wolf SSL
SSL/TLS Library
CyaSSL is SSL/TLS library for embedded systems.
Diff: src/tls.c
- Revision:
- 0:9d17e4342598
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/tls.c Sun Apr 20 12:40:57 2014 +0000
@@ -0,0 +1,1942 @@
+/* tls.c
+ *
+ * Copyright (C) 2006-2013 wolfSSL Inc.
+ *
+ * This file is part of CyaSSL.
+ *
+ * CyaSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * CyaSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+ #include <config.h>
+#endif
+
+#include <cyassl/ctaocrypt/settings.h>
+
+#include <cyassl/ssl.h>
+#include <cyassl/internal.h>
+#include <cyassl/error-ssl.h>
+#include <cyassl/ctaocrypt/hmac.h>
+
+
+
+#ifndef NO_TLS
+
+
+#ifndef min
+
+ static INLINE word32 min(word32 a, word32 b)
+ {
+ return a > b ? b : a;
+ }
+
+#endif /* min */
+
+
+#ifdef CYASSL_SHA384
+ #define PHASH_MAX_DIGEST_SIZE SHA384_DIGEST_SIZE
+#else
+ #define PHASH_MAX_DIGEST_SIZE SHA256_DIGEST_SIZE
+#endif
+
+/* compute p_hash for MD5, SHA-1, SHA-256, or SHA-384 for TLSv1 PRF */
+static int p_hash(byte* result, word32 resLen, const byte* secret,
+ word32 secLen, const byte* seed, word32 seedLen, int hash)
+{
+ word32 len = PHASH_MAX_DIGEST_SIZE;
+ word32 times;
+ word32 lastLen;
+ word32 lastTime;
+ word32 i;
+ word32 idx = 0;
+ int ret;
+ byte previous[PHASH_MAX_DIGEST_SIZE]; /* max size */
+ byte current[PHASH_MAX_DIGEST_SIZE]; /* max size */
+
+ Hmac hmac;
+
+ switch (hash) {
+ #ifndef NO_MD5
+ case md5_mac:
+ {
+ len = MD5_DIGEST_SIZE;
+ hash = MD5;
+ }
+ break;
+ #endif
+ #ifndef NO_SHA256
+ case sha256_mac:
+ {
+ len = SHA256_DIGEST_SIZE;
+ hash = SHA256;
+ }
+ break;
+ #endif
+ #ifdef CYASSL_SHA384
+ case sha384_mac:
+ {
+ len = SHA384_DIGEST_SIZE;
+ hash = SHA384;
+ }
+ break;
+ #endif
+#ifndef NO_SHA
+ case sha_mac:
+ default:
+ {
+ len = SHA_DIGEST_SIZE;
+ hash = SHA;
+ }
+ break;
+#endif
+ }
+
+ times = resLen / len;
+ lastLen = resLen % len;
+ if (lastLen) times += 1;
+ lastTime = times - 1;
+
+ ret = HmacSetKey(&hmac, hash, secret, secLen);
+ if (ret != 0)
+ return ret;
+ HmacUpdate(&hmac, seed, seedLen); /* A0 = seed */
+ HmacFinal(&hmac, previous); /* A1 */
+
+ for (i = 0; i < times; i++) {
+ HmacUpdate(&hmac, previous, len);
+ HmacUpdate(&hmac, seed, seedLen);
+ HmacFinal(&hmac, current);
+
+ if ( (i == lastTime) && lastLen)
+ XMEMCPY(&result[idx], current, min(lastLen, sizeof(current)));
+ else {
+ XMEMCPY(&result[idx], current, len);
+ idx += len;
+ HmacUpdate(&hmac, previous, len);
+ HmacFinal(&hmac, previous);
+ }
+ }
+ XMEMSET(previous, 0, sizeof previous);
+ XMEMSET(current, 0, sizeof current);
+ XMEMSET(&hmac, 0, sizeof hmac);
+
+ return 0;
+}
+
+
+
+#ifndef NO_OLD_TLS
+
+/* calculate XOR for TLSv1 PRF */
+static INLINE void get_xor(byte *digest, word32 digLen, byte* md5, byte* sha)
+{
+ word32 i;
+
+ for (i = 0; i < digLen; i++)
+ digest[i] = md5[i] ^ sha[i];
+}
+
+
+/* compute TLSv1 PRF (pseudo random function using HMAC) */
+static int doPRF(byte* digest, word32 digLen, const byte* secret,word32 secLen,
+ const byte* label, word32 labLen, const byte* seed,
+ word32 seedLen)
+{
+ int ret;
+ word32 half = (secLen + 1) / 2;
+
+ byte md5_half[MAX_PRF_HALF]; /* half is real size */
+ byte sha_half[MAX_PRF_HALF]; /* half is real size */
+ byte labelSeed[MAX_PRF_LABSEED]; /* labLen + seedLen is real size */
+ byte md5_result[MAX_PRF_DIG]; /* digLen is real size */
+ byte sha_result[MAX_PRF_DIG]; /* digLen is real size */
+
+ if (half > MAX_PRF_HALF)
+ return BUFFER_E;
+ if (labLen + seedLen > MAX_PRF_LABSEED)
+ return BUFFER_E;
+ if (digLen > MAX_PRF_DIG)
+ return BUFFER_E;
+
+ XMEMSET(md5_result, 0, digLen);
+ XMEMSET(sha_result, 0, digLen);
+
+ XMEMCPY(md5_half, secret, half);
+ XMEMCPY(sha_half, secret + half - secLen % 2, half);
+
+ XMEMCPY(labelSeed, label, labLen);
+ XMEMCPY(labelSeed + labLen, seed, seedLen);
+
+ ret = p_hash(md5_result, digLen, md5_half, half, labelSeed,
+ labLen + seedLen, md5_mac);
+ if (ret != 0)
+ return ret;
+ ret = p_hash(sha_result, digLen, sha_half, half, labelSeed,
+ labLen + seedLen, sha_mac);
+ if (ret != 0)
+ return ret;
+ get_xor(digest, digLen, md5_result, sha_result);
+
+ return 0;
+}
+
+#endif
+
+
+/* Wrapper to call straight thru to p_hash in TSL 1.2 cases to remove stack
+ use */
+static int PRF(byte* digest, word32 digLen, const byte* secret, word32 secLen,
+ const byte* label, word32 labLen, const byte* seed, word32 seedLen,
+ int useAtLeastSha256, int hash_type)
+{
+ int ret = 0;
+
+ if (useAtLeastSha256) {
+ byte labelSeed[MAX_PRF_LABSEED]; /* labLen + seedLen is real size */
+
+ if (labLen + seedLen > MAX_PRF_LABSEED)
+ return BUFFER_E;
+
+ XMEMCPY(labelSeed, label, labLen);
+ XMEMCPY(labelSeed + labLen, seed, seedLen);
+
+ /* If a cipher suite wants an algorithm better than sha256, it
+ * should use better. */
+ if (hash_type < sha256_mac)
+ hash_type = sha256_mac;
+ ret = p_hash(digest, digLen, secret, secLen, labelSeed,
+ labLen + seedLen, hash_type);
+ }
+#ifndef NO_OLD_TLS
+ else {
+ ret = doPRF(digest, digLen, secret, secLen, label, labLen, seed,
+ seedLen);
+ }
+#endif
+
+ return ret;
+}
+
+
+#ifdef CYASSL_SHA384
+ #define HSHASH_SZ SHA384_DIGEST_SIZE
+#else
+ #define HSHASH_SZ FINISHED_SZ
+#endif
+
+
+int BuildTlsFinished(CYASSL* ssl, Hashes* hashes, const byte* sender)
+{
+ const byte* side;
+ byte handshake_hash[HSHASH_SZ];
+ word32 hashSz = FINISHED_SZ;
+
+#ifndef NO_OLD_TLS
+ Md5Final(&ssl->hashMd5, handshake_hash);
+ ShaFinal(&ssl->hashSha, &handshake_hash[MD5_DIGEST_SIZE]);
+#endif
+
+ if (IsAtLeastTLSv1_2(ssl)) {
+#ifndef NO_SHA256
+ if (ssl->specs.mac_algorithm <= sha256_mac) {
+ Sha256Final(&ssl->hashSha256, handshake_hash);
+ hashSz = SHA256_DIGEST_SIZE;
+ }
+#endif
+#ifdef CYASSL_SHA384
+ if (ssl->specs.mac_algorithm == sha384_mac) {
+ Sha384Final(&ssl->hashSha384, handshake_hash);
+ hashSz = SHA384_DIGEST_SIZE;
+ }
+#endif
+ }
+
+ if ( XSTRNCMP((const char*)sender, (const char*)client, SIZEOF_SENDER) == 0)
+ side = tls_client;
+ else
+ side = tls_server;
+
+ return PRF((byte*)hashes, TLS_FINISHED_SZ, ssl->arrays->masterSecret,
+ SECRET_LEN, side, FINISHED_LABEL_SZ, handshake_hash, hashSz,
+ IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
+}
+
+
+#ifndef NO_OLD_TLS
+
+ProtocolVersion MakeTLSv1(void)
+{
+ ProtocolVersion pv;
+ pv.major = SSLv3_MAJOR;
+ pv.minor = TLSv1_MINOR;
+
+ return pv;
+}
+
+
+ProtocolVersion MakeTLSv1_1(void)
+{
+ ProtocolVersion pv;
+ pv.major = SSLv3_MAJOR;
+ pv.minor = TLSv1_1_MINOR;
+
+ return pv;
+}
+
+#endif
+
+
+ProtocolVersion MakeTLSv1_2(void)
+{
+ ProtocolVersion pv;
+ pv.major = SSLv3_MAJOR;
+ pv.minor = TLSv1_2_MINOR;
+
+ return pv;
+}
+
+
+static const byte master_label[MASTER_LABEL_SZ + 1] = "master secret";
+static const byte key_label [KEY_LABEL_SZ + 1] = "key expansion";
+
+
+int DeriveTlsKeys(CYASSL* ssl)
+{
+ int ret;
+ int length = 2 * ssl->specs.hash_size +
+ 2 * ssl->specs.key_size +
+ 2 * ssl->specs.iv_size;
+ byte seed[SEED_LEN];
+ byte key_data[MAX_PRF_DIG];
+
+ XMEMCPY(seed, ssl->arrays->serverRandom, RAN_LEN);
+ XMEMCPY(&seed[RAN_LEN], ssl->arrays->clientRandom, RAN_LEN);
+
+ ret = PRF(key_data, length, ssl->arrays->masterSecret, SECRET_LEN,
+ key_label, KEY_LABEL_SZ, seed, SEED_LEN, IsAtLeastTLSv1_2(ssl),
+ ssl->specs.mac_algorithm);
+ if (ret != 0)
+ return ret;
+
+ return StoreKeys(ssl, key_data);
+}
+
+
+int MakeTlsMasterSecret(CYASSL* ssl)
+{
+ int ret;
+ byte seed[SEED_LEN];
+
+ XMEMCPY(seed, ssl->arrays->clientRandom, RAN_LEN);
+ XMEMCPY(&seed[RAN_LEN], ssl->arrays->serverRandom, RAN_LEN);
+
+ ret = PRF(ssl->arrays->masterSecret, SECRET_LEN,
+ ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
+ master_label, MASTER_LABEL_SZ,
+ seed, SEED_LEN, IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
+ if (ret != 0)
+ return ret;
+
+#ifdef SHOW_SECRETS
+ {
+ int i;
+ printf("master secret: ");
+ for (i = 0; i < SECRET_LEN; i++)
+ printf("%02x", ssl->arrays->masterSecret[i]);
+ printf("\n");
+ }
+#endif
+
+ return DeriveTlsKeys(ssl);
+}
+
+
+/* Used by EAP-TLS and EAP-TTLS to derive keying material from
+ * the master_secret. */
+int CyaSSL_make_eap_keys(CYASSL* ssl, void* msk, unsigned int len,
+ const char* label)
+{
+ byte seed[SEED_LEN];
+
+ /*
+ * As per RFC-5281, the order of the client and server randoms is reversed
+ * from that used by the TLS protocol to derive keys.
+ */
+ XMEMCPY(seed, ssl->arrays->clientRandom, RAN_LEN);
+ XMEMCPY(&seed[RAN_LEN], ssl->arrays->serverRandom, RAN_LEN);
+
+ return PRF((byte*)msk, len,
+ ssl->arrays->masterSecret, SECRET_LEN,
+ (const byte *)label, (word32)strlen(label),
+ seed, SEED_LEN, IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
+
+}
+
+
+/*** next for static INLINE s copied internal.c ***/
+
+/* convert 16 bit integer to opaque */
+static INLINE void c16toa(word16 u16, byte* c)
+{
+ c[0] = (u16 >> 8) & 0xff;
+ c[1] = u16 & 0xff;
+}
+
+#ifdef HAVE_TLS_EXTENSIONS
+/* convert opaque to 16 bit integer */
+static INLINE void ato16(const byte* c, word16* u16)
+{
+ *u16 = (c[0] << 8) | (c[1]);
+}
+
+#ifdef HAVE_SNI
+/* convert a 24 bit integer into a 32 bit one */
+static INLINE void c24to32(const word24 u24, word32* u32)
+{
+ *u32 = (u24[0] << 16) | (u24[1] << 8) | u24[2];
+}
+#endif
+#endif
+
+/* convert 32 bit integer to opaque */
+static INLINE void c32toa(word32 u32, byte* c)
+{
+ c[0] = (u32 >> 24) & 0xff;
+ c[1] = (u32 >> 16) & 0xff;
+ c[2] = (u32 >> 8) & 0xff;
+ c[3] = u32 & 0xff;
+}
+
+
+static INLINE word32 GetSEQIncrement(CYASSL* ssl, int verify)
+{
+#ifdef CYASSL_DTLS
+ if (ssl->options.dtls) {
+ if (verify)
+ return ssl->keys.dtls_state.curSeq; /* explicit from peer */
+ else
+ return ssl->keys.dtls_sequence_number - 1; /* already incremented */
+ }
+#endif
+ if (verify)
+ return ssl->keys.peer_sequence_number++;
+ else
+ return ssl->keys.sequence_number++;
+}
+
+
+#ifdef CYASSL_DTLS
+
+static INLINE word32 GetEpoch(CYASSL* ssl, int verify)
+{
+ if (verify)
+ return ssl->keys.dtls_state.curEpoch;
+ else
+ return ssl->keys.dtls_epoch;
+}
+
+#endif /* CYASSL_DTLS */
+
+
+/*** end copy ***/
+
+
+/* return HMAC digest type in CyaSSL format */
+int CyaSSL_GetHmacType(CYASSL* ssl)
+{
+ if (ssl == NULL)
+ return BAD_FUNC_ARG;
+
+ switch (ssl->specs.mac_algorithm) {
+ #ifndef NO_MD5
+ case md5_mac:
+ {
+ return MD5;
+ }
+ #endif
+ #ifndef NO_SHA256
+ case sha256_mac:
+ {
+ return SHA256;
+ }
+ #endif
+ #ifdef CYASSL_SHA384
+ case sha384_mac:
+ {
+ return SHA384;
+ }
+
+ #endif
+ #ifndef NO_SHA
+ case sha_mac:
+ {
+ return SHA;
+ }
+ #endif
+ #ifdef HAVE_BLAKE2
+ case blake2b_mac:
+ {
+ return BLAKE2B_ID;
+ }
+ #endif
+ default:
+ {
+ return SSL_FATAL_ERROR;
+ }
+ }
+}
+
+
+int CyaSSL_SetTlsHmacInner(CYASSL* ssl, byte* inner, word32 sz, int content,
+ int verify)
+{
+ if (ssl == NULL || inner == NULL)
+ return BAD_FUNC_ARG;
+
+ XMEMSET(inner, 0, CYASSL_TLS_HMAC_INNER_SZ);
+
+#ifdef CYASSL_DTLS
+ if (ssl->options.dtls)
+ c16toa((word16)GetEpoch(ssl, verify), inner);
+#endif
+ c32toa(GetSEQIncrement(ssl, verify), &inner[sizeof(word32)]);
+ inner[SEQ_SZ] = (byte)content;
+ inner[SEQ_SZ + ENUM_LEN] = ssl->version.major;
+ inner[SEQ_SZ + ENUM_LEN + ENUM_LEN] = ssl->version.minor;
+ c16toa((word16)sz, inner + SEQ_SZ + ENUM_LEN + VERSION_SZ);
+
+ return 0;
+}
+
+
+/* TLS type HMAC */
+int TLS_hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz,
+ int content, int verify)
+{
+ Hmac hmac;
+ int ret;
+ byte myInner[CYASSL_TLS_HMAC_INNER_SZ];
+
+ CyaSSL_SetTlsHmacInner(ssl, myInner, sz, content, verify);
+
+ ret = HmacSetKey(&hmac, CyaSSL_GetHmacType(ssl),
+ CyaSSL_GetMacSecret(ssl, verify), ssl->specs.hash_size);
+ if (ret != 0)
+ return ret;
+ HmacUpdate(&hmac, myInner, sizeof(myInner));
+ HmacUpdate(&hmac, in, sz); /* content */
+ HmacFinal(&hmac, digest);
+
+ return 0;
+}
+
+#ifdef HAVE_TLS_EXTENSIONS
+
+#define IS_OFF(semaphore, light) \
+ ((semaphore)[(light) / 8] ^ (byte) (0x01 << ((light) % 8)))
+
+#define TURN_ON(semaphore, light) \
+ ((semaphore)[(light) / 8] |= (byte) (0x01 << ((light) % 8)))
+
+static int TLSX_Append(TLSX** list, TLSX_Type type)
+{
+ TLSX* extension;
+
+ if (list == NULL) /* won't check type since this function is static */
+ return BAD_FUNC_ARG;
+
+ if ((extension = XMALLOC(sizeof(TLSX), 0, DYNAMIC_TYPE_TLSX)) == NULL)
+ return MEMORY_E;
+
+ extension->type = type;
+ extension->data = NULL;
+ extension->resp = 0;
+ extension->next = *list;
+ *list = extension;
+
+ return 0;
+}
+
+#ifndef NO_CYASSL_SERVER
+
+void TLSX_SetResponse(CYASSL* ssl, TLSX_Type type);
+
+void TLSX_SetResponse(CYASSL* ssl, TLSX_Type type)
+{
+ TLSX *ext = TLSX_Find(ssl->extensions, type);
+
+ if (ext)
+ ext->resp = 1;
+}
+
+#endif
+
+/* SNI - Server Name Indication */
+
+#ifdef HAVE_SNI
+
+static void TLSX_SNI_Free(SNI* sni)
+{
+ if (sni) {
+ switch (sni->type) {
+ case CYASSL_SNI_HOST_NAME:
+ XFREE(sni->data.host_name, 0, DYNAMIC_TYPE_TLSX);
+ break;
+ }
+
+ XFREE(sni, 0, DYNAMIC_TYPE_TLSX);
+ }
+}
+
+static void TLSX_SNI_FreeAll(SNI* list)
+{
+ SNI* sni;
+
+ while ((sni = list)) {
+ list = sni->next;
+ TLSX_SNI_Free(sni);
+ }
+}
+
+static int TLSX_SNI_Append(SNI** list, byte type, const void* data, word16 size)
+{
+ SNI* sni;
+
+ if (list == NULL)
+ return BAD_FUNC_ARG;
+
+ if ((sni = XMALLOC(sizeof(SNI), 0, DYNAMIC_TYPE_TLSX)) == NULL)
+ return MEMORY_E;
+
+ switch (type) {
+ case CYASSL_SNI_HOST_NAME: {
+ sni->data.host_name = XMALLOC(size + 1, 0, DYNAMIC_TYPE_TLSX);
+
+ if (sni->data.host_name) {
+ XSTRNCPY(sni->data.host_name, (const char*) data, size);
+ sni->data.host_name[size] = 0;
+ } else {
+ XFREE(sni, 0, DYNAMIC_TYPE_TLSX);
+ return MEMORY_E;
+ }
+ }
+ break;
+
+ default: /* invalid type */
+ XFREE(sni, 0, DYNAMIC_TYPE_TLSX);
+ return BAD_FUNC_ARG;
+ }
+
+ sni->type = type;
+ sni->next = *list;
+
+#ifndef NO_CYASSL_SERVER
+ sni->options = 0;
+ sni->status = CYASSL_SNI_NO_MATCH;
+#endif
+
+ *list = sni;
+
+ return 0;
+}
+
+static word16 TLSX_SNI_GetSize(SNI* list)
+{
+ SNI* sni;
+ word16 length = OPAQUE16_LEN; /* list length */
+
+ while ((sni = list)) {
+ list = sni->next;
+
+ length += ENUM_LEN + OPAQUE16_LEN; /* sni type + sni length */
+
+ switch (sni->type) {
+ case CYASSL_SNI_HOST_NAME:
+ length += XSTRLEN((char*) sni->data.host_name);
+ break;
+ }
+ }
+
+ return length;
+}
+
+static word16 TLSX_SNI_Write(SNI* list, byte* output)
+{
+ SNI* sni;
+ word16 length = 0;
+ word16 offset = OPAQUE16_LEN; /* list length offset */
+
+ while ((sni = list)) {
+ list = sni->next;
+
+ output[offset++] = sni->type; /* sni type */
+
+ switch (sni->type) {
+ case CYASSL_SNI_HOST_NAME:
+ length = XSTRLEN((char*) sni->data.host_name);
+
+ c16toa(length, output + offset); /* sni length */
+ offset += OPAQUE16_LEN;
+
+ XMEMCPY(output + offset, sni->data.host_name, length);
+
+ offset += length;
+ break;
+ }
+ }
+
+ c16toa(offset - OPAQUE16_LEN, output); /* writing list length */
+
+ return offset;
+}
+
+static SNI* TLSX_SNI_Find(SNI *list, byte type)
+{
+ SNI *sni = list;
+
+ while (sni && sni->type != type)
+ sni = sni->next;
+
+ return sni;
+}
+
+#ifndef NO_CYASSL_SERVER
+static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status)
+{
+ TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
+ SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
+
+ if (sni) {
+ sni->status = status;
+ CYASSL_MSG("SNI did match!");
+ }
+}
+
+byte TLSX_SNI_Status(TLSX* extensions, byte type)
+{
+ TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
+ SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
+
+ if (sni)
+ return sni->status;
+
+ return 0;
+}
+#endif
+
+static int TLSX_SNI_Parse(CYASSL* ssl, byte* input, word16 length,
+ byte isRequest)
+{
+#ifndef NO_CYASSL_SERVER
+ word16 size = 0;
+ word16 offset = 0;
+#endif
+
+ TLSX *extension = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION);
+
+ if (!extension)
+ extension = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION);
+
+ if (!extension || !extension->data)
+ return isRequest ? 0 : BUFFER_ERROR; /* not using SNI OR unexpected
+ SNI response from server. */
+
+ if (!isRequest)
+ return length ? BUFFER_ERROR : 0; /* SNI response must be empty!
+ Nothing else to do. */
+
+#ifndef NO_CYASSL_SERVER
+
+ if (OPAQUE16_LEN > length)
+ return BUFFER_ERROR;
+
+ ato16(input, &size);
+ offset += OPAQUE16_LEN;
+
+ /* validating sni list length */
+ if (length != OPAQUE16_LEN + size)
+ return BUFFER_ERROR;
+
+ for (size = 0; offset < length; offset += size) {
+ SNI *sni;
+ byte type = input[offset++];
+
+ if (offset + OPAQUE16_LEN > length)
+ return BUFFER_ERROR;
+
+ ato16(input + offset, &size);
+ offset += OPAQUE16_LEN;
+
+ if (offset + size > length)
+ return BUFFER_ERROR;
+
+ if (!(sni = TLSX_SNI_Find((SNI *) extension->data, type))) {
+ continue; /* not using this SNI type */
+ }
+
+ switch(type) {
+ case CYASSL_SNI_HOST_NAME: {
+ byte matched = (XSTRLEN(sni->data.host_name) == size)
+ && (XSTRNCMP(sni->data.host_name,
+ (const char *) input + offset, size) == 0);
+
+ if (matched || sni->options & CYASSL_SNI_ANSWER_ON_MISMATCH) {
+ int r = TLSX_UseSNI(&ssl->extensions,
+ type, input + offset, size);
+
+ if (r != SSL_SUCCESS) return r; /* throw error */
+
+ TLSX_SNI_SetStatus(ssl->extensions, type,
+ matched ? CYASSL_SNI_REAL_MATCH : CYASSL_SNI_FAKE_MATCH);
+
+ } else if (!(sni->options & CYASSL_SNI_CONTINUE_ON_MISMATCH)) {
+ SendAlert(ssl, alert_fatal, unrecognized_name);
+
+ return UNKNOWN_SNI_HOST_NAME_E;
+ }
+ break;
+ }
+ }
+
+ TLSX_SetResponse(ssl, SERVER_NAME_INDICATION);
+ }
+
+#endif
+
+ return 0;
+}
+
+int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size)
+{
+ TLSX* extension = NULL;
+ SNI* sni = NULL;
+ int ret = 0;
+
+ if (extensions == NULL || data == NULL)
+ return BAD_FUNC_ARG;
+
+ if ((ret = TLSX_SNI_Append(&sni, type, data, size)) != 0)
+ return ret;
+
+ extension = *extensions;
+
+ /* find SNI extension if it already exists. */
+ while (extension && extension->type != SERVER_NAME_INDICATION)
+ extension = extension->next;
+
+ /* push new SNI extension if it doesn't exists. */
+ if (!extension) {
+ if ((ret = TLSX_Append(extensions, SERVER_NAME_INDICATION)) != 0) {
+ TLSX_SNI_Free(sni);
+ return ret;
+ }
+
+ extension = *extensions;
+ }
+
+ /* push new SNI object to extension data. */
+ sni->next = (SNI*) extension->data;
+ extension->data = (void*) sni;
+
+ /* look for another server name of the same type to remove (replacement) */
+ do {
+ if (sni->next && sni->next->type == type) {
+ SNI *next = sni->next;
+
+ sni->next = next->next;
+ TLSX_SNI_Free(next);
+
+ break;
+ }
+ } while ((sni = sni->next));
+
+ return SSL_SUCCESS;
+}
+
+#ifndef NO_CYASSL_SERVER
+word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data)
+{
+ TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
+ SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
+
+ if (sni && sni->status != CYASSL_SNI_NO_MATCH) {
+ switch (sni->type) {
+ case CYASSL_SNI_HOST_NAME:
+ *data = sni->data.host_name;
+ return XSTRLEN(*data);
+ }
+ }
+
+ return 0;
+}
+
+void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options)
+{
+ TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
+ SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
+
+ if (sni)
+ sni->options = options;
+}
+
+int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
+ byte type, byte* sni, word32* inOutSz)
+{
+ word32 offset = 0;
+ word32 len32 = 0;
+ word16 len16 = 0;
+
+ if (helloSz < RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + CLIENT_HELLO_FIRST)
+ return INCOMPLETE_DATA;
+
+ /* TLS record header */
+ if ((enum ContentType) clientHello[offset++] != handshake)
+ return BUFFER_ERROR;
+
+ if (clientHello[offset++] != SSLv3_MAJOR)
+ return BUFFER_ERROR;
+
+ if (clientHello[offset++] < TLSv1_MINOR)
+ return BUFFER_ERROR;
+
+ ato16(clientHello + offset, &len16);
+ offset += OPAQUE16_LEN;
+
+ if (offset + len16 > helloSz)
+ return INCOMPLETE_DATA;
+
+ /* Handshake header */
+ if ((enum HandShakeType) clientHello[offset] != client_hello)
+ return BUFFER_ERROR;
+
+ c24to32(clientHello + offset + 1, &len32);
+ offset += HANDSHAKE_HEADER_SZ;
+
+ if (offset + len32 > helloSz)
+ return BUFFER_ERROR;
+
+ /* client hello */
+ offset += VERSION_SZ + RAN_LEN; /* version, random */
+
+ if (helloSz < offset + clientHello[offset])
+ return BUFFER_ERROR;
+
+ offset += ENUM_LEN + clientHello[offset]; /* skip session id */
+
+ /* cypher suites */
+ if (helloSz < offset + OPAQUE16_LEN)
+ return BUFFER_ERROR;
+
+ ato16(clientHello + offset, &len16);
+ offset += OPAQUE16_LEN;
+
+ if (helloSz < offset + len16)
+ return BUFFER_ERROR;
+
+ offset += len16; /* skip cypher suites */
+
+ /* compression methods */
+ if (helloSz < offset + 1)
+ return BUFFER_ERROR;
+
+ if (helloSz < offset + clientHello[offset])
+ return BUFFER_ERROR;
+
+ offset += ENUM_LEN + clientHello[offset]; /* skip compression methods */
+
+ /* extensions */
+ if (helloSz < offset + OPAQUE16_LEN)
+ return 0; /* no extensions in client hello. */
+
+ ato16(clientHello + offset, &len16);
+ offset += OPAQUE16_LEN;
+
+ if (helloSz < offset + len16)
+ return BUFFER_ERROR;
+
+ while (len16 > OPAQUE16_LEN + OPAQUE16_LEN) {
+ word16 extType;
+ word16 extLen;
+
+ ato16(clientHello + offset, &extType);
+ offset += OPAQUE16_LEN;
+
+ ato16(clientHello + offset, &extLen);
+ offset += OPAQUE16_LEN;
+
+ if (helloSz < offset + extLen)
+ return BUFFER_ERROR;
+
+ if (extType != SERVER_NAME_INDICATION) {
+ offset += extLen; /* skip extension */
+ } else {
+ word16 listLen;
+
+ ato16(clientHello + offset, &listLen);
+ offset += OPAQUE16_LEN;
+
+ if (helloSz < offset + listLen)
+ return BUFFER_ERROR;
+
+ while (listLen > ENUM_LEN + OPAQUE16_LEN) {
+ byte sniType = clientHello[offset++];
+ word16 sniLen;
+
+ ato16(clientHello + offset, &sniLen);
+ offset += OPAQUE16_LEN;
+
+ if (helloSz < offset + sniLen)
+ return BUFFER_ERROR;
+
+ if (sniType != type) {
+ offset += sniLen;
+ listLen -= min(ENUM_LEN + OPAQUE16_LEN + sniLen, listLen);
+ continue;
+ }
+
+ *inOutSz = min(sniLen, *inOutSz);
+ XMEMCPY(sni, clientHello + offset, *inOutSz);
+
+ return SSL_SUCCESS;
+ }
+ }
+
+ len16 -= min(2 * OPAQUE16_LEN + extLen, len16);
+ }
+
+ return len16 ? BUFFER_ERROR : SSL_SUCCESS;
+}
+
+#endif
+
+#define SNI_FREE_ALL TLSX_SNI_FreeAll
+#define SNI_GET_SIZE TLSX_SNI_GetSize
+#define SNI_WRITE TLSX_SNI_Write
+#define SNI_PARSE TLSX_SNI_Parse
+
+#else
+
+#define SNI_FREE_ALL(list)
+#define SNI_GET_SIZE(list) 0
+#define SNI_WRITE(a, b) 0
+#define SNI_PARSE(a, b, c, d) 0
+
+#endif /* HAVE_SNI */
+
+#ifdef HAVE_MAX_FRAGMENT
+
+static word16 TLSX_MFL_Write(byte* data, byte* output)
+{
+ output[0] = data[0];
+
+ return ENUM_LEN;
+}
+
+static int TLSX_MFL_Parse(CYASSL* ssl, byte* input, word16 length,
+ byte isRequest)
+{
+ if (length != ENUM_LEN)
+ return BUFFER_ERROR;
+
+ switch (*input) {
+ case CYASSL_MFL_2_9 : ssl->max_fragment = 512; break;
+ case CYASSL_MFL_2_10: ssl->max_fragment = 1024; break;
+ case CYASSL_MFL_2_11: ssl->max_fragment = 2048; break;
+ case CYASSL_MFL_2_12: ssl->max_fragment = 4096; break;
+ case CYASSL_MFL_2_13: ssl->max_fragment = 8192; break;
+
+ default:
+ SendAlert(ssl, alert_fatal, illegal_parameter);
+
+ return UNKNOWN_MAX_FRAG_LEN_E;
+ }
+
+#ifndef NO_CYASSL_SERVER
+ if (isRequest) {
+ int r = TLSX_UseMaxFragment(&ssl->extensions, *input);
+
+ if (r != SSL_SUCCESS) return r; /* throw error */
+
+ TLSX_SetResponse(ssl, MAX_FRAGMENT_LENGTH);
+ }
+#endif
+
+ return 0;
+}
+
+int TLSX_UseMaxFragment(TLSX** extensions, byte mfl)
+{
+ TLSX* extension = NULL;
+ byte* data = NULL;
+ int ret = 0;
+
+ if (extensions == NULL)
+ return BAD_FUNC_ARG;
+
+ if (mfl < CYASSL_MFL_2_9 || CYASSL_MFL_2_13 < mfl)
+ return BAD_FUNC_ARG;
+
+ if ((data = XMALLOC(ENUM_LEN, 0, DYNAMIC_TYPE_TLSX)) == NULL)
+ return MEMORY_E;
+
+ data[0] = mfl;
+
+ /* push new MFL extension. */
+ if ((ret = TLSX_Append(extensions, MAX_FRAGMENT_LENGTH)) != 0) {
+ XFREE(data, 0, DYNAMIC_TYPE_TLSX);
+ return ret;
+ }
+
+ /* place new mfl to extension data. */
+ extension = *extensions;
+ extension->data = (void*) data;
+
+ /* remove duplicated extensions */
+ do {
+ if (extension->next && extension->next->type == MAX_FRAGMENT_LENGTH) {
+ TLSX *next = extension->next;
+
+ extension->next = next->next;
+ next->next = NULL;
+
+ TLSX_FreeAll(next);
+
+ break;
+ }
+ } while ((extension = extension->next));
+
+ return SSL_SUCCESS;
+}
+
+
+#define MFL_FREE_ALL(data) XFREE(data, 0, DYNAMIC_TYPE_TLSX)
+#define MFL_GET_SIZE(data) ENUM_LEN
+#define MFL_WRITE TLSX_MFL_Write
+#define MFL_PARSE TLSX_MFL_Parse
+
+#else
+
+#define MFL_FREE_ALL(a)
+#define MFL_GET_SIZE(a) 0
+#define MFL_WRITE(a, b) 0
+#define MFL_PARSE(a, b, c, d) 0
+
+#endif /* HAVE_MAX_FRAGMENT */
+
+#ifdef HAVE_TRUNCATED_HMAC
+
+int TLSX_UseTruncatedHMAC(TLSX** extensions)
+{
+ int ret = 0;
+
+ if (extensions == NULL)
+ return BAD_FUNC_ARG;
+
+ if (!TLSX_Find(*extensions, TRUNCATED_HMAC))
+ if ((ret = TLSX_Append(extensions, TRUNCATED_HMAC)) != 0)
+ return ret;
+
+ return SSL_SUCCESS;
+}
+
+static int TLSX_THM_Parse(CYASSL* ssl, byte* input, word16 length,
+ byte isRequest)
+{
+ if (length != 0 || input == NULL)
+ return BUFFER_ERROR;
+
+#ifndef NO_CYASSL_SERVER
+ if (isRequest) {
+ int r = TLSX_UseTruncatedHMAC(&ssl->extensions);
+
+ if (r != SSL_SUCCESS) return r; /* throw error */
+
+ TLSX_SetResponse(ssl, TRUNCATED_HMAC);
+ }
+#endif
+
+ ssl->truncated_hmac = 1;
+
+ return 0;
+}
+
+#define THM_PARSE TLSX_THM_Parse
+
+#else
+
+#define THM_PARSE(a, b, c, d) 0
+
+#endif /* HAVE_TRUNCATED_HMAC */
+
+#ifdef HAVE_SUPPORTED_CURVES
+
+#ifndef HAVE_ECC
+#error "Elliptic Curves Extension requires Elliptic Curve Cryptography. \
+Use --enable-ecc in the configure script or define HAVE_ECC."
+#endif
+
+static void TLSX_EllipticCurve_FreeAll(EllipticCurve* list)
+{
+ EllipticCurve* curve;
+
+ while ((curve = list)) {
+ list = curve->next;
+ XFREE(curve, 0, DYNAMIC_TYPE_TLSX);
+ }
+}
+
+static int TLSX_EllipticCurve_Append(EllipticCurve** list, word16 name)
+{
+ EllipticCurve* curve;
+
+ if (list == NULL)
+ return BAD_FUNC_ARG;
+
+ if ((curve = XMALLOC(sizeof(EllipticCurve), 0, DYNAMIC_TYPE_TLSX)) == NULL)
+ return MEMORY_E;
+
+ curve->name = name;
+ curve->next = *list;
+
+ *list = curve;
+
+ return 0;
+}
+
+#ifndef NO_CYASSL_CLIENT
+
+static void TLSX_EllipticCurve_ValidateRequest(CYASSL* ssl, byte* semaphore)
+{
+ int i;
+
+ for (i = 0; i < ssl->suites->suiteSz; i+= 2)
+ if (ssl->suites->suites[i] == ECC_BYTE)
+ return;
+
+ /* No elliptic curve suite found */
+ TURN_ON(semaphore, ELLIPTIC_CURVES);
+}
+
+static word16 TLSX_EllipticCurve_GetSize(EllipticCurve* list)
+{
+ EllipticCurve* curve;
+ word16 length = OPAQUE16_LEN; /* list length */
+
+ while ((curve = list)) {
+ list = curve->next;
+ length += OPAQUE16_LEN; /* curve length */
+ }
+
+ return length;
+}
+
+static word16 TLSX_EllipticCurve_WriteR(EllipticCurve* curve, byte* output);
+static word16 TLSX_EllipticCurve_WriteR(EllipticCurve* curve, byte* output)
+{
+ word16 offset = 0;
+
+ if (!curve)
+ return offset;
+
+ offset = TLSX_EllipticCurve_WriteR(curve->next, output);
+ c16toa(curve->name, output + offset);
+
+ return OPAQUE16_LEN + offset;
+}
+
+static word16 TLSX_EllipticCurve_Write(EllipticCurve* list, byte* output)
+{
+ word16 length = TLSX_EllipticCurve_WriteR(list, output + OPAQUE16_LEN);
+
+ c16toa(length, output); /* writing list length */
+
+ return OPAQUE16_LEN + length;
+}
+
+#endif /* NO_CYASSL_CLIENT */
+#ifndef NO_CYASSL_SERVER
+
+static int TLSX_EllipticCurve_Parse(CYASSL* ssl, byte* input, word16 length,
+ byte isRequest)
+{
+ word16 offset;
+ word16 name;
+ int r;
+
+ (void) isRequest; /* shut up compiler! */
+
+ if (OPAQUE16_LEN > length || length % OPAQUE16_LEN)
+ return BUFFER_ERROR;
+
+ ato16(input, &offset);
+
+ /* validating curve list length */
+ if (length != OPAQUE16_LEN + offset)
+ return BUFFER_ERROR;
+
+ while (offset) {
+ ato16(input + offset, &name);
+ offset -= OPAQUE16_LEN;
+
+ r = TLSX_UseSupportedCurve(&ssl->extensions, name);
+
+ if (r != SSL_SUCCESS) return r; /* throw error */
+ }
+
+ return 0;
+}
+
+int TLSX_ValidateEllipticCurves(CYASSL* ssl, byte first, byte second) {
+ TLSX* extension = (first == ECC_BYTE)
+ ? TLSX_Find(ssl->extensions, ELLIPTIC_CURVES)
+ : NULL;
+ EllipticCurve* curve = NULL;
+ word32 oid = 0;
+ word16 octets = 0; /* acording to 'ecc_set_type ecc_sets[];' */
+ int sig = 0; /* valitade signature */
+ int key = 0; /* validate key */
+
+ if (!extension)
+ return 1; /* no suite restriction */
+
+ for (curve = extension->data; curve && !(sig && key); curve = curve->next) {
+
+ switch (curve->name) {
+ case CYASSL_ECC_SECP160R1: oid = ECC_160R1; octets = 20; break;
+ case CYASSL_ECC_SECP192R1: oid = ECC_192R1; octets = 24; break;
+ case CYASSL_ECC_SECP224R1: oid = ECC_224R1; octets = 28; break;
+ case CYASSL_ECC_SECP256R1: oid = ECC_256R1; octets = 32; break;
+ case CYASSL_ECC_SECP384R1: oid = ECC_384R1; octets = 48; break;
+ case CYASSL_ECC_SECP521R1: oid = ECC_521R1; octets = 66; break;
+ default: continue; /* unsupported curve */
+ }
+
+ switch (second) {
+#ifndef NO_DSA
+ /* ECDHE_ECDSA */
+ case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
+ case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
+ case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
+ case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
+ case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
+ case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
+ case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8:
+ sig |= ssl->pkCurveOID == oid;
+ key |= ssl->eccTempKeySz == octets;
+ break;
+
+ /* ECDH_ECDSA */
+ case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
+ case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
+ case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
+ case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
+ case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
+ case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
+ case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
+ case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
+ sig |= ssl->pkCurveOID == oid;
+ key |= ssl->pkCurveOID == oid;
+ break;
+#endif
+#ifndef NO_RSA
+ /* ECDHE_RSA */
+ case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
+ case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
+ case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
+ case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
+ case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
+ case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
+ sig = 1;
+ key |= ssl->eccTempKeySz == octets;
+ break;
+
+ /* ECDH_RSA */
+ case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
+ case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
+ case TLS_ECDH_RSA_WITH_RC4_128_SHA:
+ case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
+ case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
+ case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
+ case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
+ case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
+ sig = 1;
+ key |= ssl->pkCurveOID == oid;
+ break;
+#endif
+ default:
+ sig = 1;
+ key = 1;
+ break;
+ }
+ }
+
+ return sig && key;
+}
+
+#endif /* NO_CYASSL_SERVER */
+
+int TLSX_UseSupportedCurve(TLSX** extensions, word16 name)
+{
+ TLSX* extension = NULL;
+ EllipticCurve* curve = NULL;
+ int ret = 0;
+
+ if (extensions == NULL)
+ return BAD_FUNC_ARG;
+
+ if ((ret = TLSX_EllipticCurve_Append(&curve, name)) != 0)
+ return ret;
+
+ extension = *extensions;
+
+ /* find EllipticCurve extension if it already exists. */
+ while (extension && extension->type != ELLIPTIC_CURVES)
+ extension = extension->next;
+
+ /* push new EllipticCurve extension if it doesn't exists. */
+ if (!extension) {
+ if ((ret = TLSX_Append(extensions, ELLIPTIC_CURVES)) != 0) {
+ XFREE(curve, 0, DYNAMIC_TYPE_TLSX);
+ return ret;
+ }
+
+ extension = *extensions;
+ }
+
+ /* push new EllipticCurve object to extension data. */
+ curve->next = (EllipticCurve*) extension->data;
+ extension->data = (void*) curve;
+
+ /* look for another curve of the same name to remove (replacement) */
+ do {
+ if (curve->next && curve->next->name == name) {
+ EllipticCurve *next = curve->next;
+
+ curve->next = next->next;
+ XFREE(next, 0, DYNAMIC_TYPE_TLSX);
+
+ break;
+ }
+ } while ((curve = curve->next));
+
+ return SSL_SUCCESS;
+}
+
+#define EC_FREE_ALL TLSX_EllipticCurve_FreeAll
+#define EC_VALIDATE_REQUEST TLSX_EllipticCurve_ValidateRequest
+
+#ifndef NO_CYASSL_CLIENT
+#define EC_GET_SIZE TLSX_EllipticCurve_GetSize
+#define EC_WRITE TLSX_EllipticCurve_Write
+#else
+#define EC_GET_SIZE(list) 0
+#define EC_WRITE(a, b) 0
+#endif
+
+#ifndef NO_CYASSL_SERVER
+#define EC_PARSE TLSX_EllipticCurve_Parse
+#else
+#define EC_PARSE(a, b, c, d) 0
+#endif
+
+#else
+
+#define EC_FREE_ALL(list)
+#define EC_GET_SIZE(list) 0
+#define EC_WRITE(a, b) 0
+#define EC_PARSE(a, b, c, d) 0
+#define EC_VALIDATE_REQUEST(a, b)
+
+#endif /* HAVE_SUPPORTED_CURVES */
+
+TLSX* TLSX_Find(TLSX* list, TLSX_Type type)
+{
+ TLSX* extension = list;
+
+ while (extension && extension->type != type)
+ extension = extension->next;
+
+ return extension;
+}
+
+void TLSX_FreeAll(TLSX* list)
+{
+ TLSX* extension;
+
+ while ((extension = list)) {
+ list = extension->next;
+
+ switch (extension->type) {
+ case SERVER_NAME_INDICATION:
+ SNI_FREE_ALL((SNI *) extension->data);
+ break;
+
+ case MAX_FRAGMENT_LENGTH:
+ MFL_FREE_ALL(extension->data);
+ break;
+
+ case TRUNCATED_HMAC:
+ /* Nothing to do. */
+ break;
+
+ case ELLIPTIC_CURVES:
+ EC_FREE_ALL(extension->data);
+ break;
+ }
+
+ XFREE(extension, 0, DYNAMIC_TYPE_TLSX);
+ }
+}
+
+static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
+{
+ TLSX* extension;
+ word16 length = 0;
+
+ while ((extension = list)) {
+ list = extension->next;
+
+ if (!isRequest && !extension->resp)
+ continue; /* skip! */
+
+ if (IS_OFF(semaphore, extension->type)) {
+ /* type + data length */
+ length += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN;
+
+ switch (extension->type) {
+ case SERVER_NAME_INDICATION:
+ if (isRequest)
+ length += SNI_GET_SIZE((SNI *) extension->data);
+ break;
+ case MAX_FRAGMENT_LENGTH:
+ length += MFL_GET_SIZE(extension->data);
+ break;
+
+ case TRUNCATED_HMAC:
+ /* empty extension. */
+ break;
+
+ case ELLIPTIC_CURVES:
+ length += EC_GET_SIZE((EllipticCurve *) extension->data);
+ break;
+ }
+
+ TURN_ON(semaphore, extension->type);
+ }
+ }
+
+ return length;
+}
+
+static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
+ byte isRequest)
+{
+ TLSX* extension;
+ word16 offset = 0;
+ word16 length_offset = 0;
+
+ while ((extension = list)) {
+ list = extension->next;
+
+ if (!isRequest && !extension->resp)
+ continue; /* skip! */
+
+ if (IS_OFF(semaphore, extension->type)) {
+ /* extension type */
+ c16toa(extension->type, output + offset);
+ offset += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN;
+ length_offset = offset;
+
+ /* extension data should be written internally */
+ switch (extension->type) {
+ case SERVER_NAME_INDICATION:
+ if (isRequest)
+ offset += SNI_WRITE((SNI *) extension->data,
+ output + offset);
+ break;
+
+ case MAX_FRAGMENT_LENGTH:
+ offset += MFL_WRITE((byte *) extension->data,
+ output + offset);
+ break;
+
+ case TRUNCATED_HMAC:
+ /* empty extension. */
+ break;
+
+ case ELLIPTIC_CURVES:
+ offset += EC_WRITE((EllipticCurve *) extension->data,
+ output + offset);
+ break;
+ }
+
+ /* writing extension data length */
+ c16toa(offset - length_offset,
+ output + length_offset - OPAQUE16_LEN);
+
+ TURN_ON(semaphore, extension->type);
+ }
+ }
+
+ return offset;
+}
+
+#ifndef NO_CYASSL_CLIENT
+
+word16 TLSX_GetRequestSize(CYASSL* ssl)
+{
+ word16 length = 0;
+
+ if (ssl && IsTLS(ssl)) {
+ byte semaphore[16] = {0};
+
+ EC_VALIDATE_REQUEST(ssl, semaphore);
+
+ if (ssl->extensions)
+ length += TLSX_GetSize(ssl->extensions, semaphore, 1);
+
+ if (ssl->ctx && ssl->ctx->extensions)
+ length += TLSX_GetSize(ssl->ctx->extensions, semaphore, 1);
+
+ if (IsAtLeastTLSv1_2(ssl) && ssl->suites->hashSigAlgoSz)
+ length += ssl->suites->hashSigAlgoSz + HELLO_EXT_LEN;
+ }
+
+ if (length)
+ length += OPAQUE16_LEN; /* for total length storage */
+
+ return length;
+}
+
+word16 TLSX_WriteRequest(CYASSL* ssl, byte* output)
+{
+ word16 offset = 0;
+
+ if (ssl && IsTLS(ssl) && output) {
+ byte semaphore[16] = {0};
+
+ offset += OPAQUE16_LEN; /* extensions length */
+
+ EC_VALIDATE_REQUEST(ssl, semaphore);
+
+ if (ssl->extensions)
+ offset += TLSX_Write(ssl->extensions, output + offset,
+ semaphore, 1);
+
+ if (ssl->ctx && ssl->ctx->extensions)
+ offset += TLSX_Write(ssl->ctx->extensions, output + offset,
+ semaphore, 1);
+
+ if (IsAtLeastTLSv1_2(ssl) && ssl->suites->hashSigAlgoSz)
+ {
+ int i;
+ /* extension type */
+ c16toa(HELLO_EXT_SIG_ALGO, output + offset);
+ offset += HELLO_EXT_TYPE_SZ;
+
+ /* extension data length */
+ c16toa(OPAQUE16_LEN + ssl->suites->hashSigAlgoSz, output + offset);
+ offset += OPAQUE16_LEN;
+
+ /* sig algos length */
+ c16toa(ssl->suites->hashSigAlgoSz, output + offset);
+ offset += OPAQUE16_LEN;
+
+ /* sig algos */
+ for (i = 0; i < ssl->suites->hashSigAlgoSz; i++, offset++)
+ output[offset] = ssl->suites->hashSigAlgo[i];
+ }
+
+ if (offset > OPAQUE16_LEN)
+ c16toa(offset - OPAQUE16_LEN, output); /* extensions length */
+ }
+
+ return offset;
+}
+
+#endif /* NO_CYASSL_CLIENT */
+
+#ifndef NO_CYASSL_SERVER
+
+word16 TLSX_GetResponseSize(CYASSL* ssl)
+{
+ word16 length = 0;
+ byte semaphore[16] = {0};
+
+ if (ssl && IsTLS(ssl))
+ length += TLSX_GetSize(ssl->extensions, semaphore, 0);
+
+ /* All the response data is set at the ssl object only, so no ctx here. */
+
+ if (length)
+ length += OPAQUE16_LEN; /* for total length storage */
+
+ return length;
+}
+
+word16 TLSX_WriteResponse(CYASSL *ssl, byte* output)
+{
+ word16 offset = 0;
+
+ if (ssl && IsTLS(ssl) && output) {
+ byte semaphore[16] = {0};
+
+ offset += OPAQUE16_LEN; /* extensions length */
+
+ offset += TLSX_Write(ssl->extensions, output + offset, semaphore, 0);
+
+ if (offset > OPAQUE16_LEN)
+ c16toa(offset - OPAQUE16_LEN, output); /* extensions length */
+ }
+
+ return offset;
+}
+
+#endif /* NO_CYASSL_SERVER */
+
+int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest,
+ Suites *suites)
+{
+ int ret = 0;
+ word16 offset = 0;
+
+ if (!ssl || !input || !suites)
+ return BAD_FUNC_ARG;
+
+ while (ret == 0 && offset < length) {
+ word16 type;
+ word16 size;
+
+ if (length - offset < HELLO_EXT_TYPE_SZ + OPAQUE16_LEN)
+ return BUFFER_ERROR;
+
+ ato16(input + offset, &type);
+ offset += HELLO_EXT_TYPE_SZ;
+
+ ato16(input + offset, &size);
+ offset += OPAQUE16_LEN;
+
+ if (offset + size > length)
+ return BUFFER_ERROR;
+
+ switch (type) {
+ case SERVER_NAME_INDICATION:
+ CYASSL_MSG("SNI extension received");
+
+ ret = SNI_PARSE(ssl, input + offset, size, isRequest);
+ break;
+
+ case MAX_FRAGMENT_LENGTH:
+ CYASSL_MSG("Max Fragment Length extension received");
+
+ ret = MFL_PARSE(ssl, input + offset, size, isRequest);
+ break;
+
+ case TRUNCATED_HMAC:
+ CYASSL_MSG("Truncated HMAC extension received");
+
+ ret = THM_PARSE(ssl, input + offset, size, isRequest);
+ break;
+
+ case ELLIPTIC_CURVES:
+ CYASSL_MSG("Elliptic Curves extension received");
+
+ ret = EC_PARSE(ssl, input + offset, size, isRequest);
+ break;
+
+ case HELLO_EXT_SIG_ALGO:
+ if (isRequest) {
+ /* do not mess with offset inside the switch! */
+ if (IsAtLeastTLSv1_2(ssl)) {
+ ato16(input + offset, &suites->hashSigAlgoSz);
+
+ if (suites->hashSigAlgoSz > size - OPAQUE16_LEN)
+ return BUFFER_ERROR;
+
+ XMEMCPY(suites->hashSigAlgo,
+ input + offset + OPAQUE16_LEN,
+ min(suites->hashSigAlgoSz,
+ HELLO_EXT_SIGALGO_MAX));
+ }
+ } else {
+ CYASSL_MSG("Servers MUST NOT send SIG ALGO extension.");
+ }
+
+ break;
+ }
+
+ /* offset should be updated here! */
+ offset += size;
+ }
+
+ return ret;
+}
+
+/* undefining semaphore macros */
+#undef IS_OFF
+#undef TURN_ON
+
+#elif defined(HAVE_SNI) \
+ || defined(HAVE_MAX_FRAGMENT) \
+ || defined(HAVE_TRUNCATED_HMAC) \
+ || defined(HAVE_SUPPORTED_CURVES)
+
+#error "Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined."
+
+#endif /* HAVE_TLS_EXTENSIONS */
+
+
+#ifndef NO_CYASSL_CLIENT
+
+#ifndef NO_OLD_TLS
+
+ CYASSL_METHOD* CyaTLSv1_client_method(void)
+ {
+ CYASSL_METHOD* method =
+ (CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
+ DYNAMIC_TYPE_METHOD);
+ if (method)
+ InitSSL_Method(method, MakeTLSv1());
+ return method;
+ }
+
+
+ CYASSL_METHOD* CyaTLSv1_1_client_method(void)
+ {
+ CYASSL_METHOD* method =
+ (CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
+ DYNAMIC_TYPE_METHOD);
+ if (method)
+ InitSSL_Method(method, MakeTLSv1_1());
+ return method;
+ }
+
+#endif /* !NO_OLD_TLS */
+
+#ifndef NO_SHA256 /* can't use without SHA256 */
+
+ CYASSL_METHOD* CyaTLSv1_2_client_method(void)
+ {
+ CYASSL_METHOD* method =
+ (CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
+ DYNAMIC_TYPE_METHOD);
+ if (method)
+ InitSSL_Method(method, MakeTLSv1_2());
+ return method;
+ }
+
+#endif
+
+
+ CYASSL_METHOD* CyaSSLv23_client_method(void)
+ {
+ CYASSL_METHOD* method =
+ (CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
+ DYNAMIC_TYPE_METHOD);
+ if (method) {
+#ifndef NO_SHA256 /* 1.2 requires SHA256 */
+ InitSSL_Method(method, MakeTLSv1_2());
+#else
+ InitSSL_Method(method, MakeTLSv1_1());
+#endif
+#ifndef NO_OLD_TLS
+ method->downgrade = 1;
+#endif
+ }
+ return method;
+ }
+
+
+#endif /* NO_CYASSL_CLIENT */
+
+
+
+#ifndef NO_CYASSL_SERVER
+
+#ifndef NO_OLD_TLS
+
+ CYASSL_METHOD* CyaTLSv1_server_method(void)
+ {
+ CYASSL_METHOD* method =
+ (CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
+ DYNAMIC_TYPE_METHOD);
+ if (method) {
+ InitSSL_Method(method, MakeTLSv1());
+ method->side = CYASSL_SERVER_END;
+ }
+ return method;
+ }
+
+
+ CYASSL_METHOD* CyaTLSv1_1_server_method(void)
+ {
+ CYASSL_METHOD* method =
+ (CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
+ DYNAMIC_TYPE_METHOD);
+ if (method) {
+ InitSSL_Method(method, MakeTLSv1_1());
+ method->side = CYASSL_SERVER_END;
+ }
+ return method;
+ }
+
+#endif /* !NO_OLD_TLS */
+
+#ifndef NO_SHA256 /* can't use without SHA256 */
+
+ CYASSL_METHOD* CyaTLSv1_2_server_method(void)
+ {
+ CYASSL_METHOD* method =
+ (CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
+ DYNAMIC_TYPE_METHOD);
+ if (method) {
+ InitSSL_Method(method, MakeTLSv1_2());
+ method->side = CYASSL_SERVER_END;
+ }
+ return method;
+ }
+
+#endif
+
+
+ CYASSL_METHOD* CyaSSLv23_server_method(void)
+ {
+ CYASSL_METHOD* method =
+ (CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
+ DYNAMIC_TYPE_METHOD);
+ if (method) {
+#ifndef NO_SHA256 /* 1.2 requires SHA256 */
+ InitSSL_Method(method, MakeTLSv1_2());
+#else
+ InitSSL_Method(method, MakeTLSv1_1());
+#endif
+ method->side = CYASSL_SERVER_END;
+#ifndef NO_OLD_TLS
+ method->downgrade = 1;
+#endif /* !NO_OLD_TLS */
+ }
+ return method;
+ }
+
+
+
+#endif /* NO_CYASSL_SERVER */
+#endif /* NO_TLS */
+