wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
src/tls13.c@15:117db924cf7c, 2018-08-18 (annotated)
- Committer:
- wolfSSL
- Date:
- Sat Aug 18 22:20:43 2018 +0000
- Revision:
- 15:117db924cf7c
- Child:
- 16:8e0d178b1d1e
wolfSSL 3.15.3
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
wolfSSL | 15:117db924cf7c | 1 | /* tls13.c |
wolfSSL | 15:117db924cf7c | 2 | * |
wolfSSL | 15:117db924cf7c | 3 | * Copyright (C) 2006-2017 wolfSSL Inc. |
wolfSSL | 15:117db924cf7c | 4 | * |
wolfSSL | 15:117db924cf7c | 5 | * This file is part of wolfSSL. |
wolfSSL | 15:117db924cf7c | 6 | * |
wolfSSL | 15:117db924cf7c | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
wolfSSL | 15:117db924cf7c | 8 | * it under the terms of the GNU General Public License as published by |
wolfSSL | 15:117db924cf7c | 9 | * the Free Software Foundation; either version 2 of the License, or |
wolfSSL | 15:117db924cf7c | 10 | * (at your option) any later version. |
wolfSSL | 15:117db924cf7c | 11 | * |
wolfSSL | 15:117db924cf7c | 12 | * wolfSSL is distributed in the hope that it will be useful, |
wolfSSL | 15:117db924cf7c | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
wolfSSL | 15:117db924cf7c | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
wolfSSL | 15:117db924cf7c | 15 | * GNU General Public License for more details. |
wolfSSL | 15:117db924cf7c | 16 | * |
wolfSSL | 15:117db924cf7c | 17 | * You should have received a copy of the GNU General Public License |
wolfSSL | 15:117db924cf7c | 18 | * along with this program; if not, write to the Free Software |
wolfSSL | 15:117db924cf7c | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
wolfSSL | 15:117db924cf7c | 20 | */ |
wolfSSL | 15:117db924cf7c | 21 | |
wolfSSL | 15:117db924cf7c | 22 | |
wolfSSL | 15:117db924cf7c | 23 | /* |
wolfSSL | 15:117db924cf7c | 24 | * BUILD_GCM |
wolfSSL | 15:117db924cf7c | 25 | * Enables AES-GCM ciphersuites. |
wolfSSL | 15:117db924cf7c | 26 | * HAVE_AESCCM |
wolfSSL | 15:117db924cf7c | 27 | * Enables AES-CCM ciphersuites. |
wolfSSL | 15:117db924cf7c | 28 | * HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 29 | * Enables session tickets - required for TLS 1.3 resumption. |
wolfSSL | 15:117db924cf7c | 30 | * NO_PSK |
wolfSSL | 15:117db924cf7c | 31 | * Do not enable Pre-Shared Keys. |
wolfSSL | 15:117db924cf7c | 32 | * TLS13_SUPPORTS_EXPORTERS |
wolfSSL | 15:117db924cf7c | 33 | * Gaurd to compile out any code for exporter keys. |
wolfSSL | 15:117db924cf7c | 34 | * Feature not supported yet. |
wolfSSL | 15:117db924cf7c | 35 | * WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 36 | * Enables the use of asynchornous cryptographic operations. |
wolfSSL | 15:117db924cf7c | 37 | * This is available for ciphers and certificates. |
wolfSSL | 15:117db924cf7c | 38 | * HAVE_CHACHA && HAVE_POLY1305 |
wolfSSL | 15:117db924cf7c | 39 | * Enables use of CHACHA20-POLY1305 ciphersuites. |
wolfSSL | 15:117db924cf7c | 40 | * WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 41 | * Writes out details of TLS 1.3 protocol including hanshake message buffers |
wolfSSL | 15:117db924cf7c | 42 | * and key generation input and output. |
wolfSSL | 15:117db924cf7c | 43 | * WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 44 | * Allow 0-RTT Handshake using Early Data extensions and handshake message |
wolfSSL | 15:117db924cf7c | 45 | * WOLFSSL_NO_SERVER_GROUPS_EXT |
wolfSSL | 15:117db924cf7c | 46 | * Do not send the server's groups in an extension when the server's top |
wolfSSL | 15:117db924cf7c | 47 | * preference is not in client's list. |
wolfSSL | 15:117db924cf7c | 48 | * WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 49 | * Allow TLS v1.3 code to perform post-handshake authentication of the |
wolfSSL | 15:117db924cf7c | 50 | * client. |
wolfSSL | 15:117db924cf7c | 51 | * WOLFSSL_SEND_HRR_COOKIE |
wolfSSL | 15:117db924cf7c | 52 | * Send a cookie in hello_retry_request message to enable stateless tracking |
wolfSSL | 15:117db924cf7c | 53 | * of ClientHello replies. |
wolfSSL | 15:117db924cf7c | 54 | * WOLFSSL_TLS13 |
wolfSSL | 15:117db924cf7c | 55 | * Enable TLS 1.3 protocol implementation. |
wolfSSL | 15:117db924cf7c | 56 | * WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 57 | * Conform with Draft 18 of the TLS v1.3 specification. |
wolfSSL | 15:117db924cf7c | 58 | * WOLFSSL_TLS13_DRAFT_22 |
wolfSSL | 15:117db924cf7c | 59 | * Conform with Draft 22 of the TLS v1.3 specification. |
wolfSSL | 15:117db924cf7c | 60 | * WOLFSSL_TLS13_DRAFT_23 |
wolfSSL | 15:117db924cf7c | 61 | * Conform with Draft 23 of the TLS v1.3 specification. |
wolfSSL | 15:117db924cf7c | 62 | * WOLFSSL_TLS13_MIDDLEBOX_COMPAT |
wolfSSL | 15:117db924cf7c | 63 | * Enable middlebox compatability in the TLS 1.3 handshake. |
wolfSSL | 15:117db924cf7c | 64 | * This includes sending ChangeCipherSpec before encrypted messages and |
wolfSSL | 15:117db924cf7c | 65 | * including a session id. |
wolfSSL | 15:117db924cf7c | 66 | * WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 67 | * Allow generation of SHA-512 digests in handshake - no ciphersuite |
wolfSSL | 15:117db924cf7c | 68 | * requires SHA-512 at this time. |
wolfSSL | 15:117db924cf7c | 69 | * WOLFSSL_TLS13_TICKET_BEFORE_FINISHED |
wolfSSL | 15:117db924cf7c | 70 | * Allow a NewSessionTicket message to be sent by server before Client's |
wolfSSL | 15:117db924cf7c | 71 | * Finished message. |
wolfSSL | 15:117db924cf7c | 72 | * See TLS v1.3 specification, Section 4.6.1, Paragraph 4 (Note). |
wolfSSL | 15:117db924cf7c | 73 | */ |
wolfSSL | 15:117db924cf7c | 74 | |
wolfSSL | 15:117db924cf7c | 75 | #ifdef HAVE_CONFIG_H |
wolfSSL | 15:117db924cf7c | 76 | #include <config.h> |
wolfSSL | 15:117db924cf7c | 77 | #endif |
wolfSSL | 15:117db924cf7c | 78 | |
wolfSSL | 15:117db924cf7c | 79 | #include <wolfssl/wolfcrypt/settings.h> |
wolfSSL | 15:117db924cf7c | 80 | |
wolfSSL | 15:117db924cf7c | 81 | #ifdef WOLFSSL_TLS13 |
wolfSSL | 15:117db924cf7c | 82 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 83 | #include <wolfssl/wolfcrypt/wc_port.h> |
wolfSSL | 15:117db924cf7c | 84 | #endif |
wolfSSL | 15:117db924cf7c | 85 | |
wolfSSL | 15:117db924cf7c | 86 | #ifndef WOLFCRYPT_ONLY |
wolfSSL | 15:117db924cf7c | 87 | |
wolfSSL | 15:117db924cf7c | 88 | #ifdef HAVE_ERRNO_H |
wolfSSL | 15:117db924cf7c | 89 | #include <errno.h> |
wolfSSL | 15:117db924cf7c | 90 | #endif |
wolfSSL | 15:117db924cf7c | 91 | |
wolfSSL | 15:117db924cf7c | 92 | #include <wolfssl/internal.h> |
wolfSSL | 15:117db924cf7c | 93 | #include <wolfssl/error-ssl.h> |
wolfSSL | 15:117db924cf7c | 94 | #include <wolfssl/wolfcrypt/asn.h> |
wolfSSL | 15:117db924cf7c | 95 | #include <wolfssl/wolfcrypt/dh.h> |
wolfSSL | 15:117db924cf7c | 96 | #ifdef NO_INLINE |
wolfSSL | 15:117db924cf7c | 97 | #include <wolfssl/wolfcrypt/misc.h> |
wolfSSL | 15:117db924cf7c | 98 | #else |
wolfSSL | 15:117db924cf7c | 99 | #define WOLFSSL_MISC_INCLUDED |
wolfSSL | 15:117db924cf7c | 100 | #include <wolfcrypt/src/misc.c> |
wolfSSL | 15:117db924cf7c | 101 | #endif |
wolfSSL | 15:117db924cf7c | 102 | |
wolfSSL | 15:117db924cf7c | 103 | #ifdef HAVE_NTRU |
wolfSSL | 15:117db924cf7c | 104 | #include "libntruencrypt/ntru_crypto.h" |
wolfSSL | 15:117db924cf7c | 105 | #endif |
wolfSSL | 15:117db924cf7c | 106 | |
wolfSSL | 15:117db924cf7c | 107 | #if defined(DEBUG_WOLFSSL) || defined(WOLFSSL_DEBUG) || \ |
wolfSSL | 15:117db924cf7c | 108 | defined(CHACHA_AEAD_TEST) || defined(WOLFSSL_SESSION_EXPORT_DEBUG) |
wolfSSL | 15:117db924cf7c | 109 | #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) |
wolfSSL | 15:117db924cf7c | 110 | #if MQX_USE_IO_OLD |
wolfSSL | 15:117db924cf7c | 111 | #include <fio.h> |
wolfSSL | 15:117db924cf7c | 112 | #else |
wolfSSL | 15:117db924cf7c | 113 | #include <nio.h> |
wolfSSL | 15:117db924cf7c | 114 | #endif |
wolfSSL | 15:117db924cf7c | 115 | #else |
wolfSSL | 15:117db924cf7c | 116 | #include <stdio.h> |
wolfSSL | 15:117db924cf7c | 117 | #endif |
wolfSSL | 15:117db924cf7c | 118 | #endif |
wolfSSL | 15:117db924cf7c | 119 | |
wolfSSL | 15:117db924cf7c | 120 | #ifdef __sun |
wolfSSL | 15:117db924cf7c | 121 | #include <sys/filio.h> |
wolfSSL | 15:117db924cf7c | 122 | #endif |
wolfSSL | 15:117db924cf7c | 123 | |
wolfSSL | 15:117db924cf7c | 124 | #ifndef TRUE |
wolfSSL | 15:117db924cf7c | 125 | #define TRUE 1 |
wolfSSL | 15:117db924cf7c | 126 | #endif |
wolfSSL | 15:117db924cf7c | 127 | #ifndef FALSE |
wolfSSL | 15:117db924cf7c | 128 | #define FALSE 0 |
wolfSSL | 15:117db924cf7c | 129 | #endif |
wolfSSL | 15:117db924cf7c | 130 | |
wolfSSL | 15:117db924cf7c | 131 | #ifndef HAVE_HKDF |
wolfSSL | 15:117db924cf7c | 132 | #error The build option HAVE_HKDF is required for TLS 1.3 |
wolfSSL | 15:117db924cf7c | 133 | #endif |
wolfSSL | 15:117db924cf7c | 134 | |
wolfSSL | 15:117db924cf7c | 135 | |
wolfSSL | 15:117db924cf7c | 136 | /* Set ret to error value and jump to label. |
wolfSSL | 15:117db924cf7c | 137 | * |
wolfSSL | 15:117db924cf7c | 138 | * err The error value to set. |
wolfSSL | 15:117db924cf7c | 139 | * eLabel The label to jump to. |
wolfSSL | 15:117db924cf7c | 140 | */ |
wolfSSL | 15:117db924cf7c | 141 | #define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; } |
wolfSSL | 15:117db924cf7c | 142 | |
wolfSSL | 15:117db924cf7c | 143 | |
wolfSSL | 15:117db924cf7c | 144 | /* Extract data using HMAC, salt and input. |
wolfSSL | 15:117db924cf7c | 145 | * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF) |
wolfSSL | 15:117db924cf7c | 146 | * |
wolfSSL | 15:117db924cf7c | 147 | * prk The generated pseudorandom key. |
wolfSSL | 15:117db924cf7c | 148 | * salt The salt. |
wolfSSL | 15:117db924cf7c | 149 | * saltLen The length of the salt. |
wolfSSL | 15:117db924cf7c | 150 | * ikm The input keying material. |
wolfSSL | 15:117db924cf7c | 151 | * ikmLen The length of the input keying material. |
wolfSSL | 15:117db924cf7c | 152 | * mac The type of digest to use. |
wolfSSL | 15:117db924cf7c | 153 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 154 | */ |
wolfSSL | 15:117db924cf7c | 155 | static int Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen, |
wolfSSL | 15:117db924cf7c | 156 | byte* ikm, int ikmLen, int mac) |
wolfSSL | 15:117db924cf7c | 157 | { |
wolfSSL | 15:117db924cf7c | 158 | int ret; |
wolfSSL | 15:117db924cf7c | 159 | int hash = 0; |
wolfSSL | 15:117db924cf7c | 160 | int len = 0; |
wolfSSL | 15:117db924cf7c | 161 | |
wolfSSL | 15:117db924cf7c | 162 | switch (mac) { |
wolfSSL | 15:117db924cf7c | 163 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 164 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 165 | hash = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 166 | len = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 167 | break; |
wolfSSL | 15:117db924cf7c | 168 | #endif |
wolfSSL | 15:117db924cf7c | 169 | |
wolfSSL | 15:117db924cf7c | 170 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 171 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 172 | hash = WC_SHA384; |
wolfSSL | 15:117db924cf7c | 173 | len = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 174 | break; |
wolfSSL | 15:117db924cf7c | 175 | #endif |
wolfSSL | 15:117db924cf7c | 176 | |
wolfSSL | 15:117db924cf7c | 177 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 178 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 179 | hash = WC_SHA512; |
wolfSSL | 15:117db924cf7c | 180 | len = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 181 | break; |
wolfSSL | 15:117db924cf7c | 182 | #endif |
wolfSSL | 15:117db924cf7c | 183 | } |
wolfSSL | 15:117db924cf7c | 184 | |
wolfSSL | 15:117db924cf7c | 185 | /* When length is 0 then use zeroed data of digest length. */ |
wolfSSL | 15:117db924cf7c | 186 | if (ikmLen == 0) { |
wolfSSL | 15:117db924cf7c | 187 | ikmLen = len; |
wolfSSL | 15:117db924cf7c | 188 | XMEMSET(ikm, 0, len); |
wolfSSL | 15:117db924cf7c | 189 | } |
wolfSSL | 15:117db924cf7c | 190 | |
wolfSSL | 15:117db924cf7c | 191 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 192 | WOLFSSL_MSG(" Salt"); |
wolfSSL | 15:117db924cf7c | 193 | WOLFSSL_BUFFER(salt, saltLen); |
wolfSSL | 15:117db924cf7c | 194 | WOLFSSL_MSG(" IKM"); |
wolfSSL | 15:117db924cf7c | 195 | WOLFSSL_BUFFER(ikm, ikmLen); |
wolfSSL | 15:117db924cf7c | 196 | #endif |
wolfSSL | 15:117db924cf7c | 197 | |
wolfSSL | 15:117db924cf7c | 198 | ret = wc_HKDF_Extract(hash, salt, saltLen, ikm, ikmLen, prk); |
wolfSSL | 15:117db924cf7c | 199 | |
wolfSSL | 15:117db924cf7c | 200 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 201 | WOLFSSL_MSG(" PRK"); |
wolfSSL | 15:117db924cf7c | 202 | WOLFSSL_BUFFER(prk, len); |
wolfSSL | 15:117db924cf7c | 203 | #endif |
wolfSSL | 15:117db924cf7c | 204 | |
wolfSSL | 15:117db924cf7c | 205 | return ret; |
wolfSSL | 15:117db924cf7c | 206 | } |
wolfSSL | 15:117db924cf7c | 207 | |
wolfSSL | 15:117db924cf7c | 208 | /* Expand data using HMAC, salt and label and info. |
wolfSSL | 15:117db924cf7c | 209 | * TLS v1.3 defines this function. |
wolfSSL | 15:117db924cf7c | 210 | * |
wolfSSL | 15:117db924cf7c | 211 | * okm The generated pseudorandom key - output key material. |
wolfSSL | 15:117db924cf7c | 212 | * okmLen The length of generated pseudorandom key - output key material. |
wolfSSL | 15:117db924cf7c | 213 | * prk The salt - pseudo-random key. |
wolfSSL | 15:117db924cf7c | 214 | * prkLen The length of the salt - pseudo-random key. |
wolfSSL | 15:117db924cf7c | 215 | * protocol The TLS protocol label. |
wolfSSL | 15:117db924cf7c | 216 | * protocolLen The length of the TLS protocol label. |
wolfSSL | 15:117db924cf7c | 217 | * info The information to expand. |
wolfSSL | 15:117db924cf7c | 218 | * infoLen The length of the information. |
wolfSSL | 15:117db924cf7c | 219 | * digest The type of digest to use. |
wolfSSL | 15:117db924cf7c | 220 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 221 | */ |
wolfSSL | 15:117db924cf7c | 222 | static int HKDF_Expand_Label(byte* okm, word32 okmLen, |
wolfSSL | 15:117db924cf7c | 223 | const byte* prk, word32 prkLen, |
wolfSSL | 15:117db924cf7c | 224 | const byte* protocol, word32 protocolLen, |
wolfSSL | 15:117db924cf7c | 225 | const byte* label, word32 labelLen, |
wolfSSL | 15:117db924cf7c | 226 | const byte* info, word32 infoLen, |
wolfSSL | 15:117db924cf7c | 227 | int digest) |
wolfSSL | 15:117db924cf7c | 228 | { |
wolfSSL | 15:117db924cf7c | 229 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 230 | int idx = 0; |
wolfSSL | 15:117db924cf7c | 231 | byte data[MAX_HKDF_LABEL_SZ]; |
wolfSSL | 15:117db924cf7c | 232 | |
wolfSSL | 15:117db924cf7c | 233 | /* Output length. */ |
wolfSSL | 15:117db924cf7c | 234 | data[idx++] = (byte)(okmLen >> 8); |
wolfSSL | 15:117db924cf7c | 235 | data[idx++] = (byte)okmLen; |
wolfSSL | 15:117db924cf7c | 236 | /* Length of protocol | label. */ |
wolfSSL | 15:117db924cf7c | 237 | data[idx++] = (byte)(protocolLen + labelLen); |
wolfSSL | 15:117db924cf7c | 238 | /* Protocol */ |
wolfSSL | 15:117db924cf7c | 239 | XMEMCPY(&data[idx], protocol, protocolLen); |
wolfSSL | 15:117db924cf7c | 240 | idx += protocolLen; |
wolfSSL | 15:117db924cf7c | 241 | /* Label */ |
wolfSSL | 15:117db924cf7c | 242 | XMEMCPY(&data[idx], label, labelLen); |
wolfSSL | 15:117db924cf7c | 243 | idx += labelLen; |
wolfSSL | 15:117db924cf7c | 244 | /* Length of hash of messages */ |
wolfSSL | 15:117db924cf7c | 245 | data[idx++] = (byte)infoLen; |
wolfSSL | 15:117db924cf7c | 246 | /* Hash of messages */ |
wolfSSL | 15:117db924cf7c | 247 | XMEMCPY(&data[idx], info, infoLen); |
wolfSSL | 15:117db924cf7c | 248 | idx += infoLen; |
wolfSSL | 15:117db924cf7c | 249 | |
wolfSSL | 15:117db924cf7c | 250 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 251 | WOLFSSL_MSG(" PRK"); |
wolfSSL | 15:117db924cf7c | 252 | WOLFSSL_BUFFER(prk, prkLen); |
wolfSSL | 15:117db924cf7c | 253 | WOLFSSL_MSG(" Info"); |
wolfSSL | 15:117db924cf7c | 254 | WOLFSSL_BUFFER(data, idx); |
wolfSSL | 15:117db924cf7c | 255 | #endif |
wolfSSL | 15:117db924cf7c | 256 | |
wolfSSL | 15:117db924cf7c | 257 | ret = wc_HKDF_Expand(digest, prk, prkLen, data, idx, okm, okmLen); |
wolfSSL | 15:117db924cf7c | 258 | |
wolfSSL | 15:117db924cf7c | 259 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 260 | WOLFSSL_MSG(" OKM"); |
wolfSSL | 15:117db924cf7c | 261 | WOLFSSL_BUFFER(okm, okmLen); |
wolfSSL | 15:117db924cf7c | 262 | #endif |
wolfSSL | 15:117db924cf7c | 263 | |
wolfSSL | 15:117db924cf7c | 264 | ForceZero(data, idx); |
wolfSSL | 15:117db924cf7c | 265 | |
wolfSSL | 15:117db924cf7c | 266 | return ret; |
wolfSSL | 15:117db924cf7c | 267 | } |
wolfSSL | 15:117db924cf7c | 268 | |
wolfSSL | 15:117db924cf7c | 269 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 270 | /* Size of the TLS v1.3 label use when deriving keys. */ |
wolfSSL | 15:117db924cf7c | 271 | #define TLS13_PROTOCOL_LABEL_SZ 9 |
wolfSSL | 15:117db924cf7c | 272 | /* The protocol label for TLS v1.3. */ |
wolfSSL | 15:117db924cf7c | 273 | static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "TLS 1.3, "; |
wolfSSL | 15:117db924cf7c | 274 | #else |
wolfSSL | 15:117db924cf7c | 275 | /* Size of the TLS v1.3 label use when deriving keys. */ |
wolfSSL | 15:117db924cf7c | 276 | #define TLS13_PROTOCOL_LABEL_SZ 6 |
wolfSSL | 15:117db924cf7c | 277 | /* The protocol label for TLS v1.3. */ |
wolfSSL | 15:117db924cf7c | 278 | static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "tls13 "; |
wolfSSL | 15:117db924cf7c | 279 | #endif |
wolfSSL | 15:117db924cf7c | 280 | |
wolfSSL | 15:117db924cf7c | 281 | #if !defined(WOLFSSL_TLS13_DRAFT_18) || defined(HAVE_SESSION_TICKET) || \ |
wolfSSL | 15:117db924cf7c | 282 | !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 283 | /* Derive a key from a message. |
wolfSSL | 15:117db924cf7c | 284 | * |
wolfSSL | 15:117db924cf7c | 285 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 286 | * output The buffer to hold the derived key. |
wolfSSL | 15:117db924cf7c | 287 | * outputLen The length of the derived key. |
wolfSSL | 15:117db924cf7c | 288 | * secret The secret used to derive the key (HMAC secret). |
wolfSSL | 15:117db924cf7c | 289 | * label The label used to distinguish the context. |
wolfSSL | 15:117db924cf7c | 290 | * labelLen The length of the label. |
wolfSSL | 15:117db924cf7c | 291 | * msg The message data to derive key from. |
wolfSSL | 15:117db924cf7c | 292 | * msgLen The length of the message data to derive key from. |
wolfSSL | 15:117db924cf7c | 293 | * hashAlgo The hash algorithm to use in the HMAC. |
wolfSSL | 15:117db924cf7c | 294 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 295 | */ |
wolfSSL | 15:117db924cf7c | 296 | static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen, |
wolfSSL | 15:117db924cf7c | 297 | const byte* secret, const byte* label, word32 labelLen, |
wolfSSL | 15:117db924cf7c | 298 | byte* msg, int msgLen, int hashAlgo) |
wolfSSL | 15:117db924cf7c | 299 | { |
wolfSSL | 15:117db924cf7c | 300 | byte hash[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 301 | Digest digest; |
wolfSSL | 15:117db924cf7c | 302 | word32 hashSz = 0; |
wolfSSL | 15:117db924cf7c | 303 | const byte* protocol; |
wolfSSL | 15:117db924cf7c | 304 | word32 protocolLen; |
wolfSSL | 15:117db924cf7c | 305 | int digestAlg = -1; |
wolfSSL | 15:117db924cf7c | 306 | int ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 307 | |
wolfSSL | 15:117db924cf7c | 308 | switch (hashAlgo) { |
wolfSSL | 15:117db924cf7c | 309 | #ifndef NO_WOLFSSL_SHA256 |
wolfSSL | 15:117db924cf7c | 310 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 311 | ret = wc_InitSha256_ex(&digest.sha256, ssl->heap, INVALID_DEVID); |
wolfSSL | 15:117db924cf7c | 312 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 313 | ret = wc_Sha256Update(&digest.sha256, msg, msgLen); |
wolfSSL | 15:117db924cf7c | 314 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 315 | ret = wc_Sha256Final(&digest.sha256, hash); |
wolfSSL | 15:117db924cf7c | 316 | wc_Sha256Free(&digest.sha256); |
wolfSSL | 15:117db924cf7c | 317 | } |
wolfSSL | 15:117db924cf7c | 318 | hashSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 319 | digestAlg = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 320 | break; |
wolfSSL | 15:117db924cf7c | 321 | #endif |
wolfSSL | 15:117db924cf7c | 322 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 323 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 324 | ret = wc_InitSha384_ex(&digest.sha384, ssl->heap, INVALID_DEVID); |
wolfSSL | 15:117db924cf7c | 325 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 326 | ret = wc_Sha384Update(&digest.sha384, msg, msgLen); |
wolfSSL | 15:117db924cf7c | 327 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 328 | ret = wc_Sha384Final(&digest.sha384, hash); |
wolfSSL | 15:117db924cf7c | 329 | wc_Sha384Free(&digest.sha384); |
wolfSSL | 15:117db924cf7c | 330 | } |
wolfSSL | 15:117db924cf7c | 331 | hashSz = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 332 | digestAlg = WC_SHA384; |
wolfSSL | 15:117db924cf7c | 333 | break; |
wolfSSL | 15:117db924cf7c | 334 | #endif |
wolfSSL | 15:117db924cf7c | 335 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 336 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 337 | ret = wc_InitSha512_ex(&digest.sha512, ssl->heap, INVALID_DEVID); |
wolfSSL | 15:117db924cf7c | 338 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 339 | ret = wc_Sha512Update(&digest.sha512, msg, msgLen); |
wolfSSL | 15:117db924cf7c | 340 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 341 | ret = wc_Sha512Final(&digest.sha512, hash); |
wolfSSL | 15:117db924cf7c | 342 | wc_Sha512Free(&digest.sha512); |
wolfSSL | 15:117db924cf7c | 343 | } |
wolfSSL | 15:117db924cf7c | 344 | hashSz = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 345 | digestAlg = WC_SHA512; |
wolfSSL | 15:117db924cf7c | 346 | break; |
wolfSSL | 15:117db924cf7c | 347 | #endif |
wolfSSL | 15:117db924cf7c | 348 | default: |
wolfSSL | 15:117db924cf7c | 349 | digestAlg = -1; |
wolfSSL | 15:117db924cf7c | 350 | break; |
wolfSSL | 15:117db924cf7c | 351 | } |
wolfSSL | 15:117db924cf7c | 352 | |
wolfSSL | 15:117db924cf7c | 353 | if (digestAlg < 0) |
wolfSSL | 15:117db924cf7c | 354 | return HASH_TYPE_E; |
wolfSSL | 15:117db924cf7c | 355 | |
wolfSSL | 15:117db924cf7c | 356 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 357 | return ret; |
wolfSSL | 15:117db924cf7c | 358 | |
wolfSSL | 15:117db924cf7c | 359 | switch (ssl->version.minor) { |
wolfSSL | 15:117db924cf7c | 360 | case TLSv1_3_MINOR: |
wolfSSL | 15:117db924cf7c | 361 | protocol = tls13ProtocolLabel; |
wolfSSL | 15:117db924cf7c | 362 | protocolLen = TLS13_PROTOCOL_LABEL_SZ; |
wolfSSL | 15:117db924cf7c | 363 | break; |
wolfSSL | 15:117db924cf7c | 364 | |
wolfSSL | 15:117db924cf7c | 365 | default: |
wolfSSL | 15:117db924cf7c | 366 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 367 | } |
wolfSSL | 15:117db924cf7c | 368 | if (outputLen == -1) |
wolfSSL | 15:117db924cf7c | 369 | outputLen = hashSz; |
wolfSSL | 15:117db924cf7c | 370 | |
wolfSSL | 15:117db924cf7c | 371 | return HKDF_Expand_Label(output, outputLen, secret, hashSz, |
wolfSSL | 15:117db924cf7c | 372 | protocol, protocolLen, label, labelLen, |
wolfSSL | 15:117db924cf7c | 373 | hash, hashSz, digestAlg); |
wolfSSL | 15:117db924cf7c | 374 | } |
wolfSSL | 15:117db924cf7c | 375 | #endif |
wolfSSL | 15:117db924cf7c | 376 | |
wolfSSL | 15:117db924cf7c | 377 | /* Derive a key. |
wolfSSL | 15:117db924cf7c | 378 | * |
wolfSSL | 15:117db924cf7c | 379 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 380 | * output The buffer to hold the derived key. |
wolfSSL | 15:117db924cf7c | 381 | * outputLen The length of the derived key. |
wolfSSL | 15:117db924cf7c | 382 | * secret The secret used to derive the key (HMAC secret). |
wolfSSL | 15:117db924cf7c | 383 | * label The label used to distinguish the context. |
wolfSSL | 15:117db924cf7c | 384 | * labelLen The length of the label. |
wolfSSL | 15:117db924cf7c | 385 | * hashAlgo The hash algorithm to use in the HMAC. |
wolfSSL | 15:117db924cf7c | 386 | * includeMsgs Whether to include a hash of the handshake messages so far. |
wolfSSL | 15:117db924cf7c | 387 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 388 | */ |
wolfSSL | 15:117db924cf7c | 389 | static int DeriveKey(WOLFSSL* ssl, byte* output, int outputLen, |
wolfSSL | 15:117db924cf7c | 390 | const byte* secret, const byte* label, word32 labelLen, |
wolfSSL | 15:117db924cf7c | 391 | int hashAlgo, int includeMsgs) |
wolfSSL | 15:117db924cf7c | 392 | { |
wolfSSL | 15:117db924cf7c | 393 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 394 | byte hash[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 395 | word32 hashSz = 0; |
wolfSSL | 15:117db924cf7c | 396 | word32 hashOutSz = 0; |
wolfSSL | 15:117db924cf7c | 397 | const byte* protocol; |
wolfSSL | 15:117db924cf7c | 398 | word32 protocolLen; |
wolfSSL | 15:117db924cf7c | 399 | int digestAlg = 0; |
wolfSSL | 15:117db924cf7c | 400 | |
wolfSSL | 15:117db924cf7c | 401 | switch (hashAlgo) { |
wolfSSL | 15:117db924cf7c | 402 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 403 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 404 | hashSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 405 | digestAlg = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 406 | if (includeMsgs) |
wolfSSL | 15:117db924cf7c | 407 | ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash); |
wolfSSL | 15:117db924cf7c | 408 | break; |
wolfSSL | 15:117db924cf7c | 409 | #endif |
wolfSSL | 15:117db924cf7c | 410 | |
wolfSSL | 15:117db924cf7c | 411 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 412 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 413 | hashSz = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 414 | digestAlg = WC_SHA384; |
wolfSSL | 15:117db924cf7c | 415 | if (includeMsgs) |
wolfSSL | 15:117db924cf7c | 416 | ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash); |
wolfSSL | 15:117db924cf7c | 417 | break; |
wolfSSL | 15:117db924cf7c | 418 | #endif |
wolfSSL | 15:117db924cf7c | 419 | |
wolfSSL | 15:117db924cf7c | 420 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 421 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 422 | hashSz = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 423 | digestAlg = WC_SHA512; |
wolfSSL | 15:117db924cf7c | 424 | if (includeMsgs) |
wolfSSL | 15:117db924cf7c | 425 | ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash); |
wolfSSL | 15:117db924cf7c | 426 | break; |
wolfSSL | 15:117db924cf7c | 427 | #endif |
wolfSSL | 15:117db924cf7c | 428 | } |
wolfSSL | 15:117db924cf7c | 429 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 430 | return ret; |
wolfSSL | 15:117db924cf7c | 431 | |
wolfSSL | 15:117db924cf7c | 432 | /* Only one protocol version defined at this time. */ |
wolfSSL | 15:117db924cf7c | 433 | protocol = tls13ProtocolLabel; |
wolfSSL | 15:117db924cf7c | 434 | protocolLen = TLS13_PROTOCOL_LABEL_SZ; |
wolfSSL | 15:117db924cf7c | 435 | |
wolfSSL | 15:117db924cf7c | 436 | if (outputLen == -1) |
wolfSSL | 15:117db924cf7c | 437 | outputLen = hashSz; |
wolfSSL | 15:117db924cf7c | 438 | if (includeMsgs) |
wolfSSL | 15:117db924cf7c | 439 | hashOutSz = hashSz; |
wolfSSL | 15:117db924cf7c | 440 | |
wolfSSL | 15:117db924cf7c | 441 | return HKDF_Expand_Label(output, outputLen, secret, hashSz, |
wolfSSL | 15:117db924cf7c | 442 | protocol, protocolLen, label, labelLen, |
wolfSSL | 15:117db924cf7c | 443 | hash, hashOutSz, digestAlg); |
wolfSSL | 15:117db924cf7c | 444 | } |
wolfSSL | 15:117db924cf7c | 445 | |
wolfSSL | 15:117db924cf7c | 446 | |
wolfSSL | 15:117db924cf7c | 447 | #ifndef NO_PSK |
wolfSSL | 15:117db924cf7c | 448 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 449 | /* The length of the binder key label. */ |
wolfSSL | 15:117db924cf7c | 450 | #define BINDER_KEY_LABEL_SZ 23 |
wolfSSL | 15:117db924cf7c | 451 | /* The binder key label. */ |
wolfSSL | 15:117db924cf7c | 452 | static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 453 | "external psk binder key"; |
wolfSSL | 15:117db924cf7c | 454 | #else |
wolfSSL | 15:117db924cf7c | 455 | /* The length of the binder key label. */ |
wolfSSL | 15:117db924cf7c | 456 | #define BINDER_KEY_LABEL_SZ 10 |
wolfSSL | 15:117db924cf7c | 457 | /* The binder key label. */ |
wolfSSL | 15:117db924cf7c | 458 | static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 459 | "ext binder"; |
wolfSSL | 15:117db924cf7c | 460 | #endif |
wolfSSL | 15:117db924cf7c | 461 | /* Derive the binder key. |
wolfSSL | 15:117db924cf7c | 462 | * |
wolfSSL | 15:117db924cf7c | 463 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 464 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 465 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 466 | */ |
wolfSSL | 15:117db924cf7c | 467 | static int DeriveBinderKey(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 468 | { |
wolfSSL | 15:117db924cf7c | 469 | WOLFSSL_MSG("Derive Binder Key"); |
wolfSSL | 15:117db924cf7c | 470 | return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, |
wolfSSL | 15:117db924cf7c | 471 | binderKeyLabel, BINDER_KEY_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 472 | NULL, 0, ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 473 | } |
wolfSSL | 15:117db924cf7c | 474 | #endif /* !NO_PSK */ |
wolfSSL | 15:117db924cf7c | 475 | |
wolfSSL | 15:117db924cf7c | 476 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 477 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 478 | /* The length of the binder key resume label. */ |
wolfSSL | 15:117db924cf7c | 479 | #define BINDER_KEY_RESUME_LABEL_SZ 25 |
wolfSSL | 15:117db924cf7c | 480 | /* The binder key resume label. */ |
wolfSSL | 15:117db924cf7c | 481 | static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 482 | "resumption psk binder key"; |
wolfSSL | 15:117db924cf7c | 483 | #else |
wolfSSL | 15:117db924cf7c | 484 | /* The length of the binder key resume label. */ |
wolfSSL | 15:117db924cf7c | 485 | #define BINDER_KEY_RESUME_LABEL_SZ 10 |
wolfSSL | 15:117db924cf7c | 486 | /* The binder key resume label. */ |
wolfSSL | 15:117db924cf7c | 487 | static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 488 | "res binder"; |
wolfSSL | 15:117db924cf7c | 489 | #endif |
wolfSSL | 15:117db924cf7c | 490 | /* Derive the binder resumption key. |
wolfSSL | 15:117db924cf7c | 491 | * |
wolfSSL | 15:117db924cf7c | 492 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 493 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 494 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 495 | */ |
wolfSSL | 15:117db924cf7c | 496 | static int DeriveBinderKeyResume(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 497 | { |
wolfSSL | 15:117db924cf7c | 498 | WOLFSSL_MSG("Derive Binder Key - Resumption"); |
wolfSSL | 15:117db924cf7c | 499 | return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, |
wolfSSL | 15:117db924cf7c | 500 | binderKeyResumeLabel, BINDER_KEY_RESUME_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 501 | NULL, 0, ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 502 | } |
wolfSSL | 15:117db924cf7c | 503 | #endif /* HAVE_SESSION_TICKET */ |
wolfSSL | 15:117db924cf7c | 504 | |
wolfSSL | 15:117db924cf7c | 505 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 506 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 507 | /* The length of the early traffic label. */ |
wolfSSL | 15:117db924cf7c | 508 | #define EARLY_TRAFFIC_LABEL_SZ 27 |
wolfSSL | 15:117db924cf7c | 509 | /* The early traffic label. */ |
wolfSSL | 15:117db924cf7c | 510 | static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 511 | "client early traffic secret"; |
wolfSSL | 15:117db924cf7c | 512 | #else |
wolfSSL | 15:117db924cf7c | 513 | /* The length of the early traffic label. */ |
wolfSSL | 15:117db924cf7c | 514 | #define EARLY_TRAFFIC_LABEL_SZ 11 |
wolfSSL | 15:117db924cf7c | 515 | /* The early traffic label. */ |
wolfSSL | 15:117db924cf7c | 516 | static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 517 | "c e traffic"; |
wolfSSL | 15:117db924cf7c | 518 | #endif |
wolfSSL | 15:117db924cf7c | 519 | /* Derive the early traffic key. |
wolfSSL | 15:117db924cf7c | 520 | * |
wolfSSL | 15:117db924cf7c | 521 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 522 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 523 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 524 | */ |
wolfSSL | 15:117db924cf7c | 525 | static int DeriveEarlyTrafficSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 526 | { |
wolfSSL | 15:117db924cf7c | 527 | WOLFSSL_MSG("Derive Early Traffic Secret"); |
wolfSSL | 15:117db924cf7c | 528 | return DeriveKey(ssl, key, -1, ssl->arrays->secret, |
wolfSSL | 15:117db924cf7c | 529 | earlyTrafficLabel, EARLY_TRAFFIC_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 530 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 15:117db924cf7c | 531 | } |
wolfSSL | 15:117db924cf7c | 532 | |
wolfSSL | 15:117db924cf7c | 533 | #ifdef TLS13_SUPPORTS_EXPORTERS |
wolfSSL | 15:117db924cf7c | 534 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 535 | /* The length of the early exporter label. */ |
wolfSSL | 15:117db924cf7c | 536 | #define EARLY_EXPORTER_LABEL_SZ 28 |
wolfSSL | 15:117db924cf7c | 537 | /* The early exporter label. */ |
wolfSSL | 15:117db924cf7c | 538 | static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 539 | "early exporter master secret"; |
wolfSSL | 15:117db924cf7c | 540 | #else |
wolfSSL | 15:117db924cf7c | 541 | /* The length of the early exporter label. */ |
wolfSSL | 15:117db924cf7c | 542 | #define EARLY_EXPORTER_LABEL_SZ 12 |
wolfSSL | 15:117db924cf7c | 543 | /* The early exporter label. */ |
wolfSSL | 15:117db924cf7c | 544 | static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 545 | "e exp master"; |
wolfSSL | 15:117db924cf7c | 546 | #endif |
wolfSSL | 15:117db924cf7c | 547 | /* Derive the early exporter key. |
wolfSSL | 15:117db924cf7c | 548 | * |
wolfSSL | 15:117db924cf7c | 549 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 550 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 551 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 552 | */ |
wolfSSL | 15:117db924cf7c | 553 | static int DeriveEarlyExporterSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 554 | { |
wolfSSL | 15:117db924cf7c | 555 | WOLFSSL_MSG("Derive Early Exporter Secret"); |
wolfSSL | 15:117db924cf7c | 556 | return DeriveKey(ssl, key, -1, ssl->arrays->secret, |
wolfSSL | 15:117db924cf7c | 557 | earlyExporterLabel, EARLY_EXPORTER_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 558 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 15:117db924cf7c | 559 | } |
wolfSSL | 15:117db924cf7c | 560 | #endif |
wolfSSL | 15:117db924cf7c | 561 | #endif |
wolfSSL | 15:117db924cf7c | 562 | |
wolfSSL | 15:117db924cf7c | 563 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 564 | /* The length of the client hanshake label. */ |
wolfSSL | 15:117db924cf7c | 565 | #define CLIENT_HANDSHAKE_LABEL_SZ 31 |
wolfSSL | 15:117db924cf7c | 566 | /* The client hanshake label. */ |
wolfSSL | 15:117db924cf7c | 567 | static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 568 | "client handshake traffic secret"; |
wolfSSL | 15:117db924cf7c | 569 | #else |
wolfSSL | 15:117db924cf7c | 570 | /* The length of the client hanshake label. */ |
wolfSSL | 15:117db924cf7c | 571 | #define CLIENT_HANDSHAKE_LABEL_SZ 12 |
wolfSSL | 15:117db924cf7c | 572 | /* The client hanshake label. */ |
wolfSSL | 15:117db924cf7c | 573 | static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 574 | "c hs traffic"; |
wolfSSL | 15:117db924cf7c | 575 | #endif |
wolfSSL | 15:117db924cf7c | 576 | /* Derive the client handshake key. |
wolfSSL | 15:117db924cf7c | 577 | * |
wolfSSL | 15:117db924cf7c | 578 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 579 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 580 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 581 | */ |
wolfSSL | 15:117db924cf7c | 582 | static int DeriveClientHandshakeSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 583 | { |
wolfSSL | 15:117db924cf7c | 584 | WOLFSSL_MSG("Derive Client Handshake Secret"); |
wolfSSL | 15:117db924cf7c | 585 | return DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret, |
wolfSSL | 15:117db924cf7c | 586 | clientHandshakeLabel, CLIENT_HANDSHAKE_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 587 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 15:117db924cf7c | 588 | } |
wolfSSL | 15:117db924cf7c | 589 | |
wolfSSL | 15:117db924cf7c | 590 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 591 | /* The length of the server handshake label. */ |
wolfSSL | 15:117db924cf7c | 592 | #define SERVER_HANDSHAKE_LABEL_SZ 31 |
wolfSSL | 15:117db924cf7c | 593 | /* The server handshake label. */ |
wolfSSL | 15:117db924cf7c | 594 | static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 595 | "server handshake traffic secret"; |
wolfSSL | 15:117db924cf7c | 596 | #else |
wolfSSL | 15:117db924cf7c | 597 | /* The length of the server handshake label. */ |
wolfSSL | 15:117db924cf7c | 598 | #define SERVER_HANDSHAKE_LABEL_SZ 12 |
wolfSSL | 15:117db924cf7c | 599 | /* The server handshake label. */ |
wolfSSL | 15:117db924cf7c | 600 | static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 601 | "s hs traffic"; |
wolfSSL | 15:117db924cf7c | 602 | #endif |
wolfSSL | 15:117db924cf7c | 603 | /* Derive the server handshake key. |
wolfSSL | 15:117db924cf7c | 604 | * |
wolfSSL | 15:117db924cf7c | 605 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 606 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 607 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 608 | */ |
wolfSSL | 15:117db924cf7c | 609 | static int DeriveServerHandshakeSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 610 | { |
wolfSSL | 15:117db924cf7c | 611 | WOLFSSL_MSG("Derive Server Handshake Secret"); |
wolfSSL | 15:117db924cf7c | 612 | return DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret, |
wolfSSL | 15:117db924cf7c | 613 | serverHandshakeLabel, SERVER_HANDSHAKE_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 614 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 15:117db924cf7c | 615 | } |
wolfSSL | 15:117db924cf7c | 616 | |
wolfSSL | 15:117db924cf7c | 617 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 618 | /* The length of the client application traffic label. */ |
wolfSSL | 15:117db924cf7c | 619 | #define CLIENT_APP_LABEL_SZ 33 |
wolfSSL | 15:117db924cf7c | 620 | /* The client application traffic label. */ |
wolfSSL | 15:117db924cf7c | 621 | static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 622 | "client application traffic secret"; |
wolfSSL | 15:117db924cf7c | 623 | #else |
wolfSSL | 15:117db924cf7c | 624 | /* The length of the client application traffic label. */ |
wolfSSL | 15:117db924cf7c | 625 | #define CLIENT_APP_LABEL_SZ 12 |
wolfSSL | 15:117db924cf7c | 626 | /* The client application traffic label. */ |
wolfSSL | 15:117db924cf7c | 627 | static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 628 | "c ap traffic"; |
wolfSSL | 15:117db924cf7c | 629 | #endif |
wolfSSL | 15:117db924cf7c | 630 | /* Derive the client application traffic key. |
wolfSSL | 15:117db924cf7c | 631 | * |
wolfSSL | 15:117db924cf7c | 632 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 633 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 634 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 635 | */ |
wolfSSL | 15:117db924cf7c | 636 | static int DeriveClientTrafficSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 637 | { |
wolfSSL | 15:117db924cf7c | 638 | WOLFSSL_MSG("Derive Client Traffic Secret"); |
wolfSSL | 15:117db924cf7c | 639 | return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, |
wolfSSL | 15:117db924cf7c | 640 | clientAppLabel, CLIENT_APP_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 641 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 15:117db924cf7c | 642 | } |
wolfSSL | 15:117db924cf7c | 643 | |
wolfSSL | 15:117db924cf7c | 644 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 645 | /* The length of the server application traffic label. */ |
wolfSSL | 15:117db924cf7c | 646 | #define SERVER_APP_LABEL_SZ 33 |
wolfSSL | 15:117db924cf7c | 647 | /* The server application traffic label. */ |
wolfSSL | 15:117db924cf7c | 648 | static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 649 | "server application traffic secret"; |
wolfSSL | 15:117db924cf7c | 650 | #else |
wolfSSL | 15:117db924cf7c | 651 | /* The length of the server application traffic label. */ |
wolfSSL | 15:117db924cf7c | 652 | #define SERVER_APP_LABEL_SZ 12 |
wolfSSL | 15:117db924cf7c | 653 | /* The server application traffic label. */ |
wolfSSL | 15:117db924cf7c | 654 | static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 655 | "s ap traffic"; |
wolfSSL | 15:117db924cf7c | 656 | #endif |
wolfSSL | 15:117db924cf7c | 657 | /* Derive the server application traffic key. |
wolfSSL | 15:117db924cf7c | 658 | * |
wolfSSL | 15:117db924cf7c | 659 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 660 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 661 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 662 | */ |
wolfSSL | 15:117db924cf7c | 663 | static int DeriveServerTrafficSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 664 | { |
wolfSSL | 15:117db924cf7c | 665 | WOLFSSL_MSG("Derive Server Traffic Secret"); |
wolfSSL | 15:117db924cf7c | 666 | return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, |
wolfSSL | 15:117db924cf7c | 667 | serverAppLabel, SERVER_APP_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 668 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 15:117db924cf7c | 669 | } |
wolfSSL | 15:117db924cf7c | 670 | |
wolfSSL | 15:117db924cf7c | 671 | #ifdef TLS13_SUPPORTS_EXPORTERS |
wolfSSL | 15:117db924cf7c | 672 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 673 | /* The length of the exporter master secret label. */ |
wolfSSL | 15:117db924cf7c | 674 | #define EXPORTER_MASTER_LABEL_SZ 22 |
wolfSSL | 15:117db924cf7c | 675 | /* The exporter master secret label. */ |
wolfSSL | 15:117db924cf7c | 676 | static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 677 | "exporter master secret"; |
wolfSSL | 15:117db924cf7c | 678 | #else |
wolfSSL | 15:117db924cf7c | 679 | /* The length of the exporter master secret label. */ |
wolfSSL | 15:117db924cf7c | 680 | #define EXPORTER_MASTER_LABEL_SZ 10 |
wolfSSL | 15:117db924cf7c | 681 | /* The exporter master secret label. */ |
wolfSSL | 15:117db924cf7c | 682 | static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 683 | "exp master"; |
wolfSSL | 15:117db924cf7c | 684 | #endif |
wolfSSL | 15:117db924cf7c | 685 | /* Derive the exporter secret. |
wolfSSL | 15:117db924cf7c | 686 | * |
wolfSSL | 15:117db924cf7c | 687 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 688 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 689 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 690 | */ |
wolfSSL | 15:117db924cf7c | 691 | static int DeriveExporterSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 692 | { |
wolfSSL | 15:117db924cf7c | 693 | WOLFSSL_MSG("Derive Exporter Secret"); |
wolfSSL | 15:117db924cf7c | 694 | return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, |
wolfSSL | 15:117db924cf7c | 695 | exporterMasterLabel, EXPORTER_MASTER_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 696 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 15:117db924cf7c | 697 | } |
wolfSSL | 15:117db924cf7c | 698 | #endif |
wolfSSL | 15:117db924cf7c | 699 | |
wolfSSL | 15:117db924cf7c | 700 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 701 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 702 | /* The length of the resumption master secret label. */ |
wolfSSL | 15:117db924cf7c | 703 | #define RESUME_MASTER_LABEL_SZ 24 |
wolfSSL | 15:117db924cf7c | 704 | /* The resumption master secret label. */ |
wolfSSL | 15:117db924cf7c | 705 | static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 706 | "resumption master secret"; |
wolfSSL | 15:117db924cf7c | 707 | #else |
wolfSSL | 15:117db924cf7c | 708 | /* The length of the resumption master secret label. */ |
wolfSSL | 15:117db924cf7c | 709 | #define RESUME_MASTER_LABEL_SZ 10 |
wolfSSL | 15:117db924cf7c | 710 | /* The resumption master secret label. */ |
wolfSSL | 15:117db924cf7c | 711 | static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 712 | "res master"; |
wolfSSL | 15:117db924cf7c | 713 | #endif |
wolfSSL | 15:117db924cf7c | 714 | /* Derive the resumption secret. |
wolfSSL | 15:117db924cf7c | 715 | * |
wolfSSL | 15:117db924cf7c | 716 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 717 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 718 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 719 | */ |
wolfSSL | 15:117db924cf7c | 720 | static int DeriveResumptionSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 721 | { |
wolfSSL | 15:117db924cf7c | 722 | WOLFSSL_MSG("Derive Resumption Secret"); |
wolfSSL | 15:117db924cf7c | 723 | return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, |
wolfSSL | 15:117db924cf7c | 724 | resumeMasterLabel, RESUME_MASTER_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 725 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 15:117db924cf7c | 726 | } |
wolfSSL | 15:117db924cf7c | 727 | #endif |
wolfSSL | 15:117db924cf7c | 728 | |
wolfSSL | 15:117db924cf7c | 729 | /* Length of the finished label. */ |
wolfSSL | 15:117db924cf7c | 730 | #define FINISHED_LABEL_SZ 8 |
wolfSSL | 15:117db924cf7c | 731 | /* Finished label for generating finished key. */ |
wolfSSL | 15:117db924cf7c | 732 | static const byte finishedLabel[FINISHED_LABEL_SZ+1] = "finished"; |
wolfSSL | 15:117db924cf7c | 733 | /* Derive the finished secret. |
wolfSSL | 15:117db924cf7c | 734 | * |
wolfSSL | 15:117db924cf7c | 735 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 736 | * key The key to use with the HMAC. |
wolfSSL | 15:117db924cf7c | 737 | * secret The derived secret. |
wolfSSL | 15:117db924cf7c | 738 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 739 | */ |
wolfSSL | 15:117db924cf7c | 740 | static int DeriveFinishedSecret(WOLFSSL* ssl, byte* key, byte* secret) |
wolfSSL | 15:117db924cf7c | 741 | { |
wolfSSL | 15:117db924cf7c | 742 | WOLFSSL_MSG("Derive Finished Secret"); |
wolfSSL | 15:117db924cf7c | 743 | return DeriveKey(ssl, secret, -1, key, finishedLabel, FINISHED_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 744 | ssl->specs.mac_algorithm, 0); |
wolfSSL | 15:117db924cf7c | 745 | } |
wolfSSL | 15:117db924cf7c | 746 | |
wolfSSL | 15:117db924cf7c | 747 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 748 | /* The length of the application traffic label. */ |
wolfSSL | 15:117db924cf7c | 749 | #define APP_TRAFFIC_LABEL_SZ 26 |
wolfSSL | 15:117db924cf7c | 750 | /* The application traffic label. */ |
wolfSSL | 15:117db924cf7c | 751 | static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 752 | "application traffic secret"; |
wolfSSL | 15:117db924cf7c | 753 | #else |
wolfSSL | 15:117db924cf7c | 754 | /* The length of the application traffic label. */ |
wolfSSL | 15:117db924cf7c | 755 | #define APP_TRAFFIC_LABEL_SZ 11 |
wolfSSL | 15:117db924cf7c | 756 | /* The application traffic label. */ |
wolfSSL | 15:117db924cf7c | 757 | static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 758 | "traffic upd"; |
wolfSSL | 15:117db924cf7c | 759 | #endif |
wolfSSL | 15:117db924cf7c | 760 | /* Update the traffic secret. |
wolfSSL | 15:117db924cf7c | 761 | * |
wolfSSL | 15:117db924cf7c | 762 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 763 | * secret The previous secret and derived secret. |
wolfSSL | 15:117db924cf7c | 764 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 765 | */ |
wolfSSL | 15:117db924cf7c | 766 | static int DeriveTrafficSecret(WOLFSSL* ssl, byte* secret) |
wolfSSL | 15:117db924cf7c | 767 | { |
wolfSSL | 15:117db924cf7c | 768 | WOLFSSL_MSG("Derive New Application Traffic Secret"); |
wolfSSL | 15:117db924cf7c | 769 | return DeriveKey(ssl, secret, -1, secret, |
wolfSSL | 15:117db924cf7c | 770 | appTrafficLabel, APP_TRAFFIC_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 771 | ssl->specs.mac_algorithm, 0); |
wolfSSL | 15:117db924cf7c | 772 | } |
wolfSSL | 15:117db924cf7c | 773 | |
wolfSSL | 15:117db924cf7c | 774 | /* Derive the early secret using HKDF Extract. |
wolfSSL | 15:117db924cf7c | 775 | * |
wolfSSL | 15:117db924cf7c | 776 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 777 | */ |
wolfSSL | 15:117db924cf7c | 778 | static int DeriveEarlySecret(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 779 | { |
wolfSSL | 15:117db924cf7c | 780 | WOLFSSL_MSG("Derive Early Secret"); |
wolfSSL | 15:117db924cf7c | 781 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 782 | return Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0, |
wolfSSL | 15:117db924cf7c | 783 | ssl->arrays->psk_key, ssl->arrays->psk_keySz, |
wolfSSL | 15:117db924cf7c | 784 | ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 785 | #else |
wolfSSL | 15:117db924cf7c | 786 | return Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0, |
wolfSSL | 15:117db924cf7c | 787 | ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 788 | #endif |
wolfSSL | 15:117db924cf7c | 789 | } |
wolfSSL | 15:117db924cf7c | 790 | |
wolfSSL | 15:117db924cf7c | 791 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 792 | /* The length of the derived label. */ |
wolfSSL | 15:117db924cf7c | 793 | #define DERIVED_LABEL_SZ 7 |
wolfSSL | 15:117db924cf7c | 794 | /* The derived label. */ |
wolfSSL | 15:117db924cf7c | 795 | static const byte derivedLabel[DERIVED_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 796 | "derived"; |
wolfSSL | 15:117db924cf7c | 797 | #endif |
wolfSSL | 15:117db924cf7c | 798 | /* Derive the handshake secret using HKDF Extract. |
wolfSSL | 15:117db924cf7c | 799 | * |
wolfSSL | 15:117db924cf7c | 800 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 801 | */ |
wolfSSL | 15:117db924cf7c | 802 | static int DeriveHandshakeSecret(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 803 | { |
wolfSSL | 15:117db924cf7c | 804 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 805 | WOLFSSL_MSG("Derive Handshake Secret"); |
wolfSSL | 15:117db924cf7c | 806 | return Tls13_HKDF_Extract(ssl->arrays->preMasterSecret, |
wolfSSL | 15:117db924cf7c | 807 | ssl->arrays->secret, ssl->specs.hash_size, |
wolfSSL | 15:117db924cf7c | 808 | ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz, |
wolfSSL | 15:117db924cf7c | 809 | ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 810 | #else |
wolfSSL | 15:117db924cf7c | 811 | byte key[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 812 | int ret; |
wolfSSL | 15:117db924cf7c | 813 | |
wolfSSL | 15:117db924cf7c | 814 | WOLFSSL_MSG("Derive Handshake Secret"); |
wolfSSL | 15:117db924cf7c | 815 | |
wolfSSL | 15:117db924cf7c | 816 | ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, |
wolfSSL | 15:117db924cf7c | 817 | derivedLabel, DERIVED_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 818 | NULL, 0, ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 819 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 820 | return ret; |
wolfSSL | 15:117db924cf7c | 821 | |
wolfSSL | 15:117db924cf7c | 822 | return Tls13_HKDF_Extract(ssl->arrays->preMasterSecret, |
wolfSSL | 15:117db924cf7c | 823 | key, ssl->specs.hash_size, |
wolfSSL | 15:117db924cf7c | 824 | ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz, |
wolfSSL | 15:117db924cf7c | 825 | ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 826 | #endif |
wolfSSL | 15:117db924cf7c | 827 | } |
wolfSSL | 15:117db924cf7c | 828 | |
wolfSSL | 15:117db924cf7c | 829 | /* Derive the master secret using HKDF Extract. |
wolfSSL | 15:117db924cf7c | 830 | * |
wolfSSL | 15:117db924cf7c | 831 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 832 | */ |
wolfSSL | 15:117db924cf7c | 833 | static int DeriveMasterSecret(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 834 | { |
wolfSSL | 15:117db924cf7c | 835 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 836 | WOLFSSL_MSG("Derive Master Secret"); |
wolfSSL | 15:117db924cf7c | 837 | return Tls13_HKDF_Extract(ssl->arrays->masterSecret, |
wolfSSL | 15:117db924cf7c | 838 | ssl->arrays->preMasterSecret, ssl->specs.hash_size, |
wolfSSL | 15:117db924cf7c | 839 | ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 840 | #else |
wolfSSL | 15:117db924cf7c | 841 | byte key[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 842 | int ret; |
wolfSSL | 15:117db924cf7c | 843 | |
wolfSSL | 15:117db924cf7c | 844 | WOLFSSL_MSG("Derive Master Secret"); |
wolfSSL | 15:117db924cf7c | 845 | |
wolfSSL | 15:117db924cf7c | 846 | ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->preMasterSecret, |
wolfSSL | 15:117db924cf7c | 847 | derivedLabel, DERIVED_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 848 | NULL, 0, ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 849 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 850 | return ret; |
wolfSSL | 15:117db924cf7c | 851 | |
wolfSSL | 15:117db924cf7c | 852 | return Tls13_HKDF_Extract(ssl->arrays->masterSecret, |
wolfSSL | 15:117db924cf7c | 853 | key, ssl->specs.hash_size, |
wolfSSL | 15:117db924cf7c | 854 | ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 855 | #endif |
wolfSSL | 15:117db924cf7c | 856 | } |
wolfSSL | 15:117db924cf7c | 857 | |
wolfSSL | 15:117db924cf7c | 858 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 859 | #if defined(HAVE_SESSION_TICKET) |
wolfSSL | 15:117db924cf7c | 860 | /* Length of the resumption label. */ |
wolfSSL | 15:117db924cf7c | 861 | #define RESUMPTION_LABEL_SZ 10 |
wolfSSL | 15:117db924cf7c | 862 | /* Resumption label for generating PSK assocated with the ticket. */ |
wolfSSL | 15:117db924cf7c | 863 | static const byte resumptionLabel[RESUMPTION_LABEL_SZ+1] = "resumption"; |
wolfSSL | 15:117db924cf7c | 864 | /* Derive the PSK assocated with the ticket. |
wolfSSL | 15:117db924cf7c | 865 | * |
wolfSSL | 15:117db924cf7c | 866 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 867 | * nonce The nonce to derive with. |
wolfSSL | 15:117db924cf7c | 868 | * nonceLen The length of the nonce to derive with. |
wolfSSL | 15:117db924cf7c | 869 | * secret The derived secret. |
wolfSSL | 15:117db924cf7c | 870 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 871 | */ |
wolfSSL | 15:117db924cf7c | 872 | static int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen, |
wolfSSL | 15:117db924cf7c | 873 | byte* secret) |
wolfSSL | 15:117db924cf7c | 874 | { |
wolfSSL | 15:117db924cf7c | 875 | int digestAlg; |
wolfSSL | 15:117db924cf7c | 876 | /* Only one protocol version defined at this time. */ |
wolfSSL | 15:117db924cf7c | 877 | const byte* protocol = tls13ProtocolLabel; |
wolfSSL | 15:117db924cf7c | 878 | word32 protocolLen = TLS13_PROTOCOL_LABEL_SZ; |
wolfSSL | 15:117db924cf7c | 879 | |
wolfSSL | 15:117db924cf7c | 880 | WOLFSSL_MSG("Derive Resumption PSK"); |
wolfSSL | 15:117db924cf7c | 881 | |
wolfSSL | 15:117db924cf7c | 882 | switch (ssl->specs.mac_algorithm) { |
wolfSSL | 15:117db924cf7c | 883 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 884 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 885 | digestAlg = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 886 | break; |
wolfSSL | 15:117db924cf7c | 887 | #endif |
wolfSSL | 15:117db924cf7c | 888 | |
wolfSSL | 15:117db924cf7c | 889 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 890 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 891 | digestAlg = WC_SHA384; |
wolfSSL | 15:117db924cf7c | 892 | break; |
wolfSSL | 15:117db924cf7c | 893 | #endif |
wolfSSL | 15:117db924cf7c | 894 | |
wolfSSL | 15:117db924cf7c | 895 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 896 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 897 | digestAlg = WC_SHA512; |
wolfSSL | 15:117db924cf7c | 898 | break; |
wolfSSL | 15:117db924cf7c | 899 | #endif |
wolfSSL | 15:117db924cf7c | 900 | |
wolfSSL | 15:117db924cf7c | 901 | default: |
wolfSSL | 15:117db924cf7c | 902 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 903 | } |
wolfSSL | 15:117db924cf7c | 904 | |
wolfSSL | 15:117db924cf7c | 905 | return HKDF_Expand_Label(secret, ssl->specs.hash_size, |
wolfSSL | 15:117db924cf7c | 906 | ssl->session.masterSecret, ssl->specs.hash_size, |
wolfSSL | 15:117db924cf7c | 907 | protocol, protocolLen, resumptionLabel, |
wolfSSL | 15:117db924cf7c | 908 | RESUMPTION_LABEL_SZ, nonce, nonceLen, digestAlg); |
wolfSSL | 15:117db924cf7c | 909 | } |
wolfSSL | 15:117db924cf7c | 910 | #endif /* HAVE_SESSION_TICKET */ |
wolfSSL | 15:117db924cf7c | 911 | #endif /* WOLFSSL_TLS13_DRAFT_18 */ |
wolfSSL | 15:117db924cf7c | 912 | |
wolfSSL | 15:117db924cf7c | 913 | |
wolfSSL | 15:117db924cf7c | 914 | /* Calculate the HMAC of message data to this point. |
wolfSSL | 15:117db924cf7c | 915 | * |
wolfSSL | 15:117db924cf7c | 916 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 917 | * key The HMAC key. |
wolfSSL | 15:117db924cf7c | 918 | * hash The hash result - verify data. |
wolfSSL | 15:117db924cf7c | 919 | * returns length of verify data generated. |
wolfSSL | 15:117db924cf7c | 920 | */ |
wolfSSL | 15:117db924cf7c | 921 | static int BuildTls13HandshakeHmac(WOLFSSL* ssl, byte* key, byte* hash, |
wolfSSL | 15:117db924cf7c | 922 | word32* pHashSz) |
wolfSSL | 15:117db924cf7c | 923 | { |
wolfSSL | 15:117db924cf7c | 924 | Hmac verifyHmac; |
wolfSSL | 15:117db924cf7c | 925 | int hashType = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 926 | int hashSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 927 | int ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 928 | |
wolfSSL | 15:117db924cf7c | 929 | /* Get the hash of the previous handshake messages. */ |
wolfSSL | 15:117db924cf7c | 930 | switch (ssl->specs.mac_algorithm) { |
wolfSSL | 15:117db924cf7c | 931 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 932 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 933 | hashType = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 934 | hashSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 935 | ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash); |
wolfSSL | 15:117db924cf7c | 936 | break; |
wolfSSL | 15:117db924cf7c | 937 | #endif /* !NO_SHA256 */ |
wolfSSL | 15:117db924cf7c | 938 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 939 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 940 | hashType = WC_SHA384; |
wolfSSL | 15:117db924cf7c | 941 | hashSz = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 942 | ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash); |
wolfSSL | 15:117db924cf7c | 943 | break; |
wolfSSL | 15:117db924cf7c | 944 | #endif /* WOLFSSL_SHA384 */ |
wolfSSL | 15:117db924cf7c | 945 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 946 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 947 | hashType = WC_SHA512; |
wolfSSL | 15:117db924cf7c | 948 | hashSz = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 949 | ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash); |
wolfSSL | 15:117db924cf7c | 950 | break; |
wolfSSL | 15:117db924cf7c | 951 | #endif /* WOLFSSL_TLS13_SHA512 */ |
wolfSSL | 15:117db924cf7c | 952 | } |
wolfSSL | 15:117db924cf7c | 953 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 954 | return ret; |
wolfSSL | 15:117db924cf7c | 955 | |
wolfSSL | 15:117db924cf7c | 956 | /* Calculate the verify data. */ |
wolfSSL | 15:117db924cf7c | 957 | ret = wc_HmacInit(&verifyHmac, ssl->heap, ssl->devId); |
wolfSSL | 15:117db924cf7c | 958 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 959 | ret = wc_HmacSetKey(&verifyHmac, hashType, key, ssl->specs.hash_size); |
wolfSSL | 15:117db924cf7c | 960 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 961 | ret = wc_HmacUpdate(&verifyHmac, hash, hashSz); |
wolfSSL | 15:117db924cf7c | 962 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 963 | ret = wc_HmacFinal(&verifyHmac, hash); |
wolfSSL | 15:117db924cf7c | 964 | wc_HmacFree(&verifyHmac); |
wolfSSL | 15:117db924cf7c | 965 | } |
wolfSSL | 15:117db924cf7c | 966 | |
wolfSSL | 15:117db924cf7c | 967 | if (pHashSz) |
wolfSSL | 15:117db924cf7c | 968 | *pHashSz = hashSz; |
wolfSSL | 15:117db924cf7c | 969 | |
wolfSSL | 15:117db924cf7c | 970 | return ret; |
wolfSSL | 15:117db924cf7c | 971 | } |
wolfSSL | 15:117db924cf7c | 972 | |
wolfSSL | 15:117db924cf7c | 973 | /* The length of the label to use when deriving keys. */ |
wolfSSL | 15:117db924cf7c | 974 | #define WRITE_KEY_LABEL_SZ 3 |
wolfSSL | 15:117db924cf7c | 975 | /* The length of the label to use when deriving IVs. */ |
wolfSSL | 15:117db924cf7c | 976 | #define WRITE_IV_LABEL_SZ 2 |
wolfSSL | 15:117db924cf7c | 977 | /* The label to use when deriving keys. */ |
wolfSSL | 15:117db924cf7c | 978 | static const byte writeKeyLabel[WRITE_KEY_LABEL_SZ+1] = "key"; |
wolfSSL | 15:117db924cf7c | 979 | /* The label to use when deriving IVs. */ |
wolfSSL | 15:117db924cf7c | 980 | static const byte writeIVLabel[WRITE_IV_LABEL_SZ+1] = "iv"; |
wolfSSL | 15:117db924cf7c | 981 | |
wolfSSL | 15:117db924cf7c | 982 | /* Derive the keys and IVs for TLS v1.3. |
wolfSSL | 15:117db924cf7c | 983 | * |
wolfSSL | 15:117db924cf7c | 984 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 985 | * sercret early_data_key when deriving the key and IV for encrypting early |
wolfSSL | 15:117db924cf7c | 986 | * data application data and end_of_early_data messages. |
wolfSSL | 15:117db924cf7c | 987 | * handshake_key when deriving keys and IVs for encrypting handshake |
wolfSSL | 15:117db924cf7c | 988 | * messages. |
wolfSSL | 15:117db924cf7c | 989 | * traffic_key when deriving first keys and IVs for encrypting |
wolfSSL | 15:117db924cf7c | 990 | * traffic messages. |
wolfSSL | 15:117db924cf7c | 991 | * update_traffic_key when deriving next keys and IVs for encrypting |
wolfSSL | 15:117db924cf7c | 992 | * traffic messages. |
wolfSSL | 15:117db924cf7c | 993 | * side ENCRYPT_SIDE_ONLY when only encryption secret needs to be derived. |
wolfSSL | 15:117db924cf7c | 994 | * DECRYPT_SIDE_ONLY when only decryption secret needs to be derived. |
wolfSSL | 15:117db924cf7c | 995 | * ENCRYPT_AND_DECRYPT_SIDE when both secret needs to be derived. |
wolfSSL | 15:117db924cf7c | 996 | * store 1 indicates to derive the keys and IVs from derived secret and |
wolfSSL | 15:117db924cf7c | 997 | * store ready for provisioning. |
wolfSSL | 15:117db924cf7c | 998 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 999 | */ |
wolfSSL | 15:117db924cf7c | 1000 | static int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store) |
wolfSSL | 15:117db924cf7c | 1001 | { |
wolfSSL | 15:117db924cf7c | 1002 | int ret = BAD_FUNC_ARG; /* Assume failure */ |
wolfSSL | 15:117db924cf7c | 1003 | int i = 0; |
wolfSSL | 15:117db924cf7c | 1004 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 1005 | byte* key_dig; |
wolfSSL | 15:117db924cf7c | 1006 | #else |
wolfSSL | 15:117db924cf7c | 1007 | byte key_dig[MAX_PRF_DIG]; |
wolfSSL | 15:117db924cf7c | 1008 | #endif |
wolfSSL | 15:117db924cf7c | 1009 | int provision; |
wolfSSL | 15:117db924cf7c | 1010 | |
wolfSSL | 15:117db924cf7c | 1011 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 1012 | key_dig = (byte*)XMALLOC(MAX_PRF_DIG, ssl->heap, DYNAMIC_TYPE_DIGEST); |
wolfSSL | 15:117db924cf7c | 1013 | if (key_dig == NULL) |
wolfSSL | 15:117db924cf7c | 1014 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 1015 | #endif |
wolfSSL | 15:117db924cf7c | 1016 | |
wolfSSL | 15:117db924cf7c | 1017 | if (side == ENCRYPT_AND_DECRYPT_SIDE) { |
wolfSSL | 15:117db924cf7c | 1018 | provision = PROVISION_CLIENT_SERVER; |
wolfSSL | 15:117db924cf7c | 1019 | } |
wolfSSL | 15:117db924cf7c | 1020 | else { |
wolfSSL | 15:117db924cf7c | 1021 | provision = ((ssl->options.side != WOLFSSL_CLIENT_END) ^ |
wolfSSL | 15:117db924cf7c | 1022 | (side == ENCRYPT_SIDE_ONLY)) ? PROVISION_CLIENT : |
wolfSSL | 15:117db924cf7c | 1023 | PROVISION_SERVER; |
wolfSSL | 15:117db924cf7c | 1024 | } |
wolfSSL | 15:117db924cf7c | 1025 | |
wolfSSL | 15:117db924cf7c | 1026 | /* Derive the appropriate secret to use in the HKDF. */ |
wolfSSL | 15:117db924cf7c | 1027 | switch (secret) { |
wolfSSL | 15:117db924cf7c | 1028 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 1029 | case early_data_key: |
wolfSSL | 15:117db924cf7c | 1030 | ret = DeriveEarlyTrafficSecret(ssl, ssl->arrays->clientSecret); |
wolfSSL | 15:117db924cf7c | 1031 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1032 | goto end; |
wolfSSL | 15:117db924cf7c | 1033 | break; |
wolfSSL | 15:117db924cf7c | 1034 | #endif |
wolfSSL | 15:117db924cf7c | 1035 | |
wolfSSL | 15:117db924cf7c | 1036 | case handshake_key: |
wolfSSL | 15:117db924cf7c | 1037 | if (provision & PROVISION_CLIENT) { |
wolfSSL | 15:117db924cf7c | 1038 | ret = DeriveClientHandshakeSecret(ssl, |
wolfSSL | 15:117db924cf7c | 1039 | ssl->arrays->clientSecret); |
wolfSSL | 15:117db924cf7c | 1040 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1041 | goto end; |
wolfSSL | 15:117db924cf7c | 1042 | } |
wolfSSL | 15:117db924cf7c | 1043 | if (provision & PROVISION_SERVER) { |
wolfSSL | 15:117db924cf7c | 1044 | ret = DeriveServerHandshakeSecret(ssl, |
wolfSSL | 15:117db924cf7c | 1045 | ssl->arrays->serverSecret); |
wolfSSL | 15:117db924cf7c | 1046 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1047 | goto end; |
wolfSSL | 15:117db924cf7c | 1048 | } |
wolfSSL | 15:117db924cf7c | 1049 | break; |
wolfSSL | 15:117db924cf7c | 1050 | |
wolfSSL | 15:117db924cf7c | 1051 | case traffic_key: |
wolfSSL | 15:117db924cf7c | 1052 | if (provision & PROVISION_CLIENT) { |
wolfSSL | 15:117db924cf7c | 1053 | ret = DeriveClientTrafficSecret(ssl, ssl->arrays->clientSecret); |
wolfSSL | 15:117db924cf7c | 1054 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1055 | goto end; |
wolfSSL | 15:117db924cf7c | 1056 | } |
wolfSSL | 15:117db924cf7c | 1057 | if (provision & PROVISION_SERVER) { |
wolfSSL | 15:117db924cf7c | 1058 | ret = DeriveServerTrafficSecret(ssl, ssl->arrays->serverSecret); |
wolfSSL | 15:117db924cf7c | 1059 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1060 | goto end; |
wolfSSL | 15:117db924cf7c | 1061 | } |
wolfSSL | 15:117db924cf7c | 1062 | break; |
wolfSSL | 15:117db924cf7c | 1063 | |
wolfSSL | 15:117db924cf7c | 1064 | case update_traffic_key: |
wolfSSL | 15:117db924cf7c | 1065 | if (provision & PROVISION_CLIENT) { |
wolfSSL | 15:117db924cf7c | 1066 | ret = DeriveTrafficSecret(ssl, ssl->arrays->clientSecret); |
wolfSSL | 15:117db924cf7c | 1067 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1068 | goto end; |
wolfSSL | 15:117db924cf7c | 1069 | } |
wolfSSL | 15:117db924cf7c | 1070 | if (provision & PROVISION_SERVER) { |
wolfSSL | 15:117db924cf7c | 1071 | ret = DeriveTrafficSecret(ssl, ssl->arrays->serverSecret); |
wolfSSL | 15:117db924cf7c | 1072 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1073 | goto end; |
wolfSSL | 15:117db924cf7c | 1074 | } |
wolfSSL | 15:117db924cf7c | 1075 | break; |
wolfSSL | 15:117db924cf7c | 1076 | } |
wolfSSL | 15:117db924cf7c | 1077 | |
wolfSSL | 15:117db924cf7c | 1078 | if (!store) |
wolfSSL | 15:117db924cf7c | 1079 | goto end; |
wolfSSL | 15:117db924cf7c | 1080 | |
wolfSSL | 15:117db924cf7c | 1081 | /* Key data = client key | server key | client IV | server IV */ |
wolfSSL | 15:117db924cf7c | 1082 | |
wolfSSL | 15:117db924cf7c | 1083 | if (provision & PROVISION_CLIENT) { |
wolfSSL | 15:117db924cf7c | 1084 | /* Derive the client key. */ |
wolfSSL | 15:117db924cf7c | 1085 | WOLFSSL_MSG("Derive Client Key"); |
wolfSSL | 15:117db924cf7c | 1086 | ret = DeriveKey(ssl, &key_dig[i], ssl->specs.key_size, |
wolfSSL | 15:117db924cf7c | 1087 | ssl->arrays->clientSecret, writeKeyLabel, |
wolfSSL | 15:117db924cf7c | 1088 | WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0); |
wolfSSL | 15:117db924cf7c | 1089 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1090 | goto end; |
wolfSSL | 15:117db924cf7c | 1091 | i += ssl->specs.key_size; |
wolfSSL | 15:117db924cf7c | 1092 | } |
wolfSSL | 15:117db924cf7c | 1093 | |
wolfSSL | 15:117db924cf7c | 1094 | if (provision & PROVISION_SERVER) { |
wolfSSL | 15:117db924cf7c | 1095 | /* Derive the server key. */ |
wolfSSL | 15:117db924cf7c | 1096 | WOLFSSL_MSG("Derive Server Key"); |
wolfSSL | 15:117db924cf7c | 1097 | ret = DeriveKey(ssl, &key_dig[i], ssl->specs.key_size, |
wolfSSL | 15:117db924cf7c | 1098 | ssl->arrays->serverSecret, writeKeyLabel, |
wolfSSL | 15:117db924cf7c | 1099 | WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0); |
wolfSSL | 15:117db924cf7c | 1100 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1101 | goto end; |
wolfSSL | 15:117db924cf7c | 1102 | i += ssl->specs.key_size; |
wolfSSL | 15:117db924cf7c | 1103 | } |
wolfSSL | 15:117db924cf7c | 1104 | |
wolfSSL | 15:117db924cf7c | 1105 | if (provision & PROVISION_CLIENT) { |
wolfSSL | 15:117db924cf7c | 1106 | /* Derive the client IV. */ |
wolfSSL | 15:117db924cf7c | 1107 | WOLFSSL_MSG("Derive Client IV"); |
wolfSSL | 15:117db924cf7c | 1108 | ret = DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size, |
wolfSSL | 15:117db924cf7c | 1109 | ssl->arrays->clientSecret, writeIVLabel, |
wolfSSL | 15:117db924cf7c | 1110 | WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0); |
wolfSSL | 15:117db924cf7c | 1111 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1112 | goto end; |
wolfSSL | 15:117db924cf7c | 1113 | i += ssl->specs.iv_size; |
wolfSSL | 15:117db924cf7c | 1114 | } |
wolfSSL | 15:117db924cf7c | 1115 | |
wolfSSL | 15:117db924cf7c | 1116 | if (provision & PROVISION_SERVER) { |
wolfSSL | 15:117db924cf7c | 1117 | /* Derive the server IV. */ |
wolfSSL | 15:117db924cf7c | 1118 | WOLFSSL_MSG("Derive Server IV"); |
wolfSSL | 15:117db924cf7c | 1119 | ret = DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size, |
wolfSSL | 15:117db924cf7c | 1120 | ssl->arrays->serverSecret, writeIVLabel, |
wolfSSL | 15:117db924cf7c | 1121 | WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0); |
wolfSSL | 15:117db924cf7c | 1122 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1123 | goto end; |
wolfSSL | 15:117db924cf7c | 1124 | } |
wolfSSL | 15:117db924cf7c | 1125 | |
wolfSSL | 15:117db924cf7c | 1126 | /* Store keys and IVs but don't activate them. */ |
wolfSSL | 15:117db924cf7c | 1127 | ret = StoreKeys(ssl, key_dig, provision); |
wolfSSL | 15:117db924cf7c | 1128 | |
wolfSSL | 15:117db924cf7c | 1129 | end: |
wolfSSL | 15:117db924cf7c | 1130 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 1131 | XFREE(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST); |
wolfSSL | 15:117db924cf7c | 1132 | #endif |
wolfSSL | 15:117db924cf7c | 1133 | |
wolfSSL | 15:117db924cf7c | 1134 | return ret; |
wolfSSL | 15:117db924cf7c | 1135 | } |
wolfSSL | 15:117db924cf7c | 1136 | |
wolfSSL | 15:117db924cf7c | 1137 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 1138 | #if defined(USER_TICKS) |
wolfSSL | 15:117db924cf7c | 1139 | #if 0 |
wolfSSL | 15:117db924cf7c | 1140 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1141 | { |
wolfSSL | 15:117db924cf7c | 1142 | /* |
wolfSSL | 15:117db924cf7c | 1143 | write your own clock tick function if don't want gettimeofday() |
wolfSSL | 15:117db924cf7c | 1144 | needs millisecond accuracy but doesn't have to correlated to EPOCH |
wolfSSL | 15:117db924cf7c | 1145 | */ |
wolfSSL | 15:117db924cf7c | 1146 | } |
wolfSSL | 15:117db924cf7c | 1147 | #endif |
wolfSSL | 15:117db924cf7c | 1148 | |
wolfSSL | 15:117db924cf7c | 1149 | #elif defined(TIME_OVERRIDES) |
wolfSSL | 15:117db924cf7c | 1150 | #ifndef HAVE_TIME_T_TYPE |
wolfSSL | 15:117db924cf7c | 1151 | typedef long time_t; |
wolfSSL | 15:117db924cf7c | 1152 | #endif |
wolfSSL | 15:117db924cf7c | 1153 | extern time_t XTIME(time_t * timer); |
wolfSSL | 15:117db924cf7c | 1154 | |
wolfSSL | 15:117db924cf7c | 1155 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1156 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1157 | * sending. |
wolfSSL | 15:117db924cf7c | 1158 | * |
wolfSSL | 15:117db924cf7c | 1159 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1160 | */ |
wolfSSL | 15:117db924cf7c | 1161 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1162 | { |
wolfSSL | 15:117db924cf7c | 1163 | return (word32) XTIME(0) * 1000; |
wolfSSL | 15:117db924cf7c | 1164 | } |
wolfSSL | 15:117db924cf7c | 1165 | #elif defined(USE_WINDOWS_API) |
wolfSSL | 15:117db924cf7c | 1166 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1167 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1168 | * sending. |
wolfSSL | 15:117db924cf7c | 1169 | * |
wolfSSL | 15:117db924cf7c | 1170 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1171 | */ |
wolfSSL | 15:117db924cf7c | 1172 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1173 | { |
wolfSSL | 15:117db924cf7c | 1174 | static int init = 0; |
wolfSSL | 15:117db924cf7c | 1175 | static LARGE_INTEGER freq; |
wolfSSL | 15:117db924cf7c | 1176 | LARGE_INTEGER count; |
wolfSSL | 15:117db924cf7c | 1177 | |
wolfSSL | 15:117db924cf7c | 1178 | if (!init) { |
wolfSSL | 15:117db924cf7c | 1179 | QueryPerformanceFrequency(&freq); |
wolfSSL | 15:117db924cf7c | 1180 | init = 1; |
wolfSSL | 15:117db924cf7c | 1181 | } |
wolfSSL | 15:117db924cf7c | 1182 | |
wolfSSL | 15:117db924cf7c | 1183 | QueryPerformanceCounter(&count); |
wolfSSL | 15:117db924cf7c | 1184 | |
wolfSSL | 15:117db924cf7c | 1185 | return (word32)(count.QuadPart / (freq.QuadPart / 1000)); |
wolfSSL | 15:117db924cf7c | 1186 | } |
wolfSSL | 15:117db924cf7c | 1187 | |
wolfSSL | 15:117db924cf7c | 1188 | #elif defined(HAVE_RTP_SYS) |
wolfSSL | 15:117db924cf7c | 1189 | #include "rtptime.h" |
wolfSSL | 15:117db924cf7c | 1190 | |
wolfSSL | 15:117db924cf7c | 1191 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1192 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1193 | * sending. |
wolfSSL | 15:117db924cf7c | 1194 | * |
wolfSSL | 15:117db924cf7c | 1195 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1196 | */ |
wolfSSL | 15:117db924cf7c | 1197 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1198 | { |
wolfSSL | 15:117db924cf7c | 1199 | return (word32)rtp_get_system_sec() * 1000; |
wolfSSL | 15:117db924cf7c | 1200 | } |
wolfSSL | 15:117db924cf7c | 1201 | #elif defined(MICRIUM) |
wolfSSL | 15:117db924cf7c | 1202 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1203 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1204 | * sending. |
wolfSSL | 15:117db924cf7c | 1205 | * |
wolfSSL | 15:117db924cf7c | 1206 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1207 | */ |
wolfSSL | 15:117db924cf7c | 1208 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1209 | { |
wolfSSL | 15:117db924cf7c | 1210 | OS_TICK ticks = 0; |
wolfSSL | 15:117db924cf7c | 1211 | OS_ERR err; |
wolfSSL | 15:117db924cf7c | 1212 | |
wolfSSL | 15:117db924cf7c | 1213 | ticks = OSTimeGet(&err); |
wolfSSL | 15:117db924cf7c | 1214 | |
wolfSSL | 15:117db924cf7c | 1215 | return (word32) (ticks / OSCfg_TickRate_Hz) * 1000; |
wolfSSL | 15:117db924cf7c | 1216 | } |
wolfSSL | 15:117db924cf7c | 1217 | #elif defined(MICROCHIP_TCPIP_V5) |
wolfSSL | 15:117db924cf7c | 1218 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1219 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1220 | * sending. |
wolfSSL | 15:117db924cf7c | 1221 | * |
wolfSSL | 15:117db924cf7c | 1222 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1223 | */ |
wolfSSL | 15:117db924cf7c | 1224 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1225 | { |
wolfSSL | 15:117db924cf7c | 1226 | return (word32) (TickGet() / (TICKS_PER_SECOND / 1000)); |
wolfSSL | 15:117db924cf7c | 1227 | } |
wolfSSL | 15:117db924cf7c | 1228 | #elif defined(MICROCHIP_TCPIP) |
wolfSSL | 15:117db924cf7c | 1229 | #if defined(MICROCHIP_MPLAB_HARMONY) |
wolfSSL | 15:117db924cf7c | 1230 | #include <system/tmr/sys_tmr.h> |
wolfSSL | 15:117db924cf7c | 1231 | |
wolfSSL | 15:117db924cf7c | 1232 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1233 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1234 | * sending. |
wolfSSL | 15:117db924cf7c | 1235 | * |
wolfSSL | 15:117db924cf7c | 1236 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1237 | */ |
wolfSSL | 15:117db924cf7c | 1238 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1239 | { |
wolfSSL | 15:117db924cf7c | 1240 | return (word32)(SYS_TMR_TickCountGet() / |
wolfSSL | 15:117db924cf7c | 1241 | (SYS_TMR_TickCounterFrequencyGet() / 1000)); |
wolfSSL | 15:117db924cf7c | 1242 | } |
wolfSSL | 15:117db924cf7c | 1243 | #else |
wolfSSL | 15:117db924cf7c | 1244 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1245 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1246 | * sending. |
wolfSSL | 15:117db924cf7c | 1247 | * |
wolfSSL | 15:117db924cf7c | 1248 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1249 | */ |
wolfSSL | 15:117db924cf7c | 1250 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1251 | { |
wolfSSL | 15:117db924cf7c | 1252 | return (word32)(SYS_TICK_Get() / (SYS_TICK_TicksPerSecondGet() / 1000)); |
wolfSSL | 15:117db924cf7c | 1253 | } |
wolfSSL | 15:117db924cf7c | 1254 | |
wolfSSL | 15:117db924cf7c | 1255 | #endif |
wolfSSL | 15:117db924cf7c | 1256 | |
wolfSSL | 15:117db924cf7c | 1257 | #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) |
wolfSSL | 15:117db924cf7c | 1258 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1259 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1260 | * sending. |
wolfSSL | 15:117db924cf7c | 1261 | * |
wolfSSL | 15:117db924cf7c | 1262 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1263 | */ |
wolfSSL | 15:117db924cf7c | 1264 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1265 | { |
wolfSSL | 15:117db924cf7c | 1266 | TIME_STRUCT mqxTime; |
wolfSSL | 15:117db924cf7c | 1267 | |
wolfSSL | 15:117db924cf7c | 1268 | _time_get_elapsed(&mqxTime); |
wolfSSL | 15:117db924cf7c | 1269 | |
wolfSSL | 15:117db924cf7c | 1270 | return (word32) mqxTime.SECONDS * 1000; |
wolfSSL | 15:117db924cf7c | 1271 | } |
wolfSSL | 15:117db924cf7c | 1272 | #elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS) |
wolfSSL | 15:117db924cf7c | 1273 | #include "include/task.h" |
wolfSSL | 15:117db924cf7c | 1274 | |
wolfSSL | 15:117db924cf7c | 1275 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1276 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1277 | * sending. |
wolfSSL | 15:117db924cf7c | 1278 | * |
wolfSSL | 15:117db924cf7c | 1279 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1280 | */ |
wolfSSL | 15:117db924cf7c | 1281 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1282 | { |
wolfSSL | 15:117db924cf7c | 1283 | return (unsigned int)(((float)xTaskGetTickCount()) / |
wolfSSL | 15:117db924cf7c | 1284 | (configTICK_RATE_HZ / 1000)); |
wolfSSL | 15:117db924cf7c | 1285 | } |
wolfSSL | 15:117db924cf7c | 1286 | #elif defined(FREESCALE_KSDK_BM) |
wolfSSL | 15:117db924cf7c | 1287 | #include "lwip/sys.h" /* lwIP */ |
wolfSSL | 15:117db924cf7c | 1288 | |
wolfSSL | 15:117db924cf7c | 1289 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1290 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1291 | * sending. |
wolfSSL | 15:117db924cf7c | 1292 | * |
wolfSSL | 15:117db924cf7c | 1293 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1294 | */ |
wolfSSL | 15:117db924cf7c | 1295 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1296 | { |
wolfSSL | 15:117db924cf7c | 1297 | return sys_now(); |
wolfSSL | 15:117db924cf7c | 1298 | } |
wolfSSL | 15:117db924cf7c | 1299 | #elif defined(WOLFSSL_TIRTOS) |
wolfSSL | 15:117db924cf7c | 1300 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1301 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1302 | * sending. |
wolfSSL | 15:117db924cf7c | 1303 | * |
wolfSSL | 15:117db924cf7c | 1304 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1305 | */ |
wolfSSL | 15:117db924cf7c | 1306 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1307 | { |
wolfSSL | 15:117db924cf7c | 1308 | return (word32) Seconds_get() * 1000; |
wolfSSL | 15:117db924cf7c | 1309 | } |
wolfSSL | 15:117db924cf7c | 1310 | #elif defined(WOLFSSL_UTASKER) |
wolfSSL | 15:117db924cf7c | 1311 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1312 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1313 | * sending. |
wolfSSL | 15:117db924cf7c | 1314 | * |
wolfSSL | 15:117db924cf7c | 1315 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1316 | */ |
wolfSSL | 15:117db924cf7c | 1317 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1318 | { |
wolfSSL | 15:117db924cf7c | 1319 | return (word32)(uTaskerSystemTick / (TICK_RESOLUTION / 1000)); |
wolfSSL | 15:117db924cf7c | 1320 | } |
wolfSSL | 15:117db924cf7c | 1321 | #else |
wolfSSL | 15:117db924cf7c | 1322 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1323 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1324 | * sending. |
wolfSSL | 15:117db924cf7c | 1325 | * |
wolfSSL | 15:117db924cf7c | 1326 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1327 | */ |
wolfSSL | 15:117db924cf7c | 1328 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1329 | { |
wolfSSL | 15:117db924cf7c | 1330 | struct timeval now; |
wolfSSL | 15:117db924cf7c | 1331 | |
wolfSSL | 15:117db924cf7c | 1332 | if (gettimeofday(&now, 0) < 0) |
wolfSSL | 15:117db924cf7c | 1333 | return GETTIME_ERROR; |
wolfSSL | 15:117db924cf7c | 1334 | /* Convert to milliseconds number. */ |
wolfSSL | 15:117db924cf7c | 1335 | return (word32)(now.tv_sec * 1000 + now.tv_usec / 1000); |
wolfSSL | 15:117db924cf7c | 1336 | } |
wolfSSL | 15:117db924cf7c | 1337 | #endif |
wolfSSL | 15:117db924cf7c | 1338 | #endif /* HAVE_SESSION_TICKET || !NO_PSK */ |
wolfSSL | 15:117db924cf7c | 1339 | |
wolfSSL | 15:117db924cf7c | 1340 | |
wolfSSL | 15:117db924cf7c | 1341 | #if !defined(NO_WOLFSSL_SERVER) && (defined(HAVE_SESSION_TICKET) || \ |
wolfSSL | 15:117db924cf7c | 1342 | !defined(NO_PSK)) |
wolfSSL | 15:117db924cf7c | 1343 | /* Add input to all handshake hashes. |
wolfSSL | 15:117db924cf7c | 1344 | * |
wolfSSL | 15:117db924cf7c | 1345 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1346 | * input The data to hash. |
wolfSSL | 15:117db924cf7c | 1347 | * sz The size of the data to hash. |
wolfSSL | 15:117db924cf7c | 1348 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 1349 | */ |
wolfSSL | 15:117db924cf7c | 1350 | static int HashInputRaw(WOLFSSL* ssl, const byte* input, int sz) |
wolfSSL | 15:117db924cf7c | 1351 | { |
wolfSSL | 15:117db924cf7c | 1352 | int ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 1353 | |
wolfSSL | 15:117db924cf7c | 1354 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 1355 | ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, input, sz); |
wolfSSL | 15:117db924cf7c | 1356 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1357 | return ret; |
wolfSSL | 15:117db924cf7c | 1358 | #endif |
wolfSSL | 15:117db924cf7c | 1359 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 1360 | ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, input, sz); |
wolfSSL | 15:117db924cf7c | 1361 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1362 | return ret; |
wolfSSL | 15:117db924cf7c | 1363 | #endif |
wolfSSL | 15:117db924cf7c | 1364 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 1365 | ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, input, sz); |
wolfSSL | 15:117db924cf7c | 1366 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1367 | return ret; |
wolfSSL | 15:117db924cf7c | 1368 | #endif |
wolfSSL | 15:117db924cf7c | 1369 | |
wolfSSL | 15:117db924cf7c | 1370 | return ret; |
wolfSSL | 15:117db924cf7c | 1371 | } |
wolfSSL | 15:117db924cf7c | 1372 | #endif |
wolfSSL | 15:117db924cf7c | 1373 | |
wolfSSL | 15:117db924cf7c | 1374 | /* Extract the handshake header information. |
wolfSSL | 15:117db924cf7c | 1375 | * |
wolfSSL | 15:117db924cf7c | 1376 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1377 | * input The buffer holding the message data. |
wolfSSL | 15:117db924cf7c | 1378 | * inOutIdx On entry, the index into the buffer of the handshake data. |
wolfSSL | 15:117db924cf7c | 1379 | * On exit, the start of the hanshake data. |
wolfSSL | 15:117db924cf7c | 1380 | * type Type of handshake message. |
wolfSSL | 15:117db924cf7c | 1381 | * size The length of the handshake message data. |
wolfSSL | 15:117db924cf7c | 1382 | * totalSz The total size of data in the buffer. |
wolfSSL | 15:117db924cf7c | 1383 | * returns BUFFER_E if there is not enough input data and 0 on success. |
wolfSSL | 15:117db924cf7c | 1384 | */ |
wolfSSL | 15:117db924cf7c | 1385 | static int GetHandshakeHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 1386 | byte* type, word32* size, word32 totalSz) |
wolfSSL | 15:117db924cf7c | 1387 | { |
wolfSSL | 15:117db924cf7c | 1388 | const byte* ptr = input + *inOutIdx; |
wolfSSL | 15:117db924cf7c | 1389 | (void)ssl; |
wolfSSL | 15:117db924cf7c | 1390 | |
wolfSSL | 15:117db924cf7c | 1391 | *inOutIdx += HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 1392 | if (*inOutIdx > totalSz) |
wolfSSL | 15:117db924cf7c | 1393 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 1394 | |
wolfSSL | 15:117db924cf7c | 1395 | *type = ptr[0]; |
wolfSSL | 15:117db924cf7c | 1396 | c24to32(&ptr[1], size); |
wolfSSL | 15:117db924cf7c | 1397 | |
wolfSSL | 15:117db924cf7c | 1398 | return 0; |
wolfSSL | 15:117db924cf7c | 1399 | } |
wolfSSL | 15:117db924cf7c | 1400 | |
wolfSSL | 15:117db924cf7c | 1401 | /* Add record layer header to message. |
wolfSSL | 15:117db924cf7c | 1402 | * |
wolfSSL | 15:117db924cf7c | 1403 | * output The buffer to write the record layer header into. |
wolfSSL | 15:117db924cf7c | 1404 | * length The length of the record data. |
wolfSSL | 15:117db924cf7c | 1405 | * type The type of record message. |
wolfSSL | 15:117db924cf7c | 1406 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1407 | */ |
wolfSSL | 15:117db924cf7c | 1408 | static void AddTls13RecordHeader(byte* output, word32 length, byte type, |
wolfSSL | 15:117db924cf7c | 1409 | WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 1410 | { |
wolfSSL | 15:117db924cf7c | 1411 | RecordLayerHeader* rl; |
wolfSSL | 15:117db924cf7c | 1412 | |
wolfSSL | 15:117db924cf7c | 1413 | rl = (RecordLayerHeader*)output; |
wolfSSL | 15:117db924cf7c | 1414 | rl->type = type; |
wolfSSL | 15:117db924cf7c | 1415 | rl->pvMajor = ssl->version.major; |
wolfSSL | 15:117db924cf7c | 1416 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 1417 | rl->pvMinor = TLSv1_MINOR; |
wolfSSL | 15:117db924cf7c | 1418 | #else |
wolfSSL | 15:117db924cf7c | 1419 | rl->pvMinor = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 1420 | #endif |
wolfSSL | 15:117db924cf7c | 1421 | c16toa((word16)length, rl->length); |
wolfSSL | 15:117db924cf7c | 1422 | } |
wolfSSL | 15:117db924cf7c | 1423 | |
wolfSSL | 15:117db924cf7c | 1424 | /* Add handshake header to message. |
wolfSSL | 15:117db924cf7c | 1425 | * |
wolfSSL | 15:117db924cf7c | 1426 | * output The buffer to write the hanshake header into. |
wolfSSL | 15:117db924cf7c | 1427 | * length The length of the handshake data. |
wolfSSL | 15:117db924cf7c | 1428 | * fragOffset The offset of the fragment data. (DTLS) |
wolfSSL | 15:117db924cf7c | 1429 | * fragLength The length of the fragment data. (DTLS) |
wolfSSL | 15:117db924cf7c | 1430 | * type The type of handshake message. |
wolfSSL | 15:117db924cf7c | 1431 | * ssl The SSL/TLS object. (DTLS) |
wolfSSL | 15:117db924cf7c | 1432 | */ |
wolfSSL | 15:117db924cf7c | 1433 | static void AddTls13HandShakeHeader(byte* output, word32 length, |
wolfSSL | 15:117db924cf7c | 1434 | word32 fragOffset, word32 fragLength, |
wolfSSL | 15:117db924cf7c | 1435 | byte type, WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 1436 | { |
wolfSSL | 15:117db924cf7c | 1437 | HandShakeHeader* hs; |
wolfSSL | 15:117db924cf7c | 1438 | (void)fragOffset; |
wolfSSL | 15:117db924cf7c | 1439 | (void)fragLength; |
wolfSSL | 15:117db924cf7c | 1440 | (void)ssl; |
wolfSSL | 15:117db924cf7c | 1441 | |
wolfSSL | 15:117db924cf7c | 1442 | /* handshake header */ |
wolfSSL | 15:117db924cf7c | 1443 | hs = (HandShakeHeader*)output; |
wolfSSL | 15:117db924cf7c | 1444 | hs->type = type; |
wolfSSL | 15:117db924cf7c | 1445 | c32to24(length, hs->length); |
wolfSSL | 15:117db924cf7c | 1446 | } |
wolfSSL | 15:117db924cf7c | 1447 | |
wolfSSL | 15:117db924cf7c | 1448 | |
wolfSSL | 15:117db924cf7c | 1449 | /* Add both record layer and handshake header to message. |
wolfSSL | 15:117db924cf7c | 1450 | * |
wolfSSL | 15:117db924cf7c | 1451 | * output The buffer to write the headers into. |
wolfSSL | 15:117db924cf7c | 1452 | * length The length of the handshake data. |
wolfSSL | 15:117db924cf7c | 1453 | * type The type of record layer message. |
wolfSSL | 15:117db924cf7c | 1454 | * ssl The SSL/TLS object. (DTLS) |
wolfSSL | 15:117db924cf7c | 1455 | */ |
wolfSSL | 15:117db924cf7c | 1456 | static void AddTls13Headers(byte* output, word32 length, byte type, |
wolfSSL | 15:117db924cf7c | 1457 | WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 1458 | { |
wolfSSL | 15:117db924cf7c | 1459 | word32 lengthAdj = HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 1460 | word32 outputAdj = RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 1461 | |
wolfSSL | 15:117db924cf7c | 1462 | AddTls13RecordHeader(output, length + lengthAdj, handshake, ssl); |
wolfSSL | 15:117db924cf7c | 1463 | AddTls13HandShakeHeader(output + outputAdj, length, 0, length, type, ssl); |
wolfSSL | 15:117db924cf7c | 1464 | } |
wolfSSL | 15:117db924cf7c | 1465 | |
wolfSSL | 15:117db924cf7c | 1466 | |
wolfSSL | 15:117db924cf7c | 1467 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 1468 | /* Add both record layer and fragement handshake header to message. |
wolfSSL | 15:117db924cf7c | 1469 | * |
wolfSSL | 15:117db924cf7c | 1470 | * output The buffer to write the headers into. |
wolfSSL | 15:117db924cf7c | 1471 | * fragOffset The offset of the fragment data. (DTLS) |
wolfSSL | 15:117db924cf7c | 1472 | * fragLength The length of the fragment data. (DTLS) |
wolfSSL | 15:117db924cf7c | 1473 | * length The length of the handshake data. |
wolfSSL | 15:117db924cf7c | 1474 | * type The type of record layer message. |
wolfSSL | 15:117db924cf7c | 1475 | * ssl The SSL/TLS object. (DTLS) |
wolfSSL | 15:117db924cf7c | 1476 | */ |
wolfSSL | 15:117db924cf7c | 1477 | static void AddTls13FragHeaders(byte* output, word32 fragSz, word32 fragOffset, |
wolfSSL | 15:117db924cf7c | 1478 | word32 length, byte type, WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 1479 | { |
wolfSSL | 15:117db924cf7c | 1480 | word32 lengthAdj = HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 1481 | word32 outputAdj = RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 1482 | (void)fragSz; |
wolfSSL | 15:117db924cf7c | 1483 | |
wolfSSL | 15:117db924cf7c | 1484 | AddTls13RecordHeader(output, fragSz + lengthAdj, handshake, ssl); |
wolfSSL | 15:117db924cf7c | 1485 | AddTls13HandShakeHeader(output + outputAdj, length, fragOffset, fragSz, |
wolfSSL | 15:117db924cf7c | 1486 | type, ssl); |
wolfSSL | 15:117db924cf7c | 1487 | } |
wolfSSL | 15:117db924cf7c | 1488 | #endif /* NO_CERTS */ |
wolfSSL | 15:117db924cf7c | 1489 | |
wolfSSL | 15:117db924cf7c | 1490 | /* Write the sequence number into the buffer. |
wolfSSL | 15:117db924cf7c | 1491 | * No DTLS v1.3 support. |
wolfSSL | 15:117db924cf7c | 1492 | * |
wolfSSL | 15:117db924cf7c | 1493 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1494 | * verifyOrder Which set of sequence numbers to use. |
wolfSSL | 15:117db924cf7c | 1495 | * out The buffer to write into. |
wolfSSL | 15:117db924cf7c | 1496 | */ |
wolfSSL | 15:117db924cf7c | 1497 | static WC_INLINE void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out) |
wolfSSL | 15:117db924cf7c | 1498 | { |
wolfSSL | 15:117db924cf7c | 1499 | word32 seq[2] = {0, 0}; |
wolfSSL | 15:117db924cf7c | 1500 | |
wolfSSL | 15:117db924cf7c | 1501 | if (verifyOrder) { |
wolfSSL | 15:117db924cf7c | 1502 | seq[0] = ssl->keys.peer_sequence_number_hi; |
wolfSSL | 15:117db924cf7c | 1503 | seq[1] = ssl->keys.peer_sequence_number_lo++; |
wolfSSL | 15:117db924cf7c | 1504 | /* handle rollover */ |
wolfSSL | 15:117db924cf7c | 1505 | if (seq[1] > ssl->keys.peer_sequence_number_lo) |
wolfSSL | 15:117db924cf7c | 1506 | ssl->keys.peer_sequence_number_hi++; |
wolfSSL | 15:117db924cf7c | 1507 | } |
wolfSSL | 15:117db924cf7c | 1508 | else { |
wolfSSL | 15:117db924cf7c | 1509 | seq[0] = ssl->keys.sequence_number_hi; |
wolfSSL | 15:117db924cf7c | 1510 | seq[1] = ssl->keys.sequence_number_lo++; |
wolfSSL | 15:117db924cf7c | 1511 | /* handle rollover */ |
wolfSSL | 15:117db924cf7c | 1512 | if (seq[1] > ssl->keys.sequence_number_lo) |
wolfSSL | 15:117db924cf7c | 1513 | ssl->keys.sequence_number_hi++; |
wolfSSL | 15:117db924cf7c | 1514 | } |
wolfSSL | 15:117db924cf7c | 1515 | |
wolfSSL | 15:117db924cf7c | 1516 | c32toa(seq[0], out); |
wolfSSL | 15:117db924cf7c | 1517 | c32toa(seq[1], out + OPAQUE32_LEN); |
wolfSSL | 15:117db924cf7c | 1518 | } |
wolfSSL | 15:117db924cf7c | 1519 | |
wolfSSL | 15:117db924cf7c | 1520 | /* Build the nonce for TLS v1.3 encryption and decryption. |
wolfSSL | 15:117db924cf7c | 1521 | * |
wolfSSL | 15:117db924cf7c | 1522 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1523 | * nonce The nonce data to use when encrypting or decrypting. |
wolfSSL | 15:117db924cf7c | 1524 | * iv The derived IV. |
wolfSSL | 15:117db924cf7c | 1525 | * order The side on which the message is to be or was sent. |
wolfSSL | 15:117db924cf7c | 1526 | */ |
wolfSSL | 15:117db924cf7c | 1527 | static WC_INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv, |
wolfSSL | 15:117db924cf7c | 1528 | int order) |
wolfSSL | 15:117db924cf7c | 1529 | { |
wolfSSL | 15:117db924cf7c | 1530 | int i; |
wolfSSL | 15:117db924cf7c | 1531 | |
wolfSSL | 15:117db924cf7c | 1532 | /* The nonce is the IV with the sequence XORed into the last bytes. */ |
wolfSSL | 15:117db924cf7c | 1533 | WriteSEQ(ssl, order, nonce + AEAD_NONCE_SZ - SEQ_SZ); |
wolfSSL | 15:117db924cf7c | 1534 | for (i = 0; i < AEAD_NONCE_SZ - SEQ_SZ; i++) |
wolfSSL | 15:117db924cf7c | 1535 | nonce[i] = iv[i]; |
wolfSSL | 15:117db924cf7c | 1536 | for (; i < AEAD_NONCE_SZ; i++) |
wolfSSL | 15:117db924cf7c | 1537 | nonce[i] ^= iv[i]; |
wolfSSL | 15:117db924cf7c | 1538 | } |
wolfSSL | 15:117db924cf7c | 1539 | |
wolfSSL | 15:117db924cf7c | 1540 | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) |
wolfSSL | 15:117db924cf7c | 1541 | /* Encrypt with ChaCha20 and create authenication tag with Poly1305. |
wolfSSL | 15:117db924cf7c | 1542 | * |
wolfSSL | 15:117db924cf7c | 1543 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1544 | * output The buffer to write encrypted data and authentication tag into. |
wolfSSL | 15:117db924cf7c | 1545 | * May be the same pointer as input. |
wolfSSL | 15:117db924cf7c | 1546 | * input The data to encrypt. |
wolfSSL | 15:117db924cf7c | 1547 | * sz The number of bytes to encrypt. |
wolfSSL | 15:117db924cf7c | 1548 | * nonce The nonce to use with ChaCha20. |
wolfSSL | 15:117db924cf7c | 1549 | * aad The additional authentication data. |
wolfSSL | 15:117db924cf7c | 1550 | * aadSz The size of the addition authentication data. |
wolfSSL | 15:117db924cf7c | 1551 | * tag The authentication tag buffer. |
wolfSSL | 15:117db924cf7c | 1552 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 1553 | */ |
wolfSSL | 15:117db924cf7c | 1554 | static int ChaCha20Poly1305_Encrypt(WOLFSSL* ssl, byte* output, |
wolfSSL | 15:117db924cf7c | 1555 | const byte* input, word16 sz, byte* nonce, |
wolfSSL | 15:117db924cf7c | 1556 | const byte* aad, word16 aadSz, byte* tag) |
wolfSSL | 15:117db924cf7c | 1557 | { |
wolfSSL | 15:117db924cf7c | 1558 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 1559 | byte poly[CHACHA20_256_KEY_SIZE]; |
wolfSSL | 15:117db924cf7c | 1560 | |
wolfSSL | 15:117db924cf7c | 1561 | /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */ |
wolfSSL | 15:117db924cf7c | 1562 | XMEMSET(poly, 0, sizeof(poly)); |
wolfSSL | 15:117db924cf7c | 1563 | |
wolfSSL | 15:117db924cf7c | 1564 | /* Set the nonce for ChaCha and get Poly1305 key. */ |
wolfSSL | 15:117db924cf7c | 1565 | ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0); |
wolfSSL | 15:117db924cf7c | 1566 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1567 | return ret; |
wolfSSL | 15:117db924cf7c | 1568 | /* Create Poly1305 key using ChaCha20 keystream. */ |
wolfSSL | 15:117db924cf7c | 1569 | ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, poly, sizeof(poly)); |
wolfSSL | 15:117db924cf7c | 1570 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1571 | return ret; |
wolfSSL | 15:117db924cf7c | 1572 | /* Encrypt the plain text. */ |
wolfSSL | 15:117db924cf7c | 1573 | ret = wc_Chacha_Process(ssl->encrypt.chacha, output, input, sz); |
wolfSSL | 15:117db924cf7c | 1574 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 1575 | ForceZero(poly, sizeof(poly)); |
wolfSSL | 15:117db924cf7c | 1576 | return ret; |
wolfSSL | 15:117db924cf7c | 1577 | } |
wolfSSL | 15:117db924cf7c | 1578 | |
wolfSSL | 15:117db924cf7c | 1579 | /* Set key for Poly1305. */ |
wolfSSL | 15:117db924cf7c | 1580 | ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly)); |
wolfSSL | 15:117db924cf7c | 1581 | ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */ |
wolfSSL | 15:117db924cf7c | 1582 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1583 | return ret; |
wolfSSL | 15:117db924cf7c | 1584 | /* Add authentication code of encrypted data to end. */ |
wolfSSL | 15:117db924cf7c | 1585 | ret = wc_Poly1305_MAC(ssl->auth.poly1305, (byte*)aad, aadSz, output, sz, |
wolfSSL | 15:117db924cf7c | 1586 | tag, POLY1305_AUTH_SZ); |
wolfSSL | 15:117db924cf7c | 1587 | |
wolfSSL | 15:117db924cf7c | 1588 | return ret; |
wolfSSL | 15:117db924cf7c | 1589 | } |
wolfSSL | 15:117db924cf7c | 1590 | #endif |
wolfSSL | 15:117db924cf7c | 1591 | |
wolfSSL | 15:117db924cf7c | 1592 | /* Encrypt data for TLS v1.3. |
wolfSSL | 15:117db924cf7c | 1593 | * |
wolfSSL | 15:117db924cf7c | 1594 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1595 | * output The buffer to write encrypted data and authentication tag into. |
wolfSSL | 15:117db924cf7c | 1596 | * May be the same pointer as input. |
wolfSSL | 15:117db924cf7c | 1597 | * input The record header and data to encrypt. |
wolfSSL | 15:117db924cf7c | 1598 | * sz The number of bytes to encrypt. |
wolfSSL | 15:117db924cf7c | 1599 | * aad The additional authentication data. |
wolfSSL | 15:117db924cf7c | 1600 | * aadSz The size of the addition authentication data. |
wolfSSL | 15:117db924cf7c | 1601 | * asyncOkay If non-zero can return WC_PENDING_E, otherwise blocks on crypto |
wolfSSL | 15:117db924cf7c | 1602 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 1603 | */ |
wolfSSL | 15:117db924cf7c | 1604 | static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input, |
wolfSSL | 15:117db924cf7c | 1605 | word16 sz, const byte* aad, word16 aadSz, int asyncOkay) |
wolfSSL | 15:117db924cf7c | 1606 | { |
wolfSSL | 15:117db924cf7c | 1607 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 1608 | word16 dataSz = sz - ssl->specs.aead_mac_size; |
wolfSSL | 15:117db924cf7c | 1609 | word16 macSz = ssl->specs.aead_mac_size; |
wolfSSL | 15:117db924cf7c | 1610 | word32 nonceSz = 0; |
wolfSSL | 15:117db924cf7c | 1611 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1612 | WC_ASYNC_DEV* asyncDev = NULL; |
wolfSSL | 15:117db924cf7c | 1613 | word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN; |
wolfSSL | 15:117db924cf7c | 1614 | #endif |
wolfSSL | 15:117db924cf7c | 1615 | |
wolfSSL | 15:117db924cf7c | 1616 | WOLFSSL_ENTER("EncryptTls13"); |
wolfSSL | 15:117db924cf7c | 1617 | |
wolfSSL | 15:117db924cf7c | 1618 | (void)output; |
wolfSSL | 15:117db924cf7c | 1619 | (void)input; |
wolfSSL | 15:117db924cf7c | 1620 | (void)sz; |
wolfSSL | 15:117db924cf7c | 1621 | (void)dataSz; |
wolfSSL | 15:117db924cf7c | 1622 | (void)macSz; |
wolfSSL | 15:117db924cf7c | 1623 | (void)asyncOkay; |
wolfSSL | 15:117db924cf7c | 1624 | (void)nonceSz; |
wolfSSL | 15:117db924cf7c | 1625 | |
wolfSSL | 15:117db924cf7c | 1626 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1627 | if (ssl->error == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 1628 | ssl->error = 0; /* clear async */ |
wolfSSL | 15:117db924cf7c | 1629 | } |
wolfSSL | 15:117db924cf7c | 1630 | #endif |
wolfSSL | 15:117db924cf7c | 1631 | |
wolfSSL | 15:117db924cf7c | 1632 | switch (ssl->encrypt.state) { |
wolfSSL | 15:117db924cf7c | 1633 | case CIPHER_STATE_BEGIN: |
wolfSSL | 15:117db924cf7c | 1634 | { |
wolfSSL | 15:117db924cf7c | 1635 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 1636 | WOLFSSL_MSG("Data to encrypt"); |
wolfSSL | 15:117db924cf7c | 1637 | WOLFSSL_BUFFER(input, dataSz); |
wolfSSL | 15:117db924cf7c | 1638 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22) && \ |
wolfSSL | 15:117db924cf7c | 1639 | !defined(WOLFSSL_TLS13_DRAFT_23) |
wolfSSL | 15:117db924cf7c | 1640 | WOLFSSL_MSG("Additional Authentication Data"); |
wolfSSL | 15:117db924cf7c | 1641 | WOLFSSL_BUFFER(aad, aadSz); |
wolfSSL | 15:117db924cf7c | 1642 | #endif |
wolfSSL | 15:117db924cf7c | 1643 | #endif |
wolfSSL | 15:117db924cf7c | 1644 | |
wolfSSL | 15:117db924cf7c | 1645 | if (ssl->encrypt.nonce == NULL) |
wolfSSL | 15:117db924cf7c | 1646 | ssl->encrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ, |
wolfSSL | 15:117db924cf7c | 1647 | ssl->heap, DYNAMIC_TYPE_AES_BUFFER); |
wolfSSL | 15:117db924cf7c | 1648 | if (ssl->encrypt.nonce == NULL) |
wolfSSL | 15:117db924cf7c | 1649 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 1650 | |
wolfSSL | 15:117db924cf7c | 1651 | BuildTls13Nonce(ssl, ssl->encrypt.nonce, ssl->keys.aead_enc_imp_IV, |
wolfSSL | 15:117db924cf7c | 1652 | CUR_ORDER); |
wolfSSL | 15:117db924cf7c | 1653 | |
wolfSSL | 15:117db924cf7c | 1654 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 1655 | ssl->encrypt.state = CIPHER_STATE_DO; |
wolfSSL | 15:117db924cf7c | 1656 | } |
wolfSSL | 15:117db924cf7c | 1657 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 1658 | |
wolfSSL | 15:117db924cf7c | 1659 | case CIPHER_STATE_DO: |
wolfSSL | 15:117db924cf7c | 1660 | { |
wolfSSL | 15:117db924cf7c | 1661 | switch (ssl->specs.bulk_cipher_algorithm) { |
wolfSSL | 15:117db924cf7c | 1662 | #ifdef BUILD_AESGCM |
wolfSSL | 15:117db924cf7c | 1663 | case wolfssl_aes_gcm: |
wolfSSL | 15:117db924cf7c | 1664 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1665 | /* initialize event */ |
wolfSSL | 15:117db924cf7c | 1666 | asyncDev = &ssl->encrypt.aes->asyncDev; |
wolfSSL | 15:117db924cf7c | 1667 | ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags); |
wolfSSL | 15:117db924cf7c | 1668 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1669 | break; |
wolfSSL | 15:117db924cf7c | 1670 | #endif |
wolfSSL | 15:117db924cf7c | 1671 | |
wolfSSL | 15:117db924cf7c | 1672 | nonceSz = AESGCM_NONCE_SZ; |
wolfSSL | 15:117db924cf7c | 1673 | ret = wc_AesGcmEncrypt(ssl->encrypt.aes, output, input, |
wolfSSL | 15:117db924cf7c | 1674 | dataSz, ssl->encrypt.nonce, nonceSz, |
wolfSSL | 15:117db924cf7c | 1675 | output + dataSz, macSz, aad, aadSz); |
wolfSSL | 15:117db924cf7c | 1676 | break; |
wolfSSL | 15:117db924cf7c | 1677 | #endif |
wolfSSL | 15:117db924cf7c | 1678 | |
wolfSSL | 15:117db924cf7c | 1679 | #ifdef HAVE_AESCCM |
wolfSSL | 15:117db924cf7c | 1680 | case wolfssl_aes_ccm: |
wolfSSL | 15:117db924cf7c | 1681 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1682 | /* initialize event */ |
wolfSSL | 15:117db924cf7c | 1683 | asyncDev = &ssl->encrypt.aes->asyncDev; |
wolfSSL | 15:117db924cf7c | 1684 | ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags); |
wolfSSL | 15:117db924cf7c | 1685 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1686 | break; |
wolfSSL | 15:117db924cf7c | 1687 | #endif |
wolfSSL | 15:117db924cf7c | 1688 | |
wolfSSL | 15:117db924cf7c | 1689 | nonceSz = AESCCM_NONCE_SZ; |
wolfSSL | 15:117db924cf7c | 1690 | ret = wc_AesCcmEncrypt(ssl->encrypt.aes, output, input, |
wolfSSL | 15:117db924cf7c | 1691 | dataSz, ssl->encrypt.nonce, nonceSz, |
wolfSSL | 15:117db924cf7c | 1692 | output + dataSz, macSz, aad, aadSz); |
wolfSSL | 15:117db924cf7c | 1693 | break; |
wolfSSL | 15:117db924cf7c | 1694 | #endif |
wolfSSL | 15:117db924cf7c | 1695 | |
wolfSSL | 15:117db924cf7c | 1696 | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) |
wolfSSL | 15:117db924cf7c | 1697 | case wolfssl_chacha: |
wolfSSL | 15:117db924cf7c | 1698 | ret = ChaCha20Poly1305_Encrypt(ssl, output, input, dataSz, |
wolfSSL | 15:117db924cf7c | 1699 | ssl->encrypt.nonce, aad, aadSz, output + dataSz); |
wolfSSL | 15:117db924cf7c | 1700 | break; |
wolfSSL | 15:117db924cf7c | 1701 | #endif |
wolfSSL | 15:117db924cf7c | 1702 | |
wolfSSL | 15:117db924cf7c | 1703 | default: |
wolfSSL | 15:117db924cf7c | 1704 | WOLFSSL_MSG("wolfSSL Encrypt programming error"); |
wolfSSL | 15:117db924cf7c | 1705 | return ENCRYPT_ERROR; |
wolfSSL | 15:117db924cf7c | 1706 | } |
wolfSSL | 15:117db924cf7c | 1707 | |
wolfSSL | 15:117db924cf7c | 1708 | /* Advance state */ |
wolfSSL | 15:117db924cf7c | 1709 | ssl->encrypt.state = CIPHER_STATE_END; |
wolfSSL | 15:117db924cf7c | 1710 | |
wolfSSL | 15:117db924cf7c | 1711 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1712 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 1713 | /* if async is not okay, then block */ |
wolfSSL | 15:117db924cf7c | 1714 | if (!asyncOkay) { |
wolfSSL | 15:117db924cf7c | 1715 | ret = wc_AsyncWait(ret, asyncDev, event_flags); |
wolfSSL | 15:117db924cf7c | 1716 | } |
wolfSSL | 15:117db924cf7c | 1717 | else { |
wolfSSL | 15:117db924cf7c | 1718 | /* If pending, then leave and return will resume below */ |
wolfSSL | 15:117db924cf7c | 1719 | return wolfSSL_AsyncPush(ssl, asyncDev); |
wolfSSL | 15:117db924cf7c | 1720 | } |
wolfSSL | 15:117db924cf7c | 1721 | } |
wolfSSL | 15:117db924cf7c | 1722 | #endif |
wolfSSL | 15:117db924cf7c | 1723 | } |
wolfSSL | 15:117db924cf7c | 1724 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 1725 | |
wolfSSL | 15:117db924cf7c | 1726 | case CIPHER_STATE_END: |
wolfSSL | 15:117db924cf7c | 1727 | { |
wolfSSL | 15:117db924cf7c | 1728 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 1729 | WOLFSSL_MSG("Nonce"); |
wolfSSL | 15:117db924cf7c | 1730 | WOLFSSL_BUFFER(ssl->encrypt.nonce, ssl->specs.iv_size); |
wolfSSL | 15:117db924cf7c | 1731 | WOLFSSL_MSG("Encrypted data"); |
wolfSSL | 15:117db924cf7c | 1732 | WOLFSSL_BUFFER(output, dataSz); |
wolfSSL | 15:117db924cf7c | 1733 | WOLFSSL_MSG("Authentication Tag"); |
wolfSSL | 15:117db924cf7c | 1734 | WOLFSSL_BUFFER(output + dataSz, macSz); |
wolfSSL | 15:117db924cf7c | 1735 | #endif |
wolfSSL | 15:117db924cf7c | 1736 | |
wolfSSL | 15:117db924cf7c | 1737 | ForceZero(ssl->encrypt.nonce, AEAD_NONCE_SZ); |
wolfSSL | 15:117db924cf7c | 1738 | |
wolfSSL | 15:117db924cf7c | 1739 | break; |
wolfSSL | 15:117db924cf7c | 1740 | } |
wolfSSL | 15:117db924cf7c | 1741 | } |
wolfSSL | 15:117db924cf7c | 1742 | |
wolfSSL | 15:117db924cf7c | 1743 | /* Reset state */ |
wolfSSL | 15:117db924cf7c | 1744 | ssl->encrypt.state = CIPHER_STATE_BEGIN; |
wolfSSL | 15:117db924cf7c | 1745 | |
wolfSSL | 15:117db924cf7c | 1746 | return ret; |
wolfSSL | 15:117db924cf7c | 1747 | } |
wolfSSL | 15:117db924cf7c | 1748 | |
wolfSSL | 15:117db924cf7c | 1749 | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) |
wolfSSL | 15:117db924cf7c | 1750 | /* Decrypt with ChaCha20 and check authenication tag with Poly1305. |
wolfSSL | 15:117db924cf7c | 1751 | * |
wolfSSL | 15:117db924cf7c | 1752 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1753 | * output The buffer to write decrypted data into. |
wolfSSL | 15:117db924cf7c | 1754 | * May be the same pointer as input. |
wolfSSL | 15:117db924cf7c | 1755 | * input The data to decrypt. |
wolfSSL | 15:117db924cf7c | 1756 | * sz The number of bytes to decrypt. |
wolfSSL | 15:117db924cf7c | 1757 | * nonce The nonce to use with ChaCha20. |
wolfSSL | 15:117db924cf7c | 1758 | * aad The additional authentication data. |
wolfSSL | 15:117db924cf7c | 1759 | * aadSz The size of the addition authentication data. |
wolfSSL | 15:117db924cf7c | 1760 | * tagIn The authentication tag data from packet. |
wolfSSL | 15:117db924cf7c | 1761 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 1762 | */ |
wolfSSL | 15:117db924cf7c | 1763 | static int ChaCha20Poly1305_Decrypt(WOLFSSL* ssl, byte* output, |
wolfSSL | 15:117db924cf7c | 1764 | const byte* input, word16 sz, byte* nonce, |
wolfSSL | 15:117db924cf7c | 1765 | const byte* aad, word16 aadSz, |
wolfSSL | 15:117db924cf7c | 1766 | const byte* tagIn) |
wolfSSL | 15:117db924cf7c | 1767 | { |
wolfSSL | 15:117db924cf7c | 1768 | int ret; |
wolfSSL | 15:117db924cf7c | 1769 | byte tag[POLY1305_AUTH_SZ]; |
wolfSSL | 15:117db924cf7c | 1770 | byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */ |
wolfSSL | 15:117db924cf7c | 1771 | |
wolfSSL | 15:117db924cf7c | 1772 | /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */ |
wolfSSL | 15:117db924cf7c | 1773 | XMEMSET(poly, 0, sizeof(poly)); |
wolfSSL | 15:117db924cf7c | 1774 | |
wolfSSL | 15:117db924cf7c | 1775 | /* Set nonce and get Poly1305 key. */ |
wolfSSL | 15:117db924cf7c | 1776 | ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0); |
wolfSSL | 15:117db924cf7c | 1777 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1778 | return ret; |
wolfSSL | 15:117db924cf7c | 1779 | /* Use ChaCha20 keystream to get Poly1305 key for tag. */ |
wolfSSL | 15:117db924cf7c | 1780 | ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, poly, sizeof(poly)); |
wolfSSL | 15:117db924cf7c | 1781 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1782 | return ret; |
wolfSSL | 15:117db924cf7c | 1783 | |
wolfSSL | 15:117db924cf7c | 1784 | /* Set key for Poly1305. */ |
wolfSSL | 15:117db924cf7c | 1785 | ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly)); |
wolfSSL | 15:117db924cf7c | 1786 | ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */ |
wolfSSL | 15:117db924cf7c | 1787 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1788 | return ret; |
wolfSSL | 15:117db924cf7c | 1789 | /* Generate authentication tag for encrypted data. */ |
wolfSSL | 15:117db924cf7c | 1790 | if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, (byte*)aad, aadSz, |
wolfSSL | 15:117db924cf7c | 1791 | (byte*)input, sz, tag, sizeof(tag))) != 0) { |
wolfSSL | 15:117db924cf7c | 1792 | return ret; |
wolfSSL | 15:117db924cf7c | 1793 | } |
wolfSSL | 15:117db924cf7c | 1794 | |
wolfSSL | 15:117db924cf7c | 1795 | /* Check tag sent along with packet. */ |
wolfSSL | 15:117db924cf7c | 1796 | if (ConstantCompare(tagIn, tag, POLY1305_AUTH_SZ) != 0) { |
wolfSSL | 15:117db924cf7c | 1797 | WOLFSSL_MSG("MAC did not match"); |
wolfSSL | 15:117db924cf7c | 1798 | return VERIFY_MAC_ERROR; |
wolfSSL | 15:117db924cf7c | 1799 | } |
wolfSSL | 15:117db924cf7c | 1800 | |
wolfSSL | 15:117db924cf7c | 1801 | /* If the tag was good decrypt message. */ |
wolfSSL | 15:117db924cf7c | 1802 | ret = wc_Chacha_Process(ssl->decrypt.chacha, output, input, sz); |
wolfSSL | 15:117db924cf7c | 1803 | |
wolfSSL | 15:117db924cf7c | 1804 | return ret; |
wolfSSL | 15:117db924cf7c | 1805 | } |
wolfSSL | 15:117db924cf7c | 1806 | #endif |
wolfSSL | 15:117db924cf7c | 1807 | |
wolfSSL | 15:117db924cf7c | 1808 | /* Decrypt data for TLS v1.3. |
wolfSSL | 15:117db924cf7c | 1809 | * |
wolfSSL | 15:117db924cf7c | 1810 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1811 | * output The buffer to write decrypted data into. |
wolfSSL | 15:117db924cf7c | 1812 | * May be the same pointer as input. |
wolfSSL | 15:117db924cf7c | 1813 | * input The data to decrypt and authentication tag. |
wolfSSL | 15:117db924cf7c | 1814 | * sz The length of the encrypted data plus authentication tag. |
wolfSSL | 15:117db924cf7c | 1815 | * aad The additional authentication data. |
wolfSSL | 15:117db924cf7c | 1816 | * aadSz The size of the addition authentication data. |
wolfSSL | 15:117db924cf7c | 1817 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 1818 | */ |
wolfSSL | 15:117db924cf7c | 1819 | int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz, |
wolfSSL | 15:117db924cf7c | 1820 | const byte* aad, word16 aadSz) |
wolfSSL | 15:117db924cf7c | 1821 | { |
wolfSSL | 15:117db924cf7c | 1822 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 1823 | word16 dataSz = sz - ssl->specs.aead_mac_size; |
wolfSSL | 15:117db924cf7c | 1824 | word16 macSz = ssl->specs.aead_mac_size; |
wolfSSL | 15:117db924cf7c | 1825 | word32 nonceSz = 0; |
wolfSSL | 15:117db924cf7c | 1826 | |
wolfSSL | 15:117db924cf7c | 1827 | WOLFSSL_ENTER("DecryptTls13"); |
wolfSSL | 15:117db924cf7c | 1828 | |
wolfSSL | 15:117db924cf7c | 1829 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1830 | ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state); |
wolfSSL | 15:117db924cf7c | 1831 | if (ret != WC_NOT_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 1832 | /* check for still pending */ |
wolfSSL | 15:117db924cf7c | 1833 | if (ret == WC_PENDING_E) |
wolfSSL | 15:117db924cf7c | 1834 | return ret; |
wolfSSL | 15:117db924cf7c | 1835 | |
wolfSSL | 15:117db924cf7c | 1836 | ssl->error = 0; /* clear async */ |
wolfSSL | 15:117db924cf7c | 1837 | |
wolfSSL | 15:117db924cf7c | 1838 | /* let failures through so CIPHER_STATE_END logic is run */ |
wolfSSL | 15:117db924cf7c | 1839 | } |
wolfSSL | 15:117db924cf7c | 1840 | else |
wolfSSL | 15:117db924cf7c | 1841 | #endif |
wolfSSL | 15:117db924cf7c | 1842 | { |
wolfSSL | 15:117db924cf7c | 1843 | /* Reset state */ |
wolfSSL | 15:117db924cf7c | 1844 | ret = 0; |
wolfSSL | 15:117db924cf7c | 1845 | ssl->decrypt.state = CIPHER_STATE_BEGIN; |
wolfSSL | 15:117db924cf7c | 1846 | } |
wolfSSL | 15:117db924cf7c | 1847 | |
wolfSSL | 15:117db924cf7c | 1848 | (void)output; |
wolfSSL | 15:117db924cf7c | 1849 | (void)input; |
wolfSSL | 15:117db924cf7c | 1850 | (void)sz; |
wolfSSL | 15:117db924cf7c | 1851 | (void)dataSz; |
wolfSSL | 15:117db924cf7c | 1852 | (void)macSz; |
wolfSSL | 15:117db924cf7c | 1853 | (void)nonceSz; |
wolfSSL | 15:117db924cf7c | 1854 | |
wolfSSL | 15:117db924cf7c | 1855 | switch (ssl->decrypt.state) { |
wolfSSL | 15:117db924cf7c | 1856 | case CIPHER_STATE_BEGIN: |
wolfSSL | 15:117db924cf7c | 1857 | { |
wolfSSL | 15:117db924cf7c | 1858 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 1859 | WOLFSSL_MSG("Data to decrypt"); |
wolfSSL | 15:117db924cf7c | 1860 | WOLFSSL_BUFFER(input, dataSz); |
wolfSSL | 15:117db924cf7c | 1861 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22) && \ |
wolfSSL | 15:117db924cf7c | 1862 | !defined(WOLFSSL_TLS13_DRAFT_23) |
wolfSSL | 15:117db924cf7c | 1863 | WOLFSSL_MSG("Additional Authentication Data"); |
wolfSSL | 15:117db924cf7c | 1864 | WOLFSSL_BUFFER(aad, aadSz); |
wolfSSL | 15:117db924cf7c | 1865 | #endif |
wolfSSL | 15:117db924cf7c | 1866 | WOLFSSL_MSG("Authentication tag"); |
wolfSSL | 15:117db924cf7c | 1867 | WOLFSSL_BUFFER(input + dataSz, macSz); |
wolfSSL | 15:117db924cf7c | 1868 | #endif |
wolfSSL | 15:117db924cf7c | 1869 | |
wolfSSL | 15:117db924cf7c | 1870 | if (ssl->decrypt.nonce == NULL) |
wolfSSL | 15:117db924cf7c | 1871 | ssl->decrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ, |
wolfSSL | 15:117db924cf7c | 1872 | ssl->heap, DYNAMIC_TYPE_AES_BUFFER); |
wolfSSL | 15:117db924cf7c | 1873 | if (ssl->decrypt.nonce == NULL) |
wolfSSL | 15:117db924cf7c | 1874 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 1875 | |
wolfSSL | 15:117db924cf7c | 1876 | BuildTls13Nonce(ssl, ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV, |
wolfSSL | 15:117db924cf7c | 1877 | PEER_ORDER); |
wolfSSL | 15:117db924cf7c | 1878 | |
wolfSSL | 15:117db924cf7c | 1879 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 1880 | ssl->decrypt.state = CIPHER_STATE_DO; |
wolfSSL | 15:117db924cf7c | 1881 | } |
wolfSSL | 15:117db924cf7c | 1882 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 1883 | |
wolfSSL | 15:117db924cf7c | 1884 | case CIPHER_STATE_DO: |
wolfSSL | 15:117db924cf7c | 1885 | { |
wolfSSL | 15:117db924cf7c | 1886 | switch (ssl->specs.bulk_cipher_algorithm) { |
wolfSSL | 15:117db924cf7c | 1887 | #ifdef BUILD_AESGCM |
wolfSSL | 15:117db924cf7c | 1888 | case wolfssl_aes_gcm: |
wolfSSL | 15:117db924cf7c | 1889 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1890 | /* initialize event */ |
wolfSSL | 15:117db924cf7c | 1891 | ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev, |
wolfSSL | 15:117db924cf7c | 1892 | WC_ASYNC_FLAG_CALL_AGAIN); |
wolfSSL | 15:117db924cf7c | 1893 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1894 | break; |
wolfSSL | 15:117db924cf7c | 1895 | #endif |
wolfSSL | 15:117db924cf7c | 1896 | |
wolfSSL | 15:117db924cf7c | 1897 | nonceSz = AESGCM_NONCE_SZ; |
wolfSSL | 15:117db924cf7c | 1898 | ret = wc_AesGcmDecrypt(ssl->decrypt.aes, output, input, |
wolfSSL | 15:117db924cf7c | 1899 | dataSz, ssl->decrypt.nonce, nonceSz, |
wolfSSL | 15:117db924cf7c | 1900 | input + dataSz, macSz, aad, aadSz); |
wolfSSL | 15:117db924cf7c | 1901 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1902 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 1903 | ret = wolfSSL_AsyncPush(ssl, |
wolfSSL | 15:117db924cf7c | 1904 | &ssl->decrypt.aes->asyncDev); |
wolfSSL | 15:117db924cf7c | 1905 | } |
wolfSSL | 15:117db924cf7c | 1906 | #endif |
wolfSSL | 15:117db924cf7c | 1907 | break; |
wolfSSL | 15:117db924cf7c | 1908 | #endif |
wolfSSL | 15:117db924cf7c | 1909 | |
wolfSSL | 15:117db924cf7c | 1910 | #ifdef HAVE_AESCCM |
wolfSSL | 15:117db924cf7c | 1911 | case wolfssl_aes_ccm: |
wolfSSL | 15:117db924cf7c | 1912 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1913 | /* initialize event */ |
wolfSSL | 15:117db924cf7c | 1914 | ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev, |
wolfSSL | 15:117db924cf7c | 1915 | WC_ASYNC_FLAG_CALL_AGAIN); |
wolfSSL | 15:117db924cf7c | 1916 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1917 | break; |
wolfSSL | 15:117db924cf7c | 1918 | #endif |
wolfSSL | 15:117db924cf7c | 1919 | |
wolfSSL | 15:117db924cf7c | 1920 | nonceSz = AESCCM_NONCE_SZ; |
wolfSSL | 15:117db924cf7c | 1921 | ret = wc_AesCcmDecrypt(ssl->decrypt.aes, output, input, |
wolfSSL | 15:117db924cf7c | 1922 | dataSz, ssl->decrypt.nonce, nonceSz, |
wolfSSL | 15:117db924cf7c | 1923 | input + dataSz, macSz, aad, aadSz); |
wolfSSL | 15:117db924cf7c | 1924 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1925 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 1926 | ret = wolfSSL_AsyncPush(ssl, |
wolfSSL | 15:117db924cf7c | 1927 | &ssl->decrypt.aes->asyncDev); |
wolfSSL | 15:117db924cf7c | 1928 | } |
wolfSSL | 15:117db924cf7c | 1929 | #endif |
wolfSSL | 15:117db924cf7c | 1930 | break; |
wolfSSL | 15:117db924cf7c | 1931 | #endif |
wolfSSL | 15:117db924cf7c | 1932 | |
wolfSSL | 15:117db924cf7c | 1933 | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) |
wolfSSL | 15:117db924cf7c | 1934 | case wolfssl_chacha: |
wolfSSL | 15:117db924cf7c | 1935 | ret = ChaCha20Poly1305_Decrypt(ssl, output, input, dataSz, |
wolfSSL | 15:117db924cf7c | 1936 | ssl->decrypt.nonce, aad, aadSz, input + dataSz); |
wolfSSL | 15:117db924cf7c | 1937 | break; |
wolfSSL | 15:117db924cf7c | 1938 | #endif |
wolfSSL | 15:117db924cf7c | 1939 | |
wolfSSL | 15:117db924cf7c | 1940 | default: |
wolfSSL | 15:117db924cf7c | 1941 | WOLFSSL_MSG("wolfSSL Decrypt programming error"); |
wolfSSL | 15:117db924cf7c | 1942 | return DECRYPT_ERROR; |
wolfSSL | 15:117db924cf7c | 1943 | } |
wolfSSL | 15:117db924cf7c | 1944 | |
wolfSSL | 15:117db924cf7c | 1945 | /* Advance state */ |
wolfSSL | 15:117db924cf7c | 1946 | ssl->decrypt.state = CIPHER_STATE_END; |
wolfSSL | 15:117db924cf7c | 1947 | |
wolfSSL | 15:117db924cf7c | 1948 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1949 | /* If pending, leave now */ |
wolfSSL | 15:117db924cf7c | 1950 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 1951 | return ret; |
wolfSSL | 15:117db924cf7c | 1952 | } |
wolfSSL | 15:117db924cf7c | 1953 | #endif |
wolfSSL | 15:117db924cf7c | 1954 | } |
wolfSSL | 15:117db924cf7c | 1955 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 1956 | |
wolfSSL | 15:117db924cf7c | 1957 | case CIPHER_STATE_END: |
wolfSSL | 15:117db924cf7c | 1958 | { |
wolfSSL | 15:117db924cf7c | 1959 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 1960 | WOLFSSL_MSG("Nonce"); |
wolfSSL | 15:117db924cf7c | 1961 | WOLFSSL_BUFFER(ssl->decrypt.nonce, ssl->specs.iv_size); |
wolfSSL | 15:117db924cf7c | 1962 | WOLFSSL_MSG("Decrypted data"); |
wolfSSL | 15:117db924cf7c | 1963 | WOLFSSL_BUFFER(output, dataSz); |
wolfSSL | 15:117db924cf7c | 1964 | #endif |
wolfSSL | 15:117db924cf7c | 1965 | |
wolfSSL | 15:117db924cf7c | 1966 | ForceZero(ssl->decrypt.nonce, AEAD_NONCE_SZ); |
wolfSSL | 15:117db924cf7c | 1967 | |
wolfSSL | 15:117db924cf7c | 1968 | break; |
wolfSSL | 15:117db924cf7c | 1969 | } |
wolfSSL | 15:117db924cf7c | 1970 | } |
wolfSSL | 15:117db924cf7c | 1971 | |
wolfSSL | 15:117db924cf7c | 1972 | #ifndef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 1973 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 1974 | SendAlert(ssl, alert_fatal, bad_record_mac); |
wolfSSL | 15:117db924cf7c | 1975 | ret = VERIFY_MAC_ERROR; |
wolfSSL | 15:117db924cf7c | 1976 | } |
wolfSSL | 15:117db924cf7c | 1977 | #endif |
wolfSSL | 15:117db924cf7c | 1978 | |
wolfSSL | 15:117db924cf7c | 1979 | return ret; |
wolfSSL | 15:117db924cf7c | 1980 | } |
wolfSSL | 15:117db924cf7c | 1981 | |
wolfSSL | 15:117db924cf7c | 1982 | /* Persistable BuildTls13Message arguments */ |
wolfSSL | 15:117db924cf7c | 1983 | typedef struct BuildMsg13Args { |
wolfSSL | 15:117db924cf7c | 1984 | word32 sz; |
wolfSSL | 15:117db924cf7c | 1985 | word32 idx; |
wolfSSL | 15:117db924cf7c | 1986 | word32 headerSz; |
wolfSSL | 15:117db924cf7c | 1987 | word16 size; |
wolfSSL | 15:117db924cf7c | 1988 | } BuildMsg13Args; |
wolfSSL | 15:117db924cf7c | 1989 | |
wolfSSL | 15:117db924cf7c | 1990 | static void FreeBuildMsg13Args(WOLFSSL* ssl, void* pArgs) |
wolfSSL | 15:117db924cf7c | 1991 | { |
wolfSSL | 15:117db924cf7c | 1992 | BuildMsg13Args* args = (BuildMsg13Args*)pArgs; |
wolfSSL | 15:117db924cf7c | 1993 | |
wolfSSL | 15:117db924cf7c | 1994 | (void)ssl; |
wolfSSL | 15:117db924cf7c | 1995 | (void)args; |
wolfSSL | 15:117db924cf7c | 1996 | |
wolfSSL | 15:117db924cf7c | 1997 | /* no allocations in BuildTls13Message */ |
wolfSSL | 15:117db924cf7c | 1998 | } |
wolfSSL | 15:117db924cf7c | 1999 | |
wolfSSL | 15:117db924cf7c | 2000 | /* Build SSL Message, encrypted. |
wolfSSL | 15:117db924cf7c | 2001 | * TLS v1.3 encryption is AEAD only. |
wolfSSL | 15:117db924cf7c | 2002 | * |
wolfSSL | 15:117db924cf7c | 2003 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2004 | * output The buffer to write record message to. |
wolfSSL | 15:117db924cf7c | 2005 | * outSz Size of the buffer being written into. |
wolfSSL | 15:117db924cf7c | 2006 | * input The record data to encrypt (excluding record header). |
wolfSSL | 15:117db924cf7c | 2007 | * inSz The size of the record data. |
wolfSSL | 15:117db924cf7c | 2008 | * type The recorder header content type. |
wolfSSL | 15:117db924cf7c | 2009 | * hashOutput Whether to hash the unencrypted record data. |
wolfSSL | 15:117db924cf7c | 2010 | * sizeOnly Only want the size of the record message. |
wolfSSL | 15:117db924cf7c | 2011 | * asyncOkay If non-zero can return WC_PENDING_E, otherwise blocks on crypto |
wolfSSL | 15:117db924cf7c | 2012 | * returns the size of the encrypted record message or negative value on error. |
wolfSSL | 15:117db924cf7c | 2013 | */ |
wolfSSL | 15:117db924cf7c | 2014 | int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input, |
wolfSSL | 15:117db924cf7c | 2015 | int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay) |
wolfSSL | 15:117db924cf7c | 2016 | { |
wolfSSL | 15:117db924cf7c | 2017 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 2018 | BuildMsg13Args* args; |
wolfSSL | 15:117db924cf7c | 2019 | BuildMsg13Args lcl_args; |
wolfSSL | 15:117db924cf7c | 2020 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 2021 | args = (BuildMsg13Args*)ssl->async.args; |
wolfSSL | 15:117db924cf7c | 2022 | typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; |
wolfSSL | 15:117db924cf7c | 2023 | (void)sizeof(args_test); |
wolfSSL | 15:117db924cf7c | 2024 | #endif |
wolfSSL | 15:117db924cf7c | 2025 | |
wolfSSL | 15:117db924cf7c | 2026 | WOLFSSL_ENTER("BuildTls13Message"); |
wolfSSL | 15:117db924cf7c | 2027 | |
wolfSSL | 15:117db924cf7c | 2028 | ret = WC_NOT_PENDING_E; |
wolfSSL | 15:117db924cf7c | 2029 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 2030 | if (asyncOkay) { |
wolfSSL | 15:117db924cf7c | 2031 | ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState); |
wolfSSL | 15:117db924cf7c | 2032 | if (ret != WC_NOT_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 2033 | /* Check for error */ |
wolfSSL | 15:117db924cf7c | 2034 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 2035 | goto exit_buildmsg; |
wolfSSL | 15:117db924cf7c | 2036 | } |
wolfSSL | 15:117db924cf7c | 2037 | } |
wolfSSL | 15:117db924cf7c | 2038 | else |
wolfSSL | 15:117db924cf7c | 2039 | #endif |
wolfSSL | 15:117db924cf7c | 2040 | { |
wolfSSL | 15:117db924cf7c | 2041 | args = &lcl_args; |
wolfSSL | 15:117db924cf7c | 2042 | } |
wolfSSL | 15:117db924cf7c | 2043 | |
wolfSSL | 15:117db924cf7c | 2044 | /* Reset state */ |
wolfSSL | 15:117db924cf7c | 2045 | if (ret == WC_NOT_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 2046 | ret = 0; |
wolfSSL | 15:117db924cf7c | 2047 | ssl->options.buildMsgState = BUILD_MSG_BEGIN; |
wolfSSL | 15:117db924cf7c | 2048 | XMEMSET(args, 0, sizeof(BuildMsg13Args)); |
wolfSSL | 15:117db924cf7c | 2049 | |
wolfSSL | 15:117db924cf7c | 2050 | args->sz = RECORD_HEADER_SZ + inSz; |
wolfSSL | 15:117db924cf7c | 2051 | args->idx = RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 2052 | args->headerSz = RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 2053 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 2054 | ssl->async.freeArgs = FreeBuildMsg13Args; |
wolfSSL | 15:117db924cf7c | 2055 | #endif |
wolfSSL | 15:117db924cf7c | 2056 | } |
wolfSSL | 15:117db924cf7c | 2057 | |
wolfSSL | 15:117db924cf7c | 2058 | switch (ssl->options.buildMsgState) { |
wolfSSL | 15:117db924cf7c | 2059 | case BUILD_MSG_BEGIN: |
wolfSSL | 15:117db924cf7c | 2060 | { |
wolfSSL | 15:117db924cf7c | 2061 | /* catch mistaken sizeOnly parameter */ |
wolfSSL | 15:117db924cf7c | 2062 | if (sizeOnly) { |
wolfSSL | 15:117db924cf7c | 2063 | if (output || input) { |
wolfSSL | 15:117db924cf7c | 2064 | WOLFSSL_MSG("BuildTls13Message with sizeOnly " |
wolfSSL | 15:117db924cf7c | 2065 | "doesn't need input or output"); |
wolfSSL | 15:117db924cf7c | 2066 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 2067 | } |
wolfSSL | 15:117db924cf7c | 2068 | } |
wolfSSL | 15:117db924cf7c | 2069 | else if (output == NULL || input == NULL) { |
wolfSSL | 15:117db924cf7c | 2070 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 2071 | } |
wolfSSL | 15:117db924cf7c | 2072 | |
wolfSSL | 15:117db924cf7c | 2073 | /* Record layer content type at the end of record data. */ |
wolfSSL | 15:117db924cf7c | 2074 | args->sz++; |
wolfSSL | 15:117db924cf7c | 2075 | /* Authentication data at the end. */ |
wolfSSL | 15:117db924cf7c | 2076 | args->sz += ssl->specs.aead_mac_size; |
wolfSSL | 15:117db924cf7c | 2077 | |
wolfSSL | 15:117db924cf7c | 2078 | if (sizeOnly) |
wolfSSL | 15:117db924cf7c | 2079 | return args->sz; |
wolfSSL | 15:117db924cf7c | 2080 | |
wolfSSL | 15:117db924cf7c | 2081 | if (args->sz > (word32)outSz) { |
wolfSSL | 15:117db924cf7c | 2082 | WOLFSSL_MSG("Oops, want to write past output buffer size"); |
wolfSSL | 15:117db924cf7c | 2083 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 2084 | } |
wolfSSL | 15:117db924cf7c | 2085 | |
wolfSSL | 15:117db924cf7c | 2086 | /* Record data length. */ |
wolfSSL | 15:117db924cf7c | 2087 | args->size = (word16)(args->sz - args->headerSz); |
wolfSSL | 15:117db924cf7c | 2088 | /* Write/update the record header with the new size. |
wolfSSL | 15:117db924cf7c | 2089 | * Always have the content type as application data for encrypted |
wolfSSL | 15:117db924cf7c | 2090 | * messages in TLS v1.3. |
wolfSSL | 15:117db924cf7c | 2091 | */ |
wolfSSL | 15:117db924cf7c | 2092 | AddTls13RecordHeader(output, args->size, application_data, ssl); |
wolfSSL | 15:117db924cf7c | 2093 | |
wolfSSL | 15:117db924cf7c | 2094 | /* TLS v1.3 can do in place encryption. */ |
wolfSSL | 15:117db924cf7c | 2095 | if (input != output + args->idx) |
wolfSSL | 15:117db924cf7c | 2096 | XMEMCPY(output + args->idx, input, inSz); |
wolfSSL | 15:117db924cf7c | 2097 | args->idx += inSz; |
wolfSSL | 15:117db924cf7c | 2098 | |
wolfSSL | 15:117db924cf7c | 2099 | ssl->options.buildMsgState = BUILD_MSG_HASH; |
wolfSSL | 15:117db924cf7c | 2100 | } |
wolfSSL | 15:117db924cf7c | 2101 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 2102 | |
wolfSSL | 15:117db924cf7c | 2103 | case BUILD_MSG_HASH: |
wolfSSL | 15:117db924cf7c | 2104 | { |
wolfSSL | 15:117db924cf7c | 2105 | if (hashOutput) { |
wolfSSL | 15:117db924cf7c | 2106 | ret = HashOutput(ssl, output, args->headerSz + inSz, 0); |
wolfSSL | 15:117db924cf7c | 2107 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2108 | goto exit_buildmsg; |
wolfSSL | 15:117db924cf7c | 2109 | } |
wolfSSL | 15:117db924cf7c | 2110 | |
wolfSSL | 15:117db924cf7c | 2111 | ssl->options.buildMsgState = BUILD_MSG_ENCRYPT; |
wolfSSL | 15:117db924cf7c | 2112 | } |
wolfSSL | 15:117db924cf7c | 2113 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 2114 | |
wolfSSL | 15:117db924cf7c | 2115 | case BUILD_MSG_ENCRYPT: |
wolfSSL | 15:117db924cf7c | 2116 | { |
wolfSSL | 15:117db924cf7c | 2117 | /* The real record content type goes at the end of the data. */ |
wolfSSL | 15:117db924cf7c | 2118 | output[args->idx++] = (byte)type; |
wolfSSL | 15:117db924cf7c | 2119 | |
wolfSSL | 15:117db924cf7c | 2120 | #ifdef ATOMIC_USER |
wolfSSL | 15:117db924cf7c | 2121 | if (ssl->ctx->MacEncryptCb) { |
wolfSSL | 15:117db924cf7c | 2122 | /* User Record Layer Callback handling */ |
wolfSSL | 15:117db924cf7c | 2123 | byte* mac = output + args->idx; |
wolfSSL | 15:117db924cf7c | 2124 | output += args->headerSz; |
wolfSSL | 15:117db924cf7c | 2125 | |
wolfSSL | 15:117db924cf7c | 2126 | ret = ssl->ctx->MacEncryptCb(ssl, mac, output, inSz, type, 0, |
wolfSSL | 15:117db924cf7c | 2127 | output, output, args->size, ssl->MacEncryptCtx); |
wolfSSL | 15:117db924cf7c | 2128 | } |
wolfSSL | 15:117db924cf7c | 2129 | else |
wolfSSL | 15:117db924cf7c | 2130 | #endif |
wolfSSL | 15:117db924cf7c | 2131 | { |
wolfSSL | 15:117db924cf7c | 2132 | #if defined(WOLFSSL_TLS13_DRAFT_18) || defined(WOLFSSL_TLS13_DRAFT_22) || \ |
wolfSSL | 15:117db924cf7c | 2133 | defined(WOLFSSL_TLS13_DRAFT_23) |
wolfSSL | 15:117db924cf7c | 2134 | output += args->headerSz; |
wolfSSL | 15:117db924cf7c | 2135 | ret = EncryptTls13(ssl, output, output, args->size, NULL, 0, |
wolfSSL | 15:117db924cf7c | 2136 | asyncOkay); |
wolfSSL | 15:117db924cf7c | 2137 | #else |
wolfSSL | 15:117db924cf7c | 2138 | const byte* aad = output; |
wolfSSL | 15:117db924cf7c | 2139 | output += args->headerSz; |
wolfSSL | 15:117db924cf7c | 2140 | ret = EncryptTls13(ssl, output, output, args->size, aad, |
wolfSSL | 15:117db924cf7c | 2141 | RECORD_HEADER_SZ, asyncOkay); |
wolfSSL | 15:117db924cf7c | 2142 | #endif |
wolfSSL | 15:117db924cf7c | 2143 | } |
wolfSSL | 15:117db924cf7c | 2144 | break; |
wolfSSL | 15:117db924cf7c | 2145 | } |
wolfSSL | 15:117db924cf7c | 2146 | } |
wolfSSL | 15:117db924cf7c | 2147 | |
wolfSSL | 15:117db924cf7c | 2148 | exit_buildmsg: |
wolfSSL | 15:117db924cf7c | 2149 | |
wolfSSL | 15:117db924cf7c | 2150 | WOLFSSL_LEAVE("BuildTls13Message", ret); |
wolfSSL | 15:117db924cf7c | 2151 | |
wolfSSL | 15:117db924cf7c | 2152 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 2153 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 2154 | return ret; |
wolfSSL | 15:117db924cf7c | 2155 | } |
wolfSSL | 15:117db924cf7c | 2156 | #endif |
wolfSSL | 15:117db924cf7c | 2157 | |
wolfSSL | 15:117db924cf7c | 2158 | /* make sure build message state is reset */ |
wolfSSL | 15:117db924cf7c | 2159 | ssl->options.buildMsgState = BUILD_MSG_BEGIN; |
wolfSSL | 15:117db924cf7c | 2160 | |
wolfSSL | 15:117db924cf7c | 2161 | /* return sz on success */ |
wolfSSL | 15:117db924cf7c | 2162 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 2163 | ret = args->sz; |
wolfSSL | 15:117db924cf7c | 2164 | |
wolfSSL | 15:117db924cf7c | 2165 | /* Final cleanup */ |
wolfSSL | 15:117db924cf7c | 2166 | FreeBuildMsg13Args(ssl, args); |
wolfSSL | 15:117db924cf7c | 2167 | |
wolfSSL | 15:117db924cf7c | 2168 | return ret; |
wolfSSL | 15:117db924cf7c | 2169 | } |
wolfSSL | 15:117db924cf7c | 2170 | |
wolfSSL | 15:117db924cf7c | 2171 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 2172 | /* Find the cipher suite in the suites set in the SSL. |
wolfSSL | 15:117db924cf7c | 2173 | * |
wolfSSL | 15:117db924cf7c | 2174 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2175 | * suite Cipher suite to look for. |
wolfSSL | 15:117db924cf7c | 2176 | * returns 1 when suite is found in SSL/TLS object's list and 0 otherwise. |
wolfSSL | 15:117db924cf7c | 2177 | */ |
wolfSSL | 15:117db924cf7c | 2178 | static int FindSuite(WOLFSSL* ssl, byte* suite) |
wolfSSL | 15:117db924cf7c | 2179 | { |
wolfSSL | 15:117db924cf7c | 2180 | int i; |
wolfSSL | 15:117db924cf7c | 2181 | |
wolfSSL | 15:117db924cf7c | 2182 | for (i = 0; i < ssl->suites->suiteSz; i += 2) { |
wolfSSL | 15:117db924cf7c | 2183 | if (ssl->suites->suites[i+0] == suite[0] && |
wolfSSL | 15:117db924cf7c | 2184 | ssl->suites->suites[i+1] == suite[1]) { |
wolfSSL | 15:117db924cf7c | 2185 | return 1; |
wolfSSL | 15:117db924cf7c | 2186 | } |
wolfSSL | 15:117db924cf7c | 2187 | } |
wolfSSL | 15:117db924cf7c | 2188 | |
wolfSSL | 15:117db924cf7c | 2189 | return 0; |
wolfSSL | 15:117db924cf7c | 2190 | } |
wolfSSL | 15:117db924cf7c | 2191 | #endif |
wolfSSL | 15:117db924cf7c | 2192 | |
wolfSSL | 15:117db924cf7c | 2193 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2194 | #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER) |
wolfSSL | 15:117db924cf7c | 2195 | /* Create Cookie extension using the hash of the first ClientHello. |
wolfSSL | 15:117db924cf7c | 2196 | * |
wolfSSL | 15:117db924cf7c | 2197 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2198 | * hash The hash data. |
wolfSSL | 15:117db924cf7c | 2199 | * hashSz The size of the hash data in bytes. |
wolfSSL | 15:117db924cf7c | 2200 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 2201 | */ |
wolfSSL | 15:117db924cf7c | 2202 | static int CreateCookie(WOLFSSL* ssl, byte* hash, byte hashSz) |
wolfSSL | 15:117db924cf7c | 2203 | { |
wolfSSL | 15:117db924cf7c | 2204 | int ret; |
wolfSSL | 15:117db924cf7c | 2205 | byte mac[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 2206 | Hmac cookieHmac; |
wolfSSL | 15:117db924cf7c | 2207 | byte cookieType; |
wolfSSL | 15:117db924cf7c | 2208 | byte macSz; |
wolfSSL | 15:117db924cf7c | 2209 | |
wolfSSL | 15:117db924cf7c | 2210 | #if !defined(NO_SHA) && defined(NO_SHA256) |
wolfSSL | 15:117db924cf7c | 2211 | cookieType = SHA; |
wolfSSL | 15:117db924cf7c | 2212 | macSz = WC_SHA_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 2213 | #endif /* NO_SHA */ |
wolfSSL | 15:117db924cf7c | 2214 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 2215 | cookieType = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 2216 | macSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 2217 | #endif /* NO_SHA256 */ |
wolfSSL | 15:117db924cf7c | 2218 | |
wolfSSL | 15:117db924cf7c | 2219 | ret = wc_HmacSetKey(&cookieHmac, cookieType, |
wolfSSL | 15:117db924cf7c | 2220 | ssl->buffers.tls13CookieSecret.buffer, |
wolfSSL | 15:117db924cf7c | 2221 | ssl->buffers.tls13CookieSecret.length); |
wolfSSL | 15:117db924cf7c | 2222 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2223 | return ret; |
wolfSSL | 15:117db924cf7c | 2224 | if ((ret = wc_HmacUpdate(&cookieHmac, hash, hashSz)) != 0) |
wolfSSL | 15:117db924cf7c | 2225 | return ret; |
wolfSSL | 15:117db924cf7c | 2226 | if ((ret = wc_HmacFinal(&cookieHmac, mac)) != 0) |
wolfSSL | 15:117db924cf7c | 2227 | return ret; |
wolfSSL | 15:117db924cf7c | 2228 | |
wolfSSL | 15:117db924cf7c | 2229 | /* The cookie data is the hash and the integrity check. */ |
wolfSSL | 15:117db924cf7c | 2230 | return TLSX_Cookie_Use(ssl, hash, hashSz, mac, macSz, 1); |
wolfSSL | 15:117db924cf7c | 2231 | } |
wolfSSL | 15:117db924cf7c | 2232 | #endif |
wolfSSL | 15:117db924cf7c | 2233 | |
wolfSSL | 15:117db924cf7c | 2234 | /* Restart the Hanshake hash with a hash of the previous messages. |
wolfSSL | 15:117db924cf7c | 2235 | * |
wolfSSL | 15:117db924cf7c | 2236 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2237 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 2238 | */ |
wolfSSL | 15:117db924cf7c | 2239 | static int RestartHandshakeHash(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 2240 | { |
wolfSSL | 15:117db924cf7c | 2241 | int ret; |
wolfSSL | 15:117db924cf7c | 2242 | Hashes hashes; |
wolfSSL | 15:117db924cf7c | 2243 | byte header[HANDSHAKE_HEADER_SZ]; |
wolfSSL | 15:117db924cf7c | 2244 | byte* hash = NULL; |
wolfSSL | 15:117db924cf7c | 2245 | byte hashSz = 0; |
wolfSSL | 15:117db924cf7c | 2246 | |
wolfSSL | 15:117db924cf7c | 2247 | ret = BuildCertHashes(ssl, &hashes); |
wolfSSL | 15:117db924cf7c | 2248 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2249 | return ret; |
wolfSSL | 15:117db924cf7c | 2250 | switch (ssl->specs.mac_algorithm) { |
wolfSSL | 15:117db924cf7c | 2251 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 2252 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 2253 | hash = hashes.sha256; |
wolfSSL | 15:117db924cf7c | 2254 | break; |
wolfSSL | 15:117db924cf7c | 2255 | #endif |
wolfSSL | 15:117db924cf7c | 2256 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 2257 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 2258 | hash = hashes.sha384; |
wolfSSL | 15:117db924cf7c | 2259 | break; |
wolfSSL | 15:117db924cf7c | 2260 | #endif |
wolfSSL | 15:117db924cf7c | 2261 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 2262 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 2263 | hash = hashes.sha512; |
wolfSSL | 15:117db924cf7c | 2264 | break; |
wolfSSL | 15:117db924cf7c | 2265 | #endif |
wolfSSL | 15:117db924cf7c | 2266 | } |
wolfSSL | 15:117db924cf7c | 2267 | hashSz = ssl->specs.hash_size; |
wolfSSL | 15:117db924cf7c | 2268 | AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl); |
wolfSSL | 15:117db924cf7c | 2269 | |
wolfSSL | 15:117db924cf7c | 2270 | WOLFSSL_MSG("Restart Hash"); |
wolfSSL | 15:117db924cf7c | 2271 | WOLFSSL_BUFFER(hash, hashSz); |
wolfSSL | 15:117db924cf7c | 2272 | |
wolfSSL | 15:117db924cf7c | 2273 | #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER) |
wolfSSL | 15:117db924cf7c | 2274 | if (ssl->options.sendCookie) { |
wolfSSL | 15:117db924cf7c | 2275 | byte cookie[OPAQUE8_LEN + WC_MAX_DIGEST_SIZE + OPAQUE16_LEN * 2]; |
wolfSSL | 15:117db924cf7c | 2276 | TLSX* ext; |
wolfSSL | 15:117db924cf7c | 2277 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 2278 | |
wolfSSL | 15:117db924cf7c | 2279 | /* Cookie Data = Hash Len | Hash | CS | KeyShare Group */ |
wolfSSL | 15:117db924cf7c | 2280 | cookie[idx++] = hashSz; |
wolfSSL | 15:117db924cf7c | 2281 | XMEMCPY(cookie + idx, hash, hashSz); |
wolfSSL | 15:117db924cf7c | 2282 | idx += hashSz; |
wolfSSL | 15:117db924cf7c | 2283 | cookie[idx++] = ssl->options.cipherSuite0; |
wolfSSL | 15:117db924cf7c | 2284 | cookie[idx++] = ssl->options.cipherSuite; |
wolfSSL | 15:117db924cf7c | 2285 | if ((ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE)) != NULL) { |
wolfSSL | 15:117db924cf7c | 2286 | KeyShareEntry* kse = (KeyShareEntry*)ext->data; |
wolfSSL | 15:117db924cf7c | 2287 | c16toa(kse->group, cookie + idx); |
wolfSSL | 15:117db924cf7c | 2288 | idx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 2289 | } |
wolfSSL | 15:117db924cf7c | 2290 | return CreateCookie(ssl, cookie, idx); |
wolfSSL | 15:117db924cf7c | 2291 | } |
wolfSSL | 15:117db924cf7c | 2292 | #endif |
wolfSSL | 15:117db924cf7c | 2293 | |
wolfSSL | 15:117db924cf7c | 2294 | ret = InitHandshakeHashes(ssl); |
wolfSSL | 15:117db924cf7c | 2295 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2296 | return ret; |
wolfSSL | 15:117db924cf7c | 2297 | ret = HashOutputRaw(ssl, header, sizeof(header)); |
wolfSSL | 15:117db924cf7c | 2298 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2299 | return ret; |
wolfSSL | 15:117db924cf7c | 2300 | return HashOutputRaw(ssl, hash, hashSz); |
wolfSSL | 15:117db924cf7c | 2301 | } |
wolfSSL | 15:117db924cf7c | 2302 | |
wolfSSL | 15:117db924cf7c | 2303 | /* The value in the random field of a ServerHello to indicate |
wolfSSL | 15:117db924cf7c | 2304 | * HelloRetryRequest. |
wolfSSL | 15:117db924cf7c | 2305 | */ |
wolfSSL | 15:117db924cf7c | 2306 | static byte helloRetryRequestRandom[] = { |
wolfSSL | 15:117db924cf7c | 2307 | 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, |
wolfSSL | 15:117db924cf7c | 2308 | 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, |
wolfSSL | 15:117db924cf7c | 2309 | 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, |
wolfSSL | 15:117db924cf7c | 2310 | 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C |
wolfSSL | 15:117db924cf7c | 2311 | }; |
wolfSSL | 15:117db924cf7c | 2312 | #endif /* WOLFSSL_TLS13_DRAFT_18 */ |
wolfSSL | 15:117db924cf7c | 2313 | |
wolfSSL | 15:117db924cf7c | 2314 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 2315 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 2316 | /* Setup pre-shared key based on the details in the extension data. |
wolfSSL | 15:117db924cf7c | 2317 | * |
wolfSSL | 15:117db924cf7c | 2318 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2319 | * psk Pre-shared key extension data. |
wolfSSL | 15:117db924cf7c | 2320 | * returns 0 on success, PSK_KEY_ERROR when the client PSK callback fails and |
wolfSSL | 15:117db924cf7c | 2321 | * other negative value on failure. |
wolfSSL | 15:117db924cf7c | 2322 | */ |
wolfSSL | 15:117db924cf7c | 2323 | static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk) |
wolfSSL | 15:117db924cf7c | 2324 | { |
wolfSSL | 15:117db924cf7c | 2325 | int ret; |
wolfSSL | 15:117db924cf7c | 2326 | byte suite[2]; |
wolfSSL | 15:117db924cf7c | 2327 | |
wolfSSL | 15:117db924cf7c | 2328 | if (ssl->options.noPskDheKe && ssl->arrays->preMasterSz != 0) |
wolfSSL | 15:117db924cf7c | 2329 | return PSK_KEY_ERROR; |
wolfSSL | 15:117db924cf7c | 2330 | |
wolfSSL | 15:117db924cf7c | 2331 | suite[0] = psk->cipherSuite0; |
wolfSSL | 15:117db924cf7c | 2332 | suite[1] = psk->cipherSuite; |
wolfSSL | 15:117db924cf7c | 2333 | if (!FindSuite(ssl, suite)) |
wolfSSL | 15:117db924cf7c | 2334 | return PSK_KEY_ERROR; |
wolfSSL | 15:117db924cf7c | 2335 | |
wolfSSL | 15:117db924cf7c | 2336 | ssl->options.cipherSuite0 = psk->cipherSuite0; |
wolfSSL | 15:117db924cf7c | 2337 | ssl->options.cipherSuite = psk->cipherSuite; |
wolfSSL | 15:117db924cf7c | 2338 | if ((ret = SetCipherSpecs(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 2339 | return ret; |
wolfSSL | 15:117db924cf7c | 2340 | |
wolfSSL | 15:117db924cf7c | 2341 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 2342 | if (psk->resumption) { |
wolfSSL | 15:117db924cf7c | 2343 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 2344 | if (ssl->session.maxEarlyDataSz == 0) |
wolfSSL | 15:117db924cf7c | 2345 | ssl->earlyData = no_early_data; |
wolfSSL | 15:117db924cf7c | 2346 | #endif |
wolfSSL | 15:117db924cf7c | 2347 | /* Resumption PSK is master secret. */ |
wolfSSL | 15:117db924cf7c | 2348 | ssl->arrays->psk_keySz = ssl->specs.hash_size; |
wolfSSL | 15:117db924cf7c | 2349 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2350 | XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret, |
wolfSSL | 15:117db924cf7c | 2351 | ssl->arrays->psk_keySz); |
wolfSSL | 15:117db924cf7c | 2352 | #else |
wolfSSL | 15:117db924cf7c | 2353 | if ((ret = DeriveResumptionPSK(ssl, ssl->session.ticketNonce.data, |
wolfSSL | 15:117db924cf7c | 2354 | ssl->session.ticketNonce.len, ssl->arrays->psk_key)) != 0) { |
wolfSSL | 15:117db924cf7c | 2355 | return ret; |
wolfSSL | 15:117db924cf7c | 2356 | } |
wolfSSL | 15:117db924cf7c | 2357 | #endif |
wolfSSL | 15:117db924cf7c | 2358 | } |
wolfSSL | 15:117db924cf7c | 2359 | #endif |
wolfSSL | 15:117db924cf7c | 2360 | #ifndef NO_PSK |
wolfSSL | 15:117db924cf7c | 2361 | if (!psk->resumption) { |
wolfSSL | 15:117db924cf7c | 2362 | /* Get the pre-shared key. */ |
wolfSSL | 15:117db924cf7c | 2363 | ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl, |
wolfSSL | 15:117db924cf7c | 2364 | (char *)psk->identity, ssl->arrays->client_identity, |
wolfSSL | 15:117db924cf7c | 2365 | MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); |
wolfSSL | 15:117db924cf7c | 2366 | if (ssl->arrays->psk_keySz == 0 || |
wolfSSL | 15:117db924cf7c | 2367 | ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { |
wolfSSL | 15:117db924cf7c | 2368 | return PSK_KEY_ERROR; |
wolfSSL | 15:117db924cf7c | 2369 | } |
wolfSSL | 15:117db924cf7c | 2370 | /* TODO: Callback should be able to specify ciphersuite. */ |
wolfSSL | 15:117db924cf7c | 2371 | |
wolfSSL | 15:117db924cf7c | 2372 | if (psk->cipherSuite0 != TLS13_BYTE || |
wolfSSL | 15:117db924cf7c | 2373 | psk->cipherSuite != WOLFSSL_DEF_PSK_CIPHER) { |
wolfSSL | 15:117db924cf7c | 2374 | return PSK_KEY_ERROR; |
wolfSSL | 15:117db924cf7c | 2375 | } |
wolfSSL | 15:117db924cf7c | 2376 | } |
wolfSSL | 15:117db924cf7c | 2377 | #endif |
wolfSSL | 15:117db924cf7c | 2378 | |
wolfSSL | 15:117db924cf7c | 2379 | /* Derive the early secret using the PSK. */ |
wolfSSL | 15:117db924cf7c | 2380 | return DeriveEarlySecret(ssl); |
wolfSSL | 15:117db924cf7c | 2381 | } |
wolfSSL | 15:117db924cf7c | 2382 | |
wolfSSL | 15:117db924cf7c | 2383 | /* Derive and write the binders into the ClientHello in space left when |
wolfSSL | 15:117db924cf7c | 2384 | * writing the Pre-Shared Key extension. |
wolfSSL | 15:117db924cf7c | 2385 | * |
wolfSSL | 15:117db924cf7c | 2386 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2387 | * output The buffer containing the ClientHello. |
wolfSSL | 15:117db924cf7c | 2388 | * idx The index at the end of the completed ClientHello. |
wolfSSL | 15:117db924cf7c | 2389 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 2390 | */ |
wolfSSL | 15:117db924cf7c | 2391 | static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx) |
wolfSSL | 15:117db924cf7c | 2392 | { |
wolfSSL | 15:117db924cf7c | 2393 | int ret; |
wolfSSL | 15:117db924cf7c | 2394 | TLSX* ext; |
wolfSSL | 15:117db924cf7c | 2395 | PreSharedKey* current; |
wolfSSL | 15:117db924cf7c | 2396 | byte binderKey[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 2397 | word16 len; |
wolfSSL | 15:117db924cf7c | 2398 | |
wolfSSL | 15:117db924cf7c | 2399 | WOLFSSL_ENTER("WritePSKBinders"); |
wolfSSL | 15:117db924cf7c | 2400 | |
wolfSSL | 15:117db924cf7c | 2401 | ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); |
wolfSSL | 15:117db924cf7c | 2402 | if (ext == NULL) |
wolfSSL | 15:117db924cf7c | 2403 | return SANITY_MSG_E; |
wolfSSL | 15:117db924cf7c | 2404 | |
wolfSSL | 15:117db924cf7c | 2405 | /* Get the size of the binders to determine where to write binders. */ |
wolfSSL | 15:117db924cf7c | 2406 | idx -= TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data, |
wolfSSL | 15:117db924cf7c | 2407 | client_hello); |
wolfSSL | 15:117db924cf7c | 2408 | |
wolfSSL | 15:117db924cf7c | 2409 | /* Hash truncated ClientHello - up to binders. */ |
wolfSSL | 15:117db924cf7c | 2410 | ret = HashOutput(ssl, output, idx, 0); |
wolfSSL | 15:117db924cf7c | 2411 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2412 | return ret; |
wolfSSL | 15:117db924cf7c | 2413 | |
wolfSSL | 15:117db924cf7c | 2414 | current = (PreSharedKey*)ext->data; |
wolfSSL | 15:117db924cf7c | 2415 | /* Calculate the binder for each identity based on previous handshake data. |
wolfSSL | 15:117db924cf7c | 2416 | */ |
wolfSSL | 15:117db924cf7c | 2417 | while (current != NULL) { |
wolfSSL | 15:117db924cf7c | 2418 | if ((ret = SetupPskKey(ssl, current)) != 0) |
wolfSSL | 15:117db924cf7c | 2419 | return ret; |
wolfSSL | 15:117db924cf7c | 2420 | |
wolfSSL | 15:117db924cf7c | 2421 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 2422 | if (current->resumption) |
wolfSSL | 15:117db924cf7c | 2423 | ret = DeriveBinderKeyResume(ssl, binderKey); |
wolfSSL | 15:117db924cf7c | 2424 | #endif |
wolfSSL | 15:117db924cf7c | 2425 | #ifndef NO_PSK |
wolfSSL | 15:117db924cf7c | 2426 | if (!current->resumption) |
wolfSSL | 15:117db924cf7c | 2427 | ret = DeriveBinderKey(ssl, binderKey); |
wolfSSL | 15:117db924cf7c | 2428 | #endif |
wolfSSL | 15:117db924cf7c | 2429 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2430 | return ret; |
wolfSSL | 15:117db924cf7c | 2431 | |
wolfSSL | 15:117db924cf7c | 2432 | /* Derive the Finished message secret. */ |
wolfSSL | 15:117db924cf7c | 2433 | ret = DeriveFinishedSecret(ssl, binderKey, |
wolfSSL | 15:117db924cf7c | 2434 | ssl->keys.client_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 2435 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2436 | return ret; |
wolfSSL | 15:117db924cf7c | 2437 | |
wolfSSL | 15:117db924cf7c | 2438 | /* Build the HMAC of the handshake message data = binder. */ |
wolfSSL | 15:117db924cf7c | 2439 | ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, |
wolfSSL | 15:117db924cf7c | 2440 | current->binder, ¤t->binderLen); |
wolfSSL | 15:117db924cf7c | 2441 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2442 | return ret; |
wolfSSL | 15:117db924cf7c | 2443 | |
wolfSSL | 15:117db924cf7c | 2444 | current = current->next; |
wolfSSL | 15:117db924cf7c | 2445 | } |
wolfSSL | 15:117db924cf7c | 2446 | |
wolfSSL | 15:117db924cf7c | 2447 | /* Data entered into extension, now write to message. */ |
wolfSSL | 15:117db924cf7c | 2448 | len = TLSX_PreSharedKey_WriteBinders((PreSharedKey*)ext->data, output + idx, |
wolfSSL | 15:117db924cf7c | 2449 | client_hello); |
wolfSSL | 15:117db924cf7c | 2450 | |
wolfSSL | 15:117db924cf7c | 2451 | /* Hash binders to complete the hash of the ClientHello. */ |
wolfSSL | 15:117db924cf7c | 2452 | ret = HashOutputRaw(ssl, output + idx, len); |
wolfSSL | 15:117db924cf7c | 2453 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 2454 | return ret; |
wolfSSL | 15:117db924cf7c | 2455 | |
wolfSSL | 15:117db924cf7c | 2456 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 2457 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 2458 | if ((ret = SetupPskKey(ssl, (PreSharedKey*)ext->data)) != 0) |
wolfSSL | 15:117db924cf7c | 2459 | return ret; |
wolfSSL | 15:117db924cf7c | 2460 | |
wolfSSL | 15:117db924cf7c | 2461 | /* Derive early data encryption key. */ |
wolfSSL | 15:117db924cf7c | 2462 | ret = DeriveTls13Keys(ssl, early_data_key, ENCRYPT_SIDE_ONLY, 1); |
wolfSSL | 15:117db924cf7c | 2463 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2464 | return ret; |
wolfSSL | 15:117db924cf7c | 2465 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 2466 | return ret; |
wolfSSL | 15:117db924cf7c | 2467 | } |
wolfSSL | 15:117db924cf7c | 2468 | #endif |
wolfSSL | 15:117db924cf7c | 2469 | |
wolfSSL | 15:117db924cf7c | 2470 | WOLFSSL_LEAVE("WritePSKBinders", ret); |
wolfSSL | 15:117db924cf7c | 2471 | |
wolfSSL | 15:117db924cf7c | 2472 | return ret; |
wolfSSL | 15:117db924cf7c | 2473 | } |
wolfSSL | 15:117db924cf7c | 2474 | #endif |
wolfSSL | 15:117db924cf7c | 2475 | |
wolfSSL | 15:117db924cf7c | 2476 | /* handle generation of TLS 1.3 client_hello (1) */ |
wolfSSL | 15:117db924cf7c | 2477 | /* Send a ClientHello message to the server. |
wolfSSL | 15:117db924cf7c | 2478 | * Include the information required to start a handshake with servers using |
wolfSSL | 15:117db924cf7c | 2479 | * protocol versions less than TLS v1.3. |
wolfSSL | 15:117db924cf7c | 2480 | * Only a client will send this message. |
wolfSSL | 15:117db924cf7c | 2481 | * |
wolfSSL | 15:117db924cf7c | 2482 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2483 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 2484 | */ |
wolfSSL | 15:117db924cf7c | 2485 | int SendTls13ClientHello(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 2486 | { |
wolfSSL | 15:117db924cf7c | 2487 | byte* output; |
wolfSSL | 15:117db924cf7c | 2488 | word16 length; |
wolfSSL | 15:117db924cf7c | 2489 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 2490 | int sendSz; |
wolfSSL | 15:117db924cf7c | 2491 | int ret; |
wolfSSL | 15:117db924cf7c | 2492 | |
wolfSSL | 15:117db924cf7c | 2493 | WOLFSSL_START(WC_FUNC_CLIENT_HELLO_SEND); |
wolfSSL | 15:117db924cf7c | 2494 | WOLFSSL_ENTER("SendTls13ClientHello"); |
wolfSSL | 15:117db924cf7c | 2495 | |
wolfSSL | 15:117db924cf7c | 2496 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 2497 | if (ssl->options.resuming && |
wolfSSL | 15:117db924cf7c | 2498 | (ssl->session.version.major != ssl->version.major || |
wolfSSL | 15:117db924cf7c | 2499 | ssl->session.version.minor != ssl->version.minor)) { |
wolfSSL | 15:117db924cf7c | 2500 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 2501 | if (ssl->session.version.major == ssl->version.major && |
wolfSSL | 15:117db924cf7c | 2502 | ssl->session.version.minor < ssl->version.minor) { |
wolfSSL | 15:117db924cf7c | 2503 | /* Cannot resume with a different protocol version. */ |
wolfSSL | 15:117db924cf7c | 2504 | ssl->options.resuming = 0; |
wolfSSL | 15:117db924cf7c | 2505 | ssl->version.major = ssl->session.version.major; |
wolfSSL | 15:117db924cf7c | 2506 | ssl->version.minor = ssl->session.version.minor; |
wolfSSL | 15:117db924cf7c | 2507 | return SendClientHello(ssl); |
wolfSSL | 15:117db924cf7c | 2508 | } |
wolfSSL | 15:117db924cf7c | 2509 | else |
wolfSSL | 15:117db924cf7c | 2510 | #endif |
wolfSSL | 15:117db924cf7c | 2511 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 2512 | } |
wolfSSL | 15:117db924cf7c | 2513 | #endif |
wolfSSL | 15:117db924cf7c | 2514 | |
wolfSSL | 15:117db924cf7c | 2515 | if (ssl->suites == NULL) { |
wolfSSL | 15:117db924cf7c | 2516 | WOLFSSL_MSG("Bad suites pointer in SendTls13ClientHello"); |
wolfSSL | 15:117db924cf7c | 2517 | return SUITES_ERROR; |
wolfSSL | 15:117db924cf7c | 2518 | } |
wolfSSL | 15:117db924cf7c | 2519 | |
wolfSSL | 15:117db924cf7c | 2520 | /* Version | Random | Session Id | Cipher Suites | Compression */ |
wolfSSL | 15:117db924cf7c | 2521 | length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->suites->suiteSz + |
wolfSSL | 15:117db924cf7c | 2522 | SUITE_LEN + COMP_LEN + ENUM_LEN; |
wolfSSL | 15:117db924cf7c | 2523 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2524 | #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) |
wolfSSL | 15:117db924cf7c | 2525 | length += ID_LEN; |
wolfSSL | 15:117db924cf7c | 2526 | #else |
wolfSSL | 15:117db924cf7c | 2527 | if (ssl->session.sessionIDSz > 0) |
wolfSSL | 15:117db924cf7c | 2528 | length += ssl->session.sessionIDSz; |
wolfSSL | 15:117db924cf7c | 2529 | #endif |
wolfSSL | 15:117db924cf7c | 2530 | #endif |
wolfSSL | 15:117db924cf7c | 2531 | |
wolfSSL | 15:117db924cf7c | 2532 | /* Auto populate extensions supported unless user defined. */ |
wolfSSL | 15:117db924cf7c | 2533 | if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0) |
wolfSSL | 15:117db924cf7c | 2534 | return ret; |
wolfSSL | 15:117db924cf7c | 2535 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 2536 | #ifndef NO_PSK |
wolfSSL | 15:117db924cf7c | 2537 | if (!ssl->options.resuming && ssl->options.client_psk_cb == NULL) |
wolfSSL | 15:117db924cf7c | 2538 | #else |
wolfSSL | 15:117db924cf7c | 2539 | if (!ssl->options.resuming) |
wolfSSL | 15:117db924cf7c | 2540 | #endif |
wolfSSL | 15:117db924cf7c | 2541 | ssl->earlyData = no_early_data; |
wolfSSL | 15:117db924cf7c | 2542 | if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) |
wolfSSL | 15:117db924cf7c | 2543 | ssl->earlyData = no_early_data; |
wolfSSL | 15:117db924cf7c | 2544 | if (ssl->earlyData == no_early_data) |
wolfSSL | 15:117db924cf7c | 2545 | TLSX_Remove(&ssl->extensions, TLSX_EARLY_DATA, ssl->heap); |
wolfSSL | 15:117db924cf7c | 2546 | if (ssl->earlyData != no_early_data && |
wolfSSL | 15:117db924cf7c | 2547 | (ret = TLSX_EarlyData_Use(ssl, 0)) < 0) { |
wolfSSL | 15:117db924cf7c | 2548 | return ret; |
wolfSSL | 15:117db924cf7c | 2549 | } |
wolfSSL | 15:117db924cf7c | 2550 | #endif |
wolfSSL | 15:117db924cf7c | 2551 | #ifdef HAVE_QSH |
wolfSSL | 15:117db924cf7c | 2552 | if (QSH_Init(ssl) != 0) |
wolfSSL | 15:117db924cf7c | 2553 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 2554 | #endif |
wolfSSL | 15:117db924cf7c | 2555 | /* Include length of TLS extensions. */ |
wolfSSL | 15:117db924cf7c | 2556 | ret = TLSX_GetRequestSize(ssl, client_hello, &length); |
wolfSSL | 15:117db924cf7c | 2557 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2558 | return ret; |
wolfSSL | 15:117db924cf7c | 2559 | |
wolfSSL | 15:117db924cf7c | 2560 | /* Total message size. */ |
wolfSSL | 15:117db924cf7c | 2561 | sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 2562 | |
wolfSSL | 15:117db924cf7c | 2563 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 2564 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 2565 | return ret; |
wolfSSL | 15:117db924cf7c | 2566 | |
wolfSSL | 15:117db924cf7c | 2567 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 2568 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 2569 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 2570 | |
wolfSSL | 15:117db924cf7c | 2571 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 2572 | AddTls13Headers(output, length, client_hello, ssl); |
wolfSSL | 15:117db924cf7c | 2573 | |
wolfSSL | 15:117db924cf7c | 2574 | /* Protocol version - negotiation now in extension: supported_versions. */ |
wolfSSL | 15:117db924cf7c | 2575 | output[idx++] = SSLv3_MAJOR; |
wolfSSL | 15:117db924cf7c | 2576 | output[idx++] = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 2577 | /* Keep for downgrade. */ |
wolfSSL | 15:117db924cf7c | 2578 | ssl->chVersion = ssl->version; |
wolfSSL | 15:117db924cf7c | 2579 | |
wolfSSL | 15:117db924cf7c | 2580 | /* Client Random */ |
wolfSSL | 15:117db924cf7c | 2581 | if (ssl->options.connectState == CONNECT_BEGIN) { |
wolfSSL | 15:117db924cf7c | 2582 | ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 2583 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2584 | return ret; |
wolfSSL | 15:117db924cf7c | 2585 | |
wolfSSL | 15:117db924cf7c | 2586 | /* Store random for possible second ClientHello. */ |
wolfSSL | 15:117db924cf7c | 2587 | XMEMCPY(ssl->arrays->clientRandom, output + idx, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 2588 | } |
wolfSSL | 15:117db924cf7c | 2589 | else |
wolfSSL | 15:117db924cf7c | 2590 | XMEMCPY(output + idx, ssl->arrays->clientRandom, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 2591 | idx += RAN_LEN; |
wolfSSL | 15:117db924cf7c | 2592 | |
wolfSSL | 15:117db924cf7c | 2593 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2594 | /* TLS v1.3 does not use session id - 0 length. */ |
wolfSSL | 15:117db924cf7c | 2595 | output[idx++] = 0; |
wolfSSL | 15:117db924cf7c | 2596 | #else |
wolfSSL | 15:117db924cf7c | 2597 | if (ssl->session.sessionIDSz > 0) { |
wolfSSL | 15:117db924cf7c | 2598 | /* Session resumption for old versions of protocol. */ |
wolfSSL | 15:117db924cf7c | 2599 | output[idx++] = ID_LEN; |
wolfSSL | 15:117db924cf7c | 2600 | XMEMCPY(output + idx, ssl->session.sessionID, ssl->session.sessionIDSz); |
wolfSSL | 15:117db924cf7c | 2601 | idx += ID_LEN; |
wolfSSL | 15:117db924cf7c | 2602 | } |
wolfSSL | 15:117db924cf7c | 2603 | else { |
wolfSSL | 15:117db924cf7c | 2604 | #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT |
wolfSSL | 15:117db924cf7c | 2605 | output[idx++] = ID_LEN; |
wolfSSL | 15:117db924cf7c | 2606 | XMEMCPY(output + idx, ssl->arrays->clientRandom, ID_LEN); |
wolfSSL | 15:117db924cf7c | 2607 | idx += ID_LEN; |
wolfSSL | 15:117db924cf7c | 2608 | #else |
wolfSSL | 15:117db924cf7c | 2609 | /* TLS v1.3 does not use session id - 0 length. */ |
wolfSSL | 15:117db924cf7c | 2610 | output[idx++] = 0; |
wolfSSL | 15:117db924cf7c | 2611 | #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */ |
wolfSSL | 15:117db924cf7c | 2612 | } |
wolfSSL | 15:117db924cf7c | 2613 | #endif /* WOLFSSL_TLS13_DRAFT_18 */ |
wolfSSL | 15:117db924cf7c | 2614 | |
wolfSSL | 15:117db924cf7c | 2615 | /* Cipher suites */ |
wolfSSL | 15:117db924cf7c | 2616 | c16toa(ssl->suites->suiteSz, output + idx); |
wolfSSL | 15:117db924cf7c | 2617 | idx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 2618 | XMEMCPY(output + idx, &ssl->suites->suites, ssl->suites->suiteSz); |
wolfSSL | 15:117db924cf7c | 2619 | idx += ssl->suites->suiteSz; |
wolfSSL | 15:117db924cf7c | 2620 | |
wolfSSL | 15:117db924cf7c | 2621 | /* Compression not supported in TLS v1.3. */ |
wolfSSL | 15:117db924cf7c | 2622 | output[idx++] = COMP_LEN; |
wolfSSL | 15:117db924cf7c | 2623 | output[idx++] = NO_COMPRESSION; |
wolfSSL | 15:117db924cf7c | 2624 | |
wolfSSL | 15:117db924cf7c | 2625 | /* Write out extensions for a request. */ |
wolfSSL | 15:117db924cf7c | 2626 | length = 0; |
wolfSSL | 15:117db924cf7c | 2627 | ret = TLSX_WriteRequest(ssl, output + idx, client_hello, &length); |
wolfSSL | 15:117db924cf7c | 2628 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2629 | return ret; |
wolfSSL | 15:117db924cf7c | 2630 | idx += length; |
wolfSSL | 15:117db924cf7c | 2631 | |
wolfSSL | 15:117db924cf7c | 2632 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 2633 | /* Resumption has a specific set of extensions and binder is calculated |
wolfSSL | 15:117db924cf7c | 2634 | * for each identity. |
wolfSSL | 15:117db924cf7c | 2635 | */ |
wolfSSL | 15:117db924cf7c | 2636 | if (TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY)) |
wolfSSL | 15:117db924cf7c | 2637 | ret = WritePSKBinders(ssl, output, idx); |
wolfSSL | 15:117db924cf7c | 2638 | else |
wolfSSL | 15:117db924cf7c | 2639 | #endif |
wolfSSL | 15:117db924cf7c | 2640 | ret = HashOutput(ssl, output, idx, 0); |
wolfSSL | 15:117db924cf7c | 2641 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2642 | return ret; |
wolfSSL | 15:117db924cf7c | 2643 | |
wolfSSL | 15:117db924cf7c | 2644 | ssl->options.clientState = CLIENT_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 2645 | |
wolfSSL | 15:117db924cf7c | 2646 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 2647 | if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello"); |
wolfSSL | 15:117db924cf7c | 2648 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 2649 | AddPacketInfo(ssl, "ClientHello", handshake, output, sendSz, |
wolfSSL | 15:117db924cf7c | 2650 | WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 2651 | } |
wolfSSL | 15:117db924cf7c | 2652 | #endif |
wolfSSL | 15:117db924cf7c | 2653 | |
wolfSSL | 15:117db924cf7c | 2654 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 2655 | |
wolfSSL | 15:117db924cf7c | 2656 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 2657 | |
wolfSSL | 15:117db924cf7c | 2658 | WOLFSSL_LEAVE("SendTls13ClientHello", ret); |
wolfSSL | 15:117db924cf7c | 2659 | WOLFSSL_END(WC_FUNC_CLIENT_HELLO_SEND); |
wolfSSL | 15:117db924cf7c | 2660 | |
wolfSSL | 15:117db924cf7c | 2661 | return ret; |
wolfSSL | 15:117db924cf7c | 2662 | } |
wolfSSL | 15:117db924cf7c | 2663 | |
wolfSSL | 15:117db924cf7c | 2664 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2665 | /* handle rocessing of TLS 1.3 hello_retry_request (6) */ |
wolfSSL | 15:117db924cf7c | 2666 | /* Parse and handle a HelloRetryRequest message. |
wolfSSL | 15:117db924cf7c | 2667 | * Only a client will receive this message. |
wolfSSL | 15:117db924cf7c | 2668 | * |
wolfSSL | 15:117db924cf7c | 2669 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2670 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 2671 | * inOutIdx On entry, the index into the message buffer of |
wolfSSL | 15:117db924cf7c | 2672 | * HelloRetryRequest. |
wolfSSL | 15:117db924cf7c | 2673 | * On exit, the index of byte after the HelloRetryRequest message. |
wolfSSL | 15:117db924cf7c | 2674 | * totalSz The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 2675 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 2676 | */ |
wolfSSL | 15:117db924cf7c | 2677 | static int DoTls13HelloRetryRequest(WOLFSSL* ssl, const byte* input, |
wolfSSL | 15:117db924cf7c | 2678 | word32* inOutIdx, word32 totalSz) |
wolfSSL | 15:117db924cf7c | 2679 | { |
wolfSSL | 15:117db924cf7c | 2680 | int ret; |
wolfSSL | 15:117db924cf7c | 2681 | word32 begin = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 2682 | word32 i = begin; |
wolfSSL | 15:117db924cf7c | 2683 | word16 totalExtSz; |
wolfSSL | 15:117db924cf7c | 2684 | ProtocolVersion pv; |
wolfSSL | 15:117db924cf7c | 2685 | |
wolfSSL | 15:117db924cf7c | 2686 | WOLFSSL_ENTER("DoTls13HelloRetryRequest"); |
wolfSSL | 15:117db924cf7c | 2687 | |
wolfSSL | 15:117db924cf7c | 2688 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 2689 | if (ssl->hsInfoOn) AddPacketName(ssl, "HelloRetryRequest"); |
wolfSSL | 15:117db924cf7c | 2690 | if (ssl->toInfoOn) AddLateName("HelloRetryRequest", &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 2691 | #endif |
wolfSSL | 15:117db924cf7c | 2692 | |
wolfSSL | 15:117db924cf7c | 2693 | /* Version info and length field of extension data. */ |
wolfSSL | 15:117db924cf7c | 2694 | if (totalSz < i - begin + OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN) |
wolfSSL | 15:117db924cf7c | 2695 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 2696 | |
wolfSSL | 15:117db924cf7c | 2697 | /* Protocol version. */ |
wolfSSL | 15:117db924cf7c | 2698 | XMEMCPY(&pv, input + i, OPAQUE16_LEN); |
wolfSSL | 15:117db924cf7c | 2699 | i += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 2700 | ret = CheckVersion(ssl, pv); |
wolfSSL | 15:117db924cf7c | 2701 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2702 | return ret; |
wolfSSL | 15:117db924cf7c | 2703 | |
wolfSSL | 15:117db924cf7c | 2704 | /* Length of extension data. */ |
wolfSSL | 15:117db924cf7c | 2705 | ato16(&input[i], &totalExtSz); |
wolfSSL | 15:117db924cf7c | 2706 | i += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 2707 | if (totalExtSz == 0) { |
wolfSSL | 15:117db924cf7c | 2708 | WOLFSSL_MSG("HelloRetryRequest must contain extensions"); |
wolfSSL | 15:117db924cf7c | 2709 | return MISSING_HANDSHAKE_DATA; |
wolfSSL | 15:117db924cf7c | 2710 | } |
wolfSSL | 15:117db924cf7c | 2711 | |
wolfSSL | 15:117db924cf7c | 2712 | /* Extension data. */ |
wolfSSL | 15:117db924cf7c | 2713 | if (i - begin + totalExtSz > totalSz) |
wolfSSL | 15:117db924cf7c | 2714 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 2715 | if ((ret = TLSX_Parse(ssl, (byte *)(input + i), totalExtSz, |
wolfSSL | 15:117db924cf7c | 2716 | hello_retry_request, NULL)) != 0) |
wolfSSL | 15:117db924cf7c | 2717 | return ret; |
wolfSSL | 15:117db924cf7c | 2718 | /* The KeyShare extension parsing fails when not valid. */ |
wolfSSL | 15:117db924cf7c | 2719 | |
wolfSSL | 15:117db924cf7c | 2720 | /* Move index to byte after message. */ |
wolfSSL | 15:117db924cf7c | 2721 | *inOutIdx = i + totalExtSz; |
wolfSSL | 15:117db924cf7c | 2722 | |
wolfSSL | 15:117db924cf7c | 2723 | ssl->options.tls1_3 = 1; |
wolfSSL | 15:117db924cf7c | 2724 | ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE; |
wolfSSL | 15:117db924cf7c | 2725 | |
wolfSSL | 15:117db924cf7c | 2726 | WOLFSSL_LEAVE("DoTls13HelloRetryRequest", ret); |
wolfSSL | 15:117db924cf7c | 2727 | |
wolfSSL | 15:117db924cf7c | 2728 | return ret; |
wolfSSL | 15:117db924cf7c | 2729 | } |
wolfSSL | 15:117db924cf7c | 2730 | #endif |
wolfSSL | 15:117db924cf7c | 2731 | |
wolfSSL | 15:117db924cf7c | 2732 | |
wolfSSL | 15:117db924cf7c | 2733 | /* handle processing of TLS 1.3 server_hello (2) and hello_retry_request (6) */ |
wolfSSL | 15:117db924cf7c | 2734 | /* Handle the ServerHello message from the server. |
wolfSSL | 15:117db924cf7c | 2735 | * Only a client will receive this message. |
wolfSSL | 15:117db924cf7c | 2736 | * |
wolfSSL | 15:117db924cf7c | 2737 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2738 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 2739 | * inOutIdx On entry, the index into the message buffer of ServerHello. |
wolfSSL | 15:117db924cf7c | 2740 | * On exit, the index of byte after the ServerHello message. |
wolfSSL | 15:117db924cf7c | 2741 | * helloSz The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 2742 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 2743 | */ |
wolfSSL | 15:117db924cf7c | 2744 | int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 2745 | word32 helloSz, byte* extMsgType) |
wolfSSL | 15:117db924cf7c | 2746 | { |
wolfSSL | 15:117db924cf7c | 2747 | ProtocolVersion pv; |
wolfSSL | 15:117db924cf7c | 2748 | word32 i = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 2749 | word32 begin = i; |
wolfSSL | 15:117db924cf7c | 2750 | int ret; |
wolfSSL | 15:117db924cf7c | 2751 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2752 | byte sessIdSz; |
wolfSSL | 15:117db924cf7c | 2753 | const byte* sessId; |
wolfSSL | 15:117db924cf7c | 2754 | byte b; |
wolfSSL | 15:117db924cf7c | 2755 | #endif |
wolfSSL | 15:117db924cf7c | 2756 | word16 totalExtSz; |
wolfSSL | 15:117db924cf7c | 2757 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 2758 | TLSX* ext; |
wolfSSL | 15:117db924cf7c | 2759 | PreSharedKey* psk = NULL; |
wolfSSL | 15:117db924cf7c | 2760 | #endif |
wolfSSL | 15:117db924cf7c | 2761 | |
wolfSSL | 15:117db924cf7c | 2762 | WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO); |
wolfSSL | 15:117db924cf7c | 2763 | WOLFSSL_ENTER("DoTls13ServerHello"); |
wolfSSL | 15:117db924cf7c | 2764 | |
wolfSSL | 15:117db924cf7c | 2765 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 2766 | if (ssl->hsInfoOn) AddPacketName(ssl, "ServerHello"); |
wolfSSL | 15:117db924cf7c | 2767 | if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 2768 | #endif |
wolfSSL | 15:117db924cf7c | 2769 | |
wolfSSL | 15:117db924cf7c | 2770 | /* Protocol version length check. */ |
wolfSSL | 15:117db924cf7c | 2771 | if (OPAQUE16_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 2772 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 2773 | |
wolfSSL | 15:117db924cf7c | 2774 | /* Protocol version */ |
wolfSSL | 15:117db924cf7c | 2775 | XMEMCPY(&pv, input + i, OPAQUE16_LEN); |
wolfSSL | 15:117db924cf7c | 2776 | i += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 2777 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2778 | ret = CheckVersion(ssl, pv); |
wolfSSL | 15:117db924cf7c | 2779 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2780 | return ret; |
wolfSSL | 15:117db924cf7c | 2781 | if (!IsAtLeastTLSv1_3(pv) && pv.major != TLS_DRAFT_MAJOR) { |
wolfSSL | 15:117db924cf7c | 2782 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 2783 | if (ssl->options.downgrade) { |
wolfSSL | 15:117db924cf7c | 2784 | ssl->version = pv; |
wolfSSL | 15:117db924cf7c | 2785 | return DoServerHello(ssl, input, inOutIdx, helloSz); |
wolfSSL | 15:117db924cf7c | 2786 | } |
wolfSSL | 15:117db924cf7c | 2787 | #endif |
wolfSSL | 15:117db924cf7c | 2788 | |
wolfSSL | 15:117db924cf7c | 2789 | WOLFSSL_MSG("Client using higher version, fatal error"); |
wolfSSL | 15:117db924cf7c | 2790 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 2791 | } |
wolfSSL | 15:117db924cf7c | 2792 | #else |
wolfSSL | 15:117db924cf7c | 2793 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 2794 | if (pv.major == ssl->version.major && pv.minor < TLSv1_2_MINOR && |
wolfSSL | 15:117db924cf7c | 2795 | ssl->options.downgrade) { |
wolfSSL | 15:117db924cf7c | 2796 | /* Force client hello version 1.2 to work for static RSA. */ |
wolfSSL | 15:117db924cf7c | 2797 | ssl->chVersion.minor = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 2798 | ssl->version.minor = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 2799 | return DoServerHello(ssl, input, inOutIdx, helloSz); |
wolfSSL | 15:117db924cf7c | 2800 | } |
wolfSSL | 15:117db924cf7c | 2801 | #endif |
wolfSSL | 15:117db924cf7c | 2802 | if (pv.major != ssl->version.major || pv.minor != TLSv1_2_MINOR) |
wolfSSL | 15:117db924cf7c | 2803 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 2804 | #endif |
wolfSSL | 15:117db924cf7c | 2805 | |
wolfSSL | 15:117db924cf7c | 2806 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2807 | /* Random length check */ |
wolfSSL | 15:117db924cf7c | 2808 | if ((i - begin) + RAN_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 2809 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 2810 | #else |
wolfSSL | 15:117db924cf7c | 2811 | /* Random and session id length check */ |
wolfSSL | 15:117db924cf7c | 2812 | if ((i - begin) + RAN_LEN + ENUM_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 2813 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 2814 | |
wolfSSL | 15:117db924cf7c | 2815 | if (XMEMCMP(input + i, helloRetryRequestRandom, RAN_LEN) == 0) |
wolfSSL | 15:117db924cf7c | 2816 | *extMsgType = hello_retry_request; |
wolfSSL | 15:117db924cf7c | 2817 | #endif |
wolfSSL | 15:117db924cf7c | 2818 | |
wolfSSL | 15:117db924cf7c | 2819 | /* Server random - keep for debugging. */ |
wolfSSL | 15:117db924cf7c | 2820 | XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 2821 | i += RAN_LEN; |
wolfSSL | 15:117db924cf7c | 2822 | |
wolfSSL | 15:117db924cf7c | 2823 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2824 | /* Session id */ |
wolfSSL | 15:117db924cf7c | 2825 | sessIdSz = input[i++]; |
wolfSSL | 15:117db924cf7c | 2826 | if ((i - begin) + sessIdSz > helloSz) |
wolfSSL | 15:117db924cf7c | 2827 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 2828 | sessId = input + i; |
wolfSSL | 15:117db924cf7c | 2829 | i += sessIdSz; |
wolfSSL | 15:117db924cf7c | 2830 | #endif /* WOLFSSL_TLS13_DRAFT_18 */ |
wolfSSL | 15:117db924cf7c | 2831 | ssl->options.haveSessionId = 1; |
wolfSSL | 15:117db924cf7c | 2832 | |
wolfSSL | 15:117db924cf7c | 2833 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2834 | /* Ciphersuite check */ |
wolfSSL | 15:117db924cf7c | 2835 | if ((i - begin) + OPAQUE16_LEN + OPAQUE16_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 2836 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 2837 | #else |
wolfSSL | 15:117db924cf7c | 2838 | /* Ciphersuite and compression check */ |
wolfSSL | 15:117db924cf7c | 2839 | if ((i - begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 2840 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 2841 | #endif |
wolfSSL | 15:117db924cf7c | 2842 | |
wolfSSL | 15:117db924cf7c | 2843 | /* Set the cipher suite from the message. */ |
wolfSSL | 15:117db924cf7c | 2844 | ssl->options.cipherSuite0 = input[i++]; |
wolfSSL | 15:117db924cf7c | 2845 | ssl->options.cipherSuite = input[i++]; |
wolfSSL | 15:117db924cf7c | 2846 | |
wolfSSL | 15:117db924cf7c | 2847 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2848 | /* Compression */ |
wolfSSL | 15:117db924cf7c | 2849 | b = input[i++]; |
wolfSSL | 15:117db924cf7c | 2850 | if (b != 0) { |
wolfSSL | 15:117db924cf7c | 2851 | WOLFSSL_MSG("Must be no compression types in list"); |
wolfSSL | 15:117db924cf7c | 2852 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 2853 | } |
wolfSSL | 15:117db924cf7c | 2854 | #endif |
wolfSSL | 15:117db924cf7c | 2855 | |
wolfSSL | 15:117db924cf7c | 2856 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2857 | if ((i - begin) + OPAQUE16_LEN > helloSz) { |
wolfSSL | 15:117db924cf7c | 2858 | if (!ssl->options.downgrade) |
wolfSSL | 15:117db924cf7c | 2859 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 2860 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 2861 | ssl->version.minor = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 2862 | #endif |
wolfSSL | 15:117db924cf7c | 2863 | ssl->options.haveEMS = 0; |
wolfSSL | 15:117db924cf7c | 2864 | } |
wolfSSL | 15:117db924cf7c | 2865 | if ((i - begin) < helloSz) |
wolfSSL | 15:117db924cf7c | 2866 | #endif |
wolfSSL | 15:117db924cf7c | 2867 | { |
wolfSSL | 15:117db924cf7c | 2868 | /* Get extension length and length check. */ |
wolfSSL | 15:117db924cf7c | 2869 | if ((i - begin) + OPAQUE16_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 2870 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 2871 | ato16(&input[i], &totalExtSz); |
wolfSSL | 15:117db924cf7c | 2872 | i += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 2873 | if ((i - begin) + totalExtSz > helloSz) |
wolfSSL | 15:117db924cf7c | 2874 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 2875 | |
wolfSSL | 15:117db924cf7c | 2876 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2877 | if (ssl->options.downgrade) |
wolfSSL | 15:117db924cf7c | 2878 | ssl->version.minor = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 2879 | #endif |
wolfSSL | 15:117db924cf7c | 2880 | /* Parse and handle extensions. */ |
wolfSSL | 15:117db924cf7c | 2881 | ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz, *extMsgType, |
wolfSSL | 15:117db924cf7c | 2882 | NULL); |
wolfSSL | 15:117db924cf7c | 2883 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2884 | return ret; |
wolfSSL | 15:117db924cf7c | 2885 | |
wolfSSL | 15:117db924cf7c | 2886 | i += totalExtSz; |
wolfSSL | 15:117db924cf7c | 2887 | } |
wolfSSL | 15:117db924cf7c | 2888 | *inOutIdx = i; |
wolfSSL | 15:117db924cf7c | 2889 | |
wolfSSL | 15:117db924cf7c | 2890 | ssl->options.serverState = SERVER_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 2891 | |
wolfSSL | 15:117db924cf7c | 2892 | #ifdef HAVE_SECRET_CALLBACK |
wolfSSL | 15:117db924cf7c | 2893 | if (ssl->sessionSecretCb != NULL) { |
wolfSSL | 15:117db924cf7c | 2894 | int secretSz = SECRET_LEN; |
wolfSSL | 15:117db924cf7c | 2895 | ret = ssl->sessionSecretCb(ssl, ssl->session.masterSecret, |
wolfSSL | 15:117db924cf7c | 2896 | &secretSz, ssl->sessionSecretCtx); |
wolfSSL | 15:117db924cf7c | 2897 | if (ret != 0 || secretSz != SECRET_LEN) |
wolfSSL | 15:117db924cf7c | 2898 | return SESSION_SECRET_CB_E; |
wolfSSL | 15:117db924cf7c | 2899 | } |
wolfSSL | 15:117db924cf7c | 2900 | #endif /* HAVE_SECRET_CALLBACK */ |
wolfSSL | 15:117db924cf7c | 2901 | |
wolfSSL | 15:117db924cf7c | 2902 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2903 | /* Version only negotiated in extensions for TLS v1.3. |
wolfSSL | 15:117db924cf7c | 2904 | * Only now do we know how to deal with session id. |
wolfSSL | 15:117db924cf7c | 2905 | */ |
wolfSSL | 15:117db924cf7c | 2906 | if (!IsAtLeastTLSv1_3(ssl->version)) { |
wolfSSL | 15:117db924cf7c | 2907 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 2908 | ssl->arrays->sessionIDSz = sessIdSz; |
wolfSSL | 15:117db924cf7c | 2909 | |
wolfSSL | 15:117db924cf7c | 2910 | if (ssl->arrays->sessionIDSz > ID_LEN) { |
wolfSSL | 15:117db924cf7c | 2911 | WOLFSSL_MSG("Invalid session ID size"); |
wolfSSL | 15:117db924cf7c | 2912 | ssl->arrays->sessionIDSz = 0; |
wolfSSL | 15:117db924cf7c | 2913 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 2914 | } |
wolfSSL | 15:117db924cf7c | 2915 | else if (ssl->arrays->sessionIDSz) { |
wolfSSL | 15:117db924cf7c | 2916 | XMEMCPY(ssl->arrays->sessionID, sessId, ssl->arrays->sessionIDSz); |
wolfSSL | 15:117db924cf7c | 2917 | ssl->options.haveSessionId = 1; |
wolfSSL | 15:117db924cf7c | 2918 | } |
wolfSSL | 15:117db924cf7c | 2919 | |
wolfSSL | 15:117db924cf7c | 2920 | /* Force client hello version 1.2 to work for static RSA. */ |
wolfSSL | 15:117db924cf7c | 2921 | ssl->chVersion.minor = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 2922 | /* Complete TLS v1.2 processing of ServerHello. */ |
wolfSSL | 15:117db924cf7c | 2923 | ret = CompleteServerHello(ssl); |
wolfSSL | 15:117db924cf7c | 2924 | #else |
wolfSSL | 15:117db924cf7c | 2925 | WOLFSSL_MSG("Client using higher version, fatal error"); |
wolfSSL | 15:117db924cf7c | 2926 | ret = VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 2927 | #endif |
wolfSSL | 15:117db924cf7c | 2928 | |
wolfSSL | 15:117db924cf7c | 2929 | WOLFSSL_LEAVE("DoTls13ServerHello", ret); |
wolfSSL | 15:117db924cf7c | 2930 | |
wolfSSL | 15:117db924cf7c | 2931 | return ret; |
wolfSSL | 15:117db924cf7c | 2932 | } |
wolfSSL | 15:117db924cf7c | 2933 | |
wolfSSL | 15:117db924cf7c | 2934 | #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT |
wolfSSL | 15:117db924cf7c | 2935 | if (sessIdSz == 0) |
wolfSSL | 15:117db924cf7c | 2936 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 2937 | if (ssl->session.sessionIDSz != 0) { |
wolfSSL | 15:117db924cf7c | 2938 | if (ssl->session.sessionIDSz != sessIdSz || |
wolfSSL | 15:117db924cf7c | 2939 | XMEMCMP(ssl->session.sessionID, sessId, sessIdSz) != 0) { |
wolfSSL | 15:117db924cf7c | 2940 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 2941 | } |
wolfSSL | 15:117db924cf7c | 2942 | } |
wolfSSL | 15:117db924cf7c | 2943 | else if (XMEMCMP(ssl->arrays->clientRandom, sessId, sessIdSz) != 0) |
wolfSSL | 15:117db924cf7c | 2944 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 2945 | #else |
wolfSSL | 15:117db924cf7c | 2946 | if (sessIdSz != ssl->session.sessionIDSz || (sessIdSz > 0 && |
wolfSSL | 15:117db924cf7c | 2947 | XMEMCMP(ssl->session.sessionID, sessId, sessIdSz) != 0)) { |
wolfSSL | 15:117db924cf7c | 2948 | WOLFSSL_MSG("Server sent different session id"); |
wolfSSL | 15:117db924cf7c | 2949 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 2950 | } |
wolfSSL | 15:117db924cf7c | 2951 | #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */ |
wolfSSL | 15:117db924cf7c | 2952 | #endif |
wolfSSL | 15:117db924cf7c | 2953 | |
wolfSSL | 15:117db924cf7c | 2954 | ret = SetCipherSpecs(ssl); |
wolfSSL | 15:117db924cf7c | 2955 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2956 | return ret; |
wolfSSL | 15:117db924cf7c | 2957 | |
wolfSSL | 15:117db924cf7c | 2958 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 2959 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2960 | if (*extMsgType == server_hello) |
wolfSSL | 15:117db924cf7c | 2961 | #endif |
wolfSSL | 15:117db924cf7c | 2962 | { |
wolfSSL | 15:117db924cf7c | 2963 | ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); |
wolfSSL | 15:117db924cf7c | 2964 | if (ext != NULL) |
wolfSSL | 15:117db924cf7c | 2965 | psk = (PreSharedKey*)ext->data; |
wolfSSL | 15:117db924cf7c | 2966 | while (psk != NULL && !psk->chosen) |
wolfSSL | 15:117db924cf7c | 2967 | psk = psk->next; |
wolfSSL | 15:117db924cf7c | 2968 | if (psk == NULL) { |
wolfSSL | 15:117db924cf7c | 2969 | ssl->options.resuming = 0; |
wolfSSL | 15:117db924cf7c | 2970 | ssl->arrays->psk_keySz = 0; |
wolfSSL | 15:117db924cf7c | 2971 | XMEMSET(ssl->arrays->psk_key, 0, MAX_PSK_KEY_LEN); |
wolfSSL | 15:117db924cf7c | 2972 | } |
wolfSSL | 15:117db924cf7c | 2973 | else if ((ret = SetupPskKey(ssl, psk)) != 0) |
wolfSSL | 15:117db924cf7c | 2974 | return ret; |
wolfSSL | 15:117db924cf7c | 2975 | } |
wolfSSL | 15:117db924cf7c | 2976 | #endif |
wolfSSL | 15:117db924cf7c | 2977 | |
wolfSSL | 15:117db924cf7c | 2978 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2979 | ssl->keys.encryptionOn = 1; |
wolfSSL | 15:117db924cf7c | 2980 | #else |
wolfSSL | 15:117db924cf7c | 2981 | if (*extMsgType == server_hello) { |
wolfSSL | 15:117db924cf7c | 2982 | ssl->keys.encryptionOn = 1; |
wolfSSL | 15:117db924cf7c | 2983 | ssl->options.serverState = SERVER_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 2984 | } |
wolfSSL | 15:117db924cf7c | 2985 | else { |
wolfSSL | 15:117db924cf7c | 2986 | ssl->options.tls1_3 = 1; |
wolfSSL | 15:117db924cf7c | 2987 | ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE; |
wolfSSL | 15:117db924cf7c | 2988 | |
wolfSSL | 15:117db924cf7c | 2989 | ret = RestartHandshakeHash(ssl); |
wolfSSL | 15:117db924cf7c | 2990 | } |
wolfSSL | 15:117db924cf7c | 2991 | #endif |
wolfSSL | 15:117db924cf7c | 2992 | |
wolfSSL | 15:117db924cf7c | 2993 | WOLFSSL_LEAVE("DoTls13ServerHello", ret); |
wolfSSL | 15:117db924cf7c | 2994 | WOLFSSL_END(WC_FUNC_SERVER_HELLO_DO); |
wolfSSL | 15:117db924cf7c | 2995 | |
wolfSSL | 15:117db924cf7c | 2996 | return ret; |
wolfSSL | 15:117db924cf7c | 2997 | } |
wolfSSL | 15:117db924cf7c | 2998 | |
wolfSSL | 15:117db924cf7c | 2999 | /* handle processing TLS 1.3 encrypted_extensions (8) */ |
wolfSSL | 15:117db924cf7c | 3000 | /* Parse and handle an EncryptedExtensions message. |
wolfSSL | 15:117db924cf7c | 3001 | * Only a client will receive this message. |
wolfSSL | 15:117db924cf7c | 3002 | * |
wolfSSL | 15:117db924cf7c | 3003 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 3004 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 3005 | * inOutIdx On entry, the index into the message buffer of |
wolfSSL | 15:117db924cf7c | 3006 | * EncryptedExtensions. |
wolfSSL | 15:117db924cf7c | 3007 | * On exit, the index of byte after the EncryptedExtensions |
wolfSSL | 15:117db924cf7c | 3008 | * message. |
wolfSSL | 15:117db924cf7c | 3009 | * totalSz The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 3010 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 3011 | */ |
wolfSSL | 15:117db924cf7c | 3012 | static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input, |
wolfSSL | 15:117db924cf7c | 3013 | word32* inOutIdx, word32 totalSz) |
wolfSSL | 15:117db924cf7c | 3014 | { |
wolfSSL | 15:117db924cf7c | 3015 | int ret; |
wolfSSL | 15:117db924cf7c | 3016 | word32 begin = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 3017 | word32 i = begin; |
wolfSSL | 15:117db924cf7c | 3018 | word16 totalExtSz; |
wolfSSL | 15:117db924cf7c | 3019 | |
wolfSSL | 15:117db924cf7c | 3020 | WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_DO); |
wolfSSL | 15:117db924cf7c | 3021 | WOLFSSL_ENTER("DoTls13EncryptedExtensions"); |
wolfSSL | 15:117db924cf7c | 3022 | |
wolfSSL | 15:117db924cf7c | 3023 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 3024 | if (ssl->hsInfoOn) AddPacketName(ssl, "EncryptedExtensions"); |
wolfSSL | 15:117db924cf7c | 3025 | if (ssl->toInfoOn) AddLateName("EncryptedExtensions", &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 3026 | #endif |
wolfSSL | 15:117db924cf7c | 3027 | |
wolfSSL | 15:117db924cf7c | 3028 | /* Length field of extension data. */ |
wolfSSL | 15:117db924cf7c | 3029 | if (totalSz < i - begin + OPAQUE16_LEN) |
wolfSSL | 15:117db924cf7c | 3030 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3031 | ato16(&input[i], &totalExtSz); |
wolfSSL | 15:117db924cf7c | 3032 | i += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3033 | |
wolfSSL | 15:117db924cf7c | 3034 | /* Extension data. */ |
wolfSSL | 15:117db924cf7c | 3035 | if (i - begin + totalExtSz > totalSz) |
wolfSSL | 15:117db924cf7c | 3036 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3037 | if ((ret = TLSX_Parse(ssl, (byte *)(input + i), totalExtSz, |
wolfSSL | 15:117db924cf7c | 3038 | encrypted_extensions, NULL))) |
wolfSSL | 15:117db924cf7c | 3039 | return ret; |
wolfSSL | 15:117db924cf7c | 3040 | |
wolfSSL | 15:117db924cf7c | 3041 | /* Move index to byte after message. */ |
wolfSSL | 15:117db924cf7c | 3042 | *inOutIdx = i + totalExtSz; |
wolfSSL | 15:117db924cf7c | 3043 | |
wolfSSL | 15:117db924cf7c | 3044 | /* Always encrypted. */ |
wolfSSL | 15:117db924cf7c | 3045 | *inOutIdx += ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 3046 | |
wolfSSL | 15:117db924cf7c | 3047 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 3048 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 3049 | TLSX* ext = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA); |
wolfSSL | 15:117db924cf7c | 3050 | if (ext == NULL || !ext->val) |
wolfSSL | 15:117db924cf7c | 3051 | ssl->earlyData = no_early_data; |
wolfSSL | 15:117db924cf7c | 3052 | } |
wolfSSL | 15:117db924cf7c | 3053 | #endif |
wolfSSL | 15:117db924cf7c | 3054 | |
wolfSSL | 15:117db924cf7c | 3055 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 3056 | if (ssl->earlyData == no_early_data) { |
wolfSSL | 15:117db924cf7c | 3057 | ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY); |
wolfSSL | 15:117db924cf7c | 3058 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3059 | return ret; |
wolfSSL | 15:117db924cf7c | 3060 | } |
wolfSSL | 15:117db924cf7c | 3061 | #endif |
wolfSSL | 15:117db924cf7c | 3062 | |
wolfSSL | 15:117db924cf7c | 3063 | ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE; |
wolfSSL | 15:117db924cf7c | 3064 | |
wolfSSL | 15:117db924cf7c | 3065 | WOLFSSL_LEAVE("DoTls13EncryptedExtensions", ret); |
wolfSSL | 15:117db924cf7c | 3066 | WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_DO); |
wolfSSL | 15:117db924cf7c | 3067 | |
wolfSSL | 15:117db924cf7c | 3068 | return ret; |
wolfSSL | 15:117db924cf7c | 3069 | } |
wolfSSL | 15:117db924cf7c | 3070 | |
wolfSSL | 15:117db924cf7c | 3071 | /* handle processing TLS v1.3 certificate_request (13) */ |
wolfSSL | 15:117db924cf7c | 3072 | /* Handle a TLS v1.3 CertificateRequest message. |
wolfSSL | 15:117db924cf7c | 3073 | * This message is always encrypted. |
wolfSSL | 15:117db924cf7c | 3074 | * Only a client will receive this message. |
wolfSSL | 15:117db924cf7c | 3075 | * |
wolfSSL | 15:117db924cf7c | 3076 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 3077 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 3078 | * inOutIdx On entry, the index into the message buffer of CertificateRequest. |
wolfSSL | 15:117db924cf7c | 3079 | * On exit, the index of byte after the CertificateRequest message. |
wolfSSL | 15:117db924cf7c | 3080 | * size The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 3081 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 3082 | */ |
wolfSSL | 15:117db924cf7c | 3083 | static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input, |
wolfSSL | 15:117db924cf7c | 3084 | word32* inOutIdx, word32 size) |
wolfSSL | 15:117db924cf7c | 3085 | { |
wolfSSL | 15:117db924cf7c | 3086 | word16 len; |
wolfSSL | 15:117db924cf7c | 3087 | word32 begin = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 3088 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 3089 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3090 | Suites peerSuites; |
wolfSSL | 15:117db924cf7c | 3091 | #endif |
wolfSSL | 15:117db924cf7c | 3092 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 3093 | CertReqCtx* certReqCtx; |
wolfSSL | 15:117db924cf7c | 3094 | #endif |
wolfSSL | 15:117db924cf7c | 3095 | |
wolfSSL | 15:117db924cf7c | 3096 | WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_DO); |
wolfSSL | 15:117db924cf7c | 3097 | WOLFSSL_ENTER("DoTls13CertificateRequest"); |
wolfSSL | 15:117db924cf7c | 3098 | |
wolfSSL | 15:117db924cf7c | 3099 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 3100 | if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateRequest"); |
wolfSSL | 15:117db924cf7c | 3101 | if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 3102 | #endif |
wolfSSL | 15:117db924cf7c | 3103 | |
wolfSSL | 15:117db924cf7c | 3104 | if ((*inOutIdx - begin) + OPAQUE8_LEN > size) |
wolfSSL | 15:117db924cf7c | 3105 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3106 | |
wolfSSL | 15:117db924cf7c | 3107 | /* Length of the request context. */ |
wolfSSL | 15:117db924cf7c | 3108 | len = input[(*inOutIdx)++]; |
wolfSSL | 15:117db924cf7c | 3109 | if ((*inOutIdx - begin) + len > size) |
wolfSSL | 15:117db924cf7c | 3110 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3111 | if (ssl->options.connectState < FINISHED_DONE && len > 0) |
wolfSSL | 15:117db924cf7c | 3112 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3113 | |
wolfSSL | 15:117db924cf7c | 3114 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 3115 | /* CertReqCtx has one byte at end for context value. |
wolfSSL | 15:117db924cf7c | 3116 | * Increase size to handle other implementations sending more than one byte. |
wolfSSL | 15:117db924cf7c | 3117 | * That is, allocate extra space, over one byte, to hold the context value. |
wolfSSL | 15:117db924cf7c | 3118 | */ |
wolfSSL | 15:117db924cf7c | 3119 | certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx) + len - 1, ssl->heap, |
wolfSSL | 15:117db924cf7c | 3120 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3121 | if (certReqCtx == NULL) |
wolfSSL | 15:117db924cf7c | 3122 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 3123 | certReqCtx->next = ssl->certReqCtx; |
wolfSSL | 15:117db924cf7c | 3124 | certReqCtx->len = len; |
wolfSSL | 15:117db924cf7c | 3125 | XMEMCPY(&certReqCtx->ctx, input + *inOutIdx, len); |
wolfSSL | 15:117db924cf7c | 3126 | ssl->certReqCtx = certReqCtx; |
wolfSSL | 15:117db924cf7c | 3127 | #endif |
wolfSSL | 15:117db924cf7c | 3128 | *inOutIdx += len; |
wolfSSL | 15:117db924cf7c | 3129 | |
wolfSSL | 15:117db924cf7c | 3130 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3131 | /* Signature and hash algorithms. */ |
wolfSSL | 15:117db924cf7c | 3132 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size) |
wolfSSL | 15:117db924cf7c | 3133 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3134 | ato16(input + *inOutIdx, &len); |
wolfSSL | 15:117db924cf7c | 3135 | *inOutIdx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3136 | if ((*inOutIdx - begin) + len > size) |
wolfSSL | 15:117db924cf7c | 3137 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3138 | PickHashSigAlgo(ssl, input + *inOutIdx, len); |
wolfSSL | 15:117db924cf7c | 3139 | *inOutIdx += len; |
wolfSSL | 15:117db924cf7c | 3140 | |
wolfSSL | 15:117db924cf7c | 3141 | /* Length of certificate authority data. */ |
wolfSSL | 15:117db924cf7c | 3142 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size) |
wolfSSL | 15:117db924cf7c | 3143 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3144 | ato16(input + *inOutIdx, &len); |
wolfSSL | 15:117db924cf7c | 3145 | *inOutIdx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3146 | if ((*inOutIdx - begin) + len > size) |
wolfSSL | 15:117db924cf7c | 3147 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3148 | |
wolfSSL | 15:117db924cf7c | 3149 | /* Certificate authorities. */ |
wolfSSL | 15:117db924cf7c | 3150 | while (len) { |
wolfSSL | 15:117db924cf7c | 3151 | word16 dnSz; |
wolfSSL | 15:117db924cf7c | 3152 | |
wolfSSL | 15:117db924cf7c | 3153 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size) |
wolfSSL | 15:117db924cf7c | 3154 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3155 | |
wolfSSL | 15:117db924cf7c | 3156 | ato16(input + *inOutIdx, &dnSz); |
wolfSSL | 15:117db924cf7c | 3157 | *inOutIdx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3158 | |
wolfSSL | 15:117db924cf7c | 3159 | if ((*inOutIdx - begin) + dnSz > size) |
wolfSSL | 15:117db924cf7c | 3160 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3161 | |
wolfSSL | 15:117db924cf7c | 3162 | *inOutIdx += dnSz; |
wolfSSL | 15:117db924cf7c | 3163 | len -= OPAQUE16_LEN + dnSz; |
wolfSSL | 15:117db924cf7c | 3164 | } |
wolfSSL | 15:117db924cf7c | 3165 | |
wolfSSL | 15:117db924cf7c | 3166 | /* Certificate extensions */ |
wolfSSL | 15:117db924cf7c | 3167 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size) |
wolfSSL | 15:117db924cf7c | 3168 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3169 | ato16(input + *inOutIdx, &len); |
wolfSSL | 15:117db924cf7c | 3170 | *inOutIdx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3171 | if ((*inOutIdx - begin) + len > size) |
wolfSSL | 15:117db924cf7c | 3172 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3173 | *inOutIdx += len; |
wolfSSL | 15:117db924cf7c | 3174 | #else |
wolfSSL | 15:117db924cf7c | 3175 | /* TODO: Add support for more extensions: |
wolfSSL | 15:117db924cf7c | 3176 | * signed_certificate_timestamp, certificate_authorities, oid_filters. |
wolfSSL | 15:117db924cf7c | 3177 | */ |
wolfSSL | 15:117db924cf7c | 3178 | /* Certificate extensions */ |
wolfSSL | 15:117db924cf7c | 3179 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size) |
wolfSSL | 15:117db924cf7c | 3180 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3181 | ato16(input + *inOutIdx, &len); |
wolfSSL | 15:117db924cf7c | 3182 | *inOutIdx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3183 | if ((*inOutIdx - begin) + len > size) |
wolfSSL | 15:117db924cf7c | 3184 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3185 | if (len == 0) |
wolfSSL | 15:117db924cf7c | 3186 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 3187 | if ((ret = TLSX_Parse(ssl, (byte *)(input + *inOutIdx), len, |
wolfSSL | 15:117db924cf7c | 3188 | certificate_request, &peerSuites))) { |
wolfSSL | 15:117db924cf7c | 3189 | return ret; |
wolfSSL | 15:117db924cf7c | 3190 | } |
wolfSSL | 15:117db924cf7c | 3191 | *inOutIdx += len; |
wolfSSL | 15:117db924cf7c | 3192 | |
wolfSSL | 15:117db924cf7c | 3193 | PickHashSigAlgo(ssl, peerSuites.hashSigAlgo, peerSuites.hashSigAlgoSz); |
wolfSSL | 15:117db924cf7c | 3194 | #endif |
wolfSSL | 15:117db924cf7c | 3195 | |
wolfSSL | 15:117db924cf7c | 3196 | if (ssl->buffers.certificate && ssl->buffers.certificate->buffer && |
wolfSSL | 15:117db924cf7c | 3197 | ssl->buffers.key && ssl->buffers.key->buffer) |
wolfSSL | 15:117db924cf7c | 3198 | ssl->options.sendVerify = SEND_CERT; |
wolfSSL | 15:117db924cf7c | 3199 | else |
wolfSSL | 15:117db924cf7c | 3200 | ssl->options.sendVerify = SEND_BLANK_CERT; |
wolfSSL | 15:117db924cf7c | 3201 | |
wolfSSL | 15:117db924cf7c | 3202 | /* This message is always encrypted so add encryption padding. */ |
wolfSSL | 15:117db924cf7c | 3203 | *inOutIdx += ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 3204 | |
wolfSSL | 15:117db924cf7c | 3205 | WOLFSSL_LEAVE("DoTls13CertificateRequest", ret); |
wolfSSL | 15:117db924cf7c | 3206 | WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_DO); |
wolfSSL | 15:117db924cf7c | 3207 | |
wolfSSL | 15:117db924cf7c | 3208 | return ret; |
wolfSSL | 15:117db924cf7c | 3209 | } |
wolfSSL | 15:117db924cf7c | 3210 | |
wolfSSL | 15:117db924cf7c | 3211 | #endif /* !NO_WOLFSSL_CLIENT */ |
wolfSSL | 15:117db924cf7c | 3212 | |
wolfSSL | 15:117db924cf7c | 3213 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 3214 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 3215 | /* Refine list of supported cipher suites to those common to server and client. |
wolfSSL | 15:117db924cf7c | 3216 | * |
wolfSSL | 15:117db924cf7c | 3217 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 3218 | * peerSuites The peer's advertised list of supported cipher suites. |
wolfSSL | 15:117db924cf7c | 3219 | */ |
wolfSSL | 15:117db924cf7c | 3220 | static void RefineSuites(WOLFSSL* ssl, Suites* peerSuites) |
wolfSSL | 15:117db924cf7c | 3221 | { |
wolfSSL | 15:117db924cf7c | 3222 | byte suites[WOLFSSL_MAX_SUITE_SZ]; |
wolfSSL | 15:117db924cf7c | 3223 | int suiteSz = 0; |
wolfSSL | 15:117db924cf7c | 3224 | int i, j; |
wolfSSL | 15:117db924cf7c | 3225 | |
wolfSSL | 15:117db924cf7c | 3226 | for (i = 0; i < ssl->suites->suiteSz; i += 2) { |
wolfSSL | 15:117db924cf7c | 3227 | for (j = 0; j < peerSuites->suiteSz; j += 2) { |
wolfSSL | 15:117db924cf7c | 3228 | if (ssl->suites->suites[i+0] == peerSuites->suites[j+0] && |
wolfSSL | 15:117db924cf7c | 3229 | ssl->suites->suites[i+1] == peerSuites->suites[j+1]) { |
wolfSSL | 15:117db924cf7c | 3230 | suites[suiteSz++] = peerSuites->suites[j+0]; |
wolfSSL | 15:117db924cf7c | 3231 | suites[suiteSz++] = peerSuites->suites[j+1]; |
wolfSSL | 15:117db924cf7c | 3232 | } |
wolfSSL | 15:117db924cf7c | 3233 | } |
wolfSSL | 15:117db924cf7c | 3234 | } |
wolfSSL | 15:117db924cf7c | 3235 | |
wolfSSL | 15:117db924cf7c | 3236 | ssl->suites->suiteSz = suiteSz; |
wolfSSL | 15:117db924cf7c | 3237 | XMEMCPY(ssl->suites->suites, &suites, sizeof(suites)); |
wolfSSL | 15:117db924cf7c | 3238 | } |
wolfSSL | 15:117db924cf7c | 3239 | |
wolfSSL | 15:117db924cf7c | 3240 | /* Handle any Pre-Shared Key (PSK) extension. |
wolfSSL | 15:117db924cf7c | 3241 | * Must do this in ClientHello as it requires a hash of the truncated message. |
wolfSSL | 15:117db924cf7c | 3242 | * Don't know size of binders until Pre-Shared Key extension has been parsed. |
wolfSSL | 15:117db924cf7c | 3243 | * |
wolfSSL | 15:117db924cf7c | 3244 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 3245 | * input The ClientHello message. |
wolfSSL | 15:117db924cf7c | 3246 | * helloSz The size of the ClientHello message (including binders if present). |
wolfSSL | 15:117db924cf7c | 3247 | * usingPSK Indicates handshake is using Pre-Shared Keys. |
wolfSSL | 15:117db924cf7c | 3248 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 3249 | */ |
wolfSSL | 15:117db924cf7c | 3250 | static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz, |
wolfSSL | 15:117db924cf7c | 3251 | int* usingPSK) |
wolfSSL | 15:117db924cf7c | 3252 | { |
wolfSSL | 15:117db924cf7c | 3253 | int ret; |
wolfSSL | 15:117db924cf7c | 3254 | TLSX* ext; |
wolfSSL | 15:117db924cf7c | 3255 | word16 bindersLen; |
wolfSSL | 15:117db924cf7c | 3256 | PreSharedKey* current; |
wolfSSL | 15:117db924cf7c | 3257 | byte binderKey[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 3258 | byte binder[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 3259 | word32 binderLen; |
wolfSSL | 15:117db924cf7c | 3260 | word16 modes; |
wolfSSL | 15:117db924cf7c | 3261 | byte suite[2]; |
wolfSSL | 15:117db924cf7c | 3262 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 3263 | int pskCnt = 0; |
wolfSSL | 15:117db924cf7c | 3264 | TLSX* extEarlyData; |
wolfSSL | 15:117db924cf7c | 3265 | #endif |
wolfSSL | 15:117db924cf7c | 3266 | |
wolfSSL | 15:117db924cf7c | 3267 | WOLFSSL_ENTER("DoPreSharedKeys"); |
wolfSSL | 15:117db924cf7c | 3268 | |
wolfSSL | 15:117db924cf7c | 3269 | ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); |
wolfSSL | 15:117db924cf7c | 3270 | if (ext == NULL) { |
wolfSSL | 15:117db924cf7c | 3271 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 3272 | ssl->earlyData = no_early_data; |
wolfSSL | 15:117db924cf7c | 3273 | #endif |
wolfSSL | 15:117db924cf7c | 3274 | return 0; |
wolfSSL | 15:117db924cf7c | 3275 | } |
wolfSSL | 15:117db924cf7c | 3276 | |
wolfSSL | 15:117db924cf7c | 3277 | /* Extensions pushed on stack/list and PSK must be last. */ |
wolfSSL | 15:117db924cf7c | 3278 | if (ssl->extensions != ext) |
wolfSSL | 15:117db924cf7c | 3279 | return PSK_KEY_ERROR; |
wolfSSL | 15:117db924cf7c | 3280 | |
wolfSSL | 15:117db924cf7c | 3281 | /* Assume we are going to resume with a pre-shared key. */ |
wolfSSL | 15:117db924cf7c | 3282 | ssl->options.resuming = 1; |
wolfSSL | 15:117db924cf7c | 3283 | |
wolfSSL | 15:117db924cf7c | 3284 | /* Find the pre-shared key extension and calculate hash of truncated |
wolfSSL | 15:117db924cf7c | 3285 | * ClientHello for binders. |
wolfSSL | 15:117db924cf7c | 3286 | */ |
wolfSSL | 15:117db924cf7c | 3287 | bindersLen = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data, |
wolfSSL | 15:117db924cf7c | 3288 | client_hello); |
wolfSSL | 15:117db924cf7c | 3289 | |
wolfSSL | 15:117db924cf7c | 3290 | /* Hash data up to binders for deriving binders in PSK extension. */ |
wolfSSL | 15:117db924cf7c | 3291 | ret = HashInput(ssl, input, helloSz - bindersLen); |
wolfSSL | 15:117db924cf7c | 3292 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3293 | return ret; |
wolfSSL | 15:117db924cf7c | 3294 | |
wolfSSL | 15:117db924cf7c | 3295 | /* Look through all client's pre-shared keys for a match. */ |
wolfSSL | 15:117db924cf7c | 3296 | current = (PreSharedKey*)ext->data; |
wolfSSL | 15:117db924cf7c | 3297 | while (current != NULL) { |
wolfSSL | 15:117db924cf7c | 3298 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 3299 | pskCnt++; |
wolfSSL | 15:117db924cf7c | 3300 | #endif |
wolfSSL | 15:117db924cf7c | 3301 | |
wolfSSL | 15:117db924cf7c | 3302 | #ifndef NO_PSK |
wolfSSL | 15:117db924cf7c | 3303 | XMEMCPY(ssl->arrays->client_identity, current->identity, |
wolfSSL | 15:117db924cf7c | 3304 | current->identityLen); |
wolfSSL | 15:117db924cf7c | 3305 | ssl->arrays->client_identity[current->identityLen] = '\0'; |
wolfSSL | 15:117db924cf7c | 3306 | #endif |
wolfSSL | 15:117db924cf7c | 3307 | |
wolfSSL | 15:117db924cf7c | 3308 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 3309 | /* Decode the identity. */ |
wolfSSL | 15:117db924cf7c | 3310 | if ((ret = DoClientTicket(ssl, current->identity, current->identityLen)) |
wolfSSL | 15:117db924cf7c | 3311 | == WOLFSSL_TICKET_RET_OK) { |
wolfSSL | 15:117db924cf7c | 3312 | word32 now; |
wolfSSL | 15:117db924cf7c | 3313 | int diff; |
wolfSSL | 15:117db924cf7c | 3314 | |
wolfSSL | 15:117db924cf7c | 3315 | now = TimeNowInMilliseconds(); |
wolfSSL | 15:117db924cf7c | 3316 | if (now == (word32)GETTIME_ERROR) |
wolfSSL | 15:117db924cf7c | 3317 | return now; |
wolfSSL | 15:117db924cf7c | 3318 | diff = now - ssl->session.ticketSeen; |
wolfSSL | 15:117db924cf7c | 3319 | diff -= current->ticketAge - ssl->session.ticketAdd; |
wolfSSL | 15:117db924cf7c | 3320 | /* Check session and ticket age timeout. |
wolfSSL | 15:117db924cf7c | 3321 | * Allow +/- 1000 milliseconds on ticket age. |
wolfSSL | 15:117db924cf7c | 3322 | */ |
wolfSSL | 15:117db924cf7c | 3323 | if (diff > (int)ssl->timeout * 1000 || diff < -1000 || |
wolfSSL | 15:117db924cf7c | 3324 | diff - MAX_TICKET_AGE_SECS * 1000 > 1000) { |
wolfSSL | 15:117db924cf7c | 3325 | /* Invalid difference, fallback to full handshake. */ |
wolfSSL | 15:117db924cf7c | 3326 | ssl->options.resuming = 0; |
wolfSSL | 15:117db924cf7c | 3327 | break; |
wolfSSL | 15:117db924cf7c | 3328 | } |
wolfSSL | 15:117db924cf7c | 3329 | |
wolfSSL | 15:117db924cf7c | 3330 | /* Check whether resumption is possible based on suites in SSL and |
wolfSSL | 15:117db924cf7c | 3331 | * ciphersuite in ticket. |
wolfSSL | 15:117db924cf7c | 3332 | */ |
wolfSSL | 15:117db924cf7c | 3333 | suite[0] = ssl->session.cipherSuite0; |
wolfSSL | 15:117db924cf7c | 3334 | suite[1] = ssl->session.cipherSuite; |
wolfSSL | 15:117db924cf7c | 3335 | if (!FindSuite(ssl, suite)) { |
wolfSSL | 15:117db924cf7c | 3336 | current = current->next; |
wolfSSL | 15:117db924cf7c | 3337 | continue; |
wolfSSL | 15:117db924cf7c | 3338 | } |
wolfSSL | 15:117db924cf7c | 3339 | |
wolfSSL | 15:117db924cf7c | 3340 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 3341 | ssl->options.maxEarlyDataSz = ssl->session.maxEarlyDataSz; |
wolfSSL | 15:117db924cf7c | 3342 | #endif |
wolfSSL | 15:117db924cf7c | 3343 | /* Use the same cipher suite as before and set up for use. */ |
wolfSSL | 15:117db924cf7c | 3344 | ssl->options.cipherSuite0 = ssl->session.cipherSuite0; |
wolfSSL | 15:117db924cf7c | 3345 | ssl->options.cipherSuite = ssl->session.cipherSuite; |
wolfSSL | 15:117db924cf7c | 3346 | ret = SetCipherSpecs(ssl); |
wolfSSL | 15:117db924cf7c | 3347 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3348 | return ret; |
wolfSSL | 15:117db924cf7c | 3349 | |
wolfSSL | 15:117db924cf7c | 3350 | /* Resumption PSK is resumption master secret. */ |
wolfSSL | 15:117db924cf7c | 3351 | ssl->arrays->psk_keySz = ssl->specs.hash_size; |
wolfSSL | 15:117db924cf7c | 3352 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3353 | XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret, |
wolfSSL | 15:117db924cf7c | 3354 | ssl->arrays->psk_keySz); |
wolfSSL | 15:117db924cf7c | 3355 | #else |
wolfSSL | 15:117db924cf7c | 3356 | if ((ret = DeriveResumptionPSK(ssl, ssl->session.ticketNonce.data, |
wolfSSL | 15:117db924cf7c | 3357 | ssl->session.ticketNonce.len, ssl->arrays->psk_key)) != 0) { |
wolfSSL | 15:117db924cf7c | 3358 | return ret; |
wolfSSL | 15:117db924cf7c | 3359 | } |
wolfSSL | 15:117db924cf7c | 3360 | #endif |
wolfSSL | 15:117db924cf7c | 3361 | |
wolfSSL | 15:117db924cf7c | 3362 | /* Derive the early secret using the PSK. */ |
wolfSSL | 15:117db924cf7c | 3363 | ret = DeriveEarlySecret(ssl); |
wolfSSL | 15:117db924cf7c | 3364 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3365 | return ret; |
wolfSSL | 15:117db924cf7c | 3366 | /* Derive the binder key to use to with HMAC. */ |
wolfSSL | 15:117db924cf7c | 3367 | ret = DeriveBinderKeyResume(ssl, binderKey); |
wolfSSL | 15:117db924cf7c | 3368 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3369 | return ret; |
wolfSSL | 15:117db924cf7c | 3370 | } |
wolfSSL | 15:117db924cf7c | 3371 | else |
wolfSSL | 15:117db924cf7c | 3372 | #endif |
wolfSSL | 15:117db924cf7c | 3373 | #ifndef NO_PSK |
wolfSSL | 15:117db924cf7c | 3374 | if (ssl->options.server_psk_cb != NULL && |
wolfSSL | 15:117db924cf7c | 3375 | (ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl, |
wolfSSL | 15:117db924cf7c | 3376 | ssl->arrays->client_identity, ssl->arrays->psk_key, |
wolfSSL | 15:117db924cf7c | 3377 | MAX_PSK_KEY_LEN)) != 0) { |
wolfSSL | 15:117db924cf7c | 3378 | if (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) |
wolfSSL | 15:117db924cf7c | 3379 | return PSK_KEY_ERROR; |
wolfSSL | 15:117db924cf7c | 3380 | /* TODO: Callback should be able to specify ciphersuite. */ |
wolfSSL | 15:117db924cf7c | 3381 | |
wolfSSL | 15:117db924cf7c | 3382 | suite[0] = TLS13_BYTE; |
wolfSSL | 15:117db924cf7c | 3383 | suite[1] = WOLFSSL_DEF_PSK_CIPHER; |
wolfSSL | 15:117db924cf7c | 3384 | if (!FindSuite(ssl, suite)) { |
wolfSSL | 15:117db924cf7c | 3385 | current = current->next; |
wolfSSL | 15:117db924cf7c | 3386 | continue; |
wolfSSL | 15:117db924cf7c | 3387 | } |
wolfSSL | 15:117db924cf7c | 3388 | |
wolfSSL | 15:117db924cf7c | 3389 | /* Default to ciphersuite if cb doesn't specify. */ |
wolfSSL | 15:117db924cf7c | 3390 | ssl->options.resuming = 0; |
wolfSSL | 15:117db924cf7c | 3391 | |
wolfSSL | 15:117db924cf7c | 3392 | /* PSK age is always zero. */ |
wolfSSL | 15:117db924cf7c | 3393 | if (current->ticketAge != ssl->session.ticketAdd) |
wolfSSL | 15:117db924cf7c | 3394 | return PSK_KEY_ERROR; |
wolfSSL | 15:117db924cf7c | 3395 | |
wolfSSL | 15:117db924cf7c | 3396 | /* Check whether PSK ciphersuite is in SSL. */ |
wolfSSL | 15:117db924cf7c | 3397 | ssl->options.cipherSuite0 = TLS13_BYTE; |
wolfSSL | 15:117db924cf7c | 3398 | ssl->options.cipherSuite = WOLFSSL_DEF_PSK_CIPHER; |
wolfSSL | 15:117db924cf7c | 3399 | ret = SetCipherSpecs(ssl); |
wolfSSL | 15:117db924cf7c | 3400 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3401 | return ret; |
wolfSSL | 15:117db924cf7c | 3402 | |
wolfSSL | 15:117db924cf7c | 3403 | /* Derive the early secret using the PSK. */ |
wolfSSL | 15:117db924cf7c | 3404 | ret = DeriveEarlySecret(ssl); |
wolfSSL | 15:117db924cf7c | 3405 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3406 | return ret; |
wolfSSL | 15:117db924cf7c | 3407 | /* Derive the binder key to use to with HMAC. */ |
wolfSSL | 15:117db924cf7c | 3408 | ret = DeriveBinderKey(ssl, binderKey); |
wolfSSL | 15:117db924cf7c | 3409 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3410 | return ret; |
wolfSSL | 15:117db924cf7c | 3411 | } |
wolfSSL | 15:117db924cf7c | 3412 | else |
wolfSSL | 15:117db924cf7c | 3413 | #endif |
wolfSSL | 15:117db924cf7c | 3414 | { |
wolfSSL | 15:117db924cf7c | 3415 | current = current->next; |
wolfSSL | 15:117db924cf7c | 3416 | continue; |
wolfSSL | 15:117db924cf7c | 3417 | } |
wolfSSL | 15:117db924cf7c | 3418 | |
wolfSSL | 15:117db924cf7c | 3419 | ssl->options.sendVerify = 0; |
wolfSSL | 15:117db924cf7c | 3420 | |
wolfSSL | 15:117db924cf7c | 3421 | /* Derive the Finished message secret. */ |
wolfSSL | 15:117db924cf7c | 3422 | ret = DeriveFinishedSecret(ssl, binderKey, |
wolfSSL | 15:117db924cf7c | 3423 | ssl->keys.client_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 3424 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3425 | return ret; |
wolfSSL | 15:117db924cf7c | 3426 | |
wolfSSL | 15:117db924cf7c | 3427 | /* Derive the binder and compare with the one in the extension. */ |
wolfSSL | 15:117db924cf7c | 3428 | ret = BuildTls13HandshakeHmac(ssl, |
wolfSSL | 15:117db924cf7c | 3429 | ssl->keys.client_write_MAC_secret, binder, &binderLen); |
wolfSSL | 15:117db924cf7c | 3430 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3431 | return ret; |
wolfSSL | 15:117db924cf7c | 3432 | if (binderLen != current->binderLen || |
wolfSSL | 15:117db924cf7c | 3433 | XMEMCMP(binder, current->binder, binderLen) != 0) { |
wolfSSL | 15:117db924cf7c | 3434 | return BAD_BINDER; |
wolfSSL | 15:117db924cf7c | 3435 | } |
wolfSSL | 15:117db924cf7c | 3436 | |
wolfSSL | 15:117db924cf7c | 3437 | /* This PSK works, no need to try any more. */ |
wolfSSL | 15:117db924cf7c | 3438 | current->chosen = 1; |
wolfSSL | 15:117db924cf7c | 3439 | ext->resp = 1; |
wolfSSL | 15:117db924cf7c | 3440 | break; |
wolfSSL | 15:117db924cf7c | 3441 | } |
wolfSSL | 15:117db924cf7c | 3442 | |
wolfSSL | 15:117db924cf7c | 3443 | if (current == NULL) { |
wolfSSL | 15:117db924cf7c | 3444 | #ifdef WOLFSSL_PSK_ID_PROTECTION |
wolfSSL | 15:117db924cf7c | 3445 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 3446 | if (ssl->buffers.certChainCnt != 0) |
wolfSSL | 15:117db924cf7c | 3447 | return 0; |
wolfSSL | 15:117db924cf7c | 3448 | #endif |
wolfSSL | 15:117db924cf7c | 3449 | return BAD_BINDER; |
wolfSSL | 15:117db924cf7c | 3450 | #else |
wolfSSL | 15:117db924cf7c | 3451 | return 0; |
wolfSSL | 15:117db924cf7c | 3452 | #endif |
wolfSSL | 15:117db924cf7c | 3453 | } |
wolfSSL | 15:117db924cf7c | 3454 | |
wolfSSL | 15:117db924cf7c | 3455 | /* Hash the rest of the ClientHello. */ |
wolfSSL | 15:117db924cf7c | 3456 | ret = HashInputRaw(ssl, input + helloSz - bindersLen, bindersLen); |
wolfSSL | 15:117db924cf7c | 3457 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3458 | return ret; |
wolfSSL | 15:117db924cf7c | 3459 | |
wolfSSL | 15:117db924cf7c | 3460 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 3461 | extEarlyData = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA); |
wolfSSL | 15:117db924cf7c | 3462 | if (extEarlyData != NULL) { |
wolfSSL | 15:117db924cf7c | 3463 | if (ssl->earlyData != no_early_data && current == ext->data) { |
wolfSSL | 15:117db924cf7c | 3464 | extEarlyData->resp = 1; |
wolfSSL | 15:117db924cf7c | 3465 | |
wolfSSL | 15:117db924cf7c | 3466 | /* Derive early data decryption key. */ |
wolfSSL | 15:117db924cf7c | 3467 | ret = DeriveTls13Keys(ssl, early_data_key, DECRYPT_SIDE_ONLY, 1); |
wolfSSL | 15:117db924cf7c | 3468 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3469 | return ret; |
wolfSSL | 15:117db924cf7c | 3470 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 3471 | return ret; |
wolfSSL | 15:117db924cf7c | 3472 | |
wolfSSL | 15:117db924cf7c | 3473 | ssl->earlyData = process_early_data; |
wolfSSL | 15:117db924cf7c | 3474 | } |
wolfSSL | 15:117db924cf7c | 3475 | else |
wolfSSL | 15:117db924cf7c | 3476 | extEarlyData->resp = 0; |
wolfSSL | 15:117db924cf7c | 3477 | } |
wolfSSL | 15:117db924cf7c | 3478 | #endif |
wolfSSL | 15:117db924cf7c | 3479 | |
wolfSSL | 15:117db924cf7c | 3480 | /* Get the PSK key exchange modes the client wants to negotiate. */ |
wolfSSL | 15:117db924cf7c | 3481 | ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES); |
wolfSSL | 15:117db924cf7c | 3482 | if (ext == NULL) |
wolfSSL | 15:117db924cf7c | 3483 | return MISSING_HANDSHAKE_DATA; |
wolfSSL | 15:117db924cf7c | 3484 | modes = ext->val; |
wolfSSL | 15:117db924cf7c | 3485 | |
wolfSSL | 15:117db924cf7c | 3486 | ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); |
wolfSSL | 15:117db924cf7c | 3487 | /* Use (EC)DHE for forward-security if possible. */ |
wolfSSL | 15:117db924cf7c | 3488 | if ((modes & (1 << PSK_DHE_KE)) != 0 && !ssl->options.noPskDheKe && |
wolfSSL | 15:117db924cf7c | 3489 | ext != NULL) { |
wolfSSL | 15:117db924cf7c | 3490 | /* Only use named group used in last session. */ |
wolfSSL | 15:117db924cf7c | 3491 | ssl->namedGroup = ssl->session.namedGroup; |
wolfSSL | 15:117db924cf7c | 3492 | |
wolfSSL | 15:117db924cf7c | 3493 | /* Pick key share and Generate a new key if not present. */ |
wolfSSL | 15:117db924cf7c | 3494 | ret = TLSX_KeyShare_Establish(ssl); |
wolfSSL | 15:117db924cf7c | 3495 | if (ret == KEY_SHARE_ERROR) { |
wolfSSL | 15:117db924cf7c | 3496 | ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE; |
wolfSSL | 15:117db924cf7c | 3497 | ret = 0; |
wolfSSL | 15:117db924cf7c | 3498 | } |
wolfSSL | 15:117db924cf7c | 3499 | else if (ret < 0) |
wolfSSL | 15:117db924cf7c | 3500 | return ret; |
wolfSSL | 15:117db924cf7c | 3501 | |
wolfSSL | 15:117db924cf7c | 3502 | /* Send new public key to client. */ |
wolfSSL | 15:117db924cf7c | 3503 | ext->resp = 1; |
wolfSSL | 15:117db924cf7c | 3504 | } |
wolfSSL | 15:117db924cf7c | 3505 | else { |
wolfSSL | 15:117db924cf7c | 3506 | if ((modes & (1 << PSK_KE)) == 0) |
wolfSSL | 15:117db924cf7c | 3507 | return PSK_KEY_ERROR; |
wolfSSL | 15:117db924cf7c | 3508 | ssl->options.noPskDheKe = 1; |
wolfSSL | 15:117db924cf7c | 3509 | } |
wolfSSL | 15:117db924cf7c | 3510 | |
wolfSSL | 15:117db924cf7c | 3511 | *usingPSK = 1; |
wolfSSL | 15:117db924cf7c | 3512 | |
wolfSSL | 15:117db924cf7c | 3513 | WOLFSSL_LEAVE("DoPreSharedKeys", ret); |
wolfSSL | 15:117db924cf7c | 3514 | |
wolfSSL | 15:117db924cf7c | 3515 | return ret; |
wolfSSL | 15:117db924cf7c | 3516 | } |
wolfSSL | 15:117db924cf7c | 3517 | #endif |
wolfSSL | 15:117db924cf7c | 3518 | |
wolfSSL | 15:117db924cf7c | 3519 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && defined(WOLFSSL_SEND_HRR_COOKIE) |
wolfSSL | 15:117db924cf7c | 3520 | /* Check that the Cookie data's integrity. |
wolfSSL | 15:117db924cf7c | 3521 | * |
wolfSSL | 15:117db924cf7c | 3522 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 3523 | * cookie The cookie data - hash and MAC. |
wolfSSL | 15:117db924cf7c | 3524 | * cookieSz The length of the cookie data in bytes. |
wolfSSL | 15:117db924cf7c | 3525 | * returns Length of the hash on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 3526 | */ |
wolfSSL | 15:117db924cf7c | 3527 | static int CheckCookie(WOLFSSL* ssl, byte* cookie, byte cookieSz) |
wolfSSL | 15:117db924cf7c | 3528 | { |
wolfSSL | 15:117db924cf7c | 3529 | int ret; |
wolfSSL | 15:117db924cf7c | 3530 | byte mac[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 3531 | Hmac cookieHmac; |
wolfSSL | 15:117db924cf7c | 3532 | byte cookieType; |
wolfSSL | 15:117db924cf7c | 3533 | byte macSz; |
wolfSSL | 15:117db924cf7c | 3534 | |
wolfSSL | 15:117db924cf7c | 3535 | #if !defined(NO_SHA) && defined(NO_SHA256) |
wolfSSL | 15:117db924cf7c | 3536 | cookieType = SHA; |
wolfSSL | 15:117db924cf7c | 3537 | macSz = WC_SHA_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 3538 | #endif /* NO_SHA */ |
wolfSSL | 15:117db924cf7c | 3539 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 3540 | cookieType = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 3541 | macSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 3542 | #endif /* NO_SHA256 */ |
wolfSSL | 15:117db924cf7c | 3543 | |
wolfSSL | 15:117db924cf7c | 3544 | if (cookieSz < ssl->specs.hash_size + macSz) |
wolfSSL | 15:117db924cf7c | 3545 | return HRR_COOKIE_ERROR; |
wolfSSL | 15:117db924cf7c | 3546 | cookieSz -= macSz; |
wolfSSL | 15:117db924cf7c | 3547 | |
wolfSSL | 15:117db924cf7c | 3548 | ret = wc_HmacSetKey(&cookieHmac, cookieType, |
wolfSSL | 15:117db924cf7c | 3549 | ssl->buffers.tls13CookieSecret.buffer, |
wolfSSL | 15:117db924cf7c | 3550 | ssl->buffers.tls13CookieSecret.length); |
wolfSSL | 15:117db924cf7c | 3551 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3552 | return ret; |
wolfSSL | 15:117db924cf7c | 3553 | if ((ret = wc_HmacUpdate(&cookieHmac, cookie, cookieSz)) != 0) |
wolfSSL | 15:117db924cf7c | 3554 | return ret; |
wolfSSL | 15:117db924cf7c | 3555 | if ((ret = wc_HmacFinal(&cookieHmac, mac)) != 0) |
wolfSSL | 15:117db924cf7c | 3556 | return ret; |
wolfSSL | 15:117db924cf7c | 3557 | |
wolfSSL | 15:117db924cf7c | 3558 | if (ConstantCompare(cookie + cookieSz, mac, macSz) != 0) |
wolfSSL | 15:117db924cf7c | 3559 | return HRR_COOKIE_ERROR; |
wolfSSL | 15:117db924cf7c | 3560 | return cookieSz; |
wolfSSL | 15:117db924cf7c | 3561 | } |
wolfSSL | 15:117db924cf7c | 3562 | |
wolfSSL | 15:117db924cf7c | 3563 | /* Length of the KeyShare Extension */ |
wolfSSL | 15:117db924cf7c | 3564 | #define HRR_KEY_SHARE_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN) |
wolfSSL | 15:117db924cf7c | 3565 | /* Length of the Supported Vresions Extension */ |
wolfSSL | 15:117db924cf7c | 3566 | #define HRR_VERSIONS_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN) |
wolfSSL | 15:117db924cf7c | 3567 | /* Length of the Cookie Extension excluding cookie data */ |
wolfSSL | 15:117db924cf7c | 3568 | #define HRR_COOKIE_HDR_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN) |
wolfSSL | 15:117db924cf7c | 3569 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3570 | /* PV | CipherSuite | Ext Len */ |
wolfSSL | 15:117db924cf7c | 3571 | #define HRR_BODY_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN) |
wolfSSL | 15:117db924cf7c | 3572 | /* HH | PV | CipherSuite | Ext Len | Key Share | Cookie */ |
wolfSSL | 15:117db924cf7c | 3573 | #define MAX_HRR_SZ (HANDSHAKE_HEADER_SZ + \ |
wolfSSL | 15:117db924cf7c | 3574 | HRR_BODY_SZ + \ |
wolfSSL | 15:117db924cf7c | 3575 | HRR_KEY_SHARE_SZ + \ |
wolfSSL | 15:117db924cf7c | 3576 | HRR_COOKIE_HDR_SZ) |
wolfSSL | 15:117db924cf7c | 3577 | #else |
wolfSSL | 15:117db924cf7c | 3578 | /* PV | Random | Session Id | CipherSuite | Compression | Ext Len */ |
wolfSSL | 15:117db924cf7c | 3579 | #define HRR_BODY_SZ (VERSION_SZ + RAN_LEN + ENUM_LEN + ID_LEN + \ |
wolfSSL | 15:117db924cf7c | 3580 | SUITE_LEN + COMP_LEN + OPAQUE16_LEN) |
wolfSSL | 15:117db924cf7c | 3581 | /* HH | PV | CipherSuite | Ext Len | Key Share | Supported Version | Cookie */ |
wolfSSL | 15:117db924cf7c | 3582 | #define MAX_HRR_SZ (HANDSHAKE_HEADER_SZ + \ |
wolfSSL | 15:117db924cf7c | 3583 | HRR_BODY_SZ + \ |
wolfSSL | 15:117db924cf7c | 3584 | HRR_KEY_SHARE_SZ + \ |
wolfSSL | 15:117db924cf7c | 3585 | HRR_VERSIONS_SZ + \ |
wolfSSL | 15:117db924cf7c | 3586 | HRR_COOKIE_HDR_SZ) |
wolfSSL | 15:117db924cf7c | 3587 | #endif |
wolfSSL | 15:117db924cf7c | 3588 | |
wolfSSL | 15:117db924cf7c | 3589 | /* Restart the Hanshake hash from the cookie value. |
wolfSSL | 15:117db924cf7c | 3590 | * |
wolfSSL | 15:117db924cf7c | 3591 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 3592 | * cookie Cookie data from client. |
wolfSSL | 15:117db924cf7c | 3593 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 3594 | */ |
wolfSSL | 15:117db924cf7c | 3595 | static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie) |
wolfSSL | 15:117db924cf7c | 3596 | { |
wolfSSL | 15:117db924cf7c | 3597 | byte header[HANDSHAKE_HEADER_SZ]; |
wolfSSL | 15:117db924cf7c | 3598 | byte hrr[MAX_HRR_SZ]; |
wolfSSL | 15:117db924cf7c | 3599 | int hrrIdx; |
wolfSSL | 15:117db924cf7c | 3600 | word32 idx; |
wolfSSL | 15:117db924cf7c | 3601 | byte hashSz; |
wolfSSL | 15:117db924cf7c | 3602 | byte* cookieData; |
wolfSSL | 15:117db924cf7c | 3603 | byte cookieDataSz; |
wolfSSL | 15:117db924cf7c | 3604 | word16 length; |
wolfSSL | 15:117db924cf7c | 3605 | int keyShareExt = 0; |
wolfSSL | 15:117db924cf7c | 3606 | int ret; |
wolfSSL | 15:117db924cf7c | 3607 | |
wolfSSL | 15:117db924cf7c | 3608 | cookieDataSz = ret = CheckCookie(ssl, &cookie->data, cookie->len); |
wolfSSL | 15:117db924cf7c | 3609 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 3610 | return ret; |
wolfSSL | 15:117db924cf7c | 3611 | hashSz = cookie->data; |
wolfSSL | 15:117db924cf7c | 3612 | cookieData = &cookie->data; |
wolfSSL | 15:117db924cf7c | 3613 | idx = OPAQUE8_LEN; |
wolfSSL | 15:117db924cf7c | 3614 | |
wolfSSL | 15:117db924cf7c | 3615 | /* Restart handshake hash with synthetic message hash. */ |
wolfSSL | 15:117db924cf7c | 3616 | AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl); |
wolfSSL | 15:117db924cf7c | 3617 | if ((ret = InitHandshakeHashes(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 3618 | return ret; |
wolfSSL | 15:117db924cf7c | 3619 | if ((ret = HashOutputRaw(ssl, header, sizeof(header))) != 0) |
wolfSSL | 15:117db924cf7c | 3620 | return ret; |
wolfSSL | 15:117db924cf7c | 3621 | if ((ret = HashOutputRaw(ssl, cookieData + idx, hashSz)) != 0) |
wolfSSL | 15:117db924cf7c | 3622 | return ret; |
wolfSSL | 15:117db924cf7c | 3623 | |
wolfSSL | 15:117db924cf7c | 3624 | /* Reconstruct the HelloRetryMessage for handshake hash. */ |
wolfSSL | 15:117db924cf7c | 3625 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3626 | length = HRR_BODY_SZ + HRR_COOKIE_HDR_SZ + cookie->len; |
wolfSSL | 15:117db924cf7c | 3627 | #else |
wolfSSL | 15:117db924cf7c | 3628 | length = HRR_BODY_SZ - ID_LEN + ssl->session.sessionIDSz + |
wolfSSL | 15:117db924cf7c | 3629 | HRR_COOKIE_HDR_SZ + cookie->len; |
wolfSSL | 15:117db924cf7c | 3630 | length += HRR_VERSIONS_SZ; |
wolfSSL | 15:117db924cf7c | 3631 | #endif |
wolfSSL | 15:117db924cf7c | 3632 | if (cookieDataSz > hashSz + OPAQUE16_LEN) { |
wolfSSL | 15:117db924cf7c | 3633 | keyShareExt = 1; |
wolfSSL | 15:117db924cf7c | 3634 | length += HRR_KEY_SHARE_SZ; |
wolfSSL | 15:117db924cf7c | 3635 | } |
wolfSSL | 15:117db924cf7c | 3636 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3637 | AddTls13HandShakeHeader(hrr, length, 0, 0, hello_retry_request, ssl); |
wolfSSL | 15:117db924cf7c | 3638 | |
wolfSSL | 15:117db924cf7c | 3639 | idx += hashSz; |
wolfSSL | 15:117db924cf7c | 3640 | hrrIdx = HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 3641 | /* TODO: [TLS13] Replace existing code with code in comment. |
wolfSSL | 15:117db924cf7c | 3642 | * Use the TLS v1.3 draft version for now. |
wolfSSL | 15:117db924cf7c | 3643 | * |
wolfSSL | 15:117db924cf7c | 3644 | * Change to: |
wolfSSL | 15:117db924cf7c | 3645 | * hrr[hrrIdx++] = ssl->version.major; |
wolfSSL | 15:117db924cf7c | 3646 | * hrr[hrrIdx++] = ssl->version.minor; |
wolfSSL | 15:117db924cf7c | 3647 | */ |
wolfSSL | 15:117db924cf7c | 3648 | /* The negotiated protocol version. */ |
wolfSSL | 15:117db924cf7c | 3649 | hrr[hrrIdx++] = TLS_DRAFT_MAJOR; |
wolfSSL | 15:117db924cf7c | 3650 | hrr[hrrIdx++] = TLS_DRAFT_MINOR; |
wolfSSL | 15:117db924cf7c | 3651 | /* Cipher Suite */ |
wolfSSL | 15:117db924cf7c | 3652 | hrr[hrrIdx++] = cookieData[idx++]; |
wolfSSL | 15:117db924cf7c | 3653 | hrr[hrrIdx++] = cookieData[idx++]; |
wolfSSL | 15:117db924cf7c | 3654 | |
wolfSSL | 15:117db924cf7c | 3655 | /* Extensions' length */ |
wolfSSL | 15:117db924cf7c | 3656 | length -= HRR_BODY_SZ; |
wolfSSL | 15:117db924cf7c | 3657 | c16toa(length, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 3658 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 3659 | #else |
wolfSSL | 15:117db924cf7c | 3660 | AddTls13HandShakeHeader(hrr, length, 0, 0, server_hello, ssl); |
wolfSSL | 15:117db924cf7c | 3661 | |
wolfSSL | 15:117db924cf7c | 3662 | idx += hashSz; |
wolfSSL | 15:117db924cf7c | 3663 | hrrIdx = HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 3664 | |
wolfSSL | 15:117db924cf7c | 3665 | /* The negotiated protocol version. */ |
wolfSSL | 15:117db924cf7c | 3666 | hrr[hrrIdx++] = ssl->version.major; |
wolfSSL | 15:117db924cf7c | 3667 | hrr[hrrIdx++] = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 3668 | |
wolfSSL | 15:117db924cf7c | 3669 | /* HelloRetryRequest message has fixed value for random. */ |
wolfSSL | 15:117db924cf7c | 3670 | XMEMCPY(hrr + hrrIdx, helloRetryRequestRandom, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 3671 | hrrIdx += RAN_LEN; |
wolfSSL | 15:117db924cf7c | 3672 | |
wolfSSL | 15:117db924cf7c | 3673 | hrr[hrrIdx++] = ssl->session.sessionIDSz; |
wolfSSL | 15:117db924cf7c | 3674 | if (ssl->session.sessionIDSz > 0) { |
wolfSSL | 15:117db924cf7c | 3675 | XMEMCPY(hrr + hrrIdx, ssl->session.sessionID, ssl->session.sessionIDSz); |
wolfSSL | 15:117db924cf7c | 3676 | hrrIdx += ssl->session.sessionIDSz; |
wolfSSL | 15:117db924cf7c | 3677 | } |
wolfSSL | 15:117db924cf7c | 3678 | |
wolfSSL | 15:117db924cf7c | 3679 | /* Cipher Suite */ |
wolfSSL | 15:117db924cf7c | 3680 | hrr[hrrIdx++] = cookieData[idx++]; |
wolfSSL | 15:117db924cf7c | 3681 | hrr[hrrIdx++] = cookieData[idx++]; |
wolfSSL | 15:117db924cf7c | 3682 | |
wolfSSL | 15:117db924cf7c | 3683 | /* Compression not supported in TLS v1.3. */ |
wolfSSL | 15:117db924cf7c | 3684 | hrr[hrrIdx++] = 0; |
wolfSSL | 15:117db924cf7c | 3685 | |
wolfSSL | 15:117db924cf7c | 3686 | /* Extensions' length */ |
wolfSSL | 15:117db924cf7c | 3687 | length -= HRR_BODY_SZ - ID_LEN + ssl->session.sessionIDSz; |
wolfSSL | 15:117db924cf7c | 3688 | c16toa(length, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 3689 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 3690 | |
wolfSSL | 15:117db924cf7c | 3691 | #endif |
wolfSSL | 15:117db924cf7c | 3692 | /* Optional KeyShare Extension */ |
wolfSSL | 15:117db924cf7c | 3693 | if (keyShareExt) { |
wolfSSL | 15:117db924cf7c | 3694 | c16toa(TLSX_KEY_SHARE, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 3695 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 3696 | c16toa(OPAQUE16_LEN, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 3697 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 3698 | hrr[hrrIdx++] = cookieData[idx++]; |
wolfSSL | 15:117db924cf7c | 3699 | hrr[hrrIdx++] = cookieData[idx++]; |
wolfSSL | 15:117db924cf7c | 3700 | } |
wolfSSL | 15:117db924cf7c | 3701 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3702 | c16toa(TLSX_SUPPORTED_VERSIONS, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 3703 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 3704 | c16toa(OPAQUE16_LEN, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 3705 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 3706 | /* TODO: [TLS13] Change to ssl->version.major and minor once final. */ |
wolfSSL | 15:117db924cf7c | 3707 | #ifdef WOLFSSL_TLS13_FINAL |
wolfSSL | 15:117db924cf7c | 3708 | hrr[hrrIdx++] = ssl->version.major; |
wolfSSL | 15:117db924cf7c | 3709 | hrr[hrrIdx++] = ssl->version.minor; |
wolfSSL | 15:117db924cf7c | 3710 | #else |
wolfSSL | 15:117db924cf7c | 3711 | hrr[hrrIdx++] = TLS_DRAFT_MAJOR; |
wolfSSL | 15:117db924cf7c | 3712 | hrr[hrrIdx++] = TLS_DRAFT_MINOR; |
wolfSSL | 15:117db924cf7c | 3713 | #endif |
wolfSSL | 15:117db924cf7c | 3714 | #endif |
wolfSSL | 15:117db924cf7c | 3715 | /* Mandatory Cookie Extension */ |
wolfSSL | 15:117db924cf7c | 3716 | c16toa(TLSX_COOKIE, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 3717 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 3718 | c16toa(cookie->len + OPAQUE16_LEN, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 3719 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 3720 | c16toa(cookie->len, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 3721 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 3722 | |
wolfSSL | 15:117db924cf7c | 3723 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 3724 | WOLFSSL_MSG("Reconstucted HelloRetryRequest"); |
wolfSSL | 15:117db924cf7c | 3725 | WOLFSSL_BUFFER(hrr, hrrIdx); |
wolfSSL | 15:117db924cf7c | 3726 | WOLFSSL_MSG("Cookie"); |
wolfSSL | 15:117db924cf7c | 3727 | WOLFSSL_BUFFER(cookieData, cookie->len); |
wolfSSL | 15:117db924cf7c | 3728 | #endif |
wolfSSL | 15:117db924cf7c | 3729 | |
wolfSSL | 15:117db924cf7c | 3730 | if ((ret = HashOutputRaw(ssl, hrr, hrrIdx)) != 0) |
wolfSSL | 15:117db924cf7c | 3731 | return ret; |
wolfSSL | 15:117db924cf7c | 3732 | return HashOutputRaw(ssl, cookieData, cookie->len); |
wolfSSL | 15:117db924cf7c | 3733 | } |
wolfSSL | 15:117db924cf7c | 3734 | #endif |
wolfSSL | 15:117db924cf7c | 3735 | |
wolfSSL | 15:117db924cf7c | 3736 | /* Handle a ClientHello handshake message. |
wolfSSL | 15:117db924cf7c | 3737 | * If the protocol version in the message is not TLS v1.3 or higher, use |
wolfSSL | 15:117db924cf7c | 3738 | * DoClientHello() |
wolfSSL | 15:117db924cf7c | 3739 | * Only a server will receive this message. |
wolfSSL | 15:117db924cf7c | 3740 | * |
wolfSSL | 15:117db924cf7c | 3741 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 3742 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 3743 | * inOutIdx On entry, the index into the message buffer of ClientHello. |
wolfSSL | 15:117db924cf7c | 3744 | * On exit, the index of byte after the ClientHello message and |
wolfSSL | 15:117db924cf7c | 3745 | * padding. |
wolfSSL | 15:117db924cf7c | 3746 | * helloSz The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 3747 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 3748 | */ |
wolfSSL | 15:117db924cf7c | 3749 | int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 3750 | word32 helloSz) |
wolfSSL | 15:117db924cf7c | 3751 | { |
wolfSSL | 15:117db924cf7c | 3752 | int ret = VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 3753 | byte b; |
wolfSSL | 15:117db924cf7c | 3754 | ProtocolVersion pv; |
wolfSSL | 15:117db924cf7c | 3755 | Suites clSuites; |
wolfSSL | 15:117db924cf7c | 3756 | word32 i = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 3757 | word32 begin = i; |
wolfSSL | 15:117db924cf7c | 3758 | word16 totalExtSz = 0; |
wolfSSL | 15:117db924cf7c | 3759 | int usingPSK = 0; |
wolfSSL | 15:117db924cf7c | 3760 | byte sessIdSz; |
wolfSSL | 15:117db924cf7c | 3761 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 3762 | int bogusID = 0; |
wolfSSL | 15:117db924cf7c | 3763 | #endif |
wolfSSL | 15:117db924cf7c | 3764 | |
wolfSSL | 15:117db924cf7c | 3765 | WOLFSSL_START(WC_FUNC_CLIENT_HELLO_DO); |
wolfSSL | 15:117db924cf7c | 3766 | WOLFSSL_ENTER("DoTls13ClientHello"); |
wolfSSL | 15:117db924cf7c | 3767 | |
wolfSSL | 15:117db924cf7c | 3768 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 3769 | if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello"); |
wolfSSL | 15:117db924cf7c | 3770 | if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 3771 | #endif |
wolfSSL | 15:117db924cf7c | 3772 | |
wolfSSL | 15:117db924cf7c | 3773 | /* protocol version, random and session id length check */ |
wolfSSL | 15:117db924cf7c | 3774 | if ((i - begin) + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 3775 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3776 | |
wolfSSL | 15:117db924cf7c | 3777 | /* Protocol version */ |
wolfSSL | 15:117db924cf7c | 3778 | XMEMCPY(&pv, input + i, OPAQUE16_LEN); |
wolfSSL | 15:117db924cf7c | 3779 | ssl->chVersion = pv; /* store */ |
wolfSSL | 15:117db924cf7c | 3780 | i += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3781 | /* Legacy protocol version cannot negotiate TLS 1.3 or higher. */ |
wolfSSL | 15:117db924cf7c | 3782 | if (pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_3_MINOR) |
wolfSSL | 15:117db924cf7c | 3783 | pv.minor = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 3784 | |
wolfSSL | 15:117db924cf7c | 3785 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 3786 | if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor < TLSv1_3_MINOR) |
wolfSSL | 15:117db924cf7c | 3787 | return DoClientHello(ssl, input, inOutIdx, helloSz); |
wolfSSL | 15:117db924cf7c | 3788 | #endif |
wolfSSL | 15:117db924cf7c | 3789 | |
wolfSSL | 15:117db924cf7c | 3790 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 3791 | if (ssl->options.downgrade) { |
wolfSSL | 15:117db924cf7c | 3792 | if ((ret = HashInput(ssl, input + begin, helloSz)) != 0) |
wolfSSL | 15:117db924cf7c | 3793 | return ret; |
wolfSSL | 15:117db924cf7c | 3794 | } |
wolfSSL | 15:117db924cf7c | 3795 | #endif |
wolfSSL | 15:117db924cf7c | 3796 | |
wolfSSL | 15:117db924cf7c | 3797 | /* Client random */ |
wolfSSL | 15:117db924cf7c | 3798 | XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 3799 | i += RAN_LEN; |
wolfSSL | 15:117db924cf7c | 3800 | |
wolfSSL | 15:117db924cf7c | 3801 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 3802 | WOLFSSL_MSG("client random"); |
wolfSSL | 15:117db924cf7c | 3803 | WOLFSSL_BUFFER(ssl->arrays->clientRandom, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 3804 | #endif |
wolfSSL | 15:117db924cf7c | 3805 | |
wolfSSL | 15:117db924cf7c | 3806 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3807 | /* Session id - empty in TLS v1.3 */ |
wolfSSL | 15:117db924cf7c | 3808 | sessIdSz = input[i++]; |
wolfSSL | 15:117db924cf7c | 3809 | if (sessIdSz > 0 && !ssl->options.downgrade) { |
wolfSSL | 15:117db924cf7c | 3810 | WOLFSSL_MSG("Client sent session id - not supported"); |
wolfSSL | 15:117db924cf7c | 3811 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3812 | } |
wolfSSL | 15:117db924cf7c | 3813 | #else |
wolfSSL | 15:117db924cf7c | 3814 | sessIdSz = input[i++]; |
wolfSSL | 15:117db924cf7c | 3815 | if (sessIdSz != ID_LEN && sessIdSz != 0) |
wolfSSL | 15:117db924cf7c | 3816 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 3817 | #endif |
wolfSSL | 15:117db924cf7c | 3818 | ssl->session.sessionIDSz = sessIdSz; |
wolfSSL | 15:117db924cf7c | 3819 | if (sessIdSz == ID_LEN) { |
wolfSSL | 15:117db924cf7c | 3820 | XMEMCPY(ssl->session.sessionID, input + i, sessIdSz); |
wolfSSL | 15:117db924cf7c | 3821 | i += ID_LEN; |
wolfSSL | 15:117db924cf7c | 3822 | } |
wolfSSL | 15:117db924cf7c | 3823 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 3824 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 3825 | if (sessIdSz > 0 && sessIdSz < ID_LEN) |
wolfSSL | 15:117db924cf7c | 3826 | bogusID = 1; |
wolfSSL | 15:117db924cf7c | 3827 | #endif |
wolfSSL | 15:117db924cf7c | 3828 | #endif |
wolfSSL | 15:117db924cf7c | 3829 | |
wolfSSL | 15:117db924cf7c | 3830 | /* Cipher suites */ |
wolfSSL | 15:117db924cf7c | 3831 | if ((i - begin) + OPAQUE16_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 3832 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3833 | ato16(&input[i], &clSuites.suiteSz); |
wolfSSL | 15:117db924cf7c | 3834 | i += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3835 | /* suites and compression length check */ |
wolfSSL | 15:117db924cf7c | 3836 | if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 3837 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3838 | if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ) |
wolfSSL | 15:117db924cf7c | 3839 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3840 | XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz); |
wolfSSL | 15:117db924cf7c | 3841 | i += clSuites.suiteSz; |
wolfSSL | 15:117db924cf7c | 3842 | clSuites.hashSigAlgoSz = 0; |
wolfSSL | 15:117db924cf7c | 3843 | |
wolfSSL | 15:117db924cf7c | 3844 | /* Compression */ |
wolfSSL | 15:117db924cf7c | 3845 | b = input[i++]; |
wolfSSL | 15:117db924cf7c | 3846 | if ((i - begin) + b > helloSz) |
wolfSSL | 15:117db924cf7c | 3847 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3848 | if (b != COMP_LEN) { |
wolfSSL | 15:117db924cf7c | 3849 | WOLFSSL_MSG("Must be one compression type in list"); |
wolfSSL | 15:117db924cf7c | 3850 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 3851 | } |
wolfSSL | 15:117db924cf7c | 3852 | b = input[i++]; |
wolfSSL | 15:117db924cf7c | 3853 | if (b != NO_COMPRESSION) { |
wolfSSL | 15:117db924cf7c | 3854 | WOLFSSL_MSG("Must be no compression type in list"); |
wolfSSL | 15:117db924cf7c | 3855 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 3856 | } |
wolfSSL | 15:117db924cf7c | 3857 | |
wolfSSL | 15:117db924cf7c | 3858 | if ((i - begin) < helloSz) { |
wolfSSL | 15:117db924cf7c | 3859 | if ((i - begin) + OPAQUE16_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 3860 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3861 | ato16(&input[i], &totalExtSz); |
wolfSSL | 15:117db924cf7c | 3862 | i += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3863 | if ((i - begin) + totalExtSz > helloSz) |
wolfSSL | 15:117db924cf7c | 3864 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3865 | |
wolfSSL | 15:117db924cf7c | 3866 | #ifdef HAVE_QSH |
wolfSSL | 15:117db924cf7c | 3867 | QSH_Init(ssl); |
wolfSSL | 15:117db924cf7c | 3868 | #endif |
wolfSSL | 15:117db924cf7c | 3869 | |
wolfSSL | 15:117db924cf7c | 3870 | /* Auto populate extensions supported unless user defined. */ |
wolfSSL | 15:117db924cf7c | 3871 | if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0) |
wolfSSL | 15:117db924cf7c | 3872 | return ret; |
wolfSSL | 15:117db924cf7c | 3873 | |
wolfSSL | 15:117db924cf7c | 3874 | /* Parse extensions */ |
wolfSSL | 15:117db924cf7c | 3875 | if ((ret = TLSX_Parse(ssl, (byte*)input + i, totalExtSz, client_hello, |
wolfSSL | 15:117db924cf7c | 3876 | &clSuites))) { |
wolfSSL | 15:117db924cf7c | 3877 | return ret; |
wolfSSL | 15:117db924cf7c | 3878 | } |
wolfSSL | 15:117db924cf7c | 3879 | |
wolfSSL | 15:117db924cf7c | 3880 | #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ |
wolfSSL | 15:117db924cf7c | 3881 | defined(WOLFSSL_HAPROXY) |
wolfSSL | 15:117db924cf7c | 3882 | if ((ret = SNI_Callback(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 3883 | return ret; |
wolfSSL | 15:117db924cf7c | 3884 | ssl->options.side = WOLFSSL_SERVER_END; |
wolfSSL | 15:117db924cf7c | 3885 | #endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ |
wolfSSL | 15:117db924cf7c | 3886 | } |
wolfSSL | 15:117db924cf7c | 3887 | |
wolfSSL | 15:117db924cf7c | 3888 | i += totalExtSz; |
wolfSSL | 15:117db924cf7c | 3889 | *inOutIdx = i; |
wolfSSL | 15:117db924cf7c | 3890 | |
wolfSSL | 15:117db924cf7c | 3891 | if (TLSX_Find(ssl->extensions, TLSX_SUPPORTED_VERSIONS) == NULL) { |
wolfSSL | 15:117db924cf7c | 3892 | if (!ssl->options.downgrade) { |
wolfSSL | 15:117db924cf7c | 3893 | WOLFSSL_MSG("Client trying to connect with lesser version than " |
wolfSSL | 15:117db924cf7c | 3894 | "TLS v1.3"); |
wolfSSL | 15:117db924cf7c | 3895 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 3896 | } |
wolfSSL | 15:117db924cf7c | 3897 | |
wolfSSL | 15:117db924cf7c | 3898 | if (pv.minor < ssl->options.minDowngrade) |
wolfSSL | 15:117db924cf7c | 3899 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 3900 | ssl->version.minor = pv.minor; |
wolfSSL | 15:117db924cf7c | 3901 | } |
wolfSSL | 15:117db924cf7c | 3902 | |
wolfSSL | 15:117db924cf7c | 3903 | ssl->options.sendVerify = SEND_CERT; |
wolfSSL | 15:117db924cf7c | 3904 | |
wolfSSL | 15:117db924cf7c | 3905 | ssl->options.clientState = CLIENT_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 3906 | ssl->options.haveSessionId = 1; |
wolfSSL | 15:117db924cf7c | 3907 | |
wolfSSL | 15:117db924cf7c | 3908 | if (IsAtLeastTLSv1_3(ssl->version)) { |
wolfSSL | 15:117db924cf7c | 3909 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && defined(WOLFSSL_SEND_HRR_COOKIE) |
wolfSSL | 15:117db924cf7c | 3910 | if (ssl->options.sendCookie && |
wolfSSL | 15:117db924cf7c | 3911 | ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 3912 | TLSX* ext; |
wolfSSL | 15:117db924cf7c | 3913 | |
wolfSSL | 15:117db924cf7c | 3914 | if ((ext = TLSX_Find(ssl->extensions, TLSX_COOKIE)) == NULL) |
wolfSSL | 15:117db924cf7c | 3915 | return HRR_COOKIE_ERROR; |
wolfSSL | 15:117db924cf7c | 3916 | /* Ensure the cookie came from client and isn't the one in the |
wolfSSL | 15:117db924cf7c | 3917 | * response - HelloRetryRequest. |
wolfSSL | 15:117db924cf7c | 3918 | */ |
wolfSSL | 15:117db924cf7c | 3919 | if (ext->resp == 1) |
wolfSSL | 15:117db924cf7c | 3920 | return HRR_COOKIE_ERROR; |
wolfSSL | 15:117db924cf7c | 3921 | ret = RestartHandshakeHashWithCookie(ssl, (Cookie*)ext->data); |
wolfSSL | 15:117db924cf7c | 3922 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3923 | return ret; |
wolfSSL | 15:117db924cf7c | 3924 | } |
wolfSSL | 15:117db924cf7c | 3925 | #endif |
wolfSSL | 15:117db924cf7c | 3926 | |
wolfSSL | 15:117db924cf7c | 3927 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 3928 | if (ssl->options.downgrade) { |
wolfSSL | 15:117db924cf7c | 3929 | if ((ret = InitHandshakeHashes(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 3930 | return ret; |
wolfSSL | 15:117db924cf7c | 3931 | } |
wolfSSL | 15:117db924cf7c | 3932 | |
wolfSSL | 15:117db924cf7c | 3933 | /* Refine list for PSK processing. */ |
wolfSSL | 15:117db924cf7c | 3934 | RefineSuites(ssl, &clSuites); |
wolfSSL | 15:117db924cf7c | 3935 | |
wolfSSL | 15:117db924cf7c | 3936 | /* Process the Pre-Shared Key extension if present. */ |
wolfSSL | 15:117db924cf7c | 3937 | ret = DoPreSharedKeys(ssl, input + begin, helloSz, &usingPSK); |
wolfSSL | 15:117db924cf7c | 3938 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3939 | return ret; |
wolfSSL | 15:117db924cf7c | 3940 | #endif |
wolfSSL | 15:117db924cf7c | 3941 | } |
wolfSSL | 15:117db924cf7c | 3942 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 3943 | else if (ssl->options.resuming) { |
wolfSSL | 15:117db924cf7c | 3944 | ret = HandleTlsResumption(ssl, bogusID, &clSuites); |
wolfSSL | 15:117db924cf7c | 3945 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3946 | return ret; |
wolfSSL | 15:117db924cf7c | 3947 | /* Check wheter resuming has been chosen */ |
wolfSSL | 15:117db924cf7c | 3948 | if (ssl->options.clientState == CLIENT_KEYEXCHANGE_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 3949 | WOLFSSL_LEAVE("DoTls13ClientHello", ret); |
wolfSSL | 15:117db924cf7c | 3950 | WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO); |
wolfSSL | 15:117db924cf7c | 3951 | |
wolfSSL | 15:117db924cf7c | 3952 | return ret; |
wolfSSL | 15:117db924cf7c | 3953 | } |
wolfSSL | 15:117db924cf7c | 3954 | } |
wolfSSL | 15:117db924cf7c | 3955 | #else |
wolfSSL | 15:117db924cf7c | 3956 | else { |
wolfSSL | 15:117db924cf7c | 3957 | WOLFSSL_MSG("Negotiated lesser version than TLS v1.3"); |
wolfSSL | 15:117db924cf7c | 3958 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 3959 | } |
wolfSSL | 15:117db924cf7c | 3960 | #endif |
wolfSSL | 15:117db924cf7c | 3961 | |
wolfSSL | 15:117db924cf7c | 3962 | if (!usingPSK) { |
wolfSSL | 15:117db924cf7c | 3963 | if ((ret = MatchSuite(ssl, &clSuites)) < 0) { |
wolfSSL | 15:117db924cf7c | 3964 | WOLFSSL_MSG("Unsupported cipher suite, ClientHello"); |
wolfSSL | 15:117db924cf7c | 3965 | return ret; |
wolfSSL | 15:117db924cf7c | 3966 | } |
wolfSSL | 15:117db924cf7c | 3967 | |
wolfSSL | 15:117db924cf7c | 3968 | /* Check that the negotiated ciphersuite matches protocol version. */ |
wolfSSL | 15:117db924cf7c | 3969 | if (IsAtLeastTLSv1_3(ssl->version)) { |
wolfSSL | 15:117db924cf7c | 3970 | if (ssl->options.cipherSuite0 != TLS13_BYTE) { |
wolfSSL | 15:117db924cf7c | 3971 | WOLFSSL_MSG("Negotiated ciphersuite from lesser version than " |
wolfSSL | 15:117db924cf7c | 3972 | "TLS v1.3"); |
wolfSSL | 15:117db924cf7c | 3973 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 3974 | } |
wolfSSL | 15:117db924cf7c | 3975 | } |
wolfSSL | 15:117db924cf7c | 3976 | /* VerifyServerSuite handles when version is less than 1.3 */ |
wolfSSL | 15:117db924cf7c | 3977 | |
wolfSSL | 15:117db924cf7c | 3978 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 3979 | if (ssl->options.resuming) { |
wolfSSL | 15:117db924cf7c | 3980 | ssl->options.resuming = 0; |
wolfSSL | 15:117db924cf7c | 3981 | XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size); |
wolfSSL | 15:117db924cf7c | 3982 | /* May or may not have done any hashing. */ |
wolfSSL | 15:117db924cf7c | 3983 | if ((ret = InitHandshakeHashes(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 3984 | return ret; |
wolfSSL | 15:117db924cf7c | 3985 | } |
wolfSSL | 15:117db924cf7c | 3986 | #endif |
wolfSSL | 15:117db924cf7c | 3987 | |
wolfSSL | 15:117db924cf7c | 3988 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 3989 | if (IsAtLeastTLSv1_3(ssl->version) || !ssl->options.downgrade) |
wolfSSL | 15:117db924cf7c | 3990 | #endif |
wolfSSL | 15:117db924cf7c | 3991 | { |
wolfSSL | 15:117db924cf7c | 3992 | if ((ret = HashInput(ssl, input + begin, helloSz)) != 0) |
wolfSSL | 15:117db924cf7c | 3993 | return ret; |
wolfSSL | 15:117db924cf7c | 3994 | } |
wolfSSL | 15:117db924cf7c | 3995 | |
wolfSSL | 15:117db924cf7c | 3996 | if (IsAtLeastTLSv1_3(ssl->version)) { |
wolfSSL | 15:117db924cf7c | 3997 | /* Derive early secret for handshake secret. */ |
wolfSSL | 15:117db924cf7c | 3998 | if ((ret = DeriveEarlySecret(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 3999 | return ret; |
wolfSSL | 15:117db924cf7c | 4000 | } |
wolfSSL | 15:117db924cf7c | 4001 | } |
wolfSSL | 15:117db924cf7c | 4002 | |
wolfSSL | 15:117db924cf7c | 4003 | WOLFSSL_LEAVE("DoTls13ClientHello", ret); |
wolfSSL | 15:117db924cf7c | 4004 | WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO); |
wolfSSL | 15:117db924cf7c | 4005 | |
wolfSSL | 15:117db924cf7c | 4006 | return ret; |
wolfSSL | 15:117db924cf7c | 4007 | } |
wolfSSL | 15:117db924cf7c | 4008 | |
wolfSSL | 15:117db924cf7c | 4009 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4010 | /* handle generation of TLS 1.3 hello_retry_request (6) */ |
wolfSSL | 15:117db924cf7c | 4011 | /* Send the HelloRetryRequest message to indicate the negotiated protocol |
wolfSSL | 15:117db924cf7c | 4012 | * version and security parameters the server is willing to use. |
wolfSSL | 15:117db924cf7c | 4013 | * Only a server will send this message. |
wolfSSL | 15:117db924cf7c | 4014 | * |
wolfSSL | 15:117db924cf7c | 4015 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4016 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 4017 | */ |
wolfSSL | 15:117db924cf7c | 4018 | int SendTls13HelloRetryRequest(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 4019 | { |
wolfSSL | 15:117db924cf7c | 4020 | int ret; |
wolfSSL | 15:117db924cf7c | 4021 | byte* output; |
wolfSSL | 15:117db924cf7c | 4022 | word32 length; |
wolfSSL | 15:117db924cf7c | 4023 | word16 len; |
wolfSSL | 15:117db924cf7c | 4024 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4025 | int sendSz; |
wolfSSL | 15:117db924cf7c | 4026 | |
wolfSSL | 15:117db924cf7c | 4027 | WOLFSSL_ENTER("SendTls13HelloRetryRequest"); |
wolfSSL | 15:117db924cf7c | 4028 | |
wolfSSL | 15:117db924cf7c | 4029 | /* Get the length of the extensions that will be written. */ |
wolfSSL | 15:117db924cf7c | 4030 | len = 0; |
wolfSSL | 15:117db924cf7c | 4031 | ret = TLSX_GetResponseSize(ssl, hello_retry_request, &len); |
wolfSSL | 15:117db924cf7c | 4032 | /* There must be extensions sent to indicate what client needs to do. */ |
wolfSSL | 15:117db924cf7c | 4033 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4034 | return MISSING_HANDSHAKE_DATA; |
wolfSSL | 15:117db924cf7c | 4035 | |
wolfSSL | 15:117db924cf7c | 4036 | /* Protocol version + Extensions */ |
wolfSSL | 15:117db924cf7c | 4037 | length = OPAQUE16_LEN + len; |
wolfSSL | 15:117db924cf7c | 4038 | sendSz = idx + length; |
wolfSSL | 15:117db924cf7c | 4039 | |
wolfSSL | 15:117db924cf7c | 4040 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 4041 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 4042 | return ret; |
wolfSSL | 15:117db924cf7c | 4043 | |
wolfSSL | 15:117db924cf7c | 4044 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 4045 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 4046 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 4047 | /* Add record and hanshake headers. */ |
wolfSSL | 15:117db924cf7c | 4048 | AddTls13Headers(output, length, hello_retry_request, ssl); |
wolfSSL | 15:117db924cf7c | 4049 | |
wolfSSL | 15:117db924cf7c | 4050 | /* TODO: [TLS13] Replace existing code with code in comment. |
wolfSSL | 15:117db924cf7c | 4051 | * Use the TLS v1.3 draft version for now. |
wolfSSL | 15:117db924cf7c | 4052 | * |
wolfSSL | 15:117db924cf7c | 4053 | * Change to: |
wolfSSL | 15:117db924cf7c | 4054 | * output[idx++] = ssl->version.major; |
wolfSSL | 15:117db924cf7c | 4055 | * output[idx++] = ssl->version.minor; |
wolfSSL | 15:117db924cf7c | 4056 | */ |
wolfSSL | 15:117db924cf7c | 4057 | /* The negotiated protocol version. */ |
wolfSSL | 15:117db924cf7c | 4058 | output[idx++] = TLS_DRAFT_MAJOR; |
wolfSSL | 15:117db924cf7c | 4059 | output[idx++] = TLS_DRAFT_MINOR; |
wolfSSL | 15:117db924cf7c | 4060 | |
wolfSSL | 15:117db924cf7c | 4061 | /* Add TLS extensions. */ |
wolfSSL | 15:117db924cf7c | 4062 | ret = TLSX_WriteResponse(ssl, output + idx, hello_retry_request, NULL); |
wolfSSL | 15:117db924cf7c | 4063 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4064 | return ret; |
wolfSSL | 15:117db924cf7c | 4065 | idx += len; |
wolfSSL | 15:117db924cf7c | 4066 | |
wolfSSL | 15:117db924cf7c | 4067 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 4068 | if (ssl->hsInfoOn) |
wolfSSL | 15:117db924cf7c | 4069 | AddPacketName(ssl, "HelloRetryRequest"); |
wolfSSL | 15:117db924cf7c | 4070 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 4071 | AddPacketInfo(ssl, "HelloRetryRequest", handshake, output, sendSz, |
wolfSSL | 15:117db924cf7c | 4072 | WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 4073 | } |
wolfSSL | 15:117db924cf7c | 4074 | #endif |
wolfSSL | 15:117db924cf7c | 4075 | if ((ret = HashOutput(ssl, output, idx, 0)) != 0) |
wolfSSL | 15:117db924cf7c | 4076 | return ret; |
wolfSSL | 15:117db924cf7c | 4077 | |
wolfSSL | 15:117db924cf7c | 4078 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 4079 | |
wolfSSL | 15:117db924cf7c | 4080 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 4081 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 4082 | |
wolfSSL | 15:117db924cf7c | 4083 | WOLFSSL_LEAVE("SendTls13HelloRetryRequest", ret); |
wolfSSL | 15:117db924cf7c | 4084 | |
wolfSSL | 15:117db924cf7c | 4085 | return ret; |
wolfSSL | 15:117db924cf7c | 4086 | } |
wolfSSL | 15:117db924cf7c | 4087 | #endif /* WOLFSSL_TLS13_DRAFT_18 */ |
wolfSSL | 15:117db924cf7c | 4088 | |
wolfSSL | 15:117db924cf7c | 4089 | /* Send TLS v1.3 ServerHello message to client. |
wolfSSL | 15:117db924cf7c | 4090 | * Only a server will send this message. |
wolfSSL | 15:117db924cf7c | 4091 | * |
wolfSSL | 15:117db924cf7c | 4092 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4093 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 4094 | */ |
wolfSSL | 15:117db924cf7c | 4095 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4096 | static |
wolfSSL | 15:117db924cf7c | 4097 | #endif |
wolfSSL | 15:117db924cf7c | 4098 | /* handle generation of TLS 1.3 server_hello (2) */ |
wolfSSL | 15:117db924cf7c | 4099 | int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType) |
wolfSSL | 15:117db924cf7c | 4100 | { |
wolfSSL | 15:117db924cf7c | 4101 | int ret; |
wolfSSL | 15:117db924cf7c | 4102 | byte* output; |
wolfSSL | 15:117db924cf7c | 4103 | word16 length; |
wolfSSL | 15:117db924cf7c | 4104 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4105 | int sendSz; |
wolfSSL | 15:117db924cf7c | 4106 | |
wolfSSL | 15:117db924cf7c | 4107 | WOLFSSL_START(WC_FUNC_SERVER_HELLO_SEND); |
wolfSSL | 15:117db924cf7c | 4108 | WOLFSSL_ENTER("SendTls13ServerHello"); |
wolfSSL | 15:117db924cf7c | 4109 | |
wolfSSL | 15:117db924cf7c | 4110 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4111 | if (extMsgType == hello_retry_request) { |
wolfSSL | 15:117db924cf7c | 4112 | if ((ret = RestartHandshakeHash(ssl)) < 0) |
wolfSSL | 15:117db924cf7c | 4113 | return ret; |
wolfSSL | 15:117db924cf7c | 4114 | } |
wolfSSL | 15:117db924cf7c | 4115 | #endif |
wolfSSL | 15:117db924cf7c | 4116 | |
wolfSSL | 15:117db924cf7c | 4117 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4118 | /* Protocol version, server random, cipher suite and extensions. */ |
wolfSSL | 15:117db924cf7c | 4119 | length = VERSION_SZ + RAN_LEN + SUITE_LEN; |
wolfSSL | 15:117db924cf7c | 4120 | ret = TLSX_GetResponseSize(ssl, server_hello, &length); |
wolfSSL | 15:117db924cf7c | 4121 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4122 | return ret; |
wolfSSL | 15:117db924cf7c | 4123 | #else |
wolfSSL | 15:117db924cf7c | 4124 | /* Protocol version, server random, session id, cipher suite, compression |
wolfSSL | 15:117db924cf7c | 4125 | * and extensions. |
wolfSSL | 15:117db924cf7c | 4126 | */ |
wolfSSL | 15:117db924cf7c | 4127 | length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session.sessionIDSz + |
wolfSSL | 15:117db924cf7c | 4128 | SUITE_LEN + COMP_LEN; |
wolfSSL | 15:117db924cf7c | 4129 | ret = TLSX_GetResponseSize(ssl, extMsgType, &length); |
wolfSSL | 15:117db924cf7c | 4130 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4131 | return ret; |
wolfSSL | 15:117db924cf7c | 4132 | #endif |
wolfSSL | 15:117db924cf7c | 4133 | sendSz = idx + length; |
wolfSSL | 15:117db924cf7c | 4134 | |
wolfSSL | 15:117db924cf7c | 4135 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 4136 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 4137 | return ret; |
wolfSSL | 15:117db924cf7c | 4138 | |
wolfSSL | 15:117db924cf7c | 4139 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 4140 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 4141 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 4142 | |
wolfSSL | 15:117db924cf7c | 4143 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 4144 | AddTls13Headers(output, length, server_hello, ssl); |
wolfSSL | 15:117db924cf7c | 4145 | |
wolfSSL | 15:117db924cf7c | 4146 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4147 | /* TODO: [TLS13] Replace existing code with code in comment. |
wolfSSL | 15:117db924cf7c | 4148 | * Use the TLS v1.3 draft version for now. |
wolfSSL | 15:117db924cf7c | 4149 | * |
wolfSSL | 15:117db924cf7c | 4150 | * Change to: |
wolfSSL | 15:117db924cf7c | 4151 | * output[idx++] = ssl->version.major; |
wolfSSL | 15:117db924cf7c | 4152 | * output[idx++] = ssl->version.minor; |
wolfSSL | 15:117db924cf7c | 4153 | */ |
wolfSSL | 15:117db924cf7c | 4154 | /* The negotiated protocol version. */ |
wolfSSL | 15:117db924cf7c | 4155 | output[idx++] = TLS_DRAFT_MAJOR; |
wolfSSL | 15:117db924cf7c | 4156 | output[idx++] = TLS_DRAFT_MINOR; |
wolfSSL | 15:117db924cf7c | 4157 | #else |
wolfSSL | 15:117db924cf7c | 4158 | /* The protocol version must be TLS v1.2 for middleboxes. */ |
wolfSSL | 15:117db924cf7c | 4159 | output[idx++] = ssl->version.major; |
wolfSSL | 15:117db924cf7c | 4160 | output[idx++] = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 4161 | #endif |
wolfSSL | 15:117db924cf7c | 4162 | |
wolfSSL | 15:117db924cf7c | 4163 | if (extMsgType == server_hello) { |
wolfSSL | 15:117db924cf7c | 4164 | /* Generate server random. */ |
wolfSSL | 15:117db924cf7c | 4165 | if ((ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN)) != 0) |
wolfSSL | 15:117db924cf7c | 4166 | return ret; |
wolfSSL | 15:117db924cf7c | 4167 | } |
wolfSSL | 15:117db924cf7c | 4168 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4169 | else { |
wolfSSL | 15:117db924cf7c | 4170 | /* HelloRetryRequest message has fixed value for random. */ |
wolfSSL | 15:117db924cf7c | 4171 | XMEMCPY(output + idx, helloRetryRequestRandom, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 4172 | } |
wolfSSL | 15:117db924cf7c | 4173 | #endif |
wolfSSL | 15:117db924cf7c | 4174 | /* Store in SSL for debugging. */ |
wolfSSL | 15:117db924cf7c | 4175 | XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 4176 | idx += RAN_LEN; |
wolfSSL | 15:117db924cf7c | 4177 | |
wolfSSL | 15:117db924cf7c | 4178 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 4179 | WOLFSSL_MSG("Server random"); |
wolfSSL | 15:117db924cf7c | 4180 | WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 4181 | #endif |
wolfSSL | 15:117db924cf7c | 4182 | |
wolfSSL | 15:117db924cf7c | 4183 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4184 | output[idx++] = ssl->session.sessionIDSz; |
wolfSSL | 15:117db924cf7c | 4185 | if (ssl->session.sessionIDSz > 0) { |
wolfSSL | 15:117db924cf7c | 4186 | XMEMCPY(output + idx, ssl->session.sessionID, ssl->session.sessionIDSz); |
wolfSSL | 15:117db924cf7c | 4187 | idx += ssl->session.sessionIDSz; |
wolfSSL | 15:117db924cf7c | 4188 | } |
wolfSSL | 15:117db924cf7c | 4189 | #endif |
wolfSSL | 15:117db924cf7c | 4190 | |
wolfSSL | 15:117db924cf7c | 4191 | /* Chosen cipher suite */ |
wolfSSL | 15:117db924cf7c | 4192 | output[idx++] = ssl->options.cipherSuite0; |
wolfSSL | 15:117db924cf7c | 4193 | output[idx++] = ssl->options.cipherSuite; |
wolfSSL | 15:117db924cf7c | 4194 | |
wolfSSL | 15:117db924cf7c | 4195 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4196 | /* Compression not supported in TLS v1.3. */ |
wolfSSL | 15:117db924cf7c | 4197 | output[idx++] = 0; |
wolfSSL | 15:117db924cf7c | 4198 | #endif |
wolfSSL | 15:117db924cf7c | 4199 | |
wolfSSL | 15:117db924cf7c | 4200 | /* Extensions */ |
wolfSSL | 15:117db924cf7c | 4201 | ret = TLSX_WriteResponse(ssl, output + idx, extMsgType, NULL); |
wolfSSL | 15:117db924cf7c | 4202 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4203 | return ret; |
wolfSSL | 15:117db924cf7c | 4204 | |
wolfSSL | 15:117db924cf7c | 4205 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 4206 | |
wolfSSL | 15:117db924cf7c | 4207 | if ((ret = HashOutput(ssl, output, sendSz, 0)) != 0) |
wolfSSL | 15:117db924cf7c | 4208 | return ret; |
wolfSSL | 15:117db924cf7c | 4209 | |
wolfSSL | 15:117db924cf7c | 4210 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 4211 | if (ssl->hsInfoOn) |
wolfSSL | 15:117db924cf7c | 4212 | AddPacketName(ssl, "ServerHello"); |
wolfSSL | 15:117db924cf7c | 4213 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 4214 | AddPacketInfo(ssl, "ServerHello", handshake, output, sendSz, |
wolfSSL | 15:117db924cf7c | 4215 | WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 4216 | } |
wolfSSL | 15:117db924cf7c | 4217 | #endif |
wolfSSL | 15:117db924cf7c | 4218 | |
wolfSSL | 15:117db924cf7c | 4219 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4220 | ssl->options.serverState = SERVER_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 4221 | #else |
wolfSSL | 15:117db924cf7c | 4222 | if (extMsgType == server_hello) |
wolfSSL | 15:117db924cf7c | 4223 | ssl->options.serverState = SERVER_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 4224 | #endif |
wolfSSL | 15:117db924cf7c | 4225 | |
wolfSSL | 15:117db924cf7c | 4226 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 4227 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 4228 | |
wolfSSL | 15:117db924cf7c | 4229 | WOLFSSL_LEAVE("SendTls13ServerHello", ret); |
wolfSSL | 15:117db924cf7c | 4230 | WOLFSSL_END(WC_FUNC_SERVER_HELLO_SEND); |
wolfSSL | 15:117db924cf7c | 4231 | |
wolfSSL | 15:117db924cf7c | 4232 | return ret; |
wolfSSL | 15:117db924cf7c | 4233 | } |
wolfSSL | 15:117db924cf7c | 4234 | |
wolfSSL | 15:117db924cf7c | 4235 | /* handle generation of TLS 1.3 encrypted_extensions (8) */ |
wolfSSL | 15:117db924cf7c | 4236 | /* Send the rest of the extensions encrypted under the handshake key. |
wolfSSL | 15:117db924cf7c | 4237 | * This message is always encrypted in TLS v1.3. |
wolfSSL | 15:117db924cf7c | 4238 | * Only a server will send this message. |
wolfSSL | 15:117db924cf7c | 4239 | * |
wolfSSL | 15:117db924cf7c | 4240 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4241 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 4242 | */ |
wolfSSL | 15:117db924cf7c | 4243 | static int SendTls13EncryptedExtensions(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 4244 | { |
wolfSSL | 15:117db924cf7c | 4245 | int ret; |
wolfSSL | 15:117db924cf7c | 4246 | byte* output; |
wolfSSL | 15:117db924cf7c | 4247 | word16 length = 0; |
wolfSSL | 15:117db924cf7c | 4248 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4249 | int sendSz; |
wolfSSL | 15:117db924cf7c | 4250 | |
wolfSSL | 15:117db924cf7c | 4251 | WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND); |
wolfSSL | 15:117db924cf7c | 4252 | WOLFSSL_ENTER("SendTls13EncryptedExtensions"); |
wolfSSL | 15:117db924cf7c | 4253 | |
wolfSSL | 15:117db924cf7c | 4254 | ssl->keys.encryptionOn = 1; |
wolfSSL | 15:117db924cf7c | 4255 | |
wolfSSL | 15:117db924cf7c | 4256 | #ifndef WOLFSSL_NO_SERVER_GROUPS_EXT |
wolfSSL | 15:117db924cf7c | 4257 | if ((ret = TLSX_SupportedCurve_CheckPriority(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 4258 | return ret; |
wolfSSL | 15:117db924cf7c | 4259 | #endif |
wolfSSL | 15:117db924cf7c | 4260 | |
wolfSSL | 15:117db924cf7c | 4261 | /* Derive the handshake secret now that we are at first message to be |
wolfSSL | 15:117db924cf7c | 4262 | * encrypted under the keys. |
wolfSSL | 15:117db924cf7c | 4263 | */ |
wolfSSL | 15:117db924cf7c | 4264 | if ((ret = DeriveHandshakeSecret(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 4265 | return ret; |
wolfSSL | 15:117db924cf7c | 4266 | if ((ret = DeriveTls13Keys(ssl, handshake_key, |
wolfSSL | 15:117db924cf7c | 4267 | ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) |
wolfSSL | 15:117db924cf7c | 4268 | return ret; |
wolfSSL | 15:117db924cf7c | 4269 | |
wolfSSL | 15:117db924cf7c | 4270 | /* Setup encrypt/decrypt keys for following messages. */ |
wolfSSL | 15:117db924cf7c | 4271 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 4272 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 4273 | return ret; |
wolfSSL | 15:117db924cf7c | 4274 | if (ssl->earlyData != process_early_data) { |
wolfSSL | 15:117db924cf7c | 4275 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 4276 | return ret; |
wolfSSL | 15:117db924cf7c | 4277 | } |
wolfSSL | 15:117db924cf7c | 4278 | #else |
wolfSSL | 15:117db924cf7c | 4279 | if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0) |
wolfSSL | 15:117db924cf7c | 4280 | return ret; |
wolfSSL | 15:117db924cf7c | 4281 | #endif |
wolfSSL | 15:117db924cf7c | 4282 | |
wolfSSL | 15:117db924cf7c | 4283 | ret = TLSX_GetResponseSize(ssl, encrypted_extensions, &length); |
wolfSSL | 15:117db924cf7c | 4284 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4285 | return ret; |
wolfSSL | 15:117db924cf7c | 4286 | |
wolfSSL | 15:117db924cf7c | 4287 | sendSz = idx + length; |
wolfSSL | 15:117db924cf7c | 4288 | /* Encryption always on. */ |
wolfSSL | 15:117db924cf7c | 4289 | sendSz += MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 4290 | |
wolfSSL | 15:117db924cf7c | 4291 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 4292 | ret = CheckAvailableSize(ssl, sendSz); |
wolfSSL | 15:117db924cf7c | 4293 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4294 | return ret; |
wolfSSL | 15:117db924cf7c | 4295 | |
wolfSSL | 15:117db924cf7c | 4296 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 4297 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 4298 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 4299 | |
wolfSSL | 15:117db924cf7c | 4300 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 4301 | AddTls13Headers(output, length, encrypted_extensions, ssl); |
wolfSSL | 15:117db924cf7c | 4302 | |
wolfSSL | 15:117db924cf7c | 4303 | ret = TLSX_WriteResponse(ssl, output + idx, encrypted_extensions, NULL); |
wolfSSL | 15:117db924cf7c | 4304 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4305 | return ret; |
wolfSSL | 15:117db924cf7c | 4306 | idx += length; |
wolfSSL | 15:117db924cf7c | 4307 | |
wolfSSL | 15:117db924cf7c | 4308 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 4309 | if (ssl->hsInfoOn) |
wolfSSL | 15:117db924cf7c | 4310 | AddPacketName(ssl, "EncryptedExtensions"); |
wolfSSL | 15:117db924cf7c | 4311 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 4312 | AddPacketInfo(ssl, "EncryptedExtensions", handshake, output, |
wolfSSL | 15:117db924cf7c | 4313 | sendSz, WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 4314 | } |
wolfSSL | 15:117db924cf7c | 4315 | #endif |
wolfSSL | 15:117db924cf7c | 4316 | |
wolfSSL | 15:117db924cf7c | 4317 | /* This handshake message is always encrypted. */ |
wolfSSL | 15:117db924cf7c | 4318 | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 4319 | idx - RECORD_HEADER_SZ, handshake, 1, 0, 0); |
wolfSSL | 15:117db924cf7c | 4320 | if (sendSz < 0) |
wolfSSL | 15:117db924cf7c | 4321 | return sendSz; |
wolfSSL | 15:117db924cf7c | 4322 | |
wolfSSL | 15:117db924cf7c | 4323 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 4324 | |
wolfSSL | 15:117db924cf7c | 4325 | ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE; |
wolfSSL | 15:117db924cf7c | 4326 | |
wolfSSL | 15:117db924cf7c | 4327 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 4328 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 4329 | |
wolfSSL | 15:117db924cf7c | 4330 | WOLFSSL_LEAVE("SendTls13EncryptedExtensions", ret); |
wolfSSL | 15:117db924cf7c | 4331 | WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND); |
wolfSSL | 15:117db924cf7c | 4332 | |
wolfSSL | 15:117db924cf7c | 4333 | return ret; |
wolfSSL | 15:117db924cf7c | 4334 | } |
wolfSSL | 15:117db924cf7c | 4335 | |
wolfSSL | 15:117db924cf7c | 4336 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 4337 | /* handle generation TLS v1.3 certificate_request (13) */ |
wolfSSL | 15:117db924cf7c | 4338 | /* Send the TLS v1.3 CertificateRequest message. |
wolfSSL | 15:117db924cf7c | 4339 | * This message is always encrypted in TLS v1.3. |
wolfSSL | 15:117db924cf7c | 4340 | * Only a server will send this message. |
wolfSSL | 15:117db924cf7c | 4341 | * |
wolfSSL | 15:117db924cf7c | 4342 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4343 | * reqCtx Request context. |
wolfSSL | 15:117db924cf7c | 4344 | * reqCtxLen Length of context. 0 when sending as part of handshake. |
wolfSSL | 15:117db924cf7c | 4345 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 4346 | */ |
wolfSSL | 15:117db924cf7c | 4347 | static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx, |
wolfSSL | 15:117db924cf7c | 4348 | int reqCtxLen) |
wolfSSL | 15:117db924cf7c | 4349 | { |
wolfSSL | 15:117db924cf7c | 4350 | byte* output; |
wolfSSL | 15:117db924cf7c | 4351 | int ret; |
wolfSSL | 15:117db924cf7c | 4352 | int sendSz; |
wolfSSL | 15:117db924cf7c | 4353 | word32 i; |
wolfSSL | 15:117db924cf7c | 4354 | word16 reqSz; |
wolfSSL | 15:117db924cf7c | 4355 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4356 | TLSX* ext; |
wolfSSL | 15:117db924cf7c | 4357 | #endif |
wolfSSL | 15:117db924cf7c | 4358 | |
wolfSSL | 15:117db924cf7c | 4359 | WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_SEND); |
wolfSSL | 15:117db924cf7c | 4360 | WOLFSSL_ENTER("SendTls13CertificateRequest"); |
wolfSSL | 15:117db924cf7c | 4361 | |
wolfSSL | 15:117db924cf7c | 4362 | if (ssl->options.side == WOLFSSL_SERVER_END) |
wolfSSL | 15:117db924cf7c | 4363 | InitSuitesHashSigAlgo(ssl->suites, 1, 1, 0, 1, ssl->buffers.keySz); |
wolfSSL | 15:117db924cf7c | 4364 | |
wolfSSL | 15:117db924cf7c | 4365 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4366 | i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4367 | reqSz = OPAQUE8_LEN + reqCtxLen + REQ_HEADER_SZ + REQ_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4368 | reqSz += LENGTH_SZ + ssl->suites->hashSigAlgoSz; |
wolfSSL | 15:117db924cf7c | 4369 | |
wolfSSL | 15:117db924cf7c | 4370 | sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz; |
wolfSSL | 15:117db924cf7c | 4371 | /* Always encrypted and make room for padding. */ |
wolfSSL | 15:117db924cf7c | 4372 | sendSz += MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 4373 | |
wolfSSL | 15:117db924cf7c | 4374 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 4375 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 4376 | return ret; |
wolfSSL | 15:117db924cf7c | 4377 | |
wolfSSL | 15:117db924cf7c | 4378 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 4379 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 4380 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 4381 | |
wolfSSL | 15:117db924cf7c | 4382 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 4383 | AddTls13Headers(output, reqSz, certificate_request, ssl); |
wolfSSL | 15:117db924cf7c | 4384 | |
wolfSSL | 15:117db924cf7c | 4385 | /* Certificate request context. */ |
wolfSSL | 15:117db924cf7c | 4386 | output[i++] = reqCtxLen; |
wolfSSL | 15:117db924cf7c | 4387 | if (reqCtxLen != 0) { |
wolfSSL | 15:117db924cf7c | 4388 | XMEMCPY(output + i, reqCtx, reqCtxLen); |
wolfSSL | 15:117db924cf7c | 4389 | i += reqCtxLen; |
wolfSSL | 15:117db924cf7c | 4390 | } |
wolfSSL | 15:117db924cf7c | 4391 | |
wolfSSL | 15:117db924cf7c | 4392 | /* supported hash/sig */ |
wolfSSL | 15:117db924cf7c | 4393 | c16toa(ssl->suites->hashSigAlgoSz, &output[i]); |
wolfSSL | 15:117db924cf7c | 4394 | i += LENGTH_SZ; |
wolfSSL | 15:117db924cf7c | 4395 | |
wolfSSL | 15:117db924cf7c | 4396 | XMEMCPY(&output[i], ssl->suites->hashSigAlgo, ssl->suites->hashSigAlgoSz); |
wolfSSL | 15:117db924cf7c | 4397 | i += ssl->suites->hashSigAlgoSz; |
wolfSSL | 15:117db924cf7c | 4398 | |
wolfSSL | 15:117db924cf7c | 4399 | /* Certificate authorities not supported yet - empty buffer. */ |
wolfSSL | 15:117db924cf7c | 4400 | c16toa(0, &output[i]); |
wolfSSL | 15:117db924cf7c | 4401 | i += REQ_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4402 | |
wolfSSL | 15:117db924cf7c | 4403 | /* Certificate extensions. */ |
wolfSSL | 15:117db924cf7c | 4404 | c16toa(0, &output[i]); /* auth's */ |
wolfSSL | 15:117db924cf7c | 4405 | i += REQ_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4406 | #else |
wolfSSL | 15:117db924cf7c | 4407 | ext = TLSX_Find(ssl->extensions, TLSX_SIGNATURE_ALGORITHMS); |
wolfSSL | 15:117db924cf7c | 4408 | if (ext == NULL) |
wolfSSL | 15:117db924cf7c | 4409 | return EXT_MISSING; |
wolfSSL | 15:117db924cf7c | 4410 | ext->resp = 0; |
wolfSSL | 15:117db924cf7c | 4411 | |
wolfSSL | 15:117db924cf7c | 4412 | i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4413 | reqSz = (word16)(OPAQUE8_LEN + reqCtxLen); |
wolfSSL | 15:117db924cf7c | 4414 | ret = TLSX_GetRequestSize(ssl, certificate_request, &reqSz); |
wolfSSL | 15:117db924cf7c | 4415 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4416 | return ret; |
wolfSSL | 15:117db924cf7c | 4417 | |
wolfSSL | 15:117db924cf7c | 4418 | sendSz = i + reqSz; |
wolfSSL | 15:117db924cf7c | 4419 | /* Always encrypted and make room for padding. */ |
wolfSSL | 15:117db924cf7c | 4420 | sendSz += MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 4421 | |
wolfSSL | 15:117db924cf7c | 4422 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 4423 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 4424 | return ret; |
wolfSSL | 15:117db924cf7c | 4425 | |
wolfSSL | 15:117db924cf7c | 4426 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 4427 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 4428 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 4429 | |
wolfSSL | 15:117db924cf7c | 4430 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 4431 | AddTls13Headers(output, reqSz, certificate_request, ssl); |
wolfSSL | 15:117db924cf7c | 4432 | |
wolfSSL | 15:117db924cf7c | 4433 | /* Certificate request context. */ |
wolfSSL | 15:117db924cf7c | 4434 | output[i++] = (byte)reqCtxLen; |
wolfSSL | 15:117db924cf7c | 4435 | if (reqCtxLen != 0) { |
wolfSSL | 15:117db924cf7c | 4436 | XMEMCPY(output + i, reqCtx, reqCtxLen); |
wolfSSL | 15:117db924cf7c | 4437 | i += reqCtxLen; |
wolfSSL | 15:117db924cf7c | 4438 | } |
wolfSSL | 15:117db924cf7c | 4439 | |
wolfSSL | 15:117db924cf7c | 4440 | /* Certificate extensions. */ |
wolfSSL | 15:117db924cf7c | 4441 | reqSz = 0; |
wolfSSL | 15:117db924cf7c | 4442 | ret = TLSX_WriteRequest(ssl, output + i, certificate_request, &reqSz); |
wolfSSL | 15:117db924cf7c | 4443 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4444 | return ret; |
wolfSSL | 15:117db924cf7c | 4445 | i += reqSz; |
wolfSSL | 15:117db924cf7c | 4446 | #endif |
wolfSSL | 15:117db924cf7c | 4447 | |
wolfSSL | 15:117db924cf7c | 4448 | /* Always encrypted. */ |
wolfSSL | 15:117db924cf7c | 4449 | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 4450 | i - RECORD_HEADER_SZ, handshake, 1, 0, 0); |
wolfSSL | 15:117db924cf7c | 4451 | if (sendSz < 0) |
wolfSSL | 15:117db924cf7c | 4452 | return sendSz; |
wolfSSL | 15:117db924cf7c | 4453 | |
wolfSSL | 15:117db924cf7c | 4454 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 4455 | if (ssl->hsInfoOn) |
wolfSSL | 15:117db924cf7c | 4456 | AddPacketName(ssl, "CertificateRequest"); |
wolfSSL | 15:117db924cf7c | 4457 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 4458 | AddPacketInfo(ssl, "CertificateRequest", handshake, output, |
wolfSSL | 15:117db924cf7c | 4459 | sendSz, WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 4460 | } |
wolfSSL | 15:117db924cf7c | 4461 | #endif |
wolfSSL | 15:117db924cf7c | 4462 | |
wolfSSL | 15:117db924cf7c | 4463 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 4464 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 4465 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 4466 | |
wolfSSL | 15:117db924cf7c | 4467 | WOLFSSL_LEAVE("SendTls13CertificateRequest", ret); |
wolfSSL | 15:117db924cf7c | 4468 | WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_SEND); |
wolfSSL | 15:117db924cf7c | 4469 | |
wolfSSL | 15:117db924cf7c | 4470 | return ret; |
wolfSSL | 15:117db924cf7c | 4471 | } |
wolfSSL | 15:117db924cf7c | 4472 | #endif /* NO_CERTS */ |
wolfSSL | 15:117db924cf7c | 4473 | #endif /* NO_WOLFSSL_SERVER */ |
wolfSSL | 15:117db924cf7c | 4474 | |
wolfSSL | 15:117db924cf7c | 4475 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 4476 | #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) |
wolfSSL | 15:117db924cf7c | 4477 | /* Encode the signature algorithm into buffer. |
wolfSSL | 15:117db924cf7c | 4478 | * |
wolfSSL | 15:117db924cf7c | 4479 | * hashalgo The hash algorithm. |
wolfSSL | 15:117db924cf7c | 4480 | * hsType The signature type. |
wolfSSL | 15:117db924cf7c | 4481 | * output The buffer to encode into. |
wolfSSL | 15:117db924cf7c | 4482 | */ |
wolfSSL | 15:117db924cf7c | 4483 | static WC_INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output) |
wolfSSL | 15:117db924cf7c | 4484 | { |
wolfSSL | 15:117db924cf7c | 4485 | switch (hsType) { |
wolfSSL | 15:117db924cf7c | 4486 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 4487 | case ecc_dsa_sa_algo: |
wolfSSL | 15:117db924cf7c | 4488 | output[0] = hashAlgo; |
wolfSSL | 15:117db924cf7c | 4489 | output[1] = ecc_dsa_sa_algo; |
wolfSSL | 15:117db924cf7c | 4490 | break; |
wolfSSL | 15:117db924cf7c | 4491 | #endif |
wolfSSL | 15:117db924cf7c | 4492 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 4493 | /* ED25519: 0x0807 */ |
wolfSSL | 15:117db924cf7c | 4494 | case ed25519_sa_algo: |
wolfSSL | 15:117db924cf7c | 4495 | output[0] = ED25519_SA_MAJOR; |
wolfSSL | 15:117db924cf7c | 4496 | output[1] = ED25519_SA_MINOR; |
wolfSSL | 15:117db924cf7c | 4497 | (void)hashAlgo; |
wolfSSL | 15:117db924cf7c | 4498 | break; |
wolfSSL | 15:117db924cf7c | 4499 | #endif |
wolfSSL | 15:117db924cf7c | 4500 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 4501 | /* PSS signatures: 0x080[4-6] */ |
wolfSSL | 15:117db924cf7c | 4502 | case rsa_pss_sa_algo: |
wolfSSL | 15:117db924cf7c | 4503 | output[0] = rsa_pss_sa_algo; |
wolfSSL | 15:117db924cf7c | 4504 | output[1] = hashAlgo; |
wolfSSL | 15:117db924cf7c | 4505 | break; |
wolfSSL | 15:117db924cf7c | 4506 | #endif |
wolfSSL | 15:117db924cf7c | 4507 | /* ED448: 0x0808 */ |
wolfSSL | 15:117db924cf7c | 4508 | } |
wolfSSL | 15:117db924cf7c | 4509 | } |
wolfSSL | 15:117db924cf7c | 4510 | |
wolfSSL | 15:117db924cf7c | 4511 | /* Decode the signature algorithm. |
wolfSSL | 15:117db924cf7c | 4512 | * |
wolfSSL | 15:117db924cf7c | 4513 | * input The encoded signature algorithm. |
wolfSSL | 15:117db924cf7c | 4514 | * hashalgo The hash algorithm. |
wolfSSL | 15:117db924cf7c | 4515 | * hsType The signature type. |
wolfSSL | 15:117db924cf7c | 4516 | */ |
wolfSSL | 15:117db924cf7c | 4517 | static WC_INLINE void DecodeSigAlg(byte* input, byte* hashAlgo, byte* hsType) |
wolfSSL | 15:117db924cf7c | 4518 | { |
wolfSSL | 15:117db924cf7c | 4519 | switch (input[0]) { |
wolfSSL | 15:117db924cf7c | 4520 | case NEW_SA_MAJOR: |
wolfSSL | 15:117db924cf7c | 4521 | /* PSS signatures: 0x080[4-6] */ |
wolfSSL | 15:117db924cf7c | 4522 | if (input[1] <= sha512_mac) { |
wolfSSL | 15:117db924cf7c | 4523 | *hsType = input[0]; |
wolfSSL | 15:117db924cf7c | 4524 | *hashAlgo = input[1]; |
wolfSSL | 15:117db924cf7c | 4525 | } |
wolfSSL | 15:117db924cf7c | 4526 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 4527 | /* ED25519: 0x0807 */ |
wolfSSL | 15:117db924cf7c | 4528 | if (input[1] == ED25519_SA_MINOR) { |
wolfSSL | 15:117db924cf7c | 4529 | *hsType = ed25519_sa_algo; |
wolfSSL | 15:117db924cf7c | 4530 | /* Hash performed as part of sign/verify operation. */ |
wolfSSL | 15:117db924cf7c | 4531 | *hashAlgo = sha512_mac; |
wolfSSL | 15:117db924cf7c | 4532 | } |
wolfSSL | 15:117db924cf7c | 4533 | #endif |
wolfSSL | 15:117db924cf7c | 4534 | /* ED448: 0x0808 */ |
wolfSSL | 15:117db924cf7c | 4535 | break; |
wolfSSL | 15:117db924cf7c | 4536 | default: |
wolfSSL | 15:117db924cf7c | 4537 | *hashAlgo = input[0]; |
wolfSSL | 15:117db924cf7c | 4538 | *hsType = input[1]; |
wolfSSL | 15:117db924cf7c | 4539 | break; |
wolfSSL | 15:117db924cf7c | 4540 | } |
wolfSSL | 15:117db924cf7c | 4541 | } |
wolfSSL | 15:117db924cf7c | 4542 | |
wolfSSL | 15:117db924cf7c | 4543 | /* Get the hash of the messages so far. |
wolfSSL | 15:117db924cf7c | 4544 | * |
wolfSSL | 15:117db924cf7c | 4545 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4546 | * hash The buffer to write the hash to. |
wolfSSL | 15:117db924cf7c | 4547 | * returns the length of the hash. |
wolfSSL | 15:117db924cf7c | 4548 | */ |
wolfSSL | 15:117db924cf7c | 4549 | static WC_INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash) |
wolfSSL | 15:117db924cf7c | 4550 | { |
wolfSSL | 15:117db924cf7c | 4551 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 4552 | switch (ssl->specs.mac_algorithm) { |
wolfSSL | 15:117db924cf7c | 4553 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 4554 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 4555 | ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash); |
wolfSSL | 15:117db924cf7c | 4556 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 4557 | ret = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 4558 | break; |
wolfSSL | 15:117db924cf7c | 4559 | #endif /* !NO_SHA256 */ |
wolfSSL | 15:117db924cf7c | 4560 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 4561 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 4562 | ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash); |
wolfSSL | 15:117db924cf7c | 4563 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 4564 | ret = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 4565 | break; |
wolfSSL | 15:117db924cf7c | 4566 | #endif /* WOLFSSL_SHA384 */ |
wolfSSL | 15:117db924cf7c | 4567 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 4568 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 4569 | ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash); |
wolfSSL | 15:117db924cf7c | 4570 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 4571 | ret = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 4572 | break; |
wolfSSL | 15:117db924cf7c | 4573 | #endif /* WOLFSSL_TLS13_SHA512 */ |
wolfSSL | 15:117db924cf7c | 4574 | } |
wolfSSL | 15:117db924cf7c | 4575 | return ret; |
wolfSSL | 15:117db924cf7c | 4576 | } |
wolfSSL | 15:117db924cf7c | 4577 | |
wolfSSL | 15:117db924cf7c | 4578 | /* The length of the certificate verification label - client and server. */ |
wolfSSL | 15:117db924cf7c | 4579 | #define CERT_VFY_LABEL_SZ 34 |
wolfSSL | 15:117db924cf7c | 4580 | /* The server certificate verification label. */ |
wolfSSL | 15:117db924cf7c | 4581 | static const byte serverCertVfyLabel[CERT_VFY_LABEL_SZ] = |
wolfSSL | 15:117db924cf7c | 4582 | "TLS 1.3, server CertificateVerify"; |
wolfSSL | 15:117db924cf7c | 4583 | /* The client certificate verification label. */ |
wolfSSL | 15:117db924cf7c | 4584 | static const byte clientCertVfyLabel[CERT_VFY_LABEL_SZ] = |
wolfSSL | 15:117db924cf7c | 4585 | "TLS 1.3, client CertificateVerify"; |
wolfSSL | 15:117db924cf7c | 4586 | |
wolfSSL | 15:117db924cf7c | 4587 | /* The number of prefix bytes for signature data. */ |
wolfSSL | 15:117db924cf7c | 4588 | #define SIGNING_DATA_PREFIX_SZ 64 |
wolfSSL | 15:117db924cf7c | 4589 | /* The prefix byte in the signature data. */ |
wolfSSL | 15:117db924cf7c | 4590 | #define SIGNING_DATA_PREFIX_BYTE 0x20 |
wolfSSL | 15:117db924cf7c | 4591 | /* Maximum length of the signature data. */ |
wolfSSL | 15:117db924cf7c | 4592 | #define MAX_SIG_DATA_SZ (SIGNING_DATA_PREFIX_SZ + \ |
wolfSSL | 15:117db924cf7c | 4593 | CERT_VFY_LABEL_SZ + \ |
wolfSSL | 15:117db924cf7c | 4594 | WC_MAX_DIGEST_SIZE) |
wolfSSL | 15:117db924cf7c | 4595 | |
wolfSSL | 15:117db924cf7c | 4596 | /* Create the signature data for TLS v1.3 certificate verification. |
wolfSSL | 15:117db924cf7c | 4597 | * |
wolfSSL | 15:117db924cf7c | 4598 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4599 | * sigData The signature data. |
wolfSSL | 15:117db924cf7c | 4600 | * sigDataSz The length of the signature data. |
wolfSSL | 15:117db924cf7c | 4601 | * check Indicates this is a check not create. |
wolfSSL | 15:117db924cf7c | 4602 | */ |
wolfSSL | 15:117db924cf7c | 4603 | static int CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz, |
wolfSSL | 15:117db924cf7c | 4604 | int check) |
wolfSSL | 15:117db924cf7c | 4605 | { |
wolfSSL | 15:117db924cf7c | 4606 | word16 idx; |
wolfSSL | 15:117db924cf7c | 4607 | int side = ssl->options.side; |
wolfSSL | 15:117db924cf7c | 4608 | int ret; |
wolfSSL | 15:117db924cf7c | 4609 | |
wolfSSL | 15:117db924cf7c | 4610 | /* Signature Data = Prefix | Label | Handshake Hash */ |
wolfSSL | 15:117db924cf7c | 4611 | XMEMSET(sigData, SIGNING_DATA_PREFIX_BYTE, SIGNING_DATA_PREFIX_SZ); |
wolfSSL | 15:117db924cf7c | 4612 | idx = SIGNING_DATA_PREFIX_SZ; |
wolfSSL | 15:117db924cf7c | 4613 | |
wolfSSL | 15:117db924cf7c | 4614 | if ((side == WOLFSSL_SERVER_END && check) || |
wolfSSL | 15:117db924cf7c | 4615 | (side == WOLFSSL_CLIENT_END && !check)) { |
wolfSSL | 15:117db924cf7c | 4616 | XMEMCPY(&sigData[idx], clientCertVfyLabel, CERT_VFY_LABEL_SZ); |
wolfSSL | 15:117db924cf7c | 4617 | } |
wolfSSL | 15:117db924cf7c | 4618 | if ((side == WOLFSSL_CLIENT_END && check) || |
wolfSSL | 15:117db924cf7c | 4619 | (side == WOLFSSL_SERVER_END && !check)) { |
wolfSSL | 15:117db924cf7c | 4620 | XMEMCPY(&sigData[idx], serverCertVfyLabel, CERT_VFY_LABEL_SZ); |
wolfSSL | 15:117db924cf7c | 4621 | } |
wolfSSL | 15:117db924cf7c | 4622 | idx += CERT_VFY_LABEL_SZ; |
wolfSSL | 15:117db924cf7c | 4623 | |
wolfSSL | 15:117db924cf7c | 4624 | ret = GetMsgHash(ssl, &sigData[idx]); |
wolfSSL | 15:117db924cf7c | 4625 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 4626 | return ret; |
wolfSSL | 15:117db924cf7c | 4627 | |
wolfSSL | 15:117db924cf7c | 4628 | *sigDataSz = (word16)(idx + ret); |
wolfSSL | 15:117db924cf7c | 4629 | ret = 0; |
wolfSSL | 15:117db924cf7c | 4630 | |
wolfSSL | 15:117db924cf7c | 4631 | return ret; |
wolfSSL | 15:117db924cf7c | 4632 | } |
wolfSSL | 15:117db924cf7c | 4633 | |
wolfSSL | 15:117db924cf7c | 4634 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 4635 | /* Encode the PKCS #1.5 RSA signature. |
wolfSSL | 15:117db924cf7c | 4636 | * |
wolfSSL | 15:117db924cf7c | 4637 | * sig The buffer to place the encoded signature into. |
wolfSSL | 15:117db924cf7c | 4638 | * sigData The data to be signed. |
wolfSSL | 15:117db924cf7c | 4639 | * sigDataSz The size of the data to be signed. |
wolfSSL | 15:117db924cf7c | 4640 | * hashAlgo The hash algorithm to use when signing. |
wolfSSL | 15:117db924cf7c | 4641 | * returns the length of the encoded signature or negative on error. |
wolfSSL | 15:117db924cf7c | 4642 | */ |
wolfSSL | 15:117db924cf7c | 4643 | static int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz, |
wolfSSL | 15:117db924cf7c | 4644 | int sigAlgo, int hashAlgo) |
wolfSSL | 15:117db924cf7c | 4645 | { |
wolfSSL | 15:117db924cf7c | 4646 | Digest digest; |
wolfSSL | 15:117db924cf7c | 4647 | int hashSz = 0; |
wolfSSL | 15:117db924cf7c | 4648 | int ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 4649 | byte* hash; |
wolfSSL | 15:117db924cf7c | 4650 | |
wolfSSL | 15:117db924cf7c | 4651 | (void)sigAlgo; |
wolfSSL | 15:117db924cf7c | 4652 | |
wolfSSL | 15:117db924cf7c | 4653 | hash = sig; |
wolfSSL | 15:117db924cf7c | 4654 | |
wolfSSL | 15:117db924cf7c | 4655 | /* Digest the signature data. */ |
wolfSSL | 15:117db924cf7c | 4656 | switch (hashAlgo) { |
wolfSSL | 15:117db924cf7c | 4657 | #ifndef NO_WOLFSSL_SHA256 |
wolfSSL | 15:117db924cf7c | 4658 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 4659 | ret = wc_InitSha256(&digest.sha256); |
wolfSSL | 15:117db924cf7c | 4660 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 4661 | ret = wc_Sha256Update(&digest.sha256, sigData, sigDataSz); |
wolfSSL | 15:117db924cf7c | 4662 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 4663 | ret = wc_Sha256Final(&digest.sha256, hash); |
wolfSSL | 15:117db924cf7c | 4664 | wc_Sha256Free(&digest.sha256); |
wolfSSL | 15:117db924cf7c | 4665 | } |
wolfSSL | 15:117db924cf7c | 4666 | hashSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 4667 | break; |
wolfSSL | 15:117db924cf7c | 4668 | #endif |
wolfSSL | 15:117db924cf7c | 4669 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 4670 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 4671 | ret = wc_InitSha384(&digest.sha384); |
wolfSSL | 15:117db924cf7c | 4672 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 4673 | ret = wc_Sha384Update(&digest.sha384, sigData, sigDataSz); |
wolfSSL | 15:117db924cf7c | 4674 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 4675 | ret = wc_Sha384Final(&digest.sha384, hash); |
wolfSSL | 15:117db924cf7c | 4676 | wc_Sha384Free(&digest.sha384); |
wolfSSL | 15:117db924cf7c | 4677 | } |
wolfSSL | 15:117db924cf7c | 4678 | hashSz = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 4679 | break; |
wolfSSL | 15:117db924cf7c | 4680 | #endif |
wolfSSL | 15:117db924cf7c | 4681 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 4682 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 4683 | ret = wc_InitSha512(&digest.sha512); |
wolfSSL | 15:117db924cf7c | 4684 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 4685 | ret = wc_Sha512Update(&digest.sha512, sigData, sigDataSz); |
wolfSSL | 15:117db924cf7c | 4686 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 4687 | ret = wc_Sha512Final(&digest.sha512, hash); |
wolfSSL | 15:117db924cf7c | 4688 | wc_Sha512Free(&digest.sha512); |
wolfSSL | 15:117db924cf7c | 4689 | } |
wolfSSL | 15:117db924cf7c | 4690 | hashSz = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 4691 | break; |
wolfSSL | 15:117db924cf7c | 4692 | #endif |
wolfSSL | 15:117db924cf7c | 4693 | } |
wolfSSL | 15:117db924cf7c | 4694 | |
wolfSSL | 15:117db924cf7c | 4695 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4696 | return ret; |
wolfSSL | 15:117db924cf7c | 4697 | |
wolfSSL | 15:117db924cf7c | 4698 | return hashSz; |
wolfSSL | 15:117db924cf7c | 4699 | } |
wolfSSL | 15:117db924cf7c | 4700 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 4701 | |
wolfSSL | 15:117db924cf7c | 4702 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 4703 | /* Encode the ECC signature. |
wolfSSL | 15:117db924cf7c | 4704 | * |
wolfSSL | 15:117db924cf7c | 4705 | * sigData The data to be signed. |
wolfSSL | 15:117db924cf7c | 4706 | * sigDataSz The size of the data to be signed. |
wolfSSL | 15:117db924cf7c | 4707 | * hashAlgo The hash algorithm to use when signing. |
wolfSSL | 15:117db924cf7c | 4708 | * returns the length of the encoded signature or negative on error. |
wolfSSL | 15:117db924cf7c | 4709 | */ |
wolfSSL | 15:117db924cf7c | 4710 | static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo) |
wolfSSL | 15:117db924cf7c | 4711 | { |
wolfSSL | 15:117db924cf7c | 4712 | Digest digest; |
wolfSSL | 15:117db924cf7c | 4713 | int hashSz = 0; |
wolfSSL | 15:117db924cf7c | 4714 | int ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 4715 | |
wolfSSL | 15:117db924cf7c | 4716 | /* Digest the signature data. */ |
wolfSSL | 15:117db924cf7c | 4717 | switch (hashAlgo) { |
wolfSSL | 15:117db924cf7c | 4718 | #ifndef NO_WOLFSSL_SHA256 |
wolfSSL | 15:117db924cf7c | 4719 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 4720 | ret = wc_InitSha256(&digest.sha256); |
wolfSSL | 15:117db924cf7c | 4721 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 4722 | ret = wc_Sha256Update(&digest.sha256, sigData, sigDataSz); |
wolfSSL | 15:117db924cf7c | 4723 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 4724 | ret = wc_Sha256Final(&digest.sha256, sigData); |
wolfSSL | 15:117db924cf7c | 4725 | wc_Sha256Free(&digest.sha256); |
wolfSSL | 15:117db924cf7c | 4726 | } |
wolfSSL | 15:117db924cf7c | 4727 | hashSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 4728 | break; |
wolfSSL | 15:117db924cf7c | 4729 | #endif |
wolfSSL | 15:117db924cf7c | 4730 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 4731 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 4732 | ret = wc_InitSha384(&digest.sha384); |
wolfSSL | 15:117db924cf7c | 4733 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 4734 | ret = wc_Sha384Update(&digest.sha384, sigData, sigDataSz); |
wolfSSL | 15:117db924cf7c | 4735 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 4736 | ret = wc_Sha384Final(&digest.sha384, sigData); |
wolfSSL | 15:117db924cf7c | 4737 | wc_Sha384Free(&digest.sha384); |
wolfSSL | 15:117db924cf7c | 4738 | } |
wolfSSL | 15:117db924cf7c | 4739 | hashSz = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 4740 | break; |
wolfSSL | 15:117db924cf7c | 4741 | #endif |
wolfSSL | 15:117db924cf7c | 4742 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 4743 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 4744 | ret = wc_InitSha512(&digest.sha512); |
wolfSSL | 15:117db924cf7c | 4745 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 4746 | ret = wc_Sha512Update(&digest.sha512, sigData, sigDataSz); |
wolfSSL | 15:117db924cf7c | 4747 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 4748 | ret = wc_Sha512Final(&digest.sha512, sigData); |
wolfSSL | 15:117db924cf7c | 4749 | wc_Sha512Free(&digest.sha512); |
wolfSSL | 15:117db924cf7c | 4750 | } |
wolfSSL | 15:117db924cf7c | 4751 | hashSz = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 4752 | break; |
wolfSSL | 15:117db924cf7c | 4753 | #endif |
wolfSSL | 15:117db924cf7c | 4754 | } |
wolfSSL | 15:117db924cf7c | 4755 | |
wolfSSL | 15:117db924cf7c | 4756 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4757 | return ret; |
wolfSSL | 15:117db924cf7c | 4758 | |
wolfSSL | 15:117db924cf7c | 4759 | return hashSz; |
wolfSSL | 15:117db924cf7c | 4760 | } |
wolfSSL | 15:117db924cf7c | 4761 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 4762 | |
wolfSSL | 15:117db924cf7c | 4763 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 4764 | /* Check that the decrypted signature matches the encoded signature |
wolfSSL | 15:117db924cf7c | 4765 | * based on the digest of the signature data. |
wolfSSL | 15:117db924cf7c | 4766 | * |
wolfSSL | 15:117db924cf7c | 4767 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4768 | * sigAlgo The signature algorithm used to generate signature. |
wolfSSL | 15:117db924cf7c | 4769 | * hashAlgo The hash algorithm used to generate signature. |
wolfSSL | 15:117db924cf7c | 4770 | * decSig The decrypted signature. |
wolfSSL | 15:117db924cf7c | 4771 | * decSigSz The size of the decrypted signature. |
wolfSSL | 15:117db924cf7c | 4772 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 4773 | */ |
wolfSSL | 15:117db924cf7c | 4774 | static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo, |
wolfSSL | 15:117db924cf7c | 4775 | byte* decSig, word32 decSigSz) |
wolfSSL | 15:117db924cf7c | 4776 | { |
wolfSSL | 15:117db924cf7c | 4777 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 4778 | byte sigData[MAX_SIG_DATA_SZ]; |
wolfSSL | 15:117db924cf7c | 4779 | word16 sigDataSz; |
wolfSSL | 15:117db924cf7c | 4780 | word32 sigSz; |
wolfSSL | 15:117db924cf7c | 4781 | |
wolfSSL | 15:117db924cf7c | 4782 | ret = CreateSigData(ssl, sigData, &sigDataSz, 1); |
wolfSSL | 15:117db924cf7c | 4783 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4784 | return ret; |
wolfSSL | 15:117db924cf7c | 4785 | |
wolfSSL | 15:117db924cf7c | 4786 | if (sigAlgo == rsa_pss_sa_algo) { |
wolfSSL | 15:117db924cf7c | 4787 | enum wc_HashType hashType = WC_HASH_TYPE_NONE; |
wolfSSL | 15:117db924cf7c | 4788 | |
wolfSSL | 15:117db924cf7c | 4789 | ret = ConvertHashPss(hashAlgo, &hashType, NULL); |
wolfSSL | 15:117db924cf7c | 4790 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 4791 | return ret; |
wolfSSL | 15:117db924cf7c | 4792 | |
wolfSSL | 15:117db924cf7c | 4793 | /* PSS signature can be done in-place */ |
wolfSSL | 15:117db924cf7c | 4794 | ret = CreateRSAEncodedSig(sigData, sigData, sigDataSz, |
wolfSSL | 15:117db924cf7c | 4795 | sigAlgo, hashAlgo); |
wolfSSL | 15:117db924cf7c | 4796 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 4797 | return ret; |
wolfSSL | 15:117db924cf7c | 4798 | sigSz = ret; |
wolfSSL | 15:117db924cf7c | 4799 | |
wolfSSL | 15:117db924cf7c | 4800 | ret = wc_RsaPSS_CheckPadding(sigData, sigSz, decSig, decSigSz, |
wolfSSL | 15:117db924cf7c | 4801 | hashType); |
wolfSSL | 15:117db924cf7c | 4802 | } |
wolfSSL | 15:117db924cf7c | 4803 | |
wolfSSL | 15:117db924cf7c | 4804 | return ret; |
wolfSSL | 15:117db924cf7c | 4805 | } |
wolfSSL | 15:117db924cf7c | 4806 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 4807 | #endif /* !NO_RSA || HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 4808 | |
wolfSSL | 15:117db924cf7c | 4809 | /* Get the next certificate from the list for writing into the TLS v1.3 |
wolfSSL | 15:117db924cf7c | 4810 | * Certificate message. |
wolfSSL | 15:117db924cf7c | 4811 | * |
wolfSSL | 15:117db924cf7c | 4812 | * data The certificate list. |
wolfSSL | 15:117db924cf7c | 4813 | * length The length of the certificate data in the list. |
wolfSSL | 15:117db924cf7c | 4814 | * idx The index of the next certificate. |
wolfSSL | 15:117db924cf7c | 4815 | * returns the length of the certificate data. 0 indicates no more certificates |
wolfSSL | 15:117db924cf7c | 4816 | * in the list. |
wolfSSL | 15:117db924cf7c | 4817 | */ |
wolfSSL | 15:117db924cf7c | 4818 | static word32 NextCert(byte* data, word32 length, word32* idx) |
wolfSSL | 15:117db924cf7c | 4819 | { |
wolfSSL | 15:117db924cf7c | 4820 | word32 len; |
wolfSSL | 15:117db924cf7c | 4821 | |
wolfSSL | 15:117db924cf7c | 4822 | /* Is index at end of list. */ |
wolfSSL | 15:117db924cf7c | 4823 | if (*idx == length) |
wolfSSL | 15:117db924cf7c | 4824 | return 0; |
wolfSSL | 15:117db924cf7c | 4825 | |
wolfSSL | 15:117db924cf7c | 4826 | /* Length of the current ASN.1 encoded certificate. */ |
wolfSSL | 15:117db924cf7c | 4827 | c24to32(data + *idx, &len); |
wolfSSL | 15:117db924cf7c | 4828 | /* Include the length field. */ |
wolfSSL | 15:117db924cf7c | 4829 | len += 3; |
wolfSSL | 15:117db924cf7c | 4830 | |
wolfSSL | 15:117db924cf7c | 4831 | /* Move index to next certificate and return the current certificate's |
wolfSSL | 15:117db924cf7c | 4832 | * length. |
wolfSSL | 15:117db924cf7c | 4833 | */ |
wolfSSL | 15:117db924cf7c | 4834 | *idx += len; |
wolfSSL | 15:117db924cf7c | 4835 | return len; |
wolfSSL | 15:117db924cf7c | 4836 | } |
wolfSSL | 15:117db924cf7c | 4837 | |
wolfSSL | 15:117db924cf7c | 4838 | /* Add certificate data and empty extension to output up to the fragment size. |
wolfSSL | 15:117db924cf7c | 4839 | * |
wolfSSL | 15:117db924cf7c | 4840 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4841 | * cert The certificate data to write out. |
wolfSSL | 15:117db924cf7c | 4842 | * len The length of the certificate data. |
wolfSSL | 15:117db924cf7c | 4843 | * extSz Length of the extension data with the certificate. |
wolfSSL | 15:117db924cf7c | 4844 | * idx The start of the certificate data to write out. |
wolfSSL | 15:117db924cf7c | 4845 | * fragSz The maximum size of this fragment. |
wolfSSL | 15:117db924cf7c | 4846 | * output The buffer to write to. |
wolfSSL | 15:117db924cf7c | 4847 | * returns the number of bytes written. |
wolfSSL | 15:117db924cf7c | 4848 | */ |
wolfSSL | 15:117db924cf7c | 4849 | static word32 AddCertExt(WOLFSSL* ssl, byte* cert, word32 len, word16 extSz, |
wolfSSL | 15:117db924cf7c | 4850 | word32 idx, word32 fragSz, byte* output) |
wolfSSL | 15:117db924cf7c | 4851 | { |
wolfSSL | 15:117db924cf7c | 4852 | word32 i = 0; |
wolfSSL | 15:117db924cf7c | 4853 | word32 copySz = min(len - idx, fragSz); |
wolfSSL | 15:117db924cf7c | 4854 | |
wolfSSL | 15:117db924cf7c | 4855 | if (idx < len) { |
wolfSSL | 15:117db924cf7c | 4856 | XMEMCPY(output, cert + idx, copySz); |
wolfSSL | 15:117db924cf7c | 4857 | i = copySz; |
wolfSSL | 15:117db924cf7c | 4858 | if (copySz == fragSz) |
wolfSSL | 15:117db924cf7c | 4859 | return i; |
wolfSSL | 15:117db924cf7c | 4860 | } |
wolfSSL | 15:117db924cf7c | 4861 | copySz = len + extSz - idx - i; |
wolfSSL | 15:117db924cf7c | 4862 | |
wolfSSL | 15:117db924cf7c | 4863 | if (extSz == OPAQUE16_LEN) { |
wolfSSL | 15:117db924cf7c | 4864 | if (copySz <= fragSz) { |
wolfSSL | 15:117db924cf7c | 4865 | /* Empty extension */ |
wolfSSL | 15:117db924cf7c | 4866 | output[i++] = 0; |
wolfSSL | 15:117db924cf7c | 4867 | output[i++] = 0; |
wolfSSL | 15:117db924cf7c | 4868 | } |
wolfSSL | 15:117db924cf7c | 4869 | } |
wolfSSL | 15:117db924cf7c | 4870 | else { |
wolfSSL | 15:117db924cf7c | 4871 | byte* certExts = ssl->buffers.certExts->buffer + idx + i - len; |
wolfSSL | 15:117db924cf7c | 4872 | /* Put out as much of the extensions' data as will fit in fragment. */ |
wolfSSL | 15:117db924cf7c | 4873 | if (copySz > fragSz - i) |
wolfSSL | 15:117db924cf7c | 4874 | copySz = fragSz - i; |
wolfSSL | 15:117db924cf7c | 4875 | XMEMCPY(output + i, certExts, copySz); |
wolfSSL | 15:117db924cf7c | 4876 | i += copySz; |
wolfSSL | 15:117db924cf7c | 4877 | } |
wolfSSL | 15:117db924cf7c | 4878 | |
wolfSSL | 15:117db924cf7c | 4879 | return i; |
wolfSSL | 15:117db924cf7c | 4880 | } |
wolfSSL | 15:117db924cf7c | 4881 | |
wolfSSL | 15:117db924cf7c | 4882 | /* handle generation TLS v1.3 certificate (11) */ |
wolfSSL | 15:117db924cf7c | 4883 | /* Send the certificate for this end and any CAs that help with validation. |
wolfSSL | 15:117db924cf7c | 4884 | * This message is always encrypted in TLS v1.3. |
wolfSSL | 15:117db924cf7c | 4885 | * |
wolfSSL | 15:117db924cf7c | 4886 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4887 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 4888 | */ |
wolfSSL | 15:117db924cf7c | 4889 | static int SendTls13Certificate(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 4890 | { |
wolfSSL | 15:117db924cf7c | 4891 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 4892 | word32 certSz, certChainSz, headerSz, listSz, payloadSz; |
wolfSSL | 15:117db924cf7c | 4893 | word16 extSz = 0; |
wolfSSL | 15:117db924cf7c | 4894 | word32 length, maxFragment; |
wolfSSL | 15:117db924cf7c | 4895 | word32 len = 0; |
wolfSSL | 15:117db924cf7c | 4896 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 4897 | word32 offset = OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 4898 | byte* p = NULL; |
wolfSSL | 15:117db924cf7c | 4899 | byte certReqCtxLen = 0; |
wolfSSL | 15:117db924cf7c | 4900 | byte* certReqCtx = NULL; |
wolfSSL | 15:117db924cf7c | 4901 | |
wolfSSL | 15:117db924cf7c | 4902 | WOLFSSL_START(WC_FUNC_CERTIFICATE_SEND); |
wolfSSL | 15:117db924cf7c | 4903 | WOLFSSL_ENTER("SendTls13Certificate"); |
wolfSSL | 15:117db924cf7c | 4904 | |
wolfSSL | 15:117db924cf7c | 4905 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 4906 | if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) { |
wolfSSL | 15:117db924cf7c | 4907 | certReqCtxLen = ssl->certReqCtx->len; |
wolfSSL | 15:117db924cf7c | 4908 | certReqCtx = &ssl->certReqCtx->ctx; |
wolfSSL | 15:117db924cf7c | 4909 | } |
wolfSSL | 15:117db924cf7c | 4910 | #endif |
wolfSSL | 15:117db924cf7c | 4911 | |
wolfSSL | 15:117db924cf7c | 4912 | if (ssl->options.sendVerify == SEND_BLANK_CERT) { |
wolfSSL | 15:117db924cf7c | 4913 | certSz = 0; |
wolfSSL | 15:117db924cf7c | 4914 | certChainSz = 0; |
wolfSSL | 15:117db924cf7c | 4915 | headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4916 | length = headerSz; |
wolfSSL | 15:117db924cf7c | 4917 | listSz = 0; |
wolfSSL | 15:117db924cf7c | 4918 | } |
wolfSSL | 15:117db924cf7c | 4919 | else { |
wolfSSL | 15:117db924cf7c | 4920 | if (!ssl->buffers.certificate) { |
wolfSSL | 15:117db924cf7c | 4921 | WOLFSSL_MSG("Send Cert missing certificate buffer"); |
wolfSSL | 15:117db924cf7c | 4922 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 4923 | } |
wolfSSL | 15:117db924cf7c | 4924 | /* Certificate Data */ |
wolfSSL | 15:117db924cf7c | 4925 | certSz = ssl->buffers.certificate->length; |
wolfSSL | 15:117db924cf7c | 4926 | /* Cert Req Ctx Len | Cert Req Ctx | Cert List Len | Cert Data Len */ |
wolfSSL | 15:117db924cf7c | 4927 | headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ + |
wolfSSL | 15:117db924cf7c | 4928 | CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4929 | |
wolfSSL | 15:117db924cf7c | 4930 | ret = TLSX_GetResponseSize(ssl, certificate, &extSz); |
wolfSSL | 15:117db924cf7c | 4931 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 4932 | return ret; |
wolfSSL | 15:117db924cf7c | 4933 | |
wolfSSL | 15:117db924cf7c | 4934 | /* Create extensions' data if none already present. */ |
wolfSSL | 15:117db924cf7c | 4935 | if (extSz > OPAQUE16_LEN && ssl->buffers.certExts == NULL) { |
wolfSSL | 15:117db924cf7c | 4936 | ret = AllocDer(&ssl->buffers.certExts, extSz, CERT_TYPE, ssl->heap); |
wolfSSL | 15:117db924cf7c | 4937 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 4938 | return ret; |
wolfSSL | 15:117db924cf7c | 4939 | |
wolfSSL | 15:117db924cf7c | 4940 | ret = TLSX_WriteResponse(ssl, ssl->buffers.certExts->buffer, |
wolfSSL | 15:117db924cf7c | 4941 | certificate, &extSz); |
wolfSSL | 15:117db924cf7c | 4942 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 4943 | return ret; |
wolfSSL | 15:117db924cf7c | 4944 | } |
wolfSSL | 15:117db924cf7c | 4945 | |
wolfSSL | 15:117db924cf7c | 4946 | /* Length of message data with one certificate and extensions. */ |
wolfSSL | 15:117db924cf7c | 4947 | length = headerSz + certSz + extSz; |
wolfSSL | 15:117db924cf7c | 4948 | /* Length of list data with one certificate and extensions. */ |
wolfSSL | 15:117db924cf7c | 4949 | listSz = CERT_HEADER_SZ + certSz + extSz; |
wolfSSL | 15:117db924cf7c | 4950 | |
wolfSSL | 15:117db924cf7c | 4951 | /* Send rest of chain if sending cert (chain has leading size/s). */ |
wolfSSL | 15:117db924cf7c | 4952 | if (certSz > 0 && ssl->buffers.certChainCnt > 0) { |
wolfSSL | 15:117db924cf7c | 4953 | p = ssl->buffers.certChain->buffer; |
wolfSSL | 15:117db924cf7c | 4954 | /* Chain length including extensions. */ |
wolfSSL | 15:117db924cf7c | 4955 | certChainSz = ssl->buffers.certChain->length + |
wolfSSL | 15:117db924cf7c | 4956 | OPAQUE16_LEN * ssl->buffers.certChainCnt; |
wolfSSL | 15:117db924cf7c | 4957 | length += certChainSz; |
wolfSSL | 15:117db924cf7c | 4958 | listSz += certChainSz; |
wolfSSL | 15:117db924cf7c | 4959 | } |
wolfSSL | 15:117db924cf7c | 4960 | else |
wolfSSL | 15:117db924cf7c | 4961 | certChainSz = 0; |
wolfSSL | 15:117db924cf7c | 4962 | } |
wolfSSL | 15:117db924cf7c | 4963 | |
wolfSSL | 15:117db924cf7c | 4964 | payloadSz = length; |
wolfSSL | 15:117db924cf7c | 4965 | |
wolfSSL | 15:117db924cf7c | 4966 | if (ssl->fragOffset != 0) |
wolfSSL | 15:117db924cf7c | 4967 | length -= (ssl->fragOffset + headerSz); |
wolfSSL | 15:117db924cf7c | 4968 | |
wolfSSL | 15:117db924cf7c | 4969 | maxFragment = wolfSSL_GetMaxRecordSize(ssl, MAX_RECORD_SIZE); |
wolfSSL | 15:117db924cf7c | 4970 | |
wolfSSL | 15:117db924cf7c | 4971 | while (length > 0 && ret == 0) { |
wolfSSL | 15:117db924cf7c | 4972 | byte* output = NULL; |
wolfSSL | 15:117db924cf7c | 4973 | word32 fragSz = 0; |
wolfSSL | 15:117db924cf7c | 4974 | word32 i = RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4975 | int sendSz = RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4976 | |
wolfSSL | 15:117db924cf7c | 4977 | if (ssl->fragOffset == 0) { |
wolfSSL | 15:117db924cf7c | 4978 | if (headerSz + certSz + extSz + certChainSz <= |
wolfSSL | 15:117db924cf7c | 4979 | maxFragment - HANDSHAKE_HEADER_SZ) { |
wolfSSL | 15:117db924cf7c | 4980 | fragSz = headerSz + certSz + extSz + certChainSz; |
wolfSSL | 15:117db924cf7c | 4981 | } |
wolfSSL | 15:117db924cf7c | 4982 | else |
wolfSSL | 15:117db924cf7c | 4983 | fragSz = maxFragment - HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4984 | |
wolfSSL | 15:117db924cf7c | 4985 | sendSz += fragSz + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4986 | i += HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4987 | } |
wolfSSL | 15:117db924cf7c | 4988 | else { |
wolfSSL | 15:117db924cf7c | 4989 | fragSz = min(length, maxFragment); |
wolfSSL | 15:117db924cf7c | 4990 | sendSz += fragSz; |
wolfSSL | 15:117db924cf7c | 4991 | } |
wolfSSL | 15:117db924cf7c | 4992 | |
wolfSSL | 15:117db924cf7c | 4993 | sendSz += MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 4994 | |
wolfSSL | 15:117db924cf7c | 4995 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 4996 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 4997 | return ret; |
wolfSSL | 15:117db924cf7c | 4998 | |
wolfSSL | 15:117db924cf7c | 4999 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 5000 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 5001 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 5002 | |
wolfSSL | 15:117db924cf7c | 5003 | if (ssl->fragOffset == 0) { |
wolfSSL | 15:117db924cf7c | 5004 | AddTls13FragHeaders(output, fragSz, 0, payloadSz, certificate, ssl); |
wolfSSL | 15:117db924cf7c | 5005 | |
wolfSSL | 15:117db924cf7c | 5006 | /* Request context. */ |
wolfSSL | 15:117db924cf7c | 5007 | output[i++] = certReqCtxLen; |
wolfSSL | 15:117db924cf7c | 5008 | if (certReqCtxLen > 0) { |
wolfSSL | 15:117db924cf7c | 5009 | XMEMCPY(output + i, certReqCtx, certReqCtxLen); |
wolfSSL | 15:117db924cf7c | 5010 | i += certReqCtxLen; |
wolfSSL | 15:117db924cf7c | 5011 | } |
wolfSSL | 15:117db924cf7c | 5012 | length -= OPAQUE8_LEN + certReqCtxLen; |
wolfSSL | 15:117db924cf7c | 5013 | fragSz -= OPAQUE8_LEN + certReqCtxLen; |
wolfSSL | 15:117db924cf7c | 5014 | /* Certificate list length. */ |
wolfSSL | 15:117db924cf7c | 5015 | c32to24(listSz, output + i); |
wolfSSL | 15:117db924cf7c | 5016 | i += CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5017 | length -= CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5018 | fragSz -= CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5019 | /* Leaf certificate data length. */ |
wolfSSL | 15:117db924cf7c | 5020 | if (certSz > 0) { |
wolfSSL | 15:117db924cf7c | 5021 | c32to24(certSz, output + i); |
wolfSSL | 15:117db924cf7c | 5022 | i += CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5023 | length -= CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5024 | fragSz -= CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5025 | } |
wolfSSL | 15:117db924cf7c | 5026 | } |
wolfSSL | 15:117db924cf7c | 5027 | else |
wolfSSL | 15:117db924cf7c | 5028 | AddTls13RecordHeader(output, fragSz, handshake, ssl); |
wolfSSL | 15:117db924cf7c | 5029 | |
wolfSSL | 15:117db924cf7c | 5030 | if (certSz > 0 && ssl->fragOffset < certSz + extSz) { |
wolfSSL | 15:117db924cf7c | 5031 | /* Put in the leaf certificate with extensions. */ |
wolfSSL | 15:117db924cf7c | 5032 | word32 copySz = AddCertExt(ssl, ssl->buffers.certificate->buffer, |
wolfSSL | 15:117db924cf7c | 5033 | certSz, extSz, ssl->fragOffset, fragSz, output + i); |
wolfSSL | 15:117db924cf7c | 5034 | i += copySz; |
wolfSSL | 15:117db924cf7c | 5035 | ssl->fragOffset += copySz; |
wolfSSL | 15:117db924cf7c | 5036 | length -= copySz; |
wolfSSL | 15:117db924cf7c | 5037 | fragSz -= copySz; |
wolfSSL | 15:117db924cf7c | 5038 | if (ssl->fragOffset == certSz + extSz) |
wolfSSL | 15:117db924cf7c | 5039 | FreeDer(&ssl->buffers.certExts); |
wolfSSL | 15:117db924cf7c | 5040 | } |
wolfSSL | 15:117db924cf7c | 5041 | if (certChainSz > 0 && fragSz > 0) { |
wolfSSL | 15:117db924cf7c | 5042 | /* Put in the CA certificates with empty extensions. */ |
wolfSSL | 15:117db924cf7c | 5043 | while (fragSz > 0) { |
wolfSSL | 15:117db924cf7c | 5044 | word32 l; |
wolfSSL | 15:117db924cf7c | 5045 | |
wolfSSL | 15:117db924cf7c | 5046 | if (offset == len + OPAQUE16_LEN) { |
wolfSSL | 15:117db924cf7c | 5047 | /* Find next CA certificate to write out. */ |
wolfSSL | 15:117db924cf7c | 5048 | offset = 0; |
wolfSSL | 15:117db924cf7c | 5049 | /* Point to the start of current cert in chain buffer. */ |
wolfSSL | 15:117db924cf7c | 5050 | p = ssl->buffers.certChain->buffer + idx; |
wolfSSL | 15:117db924cf7c | 5051 | len = NextCert(ssl->buffers.certChain->buffer, |
wolfSSL | 15:117db924cf7c | 5052 | ssl->buffers.certChain->length, &idx); |
wolfSSL | 15:117db924cf7c | 5053 | if (len == 0) |
wolfSSL | 15:117db924cf7c | 5054 | break; |
wolfSSL | 15:117db924cf7c | 5055 | } |
wolfSSL | 15:117db924cf7c | 5056 | |
wolfSSL | 15:117db924cf7c | 5057 | /* Write out certificate and empty extension. */ |
wolfSSL | 15:117db924cf7c | 5058 | l = AddCertExt(ssl, p, len, OPAQUE16_LEN, offset, fragSz, |
wolfSSL | 15:117db924cf7c | 5059 | output + i); |
wolfSSL | 15:117db924cf7c | 5060 | i += l; |
wolfSSL | 15:117db924cf7c | 5061 | ssl->fragOffset += l; |
wolfSSL | 15:117db924cf7c | 5062 | length -= l; |
wolfSSL | 15:117db924cf7c | 5063 | fragSz -= l; |
wolfSSL | 15:117db924cf7c | 5064 | offset += l; |
wolfSSL | 15:117db924cf7c | 5065 | } |
wolfSSL | 15:117db924cf7c | 5066 | } |
wolfSSL | 15:117db924cf7c | 5067 | |
wolfSSL | 15:117db924cf7c | 5068 | if ((int)i - RECORD_HEADER_SZ < 0) { |
wolfSSL | 15:117db924cf7c | 5069 | WOLFSSL_MSG("Send Cert bad inputSz"); |
wolfSSL | 15:117db924cf7c | 5070 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 5071 | } |
wolfSSL | 15:117db924cf7c | 5072 | |
wolfSSL | 15:117db924cf7c | 5073 | /* This message is always encrypted. */ |
wolfSSL | 15:117db924cf7c | 5074 | sendSz = BuildTls13Message(ssl, output, sendSz, |
wolfSSL | 15:117db924cf7c | 5075 | output + RECORD_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 5076 | i - RECORD_HEADER_SZ, handshake, 1, 0, 0); |
wolfSSL | 15:117db924cf7c | 5077 | if (sendSz < 0) |
wolfSSL | 15:117db924cf7c | 5078 | return sendSz; |
wolfSSL | 15:117db924cf7c | 5079 | |
wolfSSL | 15:117db924cf7c | 5080 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5081 | if (ssl->hsInfoOn) |
wolfSSL | 15:117db924cf7c | 5082 | AddPacketName(ssl, "Certificate"); |
wolfSSL | 15:117db924cf7c | 5083 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 5084 | AddPacketInfo(ssl, "Certificate", handshake, output, |
wolfSSL | 15:117db924cf7c | 5085 | sendSz, WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 5086 | } |
wolfSSL | 15:117db924cf7c | 5087 | #endif |
wolfSSL | 15:117db924cf7c | 5088 | |
wolfSSL | 15:117db924cf7c | 5089 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 5090 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 5091 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 5092 | } |
wolfSSL | 15:117db924cf7c | 5093 | |
wolfSSL | 15:117db924cf7c | 5094 | if (ret != WANT_WRITE) { |
wolfSSL | 15:117db924cf7c | 5095 | /* Clean up the fragment offset. */ |
wolfSSL | 15:117db924cf7c | 5096 | ssl->fragOffset = 0; |
wolfSSL | 15:117db924cf7c | 5097 | if (ssl->options.side == WOLFSSL_SERVER_END) |
wolfSSL | 15:117db924cf7c | 5098 | ssl->options.serverState = SERVER_CERT_COMPLETE; |
wolfSSL | 15:117db924cf7c | 5099 | } |
wolfSSL | 15:117db924cf7c | 5100 | |
wolfSSL | 15:117db924cf7c | 5101 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 5102 | if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) { |
wolfSSL | 15:117db924cf7c | 5103 | CertReqCtx* ctx = ssl->certReqCtx; |
wolfSSL | 15:117db924cf7c | 5104 | ssl->certReqCtx = ssl->certReqCtx->next; |
wolfSSL | 15:117db924cf7c | 5105 | XFREE(ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 5106 | } |
wolfSSL | 15:117db924cf7c | 5107 | #endif |
wolfSSL | 15:117db924cf7c | 5108 | |
wolfSSL | 15:117db924cf7c | 5109 | WOLFSSL_LEAVE("SendTls13Certificate", ret); |
wolfSSL | 15:117db924cf7c | 5110 | WOLFSSL_END(WC_FUNC_CERTIFICATE_SEND); |
wolfSSL | 15:117db924cf7c | 5111 | |
wolfSSL | 15:117db924cf7c | 5112 | return ret; |
wolfSSL | 15:117db924cf7c | 5113 | } |
wolfSSL | 15:117db924cf7c | 5114 | |
wolfSSL | 15:117db924cf7c | 5115 | typedef struct Scv13Args { |
wolfSSL | 15:117db924cf7c | 5116 | byte* output; /* not allocated */ |
wolfSSL | 15:117db924cf7c | 5117 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 5118 | byte* verifySig; |
wolfSSL | 15:117db924cf7c | 5119 | #endif |
wolfSSL | 15:117db924cf7c | 5120 | byte* verify; /* not allocated */ |
wolfSSL | 15:117db924cf7c | 5121 | word32 idx; |
wolfSSL | 15:117db924cf7c | 5122 | word32 sigLen; |
wolfSSL | 15:117db924cf7c | 5123 | int sendSz; |
wolfSSL | 15:117db924cf7c | 5124 | word16 length; |
wolfSSL | 15:117db924cf7c | 5125 | |
wolfSSL | 15:117db924cf7c | 5126 | byte sigAlgo; |
wolfSSL | 15:117db924cf7c | 5127 | byte* sigData; |
wolfSSL | 15:117db924cf7c | 5128 | word16 sigDataSz; |
wolfSSL | 15:117db924cf7c | 5129 | } Scv13Args; |
wolfSSL | 15:117db924cf7c | 5130 | |
wolfSSL | 15:117db924cf7c | 5131 | static void FreeScv13Args(WOLFSSL* ssl, void* pArgs) |
wolfSSL | 15:117db924cf7c | 5132 | { |
wolfSSL | 15:117db924cf7c | 5133 | Scv13Args* args = (Scv13Args*)pArgs; |
wolfSSL | 15:117db924cf7c | 5134 | |
wolfSSL | 15:117db924cf7c | 5135 | (void)ssl; |
wolfSSL | 15:117db924cf7c | 5136 | |
wolfSSL | 15:117db924cf7c | 5137 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 5138 | if (args->verifySig) { |
wolfSSL | 15:117db924cf7c | 5139 | XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 5140 | args->verifySig = NULL; |
wolfSSL | 15:117db924cf7c | 5141 | } |
wolfSSL | 15:117db924cf7c | 5142 | #endif |
wolfSSL | 15:117db924cf7c | 5143 | if (args->sigData) { |
wolfSSL | 15:117db924cf7c | 5144 | XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 5145 | args->sigData = NULL; |
wolfSSL | 15:117db924cf7c | 5146 | } |
wolfSSL | 15:117db924cf7c | 5147 | } |
wolfSSL | 15:117db924cf7c | 5148 | |
wolfSSL | 15:117db924cf7c | 5149 | /* handle generation TLS v1.3 certificate_verify (15) */ |
wolfSSL | 15:117db924cf7c | 5150 | /* Send the TLS v1.3 CertificateVerify message. |
wolfSSL | 15:117db924cf7c | 5151 | * A hash of all the message so far is used. |
wolfSSL | 15:117db924cf7c | 5152 | * The signed data is: |
wolfSSL | 15:117db924cf7c | 5153 | * 0x20 * 64 | context string | 0x00 | hash of messages |
wolfSSL | 15:117db924cf7c | 5154 | * This message is always encrypted in TLS v1.3. |
wolfSSL | 15:117db924cf7c | 5155 | * |
wolfSSL | 15:117db924cf7c | 5156 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 5157 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 5158 | */ |
wolfSSL | 15:117db924cf7c | 5159 | static int SendTls13CertificateVerify(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 5160 | { |
wolfSSL | 15:117db924cf7c | 5161 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 5162 | buffer* sig = &ssl->buffers.sig; |
wolfSSL | 15:117db924cf7c | 5163 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 5164 | Scv13Args* args = (Scv13Args*)ssl->async.args; |
wolfSSL | 15:117db924cf7c | 5165 | typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; |
wolfSSL | 15:117db924cf7c | 5166 | (void)sizeof(args_test); |
wolfSSL | 15:117db924cf7c | 5167 | #else |
wolfSSL | 15:117db924cf7c | 5168 | Scv13Args args[1]; |
wolfSSL | 15:117db924cf7c | 5169 | #endif |
wolfSSL | 15:117db924cf7c | 5170 | |
wolfSSL | 15:117db924cf7c | 5171 | WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_SEND); |
wolfSSL | 15:117db924cf7c | 5172 | WOLFSSL_ENTER("SendTls13CertificateVerify"); |
wolfSSL | 15:117db924cf7c | 5173 | |
wolfSSL | 15:117db924cf7c | 5174 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 5175 | ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); |
wolfSSL | 15:117db924cf7c | 5176 | if (ret != WC_NOT_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 5177 | /* Check for error */ |
wolfSSL | 15:117db924cf7c | 5178 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 5179 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5180 | } |
wolfSSL | 15:117db924cf7c | 5181 | else |
wolfSSL | 15:117db924cf7c | 5182 | #endif |
wolfSSL | 15:117db924cf7c | 5183 | { |
wolfSSL | 15:117db924cf7c | 5184 | /* Reset state */ |
wolfSSL | 15:117db924cf7c | 5185 | ret = 0; |
wolfSSL | 15:117db924cf7c | 5186 | ssl->options.asyncState = TLS_ASYNC_BEGIN; |
wolfSSL | 15:117db924cf7c | 5187 | XMEMSET(args, 0, sizeof(Scv13Args)); |
wolfSSL | 15:117db924cf7c | 5188 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 5189 | ssl->async.freeArgs = FreeScv13Args; |
wolfSSL | 15:117db924cf7c | 5190 | #endif |
wolfSSL | 15:117db924cf7c | 5191 | } |
wolfSSL | 15:117db924cf7c | 5192 | |
wolfSSL | 15:117db924cf7c | 5193 | switch(ssl->options.asyncState) |
wolfSSL | 15:117db924cf7c | 5194 | { |
wolfSSL | 15:117db924cf7c | 5195 | case TLS_ASYNC_BEGIN: |
wolfSSL | 15:117db924cf7c | 5196 | { |
wolfSSL | 15:117db924cf7c | 5197 | if (ssl->options.sendVerify == SEND_BLANK_CERT) { |
wolfSSL | 15:117db924cf7c | 5198 | return 0; /* sent blank cert, can't verify */ |
wolfSSL | 15:117db924cf7c | 5199 | } |
wolfSSL | 15:117db924cf7c | 5200 | |
wolfSSL | 15:117db924cf7c | 5201 | args->sendSz = MAX_CERT_VERIFY_SZ; |
wolfSSL | 15:117db924cf7c | 5202 | /* Always encrypted. */ |
wolfSSL | 15:117db924cf7c | 5203 | args->sendSz += MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 5204 | |
wolfSSL | 15:117db924cf7c | 5205 | /* check for available size */ |
wolfSSL | 15:117db924cf7c | 5206 | if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { |
wolfSSL | 15:117db924cf7c | 5207 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5208 | } |
wolfSSL | 15:117db924cf7c | 5209 | |
wolfSSL | 15:117db924cf7c | 5210 | /* get output buffer */ |
wolfSSL | 15:117db924cf7c | 5211 | args->output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 5212 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 5213 | |
wolfSSL | 15:117db924cf7c | 5214 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5215 | ssl->options.asyncState = TLS_ASYNC_BUILD; |
wolfSSL | 15:117db924cf7c | 5216 | } /* case TLS_ASYNC_BEGIN */ |
wolfSSL | 15:117db924cf7c | 5217 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 5218 | |
wolfSSL | 15:117db924cf7c | 5219 | case TLS_ASYNC_BUILD: |
wolfSSL | 15:117db924cf7c | 5220 | { |
wolfSSL | 15:117db924cf7c | 5221 | /* idx is used to track verify pointer offset to output */ |
wolfSSL | 15:117db924cf7c | 5222 | args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5223 | args->verify = |
wolfSSL | 15:117db924cf7c | 5224 | &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ]; |
wolfSSL | 15:117db924cf7c | 5225 | |
wolfSSL | 15:117db924cf7c | 5226 | if (ssl->buffers.key == NULL) { |
wolfSSL | 15:117db924cf7c | 5227 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5228 | if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) |
wolfSSL | 15:117db924cf7c | 5229 | args->length = GetPrivateKeySigSize(ssl); |
wolfSSL | 15:117db924cf7c | 5230 | else |
wolfSSL | 15:117db924cf7c | 5231 | #endif |
wolfSSL | 15:117db924cf7c | 5232 | ERROR_OUT(NO_PRIVATE_KEY, exit_scv); |
wolfSSL | 15:117db924cf7c | 5233 | } |
wolfSSL | 15:117db924cf7c | 5234 | else { |
wolfSSL | 15:117db924cf7c | 5235 | ret = DecodePrivateKey(ssl, &args->length); |
wolfSSL | 15:117db924cf7c | 5236 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5237 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5238 | } |
wolfSSL | 15:117db924cf7c | 5239 | |
wolfSSL | 15:117db924cf7c | 5240 | if (args->length <= 0) { |
wolfSSL | 15:117db924cf7c | 5241 | ERROR_OUT(NO_PRIVATE_KEY, exit_scv); |
wolfSSL | 15:117db924cf7c | 5242 | } |
wolfSSL | 15:117db924cf7c | 5243 | |
wolfSSL | 15:117db924cf7c | 5244 | /* Add signature algorithm. */ |
wolfSSL | 15:117db924cf7c | 5245 | if (ssl->hsType == DYNAMIC_TYPE_RSA) |
wolfSSL | 15:117db924cf7c | 5246 | args->sigAlgo = rsa_pss_sa_algo; |
wolfSSL | 15:117db924cf7c | 5247 | else if (ssl->hsType == DYNAMIC_TYPE_ECC) |
wolfSSL | 15:117db924cf7c | 5248 | args->sigAlgo = ecc_dsa_sa_algo; |
wolfSSL | 15:117db924cf7c | 5249 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 5250 | else if (ssl->hsType == DYNAMIC_TYPE_ED25519) |
wolfSSL | 15:117db924cf7c | 5251 | args->sigAlgo = ed25519_sa_algo; |
wolfSSL | 15:117db924cf7c | 5252 | #endif |
wolfSSL | 15:117db924cf7c | 5253 | EncodeSigAlg(ssl->suites->hashAlgo, args->sigAlgo, args->verify); |
wolfSSL | 15:117db924cf7c | 5254 | |
wolfSSL | 15:117db924cf7c | 5255 | /* Create the data to be signed. */ |
wolfSSL | 15:117db924cf7c | 5256 | args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap, |
wolfSSL | 15:117db924cf7c | 5257 | DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 5258 | if (args->sigData == NULL) { |
wolfSSL | 15:117db924cf7c | 5259 | ERROR_OUT(MEMORY_E, exit_scv); |
wolfSSL | 15:117db924cf7c | 5260 | } |
wolfSSL | 15:117db924cf7c | 5261 | |
wolfSSL | 15:117db924cf7c | 5262 | ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 0); |
wolfSSL | 15:117db924cf7c | 5263 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5264 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5265 | |
wolfSSL | 15:117db924cf7c | 5266 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 5267 | if (ssl->hsType == DYNAMIC_TYPE_RSA) { |
wolfSSL | 15:117db924cf7c | 5268 | /* build encoded signature buffer */ |
wolfSSL | 15:117db924cf7c | 5269 | sig->length = MAX_ENCODED_SIG_SZ; |
wolfSSL | 15:117db924cf7c | 5270 | sig->buffer = (byte*)XMALLOC(sig->length, ssl->heap, |
wolfSSL | 15:117db924cf7c | 5271 | DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 5272 | if (sig->buffer == NULL) { |
wolfSSL | 15:117db924cf7c | 5273 | ERROR_OUT(MEMORY_E, exit_scv); |
wolfSSL | 15:117db924cf7c | 5274 | } |
wolfSSL | 15:117db924cf7c | 5275 | |
wolfSSL | 15:117db924cf7c | 5276 | ret = CreateRSAEncodedSig(sig->buffer, args->sigData, |
wolfSSL | 15:117db924cf7c | 5277 | args->sigDataSz, args->sigAlgo, ssl->suites->hashAlgo); |
wolfSSL | 15:117db924cf7c | 5278 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 5279 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5280 | sig->length = ret; |
wolfSSL | 15:117db924cf7c | 5281 | ret = 0; |
wolfSSL | 15:117db924cf7c | 5282 | |
wolfSSL | 15:117db924cf7c | 5283 | /* Maximum size of RSA Signature. */ |
wolfSSL | 15:117db924cf7c | 5284 | args->sigLen = args->length; |
wolfSSL | 15:117db924cf7c | 5285 | } |
wolfSSL | 15:117db924cf7c | 5286 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 5287 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 5288 | if (ssl->hsType == DYNAMIC_TYPE_ECC) { |
wolfSSL | 15:117db924cf7c | 5289 | sig->length = args->sendSz - args->idx - HASH_SIG_SIZE - |
wolfSSL | 15:117db924cf7c | 5290 | VERIFY_HEADER; |
wolfSSL | 15:117db924cf7c | 5291 | ret = CreateECCEncodedSig(args->sigData, |
wolfSSL | 15:117db924cf7c | 5292 | args->sigDataSz, ssl->suites->hashAlgo); |
wolfSSL | 15:117db924cf7c | 5293 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 5294 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5295 | args->sigDataSz = (word16)ret; |
wolfSSL | 15:117db924cf7c | 5296 | ret = 0; |
wolfSSL | 15:117db924cf7c | 5297 | } |
wolfSSL | 15:117db924cf7c | 5298 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 5299 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 5300 | if (ssl->hsType == DYNAMIC_TYPE_ED25519) { |
wolfSSL | 15:117db924cf7c | 5301 | ret = Ed25519CheckPubKey(ssl); |
wolfSSL | 15:117db924cf7c | 5302 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 5303 | ERROR_OUT(ret, exit_scv); |
wolfSSL | 15:117db924cf7c | 5304 | } |
wolfSSL | 15:117db924cf7c | 5305 | sig->length = ED25519_SIG_SIZE; |
wolfSSL | 15:117db924cf7c | 5306 | } |
wolfSSL | 15:117db924cf7c | 5307 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 5308 | |
wolfSSL | 15:117db924cf7c | 5309 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5310 | ssl->options.asyncState = TLS_ASYNC_DO; |
wolfSSL | 15:117db924cf7c | 5311 | } /* case TLS_ASYNC_BUILD */ |
wolfSSL | 15:117db924cf7c | 5312 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 5313 | |
wolfSSL | 15:117db924cf7c | 5314 | case TLS_ASYNC_DO: |
wolfSSL | 15:117db924cf7c | 5315 | { |
wolfSSL | 15:117db924cf7c | 5316 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 5317 | if (ssl->hsType == DYNAMIC_TYPE_ECC) { |
wolfSSL | 15:117db924cf7c | 5318 | ret = EccSign(ssl, args->sigData, args->sigDataSz, |
wolfSSL | 15:117db924cf7c | 5319 | args->verify + HASH_SIG_SIZE + VERIFY_HEADER, |
wolfSSL | 15:117db924cf7c | 5320 | &sig->length, (ecc_key*)ssl->hsKey, |
wolfSSL | 15:117db924cf7c | 5321 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5322 | ssl->buffers.key |
wolfSSL | 15:117db924cf7c | 5323 | #else |
wolfSSL | 15:117db924cf7c | 5324 | NULL |
wolfSSL | 15:117db924cf7c | 5325 | #endif |
wolfSSL | 15:117db924cf7c | 5326 | ); |
wolfSSL | 15:117db924cf7c | 5327 | args->length = (word16)sig->length; |
wolfSSL | 15:117db924cf7c | 5328 | } |
wolfSSL | 15:117db924cf7c | 5329 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 5330 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 5331 | if (ssl->hsType == DYNAMIC_TYPE_ED25519) { |
wolfSSL | 15:117db924cf7c | 5332 | ret = Ed25519Sign(ssl, args->sigData, args->sigDataSz, |
wolfSSL | 15:117db924cf7c | 5333 | args->verify + HASH_SIG_SIZE + VERIFY_HEADER, |
wolfSSL | 15:117db924cf7c | 5334 | &sig->length, (ed25519_key*)ssl->hsKey, |
wolfSSL | 15:117db924cf7c | 5335 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5336 | ssl->buffers.key |
wolfSSL | 15:117db924cf7c | 5337 | #else |
wolfSSL | 15:117db924cf7c | 5338 | NULL |
wolfSSL | 15:117db924cf7c | 5339 | #endif |
wolfSSL | 15:117db924cf7c | 5340 | ); |
wolfSSL | 15:117db924cf7c | 5341 | args->length = sig->length; |
wolfSSL | 15:117db924cf7c | 5342 | } |
wolfSSL | 15:117db924cf7c | 5343 | #endif |
wolfSSL | 15:117db924cf7c | 5344 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 5345 | if (ssl->hsType == DYNAMIC_TYPE_RSA) { |
wolfSSL | 15:117db924cf7c | 5346 | |
wolfSSL | 15:117db924cf7c | 5347 | ret = RsaSign(ssl, sig->buffer, sig->length, |
wolfSSL | 15:117db924cf7c | 5348 | args->verify + HASH_SIG_SIZE + VERIFY_HEADER, &args->sigLen, |
wolfSSL | 15:117db924cf7c | 5349 | args->sigAlgo, ssl->suites->hashAlgo, |
wolfSSL | 15:117db924cf7c | 5350 | (RsaKey*)ssl->hsKey, |
wolfSSL | 15:117db924cf7c | 5351 | ssl->buffers.key |
wolfSSL | 15:117db924cf7c | 5352 | ); |
wolfSSL | 15:117db924cf7c | 5353 | args->length = (word16)args->sigLen; |
wolfSSL | 15:117db924cf7c | 5354 | } |
wolfSSL | 15:117db924cf7c | 5355 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 5356 | |
wolfSSL | 15:117db924cf7c | 5357 | /* Check for error */ |
wolfSSL | 15:117db924cf7c | 5358 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 5359 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5360 | } |
wolfSSL | 15:117db924cf7c | 5361 | |
wolfSSL | 15:117db924cf7c | 5362 | /* Add signature length. */ |
wolfSSL | 15:117db924cf7c | 5363 | c16toa(args->length, args->verify + HASH_SIG_SIZE); |
wolfSSL | 15:117db924cf7c | 5364 | |
wolfSSL | 15:117db924cf7c | 5365 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5366 | ssl->options.asyncState = TLS_ASYNC_VERIFY; |
wolfSSL | 15:117db924cf7c | 5367 | } /* case TLS_ASYNC_DO */ |
wolfSSL | 15:117db924cf7c | 5368 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 5369 | |
wolfSSL | 15:117db924cf7c | 5370 | case TLS_ASYNC_VERIFY: |
wolfSSL | 15:117db924cf7c | 5371 | { |
wolfSSL | 15:117db924cf7c | 5372 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 5373 | if (ssl->hsType == DYNAMIC_TYPE_RSA) { |
wolfSSL | 15:117db924cf7c | 5374 | if (args->verifySig == NULL) { |
wolfSSL | 15:117db924cf7c | 5375 | args->verifySig = (byte*)XMALLOC(args->sigLen, ssl->heap, |
wolfSSL | 15:117db924cf7c | 5376 | DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 5377 | if (args->verifySig == NULL) { |
wolfSSL | 15:117db924cf7c | 5378 | ERROR_OUT(MEMORY_E, exit_scv); |
wolfSSL | 15:117db924cf7c | 5379 | } |
wolfSSL | 15:117db924cf7c | 5380 | XMEMCPY(args->verifySig, |
wolfSSL | 15:117db924cf7c | 5381 | args->verify + HASH_SIG_SIZE + VERIFY_HEADER, |
wolfSSL | 15:117db924cf7c | 5382 | args->sigLen); |
wolfSSL | 15:117db924cf7c | 5383 | } |
wolfSSL | 15:117db924cf7c | 5384 | |
wolfSSL | 15:117db924cf7c | 5385 | /* check for signature faults */ |
wolfSSL | 15:117db924cf7c | 5386 | ret = VerifyRsaSign(ssl, args->verifySig, args->sigLen, |
wolfSSL | 15:117db924cf7c | 5387 | sig->buffer, sig->length, args->sigAlgo, |
wolfSSL | 15:117db924cf7c | 5388 | ssl->suites->hashAlgo, (RsaKey*)ssl->hsKey, |
wolfSSL | 15:117db924cf7c | 5389 | ssl->buffers.key |
wolfSSL | 15:117db924cf7c | 5390 | ); |
wolfSSL | 15:117db924cf7c | 5391 | } |
wolfSSL | 15:117db924cf7c | 5392 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 5393 | |
wolfSSL | 15:117db924cf7c | 5394 | /* Check for error */ |
wolfSSL | 15:117db924cf7c | 5395 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 5396 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5397 | } |
wolfSSL | 15:117db924cf7c | 5398 | |
wolfSSL | 15:117db924cf7c | 5399 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5400 | ssl->options.asyncState = TLS_ASYNC_FINALIZE; |
wolfSSL | 15:117db924cf7c | 5401 | } /* case TLS_ASYNC_VERIFY */ |
wolfSSL | 15:117db924cf7c | 5402 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 5403 | |
wolfSSL | 15:117db924cf7c | 5404 | case TLS_ASYNC_FINALIZE: |
wolfSSL | 15:117db924cf7c | 5405 | { |
wolfSSL | 15:117db924cf7c | 5406 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 5407 | AddTls13Headers(args->output, args->length + HASH_SIG_SIZE + |
wolfSSL | 15:117db924cf7c | 5408 | VERIFY_HEADER, certificate_verify, ssl); |
wolfSSL | 15:117db924cf7c | 5409 | |
wolfSSL | 15:117db924cf7c | 5410 | args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + |
wolfSSL | 15:117db924cf7c | 5411 | args->length + HASH_SIG_SIZE + VERIFY_HEADER; |
wolfSSL | 15:117db924cf7c | 5412 | |
wolfSSL | 15:117db924cf7c | 5413 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5414 | ssl->options.asyncState = TLS_ASYNC_END; |
wolfSSL | 15:117db924cf7c | 5415 | } /* case TLS_ASYNC_FINALIZE */ |
wolfSSL | 15:117db924cf7c | 5416 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 5417 | |
wolfSSL | 15:117db924cf7c | 5418 | case TLS_ASYNC_END: |
wolfSSL | 15:117db924cf7c | 5419 | { |
wolfSSL | 15:117db924cf7c | 5420 | /* This message is always encrypted. */ |
wolfSSL | 15:117db924cf7c | 5421 | ret = BuildTls13Message(ssl, args->output, |
wolfSSL | 15:117db924cf7c | 5422 | MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA, |
wolfSSL | 15:117db924cf7c | 5423 | args->output + RECORD_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 5424 | args->sendSz - RECORD_HEADER_SZ, handshake, |
wolfSSL | 15:117db924cf7c | 5425 | 1, 0, 0); |
wolfSSL | 15:117db924cf7c | 5426 | |
wolfSSL | 15:117db924cf7c | 5427 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 5428 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5429 | } |
wolfSSL | 15:117db924cf7c | 5430 | else { |
wolfSSL | 15:117db924cf7c | 5431 | args->sendSz = ret; |
wolfSSL | 15:117db924cf7c | 5432 | ret = 0; |
wolfSSL | 15:117db924cf7c | 5433 | } |
wolfSSL | 15:117db924cf7c | 5434 | |
wolfSSL | 15:117db924cf7c | 5435 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5436 | if (ssl->hsInfoOn) |
wolfSSL | 15:117db924cf7c | 5437 | AddPacketName(ssl, "CertificateVerify"); |
wolfSSL | 15:117db924cf7c | 5438 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 5439 | AddPacketInfo(ssl, "CertificateVerify", handshake, |
wolfSSL | 15:117db924cf7c | 5440 | args->output, args->sendSz, WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 5441 | } |
wolfSSL | 15:117db924cf7c | 5442 | #endif |
wolfSSL | 15:117db924cf7c | 5443 | |
wolfSSL | 15:117db924cf7c | 5444 | ssl->buffers.outputBuffer.length += args->sendSz; |
wolfSSL | 15:117db924cf7c | 5445 | |
wolfSSL | 15:117db924cf7c | 5446 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 5447 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 5448 | break; |
wolfSSL | 15:117db924cf7c | 5449 | } |
wolfSSL | 15:117db924cf7c | 5450 | default: |
wolfSSL | 15:117db924cf7c | 5451 | ret = INPUT_CASE_ERROR; |
wolfSSL | 15:117db924cf7c | 5452 | } /* switch(ssl->options.asyncState) */ |
wolfSSL | 15:117db924cf7c | 5453 | |
wolfSSL | 15:117db924cf7c | 5454 | exit_scv: |
wolfSSL | 15:117db924cf7c | 5455 | |
wolfSSL | 15:117db924cf7c | 5456 | WOLFSSL_LEAVE("SendTls13CertificateVerify", ret); |
wolfSSL | 15:117db924cf7c | 5457 | WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_SEND); |
wolfSSL | 15:117db924cf7c | 5458 | |
wolfSSL | 15:117db924cf7c | 5459 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 5460 | /* Handle async operation */ |
wolfSSL | 15:117db924cf7c | 5461 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 5462 | return ret; |
wolfSSL | 15:117db924cf7c | 5463 | } |
wolfSSL | 15:117db924cf7c | 5464 | #endif /* WOLFSSL_ASYNC_CRYPT */ |
wolfSSL | 15:117db924cf7c | 5465 | |
wolfSSL | 15:117db924cf7c | 5466 | /* Final cleanup */ |
wolfSSL | 15:117db924cf7c | 5467 | FreeScv13Args(ssl, args); |
wolfSSL | 15:117db924cf7c | 5468 | FreeKeyExchange(ssl); |
wolfSSL | 15:117db924cf7c | 5469 | |
wolfSSL | 15:117db924cf7c | 5470 | return ret; |
wolfSSL | 15:117db924cf7c | 5471 | } |
wolfSSL | 15:117db924cf7c | 5472 | |
wolfSSL | 15:117db924cf7c | 5473 | /* handle processing TLS v1.3 certificate (11) */ |
wolfSSL | 15:117db924cf7c | 5474 | /* Parse and handle a TLS v1.3 Certificate message. |
wolfSSL | 15:117db924cf7c | 5475 | * |
wolfSSL | 15:117db924cf7c | 5476 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 5477 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 5478 | * inOutIdx On entry, the index into the message buffer of Certificate. |
wolfSSL | 15:117db924cf7c | 5479 | * On exit, the index of byte after the Certificate message. |
wolfSSL | 15:117db924cf7c | 5480 | * totalSz The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 5481 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 5482 | */ |
wolfSSL | 15:117db924cf7c | 5483 | static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 5484 | word32 totalSz) |
wolfSSL | 15:117db924cf7c | 5485 | { |
wolfSSL | 15:117db924cf7c | 5486 | int ret; |
wolfSSL | 15:117db924cf7c | 5487 | |
wolfSSL | 15:117db924cf7c | 5488 | WOLFSSL_START(WC_FUNC_CERTIFICATE_DO); |
wolfSSL | 15:117db924cf7c | 5489 | WOLFSSL_ENTER("DoTls13Certificate"); |
wolfSSL | 15:117db924cf7c | 5490 | |
wolfSSL | 15:117db924cf7c | 5491 | ret = ProcessPeerCerts(ssl, input, inOutIdx, totalSz); |
wolfSSL | 15:117db924cf7c | 5492 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 5493 | #if !defined(NO_WOLFSSL_CLIENT) |
wolfSSL | 15:117db924cf7c | 5494 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 5495 | ssl->options.serverState = SERVER_CERT_COMPLETE; |
wolfSSL | 15:117db924cf7c | 5496 | #endif |
wolfSSL | 15:117db924cf7c | 5497 | #if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) |
wolfSSL | 15:117db924cf7c | 5498 | if (ssl->options.side == WOLFSSL_SERVER_END && |
wolfSSL | 15:117db924cf7c | 5499 | ssl->options.handShakeState == HANDSHAKE_DONE) { |
wolfSSL | 15:117db924cf7c | 5500 | /* reset handshake states */ |
wolfSSL | 15:117db924cf7c | 5501 | ssl->options.serverState = SERVER_FINISHED_COMPLETE; |
wolfSSL | 15:117db924cf7c | 5502 | ssl->options.acceptState = TICKET_SENT; |
wolfSSL | 15:117db924cf7c | 5503 | ssl->options.handShakeState = SERVER_FINISHED_COMPLETE; |
wolfSSL | 15:117db924cf7c | 5504 | } |
wolfSSL | 15:117db924cf7c | 5505 | #endif |
wolfSSL | 15:117db924cf7c | 5506 | } |
wolfSSL | 15:117db924cf7c | 5507 | |
wolfSSL | 15:117db924cf7c | 5508 | WOLFSSL_LEAVE("DoTls13Certificate", ret); |
wolfSSL | 15:117db924cf7c | 5509 | WOLFSSL_END(WC_FUNC_CERTIFICATE_DO); |
wolfSSL | 15:117db924cf7c | 5510 | |
wolfSSL | 15:117db924cf7c | 5511 | return ret; |
wolfSSL | 15:117db924cf7c | 5512 | } |
wolfSSL | 15:117db924cf7c | 5513 | |
wolfSSL | 15:117db924cf7c | 5514 | #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) |
wolfSSL | 15:117db924cf7c | 5515 | |
wolfSSL | 15:117db924cf7c | 5516 | typedef struct Dcv13Args { |
wolfSSL | 15:117db924cf7c | 5517 | byte* output; /* not allocated */ |
wolfSSL | 15:117db924cf7c | 5518 | word32 sendSz; |
wolfSSL | 15:117db924cf7c | 5519 | word16 sz; |
wolfSSL | 15:117db924cf7c | 5520 | word32 sigSz; |
wolfSSL | 15:117db924cf7c | 5521 | word32 idx; |
wolfSSL | 15:117db924cf7c | 5522 | word32 begin; |
wolfSSL | 15:117db924cf7c | 5523 | byte hashAlgo; |
wolfSSL | 15:117db924cf7c | 5524 | byte sigAlgo; |
wolfSSL | 15:117db924cf7c | 5525 | |
wolfSSL | 15:117db924cf7c | 5526 | byte* sigData; |
wolfSSL | 15:117db924cf7c | 5527 | word16 sigDataSz; |
wolfSSL | 15:117db924cf7c | 5528 | } Dcv13Args; |
wolfSSL | 15:117db924cf7c | 5529 | |
wolfSSL | 15:117db924cf7c | 5530 | static void FreeDcv13Args(WOLFSSL* ssl, void* pArgs) |
wolfSSL | 15:117db924cf7c | 5531 | { |
wolfSSL | 15:117db924cf7c | 5532 | Dcv13Args* args = (Dcv13Args*)pArgs; |
wolfSSL | 15:117db924cf7c | 5533 | |
wolfSSL | 15:117db924cf7c | 5534 | if (args->sigData != NULL) { |
wolfSSL | 15:117db924cf7c | 5535 | XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 5536 | args->sigData = NULL; |
wolfSSL | 15:117db924cf7c | 5537 | } |
wolfSSL | 15:117db924cf7c | 5538 | |
wolfSSL | 15:117db924cf7c | 5539 | (void)ssl; |
wolfSSL | 15:117db924cf7c | 5540 | } |
wolfSSL | 15:117db924cf7c | 5541 | |
wolfSSL | 15:117db924cf7c | 5542 | /* handle processing TLS v1.3 certificate_verify (15) */ |
wolfSSL | 15:117db924cf7c | 5543 | /* Parse and handle a TLS v1.3 CertificateVerify message. |
wolfSSL | 15:117db924cf7c | 5544 | * |
wolfSSL | 15:117db924cf7c | 5545 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 5546 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 5547 | * inOutIdx On entry, the index into the message buffer of |
wolfSSL | 15:117db924cf7c | 5548 | * CertificateVerify. |
wolfSSL | 15:117db924cf7c | 5549 | * On exit, the index of byte after the CertificateVerify message. |
wolfSSL | 15:117db924cf7c | 5550 | * totalSz The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 5551 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 5552 | */ |
wolfSSL | 15:117db924cf7c | 5553 | static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input, |
wolfSSL | 15:117db924cf7c | 5554 | word32* inOutIdx, word32 totalSz) |
wolfSSL | 15:117db924cf7c | 5555 | { |
wolfSSL | 15:117db924cf7c | 5556 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 5557 | buffer* sig = &ssl->buffers.sig; |
wolfSSL | 15:117db924cf7c | 5558 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 5559 | Dcv13Args* args = (Dcv13Args*)ssl->async.args; |
wolfSSL | 15:117db924cf7c | 5560 | typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; |
wolfSSL | 15:117db924cf7c | 5561 | (void)sizeof(args_test); |
wolfSSL | 15:117db924cf7c | 5562 | #else |
wolfSSL | 15:117db924cf7c | 5563 | Dcv13Args args[1]; |
wolfSSL | 15:117db924cf7c | 5564 | #endif |
wolfSSL | 15:117db924cf7c | 5565 | |
wolfSSL | 15:117db924cf7c | 5566 | WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_DO); |
wolfSSL | 15:117db924cf7c | 5567 | WOLFSSL_ENTER("DoTls13CertificateVerify"); |
wolfSSL | 15:117db924cf7c | 5568 | |
wolfSSL | 15:117db924cf7c | 5569 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 5570 | ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); |
wolfSSL | 15:117db924cf7c | 5571 | if (ret != WC_NOT_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 5572 | /* Check for error */ |
wolfSSL | 15:117db924cf7c | 5573 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 5574 | goto exit_dcv; |
wolfSSL | 15:117db924cf7c | 5575 | } |
wolfSSL | 15:117db924cf7c | 5576 | else |
wolfSSL | 15:117db924cf7c | 5577 | #endif |
wolfSSL | 15:117db924cf7c | 5578 | { |
wolfSSL | 15:117db924cf7c | 5579 | /* Reset state */ |
wolfSSL | 15:117db924cf7c | 5580 | ret = 0; |
wolfSSL | 15:117db924cf7c | 5581 | ssl->options.asyncState = TLS_ASYNC_BEGIN; |
wolfSSL | 15:117db924cf7c | 5582 | XMEMSET(args, 0, sizeof(Dcv13Args)); |
wolfSSL | 15:117db924cf7c | 5583 | args->hashAlgo = sha_mac; |
wolfSSL | 15:117db924cf7c | 5584 | args->sigAlgo = anonymous_sa_algo; |
wolfSSL | 15:117db924cf7c | 5585 | args->idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 5586 | args->begin = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 5587 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 5588 | ssl->async.freeArgs = FreeDcv13Args; |
wolfSSL | 15:117db924cf7c | 5589 | #endif |
wolfSSL | 15:117db924cf7c | 5590 | } |
wolfSSL | 15:117db924cf7c | 5591 | |
wolfSSL | 15:117db924cf7c | 5592 | switch(ssl->options.asyncState) |
wolfSSL | 15:117db924cf7c | 5593 | { |
wolfSSL | 15:117db924cf7c | 5594 | case TLS_ASYNC_BEGIN: |
wolfSSL | 15:117db924cf7c | 5595 | { |
wolfSSL | 15:117db924cf7c | 5596 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5597 | if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateVerify"); |
wolfSSL | 15:117db924cf7c | 5598 | if (ssl->toInfoOn) AddLateName("CertificateVerify", |
wolfSSL | 15:117db924cf7c | 5599 | &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 5600 | #endif |
wolfSSL | 15:117db924cf7c | 5601 | |
wolfSSL | 15:117db924cf7c | 5602 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5603 | ssl->options.asyncState = TLS_ASYNC_BUILD; |
wolfSSL | 15:117db924cf7c | 5604 | } /* case TLS_ASYNC_BEGIN */ |
wolfSSL | 15:117db924cf7c | 5605 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 5606 | |
wolfSSL | 15:117db924cf7c | 5607 | case TLS_ASYNC_BUILD: |
wolfSSL | 15:117db924cf7c | 5608 | { |
wolfSSL | 15:117db924cf7c | 5609 | /* Signature algorithm. */ |
wolfSSL | 15:117db924cf7c | 5610 | if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > totalSz) { |
wolfSSL | 15:117db924cf7c | 5611 | ERROR_OUT(BUFFER_ERROR, exit_dcv); |
wolfSSL | 15:117db924cf7c | 5612 | } |
wolfSSL | 15:117db924cf7c | 5613 | DecodeSigAlg(input + args->idx, &args->hashAlgo, &args->sigAlgo); |
wolfSSL | 15:117db924cf7c | 5614 | args->idx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 5615 | |
wolfSSL | 15:117db924cf7c | 5616 | /* Signature length. */ |
wolfSSL | 15:117db924cf7c | 5617 | if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) { |
wolfSSL | 15:117db924cf7c | 5618 | ERROR_OUT(BUFFER_ERROR, exit_dcv); |
wolfSSL | 15:117db924cf7c | 5619 | } |
wolfSSL | 15:117db924cf7c | 5620 | ato16(input + args->idx, &args->sz); |
wolfSSL | 15:117db924cf7c | 5621 | args->idx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 5622 | |
wolfSSL | 15:117db924cf7c | 5623 | /* Signature data. */ |
wolfSSL | 15:117db924cf7c | 5624 | if ((args->idx - args->begin) + args->sz > totalSz || |
wolfSSL | 15:117db924cf7c | 5625 | args->sz > ENCRYPT_LEN) { |
wolfSSL | 15:117db924cf7c | 5626 | ERROR_OUT(BUFFER_ERROR, exit_dcv); |
wolfSSL | 15:117db924cf7c | 5627 | } |
wolfSSL | 15:117db924cf7c | 5628 | |
wolfSSL | 15:117db924cf7c | 5629 | /* Check for public key of required type. */ |
wolfSSL | 15:117db924cf7c | 5630 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 5631 | if (args->sigAlgo == ed25519_sa_algo && |
wolfSSL | 15:117db924cf7c | 5632 | !ssl->peerEd25519KeyPresent) { |
wolfSSL | 15:117db924cf7c | 5633 | WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify"); |
wolfSSL | 15:117db924cf7c | 5634 | } |
wolfSSL | 15:117db924cf7c | 5635 | #endif |
wolfSSL | 15:117db924cf7c | 5636 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 5637 | if (args->sigAlgo == ecc_dsa_sa_algo && |
wolfSSL | 15:117db924cf7c | 5638 | !ssl->peerEccDsaKeyPresent) { |
wolfSSL | 15:117db924cf7c | 5639 | WOLFSSL_MSG("Oops, peer sent ECC key but not in verify"); |
wolfSSL | 15:117db924cf7c | 5640 | } |
wolfSSL | 15:117db924cf7c | 5641 | #endif |
wolfSSL | 15:117db924cf7c | 5642 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 5643 | if ((args->sigAlgo == rsa_sa_algo || |
wolfSSL | 15:117db924cf7c | 5644 | args->sigAlgo == rsa_pss_sa_algo) && |
wolfSSL | 15:117db924cf7c | 5645 | (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) { |
wolfSSL | 15:117db924cf7c | 5646 | WOLFSSL_MSG("Oops, peer sent RSA key but not in verify"); |
wolfSSL | 15:117db924cf7c | 5647 | } |
wolfSSL | 15:117db924cf7c | 5648 | #endif |
wolfSSL | 15:117db924cf7c | 5649 | |
wolfSSL | 15:117db924cf7c | 5650 | sig->buffer = (byte*)XMALLOC(args->sz, ssl->heap, |
wolfSSL | 15:117db924cf7c | 5651 | DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 5652 | if (sig->buffer == NULL) { |
wolfSSL | 15:117db924cf7c | 5653 | ERROR_OUT(MEMORY_E, exit_dcv); |
wolfSSL | 15:117db924cf7c | 5654 | } |
wolfSSL | 15:117db924cf7c | 5655 | sig->length = args->sz; |
wolfSSL | 15:117db924cf7c | 5656 | XMEMCPY(sig->buffer, input + args->idx, args->sz); |
wolfSSL | 15:117db924cf7c | 5657 | |
wolfSSL | 15:117db924cf7c | 5658 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 5659 | if (ssl->peerEccDsaKeyPresent) { |
wolfSSL | 15:117db924cf7c | 5660 | WOLFSSL_MSG("Doing ECC peer cert verify"); |
wolfSSL | 15:117db924cf7c | 5661 | |
wolfSSL | 15:117db924cf7c | 5662 | args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap, |
wolfSSL | 15:117db924cf7c | 5663 | DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 5664 | if (args->sigData == NULL) { |
wolfSSL | 15:117db924cf7c | 5665 | ERROR_OUT(MEMORY_E, exit_dcv); |
wolfSSL | 15:117db924cf7c | 5666 | } |
wolfSSL | 15:117db924cf7c | 5667 | |
wolfSSL | 15:117db924cf7c | 5668 | ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1); |
wolfSSL | 15:117db924cf7c | 5669 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5670 | goto exit_dcv; |
wolfSSL | 15:117db924cf7c | 5671 | ret = CreateECCEncodedSig(args->sigData, |
wolfSSL | 15:117db924cf7c | 5672 | args->sigDataSz, args->hashAlgo); |
wolfSSL | 15:117db924cf7c | 5673 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 5674 | goto exit_dcv; |
wolfSSL | 15:117db924cf7c | 5675 | args->sigDataSz = (word16)ret; |
wolfSSL | 15:117db924cf7c | 5676 | ret = 0; |
wolfSSL | 15:117db924cf7c | 5677 | } |
wolfSSL | 15:117db924cf7c | 5678 | #endif |
wolfSSL | 15:117db924cf7c | 5679 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 5680 | if (ssl->peerEd25519KeyPresent) { |
wolfSSL | 15:117db924cf7c | 5681 | WOLFSSL_MSG("Doing ED25519 peer cert verify"); |
wolfSSL | 15:117db924cf7c | 5682 | |
wolfSSL | 15:117db924cf7c | 5683 | args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap, |
wolfSSL | 15:117db924cf7c | 5684 | DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 5685 | if (args->sigData == NULL) { |
wolfSSL | 15:117db924cf7c | 5686 | ERROR_OUT(MEMORY_E, exit_dcv); |
wolfSSL | 15:117db924cf7c | 5687 | } |
wolfSSL | 15:117db924cf7c | 5688 | |
wolfSSL | 15:117db924cf7c | 5689 | CreateSigData(ssl, args->sigData, &args->sigDataSz, 1); |
wolfSSL | 15:117db924cf7c | 5690 | ret = 0; |
wolfSSL | 15:117db924cf7c | 5691 | } |
wolfSSL | 15:117db924cf7c | 5692 | #endif |
wolfSSL | 15:117db924cf7c | 5693 | |
wolfSSL | 15:117db924cf7c | 5694 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5695 | ssl->options.asyncState = TLS_ASYNC_DO; |
wolfSSL | 15:117db924cf7c | 5696 | } /* case TLS_ASYNC_BUILD */ |
wolfSSL | 15:117db924cf7c | 5697 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 5698 | |
wolfSSL | 15:117db924cf7c | 5699 | case TLS_ASYNC_DO: |
wolfSSL | 15:117db924cf7c | 5700 | { |
wolfSSL | 15:117db924cf7c | 5701 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 5702 | if (args->sigAlgo == rsa_sa_algo || |
wolfSSL | 15:117db924cf7c | 5703 | args->sigAlgo == rsa_pss_sa_algo) { |
wolfSSL | 15:117db924cf7c | 5704 | WOLFSSL_MSG("Doing RSA peer cert verify"); |
wolfSSL | 15:117db924cf7c | 5705 | |
wolfSSL | 15:117db924cf7c | 5706 | ret = RsaVerify(ssl, sig->buffer, sig->length, &args->output, |
wolfSSL | 15:117db924cf7c | 5707 | args->sigAlgo, args->hashAlgo, ssl->peerRsaKey, |
wolfSSL | 15:117db924cf7c | 5708 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5709 | &ssl->buffers.peerRsaKey |
wolfSSL | 15:117db924cf7c | 5710 | #else |
wolfSSL | 15:117db924cf7c | 5711 | NULL |
wolfSSL | 15:117db924cf7c | 5712 | #endif |
wolfSSL | 15:117db924cf7c | 5713 | ); |
wolfSSL | 15:117db924cf7c | 5714 | if (ret >= 0) { |
wolfSSL | 15:117db924cf7c | 5715 | args->sendSz = ret; |
wolfSSL | 15:117db924cf7c | 5716 | ret = 0; |
wolfSSL | 15:117db924cf7c | 5717 | } |
wolfSSL | 15:117db924cf7c | 5718 | } |
wolfSSL | 15:117db924cf7c | 5719 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 5720 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 5721 | if (ssl->peerEccDsaKeyPresent) { |
wolfSSL | 15:117db924cf7c | 5722 | WOLFSSL_MSG("Doing ECC peer cert verify"); |
wolfSSL | 15:117db924cf7c | 5723 | |
wolfSSL | 15:117db924cf7c | 5724 | ret = EccVerify(ssl, input + args->idx, args->sz, |
wolfSSL | 15:117db924cf7c | 5725 | args->sigData, args->sigDataSz, |
wolfSSL | 15:117db924cf7c | 5726 | ssl->peerEccDsaKey, |
wolfSSL | 15:117db924cf7c | 5727 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5728 | &ssl->buffers.peerEccDsaKey |
wolfSSL | 15:117db924cf7c | 5729 | #else |
wolfSSL | 15:117db924cf7c | 5730 | NULL |
wolfSSL | 15:117db924cf7c | 5731 | #endif |
wolfSSL | 15:117db924cf7c | 5732 | ); |
wolfSSL | 15:117db924cf7c | 5733 | } |
wolfSSL | 15:117db924cf7c | 5734 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 5735 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 5736 | if (ssl->peerEd25519KeyPresent) { |
wolfSSL | 15:117db924cf7c | 5737 | WOLFSSL_MSG("Doing ED25519 peer cert verify"); |
wolfSSL | 15:117db924cf7c | 5738 | |
wolfSSL | 15:117db924cf7c | 5739 | ret = Ed25519Verify(ssl, input + args->idx, args->sz, |
wolfSSL | 15:117db924cf7c | 5740 | args->sigData, args->sigDataSz, |
wolfSSL | 15:117db924cf7c | 5741 | ssl->peerEd25519Key, |
wolfSSL | 15:117db924cf7c | 5742 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5743 | &ssl->buffers.peerEd25519Key |
wolfSSL | 15:117db924cf7c | 5744 | #else |
wolfSSL | 15:117db924cf7c | 5745 | NULL |
wolfSSL | 15:117db924cf7c | 5746 | #endif |
wolfSSL | 15:117db924cf7c | 5747 | ); |
wolfSSL | 15:117db924cf7c | 5748 | } |
wolfSSL | 15:117db924cf7c | 5749 | #endif |
wolfSSL | 15:117db924cf7c | 5750 | |
wolfSSL | 15:117db924cf7c | 5751 | /* Check for error */ |
wolfSSL | 15:117db924cf7c | 5752 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 5753 | goto exit_dcv; |
wolfSSL | 15:117db924cf7c | 5754 | } |
wolfSSL | 15:117db924cf7c | 5755 | |
wolfSSL | 15:117db924cf7c | 5756 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5757 | ssl->options.asyncState = TLS_ASYNC_VERIFY; |
wolfSSL | 15:117db924cf7c | 5758 | } /* case TLS_ASYNC_DO */ |
wolfSSL | 15:117db924cf7c | 5759 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 5760 | |
wolfSSL | 15:117db924cf7c | 5761 | case TLS_ASYNC_VERIFY: |
wolfSSL | 15:117db924cf7c | 5762 | { |
wolfSSL | 15:117db924cf7c | 5763 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 5764 | if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) { |
wolfSSL | 15:117db924cf7c | 5765 | ret = CheckRSASignature(ssl, args->sigAlgo, args->hashAlgo, |
wolfSSL | 15:117db924cf7c | 5766 | args->output, args->sendSz); |
wolfSSL | 15:117db924cf7c | 5767 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5768 | goto exit_dcv; |
wolfSSL | 15:117db924cf7c | 5769 | } |
wolfSSL | 15:117db924cf7c | 5770 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 5771 | |
wolfSSL | 15:117db924cf7c | 5772 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5773 | ssl->options.asyncState = TLS_ASYNC_FINALIZE; |
wolfSSL | 15:117db924cf7c | 5774 | } /* case TLS_ASYNC_VERIFY */ |
wolfSSL | 15:117db924cf7c | 5775 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 5776 | |
wolfSSL | 15:117db924cf7c | 5777 | case TLS_ASYNC_FINALIZE: |
wolfSSL | 15:117db924cf7c | 5778 | { |
wolfSSL | 15:117db924cf7c | 5779 | ssl->options.havePeerVerify = 1; |
wolfSSL | 15:117db924cf7c | 5780 | |
wolfSSL | 15:117db924cf7c | 5781 | /* Set final index */ |
wolfSSL | 15:117db924cf7c | 5782 | args->idx += args->sz; |
wolfSSL | 15:117db924cf7c | 5783 | *inOutIdx = args->idx; |
wolfSSL | 15:117db924cf7c | 5784 | |
wolfSSL | 15:117db924cf7c | 5785 | /* Encryption is always on: add padding */ |
wolfSSL | 15:117db924cf7c | 5786 | *inOutIdx += ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 5787 | |
wolfSSL | 15:117db924cf7c | 5788 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5789 | ssl->options.asyncState = TLS_ASYNC_END; |
wolfSSL | 15:117db924cf7c | 5790 | } /* case TLS_ASYNC_FINALIZE */ |
wolfSSL | 15:117db924cf7c | 5791 | |
wolfSSL | 15:117db924cf7c | 5792 | case TLS_ASYNC_END: |
wolfSSL | 15:117db924cf7c | 5793 | { |
wolfSSL | 15:117db924cf7c | 5794 | break; |
wolfSSL | 15:117db924cf7c | 5795 | } |
wolfSSL | 15:117db924cf7c | 5796 | default: |
wolfSSL | 15:117db924cf7c | 5797 | ret = INPUT_CASE_ERROR; |
wolfSSL | 15:117db924cf7c | 5798 | } /* switch(ssl->options.asyncState) */ |
wolfSSL | 15:117db924cf7c | 5799 | |
wolfSSL | 15:117db924cf7c | 5800 | exit_dcv: |
wolfSSL | 15:117db924cf7c | 5801 | |
wolfSSL | 15:117db924cf7c | 5802 | WOLFSSL_LEAVE("DoTls13CertificateVerify", ret); |
wolfSSL | 15:117db924cf7c | 5803 | WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_DO); |
wolfSSL | 15:117db924cf7c | 5804 | |
wolfSSL | 15:117db924cf7c | 5805 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 5806 | /* Handle async operation */ |
wolfSSL | 15:117db924cf7c | 5807 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 5808 | /* Mark message as not recevied so it can process again */ |
wolfSSL | 15:117db924cf7c | 5809 | ssl->msgsReceived.got_certificate_verify = 0; |
wolfSSL | 15:117db924cf7c | 5810 | |
wolfSSL | 15:117db924cf7c | 5811 | return ret; |
wolfSSL | 15:117db924cf7c | 5812 | } |
wolfSSL | 15:117db924cf7c | 5813 | else |
wolfSSL | 15:117db924cf7c | 5814 | #endif /* WOLFSSL_ASYNC_CRYPT */ |
wolfSSL | 15:117db924cf7c | 5815 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5816 | SendAlert(ssl, alert_fatal, decrypt_error); |
wolfSSL | 15:117db924cf7c | 5817 | |
wolfSSL | 15:117db924cf7c | 5818 | /* Final cleanup */ |
wolfSSL | 15:117db924cf7c | 5819 | FreeDcv13Args(ssl, args); |
wolfSSL | 15:117db924cf7c | 5820 | FreeKeyExchange(ssl); |
wolfSSL | 15:117db924cf7c | 5821 | |
wolfSSL | 15:117db924cf7c | 5822 | return ret; |
wolfSSL | 15:117db924cf7c | 5823 | } |
wolfSSL | 15:117db924cf7c | 5824 | #endif /* !NO_RSA || HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 5825 | |
wolfSSL | 15:117db924cf7c | 5826 | /* Parse and handle a TLS v1.3 Finished message. |
wolfSSL | 15:117db924cf7c | 5827 | * |
wolfSSL | 15:117db924cf7c | 5828 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 5829 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 5830 | * inOutIdx On entry, the index into the message buffer of Finished. |
wolfSSL | 15:117db924cf7c | 5831 | * On exit, the index of byte after the Finished message and padding. |
wolfSSL | 15:117db924cf7c | 5832 | * size Length of message data. |
wolfSSL | 15:117db924cf7c | 5833 | * totalSz Length of remaining data in the message buffer. |
wolfSSL | 15:117db924cf7c | 5834 | * sniff Indicates whether we are sniffing packets. |
wolfSSL | 15:117db924cf7c | 5835 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 5836 | */ |
wolfSSL | 15:117db924cf7c | 5837 | static int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 5838 | word32 size, word32 totalSz, int sniff) |
wolfSSL | 15:117db924cf7c | 5839 | { |
wolfSSL | 15:117db924cf7c | 5840 | int ret; |
wolfSSL | 15:117db924cf7c | 5841 | word32 finishedSz = 0; |
wolfSSL | 15:117db924cf7c | 5842 | byte* secret; |
wolfSSL | 15:117db924cf7c | 5843 | byte mac[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 5844 | |
wolfSSL | 15:117db924cf7c | 5845 | WOLFSSL_START(WC_FUNC_FINISHED_DO); |
wolfSSL | 15:117db924cf7c | 5846 | WOLFSSL_ENTER("DoTls13Finished"); |
wolfSSL | 15:117db924cf7c | 5847 | |
wolfSSL | 15:117db924cf7c | 5848 | /* check against totalSz */ |
wolfSSL | 15:117db924cf7c | 5849 | if (*inOutIdx + size + ssl->keys.padSz > totalSz) |
wolfSSL | 15:117db924cf7c | 5850 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 5851 | |
wolfSSL | 15:117db924cf7c | 5852 | if (ssl->options.handShakeDone) { |
wolfSSL | 15:117db924cf7c | 5853 | ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret, |
wolfSSL | 15:117db924cf7c | 5854 | ssl->keys.client_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 5855 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5856 | return ret; |
wolfSSL | 15:117db924cf7c | 5857 | |
wolfSSL | 15:117db924cf7c | 5858 | secret = ssl->keys.client_write_MAC_secret; |
wolfSSL | 15:117db924cf7c | 5859 | } |
wolfSSL | 15:117db924cf7c | 5860 | else if (ssl->options.side == WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 5861 | /* All the handshake messages have been received to calculate |
wolfSSL | 15:117db924cf7c | 5862 | * client and server finished keys. |
wolfSSL | 15:117db924cf7c | 5863 | */ |
wolfSSL | 15:117db924cf7c | 5864 | ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret, |
wolfSSL | 15:117db924cf7c | 5865 | ssl->keys.client_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 5866 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5867 | return ret; |
wolfSSL | 15:117db924cf7c | 5868 | |
wolfSSL | 15:117db924cf7c | 5869 | ret = DeriveFinishedSecret(ssl, ssl->arrays->serverSecret, |
wolfSSL | 15:117db924cf7c | 5870 | ssl->keys.server_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 5871 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5872 | return ret; |
wolfSSL | 15:117db924cf7c | 5873 | |
wolfSSL | 15:117db924cf7c | 5874 | secret = ssl->keys.server_write_MAC_secret; |
wolfSSL | 15:117db924cf7c | 5875 | } |
wolfSSL | 15:117db924cf7c | 5876 | else |
wolfSSL | 15:117db924cf7c | 5877 | secret = ssl->keys.client_write_MAC_secret; |
wolfSSL | 15:117db924cf7c | 5878 | |
wolfSSL | 15:117db924cf7c | 5879 | ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz); |
wolfSSL | 15:117db924cf7c | 5880 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5881 | return ret; |
wolfSSL | 15:117db924cf7c | 5882 | if (size != finishedSz) |
wolfSSL | 15:117db924cf7c | 5883 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 5884 | |
wolfSSL | 15:117db924cf7c | 5885 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5886 | if (ssl->hsInfoOn) AddPacketName(ssl, "Finished"); |
wolfSSL | 15:117db924cf7c | 5887 | if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 5888 | #endif |
wolfSSL | 15:117db924cf7c | 5889 | |
wolfSSL | 15:117db924cf7c | 5890 | if (sniff == NO_SNIFF) { |
wolfSSL | 15:117db924cf7c | 5891 | /* Actually check verify data. */ |
wolfSSL | 15:117db924cf7c | 5892 | if (XMEMCMP(input + *inOutIdx, mac, size) != 0){ |
wolfSSL | 15:117db924cf7c | 5893 | WOLFSSL_MSG("Verify finished error on hashes"); |
wolfSSL | 15:117db924cf7c | 5894 | SendAlert(ssl, alert_fatal, decrypt_error); |
wolfSSL | 15:117db924cf7c | 5895 | return VERIFY_FINISHED_ERROR; |
wolfSSL | 15:117db924cf7c | 5896 | } |
wolfSSL | 15:117db924cf7c | 5897 | } |
wolfSSL | 15:117db924cf7c | 5898 | |
wolfSSL | 15:117db924cf7c | 5899 | /* Force input exhaustion at ProcessReply by consuming padSz. */ |
wolfSSL | 15:117db924cf7c | 5900 | *inOutIdx += size + ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 5901 | |
wolfSSL | 15:117db924cf7c | 5902 | if (ssl->options.side == WOLFSSL_SERVER_END && |
wolfSSL | 15:117db924cf7c | 5903 | !ssl->options.handShakeDone) { |
wolfSSL | 15:117db924cf7c | 5904 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 5905 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 5906 | if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY, 1)) != 0) |
wolfSSL | 15:117db924cf7c | 5907 | return ret; |
wolfSSL | 15:117db924cf7c | 5908 | } |
wolfSSL | 15:117db924cf7c | 5909 | #endif |
wolfSSL | 15:117db924cf7c | 5910 | /* Setup keys for application data messages from client. */ |
wolfSSL | 15:117db924cf7c | 5911 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 5912 | return ret; |
wolfSSL | 15:117db924cf7c | 5913 | } |
wolfSSL | 15:117db924cf7c | 5914 | |
wolfSSL | 15:117db924cf7c | 5915 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 5916 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 5917 | ssl->options.serverState = SERVER_FINISHED_COMPLETE; |
wolfSSL | 15:117db924cf7c | 5918 | #endif |
wolfSSL | 15:117db924cf7c | 5919 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 5920 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 5921 | ssl->options.clientState = CLIENT_FINISHED_COMPLETE; |
wolfSSL | 15:117db924cf7c | 5922 | ssl->options.handShakeState = HANDSHAKE_DONE; |
wolfSSL | 15:117db924cf7c | 5923 | ssl->options.handShakeDone = 1; |
wolfSSL | 15:117db924cf7c | 5924 | } |
wolfSSL | 15:117db924cf7c | 5925 | #endif |
wolfSSL | 15:117db924cf7c | 5926 | |
wolfSSL | 15:117db924cf7c | 5927 | WOLFSSL_LEAVE("DoTls13Finished", 0); |
wolfSSL | 15:117db924cf7c | 5928 | WOLFSSL_END(WC_FUNC_FINISHED_DO); |
wolfSSL | 15:117db924cf7c | 5929 | |
wolfSSL | 15:117db924cf7c | 5930 | return 0; |
wolfSSL | 15:117db924cf7c | 5931 | } |
wolfSSL | 15:117db924cf7c | 5932 | #endif /* NO_CERTS */ |
wolfSSL | 15:117db924cf7c | 5933 | |
wolfSSL | 15:117db924cf7c | 5934 | /* Send the TLS v1.3 Finished message. |
wolfSSL | 15:117db924cf7c | 5935 | * |
wolfSSL | 15:117db924cf7c | 5936 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 5937 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 5938 | */ |
wolfSSL | 15:117db924cf7c | 5939 | static int SendTls13Finished(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 5940 | { |
wolfSSL | 15:117db924cf7c | 5941 | int sendSz; |
wolfSSL | 15:117db924cf7c | 5942 | int finishedSz = ssl->specs.hash_size; |
wolfSSL | 15:117db924cf7c | 5943 | byte* input; |
wolfSSL | 15:117db924cf7c | 5944 | byte* output; |
wolfSSL | 15:117db924cf7c | 5945 | int ret; |
wolfSSL | 15:117db924cf7c | 5946 | int headerSz = HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5947 | int outputSz; |
wolfSSL | 15:117db924cf7c | 5948 | byte* secret; |
wolfSSL | 15:117db924cf7c | 5949 | |
wolfSSL | 15:117db924cf7c | 5950 | WOLFSSL_START(WC_FUNC_FINISHED_SEND); |
wolfSSL | 15:117db924cf7c | 5951 | WOLFSSL_ENTER("SendTls13Finished"); |
wolfSSL | 15:117db924cf7c | 5952 | |
wolfSSL | 15:117db924cf7c | 5953 | outputSz = WC_MAX_DIGEST_SIZE + DTLS_HANDSHAKE_HEADER_SZ + MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 5954 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 5955 | if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) |
wolfSSL | 15:117db924cf7c | 5956 | return ret; |
wolfSSL | 15:117db924cf7c | 5957 | |
wolfSSL | 15:117db924cf7c | 5958 | /* get output buffer */ |
wolfSSL | 15:117db924cf7c | 5959 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 5960 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 5961 | input = output + RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5962 | |
wolfSSL | 15:117db924cf7c | 5963 | AddTls13HandShakeHeader(input, finishedSz, 0, finishedSz, finished, ssl); |
wolfSSL | 15:117db924cf7c | 5964 | |
wolfSSL | 15:117db924cf7c | 5965 | /* make finished hashes */ |
wolfSSL | 15:117db924cf7c | 5966 | if (ssl->options.handShakeDone) { |
wolfSSL | 15:117db924cf7c | 5967 | ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret, |
wolfSSL | 15:117db924cf7c | 5968 | ssl->keys.client_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 5969 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5970 | return ret; |
wolfSSL | 15:117db924cf7c | 5971 | |
wolfSSL | 15:117db924cf7c | 5972 | secret = ssl->keys.client_write_MAC_secret; |
wolfSSL | 15:117db924cf7c | 5973 | } |
wolfSSL | 15:117db924cf7c | 5974 | else if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 5975 | secret = ssl->keys.client_write_MAC_secret; |
wolfSSL | 15:117db924cf7c | 5976 | else { |
wolfSSL | 15:117db924cf7c | 5977 | /* All the handshake messages have been done to calculate client and |
wolfSSL | 15:117db924cf7c | 5978 | * server finished keys. |
wolfSSL | 15:117db924cf7c | 5979 | */ |
wolfSSL | 15:117db924cf7c | 5980 | ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret, |
wolfSSL | 15:117db924cf7c | 5981 | ssl->keys.client_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 5982 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5983 | return ret; |
wolfSSL | 15:117db924cf7c | 5984 | |
wolfSSL | 15:117db924cf7c | 5985 | ret = DeriveFinishedSecret(ssl, ssl->arrays->serverSecret, |
wolfSSL | 15:117db924cf7c | 5986 | ssl->keys.server_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 5987 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5988 | return ret; |
wolfSSL | 15:117db924cf7c | 5989 | |
wolfSSL | 15:117db924cf7c | 5990 | secret = ssl->keys.server_write_MAC_secret; |
wolfSSL | 15:117db924cf7c | 5991 | } |
wolfSSL | 15:117db924cf7c | 5992 | ret = BuildTls13HandshakeHmac(ssl, secret, &input[headerSz], NULL); |
wolfSSL | 15:117db924cf7c | 5993 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5994 | return ret; |
wolfSSL | 15:117db924cf7c | 5995 | |
wolfSSL | 15:117db924cf7c | 5996 | /* This message is always encrypted. */ |
wolfSSL | 15:117db924cf7c | 5997 | sendSz = BuildTls13Message(ssl, output, outputSz, input, |
wolfSSL | 15:117db924cf7c | 5998 | headerSz + finishedSz, handshake, 1, 0, 0); |
wolfSSL | 15:117db924cf7c | 5999 | if (sendSz < 0) |
wolfSSL | 15:117db924cf7c | 6000 | return BUILD_MSG_ERROR; |
wolfSSL | 15:117db924cf7c | 6001 | |
wolfSSL | 15:117db924cf7c | 6002 | if (!ssl->options.resuming) { |
wolfSSL | 15:117db924cf7c | 6003 | #ifndef NO_SESSION_CACHE |
wolfSSL | 15:117db924cf7c | 6004 | AddSession(ssl); /* just try */ |
wolfSSL | 15:117db924cf7c | 6005 | #endif |
wolfSSL | 15:117db924cf7c | 6006 | } |
wolfSSL | 15:117db924cf7c | 6007 | |
wolfSSL | 15:117db924cf7c | 6008 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 6009 | if (ssl->hsInfoOn) AddPacketName(ssl, "Finished"); |
wolfSSL | 15:117db924cf7c | 6010 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 6011 | AddPacketInfo(ssl, "Finished", handshake, output, sendSz, |
wolfSSL | 15:117db924cf7c | 6012 | WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 6013 | } |
wolfSSL | 15:117db924cf7c | 6014 | #endif |
wolfSSL | 15:117db924cf7c | 6015 | |
wolfSSL | 15:117db924cf7c | 6016 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 6017 | |
wolfSSL | 15:117db924cf7c | 6018 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 6019 | /* Can send application data now. */ |
wolfSSL | 15:117db924cf7c | 6020 | if ((ret = DeriveMasterSecret(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 6021 | return ret; |
wolfSSL | 15:117db924cf7c | 6022 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6023 | if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_SIDE_ONLY, 1)) |
wolfSSL | 15:117db924cf7c | 6024 | != 0) { |
wolfSSL | 15:117db924cf7c | 6025 | return ret; |
wolfSSL | 15:117db924cf7c | 6026 | } |
wolfSSL | 15:117db924cf7c | 6027 | if ((ret = DeriveTls13Keys(ssl, traffic_key, DECRYPT_SIDE_ONLY, |
wolfSSL | 15:117db924cf7c | 6028 | ssl->earlyData == no_early_data)) != 0) { |
wolfSSL | 15:117db924cf7c | 6029 | return ret; |
wolfSSL | 15:117db924cf7c | 6030 | } |
wolfSSL | 15:117db924cf7c | 6031 | #else |
wolfSSL | 15:117db924cf7c | 6032 | if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_AND_DECRYPT_SIDE, |
wolfSSL | 15:117db924cf7c | 6033 | 1)) != 0) { |
wolfSSL | 15:117db924cf7c | 6034 | return ret; |
wolfSSL | 15:117db924cf7c | 6035 | } |
wolfSSL | 15:117db924cf7c | 6036 | #endif |
wolfSSL | 15:117db924cf7c | 6037 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 6038 | return ret; |
wolfSSL | 15:117db924cf7c | 6039 | } |
wolfSSL | 15:117db924cf7c | 6040 | |
wolfSSL | 15:117db924cf7c | 6041 | if (ssl->options.side == WOLFSSL_CLIENT_END && |
wolfSSL | 15:117db924cf7c | 6042 | !ssl->options.handShakeDone) { |
wolfSSL | 15:117db924cf7c | 6043 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6044 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 6045 | if ((ret = DeriveTls13Keys(ssl, no_key, ENCRYPT_AND_DECRYPT_SIDE, |
wolfSSL | 15:117db924cf7c | 6046 | 1)) != 0) { |
wolfSSL | 15:117db924cf7c | 6047 | return ret; |
wolfSSL | 15:117db924cf7c | 6048 | } |
wolfSSL | 15:117db924cf7c | 6049 | } |
wolfSSL | 15:117db924cf7c | 6050 | #endif |
wolfSSL | 15:117db924cf7c | 6051 | /* Setup keys for application data messages. */ |
wolfSSL | 15:117db924cf7c | 6052 | if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0) |
wolfSSL | 15:117db924cf7c | 6053 | return ret; |
wolfSSL | 15:117db924cf7c | 6054 | |
wolfSSL | 15:117db924cf7c | 6055 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 6056 | ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret); |
wolfSSL | 15:117db924cf7c | 6057 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6058 | return ret; |
wolfSSL | 15:117db924cf7c | 6059 | #endif |
wolfSSL | 15:117db924cf7c | 6060 | } |
wolfSSL | 15:117db924cf7c | 6061 | |
wolfSSL | 15:117db924cf7c | 6062 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6063 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 6064 | ssl->options.clientState = CLIENT_FINISHED_COMPLETE; |
wolfSSL | 15:117db924cf7c | 6065 | ssl->options.handShakeState = HANDSHAKE_DONE; |
wolfSSL | 15:117db924cf7c | 6066 | ssl->options.handShakeDone = 1; |
wolfSSL | 15:117db924cf7c | 6067 | } |
wolfSSL | 15:117db924cf7c | 6068 | #endif |
wolfSSL | 15:117db924cf7c | 6069 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6070 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 6071 | ssl->options.serverState = SERVER_FINISHED_COMPLETE; |
wolfSSL | 15:117db924cf7c | 6072 | } |
wolfSSL | 15:117db924cf7c | 6073 | #endif |
wolfSSL | 15:117db924cf7c | 6074 | |
wolfSSL | 15:117db924cf7c | 6075 | if ((ret = SendBuffered(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 6076 | return ret; |
wolfSSL | 15:117db924cf7c | 6077 | |
wolfSSL | 15:117db924cf7c | 6078 | WOLFSSL_LEAVE("SendTls13Finished", ret); |
wolfSSL | 15:117db924cf7c | 6079 | WOLFSSL_END(WC_FUNC_FINISHED_SEND); |
wolfSSL | 15:117db924cf7c | 6080 | |
wolfSSL | 15:117db924cf7c | 6081 | return ret; |
wolfSSL | 15:117db924cf7c | 6082 | } |
wolfSSL | 15:117db924cf7c | 6083 | |
wolfSSL | 15:117db924cf7c | 6084 | /* handle generation TLS v1.3 key_update (24) */ |
wolfSSL | 15:117db924cf7c | 6085 | /* Send the TLS v1.3 KeyUpdate message. |
wolfSSL | 15:117db924cf7c | 6086 | * |
wolfSSL | 15:117db924cf7c | 6087 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6088 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 6089 | */ |
wolfSSL | 15:117db924cf7c | 6090 | static int SendTls13KeyUpdate(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 6091 | { |
wolfSSL | 15:117db924cf7c | 6092 | int sendSz; |
wolfSSL | 15:117db924cf7c | 6093 | byte* input; |
wolfSSL | 15:117db924cf7c | 6094 | byte* output; |
wolfSSL | 15:117db924cf7c | 6095 | int ret; |
wolfSSL | 15:117db924cf7c | 6096 | int headerSz = HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 6097 | int outputSz; |
wolfSSL | 15:117db924cf7c | 6098 | word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 6099 | |
wolfSSL | 15:117db924cf7c | 6100 | WOLFSSL_START(WC_FUNC_KEY_UPDATE_SEND); |
wolfSSL | 15:117db924cf7c | 6101 | WOLFSSL_ENTER("SendTls13KeyUpdate"); |
wolfSSL | 15:117db924cf7c | 6102 | |
wolfSSL | 15:117db924cf7c | 6103 | outputSz = OPAQUE8_LEN + MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 6104 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 6105 | if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) |
wolfSSL | 15:117db924cf7c | 6106 | return ret; |
wolfSSL | 15:117db924cf7c | 6107 | |
wolfSSL | 15:117db924cf7c | 6108 | /* get output buffer */ |
wolfSSL | 15:117db924cf7c | 6109 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 6110 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 6111 | input = output + RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 6112 | |
wolfSSL | 15:117db924cf7c | 6113 | AddTls13Headers(output, OPAQUE8_LEN, key_update, ssl); |
wolfSSL | 15:117db924cf7c | 6114 | |
wolfSSL | 15:117db924cf7c | 6115 | /* If: |
wolfSSL | 15:117db924cf7c | 6116 | * 1. I haven't sent a KeyUpdate requesting a response and |
wolfSSL | 15:117db924cf7c | 6117 | * 2. This isn't responding to peer KeyUpdate requiring a response then, |
wolfSSL | 15:117db924cf7c | 6118 | * I want a response. |
wolfSSL | 15:117db924cf7c | 6119 | */ |
wolfSSL | 15:117db924cf7c | 6120 | ssl->keys.updateResponseReq = output[i++] = |
wolfSSL | 15:117db924cf7c | 6121 | !ssl->keys.updateResponseReq && !ssl->keys.keyUpdateRespond; |
wolfSSL | 15:117db924cf7c | 6122 | /* Sent response, no longer need to respond. */ |
wolfSSL | 15:117db924cf7c | 6123 | ssl->keys.keyUpdateRespond = 0; |
wolfSSL | 15:117db924cf7c | 6124 | |
wolfSSL | 15:117db924cf7c | 6125 | /* This message is always encrypted. */ |
wolfSSL | 15:117db924cf7c | 6126 | sendSz = BuildTls13Message(ssl, output, outputSz, input, |
wolfSSL | 15:117db924cf7c | 6127 | headerSz + OPAQUE8_LEN, handshake, 0, 0, 0); |
wolfSSL | 15:117db924cf7c | 6128 | if (sendSz < 0) |
wolfSSL | 15:117db924cf7c | 6129 | return BUILD_MSG_ERROR; |
wolfSSL | 15:117db924cf7c | 6130 | |
wolfSSL | 15:117db924cf7c | 6131 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 6132 | if (ssl->hsInfoOn) AddPacketName(ssl, "KeyUpdate"); |
wolfSSL | 15:117db924cf7c | 6133 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 6134 | AddPacketInfo(ssl, "KeyUpdate", handshake, output, sendSz, |
wolfSSL | 15:117db924cf7c | 6135 | WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 6136 | } |
wolfSSL | 15:117db924cf7c | 6137 | #endif |
wolfSSL | 15:117db924cf7c | 6138 | |
wolfSSL | 15:117db924cf7c | 6139 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 6140 | |
wolfSSL | 15:117db924cf7c | 6141 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 6142 | if (ret != 0 && ret != WANT_WRITE) |
wolfSSL | 15:117db924cf7c | 6143 | return ret; |
wolfSSL | 15:117db924cf7c | 6144 | |
wolfSSL | 15:117db924cf7c | 6145 | /* Future traffic uses new encryption keys. */ |
wolfSSL | 15:117db924cf7c | 6146 | if ((ret = DeriveTls13Keys(ssl, update_traffic_key, ENCRYPT_SIDE_ONLY, 1)) |
wolfSSL | 15:117db924cf7c | 6147 | != 0) |
wolfSSL | 15:117db924cf7c | 6148 | return ret; |
wolfSSL | 15:117db924cf7c | 6149 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 6150 | return ret; |
wolfSSL | 15:117db924cf7c | 6151 | |
wolfSSL | 15:117db924cf7c | 6152 | WOLFSSL_LEAVE("SendTls13KeyUpdate", ret); |
wolfSSL | 15:117db924cf7c | 6153 | WOLFSSL_END(WC_FUNC_KEY_UPDATE_SEND); |
wolfSSL | 15:117db924cf7c | 6154 | |
wolfSSL | 15:117db924cf7c | 6155 | return ret; |
wolfSSL | 15:117db924cf7c | 6156 | } |
wolfSSL | 15:117db924cf7c | 6157 | |
wolfSSL | 15:117db924cf7c | 6158 | /* handle processing TLS v1.3 key_update (24) */ |
wolfSSL | 15:117db924cf7c | 6159 | /* Parse and handle a TLS v1.3 KeyUpdate message. |
wolfSSL | 15:117db924cf7c | 6160 | * |
wolfSSL | 15:117db924cf7c | 6161 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6162 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 6163 | * inOutIdx On entry, the index into the message buffer of Finished. |
wolfSSL | 15:117db924cf7c | 6164 | * On exit, the index of byte after the Finished message and padding. |
wolfSSL | 15:117db924cf7c | 6165 | * totalSz The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 6166 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 6167 | */ |
wolfSSL | 15:117db924cf7c | 6168 | static int DoTls13KeyUpdate(WOLFSSL* ssl, const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 6169 | word32 totalSz) |
wolfSSL | 15:117db924cf7c | 6170 | { |
wolfSSL | 15:117db924cf7c | 6171 | int ret; |
wolfSSL | 15:117db924cf7c | 6172 | word32 i = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 6173 | |
wolfSSL | 15:117db924cf7c | 6174 | WOLFSSL_START(WC_FUNC_KEY_UPDATE_DO); |
wolfSSL | 15:117db924cf7c | 6175 | WOLFSSL_ENTER("DoTls13KeyUpdate"); |
wolfSSL | 15:117db924cf7c | 6176 | |
wolfSSL | 15:117db924cf7c | 6177 | /* check against totalSz */ |
wolfSSL | 15:117db924cf7c | 6178 | if (OPAQUE8_LEN != totalSz) |
wolfSSL | 15:117db924cf7c | 6179 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 6180 | |
wolfSSL | 15:117db924cf7c | 6181 | switch (input[i]) { |
wolfSSL | 15:117db924cf7c | 6182 | case update_not_requested: |
wolfSSL | 15:117db924cf7c | 6183 | /* This message in response to any oustanding request. */ |
wolfSSL | 15:117db924cf7c | 6184 | ssl->keys.keyUpdateRespond = 0; |
wolfSSL | 15:117db924cf7c | 6185 | ssl->keys.updateResponseReq = 0; |
wolfSSL | 15:117db924cf7c | 6186 | break; |
wolfSSL | 15:117db924cf7c | 6187 | case update_requested: |
wolfSSL | 15:117db924cf7c | 6188 | /* New key update requiring a response. */ |
wolfSSL | 15:117db924cf7c | 6189 | ssl->keys.keyUpdateRespond = 1; |
wolfSSL | 15:117db924cf7c | 6190 | break; |
wolfSSL | 15:117db924cf7c | 6191 | default: |
wolfSSL | 15:117db924cf7c | 6192 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 6193 | break; |
wolfSSL | 15:117db924cf7c | 6194 | } |
wolfSSL | 15:117db924cf7c | 6195 | |
wolfSSL | 15:117db924cf7c | 6196 | /* Move index to byte after message. */ |
wolfSSL | 15:117db924cf7c | 6197 | *inOutIdx += totalSz; |
wolfSSL | 15:117db924cf7c | 6198 | /* Always encrypted. */ |
wolfSSL | 15:117db924cf7c | 6199 | *inOutIdx += ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 6200 | |
wolfSSL | 15:117db924cf7c | 6201 | /* Future traffic uses new decryption keys. */ |
wolfSSL | 15:117db924cf7c | 6202 | if ((ret = DeriveTls13Keys(ssl, update_traffic_key, DECRYPT_SIDE_ONLY, 1)) |
wolfSSL | 15:117db924cf7c | 6203 | != 0) { |
wolfSSL | 15:117db924cf7c | 6204 | return ret; |
wolfSSL | 15:117db924cf7c | 6205 | } |
wolfSSL | 15:117db924cf7c | 6206 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 6207 | return ret; |
wolfSSL | 15:117db924cf7c | 6208 | |
wolfSSL | 15:117db924cf7c | 6209 | if (ssl->keys.keyUpdateRespond) |
wolfSSL | 15:117db924cf7c | 6210 | return SendTls13KeyUpdate(ssl); |
wolfSSL | 15:117db924cf7c | 6211 | |
wolfSSL | 15:117db924cf7c | 6212 | WOLFSSL_LEAVE("DoTls13KeyUpdate", ret); |
wolfSSL | 15:117db924cf7c | 6213 | WOLFSSL_END(WC_FUNC_KEY_UPDATE_DO); |
wolfSSL | 15:117db924cf7c | 6214 | |
wolfSSL | 15:117db924cf7c | 6215 | return 0; |
wolfSSL | 15:117db924cf7c | 6216 | } |
wolfSSL | 15:117db924cf7c | 6217 | |
wolfSSL | 15:117db924cf7c | 6218 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6219 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6220 | /* Send the TLS v1.3 EndOfEarlyData message to indicate that there will be no |
wolfSSL | 15:117db924cf7c | 6221 | * more early application data. |
wolfSSL | 15:117db924cf7c | 6222 | * The encryption key now changes to the pre-calculated handshake key. |
wolfSSL | 15:117db924cf7c | 6223 | * |
wolfSSL | 15:117db924cf7c | 6224 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6225 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 6226 | */ |
wolfSSL | 15:117db924cf7c | 6227 | static int SendTls13EndOfEarlyData(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 6228 | { |
wolfSSL | 15:117db924cf7c | 6229 | byte* output; |
wolfSSL | 15:117db924cf7c | 6230 | int ret; |
wolfSSL | 15:117db924cf7c | 6231 | int sendSz; |
wolfSSL | 15:117db924cf7c | 6232 | word32 length; |
wolfSSL | 15:117db924cf7c | 6233 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 6234 | |
wolfSSL | 15:117db924cf7c | 6235 | WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_SEND); |
wolfSSL | 15:117db924cf7c | 6236 | WOLFSSL_ENTER("SendTls13EndOfEarlyData"); |
wolfSSL | 15:117db924cf7c | 6237 | |
wolfSSL | 15:117db924cf7c | 6238 | length = 0; |
wolfSSL | 15:117db924cf7c | 6239 | sendSz = idx + length + MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 6240 | |
wolfSSL | 15:117db924cf7c | 6241 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 6242 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 6243 | return ret; |
wolfSSL | 15:117db924cf7c | 6244 | |
wolfSSL | 15:117db924cf7c | 6245 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 6246 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 6247 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 6248 | |
wolfSSL | 15:117db924cf7c | 6249 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 6250 | AddTls13Headers(output, length, end_of_early_data, ssl); |
wolfSSL | 15:117db924cf7c | 6251 | |
wolfSSL | 15:117db924cf7c | 6252 | /* This message is always encrypted. */ |
wolfSSL | 15:117db924cf7c | 6253 | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 6254 | idx - RECORD_HEADER_SZ, handshake, 1, 0, 0); |
wolfSSL | 15:117db924cf7c | 6255 | if (sendSz < 0) |
wolfSSL | 15:117db924cf7c | 6256 | return sendSz; |
wolfSSL | 15:117db924cf7c | 6257 | |
wolfSSL | 15:117db924cf7c | 6258 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 6259 | |
wolfSSL | 15:117db924cf7c | 6260 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 6261 | return ret; |
wolfSSL | 15:117db924cf7c | 6262 | |
wolfSSL | 15:117db924cf7c | 6263 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 6264 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 6265 | |
wolfSSL | 15:117db924cf7c | 6266 | WOLFSSL_LEAVE("SendTls13EndOfEarlyData", ret); |
wolfSSL | 15:117db924cf7c | 6267 | WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_SEND); |
wolfSSL | 15:117db924cf7c | 6268 | |
wolfSSL | 15:117db924cf7c | 6269 | return ret; |
wolfSSL | 15:117db924cf7c | 6270 | } |
wolfSSL | 15:117db924cf7c | 6271 | #endif /* !NO_WOLFSSL_CLIENT */ |
wolfSSL | 15:117db924cf7c | 6272 | |
wolfSSL | 15:117db924cf7c | 6273 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6274 | /* handle processing of TLS 1.3 end_of_early_data (5) */ |
wolfSSL | 15:117db924cf7c | 6275 | /* Parse the TLS v1.3 EndOfEarlyData message that indicates that there will be |
wolfSSL | 15:117db924cf7c | 6276 | * no more early application data. |
wolfSSL | 15:117db924cf7c | 6277 | * The decryption key now changes to the pre-calculated handshake key. |
wolfSSL | 15:117db924cf7c | 6278 | * |
wolfSSL | 15:117db924cf7c | 6279 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6280 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 6281 | */ |
wolfSSL | 15:117db924cf7c | 6282 | static int DoTls13EndOfEarlyData(WOLFSSL* ssl, const byte* input, |
wolfSSL | 15:117db924cf7c | 6283 | word32* inOutIdx, word32 size) |
wolfSSL | 15:117db924cf7c | 6284 | { |
wolfSSL | 15:117db924cf7c | 6285 | int ret; |
wolfSSL | 15:117db924cf7c | 6286 | word32 begin = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 6287 | |
wolfSSL | 15:117db924cf7c | 6288 | (void)input; |
wolfSSL | 15:117db924cf7c | 6289 | |
wolfSSL | 15:117db924cf7c | 6290 | WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_DO); |
wolfSSL | 15:117db924cf7c | 6291 | WOLFSSL_ENTER("DoTls13EndOfEarlyData"); |
wolfSSL | 15:117db924cf7c | 6292 | |
wolfSSL | 15:117db924cf7c | 6293 | if ((*inOutIdx - begin) != size) |
wolfSSL | 15:117db924cf7c | 6294 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6295 | |
wolfSSL | 15:117db924cf7c | 6296 | if (ssl->earlyData == no_early_data) { |
wolfSSL | 15:117db924cf7c | 6297 | WOLFSSL_MSG("EndOfEarlyData recieved unexpectedly"); |
wolfSSL | 15:117db924cf7c | 6298 | SendAlert(ssl, alert_fatal, unexpected_message); |
wolfSSL | 15:117db924cf7c | 6299 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6300 | } |
wolfSSL | 15:117db924cf7c | 6301 | |
wolfSSL | 15:117db924cf7c | 6302 | ssl->earlyData = done_early_data; |
wolfSSL | 15:117db924cf7c | 6303 | |
wolfSSL | 15:117db924cf7c | 6304 | /* Always encrypted. */ |
wolfSSL | 15:117db924cf7c | 6305 | *inOutIdx += ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 6306 | |
wolfSSL | 15:117db924cf7c | 6307 | ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY); |
wolfSSL | 15:117db924cf7c | 6308 | |
wolfSSL | 15:117db924cf7c | 6309 | WOLFSSL_LEAVE("DoTls13EndOfEarlyData", ret); |
wolfSSL | 15:117db924cf7c | 6310 | WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_DO); |
wolfSSL | 15:117db924cf7c | 6311 | |
wolfSSL | 15:117db924cf7c | 6312 | return ret; |
wolfSSL | 15:117db924cf7c | 6313 | } |
wolfSSL | 15:117db924cf7c | 6314 | #endif /* !NO_WOLFSSL_SERVER */ |
wolfSSL | 15:117db924cf7c | 6315 | #endif /* WOLFSSL_EARLY_DATA */ |
wolfSSL | 15:117db924cf7c | 6316 | |
wolfSSL | 15:117db924cf7c | 6317 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6318 | /* Handle a New Session Ticket handshake message. |
wolfSSL | 15:117db924cf7c | 6319 | * Message contains the information required to perform resumption. |
wolfSSL | 15:117db924cf7c | 6320 | * |
wolfSSL | 15:117db924cf7c | 6321 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6322 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 6323 | * inOutIdx On entry, the index into the message buffer of Finished. |
wolfSSL | 15:117db924cf7c | 6324 | * On exit, the index of byte after the Finished message and padding. |
wolfSSL | 15:117db924cf7c | 6325 | * size The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 6326 | * retuns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 6327 | */ |
wolfSSL | 15:117db924cf7c | 6328 | static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input, |
wolfSSL | 15:117db924cf7c | 6329 | word32* inOutIdx, word32 size) |
wolfSSL | 15:117db924cf7c | 6330 | { |
wolfSSL | 15:117db924cf7c | 6331 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 6332 | int ret; |
wolfSSL | 15:117db924cf7c | 6333 | word32 begin = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 6334 | word32 lifetime; |
wolfSSL | 15:117db924cf7c | 6335 | word32 ageAdd; |
wolfSSL | 15:117db924cf7c | 6336 | word16 length; |
wolfSSL | 15:117db924cf7c | 6337 | word32 now; |
wolfSSL | 15:117db924cf7c | 6338 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 6339 | const byte* nonce; |
wolfSSL | 15:117db924cf7c | 6340 | byte nonceLength; |
wolfSSL | 15:117db924cf7c | 6341 | #endif |
wolfSSL | 15:117db924cf7c | 6342 | |
wolfSSL | 15:117db924cf7c | 6343 | WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_DO); |
wolfSSL | 15:117db924cf7c | 6344 | WOLFSSL_ENTER("DoTls13NewSessionTicket"); |
wolfSSL | 15:117db924cf7c | 6345 | |
wolfSSL | 15:117db924cf7c | 6346 | /* Lifetime hint. */ |
wolfSSL | 15:117db924cf7c | 6347 | if ((*inOutIdx - begin) + SESSION_HINT_SZ > size) |
wolfSSL | 15:117db924cf7c | 6348 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6349 | ato32(input + *inOutIdx, &lifetime); |
wolfSSL | 15:117db924cf7c | 6350 | *inOutIdx += SESSION_HINT_SZ; |
wolfSSL | 15:117db924cf7c | 6351 | if (lifetime > MAX_LIFETIME) |
wolfSSL | 15:117db924cf7c | 6352 | return SERVER_HINT_ERROR; |
wolfSSL | 15:117db924cf7c | 6353 | |
wolfSSL | 15:117db924cf7c | 6354 | /* Age add. */ |
wolfSSL | 15:117db924cf7c | 6355 | if ((*inOutIdx - begin) + SESSION_ADD_SZ > size) |
wolfSSL | 15:117db924cf7c | 6356 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6357 | ato32(input + *inOutIdx, &ageAdd); |
wolfSSL | 15:117db924cf7c | 6358 | *inOutIdx += SESSION_ADD_SZ; |
wolfSSL | 15:117db924cf7c | 6359 | |
wolfSSL | 15:117db924cf7c | 6360 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 6361 | /* Ticket nonce. */ |
wolfSSL | 15:117db924cf7c | 6362 | if ((*inOutIdx - begin) + 1 > size) |
wolfSSL | 15:117db924cf7c | 6363 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6364 | nonceLength = input[*inOutIdx]; |
wolfSSL | 15:117db924cf7c | 6365 | if (nonceLength > MAX_TICKET_NONCE_SZ) { |
wolfSSL | 15:117db924cf7c | 6366 | WOLFSSL_MSG("Nonce length not supported"); |
wolfSSL | 15:117db924cf7c | 6367 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 6368 | } |
wolfSSL | 15:117db924cf7c | 6369 | *inOutIdx += 1; |
wolfSSL | 15:117db924cf7c | 6370 | if ((*inOutIdx - begin) + nonceLength > size) |
wolfSSL | 15:117db924cf7c | 6371 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6372 | nonce = input + *inOutIdx; |
wolfSSL | 15:117db924cf7c | 6373 | *inOutIdx += nonceLength; |
wolfSSL | 15:117db924cf7c | 6374 | #endif |
wolfSSL | 15:117db924cf7c | 6375 | |
wolfSSL | 15:117db924cf7c | 6376 | /* Ticket length. */ |
wolfSSL | 15:117db924cf7c | 6377 | if ((*inOutIdx - begin) + LENGTH_SZ > size) |
wolfSSL | 15:117db924cf7c | 6378 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6379 | ato16(input + *inOutIdx, &length); |
wolfSSL | 15:117db924cf7c | 6380 | *inOutIdx += LENGTH_SZ; |
wolfSSL | 15:117db924cf7c | 6381 | if ((*inOutIdx - begin) + length > size) |
wolfSSL | 15:117db924cf7c | 6382 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6383 | |
wolfSSL | 15:117db924cf7c | 6384 | if ((ret = SetTicket(ssl, input + *inOutIdx, length)) != 0) |
wolfSSL | 15:117db924cf7c | 6385 | return ret; |
wolfSSL | 15:117db924cf7c | 6386 | *inOutIdx += length; |
wolfSSL | 15:117db924cf7c | 6387 | |
wolfSSL | 15:117db924cf7c | 6388 | now = TimeNowInMilliseconds(); |
wolfSSL | 15:117db924cf7c | 6389 | if (now == (word32)GETTIME_ERROR) |
wolfSSL | 15:117db924cf7c | 6390 | return now; |
wolfSSL | 15:117db924cf7c | 6391 | /* Copy in ticket data (server identity). */ |
wolfSSL | 15:117db924cf7c | 6392 | ssl->timeout = lifetime; |
wolfSSL | 15:117db924cf7c | 6393 | ssl->session.timeout = lifetime; |
wolfSSL | 15:117db924cf7c | 6394 | ssl->session.cipherSuite0 = ssl->options.cipherSuite0; |
wolfSSL | 15:117db924cf7c | 6395 | ssl->session.cipherSuite = ssl->options.cipherSuite; |
wolfSSL | 15:117db924cf7c | 6396 | ssl->session.ticketSeen = now; |
wolfSSL | 15:117db924cf7c | 6397 | ssl->session.ticketAdd = ageAdd; |
wolfSSL | 15:117db924cf7c | 6398 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6399 | ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz; |
wolfSSL | 15:117db924cf7c | 6400 | #endif |
wolfSSL | 15:117db924cf7c | 6401 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 6402 | ssl->session.ticketNonce.len = nonceLength; |
wolfSSL | 15:117db924cf7c | 6403 | if (nonceLength > 0) |
wolfSSL | 15:117db924cf7c | 6404 | XMEMCPY(&ssl->session.ticketNonce.data, nonce, nonceLength); |
wolfSSL | 15:117db924cf7c | 6405 | #endif |
wolfSSL | 15:117db924cf7c | 6406 | ssl->session.namedGroup = ssl->namedGroup; |
wolfSSL | 15:117db924cf7c | 6407 | |
wolfSSL | 15:117db924cf7c | 6408 | if ((*inOutIdx - begin) + EXTS_SZ > size) |
wolfSSL | 15:117db924cf7c | 6409 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6410 | ato16(input + *inOutIdx, &length); |
wolfSSL | 15:117db924cf7c | 6411 | *inOutIdx += EXTS_SZ; |
wolfSSL | 15:117db924cf7c | 6412 | if ((*inOutIdx - begin) + length != size) |
wolfSSL | 15:117db924cf7c | 6413 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6414 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6415 | ret = TLSX_Parse(ssl, (byte *)input + (*inOutIdx), length, session_ticket, |
wolfSSL | 15:117db924cf7c | 6416 | NULL); |
wolfSSL | 15:117db924cf7c | 6417 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6418 | return ret; |
wolfSSL | 15:117db924cf7c | 6419 | #endif |
wolfSSL | 15:117db924cf7c | 6420 | *inOutIdx += length; |
wolfSSL | 15:117db924cf7c | 6421 | |
wolfSSL | 15:117db924cf7c | 6422 | #ifndef NO_SESSION_CACHE |
wolfSSL | 15:117db924cf7c | 6423 | AddSession(ssl); |
wolfSSL | 15:117db924cf7c | 6424 | #endif |
wolfSSL | 15:117db924cf7c | 6425 | |
wolfSSL | 15:117db924cf7c | 6426 | /* Always encrypted. */ |
wolfSSL | 15:117db924cf7c | 6427 | *inOutIdx += ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 6428 | |
wolfSSL | 15:117db924cf7c | 6429 | ssl->expect_session_ticket = 0; |
wolfSSL | 15:117db924cf7c | 6430 | #else |
wolfSSL | 15:117db924cf7c | 6431 | (void)ssl; |
wolfSSL | 15:117db924cf7c | 6432 | (void)input; |
wolfSSL | 15:117db924cf7c | 6433 | |
wolfSSL | 15:117db924cf7c | 6434 | WOLFSSL_ENTER("DoTls13NewSessionTicket"); |
wolfSSL | 15:117db924cf7c | 6435 | |
wolfSSL | 15:117db924cf7c | 6436 | *inOutIdx += size + ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 6437 | #endif /* HAVE_SESSION_TICKET */ |
wolfSSL | 15:117db924cf7c | 6438 | |
wolfSSL | 15:117db924cf7c | 6439 | WOLFSSL_LEAVE("DoTls13NewSessionTicket", 0); |
wolfSSL | 15:117db924cf7c | 6440 | WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_DO); |
wolfSSL | 15:117db924cf7c | 6441 | |
wolfSSL | 15:117db924cf7c | 6442 | return 0; |
wolfSSL | 15:117db924cf7c | 6443 | } |
wolfSSL | 15:117db924cf7c | 6444 | #endif /* NO_WOLFSSL_CLIENT */ |
wolfSSL | 15:117db924cf7c | 6445 | |
wolfSSL | 15:117db924cf7c | 6446 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6447 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 6448 | |
wolfSSL | 15:117db924cf7c | 6449 | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED |
wolfSSL | 15:117db924cf7c | 6450 | /* Offset of the MAC size in the finished message. */ |
wolfSSL | 15:117db924cf7c | 6451 | #define FINISHED_MSG_SIZE_OFFSET 3 |
wolfSSL | 15:117db924cf7c | 6452 | |
wolfSSL | 15:117db924cf7c | 6453 | /* Calculate the resumption secret which includes the unseen client finished |
wolfSSL | 15:117db924cf7c | 6454 | * message. |
wolfSSL | 15:117db924cf7c | 6455 | * |
wolfSSL | 15:117db924cf7c | 6456 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6457 | * retuns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 6458 | */ |
wolfSSL | 15:117db924cf7c | 6459 | static int ExpectedResumptionSecret(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 6460 | { |
wolfSSL | 15:117db924cf7c | 6461 | int ret; |
wolfSSL | 15:117db924cf7c | 6462 | word32 finishedSz = 0; |
wolfSSL | 15:117db924cf7c | 6463 | byte mac[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 6464 | Digest digest; |
wolfSSL | 15:117db924cf7c | 6465 | static byte header[] = { 0x14, 0x00, 0x00, 0x00 }; |
wolfSSL | 15:117db924cf7c | 6466 | |
wolfSSL | 15:117db924cf7c | 6467 | /* Copy the running hash so we cna restore it after. */ |
wolfSSL | 15:117db924cf7c | 6468 | switch (ssl->specs.mac_algorithm) { |
wolfSSL | 15:117db924cf7c | 6469 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 6470 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 6471 | ret = wc_Sha256Copy(&ssl->hsHashes->hashSha256, &digest.sha256); |
wolfSSL | 15:117db924cf7c | 6472 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6473 | return ret; |
wolfSSL | 15:117db924cf7c | 6474 | break; |
wolfSSL | 15:117db924cf7c | 6475 | #endif |
wolfSSL | 15:117db924cf7c | 6476 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 6477 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 6478 | ret = wc_Sha384Copy(&ssl->hsHashes->hashSha384, &digest.sha384); |
wolfSSL | 15:117db924cf7c | 6479 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6480 | return ret; |
wolfSSL | 15:117db924cf7c | 6481 | break; |
wolfSSL | 15:117db924cf7c | 6482 | #endif |
wolfSSL | 15:117db924cf7c | 6483 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 6484 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 6485 | ret = wc_Sha512Copy(&ssl->hsHashes->hashSha512, &digest.sha512); |
wolfSSL | 15:117db924cf7c | 6486 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6487 | return ret; |
wolfSSL | 15:117db924cf7c | 6488 | break; |
wolfSSL | 15:117db924cf7c | 6489 | #endif |
wolfSSL | 15:117db924cf7c | 6490 | } |
wolfSSL | 15:117db924cf7c | 6491 | |
wolfSSL | 15:117db924cf7c | 6492 | /* Generate the Client's Finished message and hash it. */ |
wolfSSL | 15:117db924cf7c | 6493 | ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, mac, |
wolfSSL | 15:117db924cf7c | 6494 | &finishedSz); |
wolfSSL | 15:117db924cf7c | 6495 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6496 | return ret; |
wolfSSL | 15:117db924cf7c | 6497 | header[FINISHED_MSG_SIZE_OFFSET] = finishedSz; |
wolfSSL | 15:117db924cf7c | 6498 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6499 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 6500 | static byte endOfEarlyData[] = { 0x05, 0x00, 0x00, 0x00 }; |
wolfSSL | 15:117db924cf7c | 6501 | ret = HashInputRaw(ssl, endOfEarlyData, sizeof(endOfEarlyData)); |
wolfSSL | 15:117db924cf7c | 6502 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6503 | return ret; |
wolfSSL | 15:117db924cf7c | 6504 | } |
wolfSSL | 15:117db924cf7c | 6505 | #endif |
wolfSSL | 15:117db924cf7c | 6506 | if ((ret = HashInputRaw(ssl, header, sizeof(header))) != 0) |
wolfSSL | 15:117db924cf7c | 6507 | return ret; |
wolfSSL | 15:117db924cf7c | 6508 | if ((ret = HashInputRaw(ssl, mac, finishedSz)) != 0) |
wolfSSL | 15:117db924cf7c | 6509 | return ret; |
wolfSSL | 15:117db924cf7c | 6510 | |
wolfSSL | 15:117db924cf7c | 6511 | if ((ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret)) != 0) |
wolfSSL | 15:117db924cf7c | 6512 | return ret; |
wolfSSL | 15:117db924cf7c | 6513 | |
wolfSSL | 15:117db924cf7c | 6514 | /* Restore the hash inline with currently seen messages. */ |
wolfSSL | 15:117db924cf7c | 6515 | switch (ssl->specs.mac_algorithm) { |
wolfSSL | 15:117db924cf7c | 6516 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 6517 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 6518 | ret = wc_Sha256Copy(&digest.sha256, &ssl->hsHashes->hashSha256); |
wolfSSL | 15:117db924cf7c | 6519 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6520 | return ret; |
wolfSSL | 15:117db924cf7c | 6521 | break; |
wolfSSL | 15:117db924cf7c | 6522 | #endif |
wolfSSL | 15:117db924cf7c | 6523 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 6524 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 6525 | ret = wc_Sha384Copy(&digest.sha384, &ssl->hsHashes->hashSha384); |
wolfSSL | 15:117db924cf7c | 6526 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6527 | return ret; |
wolfSSL | 15:117db924cf7c | 6528 | break; |
wolfSSL | 15:117db924cf7c | 6529 | #endif |
wolfSSL | 15:117db924cf7c | 6530 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 6531 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 6532 | ret = wc_Sha512Copy(&digest.sha512, &ssl->hsHashes->hashSha384); |
wolfSSL | 15:117db924cf7c | 6533 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6534 | return ret; |
wolfSSL | 15:117db924cf7c | 6535 | break; |
wolfSSL | 15:117db924cf7c | 6536 | #endif |
wolfSSL | 15:117db924cf7c | 6537 | } |
wolfSSL | 15:117db924cf7c | 6538 | |
wolfSSL | 15:117db924cf7c | 6539 | return ret; |
wolfSSL | 15:117db924cf7c | 6540 | } |
wolfSSL | 15:117db924cf7c | 6541 | #endif |
wolfSSL | 15:117db924cf7c | 6542 | |
wolfSSL | 15:117db924cf7c | 6543 | /* Send New Session Ticket handshake message. |
wolfSSL | 15:117db924cf7c | 6544 | * Message contains the information required to perform resumption. |
wolfSSL | 15:117db924cf7c | 6545 | * |
wolfSSL | 15:117db924cf7c | 6546 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6547 | * retuns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 6548 | */ |
wolfSSL | 15:117db924cf7c | 6549 | static int SendTls13NewSessionTicket(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 6550 | { |
wolfSSL | 15:117db924cf7c | 6551 | byte* output; |
wolfSSL | 15:117db924cf7c | 6552 | int ret; |
wolfSSL | 15:117db924cf7c | 6553 | int sendSz; |
wolfSSL | 15:117db924cf7c | 6554 | word16 extSz; |
wolfSSL | 15:117db924cf7c | 6555 | word32 length; |
wolfSSL | 15:117db924cf7c | 6556 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 6557 | |
wolfSSL | 15:117db924cf7c | 6558 | WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_SEND); |
wolfSSL | 15:117db924cf7c | 6559 | WOLFSSL_ENTER("SendTls13NewSessionTicket"); |
wolfSSL | 15:117db924cf7c | 6560 | |
wolfSSL | 15:117db924cf7c | 6561 | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED |
wolfSSL | 15:117db924cf7c | 6562 | if (!ssl->msgsReceived.got_finished) { |
wolfSSL | 15:117db924cf7c | 6563 | if ((ret = ExpectedResumptionSecret(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 6564 | return ret; |
wolfSSL | 15:117db924cf7c | 6565 | } |
wolfSSL | 15:117db924cf7c | 6566 | #endif |
wolfSSL | 15:117db924cf7c | 6567 | |
wolfSSL | 15:117db924cf7c | 6568 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 6569 | /* Start ticket nonce at 0 and go up to 255. */ |
wolfSSL | 15:117db924cf7c | 6570 | if (ssl->session.ticketNonce.len == 0) { |
wolfSSL | 15:117db924cf7c | 6571 | ssl->session.ticketNonce.len = DEF_TICKET_NONCE_SZ; |
wolfSSL | 15:117db924cf7c | 6572 | ssl->session.ticketNonce.data[0] = 0; |
wolfSSL | 15:117db924cf7c | 6573 | } |
wolfSSL | 15:117db924cf7c | 6574 | else |
wolfSSL | 15:117db924cf7c | 6575 | ssl->session.ticketNonce.data[0]++; |
wolfSSL | 15:117db924cf7c | 6576 | #endif |
wolfSSL | 15:117db924cf7c | 6577 | |
wolfSSL | 15:117db924cf7c | 6578 | if (!ssl->options.noTicketTls13) { |
wolfSSL | 15:117db924cf7c | 6579 | if ((ret = CreateTicket(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 6580 | return ret; |
wolfSSL | 15:117db924cf7c | 6581 | } |
wolfSSL | 15:117db924cf7c | 6582 | |
wolfSSL | 15:117db924cf7c | 6583 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6584 | ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz; |
wolfSSL | 15:117db924cf7c | 6585 | if (ssl->session.maxEarlyDataSz > 0) |
wolfSSL | 15:117db924cf7c | 6586 | TLSX_EarlyData_Use(ssl, ssl->session.maxEarlyDataSz); |
wolfSSL | 15:117db924cf7c | 6587 | extSz = 0; |
wolfSSL | 15:117db924cf7c | 6588 | ret = TLSX_GetResponseSize(ssl, session_ticket, &extSz); |
wolfSSL | 15:117db924cf7c | 6589 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6590 | return ret; |
wolfSSL | 15:117db924cf7c | 6591 | #else |
wolfSSL | 15:117db924cf7c | 6592 | extSz = EXTS_SZ; |
wolfSSL | 15:117db924cf7c | 6593 | #endif |
wolfSSL | 15:117db924cf7c | 6594 | |
wolfSSL | 15:117db924cf7c | 6595 | /* Lifetime | Age Add | Ticket | Extensions */ |
wolfSSL | 15:117db924cf7c | 6596 | length = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ + |
wolfSSL | 15:117db924cf7c | 6597 | ssl->session.ticketLen + extSz; |
wolfSSL | 15:117db924cf7c | 6598 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 6599 | /* Nonce */ |
wolfSSL | 15:117db924cf7c | 6600 | length += TICKET_NONCE_LEN_SZ + DEF_TICKET_NONCE_SZ; |
wolfSSL | 15:117db924cf7c | 6601 | #endif |
wolfSSL | 15:117db924cf7c | 6602 | sendSz = idx + length + MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 6603 | |
wolfSSL | 15:117db924cf7c | 6604 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 6605 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 6606 | return ret; |
wolfSSL | 15:117db924cf7c | 6607 | |
wolfSSL | 15:117db924cf7c | 6608 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 6609 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 6610 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 6611 | |
wolfSSL | 15:117db924cf7c | 6612 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 6613 | AddTls13Headers(output, length, session_ticket, ssl); |
wolfSSL | 15:117db924cf7c | 6614 | |
wolfSSL | 15:117db924cf7c | 6615 | /* Lifetime hint */ |
wolfSSL | 15:117db924cf7c | 6616 | c32toa(ssl->ctx->ticketHint, output + idx); |
wolfSSL | 15:117db924cf7c | 6617 | idx += SESSION_HINT_SZ; |
wolfSSL | 15:117db924cf7c | 6618 | /* Age add - obfuscator */ |
wolfSSL | 15:117db924cf7c | 6619 | c32toa(ssl->session.ticketAdd, output + idx); |
wolfSSL | 15:117db924cf7c | 6620 | idx += SESSION_ADD_SZ; |
wolfSSL | 15:117db924cf7c | 6621 | |
wolfSSL | 15:117db924cf7c | 6622 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 6623 | output[idx++] = ssl->session.ticketNonce.len; |
wolfSSL | 15:117db924cf7c | 6624 | output[idx++] = ssl->session.ticketNonce.data[0]; |
wolfSSL | 15:117db924cf7c | 6625 | #endif |
wolfSSL | 15:117db924cf7c | 6626 | |
wolfSSL | 15:117db924cf7c | 6627 | /* length */ |
wolfSSL | 15:117db924cf7c | 6628 | c16toa(ssl->session.ticketLen, output + idx); |
wolfSSL | 15:117db924cf7c | 6629 | idx += LENGTH_SZ; |
wolfSSL | 15:117db924cf7c | 6630 | /* ticket */ |
wolfSSL | 15:117db924cf7c | 6631 | XMEMCPY(output + idx, ssl->session.ticket, ssl->session.ticketLen); |
wolfSSL | 15:117db924cf7c | 6632 | idx += ssl->session.ticketLen; |
wolfSSL | 15:117db924cf7c | 6633 | |
wolfSSL | 15:117db924cf7c | 6634 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6635 | extSz = 0; |
wolfSSL | 15:117db924cf7c | 6636 | ret = TLSX_WriteResponse(ssl, output + idx, session_ticket, &extSz); |
wolfSSL | 15:117db924cf7c | 6637 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6638 | return ret; |
wolfSSL | 15:117db924cf7c | 6639 | idx += extSz; |
wolfSSL | 15:117db924cf7c | 6640 | #else |
wolfSSL | 15:117db924cf7c | 6641 | /* No extension support - empty extensions. */ |
wolfSSL | 15:117db924cf7c | 6642 | c16toa(0, output + idx); |
wolfSSL | 15:117db924cf7c | 6643 | idx += EXTS_SZ; |
wolfSSL | 15:117db924cf7c | 6644 | #endif |
wolfSSL | 15:117db924cf7c | 6645 | |
wolfSSL | 15:117db924cf7c | 6646 | ssl->options.haveSessionId = 1; |
wolfSSL | 15:117db924cf7c | 6647 | |
wolfSSL | 15:117db924cf7c | 6648 | #ifndef NO_SESSION_CACHE |
wolfSSL | 15:117db924cf7c | 6649 | AddSession(ssl); |
wolfSSL | 15:117db924cf7c | 6650 | #endif |
wolfSSL | 15:117db924cf7c | 6651 | |
wolfSSL | 15:117db924cf7c | 6652 | /* This message is always encrypted. */ |
wolfSSL | 15:117db924cf7c | 6653 | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 6654 | idx - RECORD_HEADER_SZ, handshake, 0, 0, 0); |
wolfSSL | 15:117db924cf7c | 6655 | if (sendSz < 0) |
wolfSSL | 15:117db924cf7c | 6656 | return sendSz; |
wolfSSL | 15:117db924cf7c | 6657 | |
wolfSSL | 15:117db924cf7c | 6658 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 6659 | |
wolfSSL | 15:117db924cf7c | 6660 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 6661 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 6662 | |
wolfSSL | 15:117db924cf7c | 6663 | WOLFSSL_LEAVE("SendTls13NewSessionTicket", 0); |
wolfSSL | 15:117db924cf7c | 6664 | WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_SEND); |
wolfSSL | 15:117db924cf7c | 6665 | |
wolfSSL | 15:117db924cf7c | 6666 | return ret; |
wolfSSL | 15:117db924cf7c | 6667 | } |
wolfSSL | 15:117db924cf7c | 6668 | #endif /* HAVE_SESSION_TICKET */ |
wolfSSL | 15:117db924cf7c | 6669 | #endif /* NO_WOLFSSL_SERVER */ |
wolfSSL | 15:117db924cf7c | 6670 | |
wolfSSL | 15:117db924cf7c | 6671 | /* Make sure no duplicates, no fast forward, or other problems |
wolfSSL | 15:117db924cf7c | 6672 | * |
wolfSSL | 15:117db924cf7c | 6673 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6674 | * type Type of handshake message received. |
wolfSSL | 15:117db924cf7c | 6675 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 6676 | */ |
wolfSSL | 15:117db924cf7c | 6677 | static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type) |
wolfSSL | 15:117db924cf7c | 6678 | { |
wolfSSL | 15:117db924cf7c | 6679 | /* verify not a duplicate, mark received, check state */ |
wolfSSL | 15:117db924cf7c | 6680 | switch (type) { |
wolfSSL | 15:117db924cf7c | 6681 | |
wolfSSL | 15:117db924cf7c | 6682 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6683 | case client_hello: |
wolfSSL | 15:117db924cf7c | 6684 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6685 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 6686 | WOLFSSL_MSG("ClientHello received by client"); |
wolfSSL | 15:117db924cf7c | 6687 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6688 | } |
wolfSSL | 15:117db924cf7c | 6689 | #endif |
wolfSSL | 15:117db924cf7c | 6690 | if (ssl->options.clientState >= CLIENT_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6691 | WOLFSSL_MSG("ClientHello received out of order"); |
wolfSSL | 15:117db924cf7c | 6692 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6693 | } |
wolfSSL | 15:117db924cf7c | 6694 | if (ssl->msgsReceived.got_client_hello == 2) { |
wolfSSL | 15:117db924cf7c | 6695 | WOLFSSL_MSG("Too many ClientHello received"); |
wolfSSL | 15:117db924cf7c | 6696 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 6697 | } |
wolfSSL | 15:117db924cf7c | 6698 | ssl->msgsReceived.got_client_hello++; |
wolfSSL | 15:117db924cf7c | 6699 | |
wolfSSL | 15:117db924cf7c | 6700 | break; |
wolfSSL | 15:117db924cf7c | 6701 | #endif |
wolfSSL | 15:117db924cf7c | 6702 | |
wolfSSL | 15:117db924cf7c | 6703 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6704 | case server_hello: |
wolfSSL | 15:117db924cf7c | 6705 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6706 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 6707 | WOLFSSL_MSG("ServerHello received by server"); |
wolfSSL | 15:117db924cf7c | 6708 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6709 | } |
wolfSSL | 15:117db924cf7c | 6710 | #endif |
wolfSSL | 15:117db924cf7c | 6711 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 6712 | if (ssl->msgsReceived.got_server_hello) { |
wolfSSL | 15:117db924cf7c | 6713 | WOLFSSL_MSG("Duplicate ServerHello received"); |
wolfSSL | 15:117db924cf7c | 6714 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 6715 | } |
wolfSSL | 15:117db924cf7c | 6716 | ssl->msgsReceived.got_server_hello = 1; |
wolfSSL | 15:117db924cf7c | 6717 | #else |
wolfSSL | 15:117db924cf7c | 6718 | if (ssl->msgsReceived.got_server_hello == 2) { |
wolfSSL | 15:117db924cf7c | 6719 | WOLFSSL_MSG("Duplicate ServerHello received"); |
wolfSSL | 15:117db924cf7c | 6720 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 6721 | } |
wolfSSL | 15:117db924cf7c | 6722 | ssl->msgsReceived.got_server_hello++; |
wolfSSL | 15:117db924cf7c | 6723 | #endif |
wolfSSL | 15:117db924cf7c | 6724 | |
wolfSSL | 15:117db924cf7c | 6725 | break; |
wolfSSL | 15:117db924cf7c | 6726 | #endif |
wolfSSL | 15:117db924cf7c | 6727 | |
wolfSSL | 15:117db924cf7c | 6728 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6729 | case session_ticket: |
wolfSSL | 15:117db924cf7c | 6730 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6731 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 6732 | WOLFSSL_MSG("NewSessionTicket received by server"); |
wolfSSL | 15:117db924cf7c | 6733 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6734 | } |
wolfSSL | 15:117db924cf7c | 6735 | #endif |
wolfSSL | 15:117db924cf7c | 6736 | if (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6737 | WOLFSSL_MSG("NewSessionTicket received out of order"); |
wolfSSL | 15:117db924cf7c | 6738 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6739 | } |
wolfSSL | 15:117db924cf7c | 6740 | ssl->msgsReceived.got_session_ticket = 1; |
wolfSSL | 15:117db924cf7c | 6741 | |
wolfSSL | 15:117db924cf7c | 6742 | break; |
wolfSSL | 15:117db924cf7c | 6743 | #endif |
wolfSSL | 15:117db924cf7c | 6744 | |
wolfSSL | 15:117db924cf7c | 6745 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6746 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6747 | case end_of_early_data: |
wolfSSL | 15:117db924cf7c | 6748 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6749 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 6750 | WOLFSSL_MSG("EndOfEarlyData received by client"); |
wolfSSL | 15:117db924cf7c | 6751 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6752 | } |
wolfSSL | 15:117db924cf7c | 6753 | #endif |
wolfSSL | 15:117db924cf7c | 6754 | if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6755 | WOLFSSL_MSG("EndOfEarlyData received out of order"); |
wolfSSL | 15:117db924cf7c | 6756 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6757 | } |
wolfSSL | 15:117db924cf7c | 6758 | if (ssl->options.clientState >= CLIENT_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6759 | WOLFSSL_MSG("EndOfEarlyData received out of order"); |
wolfSSL | 15:117db924cf7c | 6760 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6761 | } |
wolfSSL | 15:117db924cf7c | 6762 | if (ssl->msgsReceived.got_end_of_early_data == 1) { |
wolfSSL | 15:117db924cf7c | 6763 | WOLFSSL_MSG("Too many EndOfEarlyData received"); |
wolfSSL | 15:117db924cf7c | 6764 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 6765 | } |
wolfSSL | 15:117db924cf7c | 6766 | ssl->msgsReceived.got_end_of_early_data++; |
wolfSSL | 15:117db924cf7c | 6767 | |
wolfSSL | 15:117db924cf7c | 6768 | break; |
wolfSSL | 15:117db924cf7c | 6769 | #endif |
wolfSSL | 15:117db924cf7c | 6770 | #endif |
wolfSSL | 15:117db924cf7c | 6771 | |
wolfSSL | 15:117db924cf7c | 6772 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 6773 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6774 | case hello_retry_request: |
wolfSSL | 15:117db924cf7c | 6775 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6776 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 6777 | WOLFSSL_MSG("HelloRetryRequest received by server"); |
wolfSSL | 15:117db924cf7c | 6778 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6779 | } |
wolfSSL | 15:117db924cf7c | 6780 | #endif |
wolfSSL | 15:117db924cf7c | 6781 | if (ssl->options.clientState > CLIENT_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6782 | WOLFSSL_MSG("HelloRetryRequest received out of order"); |
wolfSSL | 15:117db924cf7c | 6783 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6784 | } |
wolfSSL | 15:117db924cf7c | 6785 | if (ssl->msgsReceived.got_hello_retry_request) { |
wolfSSL | 15:117db924cf7c | 6786 | WOLFSSL_MSG("Duplicate HelloRetryRequest received"); |
wolfSSL | 15:117db924cf7c | 6787 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 6788 | } |
wolfSSL | 15:117db924cf7c | 6789 | ssl->msgsReceived.got_hello_retry_request = 1; |
wolfSSL | 15:117db924cf7c | 6790 | |
wolfSSL | 15:117db924cf7c | 6791 | break; |
wolfSSL | 15:117db924cf7c | 6792 | #endif |
wolfSSL | 15:117db924cf7c | 6793 | #endif |
wolfSSL | 15:117db924cf7c | 6794 | |
wolfSSL | 15:117db924cf7c | 6795 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6796 | case encrypted_extensions: |
wolfSSL | 15:117db924cf7c | 6797 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6798 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 6799 | WOLFSSL_MSG("EncryptedExtensions received by server"); |
wolfSSL | 15:117db924cf7c | 6800 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6801 | } |
wolfSSL | 15:117db924cf7c | 6802 | #endif |
wolfSSL | 15:117db924cf7c | 6803 | if (ssl->options.serverState != SERVER_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6804 | WOLFSSL_MSG("EncryptedExtensions received out of order"); |
wolfSSL | 15:117db924cf7c | 6805 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6806 | } |
wolfSSL | 15:117db924cf7c | 6807 | if (ssl->msgsReceived.got_encrypted_extensions) { |
wolfSSL | 15:117db924cf7c | 6808 | WOLFSSL_MSG("Duplicate EncryptedExtensions received"); |
wolfSSL | 15:117db924cf7c | 6809 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 6810 | } |
wolfSSL | 15:117db924cf7c | 6811 | ssl->msgsReceived.got_encrypted_extensions = 1; |
wolfSSL | 15:117db924cf7c | 6812 | |
wolfSSL | 15:117db924cf7c | 6813 | break; |
wolfSSL | 15:117db924cf7c | 6814 | #endif |
wolfSSL | 15:117db924cf7c | 6815 | |
wolfSSL | 15:117db924cf7c | 6816 | case certificate: |
wolfSSL | 15:117db924cf7c | 6817 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6818 | if (ssl->options.side == WOLFSSL_CLIENT_END && |
wolfSSL | 15:117db924cf7c | 6819 | ssl->options.serverState != |
wolfSSL | 15:117db924cf7c | 6820 | SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6821 | WOLFSSL_MSG("Certificate received out of order - Client"); |
wolfSSL | 15:117db924cf7c | 6822 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6823 | } |
wolfSSL | 15:117db924cf7c | 6824 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 6825 | /* Server's authenticating with PSK must not send this. */ |
wolfSSL | 15:117db924cf7c | 6826 | if (ssl->options.side == WOLFSSL_CLIENT_END && |
wolfSSL | 15:117db924cf7c | 6827 | ssl->options.serverState == SERVER_CERT_COMPLETE && |
wolfSSL | 15:117db924cf7c | 6828 | ssl->arrays->psk_keySz != 0) { |
wolfSSL | 15:117db924cf7c | 6829 | WOLFSSL_MSG("Certificate received while using PSK"); |
wolfSSL | 15:117db924cf7c | 6830 | return SANITY_MSG_E; |
wolfSSL | 15:117db924cf7c | 6831 | } |
wolfSSL | 15:117db924cf7c | 6832 | #endif |
wolfSSL | 15:117db924cf7c | 6833 | #endif |
wolfSSL | 15:117db924cf7c | 6834 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6835 | if (ssl->options.side == WOLFSSL_SERVER_END && |
wolfSSL | 15:117db924cf7c | 6836 | ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6837 | WOLFSSL_MSG("Certificate received out of order - Server"); |
wolfSSL | 15:117db924cf7c | 6838 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6839 | } |
wolfSSL | 15:117db924cf7c | 6840 | #endif |
wolfSSL | 15:117db924cf7c | 6841 | if (ssl->msgsReceived.got_certificate) { |
wolfSSL | 15:117db924cf7c | 6842 | WOLFSSL_MSG("Duplicate Certificate received"); |
wolfSSL | 15:117db924cf7c | 6843 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 6844 | } |
wolfSSL | 15:117db924cf7c | 6845 | ssl->msgsReceived.got_certificate = 1; |
wolfSSL | 15:117db924cf7c | 6846 | |
wolfSSL | 15:117db924cf7c | 6847 | break; |
wolfSSL | 15:117db924cf7c | 6848 | |
wolfSSL | 15:117db924cf7c | 6849 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6850 | case certificate_request: |
wolfSSL | 15:117db924cf7c | 6851 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6852 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 6853 | WOLFSSL_MSG("CertificateRequest received by server"); |
wolfSSL | 15:117db924cf7c | 6854 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6855 | } |
wolfSSL | 15:117db924cf7c | 6856 | #endif |
wolfSSL | 15:117db924cf7c | 6857 | #ifndef WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 6858 | if (ssl->options.serverState != |
wolfSSL | 15:117db924cf7c | 6859 | SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6860 | WOLFSSL_MSG("CertificateRequest received out of order"); |
wolfSSL | 15:117db924cf7c | 6861 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6862 | } |
wolfSSL | 15:117db924cf7c | 6863 | #else |
wolfSSL | 15:117db924cf7c | 6864 | if (ssl->options.serverState != |
wolfSSL | 15:117db924cf7c | 6865 | SERVER_ENCRYPTED_EXTENSIONS_COMPLETE && |
wolfSSL | 15:117db924cf7c | 6866 | (ssl->options.serverState != SERVER_FINISHED_COMPLETE || |
wolfSSL | 15:117db924cf7c | 6867 | ssl->options.clientState != CLIENT_FINISHED_COMPLETE)) { |
wolfSSL | 15:117db924cf7c | 6868 | WOLFSSL_MSG("CertificateRequest received out of order"); |
wolfSSL | 15:117db924cf7c | 6869 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6870 | } |
wolfSSL | 15:117db924cf7c | 6871 | #endif |
wolfSSL | 15:117db924cf7c | 6872 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 6873 | /* Server's authenticating with PSK must not send this. */ |
wolfSSL | 15:117db924cf7c | 6874 | if (ssl->options.serverState == |
wolfSSL | 15:117db924cf7c | 6875 | SERVER_ENCRYPTED_EXTENSIONS_COMPLETE && |
wolfSSL | 15:117db924cf7c | 6876 | ssl->arrays->psk_keySz != 0) { |
wolfSSL | 15:117db924cf7c | 6877 | WOLFSSL_MSG("CertificateRequset received while using PSK"); |
wolfSSL | 15:117db924cf7c | 6878 | return SANITY_MSG_E; |
wolfSSL | 15:117db924cf7c | 6879 | } |
wolfSSL | 15:117db924cf7c | 6880 | #endif |
wolfSSL | 15:117db924cf7c | 6881 | #ifndef WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 6882 | if (ssl->msgsReceived.got_certificate_request) { |
wolfSSL | 15:117db924cf7c | 6883 | WOLFSSL_MSG("Duplicate CertificateRequest received"); |
wolfSSL | 15:117db924cf7c | 6884 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 6885 | } |
wolfSSL | 15:117db924cf7c | 6886 | #endif |
wolfSSL | 15:117db924cf7c | 6887 | ssl->msgsReceived.got_certificate_request = 1; |
wolfSSL | 15:117db924cf7c | 6888 | |
wolfSSL | 15:117db924cf7c | 6889 | break; |
wolfSSL | 15:117db924cf7c | 6890 | #endif |
wolfSSL | 15:117db924cf7c | 6891 | |
wolfSSL | 15:117db924cf7c | 6892 | case certificate_verify: |
wolfSSL | 15:117db924cf7c | 6893 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6894 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 6895 | if (ssl->options.serverState != SERVER_CERT_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6896 | WOLFSSL_MSG("No Cert before CertVerify"); |
wolfSSL | 15:117db924cf7c | 6897 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6898 | } |
wolfSSL | 15:117db924cf7c | 6899 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 6900 | /* Server's authenticating with PSK must not send this. */ |
wolfSSL | 15:117db924cf7c | 6901 | if (ssl->options.serverState == SERVER_CERT_COMPLETE && |
wolfSSL | 15:117db924cf7c | 6902 | ssl->arrays->psk_keySz != 0) { |
wolfSSL | 15:117db924cf7c | 6903 | WOLFSSL_MSG("CertificateVerify received while using PSK"); |
wolfSSL | 15:117db924cf7c | 6904 | return SANITY_MSG_E; |
wolfSSL | 15:117db924cf7c | 6905 | } |
wolfSSL | 15:117db924cf7c | 6906 | #endif |
wolfSSL | 15:117db924cf7c | 6907 | } |
wolfSSL | 15:117db924cf7c | 6908 | #endif |
wolfSSL | 15:117db924cf7c | 6909 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6910 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 6911 | if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6912 | WOLFSSL_MSG("CertificateVerify received out of order"); |
wolfSSL | 15:117db924cf7c | 6913 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6914 | } |
wolfSSL | 15:117db924cf7c | 6915 | if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6916 | WOLFSSL_MSG("CertificateVerify before ClientHello done"); |
wolfSSL | 15:117db924cf7c | 6917 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6918 | } |
wolfSSL | 15:117db924cf7c | 6919 | if (!ssl->msgsReceived.got_certificate) { |
wolfSSL | 15:117db924cf7c | 6920 | WOLFSSL_MSG("No Cert before CertificateVerify"); |
wolfSSL | 15:117db924cf7c | 6921 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6922 | } |
wolfSSL | 15:117db924cf7c | 6923 | } |
wolfSSL | 15:117db924cf7c | 6924 | #endif |
wolfSSL | 15:117db924cf7c | 6925 | if (ssl->msgsReceived.got_certificate_verify) { |
wolfSSL | 15:117db924cf7c | 6926 | WOLFSSL_MSG("Duplicate CertificateVerify received"); |
wolfSSL | 15:117db924cf7c | 6927 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 6928 | } |
wolfSSL | 15:117db924cf7c | 6929 | ssl->msgsReceived.got_certificate_verify = 1; |
wolfSSL | 15:117db924cf7c | 6930 | |
wolfSSL | 15:117db924cf7c | 6931 | break; |
wolfSSL | 15:117db924cf7c | 6932 | |
wolfSSL | 15:117db924cf7c | 6933 | case finished: |
wolfSSL | 15:117db924cf7c | 6934 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6935 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 6936 | if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6937 | WOLFSSL_MSG("Finished received out of order"); |
wolfSSL | 15:117db924cf7c | 6938 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6939 | } |
wolfSSL | 15:117db924cf7c | 6940 | if (ssl->options.serverState < |
wolfSSL | 15:117db924cf7c | 6941 | SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6942 | WOLFSSL_MSG("Finished received out of order"); |
wolfSSL | 15:117db924cf7c | 6943 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6944 | } |
wolfSSL | 15:117db924cf7c | 6945 | } |
wolfSSL | 15:117db924cf7c | 6946 | #endif |
wolfSSL | 15:117db924cf7c | 6947 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6948 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 6949 | if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6950 | WOLFSSL_MSG("Finished received out of order"); |
wolfSSL | 15:117db924cf7c | 6951 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6952 | } |
wolfSSL | 15:117db924cf7c | 6953 | if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 6954 | WOLFSSL_MSG("Finished received out of order"); |
wolfSSL | 15:117db924cf7c | 6955 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6956 | } |
wolfSSL | 15:117db924cf7c | 6957 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6958 | if (ssl->earlyData == process_early_data) { |
wolfSSL | 15:117db924cf7c | 6959 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6960 | } |
wolfSSL | 15:117db924cf7c | 6961 | #endif |
wolfSSL | 15:117db924cf7c | 6962 | } |
wolfSSL | 15:117db924cf7c | 6963 | #endif |
wolfSSL | 15:117db924cf7c | 6964 | if (ssl->msgsReceived.got_finished) { |
wolfSSL | 15:117db924cf7c | 6965 | WOLFSSL_MSG("Duplicate Finished received"); |
wolfSSL | 15:117db924cf7c | 6966 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 6967 | } |
wolfSSL | 15:117db924cf7c | 6968 | ssl->msgsReceived.got_finished = 1; |
wolfSSL | 15:117db924cf7c | 6969 | |
wolfSSL | 15:117db924cf7c | 6970 | break; |
wolfSSL | 15:117db924cf7c | 6971 | |
wolfSSL | 15:117db924cf7c | 6972 | case key_update: |
wolfSSL | 15:117db924cf7c | 6973 | if (!ssl->msgsReceived.got_finished) { |
wolfSSL | 15:117db924cf7c | 6974 | WOLFSSL_MSG("No KeyUpdate before Finished"); |
wolfSSL | 15:117db924cf7c | 6975 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6976 | } |
wolfSSL | 15:117db924cf7c | 6977 | break; |
wolfSSL | 15:117db924cf7c | 6978 | |
wolfSSL | 15:117db924cf7c | 6979 | default: |
wolfSSL | 15:117db924cf7c | 6980 | WOLFSSL_MSG("Unknown message type"); |
wolfSSL | 15:117db924cf7c | 6981 | return SANITY_MSG_E; |
wolfSSL | 15:117db924cf7c | 6982 | } |
wolfSSL | 15:117db924cf7c | 6983 | |
wolfSSL | 15:117db924cf7c | 6984 | return 0; |
wolfSSL | 15:117db924cf7c | 6985 | } |
wolfSSL | 15:117db924cf7c | 6986 | |
wolfSSL | 15:117db924cf7c | 6987 | /* Handle a type of handshake message that has been received. |
wolfSSL | 15:117db924cf7c | 6988 | * |
wolfSSL | 15:117db924cf7c | 6989 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6990 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 6991 | * inOutIdx On entry, the index into the buffer of the current message. |
wolfSSL | 15:117db924cf7c | 6992 | * On exit, the index into the buffer of the next message. |
wolfSSL | 15:117db924cf7c | 6993 | * size The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 6994 | * totalSz Length of remaining data in the message buffer. |
wolfSSL | 15:117db924cf7c | 6995 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 6996 | */ |
wolfSSL | 15:117db924cf7c | 6997 | int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 6998 | byte type, word32 size, word32 totalSz) |
wolfSSL | 15:117db924cf7c | 6999 | { |
wolfSSL | 15:117db924cf7c | 7000 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 7001 | word32 inIdx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 7002 | |
wolfSSL | 15:117db924cf7c | 7003 | (void)totalSz; |
wolfSSL | 15:117db924cf7c | 7004 | |
wolfSSL | 15:117db924cf7c | 7005 | WOLFSSL_ENTER("DoTls13HandShakeMsgType"); |
wolfSSL | 15:117db924cf7c | 7006 | |
wolfSSL | 15:117db924cf7c | 7007 | /* make sure can read the message */ |
wolfSSL | 15:117db924cf7c | 7008 | if (*inOutIdx + size > totalSz) |
wolfSSL | 15:117db924cf7c | 7009 | return INCOMPLETE_DATA; |
wolfSSL | 15:117db924cf7c | 7010 | |
wolfSSL | 15:117db924cf7c | 7011 | /* sanity check msg received */ |
wolfSSL | 15:117db924cf7c | 7012 | if ((ret = SanityCheckTls13MsgReceived(ssl, type)) != 0) { |
wolfSSL | 15:117db924cf7c | 7013 | WOLFSSL_MSG("Sanity Check on handshake message type received failed"); |
wolfSSL | 15:117db924cf7c | 7014 | SendAlert(ssl, alert_fatal, unexpected_message); |
wolfSSL | 15:117db924cf7c | 7015 | return ret; |
wolfSSL | 15:117db924cf7c | 7016 | } |
wolfSSL | 15:117db924cf7c | 7017 | |
wolfSSL | 15:117db924cf7c | 7018 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 7019 | /* add name later, add on record and handshake header part back on */ |
wolfSSL | 15:117db924cf7c | 7020 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 7021 | int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 7022 | AddPacketInfo(ssl, 0, handshake, input + *inOutIdx - add, |
wolfSSL | 15:117db924cf7c | 7023 | size + add, READ_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 7024 | AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 7025 | } |
wolfSSL | 15:117db924cf7c | 7026 | #endif |
wolfSSL | 15:117db924cf7c | 7027 | |
wolfSSL | 15:117db924cf7c | 7028 | if (ssl->options.handShakeState == HANDSHAKE_DONE && |
wolfSSL | 15:117db924cf7c | 7029 | type != session_ticket && type != certificate_request && |
wolfSSL | 15:117db924cf7c | 7030 | type != certificate && type != key_update) { |
wolfSSL | 15:117db924cf7c | 7031 | WOLFSSL_MSG("HandShake message after handshake complete"); |
wolfSSL | 15:117db924cf7c | 7032 | SendAlert(ssl, alert_fatal, unexpected_message); |
wolfSSL | 15:117db924cf7c | 7033 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7034 | } |
wolfSSL | 15:117db924cf7c | 7035 | |
wolfSSL | 15:117db924cf7c | 7036 | if (ssl->options.side == WOLFSSL_CLIENT_END && |
wolfSSL | 15:117db924cf7c | 7037 | ssl->options.serverState == NULL_STATE && |
wolfSSL | 15:117db924cf7c | 7038 | type != server_hello && type != hello_retry_request) { |
wolfSSL | 15:117db924cf7c | 7039 | WOLFSSL_MSG("First server message not server hello"); |
wolfSSL | 15:117db924cf7c | 7040 | SendAlert(ssl, alert_fatal, unexpected_message); |
wolfSSL | 15:117db924cf7c | 7041 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7042 | } |
wolfSSL | 15:117db924cf7c | 7043 | |
wolfSSL | 15:117db924cf7c | 7044 | if (ssl->options.side == WOLFSSL_SERVER_END && |
wolfSSL | 15:117db924cf7c | 7045 | ssl->options.clientState == NULL_STATE && type != client_hello) { |
wolfSSL | 15:117db924cf7c | 7046 | WOLFSSL_MSG("First client message not client hello"); |
wolfSSL | 15:117db924cf7c | 7047 | SendAlert(ssl, alert_fatal, unexpected_message); |
wolfSSL | 15:117db924cf7c | 7048 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7049 | } |
wolfSSL | 15:117db924cf7c | 7050 | |
wolfSSL | 15:117db924cf7c | 7051 | /* above checks handshake state */ |
wolfSSL | 15:117db924cf7c | 7052 | switch (type) { |
wolfSSL | 15:117db924cf7c | 7053 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7054 | /* Messages only recieved by client. */ |
wolfSSL | 15:117db924cf7c | 7055 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 7056 | case hello_retry_request: |
wolfSSL | 15:117db924cf7c | 7057 | WOLFSSL_MSG("processing hello rety request"); |
wolfSSL | 15:117db924cf7c | 7058 | ret = DoTls13HelloRetryRequest(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7059 | break; |
wolfSSL | 15:117db924cf7c | 7060 | #endif |
wolfSSL | 15:117db924cf7c | 7061 | |
wolfSSL | 15:117db924cf7c | 7062 | case server_hello: |
wolfSSL | 15:117db924cf7c | 7063 | WOLFSSL_MSG("processing server hello"); |
wolfSSL | 15:117db924cf7c | 7064 | ret = DoTls13ServerHello(ssl, input, inOutIdx, size, &type); |
wolfSSL | 15:117db924cf7c | 7065 | break; |
wolfSSL | 15:117db924cf7c | 7066 | |
wolfSSL | 15:117db924cf7c | 7067 | case encrypted_extensions: |
wolfSSL | 15:117db924cf7c | 7068 | WOLFSSL_MSG("processing encrypted extensions"); |
wolfSSL | 15:117db924cf7c | 7069 | ret = DoTls13EncryptedExtensions(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7070 | break; |
wolfSSL | 15:117db924cf7c | 7071 | |
wolfSSL | 15:117db924cf7c | 7072 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 7073 | case certificate_request: |
wolfSSL | 15:117db924cf7c | 7074 | WOLFSSL_MSG("processing certificate request"); |
wolfSSL | 15:117db924cf7c | 7075 | ret = DoTls13CertificateRequest(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7076 | break; |
wolfSSL | 15:117db924cf7c | 7077 | #endif |
wolfSSL | 15:117db924cf7c | 7078 | |
wolfSSL | 15:117db924cf7c | 7079 | case session_ticket: |
wolfSSL | 15:117db924cf7c | 7080 | WOLFSSL_MSG("processing new session ticket"); |
wolfSSL | 15:117db924cf7c | 7081 | ret = DoTls13NewSessionTicket(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7082 | break; |
wolfSSL | 15:117db924cf7c | 7083 | #endif /* !NO_WOLFSSL_CLIENT */ |
wolfSSL | 15:117db924cf7c | 7084 | |
wolfSSL | 15:117db924cf7c | 7085 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7086 | /* Messages only recieved by server. */ |
wolfSSL | 15:117db924cf7c | 7087 | case client_hello: |
wolfSSL | 15:117db924cf7c | 7088 | WOLFSSL_MSG("processing client hello"); |
wolfSSL | 15:117db924cf7c | 7089 | ret = DoTls13ClientHello(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7090 | break; |
wolfSSL | 15:117db924cf7c | 7091 | |
wolfSSL | 15:117db924cf7c | 7092 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7093 | case end_of_early_data: |
wolfSSL | 15:117db924cf7c | 7094 | WOLFSSL_MSG("processing end of early data"); |
wolfSSL | 15:117db924cf7c | 7095 | ret = DoTls13EndOfEarlyData(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7096 | break; |
wolfSSL | 15:117db924cf7c | 7097 | #endif |
wolfSSL | 15:117db924cf7c | 7098 | #endif /* !NO_WOLFSSL_SERVER */ |
wolfSSL | 15:117db924cf7c | 7099 | |
wolfSSL | 15:117db924cf7c | 7100 | /* Messages recieved by both client and server. */ |
wolfSSL | 15:117db924cf7c | 7101 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 7102 | case certificate: |
wolfSSL | 15:117db924cf7c | 7103 | WOLFSSL_MSG("processing certificate"); |
wolfSSL | 15:117db924cf7c | 7104 | ret = DoTls13Certificate(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7105 | break; |
wolfSSL | 15:117db924cf7c | 7106 | #endif |
wolfSSL | 15:117db924cf7c | 7107 | |
wolfSSL | 15:117db924cf7c | 7108 | #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) |
wolfSSL | 15:117db924cf7c | 7109 | case certificate_verify: |
wolfSSL | 15:117db924cf7c | 7110 | WOLFSSL_MSG("processing certificate verify"); |
wolfSSL | 15:117db924cf7c | 7111 | ret = DoTls13CertificateVerify(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7112 | break; |
wolfSSL | 15:117db924cf7c | 7113 | #endif /* !NO_RSA || HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 7114 | |
wolfSSL | 15:117db924cf7c | 7115 | case finished: |
wolfSSL | 15:117db924cf7c | 7116 | WOLFSSL_MSG("processing finished"); |
wolfSSL | 15:117db924cf7c | 7117 | ret = DoTls13Finished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF); |
wolfSSL | 15:117db924cf7c | 7118 | break; |
wolfSSL | 15:117db924cf7c | 7119 | |
wolfSSL | 15:117db924cf7c | 7120 | case key_update: |
wolfSSL | 15:117db924cf7c | 7121 | WOLFSSL_MSG("processing finished"); |
wolfSSL | 15:117db924cf7c | 7122 | ret = DoTls13KeyUpdate(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7123 | break; |
wolfSSL | 15:117db924cf7c | 7124 | |
wolfSSL | 15:117db924cf7c | 7125 | default: |
wolfSSL | 15:117db924cf7c | 7126 | WOLFSSL_MSG("Unknown handshake message type"); |
wolfSSL | 15:117db924cf7c | 7127 | ret = UNKNOWN_HANDSHAKE_TYPE; |
wolfSSL | 15:117db924cf7c | 7128 | break; |
wolfSSL | 15:117db924cf7c | 7129 | } |
wolfSSL | 15:117db924cf7c | 7130 | |
wolfSSL | 15:117db924cf7c | 7131 | /* reset error */ |
wolfSSL | 15:117db924cf7c | 7132 | if (ret == 0 && ssl->error == WC_PENDING_E) |
wolfSSL | 15:117db924cf7c | 7133 | ssl->error = 0; |
wolfSSL | 15:117db924cf7c | 7134 | |
wolfSSL | 15:117db924cf7c | 7135 | if (ret == 0 && type != client_hello && type != session_ticket && |
wolfSSL | 15:117db924cf7c | 7136 | type != key_update) { |
wolfSSL | 15:117db924cf7c | 7137 | ret = HashInput(ssl, input + inIdx, size); |
wolfSSL | 15:117db924cf7c | 7138 | } |
wolfSSL | 15:117db924cf7c | 7139 | |
wolfSSL | 15:117db924cf7c | 7140 | if (ret == BUFFER_ERROR || ret == MISSING_HANDSHAKE_DATA) |
wolfSSL | 15:117db924cf7c | 7141 | SendAlert(ssl, alert_fatal, decode_error); |
wolfSSL | 15:117db924cf7c | 7142 | else if (ret == EXT_NOT_ALLOWED || ret == PEER_KEY_ERROR || |
wolfSSL | 15:117db924cf7c | 7143 | ret == ECC_PEERKEY_ERROR || ret == BAD_KEY_SHARE_DATA || |
wolfSSL | 15:117db924cf7c | 7144 | ret == PSK_KEY_ERROR || ret == INVALID_PARAMETER) { |
wolfSSL | 15:117db924cf7c | 7145 | SendAlert(ssl, alert_fatal, illegal_parameter); |
wolfSSL | 15:117db924cf7c | 7146 | } |
wolfSSL | 15:117db924cf7c | 7147 | |
wolfSSL | 15:117db924cf7c | 7148 | if (ssl->options.tls1_3) { |
wolfSSL | 15:117db924cf7c | 7149 | /* Need to hash input message before deriving secrets. */ |
wolfSSL | 15:117db924cf7c | 7150 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7151 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 7152 | if (type == server_hello) { |
wolfSSL | 15:117db924cf7c | 7153 | if ((ret = DeriveEarlySecret(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 7154 | return ret; |
wolfSSL | 15:117db924cf7c | 7155 | if ((ret = DeriveHandshakeSecret(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 7156 | return ret; |
wolfSSL | 15:117db924cf7c | 7157 | |
wolfSSL | 15:117db924cf7c | 7158 | if ((ret = DeriveTls13Keys(ssl, handshake_key, |
wolfSSL | 15:117db924cf7c | 7159 | ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) { |
wolfSSL | 15:117db924cf7c | 7160 | return ret; |
wolfSSL | 15:117db924cf7c | 7161 | } |
wolfSSL | 15:117db924cf7c | 7162 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7163 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 7164 | return ret; |
wolfSSL | 15:117db924cf7c | 7165 | #else |
wolfSSL | 15:117db924cf7c | 7166 | if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0) |
wolfSSL | 15:117db924cf7c | 7167 | return ret; |
wolfSSL | 15:117db924cf7c | 7168 | #endif |
wolfSSL | 15:117db924cf7c | 7169 | } |
wolfSSL | 15:117db924cf7c | 7170 | |
wolfSSL | 15:117db924cf7c | 7171 | if (type == finished) { |
wolfSSL | 15:117db924cf7c | 7172 | if ((ret = DeriveMasterSecret(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 7173 | return ret; |
wolfSSL | 15:117db924cf7c | 7174 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7175 | if ((ret = DeriveTls13Keys(ssl, traffic_key, |
wolfSSL | 15:117db924cf7c | 7176 | ENCRYPT_AND_DECRYPT_SIDE, |
wolfSSL | 15:117db924cf7c | 7177 | ssl->earlyData == no_early_data)) != 0) { |
wolfSSL | 15:117db924cf7c | 7178 | return ret; |
wolfSSL | 15:117db924cf7c | 7179 | } |
wolfSSL | 15:117db924cf7c | 7180 | #else |
wolfSSL | 15:117db924cf7c | 7181 | if ((ret = DeriveTls13Keys(ssl, traffic_key, |
wolfSSL | 15:117db924cf7c | 7182 | ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) { |
wolfSSL | 15:117db924cf7c | 7183 | return ret; |
wolfSSL | 15:117db924cf7c | 7184 | } |
wolfSSL | 15:117db924cf7c | 7185 | #endif |
wolfSSL | 15:117db924cf7c | 7186 | } |
wolfSSL | 15:117db924cf7c | 7187 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 7188 | if (type == certificate_request && |
wolfSSL | 15:117db924cf7c | 7189 | ssl->options.handShakeState == HANDSHAKE_DONE) { |
wolfSSL | 15:117db924cf7c | 7190 | /* reset handshake states */ |
wolfSSL | 15:117db924cf7c | 7191 | ssl->options.clientState = CLIENT_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 7192 | ssl->options.connectState = FIRST_REPLY_DONE; |
wolfSSL | 15:117db924cf7c | 7193 | ssl->options.handShakeState = CLIENT_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 7194 | |
wolfSSL | 15:117db924cf7c | 7195 | if (wolfSSL_connect_TLSv13(ssl) != SSL_SUCCESS) |
wolfSSL | 15:117db924cf7c | 7196 | ret = POST_HAND_AUTH_ERROR; |
wolfSSL | 15:117db924cf7c | 7197 | } |
wolfSSL | 15:117db924cf7c | 7198 | #endif |
wolfSSL | 15:117db924cf7c | 7199 | } |
wolfSSL | 15:117db924cf7c | 7200 | #endif /* NO_WOLFSSL_CLIENT */ |
wolfSSL | 15:117db924cf7c | 7201 | |
wolfSSL | 15:117db924cf7c | 7202 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7203 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 7204 | if (ssl->options.side == WOLFSSL_SERVER_END && type == finished) { |
wolfSSL | 15:117db924cf7c | 7205 | ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret); |
wolfSSL | 15:117db924cf7c | 7206 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 7207 | return ret; |
wolfSSL | 15:117db924cf7c | 7208 | } |
wolfSSL | 15:117db924cf7c | 7209 | #endif |
wolfSSL | 15:117db924cf7c | 7210 | #endif /* NO_WOLFSSL_SERVER */ |
wolfSSL | 15:117db924cf7c | 7211 | } |
wolfSSL | 15:117db924cf7c | 7212 | |
wolfSSL | 15:117db924cf7c | 7213 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 7214 | /* if async, offset index so this msg will be processed again */ |
wolfSSL | 15:117db924cf7c | 7215 | if (ret == WC_PENDING_E && *inOutIdx > 0) { |
wolfSSL | 15:117db924cf7c | 7216 | *inOutIdx -= HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 7217 | } |
wolfSSL | 15:117db924cf7c | 7218 | #endif |
wolfSSL | 15:117db924cf7c | 7219 | |
wolfSSL | 15:117db924cf7c | 7220 | WOLFSSL_LEAVE("DoTls13HandShakeMsgType()", ret); |
wolfSSL | 15:117db924cf7c | 7221 | return ret; |
wolfSSL | 15:117db924cf7c | 7222 | } |
wolfSSL | 15:117db924cf7c | 7223 | |
wolfSSL | 15:117db924cf7c | 7224 | |
wolfSSL | 15:117db924cf7c | 7225 | /* Handle a handshake message that has been received. |
wolfSSL | 15:117db924cf7c | 7226 | * |
wolfSSL | 15:117db924cf7c | 7227 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7228 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 7229 | * inOutIdx On entry, the index into the buffer of the current message. |
wolfSSL | 15:117db924cf7c | 7230 | * On exit, the index into the buffer of the next message. |
wolfSSL | 15:117db924cf7c | 7231 | * totalSz Length of remaining data in the message buffer. |
wolfSSL | 15:117db924cf7c | 7232 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 7233 | */ |
wolfSSL | 15:117db924cf7c | 7234 | int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 7235 | word32 totalSz) |
wolfSSL | 15:117db924cf7c | 7236 | { |
wolfSSL | 15:117db924cf7c | 7237 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 7238 | word32 inputLength; |
wolfSSL | 15:117db924cf7c | 7239 | |
wolfSSL | 15:117db924cf7c | 7240 | WOLFSSL_ENTER("DoTls13HandShakeMsg()"); |
wolfSSL | 15:117db924cf7c | 7241 | |
wolfSSL | 15:117db924cf7c | 7242 | if (ssl->arrays == NULL) { |
wolfSSL | 15:117db924cf7c | 7243 | byte type; |
wolfSSL | 15:117db924cf7c | 7244 | word32 size; |
wolfSSL | 15:117db924cf7c | 7245 | |
wolfSSL | 15:117db924cf7c | 7246 | if (GetHandshakeHeader(ssl,input,inOutIdx,&type, &size, totalSz) != 0) |
wolfSSL | 15:117db924cf7c | 7247 | return PARSE_ERROR; |
wolfSSL | 15:117db924cf7c | 7248 | |
wolfSSL | 15:117db924cf7c | 7249 | return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size, |
wolfSSL | 15:117db924cf7c | 7250 | totalSz); |
wolfSSL | 15:117db924cf7c | 7251 | } |
wolfSSL | 15:117db924cf7c | 7252 | |
wolfSSL | 15:117db924cf7c | 7253 | inputLength = ssl->buffers.inputBuffer.length - *inOutIdx - ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 7254 | |
wolfSSL | 15:117db924cf7c | 7255 | /* If there is a pending fragmented handshake message, |
wolfSSL | 15:117db924cf7c | 7256 | * pending message size will be non-zero. */ |
wolfSSL | 15:117db924cf7c | 7257 | if (ssl->arrays->pendingMsgSz == 0) { |
wolfSSL | 15:117db924cf7c | 7258 | byte type; |
wolfSSL | 15:117db924cf7c | 7259 | word32 size; |
wolfSSL | 15:117db924cf7c | 7260 | |
wolfSSL | 15:117db924cf7c | 7261 | if (GetHandshakeHeader(ssl,input, inOutIdx, &type, &size, totalSz) != 0) |
wolfSSL | 15:117db924cf7c | 7262 | return PARSE_ERROR; |
wolfSSL | 15:117db924cf7c | 7263 | |
wolfSSL | 15:117db924cf7c | 7264 | /* Cap the maximum size of a handshake message to something reasonable. |
wolfSSL | 15:117db924cf7c | 7265 | * By default is the maximum size of a certificate message assuming |
wolfSSL | 15:117db924cf7c | 7266 | * nine 2048-bit RSA certificates in the chain. */ |
wolfSSL | 15:117db924cf7c | 7267 | if (size > MAX_HANDSHAKE_SZ) { |
wolfSSL | 15:117db924cf7c | 7268 | WOLFSSL_MSG("Handshake message too large"); |
wolfSSL | 15:117db924cf7c | 7269 | return HANDSHAKE_SIZE_ERROR; |
wolfSSL | 15:117db924cf7c | 7270 | } |
wolfSSL | 15:117db924cf7c | 7271 | |
wolfSSL | 15:117db924cf7c | 7272 | /* size is the size of the certificate message payload */ |
wolfSSL | 15:117db924cf7c | 7273 | if (inputLength - HANDSHAKE_HEADER_SZ < size) { |
wolfSSL | 15:117db924cf7c | 7274 | ssl->arrays->pendingMsgType = type; |
wolfSSL | 15:117db924cf7c | 7275 | ssl->arrays->pendingMsgSz = size + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 7276 | ssl->arrays->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 7277 | ssl->heap, |
wolfSSL | 15:117db924cf7c | 7278 | DYNAMIC_TYPE_ARRAYS); |
wolfSSL | 15:117db924cf7c | 7279 | if (ssl->arrays->pendingMsg == NULL) |
wolfSSL | 15:117db924cf7c | 7280 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 7281 | XMEMCPY(ssl->arrays->pendingMsg, |
wolfSSL | 15:117db924cf7c | 7282 | input + *inOutIdx - HANDSHAKE_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 7283 | inputLength); |
wolfSSL | 15:117db924cf7c | 7284 | ssl->arrays->pendingMsgOffset = inputLength; |
wolfSSL | 15:117db924cf7c | 7285 | *inOutIdx += inputLength + ssl->keys.padSz - HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 7286 | return 0; |
wolfSSL | 15:117db924cf7c | 7287 | } |
wolfSSL | 15:117db924cf7c | 7288 | |
wolfSSL | 15:117db924cf7c | 7289 | ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size, |
wolfSSL | 15:117db924cf7c | 7290 | totalSz); |
wolfSSL | 15:117db924cf7c | 7291 | } |
wolfSSL | 15:117db924cf7c | 7292 | else { |
wolfSSL | 15:117db924cf7c | 7293 | if (inputLength + ssl->arrays->pendingMsgOffset > |
wolfSSL | 15:117db924cf7c | 7294 | ssl->arrays->pendingMsgSz) { |
wolfSSL | 15:117db924cf7c | 7295 | inputLength = ssl->arrays->pendingMsgSz - |
wolfSSL | 15:117db924cf7c | 7296 | ssl->arrays->pendingMsgOffset; |
wolfSSL | 15:117db924cf7c | 7297 | } |
wolfSSL | 15:117db924cf7c | 7298 | XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset, |
wolfSSL | 15:117db924cf7c | 7299 | input + *inOutIdx, inputLength); |
wolfSSL | 15:117db924cf7c | 7300 | ssl->arrays->pendingMsgOffset += inputLength; |
wolfSSL | 15:117db924cf7c | 7301 | *inOutIdx += inputLength + ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 7302 | |
wolfSSL | 15:117db924cf7c | 7303 | if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz) |
wolfSSL | 15:117db924cf7c | 7304 | { |
wolfSSL | 15:117db924cf7c | 7305 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 7306 | ret = DoTls13HandShakeMsgType(ssl, |
wolfSSL | 15:117db924cf7c | 7307 | ssl->arrays->pendingMsg + HANDSHAKE_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 7308 | &idx, ssl->arrays->pendingMsgType, |
wolfSSL | 15:117db924cf7c | 7309 | ssl->arrays->pendingMsgSz - HANDSHAKE_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 7310 | ssl->arrays->pendingMsgSz); |
wolfSSL | 15:117db924cf7c | 7311 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 7312 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 7313 | /* setup to process fragment again */ |
wolfSSL | 15:117db924cf7c | 7314 | ssl->arrays->pendingMsgOffset -= inputLength; |
wolfSSL | 15:117db924cf7c | 7315 | *inOutIdx -= inputLength + ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 7316 | } |
wolfSSL | 15:117db924cf7c | 7317 | else |
wolfSSL | 15:117db924cf7c | 7318 | #endif |
wolfSSL | 15:117db924cf7c | 7319 | { |
wolfSSL | 15:117db924cf7c | 7320 | XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS); |
wolfSSL | 15:117db924cf7c | 7321 | ssl->arrays->pendingMsg = NULL; |
wolfSSL | 15:117db924cf7c | 7322 | ssl->arrays->pendingMsgSz = 0; |
wolfSSL | 15:117db924cf7c | 7323 | } |
wolfSSL | 15:117db924cf7c | 7324 | } |
wolfSSL | 15:117db924cf7c | 7325 | } |
wolfSSL | 15:117db924cf7c | 7326 | |
wolfSSL | 15:117db924cf7c | 7327 | WOLFSSL_LEAVE("DoTls13HandShakeMsg()", ret); |
wolfSSL | 15:117db924cf7c | 7328 | return ret; |
wolfSSL | 15:117db924cf7c | 7329 | } |
wolfSSL | 15:117db924cf7c | 7330 | |
wolfSSL | 15:117db924cf7c | 7331 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7332 | |
wolfSSL | 15:117db924cf7c | 7333 | /* The client connecting to the server. |
wolfSSL | 15:117db924cf7c | 7334 | * The protocol version is expecting to be TLS v1.3. |
wolfSSL | 15:117db924cf7c | 7335 | * If the server downgrades, and older versions of the protocol are compiled |
wolfSSL | 15:117db924cf7c | 7336 | * in, the client will fallback to wolfSSL_connect(). |
wolfSSL | 15:117db924cf7c | 7337 | * Please see note at top of README if you get an error from connect. |
wolfSSL | 15:117db924cf7c | 7338 | * |
wolfSSL | 15:117db924cf7c | 7339 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7340 | * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when |
wolfSSL | 15:117db924cf7c | 7341 | * unrecoverable error occurs and 0 otherwise. |
wolfSSL | 15:117db924cf7c | 7342 | * For more error information use wolfSSL_get_error(). |
wolfSSL | 15:117db924cf7c | 7343 | */ |
wolfSSL | 15:117db924cf7c | 7344 | int wolfSSL_connect_TLSv13(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 7345 | { |
wolfSSL | 15:117db924cf7c | 7346 | WOLFSSL_ENTER("wolfSSL_connect_TLSv13()"); |
wolfSSL | 15:117db924cf7c | 7347 | |
wolfSSL | 15:117db924cf7c | 7348 | #ifdef HAVE_ERRNO_H |
wolfSSL | 15:117db924cf7c | 7349 | errno = 0; |
wolfSSL | 15:117db924cf7c | 7350 | #endif |
wolfSSL | 15:117db924cf7c | 7351 | |
wolfSSL | 15:117db924cf7c | 7352 | if (ssl->options.side != WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 7353 | WOLFSSL_ERROR(ssl->error = SIDE_ERROR); |
wolfSSL | 15:117db924cf7c | 7354 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7355 | } |
wolfSSL | 15:117db924cf7c | 7356 | |
wolfSSL | 15:117db924cf7c | 7357 | if (ssl->buffers.outputBuffer.length > 0) { |
wolfSSL | 15:117db924cf7c | 7358 | if ((ssl->error = SendBuffered(ssl)) == 0) { |
wolfSSL | 15:117db924cf7c | 7359 | /* fragOffset is non-zero when sending fragments. On the last |
wolfSSL | 15:117db924cf7c | 7360 | * fragment, fragOffset is zero again, and the state can be |
wolfSSL | 15:117db924cf7c | 7361 | * advanced. */ |
wolfSSL | 15:117db924cf7c | 7362 | if (ssl->fragOffset == 0) { |
wolfSSL | 15:117db924cf7c | 7363 | ssl->options.connectState++; |
wolfSSL | 15:117db924cf7c | 7364 | WOLFSSL_MSG("connect state: " |
wolfSSL | 15:117db924cf7c | 7365 | "Advanced from last buffered fragment send"); |
wolfSSL | 15:117db924cf7c | 7366 | } |
wolfSSL | 15:117db924cf7c | 7367 | else { |
wolfSSL | 15:117db924cf7c | 7368 | WOLFSSL_MSG("connect state: " |
wolfSSL | 15:117db924cf7c | 7369 | "Not advanced, more fragments to send"); |
wolfSSL | 15:117db924cf7c | 7370 | } |
wolfSSL | 15:117db924cf7c | 7371 | } |
wolfSSL | 15:117db924cf7c | 7372 | else { |
wolfSSL | 15:117db924cf7c | 7373 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7374 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7375 | } |
wolfSSL | 15:117db924cf7c | 7376 | } |
wolfSSL | 15:117db924cf7c | 7377 | |
wolfSSL | 15:117db924cf7c | 7378 | switch (ssl->options.connectState) { |
wolfSSL | 15:117db924cf7c | 7379 | |
wolfSSL | 15:117db924cf7c | 7380 | case CONNECT_BEGIN: |
wolfSSL | 15:117db924cf7c | 7381 | /* Always send client hello first. */ |
wolfSSL | 15:117db924cf7c | 7382 | if ((ssl->error = SendTls13ClientHello(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 7383 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7384 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7385 | } |
wolfSSL | 15:117db924cf7c | 7386 | |
wolfSSL | 15:117db924cf7c | 7387 | ssl->options.connectState = CLIENT_HELLO_SENT; |
wolfSSL | 15:117db924cf7c | 7388 | WOLFSSL_MSG("connect state: CLIENT_HELLO_SENT"); |
wolfSSL | 15:117db924cf7c | 7389 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7390 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 7391 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && \ |
wolfSSL | 15:117db924cf7c | 7392 | defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) |
wolfSSL | 15:117db924cf7c | 7393 | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 7394 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7395 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7396 | } |
wolfSSL | 15:117db924cf7c | 7397 | ssl->options.sentChangeCipher = 1; |
wolfSSL | 15:117db924cf7c | 7398 | #endif |
wolfSSL | 15:117db924cf7c | 7399 | ssl->options.handShakeState = CLIENT_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 7400 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 7401 | } |
wolfSSL | 15:117db924cf7c | 7402 | #endif |
wolfSSL | 15:117db924cf7c | 7403 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7404 | |
wolfSSL | 15:117db924cf7c | 7405 | case CLIENT_HELLO_SENT: |
wolfSSL | 15:117db924cf7c | 7406 | /* Get the response/s from the server. */ |
wolfSSL | 15:117db924cf7c | 7407 | while (ssl->options.serverState < |
wolfSSL | 15:117db924cf7c | 7408 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7409 | if ((ssl->error = ProcessReply(ssl)) < 0) { |
wolfSSL | 15:117db924cf7c | 7410 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7411 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7412 | } |
wolfSSL | 15:117db924cf7c | 7413 | } |
wolfSSL | 15:117db924cf7c | 7414 | |
wolfSSL | 15:117db924cf7c | 7415 | ssl->options.connectState = HELLO_AGAIN; |
wolfSSL | 15:117db924cf7c | 7416 | WOLFSSL_MSG("connect state: HELLO_AGAIN"); |
wolfSSL | 15:117db924cf7c | 7417 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7418 | |
wolfSSL | 15:117db924cf7c | 7419 | case HELLO_AGAIN: |
wolfSSL | 15:117db924cf7c | 7420 | if (ssl->options.certOnly) |
wolfSSL | 15:117db924cf7c | 7421 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 7422 | |
wolfSSL | 15:117db924cf7c | 7423 | if (!ssl->options.tls1_3) { |
wolfSSL | 15:117db924cf7c | 7424 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 7425 | if (ssl->options.downgrade) |
wolfSSL | 15:117db924cf7c | 7426 | return wolfSSL_connect(ssl); |
wolfSSL | 15:117db924cf7c | 7427 | #endif |
wolfSSL | 15:117db924cf7c | 7428 | |
wolfSSL | 15:117db924cf7c | 7429 | WOLFSSL_MSG("Client using higher version, fatal error"); |
wolfSSL | 15:117db924cf7c | 7430 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 7431 | } |
wolfSSL | 15:117db924cf7c | 7432 | |
wolfSSL | 15:117db924cf7c | 7433 | if (ssl->options.serverState == |
wolfSSL | 15:117db924cf7c | 7434 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7435 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && \ |
wolfSSL | 15:117db924cf7c | 7436 | defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) |
wolfSSL | 15:117db924cf7c | 7437 | if (!ssl->options.sentChangeCipher) { |
wolfSSL | 15:117db924cf7c | 7438 | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 7439 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7440 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7441 | } |
wolfSSL | 15:117db924cf7c | 7442 | ssl->options.sentChangeCipher = 1; |
wolfSSL | 15:117db924cf7c | 7443 | } |
wolfSSL | 15:117db924cf7c | 7444 | #endif |
wolfSSL | 15:117db924cf7c | 7445 | /* Try again with different security parameters. */ |
wolfSSL | 15:117db924cf7c | 7446 | if ((ssl->error = SendTls13ClientHello(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 7447 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7448 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7449 | } |
wolfSSL | 15:117db924cf7c | 7450 | } |
wolfSSL | 15:117db924cf7c | 7451 | |
wolfSSL | 15:117db924cf7c | 7452 | ssl->options.connectState = HELLO_AGAIN_REPLY; |
wolfSSL | 15:117db924cf7c | 7453 | WOLFSSL_MSG("connect state: HELLO_AGAIN_REPLY"); |
wolfSSL | 15:117db924cf7c | 7454 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7455 | |
wolfSSL | 15:117db924cf7c | 7456 | case HELLO_AGAIN_REPLY: |
wolfSSL | 15:117db924cf7c | 7457 | /* Get the response/s from the server. */ |
wolfSSL | 15:117db924cf7c | 7458 | while (ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7459 | if ((ssl->error = ProcessReply(ssl)) < 0) { |
wolfSSL | 15:117db924cf7c | 7460 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7461 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7462 | } |
wolfSSL | 15:117db924cf7c | 7463 | } |
wolfSSL | 15:117db924cf7c | 7464 | |
wolfSSL | 15:117db924cf7c | 7465 | ssl->options.connectState = FIRST_REPLY_DONE; |
wolfSSL | 15:117db924cf7c | 7466 | WOLFSSL_MSG("connect state: FIRST_REPLY_DONE"); |
wolfSSL | 15:117db924cf7c | 7467 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7468 | |
wolfSSL | 15:117db924cf7c | 7469 | case FIRST_REPLY_DONE: |
wolfSSL | 15:117db924cf7c | 7470 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7471 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 7472 | if ((ssl->error = SendTls13EndOfEarlyData(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 7473 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7474 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7475 | } |
wolfSSL | 15:117db924cf7c | 7476 | WOLFSSL_MSG("sent: end_of_early_data"); |
wolfSSL | 15:117db924cf7c | 7477 | } |
wolfSSL | 15:117db924cf7c | 7478 | #endif |
wolfSSL | 15:117db924cf7c | 7479 | |
wolfSSL | 15:117db924cf7c | 7480 | ssl->options.connectState = FIRST_REPLY_FIRST; |
wolfSSL | 15:117db924cf7c | 7481 | WOLFSSL_MSG("connect state: FIRST_REPLY_FIRST"); |
wolfSSL | 15:117db924cf7c | 7482 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7483 | |
wolfSSL | 15:117db924cf7c | 7484 | case FIRST_REPLY_FIRST: |
wolfSSL | 15:117db924cf7c | 7485 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && \ |
wolfSSL | 15:117db924cf7c | 7486 | defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) |
wolfSSL | 15:117db924cf7c | 7487 | if (!ssl->options.sentChangeCipher) { |
wolfSSL | 15:117db924cf7c | 7488 | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 7489 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7490 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7491 | } |
wolfSSL | 15:117db924cf7c | 7492 | ssl->options.sentChangeCipher = 1; |
wolfSSL | 15:117db924cf7c | 7493 | } |
wolfSSL | 15:117db924cf7c | 7494 | #endif |
wolfSSL | 15:117db924cf7c | 7495 | |
wolfSSL | 15:117db924cf7c | 7496 | ssl->options.connectState = FIRST_REPLY_SECOND; |
wolfSSL | 15:117db924cf7c | 7497 | WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND"); |
wolfSSL | 15:117db924cf7c | 7498 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7499 | |
wolfSSL | 15:117db924cf7c | 7500 | case FIRST_REPLY_SECOND: |
wolfSSL | 15:117db924cf7c | 7501 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 7502 | if (!ssl->options.resuming && ssl->options.sendVerify) { |
wolfSSL | 15:117db924cf7c | 7503 | ssl->error = SendTls13Certificate(ssl); |
wolfSSL | 15:117db924cf7c | 7504 | if (ssl->error != 0) { |
wolfSSL | 15:117db924cf7c | 7505 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7506 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7507 | } |
wolfSSL | 15:117db924cf7c | 7508 | WOLFSSL_MSG("sent: certificate"); |
wolfSSL | 15:117db924cf7c | 7509 | } |
wolfSSL | 15:117db924cf7c | 7510 | #endif |
wolfSSL | 15:117db924cf7c | 7511 | |
wolfSSL | 15:117db924cf7c | 7512 | ssl->options.connectState = FIRST_REPLY_THIRD; |
wolfSSL | 15:117db924cf7c | 7513 | WOLFSSL_MSG("connect state: FIRST_REPLY_THIRD"); |
wolfSSL | 15:117db924cf7c | 7514 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7515 | |
wolfSSL | 15:117db924cf7c | 7516 | case FIRST_REPLY_THIRD: |
wolfSSL | 15:117db924cf7c | 7517 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 7518 | if (!ssl->options.resuming && ssl->options.sendVerify) { |
wolfSSL | 15:117db924cf7c | 7519 | ssl->error = SendTls13CertificateVerify(ssl); |
wolfSSL | 15:117db924cf7c | 7520 | if (ssl->error != 0) { |
wolfSSL | 15:117db924cf7c | 7521 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7522 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7523 | } |
wolfSSL | 15:117db924cf7c | 7524 | WOLFSSL_MSG("sent: certificate verify"); |
wolfSSL | 15:117db924cf7c | 7525 | } |
wolfSSL | 15:117db924cf7c | 7526 | #endif |
wolfSSL | 15:117db924cf7c | 7527 | |
wolfSSL | 15:117db924cf7c | 7528 | ssl->options.connectState = FIRST_REPLY_FOURTH; |
wolfSSL | 15:117db924cf7c | 7529 | WOLFSSL_MSG("connect state: FIRST_REPLY_FOURTH"); |
wolfSSL | 15:117db924cf7c | 7530 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7531 | |
wolfSSL | 15:117db924cf7c | 7532 | case FIRST_REPLY_FOURTH: |
wolfSSL | 15:117db924cf7c | 7533 | if ((ssl->error = SendTls13Finished(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 7534 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7535 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7536 | } |
wolfSSL | 15:117db924cf7c | 7537 | WOLFSSL_MSG("sent: finished"); |
wolfSSL | 15:117db924cf7c | 7538 | |
wolfSSL | 15:117db924cf7c | 7539 | ssl->options.connectState = FINISHED_DONE; |
wolfSSL | 15:117db924cf7c | 7540 | WOLFSSL_MSG("connect state: FINISHED_DONE"); |
wolfSSL | 15:117db924cf7c | 7541 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7542 | |
wolfSSL | 15:117db924cf7c | 7543 | case FINISHED_DONE: |
wolfSSL | 15:117db924cf7c | 7544 | #ifndef NO_HANDSHAKE_DONE_CB |
wolfSSL | 15:117db924cf7c | 7545 | if (ssl->hsDoneCb != NULL) { |
wolfSSL | 15:117db924cf7c | 7546 | int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx); |
wolfSSL | 15:117db924cf7c | 7547 | if (cbret < 0) { |
wolfSSL | 15:117db924cf7c | 7548 | ssl->error = cbret; |
wolfSSL | 15:117db924cf7c | 7549 | WOLFSSL_MSG("HandShake Done Cb don't continue error"); |
wolfSSL | 15:117db924cf7c | 7550 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7551 | } |
wolfSSL | 15:117db924cf7c | 7552 | } |
wolfSSL | 15:117db924cf7c | 7553 | #endif /* NO_HANDSHAKE_DONE_CB */ |
wolfSSL | 15:117db924cf7c | 7554 | |
wolfSSL | 15:117db924cf7c | 7555 | WOLFSSL_LEAVE("wolfSSL_connect_TLSv13()", WOLFSSL_SUCCESS); |
wolfSSL | 15:117db924cf7c | 7556 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 7557 | |
wolfSSL | 15:117db924cf7c | 7558 | default: |
wolfSSL | 15:117db924cf7c | 7559 | WOLFSSL_MSG("Unknown connect state ERROR"); |
wolfSSL | 15:117db924cf7c | 7560 | return WOLFSSL_FATAL_ERROR; /* unknown connect state */ |
wolfSSL | 15:117db924cf7c | 7561 | } |
wolfSSL | 15:117db924cf7c | 7562 | } |
wolfSSL | 15:117db924cf7c | 7563 | #endif |
wolfSSL | 15:117db924cf7c | 7564 | |
wolfSSL | 15:117db924cf7c | 7565 | #if defined(WOLFSSL_SEND_HRR_COOKIE) |
wolfSSL | 15:117db924cf7c | 7566 | /* Send a cookie with the HelloRetryRequest to avoid storing state. |
wolfSSL | 15:117db924cf7c | 7567 | * |
wolfSSL | 15:117db924cf7c | 7568 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7569 | * secret Secret to use when generating integrity check for cookie. |
wolfSSL | 15:117db924cf7c | 7570 | * A value of NULL indicates to generate a new random secret. |
wolfSSL | 15:117db924cf7c | 7571 | * secretSz Size of secret data in bytes. |
wolfSSL | 15:117db924cf7c | 7572 | * Use a value of 0 to indicate use of default size. |
wolfSSL | 15:117db924cf7c | 7573 | * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR when |
wolfSSL | 15:117db924cf7c | 7574 | * called on a client; WOLFSSL_SUCCESS on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 7575 | */ |
wolfSSL | 15:117db924cf7c | 7576 | int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret, |
wolfSSL | 15:117db924cf7c | 7577 | unsigned int secretSz) |
wolfSSL | 15:117db924cf7c | 7578 | { |
wolfSSL | 15:117db924cf7c | 7579 | int ret; |
wolfSSL | 15:117db924cf7c | 7580 | |
wolfSSL | 15:117db924cf7c | 7581 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 7582 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7583 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7584 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 7585 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 7586 | |
wolfSSL | 15:117db924cf7c | 7587 | if (secretSz == 0) { |
wolfSSL | 15:117db924cf7c | 7588 | #if !defined(NO_SHA) && defined(NO_SHA256) |
wolfSSL | 15:117db924cf7c | 7589 | secretSz = WC_SHA_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 7590 | #endif /* NO_SHA */ |
wolfSSL | 15:117db924cf7c | 7591 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 7592 | secretSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 7593 | #endif /* NO_SHA256 */ |
wolfSSL | 15:117db924cf7c | 7594 | } |
wolfSSL | 15:117db924cf7c | 7595 | |
wolfSSL | 15:117db924cf7c | 7596 | if (secretSz != ssl->buffers.tls13CookieSecret.length) { |
wolfSSL | 15:117db924cf7c | 7597 | byte* newSecret; |
wolfSSL | 15:117db924cf7c | 7598 | |
wolfSSL | 15:117db924cf7c | 7599 | if (ssl->buffers.tls13CookieSecret.buffer != NULL) { |
wolfSSL | 15:117db924cf7c | 7600 | ForceZero(ssl->buffers.tls13CookieSecret.buffer, |
wolfSSL | 15:117db924cf7c | 7601 | ssl->buffers.tls13CookieSecret.length); |
wolfSSL | 15:117db924cf7c | 7602 | XFREE(ssl->buffers.tls13CookieSecret.buffer, |
wolfSSL | 15:117db924cf7c | 7603 | ssl->heap, DYNAMIC_TYPE_COOKIE_PWD); |
wolfSSL | 15:117db924cf7c | 7604 | } |
wolfSSL | 15:117db924cf7c | 7605 | |
wolfSSL | 15:117db924cf7c | 7606 | newSecret = (byte*)XMALLOC(secretSz, ssl->heap, |
wolfSSL | 15:117db924cf7c | 7607 | DYNAMIC_TYPE_COOKIE_PWD); |
wolfSSL | 15:117db924cf7c | 7608 | if (newSecret == NULL) { |
wolfSSL | 15:117db924cf7c | 7609 | ssl->buffers.tls13CookieSecret.buffer = NULL; |
wolfSSL | 15:117db924cf7c | 7610 | ssl->buffers.tls13CookieSecret.length = 0; |
wolfSSL | 15:117db924cf7c | 7611 | WOLFSSL_MSG("couldn't allocate new cookie secret"); |
wolfSSL | 15:117db924cf7c | 7612 | return MEMORY_ERROR; |
wolfSSL | 15:117db924cf7c | 7613 | } |
wolfSSL | 15:117db924cf7c | 7614 | ssl->buffers.tls13CookieSecret.buffer = newSecret; |
wolfSSL | 15:117db924cf7c | 7615 | ssl->buffers.tls13CookieSecret.length = secretSz; |
wolfSSL | 15:117db924cf7c | 7616 | } |
wolfSSL | 15:117db924cf7c | 7617 | |
wolfSSL | 15:117db924cf7c | 7618 | /* If the supplied secret is NULL, randomly generate a new secret. */ |
wolfSSL | 15:117db924cf7c | 7619 | if (secret == NULL) { |
wolfSSL | 15:117db924cf7c | 7620 | ret = wc_RNG_GenerateBlock(ssl->rng, |
wolfSSL | 15:117db924cf7c | 7621 | ssl->buffers.tls13CookieSecret.buffer, secretSz); |
wolfSSL | 15:117db924cf7c | 7622 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 7623 | return ret; |
wolfSSL | 15:117db924cf7c | 7624 | } |
wolfSSL | 15:117db924cf7c | 7625 | else |
wolfSSL | 15:117db924cf7c | 7626 | XMEMCPY(ssl->buffers.tls13CookieSecret.buffer, secret, secretSz); |
wolfSSL | 15:117db924cf7c | 7627 | |
wolfSSL | 15:117db924cf7c | 7628 | ssl->options.sendCookie = 1; |
wolfSSL | 15:117db924cf7c | 7629 | |
wolfSSL | 15:117db924cf7c | 7630 | ret = WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 7631 | #else |
wolfSSL | 15:117db924cf7c | 7632 | (void)secret; |
wolfSSL | 15:117db924cf7c | 7633 | (void)secretSz; |
wolfSSL | 15:117db924cf7c | 7634 | |
wolfSSL | 15:117db924cf7c | 7635 | ret = SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 7636 | #endif |
wolfSSL | 15:117db924cf7c | 7637 | |
wolfSSL | 15:117db924cf7c | 7638 | return ret; |
wolfSSL | 15:117db924cf7c | 7639 | } |
wolfSSL | 15:117db924cf7c | 7640 | #endif |
wolfSSL | 15:117db924cf7c | 7641 | |
wolfSSL | 15:117db924cf7c | 7642 | /* Create a key share entry from group. |
wolfSSL | 15:117db924cf7c | 7643 | * Generates a key pair. |
wolfSSL | 15:117db924cf7c | 7644 | * |
wolfSSL | 15:117db924cf7c | 7645 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7646 | * group The named group. |
wolfSSL | 15:117db924cf7c | 7647 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 7648 | */ |
wolfSSL | 15:117db924cf7c | 7649 | int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group) |
wolfSSL | 15:117db924cf7c | 7650 | { |
wolfSSL | 15:117db924cf7c | 7651 | int ret; |
wolfSSL | 15:117db924cf7c | 7652 | |
wolfSSL | 15:117db924cf7c | 7653 | if (ssl == NULL) |
wolfSSL | 15:117db924cf7c | 7654 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7655 | |
wolfSSL | 15:117db924cf7c | 7656 | ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL); |
wolfSSL | 15:117db924cf7c | 7657 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 7658 | return ret; |
wolfSSL | 15:117db924cf7c | 7659 | |
wolfSSL | 15:117db924cf7c | 7660 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 7661 | } |
wolfSSL | 15:117db924cf7c | 7662 | |
wolfSSL | 15:117db924cf7c | 7663 | /* Send no key share entries - use HelloRetryRequest to negotiate shared group. |
wolfSSL | 15:117db924cf7c | 7664 | * |
wolfSSL | 15:117db924cf7c | 7665 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7666 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 7667 | */ |
wolfSSL | 15:117db924cf7c | 7668 | int wolfSSL_NoKeyShares(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 7669 | { |
wolfSSL | 15:117db924cf7c | 7670 | int ret; |
wolfSSL | 15:117db924cf7c | 7671 | |
wolfSSL | 15:117db924cf7c | 7672 | if (ssl == NULL) |
wolfSSL | 15:117db924cf7c | 7673 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7674 | if (ssl->options.side == WOLFSSL_SERVER_END) |
wolfSSL | 15:117db924cf7c | 7675 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 7676 | |
wolfSSL | 15:117db924cf7c | 7677 | ret = TLSX_KeyShare_Empty(ssl); |
wolfSSL | 15:117db924cf7c | 7678 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 7679 | return ret; |
wolfSSL | 15:117db924cf7c | 7680 | |
wolfSSL | 15:117db924cf7c | 7681 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 7682 | } |
wolfSSL | 15:117db924cf7c | 7683 | |
wolfSSL | 15:117db924cf7c | 7684 | /* Do not send a ticket after TLS v1.3 handshake for resumption. |
wolfSSL | 15:117db924cf7c | 7685 | * |
wolfSSL | 15:117db924cf7c | 7686 | * ctx The SSL/TLS CTX object. |
wolfSSL | 15:117db924cf7c | 7687 | * returns BAD_FUNC_ARG when ctx is NULL and 0 on success. |
wolfSSL | 15:117db924cf7c | 7688 | */ |
wolfSSL | 15:117db924cf7c | 7689 | int wolfSSL_CTX_no_ticket_TLSv13(WOLFSSL_CTX* ctx) |
wolfSSL | 15:117db924cf7c | 7690 | { |
wolfSSL | 15:117db924cf7c | 7691 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
wolfSSL | 15:117db924cf7c | 7692 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7693 | if (ctx->method->side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 7694 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 7695 | |
wolfSSL | 15:117db924cf7c | 7696 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 7697 | ctx->noTicketTls13 = 1; |
wolfSSL | 15:117db924cf7c | 7698 | #endif |
wolfSSL | 15:117db924cf7c | 7699 | |
wolfSSL | 15:117db924cf7c | 7700 | return 0; |
wolfSSL | 15:117db924cf7c | 7701 | } |
wolfSSL | 15:117db924cf7c | 7702 | |
wolfSSL | 15:117db924cf7c | 7703 | /* Do not send a ticket after TLS v1.3 handshake for resumption. |
wolfSSL | 15:117db924cf7c | 7704 | * |
wolfSSL | 15:117db924cf7c | 7705 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7706 | * returns BAD_FUNC_ARG when ssl is NULL, not using TLS v1.3, or called on |
wolfSSL | 15:117db924cf7c | 7707 | * a client and 0 on success. |
wolfSSL | 15:117db924cf7c | 7708 | */ |
wolfSSL | 15:117db924cf7c | 7709 | int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 7710 | { |
wolfSSL | 15:117db924cf7c | 7711 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 7712 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7713 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 7714 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 7715 | |
wolfSSL | 15:117db924cf7c | 7716 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 7717 | ssl->options.noTicketTls13 = 1; |
wolfSSL | 15:117db924cf7c | 7718 | #endif |
wolfSSL | 15:117db924cf7c | 7719 | |
wolfSSL | 15:117db924cf7c | 7720 | return 0; |
wolfSSL | 15:117db924cf7c | 7721 | } |
wolfSSL | 15:117db924cf7c | 7722 | |
wolfSSL | 15:117db924cf7c | 7723 | /* Disallow (EC)DHE key exchange when using pre-shared keys. |
wolfSSL | 15:117db924cf7c | 7724 | * |
wolfSSL | 15:117db924cf7c | 7725 | * ctx The SSL/TLS CTX object. |
wolfSSL | 15:117db924cf7c | 7726 | * returns BAD_FUNC_ARG when ctx is NULL and 0 on success. |
wolfSSL | 15:117db924cf7c | 7727 | */ |
wolfSSL | 15:117db924cf7c | 7728 | int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx) |
wolfSSL | 15:117db924cf7c | 7729 | { |
wolfSSL | 15:117db924cf7c | 7730 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
wolfSSL | 15:117db924cf7c | 7731 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7732 | |
wolfSSL | 15:117db924cf7c | 7733 | ctx->noPskDheKe = 1; |
wolfSSL | 15:117db924cf7c | 7734 | |
wolfSSL | 15:117db924cf7c | 7735 | return 0; |
wolfSSL | 15:117db924cf7c | 7736 | } |
wolfSSL | 15:117db924cf7c | 7737 | |
wolfSSL | 15:117db924cf7c | 7738 | /* Disallow (EC)DHE key exchange when using pre-shared keys. |
wolfSSL | 15:117db924cf7c | 7739 | * |
wolfSSL | 15:117db924cf7c | 7740 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7741 | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3 and 0 on |
wolfSSL | 15:117db924cf7c | 7742 | * success. |
wolfSSL | 15:117db924cf7c | 7743 | */ |
wolfSSL | 15:117db924cf7c | 7744 | int wolfSSL_no_dhe_psk(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 7745 | { |
wolfSSL | 15:117db924cf7c | 7746 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 7747 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7748 | |
wolfSSL | 15:117db924cf7c | 7749 | ssl->options.noPskDheKe = 1; |
wolfSSL | 15:117db924cf7c | 7750 | |
wolfSSL | 15:117db924cf7c | 7751 | return 0; |
wolfSSL | 15:117db924cf7c | 7752 | } |
wolfSSL | 15:117db924cf7c | 7753 | |
wolfSSL | 15:117db924cf7c | 7754 | /* Update the keys for encryption and decryption. |
wolfSSL | 15:117db924cf7c | 7755 | * If using non-blocking I/O and WOLFSSL_ERROR_WANT_WRITE is returned then |
wolfSSL | 15:117db924cf7c | 7756 | * calling wolfSSL_write() will have the message sent when ready. |
wolfSSL | 15:117db924cf7c | 7757 | * |
wolfSSL | 15:117db924cf7c | 7758 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7759 | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3, |
wolfSSL | 15:117db924cf7c | 7760 | * WOLFSSL_ERROR_WANT_WRITE when non-blocking I/O is not ready to write, |
wolfSSL | 15:117db924cf7c | 7761 | * WOLFSSL_SUCCESS on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 7762 | */ |
wolfSSL | 15:117db924cf7c | 7763 | int wolfSSL_update_keys(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 7764 | { |
wolfSSL | 15:117db924cf7c | 7765 | int ret; |
wolfSSL | 15:117db924cf7c | 7766 | |
wolfSSL | 15:117db924cf7c | 7767 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 7768 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7769 | |
wolfSSL | 15:117db924cf7c | 7770 | ret = SendTls13KeyUpdate(ssl); |
wolfSSL | 15:117db924cf7c | 7771 | if (ret == WANT_WRITE) |
wolfSSL | 15:117db924cf7c | 7772 | ret = WOLFSSL_ERROR_WANT_WRITE; |
wolfSSL | 15:117db924cf7c | 7773 | else if (ret == 0) |
wolfSSL | 15:117db924cf7c | 7774 | ret = WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 7775 | return ret; |
wolfSSL | 15:117db924cf7c | 7776 | } |
wolfSSL | 15:117db924cf7c | 7777 | |
wolfSSL | 15:117db924cf7c | 7778 | #if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) |
wolfSSL | 15:117db924cf7c | 7779 | /* Allow post-handshake authentication in TLS v1.3 connections. |
wolfSSL | 15:117db924cf7c | 7780 | * |
wolfSSL | 15:117db924cf7c | 7781 | * ctx The SSL/TLS CTX object. |
wolfSSL | 15:117db924cf7c | 7782 | * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a client and |
wolfSSL | 15:117db924cf7c | 7783 | * 0 on success. |
wolfSSL | 15:117db924cf7c | 7784 | */ |
wolfSSL | 15:117db924cf7c | 7785 | int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx) |
wolfSSL | 15:117db924cf7c | 7786 | { |
wolfSSL | 15:117db924cf7c | 7787 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
wolfSSL | 15:117db924cf7c | 7788 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7789 | if (ctx->method->side == WOLFSSL_SERVER_END) |
wolfSSL | 15:117db924cf7c | 7790 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 7791 | |
wolfSSL | 15:117db924cf7c | 7792 | ctx->postHandshakeAuth = 1; |
wolfSSL | 15:117db924cf7c | 7793 | |
wolfSSL | 15:117db924cf7c | 7794 | return 0; |
wolfSSL | 15:117db924cf7c | 7795 | } |
wolfSSL | 15:117db924cf7c | 7796 | |
wolfSSL | 15:117db924cf7c | 7797 | /* Allow post-handshake authentication in TLS v1.3 connection. |
wolfSSL | 15:117db924cf7c | 7798 | * |
wolfSSL | 15:117db924cf7c | 7799 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7800 | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3, |
wolfSSL | 15:117db924cf7c | 7801 | * SIDE_ERROR when not a client and 0 on success. |
wolfSSL | 15:117db924cf7c | 7802 | */ |
wolfSSL | 15:117db924cf7c | 7803 | int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 7804 | { |
wolfSSL | 15:117db924cf7c | 7805 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 7806 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7807 | if (ssl->options.side == WOLFSSL_SERVER_END) |
wolfSSL | 15:117db924cf7c | 7808 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 7809 | |
wolfSSL | 15:117db924cf7c | 7810 | ssl->options.postHandshakeAuth = 1; |
wolfSSL | 15:117db924cf7c | 7811 | |
wolfSSL | 15:117db924cf7c | 7812 | return 0; |
wolfSSL | 15:117db924cf7c | 7813 | } |
wolfSSL | 15:117db924cf7c | 7814 | |
wolfSSL | 15:117db924cf7c | 7815 | /* Request a certificate of the client. |
wolfSSL | 15:117db924cf7c | 7816 | * Can be called any time after handshake completion. |
wolfSSL | 15:117db924cf7c | 7817 | * A maximum of 256 requests can be sent on a connection. |
wolfSSL | 15:117db924cf7c | 7818 | * |
wolfSSL | 15:117db924cf7c | 7819 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7820 | */ |
wolfSSL | 15:117db924cf7c | 7821 | int wolfSSL_request_certificate(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 7822 | { |
wolfSSL | 15:117db924cf7c | 7823 | int ret; |
wolfSSL | 15:117db924cf7c | 7824 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7825 | CertReqCtx* certReqCtx; |
wolfSSL | 15:117db924cf7c | 7826 | #endif |
wolfSSL | 15:117db924cf7c | 7827 | |
wolfSSL | 15:117db924cf7c | 7828 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 7829 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7830 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7831 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 7832 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 7833 | if (ssl->options.handShakeState != HANDSHAKE_DONE) |
wolfSSL | 15:117db924cf7c | 7834 | return NOT_READY_ERROR; |
wolfSSL | 15:117db924cf7c | 7835 | if (!ssl->options.postHandshakeAuth) |
wolfSSL | 15:117db924cf7c | 7836 | return POST_HAND_AUTH_ERROR; |
wolfSSL | 15:117db924cf7c | 7837 | |
wolfSSL | 15:117db924cf7c | 7838 | certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx), ssl->heap, |
wolfSSL | 15:117db924cf7c | 7839 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 7840 | if (certReqCtx == NULL) |
wolfSSL | 15:117db924cf7c | 7841 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 7842 | XMEMSET(certReqCtx, 0, sizeof(CertReqCtx)); |
wolfSSL | 15:117db924cf7c | 7843 | certReqCtx->next = ssl->certReqCtx; |
wolfSSL | 15:117db924cf7c | 7844 | certReqCtx->len = 1; |
wolfSSL | 15:117db924cf7c | 7845 | if (certReqCtx->next != NULL) |
wolfSSL | 15:117db924cf7c | 7846 | certReqCtx->ctx = certReqCtx->next->ctx + 1; |
wolfSSL | 15:117db924cf7c | 7847 | ssl->certReqCtx = certReqCtx; |
wolfSSL | 15:117db924cf7c | 7848 | |
wolfSSL | 15:117db924cf7c | 7849 | ssl->msgsReceived.got_certificate = 0; |
wolfSSL | 15:117db924cf7c | 7850 | ssl->msgsReceived.got_certificate_verify = 0; |
wolfSSL | 15:117db924cf7c | 7851 | ssl->msgsReceived.got_finished = 0; |
wolfSSL | 15:117db924cf7c | 7852 | |
wolfSSL | 15:117db924cf7c | 7853 | ret = SendTls13CertificateRequest(ssl, &certReqCtx->ctx, certReqCtx->len); |
wolfSSL | 15:117db924cf7c | 7854 | if (ret == WANT_WRITE) |
wolfSSL | 15:117db924cf7c | 7855 | ret = WOLFSSL_ERROR_WANT_WRITE; |
wolfSSL | 15:117db924cf7c | 7856 | else if (ret == 0) |
wolfSSL | 15:117db924cf7c | 7857 | ret = WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 7858 | #else |
wolfSSL | 15:117db924cf7c | 7859 | ret = SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 7860 | #endif |
wolfSSL | 15:117db924cf7c | 7861 | |
wolfSSL | 15:117db924cf7c | 7862 | return ret; |
wolfSSL | 15:117db924cf7c | 7863 | } |
wolfSSL | 15:117db924cf7c | 7864 | #endif /* !NO_CERTS && WOLFSSL_POST_HANDSHAKE_AUTH */ |
wolfSSL | 15:117db924cf7c | 7865 | |
wolfSSL | 15:117db924cf7c | 7866 | #if !defined(WOLFSSL_NO_SERVER_GROUPS_EXT) |
wolfSSL | 15:117db924cf7c | 7867 | /* Get the preferred key exchange group. |
wolfSSL | 15:117db924cf7c | 7868 | * |
wolfSSL | 15:117db924cf7c | 7869 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7870 | * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, |
wolfSSL | 15:117db924cf7c | 7871 | * SIDE_ERROR when not a client, NOT_READY_ERROR when handshake not complete |
wolfSSL | 15:117db924cf7c | 7872 | * and group number on success. |
wolfSSL | 15:117db924cf7c | 7873 | */ |
wolfSSL | 15:117db924cf7c | 7874 | int wolfSSL_preferred_group(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 7875 | { |
wolfSSL | 15:117db924cf7c | 7876 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 7877 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7878 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7879 | if (ssl->options.side == WOLFSSL_SERVER_END) |
wolfSSL | 15:117db924cf7c | 7880 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 7881 | if (ssl->options.handShakeState != HANDSHAKE_DONE) |
wolfSSL | 15:117db924cf7c | 7882 | return NOT_READY_ERROR; |
wolfSSL | 15:117db924cf7c | 7883 | |
wolfSSL | 15:117db924cf7c | 7884 | /* Return supported groups only. */ |
wolfSSL | 15:117db924cf7c | 7885 | return TLSX_SupportedCurve_Preferred(ssl, 1); |
wolfSSL | 15:117db924cf7c | 7886 | #else |
wolfSSL | 15:117db924cf7c | 7887 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 7888 | #endif |
wolfSSL | 15:117db924cf7c | 7889 | } |
wolfSSL | 15:117db924cf7c | 7890 | #endif |
wolfSSL | 15:117db924cf7c | 7891 | |
wolfSSL | 15:117db924cf7c | 7892 | /* Sets the key exchange groups in rank order on a context. |
wolfSSL | 15:117db924cf7c | 7893 | * |
wolfSSL | 15:117db924cf7c | 7894 | * ctx SSL/TLS context object. |
wolfSSL | 15:117db924cf7c | 7895 | * groups Array of groups. |
wolfSSL | 15:117db924cf7c | 7896 | * count Number of groups in array. |
wolfSSL | 15:117db924cf7c | 7897 | * returns BAD_FUNC_ARG when ctx or groups is NULL, not using TLS v1.3 or |
wolfSSL | 15:117db924cf7c | 7898 | * count is greater than WOLFSSL_MAX_GROUP_COUNT and WOLFSSL_SUCCESS on success. |
wolfSSL | 15:117db924cf7c | 7899 | */ |
wolfSSL | 15:117db924cf7c | 7900 | int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count) |
wolfSSL | 15:117db924cf7c | 7901 | { |
wolfSSL | 15:117db924cf7c | 7902 | int i; |
wolfSSL | 15:117db924cf7c | 7903 | |
wolfSSL | 15:117db924cf7c | 7904 | if (ctx == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT) |
wolfSSL | 15:117db924cf7c | 7905 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7906 | if (!IsAtLeastTLSv1_3(ctx->method->version)) |
wolfSSL | 15:117db924cf7c | 7907 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7908 | |
wolfSSL | 15:117db924cf7c | 7909 | for (i = 0; i < count; i++) |
wolfSSL | 15:117db924cf7c | 7910 | ctx->group[i] = (word16)groups[i]; |
wolfSSL | 15:117db924cf7c | 7911 | ctx->numGroups = (byte)count; |
wolfSSL | 15:117db924cf7c | 7912 | |
wolfSSL | 15:117db924cf7c | 7913 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 7914 | } |
wolfSSL | 15:117db924cf7c | 7915 | |
wolfSSL | 15:117db924cf7c | 7916 | /* Sets the key exchange groups in rank order. |
wolfSSL | 15:117db924cf7c | 7917 | * |
wolfSSL | 15:117db924cf7c | 7918 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7919 | * groups Array of groups. |
wolfSSL | 15:117db924cf7c | 7920 | * count Number of groups in array. |
wolfSSL | 15:117db924cf7c | 7921 | * returns BAD_FUNC_ARG when ssl or groups is NULL, not using TLS v1.3 or |
wolfSSL | 15:117db924cf7c | 7922 | * count is greater than WOLFSSL_MAX_GROUP_COUNT and WOLFSSL_SUCCESS on success. |
wolfSSL | 15:117db924cf7c | 7923 | */ |
wolfSSL | 15:117db924cf7c | 7924 | int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count) |
wolfSSL | 15:117db924cf7c | 7925 | { |
wolfSSL | 15:117db924cf7c | 7926 | int i; |
wolfSSL | 15:117db924cf7c | 7927 | |
wolfSSL | 15:117db924cf7c | 7928 | if (ssl == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT) |
wolfSSL | 15:117db924cf7c | 7929 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7930 | if (!IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 7931 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 7932 | |
wolfSSL | 15:117db924cf7c | 7933 | for (i = 0; i < count; i++) |
wolfSSL | 15:117db924cf7c | 7934 | ssl->group[i] = (word16)groups[i]; |
wolfSSL | 15:117db924cf7c | 7935 | ssl->numGroups = (byte)count; |
wolfSSL | 15:117db924cf7c | 7936 | |
wolfSSL | 15:117db924cf7c | 7937 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 7938 | } |
wolfSSL | 15:117db924cf7c | 7939 | |
wolfSSL | 15:117db924cf7c | 7940 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7941 | /* The server accepting a connection from a client. |
wolfSSL | 15:117db924cf7c | 7942 | * The protocol version is expecting to be TLS v1.3. |
wolfSSL | 15:117db924cf7c | 7943 | * If the client downgrades, and older versions of the protocol are compiled |
wolfSSL | 15:117db924cf7c | 7944 | * in, the server will fallback to wolfSSL_accept(). |
wolfSSL | 15:117db924cf7c | 7945 | * Please see note at top of README if you get an error from accept. |
wolfSSL | 15:117db924cf7c | 7946 | * |
wolfSSL | 15:117db924cf7c | 7947 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7948 | * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when |
wolfSSL | 15:117db924cf7c | 7949 | * unrecoverable error occurs and 0 otherwise. |
wolfSSL | 15:117db924cf7c | 7950 | * For more error information use wolfSSL_get_error(). |
wolfSSL | 15:117db924cf7c | 7951 | */ |
wolfSSL | 15:117db924cf7c | 7952 | int wolfSSL_accept_TLSv13(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 7953 | { |
wolfSSL | 15:117db924cf7c | 7954 | word16 havePSK = 0; |
wolfSSL | 15:117db924cf7c | 7955 | WOLFSSL_ENTER("SSL_accept_TLSv13()"); |
wolfSSL | 15:117db924cf7c | 7956 | |
wolfSSL | 15:117db924cf7c | 7957 | #ifdef HAVE_ERRNO_H |
wolfSSL | 15:117db924cf7c | 7958 | errno = 0; |
wolfSSL | 15:117db924cf7c | 7959 | #endif |
wolfSSL | 15:117db924cf7c | 7960 | |
wolfSSL | 15:117db924cf7c | 7961 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 7962 | havePSK = ssl->options.havePSK; |
wolfSSL | 15:117db924cf7c | 7963 | #endif |
wolfSSL | 15:117db924cf7c | 7964 | (void)havePSK; |
wolfSSL | 15:117db924cf7c | 7965 | |
wolfSSL | 15:117db924cf7c | 7966 | if (ssl->options.side != WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 7967 | WOLFSSL_ERROR(ssl->error = SIDE_ERROR); |
wolfSSL | 15:117db924cf7c | 7968 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7969 | } |
wolfSSL | 15:117db924cf7c | 7970 | |
wolfSSL | 15:117db924cf7c | 7971 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 7972 | /* allow no private key if using PK callbacks and CB is set */ |
wolfSSL | 15:117db924cf7c | 7973 | if (!havePSK) { |
wolfSSL | 15:117db924cf7c | 7974 | if (!ssl->buffers.certificate || |
wolfSSL | 15:117db924cf7c | 7975 | !ssl->buffers.certificate->buffer) { |
wolfSSL | 15:117db924cf7c | 7976 | |
wolfSSL | 15:117db924cf7c | 7977 | WOLFSSL_MSG("accept error: server cert required"); |
wolfSSL | 15:117db924cf7c | 7978 | WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY); |
wolfSSL | 15:117db924cf7c | 7979 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7980 | } |
wolfSSL | 15:117db924cf7c | 7981 | |
wolfSSL | 15:117db924cf7c | 7982 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 7983 | if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) { |
wolfSSL | 15:117db924cf7c | 7984 | WOLFSSL_MSG("Using PK for server private key"); |
wolfSSL | 15:117db924cf7c | 7985 | } |
wolfSSL | 15:117db924cf7c | 7986 | else |
wolfSSL | 15:117db924cf7c | 7987 | #endif |
wolfSSL | 15:117db924cf7c | 7988 | if (!ssl->buffers.key || !ssl->buffers.key->buffer) { |
wolfSSL | 15:117db924cf7c | 7989 | WOLFSSL_MSG("accept error: server key required"); |
wolfSSL | 15:117db924cf7c | 7990 | WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY); |
wolfSSL | 15:117db924cf7c | 7991 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7992 | } |
wolfSSL | 15:117db924cf7c | 7993 | } |
wolfSSL | 15:117db924cf7c | 7994 | #endif |
wolfSSL | 15:117db924cf7c | 7995 | |
wolfSSL | 15:117db924cf7c | 7996 | if (ssl->buffers.outputBuffer.length > 0) { |
wolfSSL | 15:117db924cf7c | 7997 | if ((ssl->error = SendBuffered(ssl)) == 0) { |
wolfSSL | 15:117db924cf7c | 7998 | /* fragOffset is non-zero when sending fragments. On the last |
wolfSSL | 15:117db924cf7c | 7999 | * fragment, fragOffset is zero again, and the state can be |
wolfSSL | 15:117db924cf7c | 8000 | * advanced. */ |
wolfSSL | 15:117db924cf7c | 8001 | if (ssl->fragOffset == 0) { |
wolfSSL | 15:117db924cf7c | 8002 | ssl->options.acceptState++; |
wolfSSL | 15:117db924cf7c | 8003 | WOLFSSL_MSG("accept state: " |
wolfSSL | 15:117db924cf7c | 8004 | "Advanced from last buffered fragment send"); |
wolfSSL | 15:117db924cf7c | 8005 | } |
wolfSSL | 15:117db924cf7c | 8006 | else { |
wolfSSL | 15:117db924cf7c | 8007 | WOLFSSL_MSG("accept state: " |
wolfSSL | 15:117db924cf7c | 8008 | "Not advanced, more fragments to send"); |
wolfSSL | 15:117db924cf7c | 8009 | } |
wolfSSL | 15:117db924cf7c | 8010 | } |
wolfSSL | 15:117db924cf7c | 8011 | else { |
wolfSSL | 15:117db924cf7c | 8012 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8013 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8014 | } |
wolfSSL | 15:117db924cf7c | 8015 | } |
wolfSSL | 15:117db924cf7c | 8016 | |
wolfSSL | 15:117db924cf7c | 8017 | switch (ssl->options.acceptState) { |
wolfSSL | 15:117db924cf7c | 8018 | |
wolfSSL | 15:117db924cf7c | 8019 | case TLS13_ACCEPT_BEGIN : |
wolfSSL | 15:117db924cf7c | 8020 | /* get client_hello */ |
wolfSSL | 15:117db924cf7c | 8021 | while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 8022 | if ((ssl->error = ProcessReply(ssl)) < 0) { |
wolfSSL | 15:117db924cf7c | 8023 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8024 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8025 | } |
wolfSSL | 15:117db924cf7c | 8026 | } |
wolfSSL | 15:117db924cf7c | 8027 | |
wolfSSL | 15:117db924cf7c | 8028 | ssl->options.acceptState = TLS13_ACCEPT_CLIENT_HELLO_DONE; |
wolfSSL | 15:117db924cf7c | 8029 | WOLFSSL_MSG("accept state ACCEPT_CLIENT_HELLO_DONE"); |
wolfSSL | 15:117db924cf7c | 8030 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8031 | |
wolfSSL | 15:117db924cf7c | 8032 | case TLS13_ACCEPT_CLIENT_HELLO_DONE : |
wolfSSL | 15:117db924cf7c | 8033 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 8034 | if (ssl->options.serverState == |
wolfSSL | 15:117db924cf7c | 8035 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 8036 | if ((ssl->error = SendTls13HelloRetryRequest(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8037 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8038 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8039 | } |
wolfSSL | 15:117db924cf7c | 8040 | } |
wolfSSL | 15:117db924cf7c | 8041 | |
wolfSSL | 15:117db924cf7c | 8042 | ssl->options.acceptState = TLS13_ACCEPT_FIRST_REPLY_DONE; |
wolfSSL | 15:117db924cf7c | 8043 | WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE"); |
wolfSSL | 15:117db924cf7c | 8044 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8045 | |
wolfSSL | 15:117db924cf7c | 8046 | case TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE : |
wolfSSL | 15:117db924cf7c | 8047 | #else |
wolfSSL | 15:117db924cf7c | 8048 | if (ssl->options.serverState == |
wolfSSL | 15:117db924cf7c | 8049 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 8050 | if ((ssl->error = SendTls13ServerHello(ssl, |
wolfSSL | 15:117db924cf7c | 8051 | hello_retry_request)) != 0) { |
wolfSSL | 15:117db924cf7c | 8052 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8053 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8054 | } |
wolfSSL | 15:117db924cf7c | 8055 | } |
wolfSSL | 15:117db924cf7c | 8056 | |
wolfSSL | 15:117db924cf7c | 8057 | ssl->options.acceptState = TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE; |
wolfSSL | 15:117db924cf7c | 8058 | WOLFSSL_MSG("accept state ACCEPT_HELLO_RETRY_REQUEST_DONE"); |
wolfSSL | 15:117db924cf7c | 8059 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8060 | |
wolfSSL | 15:117db924cf7c | 8061 | case TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE : |
wolfSSL | 15:117db924cf7c | 8062 | #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT |
wolfSSL | 15:117db924cf7c | 8063 | if (ssl->options.serverState == |
wolfSSL | 15:117db924cf7c | 8064 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 8065 | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8066 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8067 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8068 | } |
wolfSSL | 15:117db924cf7c | 8069 | ssl->options.sentChangeCipher = 1; |
wolfSSL | 15:117db924cf7c | 8070 | } |
wolfSSL | 15:117db924cf7c | 8071 | #endif |
wolfSSL | 15:117db924cf7c | 8072 | ssl->options.acceptState = TLS13_ACCEPT_FIRST_REPLY_DONE; |
wolfSSL | 15:117db924cf7c | 8073 | WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE"); |
wolfSSL | 15:117db924cf7c | 8074 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8075 | #endif |
wolfSSL | 15:117db924cf7c | 8076 | |
wolfSSL | 15:117db924cf7c | 8077 | case TLS13_ACCEPT_FIRST_REPLY_DONE : |
wolfSSL | 15:117db924cf7c | 8078 | if (ssl->options.serverState == |
wolfSSL | 15:117db924cf7c | 8079 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 8080 | ssl->options.clientState = NULL_STATE; |
wolfSSL | 15:117db924cf7c | 8081 | while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 8082 | if ((ssl->error = ProcessReply(ssl)) < 0) { |
wolfSSL | 15:117db924cf7c | 8083 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8084 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8085 | } |
wolfSSL | 15:117db924cf7c | 8086 | } |
wolfSSL | 15:117db924cf7c | 8087 | } |
wolfSSL | 15:117db924cf7c | 8088 | |
wolfSSL | 15:117db924cf7c | 8089 | ssl->options.acceptState = TLS13_ACCEPT_SECOND_REPLY_DONE; |
wolfSSL | 15:117db924cf7c | 8090 | WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE"); |
wolfSSL | 15:117db924cf7c | 8091 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8092 | |
wolfSSL | 15:117db924cf7c | 8093 | case TLS13_ACCEPT_SECOND_REPLY_DONE : |
wolfSSL | 15:117db924cf7c | 8094 | if ((ssl->error = SendTls13ServerHello(ssl, server_hello)) != 0) { |
wolfSSL | 15:117db924cf7c | 8095 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8096 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8097 | } |
wolfSSL | 15:117db924cf7c | 8098 | ssl->options.acceptState = TLS13_SERVER_HELLO_SENT; |
wolfSSL | 15:117db924cf7c | 8099 | WOLFSSL_MSG("accept state SERVER_HELLO_SENT"); |
wolfSSL | 15:117db924cf7c | 8100 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8101 | |
wolfSSL | 15:117db924cf7c | 8102 | case TLS13_SERVER_HELLO_SENT : |
wolfSSL | 15:117db924cf7c | 8103 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && \ |
wolfSSL | 15:117db924cf7c | 8104 | defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) |
wolfSSL | 15:117db924cf7c | 8105 | if (!ssl->options.sentChangeCipher) { |
wolfSSL | 15:117db924cf7c | 8106 | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8107 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8108 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8109 | } |
wolfSSL | 15:117db924cf7c | 8110 | ssl->options.sentChangeCipher = 1; |
wolfSSL | 15:117db924cf7c | 8111 | } |
wolfSSL | 15:117db924cf7c | 8112 | #endif |
wolfSSL | 15:117db924cf7c | 8113 | |
wolfSSL | 15:117db924cf7c | 8114 | ssl->options.acceptState = TLS13_ACCEPT_THIRD_REPLY_DONE; |
wolfSSL | 15:117db924cf7c | 8115 | WOLFSSL_MSG("accept state ACCEPT_THIRD_REPLY_DONE"); |
wolfSSL | 15:117db924cf7c | 8116 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8117 | |
wolfSSL | 15:117db924cf7c | 8118 | case TLS13_ACCEPT_THIRD_REPLY_DONE : |
wolfSSL | 15:117db924cf7c | 8119 | if (!ssl->options.noPskDheKe) { |
wolfSSL | 15:117db924cf7c | 8120 | ssl->error = TLSX_KeyShare_DeriveSecret(ssl); |
wolfSSL | 15:117db924cf7c | 8121 | if (ssl->error != 0) |
wolfSSL | 15:117db924cf7c | 8122 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8123 | } |
wolfSSL | 15:117db924cf7c | 8124 | |
wolfSSL | 15:117db924cf7c | 8125 | if ((ssl->error = SendTls13EncryptedExtensions(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8126 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8127 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8128 | } |
wolfSSL | 15:117db924cf7c | 8129 | ssl->options.acceptState = TLS13_SERVER_EXTENSIONS_SENT; |
wolfSSL | 15:117db924cf7c | 8130 | WOLFSSL_MSG("accept state SERVER_EXTENSIONS_SENT"); |
wolfSSL | 15:117db924cf7c | 8131 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8132 | |
wolfSSL | 15:117db924cf7c | 8133 | case TLS13_SERVER_EXTENSIONS_SENT : |
wolfSSL | 15:117db924cf7c | 8134 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 8135 | if (!ssl->options.resuming) { |
wolfSSL | 15:117db924cf7c | 8136 | if (ssl->options.verifyPeer) { |
wolfSSL | 15:117db924cf7c | 8137 | ssl->error = SendTls13CertificateRequest(ssl, NULL, 0); |
wolfSSL | 15:117db924cf7c | 8138 | if (ssl->error != 0) { |
wolfSSL | 15:117db924cf7c | 8139 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8140 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8141 | } |
wolfSSL | 15:117db924cf7c | 8142 | } |
wolfSSL | 15:117db924cf7c | 8143 | } |
wolfSSL | 15:117db924cf7c | 8144 | #endif |
wolfSSL | 15:117db924cf7c | 8145 | ssl->options.acceptState = TLS13_CERT_REQ_SENT; |
wolfSSL | 15:117db924cf7c | 8146 | WOLFSSL_MSG("accept state CERT_REQ_SENT"); |
wolfSSL | 15:117db924cf7c | 8147 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8148 | |
wolfSSL | 15:117db924cf7c | 8149 | case TLS13_CERT_REQ_SENT : |
wolfSSL | 15:117db924cf7c | 8150 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 8151 | if (!ssl->options.resuming && ssl->options.sendVerify) { |
wolfSSL | 15:117db924cf7c | 8152 | if ((ssl->error = SendTls13Certificate(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8153 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8154 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8155 | } |
wolfSSL | 15:117db924cf7c | 8156 | } |
wolfSSL | 15:117db924cf7c | 8157 | #endif |
wolfSSL | 15:117db924cf7c | 8158 | ssl->options.acceptState = TLS13_CERT_SENT; |
wolfSSL | 15:117db924cf7c | 8159 | WOLFSSL_MSG("accept state CERT_SENT"); |
wolfSSL | 15:117db924cf7c | 8160 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8161 | |
wolfSSL | 15:117db924cf7c | 8162 | case TLS13_CERT_SENT : |
wolfSSL | 15:117db924cf7c | 8163 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 8164 | if (!ssl->options.resuming && ssl->options.sendVerify) { |
wolfSSL | 15:117db924cf7c | 8165 | if ((ssl->error = SendTls13CertificateVerify(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8166 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8167 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8168 | } |
wolfSSL | 15:117db924cf7c | 8169 | } |
wolfSSL | 15:117db924cf7c | 8170 | #endif |
wolfSSL | 15:117db924cf7c | 8171 | ssl->options.acceptState = TLS13_CERT_VERIFY_SENT; |
wolfSSL | 15:117db924cf7c | 8172 | WOLFSSL_MSG("accept state CERT_VERIFY_SENT"); |
wolfSSL | 15:117db924cf7c | 8173 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8174 | |
wolfSSL | 15:117db924cf7c | 8175 | case TLS13_CERT_VERIFY_SENT : |
wolfSSL | 15:117db924cf7c | 8176 | if ((ssl->error = SendTls13Finished(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8177 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8178 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8179 | } |
wolfSSL | 15:117db924cf7c | 8180 | |
wolfSSL | 15:117db924cf7c | 8181 | ssl->options.acceptState = TLS13_ACCEPT_FINISHED_SENT; |
wolfSSL | 15:117db924cf7c | 8182 | WOLFSSL_MSG("accept state ACCEPT_FINISHED_SENT"); |
wolfSSL | 15:117db924cf7c | 8183 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 8184 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 8185 | ssl->options.handShakeState = SERVER_FINISHED_COMPLETE; |
wolfSSL | 15:117db924cf7c | 8186 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 8187 | } |
wolfSSL | 15:117db924cf7c | 8188 | #endif |
wolfSSL | 15:117db924cf7c | 8189 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8190 | |
wolfSSL | 15:117db924cf7c | 8191 | case TLS13_ACCEPT_FINISHED_SENT : |
wolfSSL | 15:117db924cf7c | 8192 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 8193 | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED |
wolfSSL | 15:117db924cf7c | 8194 | if (!ssl->options.resuming && !ssl->options.verifyPeer && |
wolfSSL | 15:117db924cf7c | 8195 | !ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) { |
wolfSSL | 15:117db924cf7c | 8196 | if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8197 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8198 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8199 | } |
wolfSSL | 15:117db924cf7c | 8200 | } |
wolfSSL | 15:117db924cf7c | 8201 | #endif |
wolfSSL | 15:117db924cf7c | 8202 | #endif /* HAVE_SESSION_TICKET */ |
wolfSSL | 15:117db924cf7c | 8203 | ssl->options.acceptState = TLS13_PRE_TICKET_SENT; |
wolfSSL | 15:117db924cf7c | 8204 | WOLFSSL_MSG("accept state TICKET_SENT"); |
wolfSSL | 15:117db924cf7c | 8205 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8206 | |
wolfSSL | 15:117db924cf7c | 8207 | case TLS13_PRE_TICKET_SENT : |
wolfSSL | 15:117db924cf7c | 8208 | while (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) |
wolfSSL | 15:117db924cf7c | 8209 | if ( (ssl->error = ProcessReply(ssl)) < 0) { |
wolfSSL | 15:117db924cf7c | 8210 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8211 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8212 | } |
wolfSSL | 15:117db924cf7c | 8213 | |
wolfSSL | 15:117db924cf7c | 8214 | ssl->options.acceptState = TLS13_ACCEPT_FINISHED_DONE; |
wolfSSL | 15:117db924cf7c | 8215 | WOLFSSL_MSG("accept state ACCEPT_FINISHED_DONE"); |
wolfSSL | 15:117db924cf7c | 8216 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8217 | |
wolfSSL | 15:117db924cf7c | 8218 | case TLS13_ACCEPT_FINISHED_DONE : |
wolfSSL | 15:117db924cf7c | 8219 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 8220 | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED |
wolfSSL | 15:117db924cf7c | 8221 | if (!ssl->options.verifyPeer) { |
wolfSSL | 15:117db924cf7c | 8222 | } |
wolfSSL | 15:117db924cf7c | 8223 | else |
wolfSSL | 15:117db924cf7c | 8224 | #endif |
wolfSSL | 15:117db924cf7c | 8225 | if (!ssl->options.resuming && |
wolfSSL | 15:117db924cf7c | 8226 | !ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) { |
wolfSSL | 15:117db924cf7c | 8227 | if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8228 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8229 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8230 | } |
wolfSSL | 15:117db924cf7c | 8231 | } |
wolfSSL | 15:117db924cf7c | 8232 | #endif /* HAVE_SESSION_TICKET */ |
wolfSSL | 15:117db924cf7c | 8233 | ssl->options.acceptState = TLS13_TICKET_SENT; |
wolfSSL | 15:117db924cf7c | 8234 | WOLFSSL_MSG("accept state TICKET_SENT"); |
wolfSSL | 15:117db924cf7c | 8235 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8236 | |
wolfSSL | 15:117db924cf7c | 8237 | case TLS13_TICKET_SENT : |
wolfSSL | 15:117db924cf7c | 8238 | #ifndef NO_HANDSHAKE_DONE_CB |
wolfSSL | 15:117db924cf7c | 8239 | if (ssl->hsDoneCb) { |
wolfSSL | 15:117db924cf7c | 8240 | int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx); |
wolfSSL | 15:117db924cf7c | 8241 | if (cbret < 0) { |
wolfSSL | 15:117db924cf7c | 8242 | ssl->error = cbret; |
wolfSSL | 15:117db924cf7c | 8243 | WOLFSSL_MSG("HandShake Done Cb don't continue error"); |
wolfSSL | 15:117db924cf7c | 8244 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8245 | } |
wolfSSL | 15:117db924cf7c | 8246 | } |
wolfSSL | 15:117db924cf7c | 8247 | #endif /* NO_HANDSHAKE_DONE_CB */ |
wolfSSL | 15:117db924cf7c | 8248 | |
wolfSSL | 15:117db924cf7c | 8249 | WOLFSSL_LEAVE("SSL_accept()", WOLFSSL_SUCCESS); |
wolfSSL | 15:117db924cf7c | 8250 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 8251 | |
wolfSSL | 15:117db924cf7c | 8252 | default : |
wolfSSL | 15:117db924cf7c | 8253 | WOLFSSL_MSG("Unknown accept state ERROR"); |
wolfSSL | 15:117db924cf7c | 8254 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8255 | } |
wolfSSL | 15:117db924cf7c | 8256 | } |
wolfSSL | 15:117db924cf7c | 8257 | #endif |
wolfSSL | 15:117db924cf7c | 8258 | |
wolfSSL | 15:117db924cf7c | 8259 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 8260 | /* Sets the maximum amount of early data that can be seen by server when using |
wolfSSL | 15:117db924cf7c | 8261 | * session tickets for resumption. |
wolfSSL | 15:117db924cf7c | 8262 | * A value of zero indicates no early data is to be sent by client using session |
wolfSSL | 15:117db924cf7c | 8263 | * tickets. |
wolfSSL | 15:117db924cf7c | 8264 | * |
wolfSSL | 15:117db924cf7c | 8265 | * ctx The SSL/TLS CTX object. |
wolfSSL | 15:117db924cf7c | 8266 | * sz Maximum size of the early data. |
wolfSSL | 15:117db924cf7c | 8267 | * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and |
wolfSSL | 15:117db924cf7c | 8268 | * 0 on success. |
wolfSSL | 15:117db924cf7c | 8269 | */ |
wolfSSL | 15:117db924cf7c | 8270 | int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz) |
wolfSSL | 15:117db924cf7c | 8271 | { |
wolfSSL | 15:117db924cf7c | 8272 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
wolfSSL | 15:117db924cf7c | 8273 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8274 | if (ctx->method->side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 8275 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8276 | |
wolfSSL | 15:117db924cf7c | 8277 | ctx->maxEarlyDataSz = sz; |
wolfSSL | 15:117db924cf7c | 8278 | |
wolfSSL | 15:117db924cf7c | 8279 | return 0; |
wolfSSL | 15:117db924cf7c | 8280 | } |
wolfSSL | 15:117db924cf7c | 8281 | |
wolfSSL | 15:117db924cf7c | 8282 | /* Sets the maximum amount of early data that can be seen by server when using |
wolfSSL | 15:117db924cf7c | 8283 | * session tickets for resumption. |
wolfSSL | 15:117db924cf7c | 8284 | * A value of zero indicates no early data is to be sent by client using session |
wolfSSL | 15:117db924cf7c | 8285 | * tickets. |
wolfSSL | 15:117db924cf7c | 8286 | * |
wolfSSL | 15:117db924cf7c | 8287 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8288 | * sz Maximum size of the early data. |
wolfSSL | 15:117db924cf7c | 8289 | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3, |
wolfSSL | 15:117db924cf7c | 8290 | * SIDE_ERROR when not a server and 0 on success. |
wolfSSL | 15:117db924cf7c | 8291 | */ |
wolfSSL | 15:117db924cf7c | 8292 | int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz) |
wolfSSL | 15:117db924cf7c | 8293 | { |
wolfSSL | 15:117db924cf7c | 8294 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 8295 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8296 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 8297 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8298 | |
wolfSSL | 15:117db924cf7c | 8299 | ssl->options.maxEarlyDataSz = sz; |
wolfSSL | 15:117db924cf7c | 8300 | |
wolfSSL | 15:117db924cf7c | 8301 | return 0; |
wolfSSL | 15:117db924cf7c | 8302 | } |
wolfSSL | 15:117db924cf7c | 8303 | |
wolfSSL | 15:117db924cf7c | 8304 | /* Write early data to the server. |
wolfSSL | 15:117db924cf7c | 8305 | * |
wolfSSL | 15:117db924cf7c | 8306 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8307 | * data Early data to write |
wolfSSL | 15:117db924cf7c | 8308 | * sz The size of the eary data in bytes. |
wolfSSL | 15:117db924cf7c | 8309 | * outSz The number of early data bytes written. |
wolfSSL | 15:117db924cf7c | 8310 | * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative; |
wolfSSL | 15:117db924cf7c | 8311 | * or not using TLS v1.3. SIDE ERROR when not a server. Otherwise the number of |
wolfSSL | 15:117db924cf7c | 8312 | * early data bytes written. |
wolfSSL | 15:117db924cf7c | 8313 | */ |
wolfSSL | 15:117db924cf7c | 8314 | int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz) |
wolfSSL | 15:117db924cf7c | 8315 | { |
wolfSSL | 15:117db924cf7c | 8316 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 8317 | |
wolfSSL | 15:117db924cf7c | 8318 | WOLFSSL_ENTER("SSL_write_early_data()"); |
wolfSSL | 15:117db924cf7c | 8319 | |
wolfSSL | 15:117db924cf7c | 8320 | if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL) |
wolfSSL | 15:117db924cf7c | 8321 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8322 | if (!IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 8323 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8324 | |
wolfSSL | 15:117db924cf7c | 8325 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 8326 | if (ssl->options.side == WOLFSSL_SERVER_END) |
wolfSSL | 15:117db924cf7c | 8327 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8328 | |
wolfSSL | 15:117db924cf7c | 8329 | if (ssl->options.handShakeState == NULL_STATE) { |
wolfSSL | 15:117db924cf7c | 8330 | ssl->earlyData = expecting_early_data; |
wolfSSL | 15:117db924cf7c | 8331 | ret = wolfSSL_connect_TLSv13(ssl); |
wolfSSL | 15:117db924cf7c | 8332 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 8333 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8334 | } |
wolfSSL | 15:117db924cf7c | 8335 | if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 8336 | ret = SendData(ssl, data, sz); |
wolfSSL | 15:117db924cf7c | 8337 | if (ret > 0) |
wolfSSL | 15:117db924cf7c | 8338 | *outSz = ret; |
wolfSSL | 15:117db924cf7c | 8339 | } |
wolfSSL | 15:117db924cf7c | 8340 | #else |
wolfSSL | 15:117db924cf7c | 8341 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8342 | #endif |
wolfSSL | 15:117db924cf7c | 8343 | |
wolfSSL | 15:117db924cf7c | 8344 | WOLFSSL_LEAVE("SSL_write_early_data()", ret); |
wolfSSL | 15:117db924cf7c | 8345 | |
wolfSSL | 15:117db924cf7c | 8346 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 8347 | ret = WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8348 | return ret; |
wolfSSL | 15:117db924cf7c | 8349 | } |
wolfSSL | 15:117db924cf7c | 8350 | |
wolfSSL | 15:117db924cf7c | 8351 | /* Read the any early data from the client. |
wolfSSL | 15:117db924cf7c | 8352 | * |
wolfSSL | 15:117db924cf7c | 8353 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8354 | * data Buffer to put the early data into. |
wolfSSL | 15:117db924cf7c | 8355 | * sz The size of the buffer in bytes. |
wolfSSL | 15:117db924cf7c | 8356 | * outSz The number of early data bytes read. |
wolfSSL | 15:117db924cf7c | 8357 | * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative; |
wolfSSL | 15:117db924cf7c | 8358 | * or not using TLS v1.3. SIDE ERROR when not a server. Otherwise the number of |
wolfSSL | 15:117db924cf7c | 8359 | * early data bytes read. |
wolfSSL | 15:117db924cf7c | 8360 | */ |
wolfSSL | 15:117db924cf7c | 8361 | int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz) |
wolfSSL | 15:117db924cf7c | 8362 | { |
wolfSSL | 15:117db924cf7c | 8363 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 8364 | |
wolfSSL | 15:117db924cf7c | 8365 | WOLFSSL_ENTER("wolfSSL_read_early_data()"); |
wolfSSL | 15:117db924cf7c | 8366 | |
wolfSSL | 15:117db924cf7c | 8367 | |
wolfSSL | 15:117db924cf7c | 8368 | if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL) |
wolfSSL | 15:117db924cf7c | 8369 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8370 | if (!IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 8371 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8372 | |
wolfSSL | 15:117db924cf7c | 8373 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 8374 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 8375 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8376 | |
wolfSSL | 15:117db924cf7c | 8377 | if (ssl->options.handShakeState == NULL_STATE) { |
wolfSSL | 15:117db924cf7c | 8378 | ssl->earlyData = expecting_early_data; |
wolfSSL | 15:117db924cf7c | 8379 | ret = wolfSSL_accept_TLSv13(ssl); |
wolfSSL | 15:117db924cf7c | 8380 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 8381 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8382 | } |
wolfSSL | 15:117db924cf7c | 8383 | if (ssl->options.handShakeState == SERVER_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 8384 | ret = ReceiveData(ssl, (byte*)data, sz, FALSE); |
wolfSSL | 15:117db924cf7c | 8385 | if (ret > 0) |
wolfSSL | 15:117db924cf7c | 8386 | *outSz = ret; |
wolfSSL | 15:117db924cf7c | 8387 | if (ssl->error == ZERO_RETURN) |
wolfSSL | 15:117db924cf7c | 8388 | ssl->error = WOLFSSL_ERROR_NONE; |
wolfSSL | 15:117db924cf7c | 8389 | } |
wolfSSL | 15:117db924cf7c | 8390 | else |
wolfSSL | 15:117db924cf7c | 8391 | ret = 0; |
wolfSSL | 15:117db924cf7c | 8392 | #else |
wolfSSL | 15:117db924cf7c | 8393 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8394 | #endif |
wolfSSL | 15:117db924cf7c | 8395 | |
wolfSSL | 15:117db924cf7c | 8396 | WOLFSSL_LEAVE("wolfSSL_read_early_data()", ret); |
wolfSSL | 15:117db924cf7c | 8397 | |
wolfSSL | 15:117db924cf7c | 8398 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 8399 | ret = WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8400 | return ret; |
wolfSSL | 15:117db924cf7c | 8401 | } |
wolfSSL | 15:117db924cf7c | 8402 | #endif |
wolfSSL | 15:117db924cf7c | 8403 | |
wolfSSL | 15:117db924cf7c | 8404 | #undef ERROR_OUT |
wolfSSL | 15:117db924cf7c | 8405 | |
wolfSSL | 15:117db924cf7c | 8406 | #endif /* !WOLFCRYPT_ONLY */ |
wolfSSL | 15:117db924cf7c | 8407 | |
wolfSSL | 15:117db924cf7c | 8408 | #endif /* WOLFSSL_TLS13 */ |
wolfSSL | 15:117db924cf7c | 8409 |