wolf SSL / wolfSSL-TLS13-Beta

wolfSSL 3.11.1 for TLS1.3 beta

Fork of wolfSSL by wolf SSL

src/tls13.c@12:0217a9463bc3, 2017-05-30 (annotated)

Committer:
wolfSSL
Date:
Tue May 30 06:15:48 2017 +0000
Revision:
12:0217a9463bc3
wolfSSL 3.11.1-TLS1.3 Beta;

Who changed what in which revision?

UserRevisionLine numberNew contents of line
wolfSSL 12:0217a9463bc3 1 /* tls13.c
wolfSSL 12:0217a9463bc3 2 *
wolfSSL 12:0217a9463bc3 3 * Copyright (C) 2006-2016 wolfSSL Inc.
wolfSSL 12:0217a9463bc3 4 *
wolfSSL 12:0217a9463bc3 5 * This file is part of wolfSSL.
wolfSSL 12:0217a9463bc3 6 *
wolfSSL 12:0217a9463bc3 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 12:0217a9463bc3 8 * it under the terms of the GNU General Public License as published by
wolfSSL 12:0217a9463bc3 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 12:0217a9463bc3 10 * (at your option) any later version.
wolfSSL 12:0217a9463bc3 11 *
wolfSSL 12:0217a9463bc3 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 12:0217a9463bc3 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 12:0217a9463bc3 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 12:0217a9463bc3 15 * GNU General Public License for more details.
wolfSSL 12:0217a9463bc3 16 *
wolfSSL 12:0217a9463bc3 17 * You should have received a copy of the GNU General Public License
wolfSSL 12:0217a9463bc3 18 * along with this program; if not, write to the Free Software
wolfSSL 12:0217a9463bc3 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 12:0217a9463bc3 20 */
wolfSSL 12:0217a9463bc3 21
wolfSSL 12:0217a9463bc3 22
wolfSSL 12:0217a9463bc3 23
wolfSSL 12:0217a9463bc3 24 #ifdef HAVE_CONFIG_H
wolfSSL 12:0217a9463bc3 25 #include <config.h>
wolfSSL 12:0217a9463bc3 26 #endif
wolfSSL 12:0217a9463bc3 27
wolfSSL 12:0217a9463bc3 28 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 12:0217a9463bc3 29
wolfSSL 12:0217a9463bc3 30 #ifdef WOLFSSL_TLS13
wolfSSL 12:0217a9463bc3 31 #if defined(HAVE_SESSION_TICKET)
wolfSSL 12:0217a9463bc3 32 #include <sys/time.h>
wolfSSL 12:0217a9463bc3 33 #endif
wolfSSL 12:0217a9463bc3 34
wolfSSL 12:0217a9463bc3 35 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 12:0217a9463bc3 36
wolfSSL 12:0217a9463bc3 37 #ifndef WOLFCRYPT_ONLY
wolfSSL 12:0217a9463bc3 38
wolfSSL 12:0217a9463bc3 39 #ifdef HAVE_ERRNO_H
wolfSSL 12:0217a9463bc3 40 #include <errno.h>
wolfSSL 12:0217a9463bc3 41 #endif
wolfSSL 12:0217a9463bc3 42
wolfSSL 12:0217a9463bc3 43 #include <wolfssl/internal.h>
wolfSSL 12:0217a9463bc3 44 #include <wolfssl/error-ssl.h>
wolfSSL 12:0217a9463bc3 45 #include <wolfssl/wolfcrypt/asn.h>
wolfSSL 12:0217a9463bc3 46 #include <wolfssl/wolfcrypt/dh.h>
wolfSSL 12:0217a9463bc3 47 #ifdef NO_INLINE
wolfSSL 12:0217a9463bc3 48 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 12:0217a9463bc3 49 #else
wolfSSL 12:0217a9463bc3 50 #define WOLFSSL_MISC_INCLUDED
wolfSSL 12:0217a9463bc3 51 #include <wolfcrypt/src/misc.c>
wolfSSL 12:0217a9463bc3 52 #endif
wolfSSL 12:0217a9463bc3 53
wolfSSL 12:0217a9463bc3 54 #ifdef HAVE_NTRU
wolfSSL 12:0217a9463bc3 55 #include "libntruencrypt/ntru_crypto.h"
wolfSSL 12:0217a9463bc3 56 #endif
wolfSSL 12:0217a9463bc3 57
wolfSSL 12:0217a9463bc3 58 #if defined(DEBUG_WOLFSSL) || defined(WOLFSSL_DEBUG) || \
wolfSSL 12:0217a9463bc3 59 defined(CHACHA_AEAD_TEST) || defined(WOLFSSL_SESSION_EXPORT_DEBUG)
wolfSSL 12:0217a9463bc3 60 #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 12:0217a9463bc3 61 #if MQX_USE_IO_OLD
wolfSSL 12:0217a9463bc3 62 #include <fio.h>
wolfSSL 12:0217a9463bc3 63 #else
wolfSSL 12:0217a9463bc3 64 #include <nio.h>
wolfSSL 12:0217a9463bc3 65 #endif
wolfSSL 12:0217a9463bc3 66 #else
wolfSSL 12:0217a9463bc3 67 #include <stdio.h>
wolfSSL 12:0217a9463bc3 68 #endif
wolfSSL 12:0217a9463bc3 69 #endif
wolfSSL 12:0217a9463bc3 70
wolfSSL 12:0217a9463bc3 71 #ifdef __sun
wolfSSL 12:0217a9463bc3 72 #include <sys/filio.h>
wolfSSL 12:0217a9463bc3 73 #endif
wolfSSL 12:0217a9463bc3 74
wolfSSL 12:0217a9463bc3 75 #ifndef TRUE
wolfSSL 12:0217a9463bc3 76 #define TRUE 1
wolfSSL 12:0217a9463bc3 77 #endif
wolfSSL 12:0217a9463bc3 78 #ifndef FALSE
wolfSSL 12:0217a9463bc3 79 #define FALSE 0
wolfSSL 12:0217a9463bc3 80 #endif
wolfSSL 12:0217a9463bc3 81
wolfSSL 12:0217a9463bc3 82 /* Set ret to error value and jump to label.
wolfSSL 12:0217a9463bc3 83 *
wolfSSL 12:0217a9463bc3 84 * err The error value to set.
wolfSSL 12:0217a9463bc3 85 * eLabel The label to jump to.
wolfSSL 12:0217a9463bc3 86 */
wolfSSL 12:0217a9463bc3 87 #define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
wolfSSL 12:0217a9463bc3 88
wolfSSL 12:0217a9463bc3 89
wolfSSL 12:0217a9463bc3 90 #ifndef WOLFSSL_HAVE_MIN
wolfSSL 12:0217a9463bc3 91 #define WOLFSSL_HAVE_MIN
wolfSSL 12:0217a9463bc3 92 /* Return the minimum of the two values.
wolfSSL 12:0217a9463bc3 93 *
wolfSSL 12:0217a9463bc3 94 * a First value.
wolfSSL 12:0217a9463bc3 95 * b Second value.
wolfSSL 12:0217a9463bc3 96 * returns the minimum of a and b.
wolfSSL 12:0217a9463bc3 97 */
wolfSSL 12:0217a9463bc3 98 static INLINE word32 min(word32 a, word32 b)
wolfSSL 12:0217a9463bc3 99 {
wolfSSL 12:0217a9463bc3 100 return a > b ? b : a;
wolfSSL 12:0217a9463bc3 101 }
wolfSSL 12:0217a9463bc3 102 #endif /* WOLFSSL_HAVE_MIN */
wolfSSL 12:0217a9463bc3 103
wolfSSL 12:0217a9463bc3 104 /* Convert 16-bit integer to opaque data.
wolfSSL 12:0217a9463bc3 105 *
wolfSSL 12:0217a9463bc3 106 * u16 Unsigned 16-bit value.
wolfSSL 12:0217a9463bc3 107 * c The buffer to write to.
wolfSSL 12:0217a9463bc3 108 */
wolfSSL 12:0217a9463bc3 109 static INLINE void c16toa(word16 u16, byte* c)
wolfSSL 12:0217a9463bc3 110 {
wolfSSL 12:0217a9463bc3 111 c[0] = (u16 >> 8) & 0xff;
wolfSSL 12:0217a9463bc3 112 c[1] = u16 & 0xff;
wolfSSL 12:0217a9463bc3 113 }
wolfSSL 12:0217a9463bc3 114
wolfSSL 12:0217a9463bc3 115 /* Convert 32-bit integer to opaque data.
wolfSSL 12:0217a9463bc3 116 *
wolfSSL 12:0217a9463bc3 117 * u32 Unsigned 32-bit value.
wolfSSL 12:0217a9463bc3 118 * c The buffer to write to.
wolfSSL 12:0217a9463bc3 119 */
wolfSSL 12:0217a9463bc3 120 static INLINE void c32toa(word32 u32, byte* c)
wolfSSL 12:0217a9463bc3 121 {
wolfSSL 12:0217a9463bc3 122 c[0] = (u32 >> 24) & 0xff;
wolfSSL 12:0217a9463bc3 123 c[1] = (u32 >> 16) & 0xff;
wolfSSL 12:0217a9463bc3 124 c[2] = (u32 >> 8) & 0xff;
wolfSSL 12:0217a9463bc3 125 c[3] = u32 & 0xff;
wolfSSL 12:0217a9463bc3 126 }
wolfSSL 12:0217a9463bc3 127
wolfSSL 12:0217a9463bc3 128
wolfSSL 12:0217a9463bc3 129 /* Convert 24-bit opaque data into a 32-bit value.
wolfSSL 12:0217a9463bc3 130 *
wolfSSL 12:0217a9463bc3 131 * u24 The opaque data holding a 24-bit integer.
wolfSSL 12:0217a9463bc3 132 * u32 Unsigned 32-bit value.
wolfSSL 12:0217a9463bc3 133 */
wolfSSL 12:0217a9463bc3 134 static INLINE void c24to32(const word24 u24, word32* u32)
wolfSSL 12:0217a9463bc3 135 {
wolfSSL 12:0217a9463bc3 136 *u32 = (u24[0] << 16) | (u24[1] << 8) | u24[2];
wolfSSL 12:0217a9463bc3 137 }
wolfSSL 12:0217a9463bc3 138
wolfSSL 12:0217a9463bc3 139
wolfSSL 12:0217a9463bc3 140 /* Convert opaque data into a 16-bit value.
wolfSSL 12:0217a9463bc3 141 *
wolfSSL 12:0217a9463bc3 142 * c The opaque data.
wolfSSL 12:0217a9463bc3 143 * u16 Unsigned 16-bit value.
wolfSSL 12:0217a9463bc3 144 */
wolfSSL 12:0217a9463bc3 145 static INLINE void ato16(const byte* c, word16* u16)
wolfSSL 12:0217a9463bc3 146 {
wolfSSL 12:0217a9463bc3 147 *u16 = (word16) ((c[0] << 8) | (c[1]));
wolfSSL 12:0217a9463bc3 148 }
wolfSSL 12:0217a9463bc3 149
wolfSSL 12:0217a9463bc3 150 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:0217a9463bc3 151 #ifdef HAVE_SESSION_TICKET
wolfSSL 12:0217a9463bc3 152 /* Convert opaque data into a 32-bit value.
wolfSSL 12:0217a9463bc3 153 *
wolfSSL 12:0217a9463bc3 154 * c The opaque data.
wolfSSL 12:0217a9463bc3 155 * u32 Unsigned 32-bit value.
wolfSSL 12:0217a9463bc3 156 */
wolfSSL 12:0217a9463bc3 157 static INLINE void ato32(const byte* c, word32* u32)
wolfSSL 12:0217a9463bc3 158 {
wolfSSL 12:0217a9463bc3 159 *u32 = (c[0] << 24) | (c[1] << 16) | (c[2] << 8) | c[3];
wolfSSL 12:0217a9463bc3 160 }
wolfSSL 12:0217a9463bc3 161 #endif
wolfSSL 12:0217a9463bc3 162 #endif
wolfSSL 12:0217a9463bc3 163
wolfSSL 12:0217a9463bc3 164 /* Extract data using HMAC, salt and input.
wolfSSL 12:0217a9463bc3 165 * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
wolfSSL 12:0217a9463bc3 166 *
wolfSSL 12:0217a9463bc3 167 * prk The generated pseudorandom key.
wolfSSL 12:0217a9463bc3 168 * salt The salt.
wolfSSL 12:0217a9463bc3 169 * saltLen The length of the salt.
wolfSSL 12:0217a9463bc3 170 * ikm The input keying material.
wolfSSL 12:0217a9463bc3 171 * ikmLen The length of the input keying material.
wolfSSL 12:0217a9463bc3 172 * mac The type of digest to use.
wolfSSL 12:0217a9463bc3 173 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 174 */
wolfSSL 12:0217a9463bc3 175 static int Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen,
wolfSSL 12:0217a9463bc3 176 byte* ikm, int ikmLen, int mac)
wolfSSL 12:0217a9463bc3 177 {
wolfSSL 12:0217a9463bc3 178 int ret;
wolfSSL 12:0217a9463bc3 179 int hash;
wolfSSL 12:0217a9463bc3 180 int len;
wolfSSL 12:0217a9463bc3 181
wolfSSL 12:0217a9463bc3 182 switch (mac) {
wolfSSL 12:0217a9463bc3 183 #ifndef NO_SHA256
wolfSSL 12:0217a9463bc3 184 case sha256_mac:
wolfSSL 12:0217a9463bc3 185 hash = SHA256;
wolfSSL 12:0217a9463bc3 186 len = SHA256_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 187 break;
wolfSSL 12:0217a9463bc3 188 #endif
wolfSSL 12:0217a9463bc3 189
wolfSSL 12:0217a9463bc3 190 #ifdef WOLFSSL_SHA384
wolfSSL 12:0217a9463bc3 191 case sha384_mac:
wolfSSL 12:0217a9463bc3 192 hash = SHA384;
wolfSSL 12:0217a9463bc3 193 len = SHA384_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 194 break;
wolfSSL 12:0217a9463bc3 195 #endif
wolfSSL 12:0217a9463bc3 196
wolfSSL 12:0217a9463bc3 197 #ifdef WOLFSSL_SHA512
wolfSSL 12:0217a9463bc3 198 case sha512_mac:
wolfSSL 12:0217a9463bc3 199 hash = SHA512;
wolfSSL 12:0217a9463bc3 200 len = SHA512_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 201 break;
wolfSSL 12:0217a9463bc3 202 #endif
wolfSSL 12:0217a9463bc3 203
wolfSSL 12:0217a9463bc3 204 default:
wolfSSL 12:0217a9463bc3 205 return BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 206 }
wolfSSL 12:0217a9463bc3 207
wolfSSL 12:0217a9463bc3 208 /* When length is 0 then use zeroed data of digest length. */
wolfSSL 12:0217a9463bc3 209 if (ikmLen == 0) {
wolfSSL 12:0217a9463bc3 210 ikmLen = len;
wolfSSL 12:0217a9463bc3 211 XMEMSET(ikm, 0, len);
wolfSSL 12:0217a9463bc3 212 }
wolfSSL 12:0217a9463bc3 213
wolfSSL 12:0217a9463bc3 214 #ifdef WOLFSSL_DEBUG_TLS
wolfSSL 12:0217a9463bc3 215 WOLFSSL_MSG("Salt");
wolfSSL 12:0217a9463bc3 216 WOLFSSL_BUFFER(salt, saltLen);
wolfSSL 12:0217a9463bc3 217 WOLFSSL_MSG("IKM");
wolfSSL 12:0217a9463bc3 218 WOLFSSL_BUFFER(ikm, ikmLen);
wolfSSL 12:0217a9463bc3 219 #endif
wolfSSL 12:0217a9463bc3 220
wolfSSL 12:0217a9463bc3 221 ret = wc_HKDF_Extract(hash, salt, saltLen, ikm, ikmLen, prk);
wolfSSL 12:0217a9463bc3 222
wolfSSL 12:0217a9463bc3 223 #ifdef WOLFSSL_DEBUG_TLS
wolfSSL 12:0217a9463bc3 224 WOLFSSL_MSG("PRK");
wolfSSL 12:0217a9463bc3 225 WOLFSSL_BUFFER(prk, len);
wolfSSL 12:0217a9463bc3 226 #endif
wolfSSL 12:0217a9463bc3 227
wolfSSL 12:0217a9463bc3 228 return ret;
wolfSSL 12:0217a9463bc3 229 }
wolfSSL 12:0217a9463bc3 230
wolfSSL 12:0217a9463bc3 231 /* Expand data using HMAC, salt and label and info.
wolfSSL 12:0217a9463bc3 232 * TLS v1.3 defines this function.
wolfSSL 12:0217a9463bc3 233 *
wolfSSL 12:0217a9463bc3 234 * okm The generated pseudorandom key - output key material.
wolfSSL 12:0217a9463bc3 235 * prk The salt - pseudo-random key.
wolfSSL 12:0217a9463bc3 236 * prkLen The length of the salt - pseudo-random key.
wolfSSL 12:0217a9463bc3 237 * protocol The TLS protocol label.
wolfSSL 12:0217a9463bc3 238 * protocolLen The length of the TLS protocol label.
wolfSSL 12:0217a9463bc3 239 * info The information to expand.
wolfSSL 12:0217a9463bc3 240 * infoLen The length of the information.
wolfSSL 12:0217a9463bc3 241 * digest The type of digest to use.
wolfSSL 12:0217a9463bc3 242 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 243 */
wolfSSL 12:0217a9463bc3 244 static int HKDF_Expand_Label(byte* okm, word32 okmLen,
wolfSSL 12:0217a9463bc3 245 const byte* prk, word32 prkLen,
wolfSSL 12:0217a9463bc3 246 const byte* protocol, word32 protocolLen,
wolfSSL 12:0217a9463bc3 247 const byte* label, word32 labelLen,
wolfSSL 12:0217a9463bc3 248 const byte* info, word32 infoLen,
wolfSSL 12:0217a9463bc3 249 int digest)
wolfSSL 12:0217a9463bc3 250 {
wolfSSL 12:0217a9463bc3 251 int ret = 0;
wolfSSL 12:0217a9463bc3 252 int idx = 0;
wolfSSL 12:0217a9463bc3 253 byte data[MAX_HKDF_LABEL_SZ];
wolfSSL 12:0217a9463bc3 254
wolfSSL 12:0217a9463bc3 255 /* Output length. */
wolfSSL 12:0217a9463bc3 256 data[idx++] = okmLen >> 8;
wolfSSL 12:0217a9463bc3 257 data[idx++] = okmLen;
wolfSSL 12:0217a9463bc3 258 /* Length of protocol | label. */
wolfSSL 12:0217a9463bc3 259 data[idx++] = protocolLen + labelLen;
wolfSSL 12:0217a9463bc3 260 /* Protocol */
wolfSSL 12:0217a9463bc3 261 XMEMCPY(&data[idx], protocol, protocolLen);
wolfSSL 12:0217a9463bc3 262 idx += protocolLen;
wolfSSL 12:0217a9463bc3 263 /* Label */
wolfSSL 12:0217a9463bc3 264 XMEMCPY(&data[idx], label, labelLen);
wolfSSL 12:0217a9463bc3 265 idx += labelLen;
wolfSSL 12:0217a9463bc3 266 /* Length of hash of messages */
wolfSSL 12:0217a9463bc3 267 data[idx++] = infoLen;
wolfSSL 12:0217a9463bc3 268 /* Hash of messages */
wolfSSL 12:0217a9463bc3 269 XMEMCPY(&data[idx], info, infoLen);
wolfSSL 12:0217a9463bc3 270 idx += infoLen;
wolfSSL 12:0217a9463bc3 271
wolfSSL 12:0217a9463bc3 272 #ifdef WOLFSSL_DEBUG_TLS
wolfSSL 12:0217a9463bc3 273 WOLFSSL_MSG("PRK");
wolfSSL 12:0217a9463bc3 274 WOLFSSL_BUFFER(prk, prkLen);
wolfSSL 12:0217a9463bc3 275 WOLFSSL_MSG("Info");
wolfSSL 12:0217a9463bc3 276 WOLFSSL_BUFFER(data, idx);
wolfSSL 12:0217a9463bc3 277 #endif
wolfSSL 12:0217a9463bc3 278
wolfSSL 12:0217a9463bc3 279 ret = wc_HKDF_Expand(digest, prk, prkLen, data, idx, okm, okmLen);
wolfSSL 12:0217a9463bc3 280
wolfSSL 12:0217a9463bc3 281 #ifdef WOLFSSL_DEBUG_TLS
wolfSSL 12:0217a9463bc3 282 WOLFSSL_MSG("OKM");
wolfSSL 12:0217a9463bc3 283 WOLFSSL_BUFFER(okm, okmLen);
wolfSSL 12:0217a9463bc3 284 #endif
wolfSSL 12:0217a9463bc3 285
wolfSSL 12:0217a9463bc3 286 ForceZero(data, idx);
wolfSSL 12:0217a9463bc3 287
wolfSSL 12:0217a9463bc3 288 return ret;
wolfSSL 12:0217a9463bc3 289 }
wolfSSL 12:0217a9463bc3 290
wolfSSL 12:0217a9463bc3 291 /* Size of the TLS v1.3 label use when deriving keys. */
wolfSSL 12:0217a9463bc3 292 #define TLS13_PROTOCOL_LABEL_SZ 9
wolfSSL 12:0217a9463bc3 293 /* The protocol label for TLS v1.3. */
wolfSSL 12:0217a9463bc3 294 static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "TLS 1.3, ";
wolfSSL 12:0217a9463bc3 295
wolfSSL 12:0217a9463bc3 296 /* Derive a key from a message.
wolfSSL 12:0217a9463bc3 297 *
wolfSSL 12:0217a9463bc3 298 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 299 * output The buffer to hold the derived key.
wolfSSL 12:0217a9463bc3 300 * outputLen The length of the derived key.
wolfSSL 12:0217a9463bc3 301 * secret The secret used to derive the key (HMAC secret).
wolfSSL 12:0217a9463bc3 302 * label The label used to distinguish the context.
wolfSSL 12:0217a9463bc3 303 * labelLen The length of the label.
wolfSSL 12:0217a9463bc3 304 * msg The message data to derive key from.
wolfSSL 12:0217a9463bc3 305 * msgLen The length of the message data to derive key from.
wolfSSL 12:0217a9463bc3 306 * hashAlgo The hash algorithm to use in the HMAC.
wolfSSL 12:0217a9463bc3 307 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 308 */
wolfSSL 12:0217a9463bc3 309 static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen,
wolfSSL 12:0217a9463bc3 310 const byte* secret, const byte* label, word32 labelLen,
wolfSSL 12:0217a9463bc3 311 byte* msg, int msgLen, int hashAlgo)
wolfSSL 12:0217a9463bc3 312 {
wolfSSL 12:0217a9463bc3 313 byte hash[MAX_DIGEST_SIZE];
wolfSSL 12:0217a9463bc3 314 Digest digest;
wolfSSL 12:0217a9463bc3 315 word32 hashSz = 0;
wolfSSL 12:0217a9463bc3 316 const byte* protocol;
wolfSSL 12:0217a9463bc3 317 word32 protocolLen;
wolfSSL 12:0217a9463bc3 318 int digestAlg;
wolfSSL 12:0217a9463bc3 319
wolfSSL 12:0217a9463bc3 320 switch (hashAlgo) {
wolfSSL 12:0217a9463bc3 321 #ifndef NO_WOLFSSL_SHA256
wolfSSL 12:0217a9463bc3 322 case sha256_mac:
wolfSSL 12:0217a9463bc3 323 wc_InitSha256(&digest.sha256);
wolfSSL 12:0217a9463bc3 324 wc_Sha256Update(&digest.sha256, msg, msgLen);
wolfSSL 12:0217a9463bc3 325 wc_Sha256Final(&digest.sha256, hash);
wolfSSL 12:0217a9463bc3 326 wc_Sha256Free(&digest.sha256);
wolfSSL 12:0217a9463bc3 327 hashSz = SHA256_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 328 digestAlg = SHA256;
wolfSSL 12:0217a9463bc3 329 break;
wolfSSL 12:0217a9463bc3 330 #endif
wolfSSL 12:0217a9463bc3 331 #ifdef WOLFSSL_SHA384
wolfSSL 12:0217a9463bc3 332 case sha384_mac:
wolfSSL 12:0217a9463bc3 333 wc_InitSha384(&digest.sha384);
wolfSSL 12:0217a9463bc3 334 wc_Sha384Update(&digest.sha384, msg, msgLen);
wolfSSL 12:0217a9463bc3 335 wc_Sha384Final(&digest.sha384, hash);
wolfSSL 12:0217a9463bc3 336 wc_Sha384Free(&digest.sha384);
wolfSSL 12:0217a9463bc3 337 hashSz = SHA384_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 338 digestAlg = SHA384;
wolfSSL 12:0217a9463bc3 339 break;
wolfSSL 12:0217a9463bc3 340 #endif
wolfSSL 12:0217a9463bc3 341 #ifdef WOLFSSL_SHA512
wolfSSL 12:0217a9463bc3 342 case sha512_mac:
wolfSSL 12:0217a9463bc3 343 wc_InitSha512(&digest.sha512);
wolfSSL 12:0217a9463bc3 344 wc_Sha512Update(&digest.sha512, msg, msgLen);
wolfSSL 12:0217a9463bc3 345 wc_Sha512Final(&digest.sha512, hash);
wolfSSL 12:0217a9463bc3 346 wc_Sha512Free(&digest.sha512);
wolfSSL 12:0217a9463bc3 347 hashSz = SHA512_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 348 digestAlg = SHA512;
wolfSSL 12:0217a9463bc3 349 break;
wolfSSL 12:0217a9463bc3 350 #endif
wolfSSL 12:0217a9463bc3 351
wolfSSL 12:0217a9463bc3 352 default:
wolfSSL 12:0217a9463bc3 353 return BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 354 }
wolfSSL 12:0217a9463bc3 355
wolfSSL 12:0217a9463bc3 356 switch (ssl->version.minor) {
wolfSSL 12:0217a9463bc3 357 case TLSv1_3_MINOR:
wolfSSL 12:0217a9463bc3 358 protocol = tls13ProtocolLabel;
wolfSSL 12:0217a9463bc3 359 protocolLen = TLS13_PROTOCOL_LABEL_SZ;
wolfSSL 12:0217a9463bc3 360 break;
wolfSSL 12:0217a9463bc3 361
wolfSSL 12:0217a9463bc3 362 default:
wolfSSL 12:0217a9463bc3 363 return VERSION_ERROR;
wolfSSL 12:0217a9463bc3 364 }
wolfSSL 12:0217a9463bc3 365 if (outputLen == -1)
wolfSSL 12:0217a9463bc3 366 outputLen = hashSz;
wolfSSL 12:0217a9463bc3 367
wolfSSL 12:0217a9463bc3 368 return HKDF_Expand_Label(output, outputLen, secret, hashSz,
wolfSSL 12:0217a9463bc3 369 protocol, protocolLen, label, labelLen,
wolfSSL 12:0217a9463bc3 370 hash, hashSz, digestAlg);
wolfSSL 12:0217a9463bc3 371 }
wolfSSL 12:0217a9463bc3 372
wolfSSL 12:0217a9463bc3 373 /* Derive a key.
wolfSSL 12:0217a9463bc3 374 *
wolfSSL 12:0217a9463bc3 375 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 376 * output The buffer to hold the derived key.
wolfSSL 12:0217a9463bc3 377 * outputLen The length of the derived key.
wolfSSL 12:0217a9463bc3 378 * secret The secret used to derive the key (HMAC secret).
wolfSSL 12:0217a9463bc3 379 * label The label used to distinguish the context.
wolfSSL 12:0217a9463bc3 380 * labelLen The length of the label.
wolfSSL 12:0217a9463bc3 381 * hashAlgo The hash algorithm to use in the HMAC.
wolfSSL 12:0217a9463bc3 382 * includeMsgs Whether to include a hash of the handshake messages so far.
wolfSSL 12:0217a9463bc3 383 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 384 */
wolfSSL 12:0217a9463bc3 385 static int DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,
wolfSSL 12:0217a9463bc3 386 const byte* secret, const byte* label, word32 labelLen,
wolfSSL 12:0217a9463bc3 387 int hashAlgo, int includeMsgs)
wolfSSL 12:0217a9463bc3 388 {
wolfSSL 12:0217a9463bc3 389 int ret = 0;
wolfSSL 12:0217a9463bc3 390 byte hash[MAX_DIGEST_SIZE];
wolfSSL 12:0217a9463bc3 391 word32 hashSz = 0;
wolfSSL 12:0217a9463bc3 392 word32 hashOutSz = 0;
wolfSSL 12:0217a9463bc3 393 const byte* protocol;
wolfSSL 12:0217a9463bc3 394 word32 protocolLen;
wolfSSL 12:0217a9463bc3 395 int digestAlg;
wolfSSL 12:0217a9463bc3 396
wolfSSL 12:0217a9463bc3 397 switch (hashAlgo) {
wolfSSL 12:0217a9463bc3 398 #ifndef NO_SHA256
wolfSSL 12:0217a9463bc3 399 case sha256_mac:
wolfSSL 12:0217a9463bc3 400 hashSz = SHA256_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 401 digestAlg = SHA256;
wolfSSL 12:0217a9463bc3 402 if (includeMsgs)
wolfSSL 12:0217a9463bc3 403 ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
wolfSSL 12:0217a9463bc3 404 break;
wolfSSL 12:0217a9463bc3 405 #endif
wolfSSL 12:0217a9463bc3 406
wolfSSL 12:0217a9463bc3 407 #ifdef WOLFSSL_SHA384
wolfSSL 12:0217a9463bc3 408 case sha384_mac:
wolfSSL 12:0217a9463bc3 409 hashSz = SHA384_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 410 digestAlg = SHA384;
wolfSSL 12:0217a9463bc3 411 if (includeMsgs)
wolfSSL 12:0217a9463bc3 412 ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
wolfSSL 12:0217a9463bc3 413 break;
wolfSSL 12:0217a9463bc3 414 #endif
wolfSSL 12:0217a9463bc3 415
wolfSSL 12:0217a9463bc3 416 #ifdef WOLFSSL_SHA512
wolfSSL 12:0217a9463bc3 417 case sha512_mac:
wolfSSL 12:0217a9463bc3 418 hashSz = SHA512_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 419 digestAlg = SHA512;
wolfSSL 12:0217a9463bc3 420 if (includeMsgs)
wolfSSL 12:0217a9463bc3 421 ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
wolfSSL 12:0217a9463bc3 422 break;
wolfSSL 12:0217a9463bc3 423 #endif
wolfSSL 12:0217a9463bc3 424
wolfSSL 12:0217a9463bc3 425 default:
wolfSSL 12:0217a9463bc3 426 ret = BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 427 break;
wolfSSL 12:0217a9463bc3 428 }
wolfSSL 12:0217a9463bc3 429 if (ret != 0)
wolfSSL 12:0217a9463bc3 430 return ret;
wolfSSL 12:0217a9463bc3 431
wolfSSL 12:0217a9463bc3 432 /* Only one protocol version defined at this time. */
wolfSSL 12:0217a9463bc3 433 protocol = tls13ProtocolLabel;
wolfSSL 12:0217a9463bc3 434 protocolLen = TLS13_PROTOCOL_LABEL_SZ;
wolfSSL 12:0217a9463bc3 435
wolfSSL 12:0217a9463bc3 436 if (outputLen == -1)
wolfSSL 12:0217a9463bc3 437 outputLen = hashSz;
wolfSSL 12:0217a9463bc3 438 if (includeMsgs)
wolfSSL 12:0217a9463bc3 439 hashOutSz = hashSz;
wolfSSL 12:0217a9463bc3 440
wolfSSL 12:0217a9463bc3 441 return HKDF_Expand_Label(output, outputLen, secret, hashSz,
wolfSSL 12:0217a9463bc3 442 protocol, protocolLen, label, labelLen,
wolfSSL 12:0217a9463bc3 443 hash, hashOutSz, digestAlg);
wolfSSL 12:0217a9463bc3 444 }
wolfSSL 12:0217a9463bc3 445
wolfSSL 12:0217a9463bc3 446
wolfSSL 12:0217a9463bc3 447 #if defined(HAVE_SESSION_TICKET) && !defined(NO_PSK)
wolfSSL 12:0217a9463bc3 448 /* The length of the binder key label. */
wolfSSL 12:0217a9463bc3 449 #define BINDER_KEY_LABEL_SZ 23
wolfSSL 12:0217a9463bc3 450 /* The binder key label. */
wolfSSL 12:0217a9463bc3 451 static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =
wolfSSL 12:0217a9463bc3 452 "external psk binder key";
wolfSSL 12:0217a9463bc3 453 /* Derive the binder key.
wolfSSL 12:0217a9463bc3 454 *
wolfSSL 12:0217a9463bc3 455 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 456 * key The derived key.
wolfSSL 12:0217a9463bc3 457 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 458 */
wolfSSL 12:0217a9463bc3 459 static int DeriveBinderKey(WOLFSSL* ssl, byte* key)
wolfSSL 12:0217a9463bc3 460 {
wolfSSL 12:0217a9463bc3 461 WOLFSSL_MSG("Derive Binder Key");
wolfSSL 12:0217a9463bc3 462 return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
wolfSSL 12:0217a9463bc3 463 binderKeyLabel, BINDER_KEY_LABEL_SZ,
wolfSSL 12:0217a9463bc3 464 NULL, 0, ssl->specs.mac_algorithm);
wolfSSL 12:0217a9463bc3 465 }
wolfSSL 12:0217a9463bc3 466
wolfSSL 12:0217a9463bc3 467 /* The length of the binder key resume label. */
wolfSSL 12:0217a9463bc3 468 #define BINDER_KEY_RESUME_LABEL_SZ 25
wolfSSL 12:0217a9463bc3 469 /* The binder key resume label. */
wolfSSL 12:0217a9463bc3 470 static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =
wolfSSL 12:0217a9463bc3 471 "resumption psk binder key";
wolfSSL 12:0217a9463bc3 472 /* Derive the binder resumption key.
wolfSSL 12:0217a9463bc3 473 *
wolfSSL 12:0217a9463bc3 474 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 475 * key The derived key.
wolfSSL 12:0217a9463bc3 476 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 477 */
wolfSSL 12:0217a9463bc3 478 static int DeriveBinderKeyResume(WOLFSSL* ssl, byte* key)
wolfSSL 12:0217a9463bc3 479 {
wolfSSL 12:0217a9463bc3 480 WOLFSSL_MSG("Derive Binder Key - Resumption");
wolfSSL 12:0217a9463bc3 481 return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
wolfSSL 12:0217a9463bc3 482 binderKeyResumeLabel, BINDER_KEY_RESUME_LABEL_SZ,
wolfSSL 12:0217a9463bc3 483 NULL, 0, ssl->specs.mac_algorithm);
wolfSSL 12:0217a9463bc3 484 }
wolfSSL 12:0217a9463bc3 485 #endif
wolfSSL 12:0217a9463bc3 486
wolfSSL 12:0217a9463bc3 487 #ifdef TLS13_SUPPORTS_0RTT
wolfSSL 12:0217a9463bc3 488 /* The length of the early traffic label. */
wolfSSL 12:0217a9463bc3 489 #define EARLY_TRAFFIC_LABEL_SZ 27
wolfSSL 12:0217a9463bc3 490 /* The early traffic label. */
wolfSSL 12:0217a9463bc3 491 static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =
wolfSSL 12:0217a9463bc3 492 "client early traffic secret";
wolfSSL 12:0217a9463bc3 493 /* Derive the early traffic key.
wolfSSL 12:0217a9463bc3 494 *
wolfSSL 12:0217a9463bc3 495 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 496 * key The derived key.
wolfSSL 12:0217a9463bc3 497 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 498 */
wolfSSL 12:0217a9463bc3 499 static int DeriveEarlyTrafficSecret(WOLFSSL* ssl, byte* key)
wolfSSL 12:0217a9463bc3 500 {
wolfSSL 12:0217a9463bc3 501 WOLFSSL_MSG("Derive Early Traffic Secret");
wolfSSL 12:0217a9463bc3 502 return DeriveKey(ssl, key, -1, ssl->arrays->secret,
wolfSSL 12:0217a9463bc3 503 earlyTrafficLabel, EARLY_TRAFFIC_LABEL_SZ,
wolfSSL 12:0217a9463bc3 504 ssl->specs.mac_algorithm, 1);
wolfSSL 12:0217a9463bc3 505 }
wolfSSL 12:0217a9463bc3 506
wolfSSL 12:0217a9463bc3 507 #ifdef TLS13_SUPPORTS_EXPORTERS
wolfSSL 12:0217a9463bc3 508 /* The length of the early exporter label. */
wolfSSL 12:0217a9463bc3 509 #define EARLY_EXPORTER_LABEL_SZ 28
wolfSSL 12:0217a9463bc3 510 /* The early exporter label. */
wolfSSL 12:0217a9463bc3 511 static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] =
wolfSSL 12:0217a9463bc3 512 "early exporter master secret";
wolfSSL 12:0217a9463bc3 513 /* Derive the early exporter key.
wolfSSL 12:0217a9463bc3 514 *
wolfSSL 12:0217a9463bc3 515 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 516 * key The derived key.
wolfSSL 12:0217a9463bc3 517 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 518 */
wolfSSL 12:0217a9463bc3 519 static int DeriveEarlyExporterSecret(WOLFSSL* ssl, byte* key)
wolfSSL 12:0217a9463bc3 520 {
wolfSSL 12:0217a9463bc3 521 WOLFSSL_MSG("Derive Early Exporter Secret");
wolfSSL 12:0217a9463bc3 522 return DeriveKey(ssl, key, -1, ssl->arrays->secret,
wolfSSL 12:0217a9463bc3 523 earlyExporterLabel, EARLY_EXPORTER_LABEL_SZ,
wolfSSL 12:0217a9463bc3 524 ssl->specs.mac_algorithm, 1);
wolfSSL 12:0217a9463bc3 525 }
wolfSSL 12:0217a9463bc3 526 #endif
wolfSSL 12:0217a9463bc3 527 #endif
wolfSSL 12:0217a9463bc3 528
wolfSSL 12:0217a9463bc3 529 /* The length of the client hanshake label. */
wolfSSL 12:0217a9463bc3 530 #define CLIENT_HANDSHAKE_LABEL_SZ 31
wolfSSL 12:0217a9463bc3 531 /* The client hanshake label. */
wolfSSL 12:0217a9463bc3 532 static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =
wolfSSL 12:0217a9463bc3 533 "client handshake traffic secret";
wolfSSL 12:0217a9463bc3 534 /* Derive the client handshake key.
wolfSSL 12:0217a9463bc3 535 *
wolfSSL 12:0217a9463bc3 536 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 537 * key The derived key.
wolfSSL 12:0217a9463bc3 538 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 539 */
wolfSSL 12:0217a9463bc3 540 static int DeriveClientHandshakeSecret(WOLFSSL* ssl, byte* key)
wolfSSL 12:0217a9463bc3 541 {
wolfSSL 12:0217a9463bc3 542 WOLFSSL_MSG("Derive Client Handshake Secret");
wolfSSL 12:0217a9463bc3 543 return DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
wolfSSL 12:0217a9463bc3 544 clientHandshakeLabel, CLIENT_HANDSHAKE_LABEL_SZ,
wolfSSL 12:0217a9463bc3 545 ssl->specs.mac_algorithm, 1);
wolfSSL 12:0217a9463bc3 546 }
wolfSSL 12:0217a9463bc3 547
wolfSSL 12:0217a9463bc3 548 /* The length of the server handshake label. */
wolfSSL 12:0217a9463bc3 549 #define SERVER_HANDSHAKE_LABEL_SZ 31
wolfSSL 12:0217a9463bc3 550 /* The server handshake label. */
wolfSSL 12:0217a9463bc3 551 static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =
wolfSSL 12:0217a9463bc3 552 "server handshake traffic secret";
wolfSSL 12:0217a9463bc3 553 /* Derive the server handshake key.
wolfSSL 12:0217a9463bc3 554 *
wolfSSL 12:0217a9463bc3 555 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 556 * key The derived key.
wolfSSL 12:0217a9463bc3 557 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 558 */
wolfSSL 12:0217a9463bc3 559 static int DeriveServerHandshakeSecret(WOLFSSL* ssl, byte* key)
wolfSSL 12:0217a9463bc3 560 {
wolfSSL 12:0217a9463bc3 561 WOLFSSL_MSG("Derive Server Handshake Secret");
wolfSSL 12:0217a9463bc3 562 return DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
wolfSSL 12:0217a9463bc3 563 serverHandshakeLabel, SERVER_HANDSHAKE_LABEL_SZ,
wolfSSL 12:0217a9463bc3 564 ssl->specs.mac_algorithm, 1);
wolfSSL 12:0217a9463bc3 565 }
wolfSSL 12:0217a9463bc3 566
wolfSSL 12:0217a9463bc3 567 /* The length of the client application traffic label. */
wolfSSL 12:0217a9463bc3 568 #define CLIENT_APP_LABEL_SZ 33
wolfSSL 12:0217a9463bc3 569 /* The client application traffic label. */
wolfSSL 12:0217a9463bc3 570 static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =
wolfSSL 12:0217a9463bc3 571 "client application traffic secret";
wolfSSL 12:0217a9463bc3 572 /* Derive the client application traffic key.
wolfSSL 12:0217a9463bc3 573 *
wolfSSL 12:0217a9463bc3 574 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 575 * key The derived key.
wolfSSL 12:0217a9463bc3 576 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 577 */
wolfSSL 12:0217a9463bc3 578 static int DeriveClientTrafficSecret(WOLFSSL* ssl, byte* key)
wolfSSL 12:0217a9463bc3 579 {
wolfSSL 12:0217a9463bc3 580 WOLFSSL_MSG("Derive Client Traffic Secret");
wolfSSL 12:0217a9463bc3 581 return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
wolfSSL 12:0217a9463bc3 582 clientAppLabel, CLIENT_APP_LABEL_SZ,
wolfSSL 12:0217a9463bc3 583 ssl->specs.mac_algorithm, 1);
wolfSSL 12:0217a9463bc3 584 }
wolfSSL 12:0217a9463bc3 585
wolfSSL 12:0217a9463bc3 586 /* The length of the server application traffic label. */
wolfSSL 12:0217a9463bc3 587 #define SERVER_APP_LABEL_SZ 33
wolfSSL 12:0217a9463bc3 588 /* The server application traffic label. */
wolfSSL 12:0217a9463bc3 589 static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =
wolfSSL 12:0217a9463bc3 590 "server application traffic secret";
wolfSSL 12:0217a9463bc3 591 /* Derive the server application traffic key.
wolfSSL 12:0217a9463bc3 592 *
wolfSSL 12:0217a9463bc3 593 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 594 * key The derived key.
wolfSSL 12:0217a9463bc3 595 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 596 */
wolfSSL 12:0217a9463bc3 597 static int DeriveServerTrafficSecret(WOLFSSL* ssl, byte* key)
wolfSSL 12:0217a9463bc3 598 {
wolfSSL 12:0217a9463bc3 599 WOLFSSL_MSG("Derive Server Traffic Secret");
wolfSSL 12:0217a9463bc3 600 return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
wolfSSL 12:0217a9463bc3 601 serverAppLabel, SERVER_APP_LABEL_SZ,
wolfSSL 12:0217a9463bc3 602 ssl->specs.mac_algorithm, 1);
wolfSSL 12:0217a9463bc3 603 }
wolfSSL 12:0217a9463bc3 604
wolfSSL 12:0217a9463bc3 605 #ifdef TLS13_SUPPORTS_EXPORTERS
wolfSSL 12:0217a9463bc3 606 /* The length of the exporter master secret label. */
wolfSSL 12:0217a9463bc3 607 #define EXPORTER_MASTER_LABEL_SZ 22
wolfSSL 12:0217a9463bc3 608 /* The exporter master secret label. */
wolfSSL 12:0217a9463bc3 609 static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =
wolfSSL 12:0217a9463bc3 610 "exporter master secret";
wolfSSL 12:0217a9463bc3 611 /* Derive the exporter secret.
wolfSSL 12:0217a9463bc3 612 *
wolfSSL 12:0217a9463bc3 613 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 614 * key The derived key.
wolfSSL 12:0217a9463bc3 615 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 616 */
wolfSSL 12:0217a9463bc3 617 static int DeriveExporterSecret(WOLFSSL* ssl, byte* key)
wolfSSL 12:0217a9463bc3 618 {
wolfSSL 12:0217a9463bc3 619 WOLFSSL_MSG("Derive Exporter Secret");
wolfSSL 12:0217a9463bc3 620 return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
wolfSSL 12:0217a9463bc3 621 exporterMasterLabel, EXPORTER_MASTER_LABEL_SZ,
wolfSSL 12:0217a9463bc3 622 ssl->specs.mac_algorithm, 1);
wolfSSL 12:0217a9463bc3 623 }
wolfSSL 12:0217a9463bc3 624 #endif
wolfSSL 12:0217a9463bc3 625
wolfSSL 12:0217a9463bc3 626 #ifndef NO_PSK
wolfSSL 12:0217a9463bc3 627 /* The length of the resumption master secret label. */
wolfSSL 12:0217a9463bc3 628 #define RESUME_MASTER_LABEL_SZ 24
wolfSSL 12:0217a9463bc3 629 /* The resumption master secret label. */
wolfSSL 12:0217a9463bc3 630 static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
wolfSSL 12:0217a9463bc3 631 "resumption master secret";
wolfSSL 12:0217a9463bc3 632 /* Derive the resumption secret.
wolfSSL 12:0217a9463bc3 633 *
wolfSSL 12:0217a9463bc3 634 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 635 * key The derived key.
wolfSSL 12:0217a9463bc3 636 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 637 */
wolfSSL 12:0217a9463bc3 638 static int DeriveResumptionSecret(WOLFSSL* ssl, byte* key)
wolfSSL 12:0217a9463bc3 639 {
wolfSSL 12:0217a9463bc3 640 WOLFSSL_MSG("Derive Resumption Secret");
wolfSSL 12:0217a9463bc3 641 return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
wolfSSL 12:0217a9463bc3 642 resumeMasterLabel, RESUME_MASTER_LABEL_SZ,
wolfSSL 12:0217a9463bc3 643 ssl->specs.mac_algorithm, 1);
wolfSSL 12:0217a9463bc3 644 }
wolfSSL 12:0217a9463bc3 645 #endif
wolfSSL 12:0217a9463bc3 646
wolfSSL 12:0217a9463bc3 647 /* Length of the finished label. */
wolfSSL 12:0217a9463bc3 648 #define FINISHED_LABEL_SZ 8
wolfSSL 12:0217a9463bc3 649 /* Finished label for generating finished key. */
wolfSSL 12:0217a9463bc3 650 static const byte finishedLabel[FINISHED_LABEL_SZ+1] = "finished";
wolfSSL 12:0217a9463bc3 651 /* Derive the finished secret.
wolfSSL 12:0217a9463bc3 652 *
wolfSSL 12:0217a9463bc3 653 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 654 * key The key to use with the HMAC.
wolfSSL 12:0217a9463bc3 655 * secret The derived secret.
wolfSSL 12:0217a9463bc3 656 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 657 */
wolfSSL 12:0217a9463bc3 658 static int DeriveFinishedSecret(WOLFSSL* ssl, byte* key, byte* secret)
wolfSSL 12:0217a9463bc3 659 {
wolfSSL 12:0217a9463bc3 660 WOLFSSL_MSG("Derive Finished Secret");
wolfSSL 12:0217a9463bc3 661 return DeriveKey(ssl, secret, -1, key, finishedLabel, FINISHED_LABEL_SZ,
wolfSSL 12:0217a9463bc3 662 ssl->specs.mac_algorithm, 0);
wolfSSL 12:0217a9463bc3 663 }
wolfSSL 12:0217a9463bc3 664
wolfSSL 12:0217a9463bc3 665 /* The length of the application traffic label. */
wolfSSL 12:0217a9463bc3 666 #define APP_TRAFFIC_LABEL_SZ 26
wolfSSL 12:0217a9463bc3 667 /* The application traffic label. */
wolfSSL 12:0217a9463bc3 668 static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =
wolfSSL 12:0217a9463bc3 669 "application traffic secret";
wolfSSL 12:0217a9463bc3 670 /* Update the traffic secret.
wolfSSL 12:0217a9463bc3 671 *
wolfSSL 12:0217a9463bc3 672 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 673 * secret The previous secret and derived secret.
wolfSSL 12:0217a9463bc3 674 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 675 */
wolfSSL 12:0217a9463bc3 676 static int DeriveTrafficSecret(WOLFSSL* ssl, byte* secret)
wolfSSL 12:0217a9463bc3 677 {
wolfSSL 12:0217a9463bc3 678 WOLFSSL_MSG("Derive New Application Traffic Secret");
wolfSSL 12:0217a9463bc3 679 return DeriveKeyMsg(ssl, secret, -1, secret,
wolfSSL 12:0217a9463bc3 680 appTrafficLabel, APP_TRAFFIC_LABEL_SZ,
wolfSSL 12:0217a9463bc3 681 NULL, 0, ssl->specs.mac_algorithm);
wolfSSL 12:0217a9463bc3 682 }
wolfSSL 12:0217a9463bc3 683
wolfSSL 12:0217a9463bc3 684 /* Derive the early secret using HKDF Extract.
wolfSSL 12:0217a9463bc3 685 *
wolfSSL 12:0217a9463bc3 686 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 687 */
wolfSSL 12:0217a9463bc3 688 static int DeriveEarlySecret(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 689 {
wolfSSL 12:0217a9463bc3 690 WOLFSSL_MSG("Derive Early Secret");
wolfSSL 12:0217a9463bc3 691 #ifndef NO_PSK
wolfSSL 12:0217a9463bc3 692 return Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0,
wolfSSL 12:0217a9463bc3 693 ssl->arrays->psk_key, ssl->arrays->psk_keySz,
wolfSSL 12:0217a9463bc3 694 ssl->specs.mac_algorithm);
wolfSSL 12:0217a9463bc3 695 #else
wolfSSL 12:0217a9463bc3 696 return Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0,
wolfSSL 12:0217a9463bc3 697 ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm);
wolfSSL 12:0217a9463bc3 698 #endif
wolfSSL 12:0217a9463bc3 699 }
wolfSSL 12:0217a9463bc3 700
wolfSSL 12:0217a9463bc3 701 /* Derive the handshake secret using HKDF Extract.
wolfSSL 12:0217a9463bc3 702 *
wolfSSL 12:0217a9463bc3 703 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 704 */
wolfSSL 12:0217a9463bc3 705 static int DeriveHandshakeSecret(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 706 {
wolfSSL 12:0217a9463bc3 707 WOLFSSL_MSG("Derive Handshake Secret");
wolfSSL 12:0217a9463bc3 708 return Tls13_HKDF_Extract(ssl->arrays->preMasterSecret,
wolfSSL 12:0217a9463bc3 709 ssl->arrays->secret, ssl->specs.hash_size,
wolfSSL 12:0217a9463bc3 710 ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
wolfSSL 12:0217a9463bc3 711 ssl->specs.mac_algorithm);
wolfSSL 12:0217a9463bc3 712 }
wolfSSL 12:0217a9463bc3 713
wolfSSL 12:0217a9463bc3 714 /* Derive the master secret using HKDF Extract.
wolfSSL 12:0217a9463bc3 715 *
wolfSSL 12:0217a9463bc3 716 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 717 */
wolfSSL 12:0217a9463bc3 718 static int DeriveMasterSecret(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 719 {
wolfSSL 12:0217a9463bc3 720 WOLFSSL_MSG("Derive Master Secret");
wolfSSL 12:0217a9463bc3 721 return Tls13_HKDF_Extract(ssl->arrays->masterSecret,
wolfSSL 12:0217a9463bc3 722 ssl->arrays->preMasterSecret, ssl->specs.hash_size,
wolfSSL 12:0217a9463bc3 723 ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm);
wolfSSL 12:0217a9463bc3 724 }
wolfSSL 12:0217a9463bc3 725
wolfSSL 12:0217a9463bc3 726 /* Calculate the HMAC of message data to this point.
wolfSSL 12:0217a9463bc3 727 *
wolfSSL 12:0217a9463bc3 728 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 729 * key The HMAC key.
wolfSSL 12:0217a9463bc3 730 * hash The hash result - verify data.
wolfSSL 12:0217a9463bc3 731 * returns length of verify data generated.
wolfSSL 12:0217a9463bc3 732 */
wolfSSL 12:0217a9463bc3 733 static int BuildTls13HandshakeHmac(WOLFSSL* ssl, byte* key, byte* hash)
wolfSSL 12:0217a9463bc3 734 {
wolfSSL 12:0217a9463bc3 735 Hmac verifyHmac;
wolfSSL 12:0217a9463bc3 736 int hashType = SHA256;
wolfSSL 12:0217a9463bc3 737 int hashSz = SHA256_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 738
wolfSSL 12:0217a9463bc3 739 /* Get the hash of the previous handshake messages. */
wolfSSL 12:0217a9463bc3 740 switch (ssl->specs.mac_algorithm) {
wolfSSL 12:0217a9463bc3 741 #ifndef NO_SHA256
wolfSSL 12:0217a9463bc3 742 case sha256_mac:
wolfSSL 12:0217a9463bc3 743 hashType = SHA256;
wolfSSL 12:0217a9463bc3 744 hashSz = SHA256_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 745 wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
wolfSSL 12:0217a9463bc3 746 break;
wolfSSL 12:0217a9463bc3 747 #endif /* !NO_SHA256 */
wolfSSL 12:0217a9463bc3 748 #ifdef WOLFSSL_SHA384
wolfSSL 12:0217a9463bc3 749 case sha384_mac:
wolfSSL 12:0217a9463bc3 750 hashType = SHA384;
wolfSSL 12:0217a9463bc3 751 hashSz = SHA384_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 752 wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
wolfSSL 12:0217a9463bc3 753 break;
wolfSSL 12:0217a9463bc3 754 #endif /* WOLFSSL_SHA384 */
wolfSSL 12:0217a9463bc3 755 #ifdef WOLFSSL_SHA512
wolfSSL 12:0217a9463bc3 756 case sha512_mac:
wolfSSL 12:0217a9463bc3 757 hashType = SHA512;
wolfSSL 12:0217a9463bc3 758 hashSz = SHA512_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 759 wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
wolfSSL 12:0217a9463bc3 760 break;
wolfSSL 12:0217a9463bc3 761 #endif /* WOLFSSL_SHA512 */
wolfSSL 12:0217a9463bc3 762 }
wolfSSL 12:0217a9463bc3 763
wolfSSL 12:0217a9463bc3 764 /* Calculate the verify data. */
wolfSSL 12:0217a9463bc3 765 wc_HmacSetKey(&verifyHmac, hashType, key, ssl->specs.hash_size);
wolfSSL 12:0217a9463bc3 766 wc_HmacUpdate(&verifyHmac, hash, hashSz);
wolfSSL 12:0217a9463bc3 767 wc_HmacFinal(&verifyHmac, hash);
wolfSSL 12:0217a9463bc3 768
wolfSSL 12:0217a9463bc3 769 return hashSz;
wolfSSL 12:0217a9463bc3 770 }
wolfSSL 12:0217a9463bc3 771
wolfSSL 12:0217a9463bc3 772 /* The length of the label to use when deriving keys. */
wolfSSL 12:0217a9463bc3 773 #define WRITE_KEY_LABEL_SZ 3
wolfSSL 12:0217a9463bc3 774 /* The length of the label to use when deriving IVs. */
wolfSSL 12:0217a9463bc3 775 #define WRITE_IV_LABEL_SZ 2
wolfSSL 12:0217a9463bc3 776 /* The label to use when deriving keys. */
wolfSSL 12:0217a9463bc3 777 static const byte writeKeyLabel[WRITE_KEY_LABEL_SZ+1] = "key";
wolfSSL 12:0217a9463bc3 778 /* The label to use when deriving IVs. */
wolfSSL 12:0217a9463bc3 779 static const byte writeIVLabel[WRITE_IV_LABEL_SZ+1] = "iv";
wolfSSL 12:0217a9463bc3 780
wolfSSL 12:0217a9463bc3 781 /* Derive the keys and IVs for TLS v1.3.
wolfSSL 12:0217a9463bc3 782 *
wolfSSL 12:0217a9463bc3 783 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 784 * sercret handshake_key when deriving keys and IVs for encrypting handshake
wolfSSL 12:0217a9463bc3 785 * messages.
wolfSSL 12:0217a9463bc3 786 * traffic_key when deriving first keys and IVs for encrypting
wolfSSL 12:0217a9463bc3 787 * traffic messages.
wolfSSL 12:0217a9463bc3 788 * update_traffic_key when deriving next keys and IVs for encrypting
wolfSSL 12:0217a9463bc3 789 * traffic messages.
wolfSSL 12:0217a9463bc3 790 * side ENCRYPT_SIDE_ONLY when only encryption secret needs to be derived.
wolfSSL 12:0217a9463bc3 791 * DECRYPT_SIDE_ONLY when only decryption secret needs to be derived.
wolfSSL 12:0217a9463bc3 792 * ENCRYPT_AND_DECRYPT_SIDE when both secret needs to be derived.
wolfSSL 12:0217a9463bc3 793 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 794 */
wolfSSL 12:0217a9463bc3 795 static int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side)
wolfSSL 12:0217a9463bc3 796 {
wolfSSL 12:0217a9463bc3 797 int ret;
wolfSSL 12:0217a9463bc3 798 int i = 0;
wolfSSL 12:0217a9463bc3 799 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 12:0217a9463bc3 800 byte* key_data;
wolfSSL 12:0217a9463bc3 801 #else
wolfSSL 12:0217a9463bc3 802 byte key_data[MAX_PRF_DIG];
wolfSSL 12:0217a9463bc3 803 #endif
wolfSSL 12:0217a9463bc3 804 int deriveClient = 0;
wolfSSL 12:0217a9463bc3 805 int deriveServer = 0;
wolfSSL 12:0217a9463bc3 806
wolfSSL 12:0217a9463bc3 807 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 12:0217a9463bc3 808 key_data = (byte*)XMALLOC(MAX_PRF_DIG, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 12:0217a9463bc3 809 if (key_data == NULL)
wolfSSL 12:0217a9463bc3 810 return MEMORY_E;
wolfSSL 12:0217a9463bc3 811 #endif
wolfSSL 12:0217a9463bc3 812
wolfSSL 12:0217a9463bc3 813 if (side == ENCRYPT_AND_DECRYPT_SIDE) {
wolfSSL 12:0217a9463bc3 814 deriveClient = 1;
wolfSSL 12:0217a9463bc3 815 deriveServer = 1;
wolfSSL 12:0217a9463bc3 816 }
wolfSSL 12:0217a9463bc3 817 else {
wolfSSL 12:0217a9463bc3 818 deriveClient = (ssl->options.side != WOLFSSL_CLIENT_END) ^
wolfSSL 12:0217a9463bc3 819 (side == ENCRYPT_SIDE_ONLY);
wolfSSL 12:0217a9463bc3 820 deriveServer = !deriveClient;
wolfSSL 12:0217a9463bc3 821 }
wolfSSL 12:0217a9463bc3 822
wolfSSL 12:0217a9463bc3 823 /* Derive the appropriate secret to use in the HKDF. */
wolfSSL 12:0217a9463bc3 824 switch (secret) {
wolfSSL 12:0217a9463bc3 825 case handshake_key:
wolfSSL 12:0217a9463bc3 826 if (deriveClient) {
wolfSSL 12:0217a9463bc3 827 ret = DeriveClientHandshakeSecret(ssl,
wolfSSL 12:0217a9463bc3 828 ssl->arrays->clientSecret);
wolfSSL 12:0217a9463bc3 829 if (ret != 0)
wolfSSL 12:0217a9463bc3 830 goto end;
wolfSSL 12:0217a9463bc3 831 }
wolfSSL 12:0217a9463bc3 832 if (deriveServer) {
wolfSSL 12:0217a9463bc3 833 ret = DeriveServerHandshakeSecret(ssl,
wolfSSL 12:0217a9463bc3 834 ssl->arrays->serverSecret);
wolfSSL 12:0217a9463bc3 835 if (ret != 0)
wolfSSL 12:0217a9463bc3 836 goto end;
wolfSSL 12:0217a9463bc3 837 }
wolfSSL 12:0217a9463bc3 838 break;
wolfSSL 12:0217a9463bc3 839
wolfSSL 12:0217a9463bc3 840 case traffic_key:
wolfSSL 12:0217a9463bc3 841 if (deriveClient) {
wolfSSL 12:0217a9463bc3 842 ret = DeriveClientTrafficSecret(ssl, ssl->arrays->clientSecret);
wolfSSL 12:0217a9463bc3 843 if (ret != 0)
wolfSSL 12:0217a9463bc3 844 goto end;
wolfSSL 12:0217a9463bc3 845 }
wolfSSL 12:0217a9463bc3 846 if (deriveServer) {
wolfSSL 12:0217a9463bc3 847 ret = DeriveServerTrafficSecret(ssl, ssl->arrays->serverSecret);
wolfSSL 12:0217a9463bc3 848 if (ret != 0)
wolfSSL 12:0217a9463bc3 849 goto end;
wolfSSL 12:0217a9463bc3 850 }
wolfSSL 12:0217a9463bc3 851 break;
wolfSSL 12:0217a9463bc3 852
wolfSSL 12:0217a9463bc3 853 case update_traffic_key:
wolfSSL 12:0217a9463bc3 854 if (deriveClient) {
wolfSSL 12:0217a9463bc3 855 ret = DeriveTrafficSecret(ssl, ssl->arrays->clientSecret);
wolfSSL 12:0217a9463bc3 856 if (ret != 0)
wolfSSL 12:0217a9463bc3 857 goto end;
wolfSSL 12:0217a9463bc3 858 }
wolfSSL 12:0217a9463bc3 859 if (deriveServer) {
wolfSSL 12:0217a9463bc3 860 ret = DeriveTrafficSecret(ssl, ssl->arrays->serverSecret);
wolfSSL 12:0217a9463bc3 861 if (ret != 0)
wolfSSL 12:0217a9463bc3 862 goto end;
wolfSSL 12:0217a9463bc3 863 }
wolfSSL 12:0217a9463bc3 864 break;
wolfSSL 12:0217a9463bc3 865 }
wolfSSL 12:0217a9463bc3 866
wolfSSL 12:0217a9463bc3 867 /* Key data = client key | server key | client IV | server IV */
wolfSSL 12:0217a9463bc3 868
wolfSSL 12:0217a9463bc3 869 /* Derive the client key. */
wolfSSL 12:0217a9463bc3 870 WOLFSSL_MSG("Derive Client Key");
wolfSSL 12:0217a9463bc3 871 ret = DeriveKey(ssl, &key_data[i], ssl->specs.key_size,
wolfSSL 12:0217a9463bc3 872 ssl->arrays->clientSecret, writeKeyLabel,
wolfSSL 12:0217a9463bc3 873 WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0);
wolfSSL 12:0217a9463bc3 874 if (ret != 0)
wolfSSL 12:0217a9463bc3 875 goto end;
wolfSSL 12:0217a9463bc3 876 i += ssl->specs.key_size;
wolfSSL 12:0217a9463bc3 877
wolfSSL 12:0217a9463bc3 878 /* Derive the server key. */
wolfSSL 12:0217a9463bc3 879 WOLFSSL_MSG("Derive Server Key");
wolfSSL 12:0217a9463bc3 880 ret = DeriveKey(ssl, &key_data[i], ssl->specs.key_size,
wolfSSL 12:0217a9463bc3 881 ssl->arrays->serverSecret, writeKeyLabel,
wolfSSL 12:0217a9463bc3 882 WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0);
wolfSSL 12:0217a9463bc3 883 if (ret != 0)
wolfSSL 12:0217a9463bc3 884 goto end;
wolfSSL 12:0217a9463bc3 885 i += ssl->specs.key_size;
wolfSSL 12:0217a9463bc3 886
wolfSSL 12:0217a9463bc3 887 /* Derive the client IV. */
wolfSSL 12:0217a9463bc3 888 WOLFSSL_MSG("Derive Client IV");
wolfSSL 12:0217a9463bc3 889 ret = DeriveKey(ssl, &key_data[i], ssl->specs.iv_size,
wolfSSL 12:0217a9463bc3 890 ssl->arrays->clientSecret, writeIVLabel, WRITE_IV_LABEL_SZ,
wolfSSL 12:0217a9463bc3 891 ssl->specs.mac_algorithm, 0);
wolfSSL 12:0217a9463bc3 892 if (ret != 0)
wolfSSL 12:0217a9463bc3 893 goto end;
wolfSSL 12:0217a9463bc3 894 i += ssl->specs.iv_size;
wolfSSL 12:0217a9463bc3 895
wolfSSL 12:0217a9463bc3 896 /* Derive the server IV. */
wolfSSL 12:0217a9463bc3 897 WOLFSSL_MSG("Derive Server IV");
wolfSSL 12:0217a9463bc3 898 ret = DeriveKey(ssl, &key_data[i], ssl->specs.iv_size,
wolfSSL 12:0217a9463bc3 899 ssl->arrays->serverSecret, writeIVLabel, WRITE_IV_LABEL_SZ,
wolfSSL 12:0217a9463bc3 900 ssl->specs.mac_algorithm, 0);
wolfSSL 12:0217a9463bc3 901 if (ret != 0)
wolfSSL 12:0217a9463bc3 902 goto end;
wolfSSL 12:0217a9463bc3 903
wolfSSL 12:0217a9463bc3 904 /* Store keys and IVs but don't activate them. */
wolfSSL 12:0217a9463bc3 905 ret = StoreKeys(ssl, key_data);
wolfSSL 12:0217a9463bc3 906
wolfSSL 12:0217a9463bc3 907 end:
wolfSSL 12:0217a9463bc3 908 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 12:0217a9463bc3 909 XFREE(key_data, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 12:0217a9463bc3 910 #endif
wolfSSL 12:0217a9463bc3 911
wolfSSL 12:0217a9463bc3 912 return ret;
wolfSSL 12:0217a9463bc3 913 }
wolfSSL 12:0217a9463bc3 914
wolfSSL 12:0217a9463bc3 915 #if defined(HAVE_SESSION_TICKET)
wolfSSL 12:0217a9463bc3 916 #if defined(USER_TICKS)
wolfSSL 12:0217a9463bc3 917 #if 0
wolfSSL 12:0217a9463bc3 918 word32 TimeNowInMilliseconds(void)
wolfSSL 12:0217a9463bc3 919 {
wolfSSL 12:0217a9463bc3 920 /*
wolfSSL 12:0217a9463bc3 921 write your own clock tick function if don't want gettimeofday()
wolfSSL 12:0217a9463bc3 922 needs millisecond accuracy but doesn't have to correlated to EPOCH
wolfSSL 12:0217a9463bc3 923 */
wolfSSL 12:0217a9463bc3 924 }
wolfSSL 12:0217a9463bc3 925 #endif
wolfSSL 12:0217a9463bc3 926
wolfSSL 12:0217a9463bc3 927 #elif defined(TIME_OVERRIDES)
wolfSSL 12:0217a9463bc3 928 #ifndef HAVE_TIME_T_TYPE
wolfSSL 12:0217a9463bc3 929 typedef long time_t;
wolfSSL 12:0217a9463bc3 930 #endif
wolfSSL 12:0217a9463bc3 931 extern time_t XTIME(time_t * timer);
wolfSSL 12:0217a9463bc3 932
wolfSSL 12:0217a9463bc3 933 /* The time in milliseconds.
wolfSSL 12:0217a9463bc3 934 * Used for tickets to represent difference between when first seen and when
wolfSSL 12:0217a9463bc3 935 * sending.
wolfSSL 12:0217a9463bc3 936 *
wolfSSL 12:0217a9463bc3 937 * returns the time in milliseconds as a 32-bit value.
wolfSSL 12:0217a9463bc3 938 */
wolfSSL 12:0217a9463bc3 939 word32 TimeNowInMilliseconds(void)
wolfSSL 12:0217a9463bc3 940 {
wolfSSL 12:0217a9463bc3 941 return (word32) XTIME(0) * 1000;
wolfSSL 12:0217a9463bc3 942 }
wolfSSL 12:0217a9463bc3 943 #elif defined(USE_WINDOWS_API)
wolfSSL 12:0217a9463bc3 944 /* The time in milliseconds.
wolfSSL 12:0217a9463bc3 945 * Used for tickets to represent difference between when first seen and when
wolfSSL 12:0217a9463bc3 946 * sending.
wolfSSL 12:0217a9463bc3 947 *
wolfSSL 12:0217a9463bc3 948 * returns the time in milliseconds as a 32-bit value.
wolfSSL 12:0217a9463bc3 949 */
wolfSSL 12:0217a9463bc3 950 word32 TimeNowInMilliseconds(void)
wolfSSL 12:0217a9463bc3 951 {
wolfSSL 12:0217a9463bc3 952 static int init = 0;
wolfSSL 12:0217a9463bc3 953 static LARGE_INTEGER freq;
wolfSSL 12:0217a9463bc3 954 LARGE_INTEGER count;
wolfSSL 12:0217a9463bc3 955
wolfSSL 12:0217a9463bc3 956 if (!init) {
wolfSSL 12:0217a9463bc3 957 QueryPerformanceFrequency(&freq);
wolfSSL 12:0217a9463bc3 958 init = 1;
wolfSSL 12:0217a9463bc3 959 }
wolfSSL 12:0217a9463bc3 960
wolfSSL 12:0217a9463bc3 961 QueryPerformanceCounter(&count);
wolfSSL 12:0217a9463bc3 962
wolfSSL 12:0217a9463bc3 963 return (word32)(count.QuadPart / (freq.QuadPart / 1000));
wolfSSL 12:0217a9463bc3 964 }
wolfSSL 12:0217a9463bc3 965
wolfSSL 12:0217a9463bc3 966 #elif defined(HAVE_RTP_SYS)
wolfSSL 12:0217a9463bc3 967 #include "rtptime.h"
wolfSSL 12:0217a9463bc3 968
wolfSSL 12:0217a9463bc3 969 /* The time in milliseconds.
wolfSSL 12:0217a9463bc3 970 * Used for tickets to represent difference between when first seen and when
wolfSSL 12:0217a9463bc3 971 * sending.
wolfSSL 12:0217a9463bc3 972 *
wolfSSL 12:0217a9463bc3 973 * returns the time in milliseconds as a 32-bit value.
wolfSSL 12:0217a9463bc3 974 */
wolfSSL 12:0217a9463bc3 975 word32 TimeNowInMilliseconds(void)
wolfSSL 12:0217a9463bc3 976 {
wolfSSL 12:0217a9463bc3 977 return (word32)rtp_get_system_sec() * 1000;
wolfSSL 12:0217a9463bc3 978 }
wolfSSL 12:0217a9463bc3 979 #elif defined(MICRIUM)
wolfSSL 12:0217a9463bc3 980 /* The time in milliseconds.
wolfSSL 12:0217a9463bc3 981 * Used for tickets to represent difference between when first seen and when
wolfSSL 12:0217a9463bc3 982 * sending.
wolfSSL 12:0217a9463bc3 983 *
wolfSSL 12:0217a9463bc3 984 * returns the time in milliseconds as a 32-bit value.
wolfSSL 12:0217a9463bc3 985 */
wolfSSL 12:0217a9463bc3 986 word32 TimeNowInMilliseconds(void)
wolfSSL 12:0217a9463bc3 987 {
wolfSSL 12:0217a9463bc3 988 NET_SECURE_OS_TICK clk = 0;
wolfSSL 12:0217a9463bc3 989
wolfSSL 12:0217a9463bc3 990 #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
wolfSSL 12:0217a9463bc3 991 clk = NetSecure_OS_TimeGet();
wolfSSL 12:0217a9463bc3 992 #endif
wolfSSL 12:0217a9463bc3 993 return (word32)clk * 1000;
wolfSSL 12:0217a9463bc3 994 }
wolfSSL 12:0217a9463bc3 995 #elif defined(MICROCHIP_TCPIP_V5)
wolfSSL 12:0217a9463bc3 996 /* The time in milliseconds.
wolfSSL 12:0217a9463bc3 997 * Used for tickets to represent difference between when first seen and when
wolfSSL 12:0217a9463bc3 998 * sending.
wolfSSL 12:0217a9463bc3 999 *
wolfSSL 12:0217a9463bc3 1000 * returns the time in milliseconds as a 32-bit value.
wolfSSL 12:0217a9463bc3 1001 */
wolfSSL 12:0217a9463bc3 1002 word32 TimeNowInMilliseconds(void)
wolfSSL 12:0217a9463bc3 1003 {
wolfSSL 12:0217a9463bc3 1004 return (word32) (TickGet() / (TICKS_PER_SECOND / 1000));
wolfSSL 12:0217a9463bc3 1005 }
wolfSSL 12:0217a9463bc3 1006 #elif defined(MICROCHIP_TCPIP)
wolfSSL 12:0217a9463bc3 1007 #if defined(MICROCHIP_MPLAB_HARMONY)
wolfSSL 12:0217a9463bc3 1008 #include <system/tmr/sys_tmr.h>
wolfSSL 12:0217a9463bc3 1009
wolfSSL 12:0217a9463bc3 1010 /* The time in milliseconds.
wolfSSL 12:0217a9463bc3 1011 * Used for tickets to represent difference between when first seen and when
wolfSSL 12:0217a9463bc3 1012 * sending.
wolfSSL 12:0217a9463bc3 1013 *
wolfSSL 12:0217a9463bc3 1014 * returns the time in milliseconds as a 32-bit value.
wolfSSL 12:0217a9463bc3 1015 */
wolfSSL 12:0217a9463bc3 1016 word32 TimeNowInMilliseconds(void)
wolfSSL 12:0217a9463bc3 1017 {
wolfSSL 12:0217a9463bc3 1018 return (word32) (SYS_TMR_TickCountGet() /
wolfSSL 12:0217a9463bc3 1019 (SYS_TMR_TickCounterFrequencyGet() / 1000));
wolfSSL 12:0217a9463bc3 1020 }
wolfSSL 12:0217a9463bc3 1021 #else
wolfSSL 12:0217a9463bc3 1022 /* The time in milliseconds.
wolfSSL 12:0217a9463bc3 1023 * Used for tickets to represent difference between when first seen and when
wolfSSL 12:0217a9463bc3 1024 * sending.
wolfSSL 12:0217a9463bc3 1025 *
wolfSSL 12:0217a9463bc3 1026 * returns the time in milliseconds as a 32-bit value.
wolfSSL 12:0217a9463bc3 1027 */
wolfSSL 12:0217a9463bc3 1028 word32 TimeNowInMilliseconds(void)
wolfSSL 12:0217a9463bc3 1029 {
wolfSSL 12:0217a9463bc3 1030 return (word32) (SYS_TICK_Get() / (SYS_TICK_TicksPerSecondGet() / 1000));
wolfSSL 12:0217a9463bc3 1031 }
wolfSSL 12:0217a9463bc3 1032
wolfSSL 12:0217a9463bc3 1033 #endif
wolfSSL 12:0217a9463bc3 1034
wolfSSL 12:0217a9463bc3 1035 #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 12:0217a9463bc3 1036 /* The time in milliseconds.
wolfSSL 12:0217a9463bc3 1037 * Used for tickets to represent difference between when first seen and when
wolfSSL 12:0217a9463bc3 1038 * sending.
wolfSSL 12:0217a9463bc3 1039 *
wolfSSL 12:0217a9463bc3 1040 * returns the time in milliseconds as a 32-bit value.
wolfSSL 12:0217a9463bc3 1041 */
wolfSSL 12:0217a9463bc3 1042 word32 TimeNowInMilliseconds(void)
wolfSSL 12:0217a9463bc3 1043 {
wolfSSL 12:0217a9463bc3 1044 TIME_STRUCT mqxTime;
wolfSSL 12:0217a9463bc3 1045
wolfSSL 12:0217a9463bc3 1046 _time_get_elapsed(&mqxTime);
wolfSSL 12:0217a9463bc3 1047
wolfSSL 12:0217a9463bc3 1048 return (word32) mqxTime.SECONDS * 1000;
wolfSSL 12:0217a9463bc3 1049 }
wolfSSL 12:0217a9463bc3 1050 #elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
wolfSSL 12:0217a9463bc3 1051 #include "include/task.h"
wolfSSL 12:0217a9463bc3 1052
wolfSSL 12:0217a9463bc3 1053 /* The time in milliseconds.
wolfSSL 12:0217a9463bc3 1054 * Used for tickets to represent difference between when first seen and when
wolfSSL 12:0217a9463bc3 1055 * sending.
wolfSSL 12:0217a9463bc3 1056 *
wolfSSL 12:0217a9463bc3 1057 * returns the time in milliseconds as a 32-bit value.
wolfSSL 12:0217a9463bc3 1058 */
wolfSSL 12:0217a9463bc3 1059 word32 TimeNowInMilliseconds(void)
wolfSSL 12:0217a9463bc3 1060 {
wolfSSL 12:0217a9463bc3 1061 return (unsigned int)(((float)xTaskGetTickCount()) /
wolfSSL 12:0217a9463bc3 1062 (configTICK_RATE_HZ / 1000));
wolfSSL 12:0217a9463bc3 1063 }
wolfSSL 12:0217a9463bc3 1064 #elif defined(FREESCALE_KSDK_BM)
wolfSSL 12:0217a9463bc3 1065 #include "lwip/sys.h" /* lwIP */
wolfSSL 12:0217a9463bc3 1066
wolfSSL 12:0217a9463bc3 1067 /* The time in milliseconds.
wolfSSL 12:0217a9463bc3 1068 * Used for tickets to represent difference between when first seen and when
wolfSSL 12:0217a9463bc3 1069 * sending.
wolfSSL 12:0217a9463bc3 1070 *
wolfSSL 12:0217a9463bc3 1071 * returns the time in milliseconds as a 32-bit value.
wolfSSL 12:0217a9463bc3 1072 */
wolfSSL 12:0217a9463bc3 1073 word32 TimeNowInMilliseconds(void)
wolfSSL 12:0217a9463bc3 1074 {
wolfSSL 12:0217a9463bc3 1075 return sys_now();
wolfSSL 12:0217a9463bc3 1076 }
wolfSSL 12:0217a9463bc3 1077 #elif defined(WOLFSSL_TIRTOS)
wolfSSL 12:0217a9463bc3 1078 /* The time in milliseconds.
wolfSSL 12:0217a9463bc3 1079 * Used for tickets to represent difference between when first seen and when
wolfSSL 12:0217a9463bc3 1080 * sending.
wolfSSL 12:0217a9463bc3 1081 *
wolfSSL 12:0217a9463bc3 1082 * returns the time in milliseconds as a 32-bit value.
wolfSSL 12:0217a9463bc3 1083 */
wolfSSL 12:0217a9463bc3 1084 word32 TimeNowInMilliseconds(void)
wolfSSL 12:0217a9463bc3 1085 {
wolfSSL 12:0217a9463bc3 1086 return (word32) Seconds_get() * 1000;
wolfSSL 12:0217a9463bc3 1087 }
wolfSSL 12:0217a9463bc3 1088 #elif defined(WOLFSSL_UTASKER)
wolfSSL 12:0217a9463bc3 1089 /* The time in milliseconds.
wolfSSL 12:0217a9463bc3 1090 * Used for tickets to represent difference between when first seen and when
wolfSSL 12:0217a9463bc3 1091 * sending.
wolfSSL 12:0217a9463bc3 1092 *
wolfSSL 12:0217a9463bc3 1093 * returns the time in milliseconds as a 32-bit value.
wolfSSL 12:0217a9463bc3 1094 */
wolfSSL 12:0217a9463bc3 1095 word32 TimeNowInMilliseconds(void)
wolfSSL 12:0217a9463bc3 1096 {
wolfSSL 12:0217a9463bc3 1097 return (word32)(uTaskerSystemTick / (TICK_RESOLUTION / 1000));
wolfSSL 12:0217a9463bc3 1098 }
wolfSSL 12:0217a9463bc3 1099 #else
wolfSSL 12:0217a9463bc3 1100 /* The time in milliseconds.
wolfSSL 12:0217a9463bc3 1101 * Used for tickets to represent difference between when first seen and when
wolfSSL 12:0217a9463bc3 1102 * sending.
wolfSSL 12:0217a9463bc3 1103 *
wolfSSL 12:0217a9463bc3 1104 * returns the time in milliseconds as a 32-bit value.
wolfSSL 12:0217a9463bc3 1105 */
wolfSSL 12:0217a9463bc3 1106 word32 TimeNowInMilliseconds(void)
wolfSSL 12:0217a9463bc3 1107 {
wolfSSL 12:0217a9463bc3 1108 struct timeval now;
wolfSSL 12:0217a9463bc3 1109
wolfSSL 12:0217a9463bc3 1110 if (gettimeofday(&now, 0) < 0)
wolfSSL 12:0217a9463bc3 1111 return GETTIME_ERROR;
wolfSSL 12:0217a9463bc3 1112 /* Convert to milliseconds number. */
wolfSSL 12:0217a9463bc3 1113 return (word32)(now.tv_sec * 1000 + now.tv_usec / 1000);
wolfSSL 12:0217a9463bc3 1114 }
wolfSSL 12:0217a9463bc3 1115 #endif
wolfSSL 12:0217a9463bc3 1116 #endif /* HAVE_SESSION_TICKET */
wolfSSL 12:0217a9463bc3 1117
wolfSSL 12:0217a9463bc3 1118
wolfSSL 12:0217a9463bc3 1119 #if !defined(NO_WOLFSSL_SERVER) && (defined(HAVE_SESSION_TICKET) && \
wolfSSL 12:0217a9463bc3 1120 !defined(NO_PSK))
wolfSSL 12:0217a9463bc3 1121 /* Add input to all handshake hashes.
wolfSSL 12:0217a9463bc3 1122 *
wolfSSL 12:0217a9463bc3 1123 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1124 * input The data to hash.
wolfSSL 12:0217a9463bc3 1125 * sz The size of the data to hash.
wolfSSL 12:0217a9463bc3 1126 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 1127 */
wolfSSL 12:0217a9463bc3 1128 static int HashInputRaw(WOLFSSL* ssl, const byte* input, int sz)
wolfSSL 12:0217a9463bc3 1129 {
wolfSSL 12:0217a9463bc3 1130 int ret = 0;
wolfSSL 12:0217a9463bc3 1131
wolfSSL 12:0217a9463bc3 1132 #ifndef NO_OLD_TLS
wolfSSL 12:0217a9463bc3 1133 #ifndef NO_SHA
wolfSSL 12:0217a9463bc3 1134 wc_ShaUpdate(&ssl->hsHashes->hashSha, input, sz);
wolfSSL 12:0217a9463bc3 1135 #endif
wolfSSL 12:0217a9463bc3 1136 #ifndef NO_MD5
wolfSSL 12:0217a9463bc3 1137 wc_Md5Update(&ssl->hsHashes->hashMd5, input, sz);
wolfSSL 12:0217a9463bc3 1138 #endif
wolfSSL 12:0217a9463bc3 1139 #endif
wolfSSL 12:0217a9463bc3 1140
wolfSSL 12:0217a9463bc3 1141 #ifndef NO_SHA256
wolfSSL 12:0217a9463bc3 1142 ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, input, sz);
wolfSSL 12:0217a9463bc3 1143 if (ret != 0)
wolfSSL 12:0217a9463bc3 1144 return ret;
wolfSSL 12:0217a9463bc3 1145 #endif
wolfSSL 12:0217a9463bc3 1146 #ifdef WOLFSSL_SHA384
wolfSSL 12:0217a9463bc3 1147 ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, input, sz);
wolfSSL 12:0217a9463bc3 1148 if (ret != 0)
wolfSSL 12:0217a9463bc3 1149 return ret;
wolfSSL 12:0217a9463bc3 1150 #endif
wolfSSL 12:0217a9463bc3 1151 #ifdef WOLFSSL_SHA512
wolfSSL 12:0217a9463bc3 1152 ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, input, sz);
wolfSSL 12:0217a9463bc3 1153 if (ret != 0)
wolfSSL 12:0217a9463bc3 1154 return ret;
wolfSSL 12:0217a9463bc3 1155 #endif
wolfSSL 12:0217a9463bc3 1156
wolfSSL 12:0217a9463bc3 1157 return ret;
wolfSSL 12:0217a9463bc3 1158 }
wolfSSL 12:0217a9463bc3 1159 #endif
wolfSSL 12:0217a9463bc3 1160
wolfSSL 12:0217a9463bc3 1161 /* Extract the handshake header information.
wolfSSL 12:0217a9463bc3 1162 *
wolfSSL 12:0217a9463bc3 1163 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1164 * input The buffer holding the message data.
wolfSSL 12:0217a9463bc3 1165 * inOutIdx On entry, the index into the buffer of the handshake data.
wolfSSL 12:0217a9463bc3 1166 * On exit, the start of the hanshake data.
wolfSSL 12:0217a9463bc3 1167 * type Type of handshake message.
wolfSSL 12:0217a9463bc3 1168 * size The length of the handshake message data.
wolfSSL 12:0217a9463bc3 1169 * totalSz The total size of data in the buffer.
wolfSSL 12:0217a9463bc3 1170 * returns BUFFER_E if there is not enough input data and 0 on success.
wolfSSL 12:0217a9463bc3 1171 */
wolfSSL 12:0217a9463bc3 1172 static int GetHandshakeHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
wolfSSL 12:0217a9463bc3 1173 byte *type, word32 *size, word32 totalSz)
wolfSSL 12:0217a9463bc3 1174 {
wolfSSL 12:0217a9463bc3 1175 const byte *ptr = input + *inOutIdx;
wolfSSL 12:0217a9463bc3 1176 (void)ssl;
wolfSSL 12:0217a9463bc3 1177
wolfSSL 12:0217a9463bc3 1178 *inOutIdx += HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 1179 if (*inOutIdx > totalSz)
wolfSSL 12:0217a9463bc3 1180 return BUFFER_E;
wolfSSL 12:0217a9463bc3 1181
wolfSSL 12:0217a9463bc3 1182 *type = ptr[0];
wolfSSL 12:0217a9463bc3 1183 c24to32(&ptr[1], size);
wolfSSL 12:0217a9463bc3 1184
wolfSSL 12:0217a9463bc3 1185 return 0;
wolfSSL 12:0217a9463bc3 1186 }
wolfSSL 12:0217a9463bc3 1187
wolfSSL 12:0217a9463bc3 1188 /* Add record layer header to message.
wolfSSL 12:0217a9463bc3 1189 *
wolfSSL 12:0217a9463bc3 1190 * output The buffer to write the record layer header into.
wolfSSL 12:0217a9463bc3 1191 * length The length of the record data.
wolfSSL 12:0217a9463bc3 1192 * type The type of record message.
wolfSSL 12:0217a9463bc3 1193 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1194 */
wolfSSL 12:0217a9463bc3 1195 static void AddTls13RecordHeader(byte* output, word32 length, byte type,
wolfSSL 12:0217a9463bc3 1196 WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 1197 {
wolfSSL 12:0217a9463bc3 1198 RecordLayerHeader* rl;
wolfSSL 12:0217a9463bc3 1199
wolfSSL 12:0217a9463bc3 1200 rl = (RecordLayerHeader*)output;
wolfSSL 12:0217a9463bc3 1201 rl->type = type;
wolfSSL 12:0217a9463bc3 1202 rl->pvMajor = ssl->version.major;
wolfSSL 12:0217a9463bc3 1203 rl->pvMinor = TLSv1_MINOR;
wolfSSL 12:0217a9463bc3 1204 c16toa((word16)length, rl->length);
wolfSSL 12:0217a9463bc3 1205 }
wolfSSL 12:0217a9463bc3 1206
wolfSSL 12:0217a9463bc3 1207 /* Add handshake header to message.
wolfSSL 12:0217a9463bc3 1208 *
wolfSSL 12:0217a9463bc3 1209 * output The buffer to write the hanshake header into.
wolfSSL 12:0217a9463bc3 1210 * length The length of the handshake data.
wolfSSL 12:0217a9463bc3 1211 * fragOffset The offset of the fragment data. (DTLS)
wolfSSL 12:0217a9463bc3 1212 * fragLength The length of the fragment data. (DTLS)
wolfSSL 12:0217a9463bc3 1213 * type The type of handshake message.
wolfSSL 12:0217a9463bc3 1214 * ssl The SSL/TLS object. (DTLS)
wolfSSL 12:0217a9463bc3 1215 */
wolfSSL 12:0217a9463bc3 1216 static void AddTls13HandShakeHeader(byte* output, word32 length,
wolfSSL 12:0217a9463bc3 1217 word32 fragOffset, word32 fragLength,
wolfSSL 12:0217a9463bc3 1218 byte type, WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 1219 {
wolfSSL 12:0217a9463bc3 1220 HandShakeHeader* hs;
wolfSSL 12:0217a9463bc3 1221 (void)fragOffset;
wolfSSL 12:0217a9463bc3 1222 (void)fragLength;
wolfSSL 12:0217a9463bc3 1223 (void)ssl;
wolfSSL 12:0217a9463bc3 1224
wolfSSL 12:0217a9463bc3 1225 /* handshake header */
wolfSSL 12:0217a9463bc3 1226 hs = (HandShakeHeader*)output;
wolfSSL 12:0217a9463bc3 1227 hs->type = type;
wolfSSL 12:0217a9463bc3 1228 c32to24(length, hs->length);
wolfSSL 12:0217a9463bc3 1229 }
wolfSSL 12:0217a9463bc3 1230
wolfSSL 12:0217a9463bc3 1231
wolfSSL 12:0217a9463bc3 1232 /* Add both record layer and handshake header to message.
wolfSSL 12:0217a9463bc3 1233 *
wolfSSL 12:0217a9463bc3 1234 * output The buffer to write the headers into.
wolfSSL 12:0217a9463bc3 1235 * length The length of the handshake data.
wolfSSL 12:0217a9463bc3 1236 * type The type of record layer message.
wolfSSL 12:0217a9463bc3 1237 * ssl The SSL/TLS object. (DTLS)
wolfSSL 12:0217a9463bc3 1238 */
wolfSSL 12:0217a9463bc3 1239 static void AddTls13Headers(byte* output, word32 length, byte type, WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 1240 {
wolfSSL 12:0217a9463bc3 1241 word32 lengthAdj = HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 1242 word32 outputAdj = RECORD_HEADER_SZ;
wolfSSL 12:0217a9463bc3 1243
wolfSSL 12:0217a9463bc3 1244 AddTls13RecordHeader(output, length + lengthAdj, handshake, ssl);
wolfSSL 12:0217a9463bc3 1245 AddTls13HandShakeHeader(output + outputAdj, length, 0, length, type, ssl);
wolfSSL 12:0217a9463bc3 1246 }
wolfSSL 12:0217a9463bc3 1247
wolfSSL 12:0217a9463bc3 1248
wolfSSL 12:0217a9463bc3 1249 #ifndef NO_CERTS
wolfSSL 12:0217a9463bc3 1250 /* Add both record layer and fragement handshake header to message.
wolfSSL 12:0217a9463bc3 1251 *
wolfSSL 12:0217a9463bc3 1252 * output The buffer to write the headers into.
wolfSSL 12:0217a9463bc3 1253 * fragOffset The offset of the fragment data. (DTLS)
wolfSSL 12:0217a9463bc3 1254 * fragLength The length of the fragment data. (DTLS)
wolfSSL 12:0217a9463bc3 1255 * length The length of the handshake data.
wolfSSL 12:0217a9463bc3 1256 * type The type of record layer message.
wolfSSL 12:0217a9463bc3 1257 * ssl The SSL/TLS object. (DTLS)
wolfSSL 12:0217a9463bc3 1258 */
wolfSSL 12:0217a9463bc3 1259 static void AddTls13FragHeaders(byte* output, word32 fragSz, word32 fragOffset,
wolfSSL 12:0217a9463bc3 1260 word32 length, byte type, WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 1261 {
wolfSSL 12:0217a9463bc3 1262 word32 lengthAdj = HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 1263 word32 outputAdj = RECORD_HEADER_SZ;
wolfSSL 12:0217a9463bc3 1264 (void)fragSz;
wolfSSL 12:0217a9463bc3 1265
wolfSSL 12:0217a9463bc3 1266 AddTls13RecordHeader(output, fragSz + lengthAdj, handshake, ssl);
wolfSSL 12:0217a9463bc3 1267 AddTls13HandShakeHeader(output + outputAdj, length, fragOffset, fragSz,
wolfSSL 12:0217a9463bc3 1268 type, ssl);
wolfSSL 12:0217a9463bc3 1269 }
wolfSSL 12:0217a9463bc3 1270 #endif /* NO_CERTS */
wolfSSL 12:0217a9463bc3 1271
wolfSSL 12:0217a9463bc3 1272 /* Write the sequence number into the buffer.
wolfSSL 12:0217a9463bc3 1273 * No DTLS v1.3 support.
wolfSSL 12:0217a9463bc3 1274 *
wolfSSL 12:0217a9463bc3 1275 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1276 * verifyOrder Which set of sequence numbers to use.
wolfSSL 12:0217a9463bc3 1277 * out The buffer to write into.
wolfSSL 12:0217a9463bc3 1278 */
wolfSSL 12:0217a9463bc3 1279 static INLINE void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out)
wolfSSL 12:0217a9463bc3 1280 {
wolfSSL 12:0217a9463bc3 1281 word32 seq[2] = {0, 0};
wolfSSL 12:0217a9463bc3 1282
wolfSSL 12:0217a9463bc3 1283 if (verifyOrder) {
wolfSSL 12:0217a9463bc3 1284 seq[0] = ssl->keys.peer_sequence_number_hi;
wolfSSL 12:0217a9463bc3 1285 seq[1] = ssl->keys.peer_sequence_number_lo++;
wolfSSL 12:0217a9463bc3 1286 /* handle rollover */
wolfSSL 12:0217a9463bc3 1287 if (seq[1] > ssl->keys.peer_sequence_number_lo)
wolfSSL 12:0217a9463bc3 1288 ssl->keys.peer_sequence_number_hi++;
wolfSSL 12:0217a9463bc3 1289 }
wolfSSL 12:0217a9463bc3 1290 else {
wolfSSL 12:0217a9463bc3 1291 seq[0] = ssl->keys.sequence_number_hi;
wolfSSL 12:0217a9463bc3 1292 seq[1] = ssl->keys.sequence_number_lo++;
wolfSSL 12:0217a9463bc3 1293 /* handle rollover */
wolfSSL 12:0217a9463bc3 1294 if (seq[1] > ssl->keys.sequence_number_lo)
wolfSSL 12:0217a9463bc3 1295 ssl->keys.sequence_number_hi++;
wolfSSL 12:0217a9463bc3 1296 }
wolfSSL 12:0217a9463bc3 1297
wolfSSL 12:0217a9463bc3 1298 c32toa(seq[0], out);
wolfSSL 12:0217a9463bc3 1299 c32toa(seq[1], out + OPAQUE32_LEN);
wolfSSL 12:0217a9463bc3 1300 }
wolfSSL 12:0217a9463bc3 1301
wolfSSL 12:0217a9463bc3 1302 /* Build the nonce for TLS v1.3 encryption and decryption.
wolfSSL 12:0217a9463bc3 1303 *
wolfSSL 12:0217a9463bc3 1304 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1305 * nonce The nonce data to use when encrypting or decrypting.
wolfSSL 12:0217a9463bc3 1306 * iv The derived IV.
wolfSSL 12:0217a9463bc3 1307 * order The side on which the message is to be or was sent.
wolfSSL 12:0217a9463bc3 1308 */
wolfSSL 12:0217a9463bc3 1309 static INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte *nonce, const byte* iv,
wolfSSL 12:0217a9463bc3 1310 int order)
wolfSSL 12:0217a9463bc3 1311 {
wolfSSL 12:0217a9463bc3 1312 int i;
wolfSSL 12:0217a9463bc3 1313
wolfSSL 12:0217a9463bc3 1314 /* The nonce is the IV with the sequence XORed into the last bytes. */
wolfSSL 12:0217a9463bc3 1315 WriteSEQ(ssl, order, nonce + AEAD_NONCE_SZ - SEQ_SZ);
wolfSSL 12:0217a9463bc3 1316 for (i = 0; i < AEAD_NONCE_SZ - SEQ_SZ; i++)
wolfSSL 12:0217a9463bc3 1317 nonce[i] = iv[i];
wolfSSL 12:0217a9463bc3 1318 for (; i < AEAD_NONCE_SZ; i++)
wolfSSL 12:0217a9463bc3 1319 nonce[i] ^= iv[i];
wolfSSL 12:0217a9463bc3 1320 }
wolfSSL 12:0217a9463bc3 1321
wolfSSL 12:0217a9463bc3 1322 /* Encrypt with ChaCha20 and create authenication tag with Poly1305.
wolfSSL 12:0217a9463bc3 1323 *
wolfSSL 12:0217a9463bc3 1324 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1325 * output The buffer to write encrypted data and authentication tag into.
wolfSSL 12:0217a9463bc3 1326 * May be the same pointer as input.
wolfSSL 12:0217a9463bc3 1327 * input The data to encrypt.
wolfSSL 12:0217a9463bc3 1328 * sz The number of bytes to encrypt.
wolfSSL 12:0217a9463bc3 1329 * nonce The nonce to use with ChaCha20.
wolfSSL 12:0217a9463bc3 1330 * tag The authentication tag buffer.
wolfSSL 12:0217a9463bc3 1331 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 1332 */
wolfSSL 12:0217a9463bc3 1333 static int ChaCha20Poly1305_Encrypt(WOLFSSL* ssl, byte* output,
wolfSSL 12:0217a9463bc3 1334 const byte* input, word16 sz, byte* nonce,
wolfSSL 12:0217a9463bc3 1335 byte* tag)
wolfSSL 12:0217a9463bc3 1336 {
wolfSSL 12:0217a9463bc3 1337 int ret = 0;
wolfSSL 12:0217a9463bc3 1338 byte poly[CHACHA20_256_KEY_SIZE];
wolfSSL 12:0217a9463bc3 1339
wolfSSL 12:0217a9463bc3 1340 /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
wolfSSL 12:0217a9463bc3 1341 XMEMSET(poly, 0, sizeof(poly));
wolfSSL 12:0217a9463bc3 1342
wolfSSL 12:0217a9463bc3 1343 /* Set the nonce for ChaCha and get Poly1305 key. */
wolfSSL 12:0217a9463bc3 1344 ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0);
wolfSSL 12:0217a9463bc3 1345 if (ret != 0)
wolfSSL 12:0217a9463bc3 1346 return ret;
wolfSSL 12:0217a9463bc3 1347 /* Create Poly1305 key using ChaCha20 keystream. */
wolfSSL 12:0217a9463bc3 1348 ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, poly, sizeof(poly));
wolfSSL 12:0217a9463bc3 1349 if (ret != 0)
wolfSSL 12:0217a9463bc3 1350 return ret;
wolfSSL 12:0217a9463bc3 1351 /* Encrypt the plain text. */
wolfSSL 12:0217a9463bc3 1352 ret = wc_Chacha_Process(ssl->encrypt.chacha, output, input, sz);
wolfSSL 12:0217a9463bc3 1353 if (ret != 0) {
wolfSSL 12:0217a9463bc3 1354 ForceZero(poly, sizeof(poly));
wolfSSL 12:0217a9463bc3 1355 return ret;
wolfSSL 12:0217a9463bc3 1356 }
wolfSSL 12:0217a9463bc3 1357
wolfSSL 12:0217a9463bc3 1358 /* Set key for Poly1305. */
wolfSSL 12:0217a9463bc3 1359 ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));
wolfSSL 12:0217a9463bc3 1360 ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
wolfSSL 12:0217a9463bc3 1361 if (ret != 0)
wolfSSL 12:0217a9463bc3 1362 return ret;
wolfSSL 12:0217a9463bc3 1363 /* Add authentication code of encrypted data to end. */
wolfSSL 12:0217a9463bc3 1364 ret = wc_Poly1305_MAC(ssl->auth.poly1305, NULL, 0, output, sz, tag,
wolfSSL 12:0217a9463bc3 1365 POLY1305_AUTH_SZ);
wolfSSL 12:0217a9463bc3 1366
wolfSSL 12:0217a9463bc3 1367 return ret;
wolfSSL 12:0217a9463bc3 1368 }
wolfSSL 12:0217a9463bc3 1369
wolfSSL 12:0217a9463bc3 1370 /* Encrypt data for TLS v1.3.
wolfSSL 12:0217a9463bc3 1371 *
wolfSSL 12:0217a9463bc3 1372 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1373 * output The buffer to write encrypted data and authentication tag into.
wolfSSL 12:0217a9463bc3 1374 * May be the same pointer as input.
wolfSSL 12:0217a9463bc3 1375 * input The data to encrypt.
wolfSSL 12:0217a9463bc3 1376 * sz The number of bytes to encrypt.
wolfSSL 12:0217a9463bc3 1377 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 1378 */
wolfSSL 12:0217a9463bc3 1379 static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
wolfSSL 12:0217a9463bc3 1380 word16 sz)
wolfSSL 12:0217a9463bc3 1381 {
wolfSSL 12:0217a9463bc3 1382 int ret = 0;
wolfSSL 12:0217a9463bc3 1383 word16 dataSz = sz - ssl->specs.aead_mac_size;
wolfSSL 12:0217a9463bc3 1384 word16 macSz = ssl->specs.aead_mac_size;
wolfSSL 12:0217a9463bc3 1385 byte nonce[AEAD_NONCE_SZ];
wolfSSL 12:0217a9463bc3 1386
wolfSSL 12:0217a9463bc3 1387 (void)output;
wolfSSL 12:0217a9463bc3 1388 (void)input;
wolfSSL 12:0217a9463bc3 1389 (void)sz;
wolfSSL 12:0217a9463bc3 1390 (void)dataSz;
wolfSSL 12:0217a9463bc3 1391 (void)macSz;
wolfSSL 12:0217a9463bc3 1392
wolfSSL 12:0217a9463bc3 1393 #ifdef WOLFSSL_DEBUG_TLS
wolfSSL 12:0217a9463bc3 1394 WOLFSSL_MSG("Data to encrypt");
wolfSSL 12:0217a9463bc3 1395 WOLFSSL_BUFFER(input, dataSz);
wolfSSL 12:0217a9463bc3 1396 #endif
wolfSSL 12:0217a9463bc3 1397
wolfSSL 12:0217a9463bc3 1398 BuildTls13Nonce(ssl, nonce, ssl->keys.aead_enc_imp_IV, CUR_ORDER);
wolfSSL 12:0217a9463bc3 1399
wolfSSL 12:0217a9463bc3 1400 switch (ssl->specs.bulk_cipher_algorithm) {
wolfSSL 12:0217a9463bc3 1401 #ifdef BUILD_AESGCM
wolfSSL 12:0217a9463bc3 1402 case wolfssl_aes_gcm:
wolfSSL 12:0217a9463bc3 1403 ret = wc_AesGcmEncrypt(ssl->encrypt.aes, output, input, dataSz,
wolfSSL 12:0217a9463bc3 1404 nonce, AESGCM_NONCE_SZ, output + dataSz, macSz, NULL, 0);
wolfSSL 12:0217a9463bc3 1405 break;
wolfSSL 12:0217a9463bc3 1406 #endif
wolfSSL 12:0217a9463bc3 1407
wolfSSL 12:0217a9463bc3 1408 #ifdef HAVE_AESCCM
wolfSSL 12:0217a9463bc3 1409 case wolfssl_aes_ccm:
wolfSSL 12:0217a9463bc3 1410 ret = wc_AesCcmEncrypt(ssl->encrypt.aes, output, input, dataSz,
wolfSSL 12:0217a9463bc3 1411 nonce, AESCCM_NONCE_SZ, output + dataSz, macSz, NULL, 0);
wolfSSL 12:0217a9463bc3 1412 break;
wolfSSL 12:0217a9463bc3 1413 #endif
wolfSSL 12:0217a9463bc3 1414
wolfSSL 12:0217a9463bc3 1415 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
wolfSSL 12:0217a9463bc3 1416 case wolfssl_chacha:
wolfSSL 12:0217a9463bc3 1417 ret = ChaCha20Poly1305_Encrypt(ssl, output, input, dataSz, nonce,
wolfSSL 12:0217a9463bc3 1418 output + dataSz);
wolfSSL 12:0217a9463bc3 1419 break;
wolfSSL 12:0217a9463bc3 1420 #endif
wolfSSL 12:0217a9463bc3 1421
wolfSSL 12:0217a9463bc3 1422 default:
wolfSSL 12:0217a9463bc3 1423 WOLFSSL_MSG("wolfSSL Encrypt programming error");
wolfSSL 12:0217a9463bc3 1424 return ENCRYPT_ERROR;
wolfSSL 12:0217a9463bc3 1425 }
wolfSSL 12:0217a9463bc3 1426
wolfSSL 12:0217a9463bc3 1427 ForceZero(nonce, AEAD_NONCE_SZ);
wolfSSL 12:0217a9463bc3 1428
wolfSSL 12:0217a9463bc3 1429 #ifdef WOLFSSL_DEBUG_TLS
wolfSSL 12:0217a9463bc3 1430 WOLFSSL_MSG("Encrypted data");
wolfSSL 12:0217a9463bc3 1431 WOLFSSL_BUFFER(output, dataSz);
wolfSSL 12:0217a9463bc3 1432 WOLFSSL_MSG("Authentication Tag");
wolfSSL 12:0217a9463bc3 1433 WOLFSSL_BUFFER(output + dataSz, macSz);
wolfSSL 12:0217a9463bc3 1434 #endif
wolfSSL 12:0217a9463bc3 1435
wolfSSL 12:0217a9463bc3 1436 return ret;
wolfSSL 12:0217a9463bc3 1437 }
wolfSSL 12:0217a9463bc3 1438
wolfSSL 12:0217a9463bc3 1439 /* Decrypt with ChaCha20 and check authenication tag with Poly1305.
wolfSSL 12:0217a9463bc3 1440 *
wolfSSL 12:0217a9463bc3 1441 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1442 * output The buffer to write decrypted data into.
wolfSSL 12:0217a9463bc3 1443 * May be the same pointer as input.
wolfSSL 12:0217a9463bc3 1444 * input The data to decrypt.
wolfSSL 12:0217a9463bc3 1445 * sz The number of bytes to decrypt.
wolfSSL 12:0217a9463bc3 1446 * nonce The nonce to use with ChaCha20.
wolfSSL 12:0217a9463bc3 1447 * tagIn The authentication tag data from packet.
wolfSSL 12:0217a9463bc3 1448 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 1449 */
wolfSSL 12:0217a9463bc3 1450 static int ChaCha20Poly1305_Decrypt(WOLFSSL *ssl, byte* output,
wolfSSL 12:0217a9463bc3 1451 const byte* input, word16 sz, byte* nonce,
wolfSSL 12:0217a9463bc3 1452 const byte* tagIn)
wolfSSL 12:0217a9463bc3 1453 {
wolfSSL 12:0217a9463bc3 1454 int ret;
wolfSSL 12:0217a9463bc3 1455 byte tag[POLY1305_AUTH_SZ];
wolfSSL 12:0217a9463bc3 1456 byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */
wolfSSL 12:0217a9463bc3 1457
wolfSSL 12:0217a9463bc3 1458 /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
wolfSSL 12:0217a9463bc3 1459 XMEMSET(poly, 0, sizeof(poly));
wolfSSL 12:0217a9463bc3 1460
wolfSSL 12:0217a9463bc3 1461 /* Set nonce and get Poly1305 key. */
wolfSSL 12:0217a9463bc3 1462 ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0);
wolfSSL 12:0217a9463bc3 1463 if (ret != 0)
wolfSSL 12:0217a9463bc3 1464 return ret;
wolfSSL 12:0217a9463bc3 1465 /* Use ChaCha20 keystream to get Poly1305 key for tag. */
wolfSSL 12:0217a9463bc3 1466 ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, poly, sizeof(poly));
wolfSSL 12:0217a9463bc3 1467 if (ret != 0)
wolfSSL 12:0217a9463bc3 1468 return ret;
wolfSSL 12:0217a9463bc3 1469
wolfSSL 12:0217a9463bc3 1470 /* Set key for Poly1305. */
wolfSSL 12:0217a9463bc3 1471 ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));
wolfSSL 12:0217a9463bc3 1472 ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
wolfSSL 12:0217a9463bc3 1473 if (ret != 0)
wolfSSL 12:0217a9463bc3 1474 return ret;
wolfSSL 12:0217a9463bc3 1475 /* Generate authentication tag for encrypted data. */
wolfSSL 12:0217a9463bc3 1476 if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, NULL, 0, (byte*)input, sz,
wolfSSL 12:0217a9463bc3 1477 tag, sizeof(tag))) != 0) {
wolfSSL 12:0217a9463bc3 1478 return ret;
wolfSSL 12:0217a9463bc3 1479 }
wolfSSL 12:0217a9463bc3 1480
wolfSSL 12:0217a9463bc3 1481 /* Check tag sent along with packet. */
wolfSSL 12:0217a9463bc3 1482 if (ConstantCompare(tagIn, tag, POLY1305_AUTH_SZ) != 0) {
wolfSSL 12:0217a9463bc3 1483 WOLFSSL_MSG("MAC did not match");
wolfSSL 12:0217a9463bc3 1484 return VERIFY_MAC_ERROR;
wolfSSL 12:0217a9463bc3 1485 }
wolfSSL 12:0217a9463bc3 1486
wolfSSL 12:0217a9463bc3 1487 /* If the tag was good decrypt message. */
wolfSSL 12:0217a9463bc3 1488 ret = wc_Chacha_Process(ssl->decrypt.chacha, output, input, sz);
wolfSSL 12:0217a9463bc3 1489
wolfSSL 12:0217a9463bc3 1490 return ret;
wolfSSL 12:0217a9463bc3 1491 }
wolfSSL 12:0217a9463bc3 1492
wolfSSL 12:0217a9463bc3 1493 /* Decrypt data for TLS v1.3.
wolfSSL 12:0217a9463bc3 1494 *
wolfSSL 12:0217a9463bc3 1495 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1496 * output The buffer to write decrypted data into.
wolfSSL 12:0217a9463bc3 1497 * May be the same pointer as input.
wolfSSL 12:0217a9463bc3 1498 * input The data to encrypt and authentication tag.
wolfSSL 12:0217a9463bc3 1499 * sz The length of the encrypted data plus authentication tag.
wolfSSL 12:0217a9463bc3 1500 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 1501 */
wolfSSL 12:0217a9463bc3 1502 int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz)
wolfSSL 12:0217a9463bc3 1503 {
wolfSSL 12:0217a9463bc3 1504 int ret = 0;
wolfSSL 12:0217a9463bc3 1505 word16 dataSz = sz - ssl->specs.aead_mac_size;
wolfSSL 12:0217a9463bc3 1506 word16 macSz = ssl->specs.aead_mac_size;
wolfSSL 12:0217a9463bc3 1507 byte nonce[AEAD_NONCE_SZ];
wolfSSL 12:0217a9463bc3 1508
wolfSSL 12:0217a9463bc3 1509 (void)output;
wolfSSL 12:0217a9463bc3 1510 (void)input;
wolfSSL 12:0217a9463bc3 1511 (void)sz;
wolfSSL 12:0217a9463bc3 1512 (void)dataSz;
wolfSSL 12:0217a9463bc3 1513 (void)macSz;
wolfSSL 12:0217a9463bc3 1514
wolfSSL 12:0217a9463bc3 1515 #ifdef WOLFSSL_DEBUG_TLS
wolfSSL 12:0217a9463bc3 1516 WOLFSSL_MSG("Data to decrypt");
wolfSSL 12:0217a9463bc3 1517 WOLFSSL_BUFFER(input, dataSz);
wolfSSL 12:0217a9463bc3 1518 WOLFSSL_MSG("Authentication tag");
wolfSSL 12:0217a9463bc3 1519 WOLFSSL_BUFFER(input + dataSz, macSz);
wolfSSL 12:0217a9463bc3 1520 #endif
wolfSSL 12:0217a9463bc3 1521
wolfSSL 12:0217a9463bc3 1522 BuildTls13Nonce(ssl, nonce, ssl->keys.aead_dec_imp_IV, PEER_ORDER);
wolfSSL 12:0217a9463bc3 1523
wolfSSL 12:0217a9463bc3 1524 switch (ssl->specs.bulk_cipher_algorithm) {
wolfSSL 12:0217a9463bc3 1525 #ifdef BUILD_AESGCM
wolfSSL 12:0217a9463bc3 1526 case wolfssl_aes_gcm:
wolfSSL 12:0217a9463bc3 1527 ret = wc_AesGcmDecrypt(ssl->decrypt.aes, output, input, dataSz,
wolfSSL 12:0217a9463bc3 1528 nonce, AESGCM_NONCE_SZ, input + dataSz, macSz, NULL, 0);
wolfSSL 12:0217a9463bc3 1529 break;
wolfSSL 12:0217a9463bc3 1530 #endif
wolfSSL 12:0217a9463bc3 1531
wolfSSL 12:0217a9463bc3 1532 #ifdef HAVE_AESCCM
wolfSSL 12:0217a9463bc3 1533 case wolfssl_aes_ccm:
wolfSSL 12:0217a9463bc3 1534 ret = wc_AesCcmDecrypt(ssl->decrypt.aes, output, input, dataSz,
wolfSSL 12:0217a9463bc3 1535 nonce, AESCCM_NONCE_SZ, input + dataSz, macSz, NULL, 0);
wolfSSL 12:0217a9463bc3 1536 break;
wolfSSL 12:0217a9463bc3 1537 #endif
wolfSSL 12:0217a9463bc3 1538
wolfSSL 12:0217a9463bc3 1539 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
wolfSSL 12:0217a9463bc3 1540 case wolfssl_chacha:
wolfSSL 12:0217a9463bc3 1541 ret = ChaCha20Poly1305_Decrypt(ssl, output, input, dataSz, nonce,
wolfSSL 12:0217a9463bc3 1542 input + dataSz);
wolfSSL 12:0217a9463bc3 1543 break;
wolfSSL 12:0217a9463bc3 1544 #endif
wolfSSL 12:0217a9463bc3 1545
wolfSSL 12:0217a9463bc3 1546 default:
wolfSSL 12:0217a9463bc3 1547 WOLFSSL_MSG("wolfSSL Decrypt programming error");
wolfSSL 12:0217a9463bc3 1548 return DECRYPT_ERROR;
wolfSSL 12:0217a9463bc3 1549 }
wolfSSL 12:0217a9463bc3 1550
wolfSSL 12:0217a9463bc3 1551 ForceZero(nonce, AEAD_NONCE_SZ);
wolfSSL 12:0217a9463bc3 1552 if (ret < 0 && !ssl->options.dtls) {
wolfSSL 12:0217a9463bc3 1553 SendAlert(ssl, alert_fatal, bad_record_mac);
wolfSSL 12:0217a9463bc3 1554 ret = VERIFY_MAC_ERROR;
wolfSSL 12:0217a9463bc3 1555 }
wolfSSL 12:0217a9463bc3 1556
wolfSSL 12:0217a9463bc3 1557 #ifdef WOLFSSL_DEBUG_TLS
wolfSSL 12:0217a9463bc3 1558 WOLFSSL_MSG("Decrypted data");
wolfSSL 12:0217a9463bc3 1559 WOLFSSL_BUFFER(output, dataSz);
wolfSSL 12:0217a9463bc3 1560 #endif
wolfSSL 12:0217a9463bc3 1561
wolfSSL 12:0217a9463bc3 1562 return ret;
wolfSSL 12:0217a9463bc3 1563 }
wolfSSL 12:0217a9463bc3 1564
wolfSSL 12:0217a9463bc3 1565 /* Build SSL Message, encrypted.
wolfSSL 12:0217a9463bc3 1566 * TLS v1.3 encryption is AEAD only.
wolfSSL 12:0217a9463bc3 1567 *
wolfSSL 12:0217a9463bc3 1568 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1569 * output The buffer to write record message to.
wolfSSL 12:0217a9463bc3 1570 * outSz Size of the buffer being written into.
wolfSSL 12:0217a9463bc3 1571 * input The record data to encrypt (excluding record header).
wolfSSL 12:0217a9463bc3 1572 * inSz The size of the record data.
wolfSSL 12:0217a9463bc3 1573 * type The recorder header content type.
wolfSSL 12:0217a9463bc3 1574 * hashOutput Whether to hash the unencrypted record data.
wolfSSL 12:0217a9463bc3 1575 * sizeOnly Only want the size of the record message.
wolfSSL 12:0217a9463bc3 1576 * returns the size of the encrypted record message or negative value on error.
wolfSSL 12:0217a9463bc3 1577 */
wolfSSL 12:0217a9463bc3 1578 int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
wolfSSL 12:0217a9463bc3 1579 int inSz, int type, int hashOutput, int sizeOnly)
wolfSSL 12:0217a9463bc3 1580 {
wolfSSL 12:0217a9463bc3 1581 word32 sz = RECORD_HEADER_SZ + inSz;
wolfSSL 12:0217a9463bc3 1582 word32 idx = RECORD_HEADER_SZ;
wolfSSL 12:0217a9463bc3 1583 word32 headerSz = RECORD_HEADER_SZ;
wolfSSL 12:0217a9463bc3 1584 word16 size;
wolfSSL 12:0217a9463bc3 1585 int ret = 0;
wolfSSL 12:0217a9463bc3 1586 int atomicUser = 0;
wolfSSL 12:0217a9463bc3 1587
wolfSSL 12:0217a9463bc3 1588 if (ssl == NULL)
wolfSSL 12:0217a9463bc3 1589 return BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 1590 if (!sizeOnly && (output == NULL || input == NULL))
wolfSSL 12:0217a9463bc3 1591 return BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 1592 /* catch mistaken sizeOnly parameter */
wolfSSL 12:0217a9463bc3 1593 if (sizeOnly && (output || input)) {
wolfSSL 12:0217a9463bc3 1594 WOLFSSL_MSG("BuildMessage with sizeOnly doesn't need input or output");
wolfSSL 12:0217a9463bc3 1595 return BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 1596 }
wolfSSL 12:0217a9463bc3 1597
wolfSSL 12:0217a9463bc3 1598 /* Record layer content type at the end of record data. */
wolfSSL 12:0217a9463bc3 1599 sz++;
wolfSSL 12:0217a9463bc3 1600 /* Authentication data at the end. */
wolfSSL 12:0217a9463bc3 1601 sz += ssl->specs.aead_mac_size;
wolfSSL 12:0217a9463bc3 1602
wolfSSL 12:0217a9463bc3 1603 if (sizeOnly)
wolfSSL 12:0217a9463bc3 1604 return sz;
wolfSSL 12:0217a9463bc3 1605
wolfSSL 12:0217a9463bc3 1606 if (sz > (word32)outSz) {
wolfSSL 12:0217a9463bc3 1607 WOLFSSL_MSG("Oops, want to write past output buffer size");
wolfSSL 12:0217a9463bc3 1608 return BUFFER_E;
wolfSSL 12:0217a9463bc3 1609 }
wolfSSL 12:0217a9463bc3 1610
wolfSSL 12:0217a9463bc3 1611 /* Record data length. */
wolfSSL 12:0217a9463bc3 1612 size = (word16)(sz - headerSz);
wolfSSL 12:0217a9463bc3 1613 /* Write/update the record header with the new size.
wolfSSL 12:0217a9463bc3 1614 * Always have the content type as application data for encrypted
wolfSSL 12:0217a9463bc3 1615 * messages in TLS v1.3.
wolfSSL 12:0217a9463bc3 1616 */
wolfSSL 12:0217a9463bc3 1617 AddTls13RecordHeader(output, size, application_data, ssl);
wolfSSL 12:0217a9463bc3 1618
wolfSSL 12:0217a9463bc3 1619 /* TLS v1.3 can do in place encryption. */
wolfSSL 12:0217a9463bc3 1620 if (input != output + idx)
wolfSSL 12:0217a9463bc3 1621 XMEMCPY(output + idx, input, inSz);
wolfSSL 12:0217a9463bc3 1622 idx += inSz;
wolfSSL 12:0217a9463bc3 1623
wolfSSL 12:0217a9463bc3 1624 if (hashOutput) {
wolfSSL 12:0217a9463bc3 1625 ret = HashOutput(ssl, output, headerSz + inSz, 0);
wolfSSL 12:0217a9463bc3 1626 if (ret != 0)
wolfSSL 12:0217a9463bc3 1627 return ret;
wolfSSL 12:0217a9463bc3 1628 }
wolfSSL 12:0217a9463bc3 1629
wolfSSL 12:0217a9463bc3 1630 /* The real record content type goes at the end of the data. */
wolfSSL 12:0217a9463bc3 1631 output[idx++] = type;
wolfSSL 12:0217a9463bc3 1632
wolfSSL 12:0217a9463bc3 1633 #ifdef ATOMIC_USER
wolfSSL 12:0217a9463bc3 1634 if (ssl->ctx->MacEncryptCb)
wolfSSL 12:0217a9463bc3 1635 atomicUser = 1;
wolfSSL 12:0217a9463bc3 1636 #endif
wolfSSL 12:0217a9463bc3 1637
wolfSSL 12:0217a9463bc3 1638 if (atomicUser) { /* User Record Layer Callback handling */
wolfSSL 12:0217a9463bc3 1639 #ifdef ATOMIC_USER
wolfSSL 12:0217a9463bc3 1640 byte* mac = output + idx;
wolfSSL 12:0217a9463bc3 1641 output += headerSz;
wolfSSL 12:0217a9463bc3 1642
wolfSSL 12:0217a9463bc3 1643 if ((ret = ssl->ctx->MacEncryptCb(ssl, mac, output, inSz, type, 0,
wolfSSL 12:0217a9463bc3 1644 output, output, size, ssl->MacEncryptCtx)) != 0) {
wolfSSL 12:0217a9463bc3 1645 return ret;
wolfSSL 12:0217a9463bc3 1646 }
wolfSSL 12:0217a9463bc3 1647 #endif
wolfSSL 12:0217a9463bc3 1648 }
wolfSSL 12:0217a9463bc3 1649 else {
wolfSSL 12:0217a9463bc3 1650 output += headerSz;
wolfSSL 12:0217a9463bc3 1651 if ((ret = EncryptTls13(ssl, output, output, size)) != 0)
wolfSSL 12:0217a9463bc3 1652 return ret;
wolfSSL 12:0217a9463bc3 1653 }
wolfSSL 12:0217a9463bc3 1654
wolfSSL 12:0217a9463bc3 1655 return sz;
wolfSSL 12:0217a9463bc3 1656 }
wolfSSL 12:0217a9463bc3 1657
wolfSSL 12:0217a9463bc3 1658 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:0217a9463bc3 1659 #if defined(HAVE_SESSION_TICKET) && !defined(NO_PSK)
wolfSSL 12:0217a9463bc3 1660 /* Get the size of the message hash.
wolfSSL 12:0217a9463bc3 1661 *
wolfSSL 12:0217a9463bc3 1662 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1663 * returns the length of the hash.
wolfSSL 12:0217a9463bc3 1664 */
wolfSSL 12:0217a9463bc3 1665 static int GetMsgHashSize(WOLFSSL *ssl)
wolfSSL 12:0217a9463bc3 1666 {
wolfSSL 12:0217a9463bc3 1667 switch (ssl->specs.mac_algorithm) {
wolfSSL 12:0217a9463bc3 1668 #ifndef NO_SHA256
wolfSSL 12:0217a9463bc3 1669 case sha256_mac:
wolfSSL 12:0217a9463bc3 1670 return SHA256_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 1671 #endif /* !NO_SHA256 */
wolfSSL 12:0217a9463bc3 1672 #ifdef WOLFSSL_SHA384
wolfSSL 12:0217a9463bc3 1673 case sha384_mac:
wolfSSL 12:0217a9463bc3 1674 return SHA384_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 1675 #endif /* WOLFSSL_SHA384 */
wolfSSL 12:0217a9463bc3 1676 #ifdef WOLFSSL_SHA512
wolfSSL 12:0217a9463bc3 1677 case sha512_mac:
wolfSSL 12:0217a9463bc3 1678 return SHA512_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 1679 #endif /* WOLFSSL_SHA512 */
wolfSSL 12:0217a9463bc3 1680 }
wolfSSL 12:0217a9463bc3 1681 return 0;
wolfSSL 12:0217a9463bc3 1682 }
wolfSSL 12:0217a9463bc3 1683
wolfSSL 12:0217a9463bc3 1684 /* Derive and write the binders into the ClientHello in space left when
wolfSSL 12:0217a9463bc3 1685 * writing the Pre-Shared Key extension.
wolfSSL 12:0217a9463bc3 1686 *
wolfSSL 12:0217a9463bc3 1687 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1688 * output The buffer containing the ClientHello.
wolfSSL 12:0217a9463bc3 1689 * idx The index at the end of the completed ClientHello.
wolfSSL 12:0217a9463bc3 1690 * returns 0 on success and otherwise failure.
wolfSSL 12:0217a9463bc3 1691 */
wolfSSL 12:0217a9463bc3 1692 static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx)
wolfSSL 12:0217a9463bc3 1693 {
wolfSSL 12:0217a9463bc3 1694 int ret;
wolfSSL 12:0217a9463bc3 1695 TLSX* ext;
wolfSSL 12:0217a9463bc3 1696 PreSharedKey* current;
wolfSSL 12:0217a9463bc3 1697 byte binderKey[MAX_DIGEST_SIZE];
wolfSSL 12:0217a9463bc3 1698 word16 len;
wolfSSL 12:0217a9463bc3 1699
wolfSSL 12:0217a9463bc3 1700 ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
wolfSSL 12:0217a9463bc3 1701 if (ext == NULL)
wolfSSL 12:0217a9463bc3 1702 return SANITY_MSG_E;
wolfSSL 12:0217a9463bc3 1703
wolfSSL 12:0217a9463bc3 1704 /* Get the size of the binders to determine where to write binders. */
wolfSSL 12:0217a9463bc3 1705 idx -= TLSX_PreSharedKey_GetSizeBinders(ext->data, client_hello);
wolfSSL 12:0217a9463bc3 1706
wolfSSL 12:0217a9463bc3 1707 /* Hash truncated ClientHello - up to binders. */
wolfSSL 12:0217a9463bc3 1708 ret = HashOutput(ssl, output, idx, 0);
wolfSSL 12:0217a9463bc3 1709 if (ret != 0)
wolfSSL 12:0217a9463bc3 1710 return ret;
wolfSSL 12:0217a9463bc3 1711
wolfSSL 12:0217a9463bc3 1712 current = ext->data;
wolfSSL 12:0217a9463bc3 1713 /* Calculate the binder for each identity based on previous handshake data.
wolfSSL 12:0217a9463bc3 1714 */
wolfSSL 12:0217a9463bc3 1715 while (current != NULL) {
wolfSSL 12:0217a9463bc3 1716 if (current->resumption) {
wolfSSL 12:0217a9463bc3 1717 /* Set the HMAC to use based on the one for the session (set into
wolfSSL 12:0217a9463bc3 1718 * the extension data at the start of this function based on the
wolfSSL 12:0217a9463bc3 1719 * cipher suite in the session information.
wolfSSL 12:0217a9463bc3 1720 */
wolfSSL 12:0217a9463bc3 1721 ssl->specs.mac_algorithm = current->hmac;
wolfSSL 12:0217a9463bc3 1722
wolfSSL 12:0217a9463bc3 1723 /* Resumption PSK is master secret. */
wolfSSL 12:0217a9463bc3 1724 ssl->arrays->psk_keySz = GetMsgHashSize(ssl);
wolfSSL 12:0217a9463bc3 1725 XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret,
wolfSSL 12:0217a9463bc3 1726 ssl->arrays->psk_keySz);
wolfSSL 12:0217a9463bc3 1727 /* Derive the early secret using the PSK. */
wolfSSL 12:0217a9463bc3 1728 DeriveEarlySecret(ssl);
wolfSSL 12:0217a9463bc3 1729 /* Derive the binder key to use to with HMAC. */
wolfSSL 12:0217a9463bc3 1730 DeriveBinderKeyResume(ssl, binderKey);
wolfSSL 12:0217a9463bc3 1731 }
wolfSSL 12:0217a9463bc3 1732 else {
wolfSSL 12:0217a9463bc3 1733 /* TODO: [TLS13] Support non-ticket PSK. */
wolfSSL 12:0217a9463bc3 1734 /* Get the pre-shared key. */
wolfSSL 12:0217a9463bc3 1735 ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
wolfSSL 12:0217a9463bc3 1736 (char *)current->identity, ssl->arrays->client_identity,
wolfSSL 12:0217a9463bc3 1737 MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
wolfSSL 12:0217a9463bc3 1738 /* Derive the early secret using the PSK. */
wolfSSL 12:0217a9463bc3 1739 DeriveEarlySecret(ssl);
wolfSSL 12:0217a9463bc3 1740 /* Derive the binder key to use to with HMAC. */
wolfSSL 12:0217a9463bc3 1741 DeriveBinderKey(ssl, binderKey);
wolfSSL 12:0217a9463bc3 1742 }
wolfSSL 12:0217a9463bc3 1743
wolfSSL 12:0217a9463bc3 1744 /* Derive the Finished message secret. */
wolfSSL 12:0217a9463bc3 1745 DeriveFinishedSecret(ssl, binderKey, ssl->keys.client_write_MAC_secret);
wolfSSL 12:0217a9463bc3 1746 /* Build the HMAC of the handshake message data = binder. */
wolfSSL 12:0217a9463bc3 1747 current->binderLen = BuildTls13HandshakeHmac(ssl,
wolfSSL 12:0217a9463bc3 1748 ssl->keys.client_write_MAC_secret, current->binder);
wolfSSL 12:0217a9463bc3 1749
wolfSSL 12:0217a9463bc3 1750 current = current->next;
wolfSSL 12:0217a9463bc3 1751 }
wolfSSL 12:0217a9463bc3 1752
wolfSSL 12:0217a9463bc3 1753 /* Data entered into extension, now write to message. */
wolfSSL 12:0217a9463bc3 1754 len = TLSX_PreSharedKey_WriteBinders(ext->data, output + idx, client_hello);
wolfSSL 12:0217a9463bc3 1755
wolfSSL 12:0217a9463bc3 1756 /* Hash binders to complete the hash of the ClientHello. */
wolfSSL 12:0217a9463bc3 1757 return HashOutputRaw(ssl, output + idx, len);
wolfSSL 12:0217a9463bc3 1758 }
wolfSSL 12:0217a9463bc3 1759 #endif
wolfSSL 12:0217a9463bc3 1760
wolfSSL 12:0217a9463bc3 1761 /* Send a ClientHello message to the server.
wolfSSL 12:0217a9463bc3 1762 * Include the information required to start a handshake with servers using
wolfSSL 12:0217a9463bc3 1763 * protocol versions less than TLS v1.3.
wolfSSL 12:0217a9463bc3 1764 * Only a client will send this message.
wolfSSL 12:0217a9463bc3 1765 *
wolfSSL 12:0217a9463bc3 1766 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1767 * returns 0 on success and otherwise failure.
wolfSSL 12:0217a9463bc3 1768 */
wolfSSL 12:0217a9463bc3 1769 int SendTls13ClientHello(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 1770 {
wolfSSL 12:0217a9463bc3 1771 byte* output;
wolfSSL 12:0217a9463bc3 1772 word32 length;
wolfSSL 12:0217a9463bc3 1773 word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 1774 int sendSz;
wolfSSL 12:0217a9463bc3 1775 int ret;
wolfSSL 12:0217a9463bc3 1776
wolfSSL 12:0217a9463bc3 1777 #if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) && !defined(NO_PSK)
wolfSSL 12:0217a9463bc3 1778 if (ssl->options.resuming &&
wolfSSL 12:0217a9463bc3 1779 (ssl->session.version.major != ssl->version.major ||
wolfSSL 12:0217a9463bc3 1780 ssl->session.version.minor != ssl->version.minor)) {
wolfSSL 12:0217a9463bc3 1781 ssl->version.major = ssl->session.version.major;
wolfSSL 12:0217a9463bc3 1782 ssl->version.minor = ssl->session.version.minor;
wolfSSL 12:0217a9463bc3 1783 return SendClientHello(ssl);
wolfSSL 12:0217a9463bc3 1784 }
wolfSSL 12:0217a9463bc3 1785 #endif
wolfSSL 12:0217a9463bc3 1786
wolfSSL 12:0217a9463bc3 1787 if (ssl->suites == NULL) {
wolfSSL 12:0217a9463bc3 1788 WOLFSSL_MSG("Bad suites pointer in SendTls13ClientHello");
wolfSSL 12:0217a9463bc3 1789 return SUITES_ERROR;
wolfSSL 12:0217a9463bc3 1790 }
wolfSSL 12:0217a9463bc3 1791
wolfSSL 12:0217a9463bc3 1792 /* Version | Random | Session Id | Cipher Suites | Compression | Ext */
wolfSSL 12:0217a9463bc3 1793 length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->suites->suiteSz +
wolfSSL 12:0217a9463bc3 1794 SUITE_LEN + COMP_LEN + ENUM_LEN;
wolfSSL 12:0217a9463bc3 1795
wolfSSL 12:0217a9463bc3 1796 /* Auto populate extensions supported unless user defined. */
wolfSSL 12:0217a9463bc3 1797 if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0)
wolfSSL 12:0217a9463bc3 1798 return ret;
wolfSSL 12:0217a9463bc3 1799 #ifdef HAVE_QSH
wolfSSL 12:0217a9463bc3 1800 if (QSH_Init(ssl) != 0)
wolfSSL 12:0217a9463bc3 1801 return MEMORY_E;
wolfSSL 12:0217a9463bc3 1802 #endif
wolfSSL 12:0217a9463bc3 1803 /* Include length of TLS extensions. */
wolfSSL 12:0217a9463bc3 1804 length += TLSX_GetRequestSize(ssl);
wolfSSL 12:0217a9463bc3 1805
wolfSSL 12:0217a9463bc3 1806 /* Total message size. */
wolfSSL 12:0217a9463bc3 1807 sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
wolfSSL 12:0217a9463bc3 1808
wolfSSL 12:0217a9463bc3 1809 /* Check buffers are big enough and grow if needed. */
wolfSSL 12:0217a9463bc3 1810 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
wolfSSL 12:0217a9463bc3 1811 return ret;
wolfSSL 12:0217a9463bc3 1812
wolfSSL 12:0217a9463bc3 1813 /* Get position in output buffer to write new message to. */
wolfSSL 12:0217a9463bc3 1814 output = ssl->buffers.outputBuffer.buffer +
wolfSSL 12:0217a9463bc3 1815 ssl->buffers.outputBuffer.length;
wolfSSL 12:0217a9463bc3 1816
wolfSSL 12:0217a9463bc3 1817 /* Put the record and handshake headers on. */
wolfSSL 12:0217a9463bc3 1818 AddTls13Headers(output, length, client_hello, ssl);
wolfSSL 12:0217a9463bc3 1819
wolfSSL 12:0217a9463bc3 1820 /* Protocol version. */
wolfSSL 12:0217a9463bc3 1821 output[idx++] = SSLv3_MAJOR;
wolfSSL 12:0217a9463bc3 1822 output[idx++] = TLSv1_2_MINOR;
wolfSSL 12:0217a9463bc3 1823 ssl->chVersion = ssl->version;
wolfSSL 12:0217a9463bc3 1824
wolfSSL 12:0217a9463bc3 1825 /* Client Random */
wolfSSL 12:0217a9463bc3 1826 if (ssl->options.connectState == CONNECT_BEGIN) {
wolfSSL 12:0217a9463bc3 1827 ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN);
wolfSSL 12:0217a9463bc3 1828 if (ret != 0)
wolfSSL 12:0217a9463bc3 1829 return ret;
wolfSSL 12:0217a9463bc3 1830
wolfSSL 12:0217a9463bc3 1831 /* Store random for possible second ClientHello. */
wolfSSL 12:0217a9463bc3 1832 XMEMCPY(ssl->arrays->clientRandom, output + idx, RAN_LEN);
wolfSSL 12:0217a9463bc3 1833 }
wolfSSL 12:0217a9463bc3 1834 else
wolfSSL 12:0217a9463bc3 1835 XMEMCPY(output + idx, ssl->arrays->clientRandom, RAN_LEN);
wolfSSL 12:0217a9463bc3 1836 idx += RAN_LEN;
wolfSSL 12:0217a9463bc3 1837
wolfSSL 12:0217a9463bc3 1838 /* TLS v1.3 does not use session id - 0 length. */
wolfSSL 12:0217a9463bc3 1839 output[idx++] = 0;
wolfSSL 12:0217a9463bc3 1840
wolfSSL 12:0217a9463bc3 1841 /* Cipher suites */
wolfSSL 12:0217a9463bc3 1842 c16toa(ssl->suites->suiteSz, output + idx);
wolfSSL 12:0217a9463bc3 1843 idx += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 1844 XMEMCPY(output + idx, &ssl->suites->suites, ssl->suites->suiteSz);
wolfSSL 12:0217a9463bc3 1845 idx += ssl->suites->suiteSz;
wolfSSL 12:0217a9463bc3 1846
wolfSSL 12:0217a9463bc3 1847 /* Compression not supported in TLS v1.3. */
wolfSSL 12:0217a9463bc3 1848 output[idx++] = COMP_LEN;
wolfSSL 12:0217a9463bc3 1849 output[idx++] = NO_COMPRESSION;
wolfSSL 12:0217a9463bc3 1850
wolfSSL 12:0217a9463bc3 1851 /* Write out extensions for a request. */
wolfSSL 12:0217a9463bc3 1852 idx += TLSX_WriteRequest(ssl, output + idx);
wolfSSL 12:0217a9463bc3 1853
wolfSSL 12:0217a9463bc3 1854 #if defined(HAVE_SESSION_TICKET) && !defined(NO_PSK)
wolfSSL 12:0217a9463bc3 1855 /* Resumption has a specific set of extensions and binder is calculated
wolfSSL 12:0217a9463bc3 1856 * for each identity.
wolfSSL 12:0217a9463bc3 1857 */
wolfSSL 12:0217a9463bc3 1858 if (ssl->options.resuming)
wolfSSL 12:0217a9463bc3 1859 ret = WritePSKBinders(ssl, output, idx);
wolfSSL 12:0217a9463bc3 1860 else
wolfSSL 12:0217a9463bc3 1861 #endif
wolfSSL 12:0217a9463bc3 1862 ret = HashOutput(ssl, output, idx, 0);
wolfSSL 12:0217a9463bc3 1863 if (ret != 0)
wolfSSL 12:0217a9463bc3 1864 return ret;
wolfSSL 12:0217a9463bc3 1865
wolfSSL 12:0217a9463bc3 1866 ssl->options.clientState = CLIENT_HELLO_COMPLETE;
wolfSSL 12:0217a9463bc3 1867
wolfSSL 12:0217a9463bc3 1868 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 1869 if (ssl->hsInfoOn) AddPacketName("ClientHello", &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 1870 if (ssl->toInfoOn)
wolfSSL 12:0217a9463bc3 1871 AddPacketInfo("ClientHello", &ssl->timeoutInfo, output, sendSz,
wolfSSL 12:0217a9463bc3 1872 ssl->heap);
wolfSSL 12:0217a9463bc3 1873 #endif
wolfSSL 12:0217a9463bc3 1874
wolfSSL 12:0217a9463bc3 1875 ssl->buffers.outputBuffer.length += sendSz;
wolfSSL 12:0217a9463bc3 1876
wolfSSL 12:0217a9463bc3 1877 return SendBuffered(ssl);
wolfSSL 12:0217a9463bc3 1878 }
wolfSSL 12:0217a9463bc3 1879
wolfSSL 12:0217a9463bc3 1880 /* Parse and handle a HelloRetryRequest message.
wolfSSL 12:0217a9463bc3 1881 * Only a client will receive this message.
wolfSSL 12:0217a9463bc3 1882 *
wolfSSL 12:0217a9463bc3 1883 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1884 * input The message buffer.
wolfSSL 12:0217a9463bc3 1885 * inOutIdx On entry, the index into the message buffer of
wolfSSL 12:0217a9463bc3 1886 * HelloRetryRequest.
wolfSSL 12:0217a9463bc3 1887 * On exit, the index of byte after the HelloRetryRequest message.
wolfSSL 12:0217a9463bc3 1888 * totalSz The length of the current handshake message.
wolfSSL 12:0217a9463bc3 1889 * returns 0 on success and otherwise failure.
wolfSSL 12:0217a9463bc3 1890 */
wolfSSL 12:0217a9463bc3 1891 static int DoTls13HelloRetryRequest(WOLFSSL* ssl, const byte* input,
wolfSSL 12:0217a9463bc3 1892 word32* inOutIdx, word32 totalSz)
wolfSSL 12:0217a9463bc3 1893 {
wolfSSL 12:0217a9463bc3 1894 int ret;
wolfSSL 12:0217a9463bc3 1895 word32 begin = *inOutIdx;
wolfSSL 12:0217a9463bc3 1896 word32 i = begin;
wolfSSL 12:0217a9463bc3 1897 word16 totalExtSz;
wolfSSL 12:0217a9463bc3 1898 ProtocolVersion pv;
wolfSSL 12:0217a9463bc3 1899
wolfSSL 12:0217a9463bc3 1900 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 1901 if (ssl->hsInfoOn) AddPacketName("HelloRetryRequest", &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 1902 if (ssl->toInfoOn) AddLateName("HelloRetryRequest", &ssl->timeoutInfo);
wolfSSL 12:0217a9463bc3 1903 #endif
wolfSSL 12:0217a9463bc3 1904
wolfSSL 12:0217a9463bc3 1905 /* Version info and length field of extension data. */
wolfSSL 12:0217a9463bc3 1906 if (totalSz < i - begin + OPAQUE16_LEN + OPAQUE16_LEN)
wolfSSL 12:0217a9463bc3 1907 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 1908
wolfSSL 12:0217a9463bc3 1909 /* Protocol version. */
wolfSSL 12:0217a9463bc3 1910 XMEMCPY(&pv, input + i, OPAQUE16_LEN);
wolfSSL 12:0217a9463bc3 1911 i += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 1912 ret = CheckVersion(ssl, pv);
wolfSSL 12:0217a9463bc3 1913 if (ret != 0)
wolfSSL 12:0217a9463bc3 1914 return ret;
wolfSSL 12:0217a9463bc3 1915
wolfSSL 12:0217a9463bc3 1916 /* Length of extension data. */
wolfSSL 12:0217a9463bc3 1917 ato16(&input[i], &totalExtSz);
wolfSSL 12:0217a9463bc3 1918 i += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 1919 if (totalExtSz == 0) {
wolfSSL 12:0217a9463bc3 1920 WOLFSSL_MSG("HelloRetryRequest must contain extensions");
wolfSSL 12:0217a9463bc3 1921 return MISSING_HANDSHAKE_DATA;
wolfSSL 12:0217a9463bc3 1922 }
wolfSSL 12:0217a9463bc3 1923
wolfSSL 12:0217a9463bc3 1924 /* Extension data. */
wolfSSL 12:0217a9463bc3 1925 if (i - begin + totalExtSz > totalSz)
wolfSSL 12:0217a9463bc3 1926 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 1927 if ((ret = TLSX_Parse(ssl, (byte *)(input + i), totalExtSz,
wolfSSL 12:0217a9463bc3 1928 hello_retry_request, NULL)))
wolfSSL 12:0217a9463bc3 1929 return ret;
wolfSSL 12:0217a9463bc3 1930 /* The KeyShare extension parsing fails when not valid. */
wolfSSL 12:0217a9463bc3 1931
wolfSSL 12:0217a9463bc3 1932 /* Move index to byte after message. */
wolfSSL 12:0217a9463bc3 1933 *inOutIdx = i + totalExtSz;
wolfSSL 12:0217a9463bc3 1934
wolfSSL 12:0217a9463bc3 1935 ssl->options.tls1_3 = 1;
wolfSSL 12:0217a9463bc3 1936 ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST;
wolfSSL 12:0217a9463bc3 1937
wolfSSL 12:0217a9463bc3 1938 return 0;
wolfSSL 12:0217a9463bc3 1939 }
wolfSSL 12:0217a9463bc3 1940
wolfSSL 12:0217a9463bc3 1941 /* Handle the ServerHello message from the server.
wolfSSL 12:0217a9463bc3 1942 * Only a client will receive this message.
wolfSSL 12:0217a9463bc3 1943 *
wolfSSL 12:0217a9463bc3 1944 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 1945 * input The message buffer.
wolfSSL 12:0217a9463bc3 1946 * inOutIdx On entry, the index into the message buffer of ServerHello.
wolfSSL 12:0217a9463bc3 1947 * On exit, the index of byte after the ServerHello message.
wolfSSL 12:0217a9463bc3 1948 * helloSz The length of the current handshake message.
wolfSSL 12:0217a9463bc3 1949 * returns 0 on success and otherwise failure.
wolfSSL 12:0217a9463bc3 1950 */
wolfSSL 12:0217a9463bc3 1951 int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
wolfSSL 12:0217a9463bc3 1952 word32 helloSz)
wolfSSL 12:0217a9463bc3 1953 {
wolfSSL 12:0217a9463bc3 1954 ProtocolVersion pv;
wolfSSL 12:0217a9463bc3 1955 word32 i = *inOutIdx;
wolfSSL 12:0217a9463bc3 1956 word32 begin = i;
wolfSSL 12:0217a9463bc3 1957 int ret;
wolfSSL 12:0217a9463bc3 1958 word16 totalExtSz;
wolfSSL 12:0217a9463bc3 1959
wolfSSL 12:0217a9463bc3 1960 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 1961 if (ssl->hsInfoOn) AddPacketName("ServerHello", &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 1962 if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo);
wolfSSL 12:0217a9463bc3 1963 #endif
wolfSSL 12:0217a9463bc3 1964
wolfSSL 12:0217a9463bc3 1965 /* Protocol version length check. */
wolfSSL 12:0217a9463bc3 1966 if (OPAQUE16_LEN > helloSz)
wolfSSL 12:0217a9463bc3 1967 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 1968
wolfSSL 12:0217a9463bc3 1969 /* Protocol version */
wolfSSL 12:0217a9463bc3 1970 XMEMCPY(&pv, input + i, OPAQUE16_LEN);
wolfSSL 12:0217a9463bc3 1971 i += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 1972 ret = CheckVersion(ssl, pv);
wolfSSL 12:0217a9463bc3 1973 if (ret != 0)
wolfSSL 12:0217a9463bc3 1974 return ret;
wolfSSL 12:0217a9463bc3 1975 if (!IsAtLeastTLSv1_3(pv) && pv.major != TLS_DRAFT_MAJOR) {
wolfSSL 12:0217a9463bc3 1976 ssl->version = pv;
wolfSSL 12:0217a9463bc3 1977 return DoServerHello(ssl, input, inOutIdx, helloSz);
wolfSSL 12:0217a9463bc3 1978 }
wolfSSL 12:0217a9463bc3 1979
wolfSSL 12:0217a9463bc3 1980 /* Random, cipher suite and extensions length check. */
wolfSSL 12:0217a9463bc3 1981 if ((i - begin) + RAN_LEN + OPAQUE16_LEN + OPAQUE16_LEN > helloSz)
wolfSSL 12:0217a9463bc3 1982 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 1983
wolfSSL 12:0217a9463bc3 1984 /* Server random - keep for debugging. */
wolfSSL 12:0217a9463bc3 1985 XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN);
wolfSSL 12:0217a9463bc3 1986 i += RAN_LEN;
wolfSSL 12:0217a9463bc3 1987 /* TODO: [TLS13] Check last 8 bytes. */
wolfSSL 12:0217a9463bc3 1988
wolfSSL 12:0217a9463bc3 1989 /* Set the cipher suite from the message. */
wolfSSL 12:0217a9463bc3 1990 ssl->options.cipherSuite0 = input[i++];
wolfSSL 12:0217a9463bc3 1991 ssl->options.cipherSuite = input[i++];
wolfSSL 12:0217a9463bc3 1992
wolfSSL 12:0217a9463bc3 1993 /* Get extension length and length check. */
wolfSSL 12:0217a9463bc3 1994 ato16(&input[i], &totalExtSz);
wolfSSL 12:0217a9463bc3 1995 i += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 1996 if ((i - begin) + totalExtSz > helloSz)
wolfSSL 12:0217a9463bc3 1997 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 1998
wolfSSL 12:0217a9463bc3 1999 /* Parse and handle extensions. */
wolfSSL 12:0217a9463bc3 2000 ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz, server_hello, NULL);
wolfSSL 12:0217a9463bc3 2001 if (ret != 0)
wolfSSL 12:0217a9463bc3 2002 return ret;
wolfSSL 12:0217a9463bc3 2003
wolfSSL 12:0217a9463bc3 2004 i += totalExtSz;
wolfSSL 12:0217a9463bc3 2005 *inOutIdx = i;
wolfSSL 12:0217a9463bc3 2006
wolfSSL 12:0217a9463bc3 2007 ssl->options.serverState = SERVER_HELLO_COMPLETE;
wolfSSL 12:0217a9463bc3 2008
wolfSSL 12:0217a9463bc3 2009 #ifdef HAVE_SECRET_CALLBACK
wolfSSL 12:0217a9463bc3 2010 if (ssl->sessionSecretCb != NULL) {
wolfSSL 12:0217a9463bc3 2011 int secretSz = SECRET_LEN, ret;
wolfSSL 12:0217a9463bc3 2012 ret = ssl->sessionSecretCb(ssl, ssl->session.masterSecret,
wolfSSL 12:0217a9463bc3 2013 &secretSz, ssl->sessionSecretCtx);
wolfSSL 12:0217a9463bc3 2014 if (ret != 0 || secretSz != SECRET_LEN)
wolfSSL 12:0217a9463bc3 2015 return SESSION_SECRET_CB_E;
wolfSSL 12:0217a9463bc3 2016 }
wolfSSL 12:0217a9463bc3 2017 #endif /* HAVE_SECRET_CALLBACK */
wolfSSL 12:0217a9463bc3 2018
wolfSSL 12:0217a9463bc3 2019 ret = SetCipherSpecs(ssl);
wolfSSL 12:0217a9463bc3 2020 if (ret != 0)
wolfSSL 12:0217a9463bc3 2021 return ret;
wolfSSL 12:0217a9463bc3 2022
wolfSSL 12:0217a9463bc3 2023 #ifndef NO_PSK
wolfSSL 12:0217a9463bc3 2024 if (ssl->options.resuming) {
wolfSSL 12:0217a9463bc3 2025 PreSharedKey *psk = NULL;
wolfSSL 12:0217a9463bc3 2026 TLSX* ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
wolfSSL 12:0217a9463bc3 2027 if (ext != NULL)
wolfSSL 12:0217a9463bc3 2028 psk = (PreSharedKey*)ext->data;
wolfSSL 12:0217a9463bc3 2029 while (psk != NULL && !psk->chosen)
wolfSSL 12:0217a9463bc3 2030 psk = psk->next;
wolfSSL 12:0217a9463bc3 2031 if (psk == NULL) {
wolfSSL 12:0217a9463bc3 2032 ssl->options.resuming = 0;
wolfSSL 12:0217a9463bc3 2033 ssl->arrays->psk_keySz = ssl->specs.hash_size;
wolfSSL 12:0217a9463bc3 2034 XMEMSET(ssl->arrays->psk_key, 0, ssl->arrays->psk_keySz);
wolfSSL 12:0217a9463bc3 2035 }
wolfSSL 12:0217a9463bc3 2036 }
wolfSSL 12:0217a9463bc3 2037 #endif
wolfSSL 12:0217a9463bc3 2038
wolfSSL 12:0217a9463bc3 2039 ssl->keys.encryptionOn = 1;
wolfSSL 12:0217a9463bc3 2040
wolfSSL 12:0217a9463bc3 2041 return ret;
wolfSSL 12:0217a9463bc3 2042 }
wolfSSL 12:0217a9463bc3 2043
wolfSSL 12:0217a9463bc3 2044 /* Parse and handle an EncryptedExtensions message.
wolfSSL 12:0217a9463bc3 2045 * Only a client will receive this message.
wolfSSL 12:0217a9463bc3 2046 *
wolfSSL 12:0217a9463bc3 2047 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 2048 * input The message buffer.
wolfSSL 12:0217a9463bc3 2049 * inOutIdx On entry, the index into the message buffer of
wolfSSL 12:0217a9463bc3 2050 * EncryptedExtensions.
wolfSSL 12:0217a9463bc3 2051 * On exit, the index of byte after the EncryptedExtensions
wolfSSL 12:0217a9463bc3 2052 * message.
wolfSSL 12:0217a9463bc3 2053 * totalSz The length of the current handshake message.
wolfSSL 12:0217a9463bc3 2054 * returns 0 on success and otherwise failure.
wolfSSL 12:0217a9463bc3 2055 */
wolfSSL 12:0217a9463bc3 2056 static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input,
wolfSSL 12:0217a9463bc3 2057 word32* inOutIdx, word32 totalSz)
wolfSSL 12:0217a9463bc3 2058 {
wolfSSL 12:0217a9463bc3 2059 int ret;
wolfSSL 12:0217a9463bc3 2060 word32 begin = *inOutIdx;
wolfSSL 12:0217a9463bc3 2061 word32 i = begin;
wolfSSL 12:0217a9463bc3 2062 word16 totalExtSz;
wolfSSL 12:0217a9463bc3 2063
wolfSSL 12:0217a9463bc3 2064 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 2065 if (ssl->hsInfoOn) AddPacketName("EncryptedExtensions",
wolfSSL 12:0217a9463bc3 2066 &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 2067 if (ssl->toInfoOn) AddLateName("EncryptedExtensions", &ssl->timeoutInfo);
wolfSSL 12:0217a9463bc3 2068 #endif
wolfSSL 12:0217a9463bc3 2069
wolfSSL 12:0217a9463bc3 2070 /* Length field of extension data. */
wolfSSL 12:0217a9463bc3 2071 if (totalSz < i - begin + OPAQUE16_LEN)
wolfSSL 12:0217a9463bc3 2072 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2073 ato16(&input[i], &totalExtSz);
wolfSSL 12:0217a9463bc3 2074 i += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 2075
wolfSSL 12:0217a9463bc3 2076 /* Extension data. */
wolfSSL 12:0217a9463bc3 2077 if (i - begin + totalExtSz > totalSz)
wolfSSL 12:0217a9463bc3 2078 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2079 if ((ret = TLSX_Parse(ssl, (byte *)(input + i), totalExtSz,
wolfSSL 12:0217a9463bc3 2080 encrypted_extensions, NULL)))
wolfSSL 12:0217a9463bc3 2081 return ret;
wolfSSL 12:0217a9463bc3 2082
wolfSSL 12:0217a9463bc3 2083 /* Move index to byte after message. */
wolfSSL 12:0217a9463bc3 2084 *inOutIdx = i + totalExtSz;
wolfSSL 12:0217a9463bc3 2085
wolfSSL 12:0217a9463bc3 2086 /* Always encrypted. */
wolfSSL 12:0217a9463bc3 2087 *inOutIdx += ssl->keys.padSz;
wolfSSL 12:0217a9463bc3 2088
wolfSSL 12:0217a9463bc3 2089 return 0;
wolfSSL 12:0217a9463bc3 2090 }
wolfSSL 12:0217a9463bc3 2091
wolfSSL 12:0217a9463bc3 2092 /* Handle a TLS v1.3 CertificateRequest message.
wolfSSL 12:0217a9463bc3 2093 * This message is always encrypted.
wolfSSL 12:0217a9463bc3 2094 * Only a client will receive this message.
wolfSSL 12:0217a9463bc3 2095 *
wolfSSL 12:0217a9463bc3 2096 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 2097 * input The message buffer.
wolfSSL 12:0217a9463bc3 2098 * inOutIdx On entry, the index into the message buffer of CertificateRequest.
wolfSSL 12:0217a9463bc3 2099 * On exit, the index of byte after the CertificateRequest message.
wolfSSL 12:0217a9463bc3 2100 * size The length of the current handshake message.
wolfSSL 12:0217a9463bc3 2101 * returns 0 on success and otherwise failure.
wolfSSL 12:0217a9463bc3 2102 */
wolfSSL 12:0217a9463bc3 2103 static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
wolfSSL 12:0217a9463bc3 2104 word32* inOutIdx, word32 size)
wolfSSL 12:0217a9463bc3 2105 {
wolfSSL 12:0217a9463bc3 2106 word16 len;
wolfSSL 12:0217a9463bc3 2107 word32 begin = *inOutIdx;
wolfSSL 12:0217a9463bc3 2108
wolfSSL 12:0217a9463bc3 2109 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 2110 if (ssl->hsInfoOn) AddPacketName("CertificateRequest",
wolfSSL 12:0217a9463bc3 2111 &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 2112 if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo);
wolfSSL 12:0217a9463bc3 2113 #endif
wolfSSL 12:0217a9463bc3 2114
wolfSSL 12:0217a9463bc3 2115 if ((*inOutIdx - begin) + OPAQUE8_LEN > size)
wolfSSL 12:0217a9463bc3 2116 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2117
wolfSSL 12:0217a9463bc3 2118 /* Length of the request context. */
wolfSSL 12:0217a9463bc3 2119 len = input[(*inOutIdx)++];
wolfSSL 12:0217a9463bc3 2120 if ((*inOutIdx - begin) + len > size)
wolfSSL 12:0217a9463bc3 2121 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2122 if (ssl->options.connectState < FINISHED_DONE && len > 0)
wolfSSL 12:0217a9463bc3 2123 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2124
wolfSSL 12:0217a9463bc3 2125 /* Request context parsed here. */
wolfSSL 12:0217a9463bc3 2126 /* TODO: [TLS13] Request context for post-handshake auth.
wolfSSL 12:0217a9463bc3 2127 * Store the value and return it in Certificate message.
wolfSSL 12:0217a9463bc3 2128 * Must be unique in the scope of the connection.
wolfSSL 12:0217a9463bc3 2129 */
wolfSSL 12:0217a9463bc3 2130 *inOutIdx += len;
wolfSSL 12:0217a9463bc3 2131
wolfSSL 12:0217a9463bc3 2132 /* Signature and hash algorithms. */
wolfSSL 12:0217a9463bc3 2133 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
wolfSSL 12:0217a9463bc3 2134 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2135 ato16(input + *inOutIdx, &len);
wolfSSL 12:0217a9463bc3 2136 *inOutIdx += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 2137 if ((*inOutIdx - begin) + len > size)
wolfSSL 12:0217a9463bc3 2138 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2139 PickHashSigAlgo(ssl, input + *inOutIdx, len);
wolfSSL 12:0217a9463bc3 2140 *inOutIdx += len;
wolfSSL 12:0217a9463bc3 2141
wolfSSL 12:0217a9463bc3 2142 /* Length of certificate authority data. */
wolfSSL 12:0217a9463bc3 2143 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
wolfSSL 12:0217a9463bc3 2144 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2145 ato16(input + *inOutIdx, &len);
wolfSSL 12:0217a9463bc3 2146 *inOutIdx += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 2147 if ((*inOutIdx - begin) + len > size)
wolfSSL 12:0217a9463bc3 2148 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2149
wolfSSL 12:0217a9463bc3 2150 /* Certificate authorities. */
wolfSSL 12:0217a9463bc3 2151 while (len) {
wolfSSL 12:0217a9463bc3 2152 word16 dnSz;
wolfSSL 12:0217a9463bc3 2153
wolfSSL 12:0217a9463bc3 2154 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
wolfSSL 12:0217a9463bc3 2155 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2156
wolfSSL 12:0217a9463bc3 2157 ato16(input + *inOutIdx, &dnSz);
wolfSSL 12:0217a9463bc3 2158 *inOutIdx += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 2159
wolfSSL 12:0217a9463bc3 2160 if ((*inOutIdx - begin) + dnSz > size)
wolfSSL 12:0217a9463bc3 2161 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2162
wolfSSL 12:0217a9463bc3 2163 *inOutIdx += dnSz;
wolfSSL 12:0217a9463bc3 2164 len -= OPAQUE16_LEN + dnSz;
wolfSSL 12:0217a9463bc3 2165 }
wolfSSL 12:0217a9463bc3 2166
wolfSSL 12:0217a9463bc3 2167 /* TODO: [TLS13] Add extension handling. */
wolfSSL 12:0217a9463bc3 2168 /* Certificate extensions */
wolfSSL 12:0217a9463bc3 2169 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
wolfSSL 12:0217a9463bc3 2170 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2171 ato16(input + *inOutIdx, &len);
wolfSSL 12:0217a9463bc3 2172 *inOutIdx += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 2173 if ((*inOutIdx - begin) + len > size)
wolfSSL 12:0217a9463bc3 2174 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2175 /* Skip over extensions for now. */
wolfSSL 12:0217a9463bc3 2176 *inOutIdx += len;
wolfSSL 12:0217a9463bc3 2177
wolfSSL 12:0217a9463bc3 2178 ssl->options.sendVerify = SEND_CERT;
wolfSSL 12:0217a9463bc3 2179
wolfSSL 12:0217a9463bc3 2180 /* This message is always encrypted so add encryption padding. */
wolfSSL 12:0217a9463bc3 2181 *inOutIdx += ssl->keys.padSz;
wolfSSL 12:0217a9463bc3 2182
wolfSSL 12:0217a9463bc3 2183 return 0;
wolfSSL 12:0217a9463bc3 2184 }
wolfSSL 12:0217a9463bc3 2185
wolfSSL 12:0217a9463bc3 2186 #endif /* !NO_WOLFSSL_CLIENT */
wolfSSL 12:0217a9463bc3 2187
wolfSSL 12:0217a9463bc3 2188 #ifndef NO_WOLFSSL_SERVER
wolfSSL 12:0217a9463bc3 2189 #if defined(HAVE_SESSION_TICKET) && !defined(NO_PSK)
wolfSSL 12:0217a9463bc3 2190 /* Handle any Pre-Shared Key (PSK) extension.
wolfSSL 12:0217a9463bc3 2191 * Must do this in ClientHello as it requires a hash of the truncated message.
wolfSSL 12:0217a9463bc3 2192 * Don't know size of binders until Pre-Shared Key extension has been parsed.
wolfSSL 12:0217a9463bc3 2193 *
wolfSSL 12:0217a9463bc3 2194 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 2195 * input The ClientHello message.
wolfSSL 12:0217a9463bc3 2196 * helloSz The size of the ClientHello message (including binders if present).
wolfSSL 12:0217a9463bc3 2197 * usingPSK Indicates handshake is using Pre-Shared Keys.
wolfSSL 12:0217a9463bc3 2198 * returns 0 on success and otherwise failure.
wolfSSL 12:0217a9463bc3 2199 */
wolfSSL 12:0217a9463bc3 2200 static int DoPreSharedKeys(WOLFSSL *ssl, const byte* input, word32 helloSz,
wolfSSL 12:0217a9463bc3 2201 int* usingPSK)
wolfSSL 12:0217a9463bc3 2202 {
wolfSSL 12:0217a9463bc3 2203 int ret;
wolfSSL 12:0217a9463bc3 2204 TLSX* ext;
wolfSSL 12:0217a9463bc3 2205 word16 bindersLen;
wolfSSL 12:0217a9463bc3 2206 PreSharedKey* current;
wolfSSL 12:0217a9463bc3 2207 byte binderKey[MAX_DIGEST_SIZE];
wolfSSL 12:0217a9463bc3 2208 byte binder[MAX_DIGEST_SIZE];
wolfSSL 12:0217a9463bc3 2209 word16 binderLen;
wolfSSL 12:0217a9463bc3 2210 word16 modes;
wolfSSL 12:0217a9463bc3 2211
wolfSSL 12:0217a9463bc3 2212 ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
wolfSSL 12:0217a9463bc3 2213 if (ext == NULL)
wolfSSL 12:0217a9463bc3 2214 return 0;
wolfSSL 12:0217a9463bc3 2215
wolfSSL 12:0217a9463bc3 2216 /* Extensions pushed on stack/list and PSK must be last. */
wolfSSL 12:0217a9463bc3 2217 if (ssl->extensions != ext)
wolfSSL 12:0217a9463bc3 2218 return PSK_KEY_ERROR;
wolfSSL 12:0217a9463bc3 2219
wolfSSL 12:0217a9463bc3 2220 /* Assume we are going to resume with a pre-shared key. */
wolfSSL 12:0217a9463bc3 2221 ssl->options.resuming = 1;
wolfSSL 12:0217a9463bc3 2222
wolfSSL 12:0217a9463bc3 2223 /* Find the pre-shared key extension and calculate hash of truncated
wolfSSL 12:0217a9463bc3 2224 * ClientHello for binders.
wolfSSL 12:0217a9463bc3 2225 */
wolfSSL 12:0217a9463bc3 2226 bindersLen = TLSX_PreSharedKey_GetSizeBinders(ext->data, client_hello);
wolfSSL 12:0217a9463bc3 2227
wolfSSL 12:0217a9463bc3 2228 /* Hash data up to binders for deriving binders in PSK extension. */
wolfSSL 12:0217a9463bc3 2229 ret = HashInput(ssl, input, helloSz - bindersLen);
wolfSSL 12:0217a9463bc3 2230 if (ret != 0)
wolfSSL 12:0217a9463bc3 2231 return ret;
wolfSSL 12:0217a9463bc3 2232
wolfSSL 12:0217a9463bc3 2233 /* Look through all client's pre-shared keys for a match. */
wolfSSL 12:0217a9463bc3 2234 current = (PreSharedKey*)ext->data;
wolfSSL 12:0217a9463bc3 2235 while (current != NULL) {
wolfSSL 12:0217a9463bc3 2236 /* TODO: [TLS13] Support non-ticket PSK. */
wolfSSL 12:0217a9463bc3 2237 /* Decode the identity. */
wolfSSL 12:0217a9463bc3 2238 ret = DoClientTicket(ssl, current->identity, current->identityLen);
wolfSSL 12:0217a9463bc3 2239 if (ret != WOLFSSL_TICKET_RET_OK)
wolfSSL 12:0217a9463bc3 2240 continue;
wolfSSL 12:0217a9463bc3 2241
wolfSSL 12:0217a9463bc3 2242 if (current->resumption) {
wolfSSL 12:0217a9463bc3 2243 /* Check the ticket isn't too old or new. */
wolfSSL 12:0217a9463bc3 2244 int diff = TimeNowInMilliseconds() - ssl->session.ticketSeen;
wolfSSL 12:0217a9463bc3 2245 diff -= current->ticketAge - ssl->session.ticketAdd;
wolfSSL 12:0217a9463bc3 2246 /* TODO: [TLS13] What should the value be? Configurable? */
wolfSSL 12:0217a9463bc3 2247 if (diff < -1000 || diff > 1000) {
wolfSSL 12:0217a9463bc3 2248 /* Invalid difference, fallback to full handshake. */
wolfSSL 12:0217a9463bc3 2249 ssl->options.resuming = 0;
wolfSSL 12:0217a9463bc3 2250 break;
wolfSSL 12:0217a9463bc3 2251 }
wolfSSL 12:0217a9463bc3 2252
wolfSSL 12:0217a9463bc3 2253 /* Use the same cipher suite as before and set up for use. */
wolfSSL 12:0217a9463bc3 2254 ssl->options.cipherSuite0 = ssl->session.cipherSuite0;
wolfSSL 12:0217a9463bc3 2255 ssl->options.cipherSuite = ssl->session.cipherSuite;
wolfSSL 12:0217a9463bc3 2256 ret = SetCipherSpecs(ssl);
wolfSSL 12:0217a9463bc3 2257 if (ret != 0)
wolfSSL 12:0217a9463bc3 2258 return ret;
wolfSSL 12:0217a9463bc3 2259
wolfSSL 12:0217a9463bc3 2260 /* Resumption PSK is resumption master secret. */
wolfSSL 12:0217a9463bc3 2261 ssl->arrays->psk_keySz = ssl->specs.hash_size;
wolfSSL 12:0217a9463bc3 2262 XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret,
wolfSSL 12:0217a9463bc3 2263 ssl->specs.hash_size);
wolfSSL 12:0217a9463bc3 2264 /* Derive the early secret using the PSK. */
wolfSSL 12:0217a9463bc3 2265 DeriveEarlySecret(ssl);
wolfSSL 12:0217a9463bc3 2266 /* Derive the binder key to use to with HMAC. */
wolfSSL 12:0217a9463bc3 2267 DeriveBinderKeyResume(ssl, binderKey);
wolfSSL 12:0217a9463bc3 2268 }
wolfSSL 12:0217a9463bc3 2269 else {
wolfSSL 12:0217a9463bc3 2270 /* PSK age is always zero. */
wolfSSL 12:0217a9463bc3 2271 if (current->ticketAge != ssl->session.ticketAdd)
wolfSSL 12:0217a9463bc3 2272 return PSK_KEY_ERROR;
wolfSSL 12:0217a9463bc3 2273
wolfSSL 12:0217a9463bc3 2274 /* Get the pre-shared key. */
wolfSSL 12:0217a9463bc3 2275 ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
wolfSSL 12:0217a9463bc3 2276 (char*)current->identity, ssl->arrays->client_identity,
wolfSSL 12:0217a9463bc3 2277 MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
wolfSSL 12:0217a9463bc3 2278 /* Derive the early secret using the PSK. */
wolfSSL 12:0217a9463bc3 2279 DeriveEarlySecret(ssl);
wolfSSL 12:0217a9463bc3 2280 /* Derive the binder key to use to with HMAC. */
wolfSSL 12:0217a9463bc3 2281 DeriveBinderKey(ssl, binderKey);
wolfSSL 12:0217a9463bc3 2282 }
wolfSSL 12:0217a9463bc3 2283
wolfSSL 12:0217a9463bc3 2284 /* Derive the Finished message secret. */
wolfSSL 12:0217a9463bc3 2285 DeriveFinishedSecret(ssl, binderKey, ssl->keys.client_write_MAC_secret);
wolfSSL 12:0217a9463bc3 2286 /* Derive the binder and compare with the one in the extension. */
wolfSSL 12:0217a9463bc3 2287 binderLen = BuildTls13HandshakeHmac(ssl,
wolfSSL 12:0217a9463bc3 2288 ssl->keys.client_write_MAC_secret, binder);
wolfSSL 12:0217a9463bc3 2289 if (binderLen != current->binderLen ||
wolfSSL 12:0217a9463bc3 2290 XMEMCMP(binder, current->binder, binderLen) != 0) {
wolfSSL 12:0217a9463bc3 2291 return BAD_BINDER;
wolfSSL 12:0217a9463bc3 2292 }
wolfSSL 12:0217a9463bc3 2293
wolfSSL 12:0217a9463bc3 2294 /* This PSK works, no need to try any more. */
wolfSSL 12:0217a9463bc3 2295 current->chosen = 1;
wolfSSL 12:0217a9463bc3 2296 ext->resp = 1;
wolfSSL 12:0217a9463bc3 2297 break;
wolfSSL 12:0217a9463bc3 2298 }
wolfSSL 12:0217a9463bc3 2299
wolfSSL 12:0217a9463bc3 2300 /* Hash the rest of the ClientHello. */
wolfSSL 12:0217a9463bc3 2301 ret = HashInputRaw(ssl, input + helloSz - bindersLen, bindersLen);
wolfSSL 12:0217a9463bc3 2302 if (ret != 0)
wolfSSL 12:0217a9463bc3 2303 return ret;
wolfSSL 12:0217a9463bc3 2304
wolfSSL 12:0217a9463bc3 2305 /* Get the PSK key exchange modes the client wants to negotiate. */
wolfSSL 12:0217a9463bc3 2306 ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
wolfSSL 12:0217a9463bc3 2307 if (ext == NULL)
wolfSSL 12:0217a9463bc3 2308 return MISSING_HANDSHAKE_DATA;
wolfSSL 12:0217a9463bc3 2309 modes = ext->val;
wolfSSL 12:0217a9463bc3 2310
wolfSSL 12:0217a9463bc3 2311 ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
wolfSSL 12:0217a9463bc3 2312 /* Use (EC)DHE for forward-security if possible. */
wolfSSL 12:0217a9463bc3 2313 if (ext != NULL && (modes & (1 << PSK_DHE_KE)) != 0 &&
wolfSSL 12:0217a9463bc3 2314 !ssl->options.noPskDheKe) {
wolfSSL 12:0217a9463bc3 2315 /* Only use named group used in last session. */
wolfSSL 12:0217a9463bc3 2316 ssl->namedGroup = ssl->session.namedGroup;
wolfSSL 12:0217a9463bc3 2317
wolfSSL 12:0217a9463bc3 2318 /* Try to establish a new secret. */
wolfSSL 12:0217a9463bc3 2319 ret = TLSX_KeyShare_Establish(ssl);
wolfSSL 12:0217a9463bc3 2320 if (ret == KEY_SHARE_ERROR)
wolfSSL 12:0217a9463bc3 2321 return PSK_KEY_ERROR;
wolfSSL 12:0217a9463bc3 2322 else if (ret > 0)
wolfSSL 12:0217a9463bc3 2323 ret = 0;
wolfSSL 12:0217a9463bc3 2324
wolfSSL 12:0217a9463bc3 2325 /* Send new public key to client. */
wolfSSL 12:0217a9463bc3 2326 ext->resp = 1;
wolfSSL 12:0217a9463bc3 2327 }
wolfSSL 12:0217a9463bc3 2328 else if ((modes & (1 << PSK_KE)) != 0) {
wolfSSL 12:0217a9463bc3 2329 /* Don't send a key share extension back. */
wolfSSL 12:0217a9463bc3 2330 if (ext != NULL)
wolfSSL 12:0217a9463bc3 2331 ext->resp = 0;
wolfSSL 12:0217a9463bc3 2332 }
wolfSSL 12:0217a9463bc3 2333 else
wolfSSL 12:0217a9463bc3 2334 return PSK_KEY_ERROR;
wolfSSL 12:0217a9463bc3 2335
wolfSSL 12:0217a9463bc3 2336 *usingPSK = 1;
wolfSSL 12:0217a9463bc3 2337
wolfSSL 12:0217a9463bc3 2338 return ret;
wolfSSL 12:0217a9463bc3 2339 }
wolfSSL 12:0217a9463bc3 2340 #endif
wolfSSL 12:0217a9463bc3 2341
wolfSSL 12:0217a9463bc3 2342 /* Handle a ClientHello handshake message.
wolfSSL 12:0217a9463bc3 2343 * If the protocol version in the message is not TLS v1.3 or higher, use
wolfSSL 12:0217a9463bc3 2344 * DoClientHello()
wolfSSL 12:0217a9463bc3 2345 * Only a server will receive this message.
wolfSSL 12:0217a9463bc3 2346 *
wolfSSL 12:0217a9463bc3 2347 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 2348 * input The message buffer.
wolfSSL 12:0217a9463bc3 2349 * inOutIdx On entry, the index into the message buffer of ClientHello.
wolfSSL 12:0217a9463bc3 2350 * On exit, the index of byte after the ClientHello message and
wolfSSL 12:0217a9463bc3 2351 * padding.
wolfSSL 12:0217a9463bc3 2352 * helloSz The length of the current handshake message.
wolfSSL 12:0217a9463bc3 2353 * returns 0 on success and otherwise failure.
wolfSSL 12:0217a9463bc3 2354 */
wolfSSL 12:0217a9463bc3 2355 static int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
wolfSSL 12:0217a9463bc3 2356 word32 helloSz)
wolfSSL 12:0217a9463bc3 2357 {
wolfSSL 12:0217a9463bc3 2358 int ret;
wolfSSL 12:0217a9463bc3 2359 byte b;
wolfSSL 12:0217a9463bc3 2360 ProtocolVersion pv;
wolfSSL 12:0217a9463bc3 2361 Suites clSuites;
wolfSSL 12:0217a9463bc3 2362 word32 i = *inOutIdx;
wolfSSL 12:0217a9463bc3 2363 word32 begin = i;
wolfSSL 12:0217a9463bc3 2364 word16 totalExtSz;
wolfSSL 12:0217a9463bc3 2365 int usingPSK = 0;
wolfSSL 12:0217a9463bc3 2366
wolfSSL 12:0217a9463bc3 2367 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 2368 if (ssl->hsInfoOn) AddPacketName("ClientHello", &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 2369 if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo);
wolfSSL 12:0217a9463bc3 2370 #endif
wolfSSL 12:0217a9463bc3 2371
wolfSSL 12:0217a9463bc3 2372 /* protocol version, random and session id length check */
wolfSSL 12:0217a9463bc3 2373 if ((i - begin) + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz)
wolfSSL 12:0217a9463bc3 2374 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2375
wolfSSL 12:0217a9463bc3 2376 /* Protocol version */
wolfSSL 12:0217a9463bc3 2377 XMEMCPY(&pv, input + i, OPAQUE16_LEN);
wolfSSL 12:0217a9463bc3 2378 ssl->chVersion = pv; /* store */
wolfSSL 12:0217a9463bc3 2379 i += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 2380
wolfSSL 12:0217a9463bc3 2381 if ((ssl->version.major == SSLv3_MAJOR &&
wolfSSL 12:0217a9463bc3 2382 ssl->version.minor < TLSv1_3_MINOR) || ssl->options.dtls) {
wolfSSL 12:0217a9463bc3 2383 return DoClientHello(ssl, input, inOutIdx, helloSz);
wolfSSL 12:0217a9463bc3 2384 }
wolfSSL 12:0217a9463bc3 2385
wolfSSL 12:0217a9463bc3 2386 /* Client random */
wolfSSL 12:0217a9463bc3 2387 XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN);
wolfSSL 12:0217a9463bc3 2388 i += RAN_LEN;
wolfSSL 12:0217a9463bc3 2389
wolfSSL 12:0217a9463bc3 2390 #ifdef WOLFSSL_DEBUG_TLS
wolfSSL 12:0217a9463bc3 2391 WOLFSSL_MSG("client random");
wolfSSL 12:0217a9463bc3 2392 WOLFSSL_BUFFER(ssl->arrays->clientRandom, RAN_LEN);
wolfSSL 12:0217a9463bc3 2393 #endif
wolfSSL 12:0217a9463bc3 2394
wolfSSL 12:0217a9463bc3 2395
wolfSSL 12:0217a9463bc3 2396 /* Session id - empty in TLS v1.3 */
wolfSSL 12:0217a9463bc3 2397 b = input[i++];
wolfSSL 12:0217a9463bc3 2398 if (b != 0) {
wolfSSL 12:0217a9463bc3 2399 WOLFSSL_MSG("Client sent session id - not supported");
wolfSSL 12:0217a9463bc3 2400 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2401 }
wolfSSL 12:0217a9463bc3 2402
wolfSSL 12:0217a9463bc3 2403 /* Cipher suites */
wolfSSL 12:0217a9463bc3 2404 if ((i - begin) + OPAQUE16_LEN > helloSz)
wolfSSL 12:0217a9463bc3 2405 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2406 ato16(&input[i], &clSuites.suiteSz);
wolfSSL 12:0217a9463bc3 2407 i += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 2408 /* suites and compression length check */
wolfSSL 12:0217a9463bc3 2409 if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz)
wolfSSL 12:0217a9463bc3 2410 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2411 if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ)
wolfSSL 12:0217a9463bc3 2412 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2413 XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz);
wolfSSL 12:0217a9463bc3 2414 i += clSuites.suiteSz;
wolfSSL 12:0217a9463bc3 2415 clSuites.hashSigAlgoSz = 0;
wolfSSL 12:0217a9463bc3 2416
wolfSSL 12:0217a9463bc3 2417 /* Compression */
wolfSSL 12:0217a9463bc3 2418 b = input[i++];
wolfSSL 12:0217a9463bc3 2419 if ((i - begin) + b > helloSz)
wolfSSL 12:0217a9463bc3 2420 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2421 if (b != COMP_LEN) {
wolfSSL 12:0217a9463bc3 2422 WOLFSSL_MSG("Must be one compression type in list");
wolfSSL 12:0217a9463bc3 2423 return INVALID_PARAMETER;
wolfSSL 12:0217a9463bc3 2424 }
wolfSSL 12:0217a9463bc3 2425 b = input[i++];
wolfSSL 12:0217a9463bc3 2426 if (b != NO_COMPRESSION) {
wolfSSL 12:0217a9463bc3 2427 WOLFSSL_MSG("Must be no compression type in list");
wolfSSL 12:0217a9463bc3 2428 return INVALID_PARAMETER;
wolfSSL 12:0217a9463bc3 2429 }
wolfSSL 12:0217a9463bc3 2430
wolfSSL 12:0217a9463bc3 2431 /* TLS v1.3 ClientHello messages will have extensions. */
wolfSSL 12:0217a9463bc3 2432 if ((i - begin) >= helloSz) {
wolfSSL 12:0217a9463bc3 2433 WOLFSSL_MSG("ClientHello must have extensions in TLS v1.3");
wolfSSL 12:0217a9463bc3 2434 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2435 }
wolfSSL 12:0217a9463bc3 2436 if ((i - begin) + OPAQUE16_LEN > helloSz)
wolfSSL 12:0217a9463bc3 2437 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2438 ato16(&input[i], &totalExtSz);
wolfSSL 12:0217a9463bc3 2439 i += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 2440 if ((i - begin) + totalExtSz > helloSz)
wolfSSL 12:0217a9463bc3 2441 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 2442
wolfSSL 12:0217a9463bc3 2443 #ifdef HAVE_QSH
wolfSSL 12:0217a9463bc3 2444 QSH_Init(ssl);
wolfSSL 12:0217a9463bc3 2445 #endif
wolfSSL 12:0217a9463bc3 2446
wolfSSL 12:0217a9463bc3 2447 /* Auto populate extensions supported unless user defined. */
wolfSSL 12:0217a9463bc3 2448 if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0)
wolfSSL 12:0217a9463bc3 2449 return ret;
wolfSSL 12:0217a9463bc3 2450
wolfSSL 12:0217a9463bc3 2451 /* Parse extensions */
wolfSSL 12:0217a9463bc3 2452 if ((ret = TLSX_Parse(ssl, (byte*)input + i, totalExtSz, client_hello,
wolfSSL 12:0217a9463bc3 2453 &clSuites))) {
wolfSSL 12:0217a9463bc3 2454 return ret;
wolfSSL 12:0217a9463bc3 2455 }
wolfSSL 12:0217a9463bc3 2456
wolfSSL 12:0217a9463bc3 2457 #ifdef HAVE_STUNNEL
wolfSSL 12:0217a9463bc3 2458 if ((ret = SNI_Callback(ssl)) != 0)
wolfSSL 12:0217a9463bc3 2459 return ret;
wolfSSL 12:0217a9463bc3 2460 #endif /*HAVE_STUNNEL*/
wolfSSL 12:0217a9463bc3 2461
wolfSSL 12:0217a9463bc3 2462 if (TLSX_Find(ssl->extensions, TLSX_SUPPORTED_VERSIONS) == NULL)
wolfSSL 12:0217a9463bc3 2463 ssl->version.minor = pv.minor;
wolfSSL 12:0217a9463bc3 2464
wolfSSL 12:0217a9463bc3 2465 #if defined(HAVE_SESSION_TICKET) && !defined(NO_PSK)
wolfSSL 12:0217a9463bc3 2466 /* Process the Pre-Shared Key extension if present. */
wolfSSL 12:0217a9463bc3 2467 ret = DoPreSharedKeys(ssl, input + begin, helloSz, &usingPSK);
wolfSSL 12:0217a9463bc3 2468 if (ret != 0)
wolfSSL 12:0217a9463bc3 2469 return ret;
wolfSSL 12:0217a9463bc3 2470 #endif
wolfSSL 12:0217a9463bc3 2471
wolfSSL 12:0217a9463bc3 2472 if (!usingPSK) {
wolfSSL 12:0217a9463bc3 2473 ret = MatchSuite(ssl, &clSuites);
wolfSSL 12:0217a9463bc3 2474 if (ret < 0) {
wolfSSL 12:0217a9463bc3 2475 WOLFSSL_MSG("Unsupported cipher suite, ClientHello");
wolfSSL 12:0217a9463bc3 2476 return ret;
wolfSSL 12:0217a9463bc3 2477 }
wolfSSL 12:0217a9463bc3 2478
wolfSSL 12:0217a9463bc3 2479 #ifndef NO_PSK
wolfSSL 12:0217a9463bc3 2480 if (ssl->options.resuming) {
wolfSSL 12:0217a9463bc3 2481 ssl->options.resuming = 0;
wolfSSL 12:0217a9463bc3 2482 XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size);
wolfSSL 12:0217a9463bc3 2483 /* May or may not have done any hashing. */
wolfSSL 12:0217a9463bc3 2484 ret = InitHandshakeHashes(ssl);
wolfSSL 12:0217a9463bc3 2485 if (ret != 0)
wolfSSL 12:0217a9463bc3 2486 return ret;
wolfSSL 12:0217a9463bc3 2487 }
wolfSSL 12:0217a9463bc3 2488 #endif
wolfSSL 12:0217a9463bc3 2489
wolfSSL 12:0217a9463bc3 2490 ret = HashInput(ssl, input + begin, helloSz);
wolfSSL 12:0217a9463bc3 2491 if (ret != 0)
wolfSSL 12:0217a9463bc3 2492 return ret;
wolfSSL 12:0217a9463bc3 2493 }
wolfSSL 12:0217a9463bc3 2494
wolfSSL 12:0217a9463bc3 2495 i += totalExtSz;
wolfSSL 12:0217a9463bc3 2496 *inOutIdx = i;
wolfSSL 12:0217a9463bc3 2497
wolfSSL 12:0217a9463bc3 2498 ssl->options.clientState = CLIENT_HELLO_COMPLETE;
wolfSSL 12:0217a9463bc3 2499
wolfSSL 12:0217a9463bc3 2500 return 0;
wolfSSL 12:0217a9463bc3 2501 }
wolfSSL 12:0217a9463bc3 2502
wolfSSL 12:0217a9463bc3 2503 /* Send the HelloRetryRequest message to indicate the negotiated protocol
wolfSSL 12:0217a9463bc3 2504 * version and security parameters the server is willing to use.
wolfSSL 12:0217a9463bc3 2505 * Only a server will send this message.
wolfSSL 12:0217a9463bc3 2506 *
wolfSSL 12:0217a9463bc3 2507 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 2508 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 2509 */
wolfSSL 12:0217a9463bc3 2510 int SendTls13HelloRetryRequest(WOLFSSL *ssl)
wolfSSL 12:0217a9463bc3 2511 {
wolfSSL 12:0217a9463bc3 2512 int ret;
wolfSSL 12:0217a9463bc3 2513 byte* output;
wolfSSL 12:0217a9463bc3 2514 word32 length;
wolfSSL 12:0217a9463bc3 2515 word32 len;
wolfSSL 12:0217a9463bc3 2516 word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 2517 int sendSz;
wolfSSL 12:0217a9463bc3 2518
wolfSSL 12:0217a9463bc3 2519 /* Get the length of the extensions that will be written. */
wolfSSL 12:0217a9463bc3 2520 len = TLSX_GetResponseSize(ssl, hello_retry_request);
wolfSSL 12:0217a9463bc3 2521 /* There must be extensions sent to indicate what client needs to do. */
wolfSSL 12:0217a9463bc3 2522 if (len == 0)
wolfSSL 12:0217a9463bc3 2523 return MISSING_HANDSHAKE_DATA;
wolfSSL 12:0217a9463bc3 2524
wolfSSL 12:0217a9463bc3 2525 /* Protocol version + Extensions */
wolfSSL 12:0217a9463bc3 2526 length = OPAQUE16_LEN + len;
wolfSSL 12:0217a9463bc3 2527 sendSz = idx + length;
wolfSSL 12:0217a9463bc3 2528
wolfSSL 12:0217a9463bc3 2529 /* Check buffers are big enough and grow if needed. */
wolfSSL 12:0217a9463bc3 2530 ret = CheckAvailableSize(ssl, sendSz);
wolfSSL 12:0217a9463bc3 2531 if (ret != 0)
wolfSSL 12:0217a9463bc3 2532 return ret;
wolfSSL 12:0217a9463bc3 2533
wolfSSL 12:0217a9463bc3 2534 /* Get position in output buffer to write new message to. */
wolfSSL 12:0217a9463bc3 2535 output = ssl->buffers.outputBuffer.buffer +
wolfSSL 12:0217a9463bc3 2536 ssl->buffers.outputBuffer.length;
wolfSSL 12:0217a9463bc3 2537 /* Add record and hanshake headers. */
wolfSSL 12:0217a9463bc3 2538 AddTls13Headers(output, length, hello_retry_request, ssl);
wolfSSL 12:0217a9463bc3 2539
wolfSSL 12:0217a9463bc3 2540 /* TODO: [TLS13] Replace existing code with code in comment.
wolfSSL 12:0217a9463bc3 2541 * Use the TLS v1.3 draft version for now.
wolfSSL 12:0217a9463bc3 2542 *
wolfSSL 12:0217a9463bc3 2543 * Change to:
wolfSSL 12:0217a9463bc3 2544 * output[idx++] = ssl->version.major;
wolfSSL 12:0217a9463bc3 2545 * output[idx++] = ssl->version.minor;
wolfSSL 12:0217a9463bc3 2546 */
wolfSSL 12:0217a9463bc3 2547 /* The negotiated protocol version. */
wolfSSL 12:0217a9463bc3 2548 output[idx++] = TLS_DRAFT_MAJOR;
wolfSSL 12:0217a9463bc3 2549 output[idx++] = TLS_DRAFT_MINOR;
wolfSSL 12:0217a9463bc3 2550
wolfSSL 12:0217a9463bc3 2551 /* Add TLS extensions. */
wolfSSL 12:0217a9463bc3 2552 TLSX_WriteResponse(ssl, output + idx, hello_retry_request);
wolfSSL 12:0217a9463bc3 2553 idx += len;
wolfSSL 12:0217a9463bc3 2554
wolfSSL 12:0217a9463bc3 2555 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 2556 if (ssl->hsInfoOn)
wolfSSL 12:0217a9463bc3 2557 AddPacketName("HelloRetryRequest", &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 2558 if (ssl->toInfoOn)
wolfSSL 12:0217a9463bc3 2559 AddPacketInfo("HelloRetryRequest", &ssl->timeoutInfo, output, sendSz,
wolfSSL 12:0217a9463bc3 2560 ssl->heap);
wolfSSL 12:0217a9463bc3 2561 #endif
wolfSSL 12:0217a9463bc3 2562
wolfSSL 12:0217a9463bc3 2563 ret = HashOutput(ssl, output, idx, 0);
wolfSSL 12:0217a9463bc3 2564 if (ret != 0)
wolfSSL 12:0217a9463bc3 2565 return ret;
wolfSSL 12:0217a9463bc3 2566
wolfSSL 12:0217a9463bc3 2567 ssl->buffers.outputBuffer.length += sendSz;
wolfSSL 12:0217a9463bc3 2568
wolfSSL 12:0217a9463bc3 2569 if (ssl->options.groupMessages)
wolfSSL 12:0217a9463bc3 2570 return 0;
wolfSSL 12:0217a9463bc3 2571 else
wolfSSL 12:0217a9463bc3 2572 return SendBuffered(ssl);
wolfSSL 12:0217a9463bc3 2573 }
wolfSSL 12:0217a9463bc3 2574
wolfSSL 12:0217a9463bc3 2575 /* Send TLS v1.3 ServerHello message to client.
wolfSSL 12:0217a9463bc3 2576 * Only a server will send this message.
wolfSSL 12:0217a9463bc3 2577 *
wolfSSL 12:0217a9463bc3 2578 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 2579 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 2580 */
wolfSSL 12:0217a9463bc3 2581 int SendTls13ServerHello(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 2582 {
wolfSSL 12:0217a9463bc3 2583 byte* output;
wolfSSL 12:0217a9463bc3 2584 word32 length;
wolfSSL 12:0217a9463bc3 2585 word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 2586 int sendSz;
wolfSSL 12:0217a9463bc3 2587 int ret;
wolfSSL 12:0217a9463bc3 2588
wolfSSL 12:0217a9463bc3 2589 /* Protocol version, server random, cipher suite and extensions. */
wolfSSL 12:0217a9463bc3 2590 length = VERSION_SZ + RAN_LEN + SUITE_LEN +
wolfSSL 12:0217a9463bc3 2591 TLSX_GetResponseSize(ssl, server_hello);
wolfSSL 12:0217a9463bc3 2592 sendSz = idx + length;
wolfSSL 12:0217a9463bc3 2593
wolfSSL 12:0217a9463bc3 2594 /* Check buffers are big enough and grow if needed. */
wolfSSL 12:0217a9463bc3 2595 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
wolfSSL 12:0217a9463bc3 2596 return ret;
wolfSSL 12:0217a9463bc3 2597
wolfSSL 12:0217a9463bc3 2598 /* Get position in output buffer to write new message to. */
wolfSSL 12:0217a9463bc3 2599 output = ssl->buffers.outputBuffer.buffer +
wolfSSL 12:0217a9463bc3 2600 ssl->buffers.outputBuffer.length;
wolfSSL 12:0217a9463bc3 2601
wolfSSL 12:0217a9463bc3 2602 /* Put the record and handshake headers on. */
wolfSSL 12:0217a9463bc3 2603 AddTls13Headers(output, length, server_hello, ssl);
wolfSSL 12:0217a9463bc3 2604
wolfSSL 12:0217a9463bc3 2605 /* TODO: [TLS13] Replace existing code with code in comment.
wolfSSL 12:0217a9463bc3 2606 * Use the TLS v1.3 draft version for now.
wolfSSL 12:0217a9463bc3 2607 *
wolfSSL 12:0217a9463bc3 2608 * Change to:
wolfSSL 12:0217a9463bc3 2609 * output[idx++] = ssl->version.major;
wolfSSL 12:0217a9463bc3 2610 * output[idx++] = ssl->version.minor;
wolfSSL 12:0217a9463bc3 2611 */
wolfSSL 12:0217a9463bc3 2612 /* The negotiated protocol version. */
wolfSSL 12:0217a9463bc3 2613 output[idx++] = TLS_DRAFT_MAJOR;
wolfSSL 12:0217a9463bc3 2614 output[idx++] = TLS_DRAFT_MINOR;
wolfSSL 12:0217a9463bc3 2615
wolfSSL 12:0217a9463bc3 2616 /* TODO: [TLS13] Last 8 bytes have special meaning. */
wolfSSL 12:0217a9463bc3 2617 /* Generate server random. */
wolfSSL 12:0217a9463bc3 2618 ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN);
wolfSSL 12:0217a9463bc3 2619 if (ret != 0)
wolfSSL 12:0217a9463bc3 2620 return ret;
wolfSSL 12:0217a9463bc3 2621 /* Store in SSL for debugging. */
wolfSSL 12:0217a9463bc3 2622 XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN);
wolfSSL 12:0217a9463bc3 2623 idx += RAN_LEN;
wolfSSL 12:0217a9463bc3 2624
wolfSSL 12:0217a9463bc3 2625 #ifdef WOLFSSL_DEBUG_TLS
wolfSSL 12:0217a9463bc3 2626 WOLFSSL_MSG("Server random");
wolfSSL 12:0217a9463bc3 2627 WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN);
wolfSSL 12:0217a9463bc3 2628 #endif
wolfSSL 12:0217a9463bc3 2629
wolfSSL 12:0217a9463bc3 2630 /* Chosen cipher suite */
wolfSSL 12:0217a9463bc3 2631 output[idx++] = ssl->options.cipherSuite0;
wolfSSL 12:0217a9463bc3 2632 output[idx++] = ssl->options.cipherSuite;
wolfSSL 12:0217a9463bc3 2633
wolfSSL 12:0217a9463bc3 2634 /* Extensions */
wolfSSL 12:0217a9463bc3 2635 TLSX_WriteResponse(ssl, output + idx, server_hello);
wolfSSL 12:0217a9463bc3 2636
wolfSSL 12:0217a9463bc3 2637 ssl->buffers.outputBuffer.length += sendSz;
wolfSSL 12:0217a9463bc3 2638
wolfSSL 12:0217a9463bc3 2639 ret = HashOutput(ssl, output, sendSz, 0);
wolfSSL 12:0217a9463bc3 2640 if (ret != 0)
wolfSSL 12:0217a9463bc3 2641 return ret;
wolfSSL 12:0217a9463bc3 2642
wolfSSL 12:0217a9463bc3 2643 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 2644 if (ssl->hsInfoOn)
wolfSSL 12:0217a9463bc3 2645 AddPacketName("ServerHello", &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 2646 if (ssl->toInfoOn)
wolfSSL 12:0217a9463bc3 2647 AddPacketInfo("ServerHello", &ssl->timeoutInfo, output, sendSz,
wolfSSL 12:0217a9463bc3 2648 ssl->heap);
wolfSSL 12:0217a9463bc3 2649 #endif
wolfSSL 12:0217a9463bc3 2650
wolfSSL 12:0217a9463bc3 2651 ssl->options.serverState = SERVER_HELLO_COMPLETE;
wolfSSL 12:0217a9463bc3 2652
wolfSSL 12:0217a9463bc3 2653 if (ssl->options.groupMessages)
wolfSSL 12:0217a9463bc3 2654 return 0;
wolfSSL 12:0217a9463bc3 2655 else
wolfSSL 12:0217a9463bc3 2656 return SendBuffered(ssl);
wolfSSL 12:0217a9463bc3 2657 }
wolfSSL 12:0217a9463bc3 2658
wolfSSL 12:0217a9463bc3 2659 /* Send the rest of the extensions encrypted under the handshake key.
wolfSSL 12:0217a9463bc3 2660 * This message is always encrypted in TLS v1.3.
wolfSSL 12:0217a9463bc3 2661 * Only a server will send this message.
wolfSSL 12:0217a9463bc3 2662 *
wolfSSL 12:0217a9463bc3 2663 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 2664 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 2665 */
wolfSSL 12:0217a9463bc3 2666 int SendTls13EncryptedExtensions(WOLFSSL *ssl)
wolfSSL 12:0217a9463bc3 2667 {
wolfSSL 12:0217a9463bc3 2668 int ret;
wolfSSL 12:0217a9463bc3 2669 byte* output;
wolfSSL 12:0217a9463bc3 2670 word32 length;
wolfSSL 12:0217a9463bc3 2671 word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 2672 int sendSz;
wolfSSL 12:0217a9463bc3 2673
wolfSSL 12:0217a9463bc3 2674 ssl->keys.encryptionOn = 1;
wolfSSL 12:0217a9463bc3 2675
wolfSSL 12:0217a9463bc3 2676 /* Derive early secret for handshake secret. */
wolfSSL 12:0217a9463bc3 2677 if ((ret = DeriveEarlySecret(ssl)) != 0)
wolfSSL 12:0217a9463bc3 2678 return ret;
wolfSSL 12:0217a9463bc3 2679 /* Derive the handshake secret now that we are at first message to be
wolfSSL 12:0217a9463bc3 2680 * encrypted under the keys.
wolfSSL 12:0217a9463bc3 2681 */
wolfSSL 12:0217a9463bc3 2682 if ((ret = DeriveHandshakeSecret(ssl)) != 0)
wolfSSL 12:0217a9463bc3 2683 return ret;
wolfSSL 12:0217a9463bc3 2684 if ((ret = DeriveTls13Keys(ssl, handshake_key,
wolfSSL 12:0217a9463bc3 2685 ENCRYPT_AND_DECRYPT_SIDE)) != 0)
wolfSSL 12:0217a9463bc3 2686 return ret;
wolfSSL 12:0217a9463bc3 2687
wolfSSL 12:0217a9463bc3 2688 /* Setup encrypt/decrypt keys for following messages. */
wolfSSL 12:0217a9463bc3 2689 if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
wolfSSL 12:0217a9463bc3 2690 return ret;
wolfSSL 12:0217a9463bc3 2691
wolfSSL 12:0217a9463bc3 2692 length = TLSX_GetResponseSize(ssl, encrypted_extensions);
wolfSSL 12:0217a9463bc3 2693 sendSz = idx + length;
wolfSSL 12:0217a9463bc3 2694 /* Encryption always on. */
wolfSSL 12:0217a9463bc3 2695 sendSz += MAX_MSG_EXTRA;
wolfSSL 12:0217a9463bc3 2696
wolfSSL 12:0217a9463bc3 2697 /* Check buffers are big enough and grow if needed. */
wolfSSL 12:0217a9463bc3 2698 ret = CheckAvailableSize(ssl, sendSz);
wolfSSL 12:0217a9463bc3 2699 if (ret != 0)
wolfSSL 12:0217a9463bc3 2700 return ret;
wolfSSL 12:0217a9463bc3 2701
wolfSSL 12:0217a9463bc3 2702 /* Get position in output buffer to write new message to. */
wolfSSL 12:0217a9463bc3 2703 output = ssl->buffers.outputBuffer.buffer +
wolfSSL 12:0217a9463bc3 2704 ssl->buffers.outputBuffer.length;
wolfSSL 12:0217a9463bc3 2705
wolfSSL 12:0217a9463bc3 2706 /* Put the record and handshake headers on. */
wolfSSL 12:0217a9463bc3 2707 AddTls13Headers(output, length, encrypted_extensions, ssl);
wolfSSL 12:0217a9463bc3 2708
wolfSSL 12:0217a9463bc3 2709 TLSX_WriteResponse(ssl, output + idx, encrypted_extensions);
wolfSSL 12:0217a9463bc3 2710 idx += length;
wolfSSL 12:0217a9463bc3 2711
wolfSSL 12:0217a9463bc3 2712 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 2713 if (ssl->hsInfoOn)
wolfSSL 12:0217a9463bc3 2714 AddPacketName("EncryptedExtensions", &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 2715 if (ssl->toInfoOn)
wolfSSL 12:0217a9463bc3 2716 AddPacketInfo("EncryptedExtensions", &ssl->timeoutInfo, output,
wolfSSL 12:0217a9463bc3 2717 sendSz, ssl->heap);
wolfSSL 12:0217a9463bc3 2718 #endif
wolfSSL 12:0217a9463bc3 2719
wolfSSL 12:0217a9463bc3 2720 /* This handshake message is always encrypted. */
wolfSSL 12:0217a9463bc3 2721 sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
wolfSSL 12:0217a9463bc3 2722 idx - RECORD_HEADER_SZ, handshake, 1, 0);
wolfSSL 12:0217a9463bc3 2723 if (sendSz < 0)
wolfSSL 12:0217a9463bc3 2724 return sendSz;
wolfSSL 12:0217a9463bc3 2725
wolfSSL 12:0217a9463bc3 2726 ssl->buffers.outputBuffer.length += sendSz;
wolfSSL 12:0217a9463bc3 2727
wolfSSL 12:0217a9463bc3 2728 ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;
wolfSSL 12:0217a9463bc3 2729
wolfSSL 12:0217a9463bc3 2730 if (ssl->options.groupMessages)
wolfSSL 12:0217a9463bc3 2731 return 0;
wolfSSL 12:0217a9463bc3 2732 else
wolfSSL 12:0217a9463bc3 2733 return SendBuffered(ssl);
wolfSSL 12:0217a9463bc3 2734 }
wolfSSL 12:0217a9463bc3 2735
wolfSSL 12:0217a9463bc3 2736 #ifndef NO_CERTS
wolfSSL 12:0217a9463bc3 2737 /* Send the TLS v1.3 CertificateRequest message.
wolfSSL 12:0217a9463bc3 2738 * This message is always encrypted in TLS v1.3.
wolfSSL 12:0217a9463bc3 2739 * Only a server will send this message.
wolfSSL 12:0217a9463bc3 2740 *
wolfSSL 12:0217a9463bc3 2741 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 2742 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 2743 */
wolfSSL 12:0217a9463bc3 2744 int SendTls13CertificateRequest(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 2745 {
wolfSSL 12:0217a9463bc3 2746 byte *output;
wolfSSL 12:0217a9463bc3 2747 int ret;
wolfSSL 12:0217a9463bc3 2748 int sendSz;
wolfSSL 12:0217a9463bc3 2749 int reqCtxLen = 0;
wolfSSL 12:0217a9463bc3 2750 word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 2751
wolfSSL 12:0217a9463bc3 2752 int reqSz = OPAQUE8_LEN + reqCtxLen + REQ_HEADER_SZ + REQ_HEADER_SZ;
wolfSSL 12:0217a9463bc3 2753
wolfSSL 12:0217a9463bc3 2754 reqSz += LENGTH_SZ + ssl->suites->hashSigAlgoSz;
wolfSSL 12:0217a9463bc3 2755
wolfSSL 12:0217a9463bc3 2756 if (ssl->options.usingPSK_cipher || ssl->options.usingAnon_cipher)
wolfSSL 12:0217a9463bc3 2757 return 0; /* not needed */
wolfSSL 12:0217a9463bc3 2758
wolfSSL 12:0217a9463bc3 2759 sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz;
wolfSSL 12:0217a9463bc3 2760 /* Always encrypted and make room for padding. */
wolfSSL 12:0217a9463bc3 2761 sendSz += MAX_MSG_EXTRA;
wolfSSL 12:0217a9463bc3 2762
wolfSSL 12:0217a9463bc3 2763 /* Check buffers are big enough and grow if needed. */
wolfSSL 12:0217a9463bc3 2764 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
wolfSSL 12:0217a9463bc3 2765 return ret;
wolfSSL 12:0217a9463bc3 2766
wolfSSL 12:0217a9463bc3 2767 /* Get position in output buffer to write new message to. */
wolfSSL 12:0217a9463bc3 2768 output = ssl->buffers.outputBuffer.buffer +
wolfSSL 12:0217a9463bc3 2769 ssl->buffers.outputBuffer.length;
wolfSSL 12:0217a9463bc3 2770
wolfSSL 12:0217a9463bc3 2771 /* Put the record and handshake headers on. */
wolfSSL 12:0217a9463bc3 2772 AddTls13Headers(output, reqSz, certificate_request, ssl);
wolfSSL 12:0217a9463bc3 2773
wolfSSL 12:0217a9463bc3 2774 /* Certificate request context. */
wolfSSL 12:0217a9463bc3 2775 /* TODO: [TLS13] Request context for post-handshake auth.
wolfSSL 12:0217a9463bc3 2776 * Must be unique in the scope of the connection.
wolfSSL 12:0217a9463bc3 2777 */
wolfSSL 12:0217a9463bc3 2778 output[i++] = reqCtxLen;
wolfSSL 12:0217a9463bc3 2779
wolfSSL 12:0217a9463bc3 2780 /* supported hash/sig */
wolfSSL 12:0217a9463bc3 2781 c16toa(ssl->suites->hashSigAlgoSz, &output[i]);
wolfSSL 12:0217a9463bc3 2782 i += LENGTH_SZ;
wolfSSL 12:0217a9463bc3 2783
wolfSSL 12:0217a9463bc3 2784 XMEMCPY(&output[i], ssl->suites->hashSigAlgo, ssl->suites->hashSigAlgoSz);
wolfSSL 12:0217a9463bc3 2785 i += ssl->suites->hashSigAlgoSz;
wolfSSL 12:0217a9463bc3 2786
wolfSSL 12:0217a9463bc3 2787 /* Certificate authorities not supported yet - empty buffer. */
wolfSSL 12:0217a9463bc3 2788 c16toa(0, &output[i]);
wolfSSL 12:0217a9463bc3 2789 i += REQ_HEADER_SZ;
wolfSSL 12:0217a9463bc3 2790
wolfSSL 12:0217a9463bc3 2791 /* Certificate extensions. */
wolfSSL 12:0217a9463bc3 2792 /* TODO: [TLS13] Add extension handling. */
wolfSSL 12:0217a9463bc3 2793 c16toa(0, &output[i]); /* auth's */
wolfSSL 12:0217a9463bc3 2794 i += REQ_HEADER_SZ;
wolfSSL 12:0217a9463bc3 2795
wolfSSL 12:0217a9463bc3 2796 /* Always encrypted. */
wolfSSL 12:0217a9463bc3 2797 sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
wolfSSL 12:0217a9463bc3 2798 i - RECORD_HEADER_SZ, handshake, 1, 0);
wolfSSL 12:0217a9463bc3 2799 if (sendSz < 0)
wolfSSL 12:0217a9463bc3 2800 return sendSz;
wolfSSL 12:0217a9463bc3 2801
wolfSSL 12:0217a9463bc3 2802 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 2803 if (ssl->hsInfoOn)
wolfSSL 12:0217a9463bc3 2804 AddPacketName("CertificateRequest", &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 2805 if (ssl->toInfoOn)
wolfSSL 12:0217a9463bc3 2806 AddPacketInfo("CertificateRequest", &ssl->timeoutInfo, output,
wolfSSL 12:0217a9463bc3 2807 sendSz, ssl->heap);
wolfSSL 12:0217a9463bc3 2808 #endif
wolfSSL 12:0217a9463bc3 2809
wolfSSL 12:0217a9463bc3 2810 ssl->buffers.outputBuffer.length += sendSz;
wolfSSL 12:0217a9463bc3 2811 if (!ssl->options.groupMessages)
wolfSSL 12:0217a9463bc3 2812 return SendBuffered(ssl);
wolfSSL 12:0217a9463bc3 2813 return 0;
wolfSSL 12:0217a9463bc3 2814 }
wolfSSL 12:0217a9463bc3 2815 #endif /* NO_CERTS */
wolfSSL 12:0217a9463bc3 2816 #endif /* NO_WOLFSSL_SERVER */
wolfSSL 12:0217a9463bc3 2817
wolfSSL 12:0217a9463bc3 2818 #ifndef NO_CERTS
wolfSSL 12:0217a9463bc3 2819 #if !defined(NO_RSA) || defined(HAVE_ECC)
wolfSSL 12:0217a9463bc3 2820 /* Encode the signature algorithm into buffer.
wolfSSL 12:0217a9463bc3 2821 *
wolfSSL 12:0217a9463bc3 2822 * hashalgo The hash algorithm.
wolfSSL 12:0217a9463bc3 2823 * hsType The signature type.
wolfSSL 12:0217a9463bc3 2824 * output The buffer to encode into.
wolfSSL 12:0217a9463bc3 2825 */
wolfSSL 12:0217a9463bc3 2826 static INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output)
wolfSSL 12:0217a9463bc3 2827 {
wolfSSL 12:0217a9463bc3 2828 switch (hsType) {
wolfSSL 12:0217a9463bc3 2829 #ifdef HAVE_ECC
wolfSSL 12:0217a9463bc3 2830 case DYNAMIC_TYPE_ECC:
wolfSSL 12:0217a9463bc3 2831 output[0] = hashAlgo;
wolfSSL 12:0217a9463bc3 2832 output[1] = ecc_dsa_sa_algo;
wolfSSL 12:0217a9463bc3 2833 break;
wolfSSL 12:0217a9463bc3 2834 #endif
wolfSSL 12:0217a9463bc3 2835 #ifndef NO_RSA
wolfSSL 12:0217a9463bc3 2836 case DYNAMIC_TYPE_RSA:
wolfSSL 12:0217a9463bc3 2837 output[0] = hashAlgo;
wolfSSL 12:0217a9463bc3 2838 output[1] = rsa_sa_algo;
wolfSSL 12:0217a9463bc3 2839 break;
wolfSSL 12:0217a9463bc3 2840 #endif
wolfSSL 12:0217a9463bc3 2841 /* PSS signatures: 0x080[4-6] */
wolfSSL 12:0217a9463bc3 2842 /* ED25519: 0x0807 */
wolfSSL 12:0217a9463bc3 2843 /* ED448: 0x0808 */
wolfSSL 12:0217a9463bc3 2844 }
wolfSSL 12:0217a9463bc3 2845 }
wolfSSL 12:0217a9463bc3 2846
wolfSSL 12:0217a9463bc3 2847 /* Decode the signature algorithm.
wolfSSL 12:0217a9463bc3 2848 *
wolfSSL 12:0217a9463bc3 2849 * input The encoded signature algorithm.
wolfSSL 12:0217a9463bc3 2850 * hashalgo The hash algorithm.
wolfSSL 12:0217a9463bc3 2851 * hsType The signature type.
wolfSSL 12:0217a9463bc3 2852 */
wolfSSL 12:0217a9463bc3 2853 static INLINE void DecodeSigAlg(byte* input, byte* hashAlgo, byte* hsType)
wolfSSL 12:0217a9463bc3 2854 {
wolfSSL 12:0217a9463bc3 2855 switch (input[0]) {
wolfSSL 12:0217a9463bc3 2856 case 0x08:
wolfSSL 12:0217a9463bc3 2857 /* PSS signatures: 0x080[4-6] */
wolfSSL 12:0217a9463bc3 2858 if (input[1] <= 0x06) {
wolfSSL 12:0217a9463bc3 2859 *hsType = input[0];
wolfSSL 12:0217a9463bc3 2860 *hashAlgo = input[1];
wolfSSL 12:0217a9463bc3 2861 }
wolfSSL 12:0217a9463bc3 2862 break;
wolfSSL 12:0217a9463bc3 2863 /* ED25519: 0x0807 */
wolfSSL 12:0217a9463bc3 2864 /* ED448: 0x0808 */
wolfSSL 12:0217a9463bc3 2865 default:
wolfSSL 12:0217a9463bc3 2866 *hashAlgo = input[0];
wolfSSL 12:0217a9463bc3 2867 *hsType = input[1];
wolfSSL 12:0217a9463bc3 2868 break;
wolfSSL 12:0217a9463bc3 2869 }
wolfSSL 12:0217a9463bc3 2870 }
wolfSSL 12:0217a9463bc3 2871
wolfSSL 12:0217a9463bc3 2872 /* Get the hash of the messages so far.
wolfSSL 12:0217a9463bc3 2873 *
wolfSSL 12:0217a9463bc3 2874 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 2875 * hash The buffer to write the hash to.
wolfSSL 12:0217a9463bc3 2876 * returns the length of the hash.
wolfSSL 12:0217a9463bc3 2877 */
wolfSSL 12:0217a9463bc3 2878 static INLINE int GetMsgHash(WOLFSSL *ssl, byte* hash)
wolfSSL 12:0217a9463bc3 2879 {
wolfSSL 12:0217a9463bc3 2880 switch (ssl->specs.mac_algorithm) {
wolfSSL 12:0217a9463bc3 2881 #ifndef NO_SHA256
wolfSSL 12:0217a9463bc3 2882 case sha256_mac:
wolfSSL 12:0217a9463bc3 2883 wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
wolfSSL 12:0217a9463bc3 2884 return SHA256_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 2885 #endif /* !NO_SHA256 */
wolfSSL 12:0217a9463bc3 2886 #ifdef WOLFSSL_SHA384
wolfSSL 12:0217a9463bc3 2887 case sha384_mac:
wolfSSL 12:0217a9463bc3 2888 wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
wolfSSL 12:0217a9463bc3 2889 return SHA384_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 2890 #endif /* WOLFSSL_SHA384 */
wolfSSL 12:0217a9463bc3 2891 #ifdef WOLFSSL_SHA512
wolfSSL 12:0217a9463bc3 2892 case sha512_mac:
wolfSSL 12:0217a9463bc3 2893 wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
wolfSSL 12:0217a9463bc3 2894 return SHA512_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 2895 #endif /* WOLFSSL_SHA512 */
wolfSSL 12:0217a9463bc3 2896 }
wolfSSL 12:0217a9463bc3 2897 return 0;
wolfSSL 12:0217a9463bc3 2898 }
wolfSSL 12:0217a9463bc3 2899
wolfSSL 12:0217a9463bc3 2900 /* The length of the certificate verification label - client and server. */
wolfSSL 12:0217a9463bc3 2901 #define CERT_VFY_LABEL_SZ 34
wolfSSL 12:0217a9463bc3 2902 /* The server certificate verification label. */
wolfSSL 12:0217a9463bc3 2903 static const byte serverCertVfyLabel[CERT_VFY_LABEL_SZ] =
wolfSSL 12:0217a9463bc3 2904 "TLS 1.3, server CertificateVerify";
wolfSSL 12:0217a9463bc3 2905 /* The client certificate verification label. */
wolfSSL 12:0217a9463bc3 2906 static const byte clientCertVfyLabel[CERT_VFY_LABEL_SZ] =
wolfSSL 12:0217a9463bc3 2907 "TLS 1.3, client CertificateVerify";
wolfSSL 12:0217a9463bc3 2908
wolfSSL 12:0217a9463bc3 2909 /* The number of prefix bytes for signature data. */
wolfSSL 12:0217a9463bc3 2910 #define SIGNING_DATA_PREFIX_SZ 64
wolfSSL 12:0217a9463bc3 2911 /* The prefix byte in the signature data. */
wolfSSL 12:0217a9463bc3 2912 #define SIGNING_DATA_PREFIX_BYTE 0x20
wolfSSL 12:0217a9463bc3 2913 /* Maximum length of the signature data. */
wolfSSL 12:0217a9463bc3 2914 #define MAX_SIG_DATA_SZ (SIGNING_DATA_PREFIX_SZ + \
wolfSSL 12:0217a9463bc3 2915 CERT_VFY_LABEL_SZ + \
wolfSSL 12:0217a9463bc3 2916 MAX_DIGEST_SIZE)
wolfSSL 12:0217a9463bc3 2917
wolfSSL 12:0217a9463bc3 2918 /* Create the signature data for TLS v1.3 certificate verification.
wolfSSL 12:0217a9463bc3 2919 *
wolfSSL 12:0217a9463bc3 2920 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 2921 * sigData The signature data.
wolfSSL 12:0217a9463bc3 2922 * sigDataSz The length of the signature data.
wolfSSL 12:0217a9463bc3 2923 * check Indicates this is a check not create.
wolfSSL 12:0217a9463bc3 2924 */
wolfSSL 12:0217a9463bc3 2925 static void CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz,
wolfSSL 12:0217a9463bc3 2926 int check)
wolfSSL 12:0217a9463bc3 2927 {
wolfSSL 12:0217a9463bc3 2928 word16 idx;
wolfSSL 12:0217a9463bc3 2929 int side = ssl->options.side;
wolfSSL 12:0217a9463bc3 2930
wolfSSL 12:0217a9463bc3 2931 /* Signature Data = Prefix | Label | Handshake Hash */
wolfSSL 12:0217a9463bc3 2932 XMEMSET(sigData, SIGNING_DATA_PREFIX_BYTE, SIGNING_DATA_PREFIX_SZ);
wolfSSL 12:0217a9463bc3 2933 idx = SIGNING_DATA_PREFIX_SZ;
wolfSSL 12:0217a9463bc3 2934
wolfSSL 12:0217a9463bc3 2935 #ifndef NO_WOLFSSL_SERVER
wolfSSL 12:0217a9463bc3 2936 if ((side == WOLFSSL_SERVER_END && check) ||
wolfSSL 12:0217a9463bc3 2937 (side == WOLFSSL_CLIENT_END && !check)) {
wolfSSL 12:0217a9463bc3 2938 XMEMCPY(&sigData[idx], clientCertVfyLabel, CERT_VFY_LABEL_SZ);
wolfSSL 12:0217a9463bc3 2939 }
wolfSSL 12:0217a9463bc3 2940 #endif
wolfSSL 12:0217a9463bc3 2941 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:0217a9463bc3 2942 if ((side == WOLFSSL_CLIENT_END && check) ||
wolfSSL 12:0217a9463bc3 2943 (side == WOLFSSL_SERVER_END && !check)) {
wolfSSL 12:0217a9463bc3 2944 XMEMCPY(&sigData[idx], serverCertVfyLabel, CERT_VFY_LABEL_SZ);
wolfSSL 12:0217a9463bc3 2945 }
wolfSSL 12:0217a9463bc3 2946 #endif
wolfSSL 12:0217a9463bc3 2947 idx += CERT_VFY_LABEL_SZ;
wolfSSL 12:0217a9463bc3 2948
wolfSSL 12:0217a9463bc3 2949 *sigDataSz = idx + GetMsgHash(ssl, &sigData[idx]);
wolfSSL 12:0217a9463bc3 2950 }
wolfSSL 12:0217a9463bc3 2951
wolfSSL 12:0217a9463bc3 2952 #ifndef NO_RSA
wolfSSL 12:0217a9463bc3 2953 /* Encode the PKCS #1.5 RSA signature.
wolfSSL 12:0217a9463bc3 2954 *
wolfSSL 12:0217a9463bc3 2955 * sig The buffer to place the encoded signature into.
wolfSSL 12:0217a9463bc3 2956 * sigData The data to be signed.
wolfSSL 12:0217a9463bc3 2957 * sigDataSz The size of the data to be signed.
wolfSSL 12:0217a9463bc3 2958 * hashAlgo The hash algorithm to use when signing.
wolfSSL 12:0217a9463bc3 2959 * returns the length of the encoded signature or negative on error.
wolfSSL 12:0217a9463bc3 2960 */
wolfSSL 12:0217a9463bc3 2961 static int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz,
wolfSSL 12:0217a9463bc3 2962 int hashAlgo)
wolfSSL 12:0217a9463bc3 2963 {
wolfSSL 12:0217a9463bc3 2964 Digest digest;
wolfSSL 12:0217a9463bc3 2965 int hashSz = 0;
wolfSSL 12:0217a9463bc3 2966 int hashOid = 0;
wolfSSL 12:0217a9463bc3 2967
wolfSSL 12:0217a9463bc3 2968 /* Digest the signature data. */
wolfSSL 12:0217a9463bc3 2969 switch (hashAlgo) {
wolfSSL 12:0217a9463bc3 2970 #ifndef NO_WOLFSSL_SHA256
wolfSSL 12:0217a9463bc3 2971 case sha256_mac:
wolfSSL 12:0217a9463bc3 2972 wc_InitSha256(&digest.sha256);
wolfSSL 12:0217a9463bc3 2973 wc_Sha256Update(&digest.sha256, sigData, sigDataSz);
wolfSSL 12:0217a9463bc3 2974 wc_Sha256Final(&digest.sha256, sigData);
wolfSSL 12:0217a9463bc3 2975 wc_Sha256Free(&digest.sha256);
wolfSSL 12:0217a9463bc3 2976 hashSz = SHA256_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 2977 hashOid = SHA256h;
wolfSSL 12:0217a9463bc3 2978 break;
wolfSSL 12:0217a9463bc3 2979 #endif
wolfSSL 12:0217a9463bc3 2980 #ifdef WOLFSSL_SHA384
wolfSSL 12:0217a9463bc3 2981 case sha384_mac:
wolfSSL 12:0217a9463bc3 2982 wc_InitSha384(&digest.sha384);
wolfSSL 12:0217a9463bc3 2983 wc_Sha384Update(&digest.sha384, sigData, sigDataSz);
wolfSSL 12:0217a9463bc3 2984 wc_Sha384Final(&digest.sha384, sigData);
wolfSSL 12:0217a9463bc3 2985 wc_Sha384Free(&digest.sha384);
wolfSSL 12:0217a9463bc3 2986 hashSz = SHA384_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 2987 hashOid = SHA384h;
wolfSSL 12:0217a9463bc3 2988 break;
wolfSSL 12:0217a9463bc3 2989 #endif
wolfSSL 12:0217a9463bc3 2990 #ifdef WOLFSSL_SHA512
wolfSSL 12:0217a9463bc3 2991 case sha512_mac:
wolfSSL 12:0217a9463bc3 2992 wc_InitSha512(&digest.sha512);
wolfSSL 12:0217a9463bc3 2993 wc_Sha512Update(&digest.sha512, sigData, sigDataSz);
wolfSSL 12:0217a9463bc3 2994 wc_Sha512Final(&digest.sha512, sigData);
wolfSSL 12:0217a9463bc3 2995 wc_Sha512Free(&digest.sha512);
wolfSSL 12:0217a9463bc3 2996 hashSz = SHA512_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 2997 hashOid = SHA512h;
wolfSSL 12:0217a9463bc3 2998 break;
wolfSSL 12:0217a9463bc3 2999 #endif
wolfSSL 12:0217a9463bc3 3000 }
wolfSSL 12:0217a9463bc3 3001
wolfSSL 12:0217a9463bc3 3002 /* Encode the signature data as per PKCS #1.5 */
wolfSSL 12:0217a9463bc3 3003 return wc_EncodeSignature(sig, sigData, hashSz, hashOid);
wolfSSL 12:0217a9463bc3 3004 }
wolfSSL 12:0217a9463bc3 3005
wolfSSL 12:0217a9463bc3 3006 #ifdef HAVE_ECC
wolfSSL 12:0217a9463bc3 3007 /* Encode the ECC signature.
wolfSSL 12:0217a9463bc3 3008 *
wolfSSL 12:0217a9463bc3 3009 * sigData The data to be signed.
wolfSSL 12:0217a9463bc3 3010 * sigDataSz The size of the data to be signed.
wolfSSL 12:0217a9463bc3 3011 * hashAlgo The hash algorithm to use when signing.
wolfSSL 12:0217a9463bc3 3012 * returns the length of the encoded signature or negative on error.
wolfSSL 12:0217a9463bc3 3013 */
wolfSSL 12:0217a9463bc3 3014 static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo)
wolfSSL 12:0217a9463bc3 3015 {
wolfSSL 12:0217a9463bc3 3016 Digest digest;
wolfSSL 12:0217a9463bc3 3017 int hashSz = 0;
wolfSSL 12:0217a9463bc3 3018
wolfSSL 12:0217a9463bc3 3019 /* Digest the signature data. */
wolfSSL 12:0217a9463bc3 3020 switch (hashAlgo) {
wolfSSL 12:0217a9463bc3 3021 #ifndef NO_WOLFSSL_SHA256
wolfSSL 12:0217a9463bc3 3022 case sha256_mac:
wolfSSL 12:0217a9463bc3 3023 wc_InitSha256(&digest.sha256);
wolfSSL 12:0217a9463bc3 3024 wc_Sha256Update(&digest.sha256, sigData, sigDataSz);
wolfSSL 12:0217a9463bc3 3025 wc_Sha256Final(&digest.sha256, sigData);
wolfSSL 12:0217a9463bc3 3026 wc_Sha256Free(&digest.sha256);
wolfSSL 12:0217a9463bc3 3027 hashSz = SHA256_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 3028 break;
wolfSSL 12:0217a9463bc3 3029 #endif
wolfSSL 12:0217a9463bc3 3030 #ifdef WOLFSSL_SHA384
wolfSSL 12:0217a9463bc3 3031 case sha384_mac:
wolfSSL 12:0217a9463bc3 3032 wc_InitSha384(&digest.sha384);
wolfSSL 12:0217a9463bc3 3033 wc_Sha384Update(&digest.sha384, sigData, sigDataSz);
wolfSSL 12:0217a9463bc3 3034 wc_Sha384Final(&digest.sha384, sigData);
wolfSSL 12:0217a9463bc3 3035 wc_Sha384Free(&digest.sha384);
wolfSSL 12:0217a9463bc3 3036 hashSz = SHA384_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 3037 break;
wolfSSL 12:0217a9463bc3 3038 #endif
wolfSSL 12:0217a9463bc3 3039 #ifdef WOLFSSL_SHA512
wolfSSL 12:0217a9463bc3 3040 case sha512_mac:
wolfSSL 12:0217a9463bc3 3041 wc_InitSha512(&digest.sha512);
wolfSSL 12:0217a9463bc3 3042 wc_Sha512Update(&digest.sha512, sigData, sigDataSz);
wolfSSL 12:0217a9463bc3 3043 wc_Sha512Final(&digest.sha512, sigData);
wolfSSL 12:0217a9463bc3 3044 wc_Sha512Free(&digest.sha512);
wolfSSL 12:0217a9463bc3 3045 hashSz = SHA512_DIGEST_SIZE;
wolfSSL 12:0217a9463bc3 3046 break;
wolfSSL 12:0217a9463bc3 3047 #endif
wolfSSL 12:0217a9463bc3 3048 }
wolfSSL 12:0217a9463bc3 3049
wolfSSL 12:0217a9463bc3 3050 return hashSz;
wolfSSL 12:0217a9463bc3 3051 }
wolfSSL 12:0217a9463bc3 3052 #endif
wolfSSL 12:0217a9463bc3 3053
wolfSSL 12:0217a9463bc3 3054
wolfSSL 12:0217a9463bc3 3055 /* Check that the decrypted signature matches the encoded signature
wolfSSL 12:0217a9463bc3 3056 * based on the digest of the signature data.
wolfSSL 12:0217a9463bc3 3057 *
wolfSSL 12:0217a9463bc3 3058 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 3059 * hashAlgo The signature algorithm used to generate signature.
wolfSSL 12:0217a9463bc3 3060 * hashAlgo The hash algorithm used to generate signature.
wolfSSL 12:0217a9463bc3 3061 * decSig The decrypted signature.
wolfSSL 12:0217a9463bc3 3062 * decSigSz The size of the decrypted signature.
wolfSSL 12:0217a9463bc3 3063 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 3064 */
wolfSSL 12:0217a9463bc3 3065 static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo,
wolfSSL 12:0217a9463bc3 3066 byte* decSig, word32 decSigSz)
wolfSSL 12:0217a9463bc3 3067 {
wolfSSL 12:0217a9463bc3 3068 int ret = 0;
wolfSSL 12:0217a9463bc3 3069 byte sigData[MAX_SIG_DATA_SZ];
wolfSSL 12:0217a9463bc3 3070 word16 sigDataSz;
wolfSSL 12:0217a9463bc3 3071 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 12:0217a9463bc3 3072 byte* encodedSig = NULL;
wolfSSL 12:0217a9463bc3 3073 #else
wolfSSL 12:0217a9463bc3 3074 byte encodedSig[MAX_ENCODED_SIG_SZ];
wolfSSL 12:0217a9463bc3 3075 #endif
wolfSSL 12:0217a9463bc3 3076 word32 sigSz;
wolfSSL 12:0217a9463bc3 3077
wolfSSL 12:0217a9463bc3 3078 if (sigAlgo == rsa_sa_algo) {
wolfSSL 12:0217a9463bc3 3079 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 12:0217a9463bc3 3080 encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, ssl->heap,
wolfSSL 12:0217a9463bc3 3081 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 12:0217a9463bc3 3082 if (encodedSig == NULL) {
wolfSSL 12:0217a9463bc3 3083 ret = MEMORY_E;
wolfSSL 12:0217a9463bc3 3084 goto end;
wolfSSL 12:0217a9463bc3 3085 }
wolfSSL 12:0217a9463bc3 3086 #endif
wolfSSL 12:0217a9463bc3 3087
wolfSSL 12:0217a9463bc3 3088 CreateSigData(ssl, sigData, &sigDataSz, 1);
wolfSSL 12:0217a9463bc3 3089 sigSz = CreateRSAEncodedSig(encodedSig, sigData, sigDataSz, hashAlgo);
wolfSSL 12:0217a9463bc3 3090 /* Check the encoded and decrypted signature data match. */
wolfSSL 12:0217a9463bc3 3091 if (decSigSz != sigSz || decSig == NULL ||
wolfSSL 12:0217a9463bc3 3092 XMEMCMP(decSig, encodedSig, sigSz) != 0) {
wolfSSL 12:0217a9463bc3 3093 ret = VERIFY_CERT_ERROR;
wolfSSL 12:0217a9463bc3 3094 }
wolfSSL 12:0217a9463bc3 3095 }
wolfSSL 12:0217a9463bc3 3096 else {
wolfSSL 12:0217a9463bc3 3097 CreateSigData(ssl, sigData, &sigDataSz, 1);
wolfSSL 12:0217a9463bc3 3098 sigSz = CreateECCEncodedSig(sigData, sigDataSz, hashAlgo);
wolfSSL 12:0217a9463bc3 3099 if (decSigSz != sigSz || decSig == NULL)
wolfSSL 12:0217a9463bc3 3100 ret = VERIFY_CERT_ERROR;
wolfSSL 12:0217a9463bc3 3101 else {
wolfSSL 12:0217a9463bc3 3102 decSig -= 2 * decSigSz;
wolfSSL 12:0217a9463bc3 3103 XMEMCPY(decSig, sigData, decSigSz);
wolfSSL 12:0217a9463bc3 3104 decSig -= 8;
wolfSSL 12:0217a9463bc3 3105 XMEMSET(decSig, 0, 8);
wolfSSL 12:0217a9463bc3 3106 CreateECCEncodedSig(decSig, 8 + decSigSz * 2, hashAlgo);
wolfSSL 12:0217a9463bc3 3107 if (XMEMCMP(decSig, decSig + 8 + decSigSz * 2, decSigSz) != 0)
wolfSSL 12:0217a9463bc3 3108 ret = VERIFY_CERT_ERROR;
wolfSSL 12:0217a9463bc3 3109 }
wolfSSL 12:0217a9463bc3 3110 }
wolfSSL 12:0217a9463bc3 3111
wolfSSL 12:0217a9463bc3 3112 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 12:0217a9463bc3 3113 end:
wolfSSL 12:0217a9463bc3 3114 if (encodedSig != NULL)
wolfSSL 12:0217a9463bc3 3115 XFREE(encodedSig, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 12:0217a9463bc3 3116 #endif
wolfSSL 12:0217a9463bc3 3117
wolfSSL 12:0217a9463bc3 3118 return ret;
wolfSSL 12:0217a9463bc3 3119 }
wolfSSL 12:0217a9463bc3 3120 #endif /* !NO_RSA */
wolfSSL 12:0217a9463bc3 3121 #endif /* !NO_RSA || HAVE_ECC */
wolfSSL 12:0217a9463bc3 3122
wolfSSL 12:0217a9463bc3 3123 /* Get the next certificate from the list for writing into the TLS v1.3
wolfSSL 12:0217a9463bc3 3124 * Certificate message.
wolfSSL 12:0217a9463bc3 3125 *
wolfSSL 12:0217a9463bc3 3126 * data The certificate list.
wolfSSL 12:0217a9463bc3 3127 * length The length of the certificate data in the list.
wolfSSL 12:0217a9463bc3 3128 * idx The index of the next certificate.
wolfSSL 12:0217a9463bc3 3129 * returns the length of the certificate data. 0 indicates no more certificates
wolfSSL 12:0217a9463bc3 3130 * in the list.
wolfSSL 12:0217a9463bc3 3131 */
wolfSSL 12:0217a9463bc3 3132 static word32 NextCert(byte* data, word32 length, word32* idx)
wolfSSL 12:0217a9463bc3 3133 {
wolfSSL 12:0217a9463bc3 3134 word32 len;
wolfSSL 12:0217a9463bc3 3135
wolfSSL 12:0217a9463bc3 3136 /* Is index at end of list. */
wolfSSL 12:0217a9463bc3 3137 if (*idx == length)
wolfSSL 12:0217a9463bc3 3138 return 0;
wolfSSL 12:0217a9463bc3 3139
wolfSSL 12:0217a9463bc3 3140 /* Length of the current ASN.1 encoded certificate. */
wolfSSL 12:0217a9463bc3 3141 c24to32(data + *idx, &len);
wolfSSL 12:0217a9463bc3 3142 /* Include the length field. */
wolfSSL 12:0217a9463bc3 3143 len += 3;
wolfSSL 12:0217a9463bc3 3144
wolfSSL 12:0217a9463bc3 3145 /* Move index to next certificate and return the current certificate's
wolfSSL 12:0217a9463bc3 3146 * length.
wolfSSL 12:0217a9463bc3 3147 */
wolfSSL 12:0217a9463bc3 3148 *idx += len;
wolfSSL 12:0217a9463bc3 3149 return len;
wolfSSL 12:0217a9463bc3 3150 }
wolfSSL 12:0217a9463bc3 3151
wolfSSL 12:0217a9463bc3 3152 /* Add certificate data and empty extension to output up to the fragment size.
wolfSSL 12:0217a9463bc3 3153 *
wolfSSL 12:0217a9463bc3 3154 * cert The certificate data to write out.
wolfSSL 12:0217a9463bc3 3155 * len The length of the certificate data.
wolfSSL 12:0217a9463bc3 3156 * idx The start of the certificate data to write out.
wolfSSL 12:0217a9463bc3 3157 * fragSz The maximum size of this fragment.
wolfSSL 12:0217a9463bc3 3158 * output The buffer to write to.
wolfSSL 12:0217a9463bc3 3159 * returns the number of bytes written.
wolfSSL 12:0217a9463bc3 3160 */
wolfSSL 12:0217a9463bc3 3161 static word32 AddCertExt(byte* cert, word32 len, word32 idx, word32 fragSz,
wolfSSL 12:0217a9463bc3 3162 byte* output)
wolfSSL 12:0217a9463bc3 3163 {
wolfSSL 12:0217a9463bc3 3164 word32 i = 0;
wolfSSL 12:0217a9463bc3 3165 word32 copySz = min(len - idx, fragSz);
wolfSSL 12:0217a9463bc3 3166
wolfSSL 12:0217a9463bc3 3167 if (idx < len) {
wolfSSL 12:0217a9463bc3 3168 XMEMCPY(output, cert + idx, copySz);
wolfSSL 12:0217a9463bc3 3169 i = copySz;
wolfSSL 12:0217a9463bc3 3170 }
wolfSSL 12:0217a9463bc3 3171
wolfSSL 12:0217a9463bc3 3172 if (copySz + OPAQUE16_LEN <= fragSz) {
wolfSSL 12:0217a9463bc3 3173 /* Empty extension */
wolfSSL 12:0217a9463bc3 3174 output[i++] = 0;
wolfSSL 12:0217a9463bc3 3175 output[i++] = 0;
wolfSSL 12:0217a9463bc3 3176 }
wolfSSL 12:0217a9463bc3 3177
wolfSSL 12:0217a9463bc3 3178 return i;
wolfSSL 12:0217a9463bc3 3179 }
wolfSSL 12:0217a9463bc3 3180
wolfSSL 12:0217a9463bc3 3181 /* Send the certificate for this end and any CAs that help with validation.
wolfSSL 12:0217a9463bc3 3182 * This message is always encrypted in TLS v1.3.
wolfSSL 12:0217a9463bc3 3183 *
wolfSSL 12:0217a9463bc3 3184 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 3185 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 3186 */
wolfSSL 12:0217a9463bc3 3187 int SendTls13Certificate(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 3188 {
wolfSSL 12:0217a9463bc3 3189 int ret = 0;
wolfSSL 12:0217a9463bc3 3190 word32 certSz, certChainSz, headerSz, listSz, payloadSz;
wolfSSL 12:0217a9463bc3 3191 word32 length, maxFragment;
wolfSSL 12:0217a9463bc3 3192 word32 len = 0;
wolfSSL 12:0217a9463bc3 3193 word32 idx = 0;
wolfSSL 12:0217a9463bc3 3194 word32 offset = OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 3195 byte* p = NULL;
wolfSSL 12:0217a9463bc3 3196
wolfSSL 12:0217a9463bc3 3197
wolfSSL 12:0217a9463bc3 3198 /* TODO: [TLS13] Request context for post-handshake auth.
wolfSSL 12:0217a9463bc3 3199 * Taken from request if post-handshake.
wolfSSL 12:0217a9463bc3 3200 */
wolfSSL 12:0217a9463bc3 3201
wolfSSL 12:0217a9463bc3 3202 if (ssl->options.sendVerify == SEND_BLANK_CERT) {
wolfSSL 12:0217a9463bc3 3203 certSz = 0;
wolfSSL 12:0217a9463bc3 3204 certChainSz = 0;
wolfSSL 12:0217a9463bc3 3205 headerSz = CERT_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3206 length = CERT_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3207 listSz = 0;
wolfSSL 12:0217a9463bc3 3208 }
wolfSSL 12:0217a9463bc3 3209 else {
wolfSSL 12:0217a9463bc3 3210 if (!ssl->buffers.certificate) {
wolfSSL 12:0217a9463bc3 3211 WOLFSSL_MSG("Send Cert missing certificate buffer");
wolfSSL 12:0217a9463bc3 3212 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 3213 }
wolfSSL 12:0217a9463bc3 3214 /* Certificate Data */
wolfSSL 12:0217a9463bc3 3215 certSz = ssl->buffers.certificate->length;
wolfSSL 12:0217a9463bc3 3216 /* Cert Req Ctx Len | Cert List Len | Cert Data Len */
wolfSSL 12:0217a9463bc3 3217 headerSz = OPAQUE8_LEN + CERT_HEADER_SZ + CERT_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3218 /* Length of message data with one certificate and empty extensions. */
wolfSSL 12:0217a9463bc3 3219 length = headerSz + certSz + OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 3220 /* Length of list data with one certificate and empty extensions. */
wolfSSL 12:0217a9463bc3 3221 listSz = CERT_HEADER_SZ + certSz + OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 3222
wolfSSL 12:0217a9463bc3 3223 /* Send rest of chain if sending cert (chain has leading size/s). */
wolfSSL 12:0217a9463bc3 3224 if (certSz > 0 && ssl->buffers.certChainCnt > 0) {
wolfSSL 12:0217a9463bc3 3225 /* The pointer to the current spot in the cert chain buffer. */
wolfSSL 12:0217a9463bc3 3226 p = ssl->buffers.certChain->buffer;
wolfSSL 12:0217a9463bc3 3227 /* Chain length including extensions. */
wolfSSL 12:0217a9463bc3 3228 certChainSz = ssl->buffers.certChain->length +
wolfSSL 12:0217a9463bc3 3229 OPAQUE16_LEN * ssl->buffers.certChainCnt;
wolfSSL 12:0217a9463bc3 3230 length += certChainSz;
wolfSSL 12:0217a9463bc3 3231 listSz += certChainSz;
wolfSSL 12:0217a9463bc3 3232 }
wolfSSL 12:0217a9463bc3 3233 else
wolfSSL 12:0217a9463bc3 3234 certChainSz = 0;
wolfSSL 12:0217a9463bc3 3235 }
wolfSSL 12:0217a9463bc3 3236
wolfSSL 12:0217a9463bc3 3237 payloadSz = length;
wolfSSL 12:0217a9463bc3 3238
wolfSSL 12:0217a9463bc3 3239 if (ssl->fragOffset != 0)
wolfSSL 12:0217a9463bc3 3240 length -= (ssl->fragOffset + headerSz);
wolfSSL 12:0217a9463bc3 3241
wolfSSL 12:0217a9463bc3 3242 maxFragment = MAX_RECORD_SIZE;
wolfSSL 12:0217a9463bc3 3243
wolfSSL 12:0217a9463bc3 3244 #ifdef HAVE_MAX_FRAGMENT
wolfSSL 12:0217a9463bc3 3245 if (ssl->max_fragment != 0 && maxFragment >= ssl->max_fragment)
wolfSSL 12:0217a9463bc3 3246 maxFragment = ssl->max_fragment;
wolfSSL 12:0217a9463bc3 3247 #endif /* HAVE_MAX_FRAGMENT */
wolfSSL 12:0217a9463bc3 3248
wolfSSL 12:0217a9463bc3 3249 while (length > 0 && ret == 0) {
wolfSSL 12:0217a9463bc3 3250 byte* output = NULL;
wolfSSL 12:0217a9463bc3 3251 word32 fragSz = 0;
wolfSSL 12:0217a9463bc3 3252 word32 i = RECORD_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3253 int sendSz = RECORD_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3254
wolfSSL 12:0217a9463bc3 3255 if (ssl->fragOffset == 0) {
wolfSSL 12:0217a9463bc3 3256 if (headerSz + certSz + OPAQUE16_LEN + certChainSz <=
wolfSSL 12:0217a9463bc3 3257 maxFragment - HANDSHAKE_HEADER_SZ) {
wolfSSL 12:0217a9463bc3 3258
wolfSSL 12:0217a9463bc3 3259 fragSz = headerSz + certSz + OPAQUE16_LEN + certChainSz;
wolfSSL 12:0217a9463bc3 3260 }
wolfSSL 12:0217a9463bc3 3261 else {
wolfSSL 12:0217a9463bc3 3262 fragSz = maxFragment - HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3263 }
wolfSSL 12:0217a9463bc3 3264 sendSz += fragSz + HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3265 i += HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3266 }
wolfSSL 12:0217a9463bc3 3267 else {
wolfSSL 12:0217a9463bc3 3268 fragSz = min(length, maxFragment);
wolfSSL 12:0217a9463bc3 3269 sendSz += fragSz;
wolfSSL 12:0217a9463bc3 3270 }
wolfSSL 12:0217a9463bc3 3271
wolfSSL 12:0217a9463bc3 3272 sendSz += MAX_MSG_EXTRA;
wolfSSL 12:0217a9463bc3 3273
wolfSSL 12:0217a9463bc3 3274 /* Check buffers are big enough and grow if needed. */
wolfSSL 12:0217a9463bc3 3275 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
wolfSSL 12:0217a9463bc3 3276 return ret;
wolfSSL 12:0217a9463bc3 3277
wolfSSL 12:0217a9463bc3 3278 /* Get position in output buffer to write new message to. */
wolfSSL 12:0217a9463bc3 3279 output = ssl->buffers.outputBuffer.buffer +
wolfSSL 12:0217a9463bc3 3280 ssl->buffers.outputBuffer.length;
wolfSSL 12:0217a9463bc3 3281
wolfSSL 12:0217a9463bc3 3282 if (ssl->fragOffset == 0) {
wolfSSL 12:0217a9463bc3 3283 AddTls13FragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);
wolfSSL 12:0217a9463bc3 3284
wolfSSL 12:0217a9463bc3 3285 /* Request context. */
wolfSSL 12:0217a9463bc3 3286 output[i++] = 0;
wolfSSL 12:0217a9463bc3 3287 length -= 1;
wolfSSL 12:0217a9463bc3 3288 fragSz -= 1;
wolfSSL 12:0217a9463bc3 3289 /* Certificate list length. */
wolfSSL 12:0217a9463bc3 3290 c32to24(listSz, output + i);
wolfSSL 12:0217a9463bc3 3291 i += CERT_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3292 length -= CERT_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3293 fragSz -= CERT_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3294 /* Leaf certificate data length. */
wolfSSL 12:0217a9463bc3 3295 if (certSz > 0) {
wolfSSL 12:0217a9463bc3 3296 c32to24(certSz, output + i);
wolfSSL 12:0217a9463bc3 3297 i += CERT_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3298 length -= CERT_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3299 fragSz -= CERT_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3300 }
wolfSSL 12:0217a9463bc3 3301 }
wolfSSL 12:0217a9463bc3 3302 else
wolfSSL 12:0217a9463bc3 3303 AddTls13RecordHeader(output, fragSz, handshake, ssl);
wolfSSL 12:0217a9463bc3 3304
wolfSSL 12:0217a9463bc3 3305 /* TODO: [TLS13] Test with fragments and multiple CA certs */
wolfSSL 12:0217a9463bc3 3306 if (certSz > 0 && ssl->fragOffset < certSz + OPAQUE16_LEN) {
wolfSSL 12:0217a9463bc3 3307 /* Put in the leaf certificate and empty extension. */
wolfSSL 12:0217a9463bc3 3308 word32 copySz = AddCertExt(ssl->buffers.certificate->buffer, certSz,
wolfSSL 12:0217a9463bc3 3309 ssl->fragOffset, fragSz, output + i);
wolfSSL 12:0217a9463bc3 3310
wolfSSL 12:0217a9463bc3 3311 i += copySz;
wolfSSL 12:0217a9463bc3 3312 ssl->fragOffset += copySz;
wolfSSL 12:0217a9463bc3 3313 length -= copySz;
wolfSSL 12:0217a9463bc3 3314 fragSz -= copySz;
wolfSSL 12:0217a9463bc3 3315 }
wolfSSL 12:0217a9463bc3 3316 if (certChainSz > 0 && fragSz > 0) {
wolfSSL 12:0217a9463bc3 3317 /* Put in the CA certificates with empty extensions. */
wolfSSL 12:0217a9463bc3 3318 while (fragSz > 0) {
wolfSSL 12:0217a9463bc3 3319 word32 l;
wolfSSL 12:0217a9463bc3 3320
wolfSSL 12:0217a9463bc3 3321 if (offset == len + OPAQUE16_LEN) {
wolfSSL 12:0217a9463bc3 3322 /* Find next CA certificate to write out. */
wolfSSL 12:0217a9463bc3 3323 offset = 0;
wolfSSL 12:0217a9463bc3 3324 len = NextCert(ssl->buffers.certChain->buffer,
wolfSSL 12:0217a9463bc3 3325 ssl->buffers.certChain->length, &idx);
wolfSSL 12:0217a9463bc3 3326 if (len == 0)
wolfSSL 12:0217a9463bc3 3327 break;
wolfSSL 12:0217a9463bc3 3328 }
wolfSSL 12:0217a9463bc3 3329
wolfSSL 12:0217a9463bc3 3330 /* Write out certificate and empty extension. */
wolfSSL 12:0217a9463bc3 3331 l = AddCertExt(p, len, offset, fragSz, output + i);
wolfSSL 12:0217a9463bc3 3332 i += l;
wolfSSL 12:0217a9463bc3 3333 ssl->fragOffset += l;
wolfSSL 12:0217a9463bc3 3334 length -= l;
wolfSSL 12:0217a9463bc3 3335 fragSz -= l;
wolfSSL 12:0217a9463bc3 3336 offset += l;
wolfSSL 12:0217a9463bc3 3337 }
wolfSSL 12:0217a9463bc3 3338 }
wolfSSL 12:0217a9463bc3 3339
wolfSSL 12:0217a9463bc3 3340 if ((int)i - RECORD_HEADER_SZ < 0) {
wolfSSL 12:0217a9463bc3 3341 WOLFSSL_MSG("Send Cert bad inputSz");
wolfSSL 12:0217a9463bc3 3342 return BUFFER_E;
wolfSSL 12:0217a9463bc3 3343 }
wolfSSL 12:0217a9463bc3 3344
wolfSSL 12:0217a9463bc3 3345 /* This message is always encrypted. */
wolfSSL 12:0217a9463bc3 3346 sendSz = BuildTls13Message(ssl, output, sendSz,
wolfSSL 12:0217a9463bc3 3347 output + RECORD_HEADER_SZ,
wolfSSL 12:0217a9463bc3 3348 i - RECORD_HEADER_SZ, handshake, 1, 0);
wolfSSL 12:0217a9463bc3 3349 if (sendSz < 0)
wolfSSL 12:0217a9463bc3 3350 return sendSz;
wolfSSL 12:0217a9463bc3 3351
wolfSSL 12:0217a9463bc3 3352 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 3353 if (ssl->hsInfoOn)
wolfSSL 12:0217a9463bc3 3354 AddPacketName("Certificate", &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 3355 if (ssl->toInfoOn)
wolfSSL 12:0217a9463bc3 3356 AddPacketInfo("Certificate", &ssl->timeoutInfo, output, sendSz,
wolfSSL 12:0217a9463bc3 3357 ssl->heap);
wolfSSL 12:0217a9463bc3 3358 #endif
wolfSSL 12:0217a9463bc3 3359
wolfSSL 12:0217a9463bc3 3360 ssl->buffers.outputBuffer.length += sendSz;
wolfSSL 12:0217a9463bc3 3361 if (!ssl->options.groupMessages)
wolfSSL 12:0217a9463bc3 3362 ret = SendBuffered(ssl);
wolfSSL 12:0217a9463bc3 3363 }
wolfSSL 12:0217a9463bc3 3364
wolfSSL 12:0217a9463bc3 3365 if (ret != WANT_WRITE) {
wolfSSL 12:0217a9463bc3 3366 /* Clean up the fragment offset. */
wolfSSL 12:0217a9463bc3 3367 ssl->fragOffset = 0;
wolfSSL 12:0217a9463bc3 3368 if (ssl->options.side == WOLFSSL_SERVER_END)
wolfSSL 12:0217a9463bc3 3369 ssl->options.serverState = SERVER_CERT_COMPLETE;
wolfSSL 12:0217a9463bc3 3370 }
wolfSSL 12:0217a9463bc3 3371
wolfSSL 12:0217a9463bc3 3372 return ret;
wolfSSL 12:0217a9463bc3 3373 }
wolfSSL 12:0217a9463bc3 3374
wolfSSL 12:0217a9463bc3 3375 typedef struct Scv13Args {
wolfSSL 12:0217a9463bc3 3376 byte* output; /* not allocated */
wolfSSL 12:0217a9463bc3 3377 #ifndef NO_RSA
wolfSSL 12:0217a9463bc3 3378 byte* verifySig;
wolfSSL 12:0217a9463bc3 3379 #endif
wolfSSL 12:0217a9463bc3 3380 byte* verify; /* not allocated */
wolfSSL 12:0217a9463bc3 3381 byte* input;
wolfSSL 12:0217a9463bc3 3382 word32 idx;
wolfSSL 12:0217a9463bc3 3383 word32 sigLen;
wolfSSL 12:0217a9463bc3 3384 int sendSz;
wolfSSL 12:0217a9463bc3 3385 word16 length;
wolfSSL 12:0217a9463bc3 3386
wolfSSL 12:0217a9463bc3 3387 byte* sigData;
wolfSSL 12:0217a9463bc3 3388 word16 sigDataSz;
wolfSSL 12:0217a9463bc3 3389 } Scv13Args;
wolfSSL 12:0217a9463bc3 3390
wolfSSL 12:0217a9463bc3 3391 static void FreeScv13Args(WOLFSSL* ssl, void* pArgs)
wolfSSL 12:0217a9463bc3 3392 {
wolfSSL 12:0217a9463bc3 3393 Scv13Args* args = (Scv13Args*)pArgs;
wolfSSL 12:0217a9463bc3 3394
wolfSSL 12:0217a9463bc3 3395 (void)ssl;
wolfSSL 12:0217a9463bc3 3396
wolfSSL 12:0217a9463bc3 3397 #ifndef NO_RSA
wolfSSL 12:0217a9463bc3 3398 if (args->verifySig) {
wolfSSL 12:0217a9463bc3 3399 XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 12:0217a9463bc3 3400 args->verifySig = NULL;
wolfSSL 12:0217a9463bc3 3401 }
wolfSSL 12:0217a9463bc3 3402 #endif
wolfSSL 12:0217a9463bc3 3403 if (args->sigData) {
wolfSSL 12:0217a9463bc3 3404 XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 12:0217a9463bc3 3405 args->sigData = NULL;
wolfSSL 12:0217a9463bc3 3406 }
wolfSSL 12:0217a9463bc3 3407 if (args->input) {
wolfSSL 12:0217a9463bc3 3408 XFREE(args->input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 12:0217a9463bc3 3409 args->input = NULL;
wolfSSL 12:0217a9463bc3 3410 }
wolfSSL 12:0217a9463bc3 3411 }
wolfSSL 12:0217a9463bc3 3412
wolfSSL 12:0217a9463bc3 3413 /* Send the TLS v1.3 CertificateVerify message.
wolfSSL 12:0217a9463bc3 3414 * A hash of all the message so far is used.
wolfSSL 12:0217a9463bc3 3415 * The signed data is:
wolfSSL 12:0217a9463bc3 3416 * 0x20 * 64 | context string | 0x00 | hash of messages
wolfSSL 12:0217a9463bc3 3417 * This message is always encrypted in TLS v1.3.
wolfSSL 12:0217a9463bc3 3418 *
wolfSSL 12:0217a9463bc3 3419 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 3420 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 3421 */
wolfSSL 12:0217a9463bc3 3422 int SendTls13CertificateVerify(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 3423 {
wolfSSL 12:0217a9463bc3 3424 int ret = 0;
wolfSSL 12:0217a9463bc3 3425 buffer* sig = &ssl->buffers.sig;
wolfSSL 12:0217a9463bc3 3426 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 12:0217a9463bc3 3427 Scv13Args* args = (Scv13Args*)ssl->async.args;
wolfSSL 12:0217a9463bc3 3428 typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
wolfSSL 12:0217a9463bc3 3429 (void)sizeof(args_test);
wolfSSL 12:0217a9463bc3 3430 #else
wolfSSL 12:0217a9463bc3 3431 Scv13Args args[1];
wolfSSL 12:0217a9463bc3 3432 #endif
wolfSSL 12:0217a9463bc3 3433
wolfSSL 12:0217a9463bc3 3434 WOLFSSL_ENTER("SendTls13CertificateVerify");
wolfSSL 12:0217a9463bc3 3435
wolfSSL 12:0217a9463bc3 3436 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 12:0217a9463bc3 3437 ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
wolfSSL 12:0217a9463bc3 3438 if (ret != WC_NOT_PENDING_E) {
wolfSSL 12:0217a9463bc3 3439 /* Check for error */
wolfSSL 12:0217a9463bc3 3440 if (ret < 0)
wolfSSL 12:0217a9463bc3 3441 goto exit_scv;
wolfSSL 12:0217a9463bc3 3442 }
wolfSSL 12:0217a9463bc3 3443 else
wolfSSL 12:0217a9463bc3 3444 #endif
wolfSSL 12:0217a9463bc3 3445 {
wolfSSL 12:0217a9463bc3 3446 /* Reset state */
wolfSSL 12:0217a9463bc3 3447 ret = 0;
wolfSSL 12:0217a9463bc3 3448 ssl->options.asyncState = TLS_ASYNC_BEGIN;
wolfSSL 12:0217a9463bc3 3449 XMEMSET(args, 0, sizeof(Scv13Args));
wolfSSL 12:0217a9463bc3 3450 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 12:0217a9463bc3 3451 ssl->async.freeArgs = FreeScv13Args;
wolfSSL 12:0217a9463bc3 3452 #endif
wolfSSL 12:0217a9463bc3 3453 }
wolfSSL 12:0217a9463bc3 3454
wolfSSL 12:0217a9463bc3 3455 switch(ssl->options.asyncState)
wolfSSL 12:0217a9463bc3 3456 {
wolfSSL 12:0217a9463bc3 3457 case TLS_ASYNC_BEGIN:
wolfSSL 12:0217a9463bc3 3458 {
wolfSSL 12:0217a9463bc3 3459 if (ssl->options.sendVerify == SEND_BLANK_CERT) {
wolfSSL 12:0217a9463bc3 3460 return 0; /* sent blank cert, can't verify */
wolfSSL 12:0217a9463bc3 3461 }
wolfSSL 12:0217a9463bc3 3462
wolfSSL 12:0217a9463bc3 3463 args->sendSz = MAX_CERT_VERIFY_SZ;
wolfSSL 12:0217a9463bc3 3464 /* Always encrypted. */
wolfSSL 12:0217a9463bc3 3465 args->sendSz += MAX_MSG_EXTRA;
wolfSSL 12:0217a9463bc3 3466
wolfSSL 12:0217a9463bc3 3467 /* check for available size */
wolfSSL 12:0217a9463bc3 3468 if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) {
wolfSSL 12:0217a9463bc3 3469 goto exit_scv;
wolfSSL 12:0217a9463bc3 3470 }
wolfSSL 12:0217a9463bc3 3471
wolfSSL 12:0217a9463bc3 3472 /* get output buffer */
wolfSSL 12:0217a9463bc3 3473 args->output = ssl->buffers.outputBuffer.buffer +
wolfSSL 12:0217a9463bc3 3474 ssl->buffers.outputBuffer.length;
wolfSSL 12:0217a9463bc3 3475
wolfSSL 12:0217a9463bc3 3476 /* Advance state and proceed */
wolfSSL 12:0217a9463bc3 3477 ssl->options.asyncState = TLS_ASYNC_BUILD;
wolfSSL 12:0217a9463bc3 3478 } /* case TLS_ASYNC_BEGIN */
wolfSSL 12:0217a9463bc3 3479
wolfSSL 12:0217a9463bc3 3480 case TLS_ASYNC_BUILD:
wolfSSL 12:0217a9463bc3 3481 {
wolfSSL 12:0217a9463bc3 3482 /* idx is used to track verify pointer offset to output */
wolfSSL 12:0217a9463bc3 3483 args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 3484 args->verify = &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ];
wolfSSL 12:0217a9463bc3 3485
wolfSSL 12:0217a9463bc3 3486 ret = DecodePrivateKey(ssl, &args->length);
wolfSSL 12:0217a9463bc3 3487 if (ret != 0)
wolfSSL 12:0217a9463bc3 3488 goto exit_scv;
wolfSSL 12:0217a9463bc3 3489
wolfSSL 12:0217a9463bc3 3490 /* Add signature algorithm. */
wolfSSL 12:0217a9463bc3 3491 EncodeSigAlg(ssl->suites->hashAlgo, ssl->hsType, args->verify);
wolfSSL 12:0217a9463bc3 3492
wolfSSL 12:0217a9463bc3 3493 /* Create the data to be signed. */
wolfSSL 12:0217a9463bc3 3494 args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
wolfSSL 12:0217a9463bc3 3495 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 12:0217a9463bc3 3496 if (args->sigData == NULL) {
wolfSSL 12:0217a9463bc3 3497 ERROR_OUT(MEMORY_E, exit_scv);
wolfSSL 12:0217a9463bc3 3498 }
wolfSSL 12:0217a9463bc3 3499
wolfSSL 12:0217a9463bc3 3500 CreateSigData(ssl, args->sigData, &args->sigDataSz, 0);
wolfSSL 12:0217a9463bc3 3501
wolfSSL 12:0217a9463bc3 3502 #ifndef NO_RSA
wolfSSL 12:0217a9463bc3 3503 if (ssl->hsType == DYNAMIC_TYPE_RSA) {
wolfSSL 12:0217a9463bc3 3504 /* build encoded signature buffer */
wolfSSL 12:0217a9463bc3 3505 sig->length = MAX_ENCODED_SIG_SZ;
wolfSSL 12:0217a9463bc3 3506 sig->buffer = (byte*)XMALLOC(sig->length, ssl->heap,
wolfSSL 12:0217a9463bc3 3507 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 12:0217a9463bc3 3508 if (sig->buffer == NULL)
wolfSSL 12:0217a9463bc3 3509 return MEMORY_E;
wolfSSL 12:0217a9463bc3 3510
wolfSSL 12:0217a9463bc3 3511 /* Digest the signature data and encode. Used in verify too. */
wolfSSL 12:0217a9463bc3 3512 sig->length = CreateRSAEncodedSig(sig->buffer, args->sigData,
wolfSSL 12:0217a9463bc3 3513 args->sigDataSz, ssl->suites->hashAlgo);
wolfSSL 12:0217a9463bc3 3514 if (ret != 0)
wolfSSL 12:0217a9463bc3 3515 goto exit_scv;
wolfSSL 12:0217a9463bc3 3516
wolfSSL 12:0217a9463bc3 3517 /* Maximum size of RSA Signature. */
wolfSSL 12:0217a9463bc3 3518 args->sigLen = args->length;
wolfSSL 12:0217a9463bc3 3519 }
wolfSSL 12:0217a9463bc3 3520 #endif /* !NO_RSA */
wolfSSL 12:0217a9463bc3 3521 #ifdef HAVE_ECC
wolfSSL 12:0217a9463bc3 3522 if (ssl->hsType == DYNAMIC_TYPE_ECC) {
wolfSSL 12:0217a9463bc3 3523 sig->length = args->sendSz - args->idx - HASH_SIG_SIZE -
wolfSSL 12:0217a9463bc3 3524 VERIFY_HEADER;
wolfSSL 12:0217a9463bc3 3525 args->sigDataSz = CreateECCEncodedSig(args->sigData,
wolfSSL 12:0217a9463bc3 3526 args->sigDataSz, ssl->suites->hashAlgo);
wolfSSL 12:0217a9463bc3 3527 }
wolfSSL 12:0217a9463bc3 3528 #endif /* HAVE_ECC */
wolfSSL 12:0217a9463bc3 3529
wolfSSL 12:0217a9463bc3 3530 /* Advance state and proceed */
wolfSSL 12:0217a9463bc3 3531 ssl->options.asyncState = TLS_ASYNC_DO;
wolfSSL 12:0217a9463bc3 3532 } /* case TLS_ASYNC_BUILD */
wolfSSL 12:0217a9463bc3 3533
wolfSSL 12:0217a9463bc3 3534 case TLS_ASYNC_DO:
wolfSSL 12:0217a9463bc3 3535 {
wolfSSL 12:0217a9463bc3 3536 #ifdef HAVE_ECC
wolfSSL 12:0217a9463bc3 3537 if (ssl->hsType == DYNAMIC_TYPE_ECC) {
wolfSSL 12:0217a9463bc3 3538 ret = EccSign(ssl, args->sigData, args->sigDataSz,
wolfSSL 12:0217a9463bc3 3539 args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
wolfSSL 12:0217a9463bc3 3540 &sig->length, (ecc_key*)ssl->hsKey,
wolfSSL 12:0217a9463bc3 3541 #if defined(HAVE_PK_CALLBACKS)
wolfSSL 12:0217a9463bc3 3542 ssl->buffers.key->buffer, ssl->buffers.key->length,
wolfSSL 12:0217a9463bc3 3543 ssl->EccSignCtx
wolfSSL 12:0217a9463bc3 3544 #else
wolfSSL 12:0217a9463bc3 3545 NULL, 0, NULL
wolfSSL 12:0217a9463bc3 3546 #endif
wolfSSL 12:0217a9463bc3 3547 );
wolfSSL 12:0217a9463bc3 3548 args->length = sig->length;
wolfSSL 12:0217a9463bc3 3549 }
wolfSSL 12:0217a9463bc3 3550 #endif /* HAVE_ECC */
wolfSSL 12:0217a9463bc3 3551 #ifndef NO_RSA
wolfSSL 12:0217a9463bc3 3552 if (ssl->hsType == DYNAMIC_TYPE_RSA) {
wolfSSL 12:0217a9463bc3 3553 /* restore verify pointer */
wolfSSL 12:0217a9463bc3 3554 args->verify = &args->output[args->idx];
wolfSSL 12:0217a9463bc3 3555
wolfSSL 12:0217a9463bc3 3556 ret = RsaSign(ssl, sig->buffer, sig->length,
wolfSSL 12:0217a9463bc3 3557 args->verify + HASH_SIG_SIZE + VERIFY_HEADER, &args->sigLen,
wolfSSL 12:0217a9463bc3 3558 (RsaKey*)ssl->hsKey,
wolfSSL 12:0217a9463bc3 3559 ssl->buffers.key->buffer, ssl->buffers.key->length,
wolfSSL 12:0217a9463bc3 3560 #ifdef HAVE_PK_CALLBACKS
wolfSSL 12:0217a9463bc3 3561 ssl->RsaSignCtx
wolfSSL 12:0217a9463bc3 3562 #else
wolfSSL 12:0217a9463bc3 3563 NULL
wolfSSL 12:0217a9463bc3 3564 #endif
wolfSSL 12:0217a9463bc3 3565 );
wolfSSL 12:0217a9463bc3 3566 args->length = args->sigLen;
wolfSSL 12:0217a9463bc3 3567 }
wolfSSL 12:0217a9463bc3 3568 #endif /* !NO_RSA */
wolfSSL 12:0217a9463bc3 3569
wolfSSL 12:0217a9463bc3 3570 /* Check for error */
wolfSSL 12:0217a9463bc3 3571 if (ret != 0) {
wolfSSL 12:0217a9463bc3 3572 goto exit_scv;
wolfSSL 12:0217a9463bc3 3573 }
wolfSSL 12:0217a9463bc3 3574
wolfSSL 12:0217a9463bc3 3575 /* Add signature length. */
wolfSSL 12:0217a9463bc3 3576 c16toa(args->length, args->verify + HASH_SIG_SIZE);
wolfSSL 12:0217a9463bc3 3577
wolfSSL 12:0217a9463bc3 3578 /* Advance state and proceed */
wolfSSL 12:0217a9463bc3 3579 ssl->options.asyncState = TLS_ASYNC_VERIFY;
wolfSSL 12:0217a9463bc3 3580 } /* case TLS_ASYNC_DO */
wolfSSL 12:0217a9463bc3 3581
wolfSSL 12:0217a9463bc3 3582 case TLS_ASYNC_VERIFY:
wolfSSL 12:0217a9463bc3 3583 {
wolfSSL 12:0217a9463bc3 3584 /* restore verify pointer */
wolfSSL 12:0217a9463bc3 3585 args->verify = &args->output[args->idx];
wolfSSL 12:0217a9463bc3 3586
wolfSSL 12:0217a9463bc3 3587 #ifndef NO_RSA
wolfSSL 12:0217a9463bc3 3588 if (ssl->hsType == DYNAMIC_TYPE_RSA) {
wolfSSL 12:0217a9463bc3 3589 if (args->verifySig == NULL) {
wolfSSL 12:0217a9463bc3 3590 args->verifySig = (byte*)XMALLOC(args->sigLen, ssl->heap,
wolfSSL 12:0217a9463bc3 3591 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 12:0217a9463bc3 3592 if (args->verifySig == NULL) {
wolfSSL 12:0217a9463bc3 3593 ERROR_OUT(MEMORY_E, exit_scv);
wolfSSL 12:0217a9463bc3 3594 }
wolfSSL 12:0217a9463bc3 3595 XMEMCPY(args->verifySig,
wolfSSL 12:0217a9463bc3 3596 args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
wolfSSL 12:0217a9463bc3 3597 args->sigLen);
wolfSSL 12:0217a9463bc3 3598 }
wolfSSL 12:0217a9463bc3 3599
wolfSSL 12:0217a9463bc3 3600 /* check for signature faults */
wolfSSL 12:0217a9463bc3 3601 ret = VerifyRsaSign(ssl, args->verifySig, args->sigLen,
wolfSSL 12:0217a9463bc3 3602 sig->buffer, sig->length, (RsaKey*)ssl->hsKey);
wolfSSL 12:0217a9463bc3 3603 }
wolfSSL 12:0217a9463bc3 3604 #endif /* !NO_RSA */
wolfSSL 12:0217a9463bc3 3605
wolfSSL 12:0217a9463bc3 3606 /* Check for error */
wolfSSL 12:0217a9463bc3 3607 if (ret != 0) {
wolfSSL 12:0217a9463bc3 3608 goto exit_scv;
wolfSSL 12:0217a9463bc3 3609 }
wolfSSL 12:0217a9463bc3 3610
wolfSSL 12:0217a9463bc3 3611 /* Advance state and proceed */
wolfSSL 12:0217a9463bc3 3612 ssl->options.asyncState = TLS_ASYNC_FINALIZE;
wolfSSL 12:0217a9463bc3 3613 } /* case TLS_ASYNC_VERIFY */
wolfSSL 12:0217a9463bc3 3614
wolfSSL 12:0217a9463bc3 3615 case TLS_ASYNC_FINALIZE:
wolfSSL 12:0217a9463bc3 3616 {
wolfSSL 12:0217a9463bc3 3617 /* Put the record and handshake headers on. */
wolfSSL 12:0217a9463bc3 3618 AddTls13Headers(args->output, args->length + HASH_SIG_SIZE + VERIFY_HEADER,
wolfSSL 12:0217a9463bc3 3619 certificate_verify, ssl);
wolfSSL 12:0217a9463bc3 3620
wolfSSL 12:0217a9463bc3 3621 args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + args->length +
wolfSSL 12:0217a9463bc3 3622 HASH_SIG_SIZE + VERIFY_HEADER;
wolfSSL 12:0217a9463bc3 3623
wolfSSL 12:0217a9463bc3 3624 /* This message is always encrypted. */
wolfSSL 12:0217a9463bc3 3625 args->sendSz = BuildTls13Message(ssl, args->output,
wolfSSL 12:0217a9463bc3 3626 MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA,
wolfSSL 12:0217a9463bc3 3627 args->output + RECORD_HEADER_SZ,
wolfSSL 12:0217a9463bc3 3628 args->sendSz - RECORD_HEADER_SZ, handshake,
wolfSSL 12:0217a9463bc3 3629 1, 0);
wolfSSL 12:0217a9463bc3 3630 if (args->sendSz < 0) {
wolfSSL 12:0217a9463bc3 3631 ret = args->sendSz;
wolfSSL 12:0217a9463bc3 3632 goto exit_scv;
wolfSSL 12:0217a9463bc3 3633 }
wolfSSL 12:0217a9463bc3 3634
wolfSSL 12:0217a9463bc3 3635 /* Advance state and proceed */
wolfSSL 12:0217a9463bc3 3636 ssl->options.asyncState = TLS_ASYNC_END;
wolfSSL 12:0217a9463bc3 3637 } /* case TLS_ASYNC_FINALIZE */
wolfSSL 12:0217a9463bc3 3638
wolfSSL 12:0217a9463bc3 3639 case TLS_ASYNC_END:
wolfSSL 12:0217a9463bc3 3640 {
wolfSSL 12:0217a9463bc3 3641 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 3642 if (ssl->hsInfoOn)
wolfSSL 12:0217a9463bc3 3643 AddPacketName("CertificateVerify", &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 3644 if (ssl->toInfoOn)
wolfSSL 12:0217a9463bc3 3645 AddPacketInfo("CertificateVerify", &ssl->timeoutInfo,
wolfSSL 12:0217a9463bc3 3646 args->output, args->sendSz, ssl->heap);
wolfSSL 12:0217a9463bc3 3647 #endif
wolfSSL 12:0217a9463bc3 3648
wolfSSL 12:0217a9463bc3 3649 ssl->buffers.outputBuffer.length += args->sendSz;
wolfSSL 12:0217a9463bc3 3650
wolfSSL 12:0217a9463bc3 3651 if (!ssl->options.groupMessages)
wolfSSL 12:0217a9463bc3 3652 ret = SendBuffered(ssl);
wolfSSL 12:0217a9463bc3 3653 break;
wolfSSL 12:0217a9463bc3 3654 }
wolfSSL 12:0217a9463bc3 3655 default:
wolfSSL 12:0217a9463bc3 3656 ret = INPUT_CASE_ERROR;
wolfSSL 12:0217a9463bc3 3657 } /* switch(ssl->options.asyncState) */
wolfSSL 12:0217a9463bc3 3658
wolfSSL 12:0217a9463bc3 3659 exit_scv:
wolfSSL 12:0217a9463bc3 3660
wolfSSL 12:0217a9463bc3 3661 WOLFSSL_LEAVE("SendTls13CertificateVerify", ret);
wolfSSL 12:0217a9463bc3 3662
wolfSSL 12:0217a9463bc3 3663 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 12:0217a9463bc3 3664 /* Handle async operation */
wolfSSL 12:0217a9463bc3 3665 if (ret == WC_PENDING_E) {
wolfSSL 12:0217a9463bc3 3666 return ret;
wolfSSL 12:0217a9463bc3 3667 }
wolfSSL 12:0217a9463bc3 3668 #endif /* WOLFSSL_ASYNC_CRYPT */
wolfSSL 12:0217a9463bc3 3669
wolfSSL 12:0217a9463bc3 3670 /* Final cleanup */
wolfSSL 12:0217a9463bc3 3671 FreeScv13Args(ssl, args);
wolfSSL 12:0217a9463bc3 3672 FreeKeyExchange(ssl);
wolfSSL 12:0217a9463bc3 3673
wolfSSL 12:0217a9463bc3 3674 return ret;
wolfSSL 12:0217a9463bc3 3675 }
wolfSSL 12:0217a9463bc3 3676
wolfSSL 12:0217a9463bc3 3677
wolfSSL 12:0217a9463bc3 3678 /* Parse and handle a TLS v1.3 Certificate message.
wolfSSL 12:0217a9463bc3 3679 *
wolfSSL 12:0217a9463bc3 3680 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 3681 * input The message buffer.
wolfSSL 12:0217a9463bc3 3682 * inOutIdx On entry, the index into the message buffer of Certificate.
wolfSSL 12:0217a9463bc3 3683 * On exit, the index of byte after the Certificate message.
wolfSSL 12:0217a9463bc3 3684 * totalSz The length of the current handshake message.
wolfSSL 12:0217a9463bc3 3685 * returns 0 on success and otherwise failure.
wolfSSL 12:0217a9463bc3 3686 */
wolfSSL 12:0217a9463bc3 3687 static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
wolfSSL 12:0217a9463bc3 3688 word32 totalSz)
wolfSSL 12:0217a9463bc3 3689 {
wolfSSL 12:0217a9463bc3 3690 return ProcessPeerCerts(ssl, input, inOutIdx, totalSz);
wolfSSL 12:0217a9463bc3 3691 }
wolfSSL 12:0217a9463bc3 3692
wolfSSL 12:0217a9463bc3 3693 #if !defined(NO_RSA) || defined(HAVE_ECC)
wolfSSL 12:0217a9463bc3 3694
wolfSSL 12:0217a9463bc3 3695 typedef struct Dcv13Args {
wolfSSL 12:0217a9463bc3 3696 byte* output; /* not allocated */
wolfSSL 12:0217a9463bc3 3697 word32 sendSz;
wolfSSL 12:0217a9463bc3 3698 word16 sz;
wolfSSL 12:0217a9463bc3 3699 word32 sigSz;
wolfSSL 12:0217a9463bc3 3700 word32 idx;
wolfSSL 12:0217a9463bc3 3701 word32 begin;
wolfSSL 12:0217a9463bc3 3702 byte hashAlgo;
wolfSSL 12:0217a9463bc3 3703 byte sigAlgo;
wolfSSL 12:0217a9463bc3 3704
wolfSSL 12:0217a9463bc3 3705 byte* sigData;
wolfSSL 12:0217a9463bc3 3706 word16 sigDataSz;
wolfSSL 12:0217a9463bc3 3707 } Dcv13Args;
wolfSSL 12:0217a9463bc3 3708
wolfSSL 12:0217a9463bc3 3709 static void FreeDcv13Args(WOLFSSL* ssl, void* pArgs)
wolfSSL 12:0217a9463bc3 3710 {
wolfSSL 12:0217a9463bc3 3711 Dcv13Args* args = (Dcv13Args*)pArgs;
wolfSSL 12:0217a9463bc3 3712
wolfSSL 12:0217a9463bc3 3713 if (args->sigData) {
wolfSSL 12:0217a9463bc3 3714 XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 12:0217a9463bc3 3715 args->sigData = NULL;
wolfSSL 12:0217a9463bc3 3716 }
wolfSSL 12:0217a9463bc3 3717
wolfSSL 12:0217a9463bc3 3718 (void)ssl;
wolfSSL 12:0217a9463bc3 3719 }
wolfSSL 12:0217a9463bc3 3720
wolfSSL 12:0217a9463bc3 3721 /* Parse and handle a TLS v1.3 CertificateVerify message.
wolfSSL 12:0217a9463bc3 3722 *
wolfSSL 12:0217a9463bc3 3723 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 3724 * input The message buffer.
wolfSSL 12:0217a9463bc3 3725 * inOutIdx On entry, the index into the message buffer of
wolfSSL 12:0217a9463bc3 3726 * CertificateVerify.
wolfSSL 12:0217a9463bc3 3727 * On exit, the index of byte after the CertificateVerify message.
wolfSSL 12:0217a9463bc3 3728 * totalSz The length of the current handshake message.
wolfSSL 12:0217a9463bc3 3729 * returns 0 on success and otherwise failure.
wolfSSL 12:0217a9463bc3 3730 */
wolfSSL 12:0217a9463bc3 3731 static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
wolfSSL 12:0217a9463bc3 3732 word32* inOutIdx, word32 totalSz)
wolfSSL 12:0217a9463bc3 3733 {
wolfSSL 12:0217a9463bc3 3734 int ret = 0;
wolfSSL 12:0217a9463bc3 3735 buffer* sig = &ssl->buffers.sig;
wolfSSL 12:0217a9463bc3 3736 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 12:0217a9463bc3 3737 Dcv13Args* args = (Dcv13Args*)ssl->async.args;
wolfSSL 12:0217a9463bc3 3738 typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
wolfSSL 12:0217a9463bc3 3739 (void)sizeof(args_test);
wolfSSL 12:0217a9463bc3 3740 #else
wolfSSL 12:0217a9463bc3 3741 Dcv13Args args[1];
wolfSSL 12:0217a9463bc3 3742 #endif
wolfSSL 12:0217a9463bc3 3743
wolfSSL 12:0217a9463bc3 3744 WOLFSSL_ENTER("DoTls13CertificateVerify");
wolfSSL 12:0217a9463bc3 3745
wolfSSL 12:0217a9463bc3 3746 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 12:0217a9463bc3 3747 ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
wolfSSL 12:0217a9463bc3 3748 if (ret != WC_NOT_PENDING_E) {
wolfSSL 12:0217a9463bc3 3749 /* Check for error */
wolfSSL 12:0217a9463bc3 3750 if (ret < 0)
wolfSSL 12:0217a9463bc3 3751 goto exit_dcv;
wolfSSL 12:0217a9463bc3 3752 }
wolfSSL 12:0217a9463bc3 3753 else
wolfSSL 12:0217a9463bc3 3754 #endif
wolfSSL 12:0217a9463bc3 3755 {
wolfSSL 12:0217a9463bc3 3756 /* Reset state */
wolfSSL 12:0217a9463bc3 3757 ret = 0;
wolfSSL 12:0217a9463bc3 3758 ssl->options.asyncState = TLS_ASYNC_BEGIN;
wolfSSL 12:0217a9463bc3 3759 XMEMSET(args, 0, sizeof(Dcv13Args));
wolfSSL 12:0217a9463bc3 3760 args->hashAlgo = sha_mac;
wolfSSL 12:0217a9463bc3 3761 args->sigAlgo = anonymous_sa_algo;
wolfSSL 12:0217a9463bc3 3762 args->idx = *inOutIdx;
wolfSSL 12:0217a9463bc3 3763 args->begin = *inOutIdx;
wolfSSL 12:0217a9463bc3 3764 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 12:0217a9463bc3 3765 ssl->async.freeArgs = FreeDcv13Args;
wolfSSL 12:0217a9463bc3 3766 #endif
wolfSSL 12:0217a9463bc3 3767 }
wolfSSL 12:0217a9463bc3 3768
wolfSSL 12:0217a9463bc3 3769 switch(ssl->options.asyncState)
wolfSSL 12:0217a9463bc3 3770 {
wolfSSL 12:0217a9463bc3 3771 case TLS_ASYNC_BEGIN:
wolfSSL 12:0217a9463bc3 3772 {
wolfSSL 12:0217a9463bc3 3773 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 3774 if (ssl->hsInfoOn) AddPacketName("CertificateVerify",
wolfSSL 12:0217a9463bc3 3775 &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 3776 if (ssl->toInfoOn) AddLateName("CertificateVerify",
wolfSSL 12:0217a9463bc3 3777 &ssl->timeoutInfo);
wolfSSL 12:0217a9463bc3 3778 #endif
wolfSSL 12:0217a9463bc3 3779
wolfSSL 12:0217a9463bc3 3780 /* Advance state and proceed */
wolfSSL 12:0217a9463bc3 3781 ssl->options.asyncState = TLS_ASYNC_BUILD;
wolfSSL 12:0217a9463bc3 3782 } /* case TLS_ASYNC_BEGIN */
wolfSSL 12:0217a9463bc3 3783
wolfSSL 12:0217a9463bc3 3784 case TLS_ASYNC_BUILD:
wolfSSL 12:0217a9463bc3 3785 {
wolfSSL 12:0217a9463bc3 3786 /* Signature algorithm. */
wolfSSL 12:0217a9463bc3 3787 if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > totalSz) {
wolfSSL 12:0217a9463bc3 3788 ERROR_OUT(BUFFER_ERROR, exit_dcv);
wolfSSL 12:0217a9463bc3 3789 }
wolfSSL 12:0217a9463bc3 3790 DecodeSigAlg(input + args->idx, &args->hashAlgo, &args->sigAlgo);
wolfSSL 12:0217a9463bc3 3791 args->idx += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 3792 /* TODO: [TLS13] was it in SignatureAlgorithms extension? */
wolfSSL 12:0217a9463bc3 3793
wolfSSL 12:0217a9463bc3 3794 /* Signature length. */
wolfSSL 12:0217a9463bc3 3795 if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) {
wolfSSL 12:0217a9463bc3 3796 ERROR_OUT(BUFFER_ERROR, exit_dcv);
wolfSSL 12:0217a9463bc3 3797 }
wolfSSL 12:0217a9463bc3 3798 ato16(input + args->idx, &args->sz);
wolfSSL 12:0217a9463bc3 3799 args->idx += OPAQUE16_LEN;
wolfSSL 12:0217a9463bc3 3800
wolfSSL 12:0217a9463bc3 3801 /* Signature data. */
wolfSSL 12:0217a9463bc3 3802 if ((args->idx - args->begin) + args->sz > totalSz ||
wolfSSL 12:0217a9463bc3 3803 args->sz > ENCRYPT_LEN) {
wolfSSL 12:0217a9463bc3 3804 ERROR_OUT(BUFFER_ERROR, exit_dcv);
wolfSSL 12:0217a9463bc3 3805 }
wolfSSL 12:0217a9463bc3 3806
wolfSSL 12:0217a9463bc3 3807 /* Check for public key of required type. */
wolfSSL 12:0217a9463bc3 3808 if (args->sigAlgo == ecc_dsa_sa_algo &&
wolfSSL 12:0217a9463bc3 3809 !ssl->peerEccDsaKeyPresent) {
wolfSSL 12:0217a9463bc3 3810 WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
wolfSSL 12:0217a9463bc3 3811 }
wolfSSL 12:0217a9463bc3 3812 if ((args->sigAlgo == rsa_sa_algo ||
wolfSSL 12:0217a9463bc3 3813 args->sigAlgo == rsa_pss_sa_algo) &&
wolfSSL 12:0217a9463bc3 3814 (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
wolfSSL 12:0217a9463bc3 3815 WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
wolfSSL 12:0217a9463bc3 3816 }
wolfSSL 12:0217a9463bc3 3817
wolfSSL 12:0217a9463bc3 3818 sig->buffer = XMALLOC(args->sz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 12:0217a9463bc3 3819 if (sig->buffer == NULL) {
wolfSSL 12:0217a9463bc3 3820 ERROR_OUT(MEMORY_E, exit_dcv);
wolfSSL 12:0217a9463bc3 3821 }
wolfSSL 12:0217a9463bc3 3822 sig->length = args->sz;
wolfSSL 12:0217a9463bc3 3823 XMEMCPY(sig->buffer, input + args->idx, args->sz);
wolfSSL 12:0217a9463bc3 3824
wolfSSL 12:0217a9463bc3 3825 #ifdef HAVE_ECC
wolfSSL 12:0217a9463bc3 3826 if (ssl->peerEccDsaKeyPresent) {
wolfSSL 12:0217a9463bc3 3827 WOLFSSL_MSG("Doing ECC peer cert verify");
wolfSSL 12:0217a9463bc3 3828
wolfSSL 12:0217a9463bc3 3829 args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
wolfSSL 12:0217a9463bc3 3830 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 12:0217a9463bc3 3831 if (args->sigData == NULL) {
wolfSSL 12:0217a9463bc3 3832 ERROR_OUT(MEMORY_E, exit_dcv);
wolfSSL 12:0217a9463bc3 3833 }
wolfSSL 12:0217a9463bc3 3834
wolfSSL 12:0217a9463bc3 3835 CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
wolfSSL 12:0217a9463bc3 3836 args->sigDataSz = CreateECCEncodedSig(args->sigData,
wolfSSL 12:0217a9463bc3 3837 args->sigDataSz, args->hashAlgo);
wolfSSL 12:0217a9463bc3 3838 }
wolfSSL 12:0217a9463bc3 3839 #endif
wolfSSL 12:0217a9463bc3 3840
wolfSSL 12:0217a9463bc3 3841 /* Advance state and proceed */
wolfSSL 12:0217a9463bc3 3842 ssl->options.asyncState = TLS_ASYNC_DO;
wolfSSL 12:0217a9463bc3 3843 } /* case TLS_ASYNC_BUILD */
wolfSSL 12:0217a9463bc3 3844
wolfSSL 12:0217a9463bc3 3845 case TLS_ASYNC_DO:
wolfSSL 12:0217a9463bc3 3846 {
wolfSSL 12:0217a9463bc3 3847 #ifndef NO_RSA
wolfSSL 12:0217a9463bc3 3848 if (args->sigAlgo == rsa_sa_algo ||
wolfSSL 12:0217a9463bc3 3849 args->sigAlgo == rsa_pss_sa_algo) {
wolfSSL 12:0217a9463bc3 3850 WOLFSSL_MSG("Doing RSA peer cert verify");
wolfSSL 12:0217a9463bc3 3851
wolfSSL 12:0217a9463bc3 3852 ret = RsaVerify(ssl, sig->buffer, sig->length, &args->output,
wolfSSL 12:0217a9463bc3 3853 args->sigAlgo, args->hashAlgo, ssl->peerRsaKey,
wolfSSL 12:0217a9463bc3 3854 #ifdef HAVE_PK_CALLBACKS
wolfSSL 12:0217a9463bc3 3855 ssl->buffers.peerRsaKey.buffer,
wolfSSL 12:0217a9463bc3 3856 ssl->buffers.peerRsaKey.length,
wolfSSL 12:0217a9463bc3 3857 ssl->RsaVerifyCtx
wolfSSL 12:0217a9463bc3 3858 #else
wolfSSL 12:0217a9463bc3 3859 NULL, 0, NULL
wolfSSL 12:0217a9463bc3 3860 #endif
wolfSSL 12:0217a9463bc3 3861 );
wolfSSL 12:0217a9463bc3 3862 if (ret >= 0) {
wolfSSL 12:0217a9463bc3 3863 args->sendSz = ret;
wolfSSL 12:0217a9463bc3 3864 ret = 0;
wolfSSL 12:0217a9463bc3 3865 }
wolfSSL 12:0217a9463bc3 3866 }
wolfSSL 12:0217a9463bc3 3867 #endif /* !NO_RSA */
wolfSSL 12:0217a9463bc3 3868 #ifdef HAVE_ECC
wolfSSL 12:0217a9463bc3 3869 if (ssl->peerEccDsaKeyPresent) {
wolfSSL 12:0217a9463bc3 3870 WOLFSSL_MSG("Doing ECC peer cert verify");
wolfSSL 12:0217a9463bc3 3871
wolfSSL 12:0217a9463bc3 3872 ret = EccVerify(ssl, input + args->idx, args->sz,
wolfSSL 12:0217a9463bc3 3873 args->sigData, args->sigDataSz,
wolfSSL 12:0217a9463bc3 3874 ssl->peerEccDsaKey,
wolfSSL 12:0217a9463bc3 3875 #ifdef HAVE_PK_CALLBACKS
wolfSSL 12:0217a9463bc3 3876 ssl->buffers.peerEccDsaKey.buffer,
wolfSSL 12:0217a9463bc3 3877 ssl->buffers.peerEccDsaKey.length,
wolfSSL 12:0217a9463bc3 3878 ssl->EccVerifyCtx
wolfSSL 12:0217a9463bc3 3879 #else
wolfSSL 12:0217a9463bc3 3880 NULL, 0, NULL
wolfSSL 12:0217a9463bc3 3881 #endif
wolfSSL 12:0217a9463bc3 3882 );
wolfSSL 12:0217a9463bc3 3883 }
wolfSSL 12:0217a9463bc3 3884 #endif /* HAVE_ECC */
wolfSSL 12:0217a9463bc3 3885
wolfSSL 12:0217a9463bc3 3886 /* Check for error */
wolfSSL 12:0217a9463bc3 3887 if (ret != 0) {
wolfSSL 12:0217a9463bc3 3888 goto exit_dcv;
wolfSSL 12:0217a9463bc3 3889 }
wolfSSL 12:0217a9463bc3 3890
wolfSSL 12:0217a9463bc3 3891 /* Advance state and proceed */
wolfSSL 12:0217a9463bc3 3892 ssl->options.asyncState = TLS_ASYNC_VERIFY;
wolfSSL 12:0217a9463bc3 3893 } /* case TLS_ASYNC_DO */
wolfSSL 12:0217a9463bc3 3894
wolfSSL 12:0217a9463bc3 3895 case TLS_ASYNC_VERIFY:
wolfSSL 12:0217a9463bc3 3896 {
wolfSSL 12:0217a9463bc3 3897 #ifndef NO_RSA
wolfSSL 12:0217a9463bc3 3898 if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
wolfSSL 12:0217a9463bc3 3899 ret = CheckRSASignature(ssl, args->sigAlgo, args->hashAlgo,
wolfSSL 12:0217a9463bc3 3900 args->output, args->sendSz);
wolfSSL 12:0217a9463bc3 3901 if (ret != 0)
wolfSSL 12:0217a9463bc3 3902 goto exit_dcv;
wolfSSL 12:0217a9463bc3 3903 }
wolfSSL 12:0217a9463bc3 3904 #endif /* !NO_RSA */
wolfSSL 12:0217a9463bc3 3905
wolfSSL 12:0217a9463bc3 3906 /* Advance state and proceed */
wolfSSL 12:0217a9463bc3 3907 ssl->options.asyncState = TLS_ASYNC_FINALIZE;
wolfSSL 12:0217a9463bc3 3908 } /* case TLS_ASYNC_VERIFY */
wolfSSL 12:0217a9463bc3 3909
wolfSSL 12:0217a9463bc3 3910 case TLS_ASYNC_FINALIZE:
wolfSSL 12:0217a9463bc3 3911 {
wolfSSL 12:0217a9463bc3 3912 ssl->options.havePeerVerify = 1;
wolfSSL 12:0217a9463bc3 3913
wolfSSL 12:0217a9463bc3 3914 /* Set final index */
wolfSSL 12:0217a9463bc3 3915 args->idx += args->sz;
wolfSSL 12:0217a9463bc3 3916 *inOutIdx = args->idx;
wolfSSL 12:0217a9463bc3 3917
wolfSSL 12:0217a9463bc3 3918 /* Encryption is always on: add padding */
wolfSSL 12:0217a9463bc3 3919 *inOutIdx += ssl->keys.padSz;
wolfSSL 12:0217a9463bc3 3920
wolfSSL 12:0217a9463bc3 3921 /* Advance state and proceed */
wolfSSL 12:0217a9463bc3 3922 ssl->options.asyncState = TLS_ASYNC_END;
wolfSSL 12:0217a9463bc3 3923 } /* case TLS_ASYNC_FINALIZE */
wolfSSL 12:0217a9463bc3 3924
wolfSSL 12:0217a9463bc3 3925 case TLS_ASYNC_END:
wolfSSL 12:0217a9463bc3 3926 {
wolfSSL 12:0217a9463bc3 3927 break;
wolfSSL 12:0217a9463bc3 3928 }
wolfSSL 12:0217a9463bc3 3929 default:
wolfSSL 12:0217a9463bc3 3930 ret = INPUT_CASE_ERROR;
wolfSSL 12:0217a9463bc3 3931 } /* switch(ssl->options.asyncState) */
wolfSSL 12:0217a9463bc3 3932
wolfSSL 12:0217a9463bc3 3933 exit_dcv:
wolfSSL 12:0217a9463bc3 3934
wolfSSL 12:0217a9463bc3 3935 WOLFSSL_LEAVE("DoTls13CertificateVerify", ret);
wolfSSL 12:0217a9463bc3 3936
wolfSSL 12:0217a9463bc3 3937 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 12:0217a9463bc3 3938 /* Handle async operation */
wolfSSL 12:0217a9463bc3 3939 if (ret == WC_PENDING_E) {
wolfSSL 12:0217a9463bc3 3940 /* Mark message as not recevied so it can process again */
wolfSSL 12:0217a9463bc3 3941 ssl->msgsReceived.got_certificate_verify = 0;
wolfSSL 12:0217a9463bc3 3942
wolfSSL 12:0217a9463bc3 3943 return ret;
wolfSSL 12:0217a9463bc3 3944 }
wolfSSL 12:0217a9463bc3 3945 #endif /* WOLFSSL_ASYNC_CRYPT */
wolfSSL 12:0217a9463bc3 3946
wolfSSL 12:0217a9463bc3 3947 /* Final cleanup */
wolfSSL 12:0217a9463bc3 3948 FreeDcv13Args(ssl, args);
wolfSSL 12:0217a9463bc3 3949 FreeKeyExchange(ssl);
wolfSSL 12:0217a9463bc3 3950
wolfSSL 12:0217a9463bc3 3951 return ret;
wolfSSL 12:0217a9463bc3 3952 }
wolfSSL 12:0217a9463bc3 3953 #endif /* !NO_RSA || HAVE_ECC */
wolfSSL 12:0217a9463bc3 3954
wolfSSL 12:0217a9463bc3 3955 /* Parse and handle a TLS v1.3 Finished message.
wolfSSL 12:0217a9463bc3 3956 *
wolfSSL 12:0217a9463bc3 3957 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 3958 * input The message buffer.
wolfSSL 12:0217a9463bc3 3959 * inOutIdx On entry, the index into the message buffer of Finished.
wolfSSL 12:0217a9463bc3 3960 * On exit, the index of byte after the Finished message and padding.
wolfSSL 12:0217a9463bc3 3961 * size Length of message data.
wolfSSL 12:0217a9463bc3 3962 * totalSz Length of remaining data in the message buffer.
wolfSSL 12:0217a9463bc3 3963 * sniff Indicates whether we are sniffing packets.
wolfSSL 12:0217a9463bc3 3964 * returns 0 on success and otherwise failure.
wolfSSL 12:0217a9463bc3 3965 */
wolfSSL 12:0217a9463bc3 3966 static int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
wolfSSL 12:0217a9463bc3 3967 word32 size, word32 totalSz, int sniff)
wolfSSL 12:0217a9463bc3 3968 {
wolfSSL 12:0217a9463bc3 3969 int ret;
wolfSSL 12:0217a9463bc3 3970 word32 finishedSz = 0;
wolfSSL 12:0217a9463bc3 3971 byte* secret;
wolfSSL 12:0217a9463bc3 3972 byte mac[MAX_DIGEST_SIZE];
wolfSSL 12:0217a9463bc3 3973
wolfSSL 12:0217a9463bc3 3974 /* check against totalSz */
wolfSSL 12:0217a9463bc3 3975 if (*inOutIdx + size + ssl->keys.padSz > totalSz)
wolfSSL 12:0217a9463bc3 3976 return BUFFER_E;
wolfSSL 12:0217a9463bc3 3977
wolfSSL 12:0217a9463bc3 3978 if (ssl->options.side == WOLFSSL_CLIENT_END) {
wolfSSL 12:0217a9463bc3 3979 /* All the handshake messages have been received to calculate
wolfSSL 12:0217a9463bc3 3980 * client and server finished keys.
wolfSSL 12:0217a9463bc3 3981 */
wolfSSL 12:0217a9463bc3 3982 ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret,
wolfSSL 12:0217a9463bc3 3983 ssl->keys.client_write_MAC_secret);
wolfSSL 12:0217a9463bc3 3984 if (ret != 0)
wolfSSL 12:0217a9463bc3 3985 return ret;
wolfSSL 12:0217a9463bc3 3986
wolfSSL 12:0217a9463bc3 3987 ret = DeriveFinishedSecret(ssl, ssl->arrays->serverSecret,
wolfSSL 12:0217a9463bc3 3988 ssl->keys.server_write_MAC_secret);
wolfSSL 12:0217a9463bc3 3989 if (ret != 0)
wolfSSL 12:0217a9463bc3 3990 return ret;
wolfSSL 12:0217a9463bc3 3991
wolfSSL 12:0217a9463bc3 3992 secret = ssl->keys.server_write_MAC_secret;
wolfSSL 12:0217a9463bc3 3993 }
wolfSSL 12:0217a9463bc3 3994 else
wolfSSL 12:0217a9463bc3 3995 secret = ssl->keys.client_write_MAC_secret;
wolfSSL 12:0217a9463bc3 3996 finishedSz = BuildTls13HandshakeHmac(ssl, secret, mac);
wolfSSL 12:0217a9463bc3 3997 if (size != finishedSz)
wolfSSL 12:0217a9463bc3 3998 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 3999
wolfSSL 12:0217a9463bc3 4000 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 4001 if (ssl->hsInfoOn) AddPacketName("Finished", &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 4002 if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo);
wolfSSL 12:0217a9463bc3 4003 #endif
wolfSSL 12:0217a9463bc3 4004
wolfSSL 12:0217a9463bc3 4005 if (sniff == NO_SNIFF) {
wolfSSL 12:0217a9463bc3 4006 /* Actually check verify data. */
wolfSSL 12:0217a9463bc3 4007 if (XMEMCMP(input + *inOutIdx, mac, size) != 0){
wolfSSL 12:0217a9463bc3 4008 WOLFSSL_MSG("Verify finished error on hashes");
wolfSSL 12:0217a9463bc3 4009 return VERIFY_FINISHED_ERROR;
wolfSSL 12:0217a9463bc3 4010 }
wolfSSL 12:0217a9463bc3 4011 }
wolfSSL 12:0217a9463bc3 4012
wolfSSL 12:0217a9463bc3 4013 /* Force input exhaustion at ProcessReply by consuming padSz. */
wolfSSL 12:0217a9463bc3 4014 *inOutIdx += size + ssl->keys.padSz;
wolfSSL 12:0217a9463bc3 4015
wolfSSL 12:0217a9463bc3 4016 if (ssl->options.side == WOLFSSL_SERVER_END) {
wolfSSL 12:0217a9463bc3 4017 /* Setup keys for application data messages from client. */
wolfSSL 12:0217a9463bc3 4018 if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
wolfSSL 12:0217a9463bc3 4019 return ret;
wolfSSL 12:0217a9463bc3 4020 }
wolfSSL 12:0217a9463bc3 4021
wolfSSL 12:0217a9463bc3 4022 #ifndef NO_WOLFSSL_SERVER
wolfSSL 12:0217a9463bc3 4023 if (ssl->options.side == WOLFSSL_CLIENT_END) {
wolfSSL 12:0217a9463bc3 4024 ssl->options.serverState = SERVER_FINISHED_COMPLETE;
wolfSSL 12:0217a9463bc3 4025 if (!ssl->options.resuming) {
wolfSSL 12:0217a9463bc3 4026 ssl->options.handShakeState = HANDSHAKE_DONE;
wolfSSL 12:0217a9463bc3 4027 ssl->options.handShakeDone = 1;
wolfSSL 12:0217a9463bc3 4028 }
wolfSSL 12:0217a9463bc3 4029 }
wolfSSL 12:0217a9463bc3 4030 #endif
wolfSSL 12:0217a9463bc3 4031 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:0217a9463bc3 4032 if (ssl->options.side == WOLFSSL_SERVER_END) {
wolfSSL 12:0217a9463bc3 4033 ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
wolfSSL 12:0217a9463bc3 4034 ssl->options.handShakeState = HANDSHAKE_DONE;
wolfSSL 12:0217a9463bc3 4035 ssl->options.handShakeDone = 1;
wolfSSL 12:0217a9463bc3 4036 }
wolfSSL 12:0217a9463bc3 4037 #endif
wolfSSL 12:0217a9463bc3 4038
wolfSSL 12:0217a9463bc3 4039 return 0;
wolfSSL 12:0217a9463bc3 4040 }
wolfSSL 12:0217a9463bc3 4041 #endif /* NO_CERTS */
wolfSSL 12:0217a9463bc3 4042
wolfSSL 12:0217a9463bc3 4043 /* Send the TLS v1.3 Finished message.
wolfSSL 12:0217a9463bc3 4044 *
wolfSSL 12:0217a9463bc3 4045 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 4046 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 4047 */
wolfSSL 12:0217a9463bc3 4048 int SendTls13Finished(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 4049 {
wolfSSL 12:0217a9463bc3 4050 int sendSz;
wolfSSL 12:0217a9463bc3 4051 int finishedSz = ssl->specs.hash_size;
wolfSSL 12:0217a9463bc3 4052 byte* input;
wolfSSL 12:0217a9463bc3 4053 byte* output;
wolfSSL 12:0217a9463bc3 4054 int ret;
wolfSSL 12:0217a9463bc3 4055 int headerSz = HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 4056 int outputSz;
wolfSSL 12:0217a9463bc3 4057 byte* secret;
wolfSSL 12:0217a9463bc3 4058
wolfSSL 12:0217a9463bc3 4059 outputSz = MAX_DIGEST_SIZE + DTLS_HANDSHAKE_HEADER_SZ + MAX_MSG_EXTRA;
wolfSSL 12:0217a9463bc3 4060 /* Check buffers are big enough and grow if needed. */
wolfSSL 12:0217a9463bc3 4061 if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
wolfSSL 12:0217a9463bc3 4062 return ret;
wolfSSL 12:0217a9463bc3 4063
wolfSSL 12:0217a9463bc3 4064 /* get output buffer */
wolfSSL 12:0217a9463bc3 4065 output = ssl->buffers.outputBuffer.buffer +
wolfSSL 12:0217a9463bc3 4066 ssl->buffers.outputBuffer.length;
wolfSSL 12:0217a9463bc3 4067 input = output + RECORD_HEADER_SZ;
wolfSSL 12:0217a9463bc3 4068
wolfSSL 12:0217a9463bc3 4069 AddTls13HandShakeHeader(input, finishedSz, 0, finishedSz, finished, ssl);
wolfSSL 12:0217a9463bc3 4070
wolfSSL 12:0217a9463bc3 4071 /* make finished hashes */
wolfSSL 12:0217a9463bc3 4072 if (ssl->options.side == WOLFSSL_CLIENT_END)
wolfSSL 12:0217a9463bc3 4073 secret = ssl->keys.client_write_MAC_secret;
wolfSSL 12:0217a9463bc3 4074 else {
wolfSSL 12:0217a9463bc3 4075 /* All the handshake messages have been done to calculate client and
wolfSSL 12:0217a9463bc3 4076 * server finished keys.
wolfSSL 12:0217a9463bc3 4077 */
wolfSSL 12:0217a9463bc3 4078 ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret,
wolfSSL 12:0217a9463bc3 4079 ssl->keys.client_write_MAC_secret);
wolfSSL 12:0217a9463bc3 4080 if (ret != 0)
wolfSSL 12:0217a9463bc3 4081 return ret;
wolfSSL 12:0217a9463bc3 4082
wolfSSL 12:0217a9463bc3 4083 ret = DeriveFinishedSecret(ssl, ssl->arrays->serverSecret,
wolfSSL 12:0217a9463bc3 4084 ssl->keys.server_write_MAC_secret);
wolfSSL 12:0217a9463bc3 4085 if (ret != 0)
wolfSSL 12:0217a9463bc3 4086 return ret;
wolfSSL 12:0217a9463bc3 4087
wolfSSL 12:0217a9463bc3 4088 secret = ssl->keys.server_write_MAC_secret;
wolfSSL 12:0217a9463bc3 4089 }
wolfSSL 12:0217a9463bc3 4090 BuildTls13HandshakeHmac(ssl, secret, &input[headerSz]);
wolfSSL 12:0217a9463bc3 4091
wolfSSL 12:0217a9463bc3 4092 /* This message is always encrypted. */
wolfSSL 12:0217a9463bc3 4093 sendSz = BuildTls13Message(ssl, output, outputSz, input,
wolfSSL 12:0217a9463bc3 4094 headerSz + finishedSz, handshake, 1, 0);
wolfSSL 12:0217a9463bc3 4095 if (sendSz < 0)
wolfSSL 12:0217a9463bc3 4096 return BUILD_MSG_ERROR;
wolfSSL 12:0217a9463bc3 4097
wolfSSL 12:0217a9463bc3 4098 if (!ssl->options.resuming) {
wolfSSL 12:0217a9463bc3 4099 #ifndef NO_SESSION_CACHE
wolfSSL 12:0217a9463bc3 4100 AddSession(ssl); /* just try */
wolfSSL 12:0217a9463bc3 4101 #endif
wolfSSL 12:0217a9463bc3 4102 }
wolfSSL 12:0217a9463bc3 4103 else {
wolfSSL 12:0217a9463bc3 4104 if (ssl->options.side == WOLFSSL_CLIENT_END) {
wolfSSL 12:0217a9463bc3 4105 ssl->options.handShakeState = HANDSHAKE_DONE;
wolfSSL 12:0217a9463bc3 4106 ssl->options.handShakeDone = 1;
wolfSSL 12:0217a9463bc3 4107 }
wolfSSL 12:0217a9463bc3 4108 }
wolfSSL 12:0217a9463bc3 4109
wolfSSL 12:0217a9463bc3 4110 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 4111 if (ssl->hsInfoOn) AddPacketName("Finished", &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 4112 if (ssl->toInfoOn)
wolfSSL 12:0217a9463bc3 4113 AddPacketInfo("Finished", &ssl->timeoutInfo, output, sendSz,
wolfSSL 12:0217a9463bc3 4114 ssl->heap);
wolfSSL 12:0217a9463bc3 4115 #endif
wolfSSL 12:0217a9463bc3 4116
wolfSSL 12:0217a9463bc3 4117 ssl->buffers.outputBuffer.length += sendSz;
wolfSSL 12:0217a9463bc3 4118
wolfSSL 12:0217a9463bc3 4119 ret = SendBuffered(ssl);
wolfSSL 12:0217a9463bc3 4120 if (ret != 0)
wolfSSL 12:0217a9463bc3 4121 return ret;
wolfSSL 12:0217a9463bc3 4122
wolfSSL 12:0217a9463bc3 4123 if (ssl->options.side == WOLFSSL_SERVER_END) {
wolfSSL 12:0217a9463bc3 4124 /* Can send application data now. */
wolfSSL 12:0217a9463bc3 4125 if ((ret = DeriveMasterSecret(ssl)) != 0)
wolfSSL 12:0217a9463bc3 4126 return ret;
wolfSSL 12:0217a9463bc3 4127 if ((ret = DeriveTls13Keys(ssl, traffic_key,
wolfSSL 12:0217a9463bc3 4128 ENCRYPT_AND_DECRYPT_SIDE)) != 0)
wolfSSL 12:0217a9463bc3 4129 return ret;
wolfSSL 12:0217a9463bc3 4130 if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
wolfSSL 12:0217a9463bc3 4131 return ret;
wolfSSL 12:0217a9463bc3 4132 }
wolfSSL 12:0217a9463bc3 4133
wolfSSL 12:0217a9463bc3 4134 if (ssl->options.side == WOLFSSL_CLIENT_END) {
wolfSSL 12:0217a9463bc3 4135 /* Setup keys for application data messages. */
wolfSSL 12:0217a9463bc3 4136 if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
wolfSSL 12:0217a9463bc3 4137 return ret;
wolfSSL 12:0217a9463bc3 4138
wolfSSL 12:0217a9463bc3 4139 #ifndef NO_PSK
wolfSSL 12:0217a9463bc3 4140 ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret);
wolfSSL 12:0217a9463bc3 4141 #endif
wolfSSL 12:0217a9463bc3 4142 }
wolfSSL 12:0217a9463bc3 4143
wolfSSL 12:0217a9463bc3 4144 return ret;
wolfSSL 12:0217a9463bc3 4145 }
wolfSSL 12:0217a9463bc3 4146
wolfSSL 12:0217a9463bc3 4147 /* Send the TLS v1.3 KeyUpdate message.
wolfSSL 12:0217a9463bc3 4148 *
wolfSSL 12:0217a9463bc3 4149 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 4150 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 4151 */
wolfSSL 12:0217a9463bc3 4152 static int SendTls13KeyUpdate(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 4153 {
wolfSSL 12:0217a9463bc3 4154 int sendSz;
wolfSSL 12:0217a9463bc3 4155 byte* input;
wolfSSL 12:0217a9463bc3 4156 byte* output;
wolfSSL 12:0217a9463bc3 4157 int ret;
wolfSSL 12:0217a9463bc3 4158 int headerSz = HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 4159 int outputSz;
wolfSSL 12:0217a9463bc3 4160 word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 4161
wolfSSL 12:0217a9463bc3 4162 outputSz = OPAQUE8_LEN + MAX_MSG_EXTRA;
wolfSSL 12:0217a9463bc3 4163 /* Check buffers are big enough and grow if needed. */
wolfSSL 12:0217a9463bc3 4164 if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
wolfSSL 12:0217a9463bc3 4165 return ret;
wolfSSL 12:0217a9463bc3 4166
wolfSSL 12:0217a9463bc3 4167 /* get output buffer */
wolfSSL 12:0217a9463bc3 4168 output = ssl->buffers.outputBuffer.buffer +
wolfSSL 12:0217a9463bc3 4169 ssl->buffers.outputBuffer.length;
wolfSSL 12:0217a9463bc3 4170 input = output + RECORD_HEADER_SZ;
wolfSSL 12:0217a9463bc3 4171
wolfSSL 12:0217a9463bc3 4172 AddTls13Headers(output, OPAQUE8_LEN, key_update, ssl);
wolfSSL 12:0217a9463bc3 4173
wolfSSL 12:0217a9463bc3 4174 /* If:
wolfSSL 12:0217a9463bc3 4175 * 1. I haven't sent a KeyUpdate requesting a response and
wolfSSL 12:0217a9463bc3 4176 * 2. This isn't responding to peer KeyUpdate requiring a response then,
wolfSSL 12:0217a9463bc3 4177 * I want a response.
wolfSSL 12:0217a9463bc3 4178 */
wolfSSL 12:0217a9463bc3 4179 ssl->keys.updateResponseReq = output[i++] =
wolfSSL 12:0217a9463bc3 4180 !ssl->keys.updateResponseReq && !ssl->keys.keyUpdateRespond;
wolfSSL 12:0217a9463bc3 4181 /* Sent response, no longer need to respond. */
wolfSSL 12:0217a9463bc3 4182 ssl->keys.keyUpdateRespond = 0;
wolfSSL 12:0217a9463bc3 4183
wolfSSL 12:0217a9463bc3 4184 /* This message is always encrypted. */
wolfSSL 12:0217a9463bc3 4185 sendSz = BuildTls13Message(ssl, output, outputSz, input,
wolfSSL 12:0217a9463bc3 4186 headerSz + OPAQUE8_LEN, handshake, 0, 0);
wolfSSL 12:0217a9463bc3 4187 if (sendSz < 0)
wolfSSL 12:0217a9463bc3 4188 return BUILD_MSG_ERROR;
wolfSSL 12:0217a9463bc3 4189
wolfSSL 12:0217a9463bc3 4190 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 4191 if (ssl->hsInfoOn) AddPacketName("KeyUpdate", &ssl->handShakeInfo);
wolfSSL 12:0217a9463bc3 4192 if (ssl->toInfoOn)
wolfSSL 12:0217a9463bc3 4193 AddPacketInfo("KeyUpdate", &ssl->timeoutInfo, output, sendSz,
wolfSSL 12:0217a9463bc3 4194 ssl->heap);
wolfSSL 12:0217a9463bc3 4195 #endif
wolfSSL 12:0217a9463bc3 4196
wolfSSL 12:0217a9463bc3 4197 ssl->buffers.outputBuffer.length += sendSz;
wolfSSL 12:0217a9463bc3 4198
wolfSSL 12:0217a9463bc3 4199 ret = SendBuffered(ssl);
wolfSSL 12:0217a9463bc3 4200 if (ret != 0 && ret != WANT_WRITE)
wolfSSL 12:0217a9463bc3 4201 return ret;
wolfSSL 12:0217a9463bc3 4202
wolfSSL 12:0217a9463bc3 4203 /* Future traffic uses new encryption keys. */
wolfSSL 12:0217a9463bc3 4204 if ((ret = DeriveTls13Keys(ssl, update_traffic_key, ENCRYPT_SIDE_ONLY))
wolfSSL 12:0217a9463bc3 4205 != 0)
wolfSSL 12:0217a9463bc3 4206 return ret;
wolfSSL 12:0217a9463bc3 4207 if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
wolfSSL 12:0217a9463bc3 4208 return ret;
wolfSSL 12:0217a9463bc3 4209
wolfSSL 12:0217a9463bc3 4210 return ret;
wolfSSL 12:0217a9463bc3 4211 }
wolfSSL 12:0217a9463bc3 4212
wolfSSL 12:0217a9463bc3 4213 /* Parse and handle a TLS v1.3 KeyUpdate message.
wolfSSL 12:0217a9463bc3 4214 *
wolfSSL 12:0217a9463bc3 4215 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 4216 * input The message buffer.
wolfSSL 12:0217a9463bc3 4217 * inOutIdx On entry, the index into the message buffer of Finished.
wolfSSL 12:0217a9463bc3 4218 * On exit, the index of byte after the Finished message and padding.
wolfSSL 12:0217a9463bc3 4219 * totalSz The length of the current handshake message.
wolfSSL 12:0217a9463bc3 4220 * returns 0 on success and otherwise failure.
wolfSSL 12:0217a9463bc3 4221 */
wolfSSL 12:0217a9463bc3 4222 static int DoTls13KeyUpdate(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
wolfSSL 12:0217a9463bc3 4223 word32 totalSz)
wolfSSL 12:0217a9463bc3 4224 {
wolfSSL 12:0217a9463bc3 4225 int ret;
wolfSSL 12:0217a9463bc3 4226 word32 i = *inOutIdx;
wolfSSL 12:0217a9463bc3 4227
wolfSSL 12:0217a9463bc3 4228 /* check against totalSz */
wolfSSL 12:0217a9463bc3 4229 if (OPAQUE8_LEN != totalSz)
wolfSSL 12:0217a9463bc3 4230 return BUFFER_E;
wolfSSL 12:0217a9463bc3 4231
wolfSSL 12:0217a9463bc3 4232 switch (input[i]) {
wolfSSL 12:0217a9463bc3 4233 case update_not_requested:
wolfSSL 12:0217a9463bc3 4234 /* This message in response to any oustanding request. */
wolfSSL 12:0217a9463bc3 4235 ssl->keys.keyUpdateRespond = 0;
wolfSSL 12:0217a9463bc3 4236 ssl->keys.updateResponseReq = 0;
wolfSSL 12:0217a9463bc3 4237 break;
wolfSSL 12:0217a9463bc3 4238 case update_requested:
wolfSSL 12:0217a9463bc3 4239 /* New key update requiring a response. */
wolfSSL 12:0217a9463bc3 4240 ssl->keys.keyUpdateRespond = 1;
wolfSSL 12:0217a9463bc3 4241 break;
wolfSSL 12:0217a9463bc3 4242 default:
wolfSSL 12:0217a9463bc3 4243 return INVALID_PARAMETER;
wolfSSL 12:0217a9463bc3 4244 break;
wolfSSL 12:0217a9463bc3 4245 }
wolfSSL 12:0217a9463bc3 4246
wolfSSL 12:0217a9463bc3 4247 /* Move index to byte after message. */
wolfSSL 12:0217a9463bc3 4248 *inOutIdx += totalSz;
wolfSSL 12:0217a9463bc3 4249 /* Always encrypted. */
wolfSSL 12:0217a9463bc3 4250 *inOutIdx += ssl->keys.padSz;
wolfSSL 12:0217a9463bc3 4251
wolfSSL 12:0217a9463bc3 4252 /* Future traffic uses new decryption keys. */
wolfSSL 12:0217a9463bc3 4253 if ((ret = DeriveTls13Keys(ssl, update_traffic_key, DECRYPT_SIDE_ONLY)) != 0)
wolfSSL 12:0217a9463bc3 4254 return ret;
wolfSSL 12:0217a9463bc3 4255 if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
wolfSSL 12:0217a9463bc3 4256 return ret;
wolfSSL 12:0217a9463bc3 4257
wolfSSL 12:0217a9463bc3 4258 if (ssl->keys.keyUpdateRespond)
wolfSSL 12:0217a9463bc3 4259 return SendTls13KeyUpdate(ssl);
wolfSSL 12:0217a9463bc3 4260 return 0;
wolfSSL 12:0217a9463bc3 4261 }
wolfSSL 12:0217a9463bc3 4262
wolfSSL 12:0217a9463bc3 4263 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:0217a9463bc3 4264 /* Handle a New Session Ticket handshake message.
wolfSSL 12:0217a9463bc3 4265 * Message contains the information required to perform resumption.
wolfSSL 12:0217a9463bc3 4266 *
wolfSSL 12:0217a9463bc3 4267 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 4268 * input The message buffer.
wolfSSL 12:0217a9463bc3 4269 * inOutIdx On entry, the index into the message buffer of Finished.
wolfSSL 12:0217a9463bc3 4270 * On exit, the index of byte after the Finished message and padding.
wolfSSL 12:0217a9463bc3 4271 * size The length of the current handshake message.
wolfSSL 12:0217a9463bc3 4272 * retuns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 4273 */
wolfSSL 12:0217a9463bc3 4274 static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input,
wolfSSL 12:0217a9463bc3 4275 word32* inOutIdx, word32 size)
wolfSSL 12:0217a9463bc3 4276 {
wolfSSL 12:0217a9463bc3 4277 #ifdef HAVE_SESSION_TICKET
wolfSSL 12:0217a9463bc3 4278 word32 begin = *inOutIdx;
wolfSSL 12:0217a9463bc3 4279 word32 lifetime;
wolfSSL 12:0217a9463bc3 4280 word32 ageAdd;
wolfSSL 12:0217a9463bc3 4281 word16 length;
wolfSSL 12:0217a9463bc3 4282
wolfSSL 12:0217a9463bc3 4283 /* Lifetime hint. */
wolfSSL 12:0217a9463bc3 4284 if ((*inOutIdx - begin) + SESSION_HINT_SZ > size)
wolfSSL 12:0217a9463bc3 4285 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 4286 ato32(input + *inOutIdx, &lifetime);
wolfSSL 12:0217a9463bc3 4287 *inOutIdx += SESSION_HINT_SZ;
wolfSSL 12:0217a9463bc3 4288 if (lifetime > MAX_LIFETIME)
wolfSSL 12:0217a9463bc3 4289 return SERVER_HINT_ERROR;
wolfSSL 12:0217a9463bc3 4290
wolfSSL 12:0217a9463bc3 4291 /* Age add. */
wolfSSL 12:0217a9463bc3 4292 if ((*inOutIdx - begin) + SESSION_ADD_SZ > size)
wolfSSL 12:0217a9463bc3 4293 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 4294 ato32(input + *inOutIdx, &ageAdd);
wolfSSL 12:0217a9463bc3 4295 *inOutIdx += SESSION_ADD_SZ;
wolfSSL 12:0217a9463bc3 4296
wolfSSL 12:0217a9463bc3 4297 /* Ticket length. */
wolfSSL 12:0217a9463bc3 4298 if ((*inOutIdx - begin) + LENGTH_SZ > size)
wolfSSL 12:0217a9463bc3 4299 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 4300 ato16(input + *inOutIdx, &length);
wolfSSL 12:0217a9463bc3 4301 *inOutIdx += LENGTH_SZ;
wolfSSL 12:0217a9463bc3 4302 if ((*inOutIdx - begin) + length > size)
wolfSSL 12:0217a9463bc3 4303 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 4304
wolfSSL 12:0217a9463bc3 4305 /* Free old dynamic ticket if we already had one. */
wolfSSL 12:0217a9463bc3 4306 if (ssl->session.isDynamic) {
wolfSSL 12:0217a9463bc3 4307 XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
wolfSSL 12:0217a9463bc3 4308 /* Reset back to static by default. */
wolfSSL 12:0217a9463bc3 4309 ssl->session.ticket = NULL;
wolfSSL 12:0217a9463bc3 4310 ssl->session.isDynamic = 0;
wolfSSL 12:0217a9463bc3 4311 ssl->session.ticket = ssl->session.staticTicket;
wolfSSL 12:0217a9463bc3 4312 }
wolfSSL 12:0217a9463bc3 4313 /* Use dynamic ticket if required.*/
wolfSSL 12:0217a9463bc3 4314 if (length > sizeof(ssl->session.staticTicket)) {
wolfSSL 12:0217a9463bc3 4315 ssl->session.ticket = (byte*)XMALLOC(length, ssl->heap,
wolfSSL 12:0217a9463bc3 4316 DYNAMIC_TYPE_SESSION_TICK);
wolfSSL 12:0217a9463bc3 4317 if (ssl->session.ticket == NULL)
wolfSSL 12:0217a9463bc3 4318 return MEMORY_E;
wolfSSL 12:0217a9463bc3 4319 ssl->session.isDynamic = 1;
wolfSSL 12:0217a9463bc3 4320 }
wolfSSL 12:0217a9463bc3 4321
wolfSSL 12:0217a9463bc3 4322 /* Copy in ticket data (server identity). */
wolfSSL 12:0217a9463bc3 4323 XMEMCPY(ssl->session.ticket, input + *inOutIdx, length);
wolfSSL 12:0217a9463bc3 4324 *inOutIdx += length;
wolfSSL 12:0217a9463bc3 4325 ssl->timeout = lifetime;
wolfSSL 12:0217a9463bc3 4326 ssl->session.ticketLen = length;
wolfSSL 12:0217a9463bc3 4327 ssl->session.timeout = lifetime;
wolfSSL 12:0217a9463bc3 4328 ssl->session.ticketAdd = ageAdd;
wolfSSL 12:0217a9463bc3 4329 ssl->session.ticketSeen = TimeNowInMilliseconds();
wolfSSL 12:0217a9463bc3 4330 if (ssl->session_ticket_cb != NULL) {
wolfSSL 12:0217a9463bc3 4331 ssl->session_ticket_cb(ssl, ssl->session.ticket,
wolfSSL 12:0217a9463bc3 4332 ssl->session.ticketLen,
wolfSSL 12:0217a9463bc3 4333 ssl->session_ticket_ctx);
wolfSSL 12:0217a9463bc3 4334 }
wolfSSL 12:0217a9463bc3 4335 ssl->options.haveSessionId = 1;
wolfSSL 12:0217a9463bc3 4336 XMEMCPY(ssl->arrays->sessionID, ssl->session.ticket + length - ID_LEN,
wolfSSL 12:0217a9463bc3 4337 ID_LEN);
wolfSSL 12:0217a9463bc3 4338 ssl->session.cipherSuite0 = ssl->options.cipherSuite0;
wolfSSL 12:0217a9463bc3 4339 ssl->session.cipherSuite = ssl->options.cipherSuite;
wolfSSL 12:0217a9463bc3 4340 #ifndef NO_SESSION_CACHE
wolfSSL 12:0217a9463bc3 4341 AddSession(ssl);
wolfSSL 12:0217a9463bc3 4342 #endif
wolfSSL 12:0217a9463bc3 4343
wolfSSL 12:0217a9463bc3 4344 /* No extension support - skip over extensions. */
wolfSSL 12:0217a9463bc3 4345 if ((*inOutIdx - begin) + EXTS_SZ > size)
wolfSSL 12:0217a9463bc3 4346 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 4347 ato16(input + *inOutIdx, &length);
wolfSSL 12:0217a9463bc3 4348 *inOutIdx += EXTS_SZ;
wolfSSL 12:0217a9463bc3 4349 if ((*inOutIdx - begin) + length != size)
wolfSSL 12:0217a9463bc3 4350 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 4351 *inOutIdx += length;
wolfSSL 12:0217a9463bc3 4352
wolfSSL 12:0217a9463bc3 4353 /* Always encrypted. */
wolfSSL 12:0217a9463bc3 4354 *inOutIdx += ssl->keys.padSz;
wolfSSL 12:0217a9463bc3 4355
wolfSSL 12:0217a9463bc3 4356 ssl->expect_session_ticket = 0;
wolfSSL 12:0217a9463bc3 4357 #else
wolfSSL 12:0217a9463bc3 4358 (void)ssl;
wolfSSL 12:0217a9463bc3 4359 (void)input;
wolfSSL 12:0217a9463bc3 4360 *inOutIdx += size + ssl->keys.padSz;
wolfSSL 12:0217a9463bc3 4361 #endif /* HAVE_SESSION_TICKET */
wolfSSL 12:0217a9463bc3 4362
wolfSSL 12:0217a9463bc3 4363 return 0;
wolfSSL 12:0217a9463bc3 4364 }
wolfSSL 12:0217a9463bc3 4365 #endif /* NO_WOLFSSL_CLIENT */
wolfSSL 12:0217a9463bc3 4366
wolfSSL 12:0217a9463bc3 4367 #ifndef NO_WOLFSSL_SERVER
wolfSSL 12:0217a9463bc3 4368 #ifdef HAVE_SESSION_TICKET
wolfSSL 12:0217a9463bc3 4369 /* Send New Session Ticket handshake message.
wolfSSL 12:0217a9463bc3 4370 * Message contains the information required to perform resumption.
wolfSSL 12:0217a9463bc3 4371 *
wolfSSL 12:0217a9463bc3 4372 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 4373 * retuns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 4374 */
wolfSSL 12:0217a9463bc3 4375 int SendTls13NewSessionTicket(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 4376 {
wolfSSL 12:0217a9463bc3 4377 byte* output;
wolfSSL 12:0217a9463bc3 4378 int ret;
wolfSSL 12:0217a9463bc3 4379 int sendSz;
wolfSSL 12:0217a9463bc3 4380 word32 length;
wolfSSL 12:0217a9463bc3 4381 word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 4382
wolfSSL 12:0217a9463bc3 4383 if (!ssl->options.noTicketTls13) {
wolfSSL 12:0217a9463bc3 4384 ret = CreateTicket(ssl);
wolfSSL 12:0217a9463bc3 4385 if (ret != 0) return ret;
wolfSSL 12:0217a9463bc3 4386 }
wolfSSL 12:0217a9463bc3 4387
wolfSSL 12:0217a9463bc3 4388 /* Lifetime | Age Add | Ticket | Extensions */
wolfSSL 12:0217a9463bc3 4389 length = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ +
wolfSSL 12:0217a9463bc3 4390 ssl->session.ticketLen + EXTS_SZ;
wolfSSL 12:0217a9463bc3 4391 sendSz = idx + length + MAX_MSG_EXTRA;
wolfSSL 12:0217a9463bc3 4392
wolfSSL 12:0217a9463bc3 4393 /* Check buffers are big enough and grow if needed. */
wolfSSL 12:0217a9463bc3 4394 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
wolfSSL 12:0217a9463bc3 4395 return ret;
wolfSSL 12:0217a9463bc3 4396
wolfSSL 12:0217a9463bc3 4397 /* Get position in output buffer to write new message to. */
wolfSSL 12:0217a9463bc3 4398 output = ssl->buffers.outputBuffer.buffer +
wolfSSL 12:0217a9463bc3 4399 ssl->buffers.outputBuffer.length;
wolfSSL 12:0217a9463bc3 4400
wolfSSL 12:0217a9463bc3 4401 /* Put the record and handshake headers on. */
wolfSSL 12:0217a9463bc3 4402 AddTls13Headers(output, length, session_ticket, ssl);
wolfSSL 12:0217a9463bc3 4403
wolfSSL 12:0217a9463bc3 4404 /* Lifetime hint */
wolfSSL 12:0217a9463bc3 4405 c32toa(ssl->ctx->ticketHint, output + idx);
wolfSSL 12:0217a9463bc3 4406 idx += SESSION_HINT_SZ;
wolfSSL 12:0217a9463bc3 4407 /* Age add - obfuscator */
wolfSSL 12:0217a9463bc3 4408 c32toa(ssl->session.ticketAdd, output + idx);
wolfSSL 12:0217a9463bc3 4409 idx += SESSION_ADD_SZ;
wolfSSL 12:0217a9463bc3 4410
wolfSSL 12:0217a9463bc3 4411 /* length */
wolfSSL 12:0217a9463bc3 4412 c16toa(ssl->session.ticketLen, output + idx);
wolfSSL 12:0217a9463bc3 4413 idx += LENGTH_SZ;
wolfSSL 12:0217a9463bc3 4414 /* ticket */
wolfSSL 12:0217a9463bc3 4415 XMEMCPY(output + idx, ssl->session.ticket, ssl->session.ticketLen);
wolfSSL 12:0217a9463bc3 4416 idx += ssl->session.ticketLen;
wolfSSL 12:0217a9463bc3 4417
wolfSSL 12:0217a9463bc3 4418 /* No extension support - empty extensions. */
wolfSSL 12:0217a9463bc3 4419 c16toa(0, output + idx);
wolfSSL 12:0217a9463bc3 4420 idx += EXTS_SZ;
wolfSSL 12:0217a9463bc3 4421
wolfSSL 12:0217a9463bc3 4422 ssl->options.haveSessionId = 1;
wolfSSL 12:0217a9463bc3 4423
wolfSSL 12:0217a9463bc3 4424 #ifndef NO_SESSION_CACHE
wolfSSL 12:0217a9463bc3 4425 AddSession(ssl);
wolfSSL 12:0217a9463bc3 4426 #endif
wolfSSL 12:0217a9463bc3 4427
wolfSSL 12:0217a9463bc3 4428 /* This message is always encrypted. */
wolfSSL 12:0217a9463bc3 4429 sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
wolfSSL 12:0217a9463bc3 4430 idx - RECORD_HEADER_SZ, handshake, 0, 0);
wolfSSL 12:0217a9463bc3 4431 if (sendSz < 0)
wolfSSL 12:0217a9463bc3 4432 return sendSz;
wolfSSL 12:0217a9463bc3 4433
wolfSSL 12:0217a9463bc3 4434 ssl->buffers.outputBuffer.length += sendSz;
wolfSSL 12:0217a9463bc3 4435
wolfSSL 12:0217a9463bc3 4436 return SendBuffered(ssl);
wolfSSL 12:0217a9463bc3 4437 }
wolfSSL 12:0217a9463bc3 4438 #endif /* HAVE_SESSION_TICKET */
wolfSSL 12:0217a9463bc3 4439 #endif /* NO_WOLFSSL_SERVER */
wolfSSL 12:0217a9463bc3 4440
wolfSSL 12:0217a9463bc3 4441 /* Make sure no duplicates, no fast forward, or other problems
wolfSSL 12:0217a9463bc3 4442 *
wolfSSL 12:0217a9463bc3 4443 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 4444 * type Type of handshake message received.
wolfSSL 12:0217a9463bc3 4445 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 4446 */
wolfSSL 12:0217a9463bc3 4447 static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type)
wolfSSL 12:0217a9463bc3 4448 {
wolfSSL 12:0217a9463bc3 4449 /* verify not a duplicate, mark received, check state */
wolfSSL 12:0217a9463bc3 4450 switch (type) {
wolfSSL 12:0217a9463bc3 4451
wolfSSL 12:0217a9463bc3 4452 #ifndef NO_WOLFSSL_SERVER
wolfSSL 12:0217a9463bc3 4453 case client_hello:
wolfSSL 12:0217a9463bc3 4454 if (ssl->msgsReceived.got_client_hello == 2) {
wolfSSL 12:0217a9463bc3 4455 WOLFSSL_MSG("Too many ClientHello received");
wolfSSL 12:0217a9463bc3 4456 return DUPLICATE_MSG_E;
wolfSSL 12:0217a9463bc3 4457 }
wolfSSL 12:0217a9463bc3 4458 ssl->msgsReceived.got_client_hello++;
wolfSSL 12:0217a9463bc3 4459
wolfSSL 12:0217a9463bc3 4460 break;
wolfSSL 12:0217a9463bc3 4461 #endif
wolfSSL 12:0217a9463bc3 4462
wolfSSL 12:0217a9463bc3 4463 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:0217a9463bc3 4464 case server_hello:
wolfSSL 12:0217a9463bc3 4465 if (ssl->msgsReceived.got_server_hello) {
wolfSSL 12:0217a9463bc3 4466 WOLFSSL_MSG("Duplicate ServerHello received");
wolfSSL 12:0217a9463bc3 4467 return DUPLICATE_MSG_E;
wolfSSL 12:0217a9463bc3 4468 }
wolfSSL 12:0217a9463bc3 4469 ssl->msgsReceived.got_server_hello = 1;
wolfSSL 12:0217a9463bc3 4470
wolfSSL 12:0217a9463bc3 4471 break;
wolfSSL 12:0217a9463bc3 4472 #endif
wolfSSL 12:0217a9463bc3 4473
wolfSSL 12:0217a9463bc3 4474 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:0217a9463bc3 4475 case session_ticket:
wolfSSL 12:0217a9463bc3 4476 if (ssl->msgsReceived.got_session_ticket) {
wolfSSL 12:0217a9463bc3 4477 WOLFSSL_MSG("Duplicate SessionTicket received");
wolfSSL 12:0217a9463bc3 4478 return DUPLICATE_MSG_E;
wolfSSL 12:0217a9463bc3 4479 }
wolfSSL 12:0217a9463bc3 4480 ssl->msgsReceived.got_session_ticket = 1;
wolfSSL 12:0217a9463bc3 4481
wolfSSL 12:0217a9463bc3 4482 break;
wolfSSL 12:0217a9463bc3 4483 #endif
wolfSSL 12:0217a9463bc3 4484
wolfSSL 12:0217a9463bc3 4485 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:0217a9463bc3 4486 case hello_retry_request:
wolfSSL 12:0217a9463bc3 4487 if (ssl->msgsReceived.got_hello_retry_request) {
wolfSSL 12:0217a9463bc3 4488 WOLFSSL_MSG("Duplicate HelloRetryRequest received");
wolfSSL 12:0217a9463bc3 4489 return DUPLICATE_MSG_E;
wolfSSL 12:0217a9463bc3 4490 }
wolfSSL 12:0217a9463bc3 4491 ssl->msgsReceived.got_hello_retry_request = 1;
wolfSSL 12:0217a9463bc3 4492
wolfSSL 12:0217a9463bc3 4493 break;
wolfSSL 12:0217a9463bc3 4494 #endif
wolfSSL 12:0217a9463bc3 4495
wolfSSL 12:0217a9463bc3 4496 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:0217a9463bc3 4497 case encrypted_extensions:
wolfSSL 12:0217a9463bc3 4498 if (ssl->msgsReceived.got_encrypted_extensions) {
wolfSSL 12:0217a9463bc3 4499 WOLFSSL_MSG("Duplicate EncryptedExtensions received");
wolfSSL 12:0217a9463bc3 4500 return DUPLICATE_MSG_E;
wolfSSL 12:0217a9463bc3 4501 }
wolfSSL 12:0217a9463bc3 4502 ssl->msgsReceived.got_encrypted_extensions = 1;
wolfSSL 12:0217a9463bc3 4503
wolfSSL 12:0217a9463bc3 4504 break;
wolfSSL 12:0217a9463bc3 4505 #endif
wolfSSL 12:0217a9463bc3 4506
wolfSSL 12:0217a9463bc3 4507 case certificate:
wolfSSL 12:0217a9463bc3 4508 if (ssl->msgsReceived.got_certificate) {
wolfSSL 12:0217a9463bc3 4509 WOLFSSL_MSG("Duplicate Certificate received");
wolfSSL 12:0217a9463bc3 4510 return DUPLICATE_MSG_E;
wolfSSL 12:0217a9463bc3 4511 }
wolfSSL 12:0217a9463bc3 4512 ssl->msgsReceived.got_certificate = 1;
wolfSSL 12:0217a9463bc3 4513
wolfSSL 12:0217a9463bc3 4514 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:0217a9463bc3 4515 if (ssl->options.side == WOLFSSL_CLIENT_END) {
wolfSSL 12:0217a9463bc3 4516 if ( ssl->msgsReceived.got_server_hello == 0) {
wolfSSL 12:0217a9463bc3 4517 WOLFSSL_MSG("No ServerHello before Cert");
wolfSSL 12:0217a9463bc3 4518 return OUT_OF_ORDER_E;
wolfSSL 12:0217a9463bc3 4519 }
wolfSSL 12:0217a9463bc3 4520 }
wolfSSL 12:0217a9463bc3 4521 #endif
wolfSSL 12:0217a9463bc3 4522 #ifndef NO_WOLFSSL_SERVER
wolfSSL 12:0217a9463bc3 4523 if (ssl->options.side == WOLFSSL_SERVER_END) {
wolfSSL 12:0217a9463bc3 4524 if ( ssl->msgsReceived.got_client_hello == 0) {
wolfSSL 12:0217a9463bc3 4525 WOLFSSL_MSG("No ClientHello before Cert");
wolfSSL 12:0217a9463bc3 4526 return OUT_OF_ORDER_E;
wolfSSL 12:0217a9463bc3 4527 }
wolfSSL 12:0217a9463bc3 4528 }
wolfSSL 12:0217a9463bc3 4529 #endif
wolfSSL 12:0217a9463bc3 4530 break;
wolfSSL 12:0217a9463bc3 4531
wolfSSL 12:0217a9463bc3 4532 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:0217a9463bc3 4533 case certificate_request:
wolfSSL 12:0217a9463bc3 4534 if (ssl->msgsReceived.got_certificate_request) {
wolfSSL 12:0217a9463bc3 4535 WOLFSSL_MSG("Duplicate CertificateRequest received");
wolfSSL 12:0217a9463bc3 4536 return DUPLICATE_MSG_E;
wolfSSL 12:0217a9463bc3 4537 }
wolfSSL 12:0217a9463bc3 4538 ssl->msgsReceived.got_certificate_request = 1;
wolfSSL 12:0217a9463bc3 4539
wolfSSL 12:0217a9463bc3 4540 break;
wolfSSL 12:0217a9463bc3 4541 #endif
wolfSSL 12:0217a9463bc3 4542
wolfSSL 12:0217a9463bc3 4543 case certificate_verify:
wolfSSL 12:0217a9463bc3 4544 if (ssl->msgsReceived.got_certificate_verify) {
wolfSSL 12:0217a9463bc3 4545 WOLFSSL_MSG("Duplicate CertificateVerify received");
wolfSSL 12:0217a9463bc3 4546 return DUPLICATE_MSG_E;
wolfSSL 12:0217a9463bc3 4547 }
wolfSSL 12:0217a9463bc3 4548 ssl->msgsReceived.got_certificate_verify = 1;
wolfSSL 12:0217a9463bc3 4549
wolfSSL 12:0217a9463bc3 4550 if (ssl->msgsReceived.got_certificate == 0) {
wolfSSL 12:0217a9463bc3 4551 WOLFSSL_MSG("No Cert before CertVerify");
wolfSSL 12:0217a9463bc3 4552 return OUT_OF_ORDER_E;
wolfSSL 12:0217a9463bc3 4553 }
wolfSSL 12:0217a9463bc3 4554 break;
wolfSSL 12:0217a9463bc3 4555
wolfSSL 12:0217a9463bc3 4556 case finished:
wolfSSL 12:0217a9463bc3 4557 if (ssl->msgsReceived.got_finished) {
wolfSSL 12:0217a9463bc3 4558 WOLFSSL_MSG("Duplicate Finished received");
wolfSSL 12:0217a9463bc3 4559 return DUPLICATE_MSG_E;
wolfSSL 12:0217a9463bc3 4560 }
wolfSSL 12:0217a9463bc3 4561 ssl->msgsReceived.got_finished = 1;
wolfSSL 12:0217a9463bc3 4562
wolfSSL 12:0217a9463bc3 4563 break;
wolfSSL 12:0217a9463bc3 4564
wolfSSL 12:0217a9463bc3 4565 case key_update:
wolfSSL 12:0217a9463bc3 4566 if (!ssl->msgsReceived.got_finished) {
wolfSSL 12:0217a9463bc3 4567 WOLFSSL_MSG("No KeyUpdate before Finished");
wolfSSL 12:0217a9463bc3 4568 return OUT_OF_ORDER_E;
wolfSSL 12:0217a9463bc3 4569 }
wolfSSL 12:0217a9463bc3 4570 break;
wolfSSL 12:0217a9463bc3 4571
wolfSSL 12:0217a9463bc3 4572 default:
wolfSSL 12:0217a9463bc3 4573 WOLFSSL_MSG("Unknown message type");
wolfSSL 12:0217a9463bc3 4574 return SANITY_MSG_E;
wolfSSL 12:0217a9463bc3 4575 }
wolfSSL 12:0217a9463bc3 4576
wolfSSL 12:0217a9463bc3 4577 return 0;
wolfSSL 12:0217a9463bc3 4578 }
wolfSSL 12:0217a9463bc3 4579
wolfSSL 12:0217a9463bc3 4580 /* Handle a type of handshake message that has been received.
wolfSSL 12:0217a9463bc3 4581 *
wolfSSL 12:0217a9463bc3 4582 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 4583 * input The message buffer.
wolfSSL 12:0217a9463bc3 4584 * inOutIdx On entry, the index into the buffer of the current message.
wolfSSL 12:0217a9463bc3 4585 * On exit, the index into the buffer of the next message.
wolfSSL 12:0217a9463bc3 4586 * size The length of the current handshake message.
wolfSSL 12:0217a9463bc3 4587 * totalSz Length of remaining data in the message buffer.
wolfSSL 12:0217a9463bc3 4588 * returns 0 on success and otherwise failure.
wolfSSL 12:0217a9463bc3 4589 */
wolfSSL 12:0217a9463bc3 4590 int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
wolfSSL 12:0217a9463bc3 4591 byte type, word32 size, word32 totalSz)
wolfSSL 12:0217a9463bc3 4592 {
wolfSSL 12:0217a9463bc3 4593 int ret = 0;
wolfSSL 12:0217a9463bc3 4594 (void)totalSz;
wolfSSL 12:0217a9463bc3 4595 word32 inIdx = *inOutIdx;
wolfSSL 12:0217a9463bc3 4596
wolfSSL 12:0217a9463bc3 4597 WOLFSSL_ENTER("DoTls13HandShakeMsgType");
wolfSSL 12:0217a9463bc3 4598
wolfSSL 12:0217a9463bc3 4599 /* make sure can read the message */
wolfSSL 12:0217a9463bc3 4600 if (*inOutIdx + size > totalSz)
wolfSSL 12:0217a9463bc3 4601 return INCOMPLETE_DATA;
wolfSSL 12:0217a9463bc3 4602
wolfSSL 12:0217a9463bc3 4603 /* sanity check msg received */
wolfSSL 12:0217a9463bc3 4604 if ( (ret = SanityCheckTls13MsgReceived(ssl, type)) != 0) {
wolfSSL 12:0217a9463bc3 4605 WOLFSSL_MSG("Sanity Check on handshake message type received failed");
wolfSSL 12:0217a9463bc3 4606 return ret;
wolfSSL 12:0217a9463bc3 4607 }
wolfSSL 12:0217a9463bc3 4608
wolfSSL 12:0217a9463bc3 4609 #ifdef WOLFSSL_CALLBACKS
wolfSSL 12:0217a9463bc3 4610 /* add name later, add on record and handshake header part back on */
wolfSSL 12:0217a9463bc3 4611 if (ssl->toInfoOn) {
wolfSSL 12:0217a9463bc3 4612 int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 4613 AddPacketInfo(0, &ssl->timeoutInfo, input + *inOutIdx - add,
wolfSSL 12:0217a9463bc3 4614 size + add, ssl->heap);
wolfSSL 12:0217a9463bc3 4615 AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
wolfSSL 12:0217a9463bc3 4616 }
wolfSSL 12:0217a9463bc3 4617 #endif
wolfSSL 12:0217a9463bc3 4618
wolfSSL 12:0217a9463bc3 4619 if (ssl->options.handShakeState == HANDSHAKE_DONE &&
wolfSSL 12:0217a9463bc3 4620 type != session_ticket && type != certificate_request &&
wolfSSL 12:0217a9463bc3 4621 type != key_update) {
wolfSSL 12:0217a9463bc3 4622 WOLFSSL_MSG("HandShake message after handshake complete");
wolfSSL 12:0217a9463bc3 4623 SendAlert(ssl, alert_fatal, unexpected_message);
wolfSSL 12:0217a9463bc3 4624 return OUT_OF_ORDER_E;
wolfSSL 12:0217a9463bc3 4625 }
wolfSSL 12:0217a9463bc3 4626
wolfSSL 12:0217a9463bc3 4627 if (ssl->options.side == WOLFSSL_CLIENT_END && !ssl->options.dtls &&
wolfSSL 12:0217a9463bc3 4628 ssl->options.serverState == NULL_STATE &&
wolfSSL 12:0217a9463bc3 4629 type != server_hello && type != hello_retry_request) {
wolfSSL 12:0217a9463bc3 4630 WOLFSSL_MSG("First server message not server hello");
wolfSSL 12:0217a9463bc3 4631 SendAlert(ssl, alert_fatal, unexpected_message);
wolfSSL 12:0217a9463bc3 4632 return OUT_OF_ORDER_E;
wolfSSL 12:0217a9463bc3 4633 }
wolfSSL 12:0217a9463bc3 4634
wolfSSL 12:0217a9463bc3 4635 if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.dtls &&
wolfSSL 12:0217a9463bc3 4636 type == server_hello_done &&
wolfSSL 12:0217a9463bc3 4637 ssl->options.serverState < SERVER_HELLO_COMPLETE) {
wolfSSL 12:0217a9463bc3 4638 WOLFSSL_MSG("Server hello done received before server hello in DTLS");
wolfSSL 12:0217a9463bc3 4639 SendAlert(ssl, alert_fatal, unexpected_message);
wolfSSL 12:0217a9463bc3 4640 return OUT_OF_ORDER_E;
wolfSSL 12:0217a9463bc3 4641 }
wolfSSL 12:0217a9463bc3 4642
wolfSSL 12:0217a9463bc3 4643 if (ssl->options.side == WOLFSSL_SERVER_END &&
wolfSSL 12:0217a9463bc3 4644 ssl->options.clientState == NULL_STATE && type != client_hello) {
wolfSSL 12:0217a9463bc3 4645 WOLFSSL_MSG("First client message not client hello");
wolfSSL 12:0217a9463bc3 4646 SendAlert(ssl, alert_fatal, unexpected_message);
wolfSSL 12:0217a9463bc3 4647 return OUT_OF_ORDER_E;
wolfSSL 12:0217a9463bc3 4648 }
wolfSSL 12:0217a9463bc3 4649
wolfSSL 12:0217a9463bc3 4650 /* above checks handshake state */
wolfSSL 12:0217a9463bc3 4651 switch (type) {
wolfSSL 12:0217a9463bc3 4652
wolfSSL 12:0217a9463bc3 4653 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 12:0217a9463bc3 4654 case hello_retry_request:
wolfSSL 12:0217a9463bc3 4655 WOLFSSL_MSG("processing hello rety request");
wolfSSL 12:0217a9463bc3 4656 ret = DoTls13HelloRetryRequest(ssl, input, inOutIdx, size);
wolfSSL 12:0217a9463bc3 4657 break;
wolfSSL 12:0217a9463bc3 4658
wolfSSL 12:0217a9463bc3 4659 case server_hello:
wolfSSL 12:0217a9463bc3 4660 WOLFSSL_MSG("processing server hello");
wolfSSL 12:0217a9463bc3 4661 ret = DoTls13ServerHello(ssl, input, inOutIdx, size);
wolfSSL 12:0217a9463bc3 4662 break;
wolfSSL 12:0217a9463bc3 4663
wolfSSL 12:0217a9463bc3 4664 #ifndef NO_CERTS
wolfSSL 12:0217a9463bc3 4665 case certificate_request:
wolfSSL 12:0217a9463bc3 4666 WOLFSSL_MSG("processing certificate request");
wolfSSL 12:0217a9463bc3 4667 ret = DoTls13CertificateRequest(ssl, input, inOutIdx, size);
wolfSSL 12:0217a9463bc3 4668 break;
wolfSSL 12:0217a9463bc3 4669 #endif
wolfSSL 12:0217a9463bc3 4670
wolfSSL 12:0217a9463bc3 4671 case session_ticket:
wolfSSL 12:0217a9463bc3 4672 WOLFSSL_MSG("processing new session ticket");
wolfSSL 12:0217a9463bc3 4673 ret = DoTls13NewSessionTicket(ssl, input, inOutIdx, size);
wolfSSL 12:0217a9463bc3 4674 break;
wolfSSL 12:0217a9463bc3 4675
wolfSSL 12:0217a9463bc3 4676 case encrypted_extensions:
wolfSSL 12:0217a9463bc3 4677 WOLFSSL_MSG("processing encrypted extensions");
wolfSSL 12:0217a9463bc3 4678 ret = DoTls13EncryptedExtensions(ssl, input, inOutIdx, size);
wolfSSL 12:0217a9463bc3 4679 break;
wolfSSL 12:0217a9463bc3 4680 #endif /* !NO_WOLFSSL_CLIENT */
wolfSSL 12:0217a9463bc3 4681
wolfSSL 12:0217a9463bc3 4682 #ifndef NO_CERTS
wolfSSL 12:0217a9463bc3 4683 case certificate:
wolfSSL 12:0217a9463bc3 4684 WOLFSSL_MSG("processing certificate");
wolfSSL 12:0217a9463bc3 4685 ret = DoTls13Certificate(ssl, input, inOutIdx, size);
wolfSSL 12:0217a9463bc3 4686 break;
wolfSSL 12:0217a9463bc3 4687 #endif
wolfSSL 12:0217a9463bc3 4688
wolfSSL 12:0217a9463bc3 4689 #if !defined(NO_RSA) || defined(HAVE_ECC)
wolfSSL 12:0217a9463bc3 4690 case certificate_verify:
wolfSSL 12:0217a9463bc3 4691 WOLFSSL_MSG("processing certificate verify");
wolfSSL 12:0217a9463bc3 4692 ret = DoTls13CertificateVerify(ssl, input, inOutIdx, size);
wolfSSL 12:0217a9463bc3 4693 break;
wolfSSL 12:0217a9463bc3 4694 #endif /* !NO_RSA || HAVE_ECC */
wolfSSL 12:0217a9463bc3 4695
wolfSSL 12:0217a9463bc3 4696 case finished:
wolfSSL 12:0217a9463bc3 4697 WOLFSSL_MSG("processing finished");
wolfSSL 12:0217a9463bc3 4698 ret = DoTls13Finished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF);
wolfSSL 12:0217a9463bc3 4699 break;
wolfSSL 12:0217a9463bc3 4700
wolfSSL 12:0217a9463bc3 4701 case key_update:
wolfSSL 12:0217a9463bc3 4702 WOLFSSL_MSG("processing finished");
wolfSSL 12:0217a9463bc3 4703 ret = DoTls13KeyUpdate(ssl, input, inOutIdx, size);
wolfSSL 12:0217a9463bc3 4704 break;
wolfSSL 12:0217a9463bc3 4705
wolfSSL 12:0217a9463bc3 4706 #ifndef NO_WOLFSSL_SERVER
wolfSSL 12:0217a9463bc3 4707 case client_hello:
wolfSSL 12:0217a9463bc3 4708 WOLFSSL_MSG("processing client hello");
wolfSSL 12:0217a9463bc3 4709 ret = DoTls13ClientHello(ssl, input, inOutIdx, size);
wolfSSL 12:0217a9463bc3 4710 break;
wolfSSL 12:0217a9463bc3 4711 #endif /* !NO_WOLFSSL_SERVER */
wolfSSL 12:0217a9463bc3 4712
wolfSSL 12:0217a9463bc3 4713 default:
wolfSSL 12:0217a9463bc3 4714 WOLFSSL_MSG("Unknown handshake message type");
wolfSSL 12:0217a9463bc3 4715 ret = UNKNOWN_HANDSHAKE_TYPE;
wolfSSL 12:0217a9463bc3 4716 break;
wolfSSL 12:0217a9463bc3 4717 }
wolfSSL 12:0217a9463bc3 4718
wolfSSL 12:0217a9463bc3 4719 if (ret == 0 && type != client_hello && type != session_ticket &&
wolfSSL 12:0217a9463bc3 4720 type != key_update && ssl->error != WC_PENDING_E) {
wolfSSL 12:0217a9463bc3 4721 ret = HashInput(ssl, input + inIdx, size);
wolfSSL 12:0217a9463bc3 4722 }
wolfSSL 12:0217a9463bc3 4723
wolfSSL 12:0217a9463bc3 4724 if (ret == BUFFER_ERROR || ret == MISSING_HANDSHAKE_DATA)
wolfSSL 12:0217a9463bc3 4725 SendAlert(ssl, alert_fatal, decode_error);
wolfSSL 12:0217a9463bc3 4726
wolfSSL 12:0217a9463bc3 4727 if (ret == EXT_NOT_ALLOWED || ret == PEER_KEY_ERROR ||
wolfSSL 12:0217a9463bc3 4728 ret == ECC_PEERKEY_ERROR || ret == BAD_KEY_SHARE_DATA ||
wolfSSL 12:0217a9463bc3 4729 ret == PSK_KEY_ERROR || ret == INVALID_PARAMETER) {
wolfSSL 12:0217a9463bc3 4730 SendAlert(ssl, alert_fatal, illegal_parameter);
wolfSSL 12:0217a9463bc3 4731 }
wolfSSL 12:0217a9463bc3 4732
wolfSSL 12:0217a9463bc3 4733 if (ssl->options.tls1_3) {
wolfSSL 12:0217a9463bc3 4734 if (type == server_hello && ssl->options.side == WOLFSSL_CLIENT_END) {
wolfSSL 12:0217a9463bc3 4735 if ((ret = DeriveEarlySecret(ssl)) != 0)
wolfSSL 12:0217a9463bc3 4736 return ret;
wolfSSL 12:0217a9463bc3 4737 if ((ret = DeriveHandshakeSecret(ssl)) != 0)
wolfSSL 12:0217a9463bc3 4738 return ret;
wolfSSL 12:0217a9463bc3 4739 if ((ret = DeriveTls13Keys(ssl, handshake_key,
wolfSSL 12:0217a9463bc3 4740 ENCRYPT_AND_DECRYPT_SIDE)) != 0)
wolfSSL 12:0217a9463bc3 4741 return ret;
wolfSSL 12:0217a9463bc3 4742
wolfSSL 12:0217a9463bc3 4743 /* setup decrypt keys for following messages */
wolfSSL 12:0217a9463bc3 4744 if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
wolfSSL 12:0217a9463bc3 4745 return ret;
wolfSSL 12:0217a9463bc3 4746 if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
wolfSSL 12:0217a9463bc3 4747 return ret;
wolfSSL 12:0217a9463bc3 4748 }
wolfSSL 12:0217a9463bc3 4749
wolfSSL 12:0217a9463bc3 4750 if (type == finished && ssl->options.side == WOLFSSL_CLIENT_END) {
wolfSSL 12:0217a9463bc3 4751 if ((ret = DeriveMasterSecret(ssl)) != 0)
wolfSSL 12:0217a9463bc3 4752 return ret;
wolfSSL 12:0217a9463bc3 4753 if ((ret = DeriveTls13Keys(ssl, traffic_key,
wolfSSL 12:0217a9463bc3 4754 ENCRYPT_AND_DECRYPT_SIDE)) != 0)
wolfSSL 12:0217a9463bc3 4755 return ret;
wolfSSL 12:0217a9463bc3 4756 }
wolfSSL 12:0217a9463bc3 4757
wolfSSL 12:0217a9463bc3 4758 #ifndef NO_PSK
wolfSSL 12:0217a9463bc3 4759 if (type == finished && ssl->options.side == WOLFSSL_SERVER_END)
wolfSSL 12:0217a9463bc3 4760 DeriveResumptionSecret(ssl, ssl->session.masterSecret);
wolfSSL 12:0217a9463bc3 4761 #endif
wolfSSL 12:0217a9463bc3 4762 }
wolfSSL 12:0217a9463bc3 4763
wolfSSL 12:0217a9463bc3 4764 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 12:0217a9463bc3 4765 /* if async, offset index so this msg will be processed again */
wolfSSL 12:0217a9463bc3 4766 if (ret == WC_PENDING_E) {
wolfSSL 12:0217a9463bc3 4767 *inOutIdx -= HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 4768 }
wolfSSL 12:0217a9463bc3 4769 #endif
wolfSSL 12:0217a9463bc3 4770
wolfSSL 12:0217a9463bc3 4771 WOLFSSL_LEAVE("DoTls13HandShakeMsgType()", ret);
wolfSSL 12:0217a9463bc3 4772 return ret;
wolfSSL 12:0217a9463bc3 4773 }
wolfSSL 12:0217a9463bc3 4774
wolfSSL 12:0217a9463bc3 4775
wolfSSL 12:0217a9463bc3 4776 /* Handle a handshake message that has been received.
wolfSSL 12:0217a9463bc3 4777 *
wolfSSL 12:0217a9463bc3 4778 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 4779 * input The message buffer.
wolfSSL 12:0217a9463bc3 4780 * inOutIdx On entry, the index into the buffer of the current message.
wolfSSL 12:0217a9463bc3 4781 * On exit, the index into the buffer of the next message.
wolfSSL 12:0217a9463bc3 4782 * totalSz Length of remaining data in the message buffer.
wolfSSL 12:0217a9463bc3 4783 * returns 0 on success and otherwise failure.
wolfSSL 12:0217a9463bc3 4784 */
wolfSSL 12:0217a9463bc3 4785 int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
wolfSSL 12:0217a9463bc3 4786 word32 totalSz)
wolfSSL 12:0217a9463bc3 4787 {
wolfSSL 12:0217a9463bc3 4788 int ret = 0;
wolfSSL 12:0217a9463bc3 4789 word32 inputLength;
wolfSSL 12:0217a9463bc3 4790
wolfSSL 12:0217a9463bc3 4791 WOLFSSL_ENTER("DoTls13HandShakeMsg()");
wolfSSL 12:0217a9463bc3 4792
wolfSSL 12:0217a9463bc3 4793 if (ssl->arrays == NULL) {
wolfSSL 12:0217a9463bc3 4794 byte type;
wolfSSL 12:0217a9463bc3 4795 word32 size;
wolfSSL 12:0217a9463bc3 4796
wolfSSL 12:0217a9463bc3 4797 if (GetHandshakeHeader(ssl,input,inOutIdx,&type, &size, totalSz) != 0)
wolfSSL 12:0217a9463bc3 4798 return PARSE_ERROR;
wolfSSL 12:0217a9463bc3 4799
wolfSSL 12:0217a9463bc3 4800 return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
wolfSSL 12:0217a9463bc3 4801 totalSz);
wolfSSL 12:0217a9463bc3 4802 }
wolfSSL 12:0217a9463bc3 4803
wolfSSL 12:0217a9463bc3 4804 inputLength = ssl->buffers.inputBuffer.length - *inOutIdx;
wolfSSL 12:0217a9463bc3 4805
wolfSSL 12:0217a9463bc3 4806 /* If there is a pending fragmented handshake message,
wolfSSL 12:0217a9463bc3 4807 * pending message size will be non-zero. */
wolfSSL 12:0217a9463bc3 4808 if (ssl->arrays->pendingMsgSz == 0) {
wolfSSL 12:0217a9463bc3 4809 byte type;
wolfSSL 12:0217a9463bc3 4810 word32 size;
wolfSSL 12:0217a9463bc3 4811
wolfSSL 12:0217a9463bc3 4812 if (GetHandshakeHeader(ssl,input, inOutIdx, &type, &size, totalSz) != 0)
wolfSSL 12:0217a9463bc3 4813 return PARSE_ERROR;
wolfSSL 12:0217a9463bc3 4814
wolfSSL 12:0217a9463bc3 4815 /* Cap the maximum size of a handshake message to something reasonable.
wolfSSL 12:0217a9463bc3 4816 * By default is the maximum size of a certificate message assuming
wolfSSL 12:0217a9463bc3 4817 * nine 2048-bit RSA certificates in the chain. */
wolfSSL 12:0217a9463bc3 4818 if (size > MAX_HANDSHAKE_SZ) {
wolfSSL 12:0217a9463bc3 4819 WOLFSSL_MSG("Handshake message too large");
wolfSSL 12:0217a9463bc3 4820 return HANDSHAKE_SIZE_ERROR;
wolfSSL 12:0217a9463bc3 4821 }
wolfSSL 12:0217a9463bc3 4822
wolfSSL 12:0217a9463bc3 4823 /* size is the size of the certificate message payload */
wolfSSL 12:0217a9463bc3 4824 if (inputLength - HANDSHAKE_HEADER_SZ < size) {
wolfSSL 12:0217a9463bc3 4825 ssl->arrays->pendingMsgType = type;
wolfSSL 12:0217a9463bc3 4826 ssl->arrays->pendingMsgSz = size + HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 4827 ssl->arrays->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ,
wolfSSL 12:0217a9463bc3 4828 ssl->heap,
wolfSSL 12:0217a9463bc3 4829 DYNAMIC_TYPE_ARRAYS);
wolfSSL 12:0217a9463bc3 4830 if (ssl->arrays->pendingMsg == NULL)
wolfSSL 12:0217a9463bc3 4831 return MEMORY_E;
wolfSSL 12:0217a9463bc3 4832 XMEMCPY(ssl->arrays->pendingMsg,
wolfSSL 12:0217a9463bc3 4833 input + *inOutIdx - HANDSHAKE_HEADER_SZ,
wolfSSL 12:0217a9463bc3 4834 inputLength);
wolfSSL 12:0217a9463bc3 4835 ssl->arrays->pendingMsgOffset = inputLength;
wolfSSL 12:0217a9463bc3 4836 *inOutIdx += inputLength - HANDSHAKE_HEADER_SZ;
wolfSSL 12:0217a9463bc3 4837 return 0;
wolfSSL 12:0217a9463bc3 4838 }
wolfSSL 12:0217a9463bc3 4839
wolfSSL 12:0217a9463bc3 4840 ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
wolfSSL 12:0217a9463bc3 4841 totalSz);
wolfSSL 12:0217a9463bc3 4842 }
wolfSSL 12:0217a9463bc3 4843 else {
wolfSSL 12:0217a9463bc3 4844 if (inputLength + ssl->arrays->pendingMsgOffset >
wolfSSL 12:0217a9463bc3 4845 ssl->arrays->pendingMsgSz) {
wolfSSL 12:0217a9463bc3 4846 return BUFFER_ERROR;
wolfSSL 12:0217a9463bc3 4847 }
wolfSSL 12:0217a9463bc3 4848
wolfSSL 12:0217a9463bc3 4849 XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset,
wolfSSL 12:0217a9463bc3 4850 input + *inOutIdx, inputLength);
wolfSSL 12:0217a9463bc3 4851 ssl->arrays->pendingMsgOffset += inputLength;
wolfSSL 12:0217a9463bc3 4852 *inOutIdx += inputLength;
wolfSSL 12:0217a9463bc3 4853
wolfSSL 12:0217a9463bc3 4854 if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz)
wolfSSL 12:0217a9463bc3 4855 {
wolfSSL 12:0217a9463bc3 4856 word32 idx = 0;
wolfSSL 12:0217a9463bc3 4857 ret = DoTls13HandShakeMsgType(ssl,
wolfSSL 12:0217a9463bc3 4858 ssl->arrays->pendingMsg + HANDSHAKE_HEADER_SZ,
wolfSSL 12:0217a9463bc3 4859 &idx, ssl->arrays->pendingMsgType,
wolfSSL 12:0217a9463bc3 4860 ssl->arrays->pendingMsgSz - HANDSHAKE_HEADER_SZ,
wolfSSL 12:0217a9463bc3 4861 ssl->arrays->pendingMsgSz);
wolfSSL 12:0217a9463bc3 4862 XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
wolfSSL 12:0217a9463bc3 4863 ssl->arrays->pendingMsg = NULL;
wolfSSL 12:0217a9463bc3 4864 ssl->arrays->pendingMsgSz = 0;
wolfSSL 12:0217a9463bc3 4865 }
wolfSSL 12:0217a9463bc3 4866 }
wolfSSL 12:0217a9463bc3 4867
wolfSSL 12:0217a9463bc3 4868 WOLFSSL_LEAVE("DoTls13HandShakeMsg()", ret);
wolfSSL 12:0217a9463bc3 4869 return ret;
wolfSSL 12:0217a9463bc3 4870 }
wolfSSL 12:0217a9463bc3 4871
wolfSSL 12:0217a9463bc3 4872 /* The client connecting to the server.
wolfSSL 12:0217a9463bc3 4873 * The protocol version is expecting to be TLS v1.3.
wolfSSL 12:0217a9463bc3 4874 * If the server downgrades, and older versions of the protocol are compiled
wolfSSL 12:0217a9463bc3 4875 * in, the client will fallback to wolfSSL_connect().
wolfSSL 12:0217a9463bc3 4876 * Please see note at top of README if you get an error from connect.
wolfSSL 12:0217a9463bc3 4877 *
wolfSSL 12:0217a9463bc3 4878 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 4879 * returns SSL_SUCCESS on successful handshake, SSL_FATAL_ERROR when
wolfSSL 12:0217a9463bc3 4880 * unrecoverable error occurs and 0 otherwise.
wolfSSL 12:0217a9463bc3 4881 * For more error information use wolfSSL_get_error().
wolfSSL 12:0217a9463bc3 4882 */
wolfSSL 12:0217a9463bc3 4883 int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 4884 {
wolfSSL 12:0217a9463bc3 4885 int neededState;
wolfSSL 12:0217a9463bc3 4886
wolfSSL 12:0217a9463bc3 4887 WOLFSSL_ENTER("wolfSSL_connect_TLSv13()");
wolfSSL 12:0217a9463bc3 4888
wolfSSL 12:0217a9463bc3 4889 #ifdef HAVE_ERRNO_H
wolfSSL 12:0217a9463bc3 4890 errno = 0;
wolfSSL 12:0217a9463bc3 4891 #endif
wolfSSL 12:0217a9463bc3 4892
wolfSSL 12:0217a9463bc3 4893 if (ssl->options.side != WOLFSSL_CLIENT_END) {
wolfSSL 12:0217a9463bc3 4894 WOLFSSL_ERROR(ssl->error = SIDE_ERROR);
wolfSSL 12:0217a9463bc3 4895 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 4896 }
wolfSSL 12:0217a9463bc3 4897
wolfSSL 12:0217a9463bc3 4898 if (ssl->buffers.outputBuffer.length > 0) {
wolfSSL 12:0217a9463bc3 4899 if ((ssl->error = SendBuffered(ssl)) == 0) {
wolfSSL 12:0217a9463bc3 4900 /* fragOffset is non-zero when sending fragments. On the last
wolfSSL 12:0217a9463bc3 4901 * fragment, fragOffset is zero again, and the state can be
wolfSSL 12:0217a9463bc3 4902 * advanced. */
wolfSSL 12:0217a9463bc3 4903 if (ssl->fragOffset == 0) {
wolfSSL 12:0217a9463bc3 4904 ssl->options.connectState++;
wolfSSL 12:0217a9463bc3 4905 WOLFSSL_MSG("connect state: "
wolfSSL 12:0217a9463bc3 4906 "Advanced from last buffered fragment send");
wolfSSL 12:0217a9463bc3 4907 }
wolfSSL 12:0217a9463bc3 4908 else {
wolfSSL 12:0217a9463bc3 4909 WOLFSSL_MSG("connect state: "
wolfSSL 12:0217a9463bc3 4910 "Not advanced, more fragments to send");
wolfSSL 12:0217a9463bc3 4911 }
wolfSSL 12:0217a9463bc3 4912 }
wolfSSL 12:0217a9463bc3 4913 else {
wolfSSL 12:0217a9463bc3 4914 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 4915 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 4916 }
wolfSSL 12:0217a9463bc3 4917 }
wolfSSL 12:0217a9463bc3 4918
wolfSSL 12:0217a9463bc3 4919 switch (ssl->options.connectState) {
wolfSSL 12:0217a9463bc3 4920
wolfSSL 12:0217a9463bc3 4921 case CONNECT_BEGIN:
wolfSSL 12:0217a9463bc3 4922 /* Always send client hello first. */
wolfSSL 12:0217a9463bc3 4923 if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
wolfSSL 12:0217a9463bc3 4924 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 4925 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 4926 }
wolfSSL 12:0217a9463bc3 4927
wolfSSL 12:0217a9463bc3 4928 ssl->options.connectState = CLIENT_HELLO_SENT;
wolfSSL 12:0217a9463bc3 4929 WOLFSSL_MSG("connect state: CLIENT_HELLO_SENT");
wolfSSL 12:0217a9463bc3 4930
wolfSSL 12:0217a9463bc3 4931 case CLIENT_HELLO_SENT:
wolfSSL 12:0217a9463bc3 4932 neededState = ssl->options.resuming ? SERVER_FINISHED_COMPLETE :
wolfSSL 12:0217a9463bc3 4933 SERVER_HELLODONE_COMPLETE;
wolfSSL 12:0217a9463bc3 4934 /* Get the response/s from the server. */
wolfSSL 12:0217a9463bc3 4935 while (ssl->options.serverState < neededState) {
wolfSSL 12:0217a9463bc3 4936 if ((ssl->error = ProcessReply(ssl)) < 0) {
wolfSSL 12:0217a9463bc3 4937 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 4938 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 4939 }
wolfSSL 12:0217a9463bc3 4940 /* if resumption failed, reset needed state. */
wolfSSL 12:0217a9463bc3 4941 if (neededState == SERVER_FINISHED_COMPLETE &&
wolfSSL 12:0217a9463bc3 4942 !ssl->options.resuming) {
wolfSSL 12:0217a9463bc3 4943 neededState = SERVER_HELLODONE_COMPLETE;
wolfSSL 12:0217a9463bc3 4944 }
wolfSSL 12:0217a9463bc3 4945 }
wolfSSL 12:0217a9463bc3 4946
wolfSSL 12:0217a9463bc3 4947 ssl->options.connectState = HELLO_AGAIN;
wolfSSL 12:0217a9463bc3 4948 WOLFSSL_MSG("connect state: HELLO_AGAIN");
wolfSSL 12:0217a9463bc3 4949 case HELLO_AGAIN:
wolfSSL 12:0217a9463bc3 4950 if (ssl->options.certOnly)
wolfSSL 12:0217a9463bc3 4951 return SSL_SUCCESS;
wolfSSL 12:0217a9463bc3 4952
wolfSSL 12:0217a9463bc3 4953 if (!ssl->options.tls1_3)
wolfSSL 12:0217a9463bc3 4954 return wolfSSL_connect(ssl);
wolfSSL 12:0217a9463bc3 4955
wolfSSL 12:0217a9463bc3 4956 if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
wolfSSL 12:0217a9463bc3 4957 ssl->options.serverState = NULL_STATE;
wolfSSL 12:0217a9463bc3 4958 /* Try again with different security parameters. */
wolfSSL 12:0217a9463bc3 4959 if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
wolfSSL 12:0217a9463bc3 4960 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 4961 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 4962 }
wolfSSL 12:0217a9463bc3 4963 }
wolfSSL 12:0217a9463bc3 4964
wolfSSL 12:0217a9463bc3 4965 ssl->options.connectState = HELLO_AGAIN_REPLY;
wolfSSL 12:0217a9463bc3 4966 WOLFSSL_MSG("connect state: HELLO_AGAIN_REPLY");
wolfSSL 12:0217a9463bc3 4967
wolfSSL 12:0217a9463bc3 4968 case HELLO_AGAIN_REPLY:
wolfSSL 12:0217a9463bc3 4969 if (ssl->options.serverState == NULL_STATE) {
wolfSSL 12:0217a9463bc3 4970 neededState = ssl->options.resuming ? SERVER_FINISHED_COMPLETE :
wolfSSL 12:0217a9463bc3 4971 SERVER_HELLODONE_COMPLETE;
wolfSSL 12:0217a9463bc3 4972
wolfSSL 12:0217a9463bc3 4973 /* Get the response/s from the server. */
wolfSSL 12:0217a9463bc3 4974 while (ssl->options.serverState < neededState) {
wolfSSL 12:0217a9463bc3 4975 if ((ssl->error = ProcessReply(ssl)) < 0) {
wolfSSL 12:0217a9463bc3 4976 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 4977 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 4978 }
wolfSSL 12:0217a9463bc3 4979 /* if resumption failed, reset needed state */
wolfSSL 12:0217a9463bc3 4980 else if (neededState == SERVER_FINISHED_COMPLETE) {
wolfSSL 12:0217a9463bc3 4981 if (!ssl->options.resuming)
wolfSSL 12:0217a9463bc3 4982 neededState = SERVER_HELLODONE_COMPLETE;
wolfSSL 12:0217a9463bc3 4983 }
wolfSSL 12:0217a9463bc3 4984 }
wolfSSL 12:0217a9463bc3 4985 }
wolfSSL 12:0217a9463bc3 4986
wolfSSL 12:0217a9463bc3 4987 ssl->options.connectState = FIRST_REPLY_DONE;
wolfSSL 12:0217a9463bc3 4988 WOLFSSL_MSG("connect state: FIRST_REPLY_DONE");
wolfSSL 12:0217a9463bc3 4989
wolfSSL 12:0217a9463bc3 4990 case FIRST_REPLY_DONE:
wolfSSL 12:0217a9463bc3 4991 #ifndef NO_CERTS
wolfSSL 12:0217a9463bc3 4992 if (!ssl->options.resuming && ssl->options.sendVerify) {
wolfSSL 12:0217a9463bc3 4993 ssl->error = SendTls13Certificate(ssl);
wolfSSL 12:0217a9463bc3 4994 if (ssl->error != 0) {
wolfSSL 12:0217a9463bc3 4995 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 4996 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 4997 }
wolfSSL 12:0217a9463bc3 4998 WOLFSSL_MSG("sent: certificate");
wolfSSL 12:0217a9463bc3 4999 }
wolfSSL 12:0217a9463bc3 5000 #endif
wolfSSL 12:0217a9463bc3 5001
wolfSSL 12:0217a9463bc3 5002 ssl->options.connectState = FIRST_REPLY_FIRST;
wolfSSL 12:0217a9463bc3 5003 WOLFSSL_MSG("connect state: FIRST_REPLY_FIRST");
wolfSSL 12:0217a9463bc3 5004
wolfSSL 12:0217a9463bc3 5005 case FIRST_REPLY_FIRST:
wolfSSL 12:0217a9463bc3 5006 #ifndef NO_CERTS
wolfSSL 12:0217a9463bc3 5007 if (!ssl->options.resuming && ssl->options.sendVerify) {
wolfSSL 12:0217a9463bc3 5008 ssl->error = SendTls13CertificateVerify(ssl);
wolfSSL 12:0217a9463bc3 5009 if (ssl->error != 0) {
wolfSSL 12:0217a9463bc3 5010 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5011 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5012 }
wolfSSL 12:0217a9463bc3 5013 WOLFSSL_MSG("sent: certificate verify");
wolfSSL 12:0217a9463bc3 5014 }
wolfSSL 12:0217a9463bc3 5015 #endif
wolfSSL 12:0217a9463bc3 5016
wolfSSL 12:0217a9463bc3 5017 ssl->options.connectState = FIRST_REPLY_SECOND;
wolfSSL 12:0217a9463bc3 5018 WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND");
wolfSSL 12:0217a9463bc3 5019
wolfSSL 12:0217a9463bc3 5020 case FIRST_REPLY_SECOND:
wolfSSL 12:0217a9463bc3 5021 if ((ssl->error = SendTls13Finished(ssl)) != 0) {
wolfSSL 12:0217a9463bc3 5022 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5023 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5024 }
wolfSSL 12:0217a9463bc3 5025 WOLFSSL_MSG("sent: finished");
wolfSSL 12:0217a9463bc3 5026
wolfSSL 12:0217a9463bc3 5027 ssl->options.connectState = FINISHED_DONE;
wolfSSL 12:0217a9463bc3 5028 WOLFSSL_MSG("connect state: FINISHED_DONE");
wolfSSL 12:0217a9463bc3 5029
wolfSSL 12:0217a9463bc3 5030 case FINISHED_DONE:
wolfSSL 12:0217a9463bc3 5031 #ifndef NO_HANDSHAKE_DONE_CB
wolfSSL 12:0217a9463bc3 5032 if (ssl->hsDoneCb != NULL) {
wolfSSL 12:0217a9463bc3 5033 int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
wolfSSL 12:0217a9463bc3 5034 if (cbret < 0) {
wolfSSL 12:0217a9463bc3 5035 ssl->error = cbret;
wolfSSL 12:0217a9463bc3 5036 WOLFSSL_MSG("HandShake Done Cb don't continue error");
wolfSSL 12:0217a9463bc3 5037 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5038 }
wolfSSL 12:0217a9463bc3 5039 }
wolfSSL 12:0217a9463bc3 5040 #endif /* NO_HANDSHAKE_DONE_CB */
wolfSSL 12:0217a9463bc3 5041
wolfSSL 12:0217a9463bc3 5042 WOLFSSL_LEAVE("SSL_connect()", SSL_SUCCESS);
wolfSSL 12:0217a9463bc3 5043 return SSL_SUCCESS;
wolfSSL 12:0217a9463bc3 5044
wolfSSL 12:0217a9463bc3 5045 default:
wolfSSL 12:0217a9463bc3 5046 WOLFSSL_MSG("Unknown connect state ERROR");
wolfSSL 12:0217a9463bc3 5047 return SSL_FATAL_ERROR; /* unknown connect state */
wolfSSL 12:0217a9463bc3 5048 }
wolfSSL 12:0217a9463bc3 5049 }
wolfSSL 12:0217a9463bc3 5050
wolfSSL 12:0217a9463bc3 5051 /* Create a key share entry from group.
wolfSSL 12:0217a9463bc3 5052 * Generates a key pair.
wolfSSL 12:0217a9463bc3 5053 *
wolfSSL 12:0217a9463bc3 5054 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 5055 * group The named group.
wolfSSL 12:0217a9463bc3 5056 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 5057 */
wolfSSL 12:0217a9463bc3 5058 int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group)
wolfSSL 12:0217a9463bc3 5059 {
wolfSSL 12:0217a9463bc3 5060 int ret = BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 5061
wolfSSL 12:0217a9463bc3 5062 if (ssl == NULL)
wolfSSL 12:0217a9463bc3 5063 return BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 5064
wolfSSL 12:0217a9463bc3 5065 ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL);
wolfSSL 12:0217a9463bc3 5066 if (ret != 0)
wolfSSL 12:0217a9463bc3 5067 return ret;
wolfSSL 12:0217a9463bc3 5068
wolfSSL 12:0217a9463bc3 5069 return SSL_SUCCESS;
wolfSSL 12:0217a9463bc3 5070 }
wolfSSL 12:0217a9463bc3 5071
wolfSSL 12:0217a9463bc3 5072 /* Send no key share entries - use HelloRetryRequest to negotiate shared group.
wolfSSL 12:0217a9463bc3 5073 *
wolfSSL 12:0217a9463bc3 5074 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 5075 * returns 0 on success, otherwise failure.
wolfSSL 12:0217a9463bc3 5076 */
wolfSSL 12:0217a9463bc3 5077 int wolfSSL_NoKeyShares(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 5078 {
wolfSSL 12:0217a9463bc3 5079 int ret = BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 5080
wolfSSL 12:0217a9463bc3 5081 if (ssl == NULL)
wolfSSL 12:0217a9463bc3 5082 return BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 5083
wolfSSL 12:0217a9463bc3 5084 ret = TLSX_KeyShare_Empty(ssl);
wolfSSL 12:0217a9463bc3 5085 if (ret != 0)
wolfSSL 12:0217a9463bc3 5086 return ret;
wolfSSL 12:0217a9463bc3 5087
wolfSSL 12:0217a9463bc3 5088 return SSL_SUCCESS;
wolfSSL 12:0217a9463bc3 5089 }
wolfSSL 12:0217a9463bc3 5090
wolfSSL 12:0217a9463bc3 5091 /* Do not send a ticket after TLS v1.3 handshake for resumption.
wolfSSL 12:0217a9463bc3 5092 *
wolfSSL 12:0217a9463bc3 5093 * ctx The SSL/TLS CTX object.
wolfSSL 12:0217a9463bc3 5094 * returns BAD_FUNC_ARG when ctx is NULL and 0 on success.
wolfSSL 12:0217a9463bc3 5095 */
wolfSSL 12:0217a9463bc3 5096 int wolfSSL_CTX_no_ticket_TLSv13(WOLFSSL_CTX* ctx)
wolfSSL 12:0217a9463bc3 5097 {
wolfSSL 12:0217a9463bc3 5098 if (ctx == NULL)
wolfSSL 12:0217a9463bc3 5099 return BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 5100
wolfSSL 12:0217a9463bc3 5101 #ifdef HAVE_SESSION_TICKET
wolfSSL 12:0217a9463bc3 5102 ctx->noTicketTls13 = 1;
wolfSSL 12:0217a9463bc3 5103 #endif
wolfSSL 12:0217a9463bc3 5104
wolfSSL 12:0217a9463bc3 5105 return 0;
wolfSSL 12:0217a9463bc3 5106 }
wolfSSL 12:0217a9463bc3 5107
wolfSSL 12:0217a9463bc3 5108 /* Do not send a ticket after TLS v1.3 handshake for resumption.
wolfSSL 12:0217a9463bc3 5109 *
wolfSSL 12:0217a9463bc3 5110 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 5111 * returns BAD_FUNC_ARG when ssl is NULL, not using TLS v1.3, or called on
wolfSSL 12:0217a9463bc3 5112 * a client and 0 on success.
wolfSSL 12:0217a9463bc3 5113 */
wolfSSL 12:0217a9463bc3 5114 int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 5115 {
wolfSSL 12:0217a9463bc3 5116 if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version) ||
wolfSSL 12:0217a9463bc3 5117 ssl->options.side == WOLFSSL_CLIENT_END)
wolfSSL 12:0217a9463bc3 5118 return BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 5119
wolfSSL 12:0217a9463bc3 5120 #ifdef HAVE_SESSION_TICKET
wolfSSL 12:0217a9463bc3 5121 ssl->options.noTicketTls13 = 1;
wolfSSL 12:0217a9463bc3 5122 #endif
wolfSSL 12:0217a9463bc3 5123
wolfSSL 12:0217a9463bc3 5124 return 0;
wolfSSL 12:0217a9463bc3 5125 }
wolfSSL 12:0217a9463bc3 5126
wolfSSL 12:0217a9463bc3 5127 /* Disallow (EC)DHE key exchange when using pre-shared keys.
wolfSSL 12:0217a9463bc3 5128 *
wolfSSL 12:0217a9463bc3 5129 * ctx The SSL/TLS CTX object.
wolfSSL 12:0217a9463bc3 5130 * returns BAD_FUNC_ARG when ctx is NULL and 0 on success.
wolfSSL 12:0217a9463bc3 5131 */
wolfSSL 12:0217a9463bc3 5132 int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx)
wolfSSL 12:0217a9463bc3 5133 {
wolfSSL 12:0217a9463bc3 5134 if (ctx == NULL)
wolfSSL 12:0217a9463bc3 5135 return BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 5136
wolfSSL 12:0217a9463bc3 5137 ctx->noPskDheKe = 1;
wolfSSL 12:0217a9463bc3 5138
wolfSSL 12:0217a9463bc3 5139 return 0;
wolfSSL 12:0217a9463bc3 5140 }
wolfSSL 12:0217a9463bc3 5141
wolfSSL 12:0217a9463bc3 5142 /* Disallow (EC)DHE key exchange when using pre-shared keys.
wolfSSL 12:0217a9463bc3 5143 *
wolfSSL 12:0217a9463bc3 5144 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 5145 * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3 and 0 on
wolfSSL 12:0217a9463bc3 5146 * success.
wolfSSL 12:0217a9463bc3 5147 */
wolfSSL 12:0217a9463bc3 5148 int wolfSSL_no_dhe_psk(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 5149 {
wolfSSL 12:0217a9463bc3 5150 if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
wolfSSL 12:0217a9463bc3 5151 return BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 5152
wolfSSL 12:0217a9463bc3 5153 ssl->options.noPskDheKe = 1;
wolfSSL 12:0217a9463bc3 5154
wolfSSL 12:0217a9463bc3 5155 return 0;
wolfSSL 12:0217a9463bc3 5156 }
wolfSSL 12:0217a9463bc3 5157
wolfSSL 12:0217a9463bc3 5158 /* Update the keys for encryption and decryption.
wolfSSL 12:0217a9463bc3 5159 * If using non-blocking I/O and SSL_ERROR_WANT_WRITE is returned then
wolfSSL 12:0217a9463bc3 5160 * calling wolfSSL_write() will have the message sent when ready.
wolfSSL 12:0217a9463bc3 5161 *
wolfSSL 12:0217a9463bc3 5162 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 5163 * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
wolfSSL 12:0217a9463bc3 5164 * SSL_ERROR_WANT_WRITE when non-blocking I/O is not ready to write,
wolfSSL 12:0217a9463bc3 5165 * SSL_SUCCESS on success and otherwise failure.
wolfSSL 12:0217a9463bc3 5166 */
wolfSSL 12:0217a9463bc3 5167 int wolfSSL_update_keys(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 5168 {
wolfSSL 12:0217a9463bc3 5169 int ret;
wolfSSL 12:0217a9463bc3 5170
wolfSSL 12:0217a9463bc3 5171 if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
wolfSSL 12:0217a9463bc3 5172 return BAD_FUNC_ARG;
wolfSSL 12:0217a9463bc3 5173
wolfSSL 12:0217a9463bc3 5174 ret = SendTls13KeyUpdate(ssl);
wolfSSL 12:0217a9463bc3 5175 if (ret == WANT_WRITE)
wolfSSL 12:0217a9463bc3 5176 ret = SSL_ERROR_WANT_WRITE;
wolfSSL 12:0217a9463bc3 5177 else if (ret == 0)
wolfSSL 12:0217a9463bc3 5178 ret = SSL_SUCCESS;
wolfSSL 12:0217a9463bc3 5179 return ret;
wolfSSL 12:0217a9463bc3 5180 }
wolfSSL 12:0217a9463bc3 5181
wolfSSL 12:0217a9463bc3 5182 /* The server accepting a connection from a client.
wolfSSL 12:0217a9463bc3 5183 * The protocol version is expecting to be TLS v1.3.
wolfSSL 12:0217a9463bc3 5184 * If the client downgrades, and older versions of the protocol are compiled
wolfSSL 12:0217a9463bc3 5185 * in, the server will fallback to wolfSSL_accept().
wolfSSL 12:0217a9463bc3 5186 * Please see note at top of README if you get an error from accept.
wolfSSL 12:0217a9463bc3 5187 *
wolfSSL 12:0217a9463bc3 5188 * ssl The SSL/TLS object.
wolfSSL 12:0217a9463bc3 5189 * returns SSL_SUCCESS on successful handshake, SSL_FATAL_ERROR when
wolfSSL 12:0217a9463bc3 5190 * unrecoverable error occurs and 0 otherwise.
wolfSSL 12:0217a9463bc3 5191 * For more error information use wolfSSL_get_error().
wolfSSL 12:0217a9463bc3 5192 */
wolfSSL 12:0217a9463bc3 5193 int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
wolfSSL 12:0217a9463bc3 5194 {
wolfSSL 12:0217a9463bc3 5195 word16 havePSK = 0;
wolfSSL 12:0217a9463bc3 5196 word16 haveAnon = 0;
wolfSSL 12:0217a9463bc3 5197 WOLFSSL_ENTER("SSL_accept_TLSv13()");
wolfSSL 12:0217a9463bc3 5198
wolfSSL 12:0217a9463bc3 5199 #ifdef HAVE_ERRNO_H
wolfSSL 12:0217a9463bc3 5200 errno = 0;
wolfSSL 12:0217a9463bc3 5201 #endif
wolfSSL 12:0217a9463bc3 5202
wolfSSL 12:0217a9463bc3 5203 #ifndef NO_PSK
wolfSSL 12:0217a9463bc3 5204 havePSK = ssl->options.havePSK;
wolfSSL 12:0217a9463bc3 5205 #endif
wolfSSL 12:0217a9463bc3 5206 (void)havePSK;
wolfSSL 12:0217a9463bc3 5207
wolfSSL 12:0217a9463bc3 5208 #ifdef HAVE_ANON
wolfSSL 12:0217a9463bc3 5209 haveAnon = ssl->options.haveAnon;
wolfSSL 12:0217a9463bc3 5210 #endif
wolfSSL 12:0217a9463bc3 5211 (void)haveAnon;
wolfSSL 12:0217a9463bc3 5212
wolfSSL 12:0217a9463bc3 5213 if (ssl->options.side != WOLFSSL_SERVER_END) {
wolfSSL 12:0217a9463bc3 5214 WOLFSSL_ERROR(ssl->error = SIDE_ERROR);
wolfSSL 12:0217a9463bc3 5215 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5216 }
wolfSSL 12:0217a9463bc3 5217
wolfSSL 12:0217a9463bc3 5218 #ifndef NO_CERTS
wolfSSL 12:0217a9463bc3 5219 /* in case used set_accept_state after init */
wolfSSL 12:0217a9463bc3 5220 if (!havePSK && !haveAnon &&
wolfSSL 12:0217a9463bc3 5221 (!ssl->buffers.certificate ||
wolfSSL 12:0217a9463bc3 5222 !ssl->buffers.certificate->buffer ||
wolfSSL 12:0217a9463bc3 5223 !ssl->buffers.key ||
wolfSSL 12:0217a9463bc3 5224 !ssl->buffers.key->buffer)) {
wolfSSL 12:0217a9463bc3 5225 WOLFSSL_MSG("accept error: don't have server cert and key");
wolfSSL 12:0217a9463bc3 5226 ssl->error = NO_PRIVATE_KEY;
wolfSSL 12:0217a9463bc3 5227 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5228 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5229 }
wolfSSL 12:0217a9463bc3 5230 #endif
wolfSSL 12:0217a9463bc3 5231 #ifdef WOLFSSL_DTLS
wolfSSL 12:0217a9463bc3 5232 if (ssl->version.major == DTLS_MAJOR) {
wolfSSL 12:0217a9463bc3 5233 ssl->options.dtls = 1;
wolfSSL 12:0217a9463bc3 5234 ssl->options.tls = 1;
wolfSSL 12:0217a9463bc3 5235 ssl->options.tls1_1 = 1;
wolfSSL 12:0217a9463bc3 5236 }
wolfSSL 12:0217a9463bc3 5237 #endif
wolfSSL 12:0217a9463bc3 5238
wolfSSL 12:0217a9463bc3 5239 if (ssl->buffers.outputBuffer.length > 0) {
wolfSSL 12:0217a9463bc3 5240 if ((ssl->error = SendBuffered(ssl)) == 0) {
wolfSSL 12:0217a9463bc3 5241 /* fragOffset is non-zero when sending fragments. On the last
wolfSSL 12:0217a9463bc3 5242 * fragment, fragOffset is zero again, and the state can be
wolfSSL 12:0217a9463bc3 5243 * advanced. */
wolfSSL 12:0217a9463bc3 5244 if (ssl->fragOffset == 0) {
wolfSSL 12:0217a9463bc3 5245 ssl->options.acceptState++;
wolfSSL 12:0217a9463bc3 5246 WOLFSSL_MSG("accept state: "
wolfSSL 12:0217a9463bc3 5247 "Advanced from last buffered fragment send");
wolfSSL 12:0217a9463bc3 5248 }
wolfSSL 12:0217a9463bc3 5249 else {
wolfSSL 12:0217a9463bc3 5250 WOLFSSL_MSG("accept state: "
wolfSSL 12:0217a9463bc3 5251 "Not advanced, more fragments to send");
wolfSSL 12:0217a9463bc3 5252 }
wolfSSL 12:0217a9463bc3 5253 }
wolfSSL 12:0217a9463bc3 5254 else {
wolfSSL 12:0217a9463bc3 5255 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5256 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5257 }
wolfSSL 12:0217a9463bc3 5258 }
wolfSSL 12:0217a9463bc3 5259
wolfSSL 12:0217a9463bc3 5260 switch (ssl->options.acceptState) {
wolfSSL 12:0217a9463bc3 5261
wolfSSL 12:0217a9463bc3 5262 case ACCEPT_BEGIN :
wolfSSL 12:0217a9463bc3 5263 /* get response */
wolfSSL 12:0217a9463bc3 5264 while (ssl->options.clientState < CLIENT_HELLO_COMPLETE)
wolfSSL 12:0217a9463bc3 5265 if ((ssl->error = ProcessReply(ssl)) < 0) {
wolfSSL 12:0217a9463bc3 5266 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5267 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5268 }
wolfSSL 12:0217a9463bc3 5269
wolfSSL 12:0217a9463bc3 5270 ssl->options.acceptState = ACCEPT_CLIENT_HELLO_DONE;
wolfSSL 12:0217a9463bc3 5271 WOLFSSL_MSG("accept state ACCEPT_CLIENT_HELLO_DONE");
wolfSSL 12:0217a9463bc3 5272
wolfSSL 12:0217a9463bc3 5273 case ACCEPT_CLIENT_HELLO_DONE :
wolfSSL 12:0217a9463bc3 5274 if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
wolfSSL 12:0217a9463bc3 5275 if ((ssl->error = SendTls13HelloRetryRequest(ssl)) != 0) {
wolfSSL 12:0217a9463bc3 5276 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5277 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5278 }
wolfSSL 12:0217a9463bc3 5279 }
wolfSSL 12:0217a9463bc3 5280 ssl->options.acceptState = ACCEPT_HELLO_RETRY_REQUEST_DONE;
wolfSSL 12:0217a9463bc3 5281 WOLFSSL_MSG("accept state ACCEPT_HELLO_RETRY_REQUEST_DONE");
wolfSSL 12:0217a9463bc3 5282
wolfSSL 12:0217a9463bc3 5283 case ACCEPT_HELLO_RETRY_REQUEST_DONE :
wolfSSL 12:0217a9463bc3 5284 if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
wolfSSL 12:0217a9463bc3 5285 if ( (ssl->error = ProcessReply(ssl)) < 0) {
wolfSSL 12:0217a9463bc3 5286 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5287 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5288 }
wolfSSL 12:0217a9463bc3 5289 }
wolfSSL 12:0217a9463bc3 5290 ssl->options.acceptState = ACCEPT_FIRST_REPLY_DONE;
wolfSSL 12:0217a9463bc3 5291 WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE");
wolfSSL 12:0217a9463bc3 5292
wolfSSL 12:0217a9463bc3 5293 case ACCEPT_FIRST_REPLY_DONE :
wolfSSL 12:0217a9463bc3 5294 if ((ssl->error = SendTls13ServerHello(ssl)) != 0) {
wolfSSL 12:0217a9463bc3 5295 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5296 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5297 }
wolfSSL 12:0217a9463bc3 5298 ssl->options.acceptState = SERVER_HELLO_SENT;
wolfSSL 12:0217a9463bc3 5299 WOLFSSL_MSG("accept state SERVER_HELLO_SENT");
wolfSSL 12:0217a9463bc3 5300
wolfSSL 12:0217a9463bc3 5301 case SERVER_HELLO_SENT :
wolfSSL 12:0217a9463bc3 5302 if ((ssl->error = SendTls13EncryptedExtensions(ssl)) != 0) {
wolfSSL 12:0217a9463bc3 5303 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5304 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5305 }
wolfSSL 12:0217a9463bc3 5306 ssl->options.acceptState = SERVER_EXTENSIONS_SENT;
wolfSSL 12:0217a9463bc3 5307 WOLFSSL_MSG("accept state SERVER_EXTENSIONS_SENT");
wolfSSL 12:0217a9463bc3 5308 case SERVER_EXTENSIONS_SENT :
wolfSSL 12:0217a9463bc3 5309 #ifndef NO_CERTS
wolfSSL 12:0217a9463bc3 5310 if (!ssl->options.resuming)
wolfSSL 12:0217a9463bc3 5311 if (ssl->options.verifyPeer)
wolfSSL 12:0217a9463bc3 5312 ssl->error = SendTls13CertificateRequest(ssl);
wolfSSL 12:0217a9463bc3 5313 if (ssl->error != 0) {
wolfSSL 12:0217a9463bc3 5314 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5315 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5316 }
wolfSSL 12:0217a9463bc3 5317 #endif
wolfSSL 12:0217a9463bc3 5318 ssl->options.acceptState = CERT_REQ_SENT;
wolfSSL 12:0217a9463bc3 5319 WOLFSSL_MSG("accept state CERT_REQ_SENT");
wolfSSL 12:0217a9463bc3 5320
wolfSSL 12:0217a9463bc3 5321 case CERT_REQ_SENT :
wolfSSL 12:0217a9463bc3 5322 ssl->options.acceptState = KEY_EXCHANGE_SENT;
wolfSSL 12:0217a9463bc3 5323 #ifndef NO_CERTS
wolfSSL 12:0217a9463bc3 5324 if (!ssl->options.resuming) {
wolfSSL 12:0217a9463bc3 5325 if ((ssl->error = SendTls13Certificate(ssl)) != 0) {
wolfSSL 12:0217a9463bc3 5326 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5327 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5328 }
wolfSSL 12:0217a9463bc3 5329 }
wolfSSL 12:0217a9463bc3 5330 #endif
wolfSSL 12:0217a9463bc3 5331 ssl->options.acceptState = CERT_SENT;
wolfSSL 12:0217a9463bc3 5332 WOLFSSL_MSG("accept state CERT_SENT");
wolfSSL 12:0217a9463bc3 5333
wolfSSL 12:0217a9463bc3 5334 case CERT_SENT :
wolfSSL 12:0217a9463bc3 5335 #ifndef NO_CERTS
wolfSSL 12:0217a9463bc3 5336 if (!ssl->options.resuming) {
wolfSSL 12:0217a9463bc3 5337 if ((ssl->error = SendTls13CertificateVerify(ssl)) != 0) {
wolfSSL 12:0217a9463bc3 5338 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5339 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5340 }
wolfSSL 12:0217a9463bc3 5341 }
wolfSSL 12:0217a9463bc3 5342 #endif
wolfSSL 12:0217a9463bc3 5343 ssl->options.acceptState = CERT_STATUS_SENT;
wolfSSL 12:0217a9463bc3 5344 WOLFSSL_MSG("accept state CERT_STATUS_SENT");
wolfSSL 12:0217a9463bc3 5345
wolfSSL 12:0217a9463bc3 5346 case CERT_VERIFY_SENT :
wolfSSL 12:0217a9463bc3 5347 if ((ssl->error = SendTls13Finished(ssl)) != 0) {
wolfSSL 12:0217a9463bc3 5348 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5349 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5350 }
wolfSSL 12:0217a9463bc3 5351
wolfSSL 12:0217a9463bc3 5352 ssl->options.acceptState = ACCEPT_FINISHED_DONE;
wolfSSL 12:0217a9463bc3 5353 WOLFSSL_MSG("accept state ACCEPT_FINISHED_DONE");
wolfSSL 12:0217a9463bc3 5354
wolfSSL 12:0217a9463bc3 5355 case ACCEPT_FINISHED_DONE :
wolfSSL 12:0217a9463bc3 5356 #ifdef HAVE_SESSION_TICKET
wolfSSL 12:0217a9463bc3 5357 /* TODO: [TLS13] Section 4.5.1 Note. */
wolfSSL 12:0217a9463bc3 5358 if (!ssl->options.resuming && !ssl->options.verifyPeer &&
wolfSSL 12:0217a9463bc3 5359 !ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) {
wolfSSL 12:0217a9463bc3 5360 if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
wolfSSL 12:0217a9463bc3 5361 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5362 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5363 }
wolfSSL 12:0217a9463bc3 5364 }
wolfSSL 12:0217a9463bc3 5365 #endif /* HAVE_SESSION_TICKET */
wolfSSL 12:0217a9463bc3 5366 ssl->options.acceptState = TICKET_SENT;
wolfSSL 12:0217a9463bc3 5367 WOLFSSL_MSG("accept state TICKET_SENT");
wolfSSL 12:0217a9463bc3 5368
wolfSSL 12:0217a9463bc3 5369 case TICKET_SENT:
wolfSSL 12:0217a9463bc3 5370 while (ssl->options.clientState < CLIENT_FINISHED_COMPLETE)
wolfSSL 12:0217a9463bc3 5371 if ( (ssl->error = ProcessReply(ssl)) < 0) {
wolfSSL 12:0217a9463bc3 5372 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5373 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5374 }
wolfSSL 12:0217a9463bc3 5375
wolfSSL 12:0217a9463bc3 5376 ssl->options.acceptState = ACCEPT_SECOND_REPLY_DONE;
wolfSSL 12:0217a9463bc3 5377 WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE");
wolfSSL 12:0217a9463bc3 5378 case ACCEPT_SECOND_REPLY_DONE :
wolfSSL 12:0217a9463bc3 5379 #ifdef HAVE_SESSION_TICKET
wolfSSL 12:0217a9463bc3 5380 if (!ssl->options.resuming && ssl->options.verifyPeer &&
wolfSSL 12:0217a9463bc3 5381 !ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) {
wolfSSL 12:0217a9463bc3 5382 if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
wolfSSL 12:0217a9463bc3 5383 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5384 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5385 }
wolfSSL 12:0217a9463bc3 5386 }
wolfSSL 12:0217a9463bc3 5387 #endif /* HAVE_SESSION_TICKET */
wolfSSL 12:0217a9463bc3 5388 ssl->options.acceptState = ACCEPT_THIRD_REPLY_DONE;
wolfSSL 12:0217a9463bc3 5389 WOLFSSL_MSG("accept state ACCEPT_THIRD_REPLY_DONE");
wolfSSL 12:0217a9463bc3 5390
wolfSSL 12:0217a9463bc3 5391 case ACCEPT_THIRD_REPLY_DONE:
wolfSSL 12:0217a9463bc3 5392 #ifndef NO_HANDSHAKE_DONE_CB
wolfSSL 12:0217a9463bc3 5393 if (ssl->hsDoneCb) {
wolfSSL 12:0217a9463bc3 5394 int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
wolfSSL 12:0217a9463bc3 5395 if (cbret < 0) {
wolfSSL 12:0217a9463bc3 5396 ssl->error = cbret;
wolfSSL 12:0217a9463bc3 5397 WOLFSSL_MSG("HandShake Done Cb don't continue error");
wolfSSL 12:0217a9463bc3 5398 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5399 }
wolfSSL 12:0217a9463bc3 5400 }
wolfSSL 12:0217a9463bc3 5401 #endif /* NO_HANDSHAKE_DONE_CB */
wolfSSL 12:0217a9463bc3 5402
wolfSSL 12:0217a9463bc3 5403 #ifdef WOLFSSL_SESSION_EXPORT
wolfSSL 12:0217a9463bc3 5404 if (ssl->dtls_export) {
wolfSSL 12:0217a9463bc3 5405 if ((ssl->error = wolfSSL_send_session(ssl)) != 0) {
wolfSSL 12:0217a9463bc3 5406 WOLFSSL_MSG("Export DTLS session error");
wolfSSL 12:0217a9463bc3 5407 WOLFSSL_ERROR(ssl->error);
wolfSSL 12:0217a9463bc3 5408 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5409 }
wolfSSL 12:0217a9463bc3 5410 }
wolfSSL 12:0217a9463bc3 5411 #endif
wolfSSL 12:0217a9463bc3 5412
wolfSSL 12:0217a9463bc3 5413 WOLFSSL_LEAVE("SSL_accept()", SSL_SUCCESS);
wolfSSL 12:0217a9463bc3 5414 return SSL_SUCCESS;
wolfSSL 12:0217a9463bc3 5415
wolfSSL 12:0217a9463bc3 5416 default :
wolfSSL 12:0217a9463bc3 5417 WOLFSSL_MSG("Unknown accept state ERROR");
wolfSSL 12:0217a9463bc3 5418 return SSL_FATAL_ERROR;
wolfSSL 12:0217a9463bc3 5419 }
wolfSSL 12:0217a9463bc3 5420 }
wolfSSL 12:0217a9463bc3 5421
wolfSSL 12:0217a9463bc3 5422
wolfSSL 12:0217a9463bc3 5423 #undef ERROR_OUT
wolfSSL 12:0217a9463bc3 5424
wolfSSL 12:0217a9463bc3 5425 #endif /* WOLFCRYPT_ONLY */
wolfSSL 12:0217a9463bc3 5426
wolfSSL 12:0217a9463bc3 5427 #endif /* WOLFSSL_TLS13 */
wolfSSL 12:0217a9463bc3 5428