wolf SSL
/
wolfSSL-TLS13-Beta
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Embed:
(wiki syntax)
Show/hide line numbers
tls.c
00001 /* tls.c 00002 * 00003 * Copyright (C) 2006-2016 wolfSSL Inc. 00004 * 00005 * This file is part of wolfSSL. 00006 * 00007 * wolfSSL is free software; you can redistribute it and/or modify 00008 * it under the terms of the GNU General Public License as published by 00009 * the Free Software Foundation; either version 2 of the License, or 00010 * (at your option) any later version. 00011 * 00012 * wolfSSL is distributed in the hope that it will be useful, 00013 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00014 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00015 * GNU General Public License for more details. 00016 * 00017 * You should have received a copy of the GNU General Public License 00018 * along with this program; if not, write to the Free Software 00019 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA 00020 */ 00021 00022 00023 00024 #ifdef HAVE_CONFIG_H 00025 #include <config.h> 00026 #endif 00027 00028 #include <wolfssl/wolfcrypt/settings.h> 00029 00030 #ifndef WOLFCRYPT_ONLY 00031 00032 #include <wolfssl/ssl.h> 00033 #include <wolfssl/internal.h> 00034 #include <wolfssl/error-ssl.h> 00035 #include <wolfssl/wolfcrypt/hmac.h> 00036 #ifdef NO_INLINE 00037 #include <wolfssl/wolfcrypt/misc.h> 00038 #else 00039 #define WOLFSSL_MISC_INCLUDED 00040 #include <wolfcrypt/src/misc.c> 00041 #endif 00042 00043 #ifdef HAVE_CURVE25519 00044 #include <wolfssl/wolfcrypt/curve25519.h> 00045 #endif 00046 00047 #ifdef HAVE_NTRU 00048 #include "libntruencrypt/ntru_crypto.h" 00049 #include <wolfssl/wolfcrypt/random.h> 00050 #endif 00051 #ifdef HAVE_QSH 00052 static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key); 00053 static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name); 00054 #endif 00055 #if defined(HAVE_NTRU) || defined(HAVE_QSH) 00056 static int TLSX_CreateNtruKey(WOLFSSL* ssl, int type); 00057 #endif 00058 00059 00060 #ifndef NO_TLS 00061 00062 /* Digest enable checks */ 00063 #ifdef NO_OLD_TLS /* TLS 1.2 only */ 00064 #if defined(NO_SHA256) && !defined(WOLFSSL_SHA384) && \ 00065 !defined(WOLFSSL_SHA512) 00066 #error Must have SHA256, SHA384 or SHA512 enabled for TLS 1.2 00067 #endif 00068 #else /* TLS 1.1 or older */ 00069 #if defined(NO_MD5) && defined(NO_SHA) 00070 #error Must have SHA1 and MD5 enabled for old TLS 00071 #endif 00072 #endif 00073 00074 00075 #ifdef WOLFSSL_SHA384 00076 #define P_HASH_MAX_SIZE SHA384_DIGEST_SIZE 00077 #else 00078 #define P_HASH_MAX_SIZE SHA256_DIGEST_SIZE 00079 #endif 00080 00081 00082 /* compute p_hash for MD5, SHA-1, SHA-256, or SHA-384 for TLSv1 PRF */ 00083 static int p_hash(byte* result, word32 resLen, const byte* secret, 00084 word32 secLen, const byte* seed, word32 seedLen, int hash) 00085 { 00086 word32 len = P_HASH_MAX_SIZE; 00087 word32 times; 00088 word32 lastLen; 00089 word32 lastTime; 00090 word32 i; 00091 word32 idx = 0; 00092 int ret = 0; 00093 #ifdef WOLFSSL_SMALL_STACK 00094 byte* previous; 00095 byte* current; 00096 Hmac* hmac; 00097 #else 00098 byte previous[P_HASH_MAX_SIZE]; /* max size */ 00099 byte current[P_HASH_MAX_SIZE]; /* max size */ 00100 Hmac hmac[1]; 00101 #endif 00102 00103 #ifdef WOLFSSL_SMALL_STACK 00104 previous = (byte*)XMALLOC(P_HASH_MAX_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00105 current = (byte*)XMALLOC(P_HASH_MAX_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00106 hmac = (Hmac*)XMALLOC(sizeof(Hmac), NULL, DYNAMIC_TYPE_TMP_BUFFER); 00107 00108 if (previous == NULL || current == NULL || hmac == NULL) { 00109 if (previous) XFREE(previous, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00110 if (current) XFREE(current, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00111 if (hmac) XFREE(hmac, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00112 00113 return MEMORY_E; 00114 } 00115 #endif 00116 00117 switch (hash) { 00118 #ifndef NO_MD5 00119 case md5_mac: 00120 hash = MD5; 00121 len = MD5_DIGEST_SIZE; 00122 break; 00123 #endif 00124 00125 #ifndef NO_SHA256 00126 case sha256_mac: 00127 hash = SHA256; 00128 len = SHA256_DIGEST_SIZE; 00129 break; 00130 #endif 00131 00132 #ifdef WOLFSSL_SHA384 00133 case sha384_mac: 00134 hash = SHA384; 00135 len = SHA384_DIGEST_SIZE; 00136 break; 00137 #endif 00138 00139 #ifndef NO_SHA 00140 case sha_mac: 00141 default: 00142 hash = SHA; 00143 len = SHA_DIGEST_SIZE; 00144 break; 00145 #endif 00146 } 00147 00148 times = resLen / len; 00149 lastLen = resLen % len; 00150 00151 if (lastLen) 00152 times += 1; 00153 00154 lastTime = times - 1; 00155 00156 ret = wc_HmacInit(hmac, NULL, INVALID_DEVID); 00157 if (ret == 0) { 00158 ret = wc_HmacSetKey(hmac, hash, secret, secLen); 00159 if (ret == 0) 00160 ret = wc_HmacUpdate(hmac, seed, seedLen); /* A0 = seed */ 00161 if (ret == 0) 00162 ret = wc_HmacFinal(hmac, previous); /* A1 */ 00163 if (ret == 0) { 00164 for (i = 0; i < times; i++) { 00165 ret = wc_HmacUpdate(hmac, previous, len); 00166 if (ret != 0) 00167 break; 00168 ret = wc_HmacUpdate(hmac, seed, seedLen); 00169 if (ret != 0) 00170 break; 00171 ret = wc_HmacFinal(hmac, current); 00172 if (ret != 0) 00173 break; 00174 00175 if ((i == lastTime) && lastLen) 00176 XMEMCPY(&result[idx], current, 00177 min(lastLen, P_HASH_MAX_SIZE)); 00178 else { 00179 XMEMCPY(&result[idx], current, len); 00180 idx += len; 00181 ret = wc_HmacUpdate(hmac, previous, len); 00182 if (ret != 0) 00183 break; 00184 ret = wc_HmacFinal(hmac, previous); 00185 if (ret != 0) 00186 break; 00187 } 00188 } 00189 } 00190 wc_HmacFree(hmac); 00191 } 00192 00193 ForceZero(previous, P_HASH_MAX_SIZE); 00194 ForceZero(current, P_HASH_MAX_SIZE); 00195 ForceZero(hmac, sizeof(Hmac)); 00196 00197 #ifdef WOLFSSL_SMALL_STACK 00198 XFREE(previous, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00199 XFREE(current, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00200 XFREE(hmac, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00201 #endif 00202 00203 return ret; 00204 } 00205 00206 #undef P_HASH_MAX_SIZE 00207 00208 00209 #ifndef NO_OLD_TLS 00210 00211 /* calculate XOR for TLSv1 PRF */ 00212 static INLINE void get_xor(byte *digest, word32 digLen, byte* md5, byte* sha) 00213 { 00214 word32 i; 00215 00216 for (i = 0; i < digLen; i++) 00217 digest[i] = md5[i] ^ sha[i]; 00218 } 00219 00220 00221 /* compute TLSv1 PRF (pseudo random function using HMAC) */ 00222 static int doPRF(byte* digest, word32 digLen, const byte* secret,word32 secLen, 00223 const byte* label, word32 labLen, const byte* seed, 00224 word32 seedLen) 00225 { 00226 int ret = 0; 00227 word32 half = (secLen + 1) / 2; 00228 00229 #ifdef WOLFSSL_SMALL_STACK 00230 byte* md5_half; 00231 byte* sha_half; 00232 byte* labelSeed; 00233 byte* md5_result; 00234 byte* sha_result; 00235 #else 00236 byte md5_half[MAX_PRF_HALF]; /* half is real size */ 00237 byte sha_half[MAX_PRF_HALF]; /* half is real size */ 00238 byte labelSeed[MAX_PRF_LABSEED]; /* labLen + seedLen is real size */ 00239 byte md5_result[MAX_PRF_DIG]; /* digLen is real size */ 00240 byte sha_result[MAX_PRF_DIG]; /* digLen is real size */ 00241 #endif 00242 00243 if (half > MAX_PRF_HALF) 00244 return BUFFER_E; 00245 if (labLen + seedLen > MAX_PRF_LABSEED) 00246 return BUFFER_E; 00247 if (digLen > MAX_PRF_DIG) 00248 return BUFFER_E; 00249 00250 #ifdef WOLFSSL_SMALL_STACK 00251 md5_half = (byte*)XMALLOC(MAX_PRF_HALF, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00252 sha_half = (byte*)XMALLOC(MAX_PRF_HALF, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00253 labelSeed = (byte*)XMALLOC(MAX_PRF_LABSEED, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00254 md5_result = (byte*)XMALLOC(MAX_PRF_DIG, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00255 sha_result = (byte*)XMALLOC(MAX_PRF_DIG, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00256 00257 if (md5_half == NULL || sha_half == NULL || labelSeed == NULL || 00258 md5_result == NULL || sha_result == NULL) { 00259 if (md5_half) XFREE(md5_half, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00260 if (sha_half) XFREE(sha_half, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00261 if (labelSeed) XFREE(labelSeed, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00262 if (md5_result) XFREE(md5_result, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00263 if (sha_result) XFREE(sha_result, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00264 00265 return MEMORY_E; 00266 } 00267 #endif 00268 00269 XMEMSET(md5_result, 0, digLen); 00270 XMEMSET(sha_result, 0, digLen); 00271 00272 XMEMCPY(md5_half, secret, half); 00273 XMEMCPY(sha_half, secret + half - secLen % 2, half); 00274 00275 XMEMCPY(labelSeed, label, labLen); 00276 XMEMCPY(labelSeed + labLen, seed, seedLen); 00277 00278 if ((ret = p_hash(md5_result, digLen, md5_half, half, labelSeed, 00279 labLen + seedLen, md5_mac)) == 0) { 00280 if ((ret = p_hash(sha_result, digLen, sha_half, half, labelSeed, 00281 labLen + seedLen, sha_mac)) == 0) { 00282 get_xor(digest, digLen, md5_result, sha_result); 00283 } 00284 } 00285 00286 #ifdef WOLFSSL_SMALL_STACK 00287 XFREE(md5_half, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00288 XFREE(sha_half, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00289 XFREE(labelSeed, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00290 XFREE(md5_result, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00291 XFREE(sha_result, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00292 #endif 00293 00294 return ret; 00295 } 00296 00297 #endif 00298 00299 00300 /* Wrapper to call straight thru to p_hash in TSL 1.2 cases to remove stack 00301 use */ 00302 static int PRF(byte* digest, word32 digLen, const byte* secret, word32 secLen, 00303 const byte* label, word32 labLen, const byte* seed, word32 seedLen, 00304 int useAtLeastSha256, int hash_type) 00305 { 00306 int ret = 0; 00307 00308 if (useAtLeastSha256) { 00309 #ifdef WOLFSSL_SMALL_STACK 00310 byte* labelSeed; 00311 #else 00312 byte labelSeed[MAX_PRF_LABSEED]; /* labLen + seedLen is real size */ 00313 #endif 00314 00315 if (labLen + seedLen > MAX_PRF_LABSEED) 00316 return BUFFER_E; 00317 00318 #ifdef WOLFSSL_SMALL_STACK 00319 labelSeed = (byte*)XMALLOC(MAX_PRF_LABSEED, NULL, 00320 DYNAMIC_TYPE_TMP_BUFFER); 00321 if (labelSeed == NULL) 00322 return MEMORY_E; 00323 #endif 00324 00325 XMEMCPY(labelSeed, label, labLen); 00326 XMEMCPY(labelSeed + labLen, seed, seedLen); 00327 00328 /* If a cipher suite wants an algorithm better than sha256, it 00329 * should use better. */ 00330 if (hash_type < sha256_mac || hash_type == blake2b_mac) 00331 hash_type = sha256_mac; 00332 ret = p_hash(digest, digLen, secret, secLen, labelSeed, 00333 labLen + seedLen, hash_type); 00334 00335 #ifdef WOLFSSL_SMALL_STACK 00336 XFREE(labelSeed, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00337 #endif 00338 } 00339 #ifndef NO_OLD_TLS 00340 else { 00341 ret = doPRF(digest, digLen, secret, secLen, label, labLen, seed, 00342 seedLen); 00343 } 00344 #endif 00345 00346 return ret; 00347 } 00348 00349 #ifdef WOLFSSL_SHA384 00350 #define HSHASH_SZ SHA384_DIGEST_SIZE 00351 #else 00352 #define HSHASH_SZ FINISHED_SZ 00353 #endif 00354 00355 00356 int BuildTlsHandshakeHash(WOLFSSL* ssl, byte* hash, word32* hashLen) 00357 { 00358 word32 hashSz = FINISHED_SZ; 00359 00360 if (ssl == NULL || hash == NULL || hashLen == NULL || *hashLen < HSHASH_SZ) 00361 return BAD_FUNC_ARG; 00362 00363 #ifndef NO_OLD_TLS 00364 wc_Md5GetHash(&ssl->hsHashes->hashMd5, hash); 00365 wc_ShaGetHash(&ssl->hsHashes->hashSha, &hash[MD5_DIGEST_SIZE]); 00366 #endif 00367 00368 if (IsAtLeastTLSv1_2(ssl)) { 00369 #ifndef NO_SHA256 00370 if (ssl->specs.mac_algorithm <= sha256_mac || 00371 ssl->specs.mac_algorithm == blake2b_mac) { 00372 int ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash); 00373 00374 if (ret != 0) 00375 return ret; 00376 00377 hashSz = SHA256_DIGEST_SIZE; 00378 } 00379 #endif 00380 #ifdef WOLFSSL_SHA384 00381 if (ssl->specs.mac_algorithm == sha384_mac) { 00382 int ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash); 00383 00384 if (ret != 0) 00385 return ret; 00386 00387 hashSz = SHA384_DIGEST_SIZE; 00388 } 00389 #endif 00390 } 00391 00392 *hashLen = hashSz; 00393 00394 return 0; 00395 } 00396 00397 00398 int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) 00399 { 00400 int ret; 00401 const byte* side; 00402 byte* handshake_hash; 00403 word32 hashSz = HSHASH_SZ; 00404 00405 /* using allocate here to allow async hardware to use buffer directly */ 00406 handshake_hash = (byte*)XMALLOC(hashSz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); 00407 if (handshake_hash == NULL) 00408 return MEMORY_E; 00409 00410 ret = BuildTlsHandshakeHash(ssl, handshake_hash, &hashSz); 00411 if (ret == 0) { 00412 if ( XSTRNCMP((const char*)sender, (const char*)client, SIZEOF_SENDER) == 0) 00413 side = tls_client; 00414 else 00415 side = tls_server; 00416 00417 ret = PRF((byte*)hashes, TLS_FINISHED_SZ, ssl->arrays->masterSecret, 00418 SECRET_LEN, side, FINISHED_LABEL_SZ, handshake_hash, hashSz, 00419 IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm); 00420 } 00421 00422 XFREE(handshake_hash, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); 00423 00424 return ret; 00425 } 00426 00427 00428 #ifndef NO_OLD_TLS 00429 00430 ProtocolVersion MakeTLSv1(void) 00431 { 00432 ProtocolVersion pv; 00433 pv.major = SSLv3_MAJOR; 00434 pv.minor = TLSv1_MINOR; 00435 00436 return pv; 00437 } 00438 00439 00440 ProtocolVersion MakeTLSv1_1(void) 00441 { 00442 ProtocolVersion pv; 00443 pv.major = SSLv3_MAJOR; 00444 pv.minor = TLSv1_1_MINOR; 00445 00446 return pv; 00447 } 00448 00449 #endif 00450 00451 00452 ProtocolVersion MakeTLSv1_2(void) 00453 { 00454 ProtocolVersion pv; 00455 pv.major = SSLv3_MAJOR; 00456 pv.minor = TLSv1_2_MINOR; 00457 00458 return pv; 00459 } 00460 00461 #ifdef WOLFSSL_TLS13 00462 /* The TLS v1.3 protocol version. 00463 * 00464 * returns the protocol version data for TLS v1.3. 00465 */ 00466 ProtocolVersion MakeTLSv1_3(void) 00467 { 00468 ProtocolVersion pv; 00469 pv.major = SSLv3_MAJOR; 00470 pv.minor = TLSv1_3_MINOR; 00471 00472 return pv; 00473 } 00474 #endif 00475 00476 00477 #ifdef HAVE_EXTENDED_MASTER 00478 static const byte ext_master_label[EXT_MASTER_LABEL_SZ + 1] = 00479 "extended master secret"; 00480 #endif 00481 static const byte master_label[MASTER_LABEL_SZ + 1] = "master secret"; 00482 static const byte key_label [KEY_LABEL_SZ + 1] = "key expansion"; 00483 00484 00485 /* External facing wrapper so user can call as well, 0 on success */ 00486 int wolfSSL_DeriveTlsKeys(byte* key_data, word32 keyLen, 00487 const byte* ms, word32 msLen, 00488 const byte* sr, const byte* cr, 00489 int tls1_2, int hash_type) 00490 { 00491 byte seed[SEED_LEN]; 00492 00493 XMEMCPY(seed, sr, RAN_LEN); 00494 XMEMCPY(seed + RAN_LEN, cr, RAN_LEN); 00495 00496 return PRF(key_data, keyLen, ms, msLen, key_label, KEY_LABEL_SZ, 00497 seed, SEED_LEN, tls1_2, hash_type); 00498 } 00499 00500 00501 int DeriveTlsKeys(WOLFSSL* ssl) 00502 { 00503 int ret; 00504 int length = 2 * ssl->specs.hash_size + 00505 2 * ssl->specs.key_size + 00506 2 * ssl->specs.iv_size; 00507 #ifdef WOLFSSL_SMALL_STACK 00508 byte* key_data; 00509 #else 00510 byte key_data[MAX_PRF_DIG]; 00511 #endif 00512 00513 #ifdef WOLFSSL_SMALL_STACK 00514 key_data = (byte*)XMALLOC(MAX_PRF_DIG, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00515 if (key_data == NULL) { 00516 return MEMORY_E; 00517 } 00518 #endif 00519 00520 ret = wolfSSL_DeriveTlsKeys(key_data, length, 00521 ssl->arrays->masterSecret, SECRET_LEN, 00522 ssl->arrays->serverRandom, ssl->arrays->clientRandom, 00523 IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm); 00524 if (ret == 0) 00525 ret = StoreKeys(ssl, key_data); 00526 00527 #ifdef WOLFSSL_SMALL_STACK 00528 XFREE(key_data, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00529 #endif 00530 00531 return ret; 00532 } 00533 00534 00535 /* External facing wrapper so user can call as well, 0 on success */ 00536 int wolfSSL_MakeTlsMasterSecret(byte* ms, word32 msLen, 00537 const byte* pms, word32 pmsLen, 00538 const byte* cr, const byte* sr, 00539 int tls1_2, int hash_type) 00540 { 00541 byte seed[SEED_LEN]; 00542 00543 XMEMCPY(seed, cr, RAN_LEN); 00544 XMEMCPY(seed + RAN_LEN, sr, RAN_LEN); 00545 00546 return PRF(ms, msLen, pms, pmsLen, master_label, MASTER_LABEL_SZ, 00547 seed, SEED_LEN, tls1_2, hash_type); 00548 } 00549 00550 00551 #ifdef HAVE_EXTENDED_MASTER 00552 00553 /* External facing wrapper so user can call as well, 0 on success */ 00554 int wolfSSL_MakeTlsExtendedMasterSecret(byte* ms, word32 msLen, 00555 const byte* pms, word32 pmsLen, 00556 const byte* sHash, word32 sHashLen, 00557 int tls1_2, int hash_type) 00558 { 00559 return PRF(ms, msLen, pms, pmsLen, ext_master_label, EXT_MASTER_LABEL_SZ, 00560 sHash, sHashLen, tls1_2, hash_type); 00561 } 00562 00563 #endif /* HAVE_EXTENDED_MASTER */ 00564 00565 00566 int MakeTlsMasterSecret(WOLFSSL* ssl) 00567 { 00568 int ret; 00569 #ifdef HAVE_EXTENDED_MASTER 00570 if (ssl->options.haveEMS) { 00571 byte* handshake_hash; 00572 word32 hashSz = HSHASH_SZ; 00573 00574 handshake_hash = (byte*)XMALLOC(HSHASH_SZ, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); 00575 if (handshake_hash == NULL) 00576 return MEMORY_E; 00577 00578 ret = BuildTlsHandshakeHash(ssl, handshake_hash, &hashSz); 00579 if (ret < 0) { 00580 XFREE(handshake_hash, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); 00581 return ret; 00582 } 00583 00584 ret = wolfSSL_MakeTlsExtendedMasterSecret( 00585 ssl->arrays->masterSecret, SECRET_LEN, 00586 ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz, 00587 handshake_hash, hashSz, 00588 IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm); 00589 00590 XFREE(handshake_hash, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); 00591 } else 00592 #endif 00593 ret = wolfSSL_MakeTlsMasterSecret(ssl->arrays->masterSecret, SECRET_LEN, 00594 ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz, 00595 ssl->arrays->clientRandom, ssl->arrays->serverRandom, 00596 IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm); 00597 00598 if (ret == 0) { 00599 #ifdef SHOW_SECRETS 00600 int i; 00601 00602 printf("master secret: "); 00603 for (i = 0; i < SECRET_LEN; i++) 00604 printf("%02x", ssl->arrays->masterSecret[i]); 00605 printf("\n"); 00606 #endif 00607 00608 ret = DeriveTlsKeys(ssl); 00609 } 00610 00611 return ret; 00612 } 00613 00614 00615 /* Used by EAP-TLS and EAP-TTLS to derive keying material from 00616 * the master_secret. */ 00617 int wolfSSL_make_eap_keys(WOLFSSL* ssl, void* msk, unsigned int len, 00618 const char* label) 00619 { 00620 int ret; 00621 #ifdef WOLFSSL_SMALL_STACK 00622 byte* seed; 00623 #else 00624 byte seed[SEED_LEN]; 00625 #endif 00626 00627 #ifdef WOLFSSL_SMALL_STACK 00628 seed = (byte*)XMALLOC(SEED_LEN, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00629 if (seed == NULL) 00630 return MEMORY_E; 00631 #endif 00632 00633 /* 00634 * As per RFC-5281, the order of the client and server randoms is reversed 00635 * from that used by the TLS protocol to derive keys. 00636 */ 00637 XMEMCPY(seed, ssl->arrays->clientRandom, RAN_LEN); 00638 XMEMCPY(seed + RAN_LEN, ssl->arrays->serverRandom, RAN_LEN); 00639 00640 ret = PRF((byte*)msk, len, ssl->arrays->masterSecret, SECRET_LEN, 00641 (const byte *)label, (word32)XSTRLEN(label), seed, SEED_LEN, 00642 IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm); 00643 00644 #ifdef WOLFSSL_SMALL_STACK 00645 XFREE(seed, NULL, DYNAMIC_TYPE_TMP_BUFFER); 00646 #endif 00647 00648 return ret; 00649 } 00650 00651 00652 /*** next for static INLINE s copied internal.c ***/ 00653 00654 /* convert 16 bit integer to opaque */ 00655 static INLINE void c16toa(word16 u16, byte* c) 00656 { 00657 c[0] = (u16 >> 8) & 0xff; 00658 c[1] = u16 & 0xff; 00659 } 00660 00661 #ifdef HAVE_TLS_EXTENSIONS 00662 /* convert opaque to 16 bit integer */ 00663 static INLINE void ato16(const byte* c, word16* u16) 00664 { 00665 *u16 = (c[0] << 8) | (c[1]); 00666 } 00667 00668 #if defined(HAVE_SNI) && !defined(NO_WOLFSSL_SERVER) 00669 /* convert a 24 bit integer into a 32 bit one */ 00670 static INLINE void c24to32(const word24 u24, word32* u32) 00671 { 00672 *u32 = (u24[0] << 16) | (u24[1] << 8) | u24[2]; 00673 } 00674 #endif 00675 00676 #if defined(WOLFSSL_TLS13) && !defined(NO_PSK) 00677 /* Convert opaque data to a 32-bit unsigned integer. 00678 * 00679 * c The opaque data holding a 32-bit integer. 00680 * u32 The 32-bit unsigned integer. 00681 */ 00682 static INLINE void ato32(const byte* c, word32* u32) 00683 { 00684 *u32 = (c[0] << 24) | (c[1] << 16) | (c[2] << 8) | c[3]; 00685 } 00686 #endif 00687 #endif /* HAVE_TLS_EXTENSIONS */ 00688 00689 /* convert 32 bit integer to opaque */ 00690 static INLINE void c32toa(word32 u32, byte* c) 00691 { 00692 c[0] = (u32 >> 24) & 0xff; 00693 c[1] = (u32 >> 16) & 0xff; 00694 c[2] = (u32 >> 8) & 0xff; 00695 c[3] = u32 & 0xff; 00696 } 00697 00698 00699 static INLINE void GetSEQIncrement(WOLFSSL* ssl, int verify, word32 seq[2]) 00700 { 00701 if (verify) { 00702 seq[0] = ssl->keys.peer_sequence_number_hi; 00703 seq[1] = ssl->keys.peer_sequence_number_lo++; 00704 if (seq[1] > ssl->keys.peer_sequence_number_lo) { 00705 /* handle rollover */ 00706 ssl->keys.peer_sequence_number_hi++; 00707 } 00708 } 00709 else { 00710 seq[0] = ssl->keys.sequence_number_hi; 00711 seq[1] = ssl->keys.sequence_number_lo++; 00712 if (seq[1] > ssl->keys.sequence_number_lo) { 00713 /* handle rollover */ 00714 ssl->keys.sequence_number_hi++; 00715 } 00716 } 00717 } 00718 00719 00720 #ifdef WOLFSSL_DTLS 00721 static INLINE void DtlsGetSEQ(WOLFSSL* ssl, int order, word32 seq[2]) 00722 { 00723 if (order == PREV_ORDER) { 00724 /* Previous epoch case */ 00725 seq[0] = ((ssl->keys.dtls_epoch - 1) << 16) | 00726 (ssl->keys.dtls_prev_sequence_number_hi & 0xFFFF); 00727 seq[1] = ssl->keys.dtls_prev_sequence_number_lo; 00728 } 00729 else if (order == PEER_ORDER) { 00730 seq[0] = (ssl->keys.curEpoch << 16) | 00731 (ssl->keys.curSeq_hi & 0xFFFF); 00732 seq[1] = ssl->keys.curSeq_lo; /* explicit from peer */ 00733 } 00734 else { 00735 seq[0] = (ssl->keys.dtls_epoch << 16) | 00736 (ssl->keys.dtls_sequence_number_hi & 0xFFFF); 00737 seq[1] = ssl->keys.dtls_sequence_number_lo; 00738 } 00739 } 00740 #endif /* WOLFSSL_DTLS */ 00741 00742 00743 static INLINE void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out) 00744 { 00745 word32 seq[2] = {0, 0}; 00746 00747 if (!ssl->options.dtls) { 00748 GetSEQIncrement(ssl, verifyOrder, seq); 00749 } 00750 else { 00751 #ifdef WOLFSSL_DTLS 00752 DtlsGetSEQ(ssl, verifyOrder, seq); 00753 #endif 00754 } 00755 00756 c32toa(seq[0], out); 00757 c32toa(seq[1], out + OPAQUE32_LEN); 00758 } 00759 00760 00761 /*** end copy ***/ 00762 00763 00764 /* return HMAC digest type in wolfSSL format */ 00765 int wolfSSL_GetHmacType(WOLFSSL* ssl) 00766 { 00767 if (ssl == NULL) 00768 return BAD_FUNC_ARG; 00769 00770 switch (ssl->specs.mac_algorithm) { 00771 #ifndef NO_MD5 00772 case md5_mac: 00773 { 00774 return MD5; 00775 } 00776 #endif 00777 #ifndef NO_SHA256 00778 case sha256_mac: 00779 { 00780 return SHA256; 00781 } 00782 #endif 00783 #ifdef WOLFSSL_SHA384 00784 case sha384_mac: 00785 { 00786 return SHA384; 00787 } 00788 00789 #endif 00790 #ifndef NO_SHA 00791 case sha_mac: 00792 { 00793 return SHA; 00794 } 00795 #endif 00796 #ifdef HAVE_BLAKE2 00797 case blake2b_mac: 00798 { 00799 return BLAKE2B_ID; 00800 } 00801 #endif 00802 default: 00803 { 00804 return SSL_FATAL_ERROR; 00805 } 00806 } 00807 } 00808 00809 00810 int wolfSSL_SetTlsHmacInner(WOLFSSL* ssl, byte* inner, word32 sz, int content, 00811 int verify) 00812 { 00813 if (ssl == NULL || inner == NULL) 00814 return BAD_FUNC_ARG; 00815 00816 XMEMSET(inner, 0, WOLFSSL_TLS_HMAC_INNER_SZ); 00817 00818 WriteSEQ(ssl, verify, inner); 00819 inner[SEQ_SZ] = (byte)content; 00820 inner[SEQ_SZ + ENUM_LEN] = ssl->version.major; 00821 inner[SEQ_SZ + ENUM_LEN + ENUM_LEN] = ssl->version.minor; 00822 c16toa((word16)sz, inner + SEQ_SZ + ENUM_LEN + VERSION_SZ); 00823 00824 return 0; 00825 } 00826 00827 00828 /* TLS type HMAC */ 00829 int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, 00830 int content, int verify) 00831 { 00832 Hmac hmac; 00833 int ret = 0; 00834 byte myInner[WOLFSSL_TLS_HMAC_INNER_SZ]; 00835 00836 if (ssl == NULL) 00837 return BAD_FUNC_ARG; 00838 00839 #ifdef HAVE_FUZZER 00840 if (ssl->fuzzerCb) 00841 ssl->fuzzerCb(ssl, in, sz, FUZZ_HMAC, ssl->fuzzerCtx); 00842 #endif 00843 00844 wolfSSL_SetTlsHmacInner(ssl, myInner, sz, content, verify); 00845 00846 ret = wc_HmacInit(&hmac, NULL, ssl->devId); 00847 if (ret != 0) 00848 return ret; 00849 00850 ret = wc_HmacSetKey(&hmac, wolfSSL_GetHmacType(ssl), 00851 wolfSSL_GetMacSecret(ssl, verify), ssl->specs.hash_size); 00852 if (ret == 0) { 00853 ret = wc_HmacUpdate(&hmac, myInner, sizeof(myInner)); 00854 if (ret == 0) 00855 ret = wc_HmacUpdate(&hmac, in, sz); /* content */ 00856 if (ret == 0) 00857 ret = wc_HmacFinal(&hmac, digest); 00858 } 00859 wc_HmacFree(&hmac); 00860 00861 return ret; 00862 } 00863 00864 #ifdef HAVE_TLS_EXTENSIONS 00865 00866 /** 00867 * The TLSX semaphore is used to calculate the size of the extensions to be sent 00868 * from one peer to another. 00869 */ 00870 00871 /** Supports up to 64 flags. Increase as needed. */ 00872 #define SEMAPHORE_SIZE 8 00873 00874 /** 00875 * Converts the extension type (id) to an index in the semaphore. 00876 * 00877 * Oficial reference for TLS extension types: 00878 * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xml 00879 * 00880 * Motivation: 00881 * Previously, we used the extension type itself as the index of that 00882 * extension in the semaphore as the extension types were declared 00883 * sequentially, but maintain a semaphore as big as the number of available 00884 * extensions is no longer an option since the release of renegotiation_info. 00885 * 00886 * How to update: 00887 * Assign extension types that extrapolate the number of available semaphores 00888 * to the first available index going backwards in the semaphore array. 00889 * When adding a new extension type that don't extrapolate the number of 00890 * available semaphores, check for a possible collision with with a 00891 * 'remapped' extension type. 00892 */ 00893 static INLINE word16 TLSX_ToSemaphore(word16 type) 00894 { 00895 switch (type) { 00896 00897 case TLSX_RENEGOTIATION_INFO: /* 0xFF01 */ 00898 return 63; 00899 00900 default: 00901 if (type > 62) { 00902 /* This message SHOULD only happens during the adding of 00903 new TLS extensions in which its IANA number overflows 00904 the current semaphore's range, or if its number already 00905 is assigned to be used by another extension. 00906 Use this check value for the new extension and decrement 00907 the check value by one. */ 00908 WOLFSSL_MSG("### TLSX semaphore colision or overflow detected!"); 00909 } 00910 } 00911 00912 return type; 00913 } 00914 00915 /** Checks if a specific light (tls extension) is not set in the semaphore. */ 00916 #define IS_OFF(semaphore, light) \ 00917 (!(((semaphore)[(light) / 8] & (byte) (0x01 << ((light) % 8))))) 00918 00919 /** Turn on a specific light (tls extension) in the semaphore. */ 00920 #define TURN_ON(semaphore, light) \ 00921 ((semaphore)[(light) / 8] |= (byte) (0x01 << ((light) % 8))) 00922 00923 /** Turn off a specific light (tls extension) in the semaphore. */ 00924 #define TURN_OFF(semaphore, light) \ 00925 ((semaphore)[(light) / 8] &= (byte) ~(0x01 << ((light) % 8))) 00926 00927 /** Creates a new extension. */ 00928 static TLSX* TLSX_New(TLSX_Type type, void* data, void* heap) 00929 { 00930 TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), heap, DYNAMIC_TYPE_TLSX); 00931 00932 if (extension) { 00933 extension->type = type; 00934 extension->data = data; 00935 extension->resp = 0; 00936 extension->next = NULL; 00937 } 00938 00939 return extension; 00940 } 00941 00942 /** 00943 * Creates a new extension and pushes it to the provided list. 00944 * Checks for duplicate extensions, keeps the newest. 00945 */ 00946 static int TLSX_Push(TLSX** list, TLSX_Type type, void* data, void* heap) 00947 { 00948 TLSX* extension = TLSX_New(type, data, heap); 00949 00950 if (extension == NULL) 00951 return MEMORY_E; 00952 00953 /* pushes the new extension on the list. */ 00954 extension->next = *list; 00955 *list = extension; 00956 00957 /* remove duplicate extensions, there should be only one of each type. */ 00958 do { 00959 if (extension->next && extension->next->type == type) { 00960 TLSX *next = extension->next; 00961 00962 extension->next = next->next; 00963 next->next = NULL; 00964 00965 TLSX_FreeAll(next, heap); 00966 00967 /* there is no way to occur more than */ 00968 /* two extensions of the same type. */ 00969 break; 00970 } 00971 } while ((extension = extension->next)); 00972 00973 return 0; 00974 } 00975 00976 #ifndef NO_WOLFSSL_SERVER 00977 00978 /** Mark an extension to be sent back to the client. */ 00979 void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type); 00980 00981 void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type) 00982 { 00983 TLSX *ext = TLSX_Find(ssl->extensions, type); 00984 00985 if (ext) 00986 ext->resp = 1; 00987 } 00988 00989 #endif 00990 00991 /******************************************************************************/ 00992 /* Application-Layer Protocol Negotiation */ 00993 /******************************************************************************/ 00994 00995 #ifdef HAVE_ALPN 00996 /** Creates a new ALPN object, providing protocol name to use. */ 00997 static ALPN* TLSX_ALPN_New(char *protocol_name, word16 protocol_nameSz, 00998 void* heap) 00999 { 01000 ALPN *alpn; 01001 01002 WOLFSSL_ENTER("TLSX_ALPN_New"); 01003 01004 if (protocol_name == NULL || 01005 protocol_nameSz > WOLFSSL_MAX_ALPN_PROTO_NAME_LEN) { 01006 WOLFSSL_MSG("Invalid arguments"); 01007 return NULL; 01008 } 01009 01010 alpn = (ALPN*)XMALLOC(sizeof(ALPN), heap, DYNAMIC_TYPE_TLSX); 01011 if (alpn == NULL) { 01012 WOLFSSL_MSG("Memory failure"); 01013 return NULL; 01014 } 01015 01016 alpn->next = NULL; 01017 alpn->negotiated = 0; 01018 alpn->options = 0; 01019 01020 alpn->protocol_name = (char*)XMALLOC(protocol_nameSz + 1, 01021 heap, DYNAMIC_TYPE_TLSX); 01022 if (alpn->protocol_name == NULL) { 01023 WOLFSSL_MSG("Memory failure"); 01024 XFREE(alpn, heap, DYNAMIC_TYPE_TLSX); 01025 return NULL; 01026 } 01027 01028 XMEMCPY(alpn->protocol_name, protocol_name, protocol_nameSz); 01029 alpn->protocol_name[protocol_nameSz] = 0; 01030 01031 return alpn; 01032 } 01033 01034 /** Releases an ALPN object. */ 01035 static void TLSX_ALPN_Free(ALPN *alpn, void* heap) 01036 { 01037 (void)heap; 01038 01039 if (alpn == NULL) 01040 return; 01041 01042 XFREE(alpn->protocol_name, heap, DYNAMIC_TYPE_TLSX); 01043 XFREE(alpn, heap, DYNAMIC_TYPE_TLSX); 01044 } 01045 01046 /** Releases all ALPN objects in the provided list. */ 01047 static void TLSX_ALPN_FreeAll(ALPN *list, void* heap) 01048 { 01049 ALPN* alpn; 01050 01051 while ((alpn = list)) { 01052 list = alpn->next; 01053 TLSX_ALPN_Free(alpn, heap); 01054 } 01055 } 01056 01057 /** Tells the buffered size of the ALPN objects in a list. */ 01058 static word16 TLSX_ALPN_GetSize(ALPN *list) 01059 { 01060 ALPN* alpn; 01061 word16 length = OPAQUE16_LEN; /* list length */ 01062 01063 while ((alpn = list)) { 01064 list = alpn->next; 01065 01066 length++; /* protocol name length is on one byte */ 01067 length += (word16)XSTRLEN(alpn->protocol_name); 01068 } 01069 01070 return length; 01071 } 01072 01073 /** Writes the ALPN objects of a list in a buffer. */ 01074 static word16 TLSX_ALPN_Write(ALPN *list, byte *output) 01075 { 01076 ALPN* alpn; 01077 word16 length = 0; 01078 word16 offset = OPAQUE16_LEN; /* list length offset */ 01079 01080 while ((alpn = list)) { 01081 list = alpn->next; 01082 01083 length = (word16)XSTRLEN(alpn->protocol_name); 01084 01085 /* protocol name length */ 01086 output[offset++] = (byte)length; 01087 01088 /* protocol name value */ 01089 XMEMCPY(output + offset, alpn->protocol_name, length); 01090 01091 offset += length; 01092 } 01093 01094 /* writing list length */ 01095 c16toa(offset - OPAQUE16_LEN, output); 01096 01097 return offset; 01098 } 01099 01100 /** Finds a protocol name in the provided ALPN list */ 01101 static ALPN* TLSX_ALPN_Find(ALPN *list, char *protocol_name, word16 size) 01102 { 01103 ALPN *alpn; 01104 01105 if (list == NULL || protocol_name == NULL) 01106 return NULL; 01107 01108 alpn = list; 01109 while (alpn != NULL && ( 01110 (word16)XSTRLEN(alpn->protocol_name) != size || 01111 XSTRNCMP(alpn->protocol_name, protocol_name, size))) 01112 alpn = alpn->next; 01113 01114 return alpn; 01115 } 01116 01117 /** Set the ALPN matching client and server requirements */ 01118 static int TLSX_SetALPN(TLSX** extensions, const void* data, word16 size, 01119 void* heap) 01120 { 01121 ALPN *alpn; 01122 int ret; 01123 01124 if (extensions == NULL || data == NULL) 01125 return BAD_FUNC_ARG; 01126 01127 alpn = TLSX_ALPN_New((char *)data, size, heap); 01128 if (alpn == NULL) { 01129 WOLFSSL_MSG("Memory failure"); 01130 return MEMORY_E; 01131 } 01132 01133 alpn->negotiated = 1; 01134 01135 ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL, (void*)alpn, 01136 heap); 01137 if (ret != 0) { 01138 TLSX_ALPN_Free(alpn, heap); 01139 return ret; 01140 } 01141 01142 return SSL_SUCCESS; 01143 } 01144 01145 /** Parses a buffer of ALPN extensions and set the first one matching 01146 * client and server requirements */ 01147 static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length, 01148 byte isRequest) 01149 { 01150 word16 size = 0, offset = 0, idx = 0; 01151 int r = BUFFER_ERROR; 01152 byte match = 0; 01153 TLSX *extension; 01154 ALPN *alpn = NULL, *list; 01155 01156 if (OPAQUE16_LEN > length) 01157 return BUFFER_ERROR; 01158 01159 ato16(input, &size); 01160 offset += OPAQUE16_LEN; 01161 01162 extension = TLSX_Find(ssl->extensions, TLSX_APPLICATION_LAYER_PROTOCOL); 01163 if (extension == NULL) 01164 extension = TLSX_Find(ssl->ctx->extensions, 01165 TLSX_APPLICATION_LAYER_PROTOCOL); 01166 01167 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) 01168 if (ssl->alpnSelect != NULL) { 01169 const byte* out; 01170 unsigned char outLen; 01171 01172 if (ssl->alpnSelect(ssl, &out, &outLen, input + offset, size, 01173 ssl->alpnSelectArg) == 0) { 01174 WOLFSSL_MSG("ALPN protocol match"); 01175 if (TLSX_UseALPN(&ssl->extensions, (char*)out, outLen, 0, ssl->heap) 01176 == SSL_SUCCESS) { 01177 if (extension == NULL) { 01178 extension = TLSX_Find(ssl->extensions, 01179 TLSX_APPLICATION_LAYER_PROTOCOL); 01180 } 01181 } 01182 } 01183 } 01184 #endif 01185 01186 if (extension == NULL || extension->data == NULL) { 01187 WOLFSSL_MSG("No ALPN extensions not used or bad"); 01188 return isRequest ? 0 /* not using ALPN */ 01189 : BUFFER_ERROR; /* unexpected ALPN response */ 01190 } 01191 01192 /* validating alpn list length */ 01193 if (length != OPAQUE16_LEN + size) 01194 return BUFFER_ERROR; 01195 01196 list = (ALPN*)extension->data; 01197 01198 /* keep the list sent by client */ 01199 if (isRequest) { 01200 if (ssl->alpn_client_list != NULL) 01201 XFREE(ssl->alpn_client_list, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); 01202 01203 ssl->alpn_client_list = (char *)XMALLOC(size, ssl->heap, 01204 DYNAMIC_TYPE_TMP_BUFFER); 01205 if (ssl->alpn_client_list == NULL) 01206 return MEMORY_ERROR; 01207 } 01208 01209 for (size = 0; offset < length; offset += size) { 01210 01211 size = input[offset++]; 01212 if (offset + size > length) 01213 return BUFFER_ERROR; 01214 01215 if (isRequest) { 01216 XMEMCPY(ssl->alpn_client_list+idx, (char*)input + offset, size); 01217 idx += size; 01218 ssl->alpn_client_list[idx++] = ','; 01219 } 01220 01221 if (!match) { 01222 alpn = TLSX_ALPN_Find(list, (char*)input + offset, size); 01223 if (alpn != NULL) { 01224 WOLFSSL_MSG("ALPN protocol match"); 01225 match = 1; 01226 01227 /* skip reading other values if not required */ 01228 if (!isRequest) 01229 break; 01230 } 01231 } 01232 } 01233 01234 if (isRequest) 01235 ssl->alpn_client_list[idx-1] = 0; 01236 01237 if (!match) { 01238 WOLFSSL_MSG("No ALPN protocol match"); 01239 01240 /* do nothing if no protocol match between client and server and option 01241 is set to continue (like OpenSSL) */ 01242 if (list->options & WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) { 01243 WOLFSSL_MSG("Continue on mismatch"); 01244 return 0; 01245 } 01246 01247 SendAlert(ssl, alert_fatal, no_application_protocol); 01248 return UNKNOWN_ALPN_PROTOCOL_NAME_E; 01249 } 01250 01251 /* set the matching negotiated protocol */ 01252 r = TLSX_SetALPN(&ssl->extensions, 01253 alpn->protocol_name, 01254 (word16)XSTRLEN(alpn->protocol_name), 01255 ssl->heap); 01256 if (r != SSL_SUCCESS) { 01257 WOLFSSL_MSG("TLSX_UseALPN failed"); 01258 return BUFFER_ERROR; 01259 } 01260 01261 /* reply to ALPN extension sent from client */ 01262 if (isRequest) { 01263 #ifndef NO_WOLFSSL_SERVER 01264 TLSX_SetResponse(ssl, TLSX_APPLICATION_LAYER_PROTOCOL); 01265 #endif 01266 } 01267 01268 return 0; 01269 } 01270 01271 /** Add a protocol name to the list of accepted usable ones */ 01272 int TLSX_UseALPN(TLSX** extensions, const void* data, word16 size, byte options, 01273 void* heap) 01274 { 01275 ALPN *alpn; 01276 TLSX *extension; 01277 int ret; 01278 01279 if (extensions == NULL || data == NULL) 01280 return BAD_FUNC_ARG; 01281 01282 alpn = TLSX_ALPN_New((char *)data, size, heap); 01283 if (alpn == NULL) { 01284 WOLFSSL_MSG("Memory failure"); 01285 return MEMORY_E; 01286 } 01287 01288 /* Set Options of ALPN */ 01289 alpn->options = options; 01290 01291 extension = TLSX_Find(*extensions, TLSX_APPLICATION_LAYER_PROTOCOL); 01292 if (extension == NULL) { 01293 ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL, 01294 (void*)alpn, heap); 01295 if (ret != 0) { 01296 TLSX_ALPN_Free(alpn, heap); 01297 return ret; 01298 } 01299 } 01300 else { 01301 /* push new ALPN object to extension data. */ 01302 alpn->next = (ALPN*)extension->data; 01303 extension->data = (void*)alpn; 01304 } 01305 01306 return SSL_SUCCESS; 01307 } 01308 01309 /** Get the protocol name set by the server */ 01310 int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz) 01311 { 01312 TLSX *extension; 01313 ALPN *alpn; 01314 01315 if (extensions == NULL || data == NULL || dataSz == NULL) 01316 return BAD_FUNC_ARG; 01317 01318 extension = TLSX_Find(extensions, TLSX_APPLICATION_LAYER_PROTOCOL); 01319 if (extension == NULL) { 01320 WOLFSSL_MSG("TLS extension not found"); 01321 return SSL_ALPN_NOT_FOUND; 01322 } 01323 01324 alpn = (ALPN *)extension->data; 01325 if (alpn == NULL) { 01326 WOLFSSL_MSG("ALPN extension not found"); 01327 *data = NULL; 01328 *dataSz = 0; 01329 return SSL_FATAL_ERROR; 01330 } 01331 01332 if (alpn->negotiated != 1) { 01333 01334 /* consider as an error */ 01335 if (alpn->options & WOLFSSL_ALPN_FAILED_ON_MISMATCH) { 01336 WOLFSSL_MSG("No protocol match with peer -> Failed"); 01337 return SSL_FATAL_ERROR; 01338 } 01339 01340 /* continue without negotiated protocol */ 01341 WOLFSSL_MSG("No protocol match with peer -> Continue"); 01342 return SSL_ALPN_NOT_FOUND; 01343 } 01344 01345 if (alpn->next != NULL) { 01346 WOLFSSL_MSG("Only one protocol name must be accepted"); 01347 return SSL_FATAL_ERROR; 01348 } 01349 01350 *data = alpn->protocol_name; 01351 *dataSz = (word16)XSTRLEN((char*)*data); 01352 01353 return SSL_SUCCESS; 01354 } 01355 01356 #define ALPN_FREE_ALL TLSX_ALPN_FreeAll 01357 #define ALPN_GET_SIZE TLSX_ALPN_GetSize 01358 #define ALPN_WRITE TLSX_ALPN_Write 01359 #define ALPN_PARSE TLSX_ALPN_ParseAndSet 01360 01361 #else /* HAVE_ALPN */ 01362 01363 #define ALPN_FREE_ALL(list, heap) 01364 #define ALPN_GET_SIZE(list) 0 01365 #define ALPN_WRITE(a, b) 0 01366 #define ALPN_PARSE(a, b, c, d) 0 01367 01368 #endif /* HAVE_ALPN */ 01369 01370 /******************************************************************************/ 01371 /* Server Name Indication */ 01372 /******************************************************************************/ 01373 01374 #ifdef HAVE_SNI 01375 01376 /** Creates a new SNI object. */ 01377 static SNI* TLSX_SNI_New(byte type, const void* data, word16 size, void* heap) 01378 { 01379 SNI* sni = (SNI*)XMALLOC(sizeof(SNI), heap, DYNAMIC_TYPE_TLSX); 01380 01381 if (sni) { 01382 sni->type = type; 01383 sni->next = NULL; 01384 01385 #ifndef NO_WOLFSSL_SERVER 01386 sni->options = 0; 01387 sni->status = WOLFSSL_SNI_NO_MATCH; 01388 #endif 01389 01390 switch (sni->type) { 01391 case WOLFSSL_SNI_HOST_NAME: 01392 sni->data.host_name = (char*)XMALLOC(size + 1, heap, 01393 DYNAMIC_TYPE_TLSX); 01394 if (sni->data.host_name) { 01395 XSTRNCPY(sni->data.host_name, (const char*)data, size); 01396 sni->data.host_name[size] = 0; 01397 } else { 01398 XFREE(sni, heap, DYNAMIC_TYPE_TLSX); 01399 sni = NULL; 01400 } 01401 break; 01402 01403 default: /* invalid type */ 01404 XFREE(sni, heap, DYNAMIC_TYPE_TLSX); 01405 sni = NULL; 01406 } 01407 } 01408 01409 return sni; 01410 } 01411 01412 /** Releases a SNI object. */ 01413 static void TLSX_SNI_Free(SNI* sni, void* heap) 01414 { 01415 if (sni) { 01416 switch (sni->type) { 01417 case WOLFSSL_SNI_HOST_NAME: 01418 XFREE(sni->data.host_name, heap, DYNAMIC_TYPE_TLSX); 01419 break; 01420 } 01421 01422 XFREE(sni, heap, DYNAMIC_TYPE_TLSX); 01423 } 01424 (void)heap; 01425 } 01426 01427 /** Releases all SNI objects in the provided list. */ 01428 static void TLSX_SNI_FreeAll(SNI* list, void* heap) 01429 { 01430 SNI* sni; 01431 01432 while ((sni = list)) { 01433 list = sni->next; 01434 TLSX_SNI_Free(sni, heap); 01435 } 01436 } 01437 01438 /** Tells the buffered size of the SNI objects in a list. */ 01439 static word16 TLSX_SNI_GetSize(SNI* list) 01440 { 01441 SNI* sni; 01442 word16 length = OPAQUE16_LEN; /* list length */ 01443 01444 while ((sni = list)) { 01445 list = sni->next; 01446 01447 length += ENUM_LEN + OPAQUE16_LEN; /* sni type + sni length */ 01448 01449 switch (sni->type) { 01450 case WOLFSSL_SNI_HOST_NAME: 01451 length += (word16)XSTRLEN((char*)sni->data.host_name); 01452 break; 01453 } 01454 } 01455 01456 return length; 01457 } 01458 01459 /** Writes the SNI objects of a list in a buffer. */ 01460 static word16 TLSX_SNI_Write(SNI* list, byte* output) 01461 { 01462 SNI* sni; 01463 word16 length = 0; 01464 word16 offset = OPAQUE16_LEN; /* list length offset */ 01465 01466 while ((sni = list)) { 01467 list = sni->next; 01468 01469 output[offset++] = sni->type; /* sni type */ 01470 01471 switch (sni->type) { 01472 case WOLFSSL_SNI_HOST_NAME: 01473 length = (word16)XSTRLEN((char*)sni->data.host_name); 01474 01475 c16toa(length, output + offset); /* sni length */ 01476 offset += OPAQUE16_LEN; 01477 01478 XMEMCPY(output + offset, sni->data.host_name, length); 01479 01480 offset += length; 01481 break; 01482 } 01483 } 01484 01485 c16toa(offset - OPAQUE16_LEN, output); /* writing list length */ 01486 01487 return offset; 01488 } 01489 01490 #ifndef NO_WOLFSSL_SERVER 01491 01492 /** Finds a SNI object in the provided list. */ 01493 static SNI* TLSX_SNI_Find(SNI *list, byte type) 01494 { 01495 SNI *sni = list; 01496 01497 while (sni && sni->type != type) 01498 sni = sni->next; 01499 01500 return sni; 01501 } 01502 01503 01504 /** Sets the status of a SNI object. */ 01505 static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status) 01506 { 01507 TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); 01508 SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type); 01509 01510 if (sni) 01511 sni->status = status; 01512 } 01513 01514 /** Gets the status of a SNI object. */ 01515 byte TLSX_SNI_Status(TLSX* extensions, byte type) 01516 { 01517 TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); 01518 SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type); 01519 01520 if (sni) 01521 return sni->status; 01522 01523 return 0; 01524 } 01525 01526 #endif /* NO_WOLFSSL_SERVER */ 01527 01528 /** Parses a buffer of SNI extensions. */ 01529 static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, 01530 byte isRequest) 01531 { 01532 #ifndef NO_WOLFSSL_SERVER 01533 word16 size = 0; 01534 word16 offset = 0; 01535 int cacheOnly = 0; 01536 #endif 01537 01538 TLSX *extension = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME); 01539 01540 if (!extension) 01541 extension = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME); 01542 01543 (void)isRequest; 01544 (void)input; 01545 01546 if (!extension || !extension->data) { 01547 #if defined(WOLFSSL_ALWAYS_KEEP_SNI) && !defined(NO_WOLFSSL_SERVER) 01548 /* This will keep SNI even though TLSX_UseSNI has not been called. 01549 * Enable it so that the received sni is available to functions 01550 * that use a custom callback when SNI is received */ 01551 cacheOnly = 1; 01552 WOLFSSL_MSG("Forcing SSL object to store SNI parameter"); 01553 #else 01554 return isRequest ? 0 /* not using SNI. */ 01555 : BUFFER_ERROR; /* unexpected SNI response. */ 01556 #endif 01557 } 01558 01559 if (!isRequest) 01560 return length ? BUFFER_ERROR /* SNI response MUST be empty. */ 01561 : 0; /* nothing else to do. */ 01562 01563 #ifndef NO_WOLFSSL_SERVER 01564 01565 if (OPAQUE16_LEN > length) 01566 return BUFFER_ERROR; 01567 01568 ato16(input, &size); 01569 offset += OPAQUE16_LEN; 01570 01571 /* validating sni list length */ 01572 if (length != OPAQUE16_LEN + size) 01573 return BUFFER_ERROR; 01574 01575 for (size = 0; offset < length; offset += size) { 01576 SNI *sni = NULL; 01577 byte type = input[offset++]; 01578 01579 if (offset + OPAQUE16_LEN > length) 01580 return BUFFER_ERROR; 01581 01582 ato16(input + offset, &size); 01583 offset += OPAQUE16_LEN; 01584 01585 if (offset + size > length) 01586 return BUFFER_ERROR; 01587 01588 if (!cacheOnly && !(sni = TLSX_SNI_Find((SNI*)extension->data, type))) 01589 continue; /* not using this type of SNI. */ 01590 01591 switch(type) { 01592 case WOLFSSL_SNI_HOST_NAME: { 01593 int matchStat; 01594 #ifdef WOLFSSL_TLS13 01595 /* Don't process the second ClientHello SNI extension if there 01596 * was problems with the first. 01597 */ 01598 if (sni->status != 0) 01599 break; 01600 #endif 01601 byte matched = cacheOnly || 01602 ((XSTRLEN(sni->data.host_name) == size) 01603 && (XSTRNCMP(sni->data.host_name, 01604 (const char*)input + offset, size) == 0)); 01605 01606 if (matched || sni->options & WOLFSSL_SNI_ANSWER_ON_MISMATCH) { 01607 int r = TLSX_UseSNI(&ssl->extensions, 01608 type, input + offset, size, ssl->heap); 01609 01610 if (r != SSL_SUCCESS) 01611 return r; /* throws error. */ 01612 01613 if(cacheOnly) { 01614 WOLFSSL_MSG("Forcing storage of SNI, Fake match"); 01615 matchStat = WOLFSSL_SNI_FORCE_KEEP; 01616 } else if(matched) { 01617 WOLFSSL_MSG("SNI did match!"); 01618 matchStat = WOLFSSL_SNI_REAL_MATCH; 01619 } else { 01620 WOLFSSL_MSG("fake SNI match from ANSWER_ON_MISMATCH"); 01621 matchStat = WOLFSSL_SNI_FAKE_MATCH; 01622 } 01623 01624 TLSX_SNI_SetStatus(ssl->extensions, type, matchStat); 01625 01626 if(!cacheOnly) 01627 TLSX_SetResponse(ssl, TLSX_SERVER_NAME); 01628 01629 } else if (!(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) { 01630 SendAlert(ssl, alert_fatal, unrecognized_name); 01631 01632 return UNKNOWN_SNI_HOST_NAME_E; 01633 } 01634 break; 01635 } 01636 } 01637 } 01638 01639 #endif 01640 01641 return 0; 01642 } 01643 01644 static int TLSX_SNI_VerifyParse(WOLFSSL* ssl, byte isRequest) 01645 { 01646 (void)ssl; 01647 01648 if (isRequest) { 01649 #ifndef NO_WOLFSSL_SERVER 01650 TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME); 01651 TLSX* ssl_ext = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME); 01652 SNI* ctx_sni = ctx_ext ? (SNI*)ctx_ext->data : NULL; 01653 SNI* ssl_sni = ssl_ext ? (SNI*)ssl_ext->data : NULL; 01654 SNI* sni = NULL; 01655 01656 for (; ctx_sni; ctx_sni = ctx_sni->next) { 01657 if (ctx_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) { 01658 sni = TLSX_SNI_Find(ssl_sni, ctx_sni->type); 01659 01660 if (sni) { 01661 if (sni->status != WOLFSSL_SNI_NO_MATCH) 01662 continue; 01663 01664 /* if ssl level overrides ctx level, it is ok. */ 01665 if ((sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) == 0) 01666 continue; 01667 } 01668 01669 SendAlert(ssl, alert_fatal, handshake_failure); 01670 return SNI_ABSENT_ERROR; 01671 } 01672 } 01673 01674 for (; ssl_sni; ssl_sni = ssl_sni->next) { 01675 if (ssl_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) { 01676 if (ssl_sni->status != WOLFSSL_SNI_NO_MATCH) 01677 continue; 01678 01679 SendAlert(ssl, alert_fatal, handshake_failure); 01680 return SNI_ABSENT_ERROR; 01681 } 01682 } 01683 #endif /* NO_WOLFSSL_SERVER */ 01684 } 01685 01686 return 0; 01687 } 01688 01689 int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size, 01690 void* heap) 01691 { 01692 TLSX* extension; 01693 SNI* sni = NULL; 01694 01695 if (extensions == NULL || data == NULL) 01696 return BAD_FUNC_ARG; 01697 01698 if ((sni = TLSX_SNI_New(type, data, size, heap)) == NULL) 01699 return MEMORY_E; 01700 01701 extension = TLSX_Find(*extensions, TLSX_SERVER_NAME); 01702 if (!extension) { 01703 int ret = TLSX_Push(extensions, TLSX_SERVER_NAME, (void*)sni, heap); 01704 if (ret != 0) { 01705 TLSX_SNI_Free(sni, heap); 01706 return ret; 01707 } 01708 } 01709 else { 01710 /* push new SNI object to extension data. */ 01711 sni->next = (SNI*)extension->data; 01712 extension->data = (void*)sni; 01713 01714 /* remove duplicate SNI, there should be only one of each type. */ 01715 do { 01716 if (sni->next && sni->next->type == type) { 01717 SNI *next = sni->next; 01718 01719 sni->next = next->next; 01720 TLSX_SNI_Free(next, heap); 01721 01722 /* there is no way to occur more than */ 01723 /* two SNIs of the same type. */ 01724 break; 01725 } 01726 } while ((sni = sni->next)); 01727 } 01728 01729 return SSL_SUCCESS; 01730 } 01731 01732 #ifndef NO_WOLFSSL_SERVER 01733 01734 /** Tells the SNI requested by the client. */ 01735 word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data) 01736 { 01737 TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); 01738 SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type); 01739 01740 if (sni && sni->status != WOLFSSL_SNI_NO_MATCH) { 01741 switch (sni->type) { 01742 case WOLFSSL_SNI_HOST_NAME: 01743 if (data) { 01744 *data = sni->data.host_name; 01745 return (word16)XSTRLEN((char*)*data); 01746 } 01747 } 01748 } 01749 01750 return 0; 01751 } 01752 01753 /** Sets the options for a SNI object. */ 01754 void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options) 01755 { 01756 TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); 01757 SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type); 01758 01759 if (sni) 01760 sni->options = options; 01761 } 01762 01763 /** Retrieves a SNI request from a client hello buffer. */ 01764 int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, 01765 byte type, byte* sni, word32* inOutSz) 01766 { 01767 word32 offset = 0; 01768 word32 len32 = 0; 01769 word16 len16 = 0; 01770 01771 if (helloSz < RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + CLIENT_HELLO_FIRST) 01772 return INCOMPLETE_DATA; 01773 01774 /* TLS record header */ 01775 if ((enum ContentType) clientHello[offset++] != handshake) { 01776 01777 /* checking for SSLv2.0 client hello according to: */ 01778 /* http://tools.ietf.org/html/rfc4346#appendix-E.1 */ 01779 if ((enum HandShakeType) clientHello[++offset] == client_hello) { 01780 offset += ENUM_LEN + VERSION_SZ; /* skip version */ 01781 01782 ato16(clientHello + offset, &len16); 01783 offset += OPAQUE16_LEN; 01784 01785 if (len16 % 3) /* cipher_spec_length must be multiple of 3 */ 01786 return BUFFER_ERROR; 01787 01788 ato16(clientHello + offset, &len16); 01789 /* Returning SNI_UNSUPPORTED do not increment offset here */ 01790 01791 if (len16 != 0) /* session_id_length must be 0 */ 01792 return BUFFER_ERROR; 01793 01794 return SNI_UNSUPPORTED; 01795 } 01796 01797 return BUFFER_ERROR; 01798 } 01799 01800 if (clientHello[offset++] != SSLv3_MAJOR) 01801 return BUFFER_ERROR; 01802 01803 if (clientHello[offset++] < TLSv1_MINOR) 01804 return SNI_UNSUPPORTED; 01805 01806 ato16(clientHello + offset, &len16); 01807 offset += OPAQUE16_LEN; 01808 01809 if (offset + len16 > helloSz) 01810 return INCOMPLETE_DATA; 01811 01812 /* Handshake header */ 01813 if ((enum HandShakeType) clientHello[offset] != client_hello) 01814 return BUFFER_ERROR; 01815 01816 c24to32(clientHello + offset + 1, &len32); 01817 offset += HANDSHAKE_HEADER_SZ; 01818 01819 if (offset + len32 > helloSz) 01820 return BUFFER_ERROR; 01821 01822 /* client hello */ 01823 offset += VERSION_SZ + RAN_LEN; /* version, random */ 01824 01825 if (helloSz < offset + clientHello[offset]) 01826 return BUFFER_ERROR; 01827 01828 offset += ENUM_LEN + clientHello[offset]; /* skip session id */ 01829 01830 /* cypher suites */ 01831 if (helloSz < offset + OPAQUE16_LEN) 01832 return BUFFER_ERROR; 01833 01834 ato16(clientHello + offset, &len16); 01835 offset += OPAQUE16_LEN; 01836 01837 if (helloSz < offset + len16) 01838 return BUFFER_ERROR; 01839 01840 offset += len16; /* skip cypher suites */ 01841 01842 /* compression methods */ 01843 if (helloSz < offset + 1) 01844 return BUFFER_ERROR; 01845 01846 if (helloSz < offset + clientHello[offset]) 01847 return BUFFER_ERROR; 01848 01849 offset += ENUM_LEN + clientHello[offset]; /* skip compression methods */ 01850 01851 /* extensions */ 01852 if (helloSz < offset + OPAQUE16_LEN) 01853 return 0; /* no extensions in client hello. */ 01854 01855 ato16(clientHello + offset, &len16); 01856 offset += OPAQUE16_LEN; 01857 01858 if (helloSz < offset + len16) 01859 return BUFFER_ERROR; 01860 01861 while (len16 >= OPAQUE16_LEN + OPAQUE16_LEN) { 01862 word16 extType; 01863 word16 extLen; 01864 01865 ato16(clientHello + offset, &extType); 01866 offset += OPAQUE16_LEN; 01867 01868 ato16(clientHello + offset, &extLen); 01869 offset += OPAQUE16_LEN; 01870 01871 if (helloSz < offset + extLen) 01872 return BUFFER_ERROR; 01873 01874 if (extType != TLSX_SERVER_NAME) { 01875 offset += extLen; /* skip extension */ 01876 } else { 01877 word16 listLen; 01878 01879 ato16(clientHello + offset, &listLen); 01880 offset += OPAQUE16_LEN; 01881 01882 if (helloSz < offset + listLen) 01883 return BUFFER_ERROR; 01884 01885 while (listLen > ENUM_LEN + OPAQUE16_LEN) { 01886 byte sniType = clientHello[offset++]; 01887 word16 sniLen; 01888 01889 ato16(clientHello + offset, &sniLen); 01890 offset += OPAQUE16_LEN; 01891 01892 if (helloSz < offset + sniLen) 01893 return BUFFER_ERROR; 01894 01895 if (sniType != type) { 01896 offset += sniLen; 01897 listLen -= min(ENUM_LEN + OPAQUE16_LEN + sniLen, listLen); 01898 continue; 01899 } 01900 01901 *inOutSz = min(sniLen, *inOutSz); 01902 XMEMCPY(sni, clientHello + offset, *inOutSz); 01903 01904 return SSL_SUCCESS; 01905 } 01906 } 01907 01908 len16 -= min(2 * OPAQUE16_LEN + extLen, len16); 01909 } 01910 01911 return len16 ? BUFFER_ERROR : 0; 01912 } 01913 01914 #endif 01915 01916 #define SNI_FREE_ALL TLSX_SNI_FreeAll 01917 #define SNI_GET_SIZE TLSX_SNI_GetSize 01918 #define SNI_WRITE TLSX_SNI_Write 01919 #define SNI_PARSE TLSX_SNI_Parse 01920 #define SNI_VERIFY_PARSE TLSX_SNI_VerifyParse 01921 01922 #else 01923 01924 #define SNI_FREE_ALL(list, heap) 01925 #define SNI_GET_SIZE(list) 0 01926 #define SNI_WRITE(a, b) 0 01927 #define SNI_PARSE(a, b, c, d) 0 01928 #define SNI_VERIFY_PARSE(a, b) 0 01929 01930 #endif /* HAVE_SNI */ 01931 01932 /******************************************************************************/ 01933 /* Max Fragment Length Negotiation */ 01934 /******************************************************************************/ 01935 01936 #ifdef HAVE_MAX_FRAGMENT 01937 01938 static word16 TLSX_MFL_Write(byte* data, byte* output) 01939 { 01940 output[0] = data[0]; 01941 01942 return ENUM_LEN; 01943 } 01944 01945 static int TLSX_MFL_Parse(WOLFSSL* ssl, byte* input, word16 length, 01946 byte isRequest) 01947 { 01948 (void)isRequest; 01949 01950 if (length != ENUM_LEN) 01951 return BUFFER_ERROR; 01952 01953 switch (*input) { 01954 case WOLFSSL_MFL_2_9 : ssl->max_fragment = 512; break; 01955 case WOLFSSL_MFL_2_10: ssl->max_fragment = 1024; break; 01956 case WOLFSSL_MFL_2_11: ssl->max_fragment = 2048; break; 01957 case WOLFSSL_MFL_2_12: ssl->max_fragment = 4096; break; 01958 case WOLFSSL_MFL_2_13: ssl->max_fragment = 8192; break; 01959 01960 default: 01961 SendAlert(ssl, alert_fatal, illegal_parameter); 01962 01963 return UNKNOWN_MAX_FRAG_LEN_E; 01964 } 01965 01966 #ifndef NO_WOLFSSL_SERVER 01967 if (isRequest) { 01968 int r = TLSX_UseMaxFragment(&ssl->extensions, *input, ssl->heap); 01969 01970 if (r != SSL_SUCCESS) return r; /* throw error */ 01971 01972 TLSX_SetResponse(ssl, TLSX_MAX_FRAGMENT_LENGTH); 01973 } 01974 #endif 01975 01976 return 0; 01977 } 01978 01979 int TLSX_UseMaxFragment(TLSX** extensions, byte mfl, void* heap) 01980 { 01981 byte* data = NULL; 01982 int ret = 0; 01983 01984 if (extensions == NULL) 01985 return BAD_FUNC_ARG; 01986 01987 if (mfl < WOLFSSL_MFL_2_9 || WOLFSSL_MFL_2_13 < mfl) 01988 return BAD_FUNC_ARG; 01989 01990 if ((data = (byte*)XMALLOC(ENUM_LEN, heap, DYNAMIC_TYPE_TLSX)) == NULL) 01991 return MEMORY_E; 01992 01993 data[0] = mfl; 01994 01995 /* push new MFL extension. */ 01996 if ((ret = TLSX_Push(extensions, TLSX_MAX_FRAGMENT_LENGTH, data, heap)) 01997 != 0) { 01998 XFREE(data, heap, DYNAMIC_TYPE_TLSX); 01999 return ret; 02000 } 02001 02002 return SSL_SUCCESS; 02003 } 02004 02005 02006 #define MFL_FREE_ALL(data, heap) XFREE(data, (heap), DYNAMIC_TYPE_TLSX) 02007 #define MFL_GET_SIZE(data) ENUM_LEN 02008 #define MFL_WRITE TLSX_MFL_Write 02009 #define MFL_PARSE TLSX_MFL_Parse 02010 02011 #else 02012 02013 #define MFL_FREE_ALL(a, b) 02014 #define MFL_GET_SIZE(a) 0 02015 #define MFL_WRITE(a, b) 0 02016 #define MFL_PARSE(a, b, c, d) 0 02017 02018 #endif /* HAVE_MAX_FRAGMENT */ 02019 02020 /******************************************************************************/ 02021 /* Truncated HMAC */ 02022 /******************************************************************************/ 02023 02024 #ifdef HAVE_TRUNCATED_HMAC 02025 02026 static int TLSX_THM_Parse(WOLFSSL* ssl, byte* input, word16 length, 02027 byte isRequest) 02028 { 02029 (void)isRequest; 02030 02031 if (length != 0 || input == NULL) 02032 return BUFFER_ERROR; 02033 02034 #ifndef NO_WOLFSSL_SERVER 02035 if (isRequest) { 02036 int r = TLSX_UseTruncatedHMAC(&ssl->extensions, ssl->heap); 02037 02038 if (r != SSL_SUCCESS) 02039 return r; /* throw error */ 02040 02041 TLSX_SetResponse(ssl, TLSX_TRUNCATED_HMAC); 02042 } 02043 #endif 02044 02045 ssl->truncated_hmac = 1; 02046 02047 return 0; 02048 } 02049 02050 int TLSX_UseTruncatedHMAC(TLSX** extensions, void* heap) 02051 { 02052 int ret = 0; 02053 02054 if (extensions == NULL) 02055 return BAD_FUNC_ARG; 02056 02057 if ((ret = TLSX_Push(extensions, TLSX_TRUNCATED_HMAC, NULL, heap)) != 0) 02058 return ret; 02059 02060 return SSL_SUCCESS; 02061 } 02062 02063 #define THM_PARSE TLSX_THM_Parse 02064 02065 #else 02066 02067 #define THM_PARSE(a, b, c, d) 0 02068 02069 #endif /* HAVE_TRUNCATED_HMAC */ 02070 02071 /******************************************************************************/ 02072 /* Certificate Status Request */ 02073 /******************************************************************************/ 02074 02075 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST 02076 02077 static void TLSX_CSR_Free(CertificateStatusRequest* csr, void* heap) 02078 { 02079 switch (csr->status_type) { 02080 case WOLFSSL_CSR_OCSP: 02081 FreeOcspRequest(&csr->request.ocsp); 02082 break; 02083 } 02084 02085 XFREE(csr, heap, DYNAMIC_TYPE_TLSX); 02086 (void)heap; 02087 } 02088 02089 static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest) 02090 { 02091 word16 size = 0; 02092 02093 /* shut up compiler warnings */ 02094 (void) csr; (void) isRequest; 02095 02096 #ifndef NO_WOLFSSL_CLIENT 02097 if (isRequest) { 02098 switch (csr->status_type) { 02099 case WOLFSSL_CSR_OCSP: 02100 size += ENUM_LEN + 2 * OPAQUE16_LEN; 02101 02102 if (csr->request.ocsp.nonceSz) 02103 size += OCSP_NONCE_EXT_SZ; 02104 break; 02105 } 02106 } 02107 #endif 02108 02109 return size; 02110 } 02111 02112 static word16 TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output, 02113 byte isRequest) 02114 { 02115 /* shut up compiler warnings */ 02116 (void) csr; (void) output; (void) isRequest; 02117 02118 #ifndef NO_WOLFSSL_CLIENT 02119 if (isRequest) { 02120 word16 offset = 0; 02121 word16 length = 0; 02122 02123 /* type */ 02124 output[offset++] = csr->status_type; 02125 02126 switch (csr->status_type) { 02127 case WOLFSSL_CSR_OCSP: 02128 /* responder id list */ 02129 c16toa(0, output + offset); 02130 offset += OPAQUE16_LEN; 02131 02132 /* request extensions */ 02133 if (csr->request.ocsp.nonceSz) 02134 length = (word16)EncodeOcspRequestExtensions( 02135 &csr->request.ocsp, 02136 output + offset + OPAQUE16_LEN, 02137 OCSP_NONCE_EXT_SZ); 02138 02139 c16toa(length, output + offset); 02140 offset += OPAQUE16_LEN + length; 02141 02142 break; 02143 } 02144 02145 return offset; 02146 } 02147 #endif 02148 02149 return 0; 02150 } 02151 02152 static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, 02153 byte isRequest) 02154 { 02155 int ret; 02156 02157 /* shut up compiler warnings */ 02158 (void) ssl; (void) input; 02159 02160 if (!isRequest) { 02161 #ifndef NO_WOLFSSL_CLIENT 02162 TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); 02163 CertificateStatusRequest* csr = extension ? 02164 (CertificateStatusRequest*)extension->data : NULL; 02165 02166 if (!csr) { 02167 /* look at context level */ 02168 extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST); 02169 csr = extension ? (CertificateStatusRequest*)extension->data : NULL; 02170 02171 if (!csr) 02172 return BUFFER_ERROR; /* unexpected extension */ 02173 02174 /* enable extension at ssl level */ 02175 ret = TLSX_UseCertificateStatusRequest(&ssl->extensions, 02176 csr->status_type, csr->options, ssl->heap, 02177 ssl->devId); 02178 if (ret != SSL_SUCCESS) 02179 return ret; 02180 02181 switch (csr->status_type) { 02182 case WOLFSSL_CSR_OCSP: 02183 /* propagate nonce */ 02184 if (csr->request.ocsp.nonceSz) { 02185 OcspRequest* request = 02186 (OcspRequest*)TLSX_CSR_GetRequest(ssl->extensions); 02187 02188 if (request) { 02189 XMEMCPY(request->nonce, csr->request.ocsp.nonce, 02190 csr->request.ocsp.nonceSz); 02191 request->nonceSz = csr->request.ocsp.nonceSz; 02192 } 02193 } 02194 break; 02195 } 02196 } 02197 02198 ssl->status_request = 1; 02199 02200 return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */ 02201 #endif 02202 } 02203 else { 02204 #ifndef NO_WOLFSSL_SERVER 02205 byte status_type; 02206 word16 offset = 0; 02207 word16 size = 0; 02208 02209 if (length < ENUM_LEN) 02210 return BUFFER_ERROR; 02211 02212 status_type = input[offset++]; 02213 02214 switch (status_type) { 02215 case WOLFSSL_CSR_OCSP: { 02216 02217 /* skip responder_id_list */ 02218 if (length - offset < OPAQUE16_LEN) 02219 return BUFFER_ERROR; 02220 02221 ato16(input + offset, &size); 02222 offset += OPAQUE16_LEN + size; 02223 02224 /* skip request_extensions */ 02225 if (length - offset < OPAQUE16_LEN) 02226 return BUFFER_ERROR; 02227 02228 ato16(input + offset, &size); 02229 offset += OPAQUE16_LEN + size; 02230 02231 if (offset > length) 02232 return BUFFER_ERROR; 02233 02234 /* is able to send OCSP response? */ 02235 if (ssl->ctx->cm == NULL || !ssl->ctx->cm->ocspStaplingEnabled) 02236 return 0; 02237 } 02238 break; 02239 02240 /* unknown status type */ 02241 default: 02242 return 0; 02243 } 02244 02245 /* if using status_request and already sending it, skip this one */ 02246 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 02247 if (ssl->status_request_v2) 02248 return 0; 02249 #endif 02250 02251 /* accept the first good status_type and return */ 02252 ret = TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type, 02253 0, ssl->heap, ssl->devId); 02254 if (ret != SSL_SUCCESS) 02255 return ret; /* throw error */ 02256 02257 TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST); 02258 ssl->status_request = status_type; 02259 02260 #endif 02261 } 02262 02263 return 0; 02264 } 02265 02266 int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert, void* heap) 02267 { 02268 TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST); 02269 CertificateStatusRequest* csr = extension ? 02270 (CertificateStatusRequest*)extension->data : NULL; 02271 int ret = 0; 02272 02273 if (csr) { 02274 switch (csr->status_type) { 02275 case WOLFSSL_CSR_OCSP: { 02276 byte nonce[MAX_OCSP_NONCE_SZ]; 02277 int nonceSz = csr->request.ocsp.nonceSz; 02278 02279 /* preserve nonce */ 02280 XMEMCPY(nonce, csr->request.ocsp.nonce, nonceSz); 02281 02282 if ((ret = InitOcspRequest(&csr->request.ocsp, cert, 0, heap)) 02283 != 0) 02284 return ret; 02285 02286 /* restore nonce */ 02287 XMEMCPY(csr->request.ocsp.nonce, nonce, nonceSz); 02288 csr->request.ocsp.nonceSz = nonceSz; 02289 } 02290 break; 02291 } 02292 } 02293 02294 return ret; 02295 } 02296 02297 void* TLSX_CSR_GetRequest(TLSX* extensions) 02298 { 02299 TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST); 02300 CertificateStatusRequest* csr = extension ? 02301 (CertificateStatusRequest*)extension->data : NULL; 02302 02303 if (csr) { 02304 switch (csr->status_type) { 02305 case WOLFSSL_CSR_OCSP: 02306 return &csr->request.ocsp; 02307 break; 02308 } 02309 } 02310 02311 return NULL; 02312 } 02313 02314 int TLSX_CSR_ForceRequest(WOLFSSL* ssl) 02315 { 02316 TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); 02317 CertificateStatusRequest* csr = extension ? 02318 (CertificateStatusRequest*)extension->data : NULL; 02319 02320 if (csr) { 02321 switch (csr->status_type) { 02322 case WOLFSSL_CSR_OCSP: 02323 if (ssl->ctx->cm->ocspEnabled) { 02324 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) 02325 csr->request.ocsp.ssl = ssl; 02326 #endif 02327 return CheckOcspRequest(ssl->ctx->cm->ocsp, 02328 &csr->request.ocsp, NULL); 02329 } 02330 else 02331 return OCSP_LOOKUP_FAIL; 02332 } 02333 } 02334 02335 return 0; 02336 } 02337 02338 int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type, 02339 byte options, void* heap, int devId) 02340 { 02341 CertificateStatusRequest* csr = NULL; 02342 int ret = 0; 02343 02344 if (!extensions || status_type != WOLFSSL_CSR_OCSP) 02345 return BAD_FUNC_ARG; 02346 02347 csr = (CertificateStatusRequest*) 02348 XMALLOC(sizeof(CertificateStatusRequest), heap, DYNAMIC_TYPE_TLSX); 02349 if (!csr) 02350 return MEMORY_E; 02351 02352 ForceZero(csr, sizeof(CertificateStatusRequest)); 02353 02354 csr->status_type = status_type; 02355 csr->options = options; 02356 02357 switch (csr->status_type) { 02358 case WOLFSSL_CSR_OCSP: 02359 if (options & WOLFSSL_CSR_OCSP_USE_NONCE) { 02360 WC_RNG rng; 02361 02362 #ifndef HAVE_FIPS 02363 ret = wc_InitRng_ex(&rng, heap, devId); 02364 #else 02365 ret = wc_InitRng(&rng); 02366 (void)devId; 02367 #endif 02368 if (ret == 0) { 02369 if (wc_RNG_GenerateBlock(&rng, csr->request.ocsp.nonce, 02370 MAX_OCSP_NONCE_SZ) == 0) 02371 csr->request.ocsp.nonceSz = MAX_OCSP_NONCE_SZ; 02372 02373 wc_FreeRng(&rng); 02374 } 02375 } 02376 break; 02377 } 02378 02379 if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST, csr, heap)) != 0) { 02380 XFREE(csr, heap, DYNAMIC_TYPE_TLSX); 02381 return ret; 02382 } 02383 02384 return SSL_SUCCESS; 02385 } 02386 02387 #define CSR_FREE_ALL TLSX_CSR_Free 02388 #define CSR_GET_SIZE TLSX_CSR_GetSize 02389 #define CSR_WRITE TLSX_CSR_Write 02390 #define CSR_PARSE TLSX_CSR_Parse 02391 02392 #else 02393 02394 #define CSR_FREE_ALL(data, heap) 02395 #define CSR_GET_SIZE(a, b) 0 02396 #define CSR_WRITE(a, b, c) 0 02397 #define CSR_PARSE(a, b, c, d) 0 02398 02399 #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ 02400 02401 /******************************************************************************/ 02402 /* Certificate Status Request v2 */ 02403 /******************************************************************************/ 02404 02405 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 02406 02407 static void TLSX_CSR2_FreeAll(CertificateStatusRequestItemV2* csr2, void* heap) 02408 { 02409 CertificateStatusRequestItemV2* next; 02410 02411 for (; csr2; csr2 = next) { 02412 next = csr2->next; 02413 02414 switch (csr2->status_type) { 02415 case WOLFSSL_CSR2_OCSP: 02416 case WOLFSSL_CSR2_OCSP_MULTI: 02417 while(csr2->requests--) 02418 FreeOcspRequest(&csr2->request.ocsp[csr2->requests]); 02419 break; 02420 } 02421 02422 XFREE(csr2, heap, DYNAMIC_TYPE_TLSX); 02423 } 02424 (void)heap; 02425 } 02426 02427 static word16 TLSX_CSR2_GetSize(CertificateStatusRequestItemV2* csr2, 02428 byte isRequest) 02429 { 02430 word16 size = 0; 02431 02432 /* shut up compiler warnings */ 02433 (void) csr2; (void) isRequest; 02434 02435 #ifndef NO_WOLFSSL_CLIENT 02436 if (isRequest) { 02437 CertificateStatusRequestItemV2* next; 02438 02439 for (size = OPAQUE16_LEN; csr2; csr2 = next) { 02440 next = csr2->next; 02441 02442 switch (csr2->status_type) { 02443 case WOLFSSL_CSR2_OCSP: 02444 case WOLFSSL_CSR2_OCSP_MULTI: 02445 size += ENUM_LEN + 3 * OPAQUE16_LEN; 02446 02447 if (csr2->request.ocsp[0].nonceSz) 02448 size += OCSP_NONCE_EXT_SZ; 02449 break; 02450 } 02451 } 02452 } 02453 #endif 02454 02455 return size; 02456 } 02457 02458 static word16 TLSX_CSR2_Write(CertificateStatusRequestItemV2* csr2, 02459 byte* output, byte isRequest) 02460 { 02461 /* shut up compiler warnings */ 02462 (void) csr2; (void) output; (void) isRequest; 02463 02464 #ifndef NO_WOLFSSL_CLIENT 02465 if (isRequest) { 02466 word16 offset; 02467 word16 length; 02468 02469 for (offset = OPAQUE16_LEN; csr2 != NULL; csr2 = csr2->next) { 02470 /* status_type */ 02471 output[offset++] = csr2->status_type; 02472 02473 /* request */ 02474 switch (csr2->status_type) { 02475 case WOLFSSL_CSR2_OCSP: 02476 case WOLFSSL_CSR2_OCSP_MULTI: 02477 /* request_length */ 02478 length = 2 * OPAQUE16_LEN; 02479 02480 if (csr2->request.ocsp[0].nonceSz) 02481 length += OCSP_NONCE_EXT_SZ; 02482 02483 c16toa(length, output + offset); 02484 offset += OPAQUE16_LEN; 02485 02486 /* responder id list */ 02487 c16toa(0, output + offset); 02488 offset += OPAQUE16_LEN; 02489 02490 /* request extensions */ 02491 length = 0; 02492 02493 if (csr2->request.ocsp[0].nonceSz) 02494 length = (word16)EncodeOcspRequestExtensions( 02495 &csr2->request.ocsp[0], 02496 output + offset + OPAQUE16_LEN, 02497 OCSP_NONCE_EXT_SZ); 02498 02499 c16toa(length, output + offset); 02500 offset += OPAQUE16_LEN + length; 02501 break; 02502 } 02503 } 02504 02505 /* list size */ 02506 c16toa(offset - OPAQUE16_LEN, output); 02507 02508 return offset; 02509 } 02510 #endif 02511 02512 return 0; 02513 } 02514 02515 static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length, 02516 byte isRequest) 02517 { 02518 int ret; 02519 02520 /* shut up compiler warnings */ 02521 (void) ssl; (void) input; 02522 02523 if (!isRequest) { 02524 #ifndef NO_WOLFSSL_CLIENT 02525 TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2); 02526 CertificateStatusRequestItemV2* csr2 = extension ? 02527 (CertificateStatusRequestItemV2*)extension->data : NULL; 02528 02529 if (!csr2) { 02530 /* look at context level */ 02531 extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST_V2); 02532 csr2 = extension ? 02533 (CertificateStatusRequestItemV2*)extension->data : NULL; 02534 02535 if (!csr2) 02536 return BUFFER_ERROR; /* unexpected extension */ 02537 02538 /* enable extension at ssl level */ 02539 for (; csr2; csr2 = csr2->next) { 02540 ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions, 02541 csr2->status_type, csr2->options, ssl->heap, ssl->devId); 02542 if (ret != SSL_SUCCESS) 02543 return ret; 02544 02545 switch (csr2->status_type) { 02546 case WOLFSSL_CSR2_OCSP: 02547 /* followed by */ 02548 case WOLFSSL_CSR2_OCSP_MULTI: 02549 /* propagate nonce */ 02550 if (csr2->request.ocsp[0].nonceSz) { 02551 OcspRequest* request = 02552 (OcspRequest*)TLSX_CSR2_GetRequest(ssl->extensions, 02553 csr2->status_type, 0); 02554 02555 if (request) { 02556 XMEMCPY(request->nonce, 02557 csr2->request.ocsp[0].nonce, 02558 csr2->request.ocsp[0].nonceSz); 02559 02560 request->nonceSz = 02561 csr2->request.ocsp[0].nonceSz; 02562 } 02563 } 02564 break; 02565 } 02566 } 02567 } 02568 02569 ssl->status_request_v2 = 1; 02570 02571 return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */ 02572 #endif 02573 } 02574 else { 02575 #ifndef NO_WOLFSSL_SERVER 02576 byte status_type; 02577 word16 request_length; 02578 word16 offset = 0; 02579 word16 size = 0; 02580 02581 /* list size */ 02582 ato16(input + offset, &request_length); 02583 offset += OPAQUE16_LEN; 02584 02585 if (length - OPAQUE16_LEN != request_length) 02586 return BUFFER_ERROR; 02587 02588 while (length > offset) { 02589 if (length - offset < ENUM_LEN + OPAQUE16_LEN) 02590 return BUFFER_ERROR; 02591 02592 status_type = input[offset++]; 02593 02594 ato16(input + offset, &request_length); 02595 offset += OPAQUE16_LEN; 02596 02597 if (length - offset < request_length) 02598 return BUFFER_ERROR; 02599 02600 switch (status_type) { 02601 case WOLFSSL_CSR2_OCSP: 02602 case WOLFSSL_CSR2_OCSP_MULTI: 02603 /* skip responder_id_list */ 02604 if (length - offset < OPAQUE16_LEN) 02605 return BUFFER_ERROR; 02606 02607 ato16(input + offset, &size); 02608 offset += OPAQUE16_LEN + size; 02609 02610 /* skip request_extensions */ 02611 if (length - offset < OPAQUE16_LEN) 02612 return BUFFER_ERROR; 02613 02614 ato16(input + offset, &size); 02615 offset += OPAQUE16_LEN + size; 02616 02617 if (offset > length) 02618 return BUFFER_ERROR; 02619 02620 /* is able to send OCSP response? */ 02621 if (ssl->ctx->cm == NULL 02622 || !ssl->ctx->cm->ocspStaplingEnabled) 02623 continue; 02624 break; 02625 02626 default: 02627 /* unknown status type, skipping! */ 02628 offset += request_length; 02629 continue; 02630 } 02631 02632 /* if using status_request and already sending it, skip this one */ 02633 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST 02634 if (ssl->status_request) 02635 return 0; 02636 #endif 02637 02638 /* accept the first good status_type and return */ 02639 ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions, 02640 status_type, 0, ssl->heap, ssl->devId); 02641 if (ret != SSL_SUCCESS) 02642 return ret; /* throw error */ 02643 02644 TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST_V2); 02645 ssl->status_request_v2 = status_type; 02646 02647 return 0; 02648 } 02649 #endif 02650 } 02651 02652 return 0; 02653 } 02654 02655 int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, byte isPeer, 02656 void* heap) 02657 { 02658 TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2); 02659 CertificateStatusRequestItemV2* csr2 = extension ? 02660 (CertificateStatusRequestItemV2*)extension->data : NULL; 02661 int ret = 0; 02662 02663 for (; csr2; csr2 = csr2->next) { 02664 switch (csr2->status_type) { 02665 case WOLFSSL_CSR2_OCSP: 02666 if (!isPeer || csr2->requests != 0) 02667 break; 02668 02669 /* followed by */ 02670 02671 case WOLFSSL_CSR2_OCSP_MULTI: { 02672 if (csr2->requests < 1 + MAX_CHAIN_DEPTH) { 02673 byte nonce[MAX_OCSP_NONCE_SZ]; 02674 int nonceSz = csr2->request.ocsp[0].nonceSz; 02675 02676 /* preserve nonce, replicating nonce of ocsp[0] */ 02677 XMEMCPY(nonce, csr2->request.ocsp[0].nonce, nonceSz); 02678 02679 if ((ret = InitOcspRequest( 02680 &csr2->request.ocsp[csr2->requests], cert, 02681 0, heap)) != 0) 02682 return ret; 02683 02684 /* restore nonce */ 02685 XMEMCPY(csr2->request.ocsp[csr2->requests].nonce, 02686 nonce, nonceSz); 02687 csr2->request.ocsp[csr2->requests].nonceSz = nonceSz; 02688 csr2->requests++; 02689 } 02690 } 02691 break; 02692 } 02693 } 02694 02695 (void)cert; 02696 return ret; 02697 } 02698 02699 void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, byte idx) 02700 { 02701 TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2); 02702 CertificateStatusRequestItemV2* csr2 = extension ? 02703 (CertificateStatusRequestItemV2*)extension->data : NULL; 02704 02705 for (; csr2; csr2 = csr2->next) { 02706 if (csr2->status_type == status_type) { 02707 switch (csr2->status_type) { 02708 case WOLFSSL_CSR2_OCSP: 02709 /* followed by */ 02710 02711 case WOLFSSL_CSR2_OCSP_MULTI: 02712 /* requests are initialized in the reverse order */ 02713 return idx < csr2->requests 02714 ? &csr2->request.ocsp[csr2->requests - idx - 1] 02715 : NULL; 02716 break; 02717 } 02718 } 02719 } 02720 02721 return NULL; 02722 } 02723 02724 int TLSX_CSR2_ForceRequest(WOLFSSL* ssl) 02725 { 02726 TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2); 02727 CertificateStatusRequestItemV2* csr2 = extension ? 02728 (CertificateStatusRequestItemV2*)extension->data : NULL; 02729 02730 /* forces only the first one */ 02731 if (csr2) { 02732 switch (csr2->status_type) { 02733 case WOLFSSL_CSR2_OCSP: 02734 /* followed by */ 02735 02736 case WOLFSSL_CSR2_OCSP_MULTI: 02737 if (ssl->ctx->cm->ocspEnabled) { 02738 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) 02739 csr2->request.ocsp[0].ssl = ssl; 02740 #endif 02741 return CheckOcspRequest(ssl->ctx->cm->ocsp, 02742 &csr2->request.ocsp[0], NULL); 02743 } 02744 else 02745 return OCSP_LOOKUP_FAIL; 02746 } 02747 } 02748 02749 return 0; 02750 } 02751 02752 int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type, 02753 byte options, void* heap, int devId) 02754 { 02755 TLSX* extension = NULL; 02756 CertificateStatusRequestItemV2* csr2 = NULL; 02757 int ret = 0; 02758 02759 if (!extensions) 02760 return BAD_FUNC_ARG; 02761 02762 if (status_type != WOLFSSL_CSR2_OCSP 02763 && status_type != WOLFSSL_CSR2_OCSP_MULTI) 02764 return BAD_FUNC_ARG; 02765 02766 csr2 = (CertificateStatusRequestItemV2*) 02767 XMALLOC(sizeof(CertificateStatusRequestItemV2), heap, DYNAMIC_TYPE_TLSX); 02768 if (!csr2) 02769 return MEMORY_E; 02770 02771 ForceZero(csr2, sizeof(CertificateStatusRequestItemV2)); 02772 02773 csr2->status_type = status_type; 02774 csr2->options = options; 02775 csr2->next = NULL; 02776 02777 switch (csr2->status_type) { 02778 case WOLFSSL_CSR2_OCSP: 02779 case WOLFSSL_CSR2_OCSP_MULTI: 02780 if (options & WOLFSSL_CSR2_OCSP_USE_NONCE) { 02781 WC_RNG rng; 02782 02783 #ifndef HAVE_FIPS 02784 ret = wc_InitRng_ex(&rng, heap, devId); 02785 #else 02786 ret = wc_InitRng(&rng); 02787 (void)devId; 02788 #endif 02789 if (ret == 0) { 02790 if (wc_RNG_GenerateBlock(&rng, csr2->request.ocsp[0].nonce, 02791 MAX_OCSP_NONCE_SZ) == 0) 02792 csr2->request.ocsp[0].nonceSz = MAX_OCSP_NONCE_SZ; 02793 02794 wc_FreeRng(&rng); 02795 } 02796 } 02797 break; 02798 } 02799 02800 /* append new item */ 02801 if ((extension = TLSX_Find(*extensions, TLSX_STATUS_REQUEST_V2))) { 02802 CertificateStatusRequestItemV2* last = 02803 (CertificateStatusRequestItemV2*)extension->data; 02804 02805 for (; last->next; last = last->next); 02806 02807 last->next = csr2; 02808 } 02809 else if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST_V2, csr2,heap))) { 02810 XFREE(csr2, heap, DYNAMIC_TYPE_TLSX); 02811 return ret; 02812 } 02813 02814 return SSL_SUCCESS; 02815 } 02816 02817 #define CSR2_FREE_ALL TLSX_CSR2_FreeAll 02818 #define CSR2_GET_SIZE TLSX_CSR2_GetSize 02819 #define CSR2_WRITE TLSX_CSR2_Write 02820 #define CSR2_PARSE TLSX_CSR2_Parse 02821 02822 #else 02823 02824 #define CSR2_FREE_ALL(data, heap) 02825 #define CSR2_GET_SIZE(a, b) 0 02826 #define CSR2_WRITE(a, b, c) 0 02827 #define CSR2_PARSE(a, b, c, d) 0 02828 02829 #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ 02830 02831 /******************************************************************************/ 02832 /* Supported Elliptic Curves */ 02833 /******************************************************************************/ 02834 02835 #ifdef HAVE_SUPPORTED_CURVES 02836 02837 #ifndef HAVE_ECC 02838 #error Elliptic Curves Extension requires Elliptic Curve Cryptography. \ 02839 Use --enable-ecc in the configure script or define HAVE_ECC. 02840 #endif 02841 02842 static void TLSX_EllipticCurve_FreeAll(EllipticCurve* list, void* heap) 02843 { 02844 EllipticCurve* curve; 02845 02846 while ((curve = list)) { 02847 list = curve->next; 02848 XFREE(curve, heap, DYNAMIC_TYPE_TLSX); 02849 } 02850 (void)heap; 02851 } 02852 02853 static int TLSX_EllipticCurve_Append(EllipticCurve** list, word16 name, 02854 void* heap) 02855 { 02856 EllipticCurve* curve = NULL; 02857 02858 if (list == NULL) 02859 return BAD_FUNC_ARG; 02860 02861 curve = (EllipticCurve*)XMALLOC(sizeof(EllipticCurve), heap, 02862 DYNAMIC_TYPE_TLSX); 02863 if (curve == NULL) 02864 return MEMORY_E; 02865 02866 curve->name = name; 02867 curve->next = *list; 02868 02869 *list = curve; 02870 02871 return 0; 02872 } 02873 02874 #ifndef NO_WOLFSSL_CLIENT 02875 02876 static void TLSX_EllipticCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore) 02877 { 02878 int i; 02879 02880 for (i = 0; i < ssl->suites->suiteSz; i+= 2) 02881 if (ssl->suites->suites[i] == ECC_BYTE || 02882 ssl->suites->suites[i] == CHACHA_BYTE || 02883 ssl->suites->suites[i] == TLS13_BYTE) 02884 return; 02885 02886 /* turns semaphore on to avoid sending this extension. */ 02887 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS)); 02888 } 02889 02890 static word16 TLSX_EllipticCurve_GetSize(EllipticCurve* list) 02891 { 02892 EllipticCurve* curve; 02893 word16 length = OPAQUE16_LEN; /* list length */ 02894 02895 while ((curve = list)) { 02896 list = curve->next; 02897 length += OPAQUE16_LEN; /* curve length */ 02898 } 02899 02900 return length; 02901 } 02902 02903 static word16 TLSX_EllipticCurve_WriteR(EllipticCurve* curve, byte* output); 02904 static word16 TLSX_EllipticCurve_WriteR(EllipticCurve* curve, byte* output) 02905 { 02906 word16 offset = 0; 02907 02908 if (!curve) 02909 return offset; 02910 02911 offset = TLSX_EllipticCurve_WriteR(curve->next, output); 02912 c16toa(curve->name, output + offset); 02913 02914 return OPAQUE16_LEN + offset; 02915 } 02916 02917 static word16 TLSX_EllipticCurve_Write(EllipticCurve* list, byte* output) 02918 { 02919 word16 length = TLSX_EllipticCurve_WriteR(list, output + OPAQUE16_LEN); 02920 02921 c16toa(length, output); /* writing list length */ 02922 02923 return OPAQUE16_LEN + length; 02924 } 02925 02926 #endif /* NO_WOLFSSL_CLIENT */ 02927 #ifndef NO_WOLFSSL_SERVER 02928 02929 static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length, 02930 byte isRequest) 02931 { 02932 word16 offset; 02933 word16 name; 02934 int r; 02935 02936 (void) isRequest; /* shut up compiler! */ 02937 02938 if (OPAQUE16_LEN > length || length % OPAQUE16_LEN) 02939 return BUFFER_ERROR; 02940 02941 ato16(input, &offset); 02942 02943 /* validating curve list length */ 02944 if (length != OPAQUE16_LEN + offset) 02945 return BUFFER_ERROR; 02946 02947 while (offset) { 02948 ato16(input + offset, &name); 02949 offset -= OPAQUE16_LEN; 02950 02951 r = TLSX_UseSupportedCurve(&ssl->extensions, name, ssl->heap); 02952 02953 if (r != SSL_SUCCESS) return r; /* throw error */ 02954 } 02955 02956 return 0; 02957 } 02958 02959 #ifdef WOLFSSL_TLS13 02960 /* Searches the supported groups extension for the specified named group. 02961 * 02962 * ssl The SSL/TLS object. 02963 * name The group name to match. 02964 * returns 1 when the extension has the group name and 0 otherwise. 02965 */ 02966 static int TLSX_SupportedGroups_Find(WOLFSSL* ssl, word16 name) 02967 { 02968 TLSX* extension; 02969 EllipticCurve* curve = NULL; 02970 02971 if ((extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)) == NULL) 02972 return 0; 02973 02974 for (curve = (EllipticCurve*)extension->data; curve; curve = curve->next) { 02975 if (curve->name == name) 02976 return 1; 02977 } 02978 return 0; 02979 } 02980 #endif /* WOLFSSL_TLS13 */ 02981 02982 int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { 02983 TLSX* extension = (first == ECC_BYTE || first == CHACHA_BYTE) 02984 ? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS) 02985 : NULL; 02986 EllipticCurve* curve = NULL; 02987 word32 oid = 0; 02988 word32 defOid = 0; 02989 word32 defSz = 80; /* Maximum known curve size is 66. */ 02990 word32 nextOid = 0; 02991 word32 nextSz = 80; /* Maximum known curve size is 66. */ 02992 word32 currOid = ssl->ecdhCurveOID; 02993 int ephmSuite = 0; 02994 word16 octets = 0; /* according to 'ecc_set_type ecc_sets[];' */ 02995 int sig = 0; /* validate signature */ 02996 int key = 0; /* validate key */ 02997 02998 (void)oid; 02999 03000 if (!extension) 03001 return 1; /* no suite restriction */ 03002 03003 for (curve = (EllipticCurve*)extension->data; 03004 curve && !(sig && key); 03005 curve = curve->next) { 03006 03007 /* find supported curve */ 03008 switch (curve->name) { 03009 #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES) 03010 #ifndef NO_ECC_SECP 03011 case WOLFSSL_ECC_SECP160R1: 03012 oid = ECC_SECP160R1_OID; 03013 octets = 20; 03014 break; 03015 #endif /* !NO_ECC_SECP */ 03016 #ifdef HAVE_ECC_SECPR2 03017 case WOLFSSL_ECC_SECP160R2: 03018 oid = ECC_SECP160R2_OID; 03019 octets = 20; 03020 break; 03021 #endif /* HAVE_ECC_SECPR2 */ 03022 #ifdef HAVE_ECC_KOBLITZ 03023 case WOLFSSL_ECC_SECP160K1: 03024 oid = ECC_SECP160K1_OID; 03025 octets = 20; 03026 break; 03027 #endif /* HAVE_ECC_KOBLITZ */ 03028 #endif 03029 #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES) 03030 #ifndef NO_ECC_SECP 03031 case WOLFSSL_ECC_SECP192R1: 03032 oid = ECC_SECP192R1_OID; 03033 octets = 24; 03034 break; 03035 #endif /* !NO_ECC_SECP */ 03036 #ifdef HAVE_ECC_KOBLITZ 03037 case WOLFSSL_ECC_SECP192K1: 03038 oid = ECC_SECP192K1_OID; 03039 octets = 24; 03040 break; 03041 #endif /* HAVE_ECC_KOBLITZ */ 03042 #endif 03043 #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES) 03044 #ifndef NO_ECC_SECP 03045 case WOLFSSL_ECC_SECP224R1: 03046 oid = ECC_SECP224R1_OID; 03047 octets = 28; 03048 break; 03049 #endif /* !NO_ECC_SECP */ 03050 #ifdef HAVE_ECC_KOBLITZ 03051 case WOLFSSL_ECC_SECP224K1: 03052 oid = ECC_SECP224K1_OID; 03053 octets = 28; 03054 break; 03055 #endif /* HAVE_ECC_KOBLITZ */ 03056 #endif 03057 #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) 03058 #ifndef NO_ECC_SECP 03059 case WOLFSSL_ECC_SECP256R1: 03060 oid = ECC_SECP256R1_OID; 03061 octets = 32; 03062 break; 03063 #endif /* !NO_ECC_SECP */ 03064 #ifdef HAVE_ECC_KOBLITZ 03065 case WOLFSSL_ECC_SECP256K1: 03066 oid = ECC_SECP256K1_OID; 03067 octets = 32; 03068 break; 03069 #endif /* HAVE_ECC_KOBLITZ */ 03070 #ifdef HAVE_ECC_BRAINPOOL 03071 case WOLFSSL_ECC_BRAINPOOLP256R1: 03072 oid = ECC_BRAINPOOLP256R1_OID; 03073 octets = 32; 03074 break; 03075 #endif /* HAVE_ECC_BRAINPOOL */ 03076 #endif 03077 #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES) 03078 #ifndef NO_ECC_SECP 03079 case WOLFSSL_ECC_SECP384R1: 03080 oid = ECC_SECP384R1_OID; 03081 octets = 48; 03082 break; 03083 #endif /* !NO_ECC_SECP */ 03084 #ifdef HAVE_ECC_BRAINPOOL 03085 case WOLFSSL_ECC_BRAINPOOLP384R1: 03086 oid = ECC_BRAINPOOLP384R1_OID; 03087 octets = 48; 03088 break; 03089 #endif /* HAVE_ECC_BRAINPOOL */ 03090 #endif 03091 #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES) 03092 #ifdef HAVE_ECC_BRAINPOOL 03093 case WOLFSSL_ECC_BRAINPOOLP512R1: 03094 oid = ECC_BRAINPOOLP512R1_OID; 03095 octets = 64; 03096 break; 03097 #endif /* HAVE_ECC_BRAINPOOL */ 03098 #endif 03099 #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) 03100 #ifndef NO_ECC_SECP 03101 case WOLFSSL_ECC_SECP521R1: 03102 oid = ECC_SECP521R1_OID; 03103 octets = 66; 03104 break; 03105 #endif /* !NO_ECC_SECP */ 03106 #endif 03107 default: continue; /* unsupported curve */ 03108 } 03109 03110 /* Set default Oid */ 03111 if (defOid == 0 && ssl->eccTempKeySz <= octets && defSz > octets) { 03112 defOid = oid; 03113 defSz = octets; 03114 } 03115 03116 if (currOid == 0 && ssl->eccTempKeySz == octets) 03117 currOid = oid; 03118 if ((nextOid == 0 || nextSz > octets) && ssl->eccTempKeySz <= octets) { 03119 nextOid = oid; 03120 nextSz = octets; 03121 } 03122 03123 if (first == ECC_BYTE) { 03124 switch (second) { 03125 /* ECDHE_ECDSA */ 03126 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: 03127 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: 03128 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: 03129 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: 03130 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: 03131 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 03132 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: 03133 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 03134 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: 03135 case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8: 03136 sig |= ssl->pkCurveOID == oid; 03137 key |= ssl->ecdhCurveOID == oid; 03138 ephmSuite = 1; 03139 break; 03140 03141 #ifdef WOLFSSL_STATIC_DH 03142 /* ECDH_ECDSA */ 03143 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: 03144 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: 03145 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: 03146 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: 03147 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: 03148 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: 03149 case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: 03150 case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: 03151 sig |= ssl->pkCurveOID == oid; 03152 key |= ssl->pkCurveOID == oid; 03153 break; 03154 #endif /* WOLFSSL_STATIC_DH */ 03155 #ifndef NO_RSA 03156 /* ECDHE_RSA */ 03157 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: 03158 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: 03159 case TLS_ECDHE_RSA_WITH_RC4_128_SHA: 03160 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: 03161 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: 03162 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: 03163 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: 03164 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: 03165 sig = 1; 03166 key |= ssl->ecdhCurveOID == oid; 03167 ephmSuite = 1; 03168 break; 03169 03170 #ifdef WOLFSSL_STATIC_DH 03171 /* ECDH_RSA */ 03172 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: 03173 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 03174 case TLS_ECDH_RSA_WITH_RC4_128_SHA: 03175 case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: 03176 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: 03177 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: 03178 case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: 03179 case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: 03180 sig = 1; 03181 key |= ssl->pkCurveOID == oid; 03182 break; 03183 #endif /* WOLFSSL_STATIC_DH */ 03184 #endif 03185 default: 03186 sig = 1; 03187 key = 1; 03188 break; 03189 } 03190 } 03191 03192 /* ChaCha20-Poly1305 ECC cipher suites */ 03193 if (first == CHACHA_BYTE) { 03194 switch (second) { 03195 /* ECDHE_ECDSA */ 03196 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 : 03197 case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : 03198 sig |= ssl->pkCurveOID == oid; 03199 key |= ssl->ecdhCurveOID == oid; 03200 ephmSuite = 1; 03201 break; 03202 #ifndef NO_RSA 03203 /* ECDHE_RSA */ 03204 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : 03205 case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : 03206 sig = 1; 03207 key |= ssl->ecdhCurveOID == oid; 03208 ephmSuite = 1; 03209 break; 03210 #endif 03211 default: 03212 sig = 1; 03213 key = 1; 03214 break; 03215 } 03216 } 03217 } 03218 03219 /* Choose the default if it is at the required strength. */ 03220 if (ssl->ecdhCurveOID == 0 && defSz == ssl->eccTempKeySz) { 03221 key = 1; 03222 ssl->ecdhCurveOID = defOid; 03223 } 03224 /* Choose any curve at the required strength. */ 03225 if (ssl->ecdhCurveOID == 0) { 03226 key = 1; 03227 ssl->ecdhCurveOID = currOid; 03228 } 03229 /* Choose the default if it is at the next highest strength. */ 03230 if (ssl->ecdhCurveOID == 0 && defSz == nextSz) 03231 ssl->ecdhCurveOID = defOid; 03232 /* Choose any curve at the next highest strength. */ 03233 if (ssl->ecdhCurveOID == 0) 03234 ssl->ecdhCurveOID = nextOid; 03235 /* No curve and ephemeral ECC suite requires a matching curve. */ 03236 if (ssl->ecdhCurveOID == 0 && ephmSuite) 03237 key = 0; 03238 03239 return sig && key; 03240 } 03241 03242 #endif /* NO_WOLFSSL_SERVER */ 03243 03244 int TLSX_UseSupportedCurve(TLSX** extensions, word16 name, void* heap) 03245 { 03246 TLSX* extension; 03247 EllipticCurve* curve = NULL; 03248 int ret = 0; 03249 03250 if (extensions == NULL) 03251 return BAD_FUNC_ARG; 03252 03253 if ((ret = TLSX_EllipticCurve_Append(&curve, name, heap)) != 0) 03254 return ret; 03255 03256 extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS); 03257 if (!extension) { 03258 if ((ret = TLSX_Push(extensions, TLSX_SUPPORTED_GROUPS, curve, heap)) 03259 != 0) { 03260 XFREE(curve, heap, DYNAMIC_TYPE_TLSX); 03261 return ret; 03262 } 03263 } 03264 else { 03265 /* push new EllipticCurve object to extension data. */ 03266 curve->next = (EllipticCurve*)extension->data; 03267 extension->data = (void*)curve; 03268 03269 /* look for another curve of the same name to remove (replacement) */ 03270 do { 03271 if (curve->next && curve->next->name == name) { 03272 EllipticCurve *next = curve->next; 03273 03274 curve->next = next->next; 03275 XFREE(next, heap, DYNAMIC_TYPE_TLSX); 03276 03277 break; 03278 } 03279 } while ((curve = curve->next)); 03280 } 03281 03282 return SSL_SUCCESS; 03283 } 03284 03285 #define EC_FREE_ALL TLSX_EllipticCurve_FreeAll 03286 #define EC_VALIDATE_REQUEST TLSX_EllipticCurve_ValidateRequest 03287 03288 #ifndef NO_WOLFSSL_CLIENT 03289 #define EC_GET_SIZE TLSX_EllipticCurve_GetSize 03290 #define EC_WRITE TLSX_EllipticCurve_Write 03291 #else 03292 #define EC_GET_SIZE(list) 0 03293 #define EC_WRITE(a, b) 0 03294 #endif 03295 03296 #ifndef NO_WOLFSSL_SERVER 03297 #define EC_PARSE TLSX_EllipticCurve_Parse 03298 #else 03299 #define EC_PARSE(a, b, c, d) 0 03300 #endif 03301 03302 #else 03303 03304 #define EC_FREE_ALL(list, heap) 03305 #define EC_GET_SIZE(list) 0 03306 #define EC_WRITE(a, b) 0 03307 #define EC_PARSE(a, b, c, d) 0 03308 #define EC_VALIDATE_REQUEST(a, b) 03309 03310 #endif /* HAVE_SUPPORTED_CURVES */ 03311 03312 /******************************************************************************/ 03313 /* Renegotiation Indication */ 03314 /******************************************************************************/ 03315 03316 #if defined(HAVE_SECURE_RENEGOTIATION) \ 03317 || defined(HAVE_SERVER_RENEGOTIATION_INFO) 03318 03319 static byte TLSX_SecureRenegotiation_GetSize(SecureRenegotiation* data, 03320 int isRequest) 03321 { 03322 byte length = OPAQUE8_LEN; /* empty info length */ 03323 03324 /* data will be NULL for HAVE_SERVER_RENEGOTIATION_INFO only */ 03325 if (data && data->enabled) { 03326 /* client sends client_verify_data only */ 03327 length += TLS_FINISHED_SZ; 03328 03329 /* server also sends server_verify_data */ 03330 if (!isRequest) 03331 length += TLS_FINISHED_SZ; 03332 } 03333 03334 return length; 03335 } 03336 03337 static word16 TLSX_SecureRenegotiation_Write(SecureRenegotiation* data, 03338 byte* output, int isRequest) 03339 { 03340 word16 offset = OPAQUE8_LEN; /* RenegotiationInfo length */ 03341 03342 if (data && data->enabled) { 03343 /* client sends client_verify_data only */ 03344 XMEMCPY(output + offset, data->client_verify_data, TLS_FINISHED_SZ); 03345 offset += TLS_FINISHED_SZ; 03346 03347 /* server also sends server_verify_data */ 03348 if (!isRequest) { 03349 XMEMCPY(output + offset, data->server_verify_data, TLS_FINISHED_SZ); 03350 offset += TLS_FINISHED_SZ; 03351 } 03352 } 03353 03354 output[0] = (byte)(offset - 1); /* info length - self */ 03355 03356 return offset; 03357 } 03358 03359 static int TLSX_SecureRenegotiation_Parse(WOLFSSL* ssl, byte* input, 03360 word16 length, byte isRequest) 03361 { 03362 int ret = SECURE_RENEGOTIATION_E; 03363 03364 if (length >= OPAQUE8_LEN) { 03365 if (ssl->secure_renegotiation == NULL) { 03366 #ifndef NO_WOLFSSL_SERVER 03367 if (isRequest && *input == 0) { 03368 #ifdef HAVE_SERVER_RENEGOTIATION_INFO 03369 if (length == OPAQUE8_LEN) { 03370 if (TLSX_Find(ssl->extensions, 03371 TLSX_RENEGOTIATION_INFO) == NULL) { 03372 ret = TLSX_AddEmptyRenegotiationInfo(&ssl->extensions, 03373 ssl->heap); 03374 if (ret == SSL_SUCCESS) 03375 ret = 0; 03376 03377 } else { 03378 ret = 0; 03379 } 03380 } 03381 #else 03382 ret = 0; /* don't reply, user didn't enable */ 03383 #endif /* HAVE_SERVER_RENEGOTIATION_INFO */ 03384 } 03385 #ifdef HAVE_SERVER_RENEGOTIATION_INFO 03386 else if (!isRequest) { 03387 /* don't do anything on client side */ 03388 ret = 0; 03389 } 03390 #endif 03391 #endif 03392 } 03393 else if (isRequest) { 03394 #ifndef NO_WOLFSSL_SERVER 03395 if (*input == TLS_FINISHED_SZ) { 03396 /* TODO compare client_verify_data */ 03397 ret = 0; 03398 } 03399 #endif 03400 } 03401 else { 03402 #ifndef NO_WOLFSSL_CLIENT 03403 if (!ssl->secure_renegotiation->enabled) { 03404 if (*input == 0) { 03405 ssl->secure_renegotiation->enabled = 1; 03406 ret = 0; 03407 } 03408 } 03409 else if (*input == 2 * TLS_FINISHED_SZ && 03410 length == 2 * TLS_FINISHED_SZ + OPAQUE8_LEN) { 03411 input++; /* get past size */ 03412 03413 /* validate client and server verify data */ 03414 if (XMEMCMP(input, 03415 ssl->secure_renegotiation->client_verify_data, 03416 TLS_FINISHED_SZ) == 0 && 03417 XMEMCMP(input + TLS_FINISHED_SZ, 03418 ssl->secure_renegotiation->server_verify_data, 03419 TLS_FINISHED_SZ) == 0) { 03420 WOLFSSL_MSG("SCR client and server verify data match"); 03421 ret = 0; /* verified */ 03422 } else { 03423 /* already in error state */ 03424 WOLFSSL_MSG("SCR client and server verify data Failure"); 03425 } 03426 } 03427 #endif 03428 } 03429 } 03430 03431 if (ret != 0) { 03432 SendAlert(ssl, alert_fatal, handshake_failure); 03433 } 03434 03435 return ret; 03436 } 03437 03438 int TLSX_UseSecureRenegotiation(TLSX** extensions, void* heap) 03439 { 03440 int ret = 0; 03441 SecureRenegotiation* data = NULL; 03442 03443 data = (SecureRenegotiation*)XMALLOC(sizeof(SecureRenegotiation), heap, 03444 DYNAMIC_TYPE_TLSX); 03445 if (data == NULL) 03446 return MEMORY_E; 03447 03448 XMEMSET(data, 0, sizeof(SecureRenegotiation)); 03449 03450 ret = TLSX_Push(extensions, TLSX_RENEGOTIATION_INFO, data, heap); 03451 if (ret != 0) { 03452 XFREE(data, heap, DYNAMIC_TYPE_TLSX); 03453 return ret; 03454 } 03455 03456 return SSL_SUCCESS; 03457 } 03458 03459 #ifdef HAVE_SERVER_RENEGOTIATION_INFO 03460 03461 int TLSX_AddEmptyRenegotiationInfo(TLSX** extensions, void* heap) 03462 { 03463 int ret; 03464 03465 ret = TLSX_Push(extensions, TLSX_RENEGOTIATION_INFO, NULL, heap); 03466 if (ret != 0) 03467 return ret; 03468 03469 /* send empty renegotiation_info extension */ 03470 TLSX* ext = TLSX_Find(*extensions, TLSX_RENEGOTIATION_INFO); 03471 if (ext) 03472 ext->resp = 1; 03473 03474 return SSL_SUCCESS; 03475 } 03476 03477 #endif /* HAVE_SERVER_RENEGOTIATION_INFO */ 03478 03479 03480 #define SCR_FREE_ALL(data, heap) XFREE(data, (heap), DYNAMIC_TYPE_TLSX) 03481 #define SCR_GET_SIZE TLSX_SecureRenegotiation_GetSize 03482 #define SCR_WRITE TLSX_SecureRenegotiation_Write 03483 #define SCR_PARSE TLSX_SecureRenegotiation_Parse 03484 03485 #else 03486 03487 #define SCR_FREE_ALL(a, heap) 03488 #define SCR_GET_SIZE(a, b) 0 03489 #define SCR_WRITE(a, b, c) 0 03490 #define SCR_PARSE(a, b, c, d) 0 03491 03492 #endif /* HAVE_SECURE_RENEGOTIATION */ 03493 03494 /******************************************************************************/ 03495 /* Session Tickets */ 03496 /******************************************************************************/ 03497 03498 #ifdef HAVE_SESSION_TICKET 03499 03500 #ifndef NO_WOLFSSL_CLIENT 03501 static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl) 03502 { 03503 TLSX* extension = TLSX_Find(ssl->extensions, TLSX_SESSION_TICKET); 03504 SessionTicket* ticket = extension ? 03505 (SessionTicket*)extension->data : NULL; 03506 03507 if (ticket) { 03508 /* TODO validate ticket timeout here! */ 03509 if (ticket->lifetime == 0xfffffff) { 03510 /* send empty ticket on timeout */ 03511 TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap); 03512 } 03513 } 03514 } 03515 #endif /* NO_WOLFSSL_CLIENT */ 03516 03517 03518 static word16 TLSX_SessionTicket_GetSize(SessionTicket* ticket, int isRequest) 03519 { 03520 (void)isRequest; 03521 return ticket ? ticket->size : 0; 03522 } 03523 03524 static word16 TLSX_SessionTicket_Write(SessionTicket* ticket, byte* output, 03525 int isRequest) 03526 { 03527 word16 offset = 0; /* empty ticket */ 03528 03529 if (isRequest && ticket) { 03530 XMEMCPY(output + offset, ticket->data, ticket->size); 03531 offset += ticket->size; 03532 } 03533 03534 return offset; 03535 } 03536 03537 03538 static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length, 03539 byte isRequest) 03540 { 03541 int ret = 0; 03542 03543 (void) input; /* avoid unused parameter if NO_WOLFSSL_SERVER defined */ 03544 03545 if (!isRequest) { 03546 /* client side */ 03547 if (length != 0) 03548 return BUFFER_ERROR; 03549 03550 #ifndef NO_WOLFSSL_CLIENT 03551 ssl->expect_session_ticket = 1; 03552 #endif 03553 } 03554 #ifndef NO_WOLFSSL_SERVER 03555 else { 03556 /* server side */ 03557 if (ssl->ctx->ticketEncCb == NULL) { 03558 WOLFSSL_MSG("Client sent session ticket, server has no callback"); 03559 return 0; 03560 } 03561 03562 if (length == 0) { 03563 /* blank ticket */ 03564 ret = TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap); 03565 if (ret == SSL_SUCCESS) { 03566 ret = 0; 03567 TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); /* send blank ticket */ 03568 ssl->options.createTicket = 1; /* will send ticket msg */ 03569 ssl->options.useTicket = 1; 03570 ssl->options.resuming = 0; /* no standard resumption */ 03571 ssl->arrays->sessionIDSz = 0; /* no echo on blank ticket */ 03572 } 03573 } else { 03574 /* got actual ticket from client */ 03575 ret = DoClientTicket(ssl, input, length); 03576 if (ret == WOLFSSL_TICKET_RET_OK) { /* use ticket to resume */ 03577 WOLFSSL_MSG("Using exisitng client ticket"); 03578 ssl->options.useTicket = 1; 03579 ssl->options.resuming = 1; 03580 } else if (ret == WOLFSSL_TICKET_RET_CREATE) { 03581 WOLFSSL_MSG("Using existing client ticket, creating new one"); 03582 ret = TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap); 03583 if (ret == SSL_SUCCESS) { 03584 ret = 0; 03585 TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); 03586 /* send blank ticket */ 03587 ssl->options.createTicket = 1; /* will send ticket msg */ 03588 ssl->options.useTicket = 1; 03589 ssl->options.resuming = 1; 03590 } 03591 } else if (ret == WOLFSSL_TICKET_RET_REJECT) { 03592 WOLFSSL_MSG("Process client ticket rejected, not using"); 03593 ssl->options.rejectTicket = 1; 03594 ret = 0; /* not fatal */ 03595 } else if (ret == WOLFSSL_TICKET_RET_FATAL || ret < 0) { 03596 WOLFSSL_MSG("Process client ticket fatal error, not using"); 03597 } 03598 } 03599 } 03600 #endif /* NO_WOLFSSL_SERVER */ 03601 03602 return ret; 03603 } 03604 03605 WOLFSSL_LOCAL SessionTicket* TLSX_SessionTicket_Create(word32 lifetime, 03606 byte* data, word16 size, void* heap) 03607 { 03608 SessionTicket* ticket = (SessionTicket*)XMALLOC(sizeof(SessionTicket), 03609 heap, DYNAMIC_TYPE_TLSX); 03610 if (ticket) { 03611 ticket->data = (byte*)XMALLOC(size, heap, DYNAMIC_TYPE_TLSX); 03612 if (ticket->data == NULL) { 03613 XFREE(ticket, heap, DYNAMIC_TYPE_TLSX); 03614 return NULL; 03615 } 03616 03617 XMEMCPY(ticket->data, data, size); 03618 ticket->size = size; 03619 ticket->lifetime = lifetime; 03620 } 03621 03622 return ticket; 03623 } 03624 WOLFSSL_LOCAL void TLSX_SessionTicket_Free(SessionTicket* ticket, void* heap) 03625 { 03626 if (ticket) { 03627 XFREE(ticket->data, heap, DYNAMIC_TYPE_TLSX); 03628 XFREE(ticket, heap, DYNAMIC_TYPE_TLSX); 03629 } 03630 03631 (void)heap; 03632 } 03633 03634 int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket, void* heap) 03635 { 03636 int ret = 0; 03637 03638 if (extensions == NULL) 03639 return BAD_FUNC_ARG; 03640 03641 /* If the ticket is NULL, the client will request a new ticket from the 03642 server. Otherwise, the client will use it in the next client hello. */ 03643 if ((ret = TLSX_Push(extensions, TLSX_SESSION_TICKET, (void*)ticket, heap)) 03644 != 0) 03645 return ret; 03646 03647 return SSL_SUCCESS; 03648 } 03649 03650 #define WOLF_STK_VALIDATE_REQUEST TLSX_SessionTicket_ValidateRequest 03651 #define WOLF_STK_GET_SIZE TLSX_SessionTicket_GetSize 03652 #define WOLF_STK_WRITE TLSX_SessionTicket_Write 03653 #define WOLF_STK_PARSE TLSX_SessionTicket_Parse 03654 #define WOLF_STK_FREE(stk, heap) TLSX_SessionTicket_Free((SessionTicket*)stk,(heap)) 03655 03656 #else 03657 03658 #define WOLF_STK_FREE(a, b) 03659 #define WOLF_STK_VALIDATE_REQUEST(a) 03660 #define WOLF_STK_GET_SIZE(a, b) 0 03661 #define WOLF_STK_WRITE(a, b, c) 0 03662 #define WOLF_STK_PARSE(a, b, c, d) 0 03663 03664 #endif /* HAVE_SESSION_TICKET */ 03665 03666 /******************************************************************************/ 03667 /* Quantum-Safe-Hybrid */ 03668 /******************************************************************************/ 03669 03670 #if defined(HAVE_NTRU) && defined(HAVE_QSH) 03671 static WC_RNG* rng; 03672 static wolfSSL_Mutex* rngMutex; 03673 #endif 03674 03675 #ifdef HAVE_QSH 03676 static void TLSX_QSH_FreeAll(QSHScheme* list, void* heap) 03677 { 03678 QSHScheme* current; 03679 03680 while ((current = list)) { 03681 list = current->next; 03682 XFREE(current, heap, DYNAMIC_TYPE_TLSX); 03683 } 03684 03685 (void)heap; 03686 } 03687 03688 static int TLSX_QSH_Append(QSHScheme** list, word16 name, byte* pub, 03689 word16 pubLen) 03690 { 03691 QSHScheme* temp; 03692 03693 if (list == NULL) 03694 return BAD_FUNC_ARG; 03695 03696 if ((temp = (QSHScheme*)XMALLOC(sizeof(QSHScheme), NULL, 03697 DYNAMIC_TYPE_TLSX)) == NULL) 03698 return MEMORY_E; 03699 03700 temp->name = name; 03701 temp->PK = pub; 03702 temp->PKLen = pubLen; 03703 temp->next = *list; 03704 03705 *list = temp; 03706 03707 return 0; 03708 } 03709 03710 03711 /* request for server's public key : 02 indicates 0-2 requested */ 03712 static byte TLSX_QSH_SerPKReq(byte* output, byte isRequest) 03713 { 03714 if (isRequest) { 03715 /* only request one public key from the server */ 03716 output[0] = 0x01; 03717 03718 return OPAQUE8_LEN; 03719 } 03720 else { 03721 return 0; 03722 } 03723 } 03724 03725 #ifndef NO_WOLFSSL_CLIENT 03726 03727 /* check for TLS_QSH suite */ 03728 static void TLSX_QSH_ValidateRequest(WOLFSSL* ssl, byte* semaphore) 03729 { 03730 int i; 03731 03732 for (i = 0; i < ssl->suites->suiteSz; i+= 2) 03733 if (ssl->suites->suites[i] == QSH_BYTE) 03734 return; 03735 03736 /* No QSH suite found */ 03737 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_QUANTUM_SAFE_HYBRID)); 03738 } 03739 03740 03741 /* return the size of the QSH hello extension 03742 list the list of QSHScheme structs containing id and key 03743 isRequest if 1 then is being sent to the server 03744 */ 03745 word16 TLSX_QSH_GetSize(QSHScheme* list, byte isRequest) 03746 { 03747 QSHScheme* temp = list; 03748 word16 length = 0; 03749 03750 /* account for size of scheme list and public key list */ 03751 if (isRequest) 03752 length = OPAQUE16_LEN; 03753 length += OPAQUE24_LEN; 03754 03755 /* for each non null element in list add size */ 03756 while ((temp)) { 03757 /* add public key info Scheme | Key Length | Key */ 03758 length += OPAQUE16_LEN; 03759 length += OPAQUE16_LEN; 03760 length += temp->PKLen; 03761 03762 /* if client add name size for scheme list 03763 advance to next QSHScheme struct in list */ 03764 if (isRequest) 03765 length += OPAQUE16_LEN; 03766 temp = temp->next; 03767 } 03768 03769 /* add length for request server public keys */ 03770 if (isRequest) 03771 length += OPAQUE8_LEN; 03772 03773 return length; 03774 } 03775 03776 03777 /* write out a list of QSHScheme IDs */ 03778 static word16 TLSX_QSH_Write(QSHScheme* list, byte* output) 03779 { 03780 QSHScheme* current = list; 03781 word16 length = 0; 03782 03783 length += OPAQUE16_LEN; 03784 03785 while (current) { 03786 c16toa(current->name, output + length); 03787 length += OPAQUE16_LEN; 03788 current = (QSHScheme*)current->next; 03789 } 03790 03791 c16toa(length - OPAQUE16_LEN, output); /* writing list length */ 03792 03793 return length; 03794 } 03795 03796 03797 /* write public key list in extension */ 03798 static word16 TLSX_QSHPK_WriteR(QSHScheme* format, byte* output); 03799 static word16 TLSX_QSHPK_WriteR(QSHScheme* format, byte* output) 03800 { 03801 word32 offset = 0; 03802 word16 public_len = 0; 03803 03804 if (!format) 03805 return offset; 03806 03807 /* write scheme ID */ 03808 c16toa(format->name, output + offset); 03809 offset += OPAQUE16_LEN; 03810 03811 /* write public key matching scheme */ 03812 public_len = format->PKLen; 03813 c16toa(public_len, output + offset); 03814 offset += OPAQUE16_LEN; 03815 if (format->PK) { 03816 XMEMCPY(output+offset, format->PK, public_len); 03817 } 03818 03819 return public_len + offset; 03820 } 03821 03822 word16 TLSX_QSHPK_Write(QSHScheme* list, byte* output) 03823 { 03824 QSHScheme* current = list; 03825 word32 length = 0; 03826 word24 toWire; 03827 03828 length += OPAQUE24_LEN; 03829 03830 while (current) { 03831 length += TLSX_QSHPK_WriteR(current, output + length); 03832 current = (QSHScheme*)current->next; 03833 } 03834 /* length of public keys sent */ 03835 c32to24(length - OPAQUE24_LEN, toWire); 03836 output[0] = toWire[0]; 03837 output[1] = toWire[1]; 03838 output[2] = toWire[2]; 03839 03840 return length; 03841 } 03842 03843 #endif /* NO_WOLFSSL_CLIENT */ 03844 #ifndef NO_WOLFSSL_SERVER 03845 03846 static void TLSX_QSHAgreement(TLSX** extensions, void* heap) 03847 { 03848 TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); 03849 QSHScheme* format = NULL; 03850 QSHScheme* del = NULL; 03851 QSHScheme* prev = NULL; 03852 03853 if (extension == NULL) 03854 return; 03855 03856 format = (QSHScheme*)extension->data; 03857 while (format) { 03858 if (format->PKLen == 0) { 03859 /* case of head */ 03860 if (format == extension->data) { 03861 extension->data = format->next; 03862 } 03863 if (prev) 03864 prev->next = format->next; 03865 del = format; 03866 format = format->next; 03867 XFREE(del, heap, DYNAMIC_TYPE_TMP_BUFFER); 03868 del = NULL; 03869 } else { 03870 prev = format; 03871 format = format->next; 03872 } 03873 } 03874 03875 (void)heap; 03876 } 03877 03878 03879 /* Parse in hello extension 03880 input the byte stream to process 03881 length length of total extension found 03882 isRequest set to 1 if being sent to the server 03883 */ 03884 static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length, 03885 byte isRequest) 03886 { 03887 byte numKeys = 0; 03888 word16 offset = 0; 03889 word16 schemSz = 0; 03890 word16 offset_len = 0; 03891 word32 offset_pk = 0; 03892 word16 name = 0; 03893 word16 PKLen = 0; 03894 byte* PK = NULL; 03895 int r; 03896 03897 03898 if (OPAQUE16_LEN > length) 03899 return BUFFER_ERROR; 03900 03901 if (isRequest) { 03902 ato16(input, &schemSz); 03903 03904 /* list of public keys available for QSH schemes */ 03905 offset_len = schemSz + OPAQUE16_LEN; 03906 } 03907 03908 offset_pk = ((input[offset_len] << 16) & 0xFF00000) | 03909 (((input[offset_len + 1]) << 8) & 0xFF00) | 03910 (input[offset_len + 2] & 0xFF); 03911 offset_len += OPAQUE24_LEN; 03912 03913 /* check buffer size */ 03914 if (offset_pk > length) 03915 return BUFFER_ERROR; 03916 03917 /* set maximum number of keys the client will accept */ 03918 if (!isRequest) 03919 numKeys = (ssl->maxRequest < 1)? 1 : ssl->maxRequest; 03920 03921 /* hello extension read list of scheme ids */ 03922 if (isRequest) { 03923 03924 /* read in request for public keys */ 03925 ssl->minRequest = (input[length -1] >> 4) & 0xFF; 03926 ssl->maxRequest = input[length -1] & 0x0F; 03927 03928 /* choose the min between min requested by client and 1 */ 03929 numKeys = (ssl->minRequest > 1) ? ssl->minRequest : 1; 03930 03931 if (ssl->minRequest > ssl->maxRequest) 03932 return BAD_FUNC_ARG; 03933 03934 offset += OPAQUE16_LEN; 03935 schemSz += offset; 03936 03937 /* check buffer size */ 03938 if (schemSz > length) 03939 return BUFFER_ERROR; 03940 03941 while ((offset < schemSz) && numKeys) { 03942 /* Scheme ID list */ 03943 ato16(input + offset, &name); 03944 offset += OPAQUE16_LEN; 03945 03946 /* validate we have scheme id */ 03947 if (ssl->user_set_QSHSchemes && 03948 !TLSX_ValidateQSHScheme(&ssl->extensions, name)) { 03949 continue; 03950 } 03951 03952 /* server create keys on demand */ 03953 if ((r = TLSX_CreateNtruKey(ssl, name)) != 0) { 03954 WOLFSSL_MSG("Error creating ntru keys"); 03955 return r; 03956 } 03957 03958 /* peer sent an agreed upon scheme */ 03959 r = TLSX_UseQSHScheme(&ssl->extensions, name, NULL, 0, ssl->heap); 03960 03961 if (r != SSL_SUCCESS) return r; /* throw error */ 03962 03963 numKeys--; 03964 } 03965 03966 /* choose the min between min requested by client and 1 */ 03967 numKeys = (ssl->minRequest > 1) ? ssl->minRequest : 1; 03968 } 03969 03970 /* QSHPK struct */ 03971 offset_pk += offset_len; 03972 while ((offset_len < offset_pk) && numKeys) { 03973 QSHKey * temp; 03974 03975 if ((temp = (QSHKey*)XMALLOC(sizeof(QSHKey), ssl->heap, 03976 DYNAMIC_TYPE_TLSX)) == NULL) 03977 return MEMORY_E; 03978 03979 /* initialize */ 03980 temp->next = NULL; 03981 temp->pub.buffer = NULL; 03982 temp->pub.length = 0; 03983 temp->pri.buffer = NULL; 03984 temp->pri.length = 0; 03985 03986 /* scheme id */ 03987 ato16(input + offset_len, &(temp->name)); 03988 offset_len += OPAQUE16_LEN; 03989 03990 /* public key length */ 03991 ato16(input + offset_len, &PKLen); 03992 temp->pub.length = PKLen; 03993 offset_len += OPAQUE16_LEN; 03994 03995 03996 if (isRequest) { 03997 /* validate we have scheme id */ 03998 if (ssl->user_set_QSHSchemes && 03999 (!TLSX_ValidateQSHScheme(&ssl->extensions, temp->name))) { 04000 offset_len += PKLen; 04001 XFREE(temp, ssl->heap, DYNAMIC_TYPE_TLSX); 04002 continue; 04003 } 04004 } 04005 04006 /* read in public key */ 04007 if (PKLen > 0) { 04008 temp->pub.buffer = (byte*)XMALLOC(temp->pub.length, 04009 ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); 04010 XMEMCPY(temp->pub.buffer, input + offset_len, temp->pub.length); 04011 offset_len += PKLen; 04012 } 04013 else { 04014 PK = NULL; 04015 } 04016 04017 /* use own key when adding to extensions list for sending reply */ 04018 PKLen = 0; 04019 PK = TLSX_QSHKeyFind_Pub(ssl->QSH_Key, &PKLen, temp->name); 04020 r = TLSX_UseQSHScheme(&ssl->extensions, temp->name, PK, PKLen, 04021 ssl->heap); 04022 04023 /* store peers key */ 04024 ssl->peerQSHKeyPresent = 1; 04025 if (TLSX_AddQSHKey(&ssl->peerQSHKey, temp) != 0) 04026 return MEMORY_E; 04027 04028 if (temp->pub.length == 0) { 04029 XFREE(temp, ssl->heap, DYNAMIC_TYPE_TLSX); 04030 } 04031 04032 if (r != SSL_SUCCESS) {return r;} /* throw error */ 04033 04034 numKeys--; 04035 } 04036 04037 /* reply to a QSH extension sent from client */ 04038 if (isRequest) { 04039 TLSX_SetResponse(ssl, TLSX_QUANTUM_SAFE_HYBRID); 04040 /* only use schemes we have key generated for -- free the rest */ 04041 TLSX_QSHAgreement(&ssl->extensions, ssl->heap); 04042 } 04043 04044 return 0; 04045 } 04046 04047 04048 /* Used for parsing in QSHCipher structs on Key Exchange */ 04049 int TLSX_QSHCipher_Parse(WOLFSSL* ssl, const byte* input, word16 length, 04050 byte isServer) 04051 { 04052 QSHKey* key; 04053 word16 Max_Secret_Len = 48; 04054 word16 offset = 0; 04055 word16 offset_len = 0; 04056 word32 offset_pk = 0; 04057 word16 name = 0; 04058 word16 secretLen = 0; 04059 byte* secret = NULL; 04060 word16 buffLen = 0; 04061 byte buff[145]; /* size enough for 3 secrets */ 04062 buffer* buf; 04063 04064 /* pointer to location where secret should be stored */ 04065 if (isServer) { 04066 buf = ssl->QSH_secret->CliSi; 04067 } 04068 else { 04069 buf = ssl->QSH_secret->SerSi; 04070 } 04071 04072 offset_pk = ((input[offset_len] << 16) & 0xFF0000) | 04073 (((input[offset_len + 1]) << 8) & 0xFF00) | 04074 (input[offset_len + 2] & 0xFF); 04075 offset_len += OPAQUE24_LEN; 04076 04077 /* validating extension list length -- check if trying to read over edge 04078 of buffer */ 04079 if (length < (offset_pk + OPAQUE24_LEN)) { 04080 return BUFFER_ERROR; 04081 } 04082 04083 /* QSHCipherList struct */ 04084 offset_pk += offset_len; 04085 while (offset_len < offset_pk) { 04086 04087 /* scheme id */ 04088 ato16(input + offset_len, &name); 04089 offset_len += OPAQUE16_LEN; 04090 04091 /* public key length */ 04092 ato16(input + offset_len, &secretLen); 04093 offset_len += OPAQUE16_LEN; 04094 04095 /* read in public key */ 04096 if (secretLen > 0) { 04097 secret = (byte*)(input + offset_len); 04098 offset_len += secretLen; 04099 } 04100 else { 04101 secret = NULL; 04102 } 04103 04104 /* no secret sent */ 04105 if (secret == NULL) 04106 continue; 04107 04108 /* find corresponding key */ 04109 key = ssl->QSH_Key; 04110 while (key) { 04111 if (key->name == name) 04112 break; 04113 else 04114 key = (QSHKey*)key->next; 04115 } 04116 04117 /* if we do not have the key than there was a big issue negotiation */ 04118 if (key == NULL) { 04119 WOLFSSL_MSG("key was null for decryption!!!\n"); 04120 return MEMORY_E; 04121 } 04122 04123 /* Decrypt sent secret */ 04124 buffLen = Max_Secret_Len; 04125 QSH_Decrypt(key, secret, secretLen, buff + offset, &buffLen); 04126 offset += buffLen; 04127 } 04128 04129 /* allocate memory for buffer */ 04130 buf->length = offset; 04131 buf->buffer = (byte*)XMALLOC(offset, NULL, DYNAMIC_TYPE_TMP_BUFFER); 04132 if (buf->buffer == NULL) 04133 return MEMORY_E; 04134 04135 /* store secrets */ 04136 XMEMCPY(buf->buffer, buff, offset); 04137 ForceZero(buff, offset); 04138 04139 return offset_len; 04140 } 04141 04142 04143 /* return 1 on success */ 04144 int TLSX_ValidateQSHScheme(TLSX** extensions, word16 theirs) { 04145 TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); 04146 QSHScheme* format = NULL; 04147 04148 /* if no extension is sent then do not use QSH */ 04149 if (!extension) { 04150 WOLFSSL_MSG("No QSH Extension"); 04151 return 0; 04152 } 04153 04154 for (format = (QSHScheme*)extension->data; format; format = format->next) { 04155 if (format->name == theirs) { 04156 WOLFSSL_MSG("Found Matching QSH Scheme"); 04157 return 1; /* have QSH */ 04158 } 04159 } 04160 04161 return 0; 04162 } 04163 #endif /* NO_WOLFSSL_SERVER */ 04164 04165 /* test if the QSH Scheme is implemented 04166 return 1 if yes 0 if no */ 04167 static int TLSX_HaveQSHScheme(word16 name) 04168 { 04169 switch(name) { 04170 #ifdef HAVE_NTRU 04171 case WOLFSSL_NTRU_EESS439: 04172 case WOLFSSL_NTRU_EESS593: 04173 case WOLFSSL_NTRU_EESS743: 04174 return 1; 04175 #endif 04176 case WOLFSSL_LWE_XXX: 04177 case WOLFSSL_HFE_XXX: 04178 return 0; /* not supported yet */ 04179 04180 default: 04181 return 0; 04182 } 04183 } 04184 04185 04186 /* Add a QSHScheme struct to list of usable ones */ 04187 int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz, 04188 void* heap) 04189 { 04190 TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); 04191 QSHScheme* format = NULL; 04192 int ret = 0; 04193 04194 /* sanity check */ 04195 if (extensions == NULL || (pKey == NULL && pkeySz != 0)) 04196 return BAD_FUNC_ARG; 04197 04198 /* if scheme is implemented than add */ 04199 if (TLSX_HaveQSHScheme(name)) { 04200 if ((ret = TLSX_QSH_Append(&format, name, pKey, pkeySz)) != 0) 04201 return ret; 04202 04203 if (!extension) { 04204 if ((ret = TLSX_Push(extensions, TLSX_QUANTUM_SAFE_HYBRID, format, 04205 heap)) != 0) { 04206 XFREE(format, 0, DYNAMIC_TYPE_TLSX); 04207 return ret; 04208 } 04209 } 04210 else { 04211 /* push new QSH object to extension data. */ 04212 format->next = (QSHScheme*)extension->data; 04213 extension->data = (void*)format; 04214 04215 /* look for another format of the same name to remove (replacement) */ 04216 do { 04217 if (format->next && (format->next->name == name)) { 04218 QSHScheme* next = format->next; 04219 04220 format->next = next->next; 04221 XFREE(next, 0, DYNAMIC_TYPE_TLSX); 04222 04223 break; 04224 } 04225 } while ((format = format->next)); 04226 } 04227 } 04228 return SSL_SUCCESS; 04229 } 04230 04231 #define QSH_FREE_ALL TLSX_QSH_FreeAll 04232 #define QSH_VALIDATE_REQUEST TLSX_QSH_ValidateRequest 04233 04234 #ifndef NO_WOLFSSL_CLIENT 04235 #define QSH_GET_SIZE TLSX_QSH_GetSize 04236 #define QSH_WRITE TLSX_QSH_Write 04237 #else 04238 #define QSH_GET_SIZE(list) 0 04239 #define QSH_WRITE(a, b) 0 04240 #endif 04241 04242 #ifndef NO_WOLFSSL_SERVER 04243 #define QSH_PARSE TLSX_QSH_Parse 04244 #else 04245 #define QSH_PARSE(a, b, c, d) 0 04246 #endif 04247 04248 #define QSHPK_WRITE TLSX_QSHPK_Write 04249 #define QSH_SERREQ TLSX_QSH_SerPKReq 04250 #else 04251 04252 #define QSH_FREE_ALL(list, heap) 04253 #define QSH_GET_SIZE(list, a) 0 04254 #define QSH_WRITE(a, b) 0 04255 #define QSH_PARSE(a, b, c, d) 0 04256 #define QSHPK_WRITE(a, b) 0 04257 #define QSH_SERREQ(a, b) 0 04258 #define QSH_VALIDATE_REQUEST(a, b) 04259 04260 #endif /* HAVE_QSH */ 04261 04262 /******************************************************************************/ 04263 /* Supported Versions */ 04264 /******************************************************************************/ 04265 04266 #ifdef WOLFSSL_TLS13 04267 /* Return the size of the SupportedVersions extension's data. 04268 * 04269 * data The SSL/TLS object. 04270 * returns the length of data that will be in the extension. 04271 */ 04272 static word16 TLSX_SupportedVersions_GetSize(byte* data) 04273 { 04274 (void)data; 04275 04276 /* TLS v1.2 and TLS v1.3 */ 04277 int cnt = 2; 04278 04279 #ifndef NO_OLD_TLS 04280 /* TLS v1 and TLS v1.1 */ 04281 cnt += 2; 04282 #endif 04283 04284 return OPAQUE8_LEN + cnt * OPAQUE16_LEN; 04285 } 04286 04287 /* Writes the SupportedVersions extension into the buffer. 04288 * 04289 * data The SSL/TLS object. 04290 * output The buffer to write the extension into. 04291 * returns the length of data that was written. 04292 */ 04293 static word16 TLSX_SupportedVersions_Write(byte* data, byte* output) 04294 { 04295 WOLFSSL* ssl = (WOLFSSL*)data; 04296 ProtocolVersion pv = ssl->ctx->method->version; 04297 int i; 04298 /* TLS v1.2 and TLS v1.3 */ 04299 int cnt = 2; 04300 04301 #ifndef NO_OLD_TLS 04302 /* TLS v1 and TLS v1.1 */ 04303 cnt += 2; 04304 #endif 04305 04306 *(output++) = cnt * OPAQUE16_LEN; 04307 for (i = 0; i < cnt; i++) { 04308 /* TODO: [TLS13] Remove code when TLS v1.3 becomes an RFC. */ 04309 if (pv.minor - i == TLSv1_3_MINOR) { 04310 /* The TLS draft major number. */ 04311 *(output++) = TLS_DRAFT_MAJOR; 04312 /* Version of draft supported. */ 04313 *(output++) = TLS_DRAFT_MINOR; 04314 continue; 04315 } 04316 04317 *(output++) = pv.major; 04318 *(output++) = pv.minor - i; 04319 } 04320 04321 return OPAQUE8_LEN + cnt * OPAQUE16_LEN; 04322 } 04323 04324 /* Parse the SupportedVersions extension. 04325 * 04326 * ssl The SSL/TLS object. 04327 * input The buffer with the extension data. 04328 * length The length of the extension data. 04329 * returns 0 on success, otherwise failure. 04330 */ 04331 static int TLSX_SupportedVersions_Parse(WOLFSSL *ssl, byte* input, 04332 word16 length) 04333 { 04334 ProtocolVersion pv = ssl->ctx->method->version; 04335 int i; 04336 int ret = 0; 04337 int len; 04338 04339 /* Must contain a length and at least one version. */ 04340 if (length < OPAQUE8_LEN + OPAQUE16_LEN || (length & 1) != 1) 04341 return BUFFER_ERROR; 04342 04343 len = *input; 04344 04345 /* Protocol version array must fill rest of data. */ 04346 if (length != OPAQUE8_LEN + len) 04347 return BUFFER_ERROR; 04348 04349 input++; 04350 04351 /* Find first match. */ 04352 for (i = 0; i < len; i += OPAQUE16_LEN) { 04353 /* TODO: [TLS13] Remove code when TLS v1.3 becomes an RFC. */ 04354 if (input[i] == TLS_DRAFT_MAJOR && 04355 input[i + OPAQUE8_LEN] == TLS_DRAFT_MINOR) { 04356 ssl->version.minor = TLSv1_3_MINOR; 04357 ssl->options.tls1_3 = 1; 04358 TLSX_Push(&ssl->extensions, TLSX_SUPPORTED_VERSIONS, input, 04359 ssl->heap); 04360 break; 04361 } 04362 04363 if (input[i] != pv.major) 04364 continue; 04365 04366 #ifndef NO_OLD_TLS 04367 if (input[i + OPAQUE8_LEN] == TLSv1_MINOR || 04368 input[i + OPAQUE8_LEN] == TLSv1_1_MINOR) { 04369 ssl->version.minor = input[i + OPAQUE8_LEN]; 04370 break; 04371 } 04372 #endif 04373 if (input[i + OPAQUE8_LEN] == TLSv1_2_MINOR) { 04374 ssl->version.minor = input[i + OPAQUE8_LEN]; 04375 TLSX_Push(&ssl->extensions, TLSX_SUPPORTED_VERSIONS, input, 04376 ssl->heap); 04377 break; 04378 } 04379 if (input[i + OPAQUE8_LEN] == TLSv1_3_MINOR) { 04380 ssl->version.minor = input[i + OPAQUE8_LEN]; 04381 ssl->options.tls1_3 = 1; 04382 TLSX_Push(&ssl->extensions, TLSX_SUPPORTED_VERSIONS, input, 04383 ssl->heap); 04384 break; 04385 } 04386 } 04387 04388 return ret; 04389 } 04390 04391 /* Sets a new SupportedVersions extension into the extension list. 04392 * 04393 * extensions The list of extensions. 04394 * data The extensions specific data. 04395 * heap The heap used for allocation. 04396 * returns 0 on success, otherwise failure. 04397 */ 04398 static int TLSX_SetSupportedVersions(TLSX** extensions, const void* data, 04399 void* heap) 04400 { 04401 if (extensions == NULL || data == NULL) 04402 return BAD_FUNC_ARG; 04403 04404 return TLSX_Push(extensions, TLSX_SUPPORTED_VERSIONS, (void *)data, heap); 04405 } 04406 04407 #define SV_GET_SIZE TLSX_SupportedVersions_GetSize 04408 #define SV_WRITE TLSX_SupportedVersions_Write 04409 #define SV_PARSE TLSX_SupportedVersions_Parse 04410 04411 #else 04412 04413 #define SV_GET_SIZE(a) 0 04414 #define SV_WRITE(a, b) 0 04415 #define SV_PARSE(a, b, c) 0 04416 04417 #endif /* WOLFSSL_TLS13 */ 04418 04419 /******************************************************************************/ 04420 /* Sugnature Algorithms */ 04421 /******************************************************************************/ 04422 04423 #ifdef WOLFSSL_TLS13 04424 /* Return the size of the SignatureAlgorithms extension's data. 04425 * 04426 * data Unused 04427 * returns the length of data that will be in the extension. 04428 */ 04429 static word16 TLSX_SignatureAlgorithms_GetSize(byte* data) 04430 { 04431 WOLFSSL* ssl = (WOLFSSL*)data; 04432 int cnt = 0; 04433 04434 (void)data; 04435 04436 #ifndef NO_RSA 04437 #ifndef NO_SHA1 04438 cnt++; 04439 #endif 04440 #ifndef NO_SHA256 04441 cnt++; 04442 #endif 04443 #ifdef HAVE_SHA384 04444 cnt++; 04445 #endif 04446 #ifdef HAVE_SHA512 04447 cnt++; 04448 #endif 04449 #ifdef WC_RSA_PSS 04450 if (IsAtLeastTLSv1_3(ssl->version)) { 04451 #ifndef NO_SHA256 04452 cnt++; 04453 #endif 04454 #ifdef HAVE_SHA384 04455 cnt++; 04456 #endif 04457 #ifdef HAVE_SHA512 04458 cnt++; 04459 #endif 04460 } 04461 #endif 04462 #endif 04463 04464 #ifdef HAVE_ECC 04465 #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) 04466 #ifndef NO_ECC_SECP 04467 cnt++; 04468 #endif 04469 #endif 04470 #if !defined(NO_ECC384) || defined(HAVE_ALL_CURVES) 04471 #ifndef NO_ECC_SECP 04472 cnt++; 04473 #endif 04474 #endif 04475 #if !defined(NO_ECC521) || defined(HAVE_ALL_CURVES) 04476 #ifndef NO_ECC_SECP 04477 cnt++; 04478 #endif 04479 #endif 04480 #endif 04481 04482 return OPAQUE16_LEN + cnt * OPAQUE16_LEN; 04483 } 04484 04485 /* Writes the SignatureAlgorithms extension into the buffer. 04486 * 04487 * data Unused 04488 * output The buffer to write the extension into. 04489 * returns the length of data that was written. 04490 */ 04491 static word16 TLSX_SignatureAlgorithms_Write(byte* data, byte* output) 04492 { 04493 WOLFSSL* ssl = (WOLFSSL*)data; 04494 int idx = OPAQUE16_LEN; 04495 04496 04497 #ifndef NO_RSA 04498 #ifndef NO_SHA1 04499 output[idx++] = 0x02; 04500 output[idx++] = 0x01; 04501 #endif 04502 #ifndef NO_SHA256 04503 output[idx++] = 0x04; 04504 output[idx++] = 0x01; 04505 #endif 04506 #ifdef HAVE_SHA384 04507 output[idx++] = 0x05; 04508 output[idx++] = 0x01; 04509 #endif 04510 #ifdef HAVE_SHA512 04511 output[idx++] = 0x06; 04512 output[idx++] = 0x01; 04513 #endif 04514 #ifdef WC_RSA_PSS 04515 if (IsAtLeastTLSv1_3(ssl->version)) { 04516 #ifndef NO_SHA256 04517 output[idx++] = 0x08; 04518 output[idx++] = 0x04; 04519 #endif 04520 #ifdef HAVE_SHA384 04521 output[idx++] = 0x08; 04522 output[idx++] = 0x05; 04523 #endif 04524 #ifdef HAVE_SHA512 04525 output[idx++] = 0x08; 04526 output[idx++] = 0x06; 04527 #endif 04528 } 04529 #endif 04530 #endif 04531 04532 #ifdef HAVE_ECC 04533 #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) 04534 #ifndef NO_ECC_SECP 04535 output[idx++] = 0x04; 04536 output[idx++] = 0x03; 04537 #endif 04538 #endif 04539 #if !defined(NO_ECC384) || defined(HAVE_ALL_CURVES) 04540 #ifndef NO_ECC_SECP 04541 output[idx++] = 0x05; 04542 output[idx++] = 0x03; 04543 #endif 04544 #endif 04545 #if !defined(NO_ECC521) || defined(HAVE_ALL_CURVES) 04546 #ifndef NO_ECC_SECP 04547 output[idx++] = 0x06; 04548 output[idx++] = 0x03; 04549 #endif 04550 #endif 04551 #endif 04552 04553 output[0] = (idx - OPAQUE16_LEN) >> 8; 04554 output[1] = idx - OPAQUE16_LEN; 04555 04556 return idx; 04557 } 04558 04559 /* Parse the SignatureAlgorithms extension. 04560 * 04561 * ssl The SSL/TLS object. 04562 * input The buffer with the extension data. 04563 * length The length of the extension data. 04564 * returns 0 on success, otherwise failure. 04565 */ 04566 static int TLSX_SignatureAlgorithms_Parse(WOLFSSL *ssl, byte* input, 04567 word16 length) 04568 { 04569 int ret = 0; 04570 word16 len; 04571 04572 (void)ssl; 04573 04574 /* Must contain a length and at least algorithm. */ 04575 if (length < OPAQUE16_LEN + OPAQUE16_LEN || (length & 1) != 0) 04576 return BUFFER_ERROR; 04577 04578 ato16(input, &len); 04579 04580 /* Algorithm array must fill rest of data. */ 04581 if (length != OPAQUE16_LEN + len) 04582 return BUFFER_ERROR; 04583 04584 /* Ignore for now. */ 04585 04586 return ret; 04587 } 04588 04589 /* Sets a new SupportedVersions extension into the extension list. 04590 * 04591 * extensions The list of extensions. 04592 * data The extensions specific data. 04593 * heap The heap used for allocation. 04594 * returns 0 on success, otherwise failure. 04595 */ 04596 static int TLSX_SetSignatureAlgorithms(TLSX** extensions, const void* data, 04597 void* heap) 04598 { 04599 if (extensions == NULL) 04600 return BAD_FUNC_ARG; 04601 04602 return TLSX_Push(extensions, TLSX_SIGNATURE_ALGORITHMS, (void *)data, heap); 04603 } 04604 04605 #define SA_GET_SIZE TLSX_SignatureAlgorithms_GetSize 04606 #define SA_WRITE TLSX_SignatureAlgorithms_Write 04607 #define SA_PARSE TLSX_SignatureAlgorithms_Parse 04608 04609 #else 04610 04611 #define SA_GET_SIZE(a) 0 04612 #define SA_WRITE(a, b) 0 04613 #define SA_PARSE(a, b, c) 0 04614 04615 #endif 04616 04617 /******************************************************************************/ 04618 /* Key Share */ 04619 /******************************************************************************/ 04620 04621 #ifdef WOLFSSL_TLS13 04622 #ifndef NO_DH 04623 /* Create a key share entry using named Diffie-Hellman parameters group. 04624 * Generates a key pair. 04625 * 04626 * ssl The SSL/TLS object. 04627 * kse The key share entry object. 04628 * returns 0 on success, otherwise failure. 04629 */ 04630 static int TLSX_KeyShare_GenDhKey(WOLFSSL *ssl, KeyShareEntry* kse) 04631 { 04632 int ret; 04633 byte* keyData; 04634 void* key = NULL; 04635 word32 keySz; 04636 word32 dataSz; 04637 const DhParams* params; 04638 DhKey dhKey; 04639 04640 /* TODO: [TLS13] The key size should come from wolfcrypt. */ 04641 /* Pick the parameters from the named group. */ 04642 switch (kse->group) { 04643 #ifdef HAVE_FFDHE_2048 04644 case WOLFSSL_FFDHE_2048: 04645 params = wc_Dh_ffdhe2048_Get(); 04646 keySz = 29; 04647 break; 04648 #endif 04649 #ifdef HAVE_FFDHE_3072 04650 case WOLFSSL_FFDHE_3072: 04651 params = wc_Dh_ffdhe3072_Get(); 04652 keySz = 34; 04653 break; 04654 #endif 04655 #ifdef HAVE_FFDHE_4096 04656 case WOLFSSL_FFDHE_4096: 04657 params = wc_Dh_ffdhe4096_Get(); 04658 keySz = 39; 04659 break; 04660 #endif 04661 #ifdef HAVE_FFDHE_6144 04662 case WOLFSSL_FFDHE_6144: 04663 params = wc_Dh_ffdhe6144_Get(); 04664 keySz = 46; 04665 break; 04666 #endif 04667 #ifdef HAVE_FFDHE_8192 04668 case WOLFSSL_FFDHE_8192: 04669 params = wc_Dh_ffdhe8192_Get(); 04670 keySz = 52; 04671 break; 04672 #endif 04673 default: 04674 return BAD_FUNC_ARG; 04675 } 04676 04677 ret = wc_InitDhKey_ex(&dhKey, ssl->heap, ssl->devId); 04678 if (ret != 0) 04679 return ret; 04680 04681 /* Allocate space for the public key. */ 04682 dataSz = params->p_len; 04683 keyData = (byte*)XMALLOC(dataSz, ssl->heap, DYNAMIC_TYPE_TLSX); 04684 if (keyData == NULL) { 04685 ret = MEMORY_E; 04686 goto end; 04687 } 04688 /* Allocate space for the private key. */ 04689 key = (byte*)XMALLOC(keySz, ssl->heap, DYNAMIC_TYPE_TLSX); 04690 if (key == NULL) { 04691 ret = MEMORY_E; 04692 goto end; 04693 } 04694 04695 /* Set key */ 04696 ret = wc_DhSetKey(&dhKey, 04697 (byte*)params->p, params->p_len, 04698 (byte*)params->g, params->g_len); 04699 if (ret != 0) 04700 goto end; 04701 04702 /* Generate a new key pair. */ 04703 ret = wc_DhGenerateKeyPair(&dhKey, ssl->rng, key, &keySz, keyData, &dataSz); 04704 #ifdef WOLFSSL_ASYNC_CRYPT 04705 /* TODO: Make this function non-blocking */ 04706 if (ret == WC_PENDING_E) { 04707 ret = wc_AsyncWait(ret, &dhKey.asyncDev, WC_ASYNC_FLAG_NONE); 04708 } 04709 #endif 04710 if (ret != 0) 04711 goto end; 04712 04713 if (params->p_len != dataSz) { 04714 /* Pad the front of the key data with zeros. */ 04715 XMEMMOVE(keyData + params->p_len - dataSz, keyData, dataSz); 04716 XMEMSET(keyData, 0, params->p_len - dataSz); 04717 } 04718 04719 kse->ke = keyData; 04720 kse->keLen = params->p_len; 04721 kse->key = key; 04722 kse->keyLen = keySz; 04723 04724 #ifdef WOLFSSL_DEBUG_TLS 04725 WOLFSSL_MSG("Public DH Key"); 04726 WOLFSSL_BUFFER(keyData, params->p_len); 04727 #endif 04728 04729 end: 04730 04731 wc_FreeDhKey(&dhKey); 04732 04733 if (ret != 0) { 04734 /* Data owned by key share entry otherwise. */ 04735 if (keyData != NULL) 04736 XFREE(keyData, ssl->heap, DYNAMIC_TYPE_TLSX); 04737 if (key != NULL) 04738 XFREE(key, ssl->heap, DYNAMIC_TYPE_TLSX); 04739 } 04740 04741 return ret; 04742 } 04743 #endif 04744 04745 #ifndef NO_ECC 04746 /* Create a key share entry using named elliptic curve parameters group. 04747 * Generates a key pair. 04748 * 04749 * ssl The SSL/TLS object. 04750 * kse The key share entry object. 04751 * returns 0 on success, otherwise failure. 04752 */ 04753 static int TLSX_KeyShare_GenEccKey(WOLFSSL *ssl, KeyShareEntry* kse) 04754 { 04755 int ret; 04756 byte* keyData = NULL; 04757 word32 dataSize; 04758 word32 keySize; 04759 ecc_key* eccKey; 04760 word16 curveId; 04761 04762 /* TODO: [TLS13] The key sizes should come from wolfcrypt. */ 04763 /* Translate named group to a curve id. */ 04764 switch (kse->group) { 04765 #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) 04766 #ifndef NO_ECC_SECP 04767 case WOLFSSL_ECC_SECP256R1: 04768 curveId = ECC_SECP256R1; 04769 keySize = 32; 04770 dataSize = keySize * 2 + 1; 04771 break; 04772 #endif /* !NO_ECC_SECP */ 04773 #endif 04774 #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES) 04775 #ifndef NO_ECC_SECP 04776 case WOLFSSL_ECC_SECP384R1: 04777 curveId = ECC_SECP384R1; 04778 keySize = 48; 04779 dataSize = keySize * 2 + 1; 04780 break; 04781 #endif /* !NO_ECC_SECP */ 04782 #endif 04783 #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) 04784 #ifndef NO_ECC_SECP 04785 case WOLFSSL_ECC_SECP521R1: 04786 curveId = ECC_SECP521R1; 04787 keySize = 66; 04788 dataSize = keySize * 2 + 1; 04789 break; 04790 #endif /* !NO_ECC_SECP */ 04791 #endif 04792 #ifdef HAVE_CURVE25519 04793 case WOLFSSL_ECC_X25519: 04794 { 04795 curve25519_key* key; 04796 /* Allocate an ECC key to hold private key. */ 04797 key = (curve25519_key*)XMALLOC(sizeof(curve25519_key), 04798 ssl->heap, DYNAMIC_TYPE_TLSX); 04799 if (key == NULL) { 04800 WOLFSSL_MSG("EccTempKey Memory error"); 04801 return MEMORY_E; 04802 } 04803 04804 dataSize = keySize = 32; 04805 04806 /* Make an ECC key. */ 04807 ret = wc_curve25519_init(key); 04808 if (ret != 0) 04809 goto end; 04810 ret = wc_curve25519_make_key(ssl->rng, keySize, key); 04811 if (ret != 0) 04812 goto end; 04813 04814 /* Allocate space for the public key. */ 04815 keyData = XMALLOC(dataSize, ssl->heap, DYNAMIC_TYPE_TLSX); 04816 if (keyData == NULL) { 04817 WOLFSSL_MSG("Key data Memory error"); 04818 ret = MEMORY_E; 04819 goto end; 04820 } 04821 04822 /* Export public key. */ 04823 if (wc_curve25519_export_public_ex(key, keyData, &dataSize, 04824 EC25519_LITTLE_ENDIAN) != 0) { 04825 ret = ECC_EXPORT_ERROR; 04826 goto end; 04827 } 04828 04829 kse->ke = keyData; 04830 kse->keLen = dataSize; 04831 kse->key = key; 04832 04833 #ifdef WOLFSSL_DEBUG_TLS 04834 WOLFSSL_MSG("Public ECC Key"); 04835 WOLFSSL_BUFFER(keyData, dataSize); 04836 #endif 04837 04838 goto end; 04839 } 04840 #endif 04841 #ifdef HAVE_X448 04842 case WOLFSSL_ECC_X448: 04843 curveId = ECC_X448; 04844 dataSize = keySize = 56; 04845 break; 04846 #endif 04847 default: 04848 return BAD_FUNC_ARG; 04849 } 04850 04851 /* Allocate an ECC key to hold private key. */ 04852 eccKey = (ecc_key*)XMALLOC(sizeof(ecc_key), ssl->heap, DYNAMIC_TYPE_TLSX); 04853 if (eccKey == NULL) { 04854 WOLFSSL_MSG("EccTempKey Memory error"); 04855 return MEMORY_E; 04856 } 04857 04858 /* Make an ECC key. */ 04859 ret = wc_ecc_init_ex(eccKey, ssl->heap, ssl->devId); 04860 if (ret != 0) 04861 goto end; 04862 ret = wc_ecc_make_key_ex(ssl->rng, keySize, eccKey, curveId); 04863 #ifdef WOLFSSL_ASYNC_CRYPT 04864 /* TODO: Make this function non-blocking */ 04865 if (ret == WC_PENDING_E) { 04866 ret = wc_AsyncWait(ret, &eccKey->asyncDev, WC_ASYNC_FLAG_NONE); 04867 } 04868 #endif 04869 if (ret != 0) 04870 goto end; 04871 04872 /* Allocate space for the public key. */ 04873 keyData = XMALLOC(dataSize, ssl->heap, DYNAMIC_TYPE_TLSX); 04874 if (keyData == NULL) { 04875 WOLFSSL_MSG("Key data Memory error"); 04876 ret = MEMORY_E; 04877 goto end; 04878 } 04879 04880 /* Export public key. */ 04881 if (wc_ecc_export_x963(eccKey, keyData, &dataSize) != 0) { 04882 ret = ECC_EXPORT_ERROR; 04883 goto end; 04884 } 04885 04886 kse->ke = keyData; 04887 kse->keLen = dataSize; 04888 kse->key = eccKey; 04889 04890 #ifdef WOLFSSL_DEBUG_TLS 04891 WOLFSSL_MSG("Public ECC Key"); 04892 WOLFSSL_BUFFER(keyData, dataSize); 04893 #endif 04894 04895 end: 04896 if (ret != 0) { 04897 /* Data owned by key share entry otherwise. */ 04898 if (eccKey != NULL) 04899 XFREE(eccKey, ssl->heap, DYNAMIC_TYPE_TLSX); 04900 if (keyData != NULL) 04901 XFREE(keyData, ssl->heap, DYNAMIC_TYPE_TLSX); 04902 } 04903 return ret; 04904 } 04905 #endif /* !NO_ECC */ 04906 04907 /* Generate a secret/key using the key share entry. 04908 * 04909 * ssl The SSL/TLS object. 04910 * kse The key share entry holding peer data. 04911 */ 04912 static int TLSX_KeyShare_GenKey(WOLFSSL *ssl, KeyShareEntry *kse) 04913 { 04914 /* Named FFHE groups have a bit set to identify them. */ 04915 if ((kse->group & NAMED_DH_MASK) == NAMED_DH_MASK) 04916 return TLSX_KeyShare_GenDhKey(ssl, kse); 04917 return TLSX_KeyShare_GenEccKey(ssl, kse); 04918 } 04919 04920 /* Free the key share dynamic data. 04921 * 04922 * list The linked list of key share entry objects. 04923 * heap The heap used for allocation. 04924 */ 04925 static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap) 04926 { 04927 KeyShareEntry* current; 04928 04929 while ((current = list) != NULL) { 04930 list = current->next; 04931 XFREE(current->key, heap, DYNAMIC_TYPE_TLSX); 04932 XFREE(current->ke, heap, DYNAMIC_TYPE_TLSX); 04933 XFREE(current, heap, DYNAMIC_TYPE_TLSX); 04934 } 04935 04936 (void)heap; 04937 } 04938 04939 /* Get the size of the encoded key share extension. 04940 * 04941 * list The linked list of key share extensions. 04942 * msgType The type of the message this extension is being written into. 04943 * returns the number of bytes of the encoded key share extension. 04944 */ 04945 static word16 TLSX_KeyShare_GetSize(KeyShareEntry* list, byte msgType) 04946 { 04947 int len = 0; 04948 byte isRequest = (msgType == client_hello); 04949 KeyShareEntry* current; 04950 04951 /* The named group the server wants to use. */ 04952 if (msgType == hello_retry_request) 04953 return OPAQUE16_LEN; 04954 04955 /* List of key exchange groups. */ 04956 if (isRequest) 04957 len += OPAQUE16_LEN; 04958 while ((current = list) != NULL) { 04959 list = current->next; 04960 04961 if (!isRequest && current->key == NULL) 04962 continue; 04963 04964 len += OPAQUE16_LEN + OPAQUE16_LEN + current->keLen; 04965 } 04966 04967 return len; 04968 } 04969 04970 /* Writes the key share extension into the output buffer. 04971 * Assumes that the the output buffer is big enough to hold data. 04972 * 04973 * list The linked list of key share entries. 04974 * output The buffer to write into. 04975 * msgType The type of the message this extension is being written into. 04976 * returns the number of bytes written into the buffer. 04977 */ 04978 static word16 TLSX_KeyShare_Write(KeyShareEntry* list, byte* output, 04979 byte msgType) 04980 { 04981 word16 i = 0; 04982 byte isRequest = (msgType == client_hello); 04983 KeyShareEntry* current; 04984 04985 if (msgType == hello_retry_request) { 04986 c16toa(list->group, output); 04987 return OPAQUE16_LEN; 04988 } 04989 04990 /* ClientHello has a list but ServerHello is only the chosen. */ 04991 if (isRequest) 04992 i += OPAQUE16_LEN; 04993 04994 /* Write out all in the list. */ 04995 while ((current = list) != NULL) { 04996 list = current->next; 04997 04998 if (!isRequest && current->key == NULL) 04999 continue; 05000 05001 c16toa(current->group, &output[i]); 05002 i += KE_GROUP_LEN; 05003 c16toa(current->keLen, &output[i]); 05004 i += OPAQUE16_LEN; 05005 XMEMCPY(&output[i], current->ke, current->keLen); 05006 i += current->keLen; 05007 } 05008 /* Write the length of the list if required. */ 05009 if (isRequest) 05010 c16toa(i - OPAQUE16_LEN, output); 05011 05012 return i; 05013 } 05014 05015 /* Process the DH key share extension on the client side. 05016 * 05017 * ssl The SSL/TLS object. 05018 * keyShareEntry The key share entry object to use to calculate shared secret. 05019 * returns 0 on success and other values indicate failure. 05020 */ 05021 static int TLSX_KeyShare_ProcessDh(WOLFSSL* ssl, KeyShareEntry* keyShareEntry) 05022 { 05023 #ifndef NO_DH 05024 int ret; 05025 const DhParams* params; 05026 word16 i; 05027 byte b; 05028 DhKey dhKey; 05029 05030 switch (keyShareEntry->group) { 05031 #ifdef HAVE_FFDHE_2048 05032 case WOLFSSL_FFDHE_2048: 05033 params = wc_Dh_ffdhe2048_Get(); 05034 break; 05035 #endif 05036 #ifdef HAVE_FFDHE_3072 05037 case WOLFSSL_FFDHE_3072: 05038 params = wc_Dh_ffdhe3072_Get(); 05039 break; 05040 #endif 05041 #ifdef HAVE_FFDHE_4096 05042 case WOLFSSL_FFDHE_4096: 05043 params = wc_Dh_ffdhe4096_Get(); 05044 break; 05045 #endif 05046 #ifdef HAVE_FFDHE_6144 05047 case WOLFSSL_FFDHE_6144: 05048 params = wc_Dh_ffdhe6144_Get(); 05049 break; 05050 #endif 05051 #ifdef HAVE_FFDHE_8192 05052 case WOLFSSL_FFDHE_8192: 05053 params = wc_Dh_ffdhe8192_Get(); 05054 break; 05055 #endif 05056 default: 05057 return PEER_KEY_ERROR; 05058 } 05059 05060 #ifdef WOLFSSL_DEBUG_TLS 05061 WOLFSSL_MSG("Peer DH Key"); 05062 WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen); 05063 #endif 05064 05065 if (params->p_len != keyShareEntry->keLen) 05066 return BUFFER_ERROR; 05067 05068 /* TODO: [TLS13] move this check down into wolfcrypt. */ 05069 /* Check that public DH key is not 0 or 1. */ 05070 b = 0; 05071 for (i = 0; i < params->p_len - 1; i++) 05072 b |= keyShareEntry->ke[i]; 05073 if (b == 0 && (keyShareEntry->ke[i] == 0x00 || 05074 keyShareEntry->ke[i] == 0x01)) { 05075 return PEER_KEY_ERROR; 05076 } 05077 /* Check that public DH key is not mod, mod + 1 or mod - 1. */ 05078 b = 0; 05079 for (i = 0; i < params->p_len - 1; i++) 05080 b |= params->p[i] ^ keyShareEntry->ke[i]; 05081 if (b == 0 && (params->p[i] == keyShareEntry->ke[i] || 05082 params->p[i] - 1 == keyShareEntry->ke[i] || 05083 params->p[i] + 1 == keyShareEntry->ke[i])) { 05084 return PEER_KEY_ERROR; 05085 } 05086 05087 ret = wc_InitDhKey_ex(&dhKey, ssl->heap, ssl->devId); 05088 if (ret != 0) 05089 return ret; 05090 05091 /* Set key */ 05092 ret = wc_DhSetKey(&dhKey, 05093 (byte*)params->p, params->p_len, 05094 (byte*)params->g, params->g_len); 05095 if (ret != 0) { 05096 wc_FreeDhKey(&dhKey); 05097 return ret; 05098 } 05099 05100 /* Derive secret from private key and peer's public key. */ 05101 ret = wc_DhAgree(&dhKey, 05102 ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz, 05103 keyShareEntry->key, keyShareEntry->keyLen, 05104 keyShareEntry->ke, keyShareEntry->keLen); 05105 #ifdef WOLFSSL_ASYNC_CRYPT 05106 /* TODO: Make this function non-blocking */ 05107 if (ret == WC_PENDING_E) { 05108 ret = wc_AsyncWait(ret, &dhKey.asyncDev, WC_ASYNC_FLAG_NONE); 05109 } 05110 #endif 05111 05112 wc_FreeDhKey(&dhKey); 05113 05114 return ret; 05115 #else 05116 return PEER_KEY_ERROR; 05117 #endif 05118 } 05119 05120 /* Process the ECC key share extension on the client side. 05121 * 05122 * ssl The SSL/TLS object. 05123 * keyShareEntry The key share entry object to use to calculate shared secret. 05124 * returns 0 on success and other values indicate failure. 05125 */ 05126 static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry) 05127 { 05128 #ifndef NO_ECC 05129 int ret; 05130 int curveId; 05131 ecc_key* keyShareKey = (ecc_key*)keyShareEntry->key; 05132 05133 if (ssl->peerEccKey != NULL) 05134 wc_ecc_free(ssl->peerEccKey); 05135 05136 ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key), ssl->heap, 05137 DYNAMIC_TYPE_TLSX); 05138 if (ssl->peerEccKey == NULL) { 05139 WOLFSSL_MSG("PeerEccKey Memory error"); 05140 return MEMORY_ERROR; 05141 } 05142 ret = wc_ecc_init_ex(ssl->peerEccKey, ssl->heap, ssl->devId); 05143 if (ret != 0) 05144 return ret; 05145 05146 /* find supported curve */ 05147 switch (keyShareEntry->group) { 05148 #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) 05149 #ifndef NO_ECC_SECP 05150 case WOLFSSL_ECC_SECP256R1: 05151 curveId = ECC_SECP256R1; 05152 break; 05153 #endif /* !NO_ECC_SECP */ 05154 #endif 05155 #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES) 05156 #ifndef NO_ECC_SECP 05157 case WOLFSSL_ECC_SECP384R1: 05158 curveId = ECC_SECP384R1; 05159 break; 05160 #endif /* !NO_ECC_SECP */ 05161 #endif 05162 #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) 05163 #ifndef NO_ECC_SECP 05164 case WOLFSSL_ECC_SECP521R1: 05165 curveId = ECC_SECP521R1; 05166 break; 05167 #endif /* !NO_ECC_SECP */ 05168 #endif 05169 #ifdef HAVE_CURVE25519 05170 case WOLFSSL_ECC_X25519: 05171 { 05172 curve25519_key* key = (curve25519_key*)keyShareEntry->key; 05173 curve25519_key* peerEccKey; 05174 05175 if (ssl->peerEccKey != NULL) 05176 wc_ecc_free(ssl->peerEccKey); 05177 05178 peerEccKey = (curve25519_key*)XMALLOC(sizeof(curve25519_key), 05179 ssl->heap, DYNAMIC_TYPE_TLSX); 05180 if (peerEccKey == NULL) { 05181 WOLFSSL_MSG("PeerEccKey Memory error"); 05182 return MEMORY_ERROR; 05183 } 05184 ret = wc_curve25519_init(peerEccKey); 05185 if (ret != 0) 05186 return ret; 05187 #ifdef WOLFSSL_DEBUG_TLS 05188 WOLFSSL_MSG("Peer ECC Key"); 05189 WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen); 05190 #endif 05191 05192 /* Point is validated by import function. */ 05193 if (wc_curve25519_import_public_ex(keyShareEntry->ke, 05194 keyShareEntry->keLen, peerEccKey, 05195 EC25519_LITTLE_ENDIAN) != 0) { 05196 return ECC_PEERKEY_ERROR; 05197 } 05198 05199 ssl->arrays->preMasterSz = ENCRYPT_LEN; 05200 ret = wc_curve25519_shared_secret_ex(key, peerEccKey, 05201 ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz, 05202 EC25519_LITTLE_ENDIAN); 05203 wc_curve25519_free(peerEccKey); 05204 XFREE(peerEccKey, ssl->heap, DYNAMIC_TYPE_TLSX); 05205 return ret; 05206 } 05207 #endif 05208 #ifdef HAVE_X448 05209 case WOLFSSL_ECC_X448: 05210 curveId = ECC_X448; 05211 break; 05212 #endif 05213 default: 05214 /* unsupported curve */ 05215 return ECC_PEERKEY_ERROR; 05216 } 05217 05218 #ifdef WOLFSSL_DEBUG_TLS 05219 WOLFSSL_MSG("Peer ECC Key"); 05220 WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen); 05221 #endif 05222 05223 /* Point is validated by import function. */ 05224 if (wc_ecc_import_x963_ex(keyShareEntry->ke, keyShareEntry->keLen, 05225 ssl->peerEccKey, curveId) != 0) { 05226 return ECC_PEERKEY_ERROR; 05227 } 05228 05229 ssl->arrays->preMasterSz = ENCRYPT_LEN; 05230 do { 05231 #if defined(WOLFSSL_ASYNC_CRYPT) 05232 ret = wc_AsyncWait(ret, &keyShareKey->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); 05233 #endif 05234 if (ret >= 0) 05235 ret = wc_ecc_shared_secret(keyShareKey, ssl->peerEccKey, 05236 ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz); 05237 } while (ret == WC_PENDING_E); 05238 05239 #if 0 05240 /* TODO: Switch to support async here and use: */ 05241 ret = EccSharedSecret(ssl, keyShareEntry->key, ssl->peerEccKey, 05242 keyShareEntry->ke, &keyShareEntry->keLen, 05243 ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz, 05244 ssl->options.side, 05245 #ifdef HAVE_PK_CALLBACKS 05246 ssl->EccSharedSecretCtx 05247 #else 05248 NULL 05249 #endif 05250 ); 05251 #endif 05252 05253 return ret; 05254 #else 05255 return PEER_KEY_ERROR; 05256 #endif 05257 } 05258 05259 /* Process the key share extension on the client side. 05260 * 05261 * ssl The SSL/TLS object. 05262 * keyShareEntry The key share entry object to use to calculate shared secret. 05263 * returns 0 on success and other values indicate failure. 05264 */ 05265 static int TLSX_KeyShare_Process(WOLFSSL* ssl, KeyShareEntry* keyShareEntry) 05266 { 05267 int ret; 05268 05269 #ifdef HAVE_SESSION_TICKET 05270 ssl->session.namedGroup = keyShareEntry->group; 05271 #endif 05272 /* Use Key Share Data from server. */ 05273 if (keyShareEntry->group & NAMED_DH_MASK) 05274 ret = TLSX_KeyShare_ProcessDh(ssl, keyShareEntry); 05275 else 05276 ret = TLSX_KeyShare_ProcessEcc(ssl, keyShareEntry); 05277 05278 #ifdef WOLFSSL_DEBUG_TLS 05279 WOLFSSL_MSG("KE Secret"); 05280 WOLFSSL_BUFFER(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz); 05281 #endif 05282 05283 return ret; 05284 } 05285 05286 /* Parse an entry of the KeyShare extension. 05287 * 05288 * ssl The SSL/TLS object. 05289 * input The extension data. 05290 * length The length of the extension data. 05291 * kse The new key share entry object. 05292 * returns a positive number to indicate amount of data parsed and a negative 05293 * number on error. 05294 */ 05295 static int TLSX_KeyShareEntry_Parse(WOLFSSL* ssl, byte* input, word16 length, 05296 KeyShareEntry **kse) 05297 { 05298 int ret; 05299 word16 group; 05300 word16 keLen; 05301 int offset = 0; 05302 byte* ke; 05303 05304 if (length < OPAQUE16_LEN + OPAQUE16_LEN) 05305 return BUFFER_ERROR; 05306 /* Named group */ 05307 ato16(&input[offset], &group); 05308 offset += OPAQUE16_LEN; 05309 /* Key exchange data - public key. */ 05310 ato16(&input[offset], &keLen); 05311 offset += OPAQUE16_LEN; 05312 if (keLen < 1 || keLen > length - offset) 05313 return BUFFER_ERROR; 05314 05315 /* Store a copy in the key share object. */ 05316 ke = XMALLOC(keLen, ssl->heap, DYNAMIC_TYPE_TLSX); 05317 if (ke == NULL) 05318 return MEMORY_E; 05319 XMEMCPY(ke, &input[offset], keLen); 05320 05321 /* Populate a key share object in the extension. */ 05322 ret = TLSX_KeyShare_Use(ssl, group, keLen, ke, kse); 05323 if (ret != 0) 05324 return ret; 05325 05326 /* Total length of the parsed data. */ 05327 return offset + keLen; 05328 } 05329 05330 /* Searches the groups sent for the specified named group. 05331 * 05332 * ssl The SSL/TLS object. 05333 * name The group name to match. 05334 * returns 1 when the extension has the group name and 0 otherwise. 05335 */ 05336 static int TLSX_KeyShare_Find(WOLFSSL* ssl, word16 group) 05337 { 05338 TLSX* extension; 05339 KeyShareEntry* list; 05340 05341 extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); 05342 if (extension == NULL) 05343 return 0; 05344 05345 list = (KeyShareEntry*)extension->data; 05346 while (list != NULL) { 05347 if (list->group == group) { 05348 return 1; 05349 } 05350 list = list->next; 05351 } 05352 05353 return 0; 05354 } 05355 05356 /* Parse the KeyShare extension. 05357 * Different formats in different messages. 05358 * 05359 * ssl The SSL/TLS object. 05360 * input The extension data. 05361 * length The length of the extension data. 05362 * msgType The type of the message this extension is being parsed from. 05363 * returns 0 on success and other values indicate failure. 05364 */ 05365 static int TLSX_KeyShare_Parse(WOLFSSL* ssl, byte* input, word16 length, 05366 byte msgType) 05367 { 05368 int ret; 05369 KeyShareEntry *keyShareEntry; 05370 05371 if (msgType == client_hello) { 05372 int offset = 0; 05373 word16 len; 05374 05375 if (length < OPAQUE16_LEN) 05376 return BUFFER_ERROR; 05377 05378 /* ClientHello contains zero or more key share entries. */ 05379 ato16(input, &len); 05380 if (len != length - OPAQUE16_LEN) 05381 return BUFFER_ERROR; 05382 offset += OPAQUE16_LEN; 05383 05384 while (offset < length) { 05385 ret = TLSX_KeyShareEntry_Parse(ssl, &input[offset], length, 05386 &keyShareEntry); 05387 if (ret < 0) 05388 return ret; 05389 05390 offset += ret; 05391 } 05392 05393 ret = 0; 05394 } 05395 else if (msgType == server_hello) { 05396 int len; 05397 05398 /* ServerHello contains one key share entry. */ 05399 len = TLSX_KeyShareEntry_Parse(ssl, input, length, &keyShareEntry); 05400 if (len != length) 05401 return BUFFER_ERROR; 05402 05403 /* Not in list sent if there isn't a private key. */ 05404 if (keyShareEntry->key == NULL) 05405 return BAD_KEY_SHARE_DATA; 05406 05407 /* Process the entry to calculate the secret. */ 05408 ret = TLSX_KeyShare_Process(ssl, keyShareEntry); 05409 } 05410 else if (msgType == hello_retry_request) { 05411 word16 group; 05412 05413 if (length != OPAQUE16_LEN) 05414 return BUFFER_ERROR; 05415 05416 /* The data is the named group the server wants to use. */ 05417 ato16(input, &group); 05418 05419 /* Check the selected group was supported by ClientHello extensions. */ 05420 if (!TLSX_SupportedGroups_Find(ssl, group)) 05421 return BAD_KEY_SHARE_DATA; 05422 05423 /* Check if the group was sent. */ 05424 if (TLSX_KeyShare_Find(ssl, group)) 05425 return BAD_KEY_SHARE_DATA; 05426 05427 /* Try to use the server's group. */ 05428 ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL); 05429 } 05430 else { 05431 /* Not a message type that is allowed to have this extension. */ 05432 return SANITY_MSG_E; 05433 } 05434 05435 return ret; 05436 } 05437 05438 /* Create a new key share entry and put it into the list. 05439 * 05440 * list The linked list of key share entries. 05441 * group The named group. 05442 * heap The memory to allocate with. 05443 * keyShareEntry The new key share entry object. 05444 * returns 0 on success and other values indicate failure. 05445 */ 05446 static int TLSX_KeyShare_New(KeyShareEntry** list, int group, void *heap, 05447 KeyShareEntry** keyShareEntry) 05448 { 05449 KeyShareEntry* kse; 05450 05451 kse = (KeyShareEntry*)XMALLOC(sizeof(KeyShareEntry), heap, 05452 DYNAMIC_TYPE_TLSX); 05453 if (kse == NULL) 05454 return MEMORY_E; 05455 05456 XMEMSET(kse, 0, sizeof(*kse)); 05457 kse->group = group; 05458 05459 /* Add it to the back and maintain the links. */ 05460 while (*list != NULL) 05461 list = &((*list)->next); 05462 *list = kse; 05463 *keyShareEntry = kse; 05464 05465 return 0; 05466 } 05467 05468 /* Use the data to create a new key share object in the extensions. 05469 * 05470 * ssl The SSL/TLS object. 05471 * group The named group. 05472 * len The length of the public key data. 05473 * data The public key data. 05474 * kse The new key share entry object. 05475 * returns 0 on success and other values indicate failure. 05476 */ 05477 int TLSX_KeyShare_Use(WOLFSSL* ssl, word16 group, word16 len, byte* data, 05478 KeyShareEntry **kse) 05479 { 05480 int ret = 0; 05481 TLSX* extension; 05482 KeyShareEntry* keyShareEntry = NULL; 05483 05484 /* Find the KeyShare extension if it exists. */ 05485 extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); 05486 if (extension == NULL) { 05487 /* Push new KeyShare extension. */ 05488 ret = TLSX_Push(&ssl->extensions, TLSX_KEY_SHARE, NULL, ssl->heap); 05489 if (ret != 0) 05490 return ret; 05491 05492 extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); 05493 if (extension == NULL) 05494 return MEMORY_E; 05495 } 05496 05497 /* Try to find the key share entry with this group. */ 05498 keyShareEntry = (KeyShareEntry*)extension->data; 05499 while (keyShareEntry != NULL) { 05500 if (keyShareEntry->group == group) 05501 break; 05502 keyShareEntry = keyShareEntry->next; 05503 } 05504 05505 /* Create a new key share entry if not found. */ 05506 if (keyShareEntry == NULL) { 05507 ret = TLSX_KeyShare_New((KeyShareEntry**)&extension->data, group, 05508 ssl->heap, &keyShareEntry); 05509 if (ret != 0) 05510 return ret; 05511 } 05512 05513 if (data != NULL) { 05514 /* Keep the public key data and free when finished. */ 05515 if (keyShareEntry->ke != NULL) 05516 XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_TLSX); 05517 keyShareEntry->ke = data; 05518 keyShareEntry->keLen = len; 05519 } 05520 else { 05521 /* Generate a key pair. */ 05522 ret = TLSX_KeyShare_GenKey(ssl, keyShareEntry); 05523 if (ret != 0) 05524 return ret; 05525 } 05526 05527 if (kse != NULL) 05528 *kse = keyShareEntry; 05529 05530 return 0; 05531 } 05532 05533 /* Set an empty Key Share extension. 05534 * 05535 * ssl The SSL/TLS object. 05536 * returns 0 on success and other values indicate failure. 05537 */ 05538 int TLSX_KeyShare_Empty(WOLFSSL* ssl) 05539 { 05540 int ret = 0; 05541 TLSX* extension; 05542 05543 /* Find the KeyShare extension if it exists. */ 05544 extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); 05545 if (extension == NULL) { 05546 /* Push new KeyShare extension. */ 05547 ret = TLSX_Push(&ssl->extensions, TLSX_KEY_SHARE, NULL, ssl->heap); 05548 } 05549 else if (extension->data != NULL) { 05550 TLSX_KeyShare_FreeAll(extension->data, ssl->heap); 05551 extension->data = NULL; 05552 } 05553 05554 return ret; 05555 } 05556 05557 /* Returns whether this group is supported. 05558 * 05559 * namedGroup The named group to check. 05560 * returns 1 when supported or 0 otherwise. 05561 */ 05562 static int TLSX_KeyShare_IsSupported(int namedGroup) 05563 { 05564 switch (namedGroup) { 05565 #ifdef HAVE_FFDHE_2048 05566 case WOLFSSL_FFDHE_2048: 05567 break; 05568 #endif 05569 #ifdef HAVE_FFDHE_3072 05570 case WOLFSSL_FFDHE_3072: 05571 break; 05572 #endif 05573 #ifdef HAVE_FFDHE_4096 05574 case WOLFSSL_FFDHE_4096: 05575 break; 05576 #endif 05577 #ifdef HAVE_FFDHE_6144 05578 case WOLFSSL_FFDHE_6144: 05579 break; 05580 #endif 05581 #ifdef HAVE_FFDHE_8192 05582 case WOLFSSL_FFDHE_8192: 05583 break; 05584 #endif 05585 #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) 05586 #ifndef NO_ECC_SECP 05587 case WOLFSSL_ECC_SECP256R1: 05588 break; 05589 #endif /* !NO_ECC_SECP */ 05590 #endif 05591 #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES) 05592 #ifndef NO_ECC_SECP 05593 case WOLFSSL_ECC_SECP384R1: 05594 break; 05595 #endif /* !NO_ECC_SECP */ 05596 #endif 05597 #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) 05598 #ifndef NO_ECC_SECP 05599 case WOLFSSL_ECC_SECP521R1: 05600 break; 05601 #endif /* !NO_ECC_SECP */ 05602 #endif 05603 #ifdef HAVE_CURVE25519 05604 case WOLFSSL_ECC_X25519: 05605 break; 05606 #endif 05607 #ifdef HAVE_X448 05608 case WOLFSSL_ECC_X448: 05609 break; 05610 #endif 05611 default: 05612 return 0; 05613 } 05614 05615 return 1; 05616 } 05617 05618 /* Set a key share that is supported by the client into extensions. 05619 * 05620 * ssl The SSL/TLS object. 05621 * returns BAD_KEY_SHARE_DATA if no supported group has a key share, 05622 * 0 if a supported group has a key share and other values indicate an error. 05623 */ 05624 static int TLSX_KeyShare_SetSupported(WOLFSSL* ssl) 05625 { 05626 int ret; 05627 TLSX* extension; 05628 EllipticCurve* curve = NULL; 05629 05630 /* Use SupportedGroup's order. */ 05631 extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS); 05632 if (extension != NULL) 05633 curve = (EllipticCurve*)extension->data; 05634 for (; curve != NULL; curve = curve->next) { 05635 if (TLSX_KeyShare_IsSupported(curve->name) && 05636 !TLSX_KeyShare_Find(ssl, curve->name)) { 05637 break; 05638 } 05639 } 05640 if (curve == NULL) 05641 return BAD_KEY_SHARE_DATA; 05642 05643 /* Delete the old key share data list. */ 05644 extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); 05645 if (extension != NULL) { 05646 TLSX_KeyShare_FreeAll(extension->data, ssl->heap); 05647 extension->data = NULL; 05648 } 05649 05650 /* Add in the chosen group. */ 05651 ret = TLSX_KeyShare_Use(ssl, curve->name, 0, NULL, NULL); 05652 if (ret != 0) 05653 return ret; 05654 05655 /* Set extension to be in reponse. */ 05656 extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); 05657 extension->resp = 1; 05658 05659 return 0; 05660 } 05661 05662 /* Establish the secret based on the key shares received from the client. 05663 * 05664 * ssl The SSL/TLS object. 05665 * returns 0 on success and other values indicate failure. 05666 */ 05667 int TLSX_KeyShare_Establish(WOLFSSL *ssl) 05668 { 05669 int ret; 05670 TLSX* extension; 05671 KeyShareEntry* clientKSE = NULL; 05672 KeyShareEntry* serverKSE; 05673 KeyShareEntry* list = NULL; 05674 byte* ke; 05675 word16 keLen; 05676 05677 /* Find the KeyShare extension if it exists. */ 05678 extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); 05679 if (extension != NULL) 05680 list = (KeyShareEntry*)extension->data; 05681 05682 /* TODO: [TLS13] Server's preference and sending back SupportedGroups */ 05683 /* Use client's preference. */ 05684 for (clientKSE = list; clientKSE != NULL; clientKSE = clientKSE->next) { 05685 /* Check consistency now - extensions in any order. */ 05686 if (!TLSX_SupportedGroups_Find(ssl, clientKSE->group)) 05687 return BAD_KEY_SHARE_DATA; 05688 05689 /* Check if server supports group. */ 05690 if (TLSX_KeyShare_IsSupported(clientKSE->group)) 05691 break; 05692 } 05693 /* No supported group found - send HelloRetryRequest. */ 05694 if (clientKSE == NULL) { 05695 ret = TLSX_KeyShare_SetSupported(ssl); 05696 /* Return KEY_SHARE_ERROR to indicate HelloRetryRequest required. */ 05697 if (ret == 0) 05698 return KEY_SHARE_ERROR; 05699 return ret; 05700 } 05701 05702 list = NULL; 05703 /* Generate a new key pair. */ 05704 ret = TLSX_KeyShare_New(&list, clientKSE->group, ssl->heap, &serverKSE); 05705 if (ret != 0) 05706 return ret; 05707 ret = TLSX_KeyShare_GenKey(ssl, serverKSE); 05708 if (ret != 0) 05709 return ret; 05710 05711 /* Move private key to client entry. */ 05712 if (clientKSE->key != NULL) 05713 XFREE(clientKSE->key, heap, DYNAMIC_TYPE_TLSX); 05714 clientKSE->key = serverKSE->key; 05715 serverKSE->key = NULL; 05716 clientKSE->keyLen = serverKSE->keyLen; 05717 05718 /* Calculate secret. */ 05719 ret = TLSX_KeyShare_Process(ssl, clientKSE); 05720 if (ret != 0) 05721 return ret; 05722 05723 /* Swap public keys for sending to client. */ 05724 ke = serverKSE->ke; 05725 keLen = serverKSE->keLen; 05726 serverKSE->ke = clientKSE->ke; 05727 serverKSE->keLen = clientKSE->keLen; 05728 clientKSE->ke = ke; 05729 clientKSE->keLen = keLen; 05730 05731 extension->resp = 1; 05732 05733 /* Dispose of temporary server extension. */ 05734 TLSX_KeyShare_FreeAll(list, ssl->heap); 05735 05736 return 0; 05737 } 05738 05739 #define KS_FREE_ALL TLSX_KeyShare_FreeAll 05740 #define KS_GET_SIZE TLSX_KeyShare_GetSize 05741 #define KS_WRITE TLSX_KeyShare_Write 05742 #define KS_PARSE TLSX_KeyShare_Parse 05743 05744 #else 05745 05746 #define KS_FREE_ALL(a, b) 05747 #define KS_GET_SIZE(a, b) 0 05748 #define KS_WRITE(a, b, c) 0 05749 #define KS_PARSE(a, b, c, d) 0 05750 05751 #endif /* WOLFSSL_TLS13 */ 05752 05753 /******************************************************************************/ 05754 /* Pre-Shared Key */ 05755 /******************************************************************************/ 05756 05757 #if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) && !defined(NO_PSK) 05758 /* Free the pre-shared key dynamic data. 05759 * 05760 * list The linked list of key share entry objects. 05761 * heap The heap used for allocation. 05762 */ 05763 static void TLSX_PreSharedKey_FreeAll(PreSharedKey* list, void* heap) 05764 { 05765 PreSharedKey* current; 05766 05767 while ((current = list) != NULL) { 05768 list = current->next; 05769 XFREE(current->identity, heap, DYNAMIC_TYPE_TLSX); 05770 XFREE(current, heap, DYNAMIC_TYPE_TLSX); 05771 } 05772 05773 (void)heap; 05774 } 05775 05776 /* Get the size of the encoded pre shared key extension. 05777 * 05778 * list The linked list of pre-shared key extensions. 05779 * msgType The type of the message this extension is being written into. 05780 * returns the number of bytes of the encoded pre-shared key extension or 05781 * SANITY_MSG_E to indicate invalid message type. 05782 */ 05783 static word16 TLSX_PreSharedKey_GetSize(PreSharedKey* list, byte msgType) 05784 { 05785 if (msgType == client_hello) { 05786 /* Length of identities + Length of binders. */ 05787 word16 len = OPAQUE16_LEN + OPAQUE16_LEN; 05788 while (list != NULL) { 05789 /* Each entry has: identity, ticket age and binder. */ 05790 len += OPAQUE16_LEN + list->identityLen + OPAQUE32_LEN + 05791 OPAQUE8_LEN + list->binderLen; 05792 list = list->next; 05793 } 05794 return len; 05795 } 05796 05797 if (msgType == server_hello) { 05798 return OPAQUE16_LEN; 05799 } 05800 05801 return 0; 05802 } 05803 05804 /* The number of bytes to be written for the binders. 05805 * 05806 * list The linked list of pre-shared key extensions. 05807 * msgType The type of the message this extension is being written into. 05808 * returns the number of bytes of the encoded pre-shared key extension or 05809 * SANITY_MSG_E to indicate invalid message type. 05810 */ 05811 word16 TLSX_PreSharedKey_GetSizeBinders(PreSharedKey* list, byte msgType) 05812 { 05813 word16 len; 05814 05815 if (msgType != client_hello) 05816 return SANITY_MSG_E; 05817 05818 /* Length of all binders. */ 05819 len = OPAQUE16_LEN; 05820 while (list != NULL) { 05821 len += OPAQUE8_LEN + list->binderLen; 05822 list = list->next; 05823 } 05824 05825 return len; 05826 } 05827 05828 /* Writes the pre-shared key extension into the output buffer - binders only. 05829 * Assumes that the the output buffer is big enough to hold data. 05830 * 05831 * list The linked list of key share entries. 05832 * output The buffer to write into. 05833 * msgType The type of the message this extension is being written into. 05834 * returns the number of bytes written into the buffer. 05835 */ 05836 word16 TLSX_PreSharedKey_WriteBinders(PreSharedKey* list, byte* output, 05837 byte msgType) 05838 { 05839 PreSharedKey* current = list; 05840 word16 idx = 0; 05841 word16 lenIdx; 05842 word16 len; 05843 05844 if (msgType != client_hello) 05845 return SANITY_MSG_E; 05846 05847 /* Skip length of all binders. */ 05848 lenIdx = idx; 05849 idx += OPAQUE16_LEN; 05850 while (current != NULL) { 05851 /* Binder data length. */ 05852 output[idx++] = current->binderLen; 05853 /* Binder data. */ 05854 XMEMCPY(output + idx, current->binder, current->binderLen); 05855 idx += current->binderLen; 05856 05857 current = current->next; 05858 } 05859 /* Length of the binders. */ 05860 len = idx - lenIdx - OPAQUE16_LEN; 05861 c16toa(len, output + lenIdx); 05862 05863 return idx; 05864 } 05865 05866 05867 /* Writes the pre-shared key extension into the output buffer. 05868 * Assumes that the the output buffer is big enough to hold data. 05869 * 05870 * list The linked list of key share entries. 05871 * output The buffer to write into. 05872 * msgType The type of the message this extension is being written into. 05873 * returns the number of bytes written into the buffer. 05874 */ 05875 static word16 TLSX_PreSharedKey_Write(PreSharedKey* list, byte* output, 05876 byte msgType) 05877 { 05878 if (msgType == client_hello) { 05879 PreSharedKey* current = list; 05880 word16 idx = 0; 05881 word16 lenIdx; 05882 word16 len; 05883 05884 /* Write identites only. Binders after HMACing over this. */ 05885 lenIdx = idx; 05886 idx += OPAQUE16_LEN; 05887 while (current != NULL) { 05888 /* Identity length */ 05889 c16toa(current->identityLen, output + idx); 05890 idx += OPAQUE16_LEN; 05891 /* Identity data */ 05892 XMEMCPY(output + idx, current->identity, current->identityLen); 05893 idx += current->identityLen; 05894 05895 /* Obfuscated ticket age. */ 05896 c32toa(current->ticketAge, output + idx); 05897 idx += OPAQUE32_LEN; 05898 05899 current = current->next; 05900 } 05901 /* Length of the identites. */ 05902 len = idx - lenIdx - OPAQUE16_LEN; 05903 c16toa(len, output + lenIdx); 05904 05905 /* Don't include binders here. 05906 * The binders are based on the hash of all the ClientHello data up to 05907 * and include the identities written above. 05908 */ 05909 idx += TLSX_PreSharedKey_GetSizeBinders(list, msgType); 05910 05911 return idx; 05912 } 05913 05914 if (msgType == server_hello) { 05915 word16 i; 05916 05917 /* Find the index of the chosen identity. */ 05918 for (i=0; list != NULL && !list->chosen; i++) 05919 list = list->next; 05920 if (list == NULL) 05921 return BUILD_MSG_ERROR; 05922 05923 /* The index of the identity chosen by the server from the list supplied 05924 * by the client. 05925 */ 05926 c16toa(i, output); 05927 return OPAQUE16_LEN; 05928 } 05929 05930 return 0; 05931 } 05932 05933 /* Parse the pre-shared key extension. 05934 * Different formats in different messages. 05935 * 05936 * ssl The SSL/TLS object. 05937 * input The extension data. 05938 * length The length of the extension data. 05939 * msgType The type of the message this extension is being parsed from. 05940 * returns 0 on success and other values indicate failure. 05941 */ 05942 static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, byte* input, word16 length, 05943 byte msgType) 05944 { 05945 TLSX* extension; 05946 PreSharedKey* list; 05947 05948 if (msgType == client_hello) { 05949 int ret; 05950 word16 len; 05951 word16 idx = 0; 05952 05953 /* Length of identities and of binders. */ 05954 if (length - idx < OPAQUE16_LEN + OPAQUE16_LEN) 05955 return BUFFER_E; 05956 05957 /* Length of identities. */ 05958 ato16(input + idx, &len); 05959 idx += OPAQUE16_LEN; 05960 if (len < MIN_PSK_ID_LEN || length - idx < len) 05961 return BUFFER_E; 05962 05963 /* Create a pre-shared key object for each identity. */ 05964 while (len > 0) { 05965 byte* identity; 05966 word16 identityLen; 05967 word32 age; 05968 05969 if (len < OPAQUE16_LEN) 05970 return BUFFER_E; 05971 05972 /* Length of identity. */ 05973 ato16(input + idx, &identityLen); 05974 idx += OPAQUE16_LEN; 05975 if (len < OPAQUE16_LEN + identityLen + OPAQUE32_LEN) 05976 return BUFFER_E; 05977 /* Cache identity pointer. */ 05978 identity = input + idx; 05979 idx += identityLen; 05980 /* Ticket age. */ 05981 ato32(input + idx, &age); 05982 idx += OPAQUE32_LEN; 05983 05984 ret = TLSX_PreSharedKey_Use(ssl, identity, identityLen, age, 0, 1, 05985 NULL); 05986 if (ret != 0) 05987 return ret; 05988 05989 /* Done with this identity. */ 05990 len -= OPAQUE16_LEN + identityLen + OPAQUE32_LEN; 05991 } 05992 05993 /* Find the list of identities sent to server. */ 05994 extension = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); 05995 if (extension == NULL) 05996 return PSK_KEY_ERROR; 05997 list = (PreSharedKey*)extension->data; 05998 05999 /* Length of binders. */ 06000 ato16(input + idx, &len); 06001 idx += OPAQUE16_LEN; 06002 if (len < MIN_PSK_BINDERS_LEN || length - idx < len) 06003 return BUFFER_E; 06004 06005 /* Set binder for each identity. */ 06006 while (list != NULL && len > 0) { 06007 /* Length of binder */ 06008 list->binderLen = input[idx++]; 06009 if (list->binderLen < SHA256_DIGEST_SIZE || 06010 list->binderLen > MAX_DIGEST_SIZE) 06011 return BUFFER_E; 06012 if (len < OPAQUE8_LEN + list->binderLen) 06013 return BUFFER_E; 06014 06015 /* Copy binder into static buffer. */ 06016 XMEMCPY(list->binder, input + idx, list->binderLen); 06017 idx += list->binderLen; 06018 06019 /* Done with binder entry. */ 06020 len -= OPAQUE8_LEN + list->binderLen; 06021 06022 /* Next identity. */ 06023 list = list->next; 06024 } 06025 if (list != NULL || len != 0) 06026 return BUFFER_E; 06027 06028 return 0; 06029 } 06030 06031 if (msgType == server_hello) { 06032 word16 idx; 06033 06034 /* Index of identity chosen by server. */ 06035 if (length != OPAQUE16_LEN) 06036 return BUFFER_E; 06037 ato16(input, &idx); 06038 06039 /* Find the list of identities sent to server. */ 06040 extension = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); 06041 if (extension == NULL) 06042 return PSK_KEY_ERROR; 06043 list = (PreSharedKey*)extension->data; 06044 06045 /* Mark the identity as chosen. */ 06046 for (; list != NULL && idx > 0; idx--) 06047 list = list->next; 06048 if (list == NULL) 06049 return PSK_KEY_ERROR; 06050 list->chosen = 1; 06051 06052 if (list->resumption) { 06053 /* Check that the session's details are the same as the server's. */ 06054 if (ssl->options.cipherSuite0 != ssl->session.cipherSuite0 || 06055 ssl->options.cipherSuite != ssl->session.cipherSuite || 06056 ssl->session.version.major != ssl->version.major || 06057 ssl->session.version.minor != ssl->version.minor ) { 06058 return PSK_KEY_ERROR; 06059 } 06060 } 06061 /* TODO: [TLS13] More checks of consistency. 06062 * the "key_share", and "signature_algorithms" extensions are 06063 * consistent with the indicated ke_modes and auth_modes values 06064 */ 06065 06066 return 0; 06067 } 06068 06069 return SANITY_MSG_E; 06070 } 06071 06072 /* Create a new pre-shared key and put it into the list. 06073 * 06074 * list The linked list of pre-shared key. 06075 * identity The identity. 06076 * len The length of the identity data. 06077 * heap The memory to allocate with. 06078 * preSharedKey The new pre-shared key object. 06079 * returns 0 on success and other values indicate failure. 06080 */ 06081 static int TLSX_PreSharedKey_New(PreSharedKey** list, byte* identity, 06082 word16 len, void *heap, 06083 PreSharedKey** preSharedKey) 06084 { 06085 PreSharedKey* psk; 06086 06087 psk = (PreSharedKey*)XMALLOC(sizeof(PreSharedKey), heap, DYNAMIC_TYPE_TLSX); 06088 if (psk == NULL) 06089 return MEMORY_E; 06090 XMEMSET(psk, 0, sizeof(*psk)); 06091 06092 /* Make a copy of the identity data. */ 06093 psk->identity = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_TLSX); 06094 if (psk->identity == NULL) { 06095 XFREE(psk, heap, DYNAMIC_TYPE_TLSX); 06096 return MEMORY_E; 06097 } 06098 XMEMCPY(psk->identity, identity, len); 06099 psk->identityLen = len; 06100 06101 /* Add it to the end and maintain the links. */ 06102 while (*list != NULL) 06103 list = &((*list)->next); 06104 *list = psk; 06105 *preSharedKey = psk; 06106 06107 return 0; 06108 } 06109 06110 static INLINE byte GetHmacLength(int hmac) 06111 { 06112 switch (hmac) { 06113 #ifndef NO_SHA256 06114 case sha256_mac: 06115 return SHA256_DIGEST_SIZE; 06116 #endif 06117 #ifndef NO_SHA384 06118 case sha384_mac: 06119 return SHA384_DIGEST_SIZE; 06120 #endif 06121 #ifndef NO_SHA512 06122 case sha512_mac: 06123 return SHA512_DIGEST_SIZE; 06124 #endif 06125 } 06126 return 0; 06127 } 06128 06129 /* Use the data to create a new pre-shared key object in the extensions. 06130 * 06131 * ssl The SSL/TLS object. 06132 * identity The identity. 06133 * len The length of the identity data. 06134 * age The age of the identity. 06135 * hmac The HMAC algorithm. 06136 * resumption The PSK is for resumption of a session. 06137 * preSharedKey The new pre-shared key object. 06138 * returns 0 on success and other values indicate failure. 06139 */ 06140 int TLSX_PreSharedKey_Use(WOLFSSL* ssl, byte* identity, word16 len, word32 age, 06141 byte hmac, byte resumption, 06142 PreSharedKey **preSharedKey) 06143 { 06144 int ret = 0; 06145 TLSX* extension; 06146 PreSharedKey* psk = NULL; 06147 06148 /* Find the pre-shared key extension if it exists. */ 06149 extension = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); 06150 if (extension == NULL) { 06151 /* Push new pre-shared key extension. */ 06152 ret = TLSX_Push(&ssl->extensions, TLSX_PRE_SHARED_KEY, NULL, ssl->heap); 06153 if (ret != 0) 06154 return ret; 06155 06156 extension = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); 06157 if (extension == NULL) 06158 return MEMORY_E; 06159 } 06160 06161 /* Try to find the pre-shared key with this identity. */ 06162 psk = (PreSharedKey*)extension->data; 06163 while (psk != NULL) { 06164 if ((psk->identityLen == len) && 06165 (XMEMCMP(psk->identity, identity, len) == 0)) { 06166 break; 06167 } 06168 psk = psk->next; 06169 } 06170 06171 /* Create a new pre-shared key object if not found. */ 06172 if (psk == NULL) { 06173 ret = TLSX_PreSharedKey_New((PreSharedKey**)&extension->data, identity, 06174 len, ssl->heap, &psk); 06175 if (ret != 0) 06176 return ret; 06177 } 06178 06179 /* Update/set age and HMAC algorithm. */ 06180 psk->ticketAge = age; 06181 psk->hmac = hmac; 06182 psk->resumption = resumption; 06183 psk->binderLen = GetHmacLength(psk->hmac); 06184 06185 if (preSharedKey != NULL) 06186 *preSharedKey = psk; 06187 06188 return 0; 06189 } 06190 06191 #define PSK_FREE_ALL TLSX_PreSharedKey_FreeAll 06192 #define PSK_GET_SIZE TLSX_PreSharedKey_GetSize 06193 #define PSK_WRITE TLSX_PreSharedKey_Write 06194 #define PSK_PARSE TLSX_PreSharedKey_Parse 06195 06196 #else 06197 06198 #define PSK_FREE_ALL(a, b) 06199 #define PSK_GET_SIZE(a, b) 0 06200 #define PSK_WRITE(a, b, c) 0 06201 #define PSK_PARSE(a, b, c, d) 0 06202 06203 #endif 06204 06205 /******************************************************************************/ 06206 /* PSK Key Exchange Modes */ 06207 /******************************************************************************/ 06208 06209 #if defined(WOLFSSL_TLS13) && !defined(NO_PSK) 06210 /* Get the size of the encoded PSK KE modes extension. 06211 * Only in ClientHello. 06212 * 06213 * modes The PSK KE mode bit string. 06214 * msgType The type of the message this extension is being written into. 06215 * returns the number of bytes of the encoded key share extension. 06216 */ 06217 static word16 TLSX_PskKeModes_GetSize(byte modes, byte msgType) 06218 { 06219 if (msgType == client_hello) { 06220 /* Format: Len | Modes* */ 06221 word16 len = OPAQUE8_LEN; 06222 /* Check whether each possible mode is to be written. */ 06223 if (modes & (1 << PSK_KE)) 06224 len += OPAQUE8_LEN; 06225 if (modes & (1 << PSK_DHE_KE)) 06226 len += OPAQUE8_LEN; 06227 return len; 06228 } 06229 06230 return SANITY_MSG_E; 06231 } 06232 06233 /* Writes the PSK KE modes extension into the output buffer. 06234 * Assumes that the the output buffer is big enough to hold data. 06235 * Only in ClientHello. 06236 * 06237 * modes The PSK KE mode bit string. 06238 * output The buffer to write into. 06239 * msgType The type of the message this extension is being written into. 06240 * returns the number of bytes written into the buffer. 06241 */ 06242 static word16 TLSX_PskKeModes_Write(byte modes, byte* output, byte msgType) 06243 { 06244 if (msgType == client_hello) { 06245 /* Format: Len | Modes* */ 06246 int idx = OPAQUE8_LEN; 06247 06248 /* Write out each possible mode. */ 06249 if (modes & (1 << PSK_KE)) 06250 output[idx++] = PSK_KE; 06251 if (modes & (1 << PSK_DHE_KE)) 06252 output[idx++] = PSK_DHE_KE; 06253 /* Write out length of mode list. */ 06254 output[0] = idx - OPAQUE8_LEN; 06255 06256 return idx; 06257 } 06258 06259 return SANITY_MSG_E; 06260 } 06261 06262 /* Parse the PSK KE modes extension. 06263 * Only in ClientHello. 06264 * 06265 * ssl The SSL/TLS object. 06266 * input The extension data. 06267 * length The length of the extension data. 06268 * msgType The type of the message this extension is being parsed from. 06269 * returns 0 on success and other values indicate failure. 06270 */ 06271 static int TLSX_PskKeModes_Parse(WOLFSSL* ssl, byte* input, word16 length, 06272 byte msgType) 06273 { 06274 int ret; 06275 06276 if (msgType == client_hello) { 06277 /* Format: Len | Modes* */ 06278 int idx = 0; 06279 int len; 06280 byte modes = 0; 06281 06282 /* Ensure length byte exists. */ 06283 if (length < OPAQUE8_LEN) 06284 return BUFFER_E; 06285 06286 /* Get length of mode list and ensure that is the only data. */ 06287 len = input[0]; 06288 if (length - OPAQUE8_LEN != len) 06289 return BUFFER_E; 06290 06291 idx = OPAQUE8_LEN; 06292 /* Set a bit for each recognized modes. */ 06293 while (len > 0) { 06294 /* Ignore unrecognized modes. */ 06295 if (input[idx] <= PSK_DHE_KE) 06296 modes |= 1 << input[idx]; 06297 idx++; 06298 len--; 06299 } 06300 06301 ret = TLSX_PskKeModes_Use(ssl, modes); 06302 if (ret != 0) 06303 return ret; 06304 06305 return 0; 06306 } 06307 06308 return SANITY_MSG_E; 06309 } 06310 06311 /* Use the data to create a new PSK Key Exchange Modes object in the extensions. 06312 * 06313 * ssl The SSL/TLS object. 06314 * modes The PSK key exchange modes. 06315 * returns 0 on success and other values indicate failure. 06316 */ 06317 int TLSX_PskKeModes_Use(WOLFSSL* ssl, byte modes) 06318 { 06319 int ret = 0; 06320 TLSX* extension; 06321 06322 /* Find the PSK key exchange modes extension if it exists. */ 06323 extension = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES); 06324 if (extension == NULL) { 06325 /* Push new PSK key exchange modes extension. */ 06326 ret = TLSX_Push(&ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES, NULL, 06327 ssl->heap); 06328 if (ret != 0) 06329 return ret; 06330 06331 extension = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES); 06332 if (extension == NULL) 06333 return MEMORY_E; 06334 } 06335 06336 extension->val = modes; 06337 06338 return 0; 06339 } 06340 06341 #define PKM_GET_SIZE TLSX_PskKeModes_GetSize 06342 #define PKM_WRITE TLSX_PskKeModes_Write 06343 #define PKM_PARSE TLSX_PskKeModes_Parse 06344 06345 #else 06346 06347 #define PKM_GET_SIZE(a, b) 0 06348 #define PKM_WRITE(a, b, c) 0 06349 #define PKM_PARSE(a, b, c, d) 0 06350 06351 #endif 06352 06353 /******************************************************************************/ 06354 /* TLS Extensions Framework */ 06355 /******************************************************************************/ 06356 06357 /** Finds an extension in the provided list. */ 06358 TLSX* TLSX_Find(TLSX* list, TLSX_Type type) 06359 { 06360 TLSX* extension = list; 06361 06362 while (extension && extension->type != type) 06363 extension = extension->next; 06364 06365 return extension; 06366 } 06367 06368 /** Releases all extensions in the provided list. */ 06369 void TLSX_FreeAll(TLSX* list, void* heap) 06370 { 06371 TLSX* extension; 06372 06373 while ((extension = list)) { 06374 list = extension->next; 06375 06376 switch (extension->type) { 06377 06378 case TLSX_SERVER_NAME: 06379 SNI_FREE_ALL((SNI*)extension->data, heap); 06380 break; 06381 06382 case TLSX_MAX_FRAGMENT_LENGTH: 06383 MFL_FREE_ALL(extension->data, heap); 06384 break; 06385 06386 case TLSX_TRUNCATED_HMAC: 06387 /* Nothing to do. */ 06388 break; 06389 06390 case TLSX_SUPPORTED_GROUPS: 06391 EC_FREE_ALL((EllipticCurve*)extension->data, heap); 06392 break; 06393 06394 case TLSX_STATUS_REQUEST: 06395 CSR_FREE_ALL((CertificateStatusRequest*)extension->data, heap); 06396 break; 06397 06398 case TLSX_STATUS_REQUEST_V2: 06399 CSR2_FREE_ALL((CertificateStatusRequestItemV2*)extension->data, 06400 heap); 06401 break; 06402 06403 case TLSX_RENEGOTIATION_INFO: 06404 SCR_FREE_ALL(extension->data, heap); 06405 break; 06406 06407 case TLSX_SESSION_TICKET: 06408 WOLF_STK_FREE(extension->data, heap); 06409 break; 06410 06411 case TLSX_QUANTUM_SAFE_HYBRID: 06412 QSH_FREE_ALL((QSHScheme*)extension->data, heap); 06413 break; 06414 06415 case TLSX_APPLICATION_LAYER_PROTOCOL: 06416 ALPN_FREE_ALL((ALPN*)extension->data, heap); 06417 break; 06418 06419 case TLSX_SIGNATURE_ALGORITHMS: 06420 break; 06421 06422 #ifdef WOLFSSL_TLS13 06423 case TLSX_SUPPORTED_VERSIONS: 06424 break; 06425 06426 case TLSX_KEY_SHARE: 06427 KS_FREE_ALL((KeyShareEntry*)extension->data, heap); 06428 break; 06429 06430 #ifndef NO_PSK 06431 case TLSX_PRE_SHARED_KEY: 06432 PSK_FREE_ALL((PreSharedKey*)extension->data, heap); 06433 break; 06434 06435 case TLSX_PSK_KEY_EXCHANGE_MODES: 06436 break; 06437 #endif 06438 #endif 06439 } 06440 06441 XFREE(extension, heap, DYNAMIC_TYPE_TLSX); 06442 } 06443 06444 (void)heap; 06445 } 06446 06447 /** Checks if the tls extensions are supported based on the protocol version. */ 06448 int TLSX_SupportExtensions(WOLFSSL* ssl) { 06449 return ssl && (IsTLS(ssl) || ssl->version.major == DTLS_MAJOR); 06450 } 06451 06452 /** Tells the buffered size of the extensions in a list. */ 06453 static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType) 06454 { 06455 TLSX* extension; 06456 word16 length = 0; 06457 byte isRequest = (msgType == client_hello); 06458 06459 while ((extension = list)) { 06460 list = extension->next; 06461 06462 /* only extensions marked as response are sent back to the client. */ 06463 if (!isRequest && !extension->resp) 06464 continue; /* skip! */ 06465 06466 /* ssl level extensions are expected to override ctx level ones. */ 06467 if (!IS_OFF(semaphore, TLSX_ToSemaphore(extension->type))) 06468 continue; /* skip! */ 06469 06470 /* extension type + extension data length. */ 06471 length += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN; 06472 06473 06474 switch (extension->type) { 06475 06476 case TLSX_SERVER_NAME: 06477 /* SNI only sends the name on the request. */ 06478 if (isRequest) 06479 length += SNI_GET_SIZE((SNI*)extension->data); 06480 break; 06481 06482 case TLSX_MAX_FRAGMENT_LENGTH: 06483 length += MFL_GET_SIZE(extension->data); 06484 break; 06485 06486 case TLSX_TRUNCATED_HMAC: 06487 /* always empty. */ 06488 break; 06489 06490 case TLSX_SUPPORTED_GROUPS: 06491 length += EC_GET_SIZE((EllipticCurve*)extension->data); 06492 break; 06493 06494 case TLSX_STATUS_REQUEST: 06495 length += CSR_GET_SIZE( 06496 (CertificateStatusRequest*)extension->data, isRequest); 06497 break; 06498 06499 case TLSX_STATUS_REQUEST_V2: 06500 length += CSR2_GET_SIZE( 06501 (CertificateStatusRequestItemV2*)extension->data, 06502 isRequest); 06503 break; 06504 06505 case TLSX_RENEGOTIATION_INFO: 06506 length += SCR_GET_SIZE((SecureRenegotiation*)extension->data, 06507 isRequest); 06508 break; 06509 06510 case TLSX_SESSION_TICKET: 06511 length += WOLF_STK_GET_SIZE((SessionTicket*)extension->data, 06512 isRequest); 06513 break; 06514 06515 case TLSX_QUANTUM_SAFE_HYBRID: 06516 length += QSH_GET_SIZE((QSHScheme*)extension->data, isRequest); 06517 break; 06518 06519 case TLSX_APPLICATION_LAYER_PROTOCOL: 06520 length += ALPN_GET_SIZE((ALPN*)extension->data); 06521 break; 06522 06523 case TLSX_SIGNATURE_ALGORITHMS: 06524 #ifdef WOLFSSL_TLS13 06525 length += SA_GET_SIZE(extension->data); 06526 #endif 06527 break; 06528 06529 #ifdef WOLFSSL_TLS13 06530 case TLSX_SUPPORTED_VERSIONS: 06531 length += SV_GET_SIZE(extension->data); 06532 break; 06533 06534 case TLSX_KEY_SHARE: 06535 length += KS_GET_SIZE(extension->data, msgType); 06536 break; 06537 06538 #ifndef NO_PSK 06539 case TLSX_PRE_SHARED_KEY: 06540 length += PSK_GET_SIZE(extension->data, msgType); 06541 break; 06542 06543 case TLSX_PSK_KEY_EXCHANGE_MODES: 06544 length += PKM_GET_SIZE(extension->val, msgType); 06545 break; 06546 #endif 06547 #endif 06548 } 06549 06550 /* marks the extension as processed so ctx level */ 06551 /* extensions don't overlap with ssl level ones. */ 06552 TURN_ON(semaphore, TLSX_ToSemaphore(extension->type)); 06553 } 06554 06555 return length; 06556 } 06557 06558 /** Writes the extensions of a list in a buffer. */ 06559 static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, 06560 byte msgType) 06561 { 06562 TLSX* extension; 06563 word16 offset = 0; 06564 word16 length_offset = 0; 06565 byte isRequest = (msgType == client_hello); 06566 06567 while ((extension = list)) { 06568 list = extension->next; 06569 06570 /* only extensions marked as response are written in a response. */ 06571 if (!isRequest && !extension->resp) 06572 continue; /* skip! */ 06573 06574 /* ssl level extensions are expected to override ctx level ones. */ 06575 if (!IS_OFF(semaphore, TLSX_ToSemaphore(extension->type))) 06576 continue; /* skip! */ 06577 06578 /* writes extension type. */ 06579 c16toa(extension->type, output + offset); 06580 offset += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN; 06581 length_offset = offset; 06582 06583 /* extension data should be written internally. */ 06584 switch (extension->type) { 06585 case TLSX_SERVER_NAME: 06586 if (isRequest) { 06587 WOLFSSL_MSG("SNI extension to write"); 06588 offset += SNI_WRITE((SNI*)extension->data, output + offset); 06589 } 06590 break; 06591 06592 case TLSX_MAX_FRAGMENT_LENGTH: 06593 WOLFSSL_MSG("Max Fragment Length extension to write"); 06594 offset += MFL_WRITE((byte*)extension->data, output + offset); 06595 break; 06596 06597 case TLSX_TRUNCATED_HMAC: 06598 WOLFSSL_MSG("Truncated HMAC extension to write"); 06599 /* always empty. */ 06600 break; 06601 06602 case TLSX_SUPPORTED_GROUPS: 06603 WOLFSSL_MSG("Elliptic Curves extension to write"); 06604 offset += EC_WRITE((EllipticCurve*)extension->data, 06605 output + offset); 06606 break; 06607 06608 case TLSX_STATUS_REQUEST: 06609 WOLFSSL_MSG("Certificate Status Request extension to write"); 06610 offset += CSR_WRITE((CertificateStatusRequest*)extension->data, 06611 output + offset, isRequest); 06612 break; 06613 06614 case TLSX_STATUS_REQUEST_V2: 06615 WOLFSSL_MSG("Certificate Status Request v2 extension to write"); 06616 offset += CSR2_WRITE( 06617 (CertificateStatusRequestItemV2*)extension->data, 06618 output + offset, isRequest); 06619 break; 06620 06621 case TLSX_RENEGOTIATION_INFO: 06622 WOLFSSL_MSG("Secure Renegotiation extension to write"); 06623 offset += SCR_WRITE((SecureRenegotiation*)extension->data, 06624 output + offset, isRequest); 06625 break; 06626 06627 case TLSX_SESSION_TICKET: 06628 WOLFSSL_MSG("Session Ticket extension to write"); 06629 offset += WOLF_STK_WRITE((SessionTicket*)extension->data, 06630 output + offset, isRequest); 06631 break; 06632 06633 case TLSX_QUANTUM_SAFE_HYBRID: 06634 WOLFSSL_MSG("Quantum-Safe-Hybrid extension to write"); 06635 if (isRequest) { 06636 offset += QSH_WRITE((QSHScheme*)extension->data, output + offset); 06637 } 06638 offset += QSHPK_WRITE((QSHScheme*)extension->data, output + offset); 06639 offset += QSH_SERREQ(output + offset, isRequest); 06640 break; 06641 06642 case TLSX_APPLICATION_LAYER_PROTOCOL: 06643 WOLFSSL_MSG("ALPN extension to write"); 06644 offset += ALPN_WRITE((ALPN*)extension->data, output + offset); 06645 break; 06646 06647 case TLSX_SIGNATURE_ALGORITHMS: 06648 #ifdef WOLFSSL_TLS13 06649 WOLFSSL_MSG("Signature Algorithms extension to write"); 06650 offset += SA_WRITE(extension->data, output + offset); 06651 #endif 06652 break; 06653 06654 #ifdef WOLFSSL_TLS13 06655 case TLSX_SUPPORTED_VERSIONS: 06656 WOLFSSL_MSG("Supported Versions extension to write"); 06657 offset += SV_WRITE(extension->data, output + offset); 06658 break; 06659 06660 case TLSX_KEY_SHARE: 06661 WOLFSSL_MSG("Key Share extension to write"); 06662 offset += KS_WRITE(extension->data, output + offset, msgType); 06663 break; 06664 06665 #ifndef NO_PSK 06666 case TLSX_PRE_SHARED_KEY: 06667 WOLFSSL_MSG("Pre-Shared Key extension to write"); 06668 offset += PSK_WRITE(extension->data, output + offset, msgType); 06669 break; 06670 06671 case TLSX_PSK_KEY_EXCHANGE_MODES: 06672 WOLFSSL_MSG("PSK Key Exchange Modes extension to write"); 06673 offset += PKM_WRITE(extension->val, output + offset, msgType); 06674 break; 06675 #endif 06676 #endif 06677 } 06678 06679 /* writes extension data length. */ 06680 c16toa(offset - length_offset, output + length_offset - OPAQUE16_LEN); 06681 06682 /* marks the extension as processed so ctx level */ 06683 /* extensions don't overlap with ssl level ones. */ 06684 TURN_ON(semaphore, TLSX_ToSemaphore(extension->type)); 06685 } 06686 06687 return offset; 06688 } 06689 06690 06691 #ifdef HAVE_NTRU 06692 06693 static word32 GetEntropy(unsigned char* out, word32 num_bytes) 06694 { 06695 int ret = 0; 06696 06697 if (rng == NULL) { 06698 if ((rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, 06699 DYNAMIC_TYPE_TLSX)) == NULL) 06700 return DRBG_OUT_OF_MEMORY; 06701 wc_InitRng(rng); 06702 } 06703 06704 if (rngMutex == NULL) { 06705 if ((rngMutex = (wolfSSL_Mutex*)XMALLOC(sizeof(wolfSSL_Mutex), NULL, 06706 DYNAMIC_TYPE_TLSX)) == NULL) 06707 return DRBG_OUT_OF_MEMORY; 06708 wc_InitMutex(rngMutex); 06709 } 06710 06711 ret |= wc_LockMutex(rngMutex); 06712 ret |= wc_RNG_GenerateBlock(rng, out, num_bytes); 06713 ret |= wc_UnLockMutex(rngMutex); 06714 06715 if (ret != 0) 06716 return DRBG_ENTROPY_FAIL; 06717 06718 return DRBG_OK; 06719 } 06720 #endif 06721 06722 06723 #ifdef HAVE_QSH 06724 static int TLSX_CreateQSHKey(WOLFSSL* ssl, int type) 06725 { 06726 int ret; 06727 06728 (void)ssl; 06729 06730 switch (type) { 06731 #ifdef HAVE_NTRU 06732 case WOLFSSL_NTRU_EESS439: 06733 case WOLFSSL_NTRU_EESS593: 06734 case WOLFSSL_NTRU_EESS743: 06735 ret = TLSX_CreateNtruKey(ssl, type); 06736 break; 06737 #endif 06738 default: 06739 WOLFSSL_MSG("Unknown type for creating NTRU key"); 06740 return -1; 06741 } 06742 06743 return ret; 06744 } 06745 06746 06747 static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key) 06748 { 06749 QSHKey* current; 06750 06751 if (key == NULL) 06752 return BAD_FUNC_ARG; 06753 06754 /* if no public key stored in key then do not add */ 06755 if (key->pub.length == 0 || key->pub.buffer == NULL) 06756 return 0; 06757 06758 /* first element to be added to the list */ 06759 current = *list; 06760 if (current == NULL) { 06761 *list = key; 06762 return 0; 06763 } 06764 06765 while (current->next) { 06766 /* can only have one of the key in the list */ 06767 if (current->name == key->name) 06768 return -1; 06769 current = (QSHKey*)current->next; 06770 } 06771 06772 current->next = (struct QSHKey*)key; 06773 06774 return 0; 06775 } 06776 06777 06778 #if defined(HAVE_NTRU) || defined(HAVE_QSH) 06779 int TLSX_CreateNtruKey(WOLFSSL* ssl, int type) 06780 { 06781 int ret = -1; 06782 #ifdef HAVE_NTRU 06783 int ntruType; 06784 06785 /* variable declarations for NTRU*/ 06786 QSHKey* temp = NULL; 06787 byte public_key[1027]; 06788 word16 public_key_len = sizeof(public_key); 06789 byte private_key[1120]; 06790 word16 private_key_len = sizeof(private_key); 06791 DRBG_HANDLE drbg; 06792 06793 if (ssl == NULL) 06794 return BAD_FUNC_ARG; 06795 06796 switch (type) { 06797 case WOLFSSL_NTRU_EESS439: 06798 ntruType = NTRU_EES439EP1; 06799 break; 06800 case WOLFSSL_NTRU_EESS593: 06801 ntruType = NTRU_EES593EP1; 06802 break; 06803 case WOLFSSL_NTRU_EESS743: 06804 ntruType = NTRU_EES743EP1; 06805 break; 06806 default: 06807 WOLFSSL_MSG("Unknown type for creating NTRU key"); 06808 return -1; 06809 } 06810 ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); 06811 if (ret != DRBG_OK) { 06812 WOLFSSL_MSG("NTRU drbg instantiate failed\n"); 06813 return ret; 06814 } 06815 06816 if ((ret = ntru_crypto_ntru_encrypt_keygen(drbg, ntruType, 06817 &public_key_len, NULL, &private_key_len, NULL)) != NTRU_OK) 06818 return ret; 06819 06820 if ((ret = ntru_crypto_ntru_encrypt_keygen(drbg, ntruType, 06821 &public_key_len, public_key, &private_key_len, private_key)) != NTRU_OK) 06822 return ret; 06823 06824 ret = ntru_crypto_drbg_uninstantiate(drbg); 06825 if (ret != NTRU_OK) { 06826 WOLFSSL_MSG("NTRU drbg uninstantiate failed\n"); 06827 return ret; 06828 } 06829 06830 if ((temp = (QSHKey*)XMALLOC(sizeof(QSHKey), ssl->heap, 06831 DYNAMIC_TYPE_TLSX)) == NULL) 06832 return MEMORY_E; 06833 temp->name = type; 06834 temp->pub.length = public_key_len; 06835 temp->pub.buffer = (byte*)XMALLOC(public_key_len, ssl->heap, 06836 DYNAMIC_TYPE_PUBLIC_KEY); 06837 XMEMCPY(temp->pub.buffer, public_key, public_key_len); 06838 temp->pri.length = private_key_len; 06839 temp->pri.buffer = (byte*)XMALLOC(private_key_len, ssl->heap, 06840 DYNAMIC_TYPE_ARRAYS); 06841 XMEMCPY(temp->pri.buffer, private_key, private_key_len); 06842 temp->next = NULL; 06843 06844 TLSX_AddQSHKey(&ssl->QSH_Key, temp); 06845 #endif 06846 06847 (void)ssl; 06848 (void)type; 06849 06850 return ret; 06851 } 06852 #endif 06853 06854 06855 /* 06856 Used to find a public key from the list of keys 06857 pubLen length of array 06858 name input the name of the scheme looking for ie WOLFSSL_NTRU_ESSXXX 06859 06860 returns a pointer to public key byte* or NULL if not found 06861 */ 06862 static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name) 06863 { 06864 QSHKey* current = qsh; 06865 06866 if (qsh == NULL || pubLen == NULL) 06867 return NULL; 06868 06869 *pubLen = 0; 06870 06871 while(current) { 06872 if (current->name == name) { 06873 *pubLen = current->pub.length; 06874 return current->pub.buffer; 06875 } 06876 current = (QSHKey*)current->next; 06877 } 06878 06879 return NULL; 06880 } 06881 #endif /* HAVE_QSH */ 06882 06883 int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) 06884 { 06885 int ret = 0; 06886 byte* public_key = NULL; 06887 word16 public_key_len = 0; 06888 #ifdef HAVE_QSH 06889 TLSX* extension; 06890 QSHScheme* qsh; 06891 QSHScheme* next; 06892 06893 /* add supported QSHSchemes */ 06894 WOLFSSL_MSG("Adding supported QSH Schemes"); 06895 #endif 06896 06897 /* server will add extension depending on whats parsed from client */ 06898 if (!isServer) { 06899 #ifdef HAVE_QSH 06900 /* test if user has set a specific scheme already */ 06901 if (!ssl->user_set_QSHSchemes) { 06902 if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) { 06903 if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS743)) != 0) { 06904 WOLFSSL_MSG("Error creating ntru keys"); 06905 return ret; 06906 } 06907 if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS593)) != 0) { 06908 WOLFSSL_MSG("Error creating ntru keys"); 06909 return ret; 06910 } 06911 if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS439)) != 0) { 06912 WOLFSSL_MSG("Error creating ntru keys"); 06913 return ret; 06914 } 06915 06916 /* add NTRU 256 */ 06917 public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key, 06918 &public_key_len, WOLFSSL_NTRU_EESS743); 06919 } 06920 if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS743, 06921 public_key, public_key_len, ssl->heap) 06922 != SSL_SUCCESS) 06923 ret = -1; 06924 06925 /* add NTRU 196 */ 06926 if (ssl->sendQSHKeys) { 06927 public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key, 06928 &public_key_len, WOLFSSL_NTRU_EESS593); 06929 } 06930 if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS593, 06931 public_key, public_key_len, ssl->heap) 06932 != SSL_SUCCESS) 06933 ret = -1; 06934 06935 /* add NTRU 128 */ 06936 if (ssl->sendQSHKeys) { 06937 public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key, 06938 &public_key_len, WOLFSSL_NTRU_EESS439); 06939 } 06940 if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS439, 06941 public_key, public_key_len, ssl->heap) 06942 != SSL_SUCCESS) 06943 ret = -1; 06944 } 06945 else if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) { 06946 /* for each scheme make a client key */ 06947 extension = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID); 06948 if (extension) { 06949 qsh = (QSHScheme*)extension->data; 06950 06951 while (qsh) { 06952 if ((ret = TLSX_CreateQSHKey(ssl, qsh->name)) != 0) 06953 return ret; 06954 06955 /* get next now because qsh could be freed */ 06956 next = qsh->next; 06957 06958 /* find the public key created and add to extension*/ 06959 public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key, 06960 &public_key_len, qsh->name); 06961 if (TLSX_UseQSHScheme(&ssl->extensions, qsh->name, 06962 public_key, public_key_len, 06963 ssl->heap) != SSL_SUCCESS) 06964 ret = -1; 06965 qsh = next; 06966 } 06967 } 06968 } 06969 #endif 06970 06971 #if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES) 06972 if (!ssl->options.userCurves && !ssl->ctx->userCurves) { 06973 #ifndef HAVE_FIPS 06974 #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES) 06975 #ifndef NO_ECC_SECP 06976 ret = TLSX_UseSupportedCurve(&ssl->extensions, 06977 WOLFSSL_ECC_SECP160R1, ssl->heap); 06978 if (ret != SSL_SUCCESS) return ret; 06979 #endif 06980 #ifdef HAVE_ECC_SECPR2 06981 ret = TLSX_UseSupportedCurve(&ssl->extensions, 06982 WOLFSSL_ECC_SECP160R2, ssl->heap); 06983 if (ret != SSL_SUCCESS) return ret; 06984 #endif 06985 #ifdef HAVE_ECC_KOBLITZ 06986 ret = TLSX_UseSupportedCurve(&ssl->extensions, 06987 WOLFSSL_ECC_SECP160K1, ssl->heap); 06988 if (ret != SSL_SUCCESS) return ret; 06989 #endif 06990 #endif 06991 #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES) 06992 #ifndef NO_ECC_SECP 06993 ret = TLSX_UseSupportedCurve(&ssl->extensions, 06994 WOLFSSL_ECC_SECP192R1, ssl->heap); 06995 if (ret != SSL_SUCCESS) return ret; 06996 #endif 06997 #ifdef HAVE_ECC_KOBLITZ 06998 ret = TLSX_UseSupportedCurve(&ssl->extensions, 06999 WOLFSSL_ECC_SECP192K1, ssl->heap); 07000 if (ret != SSL_SUCCESS) return ret; 07001 #endif 07002 #endif 07003 #endif 07004 #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES) 07005 #ifndef NO_ECC_SECP 07006 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07007 WOLFSSL_ECC_SECP224R1, ssl->heap); 07008 if (ret != SSL_SUCCESS) return ret; 07009 #endif 07010 #ifdef HAVE_ECC_KOBLITZ 07011 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07012 WOLFSSL_ECC_SECP224K1, ssl->heap); 07013 if (ret != SSL_SUCCESS) return ret; 07014 #endif 07015 #endif 07016 #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) 07017 #ifndef NO_ECC_SECP 07018 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07019 WOLFSSL_ECC_SECP256R1, ssl->heap); 07020 if (ret != SSL_SUCCESS) return ret; 07021 #endif 07022 #ifdef HAVE_ECC_KOBLITZ 07023 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07024 WOLFSSL_ECC_SECP256K1, ssl->heap); 07025 if (ret != SSL_SUCCESS) return ret; 07026 #endif 07027 #ifdef HAVE_ECC_BRAINPOOL 07028 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07029 WOLFSSL_ECC_BRAINPOOLP256R1, ssl->heap); 07030 if (ret != SSL_SUCCESS) return ret; 07031 #endif 07032 #endif 07033 #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES) 07034 #ifndef NO_ECC_SECP 07035 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07036 WOLFSSL_ECC_SECP384R1, ssl->heap); 07037 if (ret != SSL_SUCCESS) return ret; 07038 #endif 07039 #ifdef HAVE_ECC_BRAINPOOL 07040 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07041 WOLFSSL_ECC_BRAINPOOLP384R1, ssl->heap); 07042 if (ret != SSL_SUCCESS) return ret; 07043 #endif 07044 #endif 07045 #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES) 07046 #ifdef HAVE_ECC_BRAINPOOL 07047 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07048 WOLFSSL_ECC_BRAINPOOLP512R1, ssl->heap); 07049 if (ret != SSL_SUCCESS) return ret; 07050 #endif 07051 #endif 07052 #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) 07053 #ifndef NO_ECC_SECP 07054 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07055 WOLFSSL_ECC_SECP521R1, ssl->heap); 07056 if (ret != SSL_SUCCESS) return ret; 07057 #endif 07058 #endif 07059 #ifdef WOLFSSL_TLS13 07060 #if defined(HAVE_CURVE25519) 07061 #ifndef NO_ECC_SECP 07062 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07063 WOLFSSL_ECC_X25519, ssl->heap); 07064 if (ret != SSL_SUCCESS) return ret; 07065 #endif 07066 #endif 07067 #endif 07068 } 07069 #endif /* HAVE_ECC && HAVE_SUPPORTED_CURVES */ 07070 } /* is not server */ 07071 07072 #ifdef WOLFSSL_TLS13 07073 WOLFSSL_MSG("Adding signature algorithms extension"); 07074 if ((ret = TLSX_SetSignatureAlgorithms(&ssl->extensions, ssl, 07075 ssl->heap)) != 0) 07076 return ret; 07077 07078 if (!isServer && IsAtLeastTLSv1_3(ssl->version)) { 07079 /* Add mandatory TLS v1.3 extension: supported version */ 07080 WOLFSSL_MSG("Adding supported versions extension"); 07081 if ((ret = TLSX_SetSupportedVersions(&ssl->extensions, ssl, 07082 ssl->heap)) != 0) 07083 return ret; 07084 07085 /* Add FFDHE supported groups. */ 07086 #ifdef HAVE_FFDHE_2048 07087 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07088 WOLFSSL_FFDHE_2048, ssl->heap); 07089 if (ret != SSL_SUCCESS) 07090 return ret; 07091 #endif 07092 #ifdef HAVE_FFDHE_3072 07093 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07094 WOLFSSL_FFDHE_3072, ssl->heap); 07095 if (ret != SSL_SUCCESS) 07096 return ret; 07097 #endif 07098 #ifdef HAVE_FFDHE_4096 07099 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07100 WOLFSSL_FFDHE_4096, ssl->heap); 07101 if (ret != SSL_SUCCESS) 07102 return ret; 07103 #endif 07104 #ifdef HAVE_FFDHE_6144 07105 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07106 WOLFSSL_FFDHE_6144, ssl->heap); 07107 if (ret != SSL_SUCCESS) 07108 return ret; 07109 #endif 07110 #ifdef HAVE_FFDHE_8192 07111 ret = TLSX_UseSupportedCurve(&ssl->extensions, 07112 WOLFSSL_FFDHE_8192, ssl->heap); 07113 if (ret != SSL_SUCCESS) 07114 return ret; 07115 #endif 07116 ret = 0; 07117 07118 if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) { 07119 #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ 07120 !defined(NO_ECC_SECP) 07121 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP256R1, 0, NULL, 07122 NULL); 07123 #elif (!defined(NO_ECC384) || defined(HAVE_ALL_CURVES)) && \ 07124 !defined(NO_ECC_SECP) 07125 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP384R1, 0, NULL, 07126 NULL); 07127 #elif (!defined(NO_ECC521) || defined(HAVE_ALL_CURVES)) && \ 07128 !defined(NO_ECC_SECP) 07129 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP521R1, 0, NULL, 07130 NULL); 07131 #elif defined(HAVE_FFDHE_2048) 07132 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_FFDHE_2048, 0, NULL, NULL); 07133 #elif defined(HAVE_FFDHE_3072) 07134 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_FFDHE_3072, 0, NULL, NULL); 07135 #elif defined(HAVE_FFDHE_4096) 07136 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_FFDHE_4096, 0, NULL, NULL); 07137 #elif defined(HAVE_FFDHE_6144) 07138 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_FFDHE_6144, 0, NULL, NULL); 07139 #elif defined(HAVE_FFDHE_8192) 07140 ret = TLSX_KeyShare_Use(ssl, WOLFSSL_FFDHE_8192, 0, NULL, NULL); 07141 #else 07142 ret = KEY_SHARE_ERROR; 07143 #endif 07144 if (ret != 0) 07145 return ret; 07146 } 07147 07148 #if defined(HAVE_SESSION_TICKET) && !defined(NO_PSK) 07149 if (ssl->options.resuming) { 07150 WOLFSSL_SESSION* sess = &ssl->session; 07151 word32 milli; 07152 byte modes; 07153 07154 /* Determine the MAC algorithm for the cipher suite used. */ 07155 ssl->options.cipherSuite0 = sess->cipherSuite0; 07156 ssl->options.cipherSuite = sess->cipherSuite; 07157 SetCipherSpecs(ssl); 07158 milli = TimeNowInMilliseconds() - sess->ticketSeen + 07159 sess->ticketAdd; 07160 /* Pre-shared key is mandatory extension for resumption. */ 07161 ret = TLSX_PreSharedKey_Use(ssl, sess->ticket, sess->ticketLen, 07162 milli, ssl->specs.mac_algorithm, 1, 07163 ssl->heap); 07164 if (ret != 0) 07165 return ret; 07166 07167 /* Pre-shared key modes: mandatory extension for resumption. */ 07168 modes = 1 << PSK_KE; 07169 #if !defined(NO_DH) || defined(HAVE_ECC) 07170 if (!ssl->options.noPskDheKe) 07171 modes |= 1 << PSK_DHE_KE; 07172 #endif 07173 ret = TLSX_PskKeModes_Use(ssl, modes); 07174 if (ret != 0) 07175 return ret; 07176 } 07177 #endif 07178 /* TODO: [TLS13] Add PSKs */ 07179 } 07180 07181 #endif 07182 07183 (void)isServer; 07184 (void)public_key; 07185 (void)public_key_len; 07186 (void)ssl; 07187 07188 if (ret == SSL_SUCCESS) 07189 ret = 0; 07190 07191 return ret; 07192 } 07193 07194 07195 #ifndef NO_WOLFSSL_CLIENT 07196 07197 /** Tells the buffered size of extensions to be sent into the client hello. */ 07198 word16 TLSX_GetRequestSize(WOLFSSL* ssl) 07199 { 07200 word16 length = 0; 07201 07202 if (TLSX_SupportExtensions(ssl)) { 07203 byte semaphore[SEMAPHORE_SIZE] = {0}; 07204 07205 EC_VALIDATE_REQUEST(ssl, semaphore); 07206 QSH_VALIDATE_REQUEST(ssl, semaphore); 07207 WOLF_STK_VALIDATE_REQUEST(ssl); 07208 #if defined(WOLFSSL_TLS13) 07209 if (!IsAtLeastTLSv1_2(ssl)) 07210 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); 07211 if (!IsAtLeastTLSv1_3(ssl->version)) { 07212 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); 07213 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); 07214 #ifndef NO_PSK 07215 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); 07216 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PSK_KEY_EXCHANGE_MODES)); 07217 #endif 07218 } 07219 #endif 07220 07221 if (ssl->extensions) 07222 length += TLSX_GetSize(ssl->extensions, semaphore, client_hello); 07223 07224 if (ssl->ctx && ssl->ctx->extensions) { 07225 length += TLSX_GetSize(ssl->ctx->extensions, semaphore, 07226 client_hello); 07227 } 07228 07229 #ifndef WOLFSSL_TLS13 07230 if (IsAtLeastTLSv1_2(ssl) && ssl->suites->hashSigAlgoSz) 07231 length += HELLO_EXT_SZ + OPAQUE16_LEN + 07232 + ssl->suites->hashSigAlgoSz; 07233 #endif 07234 07235 #ifdef HAVE_EXTENDED_MASTER 07236 if (ssl->options.haveEMS) 07237 length += HELLO_EXT_SZ; 07238 #endif 07239 } 07240 07241 if (length) 07242 length += OPAQUE16_LEN; /* for total length storage. */ 07243 07244 return length; 07245 } 07246 07247 /** Writes the extensions to be sent into the client hello. */ 07248 word16 TLSX_WriteRequest(WOLFSSL* ssl, byte* output) 07249 { 07250 word16 offset = 0; 07251 07252 if (TLSX_SupportExtensions(ssl) && output) { 07253 byte semaphore[SEMAPHORE_SIZE] = {0}; 07254 07255 offset += OPAQUE16_LEN; /* extensions length */ 07256 07257 EC_VALIDATE_REQUEST(ssl, semaphore); 07258 WOLF_STK_VALIDATE_REQUEST(ssl); 07259 QSH_VALIDATE_REQUEST(ssl, semaphore); 07260 #if defined(WOLFSSL_TLS13) 07261 if (!IsAtLeastTLSv1_2(ssl)) 07262 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); 07263 if (!IsAtLeastTLSv1_3(ssl->version)) { 07264 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); 07265 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); 07266 #ifndef NO_PSK 07267 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PSK_KEY_EXCHANGE_MODES)); 07268 #endif 07269 } 07270 #ifndef NO_PSK 07271 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); 07272 #endif 07273 #endif 07274 07275 if (ssl->extensions) 07276 offset += TLSX_Write(ssl->extensions, output + offset, semaphore, 07277 client_hello); 07278 07279 if (ssl->ctx && ssl->ctx->extensions) 07280 offset += TLSX_Write(ssl->ctx->extensions, output + offset, 07281 semaphore, client_hello); 07282 07283 #ifndef WOLFSSL_TLS13 07284 if (IsAtLeastTLSv1_2(ssl) && ssl->suites->hashSigAlgoSz) { 07285 int i; 07286 /* extension type */ 07287 c16toa(TLSX_SIGNATURE_ALGORITHMS, output + offset); 07288 offset += HELLO_EXT_TYPE_SZ; 07289 07290 /* extension data length */ 07291 c16toa(OPAQUE16_LEN + ssl->suites->hashSigAlgoSz, 07292 output + offset); 07293 offset += OPAQUE16_LEN; 07294 07295 /* sig algos length */ 07296 c16toa(ssl->suites->hashSigAlgoSz, output + offset); 07297 offset += OPAQUE16_LEN; 07298 07299 /* sig algos */ 07300 for (i = 0; i < ssl->suites->hashSigAlgoSz; i++, offset++) 07301 output[offset] = ssl->suites->hashSigAlgo[i]; 07302 } 07303 #endif 07304 07305 #ifdef HAVE_EXTENDED_MASTER 07306 if (ssl->options.haveEMS) { 07307 c16toa(HELLO_EXT_EXTMS, output + offset); 07308 offset += HELLO_EXT_TYPE_SZ; 07309 c16toa(0, output + offset); 07310 offset += HELLO_EXT_SZ_SZ; 07311 } 07312 #endif 07313 07314 #ifdef WOLFSSL_TLS13 07315 if (IsAtLeastTLSv1_3(ssl->version) && ssl->options.resuming) { 07316 #ifndef NO_PSK 07317 TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); 07318 #endif 07319 offset += TLSX_Write(ssl->extensions, output + offset, semaphore, 07320 client_hello); 07321 } 07322 #endif 07323 07324 if (offset > OPAQUE16_LEN) 07325 c16toa(offset - OPAQUE16_LEN, output); /* extensions length */ 07326 } 07327 07328 return offset; 07329 } 07330 07331 #endif /* NO_WOLFSSL_CLIENT */ 07332 07333 #ifndef NO_WOLFSSL_SERVER 07334 07335 /** Tells the buffered size of extensions to be sent into the server hello. */ 07336 word16 TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType) 07337 { 07338 word16 length = 0; 07339 byte semaphore[SEMAPHORE_SIZE] = {0}; 07340 07341 switch (msgType) { 07342 case server_hello: 07343 #ifdef WOLFSSL_TLS13 07344 case hello_retry_request: 07345 if (ssl->options.tls1_3) { 07346 XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); 07347 TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); 07348 #ifndef NO_PSK 07349 TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); 07350 #endif 07351 } 07352 break; 07353 case encrypted_extensions: 07354 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SESSION_TICKET)); 07355 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); 07356 #ifndef NO_PSK 07357 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); 07358 #endif 07359 #endif 07360 break; 07361 } 07362 07363 #ifdef HAVE_QSH 07364 /* change response if not using TLS_QSH */ 07365 if (!ssl->options.haveQSH) { 07366 TLSX* ext = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID); 07367 if (ext) 07368 ext->resp = 0; 07369 } 07370 #endif 07371 07372 #ifdef HAVE_EXTENDED_MASTER 07373 if (ssl->options.haveEMS && msgType == server_hello) 07374 length += HELLO_EXT_SZ; 07375 #endif 07376 07377 if (TLSX_SupportExtensions(ssl)) 07378 length += TLSX_GetSize(ssl->extensions, semaphore, msgType); 07379 07380 /* All the response data is set at the ssl object only, so no ctx here. */ 07381 07382 if (length || (msgType != server_hello)) 07383 length += OPAQUE16_LEN; /* for total length storage. */ 07384 07385 return length; 07386 } 07387 07388 /** Writes the server hello extensions into a buffer. */ 07389 word16 TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType) 07390 { 07391 word16 offset = 0; 07392 07393 if (TLSX_SupportExtensions(ssl) && output) { 07394 byte semaphore[SEMAPHORE_SIZE] = {0}; 07395 07396 switch (msgType) { 07397 case server_hello: 07398 #ifdef WOLFSSL_TLS13 07399 case hello_retry_request: 07400 if (ssl->options.tls1_3) { 07401 XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); 07402 TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); 07403 #ifndef NO_PSK 07404 TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); 07405 #endif 07406 } 07407 break; 07408 case encrypted_extensions: 07409 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SESSION_TICKET)); 07410 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); 07411 #ifndef NO_PSK 07412 TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); 07413 #endif 07414 #endif 07415 break; 07416 } 07417 07418 offset += OPAQUE16_LEN; /* extensions length */ 07419 07420 offset += TLSX_Write(ssl->extensions, output + offset, semaphore, 07421 msgType); 07422 07423 #ifdef HAVE_EXTENDED_MASTER 07424 if (ssl->options.haveEMS && msgType == server_hello) { 07425 c16toa(HELLO_EXT_EXTMS, output + offset); 07426 offset += HELLO_EXT_TYPE_SZ; 07427 c16toa(0, output + offset); 07428 offset += HELLO_EXT_SZ_SZ; 07429 } 07430 #endif 07431 07432 if (offset > OPAQUE16_LEN || msgType == encrypted_extensions) 07433 c16toa(offset - OPAQUE16_LEN, output); /* extensions length */ 07434 } 07435 07436 return offset; 07437 } 07438 07439 #endif /* NO_WOLFSSL_SERVER */ 07440 07441 /** Parses a buffer of TLS extensions. */ 07442 int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType, 07443 Suites *suites) 07444 { 07445 int ret = 0; 07446 word16 offset = 0; 07447 byte isRequest = (msgType == client_hello); 07448 #ifdef HAVE_EXTENDED_MASTER 07449 byte pendingEMS = 0; 07450 #endif 07451 07452 if (!ssl || !input || (isRequest && !suites)) 07453 return BAD_FUNC_ARG; 07454 07455 while (ret == 0 && offset < length) { 07456 word16 type; 07457 word16 size; 07458 07459 if (length - offset < HELLO_EXT_TYPE_SZ + OPAQUE16_LEN) 07460 return BUFFER_ERROR; 07461 07462 ato16(input + offset, &type); 07463 offset += HELLO_EXT_TYPE_SZ; 07464 07465 ato16(input + offset, &size); 07466 offset += OPAQUE16_LEN; 07467 07468 if (offset + size > length) 07469 return BUFFER_ERROR; 07470 07471 switch (type) { 07472 case TLSX_SERVER_NAME: 07473 WOLFSSL_MSG("SNI extension received"); 07474 07475 #ifdef WOLFSSL_TLS13 07476 if (IsAtLeastTLSv1_3(ssl->version) && 07477 msgType != client_hello && 07478 msgType != encrypted_extensions) { 07479 return EXT_NOT_ALLOWED; 07480 } 07481 #endif 07482 ret = SNI_PARSE(ssl, input + offset, size, isRequest); 07483 break; 07484 07485 case TLSX_MAX_FRAGMENT_LENGTH: 07486 WOLFSSL_MSG("Max Fragment Length extension received"); 07487 07488 #ifdef WOLFSSL_TLS13 07489 if (IsAtLeastTLSv1_3(ssl->version) && 07490 msgType != client_hello && 07491 msgType != encrypted_extensions) { 07492 return EXT_NOT_ALLOWED; 07493 } 07494 #endif 07495 ret = MFL_PARSE(ssl, input + offset, size, isRequest); 07496 break; 07497 07498 case TLSX_TRUNCATED_HMAC: 07499 WOLFSSL_MSG("Truncated HMAC extension received"); 07500 07501 #ifdef WOLFSSL_TLS13 07502 if (IsAtLeastTLSv1_3(ssl->version)) 07503 return EXT_NOT_ALLOWED; 07504 #endif 07505 ret = THM_PARSE(ssl, input + offset, size, isRequest); 07506 break; 07507 07508 case TLSX_SUPPORTED_GROUPS: 07509 WOLFSSL_MSG("Elliptic Curves extension received"); 07510 07511 #ifdef WOLFSSL_TLS13 07512 if (IsAtLeastTLSv1_3(ssl->version) && 07513 msgType != client_hello && 07514 msgType != encrypted_extensions) { 07515 return EXT_NOT_ALLOWED; 07516 } 07517 #endif 07518 ret = EC_PARSE(ssl, input + offset, size, isRequest); 07519 break; 07520 07521 case TLSX_STATUS_REQUEST: 07522 WOLFSSL_MSG("Certificate Status Request extension received"); 07523 07524 #ifdef WOLFSSL_TLS13 07525 if (IsAtLeastTLSv1_3(ssl->version) && 07526 msgType != client_hello && 07527 msgType != encrypted_extensions) { 07528 return EXT_NOT_ALLOWED; 07529 } 07530 #endif 07531 ret = CSR_PARSE(ssl, input + offset, size, isRequest); 07532 break; 07533 07534 case TLSX_STATUS_REQUEST_V2: 07535 WOLFSSL_MSG("Certificate Status Request v2 extension received"); 07536 07537 #ifdef WOLFSSL_TLS13 07538 if (IsAtLeastTLSv1_3(ssl->version) && 07539 msgType != client_hello && 07540 msgType != encrypted_extensions) { 07541 return EXT_NOT_ALLOWED; 07542 } 07543 #endif 07544 ret = CSR2_PARSE(ssl, input + offset, size, isRequest); 07545 break; 07546 07547 #ifdef HAVE_EXTENDED_MASTER 07548 case HELLO_EXT_EXTMS: 07549 WOLFSSL_MSG("Extended Master Secret extension received"); 07550 07551 #ifdef WOLFSSL_TLS13 07552 if (IsAtLeastTLSv1_3(ssl->version) && 07553 msgType != client_hello) { 07554 return EXT_NOT_ALLOWED; 07555 } 07556 #endif 07557 #ifndef NO_WOLFSSL_SERVER 07558 if (isRequest && !IsAtLeastTLSv1_3(ssl->version)) 07559 ssl->options.haveEMS = 1; 07560 #endif 07561 pendingEMS = 1; 07562 break; 07563 #endif 07564 07565 case TLSX_RENEGOTIATION_INFO: 07566 WOLFSSL_MSG("Secure Renegotiation extension received"); 07567 07568 ret = SCR_PARSE(ssl, input + offset, size, isRequest); 07569 break; 07570 07571 case TLSX_SESSION_TICKET: 07572 WOLFSSL_MSG("Session Ticket extension received"); 07573 07574 #ifdef WOLFSSL_TLS13 07575 if (IsAtLeastTLSv1_3(ssl->version) && 07576 msgType != client_hello) { 07577 return EXT_NOT_ALLOWED; 07578 } 07579 #endif 07580 ret = WOLF_STK_PARSE(ssl, input + offset, size, isRequest); 07581 break; 07582 07583 case TLSX_QUANTUM_SAFE_HYBRID: 07584 WOLFSSL_MSG("Quantum-Safe-Hybrid extension received"); 07585 07586 #ifdef WOLFSSL_TLS13 07587 if (IsAtLeastTLSv1_3(ssl->version)) 07588 return EXT_NOT_ALLOWED; 07589 #endif 07590 ret = QSH_PARSE(ssl, input + offset, size, isRequest); 07591 break; 07592 07593 case TLSX_APPLICATION_LAYER_PROTOCOL: 07594 WOLFSSL_MSG("ALPN extension received"); 07595 07596 #ifdef WOLFSSL_TLS13 07597 if (IsAtLeastTLSv1_3(ssl->version) && 07598 msgType != client_hello && 07599 msgType != encrypted_extensions) { 07600 return EXT_NOT_ALLOWED; 07601 } 07602 #endif 07603 ret = ALPN_PARSE(ssl, input + offset, size, isRequest); 07604 break; 07605 07606 #ifndef WOLFSSL_TLS13 07607 case TLSX_SIGNATURE_ALGORITHMS: 07608 WOLFSSL_MSG("Extended signature algorithm extension received"); 07609 07610 if (isRequest) { 07611 /* do not mess with offset inside the switch! */ 07612 if (IsAtLeastTLSv1_2(ssl)) { 07613 ato16(input + offset, &suites->hashSigAlgoSz); 07614 07615 if (suites->hashSigAlgoSz > size - OPAQUE16_LEN) 07616 return BUFFER_ERROR; 07617 07618 XMEMCPY(suites->hashSigAlgo, 07619 input + offset + OPAQUE16_LEN, 07620 min(suites->hashSigAlgoSz, 07621 HELLO_EXT_SIGALGO_MAX)); 07622 } 07623 } else { 07624 WOLFSSL_MSG("Servers MUST NOT send SIG ALGO extension."); 07625 } 07626 07627 break; 07628 #endif 07629 07630 #ifdef WOLFSSL_TLS13 07631 case TLSX_SUPPORTED_VERSIONS: 07632 WOLFSSL_MSG("Supported Versions extension received"); 07633 07634 if (!IsAtLeastTLSv1_3(ssl->version)) 07635 break; 07636 07637 if (IsAtLeastTLSv1_3(ssl->version) && 07638 msgType != client_hello) { 07639 return EXT_NOT_ALLOWED; 07640 } 07641 ret = SV_PARSE(ssl, input + offset, size); 07642 break; 07643 07644 case TLSX_SIGNATURE_ALGORITHMS: 07645 WOLFSSL_MSG("Signature Algorithms extension received"); 07646 07647 if (!IsAtLeastTLSv1_2(ssl)) 07648 break; 07649 07650 if (IsAtLeastTLSv1_3(ssl->version) && 07651 msgType != client_hello) { 07652 return EXT_NOT_ALLOWED; 07653 } 07654 ret = SA_PARSE(ssl, input + offset, size); 07655 break; 07656 07657 case TLSX_KEY_SHARE: 07658 WOLFSSL_MSG("Key Share extension received"); 07659 07660 if (!IsAtLeastTLSv1_3(ssl->version)) 07661 break; 07662 07663 if (IsAtLeastTLSv1_3(ssl->version) && 07664 msgType != client_hello && msgType != server_hello && 07665 msgType != hello_retry_request) { 07666 return EXT_NOT_ALLOWED; 07667 } 07668 ret = KS_PARSE(ssl, input + offset, size, msgType); 07669 break; 07670 07671 #ifndef NO_PSK 07672 case TLSX_PRE_SHARED_KEY: 07673 WOLFSSL_MSG("Pre-Shared Key extension received"); 07674 07675 if (!IsAtLeastTLSv1_3(ssl->version)) 07676 break; 07677 07678 if (IsAtLeastTLSv1_3(ssl->version) && 07679 msgType != client_hello && msgType != server_hello) { 07680 return EXT_NOT_ALLOWED; 07681 } 07682 ret = PSK_PARSE(ssl, input + offset, size, msgType); 07683 break; 07684 07685 case TLSX_PSK_KEY_EXCHANGE_MODES: 07686 WOLFSSL_MSG("PSK Key Exchange Modes extension received"); 07687 07688 if (!IsAtLeastTLSv1_3(ssl->version)) 07689 break; 07690 07691 if (IsAtLeastTLSv1_3(ssl->version) && 07692 msgType != client_hello) { 07693 return EXT_NOT_ALLOWED; 07694 } 07695 ret = PKM_PARSE(ssl, input + offset, size, msgType); 07696 break; 07697 #endif 07698 #endif 07699 } 07700 07701 /* offset should be updated here! */ 07702 offset += size; 07703 } 07704 07705 #ifdef HAVE_EXTENDED_MASTER 07706 if (!isRequest && ssl->options.haveEMS && !pendingEMS) 07707 ssl->options.haveEMS = 0; 07708 #endif 07709 07710 if (ret == 0) 07711 ret = SNI_VERIFY_PARSE(ssl, isRequest); 07712 07713 return ret; 07714 } 07715 07716 /* undefining semaphore macros */ 07717 #undef IS_OFF 07718 #undef TURN_ON 07719 #undef SEMAPHORE_SIZE 07720 07721 #endif /* HAVE_TLS_EXTENSIONS */ 07722 07723 #ifndef NO_WOLFSSL_CLIENT 07724 07725 #ifndef NO_OLD_TLS 07726 07727 WOLFSSL_METHOD* wolfTLSv1_client_method(void) 07728 { 07729 return wolfTLSv1_client_method_ex(NULL); 07730 } 07731 07732 07733 WOLFSSL_METHOD* wolfTLSv1_1_client_method(void) 07734 { 07735 return wolfTLSv1_1_client_method_ex(NULL); 07736 } 07737 07738 WOLFSSL_METHOD* wolfTLSv1_client_method_ex(void* heap) 07739 { 07740 WOLFSSL_METHOD* method = 07741 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 07742 heap, DYNAMIC_TYPE_METHOD); 07743 if (method) 07744 InitSSL_Method(method, MakeTLSv1()); 07745 return method; 07746 } 07747 07748 07749 WOLFSSL_METHOD* wolfTLSv1_1_client_method_ex(void* heap) 07750 { 07751 WOLFSSL_METHOD* method = 07752 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 07753 heap, DYNAMIC_TYPE_METHOD); 07754 if (method) 07755 InitSSL_Method(method, MakeTLSv1_1()); 07756 return method; 07757 } 07758 07759 #endif /* !NO_OLD_TLS */ 07760 07761 07762 WOLFSSL_METHOD* wolfTLSv1_2_client_method(void) 07763 { 07764 return wolfTLSv1_2_client_method_ex(NULL); 07765 } 07766 07767 WOLFSSL_METHOD* wolfTLSv1_2_client_method_ex(void* heap) 07768 { 07769 WOLFSSL_METHOD* method = 07770 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 07771 heap, DYNAMIC_TYPE_METHOD); 07772 (void)heap; 07773 if (method) 07774 InitSSL_Method(method, MakeTLSv1_2()); 07775 return method; 07776 } 07777 07778 #ifdef WOLFSSL_TLS13 07779 /* The TLS v1.3 client method data. 07780 * 07781 * returns the method data for a TLS v1.3 client. 07782 */ 07783 WOLFSSL_METHOD* wolfTLSv1_3_client_method(void) 07784 { 07785 return wolfTLSv1_3_client_method_ex(NULL); 07786 } 07787 07788 /* The TLS v1.3 client method data. 07789 * 07790 * heap The heap used for allocation. 07791 * returns the method data for a TLS v1.3 client. 07792 */ 07793 WOLFSSL_METHOD* wolfTLSv1_3_client_method_ex(void* heap) 07794 { 07795 WOLFSSL_METHOD* method = (WOLFSSL_METHOD*) 07796 XMALLOC(sizeof(WOLFSSL_METHOD), heap, 07797 DYNAMIC_TYPE_METHOD); 07798 (void)heap; 07799 if (method) { 07800 InitSSL_Method(method, MakeTLSv1_3()); 07801 method->downgrade = 1; 07802 } 07803 return method; 07804 } 07805 #endif /* WOLFSSL_TLS13 */ 07806 07807 07808 WOLFSSL_METHOD* wolfSSLv23_client_method(void) 07809 { 07810 return wolfSSLv23_client_method_ex(NULL); 07811 } 07812 07813 07814 WOLFSSL_METHOD* wolfSSLv23_client_method_ex(void* heap) 07815 { 07816 WOLFSSL_METHOD* method = 07817 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 07818 heap, DYNAMIC_TYPE_METHOD); 07819 (void)heap; 07820 if (method) { 07821 #if !defined(NO_SHA256) || defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512) 07822 #ifdef WOLFSSL_TLS13 07823 InitSSL_Method(method, MakeTLSv1_3()); 07824 #else 07825 InitSSL_Method(method, MakeTLSv1_2()); 07826 #endif 07827 #else 07828 #ifndef NO_OLD_TLS 07829 InitSSL_Method(method, MakeTLSv1_1()); 07830 #endif 07831 #endif 07832 #ifndef NO_OLD_TLS 07833 method->downgrade = 1; 07834 #endif 07835 } 07836 return method; 07837 } 07838 07839 #endif /* NO_WOLFSSL_CLIENT */ 07840 07841 07842 07843 #ifndef NO_WOLFSSL_SERVER 07844 07845 #ifndef NO_OLD_TLS 07846 07847 WOLFSSL_METHOD* wolfTLSv1_server_method(void) 07848 { 07849 return wolfTLSv1_server_method_ex(NULL); 07850 } 07851 07852 07853 WOLFSSL_METHOD* wolfTLSv1_1_server_method(void) 07854 { 07855 return wolfTLSv1_1_server_method_ex(NULL); 07856 } 07857 07858 WOLFSSL_METHOD* wolfTLSv1_server_method_ex(void* heap) 07859 { 07860 WOLFSSL_METHOD* method = 07861 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 07862 heap, DYNAMIC_TYPE_METHOD); 07863 if (method) { 07864 InitSSL_Method(method, MakeTLSv1()); 07865 method->side = WOLFSSL_SERVER_END; 07866 } 07867 return method; 07868 } 07869 07870 07871 WOLFSSL_METHOD* wolfTLSv1_1_server_method_ex(void* heap) 07872 { 07873 WOLFSSL_METHOD* method = 07874 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 07875 heap, DYNAMIC_TYPE_METHOD); 07876 if (method) { 07877 InitSSL_Method(method, MakeTLSv1_1()); 07878 method->side = WOLFSSL_SERVER_END; 07879 } 07880 return method; 07881 } 07882 #endif /* !NO_OLD_TLS */ 07883 07884 07885 WOLFSSL_METHOD* wolfTLSv1_2_server_method(void) 07886 { 07887 return wolfTLSv1_2_server_method_ex(NULL); 07888 } 07889 07890 WOLFSSL_METHOD* wolfTLSv1_2_server_method_ex(void* heap) 07891 { 07892 WOLFSSL_METHOD* method = 07893 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 07894 heap, DYNAMIC_TYPE_METHOD); 07895 (void)heap; 07896 if (method) { 07897 InitSSL_Method(method, MakeTLSv1_2()); 07898 method->side = WOLFSSL_SERVER_END; 07899 } 07900 return method; 07901 } 07902 07903 #ifdef WOLFSSL_TLS13 07904 /* The TLS v1.3 server method data. 07905 * 07906 * returns the method data for a TLS v1.3 server. 07907 */ 07908 WOLFSSL_METHOD* wolfTLSv1_3_server_method(void) 07909 { 07910 return wolfTLSv1_3_server_method_ex(NULL); 07911 } 07912 07913 /* The TLS v1.3 server method data. 07914 * 07915 * heap The heap used for allocation. 07916 * returns the method data for a TLS v1.3 server. 07917 */ 07918 WOLFSSL_METHOD* wolfTLSv1_3_server_method_ex(void* heap) 07919 { 07920 WOLFSSL_METHOD* method = 07921 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 07922 heap, DYNAMIC_TYPE_METHOD); 07923 (void)heap; 07924 if (method) { 07925 InitSSL_Method(method, MakeTLSv1_3()); 07926 method->side = WOLFSSL_SERVER_END; 07927 } 07928 return method; 07929 } 07930 #endif /* WOLFSSL_TLS13 */ 07931 07932 WOLFSSL_METHOD* wolfSSLv23_server_method(void) 07933 { 07934 return wolfSSLv23_server_method_ex(NULL); 07935 } 07936 07937 WOLFSSL_METHOD* wolfSSLv23_server_method_ex(void* heap) 07938 { 07939 WOLFSSL_METHOD* method = 07940 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 07941 heap, DYNAMIC_TYPE_METHOD); 07942 (void)heap; 07943 if (method) { 07944 #if !defined(NO_SHA256) || defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512) 07945 #ifdef WOLFSSL_TLS13 07946 InitSSL_Method(method, MakeTLSv1_3()); 07947 #else 07948 InitSSL_Method(method, MakeTLSv1_2()); 07949 #endif 07950 #else 07951 #ifndef NO_OLD_TLS 07952 InitSSL_Method(method, MakeTLSv1_1()); 07953 #else 07954 #error Must have SHA256, SHA384 or SHA512 enabled for TLS 1.2 07955 #endif 07956 #endif 07957 #ifndef NO_OLD_TLS 07958 method->downgrade = 1; 07959 #endif 07960 method->side = WOLFSSL_SERVER_END; 07961 } 07962 return method; 07963 } 07964 07965 07966 #endif /* NO_WOLFSSL_SERVER */ 07967 #endif /* NO_TLS */ 07968 #endif /* WOLFCRYPT_ONLY */ 07969
Generated on Tue Jul 12 2022 23:31:02 by
1.7.2