPE_COOKIE_PWD);
        }

        newSecret = (byte*)XMALLOC(secretSz, ssl->heap,
                                   DYNAMIC_TYPE_COOKIE_PWD);
        if (newSecret == NULL) {
            /* Do not leave a pointer to the freed buffer behind. */
            ssl->buffers.tls13CookieSecret.buffer = NULL;
            ssl->buffers.tls13CookieSecret.length = 0;
            WOLFSSL_MSG("couldn't allocate new cookie secret");
            return MEMORY_ERROR;
        }
        ssl->buffers.tls13CookieSecret.buffer = newSecret;
        ssl->buffers.tls13CookieSecret.length = secretSz;
    }

    if (secret != NULL) {
        /* Use the caller's secret verbatim. */
        XMEMCPY(ssl->buffers.tls13CookieSecret.buffer, secret, secretSz);
    }
    else {
        /* No secret supplied: generate a random one. */
        ret = wc_RNG_GenerateBlock(ssl->rng,
                               ssl->buffers.tls13CookieSecret.buffer, secretSz);
        if (ret < 0)
            return ret;
    }

    ssl->options.sendCookie = 1;

    return SSL_SUCCESS;
}
wolfSSL 12:1a06964c2adb 6637 #endif
wolfSSL 12:1a06964c2adb 6638
/* Add a key share entry for the named group to the client's key share
 * extension by calling TLSX_KeyShare_Use().
 * The original header states that this generates a key pair.
 *
 * ssl    The SSL/TLS object.
 * group  The named group.
 * returns BAD_FUNC_ARG when ssl is NULL, SIDE_ERROR when called on a server,
 * the non-zero error from TLSX_KeyShare_Use() on failure and SSL_SUCCESS on
 * success.
 *
 * NOTE(review): unlike the other TLS v1.3 setters in this file, no protocol
 * version check is made here - confirm that is intended.
 */
int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group)
{
    int status;

    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    status = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL);

    /* Map the internal 0-on-success convention onto the public API's. */
    return (status == 0) ? SSL_SUCCESS : status;
}
wolfSSL 12:1a06964c2adb 6661
/* Send no key share entries - use HelloRetryRequest to negotiate the shared
 * group instead.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL, SIDE_ERROR when called on a server,
 * the non-zero error from TLSX_KeyShare_Empty() on failure and SSL_SUCCESS on
 * success.
 */
int wolfSSL_NoKeyShares(WOLFSSL* ssl)
{
    int status;

    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    status = TLSX_KeyShare_Empty(ssl);

    /* Map the internal 0-on-success convention onto the public API's. */
    return (status == 0) ? SSL_SUCCESS : status;
}
wolfSSL 12:1a06964c2adb 6682
/* Do not send a session ticket for resumption after a TLS v1.3 handshake.
 * Applies to the context; the flag is only stored when HAVE_SESSION_TICKET is
 * defined, otherwise the call validates its argument and changes nothing.
 *
 * ctx  The SSL/TLS CTX object.
 * returns BAD_FUNC_ARG when ctx is NULL or its method is not TLS v1.3,
 * SIDE_ERROR when the method is for a client and 0 on success.
 */
int wolfSSL_CTX_no_ticket_TLSv13(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;
    /* Only a server issues tickets. */
    if (ctx->method->side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

#ifdef HAVE_SESSION_TICKET
    ctx->noTicketTls13 = 1;
#endif

    return 0;
}
wolfSSL 12:1a06964c2adb 6701
/* Do not send a session ticket for resumption after a TLS v1.3 handshake.
 * Applies to one connection; the flag is only stored when HAVE_SESSION_TICKET
 * is defined, otherwise the call validates its argument and changes nothing.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR when
 * called on a client and 0 on success.
 */
int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
    /* Only a server issues tickets. */
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

#ifdef HAVE_SESSION_TICKET
    ssl->options.noTicketTls13 = 1;
#endif

    return 0;
}
wolfSSL 12:1a06964c2adb 6721
/* Disallow (EC)DHE key exchange when using pre-shared keys.
 * Applies to the context.
 *
 * Security caveat: a PSK handshake without an (EC)DHE exchange has no forward
 * secrecy - traffic keys then depend on the pre-shared key alone.
 *
 * ctx  The SSL/TLS CTX object.
 * returns BAD_FUNC_ARG when ctx is NULL or its method is not TLS v1.3 and 0 on
 * success.
 */
int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;

    ctx->noPskDheKe = 1;

    return 0;
}
wolfSSL 12:1a06964c2adb 6736
/* Disallow (EC)DHE key exchange when using pre-shared keys.
 * Applies to one connection.
 *
 * Security caveat: a PSK handshake without an (EC)DHE exchange has no forward
 * secrecy - traffic keys then depend on the pre-shared key alone.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3 and 0 on
 * success.
 */
int wolfSSL_no_dhe_psk(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

    ssl->options.noPskDheKe = 1;

    return 0;
}
wolfSSL 12:1a06964c2adb 6752
/* Update the keys for encryption and decryption by sending a KeyUpdate
 * message.
 * If using non-blocking I/O and SSL_ERROR_WANT_WRITE is returned then
 * calling wolfSSL_write() will have the message sent when ready.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3,
 * SSL_ERROR_WANT_WRITE when non-blocking I/O is not ready to write,
 * SSL_SUCCESS on success and otherwise the error from SendTls13KeyUpdate().
 */
int wolfSSL_update_keys(WOLFSSL* ssl)
{
    int status;

    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

    status = SendTls13KeyUpdate(ssl);

    /* Translate the internal result codes into the public API's. */
    if (status == WANT_WRITE)
        return SSL_ERROR_WANT_WRITE;
    if (status == 0)
        return SSL_SUCCESS;
    return status;
}
wolfSSL 12:1a06964c2adb 6776
wolfSSL 12:1a06964c2adb 6777 #if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
/* Allow post-handshake authentication in TLS v1.3 connections.
 * Applies to the context. The code accepts only a non-server method.
 *
 * ctx  The SSL/TLS CTX object.
 * returns BAD_FUNC_ARG when ctx is NULL or its method is not TLS v1.3,
 * SIDE_ERROR when the method is for a server and 0 on success.
 */
int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;
    /* Rejected on the server side. */
    if (ctx->method->side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    ctx->postHandshakeAuth = 1;

    return 0;
}
wolfSSL 12:1a06964c2adb 6795
/* Allow post-handshake authentication in a TLS v1.3 connection.
 * Applies to one connection. The code accepts only a non-server object.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3,
 * SIDE_ERROR when called on a server and 0 on success.
 */
int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
    /* Rejected on the server side. */
    if (ssl->options.side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    ssl->options.postHandshakeAuth = 1;

    return 0;
}
wolfSSL 12:1a06964c2adb 6813
/* Request a certificate of the client (server side, post-handshake).
 * Can be called any time after handshake completion.
 * The original header states a maximum of 256 requests per connection.
 *
 * Each call allocates a one-byte request context, pushes it onto the front of
 * ssl->certReqCtx and sends a CertificateRequest carrying it. The entry is
 * linked before the send and is not unlinked here if the send fails.
 *
 * ssl  SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR when
 * called on a client, NOT_READY_ERROR when the handshake is not done,
 * POST_HAND_AUTH_ERROR when post-handshake authentication is not enabled on
 * the connection, MEMORY_E on allocation failure, SSL_ERROR_WANT_WRITE when
 * non-blocking I/O is not ready to write, SSL_SUCCESS on success and otherwise
 * the error from SendTls13CertificateRequest().
 *
 * NOTE(review): no request limit is enforced in this function; the context
 * value is the previous entry's value plus one - confirm the width of the ctx
 * field and what happens when it wraps.
 */
int wolfSSL_request_certificate(WOLFSSL* ssl)
{
    int         status;
    CertReqCtx* req;

    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;
    if (ssl->options.handShakeState != HANDSHAKE_DONE)
        return NOT_READY_ERROR;
    /* Only ask when post-handshake authentication is enabled. */
    if (!ssl->options.postHandshakeAuth)
        return POST_HAND_AUTH_ERROR;

    req = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx), ssl->heap,
                               DYNAMIC_TYPE_TMP_BUFFER);
    if (req == NULL)
        return MEMORY_E;
    XMEMSET(req, 0, sizeof(CertReqCtx));

    /* Push onto the list; the first entry keeps the zeroed context value. */
    req->next = ssl->certReqCtx;
    req->len = 1;
    if (req->next != NULL)
        req->ctx = req->next->ctx + 1;
    ssl->certReqCtx = req;

    status = SendTls13CertificateRequest(ssl, &req->ctx, req->len);

    /* Translate the internal result codes into the public API's. */
    if (status == WANT_WRITE)
        return SSL_ERROR_WANT_WRITE;
    if (status == 0)
        return SSL_SUCCESS;
    return status;
}
wolfSSL 12:1a06964c2adb 6852 #endif /* !NO_CERTS && WOLFSSL_POST_HANDSHAKE_AUTH */
wolfSSL 12:1a06964c2adb 6853
wolfSSL 12:1a06964c2adb 6854 #ifndef NO_WOLFSSL_SERVER
/* Server side of the TLS v1.3 handshake: accept a connection from a client.
 * The function is a resumable state machine keyed on ssl->options.acceptState;
 * each case does its work, records the next state and falls through.
 * Please see note at top of README if you get an error from accept.
 *
 * The original header notes that a downgrading client is handed to
 * wolfSSL_accept() when older protocol versions are compiled in; that hand-off
 * is not part of this function's body.
 *
 * ssl  The SSL/TLS object. It is dereferenced without a NULL check.
 * returns SSL_SUCCESS on successful handshake (or, with WOLFSSL_EARLY_DATA and
 * ssl->earlyData set, right after the server Finished is sent) and
 * SSL_FATAL_ERROR on every failure path, with the cause stored in ssl->error.
 * For more error information use wolfSSL_get_error().
 *
 * NOTE(review): two stored states have no case label in this switch -
 * KEY_EXCHANGE_SENT (set on entry to CERT_REQ_SENT) and CERT_STATUS_SENT (set
 * at the end of CERT_SENT, where the label that follows is CERT_VERIFY_SENT).
 * A re-entry with either value would reach the default branch unless the
 * acceptState++ in the buffered-send path moves it onto a handled label; that
 * depends on the AcceptState enum order, which is not visible here - confirm.
 */
int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
{
    word16 havePSK = 0;
    word16 haveAnon = 0;
    WOLFSSL_ENTER("SSL_accept_TLSv13()");

#ifdef HAVE_ERRNO_H
    errno = 0;
#endif

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    havePSK = ssl->options.havePSK;
#endif
    (void)havePSK;

#ifdef HAVE_ANON
    haveAnon = ssl->options.haveAnon;
#endif
    (void)haveAnon;

    if (ssl->options.side != WOLFSSL_SERVER_END) {
        /* NOTE(review): the assignment is the macro's argument; if
         * WOLFSSL_ERROR expands to nothing in some builds, ssl->error is not
         * set on this path - confirm against the macro definition. */
        WOLFSSL_ERROR(ssl->error = SIDE_ERROR);
        return SSL_FATAL_ERROR;
    }

#ifndef NO_CERTS
    /* in case used set_accept_state after init: without PSK or anonymous
     * cipher suites the server needs both a certificate and a private key */
    if (havePSK == 0 && haveAnon == 0 &&
        (ssl->buffers.certificate == NULL ||
         ssl->buffers.certificate->buffer == NULL ||
         ssl->buffers.key == NULL ||
         ssl->buffers.key->buffer == NULL)) {
        WOLFSSL_MSG("accept error: don't have server cert and key");
        ssl->error = NO_PRIVATE_KEY;
        WOLFSSL_ERROR(ssl->error);
        return SSL_FATAL_ERROR;
    }
#endif

    /* Flush output left over from an earlier call before resuming. */
    if (ssl->buffers.outputBuffer.length > 0) {
        ssl->error = SendBuffered(ssl);
        if (ssl->error != 0) {
            WOLFSSL_ERROR(ssl->error);
            return SSL_FATAL_ERROR;
        }

        /* fragOffset is non-zero when sending fragments. On the last
         * fragment, fragOffset is zero again, and the state can be
         * advanced. */
        if (ssl->fragOffset == 0) {
            ssl->options.acceptState++;
            WOLFSSL_MSG("accept state: "
                        "Advanced from last buffered fragment send");
        }
        else {
            WOLFSSL_MSG("accept state: "
                        "Not advanced, more fragments to send");
        }
    }

    switch (ssl->options.acceptState) {

        case ACCEPT_BEGIN :
            /* get response: read until the ClientHello has been processed */
            while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                ssl->error = ProcessReply(ssl);
                if (ssl->error < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return SSL_FATAL_ERROR;
                }
            }

            ssl->options.acceptState = ACCEPT_CLIENT_HELLO_DONE;
            WOLFSSL_MSG("accept state ACCEPT_CLIENT_HELLO_DONE");
            FALL_THROUGH;

        case ACCEPT_CLIENT_HELLO_DONE :
            /* Send a HelloRetryRequest only when one was decided on. */
            if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
                ssl->error = SendTls13HelloRetryRequest(ssl);
                if (ssl->error != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return SSL_FATAL_ERROR;
                }
            }
            ssl->options.acceptState = ACCEPT_HELLO_RETRY_REQUEST_DONE;
            WOLFSSL_MSG("accept state ACCEPT_HELLO_RETRY_REQUEST_DONE");
            FALL_THROUGH;

        case ACCEPT_HELLO_RETRY_REQUEST_DONE :
            /* After a HelloRetryRequest, process the client's reply. */
            if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
                ssl->error = ProcessReply(ssl);
                if (ssl->error < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return SSL_FATAL_ERROR;
                }
            }
            ssl->options.acceptState = ACCEPT_FIRST_REPLY_DONE;
            WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE");
            FALL_THROUGH;

        case ACCEPT_FIRST_REPLY_DONE :
            ssl->error = SendTls13ServerHello(ssl);
            if (ssl->error != 0) {
                WOLFSSL_ERROR(ssl->error);
                return SSL_FATAL_ERROR;
            }
            ssl->options.acceptState = SERVER_HELLO_SENT;
            WOLFSSL_MSG("accept state SERVER_HELLO_SENT");
            FALL_THROUGH;

        case SERVER_HELLO_SENT :
            ssl->error = SendTls13EncryptedExtensions(ssl);
            if (ssl->error != 0) {
                WOLFSSL_ERROR(ssl->error);
                return SSL_FATAL_ERROR;
            }
            ssl->options.acceptState = SERVER_EXTENSIONS_SENT;
            WOLFSSL_MSG("accept state SERVER_EXTENSIONS_SENT");
            FALL_THROUGH;

        case SERVER_EXTENSIONS_SENT :
#ifndef NO_CERTS
            /* Ask for a client certificate on a full handshake when peer
             * verification is enabled. */
            if (!ssl->options.resuming && ssl->options.verifyPeer) {
                ssl->error = SendTls13CertificateRequest(ssl, NULL, 0);
                if (ssl->error != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return SSL_FATAL_ERROR;
                }
            }
#endif
            ssl->options.acceptState = CERT_REQ_SENT;
            WOLFSSL_MSG("accept state CERT_REQ_SENT");
            FALL_THROUGH;

        case CERT_REQ_SENT :
            /* This value is stored before the certificate is sent and is
             * replaced by CERT_SENT once the send succeeds. */
            ssl->options.acceptState = KEY_EXCHANGE_SENT;
#ifndef NO_CERTS
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                ssl->error = SendTls13Certificate(ssl);
                if (ssl->error != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return SSL_FATAL_ERROR;
                }
            }
#endif
            ssl->options.acceptState = CERT_SENT;
            WOLFSSL_MSG("accept state CERT_SENT");
            FALL_THROUGH;

        case CERT_SENT :
#ifndef NO_CERTS
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                ssl->error = SendTls13CertificateVerify(ssl);
                if (ssl->error != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return SSL_FATAL_ERROR;
                }
            }
#endif
            /* The stored state differs from the case label that follows. */
            ssl->options.acceptState = CERT_STATUS_SENT;
            WOLFSSL_MSG("accept state CERT_STATUS_SENT");
            FALL_THROUGH;

        case CERT_VERIFY_SENT :
            ssl->error = SendTls13Finished(ssl);
            if (ssl->error != 0) {
                WOLFSSL_ERROR(ssl->error);
                return SSL_FATAL_ERROR;
            }

            ssl->options.acceptState = ACCEPT_FINISHED_DONE;
            WOLFSSL_MSG("accept state ACCEPT_FINISHED_DONE");
#ifdef WOLFSSL_EARLY_DATA
            /* With early data enabled, return here - before the client's
             * Finished has been processed. */
            if (ssl->earlyData) {
                ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
                return SSL_SUCCESS;
            }
#endif
            FALL_THROUGH;

        case ACCEPT_FINISHED_DONE :
#ifdef HAVE_SESSION_TICKET
    #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
            /* Ticket before the client's Finished: only on a full handshake
             * without peer verification, when tickets are not disabled and an
             * encryption callback is set. */
            if (!ssl->options.resuming && !ssl->options.verifyPeer &&
                !ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) {
                ssl->error = SendTls13NewSessionTicket(ssl);
                if (ssl->error != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return SSL_FATAL_ERROR;
                }
            }
    #endif
#endif /* HAVE_SESSION_TICKET */
            ssl->options.acceptState = TICKET_SENT;
            WOLFSSL_MSG("accept state TICKET_SENT");
            FALL_THROUGH;

        case TICKET_SENT:
            /* Read until the client's Finished has been processed. */
            while (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) {
                ssl->error = ProcessReply(ssl);
                if (ssl->error < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return SSL_FATAL_ERROR;
                }
            }

            ssl->options.acceptState = ACCEPT_SECOND_REPLY_DONE;
            WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE");
            FALL_THROUGH;

        case ACCEPT_SECOND_REPLY_DONE :
#ifdef HAVE_SESSION_TICKET
    #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
            /* The empty branch skips the ticket here when peer verification
             * is off; that case is handled in ACCEPT_FINISHED_DONE. */
            if (!ssl->options.verifyPeer) {
            }
            else
    #endif
            if (!ssl->options.resuming &&
                !ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) {
                ssl->error = SendTls13NewSessionTicket(ssl);
                if (ssl->error != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return SSL_FATAL_ERROR;
                }
            }
#endif /* HAVE_SESSION_TICKET */
            ssl->options.acceptState = ACCEPT_THIRD_REPLY_DONE;
            WOLFSSL_MSG("accept state ACCEPT_THIRD_REPLY_DONE");
            FALL_THROUGH;

        case ACCEPT_THIRD_REPLY_DONE:
#ifndef NO_HANDSHAKE_DONE_CB
            /* A negative return from the application's callback fails the
             * handshake. */
            if (ssl->hsDoneCb != NULL) {
                int cbStatus = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
                if (cbStatus < 0) {
                    ssl->error = cbStatus;
                    WOLFSSL_MSG("HandShake Done Cb don't continue error");
                    return SSL_FATAL_ERROR;
                }
            }
#endif /* NO_HANDSHAKE_DONE_CB */

            WOLFSSL_LEAVE("SSL_accept()", SSL_SUCCESS);
            return SSL_SUCCESS;

        default :
            /* ssl->error is not updated on this path. */
            WOLFSSL_MSG("Unknown accept state ERROR");
            return SSL_FATAL_ERROR;
    }
}
wolfSSL 12:1a06964c2adb 7105 #endif
wolfSSL 12:1a06964c2adb 7106
wolfSSL 12:1a06964c2adb 7107 #ifdef WOLFSSL_EARLY_DATA
/* Sets the maximum amount of early data that can be seen by server when using
 * session tickets for resumption. Applies to the context.
 * A value of zero indicates no early data is to be sent by client using session
 * tickets.
 *
 * Security caveat: TLS v1.3 early (0-RTT) data can be replayed by an attacker;
 * keep the limit at zero unless the application tolerates replayed requests.
 *
 * ctx  The SSL/TLS CTX object.
 * sz   Maximum size of the early data. Stored as given; no upper bound is
 *      applied here.
 * returns BAD_FUNC_ARG when ctx is NULL or its method is not TLS v1.3,
 * SIDE_ERROR when not a server and 0 on success.
 */
int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;
    if (ctx->method->side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

    ctx->maxEarlyDataSz = sz;

    return 0;
}
wolfSSL 12:1a06964c2adb 7129
/* Sets the maximum amount of early data that can be seen by server when using
 * session tickets for resumption. Applies to one connection.
 * A value of zero indicates no early data is to be sent by client using session
 * tickets.
 *
 * Security caveat: TLS v1.3 early (0-RTT) data can be replayed by an attacker;
 * keep the limit at zero unless the application tolerates replayed requests.
 *
 * ssl  The SSL/TLS object.
 * sz   Maximum size of the early data. Stored as given; no upper bound is
 *      applied here.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3,
 * SIDE_ERROR when not a server and 0 on success.
 */
int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

    ssl->options.maxEarlyDataSz = sz;

    return 0;
}
wolfSSL 12:1a06964c2adb 7151
/* Write early data to the server. Client side only.
 *
 * ssl    The SSL/TLS object.
 * data   Early data to write.
 * sz     The size of the early data in bytes.
 * outSz  Receives the number of early data bytes written. It is written only
 *        when the send returns a positive count and is left untouched on
 *        every other path, so the caller should initialise it.
 * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative;
 * or not using TLS v1.3. SIDE_ERROR when called on a server.
 * SSL_FATAL_ERROR when starting the handshake fails or the send reports an
 * error. Otherwise the number of early data bytes written when the handshake
 * state is CLIENT_HELLO_COMPLETE; in any other state the value already held
 * (0, or the positive result of wolfSSL_connect_TLSv13()) is returned.
 *
 * NOTE(review): TLS v1.3 early data can be replayed by a network attacker and
 * no replay handling is visible in this function; callers should only send
 * data that is safe to be processed more than once.
 */
int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz)
{
    int rc = 0;

    WOLFSSL_ENTER("SSL_write_early_data()");

    /* Pointer and size checks come first; short-circuit evaluation keeps
     * ssl->version from being read when ssl is NULL. */
    if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL ||
            !IsAtLeastTLSv1_3(ssl->version)) {
        return BAD_FUNC_ARG;
    }

    /* Writing early data is a client operation. */
    if (ssl->options.side == WOLFSSL_SERVER_END) {
        return SIDE_ERROR;
    }

    /* No handshake has been started: flag early data and start the
     * TLS v1.3 connect before anything is sent. */
    if (ssl->options.handShakeState == NULL_STATE) {
        ssl->earlyData = 1;
        rc = wolfSSL_connect_TLSv13(ssl);
        if (rc <= 0) {
            return SSL_FATAL_ERROR;
        }
    }

    /* Data is sent only in the CLIENT_HELLO_COMPLETE state. */
    if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) {
        rc = SendData(ssl, data, sz);
        if (rc > 0) {
            *outSz = rc;
        }
    }

    WOLFSSL_LEAVE("SSL_write_early_data()", rc);

    /* Any negative code is converted to the generic fatal error. */
    return (rc < 0) ? SSL_FATAL_ERROR : rc;
}
wolfSSL 12:1a06964c2adb 7194
/* Read any early data from the client. Server side only.
 *
 * ssl    The SSL/TLS object.
 * data   Buffer to put the early data into.
 * sz     The size of the buffer in bytes.
 * outSz  Receives the number of early data bytes read. It is written only
 *        when the receive returns a positive count and is left untouched on
 *        every other path, so the caller should initialise it.
 * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative;
 * or not using TLS v1.3. SIDE_ERROR when called on a client.
 * SSL_FATAL_ERROR when starting the handshake fails or the receive reports an
 * error. 0 when the handshake state is not SERVER_FINISHED_COMPLETE.
 * Otherwise the number of early data bytes read.
 *
 * NOTE(review): TLS v1.3 early data can be replayed by a network attacker and
 * no replay check is visible in this function; the application should treat
 * the returned bytes as possibly duplicated (for example, accept only
 * idempotent requests) until the handshake has completed.
 */
int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz)
{
    int rc;

    WOLFSSL_ENTER("wolfSSL_read_early_data()");

    /* Pointer and size checks come first; short-circuit evaluation keeps
     * ssl->version from being read when ssl is NULL. */
    if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL ||
            !IsAtLeastTLSv1_3(ssl->version)) {
        return BAD_FUNC_ARG;
    }

    /* Reading early data is a server operation. */
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        return SIDE_ERROR;
    }

    /* No handshake has been started: flag early data and start the
     * TLS v1.3 accept before anything is read. */
    if (ssl->options.handShakeState == NULL_STATE) {
        ssl->earlyData = 1;
        rc = wolfSSL_accept_TLSv13(ssl);
        if (rc <= 0) {
            return SSL_FATAL_ERROR;
        }
    }

    if (ssl->options.handShakeState != SERVER_FINISHED_COMPLETE) {
        /* Nothing is read in any other state; report zero bytes. */
        rc = 0;
    }
    else {
        rc = ReceiveData(ssl, (byte*)data, sz, FALSE);
        if (rc > 0) {
            *outSz = rc;
        }
        /* A ZERO_RETURN left in ssl->error is reset to SSL_ERROR_NONE;
         * presumably so the end of early data is not reported as a closed
         * connection - confirm. */
        if (ssl->error == ZERO_RETURN) {
            ssl->error = SSL_ERROR_NONE;
        }
    }

    WOLFSSL_LEAVE("wolfSSL_read_early_data()", rc);

    /* Any negative code is converted to the generic fatal error. */
    return (rc < 0) ? SSL_FATAL_ERROR : rc;
}
wolfSSL 12:1a06964c2adb 7242 #endif
wolfSSL 12:1a06964c2adb 7243
wolfSSL 12:1a06964c2adb 7244 #undef ERROR_OUT
wolfSSL 12:1a06964c2adb 7245
wolfSSL 12:1a06964c2adb 7246 #endif /* !WOLFCRYPT_ONLY */
wolfSSL 12:1a06964c2adb 7247
wolfSSL 12:1a06964c2adb 7248 #endif /* WOLFSSL_TLS13 */
wolfSSL 12:1a06964c2adb 7249