wolfSSL SSL/TLS library, support up to TLS1.3


Committer:
wolfSSL
Date:
Sat Aug 18 22:20:43 2018 +0000
Revision:
15:117db924cf7c
Child:
16:8e0d178b1d1e
wolfSSL 3.15.3

wolfSSL 15:117db924cf7c 1 /* tls13.c
wolfSSL 15:117db924cf7c 2 *
wolfSSL 15:117db924cf7c 3 * Copyright (C) 2006-2017 wolfSSL Inc.
wolfSSL 15:117db924cf7c 4 *
wolfSSL 15:117db924cf7c 5 * This file is part of wolfSSL.
wolfSSL 15:117db924cf7c 6 *
wolfSSL 15:117db924cf7c 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 15:117db924cf7c 8 * it under the terms of the GNU General Public License as published by
wolfSSL 15:117db924cf7c 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 15:117db924cf7c 10 * (at your option) any later version.
wolfSSL 15:117db924cf7c 11 *
wolfSSL 15:117db924cf7c 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 15:117db924cf7c 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 15:117db924cf7c 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 15:117db924cf7c 15 * GNU General Public License for more details.
wolfSSL 15:117db924cf7c 16 *
wolfSSL 15:117db924cf7c 17 * You should have received a copy of the GNU General Public License
wolfSSL 15:117db924cf7c 18 * along with this program; if not, write to the Free Software
wolfSSL 15:117db924cf7c 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 15:117db924cf7c 20 */
wolfSSL 15:117db924cf7c 21
wolfSSL 15:117db924cf7c 22
wolfSSL 15:117db924cf7c 23 /*
wolfSSL 15:117db924cf7c 24 * BUILD_GCM
wolfSSL 15:117db924cf7c 25 * Enables AES-GCM ciphersuites.
wolfSSL 15:117db924cf7c 26 * HAVE_AESCCM
wolfSSL 15:117db924cf7c 27 * Enables AES-CCM ciphersuites.
wolfSSL 15:117db924cf7c 28 * HAVE_SESSION_TICKET
wolfSSL 15:117db924cf7c 29 * Enables session tickets - required for TLS 1.3 resumption.
wolfSSL 15:117db924cf7c 30 * NO_PSK
wolfSSL 15:117db924cf7c 31 * Do not enable Pre-Shared Keys.
wolfSSL 15:117db924cf7c 32 * TLS13_SUPPORTS_EXPORTERS
wolfSSL 15:117db924cf7c 33 * Guard to compile out any code for exporter keys.
wolfSSL 15:117db924cf7c 34 * Feature not supported yet.
wolfSSL 15:117db924cf7c 35 * WOLFSSL_ASYNC_CRYPT
wolfSSL 15:117db924cf7c 36 * Enables the use of asynchronous cryptographic operations.
wolfSSL 15:117db924cf7c 37 * This is available for ciphers and certificates.
wolfSSL 15:117db924cf7c 38 * HAVE_CHACHA && HAVE_POLY1305
wolfSSL 15:117db924cf7c 39 * Enables use of CHACHA20-POLY1305 ciphersuites.
wolfSSL 15:117db924cf7c 40 * WOLFSSL_DEBUG_TLS
wolfSSL 15:117db924cf7c 41 * Writes out details of TLS 1.3 protocol including handshake message buffers
wolfSSL 15:117db924cf7c 42 * and key generation input and output. The output includes key material, so keep this option off in production builds.
wolfSSL 15:117db924cf7c 43 * WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 44 * Allow 0-RTT Handshake using Early Data extensions and handshake message
wolfSSL 15:117db924cf7c 45 * WOLFSSL_NO_SERVER_GROUPS_EXT
wolfSSL 15:117db924cf7c 46 * Do not send the server's groups in an extension when the server's top
wolfSSL 15:117db924cf7c 47 * preference is not in client's list.
wolfSSL 15:117db924cf7c 48 * WOLFSSL_POST_HANDSHAKE_AUTH
wolfSSL 15:117db924cf7c 49 * Allow TLS v1.3 code to perform post-handshake authentication of the
wolfSSL 15:117db924cf7c 50 * client.
wolfSSL 15:117db924cf7c 51 * WOLFSSL_SEND_HRR_COOKIE
wolfSSL 15:117db924cf7c 52 * Send a cookie in hello_retry_request message to enable stateless tracking
wolfSSL 15:117db924cf7c 53 * of ClientHello replies.
wolfSSL 15:117db924cf7c 54 * WOLFSSL_TLS13
wolfSSL 15:117db924cf7c 55 * Enable TLS 1.3 protocol implementation.
wolfSSL 15:117db924cf7c 56 * WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 57 * Conform with Draft 18 of the TLS v1.3 specification.
wolfSSL 15:117db924cf7c 58 * WOLFSSL_TLS13_DRAFT_22
wolfSSL 15:117db924cf7c 59 * Conform with Draft 22 of the TLS v1.3 specification.
wolfSSL 15:117db924cf7c 60 * WOLFSSL_TLS13_DRAFT_23
wolfSSL 15:117db924cf7c 61 * Conform with Draft 23 of the TLS v1.3 specification.
wolfSSL 15:117db924cf7c 62 * WOLFSSL_TLS13_MIDDLEBOX_COMPAT
wolfSSL 15:117db924cf7c 63 * Enable middlebox compatibility in the TLS 1.3 handshake.
wolfSSL 15:117db924cf7c 64 * This includes sending ChangeCipherSpec before encrypted messages and
wolfSSL 15:117db924cf7c 65 * including a session id.
wolfSSL 15:117db924cf7c 66 * WOLFSSL_TLS13_SHA512
wolfSSL 15:117db924cf7c 67 * Allow generation of SHA-512 digests in handshake - no ciphersuite
wolfSSL 15:117db924cf7c 68 * requires SHA-512 at this time.
wolfSSL 15:117db924cf7c 69 * WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
wolfSSL 15:117db924cf7c 70 * Allow a NewSessionTicket message to be sent by server before Client's
wolfSSL 15:117db924cf7c 71 * Finished message.
wolfSSL 15:117db924cf7c 72 * See TLS v1.3 specification, Section 4.6.1, Paragraph 4 (Note).
wolfSSL 15:117db924cf7c 73 */
wolfSSL 15:117db924cf7c 74
wolfSSL 15:117db924cf7c 75 #ifdef HAVE_CONFIG_H
wolfSSL 15:117db924cf7c 76 #include <config.h>
wolfSSL 15:117db924cf7c 77 #endif
wolfSSL 15:117db924cf7c 78
wolfSSL 15:117db924cf7c 79 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 15:117db924cf7c 80
wolfSSL 15:117db924cf7c 81 #ifdef WOLFSSL_TLS13
wolfSSL 15:117db924cf7c 82 #ifdef HAVE_SESSION_TICKET
wolfSSL 15:117db924cf7c 83 #include <wolfssl/wolfcrypt/wc_port.h>
wolfSSL 15:117db924cf7c 84 #endif
wolfSSL 15:117db924cf7c 85
wolfSSL 15:117db924cf7c 86 #ifndef WOLFCRYPT_ONLY
wolfSSL 15:117db924cf7c 87
wolfSSL 15:117db924cf7c 88 #ifdef HAVE_ERRNO_H
wolfSSL 15:117db924cf7c 89 #include <errno.h>
wolfSSL 15:117db924cf7c 90 #endif
wolfSSL 15:117db924cf7c 91
wolfSSL 15:117db924cf7c 92 #include <wolfssl/internal.h>
wolfSSL 15:117db924cf7c 93 #include <wolfssl/error-ssl.h>
wolfSSL 15:117db924cf7c 94 #include <wolfssl/wolfcrypt/asn.h>
wolfSSL 15:117db924cf7c 95 #include <wolfssl/wolfcrypt/dh.h>
wolfSSL 15:117db924cf7c 96 #ifdef NO_INLINE
wolfSSL 15:117db924cf7c 97 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 15:117db924cf7c 98 #else
wolfSSL 15:117db924cf7c 99 #define WOLFSSL_MISC_INCLUDED
wolfSSL 15:117db924cf7c 100 #include <wolfcrypt/src/misc.c>
wolfSSL 15:117db924cf7c 101 #endif
wolfSSL 15:117db924cf7c 102
wolfSSL 15:117db924cf7c 103 #ifdef HAVE_NTRU
wolfSSL 15:117db924cf7c 104 #include "libntruencrypt/ntru_crypto.h"
wolfSSL 15:117db924cf7c 105 #endif
wolfSSL 15:117db924cf7c 106
wolfSSL 15:117db924cf7c 107 #if defined(DEBUG_WOLFSSL) || defined(WOLFSSL_DEBUG) || \
wolfSSL 15:117db924cf7c 108 defined(CHACHA_AEAD_TEST) || defined(WOLFSSL_SESSION_EXPORT_DEBUG)
wolfSSL 15:117db924cf7c 109 #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
wolfSSL 15:117db924cf7c 110 #if MQX_USE_IO_OLD
wolfSSL 15:117db924cf7c 111 #include <fio.h>
wolfSSL 15:117db924cf7c 112 #else
wolfSSL 15:117db924cf7c 113 #include <nio.h>
wolfSSL 15:117db924cf7c 114 #endif
wolfSSL 15:117db924cf7c 115 #else
wolfSSL 15:117db924cf7c 116 #include <stdio.h>
wolfSSL 15:117db924cf7c 117 #endif
wolfSSL 15:117db924cf7c 118 #endif
wolfSSL 15:117db924cf7c 119
wolfSSL 15:117db924cf7c 120 #ifdef __sun
wolfSSL 15:117db924cf7c 121 #include <sys/filio.h>
wolfSSL 15:117db924cf7c 122 #endif
wolfSSL 15:117db924cf7c 123
wolfSSL 15:117db924cf7c 124 #ifndef TRUE
wolfSSL 15:117db924cf7c 125 #define TRUE 1
wolfSSL 15:117db924cf7c 126 #endif
wolfSSL 15:117db924cf7c 127 #ifndef FALSE
wolfSSL 15:117db924cf7c 128 #define FALSE 0
wolfSSL 15:117db924cf7c 129 #endif
wolfSSL 15:117db924cf7c 130
wolfSSL 15:117db924cf7c 131 #ifndef HAVE_HKDF
wolfSSL 15:117db924cf7c 132 #error The build option HAVE_HKDF is required for TLS 1.3
wolfSSL 15:117db924cf7c 133 #endif
wolfSSL 15:117db924cf7c 134
wolfSSL 15:117db924cf7c 135
/* Set ret to error value and jump to label.
 *
 * Expands to a brace-enclosed block that assigns to a variable named ret and
 * then executes goto, so a variable called ret and the label eLabel must both
 * be visible where the macro is used.
 * NOTE(review): the expansion is a bare { } block, not do { } while (0), so
 * "if (c) ERROR_OUT(e, l); else ..." would not compile - confirm that callers
 * brace such uses before changing the macro's shape.
 *
 * err     The error value to set.
 * eLabel  The label to jump to.
 */
#define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
wolfSSL 15:117db924cf7c 142
wolfSSL 15:117db924cf7c 143
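/* Extract data using HMAC, salt and input.
 * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
 *
 * An ikmLen of 0 means "no input keying material": ikm is then overwritten
 * with a digest-length run of zero bytes and that is fed to the extract step.
 * ikm must therefore be writable and at least one digest long even when
 * ikmLen is 0.
 *
 * When WOLFSSL_DEBUG_TLS is defined the salt, IKM and PRK are written to the
 * log; these are secret values, so that option belongs in test builds only.
 *
 * prk      The generated pseudorandom key (the debug dump reads one digest
 *          length from it).
 * salt     The salt.
 * saltLen  The length of the salt.
 * ikm      The input keying material.
 * ikmLen   The length of the input keying material.
 * mac      The type of digest to use.
 * returns 0 on success, BAD_FUNC_ARG when mac is not a digest enabled in this
 * build, otherwise the failure reported by wc_HKDF_Extract.
 */
static int Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen,
                              byte* ikm, int ikmLen, int mac)
{
    int ret;
    int hash = 0;
    int len = 0;

    switch (mac) {
    #ifndef NO_SHA256
        case sha256_mac:
            hash = WC_SHA256;
            len = WC_SHA256_DIGEST_SIZE;
            break;
    #endif

    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            hash = WC_SHA384;
            len = WC_SHA384_DIGEST_SIZE;
            break;
    #endif

    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hash = WC_SHA512;
            len = WC_SHA512_DIGEST_SIZE;
            break;
    #endif

        default:
            /* Unknown or compiled-out digest. Without this case the function
             * carried on with hash == 0 and len == 0, i.e. it ran the KDF
             * with an unselected digest and a zero-length IKM. */
            return BAD_FUNC_ARG;
    }

    /* When length is 0 then use zeroed data of digest length. */
    if (ikmLen == 0) {
        ikmLen = len;
        XMEMSET(ikm, 0, len);
    }

#ifdef WOLFSSL_DEBUG_TLS
    /* Secret material is logged here - debug builds only. */
    WOLFSSL_MSG(" Salt");
    WOLFSSL_BUFFER(salt, saltLen);
    WOLFSSL_MSG(" IKM");
    WOLFSSL_BUFFER(ikm, ikmLen);
#endif

    ret = wc_HKDF_Extract(hash, salt, saltLen, ikm, ikmLen, prk);

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG(" PRK");
    WOLFSSL_BUFFER(prk, len);
#endif

    return ret;
}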
wolfSSL 15:117db924cf7c 207
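/* Expand data using HMAC, salt and label and info.
 * TLS v1.3 defines this function.
 *
 * The expand input is assembled in a fixed-size stack buffer laid out as:
 *   okmLen (2 bytes) | len(protocol|label) (1 byte) | protocol | label |
 *   infoLen (1 byte) | info
 * The lengths are validated before anything is copied, and the buffer is
 * wiped with ForceZero before returning.
 *
 * When WOLFSSL_DEBUG_TLS is defined the PRK and OKM are written to the log;
 * these are secret values, so that option belongs in test builds only.
 *
 * okm          The generated pseudorandom key - output key material.
 * okmLen       The length of generated pseudorandom key - output key material.
 * prk          The salt - pseudo-random key.
 * prkLen       The length of the salt - pseudo-random key.
 * protocol     The TLS protocol label.
 * protocolLen  The length of the TLS protocol label.
 * label        The label used to distinguish the context.
 * labelLen     The length of the label.
 * info         The information to expand.
 * infoLen      The length of the information.
 * digest       The type of digest to use.
 * returns 0 on success, BUFFER_E when the label data does not fit the
 * internal buffer, BAD_FUNC_ARG when a length does not fit its one-byte
 * field, otherwise the failure reported by wc_HKDF_Expand.
 */
static int HKDF_Expand_Label(byte* okm, word32 okmLen,
                             const byte* prk, word32 prkLen,
                             const byte* protocol, word32 protocolLen,
                             const byte* label, word32 labelLen,
                             const byte* info, word32 infoLen,
                             int digest)
{
    int    ret = 0;
    word32 idx = 0;
    /* Room left for protocol, label and info after the four fixed bytes.
     * NOTE(review): assumes MAX_HKDF_LABEL_SZ >= 4 - confirm in internal.h. */
    const word32 room = (word32)MAX_HKDF_LABEL_SZ - 4;
    byte   data[MAX_HKDF_LABEL_SZ];

    /* Reject inputs that would overrun data[]. Each comparison only runs
     * once the previous one has passed, so no subtraction can wrap. */
    if (protocolLen > room ||
        labelLen > room - protocolLen ||
        infoLen > room - protocolLen - labelLen) {
        return BUFFER_E;
    }
    /* Both lengths are encoded in a single byte below; a larger value would
     * be silently truncated and yield a label that does not match the input. */
    if (protocolLen + labelLen > 0xFF || infoLen > 0xFF)
        return BAD_FUNC_ARG;

    /* Output length. */
    data[idx++] = (byte)(okmLen >> 8);
    data[idx++] = (byte)okmLen;
    /* Length of protocol | label. */
    data[idx++] = (byte)(protocolLen + labelLen);
    /* Protocol */
    XMEMCPY(&data[idx], protocol, protocolLen);
    idx += protocolLen;
    /* Label */
    XMEMCPY(&data[idx], label, labelLen);
    idx += labelLen;
    /* Length of hash of messages */
    data[idx++] = (byte)infoLen;
    /* Hash of messages */
    XMEMCPY(&data[idx], info, infoLen);
    idx += infoLen;

#ifdef WOLFSSL_DEBUG_TLS
    /* Secret material is logged here - debug builds only. */
    WOLFSSL_MSG(" PRK");
    WOLFSSL_BUFFER(prk, prkLen);
    WOLFSSL_MSG(" Info");
    WOLFSSL_BUFFER(data, idx);
#endif

    ret = wc_HKDF_Expand(digest, prk, prkLen, data, idx, okm, okmLen);

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG(" OKM");
    WOLFSSL_BUFFER(okm, okmLen);
#endif

    /* Do not leave the assembled label data on the stack. */
    ForceZero(data, idx);

    return ret;
}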
wolfSSL 15:117db924cf7c 268
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Size of the TLS v1.3 protocol label used when deriving keys
 * (excludes the terminating NUL of the string literal). */
#define TLS13_PROTOCOL_LABEL_SZ 9
/* The protocol label for TLS v1.3 (Draft 18 build).
 * The array is one byte larger than the label so the literal's NUL fits. */
static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "TLS 1.3, ";
#else
/* Size of the TLS v1.3 protocol label used when deriving keys
 * (excludes the terminating NUL of the string literal). */
#define TLS13_PROTOCOL_LABEL_SZ 6
/* The protocol label for TLS v1.3 (builds other than Draft 18).
 * The array is one byte larger than the label so the literal's NUL fits. */
static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "tls13 ";
#endif
wolfSSL 15:117db924cf7c 280
#if !defined(WOLFSSL_TLS13_DRAFT_18) || defined(HAVE_SESSION_TICKET) || \
    !defined(NO_PSK)
/* Derive a key from a message.
 *
 * The message is hashed with the digest selected by hashAlgo and that hash is
 * used as the context for HKDF_Expand_Label. The secret is taken to be one
 * digest long, and an outputLen of -1 requests one digest of output.
 *
 * NOTE(review): the SHA-256 case here is guarded by NO_WOLFSSL_SHA256 while
 * Tls13_HKDF_Extract and DeriveKey use NO_SHA256 - confirm which is intended.
 *
 * ssl        The SSL/TLS object.
 * output     The buffer to hold the derived key.
 * outputLen  The length of the derived key, or -1 for the digest size.
 * secret     The secret used to derive the key (HMAC secret).
 * label      The label used to distinguish the context.
 * labelLen   The length of the label.
 * msg        The message data to derive key from.
 * msgLen     The length of the message data to derive key from.
 * hashAlgo   The hash algorithm to use in the HMAC.
 * returns 0 on success, HASH_TYPE_E when hashAlgo is not supported,
 * VERSION_ERROR when the negotiated version is not TLS v1.3, otherwise
 * failure.
 */
static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen,
                        const byte* secret, const byte* label, word32 labelLen,
                        byte* msg, int msgLen, int hashAlgo)
{
    int    ret = BAD_FUNC_ARG;
    int    hkdfDigest = -1;
    word32 digestSz = 0;
    byte   msgHash[WC_MAX_DIGEST_SIZE];
    Digest hasher;

    /* Hash the message; hkdfDigest stays negative for unsupported types. */
    switch (hashAlgo) {
    #ifndef NO_WOLFSSL_SHA256
        case sha256_mac:
            hkdfDigest = WC_SHA256;
            digestSz = WC_SHA256_DIGEST_SIZE;
            ret = wc_InitSha256_ex(&hasher.sha256, ssl->heap, INVALID_DEVID);
            if (ret != 0)
                break;
            ret = wc_Sha256Update(&hasher.sha256, msg, msgLen);
            if (ret == 0)
                ret = wc_Sha256Final(&hasher.sha256, msgHash);
            wc_Sha256Free(&hasher.sha256);
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            hkdfDigest = WC_SHA384;
            digestSz = WC_SHA384_DIGEST_SIZE;
            ret = wc_InitSha384_ex(&hasher.sha384, ssl->heap, INVALID_DEVID);
            if (ret != 0)
                break;
            ret = wc_Sha384Update(&hasher.sha384, msg, msgLen);
            if (ret == 0)
                ret = wc_Sha384Final(&hasher.sha384, msgHash);
            wc_Sha384Free(&hasher.sha384);
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hkdfDigest = WC_SHA512;
            digestSz = WC_SHA512_DIGEST_SIZE;
            ret = wc_InitSha512_ex(&hasher.sha512, ssl->heap, INVALID_DEVID);
            if (ret != 0)
                break;
            ret = wc_Sha512Update(&hasher.sha512, msg, msgLen);
            if (ret == 0)
                ret = wc_Sha512Final(&hasher.sha512, msgHash);
            wc_Sha512Free(&hasher.sha512);
            break;
    #endif
        default:
            break;
    }

    /* The unsupported-digest check comes before the hashing result. */
    if (hkdfDigest < 0)
        return HASH_TYPE_E;
    if (ret != 0)
        return ret;

    /* Only the TLS v1.3 protocol label is defined. */
    if (ssl->version.minor != TLSv1_3_MINOR)
        return VERSION_ERROR;

    if (outputLen == -1)
        outputLen = digestSz;

    return HKDF_Expand_Label(output, outputLen, secret, digestSz,
                             tls13ProtocolLabel, TLS13_PROTOCOL_LABEL_SZ,
                             label, labelLen,
                             msgHash, digestSz, hkdfDigest);
}
#endif
wolfSSL 15:117db924cf7c 376
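/* Derive a key.
 *
 * Calls HKDF_Expand_Label with the TLS v1.3 protocol label. When includeMsgs
 * is set the context is the running handshake hash for hashAlgo; otherwise
 * the context is empty (length 0). The secret is taken to be one digest
 * long, and an outputLen of -1 requests one digest of output.
 *
 * ssl          The SSL/TLS object.
 * output       The buffer to hold the derived key.
 * outputLen    The length of the derived key, or -1 for the digest size.
 * secret       The secret used to derive the key (HMAC secret).
 * label        The label used to distinguish the context.
 * labelLen     The length of the label.
 * hashAlgo     The hash algorithm to use in the HMAC.
 * includeMsgs  Whether to include a hash of the handshake messages so far.
 * returns 0 on success, HASH_TYPE_E when hashAlgo is not a digest enabled in
 * this build, otherwise failure.
 */
static int DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,
                     const byte* secret, const byte* label, word32 labelLen,
                     int hashAlgo, int includeMsgs)
{
    int         ret = 0;
    byte        hash[WC_MAX_DIGEST_SIZE];
    word32      hashSz = 0;
    word32      hashOutSz = 0;
    const byte* protocol;
    word32      protocolLen;
    int         digestAlg = 0;

    switch (hashAlgo) {
    #ifndef NO_SHA256
        case sha256_mac:
            hashSz = WC_SHA256_DIGEST_SIZE;
            digestAlg = WC_SHA256;
            if (includeMsgs)
                ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            break;
    #endif

    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashSz = WC_SHA384_DIGEST_SIZE;
            digestAlg = WC_SHA384;
            if (includeMsgs)
                ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            break;
    #endif

    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hashSz = WC_SHA512_DIGEST_SIZE;
            digestAlg = WC_SHA512;
            if (includeMsgs)
                ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            break;
    #endif

        default:
            /* Same result as DeriveKeyMsg for an unsupported digest. Without
             * this case the expand step ran with digestAlg == 0, a
             * zero-length secret and, with includeMsgs set, an
             * uninitialised hash buffer of length 0. */
            return HASH_TYPE_E;
    }
    if (ret != 0)
        return ret;

    /* Only one protocol version defined at this time. */
    protocol = tls13ProtocolLabel;
    protocolLen = TLS13_PROTOCOL_LABEL_SZ;

    if (outputLen == -1)
        outputLen = hashSz;
    /* hash is only filled in when includeMsgs is set; otherwise it is passed
     * with a length of 0 and its contents are not read. */
    if (includeMsgs)
        hashOutSz = hashSz;

    return HKDF_Expand_Label(output, outputLen, secret, hashSz,
                             protocol, protocolLen, label, labelLen,
                             hash, hashOutSz, digestAlg);
}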
wolfSSL 15:117db924cf7c 445
wolfSSL 15:117db924cf7c 446
#ifndef NO_PSK
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Length of the binder key label, excluding the literal's NUL. */
#define BINDER_KEY_LABEL_SZ 23
/* Label mixed into the derivation of the external PSK binder key. */
static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =
    "external psk binder key";
#else
/* Length of the binder key label, excluding the literal's NUL. */
#define BINDER_KEY_LABEL_SZ 10
/* Label mixed into the derivation of the external PSK binder key. */
static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =
    "ext binder";
#endif
/* Derive the binder key.
 *
 * Runs DeriveKeyMsg over an empty message (NULL, length 0) with the secret in
 * ssl->arrays->secret and the cipher suite's MAC algorithm. The output length
 * is passed as -1, which DeriveKeyMsg replaces with the digest size, so key
 * must have room for one digest.
 *
 * ssl  The SSL/TLS object.
 * key  The derived key.
 * returns 0 on success, otherwise failure.
 */
static int DeriveBinderKey(WOLFSSL* ssl, byte* key)
{
    const byte* secret;
    int         macAlgo;

    WOLFSSL_MSG("Derive Binder Key");

    secret  = ssl->arrays->secret;
    macAlgo = ssl->specs.mac_algorithm;

    return DeriveKeyMsg(ssl, key, -1, secret,
                        binderKeyLabel, BINDER_KEY_LABEL_SZ,
                        NULL, 0, macAlgo);
}
#endif /* !NO_PSK */
wolfSSL 15:117db924cf7c 475
#ifdef HAVE_SESSION_TICKET
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Length of the binder key resume label, excluding the literal's NUL. */
#define BINDER_KEY_RESUME_LABEL_SZ 25
/* Label mixed into the derivation of the resumption PSK binder key. */
static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =
    "resumption psk binder key";
#else
/* Length of the binder key resume label, excluding the literal's NUL. */
#define BINDER_KEY_RESUME_LABEL_SZ 10
/* Label mixed into the derivation of the resumption PSK binder key. */
static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =
    "res binder";
#endif
/* Derive the binder resumption key.
 *
 * Runs DeriveKeyMsg over an empty message (NULL, length 0) with the secret in
 * ssl->arrays->secret and the cipher suite's MAC algorithm. The output length
 * is passed as -1, which DeriveKeyMsg replaces with the digest size, so key
 * must have room for one digest.
 *
 * ssl  The SSL/TLS object.
 * key  The derived key.
 * returns 0 on success, otherwise failure.
 */
static int DeriveBinderKeyResume(WOLFSSL* ssl, byte* key)
{
    const byte* secret;
    int         macAlgo;

    WOLFSSL_MSG("Derive Binder Key - Resumption");

    secret  = ssl->arrays->secret;
    macAlgo = ssl->specs.mac_algorithm;

    return DeriveKeyMsg(ssl, key, -1, secret,
                        binderKeyResumeLabel, BINDER_KEY_RESUME_LABEL_SZ,
                        NULL, 0, macAlgo);
}
#endif /* HAVE_SESSION_TICKET */
wolfSSL 15:117db924cf7c 504
#ifdef WOLFSSL_EARLY_DATA
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Length of the early traffic label, excluding the literal's NUL. */
#define EARLY_TRAFFIC_LABEL_SZ 27
/* Label mixed into the derivation of the client early traffic secret. */
static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =
    "client early traffic secret";
#else
/* Length of the early traffic label, excluding the literal's NUL. */
#define EARLY_TRAFFIC_LABEL_SZ 11
/* Label mixed into the derivation of the client early traffic secret. */
static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =
    "c e traffic";
#endif
/* Derive the early traffic key.
 *
 * Runs DeriveKey with the secret in ssl->arrays->secret, the cipher suite's
 * MAC algorithm and the handshake message hash included. The output length is
 * passed as -1, which DeriveKey replaces with the digest size, so key must
 * have room for one digest.
 *
 * ssl  The SSL/TLS object.
 * key  The derived key.
 * returns 0 on success, otherwise failure.
 */
static int DeriveEarlyTrafficSecret(WOLFSSL* ssl, byte* key)
{
    const byte* secret;
    int         macAlgo;

    WOLFSSL_MSG("Derive Early Traffic Secret");

    secret  = ssl->arrays->secret;
    macAlgo = ssl->specs.mac_algorithm;

    return DeriveKey(ssl, key, -1, secret,
                     earlyTrafficLabel, EARLY_TRAFFIC_LABEL_SZ,
                     macAlgo, 1);
}

#ifdef TLS13_SUPPORTS_EXPORTERS
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Length of the early exporter label, excluding the literal's NUL. */
#define EARLY_EXPORTER_LABEL_SZ 28
/* Label mixed into the derivation of the early exporter secret. */
static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] =
    "early exporter master secret";
#else
/* Length of the early exporter label, excluding the literal's NUL. */
#define EARLY_EXPORTER_LABEL_SZ 12
/* Label mixed into the derivation of the early exporter secret. */
static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] =
    "e exp master";
#endif
/* Derive the early exporter key.
 *
 * Runs DeriveKey with the secret in ssl->arrays->secret, the cipher suite's
 * MAC algorithm and the handshake message hash included. The output length is
 * passed as -1, which DeriveKey replaces with the digest size, so key must
 * have room for one digest.
 *
 * ssl  The SSL/TLS object.
 * key  The derived key.
 * returns 0 on success, otherwise failure.
 */
static int DeriveEarlyExporterSecret(WOLFSSL* ssl, byte* key)
{
    const byte* secret;
    int         macAlgo;

    WOLFSSL_MSG("Derive Early Exporter Secret");

    secret  = ssl->arrays->secret;
    macAlgo = ssl->specs.mac_algorithm;

    return DeriveKey(ssl, key, -1, secret,
                     earlyExporterLabel, EARLY_EXPORTER_LABEL_SZ,
                     macAlgo, 1);
}
#endif
#endif
wolfSSL 15:117db924cf7c 562
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Length of the client handshake label, excluding the literal's NUL. */
#define CLIENT_HANDSHAKE_LABEL_SZ 31
/* Label mixed into the derivation of the client handshake traffic secret. */
static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =
    "client handshake traffic secret";
#else
/* Length of the client handshake label, excluding the literal's NUL. */
#define CLIENT_HANDSHAKE_LABEL_SZ 12
/* Label mixed into the derivation of the client handshake traffic secret. */
static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =
    "c hs traffic";
#endif
/* Derive the client handshake key.
 *
 * Runs DeriveKey with the secret in ssl->arrays->preMasterSecret, the cipher
 * suite's MAC algorithm and the handshake message hash included. The output
 * length is passed as -1, which DeriveKey replaces with the digest size, so
 * key must have room for one digest.
 *
 * ssl  The SSL/TLS object.
 * key  The derived key.
 * returns 0 on success, otherwise failure.
 */
static int DeriveClientHandshakeSecret(WOLFSSL* ssl, byte* key)
{
    const byte* secret;
    int         macAlgo;

    WOLFSSL_MSG("Derive Client Handshake Secret");

    secret  = ssl->arrays->preMasterSecret;
    macAlgo = ssl->specs.mac_algorithm;

    return DeriveKey(ssl, key, -1, secret,
                     clientHandshakeLabel, CLIENT_HANDSHAKE_LABEL_SZ,
                     macAlgo, 1);
}
wolfSSL 15:117db924cf7c 589
/* Server handshake traffic label.
 *
 * The label bytes are an input to the key derivation, so the size constant
 * must equal the string length exactly. The array is one byte larger only to
 * hold the terminating NUL, which is never passed to DeriveKey.
 */
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Draft 18 spelling of the label. */
    #define SERVER_HANDSHAKE_LABEL_SZ   31
    static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =
        "server handshake traffic secret";
#else
    /* Short label, as in RFC 8446 section 7.1. */
    #define SERVER_HANDSHAKE_LABEL_SZ   12
    static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =
        "s hs traffic";
#endif

/* Derive the server handshake traffic secret.
 *
 * Uses the same input secret (ssl->arrays->preMasterSecret) as the client
 * variant; only the label differs, which is what separates the two
 * directions.
 *
 * ssl  The SSL/TLS object.
 * key  Receives the derived secret.
 *      NOTE(review): -1 is passed as the output length, so the number of
 *      bytes written is decided inside DeriveKey - confirm the caller's
 *      buffer is sized for the negotiated digest.
 * returns 0 on success, otherwise failure.
 */
static int DeriveServerHandshakeSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Server Handshake Secret");

    /* NOTE(review): the trailing 1 presumably asks DeriveKey to mix in the
     * handshake transcript - confirm against DeriveKey. */
    ret = DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
                    serverHandshakeLabel, SERVER_HANDSHAKE_LABEL_SZ,
                    ssl->specs.mac_algorithm, 1);
    return ret;
}
wolfSSL 15:117db924cf7c 616
/* Client application traffic label.
 *
 * The label bytes are an input to the key derivation, so the size constant
 * must equal the string length exactly. The array is one byte larger only to
 * hold the terminating NUL, which is never passed to DeriveKey.
 */
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Draft 18 spelling of the label. */
    #define CLIENT_APP_LABEL_SZ         33
    static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =
        "client application traffic secret";
#else
    /* Short label, as in RFC 8446 section 7.1. */
    #define CLIENT_APP_LABEL_SZ         12
    static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =
        "c ap traffic";
#endif

/* Derive the first client application traffic secret.
 *
 * The input secret is ssl->arrays->masterSecret, the buffer that
 * DeriveMasterSecret() in this file writes; it must have run first.
 *
 * ssl  The SSL/TLS object.
 * key  Receives the derived secret.
 *      NOTE(review): -1 is passed as the output length, so the number of
 *      bytes written is decided inside DeriveKey - confirm the caller's
 *      buffer is sized for the negotiated digest.
 * returns 0 on success, otherwise failure.
 */
static int DeriveClientTrafficSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Client Traffic Secret");

    /* NOTE(review): the trailing 1 presumably asks DeriveKey to mix in the
     * handshake transcript - confirm against DeriveKey. */
    ret = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                    clientAppLabel, CLIENT_APP_LABEL_SZ,
                    ssl->specs.mac_algorithm, 1);
    return ret;
}
wolfSSL 15:117db924cf7c 643
/* Server application traffic label.
 *
 * The label bytes are an input to the key derivation, so the size constant
 * must equal the string length exactly. The array is one byte larger only to
 * hold the terminating NUL, which is never passed to DeriveKey.
 */
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Draft 18 spelling of the label. */
    #define SERVER_APP_LABEL_SZ         33
    static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =
        "server application traffic secret";
#else
    /* Short label, as in RFC 8446 section 7.1. */
    #define SERVER_APP_LABEL_SZ         12
    static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =
        "s ap traffic";
#endif

/* Derive the first server application traffic secret.
 *
 * Uses the same input secret (ssl->arrays->masterSecret) as the client
 * variant; only the label differs, which is what separates the two
 * directions.
 *
 * ssl  The SSL/TLS object.
 * key  Receives the derived secret.
 *      NOTE(review): -1 is passed as the output length, so the number of
 *      bytes written is decided inside DeriveKey - confirm the caller's
 *      buffer is sized for the negotiated digest.
 * returns 0 on success, otherwise failure.
 */
static int DeriveServerTrafficSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Server Traffic Secret");

    /* NOTE(review): the trailing 1 presumably asks DeriveKey to mix in the
     * handshake transcript - confirm against DeriveKey. */
    ret = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                    serverAppLabel, SERVER_APP_LABEL_SZ,
                    ssl->specs.mac_algorithm, 1);
    return ret;
}
wolfSSL 15:117db924cf7c 670
#ifdef TLS13_SUPPORTS_EXPORTERS
/* Exporter master secret label.
 *
 * The label bytes are an input to the key derivation, so the size constant
 * must equal the string length exactly. The array is one byte larger only to
 * hold the terminating NUL, which is never passed to DeriveKey.
 */
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Draft 18 spelling of the label. */
    #define EXPORTER_MASTER_LABEL_SZ    22
    static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =
        "exporter master secret";
#else
    /* Short label, as in RFC 8446 section 7.1. */
    #define EXPORTER_MASTER_LABEL_SZ    10
    static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =
        "exp master";
#endif

/* Derive the exporter master secret.
 *
 * The input secret is ssl->arrays->masterSecret, the buffer that
 * DeriveMasterSecret() in this file writes.
 *
 * ssl  The SSL/TLS object.
 * key  Receives the derived secret.
 *      NOTE(review): -1 is passed as the output length, so the number of
 *      bytes written is decided inside DeriveKey - confirm the caller's
 *      buffer is sized for the negotiated digest.
 * returns 0 on success, otherwise failure.
 */
static int DeriveExporterSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Exporter Secret");

    /* NOTE(review): the trailing 1 presumably asks DeriveKey to mix in the
     * handshake transcript - confirm against DeriveKey. */
    ret = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                    exporterMasterLabel, EXPORTER_MASTER_LABEL_SZ,
                    ssl->specs.mac_algorithm, 1);
    return ret;
}
#endif /* TLS13_SUPPORTS_EXPORTERS */
wolfSSL 15:117db924cf7c 699
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
/* Resumption master secret label.
 *
 * The label bytes are an input to the key derivation, so the size constant
 * must equal the string length exactly. The array is one byte larger only to
 * hold the terminating NUL, which is never passed to DeriveKey.
 */
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Draft 18 spelling of the label. */
    #define RESUME_MASTER_LABEL_SZ      24
    static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
        "resumption master secret";
#else
    /* Short label, as in RFC 8446 section 7.1. */
    #define RESUME_MASTER_LABEL_SZ      10
    static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
        "res master";
#endif

/* Derive the resumption master secret.
 *
 * The input secret is ssl->arrays->masterSecret, the buffer that
 * DeriveMasterSecret() in this file writes. The output is long-lived key
 * material for later sessions, so the destination buffer deserves the same
 * protection as the master secret itself.
 *
 * ssl  The SSL/TLS object.
 * key  Receives the derived secret.
 *      NOTE(review): -1 is passed as the output length, so the number of
 *      bytes written is decided inside DeriveKey - confirm the caller's
 *      buffer is sized for the negotiated digest.
 * returns 0 on success, otherwise failure.
 */
static int DeriveResumptionSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Resumption Secret");

    /* NOTE(review): the trailing 1 presumably asks DeriveKey to mix in the
     * handshake transcript - confirm against DeriveKey. */
    ret = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                    resumeMasterLabel, RESUME_MASTER_LABEL_SZ,
                    ssl->specs.mac_algorithm, 1);
    return ret;
}
#endif /* HAVE_SESSION_TICKET || !NO_PSK */
wolfSSL 15:117db924cf7c 728
/* Byte count of the finished label (terminating NUL excluded). */
#define FINISHED_LABEL_SZ 8
/* Label used when expanding a traffic secret into a Finished HMAC key. The
 * array is one byte larger than the label only to hold the NUL. */
static const byte finishedLabel[FINISHED_LABEL_SZ + 1] = "finished";

/* Derive the key used to compute Finished verify data.
 *
 * Note the argument order: 'key' is the INPUT base secret and 'secret' is
 * the OUTPUT, the reverse of what the names suggest next to the other
 * Derive* helpers in this file.
 *
 * ssl     The SSL/TLS object.
 * key     The base secret the finished key is expanded from.
 * secret  Receives the derived finished key.
 *         NOTE(review): -1 is passed as the output length, so the number of
 *         bytes written is decided inside DeriveKey - confirm buffer sizing.
 * returns 0 on success, otherwise failure.
 */
static int DeriveFinishedSecret(WOLFSSL* ssl, byte* key, byte* secret)
{
    int ret;

    WOLFSSL_MSG("Derive Finished Secret");

    /* Trailing 0, unlike the traffic-secret helpers, which pass 1.
     * NOTE(review): presumably "no transcript hash" - confirm in DeriveKey. */
    ret = DeriveKey(ssl, secret, -1, key, finishedLabel, FINISHED_LABEL_SZ,
                    ssl->specs.mac_algorithm, 0);
    return ret;
}
wolfSSL 15:117db924cf7c 746
/* Application traffic secret update label.
 *
 * The label bytes are an input to the key derivation, so the size constant
 * must equal the string length exactly. The array is one byte larger only to
 * hold the terminating NUL, which is never passed to DeriveKey.
 */
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Draft 18 spelling of the label. */
    #define APP_TRAFFIC_LABEL_SZ        26
    static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =
        "application traffic secret";
#else
    /* Short label, as in RFC 8446 section 7.2. */
    #define APP_TRAFFIC_LABEL_SZ        11
    static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =
        "traffic upd";
#endif

/* Replace a traffic secret with its successor (key update).
 *
 * The same buffer is passed as both input and output, so the previous
 * secret is overwritten by the next one and is not kept anywhere by this
 * function.
 * NOTE(review): this relies on DeriveKey tolerating aliased input/output
 * buffers - confirm against DeriveKey.
 *
 * ssl     The SSL/TLS object.
 * secret  On entry the current traffic secret, on success the next one.
 * returns 0 on success, otherwise failure.
 */
static int DeriveTrafficSecret(WOLFSSL* ssl, byte* secret)
{
    int ret;

    WOLFSSL_MSG("Derive New Application Traffic Secret");

    ret = DeriveKey(ssl, secret, -1, secret,
                    appTrafficLabel, APP_TRAFFIC_LABEL_SZ,
                    ssl->specs.mac_algorithm, 0);
    return ret;
}
wolfSSL 15:117db924cf7c 773
/* Derive the early secret using HKDF Extract.
 *
 * The result is written to ssl->arrays->secret. The salt arguments are
 * NULL/0 in both build variants.
 *
 * With session tickets or PSK compiled in, the input keying material is
 * ssl->arrays->psk_key of length ssl->arrays->psk_keySz, so the caller must
 * have set both before calling (psk_keySz of 0 when no PSK is in use).
 * Otherwise ssl->arrays->masterSecret is passed with a length of 0.
 * NOTE(review): how a zero-length input is treated is decided inside
 * Tls13_HKDF_Extract, not here - confirm there.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int DeriveEarlySecret(WOLFSSL* ssl)
{
    int ret;

    WOLFSSL_MSG("Derive Early Secret");

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    ret = Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0,
                             ssl->arrays->psk_key, ssl->arrays->psk_keySz,
                             ssl->specs.mac_algorithm);
#else
    ret = Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0,
                             ssl->arrays->masterSecret, 0,
                             ssl->specs.mac_algorithm);
#endif

    return ret;
}
wolfSSL 15:117db924cf7c 790
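#ifndef WOLFSSL_TLS13_DRAFT_18
/* The length of the derived label (terminating NUL excluded). */
#define DERIVED_LABEL_SZ        7
/* The derived label: used to turn one stage's secret into the salt for the
 * next HKDF Extract. One extra byte in the array holds the NUL. */
static const byte derivedLabel[DERIVED_LABEL_SZ + 1] =
    "derived";
#endif

/* Derive the handshake secret using HKDF Extract.
 *
 * The result is written to ssl->arrays->preMasterSecret, which is also the
 * input keying material (length ssl->arrays->preMasterSz), so the key
 * exchange output is overwritten in place.
 *
 * Draft 18 uses ssl->arrays->secret (the early secret) directly as the
 * salt. Otherwise the salt is first expanded from it with the "derived"
 * label into a stack buffer; that buffer is secret-dependent and is wiped
 * before returning on every path.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int DeriveHandshakeSecret(WOLFSSL* ssl)
{
#ifdef WOLFSSL_TLS13_DRAFT_18
    WOLFSSL_MSG("Derive Handshake Secret");
    return Tls13_HKDF_Extract(ssl->arrays->preMasterSecret,
            ssl->arrays->secret, ssl->specs.hash_size,
            ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
            ssl->specs.mac_algorithm);
#else
    byte key[WC_MAX_DIGEST_SIZE];
    int  ret;

    WOLFSSL_MSG("Derive Handshake Secret");

    ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
                       derivedLabel, DERIVED_LABEL_SZ,
                       NULL, 0, ssl->specs.mac_algorithm);
    if (ret == 0) {
        ret = Tls13_HKDF_Extract(ssl->arrays->preMasterSecret,
                key, ssl->specs.hash_size,
                ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
                ssl->specs.mac_algorithm);
    }

    /* The salt is derived from the early secret; do not leave it on the
     * stack. ForceZero is the wolfCrypt misc helper that the compiler may
     * not elide, unlike a plain memset before return. */
    ForceZero(key, sizeof(key));

    return ret;
#endif
}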
wolfSSL 15:117db924cf7c 828
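/* Derive the master secret using HKDF Extract.
 *
 * The result is written to ssl->arrays->masterSecret. The same buffer is
 * passed as the input keying material with a length of 0.
 * NOTE(review): how a zero-length input is treated is decided inside
 * Tls13_HKDF_Extract, not here - confirm there.
 *
 * Draft 18 uses ssl->arrays->preMasterSecret (the handshake secret)
 * directly as the salt. Otherwise the salt is first expanded from it with
 * the "derived" label into a stack buffer; that buffer is secret-dependent
 * and is wiped before returning on every path.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int DeriveMasterSecret(WOLFSSL* ssl)
{
#ifdef WOLFSSL_TLS13_DRAFT_18
    WOLFSSL_MSG("Derive Master Secret");
    return Tls13_HKDF_Extract(ssl->arrays->masterSecret,
            ssl->arrays->preMasterSecret, ssl->specs.hash_size,
            ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm);
#else
    byte key[WC_MAX_DIGEST_SIZE];
    int  ret;

    WOLFSSL_MSG("Derive Master Secret");

    ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->preMasterSecret,
                       derivedLabel, DERIVED_LABEL_SZ,
                       NULL, 0, ssl->specs.mac_algorithm);
    if (ret == 0) {
        ret = Tls13_HKDF_Extract(ssl->arrays->masterSecret,
                key, ssl->specs.hash_size,
                ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm);
    }

    /* The salt is derived from the handshake secret; do not leave it on the
     * stack. ForceZero is the wolfCrypt misc helper that the compiler may
     * not elide, unlike a plain memset before return. */
    ForceZero(key, sizeof(key));

    return ret;
#endif
}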
wolfSSL 15:117db924cf7c 857
#ifndef WOLFSSL_TLS13_DRAFT_18
#if defined(HAVE_SESSION_TICKET)
/* Length of the resumption label (terminating NUL excluded). */
#define RESUMPTION_LABEL_SZ 10
/* Resumption label for generating the PSK associated with a ticket. The
 * array is one byte larger than the label only to hold the NUL. */
static const byte resumptionLabel[RESUMPTION_LABEL_SZ + 1] = "resumption";

/* Derive the PSK associated with a session ticket.
 *
 * Expands ssl->session.masterSecret with the "resumption" label and the
 * ticket nonce as context; ssl->specs.hash_size is used both as the input
 * secret length and as the output length. Because the nonce is part of the
 * derivation, tickets issued with different nonces yield different PSKs.
 *
 * ssl       The SSL/TLS object.
 * nonce     The ticket nonce to derive with.
 * nonceLen  The length of the nonce; the type limits it to 255 bytes.
 * secret    Receives the derived PSK.
 *           NOTE(review): must hold ssl->specs.hash_size bytes - no bound
 *           is checked here, confirm at the call sites.
 * returns 0 on success, BAD_FUNC_ARG when the negotiated MAC algorithm has
 * no compiled-in digest, otherwise failure.
 */
static int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen,
                               byte* secret)
{
    int hashType;

    WOLFSSL_MSG("Derive Resumption PSK");

    /* Map the negotiated MAC algorithm to a wolfCrypt digest id; anything
     * not compiled in is rejected rather than defaulted. */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            hashType = WC_SHA256;
            break;
    #endif

    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashType = WC_SHA384;
            break;
    #endif

    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hashType = WC_SHA512;
            break;
    #endif

        default:
            return BAD_FUNC_ARG;
    }

    /* Only one protocol version label is defined at this time. */
    return HKDF_Expand_Label(secret, ssl->specs.hash_size,
                             ssl->session.masterSecret, ssl->specs.hash_size,
                             tls13ProtocolLabel, TLS13_PROTOCOL_LABEL_SZ,
                             resumptionLabel, RESUMPTION_LABEL_SZ,
                             nonce, nonceLen, hashType);
}
#endif /* HAVE_SESSION_TICKET */
#endif /* !WOLFSSL_TLS13_DRAFT_18 */
wolfSSL 15:117db924cf7c 912
wolfSSL 15:117db924cf7c 913
/* Calculate the HMAC of the handshake message data to this point.
 *
 * The running transcript hash for the negotiated MAC algorithm is read into
 * 'hash', then HMAC'd with 'key', and the HMAC output overwrites 'hash'.
 *
 * ssl      The SSL/TLS object.
 * key      The HMAC key; ssl->specs.hash_size bytes are used.
 * hash     Receives the verify data.
 *          NOTE(review): must be large enough for the selected digest - no
 *          bound is checked here, confirm at the call sites.
 * pHashSz  When not NULL, receives the digest size in bytes. It is written
 *          once the transcript hash has been read, even if a later HMAC
 *          step fails, so check the return value before trusting 'hash'.
 * returns 0 on success, BAD_FUNC_ARG when the MAC algorithm matches no
 * compiled-in case, otherwise the failing wolfCrypt call's error. The
 * verify data length is reported through pHashSz, not the return value.
 *
 * Callers that compare the result with a peer's Finished value should do so
 * with a constant-time comparison.
 */
static int BuildTls13HandshakeHmac(WOLFSSL* ssl, byte* key, byte* hash,
                                   word32* pHashSz)
{
    Hmac hmac;
    int  digestType = WC_SHA256;
    int  digestSz   = WC_SHA256_DIGEST_SIZE;
    int  ret        = BAD_FUNC_ARG;   /* kept if no case below matches */

    /* Snapshot the hash of the handshake messages seen so far. */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            digestType = WC_SHA256;
            digestSz   = WC_SHA256_DIGEST_SIZE;
            ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            break;
    #endif /* !NO_SHA256 */
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            digestType = WC_SHA384;
            digestSz   = WC_SHA384_DIGEST_SIZE;
            ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            break;
    #endif /* WOLFSSL_SHA384 */
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            digestType = WC_SHA512;
            digestSz   = WC_SHA512_DIGEST_SIZE;
            ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            break;
    #endif /* WOLFSSL_TLS13_SHA512 */
    }
    if (ret != 0)
        return ret;

    /* HMAC the transcript hash to produce the verify data. */
    ret = wc_HmacInit(&hmac, ssl->heap, ssl->devId);
    if (ret == 0) {
        ret = wc_HmacSetKey(&hmac, digestType, key, ssl->specs.hash_size);
        if (ret == 0) {
            ret = wc_HmacUpdate(&hmac, hash, digestSz);
            if (ret == 0)
                ret = wc_HmacFinal(&hmac, hash);
        }
        /* Released on success and on failure once Init has succeeded. */
        wc_HmacFree(&hmac);
    }

    if (pHashSz)
        *pHashSz = digestSz;

    return ret;
}
wolfSSL 15:117db924cf7c 972
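/* The length of the label to use when deriving keys. */
#define WRITE_KEY_LABEL_SZ     3
/* The length of the label to use when deriving IVs. */
#define WRITE_IV_LABEL_SZ      2
/* The label to use when deriving keys. */
static const byte writeKeyLabel[WRITE_KEY_LABEL_SZ+1] = "key";
/* The label to use when deriving IVs. */
static const byte writeIVLabel[WRITE_IV_LABEL_SZ+1]   = "iv";

/* Derive the keys and IVs for TLS v1.3.
 *
 * First derives the requested traffic secret(s) into
 * ssl->arrays->clientSecret and/or ssl->arrays->serverSecret, then, when
 * 'store' is set, expands them into keys and IVs in a scratch buffer and
 * hands that buffer to StoreKeys(). The scratch buffer holds raw key
 * material and is wiped before it is released on every exit path.
 *
 * ssl     The SSL/TLS object.
 * secret  early_data_key when deriving the key and IV for encrypting early
 *         data application data and end_of_early_data messages.
 *         handshake_key when deriving keys and IVs for encrypting handshake
 *         messages.
 *         traffic_key when deriving first keys and IVs for encrypting
 *         traffic messages.
 *         update_traffic_key when deriving next keys and IVs for encrypting
 *         traffic messages.
 * side    ENCRYPT_SIDE_ONLY when only encryption secret needs to be derived.
 *         DECRYPT_SIDE_ONLY when only decryption secret needs to be derived.
 *         ENCRYPT_AND_DECRYPT_SIDE when both secret needs to be derived.
 * store   1 indicates to derive the keys and IVs from derived secret and
 *         store ready for provisioning.
 * returns 0 on success, otherwise failure.
 */
static int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store)
{
    int   ret = BAD_FUNC_ARG; /* Assume failure */
    int   i   = 0;
#ifdef WOLFSSL_SMALL_STACK
    byte* key_dig;
#else
    byte  key_dig[MAX_PRF_DIG];
#endif
    int   provision;

#ifdef WOLFSSL_SMALL_STACK
    key_dig = (byte*)XMALLOC(MAX_PRF_DIG, ssl->heap, DYNAMIC_TYPE_DIGEST);
    if (key_dig == NULL)
        return MEMORY_E;
#endif

    /* Client-write material is needed when the client encrypts or the
     * server decrypts; server-write material in the two opposite cases. */
    if (side == ENCRYPT_AND_DECRYPT_SIDE) {
        provision = PROVISION_CLIENT_SERVER;
    }
    else {
        provision = ((ssl->options.side != WOLFSSL_CLIENT_END) ^
                     (side == ENCRYPT_SIDE_ONLY)) ? PROVISION_CLIENT :
                                                    PROVISION_SERVER;
    }

    /* Derive the appropriate secret to use in the HKDF.
     * NOTE(review): there is no default case. An unrecognised 'secret' with
     * 'store' set falls through and expands whatever clientSecret and
     * serverSecret already hold; with 'store' clear it returns
     * BAD_FUNC_ARG. Confirm callers only pass the listed values. */
    switch (secret) {
#ifdef WOLFSSL_EARLY_DATA
        case early_data_key:
            /* Early data only flows client to server, so only the client
             * secret is derived, whatever 'provision' says. */
            ret = DeriveEarlyTrafficSecret(ssl, ssl->arrays->clientSecret);
            if (ret != 0)
                goto end;
            break;
#endif

        case handshake_key:
            if (provision & PROVISION_CLIENT) {
                ret = DeriveClientHandshakeSecret(ssl,
                                                  ssl->arrays->clientSecret);
                if (ret != 0)
                    goto end;
            }
            if (provision & PROVISION_SERVER) {
                ret = DeriveServerHandshakeSecret(ssl,
                                                  ssl->arrays->serverSecret);
                if (ret != 0)
                    goto end;
            }
            break;

        case traffic_key:
            if (provision & PROVISION_CLIENT) {
                ret = DeriveClientTrafficSecret(ssl, ssl->arrays->clientSecret);
                if (ret != 0)
                    goto end;
            }
            if (provision & PROVISION_SERVER) {
                ret = DeriveServerTrafficSecret(ssl, ssl->arrays->serverSecret);
                if (ret != 0)
                    goto end;
            }
            break;

        case update_traffic_key:
            /* Each secret is replaced in place by its successor. */
            if (provision & PROVISION_CLIENT) {
                ret = DeriveTrafficSecret(ssl, ssl->arrays->clientSecret);
                if (ret != 0)
                    goto end;
            }
            if (provision & PROVISION_SERVER) {
                ret = DeriveTrafficSecret(ssl, ssl->arrays->serverSecret);
                if (ret != 0)
                    goto end;
            }
            break;
    }

    if (!store)
        goto end;

    /* Key data = client key | server key | client IV | server IV
     * Parts for a side that is not provisioned are omitted, so 'i' only
     * advances past what was actually written.
     * NOTE(review): assumes MAX_PRF_DIG covers two keys plus two IVs for
     * every supported cipher suite - no bound is checked here. */

    if (provision & PROVISION_CLIENT) {
        /* Derive the client key. */
        WOLFSSL_MSG("Derive Client Key");
        ret = DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
                        ssl->arrays->clientSecret, writeKeyLabel,
                        WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0);
        if (ret != 0)
            goto end;
        i += ssl->specs.key_size;
    }

    if (provision & PROVISION_SERVER) {
        /* Derive the server key. */
        WOLFSSL_MSG("Derive Server Key");
        ret = DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
                        ssl->arrays->serverSecret, writeKeyLabel,
                        WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0);
        if (ret != 0)
            goto end;
        i += ssl->specs.key_size;
    }

    if (provision & PROVISION_CLIENT) {
        /* Derive the client IV. */
        WOLFSSL_MSG("Derive Client IV");
        ret = DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
                        ssl->arrays->clientSecret, writeIVLabel,
                        WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0);
        if (ret != 0)
            goto end;
        i += ssl->specs.iv_size;
    }

    if (provision & PROVISION_SERVER) {
        /* Derive the server IV. */
        WOLFSSL_MSG("Derive Server IV");
        ret = DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
                        ssl->arrays->serverSecret, writeIVLabel,
                        WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0);
        if (ret != 0)
            goto end;
    }

    /* Store keys and IVs but don't activate them. */
    ret = StoreKeys(ssl, key_dig, provision);

end:
    /* key_dig held raw keys and IVs (possibly only some of them, on an
     * error path). Wipe it before the stack frame or heap block is reused;
     * ForceZero is the wolfCrypt misc helper the compiler may not elide. */
    ForceZero(key_dig, MAX_PRF_DIG);
#ifdef WOLFSSL_SMALL_STACK
    XFREE(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST);
#endif

    return ret;
}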
wolfSSL 15:117db924cf7c 1136
wolfSSL 15:117db924cf7c 1137 #ifdef HAVE_SESSION_TICKET
wolfSSL 15:117db924cf7c 1138 #if defined(USER_TICKS)
wolfSSL 15:117db924cf7c 1139 #if 0
word32 TimeNowInMilliseconds(void)
{
    /*
    Placeholder, compiled out by the surrounding #if 0.
    Write your own clock tick function here if you don't want
    gettimeofday(). It needs millisecond accuracy but doesn't have to be
    correlated to the EPOCH.
    */
}
wolfSSL 15:117db924cf7c 1147 #endif
wolfSSL 15:117db924cf7c 1148
wolfSSL 15:117db924cf7c 1149 #elif defined(TIME_OVERRIDES)
    #ifndef HAVE_TIME_T_TYPE
        typedef long time_t;
    #endif
    /* Supplied by the application when TIME_OVERRIDES is defined. */
    extern time_t XTIME(time_t * timer);

    /* The time in milliseconds.
     * Used for tickets to represent difference between when first seen and
     * when sending.
     *
     * The value is the XTIME() seconds count, truncated to 32 bits and
     * multiplied by 1000, so it only changes once per second and wraps
     * modulo 2^32. Ticket age checks built on it inherit that one-second
     * granularity, and they are only as trustworthy as the XTIME() the
     * application provides.
     *
     * returns the time in milliseconds as a 32-bit value.
     */
    word32 TimeNowInMilliseconds(void)
    {
        word32 seconds = (word32) XTIME(0);

        return seconds * 1000;
    }
wolfSSL 15:117db924cf7c 1165 #elif defined(USE_WINDOWS_API)
/* Current time in milliseconds (Windows performance counter build).
 * Session tickets use it to measure the time between a ticket first being
 * seen and it being sent.
 *
 * The counter frequency is queried on the first call and cached in a
 * function-local static; that first-call initialisation is not synchronised.
 * NOTE(review): the divisor is (frequency / 1000), so this assumes the
 * reported frequency is at least 1000 Hz - confirm for the target.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    static int           haveFreq = 0;
    static LARGE_INTEGER ticksPerSec;
    LARGE_INTEGER        now;

    if (haveFreq == 0) {
        QueryPerformanceFrequency(&ticksPerSec);
        haveFreq = 1;
    }

    QueryPerformanceCounter(&now);

    /* Counter ticks divided by ticks-per-millisecond. */
    return (word32)(now.QuadPart / (ticksPerSec.QuadPart / 1000));
}
wolfSSL 15:117db924cf7c 1187
wolfSSL 15:117db924cf7c 1188 #elif defined(HAVE_RTP_SYS)
wolfSSL 15:117db924cf7c 1189 #include "rtptime.h"
wolfSSL 15:117db924cf7c 1190
/* Current time in milliseconds (HAVE_RTP_SYS build).
 * Session tickets use it to measure the time between a ticket first being
 * seen and it being sent.
 *
 * Derived from rtp_get_system_sec(), so the value advances in steps of 1000.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 seconds = (word32)rtp_get_system_sec();

    return seconds * 1000;
}
wolfSSL 15:117db924cf7c 1201 #elif defined(MICRIUM)
/* Current time in milliseconds (MICRIUM build).
 * Session tickets use it to measure the time between a ticket first being
 * seen and it being sent.
 *
 * The tick count is reduced to whole seconds before scaling, so the value
 * advances in steps of 1000. The error code written by OSTimeGet() is not
 * inspected.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    OS_ERR  err;
    OS_TICK now = OSTimeGet(&err);
    word32  seconds = (word32)(now / OSCfg_TickRate_Hz);

    return seconds * 1000;
}
wolfSSL 15:117db924cf7c 1217 #elif defined(MICROCHIP_TCPIP_V5)
/* Current time in milliseconds (MICROCHIP_TCPIP_V5 build).
 * Session tickets use it to measure the time between a ticket first being
 * seen and it being sent.
 *
 * NOTE(review): the divisor is (TICKS_PER_SECOND / 1000); presumably the tick
 * rate is at least 1000 per second, otherwise the divisor is zero - confirm
 * for the target.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowMs = (word32) (TickGet() / (TICKS_PER_SECOND / 1000));

    return nowMs;
}
wolfSSL 15:117db924cf7c 1228 #elif defined(MICROCHIP_TCPIP)
wolfSSL 15:117db924cf7c 1229 #if defined(MICROCHIP_MPLAB_HARMONY)
wolfSSL 15:117db924cf7c 1230 #include <system/tmr/sys_tmr.h>
wolfSSL 15:117db924cf7c 1231
/* Current time in milliseconds (MICROCHIP_MPLAB_HARMONY build).
 * Session tickets use it to measure the time between a ticket first being
 * seen and it being sent.
 *
 * NOTE(review): the divisor is (counter frequency / 1000); presumably the
 * frequency is at least 1000 Hz, otherwise the divisor is zero - confirm for
 * the target.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowMs = (word32)(SYS_TMR_TickCountGet() /
                            (SYS_TMR_TickCounterFrequencyGet() / 1000));

    return nowMs;
}
wolfSSL 15:117db924cf7c 1243 #else
/* Current time in milliseconds (MICROCHIP_TCPIP build without Harmony).
 * Session tickets use it to measure the time between a ticket first being
 * seen and it being sent.
 *
 * NOTE(review): the divisor is (ticks per second / 1000); presumably the tick
 * rate is at least 1000 per second, otherwise the divisor is zero - confirm
 * for the target.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowMs = (word32)(SYS_TICK_Get() /
                            (SYS_TICK_TicksPerSecondGet() / 1000));

    return nowMs;
}
wolfSSL 15:117db924cf7c 1254
wolfSSL 15:117db924cf7c 1255 #endif
wolfSSL 15:117db924cf7c 1256
wolfSSL 15:117db924cf7c 1257 #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
/* Current time in milliseconds (FREESCALE_MQX / FREESCALE_KSDK_MQX build).
 * Session tickets use it to measure the time between a ticket first being
 * seen and it being sent.
 *
 * Only the SECONDS field of the elapsed time is used, so the value advances
 * in steps of 1000.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    TIME_STRUCT elapsed;
    word32      seconds;

    _time_get_elapsed(&elapsed);
    seconds = (word32) elapsed.SECONDS;

    return seconds * 1000;
}
wolfSSL 15:117db924cf7c 1272 #elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
wolfSSL 15:117db924cf7c 1273 #include "include/task.h"
wolfSSL 15:117db924cf7c 1274
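/* Current time in milliseconds (FreeRTOS build).
 * Session tickets use it to measure the time between a ticket first being
 * seen and it being sent.
 *
 * The conversion is done in unsigned integer arithmetic: whole seconds are
 * scaled first and the sub-second remainder is scaled separately. This avoids
 * the earlier float conversion, which cannot represent large tick counts
 * exactly, and the earlier (configTICK_RATE_HZ / 1000) divisor, which is zero
 * for an integer tick rate below 1000 Hz.
 * configTICK_RATE_HZ must be non-zero.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    const word32 ticks = (word32)xTaskGetTickCount();
    const word32 hz    = (word32)configTICK_RATE_HZ;

    return (ticks / hz) * 1000 + ((ticks % hz) * 1000) / hz;
}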
wolfSSL 15:117db924cf7c 1286 #elif defined(FREESCALE_KSDK_BM)
wolfSSL 15:117db924cf7c 1287 #include "lwip/sys.h" /* lwIP */
wolfSSL 15:117db924cf7c 1288
/* Current time in milliseconds (FREESCALE_KSDK_BM build).
 * Session tickets use it to measure the time between a ticket first being
 * seen and it being sent.
 *
 * The value is whatever sys_now() (declared by lwip/sys.h) reports.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowMs = sys_now();

    return nowMs;
}
wolfSSL 15:117db924cf7c 1299 #elif defined(WOLFSSL_TIRTOS)
/* Current time in milliseconds (WOLFSSL_TIRTOS build).
 * Session tickets use it to measure the time between a ticket first being
 * seen and it being sent.
 *
 * Derived from Seconds_get(), so the value advances in steps of 1000.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 seconds = (word32) Seconds_get();

    return seconds * 1000;
}
wolfSSL 15:117db924cf7c 1310 #elif defined(WOLFSSL_UTASKER)
/* Current time in milliseconds (WOLFSSL_UTASKER build).
 * Session tickets use it to measure the time between a ticket first being
 * seen and it being sent.
 *
 * NOTE(review): the divisor is (TICK_RESOLUTION / 1000); presumably
 * TICK_RESOLUTION is at least 1000, otherwise the divisor is zero - confirm
 * for the target.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowMs = (word32)(uTaskerSystemTick / (TICK_RESOLUTION / 1000));

    return nowMs;
}
wolfSSL 15:117db924cf7c 1321 #else
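/* Current time in milliseconds (default build, gettimeofday()).
 * Session tickets use it to measure the time between a ticket first being
 * seen and it being sent.
 *
 * The seconds value is narrowed to word32 before it is multiplied, so the
 * scaling is done in unsigned arithmetic and wraps instead of overflowing a
 * signed tv_sec on targets where that type is only 32 bits wide. Where the
 * previous expression was well defined the result is the same.
 *
 * NOTE(review): on failure GETTIME_ERROR is returned through the word32
 * return type, so a caller sees it as a time value - confirm how callers
 * tell the two apart.
 *
 * returns the time in milliseconds as a 32-bit value, or GETTIME_ERROR when
 * gettimeofday() fails.
 */
word32 TimeNowInMilliseconds(void)
{
    struct timeval now;

    if (gettimeofday(&now, 0) < 0) {
        return GETTIME_ERROR;
    }

    /* Whole seconds scaled to milliseconds plus the sub-second part. */
    return (word32)now.tv_sec * 1000 + (word32)(now.tv_usec / 1000);
}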
wolfSSL 15:117db924cf7c 1337 #endif
wolfSSL 15:117db924cf7c 1338 #endif /* HAVE_SESSION_TICKET */
wolfSSL 15:117db924cf7c 1339
wolfSSL 15:117db924cf7c 1340
wolfSSL 15:117db924cf7c 1341 #if !defined(NO_WOLFSSL_SERVER) && (defined(HAVE_SESSION_TICKET) || \
wolfSSL 15:117db924cf7c 1342 !defined(NO_PSK))
/* Feed raw data into every handshake hash that is compiled in.
 *
 * ssl    The SSL/TLS object; ssl->hsHashes is dereferenced without a check.
 * input  The data to hash.
 * sz     The size of the data to hash.
 *        NOTE(review): sz is a signed int handed straight to the update
 *        calls; presumably callers never pass a negative size - confirm.
 * returns 0 on success, the error code of the first update that fails, or
 *         BAD_FUNC_ARG when none of the updates below is compiled in.
 */
static int HashInputRaw(WOLFSSL* ssl, const byte* input, int sz)
{
    /* Remains BAD_FUNC_ARG only if every update below is compiled out. */
    int ret = BAD_FUNC_ARG;

#ifndef NO_SHA256
    ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, input, sz);
    if (ret != 0) {
        return ret;
    }
#endif
#ifdef WOLFSSL_SHA384
    ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, input, sz);
    if (ret != 0) {
        return ret;
    }
#endif
#ifdef WOLFSSL_TLS13_SHA512
    ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, input, sz);
    if (ret != 0) {
        return ret;
    }
#endif

    return ret;
}
wolfSSL 15:117db924cf7c 1372 #endif
wolfSSL 15:117db924cf7c 1373
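/* Extract the handshake header information.
 *
 * ssl       The SSL/TLS object. (unused)
 * input     The buffer holding the message data.
 * inOutIdx  On entry, the index into the buffer of the handshake header.
 *           On successful exit, the index of the start of the handshake data.
 *           Left unchanged when BUFFER_E is returned.
 * type      Type of handshake message.
 * size      The length of the handshake message data as stated in the header.
 *           It is decoded only; it is not compared with totalSz here, so the
 *           caller has to check it against the data actually available.
 * totalSz   The total size of data in the buffer.
 * returns BUFFER_E if there is not enough input data and 0 on success.
 */
static int GetHandshakeHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                              byte* type, word32* size, word32 totalSz)
{
    const word32 start = *inOutIdx;
    const byte*  hdr;

    (void)ssl;

    /* Compare against the space that is left rather than against
     * start + HANDSHAKE_HEADER_SZ, which can wrap for a very large index and
     * then pass the bounds check. */
    if (start > totalSz || (totalSz - start) < (word32)HANDSHAKE_HEADER_SZ) {
        return BUFFER_E;
    }

    /* Form the header pointer only once the index is known to be in range. */
    hdr = input + start;
    *inOutIdx = start + HANDSHAKE_HEADER_SZ;

    *type = hdr[0];
    c24to32(&hdr[1], size);

    return 0;
}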
wolfSSL 15:117db924cf7c 1400
/* Write a record layer header at the start of a message buffer.
 *
 * output  The buffer to write the record layer header into; it is accessed
 *         through a RecordLayerHeader pointer.
 * length  The length of the record data. Only the low 16 bits are written,
 *         so callers must keep the value within 16 bits.
 * type    The type of record message.
 * ssl     The SSL/TLS object; supplies the major version byte.
 */
static void AddTls13RecordHeader(byte* output, word32 length, byte type,
                                 WOLFSSL* ssl)
{
    RecordLayerHeader* hdr = (RecordLayerHeader*)output;

    hdr->type    = type;
    hdr->pvMajor = ssl->version.major;
    /* The minor version byte is fixed at build time. */
#ifdef WOLFSSL_TLS13_DRAFT_18
    hdr->pvMinor = TLSv1_MINOR;
#else
    hdr->pvMinor = TLSv1_2_MINOR;
#endif
    c16toa((word16)length, hdr->length);
}
wolfSSL 15:117db924cf7c 1423
/* Write a handshake header at the start of a buffer.
 *
 * output      The buffer to write the handshake header into; it is accessed
 *             through a HandShakeHeader pointer.
 * length      The length of the handshake data, written as a 24-bit value.
 * fragOffset  The offset of the fragment data. (DTLS, unused here)
 * fragLength  The length of the fragment data. (DTLS, unused here)
 * type        The type of handshake message.
 * ssl         The SSL/TLS object. (DTLS, unused here)
 */
static void AddTls13HandShakeHeader(byte* output, word32 length,
                                    word32 fragOffset, word32 fragLength,
                                    byte type, WOLFSSL* ssl)
{
    HandShakeHeader* hdr = (HandShakeHeader*)output;

    /* Parameters kept for the DTLS-shaped signature only. */
    (void)ssl;
    (void)fragLength;
    (void)fragOffset;

    hdr->type = type;
    c32to24(length, hdr->length);
}
wolfSSL 15:117db924cf7c 1447
wolfSSL 15:117db924cf7c 1448
/* Write the record layer header followed by the handshake header.
 *
 * output  The buffer to write the headers into.
 * length  The length of the handshake data; the record length written is
 *         this plus HANDSHAKE_HEADER_SZ.
 * type    The type of handshake message. The record type is always
 *         handshake.
 * ssl     The SSL/TLS object.
 */
static void AddTls13Headers(byte* output, word32 length, byte type,
                            WOLFSSL* ssl)
{
    /* The handshake header sits directly after the record header. */
    byte* hsHeader = output + RECORD_HEADER_SZ;

    AddTls13RecordHeader(output, length + HANDSHAKE_HEADER_SZ, handshake, ssl);
    AddTls13HandShakeHeader(hsHeader, length, 0, length, type, ssl);
}
wolfSSL 15:117db924cf7c 1465
wolfSSL 15:117db924cf7c 1466
wolfSSL 15:117db924cf7c 1467 #ifndef NO_CERTS
/* Write the record layer header and a fragment's handshake header.
 *
 * output      The buffer to write the headers into.
 * fragSz      The length of the fragment data; the record length written is
 *             this plus HANDSHAKE_HEADER_SZ.
 * fragOffset  The offset of the fragment data. (DTLS)
 * length      The length of the whole handshake message.
 * type        The type of handshake message. The record type is always
 *             handshake.
 * ssl         The SSL/TLS object.
 */
static void AddTls13FragHeaders(byte* output, word32 fragSz, word32 fragOffset,
                                word32 length, byte type, WOLFSSL* ssl)
{
    /* The handshake header sits directly after the record header. */
    byte* hsHeader = output + RECORD_HEADER_SZ;

    (void)fragSz;

    AddTls13RecordHeader(output, fragSz + HANDSHAKE_HEADER_SZ, handshake, ssl);
    AddTls13HandShakeHeader(hsHeader, length, fragOffset, fragSz, type, ssl);
}
wolfSSL 15:117db924cf7c 1488 #endif /* NO_CERTS */
wolfSSL 15:117db924cf7c 1489
/* Write the current 64-bit sequence number into the buffer and advance it.
 * No DTLS v1.3 support.
 *
 * The value written is the one held before the call; the stored low word is
 * then incremented and a wrap of the low word carries into the high word.
 * Each call therefore consumes one sequence number.
 * NOTE(review): a wrap of the high word is not detected here - confirm that
 * the connection is rekeyed or closed before the full counter can wrap.
 *
 * ssl          The SSL/TLS object.
 * verifyOrder  Non-zero selects the peer sequence numbers, zero our own.
 * out          The buffer to write into; two 32-bit values are written, the
 *              second at offset OPAQUE32_LEN.
 */
static WC_INLINE void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out)
{
    word32 hi;
    word32 lo;

    if (verifyOrder) {
        hi = ssl->keys.peer_sequence_number_hi;
        lo = ssl->keys.peer_sequence_number_lo;
        ssl->keys.peer_sequence_number_lo++;
        /* The stored low word is now smaller only if it wrapped. */
        if (ssl->keys.peer_sequence_number_lo < lo) {
            ssl->keys.peer_sequence_number_hi++;
        }
    }
    else {
        hi = ssl->keys.sequence_number_hi;
        lo = ssl->keys.sequence_number_lo;
        ssl->keys.sequence_number_lo++;
        /* The stored low word is now smaller only if it wrapped. */
        if (ssl->keys.sequence_number_lo < lo) {
            ssl->keys.sequence_number_hi++;
        }
    }

    c32toa(hi, out);
    c32toa(lo, out + OPAQUE32_LEN);
}
wolfSSL 15:117db924cf7c 1519
/* Build the nonce for TLS v1.3 encryption and decryption.
 *
 * The nonce is the IV with the sequence number XORed into its last SEQ_SZ
 * bytes. WriteSEQ() advances the selected sequence number, so this must be
 * called exactly once per record; calling it twice for the same record uses
 * up two sequence numbers.
 *
 * ssl    The SSL/TLS object.
 * nonce  Output buffer of AEAD_NONCE_SZ bytes.
 * iv     The derived IV, AEAD_NONCE_SZ bytes.
 * order  The side on which the message is to be or was sent.
 */
static WC_INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv,
                                      int order)
{
    const int seqOff = AEAD_NONCE_SZ - SEQ_SZ;
    int       idx = 0;

    /* Sequence number goes into the tail of the nonce first. */
    WriteSEQ(ssl, order, nonce + seqOff);

    /* Leading bytes are the IV unchanged. */
    while (idx < seqOff) {
        nonce[idx] = iv[idx];
        idx++;
    }
    /* Tail bytes: sequence number XOR IV. */
    while (idx < AEAD_NONCE_SZ) {
        nonce[idx] ^= iv[idx];
        idx++;
    }
}
wolfSSL 15:117db924cf7c 1539
wolfSSL 15:117db924cf7c 1540 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
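/* Encrypt with ChaCha20 and create authentication tag with Poly1305.
 *
 * The one-time Poly1305 key is the first CHACHA20_256_KEY_SIZE bytes of
 * ChaCha20 keystream for this nonce. It is held in a stack buffer that is
 * cleared with ForceZero() on every path taken after keystream generation
 * has been attempted.
 *
 * ssl     The SSL/TLS object.
 * output  The buffer to write encrypted data into.
 *         May be the same pointer as input.
 * input   The data to encrypt.
 * sz      The number of bytes to encrypt.
 * nonce   The nonce to use with ChaCha20.
 * aad     The additional authentication data.
 * aadSz   The size of the additional authentication data.
 * tag     The authentication tag buffer; POLY1305_AUTH_SZ bytes are written.
 * returns 0 on success, otherwise failure.
 */
static int ChaCha20Poly1305_Encrypt(WOLFSSL* ssl, byte* output,
                                    const byte* input, word16 sz, byte* nonce,
                                    const byte* aad, word16 aadSz, byte* tag)
{
    int  ret = 0;
    byte poly[CHACHA20_256_KEY_SIZE];

    /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
    XMEMSET(poly, 0, sizeof(poly));

    /* Set the nonce for ChaCha and get Poly1305 key. */
    ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0);
    if (ret != 0)
        return ret; /* poly still holds only zeros here */
    /* Create Poly1305 key using ChaCha20 keystream. */
    ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, poly, sizeof(poly));
    if (ret != 0) {
        /* The buffer may already hold part of the key; do not leave it on
         * the stack. */
        ForceZero(poly, sizeof(poly));
        return ret;
    }
    /* Encrypt the plain text. */
    ret = wc_Chacha_Process(ssl->encrypt.chacha, output, input, sz);
    if (ret != 0) {
        ForceZero(poly, sizeof(poly));
        return ret;
    }

    /* Set key for Poly1305. */
    ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));
    ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
    if (ret != 0)
        return ret;
    /* Compute the tag over the AAD and the encrypted data. */
    ret = wc_Poly1305_MAC(ssl->auth.poly1305, (byte*)aad, aadSz, output, sz,
                          tag, POLY1305_AUTH_SZ);

    return ret;
}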
wolfSSL 15:117db924cf7c 1590 #endif
wolfSSL 15:117db924cf7c 1591
/* Encrypt data for TLS v1.3.
 *
 * Runs as a three-step state machine kept in ssl->encrypt.state
 * (CIPHER_STATE_BEGIN -> CIPHER_STATE_DO -> CIPHER_STATE_END) so that an
 * asynchronous crypto operation can return early and be resumed by calling
 * the function again.
 *
 * ssl        The SSL/TLS object.
 * output     The buffer to write encrypted data and authentication tag into.
 *            May be the same pointer as input.
 * input      The record header and data to encrypt.
 * sz         The number of bytes to encrypt. The authentication tag size
 *            (ssl->specs.aead_mac_size) is subtracted to get the data size,
 *            and the tag is written at output + that data size.
 * aad        The additional authentication data.
 * aadSz      The size of the additional authentication data.
 * asyncOkay  If non-zero can return WC_PENDING_E, otherwise blocks on crypto
 * returns 0 on success, otherwise failure.
 */
static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
                        word16 sz, const byte* aad, word16 aadSz, int asyncOkay)
{
    int    ret = 0;
    /* NOTE(review): 16-bit subtraction; presumably callers always pass
     * sz >= aead_mac_size, otherwise dataSz wraps to a large value - confirm
     * against the callers. */
    word16 dataSz = sz - ssl->specs.aead_mac_size;
    word16 macSz = ssl->specs.aead_mac_size;
    word32 nonceSz = 0;
#ifdef WOLFSSL_ASYNC_CRYPT
    WC_ASYNC_DEV* asyncDev = NULL;
    word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN;
#endif

    WOLFSSL_ENTER("EncryptTls13");

    /* Silence unused warnings for builds where the code that uses these is
     * compiled out. */
    (void)output;
    (void)input;
    (void)sz;
    (void)dataSz;
    (void)macSz;
    (void)asyncOkay;
    (void)nonceSz;

#ifdef WOLFSSL_ASYNC_CRYPT
    if (ssl->error == WC_PENDING_E) {
        ssl->error = 0; /* clear async */
    }
#endif

    switch (ssl->encrypt.state) {
        case CIPHER_STATE_BEGIN:
        {
        #ifdef WOLFSSL_DEBUG_TLS
            /* Debug builds log the plaintext (and the AAD); this build option
             * is for diagnostics, not for production logs. */
            WOLFSSL_MSG("Data to encrypt");
            WOLFSSL_BUFFER(input, dataSz);
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22) && \
    !defined(WOLFSSL_TLS13_DRAFT_23)
            WOLFSSL_MSG("Additional Authentication Data");
            WOLFSSL_BUFFER(aad, aadSz);
#endif
        #endif

            /* The nonce buffer is allocated on first use and kept on the
             * SSL object; it is not freed in this function. */
            if (ssl->encrypt.nonce == NULL)
                ssl->encrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ,
                                            ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
            if (ssl->encrypt.nonce == NULL)
                return MEMORY_E;

            /* Builds the per-record nonce and advances the write sequence
             * number. This runs only in the BEGIN state, so a call that
             * resumes in a later state does not consume another sequence
             * number. */
            BuildTls13Nonce(ssl, ssl->encrypt.nonce, ssl->keys.aead_enc_imp_IV,
                            CUR_ORDER);

            /* Advance state and proceed */
            ssl->encrypt.state = CIPHER_STATE_DO;
        }
        FALL_THROUGH;

        case CIPHER_STATE_DO:
        {
            /* Dispatch on the negotiated bulk cipher; only the ciphers
             * enabled at build time have a case. */
            switch (ssl->specs.bulk_cipher_algorithm) {
            #ifdef BUILD_AESGCM
                case wolfssl_aes_gcm:
                #ifdef WOLFSSL_ASYNC_CRYPT
                    /* initialize event */
                    asyncDev = &ssl->encrypt.aes->asyncDev;
                    ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
                    if (ret != 0)
                        break;
                #endif

                    nonceSz = AESGCM_NONCE_SZ;
                    /* Tag is written directly after the ciphertext. */
                    ret = wc_AesGcmEncrypt(ssl->encrypt.aes, output, input,
                        dataSz, ssl->encrypt.nonce, nonceSz,
                        output + dataSz, macSz, aad, aadSz);
                    break;
            #endif

            #ifdef HAVE_AESCCM
                case wolfssl_aes_ccm:
                #ifdef WOLFSSL_ASYNC_CRYPT
                    /* initialize event */
                    asyncDev = &ssl->encrypt.aes->asyncDev;
                    ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
                    if (ret != 0)
                        break;
                #endif

                    nonceSz = AESCCM_NONCE_SZ;
                    /* Tag is written directly after the ciphertext. */
                    ret = wc_AesCcmEncrypt(ssl->encrypt.aes, output, input,
                        dataSz, ssl->encrypt.nonce, nonceSz,
                        output + dataSz, macSz, aad, aadSz);
                    break;
            #endif

            #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
                case wolfssl_chacha:
                    ret = ChaCha20Poly1305_Encrypt(ssl, output, input, dataSz,
                        ssl->encrypt.nonce, aad, aadSz, output + dataSz);
                    break;
            #endif

                default:
                    /* NOTE(review): this return leaves the function without
                     * zeroing the nonce or resetting ssl->encrypt.state,
                     * unlike the normal exit below. */
                    WOLFSSL_MSG("wolfSSL Encrypt programming error");
                    return ENCRYPT_ERROR;
            }

            /* Advance state */
            ssl->encrypt.state = CIPHER_STATE_END;

        #ifdef WOLFSSL_ASYNC_CRYPT
            if (ret == WC_PENDING_E) {
                /* if async is not okay, then block */
                if (!asyncOkay) {
                    ret = wc_AsyncWait(ret, asyncDev, event_flags);
                }
                else {
                    /* If pending, then leave and return will resume below */
                    return wolfSSL_AsyncPush(ssl, asyncDev);
                }
            }
        #endif
        }
        FALL_THROUGH;

        case CIPHER_STATE_END:
        {
        #ifdef WOLFSSL_DEBUG_TLS
            /* Debug builds log the nonce, the ciphertext and the tag. */
            WOLFSSL_MSG("Nonce");
            WOLFSSL_BUFFER(ssl->encrypt.nonce, ssl->specs.iv_size);
            WOLFSSL_MSG("Encrypted data");
            WOLFSSL_BUFFER(output, dataSz);
            WOLFSSL_MSG("Authentication Tag");
            WOLFSSL_BUFFER(output + dataSz, macSz);
        #endif

            /* Wipe the per-record nonce once the record is done; this is
             * reached with a non-zero ret as well. */
            ForceZero(ssl->encrypt.nonce, AEAD_NONCE_SZ);

            break;
        }
    }

    /* Reset state */
    ssl->encrypt.state = CIPHER_STATE_BEGIN;

    return ret;
}
wolfSSL 15:117db924cf7c 1748
wolfSSL 15:117db924cf7c 1749 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
wolfSSL 15:117db924cf7c 1750 /* Decrypt with ChaCha20 and check authentication tag with Poly1305.
wolfSSL 15:117db924cf7c 1751 *
wolfSSL 15:117db924cf7c 1752 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 1753 * output The buffer to write decrypted data into.
wolfSSL 15:117db924cf7c 1754 * May be the same pointer as input.
wolfSSL 15:117db924cf7c 1755 * input The data to decrypt.
wolfSSL 15:117db924cf7c 1756 * sz The number of bytes to decrypt.
wolfSSL 15:117db924cf7c 1757 * nonce The nonce to use with ChaCha20.
wolfSSL 15:117db924cf7c 1758 * aad The additional authentication data.
wolfSSL 15:117db924cf7c 1759 * aadSz The size of the additional authentication data.
wolfSSL 15:117db924cf7c 1760 * tagIn The authentication tag data from packet.
wolfSSL 15:117db924cf7c 1761 * returns 0 on success, otherwise failure.
wolfSSL 15:117db924cf7c 1762 */
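static int ChaCha20Poly1305_Decrypt(WOLFSSL* ssl, byte* output,
                                    const byte* input, word16 sz, byte* nonce,
                                    const byte* aad, word16 aadSz,
                                    const byte* tagIn)
{
    int  ret;
    byte tag[POLY1305_AUTH_SZ];
    byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */

    /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
    XMEMSET(poly, 0, sizeof(poly));

    /* Set nonce (block counter 0) and get Poly1305 key. */
    ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0);
    if (ret != 0)
        return ret;
    /* Use ChaCha20 keystream to get Poly1305 key for tag. */
    ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, poly, sizeof(poly));
    if (ret != 0) {
        /* poly may already hold keystream bytes; do not leave them on the
         * stack when bailing out. */
        ForceZero(poly, sizeof(poly));
        return ret;
    }

    /* Set key for Poly1305. */
    ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));
    ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
    if (ret != 0)
        return ret;

    /* Generate authentication tag over the AAD and the still-encrypted data.
     * The casts drop const only to match the wc_Poly1305_MAC() prototype. */
    ret = wc_Poly1305_MAC(ssl->auth.poly1305, (byte*)aad, aadSz,
                          (byte*)input, sz, tag, sizeof(tag));
    if (ret != 0)
        return ret;

    /* Check tag sent along with packet. ConstantCompare() is used rather than
     * XMEMCMP so the comparison time does not depend on where the tags
     * differ. The expected tag is wiped once it has been compared. */
    ret = ConstantCompare(tagIn, tag, POLY1305_AUTH_SZ);
    ForceZero(tag, sizeof(tag));
    if (ret != 0) {
        WOLFSSL_MSG("MAC did not match");
        return VERIFY_MAC_ERROR;
    }

    /* Only after the tag verified is any plaintext produced. */
    return wc_Chacha_Process(ssl->decrypt.chacha, output, input, sz);
}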
wolfSSL 15:117db924cf7c 1806 #endif
wolfSSL 15:117db924cf7c 1807
wolfSSL 15:117db924cf7c 1808 /* Decrypt data for TLS v1.3.
wolfSSL 15:117db924cf7c 1809 *
wolfSSL 15:117db924cf7c 1810 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 1811 * output The buffer to write decrypted data into.
wolfSSL 15:117db924cf7c 1812 * May be the same pointer as input.
wolfSSL 15:117db924cf7c 1813 * input The data to decrypt and authentication tag.
wolfSSL 15:117db924cf7c 1814 * sz The length of the encrypted data plus authentication tag.
wolfSSL 15:117db924cf7c 1815 * aad The additional authentication data.
wolfSSL 15:117db924cf7c 1816 * aadSz The size of the additional authentication data.
wolfSSL 15:117db924cf7c 1817 * returns 0 on success, otherwise failure.
wolfSSL 15:117db924cf7c 1818 */
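int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz,
                 const byte* aad, word16 aadSz)
{
    int    ret     = 0;
    word16 dataSz;
    word16 macSz   = ssl->specs.aead_mac_size;
    word32 nonceSz = 0;

    WOLFSSL_ENTER("DecryptTls13");

    /* sz covers ciphertext plus tag. A record shorter than the tag cannot be
     * authenticated, and sz - macSz would wrap to a large unsigned length
     * that is then handed to the cipher. Reject it here as a MAC failure.
     * NOTE(review): callers may already enforce this; the check is kept as
     * defence in depth. */
    if (sz < macSz) {
        WOLFSSL_MSG("Record shorter than authentication tag");
    #ifndef WOLFSSL_EARLY_DATA
        SendAlert(ssl, alert_fatal, bad_record_mac);
    #endif
        return VERIFY_MAC_ERROR;
    }
    dataSz = (word16)(sz - macSz);

#ifdef WOLFSSL_ASYNC_CRYPT
    ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state);
    if (ret != WC_NOT_PENDING_E) {
        /* check for still pending */
        if (ret == WC_PENDING_E)
            return ret;

        ssl->error = 0; /* clear async */

        /* let failures through so CIPHER_STATE_END logic is run */
    }
    else
#endif
    {
        /* Reset state */
        ret = 0;
        ssl->decrypt.state = CIPHER_STATE_BEGIN;
    }

    /* Silence unused warnings in builds where no cipher case is compiled. */
    (void)output;
    (void)input;
    (void)sz;
    (void)dataSz;
    (void)macSz;
    (void)nonceSz;

    switch (ssl->decrypt.state) {
        case CIPHER_STATE_BEGIN:
        {
        #ifdef WOLFSSL_DEBUG_TLS
            /* Debug builds only: dumps record contents to the log. */
            WOLFSSL_MSG("Data to decrypt");
            WOLFSSL_BUFFER(input, dataSz);
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22) && \
    !defined(WOLFSSL_TLS13_DRAFT_23)
            WOLFSSL_MSG("Additional Authentication Data");
            WOLFSSL_BUFFER(aad, aadSz);
#endif
            WOLFSSL_MSG("Authentication tag");
            WOLFSSL_BUFFER(input + dataSz, macSz);
        #endif

            /* The nonce buffer is allocated once and reused per record. */
            if (ssl->decrypt.nonce == NULL)
                ssl->decrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ,
                                            ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
            if (ssl->decrypt.nonce == NULL)
                return MEMORY_E;

            BuildTls13Nonce(ssl, ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV,
                            PEER_ORDER);

            /* Advance state and proceed */
            ssl->decrypt.state = CIPHER_STATE_DO;
        }
        FALL_THROUGH;

        case CIPHER_STATE_DO:
        {
            /* Every branch passes the tag as the macSz bytes that follow the
             * dataSz bytes of ciphertext in input. */
            switch (ssl->specs.bulk_cipher_algorithm) {
            #ifdef BUILD_AESGCM
                case wolfssl_aes_gcm:
                #ifdef WOLFSSL_ASYNC_CRYPT
                    /* initialize event */
                    ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
                        WC_ASYNC_FLAG_CALL_AGAIN);
                    if (ret != 0)
                        break;
                #endif

                    nonceSz = AESGCM_NONCE_SZ;
                    ret = wc_AesGcmDecrypt(ssl->decrypt.aes, output, input,
                        dataSz, ssl->decrypt.nonce, nonceSz,
                        input + dataSz, macSz, aad, aadSz);
                #ifdef WOLFSSL_ASYNC_CRYPT
                    if (ret == WC_PENDING_E) {
                        ret = wolfSSL_AsyncPush(ssl,
                                                   &ssl->decrypt.aes->asyncDev);
                    }
                #endif
                    break;
            #endif

            #ifdef HAVE_AESCCM
                case wolfssl_aes_ccm:
                #ifdef WOLFSSL_ASYNC_CRYPT
                    /* initialize event */
                    ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
                        WC_ASYNC_FLAG_CALL_AGAIN);
                    if (ret != 0)
                        break;
                #endif

                    nonceSz = AESCCM_NONCE_SZ;
                    ret = wc_AesCcmDecrypt(ssl->decrypt.aes, output, input,
                        dataSz, ssl->decrypt.nonce, nonceSz,
                        input + dataSz, macSz, aad, aadSz);
                #ifdef WOLFSSL_ASYNC_CRYPT
                    if (ret == WC_PENDING_E) {
                        ret = wolfSSL_AsyncPush(ssl,
                                                   &ssl->decrypt.aes->asyncDev);
                    }
                #endif
                    break;
            #endif

            #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
                case wolfssl_chacha:
                    ret = ChaCha20Poly1305_Decrypt(ssl, output, input, dataSz,
                        ssl->decrypt.nonce, aad, aadSz, input + dataSz);
                    break;
            #endif

                default:
                    WOLFSSL_MSG("wolfSSL Decrypt programming error");
                    return DECRYPT_ERROR;
            }

            /* Advance state */
            ssl->decrypt.state = CIPHER_STATE_END;

        #ifdef WOLFSSL_ASYNC_CRYPT
            /* If pending, leave now */
            if (ret == WC_PENDING_E) {
                return ret;
            }
        #endif
        }
        FALL_THROUGH;

        case CIPHER_STATE_END:
        {
        #ifdef WOLFSSL_DEBUG_TLS
            /* Debug builds only: this logs the nonce and the decrypted
             * plaintext, so such logs need the same protection as the
             * traffic itself. */
            WOLFSSL_MSG("Nonce");
            WOLFSSL_BUFFER(ssl->decrypt.nonce, ssl->specs.iv_size);
            WOLFSSL_MSG("Decrypted data");
            WOLFSSL_BUFFER(output, dataSz);
        #endif

            /* The per-record nonce is wiped on success and failure alike. */
            ForceZero(ssl->decrypt.nonce, AEAD_NONCE_SZ);

            break;
        }
    }

#ifndef WOLFSSL_EARLY_DATA
    /* Every failure that reaches this point is reported to the peer with the
     * same bad_record_mac alert and returned as VERIFY_MAC_ERROR. The early
     * returns above (MEMORY_E, DECRYPT_ERROR) bypass this mapping. */
    if (ret < 0) {
        SendAlert(ssl, alert_fatal, bad_record_mac);
        ret = VERIFY_MAC_ERROR;
    }
#endif

    return ret;
}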
wolfSSL 15:117db924cf7c 1981
wolfSSL 15:117db924cf7c 1982 /* Persistable BuildTls13Message arguments */
typedef struct BuildMsg13Args {
    word32 sz;       /* total record size: header + data + type byte + tag */
    word32 idx;      /* current write offset into the output buffer */
    word32 headerSz; /* size of the record header */
    word16 size;     /* record length field value: sz - headerSz */
} BuildMsg13Args;
wolfSSL 15:117db924cf7c 1989
static void FreeBuildMsg13Args(WOLFSSL* ssl, void* pArgs)
{
    /* BuildTls13Message makes no allocations, so there is nothing to release.
     * The casts below only mark the parameters as intentionally unused. */
    (void)ssl;
    (void)pArgs;
}
wolfSSL 15:117db924cf7c 1999
wolfSSL 15:117db924cf7c 2000 /* Build SSL Message, encrypted.
wolfSSL 15:117db924cf7c 2001 * TLS v1.3 encryption is AEAD only.
wolfSSL 15:117db924cf7c 2002 *
wolfSSL 15:117db924cf7c 2003 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 2004 * output The buffer to write record message to.
wolfSSL 15:117db924cf7c 2005 * outSz Size of the buffer being written into.
wolfSSL 15:117db924cf7c 2006 * input The record data to encrypt (excluding record header).
wolfSSL 15:117db924cf7c 2007 * inSz The size of the record data.
wolfSSL 15:117db924cf7c 2008 * type The record header content type.
wolfSSL 15:117db924cf7c 2009 * hashOutput Whether to hash the unencrypted record data.
wolfSSL 15:117db924cf7c 2010 * sizeOnly Only want the size of the record message.
wolfSSL 15:117db924cf7c 2011 * asyncOkay If non-zero can return WC_PENDING_E, otherwise blocks on crypto
wolfSSL 15:117db924cf7c 2012 * returns the size of the encrypted record message or negative value on error.
wolfSSL 15:117db924cf7c 2013 */
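int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
                int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay)
{
    int ret = 0;
    BuildMsg13Args* args;
    BuildMsg13Args  lcl_args;
#ifdef WOLFSSL_ASYNC_CRYPT
    args = (BuildMsg13Args*)ssl->async.args;
    /* Compile-time check that the async argument store can hold the args. */
    typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
    (void)sizeof(args_test);
#endif

    WOLFSSL_ENTER("BuildTls13Message");

    /* inSz feeds unsigned size arithmetic and XMEMCPY below; a negative value
     * would wrap to a huge length, so refuse it before any size is derived. */
    if (inSz < 0)
        return BAD_FUNC_ARG;

    ret = WC_NOT_PENDING_E;
#ifdef WOLFSSL_ASYNC_CRYPT
    if (asyncOkay) {
        ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState);
        if (ret != WC_NOT_PENDING_E) {
            /* Check for error */
            if (ret < 0)
                goto exit_buildmsg;
        }
    }
    else
#endif
    {
        /* Blocking call: state lives on this stack frame only. */
        args = &lcl_args;
    }

    /* Reset state */
    if (ret == WC_NOT_PENDING_E) {
        ret = 0;
        ssl->options.buildMsgState = BUILD_MSG_BEGIN;
        XMEMSET(args, 0, sizeof(BuildMsg13Args));

        args->sz = RECORD_HEADER_SZ + inSz;
        args->idx = RECORD_HEADER_SZ;
        args->headerSz = RECORD_HEADER_SZ;
    #ifdef WOLFSSL_ASYNC_CRYPT
        ssl->async.freeArgs = FreeBuildMsg13Args;
    #endif
    }

    switch (ssl->options.buildMsgState) {
        case BUILD_MSG_BEGIN:
        {
            /* catch mistaken sizeOnly parameter */
            if (sizeOnly) {
                if (output || input) {
                    WOLFSSL_MSG("BuildTls13Message with sizeOnly "
                                "doesn't need input or output");
                    return BAD_FUNC_ARG;
                }
            }
            else if (output == NULL || input == NULL) {
                return BAD_FUNC_ARG;
            }

            /* Record layer content type at the end of record data. */
            args->sz++;
            /* Authentication data at the end. */
            args->sz += ssl->specs.aead_mac_size;

            if (sizeOnly)
                return args->sz;

            /* A negative outSz would become a huge unsigned bound and let the
             * size check pass, so it is rejected together with a too-small
             * buffer. */
            if (outSz < 0 || args->sz > (word32)outSz) {
                WOLFSSL_MSG("Oops, want to write past output buffer size");
                return BUFFER_E;
            }

            /* The record length field is 16 bits wide; refuse to truncate a
             * larger length silently in the cast below. */
            if (args->sz - args->headerSz > 0xFFFF) {
                WOLFSSL_MSG("Record data too large for 16-bit length field");
                return BUFFER_E;
            }

            /* Record data length. */
            args->size = (word16)(args->sz - args->headerSz);
            /* Write/update the record header with the new size.
             * Always have the content type as application data for encrypted
             * messages in TLS v1.3.
             */
            AddTls13RecordHeader(output, args->size, application_data, ssl);

            /* TLS v1.3 can do in place encryption. */
            if (input != output + args->idx)
                XMEMCPY(output + args->idx, input, inSz);
            args->idx += inSz;

            ssl->options.buildMsgState = BUILD_MSG_HASH;
        }
        FALL_THROUGH;

        case BUILD_MSG_HASH:
        {
            /* The hash covers the header and plaintext data, before the
             * content type byte and tag are appended. */
            if (hashOutput) {
                ret = HashOutput(ssl, output, args->headerSz + inSz, 0);
                if (ret != 0)
                    goto exit_buildmsg;
            }

            ssl->options.buildMsgState = BUILD_MSG_ENCRYPT;
        }
        FALL_THROUGH;

        case BUILD_MSG_ENCRYPT:
        {
            /* The real record content type goes at the end of the data. */
            output[args->idx++] = (byte)type;

        #ifdef ATOMIC_USER
            if (ssl->ctx->MacEncryptCb) {
                /* User Record Layer Callback handling */
                byte* mac = output + args->idx;
                output += args->headerSz;

                ret = ssl->ctx->MacEncryptCb(ssl, mac, output, inSz, type, 0,
                        output, output, args->size, ssl->MacEncryptCtx);
            }
            else
        #endif
            {
#if defined(WOLFSSL_TLS13_DRAFT_18) || defined(WOLFSSL_TLS13_DRAFT_22) || \
    defined(WOLFSSL_TLS13_DRAFT_23)
                /* These draft builds pass no additional authenticated data. */
                output += args->headerSz;
                ret = EncryptTls13(ssl, output, output, args->size, NULL, 0,
                                                                     asyncOkay);
#else
                /* The record header is authenticated as the AAD. */
                const byte* aad = output;
                output += args->headerSz;
                ret = EncryptTls13(ssl, output, output, args->size, aad,
                                   RECORD_HEADER_SZ, asyncOkay);
#endif
            }
            break;
        }
    }

exit_buildmsg:

    WOLFSSL_LEAVE("BuildTls13Message", ret);

#ifdef WOLFSSL_ASYNC_CRYPT
    /* Keep the saved state so the next call resumes where this one left. */
    if (ret == WC_PENDING_E) {
        return ret;
    }
#endif

    /* make sure build message state is reset */
    ssl->options.buildMsgState = BUILD_MSG_BEGIN;

    /* return sz on success */
    if (ret == 0)
        ret = args->sz;

    /* Final cleanup */
    FreeBuildMsg13Args(ssl, args);

    return ret;
}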
wolfSSL 15:117db924cf7c 2170
wolfSSL 15:117db924cf7c 2171 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
wolfSSL 15:117db924cf7c 2172 /* Find the cipher suite in the suites set in the SSL.
wolfSSL 15:117db924cf7c 2173 *
wolfSSL 15:117db924cf7c 2174 * ssl SSL/TLS object.
wolfSSL 15:117db924cf7c 2175 * suite Cipher suite to look for.
wolfSSL 15:117db924cf7c 2176 * returns 1 when suite is found in SSL/TLS object's list and 0 otherwise.
wolfSSL 15:117db924cf7c 2177 */
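static int FindSuite(WOLFSSL* ssl, byte* suite)
{
    int i;

    /* Suites are stored as consecutive two-byte pairs. The loop only runs
     * while a complete pair remains, so an odd suiteSz cannot cause a read of
     * the byte after the declared list. */
    for (i = 0; i + 1 < ssl->suites->suiteSz; i += 2) {
        if (ssl->suites->suites[i]     == suite[0] &&
            ssl->suites->suites[i + 1] == suite[1]) {
            return 1;
        }
    }

    return 0;
}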
wolfSSL 15:117db924cf7c 2191 #endif
wolfSSL 15:117db924cf7c 2192
wolfSSL 15:117db924cf7c 2193 #ifndef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 2194 #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
wolfSSL 15:117db924cf7c 2195 /* Create Cookie extension using the hash of the first ClientHello.
wolfSSL 15:117db924cf7c 2196 *
wolfSSL 15:117db924cf7c 2197 * ssl SSL/TLS object.
wolfSSL 15:117db924cf7c 2198 * hash The hash data.
wolfSSL 15:117db924cf7c 2199 * hashSz The size of the hash data in bytes.
wolfSSL 15:117db924cf7c 2200 * returns 0 on success, otherwise failure.
wolfSSL 15:117db924cf7c 2201 */
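static int CreateCookie(WOLFSSL* ssl, byte* hash, byte hashSz)
{
    int  ret;
    byte mac[WC_MAX_DIGEST_SIZE];
    Hmac cookieHmac;
    byte cookieType;
    byte macSz;

    /* SHA-256 is used when available, SHA-1 only when SHA-256 is compiled
     * out.
     * NOTE(review): with both NO_SHA and NO_SHA256 defined, cookieType and
     * macSz are never assigned. Presumably that is not a supported TLS 1.3
     * build; confirm. */
#if !defined(NO_SHA) && defined(NO_SHA256)
    cookieType = SHA;
    macSz = WC_SHA_DIGEST_SIZE;
#endif /* NO_SHA */
#ifndef NO_SHA256
    cookieType = WC_SHA256;
    macSz = WC_SHA256_DIGEST_SIZE;
#endif /* NO_SHA256 */

    /* MAC the cookie data under the server's cookie secret. */
    ret = wc_HmacSetKey(&cookieHmac, cookieType,
                        ssl->buffers.tls13CookieSecret.buffer,
                        ssl->buffers.tls13CookieSecret.length);
    if (ret == 0)
        ret = wc_HmacUpdate(&cookieHmac, hash, hashSz);
    if (ret == 0)
        ret = wc_HmacFinal(&cookieHmac, mac);

    /* The HMAC context was keyed with the cookie secret; wipe it on every
     * path so no key-derived state stays on the stack. */
    ForceZero(&cookieHmac, sizeof(cookieHmac));
    if (ret != 0)
        return ret;

    /* The cookie data is the hash and the integrity check. */
    return TLSX_Cookie_Use(ssl, hash, hashSz, mac, macSz, 1);
}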
wolfSSL 15:117db924cf7c 2232 #endif
wolfSSL 15:117db924cf7c 2233
wolfSSL 15:117db924cf7c 2234 /* Restart the Handshake hash with a hash of the previous messages.
wolfSSL 15:117db924cf7c 2235 *
wolfSSL 15:117db924cf7c 2236 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 2237 * returns 0 on success, otherwise failure.
wolfSSL 15:117db924cf7c 2238 */
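static int RestartHandshakeHash(WOLFSSL* ssl)
{
    int    ret;
    Hashes hashes;
    byte   header[HANDSHAKE_HEADER_SZ];
    byte*  hash = NULL;
    byte   hashSz = 0;

    ret = BuildCertHashes(ssl, &hashes);
    if (ret != 0)
        return ret;

    /* Pick the digest that matches the negotiated MAC algorithm. */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            hash = hashes.sha256;
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            hash = hashes.sha384;
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hash = hashes.sha512;
            break;
    #endif
    }

    /* No case matched (algorithm not compiled in or unexpected value): hash
     * is still NULL and would be dereferenced by the copy and hashing calls
     * below, so fail instead. */
    if (hash == NULL) {
        WOLFSSL_MSG("Unsupported MAC algorithm for handshake hash restart");
        return BAD_FUNC_ARG;
    }

    hashSz = ssl->specs.hash_size;
    AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl);

    WOLFSSL_MSG("Restart Hash");
    WOLFSSL_BUFFER(hash, hashSz);

#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
    if (ssl->options.sendCookie) {
        byte   cookie[OPAQUE8_LEN + WC_MAX_DIGEST_SIZE + OPAQUE16_LEN * 2];
        TLSX*  ext;
        word32 idx = 0;

        /* Cookie Data = Hash Len | Hash | CS | KeyShare Group
         * NOTE(review): the buffer leaves room for WC_MAX_DIGEST_SIZE hash
         * bytes; this relies on hash_size never exceeding that - confirm. */
        cookie[idx++] = hashSz;
        XMEMCPY(cookie + idx, hash, hashSz);
        idx += hashSz;
        cookie[idx++] = ssl->options.cipherSuite0;
        cookie[idx++] = ssl->options.cipherSuite;
        if ((ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE)) != NULL) {
            KeyShareEntry* kse = (KeyShareEntry*)ext->data;
            c16toa(kse->group, cookie + idx);
            idx += OPAQUE16_LEN;
        }
        /* With a cookie the state travels to the client, so the local
         * handshake hash is not restarted on this path. */
        return CreateCookie(ssl, cookie, idx);
    }
#endif

    /* Restart the transcript with a message_hash header and the digest. */
    ret = InitHandshakeHashes(ssl);
    if (ret != 0)
        return ret;
    ret = HashOutputRaw(ssl, header, sizeof(header));
    if (ret != 0)
        return ret;
    return HashOutputRaw(ssl, hash, hashSz);
}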
wolfSSL 15:117db924cf7c 2302
wolfSSL 15:117db924cf7c 2303 /* The value in the random field of a ServerHello to indicate
wolfSSL 15:117db924cf7c 2304 * HelloRetryRequest.
wolfSSL 15:117db924cf7c 2305 */
/* 32 fixed bytes, listed four per row. */
static byte helloRetryRequestRandom[] = {
    0xCF, 0x21, 0xAD, 0x74,
    0xE5, 0x9A, 0x61, 0x11,
    0xBE, 0x1D, 0x8C, 0x02,
    0x1E, 0x65, 0xB8, 0x91,
    0xC2, 0xA2, 0x11, 0x16,
    0x7A, 0xBB, 0x8C, 0x5E,
    0x07, 0x9E, 0x09, 0xE2,
    0xC8, 0xA8, 0x33, 0x9C
};
wolfSSL 15:117db924cf7c 2312 #endif /* WOLFSSL_TLS13_DRAFT_18 */
wolfSSL 15:117db924cf7c 2313
wolfSSL 15:117db924cf7c 2314 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 15:117db924cf7c 2315 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
wolfSSL 15:117db924cf7c 2316 /* Setup pre-shared key based on the details in the extension data.
wolfSSL 15:117db924cf7c 2317 *
wolfSSL 15:117db924cf7c 2318 * ssl SSL/TLS object.
wolfSSL 15:117db924cf7c 2319 * psk Pre-shared key extension data.
wolfSSL 15:117db924cf7c 2320 * returns 0 on success, PSK_KEY_ERROR when the client PSK callback fails and
wolfSSL 15:117db924cf7c 2321 * other negative value on failure.
wolfSSL 15:117db924cf7c 2322 */
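static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk)
{
    int  ret;
    byte suite[2];

    /* Refuse when PSK with (EC)DHE key exchange is disabled locally but a
     * pre-master secret is present. */
    if (ssl->options.noPskDheKe && ssl->arrays->preMasterSz != 0)
        return PSK_KEY_ERROR;

    /* The suite bound to the PSK must be one this endpoint offered. */
    suite[0] = psk->cipherSuite0;
    suite[1] = psk->cipherSuite;
    if (!FindSuite(ssl, suite))
        return PSK_KEY_ERROR;

    ssl->options.cipherSuite0 = psk->cipherSuite0;
    ssl->options.cipherSuite  = psk->cipherSuite;
    if ((ret = SetCipherSpecs(ssl)) != 0)
        return ret;

#ifdef HAVE_SESSION_TICKET
    if (psk->resumption) {
    #ifdef WOLFSSL_EARLY_DATA
        if (ssl->session.maxEarlyDataSz == 0)
            ssl->earlyData = no_early_data;
    #endif
        /* Resumption PSK is master secret. */
        ssl->arrays->psk_keySz = ssl->specs.hash_size;
    #ifdef WOLFSSL_TLS13_DRAFT_18
        XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret,
                ssl->arrays->psk_keySz);
    #else
        if ((ret = DeriveResumptionPSK(ssl, ssl->session.ticketNonce.data,
                   ssl->session.ticketNonce.len, ssl->arrays->psk_key)) != 0) {
            return ret;
        }
    #endif
    }
#endif
#ifndef NO_PSK
    if (!psk->resumption) {
        /* Without a registered callback there is no key to fetch; fail
         * rather than call through a NULL function pointer. */
        if (ssl->options.client_psk_cb == NULL)
            return PSK_KEY_ERROR;

        /* Get the pre-shared key. */
        ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
                (char *)psk->identity, ssl->arrays->client_identity,
                MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
        /* The callback's reported length is checked against the buffer size
         * before the key is used. */
        if (ssl->arrays->psk_keySz == 0 ||
                                 ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
            return PSK_KEY_ERROR;
        }
        /* TODO: Callback should be able to specify ciphersuite. */

        /* External PSKs are only accepted with the default PSK suite. */
        if (psk->cipherSuite0 != TLS13_BYTE ||
                                psk->cipherSuite != WOLFSSL_DEF_PSK_CIPHER) {
            return PSK_KEY_ERROR;
        }
    }
#endif

    /* Derive the early secret using the PSK. */
    return DeriveEarlySecret(ssl);
}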
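/* Derive and write the binders into the ClientHello in space left when
 * writing the Pre-Shared Key extension.
 *
 * The transcript is hashed up to, but not including, the binders. A binder
 * is then computed for every identity in the extension and the binders are
 * written and hashed to complete the transcript of the ClientHello.
 * When early data is to be sent, the early data encryption key is set up
 * from the first identity.
 *
 * ssl     The SSL/TLS object.
 * output  The buffer containing the ClientHello.
 * idx     The index at the end of the completed ClientHello.
 * returns 0 on success and otherwise failure.
 */
static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx)
{
    int           ret;
    TLSX*         ext;
    PreSharedKey* current;
    byte          binderKey[WC_MAX_DIGEST_SIZE];
    word16        len;

    WOLFSSL_ENTER("WritePSKBinders");

    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    if (ext == NULL)
        return SANITY_MSG_E;

    /* Get the size of the binders to determine where to write binders. */
    idx -= TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
                                            client_hello);

    /* Hash truncated ClientHello - up to binders. */
    ret = HashOutput(ssl, output, idx, 0);
    if (ret != 0)
        return ret;

    current = (PreSharedKey*)ext->data;
    /* Calculate the binder for each identity based on previous handshake data.
     * Failures leave the loop instead of returning so that the binder key is
     * always wiped below.
     */
    while (current != NULL) {
        if ((ret = SetupPskKey(ssl, current)) != 0)
            break;

    #ifdef HAVE_SESSION_TICKET
        if (current->resumption)
            ret = DeriveBinderKeyResume(ssl, binderKey);
    #endif
    #ifndef NO_PSK
        if (!current->resumption)
            ret = DeriveBinderKey(ssl, binderKey);
    #endif
        if (ret != 0)
            break;

        /* Derive the Finished message secret. */
        ret = DeriveFinishedSecret(ssl, binderKey,
                                   ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            break;

        /* Build the HMAC of the handshake message data = binder. */
        ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret,
                                      current->binder, &current->binderLen);
        if (ret != 0)
            break;

        current = current->next;
    }

    /* The binder key is derived from the PSK - do not leave it on the stack.
     * ForceZero is the wolfCrypt wipe helper, used instead of XMEMSET so the
     * store is not optimized away.
     */
    ForceZero(binderKey, sizeof(binderKey));
    if (ret != 0)
        return ret;

    /* Data entered into extension, now write to message. */
    len = TLSX_PreSharedKey_WriteBinders((PreSharedKey*)ext->data, output + idx,
                                         client_hello);

    /* Hash binders to complete the hash of the ClientHello. */
    ret = HashOutputRaw(ssl, output + idx, len);
    if (ret < 0)
        return ret;

#ifdef WOLFSSL_EARLY_DATA
    if (ssl->earlyData != no_early_data) {
        /* Early data is protected with keys from the first identity. */
        if ((ret = SetupPskKey(ssl, (PreSharedKey*)ext->data)) != 0)
            return ret;

        /* Derive early data encryption key. */
        ret = DeriveTls13Keys(ssl, early_data_key, ENCRYPT_SIDE_ONLY, 1);
        if (ret != 0)
            return ret;
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
            return ret;
    }
#endif

    WOLFSSL_LEAVE("WritePSKBinders", ret);

    return ret;
}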
wolfSSL 15:117db924cf7c 2474 #endif
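/* handle generation of TLS 1.3 client_hello (1) */
/* Send a ClientHello message to the server.
 * Include the information required to start a handshake with servers using
 * protocol versions less than TLS v1.3.
 * Only a client will send this message.
 *
 * The legacy session id is written with the same length that was counted
 * into the message size; a cached session id longer than ID_LEN is rejected
 * with BUFFER_ERROR.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success and otherwise failure.
 */
int SendTls13ClientHello(WOLFSSL* ssl)
{
    byte*  output;
    word16 length;
    word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    int    sendSz;
    int    ret;
#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Number of legacy session id bytes that go on the wire. */
    byte   sessIdSz = 0;
#endif

    WOLFSSL_START(WC_FUNC_CLIENT_HELLO_SEND);
    WOLFSSL_ENTER("SendTls13ClientHello");

#ifdef HAVE_SESSION_TICKET
    if (ssl->options.resuming &&
            (ssl->session.version.major != ssl->version.major ||
             ssl->session.version.minor != ssl->version.minor)) {
    #ifndef WOLFSSL_NO_TLS12
        if (ssl->session.version.major == ssl->version.major &&
            ssl->session.version.minor < ssl->version.minor) {
            /* Cannot resume with a different protocol version. */
            ssl->options.resuming = 0;
            ssl->version.major = ssl->session.version.major;
            ssl->version.minor = ssl->session.version.minor;
            return SendClientHello(ssl);
        }
        else
    #endif
            return VERSION_ERROR;
    }
#endif

    if (ssl->suites == NULL) {
        WOLFSSL_MSG("Bad suites pointer in SendTls13ClientHello");
        return SUITES_ERROR;
    }

    /* Version | Random | Session Id | Cipher Suites | Compression */
    length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->suites->suiteSz +
             SUITE_LEN + COMP_LEN + ENUM_LEN;
#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Decide once how many session id bytes are sent so that the size
     * counted here and the bytes written below cannot disagree.
     */
    if (ssl->session.sessionIDSz > ID_LEN) {
        WOLFSSL_MSG("Invalid session ID size");
        return BUFFER_ERROR;
    }
    if (ssl->session.sessionIDSz > 0)
        sessIdSz = ssl->session.sessionIDSz;
    #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
    else
        sessIdSz = ID_LEN;
    #endif
    length += sessIdSz;
#endif

    /* Auto populate extensions supported unless user defined. */
    if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0)
        return ret;
#ifdef WOLFSSL_EARLY_DATA
    /* Early data needs a PSK: either a resumed session or a PSK callback. */
    #ifndef NO_PSK
    if (!ssl->options.resuming && ssl->options.client_psk_cb == NULL)
    #else
    if (!ssl->options.resuming)
    #endif
        ssl->earlyData = no_early_data;
    /* No early data in the ClientHello that follows a HelloRetryRequest. */
    if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE)
        ssl->earlyData = no_early_data;
    if (ssl->earlyData == no_early_data)
        TLSX_Remove(&ssl->extensions, TLSX_EARLY_DATA, ssl->heap);
    if (ssl->earlyData != no_early_data &&
                                    (ret = TLSX_EarlyData_Use(ssl, 0)) < 0) {
        return ret;
    }
#endif
#ifdef HAVE_QSH
    if (QSH_Init(ssl) != 0)
        return MEMORY_E;
#endif
    /* Include length of TLS extensions. */
    ret = TLSX_GetRequestSize(ssl, client_hello, &length);
    if (ret != 0)
        return ret;

    /* Total message size. */
    sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, length, client_hello, ssl);

    /* Protocol version - negotiation now in extension: supported_versions. */
    output[idx++] = SSLv3_MAJOR;
    output[idx++] = TLSv1_2_MINOR;
    /* Keep for downgrade. */
    ssl->chVersion = ssl->version;

    /* Client Random */
    if (ssl->options.connectState == CONNECT_BEGIN) {
        ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN);
        if (ret != 0)
            return ret;

        /* Store random for possible second ClientHello. */
        XMEMCPY(ssl->arrays->clientRandom, output + idx, RAN_LEN);
    }
    else
        XMEMCPY(output + idx, ssl->arrays->clientRandom, RAN_LEN);
    idx += RAN_LEN;

#ifdef WOLFSSL_TLS13_DRAFT_18
    /* TLS v1.3 does not use session id - 0 length. */
    output[idx++] = 0;
#else
    /* Length byte and data use the size that was counted into length.
     * Without a cached session id this is 0 (TLS v1.3 does not use session
     * id) unless middlebox compatibility sends the client random instead.
     */
    output[idx++] = sessIdSz;
    if (ssl->session.sessionIDSz > 0) {
        /* Session resumption for old versions of protocol. */
        XMEMCPY(output + idx, ssl->session.sessionID, sessIdSz);
    }
    #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
    else {
        XMEMCPY(output + idx, ssl->arrays->clientRandom, ID_LEN);
    }
    #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */
    idx += sessIdSz;
#endif /* WOLFSSL_TLS13_DRAFT_18 */

    /* Cipher suites */
    c16toa(ssl->suites->suiteSz, output + idx);
    idx += OPAQUE16_LEN;
    XMEMCPY(output + idx, &ssl->suites->suites, ssl->suites->suiteSz);
    idx += ssl->suites->suiteSz;

    /* Compression not supported in TLS v1.3. */
    output[idx++] = COMP_LEN;
    output[idx++] = NO_COMPRESSION;

    /* Write out extensions for a request. */
    length = 0;
    ret = TLSX_WriteRequest(ssl, output + idx, client_hello, &length);
    if (ret != 0)
        return ret;
    idx += length;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    /* Resumption has a specific set of extensions and binder is calculated
     * for each identity.
     */
    if (TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY))
        ret = WritePSKBinders(ssl, output, idx);
    else
#endif
        ret = HashOutput(ssl, output, idx, 0);
    if (ret != 0)
        return ret;

    ssl->options.clientState = CLIENT_HELLO_COMPLETE;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello");
    if (ssl->toInfoOn) {
        AddPacketInfo(ssl, "ClientHello", handshake, output, sendSz,
                      WRITE_PROTO, ssl->heap);
    }
#endif

    ssl->buffers.outputBuffer.length += sendSz;

    ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13ClientHello", ret);
    WOLFSSL_END(WC_FUNC_CLIENT_HELLO_SEND);

    return ret;
}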
#ifdef WOLFSSL_TLS13_DRAFT_18
/* handle processing of TLS 1.3 hello_retry_request (6) */
/* Parse and handle a HelloRetryRequest message.
 * Only a client will receive this message.
 *
 * The message is read as a protocol version followed by a 16-bit length and
 * that many bytes of extension data. An empty extension block is rejected.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of
 *           HelloRetryRequest.
 *           On exit, the index of byte after the HelloRetryRequest message.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13HelloRetryRequest(WOLFSSL* ssl, const byte* input,
                                    word32* inOutIdx, word32 totalSz)
{
    ProtocolVersion serverVersion;
    word16          extSz;
    word32          start = *inOutIdx;
    word32          pos   = start;
    int             ret;

    WOLFSSL_ENTER("DoTls13HelloRetryRequest");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName(ssl, "HelloRetryRequest");
    if (ssl->toInfoOn) AddLateName("HelloRetryRequest", &ssl->timeoutInfo);
#endif

    /* Nothing is read before the message is known to hold three 16-bit
     * fields: version info and length field of extension data.
     */
    if (totalSz < (pos - start) + 3 * OPAQUE16_LEN)
        return BUFFER_ERROR;

    /* Protocol version. */
    XMEMCPY(&serverVersion, input + pos, OPAQUE16_LEN);
    pos += OPAQUE16_LEN;
    if ((ret = CheckVersion(ssl, serverVersion)) != 0)
        return ret;

    /* Length of extension data. */
    ato16(&input[pos], &extSz);
    pos += OPAQUE16_LEN;
    if (extSz == 0) {
        WOLFSSL_MSG("HelloRetryRequest must contain extensions");
        return MISSING_HANDSHAKE_DATA;
    }

    /* Extension data must lie inside the handshake message. */
    if ((pos - start) + extSz > totalSz)
        return BUFFER_ERROR;

    /* The KeyShare extension parsing fails when not valid. */
    ret = TLSX_Parse(ssl, (byte *)(input + pos), extSz, hello_retry_request,
                     NULL);
    if (ret != 0)
        return ret;

    /* Move index to byte after message.
     * NOTE(review): bytes between the end of the extensions and totalSz are
     * not checked here - presumably the caller compares the index with the
     * message length; confirm.
     */
    *inOutIdx = pos + extSz;

    ssl->options.tls1_3      = 1;
    ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;

    WOLFSSL_LEAVE("DoTls13HelloRetryRequest", ret);

    return ret;
}
#endif
wolfSSL 15:117db924cf7c 2733 /* handle processing of TLS 1.3 server_hello (2) and hello_retry_request (6) */
wolfSSL 15:117db924cf7c 2734 /* Handle the ServerHello message from the server.
wolfSSL 15:117db924cf7c 2735 * Only a client will receive this message.
wolfSSL 15:117db924cf7c 2736 *
wolfSSL 15:117db924cf7c 2737 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 2738 * input The message buffer.
wolfSSL 15:117db924cf7c 2739 * inOutIdx On entry, the index into the message buffer of ServerHello.
wolfSSL 15:117db924cf7c 2740 * On exit, the index of byte after the ServerHello message.
wolfSSL 15:117db924cf7c 2741 * helloSz The length of the current handshake message.
wolfSSL 15:117db924cf7c 2742 * returns 0 on success and otherwise failure.
wolfSSL 15:117db924cf7c 2743 */
wolfSSL 15:117db924cf7c 2744 int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
wolfSSL 15:117db924cf7c 2745 word32 helloSz, byte* extMsgType)
wolfSSL 15:117db924cf7c 2746 {
wolfSSL 15:117db924cf7c 2747 ProtocolVersion pv;
wolfSSL 15:117db924cf7c 2748 word32 i = *inOutIdx;
wolfSSL 15:117db924cf7c 2749 word32 begin = i;
wolfSSL 15:117db924cf7c 2750 int ret;
wolfSSL 15:117db924cf7c 2751 #ifndef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 2752 byte sessIdSz;
wolfSSL 15:117db924cf7c 2753 const byte* sessId;
wolfSSL 15:117db924cf7c 2754 byte b;
wolfSSL 15:117db924cf7c 2755 #endif
wolfSSL 15:117db924cf7c 2756 word16 totalExtSz;
wolfSSL 15:117db924cf7c 2757 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
wolfSSL 15:117db924cf7c 2758 TLSX* ext;
wolfSSL 15:117db924cf7c 2759 PreSharedKey* psk = NULL;
wolfSSL 15:117db924cf7c 2760 #endif
wolfSSL 15:117db924cf7c 2761
wolfSSL 15:117db924cf7c 2762 WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO);
wolfSSL 15:117db924cf7c 2763 WOLFSSL_ENTER("DoTls13ServerHello");
wolfSSL 15:117db924cf7c 2764
wolfSSL 15:117db924cf7c 2765 #ifdef WOLFSSL_CALLBACKS
wolfSSL 15:117db924cf7c 2766 if (ssl->hsInfoOn) AddPacketName(ssl, "ServerHello");
wolfSSL 15:117db924cf7c 2767 if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo);
wolfSSL 15:117db924cf7c 2768 #endif
wolfSSL 15:117db924cf7c 2769
wolfSSL 15:117db924cf7c 2770 /* Protocol version length check. */
wolfSSL 15:117db924cf7c 2771 if (OPAQUE16_LEN > helloSz)
wolfSSL 15:117db924cf7c 2772 return BUFFER_ERROR;
wolfSSL 15:117db924cf7c 2773
wolfSSL 15:117db924cf7c 2774 /* Protocol version */
wolfSSL 15:117db924cf7c 2775 XMEMCPY(&pv, input + i, OPAQUE16_LEN);
wolfSSL 15:117db924cf7c 2776 i += OPAQUE16_LEN;
wolfSSL 15:117db924cf7c 2777 #ifdef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 2778 ret = CheckVersion(ssl, pv);
wolfSSL 15:117db924cf7c 2779 if (ret != 0)
wolfSSL 15:117db924cf7c 2780 return ret;
wolfSSL 15:117db924cf7c 2781 if (!IsAtLeastTLSv1_3(pv) && pv.major != TLS_DRAFT_MAJOR) {
wolfSSL 15:117db924cf7c 2782 #ifndef WOLFSSL_NO_TLS12
wolfSSL 15:117db924cf7c 2783 if (ssl->options.downgrade) {
wolfSSL 15:117db924cf7c 2784 ssl->version = pv;
wolfSSL 15:117db924cf7c 2785 return DoServerHello(ssl, input, inOutIdx, helloSz);
wolfSSL 15:117db924cf7c 2786 }
wolfSSL 15:117db924cf7c 2787 #endif
wolfSSL 15:117db924cf7c 2788
wolfSSL 15:117db924cf7c 2789 WOLFSSL_MSG("Client using higher version, fatal error");
wolfSSL 15:117db924cf7c 2790 return VERSION_ERROR;
wolfSSL 15:117db924cf7c 2791 }
wolfSSL 15:117db924cf7c 2792 #else
wolfSSL 15:117db924cf7c 2793 #ifndef WOLFSSL_NO_TLS12
wolfSSL 15:117db924cf7c 2794 if (pv.major == ssl->version.major && pv.minor < TLSv1_2_MINOR &&
wolfSSL 15:117db924cf7c 2795 ssl->options.downgrade) {
wolfSSL 15:117db924cf7c 2796 /* Force client hello version 1.2 to work for static RSA. */
wolfSSL 15:117db924cf7c 2797 ssl->chVersion.minor = TLSv1_2_MINOR;
wolfSSL 15:117db924cf7c 2798 ssl->version.minor = TLSv1_2_MINOR;
wolfSSL 15:117db924cf7c 2799 return DoServerHello(ssl, input, inOutIdx, helloSz);
wolfSSL 15:117db924cf7c 2800 }
wolfSSL 15:117db924cf7c 2801 #endif
wolfSSL 15:117db924cf7c 2802 if (pv.major != ssl->version.major || pv.minor != TLSv1_2_MINOR)
wolfSSL 15:117db924cf7c 2803 return VERSION_ERROR;
wolfSSL 15:117db924cf7c 2804 #endif
wolfSSL 15:117db924cf7c 2805
wolfSSL 15:117db924cf7c 2806 #ifdef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 2807 /* Random length check */
wolfSSL 15:117db924cf7c 2808 if ((i - begin) + RAN_LEN > helloSz)
wolfSSL 15:117db924cf7c 2809 return BUFFER_ERROR;
wolfSSL 15:117db924cf7c 2810 #else
wolfSSL 15:117db924cf7c 2811 /* Random and session id length check */
wolfSSL 15:117db924cf7c 2812 if ((i - begin) + RAN_LEN + ENUM_LEN > helloSz)
wolfSSL 15:117db924cf7c 2813 return BUFFER_ERROR;
wolfSSL 15:117db924cf7c 2814
wolfSSL 15:117db924cf7c 2815 if (XMEMCMP(input + i, helloRetryRequestRandom, RAN_LEN) == 0)
wolfSSL 15:117db924cf7c 2816 *extMsgType = hello_retry_request;
wolfSSL 15:117db924cf7c 2817 #endif
wolfSSL 15:117db924cf7c 2818
wolfSSL 15:117db924cf7c 2819 /* Server random - keep for debugging. */
wolfSSL 15:117db924cf7c 2820 XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN);
wolfSSL 15:117db924cf7c 2821 i += RAN_LEN;
wolfSSL 15:117db924cf7c 2822
wolfSSL 15:117db924cf7c 2823 #ifndef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 2824 /* Session id */
wolfSSL 15:117db924cf7c 2825 sessIdSz = input[i++];
wolfSSL 15:117db924cf7c 2826 if ((i - begin) + sessIdSz > helloSz)
wolfSSL 15:117db924cf7c 2827 return BUFFER_ERROR;
wolfSSL 15:117db924cf7c 2828 sessId = input + i;
wolfSSL 15:117db924cf7c 2829 i += sessIdSz;
wolfSSL 15:117db924cf7c 2830 #endif /* WOLFSSL_TLS13_DRAFT_18 */
wolfSSL 15:117db924cf7c 2831 ssl->options.haveSessionId = 1;
wolfSSL 15:117db924cf7c 2832
wolfSSL 15:117db924cf7c 2833 #ifdef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 2834 /* Ciphersuite check */
wolfSSL 15:117db924cf7c 2835 if ((i - begin) + OPAQUE16_LEN + OPAQUE16_LEN > helloSz)
wolfSSL 15:117db924cf7c 2836 return BUFFER_ERROR;
wolfSSL 15:117db924cf7c 2837 #else
wolfSSL 15:117db924cf7c 2838 /* Ciphersuite and compression check */
wolfSSL 15:117db924cf7c 2839 if ((i - begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz)
wolfSSL 15:117db924cf7c 2840 return BUFFER_ERROR;
wolfSSL 15:117db924cf7c 2841 #endif
wolfSSL 15:117db924cf7c 2842
wolfSSL 15:117db924cf7c 2843 /* Set the cipher suite from the message. */
wolfSSL 15:117db924cf7c 2844 ssl->options.cipherSuite0 = input[i++];
wolfSSL 15:117db924cf7c 2845 ssl->options.cipherSuite = input[i++];
wolfSSL 15:117db924cf7c 2846
wolfSSL 15:117db924cf7c 2847 #ifndef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 2848 /* Compression */
wolfSSL 15:117db924cf7c 2849 b = input[i++];
wolfSSL 15:117db924cf7c 2850 if (b != 0) {
wolfSSL 15:117db924cf7c 2851 WOLFSSL_MSG("Must be no compression types in list");
wolfSSL 15:117db924cf7c 2852 return INVALID_PARAMETER;
wolfSSL 15:117db924cf7c 2853 }
wolfSSL 15:117db924cf7c 2854 #endif
wolfSSL 15:117db924cf7c 2855
wolfSSL 15:117db924cf7c 2856 #ifndef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 2857 if ((i - begin) + OPAQUE16_LEN > helloSz) {
wolfSSL 15:117db924cf7c 2858 if (!ssl->options.downgrade)
wolfSSL 15:117db924cf7c 2859 return BUFFER_ERROR;
wolfSSL 15:117db924cf7c 2860 #ifndef WOLFSSL_NO_TLS12
wolfSSL 15:117db924cf7c 2861 ssl->version.minor = TLSv1_2_MINOR;
wolfSSL 15:117db924cf7c 2862 #endif
wolfSSL 15:117db924cf7c 2863 ssl->options.haveEMS = 0;
wolfSSL 15:117db924cf7c 2864 }
wolfSSL 15:117db924cf7c 2865 if ((i - begin) < helloSz)
wolfSSL 15:117db924cf7c 2866 #endif
wolfSSL 15:117db924cf7c 2867 {
wolfSSL 15:117db924cf7c 2868 /* Get extension length and length check. */
wolfSSL 15:117db924cf7c 2869 if ((i - begin) + OPAQUE16_LEN > helloSz)
wolfSSL 15:117db924cf7c 2870 return BUFFER_ERROR;
wolfSSL 15:117db924cf7c 2871 ato16(&input[i], &totalExtSz);
wolfSSL 15:117db924cf7c 2872 i += OPAQUE16_LEN;
wolfSSL 15:117db924cf7c 2873 if ((i - begin) + totalExtSz > helloSz)
wolfSSL 15:117db924cf7c 2874 return BUFFER_ERROR;
wolfSSL 15:117db924cf7c 2875
wolfSSL 15:117db924cf7c 2876 #ifndef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 2877 if (ssl->options.downgrade)
wolfSSL 15:117db924cf7c 2878 ssl->version.minor = TLSv1_2_MINOR;
wolfSSL 15:117db924cf7c 2879 #endif
wolfSSL 15:117db924cf7c 2880 /* Parse and handle extensions. */
wolfSSL 15:117db924cf7c 2881 ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz, *extMsgType,
wolfSSL 15:117db924cf7c 2882 NULL);
wolfSSL 15:117db924cf7c 2883 if (ret != 0)
wolfSSL 15:117db924cf7c 2884 return ret;
wolfSSL 15:117db924cf7c 2885
wolfSSL 15:117db924cf7c 2886 i += totalExtSz;
wolfSSL 15:117db924cf7c 2887 }
wolfSSL 15:117db924cf7c 2888 *inOutIdx = i;
wolfSSL 15:117db924cf7c 2889
wolfSSL 15:117db924cf7c 2890 ssl->options.serverState = SERVER_HELLO_COMPLETE;
wolfSSL 15:117db924cf7c 2891
wolfSSL 15:117db924cf7c 2892 #ifdef HAVE_SECRET_CALLBACK
wolfSSL 15:117db924cf7c 2893 if (ssl->sessionSecretCb != NULL) {
wolfSSL 15:117db924cf7c 2894 int secretSz = SECRET_LEN;
wolfSSL 15:117db924cf7c 2895 ret = ssl->sessionSecretCb(ssl, ssl->session.masterSecret,
wolfSSL 15:117db924cf7c 2896 &secretSz, ssl->sessionSecretCtx);
wolfSSL 15:117db924cf7c 2897 if (ret != 0 || secretSz != SECRET_LEN)
wolfSSL 15:117db924cf7c 2898 return SESSION_SECRET_CB_E;
wolfSSL 15:117db924cf7c 2899 }
wolfSSL 15:117db924cf7c 2900 #endif /* HAVE_SECRET_CALLBACK */
wolfSSL 15:117db924cf7c 2901
wolfSSL 15:117db924cf7c 2902 #ifndef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 2903 /* Version only negotiated in extensions for TLS v1.3.
wolfSSL 15:117db924cf7c 2904 * Only now do we know how to deal with session id.
wolfSSL 15:117db924cf7c 2905 */
wolfSSL 15:117db924cf7c 2906 if (!IsAtLeastTLSv1_3(ssl->version)) {
wolfSSL 15:117db924cf7c 2907 #ifndef WOLFSSL_NO_TLS12
wolfSSL 15:117db924cf7c 2908 ssl->arrays->sessionIDSz = sessIdSz;
wolfSSL 15:117db924cf7c 2909
wolfSSL 15:117db924cf7c 2910 if (ssl->arrays->sessionIDSz > ID_LEN) {
wolfSSL 15:117db924cf7c 2911 WOLFSSL_MSG("Invalid session ID size");
wolfSSL 15:117db924cf7c 2912 ssl->arrays->sessionIDSz = 0;
wolfSSL 15:117db924cf7c 2913 return BUFFER_ERROR;
wolfSSL 15:117db924cf7c 2914 }
wolfSSL 15:117db924cf7c 2915 else if (ssl->arrays->sessionIDSz) {
wolfSSL 15:117db924cf7c 2916 XMEMCPY(ssl->arrays->sessionID, sessId, ssl->arrays->sessionIDSz);
wolfSSL 15:117db924cf7c 2917 ssl->options.haveSessionId = 1;
wolfSSL 15:117db924cf7c 2918 }
wolfSSL 15:117db924cf7c 2919
wolfSSL 15:117db924cf7c 2920 /* Force client hello version 1.2 to work for static RSA. */
wolfSSL 15:117db924cf7c 2921 ssl->chVersion.minor = TLSv1_2_MINOR;
wolfSSL 15:117db924cf7c 2922 /* Complete TLS v1.2 processing of ServerHello. */
wolfSSL 15:117db924cf7c 2923 ret = CompleteServerHello(ssl);
wolfSSL 15:117db924cf7c 2924 #else
wolfSSL 15:117db924cf7c 2925 WOLFSSL_MSG("Client using higher version, fatal error");
wolfSSL 15:117db924cf7c 2926 ret = VERSION_ERROR;
wolfSSL 15:117db924cf7c 2927 #endif
wolfSSL 15:117db924cf7c 2928
wolfSSL 15:117db924cf7c 2929 WOLFSSL_LEAVE("DoTls13ServerHello", ret);
wolfSSL 15:117db924cf7c 2930
wolfSSL 15:117db924cf7c 2931 return ret;
wolfSSL 15:117db924cf7c 2932 }
wolfSSL 15:117db924cf7c 2933
wolfSSL 15:117db924cf7c 2934 #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
wolfSSL 15:117db924cf7c 2935 if (sessIdSz == 0)
wolfSSL 15:117db924cf7c 2936 return INVALID_PARAMETER;
wolfSSL 15:117db924cf7c 2937 if (ssl->session.sessionIDSz != 0) {
wolfSSL 15:117db924cf7c 2938 if (ssl->session.sessionIDSz != sessIdSz ||
wolfSSL 15:117db924cf7c 2939 XMEMCMP(ssl->session.sessionID, sessId, sessIdSz) != 0) {
wolfSSL 15:117db924cf7c 2940 return INVALID_PARAMETER;
wolfSSL 15:117db924cf7c 2941 }
wolfSSL 15:117db924cf7c 2942 }
wolfSSL 15:117db924cf7c 2943 else if (XMEMCMP(ssl->arrays->clientRandom, sessId, sessIdSz) != 0)
wolfSSL 15:117db924cf7c 2944 return INVALID_PARAMETER;
wolfSSL 15:117db924cf7c 2945 #else
wolfSSL 15:117db924cf7c 2946 if (sessIdSz != ssl->session.sessionIDSz || (sessIdSz > 0 &&
wolfSSL 15:117db924cf7c 2947 XMEMCMP(ssl->session.sessionID, sessId, sessIdSz) != 0)) {
wolfSSL 15:117db924cf7c 2948 WOLFSSL_MSG("Server sent different session id");
wolfSSL 15:117db924cf7c 2949 return INVALID_PARAMETER;
wolfSSL 15:117db924cf7c 2950 }
wolfSSL 15:117db924cf7c 2951 #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */
wolfSSL 15:117db924cf7c 2952 #endif
wolfSSL 15:117db924cf7c 2953
wolfSSL 15:117db924cf7c 2954 ret = SetCipherSpecs(ssl);
wolfSSL 15:117db924cf7c 2955 if (ret != 0)
wolfSSL 15:117db924cf7c 2956 return ret;
wolfSSL 15:117db924cf7c 2957
wolfSSL 15:117db924cf7c 2958 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
wolfSSL 15:117db924cf7c 2959 #ifndef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 2960 if (*extMsgType == server_hello)
wolfSSL 15:117db924cf7c 2961 #endif
wolfSSL 15:117db924cf7c 2962 {
wolfSSL 15:117db924cf7c 2963 ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
wolfSSL 15:117db924cf7c 2964 if (ext != NULL)
wolfSSL 15:117db924cf7c 2965 psk = (PreSharedKey*)ext->data;
wolfSSL 15:117db924cf7c 2966 while (psk != NULL && !psk->chosen)
wolfSSL 15:117db924cf7c 2967 psk = psk->next;
wolfSSL 15:117db924cf7c 2968 if (psk == NULL) {
wolfSSL 15:117db924cf7c 2969 ssl->options.resuming = 0;
wolfSSL 15:117db924cf7c 2970 ssl->arrays->psk_keySz = 0;
wolfSSL 15:117db924cf7c 2971 XMEMSET(ssl->arrays->psk_key, 0, MAX_PSK_KEY_LEN);
wolfSSL 15:117db924cf7c 2972 }
wolfSSL 15:117db924cf7c 2973 else if ((ret = SetupPskKey(ssl, psk)) != 0)
wolfSSL 15:117db924cf7c 2974 return ret;
wolfSSL 15:117db924cf7c 2975 }
wolfSSL 15:117db924cf7c 2976 #endif
wolfSSL 15:117db924cf7c 2977
wolfSSL 15:117db924cf7c 2978 #ifdef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 2979 ssl->keys.encryptionOn = 1;
wolfSSL 15:117db924cf7c 2980 #else
wolfSSL 15:117db924cf7c 2981 if (*extMsgType == server_hello) {
wolfSSL 15:117db924cf7c 2982 ssl->keys.encryptionOn = 1;
wolfSSL 15:117db924cf7c 2983 ssl->options.serverState = SERVER_HELLO_COMPLETE;
wolfSSL 15:117db924cf7c 2984 }
wolfSSL 15:117db924cf7c 2985 else {
wolfSSL 15:117db924cf7c 2986 ssl->options.tls1_3 = 1;
wolfSSL 15:117db924cf7c 2987 ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
wolfSSL 15:117db924cf7c 2988
wolfSSL 15:117db924cf7c 2989 ret = RestartHandshakeHash(ssl);
wolfSSL 15:117db924cf7c 2990 }
wolfSSL 15:117db924cf7c 2991 #endif
wolfSSL 15:117db924cf7c 2992
wolfSSL 15:117db924cf7c 2993 WOLFSSL_LEAVE("DoTls13ServerHello", ret);
wolfSSL 15:117db924cf7c 2994 WOLFSSL_END(WC_FUNC_SERVER_HELLO_DO);
wolfSSL 15:117db924cf7c 2995
wolfSSL 15:117db924cf7c 2996 return ret;
wolfSSL 15:117db924cf7c 2997 }
wolfSSL 15:117db924cf7c 2998
/* handle processing TLS 1.3 encrypted_extensions (8) */
/* Parse and handle an EncryptedExtensions message.
 * Only a client will receive this message.
 *
 * The message is a two-byte length followed by that many bytes of extension
 * data. Both the length field and the extension data are checked against
 * totalSz before they are read.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of
 *           EncryptedExtensions.
 *           On exit, the index of byte after the EncryptedExtensions
 *           message.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input,
                                      word32* inOutIdx, word32 totalSz)
{
    int          ret;
    const word32 start = *inOutIdx;
    word32       pos = start;
    word16       extLen;

    WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_DO);
    WOLFSSL_ENTER("DoTls13EncryptedExtensions");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName(ssl, "EncryptedExtensions");
    if (ssl->toInfoOn)
        AddLateName("EncryptedExtensions", &ssl->timeoutInfo);
#endif

    /* The two-byte length of the extension block must be inside the message. */
    if (pos - start + OPAQUE16_LEN > totalSz)
        return BUFFER_ERROR;
    ato16(input + pos, &extLen);
    pos += OPAQUE16_LEN;

    /* The extension block itself must be inside the message as well. */
    if (totalSz < pos - start + extLen)
        return BUFFER_ERROR;
    ret = TLSX_Parse(ssl, (byte *)(input + pos), extLen, encrypted_extensions,
                     NULL);
    if (ret != 0)
        return ret;

    /* Step past the extensions, then past the record padding: this message is
     * always encrypted.
     */
    *inOutIdx = pos + extLen + ssl->keys.padSz;

#ifdef WOLFSSL_EARLY_DATA
    /* Early data stays enabled only when the parsed extensions include
     * early_data with a non-zero value.
     */
    if (ssl->earlyData != no_early_data) {
        TLSX* earlyExt = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);

        if (earlyExt == NULL || !earlyExt->val)
            ssl->earlyData = no_early_data;
    }
    /* Without early data the encrypt side keys are set now. */
    if (ssl->earlyData == no_early_data) {
        ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
        if (ret != 0)
            return ret;
    }
#endif

    ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;

    WOLFSSL_LEAVE("DoTls13EncryptedExtensions", ret);
    WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_DO);

    return ret;
}
wolfSSL 15:117db924cf7c 3070
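/* handle processing TLS v1.3 certificate_request (13) */
/* Handle a TLS v1.3 CertificateRequest message.
 * This message is always encrypted.
 * Only a client will receive this message.
 *
 * Every length field in the message comes from the peer and is checked
 * against size before the bytes it describes are read or skipped.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of CertificateRequest.
 *           On exit, the index of byte after the CertificateRequest message.
 * size      The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
                                     word32* inOutIdx, word32 size)
{
    word16      len;
    word32      begin = *inOutIdx;
    int         ret = 0;
#ifndef WOLFSSL_TLS13_DRAFT_18
    Suites      peerSuites;
#endif
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    CertReqCtx* certReqCtx;
#endif

    WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_DO);
    WOLFSSL_ENTER("DoTls13CertificateRequest");

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* peerSuites is handed to TLSX_Parse to be filled in. Nothing visible here
     * guarantees hashSigAlgoSz is written when the server omits
     * signature_algorithms, so start from an empty list rather than letting
     * PickHashSigAlgo read whatever was on the stack.
     */
    XMEMSET(&peerSuites, 0, sizeof(peerSuites));
#endif

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateRequest");
    if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo);
#endif

    if ((*inOutIdx - begin) + OPAQUE8_LEN > size)
        return BUFFER_ERROR;

    /* Length of the request context. */
    len = input[(*inOutIdx)++];
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    /* A non-empty context is rejected until the handshake has finished. */
    if (ssl->options.connectState < FINISHED_DONE && len > 0)
        return BUFFER_ERROR;

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    /* CertReqCtx has one byte at end for context value.
     * Increase size to handle other implementations sending more than one byte.
     * That is, allocate extra space, over one byte, to hold the context value.
     *
     * NOTE(review): with len == 0 this requests one byte less than
     * sizeof(CertReqCtx); confirm that is intended.
     */
    certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx) + len - 1, ssl->heap,
                                      DYNAMIC_TYPE_TMP_BUFFER);
    if (certReqCtx == NULL)
        return MEMORY_E;
    /* Push the new context onto the front of the list kept in ssl. */
    certReqCtx->next = ssl->certReqCtx;
    certReqCtx->len = len;
    XMEMCPY(&certReqCtx->ctx, input + *inOutIdx, len);
    ssl->certReqCtx = certReqCtx;
#endif
    *inOutIdx += len;

#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Signature and hash algorithms. */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    PickHashSigAlgo(ssl, input + *inOutIdx, len);
    *inOutIdx += len;

    /* Length of certificate authority data. */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;

    /* Certificate authorities. The names are skipped, not stored. */
    while (len) {
        word16 dnSz;

        /* An entry's two-byte length must itself be inside the list. */
        if (len < OPAQUE16_LEN)
            return BUFFER_ERROR;
        if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
            return BUFFER_ERROR;

        ato16(input + *inOutIdx, &dnSz);
        *inOutIdx += OPAQUE16_LEN;

        if ((*inOutIdx - begin) + dnSz > size)
            return BUFFER_ERROR;
        /* The name must also fit in what is left of the list. len is an
         * unsigned 16-bit count, so subtracting more than it holds would wrap
         * and let the loop run on into the fields after the list.
         */
        if (dnSz > len - OPAQUE16_LEN)
            return BUFFER_ERROR;

        *inOutIdx += dnSz;
        len -= OPAQUE16_LEN + dnSz;
    }

    /* Certificate extensions */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    *inOutIdx += len;
#else
    /* TODO: Add support for more extensions:
     *   signed_certificate_timestamp, certificate_authorities, oid_filters.
     */
    /* Certificate extensions */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    /* An empty extension block is rejected. */
    if (len == 0)
        return INVALID_PARAMETER;
    if ((ret = TLSX_Parse(ssl, (byte *)(input + *inOutIdx), len,
                          certificate_request, &peerSuites))) {
        return ret;
    }
    *inOutIdx += len;

    PickHashSigAlgo(ssl, peerSuites.hashSigAlgo, peerSuites.hashSigAlgoSz);
#endif

    /* Answer with a certificate only when both a certificate and its key are
     * loaded; otherwise answer with an empty certificate.
     */
    if (ssl->buffers.certificate && ssl->buffers.certificate->buffer &&
        ssl->buffers.key && ssl->buffers.key->buffer)
        ssl->options.sendVerify = SEND_CERT;
    else
        ssl->options.sendVerify = SEND_BLANK_CERT;

    /* This message is always encrypted so add encryption padding. */
    *inOutIdx += ssl->keys.padSz;

    WOLFSSL_LEAVE("DoTls13CertificateRequest", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_DO);

    return ret;
}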
wolfSSL 15:117db924cf7c 3210
wolfSSL 15:117db924cf7c 3211 #endif /* !NO_WOLFSSL_CLIENT */
wolfSSL 15:117db924cf7c 3212
wolfSSL 15:117db924cf7c 3213 #ifndef NO_WOLFSSL_SERVER
wolfSSL 15:117db924cf7c 3214 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
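/* Refine list of supported cipher suites to those common to server and client.
 * The refined list follows the order of ssl's own list and replaces it.
 *
 * ssl         SSL/TLS object.
 * peerSuites  The peer's advertised list of supported cipher suites.
 */
static void RefineSuites(WOLFSSL* ssl, Suites* peerSuites)
{
    byte suites[WOLFSSL_MAX_SUITE_SZ];
    int  suiteSz = 0;
    int  i, j;

    /* The whole scratch buffer is copied into ssl->suites below, so clear it
     * first: otherwise the bytes after suiteSz would be uninitialised stack
     * contents.
     */
    XMEMSET(suites, 0, sizeof(suites));

    /* Suites are two bytes each; a trailing odd byte is not a suite. */
    for (i = 0; i + 1 < ssl->suites->suiteSz; i += 2) {
        for (j = 0; j + 1 < peerSuites->suiteSz; j += 2) {
            if (ssl->suites->suites[i+0] != peerSuites->suites[j+0] ||
                ssl->suites->suites[i+1] != peerSuites->suites[j+1]) {
                continue;
            }
            /* Repeated entries in either list produce repeated matches; never
             * write past the end of the scratch buffer.
             */
            if (suiteSz + 2 > (int)sizeof(suites))
                break;
            suites[suiteSz++] = peerSuites->suites[j+0];
            suites[suiteSz++] = peerSuites->suites[j+1];
        }
    }

    ssl->suites->suiteSz = suiteSz;
    XMEMCPY(ssl->suites->suites, &suites, sizeof(suites));
}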
wolfSSL 15:117db924cf7c 3239
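/* Handle any Pre-Shared Key (PSK) extension.
 * Must do this in ClientHello as it requires a hash of the truncated message.
 * Don't know size of binders until Pre-Shared Key extension has been parsed.
 *
 * Each identity offered by the client is tried in turn, first as a session
 * ticket and then through the server PSK callback. The first identity that
 * yields a key must carry a binder matching the HMAC computed here, otherwise
 * the handshake fails with BAD_BINDER.
 *
 * The identity length and the binder are taken from the ClientHello: the
 * length is bounded before the identity is copied, and the binder is compared
 * with ConstantCompare so the comparison time does not depend on how many
 * leading bytes match.
 *
 * NOTE(review): binderKey and binder are stack buffers holding key material
 * and are not cleared before returning.
 *
 * ssl       The SSL/TLS object.
 * input     The ClientHello message.
 * helloSz   The size of the ClientHello message (including binders if present).
 * usingPSK  Indicates handshake is using Pre-Shared Keys.
 * returns 0 on success and otherwise failure.
 */
static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
                           int* usingPSK)
{
    int           ret;
    TLSX*         ext;
    word16        bindersLen;
    PreSharedKey* current;
    byte          binderKey[WC_MAX_DIGEST_SIZE];
    byte          binder[WC_MAX_DIGEST_SIZE];
    word32        binderLen;
    word16        modes;
    byte          suite[2];
#ifdef WOLFSSL_EARLY_DATA
    int           pskCnt = 0;
    TLSX*         extEarlyData;
#endif

    WOLFSSL_ENTER("DoPreSharedKeys");

    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    if (ext == NULL) {
#ifdef WOLFSSL_EARLY_DATA
        ssl->earlyData = no_early_data;
#endif
        return 0;
    }

    /* Extensions pushed on stack/list and PSK must be last. */
    if (ssl->extensions != ext)
        return PSK_KEY_ERROR;

    /* Assume we are going to resume with a pre-shared key. */
    ssl->options.resuming = 1;

    /* Find the pre-shared key extension and calculate hash of truncated
     * ClientHello for binders.
     */
    bindersLen = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
                                                  client_hello);

    /* Hash data up to binders for deriving binders in PSK extension. */
    ret = HashInput(ssl, input, helloSz - bindersLen);
    if (ret != 0)
        return ret;

    /* Look through all client's pre-shared keys for a match. */
    current = (PreSharedKey*)ext->data;
    while (current != NULL) {
    #ifdef WOLFSSL_EARLY_DATA
        pskCnt++;
    #endif

    #ifndef NO_PSK
        /* identityLen is taken from the ClientHello. The copy, plus the
         * terminator written at index identityLen, must stay inside
         * client_identity.
         * Assumes client_identity holds MAX_PSK_ID_LEN bytes plus one for the
         * terminator - confirm against the declaration of Arrays.
         */
        if (current->identityLen > MAX_PSK_ID_LEN)
            return BUFFER_ERROR;
        XMEMCPY(ssl->arrays->client_identity, current->identity,
                current->identityLen);
        ssl->arrays->client_identity[current->identityLen] = '\0';
    #endif

    #ifdef HAVE_SESSION_TICKET
        /* Decode the identity. */
        if ((ret = DoClientTicket(ssl, current->identity, current->identityLen))
                                                     == WOLFSSL_TICKET_RET_OK) {
            word32 now;
            int    diff;

            now = TimeNowInMilliseconds();
            if (now == (word32)GETTIME_ERROR)
                return now;
            diff = now - ssl->session.ticketSeen;
            diff -= current->ticketAge - ssl->session.ticketAdd;
            /* Check session and ticket age timeout.
             * Allow +/- 1000 milliseconds on ticket age.
             */
            if (diff > (int)ssl->timeout * 1000 || diff < -1000 ||
                diff - MAX_TICKET_AGE_SECS * 1000 > 1000) {
                /* Invalid difference, fallback to full handshake. */
                /* NOTE(review): this break leaves current non-NULL, so the
                 * code after the loop still runs (the rest of the ClientHello
                 * is hashed and *usingPSK is set) although no binder was
                 * checked and no PSK was marked chosen. Confirm this is the
                 * intended fallback.
                 */
                ssl->options.resuming = 0;
                break;
            }

            /* Check whether resumption is possible based on suites in SSL and
             * ciphersuite in ticket.
             */
            suite[0] = ssl->session.cipherSuite0;
            suite[1] = ssl->session.cipherSuite;
            if (!FindSuite(ssl, suite)) {
                current = current->next;
                continue;
            }

        #ifdef WOLFSSL_EARLY_DATA
            ssl->options.maxEarlyDataSz = ssl->session.maxEarlyDataSz;
        #endif
            /* Use the same cipher suite as before and set up for use. */
            ssl->options.cipherSuite0 = ssl->session.cipherSuite0;
            ssl->options.cipherSuite  = ssl->session.cipherSuite;
            ret = SetCipherSpecs(ssl);
            if (ret != 0)
                return ret;

            /* Resumption PSK is resumption master secret. */
            ssl->arrays->psk_keySz = ssl->specs.hash_size;
        #ifdef WOLFSSL_TLS13_DRAFT_18
            XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret,
                    ssl->arrays->psk_keySz);
        #else
            if ((ret = DeriveResumptionPSK(ssl, ssl->session.ticketNonce.data,
                   ssl->session.ticketNonce.len, ssl->arrays->psk_key)) != 0) {
                return ret;
            }
        #endif

            /* Derive the early secret using the PSK. */
            ret = DeriveEarlySecret(ssl);
            if (ret != 0)
                return ret;
            /* Derive the binder key to use to with HMAC. */
            ret = DeriveBinderKeyResume(ssl, binderKey);
            if (ret != 0)
                return ret;
        }
        else
    #endif
    #ifndef NO_PSK
        if (ssl->options.server_psk_cb != NULL &&
            (ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
                             ssl->arrays->client_identity, ssl->arrays->psk_key,
                             MAX_PSK_KEY_LEN)) != 0) {
            /* The callback reports the key length; do not trust a value larger
             * than the buffer it was given.
             */
            if (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN)
                return PSK_KEY_ERROR;
            /* TODO: Callback should be able to specify ciphersuite. */

            suite[0] = TLS13_BYTE;
            suite[1] = WOLFSSL_DEF_PSK_CIPHER;
            if (!FindSuite(ssl, suite)) {
                current = current->next;
                continue;
            }

            /* Default to ciphersuite if cb doesn't specify. */
            ssl->options.resuming = 0;

            /* PSK age is always zero. */
            if (current->ticketAge != ssl->session.ticketAdd)
                return PSK_KEY_ERROR;

            /* Check whether PSK ciphersuite is in SSL. */
            ssl->options.cipherSuite0 = TLS13_BYTE;
            ssl->options.cipherSuite  = WOLFSSL_DEF_PSK_CIPHER;
            ret = SetCipherSpecs(ssl);
            if (ret != 0)
                return ret;

            /* Derive the early secret using the PSK. */
            ret = DeriveEarlySecret(ssl);
            if (ret != 0)
                return ret;
            /* Derive the binder key to use to with HMAC. */
            ret = DeriveBinderKey(ssl, binderKey);
            if (ret != 0)
                return ret;
        }
        else
    #endif
        {
            /* Neither a usable ticket nor a key from the callback. */
            current = current->next;
            continue;
        }

        ssl->options.sendVerify = 0;

        /* Derive the Finished message secret. */
        ret = DeriveFinishedSecret(ssl, binderKey,
                                   ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            return ret;

        /* Derive the binder and compare with the one in the extension. */
        ret = BuildTls13HandshakeHmac(ssl,
                         ssl->keys.client_write_MAC_secret, binder, &binderLen);
        if (ret != 0)
            return ret;
        /* The binder is a MAC supplied by the peer: compare in constant time,
         * as CheckCookie does for the cookie MAC.
         */
        if (binderLen != current->binderLen ||
            ConstantCompare(binder, current->binder, (int)binderLen) != 0) {
            return BAD_BINDER;
        }

        /* This PSK works, no need to try any more. */
        current->chosen = 1;
        ext->resp = 1;
        break;
    }

    /* No offered identity produced a key. */
    if (current == NULL) {
#ifdef WOLFSSL_PSK_ID_PROTECTION
    #ifndef NO_CERTS
        if (ssl->buffers.certChainCnt != 0)
            return 0;
    #endif
        return BAD_BINDER;
#else
        return 0;
#endif
    }

    /* Hash the rest of the ClientHello. */
    ret = HashInputRaw(ssl, input + helloSz - bindersLen, bindersLen);
    if (ret != 0)
        return ret;

#ifdef WOLFSSL_EARLY_DATA
    extEarlyData = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
    if (extEarlyData != NULL) {
        /* Early data is processed only when the first identity in the list is
         * the one in use.
         */
        if (ssl->earlyData != no_early_data && current == ext->data) {
            extEarlyData->resp = 1;

            /* Derive early data decryption key. */
            ret = DeriveTls13Keys(ssl, early_data_key, DECRYPT_SIDE_ONLY, 1);
            if (ret != 0)
                return ret;
            if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
                return ret;

            ssl->earlyData = process_early_data;
        }
        else
            extEarlyData->resp = 0;
    }
#endif

    /* Get the PSK key exchange modes the client wants to negotiate. */
    ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
    if (ext == NULL)
        return MISSING_HANDSHAKE_DATA;
    modes = ext->val;

    ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
    /* Use (EC)DHE for forward-security if possible. */
    if ((modes & (1 << PSK_DHE_KE)) != 0 && !ssl->options.noPskDheKe &&
                                                                  ext != NULL) {
        /* Only use named group used in last session. */
        ssl->namedGroup = ssl->session.namedGroup;

        /* Pick key share and Generate a new key if not present. */
        ret = TLSX_KeyShare_Establish(ssl);
        if (ret == KEY_SHARE_ERROR) {
            /* No usable key share: ask the client to retry. */
            ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
            ret = 0;
        }
        else if (ret < 0)
            return ret;

        /* Send new public key to client. */
        ext->resp = 1;
    }
    else {
        /* PSK-only key exchange must have been offered by the client. */
        if ((modes & (1 << PSK_KE)) == 0)
            return PSK_KEY_ERROR;
        ssl->options.noPskDheKe = 1;
    }

    *usingPSK = 1;

    WOLFSSL_LEAVE("DoPreSharedKeys", ret);

    return ret;
}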
wolfSSL 15:117db924cf7c 3517 #endif
wolfSSL 15:117db924cf7c 3518
wolfSSL 15:117db924cf7c 3519 #if !defined(WOLFSSL_TLS13_DRAFT_18) && defined(WOLFSSL_SEND_HRR_COOKIE)
/* Check the integrity of the Cookie data.
 * The cookie is a hash followed by an HMAC of that hash, keyed with the TLS 1.3
 * cookie secret held in ssl. The HMAC is recomputed and compared with the one
 * in the cookie using ConstantCompare.
 *
 * ssl       SSL/TLS object.
 * cookie    The cookie data - hash and MAC.
 * cookieSz  The length of the cookie data in bytes.
 * returns Length of the hash on success, otherwise failure.
 */
static int CheckCookie(WOLFSSL* ssl, byte* cookie, byte cookieSz)
{
    Hmac hmac;
    byte expected[WC_MAX_DIGEST_SIZE];
    byte hashType;
    byte tagLen;
    int  rc;

    /* SHA-256 when it is built in, otherwise SHA-1. */
#ifndef NO_SHA256
    hashType = WC_SHA256;
    tagLen   = WC_SHA256_DIGEST_SIZE;
#elif !defined(NO_SHA)
    hashType = SHA;
    tagLen   = WC_SHA_DIGEST_SIZE;
#endif

    /* Too short to hold a handshake hash followed by the MAC. */
    if (cookieSz < ssl->specs.hash_size + tagLen)
        return HRR_COOKIE_ERROR;
    /* From here on cookieSz is the length of the hash alone. */
    cookieSz -= tagLen;

    /* Recompute the MAC over the hash part with the cookie secret. */
    rc = wc_HmacSetKey(&hmac, hashType,
                       ssl->buffers.tls13CookieSecret.buffer,
                       ssl->buffers.tls13CookieSecret.length);
    if (rc == 0)
        rc = wc_HmacUpdate(&hmac, cookie, cookieSz);
    if (rc == 0)
        rc = wc_HmacFinal(&hmac, expected);
    if (rc != 0)
        return rc;

    /* The received MAC sits directly after the hash. */
    if (ConstantCompare(cookie + cookieSz, expected, tagLen) != 0)
        return HRR_COOKIE_ERROR;

    return cookieSz;
}
wolfSSL 15:117db924cf7c 3562
/* Sizes used to rebuild a HelloRetryRequest in a fixed stack buffer
 * (hrr[MAX_HRR_SZ] in RestartHandshakeHashWithCookie). The cookie data itself
 * is hashed separately and is not counted in MAX_HRR_SZ.
 */
/* Length of the KeyShare Extension: type | length | named group */
#define HRR_KEY_SHARE_SZ   (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
/* Length of the Supported Versions Extension: type | length | version */
#define HRR_VERSIONS_SZ    (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
/* Length of the Cookie Extension excluding cookie data */
#define HRR_COOKIE_HDR_SZ  (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
#ifdef WOLFSSL_TLS13_DRAFT_18
/* PV | CipherSuite | Ext Len */
#define HRR_BODY_SZ        (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
/* HH | PV | CipherSuite | Ext Len | Key Share | Cookie */
#define MAX_HRR_SZ   (HANDSHAKE_HEADER_SZ   + \
                        HRR_BODY_SZ         + \
                          HRR_KEY_SHARE_SZ  + \
                          HRR_COOKIE_HDR_SZ)
#else
/* PV | Random | Session Id | CipherSuite | Compression | Ext Len */
#define HRR_BODY_SZ        (VERSION_SZ + RAN_LEN + ENUM_LEN + ID_LEN + \
                            SUITE_LEN + COMP_LEN + OPAQUE16_LEN)
/* HH | PV | Random | Session Id | CipherSuite | Compression | Ext Len |
 * Key Share | Supported Version | Cookie
 * The session id is counted at its maximum, ID_LEN; code writing into a
 * buffer of this size relies on the session id never being longer.
 */
#define MAX_HRR_SZ   (HANDSHAKE_HEADER_SZ   + \
                        HRR_BODY_SZ         + \
                          HRR_KEY_SHARE_SZ  + \
                          HRR_VERSIONS_SZ   + \
                          HRR_COOKIE_HDR_SZ)
#endif
wolfSSL 15:117db924cf7c 3588
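/* Restart the Handshake hash from the cookie value.
 *
 * Used for a stateless HelloRetryRequest: the cookie the client echoes back
 * carries what the server needs to rebuild the transcript. As consumed here,
 * the authenticated part of the cookie is:
 *   hash length (1) | hash of first ClientHello | cipher suite (2) |
 *   optional key share named group (2)
 * followed by the MAC that CheckCookie() verifies. The handshake hash is
 * re-initialised and fed, in order: the synthetic message_hash message, the
 * reconstructed HelloRetryRequest, and the cookie itself.
 *
 * This function is only compiled when WOLFSSL_TLS13_DRAFT_18 is not defined
 * (see the enclosing #if), so the draft 18 branches below are not built.
 *
 * ssl     SSL/TLS object.
 * cookie  Cookie data from client.
 * returns 0 on success, HRR_COOKIE_ERROR when the cookie is malformed or
 *         fails its integrity check, otherwise failure.
 */
static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
{
    byte   header[HANDSHAKE_HEADER_SZ];
    byte   hrr[MAX_HRR_SZ];
    int    hrrIdx;
    word32 idx;
    byte   hashSz;
    byte*  cookieData;
    byte   cookieDataSz;
    word16 length;
    int    keyShareExt = 0;
    int    ret;

    /* CheckCookie() takes the length as a single byte, while cookie->len is
     * used below as a 16-bit value. Reject a longer cookie rather than let
     * the length wrap: otherwise the MAC would be checked over a prefix only
     * and the remaining, unauthenticated bytes would still be hashed into the
     * transcript. */
    if (cookie->len > 0xFF)
        return HRR_COOKIE_ERROR;

    ret = CheckCookie(ssl, &cookie->data, (byte)cookie->len);
    if (ret < 0)
        return ret;
    cookieDataSz = (byte)ret;

    /* First byte of the cookie data is the length of the hash. */
    hashSz = cookie->data;
    cookieData = &cookie->data;
    idx = OPAQUE8_LEN;

    /* The authenticated data must cover every field read below: the hash
     * length byte, the hash and the cipher suite. */
    if (cookieDataSz < OPAQUE8_LEN + hashSz + OPAQUE16_LEN)
        return HRR_COOKIE_ERROR;

    /* Restart handshake hash with synthetic message hash. */
    AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl);
    if ((ret = InitHandshakeHashes(ssl)) != 0)
        return ret;
    if ((ret = HashOutputRaw(ssl, header, sizeof(header))) != 0)
        return ret;
    if ((ret = HashOutputRaw(ssl, cookieData + idx, hashSz)) != 0)
        return ret;

    /* Reconstruct the HelloRetryMessage for handshake hash. */
#ifdef WOLFSSL_TLS13_DRAFT_18
    length = HRR_BODY_SZ + HRR_COOKIE_HDR_SZ + cookie->len;
#else
    length = HRR_BODY_SZ - ID_LEN + ssl->session.sessionIDSz +
             HRR_COOKIE_HDR_SZ + cookie->len;
    length += HRR_VERSIONS_SZ;
#endif
    /* A key share group is present only when two more authenticated bytes
     * follow the hash length byte, the hash and the cipher suite. The length
     * byte has to be counted here, otherwise a cookie without a group would
     * be read two bytes past its authenticated data (into the MAC). */
    if (cookieDataSz >= OPAQUE8_LEN + hashSz + OPAQUE16_LEN + OPAQUE16_LEN) {
        keyShareExt = 1;
        length += HRR_KEY_SHARE_SZ;
    }
#ifdef WOLFSSL_TLS13_DRAFT_18
    AddTls13HandShakeHeader(hrr, length, 0, 0, hello_retry_request, ssl);

    idx += hashSz;
    hrrIdx = HANDSHAKE_HEADER_SZ;
    /* TODO: [TLS13] Replace existing code with code in comment.
     * Use the TLS v1.3 draft version for now.
     *
     * Change to:
     * hrr[hrrIdx++] = ssl->version.major;
     * hrr[hrrIdx++] = ssl->version.minor;
     */
    /* The negotiated protocol version. */
    hrr[hrrIdx++] = TLS_DRAFT_MAJOR;
    hrr[hrrIdx++] = TLS_DRAFT_MINOR;
    /* Cipher Suite */
    hrr[hrrIdx++] = cookieData[idx++];
    hrr[hrrIdx++] = cookieData[idx++];

    /* Extensions' length */
    length -= HRR_BODY_SZ;
    c16toa(length, hrr + hrrIdx);
    hrrIdx += 2;
#else
    AddTls13HandShakeHeader(hrr, length, 0, 0, server_hello, ssl);

    idx += hashSz;
    hrrIdx = HANDSHAKE_HEADER_SZ;

    /* The negotiated protocol version. */
    hrr[hrrIdx++] = ssl->version.major;
    hrr[hrrIdx++] = TLSv1_2_MINOR;

    /* HelloRetryRequest message has fixed value for random. */
    XMEMCPY(hrr + hrrIdx, helloRetryRequestRandom, RAN_LEN);
    hrrIdx += RAN_LEN;

    /* Session id echoed from the ClientHello. hrr[] is sized for at most
     * ID_LEN bytes here (see MAX_HRR_SZ). */
    hrr[hrrIdx++] = ssl->session.sessionIDSz;
    if (ssl->session.sessionIDSz > 0) {
        XMEMCPY(hrr + hrrIdx, ssl->session.sessionID, ssl->session.sessionIDSz);
        hrrIdx += ssl->session.sessionIDSz;
    }

    /* Cipher Suite */
    hrr[hrrIdx++] = cookieData[idx++];
    hrr[hrrIdx++] = cookieData[idx++];

    /* Compression not supported in TLS v1.3. */
    hrr[hrrIdx++] = 0;

    /* Extensions' length */
    length -= HRR_BODY_SZ - ID_LEN + ssl->session.sessionIDSz;
    c16toa(length, hrr + hrrIdx);
    hrrIdx += 2;

#endif
    /* Optional KeyShare Extension */
    if (keyShareExt) {
        c16toa(TLSX_KEY_SHARE, hrr + hrrIdx);
        hrrIdx += 2;
        c16toa(OPAQUE16_LEN, hrr + hrrIdx);
        hrrIdx += 2;
        hrr[hrrIdx++] = cookieData[idx++];
        hrr[hrrIdx++] = cookieData[idx++];
    }
#ifndef WOLFSSL_TLS13_DRAFT_18
    c16toa(TLSX_SUPPORTED_VERSIONS, hrr + hrrIdx);
    hrrIdx += 2;
    c16toa(OPAQUE16_LEN, hrr + hrrIdx);
    hrrIdx += 2;
    /* TODO: [TLS13] Change to ssl->version.major and minor once final. */
    #ifdef WOLFSSL_TLS13_FINAL
    hrr[hrrIdx++] = ssl->version.major;
    hrr[hrrIdx++] = ssl->version.minor;
    #else
    hrr[hrrIdx++] = TLS_DRAFT_MAJOR;
    hrr[hrrIdx++] = TLS_DRAFT_MINOR;
    #endif
#endif
    /* Mandatory Cookie Extension */
    c16toa(TLSX_COOKIE, hrr + hrrIdx);
    hrrIdx += 2;
    c16toa(cookie->len + OPAQUE16_LEN, hrr + hrrIdx);
    hrrIdx += 2;
    c16toa(cookie->len, hrr + hrrIdx);
    hrrIdx += 2;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("Reconstucted HelloRetryRequest");
    WOLFSSL_BUFFER(hrr, hrrIdx);
    WOLFSSL_MSG("Cookie");
    WOLFSSL_BUFFER(cookieData, cookie->len);
#endif

    /* The cookie bytes are hashed straight from the extension data rather
     * than being copied into hrr[]. */
    if ((ret = HashOutputRaw(ssl, hrr, hrrIdx)) != 0)
        return ret;
    return HashOutputRaw(ssl, cookieData, cookie->len);
}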
wolfSSL 15:117db924cf7c 3734 #endif
wolfSSL 15:117db924cf7c 3735
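/* Handle a ClientHello handshake message.
 * If the protocol version in the message is not TLS v1.3 or higher, use
 * DoClientHello()
 * Only a server will receive this message.
 *
 * Every field is read from the peer's message, so each read is preceded by a
 * check of the running offset (i - begin) against helloSz.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of ClientHello.
 *           On exit, the index of byte after the ClientHello message and
 *           padding.
 * helloSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure: BUFFER_ERROR when a length
 *         field runs past helloSz, INVALID_PARAMETER for a bad session id or
 *         compression list, VERSION_ERROR when no acceptable version can be
 *         negotiated, or the error of the helper that failed.
 */
int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                       word32 helloSz)
{
    int             ret = VERSION_ERROR;
    byte            b;
    ProtocolVersion pv;
    Suites          clSuites;
    word32          i = *inOutIdx;
    word32          begin = i;
    word16          totalExtSz = 0;
    int             usingPSK = 0;
    byte            sessIdSz;
#ifndef WOLFSSL_NO_TLS12
    int             bogusID = 0;
#endif

    WOLFSSL_START(WC_FUNC_CLIENT_HELLO_DO);
    WOLFSSL_ENTER("DoTls13ClientHello");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello");
    if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo);
#endif

    /* protocol version, random and session id length check */
    if ((i - begin) + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz)
        return BUFFER_ERROR;

    /* Protocol version */
    XMEMCPY(&pv, input + i, OPAQUE16_LEN);
    ssl->chVersion = pv;   /* store */
    i += OPAQUE16_LEN;
    /* Legacy protocol version cannot negotiate TLS 1.3 or higher. */
    if (pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_3_MINOR)
        pv.minor = TLSv1_2_MINOR;

#ifndef WOLFSSL_NO_TLS12
    /* Object is already set to an earlier version: hand the whole message,
     * from its original index, to the TLS 1.2 and earlier handler. */
    if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor < TLSv1_3_MINOR)
        return DoClientHello(ssl, input, inOutIdx, helloSz);
#endif

#ifdef HAVE_SESSION_TICKET
    if (ssl->options.downgrade) {
        if ((ret = HashInput(ssl, input + begin, helloSz)) != 0)
            return ret;
    }
#endif

    /* Client random */
    XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN);
    i += RAN_LEN;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("client random");
    WOLFSSL_BUFFER(ssl->arrays->clientRandom, RAN_LEN);
#endif

#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Session id - empty in TLS v1.3 */
    sessIdSz = input[i++];
    if (sessIdSz > 0 && !ssl->options.downgrade) {
        WOLFSSL_MSG("Client sent session id - not supported");
        return BUFFER_ERROR;
    }
    /* NOTE(review): with downgrade enabled a session id shorter than ID_LEN
     * is accepted here but its bytes are not skipped below - confirm that
     * this path cannot be reached with such a message. */
#else
    sessIdSz = input[i++];
    if (sessIdSz != ID_LEN && sessIdSz != 0)
        return INVALID_PARAMETER;
#endif
    /* The length check at the top covers only the session id length byte.
     * Make sure the id itself lies inside the message before copying it,
     * otherwise the copy reads past the end of the ClientHello. */
    if (sessIdSz == ID_LEN && (i - begin) + ID_LEN > helloSz)
        return BUFFER_ERROR;
    ssl->session.sessionIDSz = sessIdSz;
    if (sessIdSz == ID_LEN) {
        XMEMCPY(ssl->session.sessionID, input + i, sessIdSz);
        i += ID_LEN;
    }
#ifndef WOLFSSL_NO_TLS12
    #ifdef HAVE_SESSION_TICKET
    if (sessIdSz > 0 && sessIdSz < ID_LEN)
        bogusID = 1;
    #endif
#endif

    /* Cipher suites */
    if ((i - begin) + OPAQUE16_LEN > helloSz)
        return BUFFER_ERROR;
    ato16(&input[i], &clSuites.suiteSz);
    i += OPAQUE16_LEN;
    /* suites and compression length check */
    if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz)
        return BUFFER_ERROR;
    /* Bound the copy into the fixed-size suites array. */
    if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ)
        return BUFFER_ERROR;
    XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz);
    i += clSuites.suiteSz;
    clSuites.hashSigAlgoSz = 0;

    /* Compression */
    b = input[i++];
    if ((i - begin) + b > helloSz)
        return BUFFER_ERROR;
    if (b != COMP_LEN) {
        WOLFSSL_MSG("Must be one compression type in list");
        return INVALID_PARAMETER;
    }
    b = input[i++];
    if (b != NO_COMPRESSION) {
        WOLFSSL_MSG("Must be no compression type in list");
        return INVALID_PARAMETER;
    }

    /* Extensions are present only when bytes remain in the message. */
    if ((i - begin) < helloSz) {
        if ((i - begin) + OPAQUE16_LEN > helloSz)
            return BUFFER_ERROR;
        ato16(&input[i], &totalExtSz);
        i += OPAQUE16_LEN;
        if ((i - begin) + totalExtSz > helloSz)
            return BUFFER_ERROR;

    #ifdef HAVE_QSH
        QSH_Init(ssl);
    #endif

        /* Auto populate extensions supported unless user defined. */
        if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0)
            return ret;

        /* Parse extensions */
        if ((ret = TLSX_Parse(ssl, (byte*)input + i, totalExtSz, client_hello,
                                                                  &clSuites))) {
            return ret;
        }

#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \
                                                        defined(WOLFSSL_HAPROXY)
        if ((ret = SNI_Callback(ssl)) != 0)
            return ret;
        ssl->options.side = WOLFSSL_SERVER_END;
#endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */
    }

    i += totalExtSz;
    *inOutIdx = i;

    /* Without a supported_versions extension the client is offering an
     * earlier version: allowed only when downgrade is enabled and the offered
     * version is not below the configured minimum. */
    if (TLSX_Find(ssl->extensions, TLSX_SUPPORTED_VERSIONS) == NULL) {
        if (!ssl->options.downgrade) {
            WOLFSSL_MSG("Client trying to connect with lesser version than "
                        "TLS v1.3");
            return VERSION_ERROR;
        }

        if (pv.minor < ssl->options.minDowngrade)
            return VERSION_ERROR;
        ssl->version.minor = pv.minor;
    }

    ssl->options.sendVerify = SEND_CERT;

    ssl->options.clientState = CLIENT_HELLO_COMPLETE;
    ssl->options.haveSessionId = 1;

    if (IsAtLeastTLSv1_3(ssl->version)) {
#if !defined(WOLFSSL_TLS13_DRAFT_18) && defined(WOLFSSL_SEND_HRR_COOKIE)
        /* Second ClientHello after a HelloRetryRequest with cookies enabled:
         * the cookie is required and is used to rebuild the transcript. */
        if (ssl->options.sendCookie &&
              ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
            TLSX* ext;

            if ((ext = TLSX_Find(ssl->extensions, TLSX_COOKIE)) == NULL)
                return HRR_COOKIE_ERROR;
            /* Ensure the cookie came from client and isn't the one in the
             * response - HelloRetryRequest.
             */
            if (ext->resp == 1)
                return HRR_COOKIE_ERROR;
            ret = RestartHandshakeHashWithCookie(ssl, (Cookie*)ext->data);
            if (ret != 0)
                return ret;
        }
#endif

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
        if (ssl->options.downgrade) {
            if ((ret = InitHandshakeHashes(ssl)) != 0)
                return ret;
        }

        /* Refine list for PSK processing. */
        RefineSuites(ssl, &clSuites);

        /* Process the Pre-Shared Key extension if present. */
        ret = DoPreSharedKeys(ssl, input + begin, helloSz, &usingPSK);
        if (ret != 0)
            return ret;
#endif
    }
#ifndef WOLFSSL_NO_TLS12
    else if (ssl->options.resuming) {
        ret = HandleTlsResumption(ssl, bogusID, &clSuites);
        if (ret != 0)
            return ret;
        /* Check whether resuming has been chosen */
        if (ssl->options.clientState == CLIENT_KEYEXCHANGE_COMPLETE) {
            WOLFSSL_LEAVE("DoTls13ClientHello", ret);
            WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);

            return ret;
        }
    }
#else
    else {
        WOLFSSL_MSG("Negotiated lesser version than TLS v1.3");
        return VERSION_ERROR;
    }
#endif

    if (!usingPSK) {
        if ((ret = MatchSuite(ssl, &clSuites)) < 0) {
            WOLFSSL_MSG("Unsupported cipher suite, ClientHello");
            return ret;
        }

        /* Check that the negotiated ciphersuite matches protocol version. */
        if (IsAtLeastTLSv1_3(ssl->version)) {
            if (ssl->options.cipherSuite0 != TLS13_BYTE) {
                WOLFSSL_MSG("Negotiated ciphersuite from lesser version than "
                            "TLS v1.3");
                return VERSION_ERROR;
            }
        }
        /* VerifyServerSuite handles when version is less than 1.3 */

#ifdef HAVE_SESSION_TICKET
        if (ssl->options.resuming) {
            /* No PSK is being used: drop the resumption state and clear the
             * key material held for it. */
            ssl->options.resuming = 0;
            XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size);
            /* May or may not have done any hashing. */
            if ((ret = InitHandshakeHashes(ssl)) != 0)
                return ret;
        }
#endif

#ifdef HAVE_SESSION_TICKET
        if (IsAtLeastTLSv1_3(ssl->version) || !ssl->options.downgrade)
#endif
        {
            if ((ret = HashInput(ssl, input + begin, helloSz)) != 0)
                return ret;
        }

        if (IsAtLeastTLSv1_3(ssl->version)) {
            /* Derive early secret for handshake secret. */
            if ((ret = DeriveEarlySecret(ssl)) != 0)
                return ret;
        }
    }

    WOLFSSL_LEAVE("DoTls13ClientHello", ret);
    WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);

    return ret;
}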
wolfSSL 15:117db924cf7c 4008
wolfSSL 15:117db924cf7c 4009 #ifdef WOLFSSL_TLS13_DRAFT_18
/* handle generation of TLS 1.3 hello_retry_request (6) */
/* Build the HelloRetryRequest message in the output buffer and, unless
 * messages are being grouped, send it. The message body is the protocol
 * version followed by the response extensions.
 * Only a server will send this message.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, MISSING_HANDSHAKE_DATA when the size of the response
 *         extensions cannot be obtained, otherwise failure.
 */
int SendTls13HelloRetryRequest(WOLFSSL* ssl)
{
    word32 pos = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    word16 extSz = 0;
    word32 bodySz;
    int    totalSz;
    byte*  msg;
    int    ret;

    WOLFSSL_ENTER("SendTls13HelloRetryRequest");

    /* Size of the extensions to be written. Any failure here is reported as
     * missing handshake data: the extensions tell the client what to do. */
    if (TLSX_GetResponseSize(ssl, hello_retry_request, &extSz) != 0)
        return MISSING_HANDSHAKE_DATA;

    /* Body is the protocol version plus the extensions; the full record adds
     * the record and handshake headers already counted in pos. */
    bodySz = OPAQUE16_LEN + extSz;
    totalSz = pos + bodySz;

    /* Grow the output buffer if it cannot take the whole record. */
    ret = CheckAvailableSize(ssl, totalSz);
    if (ret != 0)
        return ret;

    /* New message goes after whatever is already queued for output. */
    msg = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.length;

    /* Record and handshake headers. */
    AddTls13Headers(msg, bodySz, hello_retry_request, ssl);

    /* TODO: [TLS13] Replace existing code with code in comment.
     * Use the TLS v1.3 draft version for now.
     *
     * Change to:
     * output[idx++] = ssl->version.major;
     * output[idx++] = ssl->version.minor;
     */
    /* The negotiated protocol version. */
    msg[pos] = TLS_DRAFT_MAJOR;
    msg[pos + 1] = TLS_DRAFT_MINOR;
    pos += 2;

    /* TLS extensions follow the version. */
    ret = TLSX_WriteResponse(ssl, msg + pos, hello_retry_request, NULL);
    if (ret != 0)
        return ret;
    pos += extSz;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName(ssl, "HelloRetryRequest");
    if (ssl->toInfoOn) {
        AddPacketInfo(ssl, "HelloRetryRequest", handshake, msg, totalSz,
                      WRITE_PROTO, ssl->heap);
    }
#endif

    /* Add the message to the handshake hash before it is sent. */
    ret = HashOutput(ssl, msg, pos, 0);
    if (ret != 0)
        return ret;

    ssl->buffers.outputBuffer.length += totalSz;

    /* When grouping messages the record stays queued for a later send. */
    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13HelloRetryRequest", ret);

    return ret;
}
wolfSSL 15:117db924cf7c 4087 #endif /* WOLFSSL_TLS13_DRAFT_18 */
wolfSSL 15:117db924cf7c 4088
/* Build the TLS v1.3 ServerHello handshake message (type 2), add it to the
 * handshake hash and queue it in the output buffer.
 * Only a server will send this message. It is written in the clear; no
 * record protection is applied in this function.
 *
 * When WOLFSSL_TLS13_DRAFT_18 is not defined this function also produces the
 * HelloRetryRequest: the handshake hash is restarted first, the fixed
 * helloRetryRequestRandom value is used in place of fresh randomness, and the
 * server state is not advanced.
 *
 * ssl         The SSL/TLS object.
 * extMsgType  server_hello or hello_retry_request; selects the extension set
 *             that is sized and written. The handshake header type passed to
 *             AddTls13Headers() is server_hello in both cases.
 * returns 0 on success, otherwise failure.
 */
#ifdef WOLFSSL_TLS13_DRAFT_18
static
#endif
int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType)
{
    int    ret;
    int    sendSz;
    byte*  msg;
    word16 bodySz;
    word32 pos = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;

    WOLFSSL_START(WC_FUNC_SERVER_HELLO_SEND);
    WOLFSSL_ENTER("SendTls13ServerHello");

#ifndef WOLFSSL_TLS13_DRAFT_18
    if (extMsgType == hello_retry_request) {
        ret = RestartHandshakeHash(ssl);
        if (ret < 0)
            return ret;
    }
#endif

    /* Size of the handshake body before extensions are added. */
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Protocol version, server random, cipher suite and extensions. */
    bodySz = VERSION_SZ + RAN_LEN + SUITE_LEN;
    ret = TLSX_GetResponseSize(ssl, server_hello, &bodySz);
#else
    /* Protocol version, server random, session id, cipher suite, compression
     * and extensions.
     */
    bodySz = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session.sessionIDSz +
             SUITE_LEN + COMP_LEN;
    ret = TLSX_GetResponseSize(ssl, extMsgType, &bodySz);
#endif
    if (ret != 0)
        return ret;
    sendSz = pos + bodySz;

    /* Every write below relies on this reservation: the output buffer is
     * grown here so that sendSz bytes are available. */
    ret = CheckAvailableSize(ssl, sendSz);
    if (ret != 0)
        return ret;

    /* New message starts at the current end of the output buffer. */
    msg = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.length;

    /* Record and handshake headers. */
    AddTls13Headers(msg, bodySz, server_hello, ssl);

#ifdef WOLFSSL_TLS13_DRAFT_18
    /* TODO: [TLS13] Replace existing code with code in comment.
     * Use the TLS v1.3 draft version for now.
     *
     * Change to:
     *   msg[pos++] = ssl->version.major;
     *   msg[pos++] = ssl->version.minor;
     */
    /* The negotiated protocol version. */
    msg[pos++] = TLS_DRAFT_MAJOR;
    msg[pos++] = TLS_DRAFT_MINOR;
#else
    /* The protocol version must be TLS v1.2 for middleboxes. */
    msg[pos++] = ssl->version.major;
    msg[pos++] = TLSv1_2_MINOR;
#endif

    if (extMsgType == server_hello) {
        /* Fresh server random from the connection's RNG; a failure aborts
         * the send rather than falling back to other bytes. */
        ret = wc_RNG_GenerateBlock(ssl->rng, msg + pos, RAN_LEN);
        if (ret != 0)
            return ret;
    }
#ifndef WOLFSSL_TLS13_DRAFT_18
    else {
        /* HelloRetryRequest message has fixed value for random. */
        XMEMCPY(msg + pos, helloRetryRequestRandom, RAN_LEN);
    }
#endif
    /* NOTE(review): in a WOLFSSL_TLS13_DRAFT_18 build there is no else
     * branch, so a call with extMsgType != server_hello would leave the
     * random field as whatever the output buffer already held. Confirm that
     * draft-18 callers only ever pass server_hello. */

    /* Store in SSL for debugging. */
    XMEMCPY(ssl->arrays->serverRandom, msg + pos, RAN_LEN);
    pos += RAN_LEN;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("Server random");
    WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN);
#endif

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Session id: one length byte followed by sessionIDSz bytes, the same
     * sessionIDSz that was counted into bodySz above. */
    msg[pos++] = ssl->session.sessionIDSz;
    if (ssl->session.sessionIDSz > 0) {
        XMEMCPY(msg + pos, ssl->session.sessionID, ssl->session.sessionIDSz);
        pos += ssl->session.sessionIDSz;
    }
#endif

    /* Chosen cipher suite */
    msg[pos++] = ssl->options.cipherSuite0;
    msg[pos++] = ssl->options.cipherSuite;

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Compression not supported in TLS v1.3. */
    msg[pos++] = 0;
#endif

    /* Extensions */
    ret = TLSX_WriteResponse(ssl, msg + pos, extMsgType, NULL);
    if (ret != 0)
        return ret;

    /* NOTE(review): the buffer length is advanced before HashOutput() is
     * checked, so a hashing failure returns with the message already counted
     * as queued output. Confirm callers treat that error as fatal for the
     * connection. */
    ssl->buffers.outputBuffer.length += sendSz;

    ret = HashOutput(ssl, msg, sendSz, 0);
    if (ret != 0)
        return ret;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName(ssl, "ServerHello");
    if (ssl->toInfoOn) {
        AddPacketInfo(ssl, "ServerHello", handshake, msg, sendSz,
                      WRITE_PROTO, ssl->heap);
    }
#endif

    /* Only a real ServerHello completes this state; a HelloRetryRequest
     * (non-draft-18 builds) leaves serverState unchanged. */
#ifndef WOLFSSL_TLS13_DRAFT_18
    if (extMsgType == server_hello)
#endif
        ssl->options.serverState = SERVER_HELLO_COMPLETE;

    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13ServerHello", ret);
    WOLFSSL_END(WC_FUNC_SERVER_HELLO_SEND);

    return ret;
}
wolfSSL 15:117db924cf7c 4234
/* Build and queue the TLS v1.3 EncryptedExtensions handshake message (type 8).
 * This is the first server message protected with the handshake traffic keys:
 * the handshake secret and keys are derived here and installed before the
 * message is built. The message is always encrypted in TLS v1.3.
 * Only a server will send this message.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13EncryptedExtensions(WOLFSSL* ssl)
{
    int    ret;
    int    sendSz;
    byte*  msg;
    word16 extSz = 0;
    word32 pos = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;

    WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND);
    WOLFSSL_ENTER("SendTls13EncryptedExtensions");

    /* From this message on, records are sent encrypted. */
    ssl->keys.encryptionOn = 1;

#ifndef WOLFSSL_NO_SERVER_GROUPS_EXT
    ret = TLSX_SupportedCurve_CheckPriority(ssl);
    if (ret != 0)
        return ret;
#endif

    /* Derive the handshake secret now that we are at first message to be
     * encrypted under the keys.
     */
    ret = DeriveHandshakeSecret(ssl);
    if (ret != 0)
        return ret;
    ret = DeriveTls13Keys(ssl, handshake_key, ENCRYPT_AND_DECRYPT_SIDE, 1);
    if (ret != 0)
        return ret;

    /* Setup encrypt/decrypt keys for following messages. */
#ifdef WOLFSSL_EARLY_DATA
    ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
    if (ret != 0)
        return ret;
    /* While early data is still being processed the decrypt side is left
     * alone; only the encrypt side was switched above. */
    if (ssl->earlyData != process_early_data) {
        ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);
        if (ret != 0)
            return ret;
    }
#else
    ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE);
    if (ret != 0)
        return ret;
#endif

    ret = TLSX_GetResponseSize(ssl, encrypted_extensions, &extSz);
    if (ret != 0)
        return ret;

    /* Headers + extensions, plus room for the encryption overhead
     * (encryption always on). */
    sendSz = pos + extSz;
    sendSz += MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    ret = CheckAvailableSize(ssl, sendSz);
    if (ret != 0)
        return ret;

    /* New message starts at the current end of the output buffer. */
    msg = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.length;

    /* Record and handshake headers. */
    AddTls13Headers(msg, extSz, encrypted_extensions, ssl);

    ret = TLSX_WriteResponse(ssl, msg + pos, encrypted_extensions, NULL);
    if (ret != 0)
        return ret;
    pos += extSz;

#ifdef WOLFSSL_CALLBACKS
    /* The callbacks run before BuildTls13Message(), so they are handed the
     * buffer as it is before encryption, and sendSz here is still the
     * reserved size including MAX_MSG_EXTRA.
     * NOTE(review): confirm the registered callbacks are meant to receive
     * the unencrypted handshake bytes. */
    if (ssl->hsInfoOn)
        AddPacketName(ssl, "EncryptedExtensions");
    if (ssl->toInfoOn) {
        AddPacketInfo(ssl, "EncryptedExtensions", handshake, msg, sendSz,
                      WRITE_PROTO, ssl->heap);
    }
#endif

    /* This handshake message is always encrypted. On success sendSz becomes
     * the size returned by BuildTls13Message(); a negative value is an
     * error code. */
    sendSz = BuildTls13Message(ssl, msg, sendSz, msg + RECORD_HEADER_SZ,
                               pos - RECORD_HEADER_SZ, handshake, 1, 0, 0);
    if (sendSz < 0)
        return sendSz;

    ssl->buffers.outputBuffer.length += sendSz;
    ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;

    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13EncryptedExtensions", ret);
    WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND);

    return ret;
}
wolfSSL 15:117db924cf7c 4335
wolfSSL 15:117db924cf7c 4336 #ifndef NO_CERTS
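/* Build and queue the TLS v1.3 CertificateRequest handshake message (type 13).
 * This message is always encrypted in TLS v1.3.
 * Only a server will send this message.
 *
 * The request context is written with a single length byte, so its length
 * must fit in 0..255. The arguments are validated before anything is written:
 * an out-of-range length would otherwise be truncated in the length byte
 * while the full reqCtxLen bytes are still copied.
 *
 * ssl        SSL/TLS object.
 * reqCtx     Request context. May be NULL only when reqCtxLen is 0.
 * reqCtxLen  Length of context. 0 when sending as part of handshake.
 * returns 0 on success, BAD_FUNC_ARG when the context arguments are invalid,
 *         otherwise failure.
 */
static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx,
                                       int reqCtxLen)
{
    byte*   output;
    int    ret;
    int    sendSz;
    word32 i;
    word16 reqSz;
#ifndef WOLFSSL_TLS13_DRAFT_18
    TLSX*  ext;
#endif

    WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_SEND);
    WOLFSSL_ENTER("SendTls13CertificateRequest");

    /* The context length is encoded in one byte and used as a copy length
     * below; reject values that cannot be represented, and a missing buffer
     * when a non-empty context is requested. */
    if (reqCtxLen < 0 || reqCtxLen > 0xFF ||
                                      (reqCtxLen != 0 && reqCtx == NULL)) {
        return BAD_FUNC_ARG;
    }

    if (ssl->options.side == WOLFSSL_SERVER_END)
        InitSuitesHashSigAlgo(ssl->suites, 1, 1, 0, 1, ssl->buffers.keySz);

#ifdef WOLFSSL_TLS13_DRAFT_18
    i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    /* Context (length byte + data), signature algorithms (length + list),
     * and two empty two-byte-length vectors: authorities and extensions. */
    reqSz = OPAQUE8_LEN + reqCtxLen + REQ_HEADER_SZ + REQ_HEADER_SZ;
    reqSz += LENGTH_SZ + ssl->suites->hashSigAlgoSz;

    sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz;
    /* Always encrypted and make room for padding. */
    sendSz += MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, reqSz, certificate_request, ssl);

    /* Certificate request context. */
    output[i++] = (byte)reqCtxLen;
    if (reqCtxLen != 0) {
        XMEMCPY(output + i, reqCtx, reqCtxLen);
        i += reqCtxLen;
    }

    /* supported hash/sig */
    c16toa(ssl->suites->hashSigAlgoSz, &output[i]);
    i += LENGTH_SZ;

    XMEMCPY(&output[i], ssl->suites->hashSigAlgo, ssl->suites->hashSigAlgoSz);
    i += ssl->suites->hashSigAlgoSz;

    /* Certificate authorities not supported yet - empty buffer. */
    c16toa(0, &output[i]);
    i += REQ_HEADER_SZ;

    /* Certificate extensions. */
    c16toa(0, &output[i]);  /* auth's */
    i += REQ_HEADER_SZ;
#else
    /* The signature_algorithms extension must already be present on the
     * object; it is written as part of the request extensions below. */
    ext = TLSX_Find(ssl->extensions, TLSX_SIGNATURE_ALGORITHMS);
    if (ext == NULL)
        return EXT_MISSING;
    ext->resp = 0;

    i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    reqSz = (word16)(OPAQUE8_LEN + reqCtxLen);
    ret = TLSX_GetRequestSize(ssl, certificate_request, &reqSz);
    if (ret != 0)
        return ret;

    sendSz = i + reqSz;
    /* Always encrypted and make room for padding. */
    sendSz += MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, reqSz, certificate_request, ssl);

    /* Certificate request context. */
    output[i++] = (byte)reqCtxLen;
    if (reqCtxLen != 0) {
        XMEMCPY(output + i, reqCtx, reqCtxLen);
        i += reqCtxLen;
    }

    /* Certificate extensions. reqSz is reset and then filled in by
     * TLSX_WriteRequest() with the number of bytes it wrote. */
    reqSz = 0;
    ret = TLSX_WriteRequest(ssl, output + i, certificate_request, &reqSz);
    if (ret != 0)
        return ret;
    i += reqSz;
#endif

    /* Always encrypted. A negative result is an error code. */
    sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
                               i - RECORD_HEADER_SZ, handshake, 1, 0, 0);
    if (sendSz < 0)
        return sendSz;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName(ssl, "CertificateRequest");
    if (ssl->toInfoOn) {
        AddPacketInfo(ssl, "CertificateRequest", handshake, output,
                      sendSz, WRITE_PROTO, ssl->heap);
    }
#endif

    ssl->buffers.outputBuffer.length += sendSz;
    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13CertificateRequest", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_SEND);

    return ret;
}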
wolfSSL 15:117db924cf7c 4472 #endif /* NO_CERTS */
wolfSSL 15:117db924cf7c 4473 #endif /* NO_WOLFSSL_SERVER */
wolfSSL 15:117db924cf7c 4474
wolfSSL 15:117db924cf7c 4475 #ifndef NO_CERTS
wolfSSL 15:117db924cf7c 4476 #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519)
/* Encode a (hash, signature) pair as the two-byte signature algorithm value.
 *
 * Only the signature types handled below are encoded. For any other hsType
 * nothing is written and output keeps its previous contents.
 * NOTE(review): there is no return value, so callers cannot tell that the
 * two bytes were left unwritten - confirm every caller passes a handled type.
 *
 * hashAlgo  The hash algorithm.
 * hsType    The signature type.
 * output    The buffer to encode into; two bytes are written.
 */
static WC_INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output)
{
    /* Not every build configuration reads hashAlgo. */
    (void)hashAlgo;

#ifdef HAVE_ECC
    /* ECDSA: hash byte first, then the signature byte. */
    if (hsType == ecc_dsa_sa_algo) {
        output[0] = hashAlgo;
        output[1] = ecc_dsa_sa_algo;
        return;
    }
#endif
#ifdef HAVE_ED25519
    /* ED25519: 0x0807 - fixed code point, hashAlgo is not encoded. */
    if (hsType == ed25519_sa_algo) {
        output[0] = ED25519_SA_MAJOR;
        output[1] = ED25519_SA_MINOR;
        return;
    }
#endif
#ifndef NO_RSA
    /* PSS signatures: 0x080[4-6] - signature byte first, then the hash. */
    if (hsType == rsa_pss_sa_algo) {
        output[0] = rsa_pss_sa_algo;
        output[1] = hashAlgo;
        return;
    }
#endif
    /* ED448: 0x0808 */
}
wolfSSL 15:117db924cf7c 4510
/* Decode a two-byte signature algorithm value received from the peer.
 *
 * When the first byte is NEW_SA_MAJOR the second byte selects the scheme;
 * otherwise the bytes are taken as (hash, signature) in that order.
 *
 * NOTE(review): for a NEW_SA_MAJOR value whose second byte matches neither
 * test below, *hashAlgo and *hsType are not written at all and keep whatever
 * the caller had in them. Callers should initialise both outputs to a value
 * they reject before calling.
 * NOTE(review): the PSS test has only an upper bound, so second bytes below
 * the commented 0x04-0x06 range are also passed through as the hash
 * algorithm - confirm later validation rejects them.
 *
 * input     The encoded signature algorithm; two bytes are read.
 * hashAlgo  Receives the hash algorithm.
 * hsType    Receives the signature type.
 */
static WC_INLINE void DecodeSigAlg(byte* input, byte* hashAlgo, byte* hsType)
{
    if (input[0] != NEW_SA_MAJOR) {
        /* Older layout: hash byte followed by signature byte. */
        *hashAlgo = input[0];
        *hsType   = input[1];
        return;
    }

    /* PSS signatures: 0x080[4-6] */
    if (input[1] <= sha512_mac) {
        *hsType   = input[0];
        *hashAlgo = input[1];
    }
#ifdef HAVE_ED25519
    /* ED25519: 0x0807 */
    if (input[1] == ED25519_SA_MINOR) {
        *hsType   = ed25519_sa_algo;
        /* Hash performed as part of sign/verify operation. */
        *hashAlgo = sha512_mac;
    }
#endif
    /* ED448: 0x0808 */
}
wolfSSL 15:117db924cf7c 4542
/* Get the hash of the handshake messages so far, using the running hash that
 * matches the cipher suite's MAC algorithm.
 *
 * NOTE(review): when ssl->specs.mac_algorithm matches none of the compiled-in
 * cases the function returns 0 and writes nothing. A caller that only tests
 * for a negative result will treat that as a zero-length hash - confirm this
 * cannot happen for a negotiated suite, or have callers reject 0.
 *
 * ssl   The SSL/TLS object.
 * hash  The buffer to write the hash to. No size is passed in; the buffer
 *       must be able to hold the digest of the selected algorithm.
 * returns the length of the hash on success, or the non-zero value returned
 *         by the underlying GetHash call.
 */
static WC_INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash)
{
    int hashLen = 0;

    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            hashLen = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            hashLen = (hashLen != 0) ? hashLen : WC_SHA256_DIGEST_SIZE;
            break;
    #endif /* !NO_SHA256 */
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashLen = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            hashLen = (hashLen != 0) ? hashLen : WC_SHA384_DIGEST_SIZE;
            break;
    #endif /* WOLFSSL_SHA384 */
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hashLen = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            hashLen = (hashLen != 0) ? hashLen : WC_SHA512_DIGEST_SIZE;
            break;
    #endif /* WOLFSSL_TLS13_SHA512 */
    }

    return hashLen;
}
wolfSSL 15:117db924cf7c 4577
/* The length of the certificate verification label - client and server.
 * Each label below is 33 characters, so the 34th byte of the array is the
 * string's terminating zero; CreateSigData() copies all 34 bytes, which puts
 * that zero byte between the label and the handshake hash. */
#define CERT_VFY_LABEL_SZ    34

/* The server certificate verification label. */
static const byte serverCertVfyLabel[CERT_VFY_LABEL_SZ] =
    "TLS 1.3, server CertificateVerify";

/* The client certificate verification label. Distinct from the server label
 * so a signature made for one role does not verify for the other. */
static const byte clientCertVfyLabel[CERT_VFY_LABEL_SZ] =
    "TLS 1.3, client CertificateVerify";

/* The number of prefix bytes for signature data. */
#define SIGNING_DATA_PREFIX_SZ     64
/* The prefix byte in the signature data. */
#define SIGNING_DATA_PREFIX_BYTE   0x20
/* Maximum length of the signature data: prefix, label and the largest
 * supported digest. Buffers handed to CreateSigData() need this much room. */
#define MAX_SIG_DATA_SZ \
    (SIGNING_DATA_PREFIX_SZ + CERT_VFY_LABEL_SZ + WC_MAX_DIGEST_SIZE)
wolfSSL 15:117db924cf7c 4595
/* Create the data that is signed (or verified) for the TLS v1.3
 * CertificateVerify message:
 *
 *   Signature Data = Prefix | Label | Handshake Hash
 *
 * The label is chosen by whose signature is involved: the local side's label
 * when creating, the peer's label when checking.
 *
 * NOTE(review): sigData has no size parameter; the function writes
 * SIGNING_DATA_PREFIX_SZ + CERT_VFY_LABEL_SZ bytes plus the hash, so the
 * caller's buffer must hold MAX_SIG_DATA_SZ bytes.
 * NOTE(review): only a negative GetMsgHash() result is treated as failure. A
 * result of 0 produces signature data with no handshake hash appended -
 * confirm GetMsgHash() cannot return 0 for a negotiated cipher suite.
 *
 * ssl        The SSL/TLS object.
 * sigData    The buffer that receives the signature data.
 * sigDataSz  Receives the length of the signature data.
 * check      Non-zero when verifying the peer's signature, zero when
 *            creating our own.
 * returns 0 on success, negative on error.
 */
static int CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz,
                         int check)
{
    int    ret;
    int    side = ssl->options.side;
    word16 off  = SIGNING_DATA_PREFIX_SZ;

    /* Fixed prefix of 0x20 bytes. */
    XMEMSET(sigData, SIGNING_DATA_PREFIX_BYTE, SIGNING_DATA_PREFIX_SZ);

    /* Label of the signing party. */
    if (side == WOLFSSL_CLIENT_END) {
        XMEMCPY(&sigData[off],
                check ? serverCertVfyLabel : clientCertVfyLabel,
                CERT_VFY_LABEL_SZ);
    }
    else if (side == WOLFSSL_SERVER_END) {
        XMEMCPY(&sigData[off],
                check ? clientCertVfyLabel : serverCertVfyLabel,
                CERT_VFY_LABEL_SZ);
    }
    off += CERT_VFY_LABEL_SZ;

    /* Handshake transcript hash; the return value is its length. */
    ret = GetMsgHash(ssl, &sigData[off]);
    if (ret < 0)
        return ret;

    *sigDataSz = (word16)(off + ret);

    return 0;
}
wolfSSL 15:117db924cf7c 4633
wolfSSL 15:117db924cf7c 4634 #ifndef NO_RSA
/* Digest the signature data for an RSA signature.
 *
 * Despite the name, the visible code only hashes sigData with the selected
 * algorithm and writes the raw digest to sig; no further encoding is applied
 * here and sigAlgo is unused.
 *
 * NOTE(review): the SHA-256 case is guarded by NO_WOLFSSL_SHA256, while
 * GetMsgHash() in this file uses NO_SHA256 for the same algorithm - confirm
 * which macro is intended.
 *
 * sig        The buffer to place the digest into; must hold the digest of
 *            the selected hash (no size is passed in).
 * sigData    The data to be signed.
 * sigDataSz  The size of the data to be signed.
 * sigAlgo    Unused.
 * hashAlgo   The hash algorithm to use when signing.
 * returns the digest length on success, BAD_FUNC_ARG when hashAlgo is not a
 *         compiled-in hash, or the non-zero value from the failing hash call.
 */
static int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz,
                               int sigAlgo, int hashAlgo)
{
    Digest digest;
    int    digestSz = 0;
    int    ret      = BAD_FUNC_ARG;   /* result when no case matches */

    (void)sigAlgo;

    /* Digest the signature data. The hash object is freed only after a
     * successful init. */
    switch (hashAlgo) {
#ifndef NO_WOLFSSL_SHA256
        case sha256_mac:
            digestSz = WC_SHA256_DIGEST_SIZE;
            ret = wc_InitSha256(&digest.sha256);
            if (ret != 0)
                break;
            ret = wc_Sha256Update(&digest.sha256, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha256Final(&digest.sha256, sig);
            wc_Sha256Free(&digest.sha256);
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            digestSz = WC_SHA384_DIGEST_SIZE;
            ret = wc_InitSha384(&digest.sha384);
            if (ret != 0)
                break;
            ret = wc_Sha384Update(&digest.sha384, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha384Final(&digest.sha384, sig);
            wc_Sha384Free(&digest.sha384);
            break;
#endif
#ifdef WOLFSSL_SHA512
        case sha512_mac:
            digestSz = WC_SHA512_DIGEST_SIZE;
            ret = wc_InitSha512(&digest.sha512);
            if (ret != 0)
                break;
            ret = wc_Sha512Update(&digest.sha512, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha512Final(&digest.sha512, sig);
            wc_Sha512Free(&digest.sha512);
            break;
#endif
    }

    return (ret != 0) ? ret : digestSz;
}
wolfSSL 15:117db924cf7c 4700 #endif /* !NO_RSA */
wolfSSL 15:117db924cf7c 4701
wolfSSL 15:117db924cf7c 4702 #ifdef HAVE_ECC
/* Hash the signature data in place ready for ECC signing.
 *
 * The digest is written over the start of sigData, so on return the buffer
 * holds the hash rather than the original data.
 *
 * sigData    On input the data to be signed, on output its digest.
 * sigDataSz  The size of the data to be signed.
 * hashAlgo   The hash algorithm to use when signing.
 * returns the digest size on success, BAD_FUNC_ARG when hashAlgo matches no
 * compiled-in case, otherwise the non-zero result of the failing hash call.
 *
 * NOTE(review): no check is made that sigData can hold the digest when
 * sigDataSz is smaller than the digest size; the caller visible in this file
 * allocates MAX_SIG_DATA_SZ bytes - confirm for any other caller.
 */
static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo)
{
    Digest digest;
    int    digestSz = 0;
    int    ret = BAD_FUNC_ARG;

    /* Digest the signature data. */
    switch (hashAlgo) {
#ifndef NO_WOLFSSL_SHA256
        case sha256_mac:
            digestSz = WC_SHA256_DIGEST_SIZE;
            ret = wc_InitSha256(&digest.sha256);
            if (ret != 0)
                break;
            ret = wc_Sha256Update(&digest.sha256, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha256Final(&digest.sha256, sigData);
            /* Only free a hash object that was initialized. */
            wc_Sha256Free(&digest.sha256);
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            digestSz = WC_SHA384_DIGEST_SIZE;
            ret = wc_InitSha384(&digest.sha384);
            if (ret != 0)
                break;
            ret = wc_Sha384Update(&digest.sha384, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha384Final(&digest.sha384, sigData);
            wc_Sha384Free(&digest.sha384);
            break;
#endif
#ifdef WOLFSSL_SHA512
        case sha512_mac:
            digestSz = WC_SHA512_DIGEST_SIZE;
            ret = wc_InitSha512(&digest.sha512);
            if (ret != 0)
                break;
            ret = wc_Sha512Update(&digest.sha512, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha512Final(&digest.sha512, sigData);
            wc_Sha512Free(&digest.sha512);
            break;
#endif
        default:
            /* Unsupported hash: ret keeps its initial BAD_FUNC_ARG. */
            break;
    }

    return (ret != 0) ? ret : digestSz;
}
wolfSSL 15:117db924cf7c 4761 #endif /* HAVE_ECC */
wolfSSL 15:117db924cf7c 4762
wolfSSL 15:117db924cf7c 4763 #ifndef NO_RSA
/* Check that the decrypted RSA-PSS signature matches the value expected for
 * this handshake.
 *
 * The expected value is rebuilt locally: the signature data is created, hashed
 * in place and then compared with decSig by wc_RsaPSS_CheckPadding().
 *
 * Only rsa_pss_sa_algo is checked here. For any other sigAlgo the function
 * returns 0 as soon as the signature data has been created, without looking at
 * decSig.
 * NOTE(review): callers therefore have to reject non-PSS RSA signature
 * algorithms themselves before treating 0 as "signature matches" - confirm at
 * the call site, which is outside this part of the file.
 *
 * ssl       The SSL/TLS object.
 * sigAlgo   The signature algorithm used to generate signature.
 * hashAlgo  The hash algorithm used to generate signature.
 * decSig    The decrypted signature.
 * decSigSz  The size of the decrypted signature.
 * returns 0 on success, otherwise failure.
 */
static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo,
                             byte* decSig, word32 decSigSz)
{
    enum wc_HashType pssHash = WC_HASH_TYPE_NONE;
    byte   expected[MAX_SIG_DATA_SZ];
    word16 expectedSz;
    int    rc;

    rc = CreateSigData(ssl, expected, &expectedSz, 1);
    if (rc != 0)
        return rc;

    /* Nothing further is verified for non-PSS algorithms; rc is 0 here. */
    if (sigAlgo != rsa_pss_sa_algo)
        return rc;

    rc = ConvertHashPss(hashAlgo, &pssHash, NULL);
    if (rc < 0)
        return rc;

    /* Same buffer is passed as output and input: the hash is done in place. */
    rc = CreateRSAEncodedSig(expected, expected, expectedSz, sigAlgo,
                             hashAlgo);
    if (rc < 0)
        return rc;

    /* A non-negative rc is the size of the encoded value. */
    return wc_RsaPSS_CheckPadding(expected, (word32)rc, decSig, decSigSz,
                                  pssHash);
}
wolfSSL 15:117db924cf7c 4806 #endif /* !NO_RSA */
wolfSSL 15:117db924cf7c 4807 #endif /* !NO_RSA || HAVE_ECC */
wolfSSL 15:117db924cf7c 4808
/* Step over one entry of a certificate list in which every certificate is
 * preceded by a 3 byte length, for writing into the TLS v1.3 Certificate
 * message.
 *
 * data    The certificate list.
 * length  The length of the certificate data in the list.
 * idx     On input the index of the current entry, on output the index of the
 *         entry after it.
 * returns the size of the current entry including its 3 byte length field.
 * 0 indicates no more certificates in the list.
 *
 * NOTE(review): the only end-of-list test is *idx == length. The length field
 * read and the advanced index are not checked against length, so the list is
 * assumed to be well formed; the caller visible in this file passes
 * ssl->buffers.certChain - confirm that buffer is always built by the library.
 */
static word32 NextCert(byte* data, word32 length, word32* idx)
{
    word32 entrySz;

    if (*idx != length) {
        /* Length of the current ASN.1 encoded certificate ... */
        c24to32(data + *idx, &entrySz);
        /* ... plus the length field itself. */
        entrySz += 3;

        /* Leave the index at the next certificate. */
        *idx += entrySz;
        return entrySz;
    }

    /* Index is at the end of the list. */
    return 0;
}
wolfSSL 15:117db924cf7c 4837
/* Write the next part of a certificate, followed by its extensions, into one
 * fragment.
 *
 * idx is the position already reached in the logical stream
 * "certificate | extensions". Certificate bytes are copied first; extension
 * bytes follow when the certificate part did not fill the fragment.
 * When extSz is OPAQUE16_LEN the extensions are an empty list (two zero
 * bytes); otherwise they are copied from ssl->buffers.certExts.
 *
 * ssl     SSL/TLS object.
 * cert    The certificate data to write out.
 * len     The length of the certificate data.
 * extSz   Length of the extension data with the certificate.
 * idx     The start of the certificate data to write out.
 * fragSz  The maximum size of this fragment.
 * output  The buffer to write to.
 * returns the number of bytes written.
 *
 * NOTE(review): in the empty-extension case the remaining byte count is
 * compared with fragSz, not with the room left after the certificate bytes
 * copied by this call (fragSz - written). When fewer than two bytes of room
 * are left the result can exceed fragSz, and when the two bytes are judged not
 * to fit nothing is written. Confirm how the caller's unsigned
 * "fragSz -= result" arithmetic behaves in both cases.
 */
static word32 AddCertExt(WOLFSSL* ssl, byte* cert, word32 len, word16 extSz,
                         word32 idx, word32 fragSz, byte* output)
{
    word32 written = 0;
    word32 remaining;

    /* Certificate bytes still to go out. */
    if (idx < len) {
        word32 certPart = min(len - idx, fragSz);

        XMEMCPY(output, cert + idx, certPart);
        /* Fragment is full: extensions go into a later fragment. */
        if (certPart == fragSz)
            return certPart;
        written = certPart;
    }

    /* Bytes of certificate plus extensions not yet written. */
    remaining = len + extSz - idx - written;

    if (extSz != OPAQUE16_LEN) {
        /* Position reached within the stored extension data. */
        byte*  certExts = ssl->buffers.certExts->buffer + idx + written - len;
        word32 room = fragSz - written;

        /* Put out as much of the extensions' data as will fit in fragment. */
        if (remaining > room)
            remaining = room;
        XMEMCPY(output + written, certExts, remaining);
        written += remaining;
    }
    else if (remaining <= fragSz) {
        /* Empty extension */
        output[written] = 0;
        output[written + 1] = 0;
        written += 2;
    }

    return written;
}
wolfSSL 15:117db924cf7c 4881
/* handle generation TLS v1.3 certificate (11) */
/* Send the certificate for this end and any CAs that help with validation.
 * This message is always encrypted in TLS v1.3.
 *
 * The message is built as one or more fragments. The first fragment carries
 * the handshake header, the certificate request context, the list length and
 * the leaf certificate length; every fragment then carries as much leaf
 * certificate, extension and chain data as fits. ssl->fragOffset counts the
 * certificate/extension bytes written so far and is reset to 0 at the end
 * unless the result is WANT_WRITE.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure: BUFFER_ERROR when no certificate
 * buffer is set, BUFFER_E when the write index check fails, or the error
 * returned by one of the helpers called.
 *
 * NOTE(review): the early returns inside the fragment loop leave
 * ssl->fragOffset as it is and skip the request-context clean-up at the end.
 * NOTE(review): the request context is popped and freed at the end whatever
 * ret is, including WANT_WRITE, while headerSz on a later call is computed
 * from whatever context is then at the head of the list - confirm the
 * intended behaviour when the send has to be resumed.
 */
static int SendTls13Certificate(WOLFSSL* ssl)
{
    int    ret = 0;
    word32 certSz, certChainSz, headerSz, listSz, payloadSz;
    word16 extSz = 0;
    word32 length, maxFragment;
    /* Chain walking state: len is the size of the current chain entry, idx
     * the index of the next entry and offset the position written within the
     * current entry. offset starts at OPAQUE16_LEN with len 0 so that the
     * first pass of the chain loop fetches the first entry. */
    word32 len = 0;
    word32 idx = 0;
    word32 offset = OPAQUE16_LEN;
    byte*  p = NULL;
    byte   certReqCtxLen = 0;
    byte*  certReqCtx = NULL;

    WOLFSSL_START(WC_FUNC_CERTIFICATE_SEND);
    WOLFSSL_ENTER("SendTls13Certificate");

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    /* A client answering a CertificateRequest echoes its request context. */
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
        certReqCtxLen = ssl->certReqCtx->len;
        certReqCtx = &ssl->certReqCtx->ctx;
    }
#endif

    if (ssl->options.sendVerify == SEND_BLANK_CERT) {
        /* Empty certificate list: request context and list length only. */
        certSz = 0;
        certChainSz = 0;
        headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ;
        length = headerSz;
        listSz = 0;
    }
    else {
        if (!ssl->buffers.certificate) {
            WOLFSSL_MSG("Send Cert missing certificate buffer");
            return BUFFER_ERROR;
        }
        /* Certificate Data */
        certSz = ssl->buffers.certificate->length;
        /* Cert Req Ctx Len | Cert Req Ctx | Cert List Len | Cert Data Len */
        headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ +
                   CERT_HEADER_SZ;

        ret = TLSX_GetResponseSize(ssl, certificate, &extSz);
        if (ret < 0)
            return ret;

        /* Create extensions' data if none already present. */
        if (extSz > OPAQUE16_LEN && ssl->buffers.certExts == NULL) {
            ret = AllocDer(&ssl->buffers.certExts, extSz, CERT_TYPE, ssl->heap);
            if (ret < 0)
                return ret;

            ret = TLSX_WriteResponse(ssl, ssl->buffers.certExts->buffer,
                                                           certificate, &extSz);
            if (ret < 0)
                return ret;
        }

        /* Length of message data with one certificate and extensions. */
        length = headerSz + certSz + extSz;
        /* Length of list data with one certificate and extensions. */
        listSz = CERT_HEADER_SZ + certSz + extSz;

        /* Send rest of chain if sending cert (chain has leading size/s). */
        if (certSz > 0 && ssl->buffers.certChainCnt > 0) {
            p = ssl->buffers.certChain->buffer;
            /* Chain length including extensions. */
            certChainSz = ssl->buffers.certChain->length +
                          OPAQUE16_LEN * ssl->buffers.certChainCnt;
            length += certChainSz;
            listSz += certChainSz;
        }
        else
            certChainSz = 0;
    }

    /* Total handshake message length, written into the first fragment. */
    payloadSz = length;

    /* Part of the message was written by an earlier call: only the remainder
     * is left to send. */
    if (ssl->fragOffset != 0)
        length -= (ssl->fragOffset + headerSz);

    maxFragment = wolfSSL_GetMaxRecordSize(ssl, MAX_RECORD_SIZE);

    while (length > 0 && ret == 0) {
        byte*  output = NULL;
        word32 fragSz = 0;
        /* i is the write index into output, starting after the record
         * header. */
        word32 i = RECORD_HEADER_SZ;
        int    sendSz = RECORD_HEADER_SZ;

        if (ssl->fragOffset == 0) {
            /* First fragment: leave room for the handshake header. */
            if (headerSz + certSz + extSz + certChainSz <=
                                            maxFragment - HANDSHAKE_HEADER_SZ) {
                fragSz = headerSz + certSz + extSz + certChainSz;
            }
            else
                fragSz = maxFragment - HANDSHAKE_HEADER_SZ;

            sendSz += fragSz + HANDSHAKE_HEADER_SZ;
            i += HANDSHAKE_HEADER_SZ;
        }
        else {
            fragSz = min(length, maxFragment);
            sendSz += fragSz;
        }

        sendSz += MAX_MSG_EXTRA;

        /* Check buffers are big enough and grow if needed. */
        if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
            return ret;

        /* Get position in output buffer to write new message to. */
        output = ssl->buffers.outputBuffer.buffer +
                 ssl->buffers.outputBuffer.length;

        if (ssl->fragOffset == 0) {
            AddTls13FragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);

            /* Request context. */
            output[i++] = certReqCtxLen;
            if (certReqCtxLen > 0) {
                XMEMCPY(output + i, certReqCtx, certReqCtxLen);
                i += certReqCtxLen;
            }
            length -= OPAQUE8_LEN + certReqCtxLen;
            fragSz -= OPAQUE8_LEN + certReqCtxLen;
            /* Certificate list length. */
            c32to24(listSz, output + i);
            i += CERT_HEADER_SZ;
            length -= CERT_HEADER_SZ;
            fragSz -= CERT_HEADER_SZ;
            /* Leaf certificate data length. */
            if (certSz > 0) {
                c32to24(certSz, output + i);
                i += CERT_HEADER_SZ;
                length -= CERT_HEADER_SZ;
                fragSz -= CERT_HEADER_SZ;
            }
        }
        else
            AddTls13RecordHeader(output, fragSz, handshake, ssl);

        if (certSz > 0 && ssl->fragOffset < certSz + extSz) {
            /* Put in the leaf certificate with extensions. */
            word32 copySz = AddCertExt(ssl, ssl->buffers.certificate->buffer,
                            certSz, extSz, ssl->fragOffset, fragSz, output + i);
            i += copySz;
            ssl->fragOffset += copySz;
            length -= copySz;
            fragSz -= copySz;
            /* Leaf and its extensions are fully written: the extension buffer
             * is no longer needed. */
            if (ssl->fragOffset == certSz + extSz)
                FreeDer(&ssl->buffers.certExts);
        }
        if (certChainSz > 0 && fragSz > 0) {
            /* Put in the CA certificates with empty extensions. */
            while (fragSz > 0) {
                word32 l;

                /* Current entry and its two extension bytes are done. */
                if (offset == len + OPAQUE16_LEN) {
                    /* Find next CA certificate to write out. */
                    offset = 0;
                    /* Point to the start of current cert in chain buffer. */
                    p = ssl->buffers.certChain->buffer + idx;
                    len = NextCert(ssl->buffers.certChain->buffer,
                                   ssl->buffers.certChain->length, &idx);
                    if (len == 0)
                        break;
                }

                /* Write out certificate and empty extension. */
                l = AddCertExt(ssl, p, len, OPAQUE16_LEN, offset, fragSz,
                               output + i);
                i += l;
                ssl->fragOffset += l;
                length -= l;
                fragSz -= l;
                offset += l;
            }
        }

        /* Sanity check on the write index before it is used as a size. */
        if ((int)i - RECORD_HEADER_SZ < 0) {
            WOLFSSL_MSG("Send Cert bad inputSz");
            return BUFFER_E;
        }

        /* This message is always encrypted. */
        sendSz = BuildTls13Message(ssl, output, sendSz,
                                   output + RECORD_HEADER_SZ,
                                   i - RECORD_HEADER_SZ, handshake, 1, 0, 0);
        if (sendSz < 0)
            return sendSz;

        #ifdef WOLFSSL_CALLBACKS
            if (ssl->hsInfoOn)
                AddPacketName(ssl, "Certificate");
            if (ssl->toInfoOn) {
                AddPacketInfo(ssl, "Certificate", handshake, output,
                        sendSz, WRITE_PROTO, ssl->heap);
            }
        #endif

        ssl->buffers.outputBuffer.length += sendSz;
        /* Send now unless messages are being grouped. */
        if (!ssl->options.groupMessages)
            ret = SendBuffered(ssl);
    }

    if (ret != WANT_WRITE) {
        /* Clean up the fragment offset. */
        ssl->fragOffset = 0;
        if (ssl->options.side == WOLFSSL_SERVER_END)
            ssl->options.serverState = SERVER_CERT_COMPLETE;
    }

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    /* Pop and free the request context that was used for this message. */
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
        CertReqCtx* ctx = ssl->certReqCtx;
        ssl->certReqCtx = ssl->certReqCtx->next;
        XFREE(ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    }
#endif

    WOLFSSL_LEAVE("SendTls13Certificate", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_SEND);

    return ret;
}
wolfSSL 15:117db924cf7c 5114
/* Working state of SendTls13CertificateVerify. With WOLFSSL_ASYNC_CRYPT it is
 * kept in ssl->async.args so the function can be re-entered; otherwise it is a
 * local of that function. verifySig and sigData are released by
 * FreeScv13Args(); the other pointers are not owned.
 */
typedef struct Scv13Args {
    byte*  output; /* not allocated: position in the SSL output buffer */
#ifndef NO_RSA
    byte*  verifySig; /* freed by FreeScv13Args() */
#endif
    byte*  verify; /* not allocated: output past record + handshake headers */
    word32 idx;    /* offset of verify within output */
    word32 sigLen; /* for RSA, set to length (maximum RSA signature size) */
    int    sendSz; /* MAX_CERT_VERIFY_SZ plus MAX_MSG_EXTRA */
    word16 length; /* signature size for the private key in use */

    byte   sigAlgo;   /* signature algorithm selected from ssl->hsType */
    byte*  sigData;   /* MAX_SIG_DATA_SZ heap buffer holding data to sign */
    word16 sigDataSz; /* bytes used in sigData; for ECC the digest size */
} Scv13Args;
wolfSSL 15:117db924cf7c 5130
/* Release the heap buffers owned by the CertificateVerify send state.
 *
 * Frees verifySig (when RSA is compiled in) and sigData, and sets each pointer
 * to NULL afterwards so a second call does not free it again. The output and
 * verify pointers are not allocated and are left alone.
 *
 * ssl    The SSL/TLS object; its heap hint is passed to XFREE.
 * pArgs  Pointer to the Scv13Args to clean up.
 */
static void FreeScv13Args(WOLFSSL* ssl, void* pArgs)
{
    Scv13Args* scv = (Scv13Args*)pArgs;

    /* Keeps ssl referenced when XFREE ignores its heap argument. */
    (void)ssl;

#ifndef NO_RSA
    if (scv->verifySig != NULL) {
        XFREE(scv->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
        scv->verifySig = NULL;
    }
#endif
    if (scv->sigData != NULL) {
        XFREE(scv->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
        scv->sigData = NULL;
    }
}
wolfSSL 15:117db924cf7c 5148
wolfSSL 15:117db924cf7c 5149 /* handle generation TLS v1.3 certificate_verify (15) */
wolfSSL 15:117db924cf7c 5150 /* Send the TLS v1.3 CertificateVerify message.
wolfSSL 15:117db924cf7c 5151 * A hash of all the messages so far is used.
wolfSSL 15:117db924cf7c 5152 * The signed data is:
wolfSSL 15:117db924cf7c 5153 * 0x20 * 64 | context string | 0x00 | hash of messages
wolfSSL 15:117db924cf7c 5154 * This message is always encrypted in TLS v1.3.
wolfSSL 15:117db924cf7c 5155 *
wolfSSL 15:117db924cf7c 5156 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 5157 * returns 0 on success, otherwise failure.
wolfSSL 15:117db924cf7c 5158 */
wolfSSL 15:117db924cf7c 5159 static int SendTls13CertificateVerify(WOLFSSL* ssl)
wolfSSL 15:117db924cf7c 5160 {
wolfSSL 15:117db924cf7c 5161 int ret = 0;
wolfSSL 15:117db924cf7c 5162 buffer* sig = &ssl->buffers.sig;
wolfSSL 15:117db924cf7c 5163 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 15:117db924cf7c 5164 Scv13Args* args = (Scv13Args*)ssl->async.args;
wolfSSL 15:117db924cf7c 5165 typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
wolfSSL 15:117db924cf7c 5166 (void)sizeof(args_test);
wolfSSL 15:117db924cf7c 5167 #else
wolfSSL 15:117db924cf7c 5168 Scv13Args args[1];
wolfSSL 15:117db924cf7c 5169 #endif
wolfSSL 15:117db924cf7c 5170
wolfSSL 15:117db924cf7c 5171 WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_SEND);
wolfSSL 15:117db924cf7c 5172 WOLFSSL_ENTER("SendTls13CertificateVerify");
wolfSSL 15:117db924cf7c 5173
wolfSSL 15:117db924cf7c 5174 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 15:117db924cf7c 5175 ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
wolfSSL 15:117db924cf7c 5176 if (ret != WC_NOT_PENDING_E) {
wolfSSL 15:117db924cf7c 5177 /* Check for error */
wolfSSL 15:117db924cf7c 5178 if (ret < 0)
wolfSSL 15:117db924cf7c 5179 goto exit_scv;
wolfSSL 15:117db924cf7c 5180 }
wolfSSL 15:117db924cf7c 5181 else
wolfSSL 15:117db924cf7c 5182 #endif
wolfSSL 15:117db924cf7c 5183 {
wolfSSL 15:117db924cf7c 5184 /* Reset state */
wolfSSL 15:117db924cf7c 5185 ret = 0;
wolfSSL 15:117db924cf7c 5186 ssl->options.asyncState = TLS_ASYNC_BEGIN;
wolfSSL 15:117db924cf7c 5187 XMEMSET(args, 0, sizeof(Scv13Args));
wolfSSL 15:117db924cf7c 5188 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 15:117db924cf7c 5189 ssl->async.freeArgs = FreeScv13Args;
wolfSSL 15:117db924cf7c 5190 #endif
wolfSSL 15:117db924cf7c 5191 }
wolfSSL 15:117db924cf7c 5192
wolfSSL 15:117db924cf7c 5193 switch(ssl->options.asyncState)
wolfSSL 15:117db924cf7c 5194 {
wolfSSL 15:117db924cf7c 5195 case TLS_ASYNC_BEGIN:
wolfSSL 15:117db924cf7c 5196 {
wolfSSL 15:117db924cf7c 5197 if (ssl->options.sendVerify == SEND_BLANK_CERT) {
wolfSSL 15:117db924cf7c 5198 return 0; /* sent blank cert, can't verify */
wolfSSL 15:117db924cf7c 5199 }
wolfSSL 15:117db924cf7c 5200
wolfSSL 15:117db924cf7c 5201 args->sendSz = MAX_CERT_VERIFY_SZ;
wolfSSL 15:117db924cf7c 5202 /* Always encrypted. */
wolfSSL 15:117db924cf7c 5203 args->sendSz += MAX_MSG_EXTRA;
wolfSSL 15:117db924cf7c 5204
wolfSSL 15:117db924cf7c 5205 /* check for available size */
wolfSSL 15:117db924cf7c 5206 if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) {
wolfSSL 15:117db924cf7c 5207 goto exit_scv;
wolfSSL 15:117db924cf7c 5208 }
wolfSSL 15:117db924cf7c 5209
wolfSSL 15:117db924cf7c 5210 /* get output buffer */
wolfSSL 15:117db924cf7c 5211 args->output = ssl->buffers.outputBuffer.buffer +
wolfSSL 15:117db924cf7c 5212 ssl->buffers.outputBuffer.length;
wolfSSL 15:117db924cf7c 5213
wolfSSL 15:117db924cf7c 5214 /* Advance state and proceed */
wolfSSL 15:117db924cf7c 5215 ssl->options.asyncState = TLS_ASYNC_BUILD;
wolfSSL 15:117db924cf7c 5216 } /* case TLS_ASYNC_BEGIN */
wolfSSL 15:117db924cf7c 5217 FALL_THROUGH;
wolfSSL 15:117db924cf7c 5218
wolfSSL 15:117db924cf7c 5219 case TLS_ASYNC_BUILD:
wolfSSL 15:117db924cf7c 5220 {
wolfSSL 15:117db924cf7c 5221 /* idx is used to track verify pointer offset to output */
wolfSSL 15:117db924cf7c 5222 args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
wolfSSL 15:117db924cf7c 5223 args->verify =
wolfSSL 15:117db924cf7c 5224 &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ];
wolfSSL 15:117db924cf7c 5225
wolfSSL 15:117db924cf7c 5226 if (ssl->buffers.key == NULL) {
wolfSSL 15:117db924cf7c 5227 #ifdef HAVE_PK_CALLBACKS
wolfSSL 15:117db924cf7c 5228 if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx))
wolfSSL 15:117db924cf7c 5229 args->length = GetPrivateKeySigSize(ssl);
wolfSSL 15:117db924cf7c 5230 else
wolfSSL 15:117db924cf7c 5231 #endif
wolfSSL 15:117db924cf7c 5232 ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
wolfSSL 15:117db924cf7c 5233 }
wolfSSL 15:117db924cf7c 5234 else {
wolfSSL 15:117db924cf7c 5235 ret = DecodePrivateKey(ssl, &args->length);
wolfSSL 15:117db924cf7c 5236 if (ret != 0)
wolfSSL 15:117db924cf7c 5237 goto exit_scv;
wolfSSL 15:117db924cf7c 5238 }
wolfSSL 15:117db924cf7c 5239
wolfSSL 15:117db924cf7c 5240 if (args->length <= 0) {
wolfSSL 15:117db924cf7c 5241 ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
wolfSSL 15:117db924cf7c 5242 }
wolfSSL 15:117db924cf7c 5243
wolfSSL 15:117db924cf7c 5244 /* Add signature algorithm. */
wolfSSL 15:117db924cf7c 5245 if (ssl->hsType == DYNAMIC_TYPE_RSA)
wolfSSL 15:117db924cf7c 5246 args->sigAlgo = rsa_pss_sa_algo;
wolfSSL 15:117db924cf7c 5247 else if (ssl->hsType == DYNAMIC_TYPE_ECC)
wolfSSL 15:117db924cf7c 5248 args->sigAlgo = ecc_dsa_sa_algo;
wolfSSL 15:117db924cf7c 5249 #ifdef HAVE_ED25519
wolfSSL 15:117db924cf7c 5250 else if (ssl->hsType == DYNAMIC_TYPE_ED25519)
wolfSSL 15:117db924cf7c 5251 args->sigAlgo = ed25519_sa_algo;
wolfSSL 15:117db924cf7c 5252 #endif
wolfSSL 15:117db924cf7c 5253 EncodeSigAlg(ssl->suites->hashAlgo, args->sigAlgo, args->verify);
wolfSSL 15:117db924cf7c 5254
wolfSSL 15:117db924cf7c 5255 /* Create the data to be signed. */
wolfSSL 15:117db924cf7c 5256 args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
wolfSSL 15:117db924cf7c 5257 DYNAMIC_TYPE_SIGNATURE);
wolfSSL 15:117db924cf7c 5258 if (args->sigData == NULL) {
wolfSSL 15:117db924cf7c 5259 ERROR_OUT(MEMORY_E, exit_scv);
wolfSSL 15:117db924cf7c 5260 }
wolfSSL 15:117db924cf7c 5261
wolfSSL 15:117db924cf7c 5262 ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 0);
wolfSSL 15:117db924cf7c 5263 if (ret != 0)
wolfSSL 15:117db924cf7c 5264 goto exit_scv;
wolfSSL 15:117db924cf7c 5265
wolfSSL 15:117db924cf7c 5266 #ifndef NO_RSA
wolfSSL 15:117db924cf7c 5267 if (ssl->hsType == DYNAMIC_TYPE_RSA) {
wolfSSL 15:117db924cf7c 5268 /* build encoded signature buffer */
wolfSSL 15:117db924cf7c 5269 sig->length = MAX_ENCODED_SIG_SZ;
wolfSSL 15:117db924cf7c 5270 sig->buffer = (byte*)XMALLOC(sig->length, ssl->heap,
wolfSSL 15:117db924cf7c 5271 DYNAMIC_TYPE_SIGNATURE);
wolfSSL 15:117db924cf7c 5272 if (sig->buffer == NULL) {
wolfSSL 15:117db924cf7c 5273 ERROR_OUT(MEMORY_E, exit_scv);
wolfSSL 15:117db924cf7c 5274 }
wolfSSL 15:117db924cf7c 5275
wolfSSL 15:117db924cf7c 5276 ret = CreateRSAEncodedSig(sig->buffer, args->sigData,
wolfSSL 15:117db924cf7c 5277 args->sigDataSz, args->sigAlgo, ssl->suites->hashAlgo);
wolfSSL 15:117db924cf7c 5278 if (ret < 0)
wolfSSL 15:117db924cf7c 5279 goto exit_scv;
wolfSSL 15:117db924cf7c 5280 sig->length = ret;
wolfSSL 15:117db924cf7c 5281 ret = 0;
wolfSSL 15:117db924cf7c 5282
wolfSSL 15:117db924cf7c 5283 /* Maximum size of RSA Signature. */
wolfSSL 15:117db924cf7c 5284 args->sigLen = args->length;
wolfSSL 15:117db924cf7c 5285 }
wolfSSL 15:117db924cf7c 5286 #endif /* !NO_RSA */
wolfSSL 15:117db924cf7c 5287 #ifdef HAVE_ECC
wolfSSL 15:117db924cf7c 5288 if (ssl->hsType == DYNAMIC_TYPE_ECC) {
wolfSSL 15:117db924cf7c 5289 sig->length = args->sendSz - args->idx - HASH_SIG_SIZE -
wolfSSL 15:117db924cf7c 5290 VERIFY_HEADER;
wolfSSL 15:117db924cf7c 5291 ret = CreateECCEncodedSig(args->sigData,
wolfSSL 15:117db924cf7c 5292 args->sigDataSz, ssl->suites->hashAlgo);
wolfSSL 15:117db924cf7c 5293 if (ret < 0)
wolfSSL 15:117db924cf7c 5294 goto exit_scv;
wolfSSL 15:117db924cf7c 5295 args->sigDataSz = (word16)ret;
wolfSSL 15:117db924cf7c 5296 ret = 0;
wolfSSL 15:117db924cf7c 5297 }
wolfSSL 15:117db924cf7c 5298 #endif /* HAVE_ECC */
wolfSSL 15:117db924cf7c 5299 #ifdef HAVE_ED25519
wolfSSL 15:117db924cf7c 5300 if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
wolfSSL 15:117db924cf7c 5301 ret = Ed25519CheckPubKey(ssl);
wolfSSL 15:117db924cf7c 5302 if (ret < 0) {
wolfSSL 15:117db924cf7c 5303 ERROR_OUT(ret, exit_scv);
wolfSSL 15:117db924cf7c 5304 }
wolfSSL 15:117db924cf7c 5305 sig->length = ED25519_SIG_SIZE;
wolfSSL 15:117db924cf7c 5306 }
wolfSSL 15:117db924cf7c 5307 #endif /* HAVE_ECC */
wolfSSL 15:117db924cf7c 5308
wolfSSL 15:117db924cf7c 5309 /* Advance state and proceed */
wolfSSL 15:117db924cf7c 5310 ssl->options.asyncState = TLS_ASYNC_DO;
wolfSSL 15:117db924cf7c 5311 } /* case TLS_ASYNC_BUILD */
wolfSSL 15:117db924cf7c 5312 FALL_THROUGH;
wolfSSL 15:117db924cf7c 5313
wolfSSL 15:117db924cf7c 5314 case TLS_ASYNC_DO:
wolfSSL 15:117db924cf7c 5315 {
wolfSSL 15:117db924cf7c 5316 #ifdef HAVE_ECC
wolfSSL 15:117db924cf7c 5317 if (ssl->hsType == DYNAMIC_TYPE_ECC) {
wolfSSL 15:117db924cf7c 5318 ret = EccSign(ssl, args->sigData, args->sigDataSz,
wolfSSL 15:117db924cf7c 5319 args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
wolfSSL 15:117db924cf7c 5320 &sig->length, (ecc_key*)ssl->hsKey,
wolfSSL 15:117db924cf7c 5321 #ifdef HAVE_PK_CALLBACKS
wolfSSL 15:117db924cf7c 5322 ssl->buffers.key
wolfSSL 15:117db924cf7c 5323 #else
wolfSSL 15:117db924cf7c 5324 NULL
wolfSSL 15:117db924cf7c 5325 #endif
wolfSSL 15:117db924cf7c 5326 );
wolfSSL 15:117db924cf7c 5327 args->length = (word16)sig->length;
wolfSSL 15:117db924cf7c 5328 }
wolfSSL 15:117db924cf7c 5329 #endif /* HAVE_ECC */
wolfSSL 15:117db924cf7c 5330 #ifdef HAVE_ED25519
wolfSSL 15:117db924cf7c 5331 if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
wolfSSL 15:117db924cf7c 5332 ret = Ed25519Sign(ssl, args->sigData, args->sigDataSz,
wolfSSL 15:117db924cf7c 5333 args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
wolfSSL 15:117db924cf7c 5334 &sig->length, (ed25519_key*)ssl->hsKey,
wolfSSL 15:117db924cf7c 5335 #ifdef HAVE_PK_CALLBACKS
wolfSSL 15:117db924cf7c 5336 ssl->buffers.key
wolfSSL 15:117db924cf7c 5337 #else
wolfSSL 15:117db924cf7c 5338 NULL
wolfSSL 15:117db924cf7c 5339 #endif
wolfSSL 15:117db924cf7c 5340 );
wolfSSL 15:117db924cf7c 5341 args->length = sig->length;
wolfSSL 15:117db924cf7c 5342 }
wolfSSL 15:117db924cf7c 5343 #endif
wolfSSL 15:117db924cf7c 5344 #ifndef NO_RSA
wolfSSL 15:117db924cf7c 5345 if (ssl->hsType == DYNAMIC_TYPE_RSA) {
wolfSSL 15:117db924cf7c 5346
wolfSSL 15:117db924cf7c 5347 ret = RsaSign(ssl, sig->buffer, sig->length,
wolfSSL 15:117db924cf7c 5348 args->verify + HASH_SIG_SIZE + VERIFY_HEADER, &args->sigLen,
wolfSSL 15:117db924cf7c 5349 args->sigAlgo, ssl->suites->hashAlgo,
wolfSSL 15:117db924cf7c 5350 (RsaKey*)ssl->hsKey,
wolfSSL 15:117db924cf7c 5351 ssl->buffers.key
wolfSSL 15:117db924cf7c 5352 );
wolfSSL 15:117db924cf7c 5353 args->length = (word16)args->sigLen;
wolfSSL 15:117db924cf7c 5354 }
wolfSSL 15:117db924cf7c 5355 #endif /* !NO_RSA */
wolfSSL 15:117db924cf7c 5356
wolfSSL 15:117db924cf7c 5357 /* Check for error */
wolfSSL 15:117db924cf7c 5358 if (ret != 0) {
wolfSSL 15:117db924cf7c 5359 goto exit_scv;
wolfSSL 15:117db924cf7c 5360 }
wolfSSL 15:117db924cf7c 5361
wolfSSL 15:117db924cf7c 5362 /* Add signature length. */
wolfSSL 15:117db924cf7c 5363 c16toa(args->length, args->verify + HASH_SIG_SIZE);
wolfSSL 15:117db924cf7c 5364
wolfSSL 15:117db924cf7c 5365 /* Advance state and proceed */
wolfSSL 15:117db924cf7c 5366 ssl->options.asyncState = TLS_ASYNC_VERIFY;
wolfSSL 15:117db924cf7c 5367 } /* case TLS_ASYNC_DO */
wolfSSL 15:117db924cf7c 5368 FALL_THROUGH;
wolfSSL 15:117db924cf7c 5369
wolfSSL 15:117db924cf7c 5370 case TLS_ASYNC_VERIFY:
wolfSSL 15:117db924cf7c 5371 {
wolfSSL 15:117db924cf7c 5372 #ifndef NO_RSA
wolfSSL 15:117db924cf7c 5373 if (ssl->hsType == DYNAMIC_TYPE_RSA) {
wolfSSL 15:117db924cf7c 5374 if (args->verifySig == NULL) {
wolfSSL 15:117db924cf7c 5375 args->verifySig = (byte*)XMALLOC(args->sigLen, ssl->heap,
wolfSSL 15:117db924cf7c 5376 DYNAMIC_TYPE_SIGNATURE);
wolfSSL 15:117db924cf7c 5377 if (args->verifySig == NULL) {
wolfSSL 15:117db924cf7c 5378 ERROR_OUT(MEMORY_E, exit_scv);
wolfSSL 15:117db924cf7c 5379 }
wolfSSL 15:117db924cf7c 5380 XMEMCPY(args->verifySig,
wolfSSL 15:117db924cf7c 5381 args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
wolfSSL 15:117db924cf7c 5382 args->sigLen);
wolfSSL 15:117db924cf7c 5383 }
wolfSSL 15:117db924cf7c 5384
wolfSSL 15:117db924cf7c 5385 /* check for signature faults */
wolfSSL 15:117db924cf7c 5386 ret = VerifyRsaSign(ssl, args->verifySig, args->sigLen,
wolfSSL 15:117db924cf7c 5387 sig->buffer, sig->length, args->sigAlgo,
wolfSSL 15:117db924cf7c 5388 ssl->suites->hashAlgo, (RsaKey*)ssl->hsKey,
wolfSSL 15:117db924cf7c 5389 ssl->buffers.key
wolfSSL 15:117db924cf7c 5390 );
wolfSSL 15:117db924cf7c 5391 }
wolfSSL 15:117db924cf7c 5392 #endif /* !NO_RSA */
wolfSSL 15:117db924cf7c 5393
wolfSSL 15:117db924cf7c 5394 /* Check for error */
wolfSSL 15:117db924cf7c 5395 if (ret != 0) {
wolfSSL 15:117db924cf7c 5396 goto exit_scv;
wolfSSL 15:117db924cf7c 5397 }
wolfSSL 15:117db924cf7c 5398
wolfSSL 15:117db924cf7c 5399 /* Advance state and proceed */
wolfSSL 15:117db924cf7c 5400 ssl->options.asyncState = TLS_ASYNC_FINALIZE;
wolfSSL 15:117db924cf7c 5401 } /* case TLS_ASYNC_VERIFY */
wolfSSL 15:117db924cf7c 5402 FALL_THROUGH;
wolfSSL 15:117db924cf7c 5403
wolfSSL 15:117db924cf7c 5404 case TLS_ASYNC_FINALIZE:
wolfSSL 15:117db924cf7c 5405 {
wolfSSL 15:117db924cf7c 5406 /* Put the record and handshake headers on. */
wolfSSL 15:117db924cf7c 5407 AddTls13Headers(args->output, args->length + HASH_SIG_SIZE +
wolfSSL 15:117db924cf7c 5408 VERIFY_HEADER, certificate_verify, ssl);
wolfSSL 15:117db924cf7c 5409
wolfSSL 15:117db924cf7c 5410 args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ +
wolfSSL 15:117db924cf7c 5411 args->length + HASH_SIG_SIZE + VERIFY_HEADER;
wolfSSL 15:117db924cf7c 5412
wolfSSL 15:117db924cf7c 5413 /* Advance state and proceed */
wolfSSL 15:117db924cf7c 5414 ssl->options.asyncState = TLS_ASYNC_END;
wolfSSL 15:117db924cf7c 5415 } /* case TLS_ASYNC_FINALIZE */
wolfSSL 15:117db924cf7c 5416 FALL_THROUGH;
wolfSSL 15:117db924cf7c 5417
wolfSSL 15:117db924cf7c 5418 case TLS_ASYNC_END:
wolfSSL 15:117db924cf7c 5419 {
wolfSSL 15:117db924cf7c 5420 /* This message is always encrypted. */
wolfSSL 15:117db924cf7c 5421 ret = BuildTls13Message(ssl, args->output,
wolfSSL 15:117db924cf7c 5422 MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA,
wolfSSL 15:117db924cf7c 5423 args->output + RECORD_HEADER_SZ,
wolfSSL 15:117db924cf7c 5424 args->sendSz - RECORD_HEADER_SZ, handshake,
wolfSSL 15:117db924cf7c 5425 1, 0, 0);
wolfSSL 15:117db924cf7c 5426
wolfSSL 15:117db924cf7c 5427 if (ret < 0) {
wolfSSL 15:117db924cf7c 5428 goto exit_scv;
wolfSSL 15:117db924cf7c 5429 }
wolfSSL 15:117db924cf7c 5430 else {
wolfSSL 15:117db924cf7c 5431 args->sendSz = ret;
wolfSSL 15:117db924cf7c 5432 ret = 0;
wolfSSL 15:117db924cf7c 5433 }
wolfSSL 15:117db924cf7c 5434
wolfSSL 15:117db924cf7c 5435 #ifdef WOLFSSL_CALLBACKS
wolfSSL 15:117db924cf7c 5436 if (ssl->hsInfoOn)
wolfSSL 15:117db924cf7c 5437 AddPacketName(ssl, "CertificateVerify");
wolfSSL 15:117db924cf7c 5438 if (ssl->toInfoOn) {
wolfSSL 15:117db924cf7c 5439 AddPacketInfo(ssl, "CertificateVerify", handshake,
wolfSSL 15:117db924cf7c 5440 args->output, args->sendSz, WRITE_PROTO, ssl->heap);
wolfSSL 15:117db924cf7c 5441 }
wolfSSL 15:117db924cf7c 5442 #endif
wolfSSL 15:117db924cf7c 5443
wolfSSL 15:117db924cf7c 5444 ssl->buffers.outputBuffer.length += args->sendSz;
wolfSSL 15:117db924cf7c 5445
wolfSSL 15:117db924cf7c 5446 if (!ssl->options.groupMessages)
wolfSSL 15:117db924cf7c 5447 ret = SendBuffered(ssl);
wolfSSL 15:117db924cf7c 5448 break;
wolfSSL 15:117db924cf7c 5449 }
wolfSSL 15:117db924cf7c 5450 default:
wolfSSL 15:117db924cf7c 5451 ret = INPUT_CASE_ERROR;
wolfSSL 15:117db924cf7c 5452 } /* switch(ssl->options.asyncState) */
wolfSSL 15:117db924cf7c 5453
wolfSSL 15:117db924cf7c 5454 exit_scv:
wolfSSL 15:117db924cf7c 5455
wolfSSL 15:117db924cf7c 5456 WOLFSSL_LEAVE("SendTls13CertificateVerify", ret);
wolfSSL 15:117db924cf7c 5457 WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_SEND);
wolfSSL 15:117db924cf7c 5458
wolfSSL 15:117db924cf7c 5459 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 15:117db924cf7c 5460 /* Handle async operation */
wolfSSL 15:117db924cf7c 5461 if (ret == WC_PENDING_E) {
wolfSSL 15:117db924cf7c 5462 return ret;
wolfSSL 15:117db924cf7c 5463 }
wolfSSL 15:117db924cf7c 5464 #endif /* WOLFSSL_ASYNC_CRYPT */
wolfSSL 15:117db924cf7c 5465
wolfSSL 15:117db924cf7c 5466 /* Final cleanup */
wolfSSL 15:117db924cf7c 5467 FreeScv13Args(ssl, args);
wolfSSL 15:117db924cf7c 5468 FreeKeyExchange(ssl);
wolfSSL 15:117db924cf7c 5469
wolfSSL 15:117db924cf7c 5470 return ret;
wolfSSL 15:117db924cf7c 5471 }
wolfSSL 15:117db924cf7c 5472
/* Handle a received TLS v1.3 Certificate message (handshake type 11).
 *
 * The peer's chain is handed to ProcessPeerCerts(); only when that succeeds
 * is the handshake state machine advanced.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of Certificate.
 *           On exit, the index of byte after the Certificate message.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                              word32 totalSz)
{
    int ret;

    WOLFSSL_START(WC_FUNC_CERTIFICATE_DO);
    WOLFSSL_ENTER("DoTls13Certificate");

    ret = ProcessPeerCerts(ssl, input, inOutIdx, totalSz);

#if !defined(NO_WOLFSSL_CLIENT)
    /* Client: the server's certificate has been accepted. */
    if (ret == 0 && ssl->options.side == WOLFSSL_CLIENT_END) {
        ssl->options.serverState = SERVER_CERT_COMPLETE;
    }
#endif
#if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
    /* Server receiving a certificate after the handshake has completed:
     * rewind the state variables so the remaining client messages are
     * processed again.
     */
    if (ret == 0 && ssl->options.side == WOLFSSL_SERVER_END &&
            ssl->options.handShakeState == HANDSHAKE_DONE) {
        /* reset handshake states */
        ssl->options.serverState    = SERVER_FINISHED_COMPLETE;
        ssl->options.acceptState    = TICKET_SENT;
        ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
    }
#endif

    WOLFSSL_LEAVE("DoTls13Certificate", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_DO);

    return ret;
}
wolfSSL 15:117db924cf7c 5513
wolfSSL 15:117db924cf7c 5514 #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519)
wolfSSL 15:117db924cf7c 5515
/* Working state for DoTls13CertificateVerify().
 *
 * With WOLFSSL_ASYNC_CRYPT the structure is overlaid on ssl->async.args so it
 * survives a WC_PENDING_E return; otherwise it lives on the caller's stack.
 * Only sigData is owned by this structure (see FreeDcv13Args()).
 */
typedef struct Dcv13Args {
    byte*  output; /* not allocated: filled in by RsaVerify() and passed on to
                    * CheckRSASignature() */
    word32 sendSz;    /* non-negative result of RsaVerify(), used as the length
                       * of output */
    word16 sz;        /* signature length read from the message */
    word32 sigSz;     /* not referenced by the code visible in this file section */
    word32 idx;       /* current read offset into the input buffer */
    word32 begin;     /* value of *inOutIdx on entry; base for the bounds checks */
    byte   hashAlgo;  /* hash algorithm decoded from the message */
    byte   sigAlgo;   /* signature algorithm decoded from the message */

    byte*  sigData;   /* heap buffer holding the data the ECC/Ed25519 signature
                       * is checked against; released by FreeDcv13Args() */
    word16 sigDataSz; /* number of bytes used in sigData */
} Dcv13Args;
wolfSSL 15:117db924cf7c 5529
/* Release the heap memory held by a Dcv13Args.
 *
 * Also installed as ssl->async.freeArgs by DoTls13CertificateVerify() when
 * WOLFSSL_ASYNC_CRYPT is defined.
 *
 * ssl    The SSL/TLS object; supplies the heap hint for XFREE.
 * pArgs  Pointer to the Dcv13Args to clean up.
 */
static void FreeDcv13Args(WOLFSSL* ssl, void* pArgs)
{
    Dcv13Args* dcvArgs = (Dcv13Args*)pArgs;

    /* presumably silences an unused-parameter warning in builds where XFREE
     * ignores its heap argument */
    (void)ssl;

    if (dcvArgs->sigData == NULL) {
        return;
    }

    XFREE(dcvArgs->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
    /* clear the pointer so a second call cannot free it twice */
    dcvArgs->sigData = NULL;
}
wolfSSL 15:117db924cf7c 5541
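/* Parse and verify a TLS v1.3 CertificateVerify message (handshake type 15).
 *
 * The function is a resumable state machine driven by
 * ssl->options.asyncState: BEGIN -> BUILD (parse, build the data to verify)
 * -> DO (public key operation) -> VERIFY (RSA encoding check) -> FINALIZE.
 *
 * Security-relevant behaviour:
 *  - A signature algorithm for which the matching peer public key is not
 *    present is rejected with SIG_VERIFY_E. Without that, none of the verify
 *    branches below is guaranteed to run for the advertised algorithm while
 *    ret is still 0 when havePeerVerify is set.
 *  - A failure of CreateSigData() is propagated on the Ed25519 path as well,
 *    so a signature is never checked against a buffer that was not built.
 *  - Any failure other than WC_PENDING_E sends a fatal decrypt_error alert.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of
 *           CertificateVerify.
 *           On exit, the index of byte after the CertificateVerify message.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                                    word32* inOutIdx, word32 totalSz)
{
    int         ret = 0;
    buffer*     sig = &ssl->buffers.sig;
#ifdef WOLFSSL_ASYNC_CRYPT
    Dcv13Args* args = (Dcv13Args*)ssl->async.args;
    /* compile-time check that the async argument area can hold Dcv13Args */
    typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
    (void)sizeof(args_test);
#else
    Dcv13Args  args[1];
#endif

    WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_DO);
    WOLFSSL_ENTER("DoTls13CertificateVerify");

#ifdef WOLFSSL_ASYNC_CRYPT
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
    if (ret != WC_NOT_PENDING_E) {
        /* Check for error */
        if (ret < 0)
            goto exit_dcv;
    }
    else
#endif
    {
        /* Reset state */
        ret = 0;
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
        XMEMSET(args, 0, sizeof(Dcv13Args));
        args->hashAlgo = sha_mac;
        args->sigAlgo = anonymous_sa_algo;
        args->idx = *inOutIdx;
        args->begin = *inOutIdx;
    #ifdef WOLFSSL_ASYNC_CRYPT
        ssl->async.freeArgs = FreeDcv13Args;
    #endif
    }

    switch(ssl->options.asyncState)
    {
        case TLS_ASYNC_BEGIN:
        {
        #ifdef WOLFSSL_CALLBACKS
            if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateVerify");
            if (ssl->toInfoOn) AddLateName("CertificateVerify",
                                           &ssl->timeoutInfo);
        #endif

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_BUILD;
        } /* case TLS_ASYNC_BEGIN */
        FALL_THROUGH;

        case TLS_ASYNC_BUILD:
        {
            /* Signature algorithm. */
            if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > totalSz) {
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
            }
            DecodeSigAlg(input + args->idx, &args->hashAlgo, &args->sigAlgo);
            args->idx += OPAQUE16_LEN;

            /* Signature length. */
            if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) {
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
            }
            ato16(input + args->idx, &args->sz);
            args->idx += OPAQUE16_LEN;

            /* Signature data. */
            if ((args->idx - args->begin) + args->sz > totalSz ||
                                                   args->sz > ENCRYPT_LEN) {
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
            }

            /* Check for public key of required type. The algorithm named in
             * this message is chosen by the peer, so a value that does not
             * match the key taken from its certificate must fail the
             * handshake rather than only being logged.
             */
        #ifdef HAVE_ED25519
            if (args->sigAlgo == ed25519_sa_algo &&
                                             !ssl->peerEd25519KeyPresent) {
                WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
                ERROR_OUT(SIG_VERIFY_E, exit_dcv);
            }
        #endif
        #ifdef HAVE_ECC
            if (args->sigAlgo == ecc_dsa_sa_algo &&
                                               !ssl->peerEccDsaKeyPresent) {
                WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
                ERROR_OUT(SIG_VERIFY_E, exit_dcv);
            }
        #endif
        #ifndef NO_RSA
            if ((args->sigAlgo == rsa_sa_algo ||
                 args->sigAlgo == rsa_pss_sa_algo) &&
                         (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
                WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
                ERROR_OUT(SIG_VERIFY_E, exit_dcv);
            }
        #endif
            /* NOTE(review): a sigAlgo value matching none of the algorithms
             * above is not rejected here; confirm that every such value is
             * refused by the verify steps below for all key types. */

            /* Private copy of the signature; released by the final cleanup
             * (presumably in FreeKeyExchange - confirm). */
            sig->buffer = (byte*)XMALLOC(args->sz, ssl->heap,
                                         DYNAMIC_TYPE_SIGNATURE);
            if (sig->buffer == NULL) {
                ERROR_OUT(MEMORY_E, exit_dcv);
            }
            sig->length = args->sz;
            XMEMCPY(sig->buffer, input + args->idx, args->sz);

        #ifdef HAVE_ECC
            if (ssl->peerEccDsaKeyPresent) {
                WOLFSSL_MSG("Doing ECC peer cert verify");

                args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
                                               DYNAMIC_TYPE_SIGNATURE);
                if (args->sigData == NULL) {
                    ERROR_OUT(MEMORY_E, exit_dcv);
                }

                ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
                if (ret != 0)
                    goto exit_dcv;
                ret = CreateECCEncodedSig(args->sigData,
                    args->sigDataSz, args->hashAlgo);
                if (ret < 0)
                    goto exit_dcv;
                /* a non-negative result is the new length of sigData */
                args->sigDataSz = (word16)ret;
                ret = 0;
            }
        #endif
        #ifdef HAVE_ED25519
            if (ssl->peerEd25519KeyPresent) {
                WOLFSSL_MSG("Doing ED25519 peer cert verify");

                args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
                                               DYNAMIC_TYPE_SIGNATURE);
                if (args->sigData == NULL) {
                    ERROR_OUT(MEMORY_E, exit_dcv);
                }

                /* Propagate a failure instead of discarding it, matching
                 * the ECC path above. */
                ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
                if (ret != 0)
                    goto exit_dcv;
            }
        #endif

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_DO;
        } /* case TLS_ASYNC_BUILD */
        FALL_THROUGH;

        case TLS_ASYNC_DO:
        {
        #ifndef NO_RSA
            if (args->sigAlgo == rsa_sa_algo ||
                                         args->sigAlgo == rsa_pss_sa_algo) {
                WOLFSSL_MSG("Doing RSA peer cert verify");

                ret = RsaVerify(ssl, sig->buffer, sig->length, &args->output,
                    args->sigAlgo, args->hashAlgo, ssl->peerRsaKey,
                #ifdef HAVE_PK_CALLBACKS
                    &ssl->buffers.peerRsaKey
                #else
                    NULL
                #endif
                );
                /* a non-negative result is the length of args->output */
                if (ret >= 0) {
                    args->sendSz = ret;
                    ret = 0;
                }
            }
        #endif /* !NO_RSA */
        #ifdef HAVE_ECC
            if (ssl->peerEccDsaKeyPresent) {
                WOLFSSL_MSG("Doing ECC peer cert verify");

                ret = EccVerify(ssl, input + args->idx, args->sz,
                    args->sigData, args->sigDataSz,
                    ssl->peerEccDsaKey,
                #ifdef HAVE_PK_CALLBACKS
                    &ssl->buffers.peerEccDsaKey
                #else
                    NULL
                #endif
                );
            }
        #endif /* HAVE_ECC */
        #ifdef HAVE_ED25519
            if (ssl->peerEd25519KeyPresent) {
                WOLFSSL_MSG("Doing ED25519 peer cert verify");

                ret = Ed25519Verify(ssl, input + args->idx, args->sz,
                    args->sigData, args->sigDataSz,
                    ssl->peerEd25519Key,
                #ifdef HAVE_PK_CALLBACKS
                    &ssl->buffers.peerEd25519Key
                #else
                    NULL
                #endif
                );
            }
        #endif

            /* Check for error */
            if (ret != 0) {
                goto exit_dcv;
            }

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_VERIFY;
        } /* case TLS_ASYNC_DO */
        FALL_THROUGH;

        case TLS_ASYNC_VERIFY:
        {
        #ifndef NO_RSA
            if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
                ret = CheckRSASignature(ssl, args->sigAlgo, args->hashAlgo,
                                        args->output, args->sendSz);
                if (ret != 0)
                    goto exit_dcv;
            }
        #endif /* !NO_RSA */

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_FINALIZE;
        } /* case TLS_ASYNC_VERIFY */
        FALL_THROUGH;

        case TLS_ASYNC_FINALIZE:
        {
            /* Only reached with ret == 0 from every earlier state. */
            ssl->options.havePeerVerify = 1;

            /* Set final index */
            args->idx += args->sz;
            *inOutIdx = args->idx;

            /* Encryption is always on: add padding */
            *inOutIdx += ssl->keys.padSz;

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_END;
        } /* case TLS_ASYNC_FINALIZE */
        FALL_THROUGH;

        case TLS_ASYNC_END:
        {
            break;
        }
        default:
            ret = INPUT_CASE_ERROR;
    } /* switch(ssl->options.asyncState) */

exit_dcv:

    WOLFSSL_LEAVE("DoTls13CertificateVerify", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_DO);

#ifdef WOLFSSL_ASYNC_CRYPT
    /* Handle async operation */
    if (ret == WC_PENDING_E) {
        /* Mark message as not received so it can process again */
        ssl->msgsReceived.got_certificate_verify = 0;

        return ret;
    }
    else
#endif /* WOLFSSL_ASYNC_CRYPT */
    if (ret != 0)
        SendAlert(ssl, alert_fatal, decrypt_error);

    /* Final cleanup */
    FreeDcv13Args(ssl, args);
    FreeKeyExchange(ssl);

    return ret;
}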
wolfSSL 15:117db924cf7c 5824 #endif /* !NO_RSA || HAVE_ECC */
wolfSSL 15:117db924cf7c 5825
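/* Parse and handle a TLS v1.3 Finished message.
 *
 * The expected verify data is recomputed with BuildTls13HandshakeHmac() and
 * compared with the bytes sent by the peer. The comparison inspects every
 * byte regardless of where the first difference is, so its duration does not
 * reveal how long a matching prefix was.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of Finished.
 *           On exit, the index of byte after the Finished message and padding.
 * size      Length of message data.
 * totalSz   Length of remaining data in the message buffer.
 * sniff     Indicates whether we are sniffing packets.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                           word32 size, word32 totalSz, int sniff)
{
    int    ret;
    word32 finishedSz = 0;
    byte*  secret;
    byte   mac[WC_MAX_DIGEST_SIZE];

    WOLFSSL_START(WC_FUNC_FINISHED_DO);
    WOLFSSL_ENTER("DoTls13Finished");

    /* check against totalSz */
    if (*inOutIdx + size + ssl->keys.padSz > totalSz)
        return BUFFER_E;

    if (ssl->options.handShakeDone) {
        /* Finished received after the handshake completed (presumably
         * post-handshake authentication - confirm): re-derive the client
         * finished key and check against it.
         */
        ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret,
                                   ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            return ret;

        secret = ssl->keys.client_write_MAC_secret;
    }
    else if (ssl->options.side == WOLFSSL_CLIENT_END) {
        /* All the handshake messages have been received to calculate
         * client and server finished keys.
         */
        ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret,
                                   ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            return ret;

        ret = DeriveFinishedSecret(ssl, ssl->arrays->serverSecret,
                                   ssl->keys.server_write_MAC_secret);
        if (ret != 0)
            return ret;

        /* the client checks the server's Finished */
        secret = ssl->keys.server_write_MAC_secret;
    }
    else {
        /* Server during the handshake: the client finished key is not
         * derived in this function and is used as it stands. */
        secret = ssl->keys.client_write_MAC_secret;
    }

    ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz);
    if (ret != 0)
        return ret;
    /* The peer's length must equal the computed one and must fit in mac, so
     * the comparison below cannot read past the local buffer. */
    if (size != finishedSz || size > (word32)sizeof(mac))
        return BUFFER_ERROR;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
    if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo);
#endif

    if (sniff == NO_SNIFF) {
        /* Actually check verify data. Differences are accumulated over the
         * whole length instead of stopping at the first mismatching byte.
         * If a constant-time comparison helper is in scope in this
         * translation unit it can replace the loop.
         */
        const byte* peerMac = input + *inOutIdx;
        byte        diff = 0;
        word32      i;

        for (i = 0; i < size; i++)
            diff |= (byte)(peerMac[i] ^ mac[i]);

        if (diff != 0) {
            WOLFSSL_MSG("Verify finished error on hashes");
            SendAlert(ssl, alert_fatal, decrypt_error);
            return VERIFY_FINISHED_ERROR;
        }
    }

    /* Force input exhaustion at ProcessReply by consuming padSz. */
    *inOutIdx += size + ssl->keys.padSz;

    if (ssl->options.side == WOLFSSL_SERVER_END &&
                                              !ssl->options.handShakeDone) {
#ifdef WOLFSSL_EARLY_DATA
        if (ssl->earlyData != no_early_data) {
            if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY, 1)) != 0)
                return ret;
        }
#endif
        /* Setup keys for application data messages from client. */
        if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
            return ret;
    }

#ifndef NO_WOLFSSL_CLIENT
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
#endif
#ifndef NO_WOLFSSL_SERVER
    if (ssl->options.side == WOLFSSL_SERVER_END) {
        /* the client's Finished completes the handshake on the server */
        ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
        ssl->options.handShakeState = HANDSHAKE_DONE;
        ssl->options.handShakeDone  = 1;
    }
#endif

    WOLFSSL_LEAVE("DoTls13Finished", 0);
    WOLFSSL_END(WC_FUNC_FINISHED_DO);

    return 0;
}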
wolfSSL 15:117db924cf7c 5932 #endif /* NO_CERTS */
wolfSSL 15:117db924cf7c 5933
/* Send the TLS v1.3 Finished message.
 *
 * Writes the Finished handshake message into the output buffer, protects it
 * with BuildTls13Message() and flushes it with SendBuffered(). Which MAC
 * secret keys the verify data depends on the side and on whether the
 * handshake has already completed (see the selection below). After the
 * message is queued, the server derives its traffic keys and switches its
 * encrypt side to them; a client finishing its first handshake switches both
 * sides.
 *
 * Every error path returns directly, so WOLFSSL_LEAVE()/WOLFSSL_END() only
 * run on success.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13Finished(WOLFSSL* ssl)
{
    int   sendSz;
    /* Length of the Finished body: one digest of the negotiated hash. */
    int   finishedSz = ssl->specs.hash_size;
    byte* input;
    byte* output;
    int   ret;
    int   headerSz = HANDSHAKE_HEADER_SZ;
    int   outputSz;
    byte* secret;

    WOLFSSL_START(WC_FUNC_FINISHED_SEND);
    WOLFSSL_ENTER("SendTls13Finished");

    /* Sized for the largest digest rather than finishedSz.
     * NOTE(review): assumes ssl->specs.hash_size never exceeds
     * WC_MAX_DIGEST_SIZE - confirm where hash_size is assigned. */
    outputSz = WC_MAX_DIGEST_SIZE + DTLS_HANDSHAKE_HEADER_SZ + MAX_MSG_EXTRA;
    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
        return ret;

    /* get output buffer: append after whatever is already queued */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;
    /* The handshake message starts right after the record header. */
    input = output + RECORD_HEADER_SZ;

    AddTls13HandShakeHeader(input, finishedSz, 0, finishedSz, finished, ssl);

    /* make finished hashes */
    if (ssl->options.handShakeDone) {
        /* Handshake already complete: the client finished secret is derived
         * again from clientSecret before use, whichever side is sending.
         * NOTE(review): presumably the post-handshake path - confirm against
         * the callers. */
        ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret,
                                   ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            return ret;

        secret = ssl->keys.client_write_MAC_secret;
    }
    else if (ssl->options.side == WOLFSSL_CLIENT_END)
        /* Client, first handshake: the secret is used as already stored;
         * nothing is derived in this function. */
        secret = ssl->keys.client_write_MAC_secret;
    else {
        /* All the handshake messages have been done to calculate client and
         * server finished keys.
         */
        ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret,
                                   ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            return ret;

        ret = DeriveFinishedSecret(ssl, ssl->arrays->serverSecret,
                                   ssl->keys.server_write_MAC_secret);
        if (ret != 0)
            return ret;

        /* The server's own Finished is keyed with the server secret. */
        secret = ssl->keys.server_write_MAC_secret;
    }
    /* The verify data is written straight into the message body, just after
     * the handshake header; no size is requested back (NULL). */
    ret = BuildTls13HandshakeHmac(ssl, secret, &input[headerSz], NULL);
    if (ret != 0)
        return ret;

    /* This message is always encrypted. */
    sendSz = BuildTls13Message(ssl, output, outputSz, input,
                               headerSz + finishedSz, handshake, 1, 0, 0);
    /* Any negative result is reported as BUILD_MSG_ERROR; the specific code
     * from BuildTls13Message() is not passed on. */
    if (sendSz < 0)
        return BUILD_MSG_ERROR;

    if (!ssl->options.resuming) {
#ifndef NO_SESSION_CACHE
        AddSession(ssl);    /* just try: the result is deliberately ignored */
#endif
    }

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
    if (ssl->toInfoOn) {
        AddPacketInfo(ssl, "Finished", handshake, output, sendSz,
                      WRITE_PROTO, ssl->heap);
    }
#endif

    /* Commit the built record to the output buffer. */
    ssl->buffers.outputBuffer.length += sendSz;

    if (ssl->options.side == WOLFSSL_SERVER_END) {
        /* Can send application data now. */
        if ((ret = DeriveMasterSecret(ssl)) != 0)
            return ret;
#ifdef WOLFSSL_EARLY_DATA
        /* With early data compiled in, the encrypt and decrypt traffic keys
         * are derived in separate calls; the last argument of the
         * decrypt-side call is 1 only when no early data is in use. */
        if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_SIDE_ONLY, 1))
                                                                         != 0) {
            return ret;
        }
        if ((ret = DeriveTls13Keys(ssl, traffic_key, DECRYPT_SIDE_ONLY,
                                       ssl->earlyData == no_early_data)) != 0) {
            return ret;
        }
#else
        if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_AND_DECRYPT_SIDE,
                                                                     1)) != 0) {
            return ret;
        }
#endif
        /* Only the encrypt side is switched here; DoTls13Finished switches
         * the server's decrypt side once the client's Finished has been
         * processed. */
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
            return ret;
    }

    if (ssl->options.side == WOLFSSL_CLIENT_END &&
                                                  !ssl->options.handShakeDone) {
#ifdef WOLFSSL_EARLY_DATA
        if (ssl->earlyData != no_early_data) {
            if ((ret = DeriveTls13Keys(ssl, no_key, ENCRYPT_AND_DECRYPT_SIDE,
                                                                     1)) != 0) {
                return ret;
            }
        }
#endif
        /* Setup keys for application data messages. */
        if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
            return ret;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
        /* Runs after the client's Finished has been built above.
         * NOTE(review): presumably that message is in the handshake hash by
         * now - confirm in BuildTls13Message(). */
        ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret);
        if (ret != 0)
            return ret;
#endif
    }

#ifndef NO_WOLFSSL_CLIENT
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
        ssl->options.handShakeState = HANDSHAKE_DONE;
        ssl->options.handShakeDone = 1;
    }
#endif
#ifndef NO_WOLFSSL_SERVER
    if (ssl->options.side == WOLFSSL_SERVER_END) {
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
    }
#endif

    /* The state flags above are set before the flush, so a non-zero return
     * here leaves this side already marked as having sent Finished.
     * NOTE(review): callers presumably retry the flush on WANT_WRITE -
     * confirm. */
    if ((ret = SendBuffered(ssl)) != 0)
        return ret;

    WOLFSSL_LEAVE("SendTls13Finished", ret);
    WOLFSSL_END(WC_FUNC_FINISHED_SEND);

    return ret;
}
wolfSSL 15:117db924cf7c 6083
/* Send a TLS v1.3 KeyUpdate handshake message (key_update, type 24).
 *
 * The one-byte body tells the peer whether a KeyUpdate is wanted in return.
 * After the message has been built and handed to SendBuffered(), the encrypt
 * side is moved on to the updated traffic keys.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13KeyUpdate(WOLFSSL* ssl)
{
    /* Offset of the body byte, just past the record and handshake headers. */
    const word32 bodyIdx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    byte* record;
    byte* hsMsg;
    byte  wantResponse;
    int   maxSz;
    int   recordSz;
    int   ret;

    WOLFSSL_START(WC_FUNC_KEY_UPDATE_SEND);
    WOLFSSL_ENTER("SendTls13KeyUpdate");

    /* Make sure the output buffer can take the message, growing it if not. */
    maxSz = OPAQUE8_LEN + MAX_MSG_EXTRA;
    ret = CheckAvailableSize(ssl, maxSz);
    if (ret != 0)
        return ret;

    /* The new record goes after whatever is already queued for sending. */
    record = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;
    hsMsg  = record + RECORD_HEADER_SZ;

    AddTls13Headers(record, OPAQUE8_LEN, key_update, ssl);

    /* Ask for a response only when no request of ours is still outstanding
     * and this message is not itself the answer to the peer's request. */
    wantResponse = (byte)(!ssl->keys.updateResponseReq &&
                          !ssl->keys.keyUpdateRespond);
    record[bodyIdx] = wantResponse;
    ssl->keys.updateResponseReq = wantResponse;
    /* Whatever the peer asked for has now been answered. */
    ssl->keys.keyUpdateRespond = 0;

    /* KeyUpdate always travels encrypted. */
    recordSz = BuildTls13Message(ssl, record, maxSz, hsMsg,
                                 HANDSHAKE_HEADER_SZ + OPAQUE8_LEN, handshake,
                                 0, 0, 0);
    if (recordSz < 0)
        return BUILD_MSG_ERROR;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName(ssl, "KeyUpdate");
    if (ssl->toInfoOn)
        AddPacketInfo(ssl, "KeyUpdate", handshake, record, recordSz,
                      WRITE_PROTO, ssl->heap);
#endif

    ssl->buffers.outputBuffer.length += recordSz;

    /* WANT_WRITE is tolerated: the key switch below still takes place. */
    ret = SendBuffered(ssl);
    if (!(ret == 0 || ret == WANT_WRITE))
        return ret;

    /* Everything sent from here on is protected with the updated keys. */
    ret = DeriveTls13Keys(ssl, update_traffic_key, ENCRYPT_SIDE_ONLY, 1);
    if (ret == 0)
        ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
    if (ret != 0)
        return ret;

    WOLFSSL_LEAVE("SendTls13KeyUpdate", ret);
    WOLFSSL_END(WC_FUNC_KEY_UPDATE_SEND);

    return ret;
}
wolfSSL 15:117db924cf7c 6157
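/* Parse and handle a TLS v1.3 KeyUpdate message (key_update, type 24).
 *
 * The body is a single byte taken from the peer: update_not_requested or
 * update_requested. Any other value is rejected with INVALID_PARAMETER before
 * any key is changed. On a valid message the decrypt side moves on to the
 * updated traffic keys and, when the peer asked for it, a KeyUpdate is sent
 * in return.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of KeyUpdate.
 *           On exit, the index of byte after the KeyUpdate message and
 *           padding.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13KeyUpdate(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                            word32 totalSz)
{
    int    ret;
    word32 i = *inOutIdx;

    WOLFSSL_START(WC_FUNC_KEY_UPDATE_DO);
    WOLFSSL_ENTER("DoTls13KeyUpdate");

    /* The body must be exactly one byte; this also bounds the read below. */
    if (OPAQUE8_LEN != totalSz)
        return BUFFER_E;

    switch (input[i]) {
        case update_not_requested:
            /* This message is in response to any outstanding request. */
            ssl->keys.keyUpdateRespond = 0;
            ssl->keys.updateResponseReq = 0;
            break;
        case update_requested:
            /* New key update requiring a response. */
            ssl->keys.keyUpdateRespond = 1;
            break;
        default:
            /* NOTE(review): no alert is sent from here. RFC 8446 4.6.3 asks
             * for illegal_parameter on an unknown value - confirm the caller
             * turns this error into that alert. */
            WOLFSSL_MSG("Unknown KeyUpdate request value");
            return INVALID_PARAMETER;
    }

    /* Move index to byte after message. */
    *inOutIdx += totalSz;
    /* Always encrypted. */
    *inOutIdx += ssl->keys.padSz;

    /* Future traffic uses new decryption keys. */
    if ((ret = DeriveTls13Keys(ssl, update_traffic_key, DECRYPT_SIDE_ONLY, 1))
                                                                         != 0) {
        return ret;
    }
    if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
        return ret;

    /* Answer the peer's request. The result is passed through so that the
     * exit trace below runs on this path as well. */
    if (ssl->keys.keyUpdateRespond)
        ret = SendTls13KeyUpdate(ssl);

    WOLFSSL_LEAVE("DoTls13KeyUpdate", ret);
    WOLFSSL_END(WC_FUNC_KEY_UPDATE_DO);

    return ret;
}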
wolfSSL 15:117db924cf7c 6217
wolfSSL 15:117db924cf7c 6218 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 6219 #ifndef NO_WOLFSSL_CLIENT
/* Send the TLS v1.3 EndOfEarlyData message, telling the server that no more
 * early application data follows.
 * Once the message is queued the encryption key changes to the pre-calculated
 * handshake key.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success and otherwise failure.
 */
static int SendTls13EndOfEarlyData(WOLFSSL* ssl)
{
    /* EndOfEarlyData has an empty body: only the two headers are written. */
    const word32 bodyLen   = 0;
    const word32 headersSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    byte* record;
    int   maxSz;
    int   recordSz;
    int   ret;

    WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_SEND);
    WOLFSSL_ENTER("SendTls13EndOfEarlyData");

    /* Make sure the output buffer can take the message, growing it if not. */
    maxSz = headersSz + bodyLen + MAX_MSG_EXTRA;
    ret = CheckAvailableSize(ssl, maxSz);
    if (ret != 0)
        return ret;

    /* The new record goes after whatever is already queued for sending. */
    record = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Record header followed by the handshake header. */
    AddTls13Headers(record, bodyLen, end_of_early_data, ssl);

    /* Always sent encrypted; unlike the other senders in this file, a build
     * failure is returned unchanged rather than as BUILD_MSG_ERROR. */
    recordSz = BuildTls13Message(ssl, record, maxSz, record + RECORD_HEADER_SZ,
                                 headersSz - RECORD_HEADER_SZ, handshake,
                                 1, 0, 0);
    if (recordSz < 0)
        return recordSz;

    ssl->buffers.outputBuffer.length += recordSz;

    /* Switch the encrypt side only after this message has been built. */
    ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
    if (ret != 0)
        return ret;

    /* When messages are being grouped, the record stays queued. */
    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13EndOfEarlyData", ret);
    WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_SEND);

    return ret;
}
wolfSSL 15:117db924cf7c 6271 #endif /* !NO_WOLFSSL_CLIENT */
wolfSSL 15:117db924cf7c 6272
wolfSSL 15:117db924cf7c 6273 #ifndef NO_WOLFSSL_SERVER
/* Process a TLS v1.3 EndOfEarlyData message (end_of_early_data, type 5),
 * which says that no more early application data follows.
 * The decryption key now changes to the pre-calculated handshake key.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer (not read).
 * inOutIdx  On entry, the index into the message buffer of the message.
 *           On exit, advanced past the record padding.
 * size      The length of the current handshake message; must be 0.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13EndOfEarlyData(WOLFSSL* ssl, const byte* input,
                                 word32* inOutIdx, word32 size)
{
    int ret;

    /* The message has no body, so the buffer itself is never looked at. */
    (void)input;

    WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_DO);
    WOLFSSL_ENTER("DoTls13EndOfEarlyData");

    /* Nothing has been consumed, so any non-zero length is malformed. */
    if (size != 0)
        return BUFFER_ERROR;

    /* Reject the message when early data is not in use on this connection. */
    if (ssl->earlyData == no_early_data) {
        WOLFSSL_MSG("EndOfEarlyData recieved unexpectedly");
        SendAlert(ssl, alert_fatal, unexpected_message);
        return OUT_OF_ORDER_E;
    }

    ssl->earlyData = done_early_data;

    /* The message is always encrypted: step over the record padding. */
    *inOutIdx += ssl->keys.padSz;

    /* Later records are decrypted with the new key. */
    ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);

    WOLFSSL_LEAVE("DoTls13EndOfEarlyData", ret);
    WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_DO);

    return ret;
}
wolfSSL 15:117db924cf7c 6314 #endif /* !NO_WOLFSSL_SERVER */
wolfSSL 15:117db924cf7c 6315 #endif /* WOLFSSL_EARLY_DATA */
wolfSSL 15:117db924cf7c 6316
wolfSSL 15:117db924cf7c 6317 #ifndef NO_WOLFSSL_CLIENT
/* Handle a New Session Ticket handshake message.
 * Message contains the information required to perform resumption.
 *
 * Every field comes from the peer. Before a field is read, the bytes consumed
 * so far (*inOutIdx - begin) plus the size of that field are checked against
 * size, and the extensions block must end exactly at size.
 *
 * Without HAVE_SESSION_TICKET the message is skipped unparsed.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of the
 *           NewSessionTicket message.
 *           On exit, the index of byte after the message and padding.
 * size      The length of the current handshake message.
 * returns 0 on success, otherwise failure.
 */
static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input,
                                   word32* inOutIdx, word32 size)
{
#ifdef HAVE_SESSION_TICKET
    int    ret;
    word32 begin = *inOutIdx;   /* start of the message, for length checks */
    word32 lifetime;
    word32 ageAdd;
    word16 length;              /* reused: ticket length, then extensions */
    word32 now;
#ifndef WOLFSSL_TLS13_DRAFT_18
    const byte* nonce;          /* points into input; copied further down */
    byte        nonceLength;
#endif

    WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_DO);
    WOLFSSL_ENTER("DoTls13NewSessionTicket");

    /* Lifetime hint. */
    if ((*inOutIdx - begin) + SESSION_HINT_SZ > size)
        return BUFFER_ERROR;
    ato32(input + *inOutIdx, &lifetime);
    *inOutIdx += SESSION_HINT_SZ;
    /* A lifetime above MAX_LIFETIME is refused rather than clamped. */
    if (lifetime > MAX_LIFETIME)
        return SERVER_HINT_ERROR;

    /* Age add. */
    if ((*inOutIdx - begin) + SESSION_ADD_SZ > size)
        return BUFFER_ERROR;
    ato32(input + *inOutIdx, &ageAdd);
    *inOutIdx += SESSION_ADD_SZ;

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Ticket nonce. */
    if ((*inOutIdx - begin) + 1 > size)
        return BUFFER_ERROR;
    nonceLength = input[*inOutIdx];
    /* This cap is the only bound on the XMEMCPY into ticketNonce.data below.
     * NOTE(review): assumes that array holds MAX_TICKET_NONCE_SZ bytes -
     * confirm against its declaration. */
    if (nonceLength > MAX_TICKET_NONCE_SZ) {
        WOLFSSL_MSG("Nonce length not supported");
        return INVALID_PARAMETER;
    }
    *inOutIdx += 1;
    if ((*inOutIdx - begin) + nonceLength > size)
        return BUFFER_ERROR;
    nonce = input + *inOutIdx;
    *inOutIdx += nonceLength;
#endif

    /* Ticket length. */
    if ((*inOutIdx - begin) + LENGTH_SZ > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &length);
    *inOutIdx += LENGTH_SZ;
    if ((*inOutIdx - begin) + length > size)
        return BUFFER_ERROR;

    /* NOTE(review): the ticket is handed to SetTicket() before the extensions
     * block has been length-checked, so a message rejected further down has
     * presumably already replaced the stored ticket - confirm that callers
     * drop the session when this function fails. */
    if ((ret = SetTicket(ssl, input + *inOutIdx, length)) != 0)
        return ret;
    *inOutIdx += length;

    now = TimeNowInMilliseconds();
    /* now holds (word32)GETTIME_ERROR here; it is returned as the int error
     * code. */
    if (now == (word32)GETTIME_ERROR)
        return now;
    /* Copy in ticket data (server identity). */
    ssl->timeout = lifetime;
    ssl->session.timeout = lifetime;
    ssl->session.cipherSuite0 = ssl->options.cipherSuite0;
    ssl->session.cipherSuite = ssl->options.cipherSuite;
    ssl->session.ticketSeen = now;
    ssl->session.ticketAdd = ageAdd;
#ifdef WOLFSSL_EARLY_DATA
    ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
#endif
#ifndef WOLFSSL_TLS13_DRAFT_18
    ssl->session.ticketNonce.len = nonceLength;
    if (nonceLength > 0)
        XMEMCPY(&ssl->session.ticketNonce.data, nonce, nonceLength);
#endif
    ssl->session.namedGroup = ssl->namedGroup;

    /* Extensions: a two-byte length, then a block that must run exactly to
     * the end of the message (note the != below), so trailing bytes are
     * rejected. */
    if ((*inOutIdx - begin) + EXTS_SZ > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &length);
    *inOutIdx += EXTS_SZ;
    if ((*inOutIdx - begin) + length != size)
        return BUFFER_ERROR;
#ifdef WOLFSSL_EARLY_DATA
    /* The extensions are parsed only in early-data builds; otherwise the
     * block is stepped over unread. The cast drops const from input. */
    ret = TLSX_Parse(ssl, (byte *)input + (*inOutIdx), length, session_ticket,
                     NULL);
    if (ret != 0)
        return ret;
#endif
    *inOutIdx += length;

#ifndef NO_SESSION_CACHE
    AddSession(ssl);    /* return value not checked */
#endif

    /* Always encrypted. */
    *inOutIdx += ssl->keys.padSz;

    ssl->expect_session_ticket = 0;
#else
    (void)ssl;
    (void)input;

    WOLFSSL_ENTER("DoTls13NewSessionTicket");

    /* Session tickets are not compiled in: step over the message body and
     * the record padding without parsing anything. */
    *inOutIdx += size + ssl->keys.padSz;
#endif /* HAVE_SESSION_TICKET */

    WOLFSSL_LEAVE("DoTls13NewSessionTicket", 0);
    WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_DO);

    return 0;
}
wolfSSL 15:117db924cf7c 6444 #endif /* NO_WOLFSSL_CLIENT */
wolfSSL 15:117db924cf7c 6445
wolfSSL 15:117db924cf7c 6446 #ifndef NO_WOLFSSL_SERVER
wolfSSL 15:117db924cf7c 6447 #ifdef HAVE_SESSION_TICKET
wolfSSL 15:117db924cf7c 6448
wolfSSL 15:117db924cf7c 6449 #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
wolfSSL 15:117db924cf7c 6450 /* Offset of the MAC size in the finished message. */
wolfSSL 15:117db924cf7c 6451 #define FINISHED_MSG_SIZE_OFFSET 3
wolfSSL 15:117db924cf7c 6452
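/* Calculate the resumption secret which includes the unseen client finished
 * message.
 *
 * The running handshake hash is saved, the messages the client is expected to
 * send (EndOfEarlyData when early data is in use, then Finished) are hashed
 * in, the resumption secret is derived, and the saved hash is put back.
 *
 * An error in between returns at once, without putting the saved hash back.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int ExpectedResumptionSecret(WOLFSSL* ssl)
{
    int    ret;
    word32 finishedSz = 0;
    byte   mac[WC_MAX_DIGEST_SIZE];
    Digest digest;
    /* Handshake header of the expected Finished message (type 0x14); the
     * length byte is filled in below. Kept on the stack because it is written
     * on every call: a static buffer would be shared by all connections and
     * could be overwritten by another thread between the write and the hash. */
    byte   header[] = { 0x14, 0x00, 0x00, 0x00 };

    /* Copy the running hash so we can restore it after. */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            ret = wc_Sha256Copy(&ssl->hsHashes->hashSha256, &digest.sha256);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_Sha384Copy(&ssl->hsHashes->hashSha384, &digest.sha384);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            ret = wc_Sha512Copy(&ssl->hsHashes->hashSha512, &digest.sha512);
            if (ret != 0)
                return ret;
            break;
    #endif
    }

    /* Generate the Client's Finished message and hash it. */
    ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, mac,
                                  &finishedSz);
    if (ret != 0)
        return ret;
    /* NOTE(review): assumes finishedSz fits in the single length byte, i.e.
     * is no larger than the mac buffer - confirm in BuildTls13HandshakeHmac. */
    header[FINISHED_MSG_SIZE_OFFSET] = (byte)finishedSz;
#ifdef WOLFSSL_EARLY_DATA
    if (ssl->earlyData != no_early_data) {
        /* The client sends EndOfEarlyData (type 0x05, empty body) before its
         * Finished, so it goes into the hash first. */
        static byte endOfEarlyData[] = { 0x05, 0x00, 0x00, 0x00 };
        ret = HashInputRaw(ssl, endOfEarlyData, sizeof(endOfEarlyData));
        if (ret != 0)
            return ret;
    }
#endif
    if ((ret = HashInputRaw(ssl, header, sizeof(header))) != 0)
        return ret;
    if ((ret = HashInputRaw(ssl, mac, finishedSz)) != 0)
        return ret;

    if ((ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret)) != 0)
        return ret;

    /* Restore the hash in line with the messages actually seen so far. */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            ret = wc_Sha256Copy(&digest.sha256, &ssl->hsHashes->hashSha256);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_Sha384Copy(&digest.sha384, &ssl->hsHashes->hashSha384);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            /* Goes back into hashSha512, the object it was copied from;
             * writing it to hashSha384 would leave the SHA-512 transcript
             * with the expected messages still hashed in. */
            ret = wc_Sha512Copy(&digest.sha512, &ssl->hsHashes->hashSha512);
            if (ret != 0)
                return ret;
            break;
    #endif
    }

    return ret;
}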
wolfSSL 15:117db924cf7c 6541 #endif
wolfSSL 15:117db924cf7c 6542
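/* Send New Session Ticket handshake message.
 * Message contains the information required to perform resumption.
 *
 * The body written after the record and handshake headers is, in order:
 * lifetime hint, age add, (non draft-18 only) nonce length and one nonce
 * byte, ticket length, ticket, extensions.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure (the error from the first helper
 *         that fails, or a negative size from BuildTls13Message).
 */
static int SendTls13NewSessionTicket(WOLFSSL* ssl)
{
    byte*  output;
    int    ret;
    int    sendSz;
    word16 extSz;
    word32 length;
    word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;

    WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_SEND);
    WOLFSSL_ENTER("SendTls13NewSessionTicket");

#ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
    /* The client's Finished has not been seen yet, so the resumption secret
     * is derived from the Finished message the client is expected to send. */
    if (!ssl->msgsReceived.got_finished) {
        if ((ret = ExpectedResumptionSecret(ssl)) != 0)
            return ret;
    }
#endif

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Start ticket nonce at 0 and go up to 255.
     * NOTE(review): only data[0] is advanced and nothing here stops the
     * increment once it has reached 255, so (assuming a one byte counter) a
     * connection issuing more tickets than that would wrap and repeat a
     * nonce. RFC 8446 section 4.6.1 expects the nonce to be unique across
     * the tickets of a connection - confirm callers bound the ticket count. */
    if (ssl->session.ticketNonce.len == 0) {
        ssl->session.ticketNonce.len = DEF_TICKET_NONCE_SZ;
        ssl->session.ticketNonce.data[0] = 0;
    }
    else
        ssl->session.ticketNonce.data[0]++;
#endif

    /* With noTicketTls13 set no new ticket is created; the message below
     * still carries whatever ssl->session.ticket and ticketLen hold. */
    if (!ssl->options.noTicketTls13) {
        if ((ret = CreateTicket(ssl)) != 0)
            return ret;
    }

#ifdef WOLFSSL_EARLY_DATA
    ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
    if (ssl->session.maxEarlyDataSz > 0) {
        /* The result was previously discarded, so a failure to add the
         * extension went unnoticed and the ticket was sent without it.
         * NOTE(review): assumes TLSX_EarlyData_Use returns 0 on success like
         * the other TLSX_* calls in this function - confirm against its
         * declaration. */
        ret = TLSX_EarlyData_Use(ssl, ssl->session.maxEarlyDataSz);
        if (ret != 0)
            return ret;
    }
    extSz = 0;
    ret = TLSX_GetResponseSize(ssl, session_ticket, &extSz);
    if (ret != 0)
        return ret;
#else
    /* Only the (empty) extensions length field is sent. */
    extSz = EXTS_SZ;
#endif

    /* Lifetime | Age Add | Ticket | Extensions */
    length = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ +
             ssl->session.ticketLen + extSz;
#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Nonce */
    length += TICKET_NONCE_LEN_SZ + DEF_TICKET_NONCE_SZ;
#endif
    sendSz = idx + length + MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, length, session_ticket, ssl);

    /* Lifetime hint */
    c32toa(ssl->ctx->ticketHint, output + idx);
    idx += SESSION_HINT_SZ;
    /* Age add - obfuscator */
    c32toa(ssl->session.ticketAdd, output + idx);
    idx += SESSION_ADD_SZ;

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Nonce length, then exactly one nonce byte. The size accounting above
     * adds DEF_TICKET_NONCE_SZ for the nonce - presumably 1; confirm. */
    output[idx++] = ssl->session.ticketNonce.len;
    output[idx++] = ssl->session.ticketNonce.data[0];
#endif

    /* length */
    c16toa(ssl->session.ticketLen, output + idx);
    idx += LENGTH_SZ;
    /* ticket */
    XMEMCPY(output + idx, ssl->session.ticket, ssl->session.ticketLen);
    idx += ssl->session.ticketLen;

#ifdef WOLFSSL_EARLY_DATA
    extSz = 0;
    ret = TLSX_WriteResponse(ssl, output + idx, session_ticket, &extSz);
    if (ret != 0)
        return ret;
    idx += extSz;
#else
    /* No extension support - empty extensions. */
    c16toa(0, output + idx);
    idx += EXTS_SZ;
#endif

    ssl->options.haveSessionId = 1;

#ifndef NO_SESSION_CACHE
    AddSession(ssl);
#endif

    /* This message is always encrypted. */
    sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
                               idx - RECORD_HEADER_SZ, handshake, 0, 0, 0);
    if (sendSz < 0)
        return sendSz;

    ssl->buffers.outputBuffer.length += sendSz;

    /* When messages are grouped the record stays buffered and ret keeps the
     * 0 left by the last successful helper call above. */
    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    /* Log the value actually returned; a constant 0 here hid a SendBuffered
     * failure in the debug trace. */
    WOLFSSL_LEAVE("SendTls13NewSessionTicket", ret);
    WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_SEND);

    return ret;
}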
wolfSSL 15:117db924cf7c 6668 #endif /* HAVE_SESSION_TICKET */
wolfSSL 15:117db924cf7c 6669 #endif /* NO_WOLFSSL_SERVER */
wolfSSL 15:117db924cf7c 6670
/* Make sure no duplicates, no fast forward, or other problems.
 *
 * Checks a received handshake message type against the side this object is
 * acting as, the current client/server handshake state and the per-message
 * received flags, and records the message as received when it is accepted.
 * Which cases are compiled in depends on the NO_WOLFSSL_CLIENT,
 * NO_WOLFSSL_SERVER, WOLFSSL_EARLY_DATA, WOLFSSL_TLS13_DRAFT_18,
 * WOLFSSL_POST_HANDSHAKE_AUTH, HAVE_SESSION_TICKET and NO_PSK build options;
 * a type whose case is compiled out falls through to the default case.
 *
 * ssl   The SSL/TLS object.
 * type  Type of handshake message received.
 * returns 0 on success, otherwise failure: OUT_OF_ORDER_E when the message
 *         arrives on the wrong side or in the wrong state, DUPLICATE_MSG_E
 *         when it has already been seen too often, SANITY_MSG_E for an
 *         unknown type or a certificate message while a PSK is in use.
 */
static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type)
{
    /* verify not a duplicate, mark received, check state */
    switch (type) {

#ifndef NO_WOLFSSL_SERVER
        case client_hello:
    #ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
                WOLFSSL_MSG("ClientHello received by client");
                return OUT_OF_ORDER_E;
            }
    #endif
            if (ssl->options.clientState >= CLIENT_HELLO_COMPLETE) {
                WOLFSSL_MSG("ClientHello received out of order");
                return OUT_OF_ORDER_E;
            }
            /* A counter, not a flag: up to two ClientHello messages are
             * accepted (presumably the second follows a HelloRetryRequest -
             * confirm). */
            if (ssl->msgsReceived.got_client_hello == 2) {
                WOLFSSL_MSG("Too many ClientHello received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_client_hello++;

            break;
#endif

#ifndef NO_WOLFSSL_CLIENT
        case server_hello:
    #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("ServerHello received by server");
                return OUT_OF_ORDER_E;
            }
    #endif
    #ifdef WOLFSSL_TLS13_DRAFT_18
            /* Draft 18: exactly one ServerHello is accepted. */
            if (ssl->msgsReceived.got_server_hello) {
                WOLFSSL_MSG("Duplicate ServerHello received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_server_hello = 1;
    #else
            /* Later versions: up to two ServerHello messages are accepted
             * (presumably because a HelloRetryRequest arrives with this
             * message type - confirm). */
            if (ssl->msgsReceived.got_server_hello == 2) {
                WOLFSSL_MSG("Duplicate ServerHello received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_server_hello++;
    #endif

            break;
#endif

#ifndef NO_WOLFSSL_CLIENT
        case session_ticket:
    #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("NewSessionTicket received by server");
                return OUT_OF_ORDER_E;
            }
    #endif
            if (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) {
                WOLFSSL_MSG("NewSessionTicket received out of order");
                return OUT_OF_ORDER_E;
            }
            /* No duplicate check: the flag is simply set again for every
             * ticket received. */
            ssl->msgsReceived.got_session_ticket = 1;

            break;
#endif

#ifndef NO_WOLFSSL_SERVER
    #ifdef WOLFSSL_EARLY_DATA
        case end_of_early_data:
        #ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
                WOLFSSL_MSG("EndOfEarlyData received by client");
                return OUT_OF_ORDER_E;
            }
        #endif
            /* Only valid after the server has sent Finished ... */
            if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                WOLFSSL_MSG("EndOfEarlyData received out of order");
                return OUT_OF_ORDER_E;
            }
            /* ... and before the client's Finished has been processed. */
            if (ssl->options.clientState >= CLIENT_FINISHED_COMPLETE) {
                WOLFSSL_MSG("EndOfEarlyData received out of order");
                return OUT_OF_ORDER_E;
            }
            if (ssl->msgsReceived.got_end_of_early_data == 1) {
                WOLFSSL_MSG("Too many EndOfEarlyData received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_end_of_early_data++;

            break;
    #endif
#endif

#ifdef WOLFSSL_TLS13_DRAFT_18
    #ifndef NO_WOLFSSL_CLIENT
        case hello_retry_request:
        #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("HelloRetryRequest received by server");
                return OUT_OF_ORDER_E;
            }
        #endif
            /* NOTE(review): this rejects only states past
             * CLIENT_FINISHED_COMPLETE, which looks late for a message that
             * belongs to the start of the handshake - confirm the intended
             * bound. */
            if (ssl->options.clientState > CLIENT_FINISHED_COMPLETE) {
                WOLFSSL_MSG("HelloRetryRequest received out of order");
                return OUT_OF_ORDER_E;
            }
            if (ssl->msgsReceived.got_hello_retry_request) {
                WOLFSSL_MSG("Duplicate HelloRetryRequest received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_hello_retry_request = 1;

            break;
    #endif
#endif

#ifndef NO_WOLFSSL_CLIENT
        case encrypted_extensions:
    #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("EncryptedExtensions received by server");
                return OUT_OF_ORDER_E;
            }
    #endif
            /* Must directly follow the ServerHello. */
            if (ssl->options.serverState != SERVER_HELLO_COMPLETE) {
                WOLFSSL_MSG("EncryptedExtensions received out of order");
                return OUT_OF_ORDER_E;
            }
            if (ssl->msgsReceived.got_encrypted_extensions) {
                WOLFSSL_MSG("Duplicate EncryptedExtensions received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_encrypted_extensions = 1;

            break;
#endif

        /* Certificate can be received by either side. */
        case certificate:
#ifndef NO_WOLFSSL_CLIENT
            /* Client: the server's Certificate must directly follow
             * EncryptedExtensions. */
            if (ssl->options.side == WOLFSSL_CLIENT_END &&
                ssl->options.serverState !=
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
                WOLFSSL_MSG("Certificate received out of order - Client");
                return OUT_OF_ORDER_E;
            }
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            /* Server's authenticating with PSK must not send this.
             * NOTE(review): the check above has already returned for a client
             * unless serverState is SERVER_ENCRYPTED_EXTENSIONS_COMPLETE, so
             * if that constant differs from SERVER_CERT_COMPLETE this
             * condition can never be true and a Certificate sent alongside a
             * PSK is not rejected here - confirm the intended state. */
            if (ssl->options.side == WOLFSSL_CLIENT_END &&
                ssl->options.serverState == SERVER_CERT_COMPLETE &&
                ssl->arrays->psk_keySz != 0) {
                WOLFSSL_MSG("Certificate received while using PSK");
                return SANITY_MSG_E;
            }
    #endif
#endif
#ifndef NO_WOLFSSL_SERVER
            /* Server: a client Certificate is only valid once the server's
             * own Finished has been sent. */
            if (ssl->options.side == WOLFSSL_SERVER_END &&
                ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                WOLFSSL_MSG("Certificate received out of order - Server");
                return OUT_OF_ORDER_E;
            }
#endif
            if (ssl->msgsReceived.got_certificate) {
                WOLFSSL_MSG("Duplicate Certificate received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_certificate = 1;

            break;

#ifndef NO_WOLFSSL_CLIENT
        case certificate_request:
    #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("CertificateRequest received by server");
                return OUT_OF_ORDER_E;
            }
    #endif
    #ifndef WOLFSSL_POST_HANDSHAKE_AUTH
            /* Without post-handshake auth the request is only valid directly
             * after EncryptedExtensions. */
            if (ssl->options.serverState !=
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
                WOLFSSL_MSG("CertificateRequest received out of order");
                return OUT_OF_ORDER_E;
            }
    #else
            /* With post-handshake auth the request is also accepted once both
             * the server's and the client's Finished are complete. */
            if (ssl->options.serverState !=
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE &&
                (ssl->options.serverState != SERVER_FINISHED_COMPLETE ||
                 ssl->options.clientState != CLIENT_FINISHED_COMPLETE)) {
                WOLFSSL_MSG("CertificateRequest received out of order");
                return OUT_OF_ORDER_E;
            }
    #endif
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            /* Server's authenticating with PSK must not send this. */
            if (ssl->options.serverState ==
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE &&
                ssl->arrays->psk_keySz != 0) {
                WOLFSSL_MSG("CertificateRequset received while using PSK");
                return SANITY_MSG_E;
            }
    #endif
    #ifndef WOLFSSL_POST_HANDSHAKE_AUTH
            /* The duplicate check is compiled out with post-handshake auth,
             * where the flag below is just set again on each request. */
            if (ssl->msgsReceived.got_certificate_request) {
                WOLFSSL_MSG("Duplicate CertificateRequest received");
                return DUPLICATE_MSG_E;
            }
    #endif
            ssl->msgsReceived.got_certificate_request = 1;

            break;
#endif

        /* CertificateVerify can be received by either side. */
        case certificate_verify:
#ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
                /* Client: must directly follow the server's Certificate. */
                if (ssl->options.serverState != SERVER_CERT_COMPLETE) {
                    WOLFSSL_MSG("No Cert before CertVerify");
                    return OUT_OF_ORDER_E;
                }
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                /* Server's authenticating with PSK must not send this. */
                if (ssl->options.serverState == SERVER_CERT_COMPLETE &&
                    ssl->arrays->psk_keySz != 0) {
                    WOLFSSL_MSG("CertificateVerify received while using PSK");
                    return SANITY_MSG_E;
                }
    #endif
            }
#endif
#ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                /* Server: only after its own Finished, after the ClientHello
                 * and after a client Certificate has been received. */
                if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                    WOLFSSL_MSG("CertificateVerify received out of order");
                    return OUT_OF_ORDER_E;
                }
                if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                    WOLFSSL_MSG("CertificateVerify before ClientHello done");
                    return OUT_OF_ORDER_E;
                }
                if (!ssl->msgsReceived.got_certificate) {
                    WOLFSSL_MSG("No Cert before CertificateVerify");
                    return OUT_OF_ORDER_E;
                }
            }
#endif
            if (ssl->msgsReceived.got_certificate_verify) {
                WOLFSSL_MSG("Duplicate CertificateVerify received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_certificate_verify = 1;

            break;

        /* Finished can be received by either side. */
        case finished:
#ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
                if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                    WOLFSSL_MSG("Finished received out of order");
                    return OUT_OF_ORDER_E;
                }
                /* Client: not before EncryptedExtensions has been handled. */
                if (ssl->options.serverState <
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
                    WOLFSSL_MSG("Finished received out of order");
                    return OUT_OF_ORDER_E;
                }
            }
#endif
#ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                /* Server: only after its own Finished has been sent. */
                if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                    WOLFSSL_MSG("Finished received out of order");
                    return OUT_OF_ORDER_E;
                }
                if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                    WOLFSSL_MSG("Finished received out of order");
                    return OUT_OF_ORDER_E;
                }
    #ifdef WOLFSSL_EARLY_DATA
                /* Rejected while early data is still being processed; this
                 * path returns without a log message. */
                if (ssl->earlyData == process_early_data) {
                    return OUT_OF_ORDER_E;
                }
    #endif
            }
#endif
            if (ssl->msgsReceived.got_finished) {
                WOLFSSL_MSG("Duplicate Finished received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_finished = 1;

            break;

        /* KeyUpdate is only checked against got_finished; no received flag
         * is recorded for it, so it may repeat. */
        case key_update:
            if (!ssl->msgsReceived.got_finished) {
                WOLFSSL_MSG("No KeyUpdate before Finished");
                return OUT_OF_ORDER_E;
            }
            break;

        /* Any type without a case above, including one whose case was
         * compiled out by the build options, is rejected. */
        default:
            WOLFSSL_MSG("Unknown message type");
            return SANITY_MSG_E;
    }

    return 0;
}
wolfSSL 15:117db924cf7c 6986
wolfSSL 15:117db924cf7c 6987 /* Handle a type of handshake message that has been received.
wolfSSL 15:117db924cf7c 6988 *
wolfSSL 15:117db924cf7c 6989 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 6990 * input The message buffer.
wolfSSL 15:117db924cf7c 6991 * inOutIdx On entry, the index into the buffer of the current message.
wolfSSL 15:117db924cf7c 6992 * On exit, the index into the buffer of the next message.
wolfSSL 15:117db924cf7c 6993 * size The length of the current handshake message.
wolfSSL 15:117db924cf7c 6994 * totalSz Length of remaining data in the message buffer.
wolfSSL 15:117db924cf7c 6995 * returns 0 on success and otherwise failure.
wolfSSL 15:117db924cf7c 6996 */
wolfSSL 15:117db924cf7c 6997 int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
wolfSSL 15:117db924cf7c 6998 byte type, word32 size, word32 totalSz)
wolfSSL 15:117db924cf7c 6999 {
wolfSSL 15:117db924cf7c 7000 int ret = 0;
wolfSSL 15:117db924cf7c 7001 word32 inIdx = *inOutIdx;
wolfSSL 15:117db924cf7c 7002
wolfSSL 15:117db924cf7c 7003 (void)totalSz;
wolfSSL 15:117db924cf7c 7004
wolfSSL 15:117db924cf7c 7005 WOLFSSL_ENTER("DoTls13HandShakeMsgType");
wolfSSL 15:117db924cf7c 7006
wolfSSL 15:117db924cf7c 7007 /* make sure can read the message */
wolfSSL 15:117db924cf7c 7008 if (*inOutIdx + size > totalSz)
wolfSSL 15:117db924cf7c 7009 return INCOMPLETE_DATA;
wolfSSL 15:117db924cf7c 7010
wolfSSL 15:117db924cf7c 7011 /* sanity check msg received */
wolfSSL 15:117db924cf7c 7012 if ((ret = SanityCheckTls13MsgReceived(ssl, type)) != 0) {
wolfSSL 15:117db924cf7c 7013 WOLFSSL_MSG("Sanity Check on handshake message type received failed");
wolfSSL 15:117db924cf7c 7014 SendAlert(ssl, alert_fatal, unexpected_message);
wolfSSL 15:117db924cf7c 7015 return ret;
wolfSSL 15:117db924cf7c 7016 }
wolfSSL 15:117db924cf7c 7017
wolfSSL 15:117db924cf7c 7018 #ifdef WOLFSSL_CALLBACKS
wolfSSL 15:117db924cf7c 7019 /* add name later, add on record and handshake header part back on */
wolfSSL 15:117db924cf7c 7020 if (ssl->toInfoOn) {
wolfSSL 15:117db924cf7c 7021 int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
wolfSSL 15:117db924cf7c 7022 AddPacketInfo(ssl, 0, handshake, input + *inOutIdx - add,
wolfSSL 15:117db924cf7c 7023 size + add, READ_PROTO, ssl->heap);
wolfSSL 15:117db924cf7c 7024 AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
wolfSSL 15:117db924cf7c 7025 }
wolfSSL 15:117db924cf7c 7026 #endif
wolfSSL 15:117db924cf7c 7027
wolfSSL 15:117db924cf7c 7028 if (ssl->options.handShakeState == HANDSHAKE_DONE &&
wolfSSL 15:117db924cf7c 7029 type != session_ticket && type != certificate_request &&
wolfSSL 15:117db924cf7c 7030 type != certificate && type != key_update) {
wolfSSL 15:117db924cf7c 7031 WOLFSSL_MSG("HandShake message after handshake complete");
wolfSSL 15:117db924cf7c 7032 SendAlert(ssl, alert_fatal, unexpected_message);
wolfSSL 15:117db924cf7c 7033 return OUT_OF_ORDER_E;
wolfSSL 15:117db924cf7c 7034 }
wolfSSL 15:117db924cf7c 7035
wolfSSL 15:117db924cf7c 7036 if (ssl->options.side == WOLFSSL_CLIENT_END &&
wolfSSL 15:117db924cf7c 7037 ssl->options.serverState == NULL_STATE &&
wolfSSL 15:117db924cf7c 7038 type != server_hello && type != hello_retry_request) {
wolfSSL 15:117db924cf7c 7039 WOLFSSL_MSG("First server message not server hello");
wolfSSL 15:117db924cf7c 7040 SendAlert(ssl, alert_fatal, unexpected_message);
wolfSSL 15:117db924cf7c 7041 return OUT_OF_ORDER_E;
wolfSSL 15:117db924cf7c 7042 }
wolfSSL 15:117db924cf7c 7043
wolfSSL 15:117db924cf7c 7044 if (ssl->options.side == WOLFSSL_SERVER_END &&
wolfSSL 15:117db924cf7c 7045 ssl->options.clientState == NULL_STATE && type != client_hello) {
wolfSSL 15:117db924cf7c 7046 WOLFSSL_MSG("First client message not client hello");
wolfSSL 15:117db924cf7c 7047 SendAlert(ssl, alert_fatal, unexpected_message);
wolfSSL 15:117db924cf7c 7048 return OUT_OF_ORDER_E;
wolfSSL 15:117db924cf7c 7049 }
wolfSSL 15:117db924cf7c 7050
wolfSSL 15:117db924cf7c 7051 /* above checks handshake state */
wolfSSL 15:117db924cf7c 7052 switch (type) {
wolfSSL 15:117db924cf7c 7053 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 15:117db924cf7c 7054 /* Messages only recieved by client. */
wolfSSL 15:117db924cf7c 7055 #ifdef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 7056 case hello_retry_request:
wolfSSL 15:117db924cf7c 7057 WOLFSSL_MSG("processing hello rety request");
wolfSSL 15:117db924cf7c 7058 ret = DoTls13HelloRetryRequest(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7059 break;
wolfSSL 15:117db924cf7c 7060 #endif
wolfSSL 15:117db924cf7c 7061
wolfSSL 15:117db924cf7c 7062 case server_hello:
wolfSSL 15:117db924cf7c 7063 WOLFSSL_MSG("processing server hello");
wolfSSL 15:117db924cf7c 7064 ret = DoTls13ServerHello(ssl, input, inOutIdx, size, &type);
wolfSSL 15:117db924cf7c 7065 break;
wolfSSL 15:117db924cf7c 7066
wolfSSL 15:117db924cf7c 7067 case encrypted_extensions:
wolfSSL 15:117db924cf7c 7068 WOLFSSL_MSG("processing encrypted extensions");
wolfSSL 15:117db924cf7c 7069 ret = DoTls13EncryptedExtensions(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7070 break;
wolfSSL 15:117db924cf7c 7071
wolfSSL 15:117db924cf7c 7072 #ifndef NO_CERTS
wolfSSL 15:117db924cf7c 7073 case certificate_request:
wolfSSL 15:117db924cf7c 7074 WOLFSSL_MSG("processing certificate request");
wolfSSL 15:117db924cf7c 7075 ret = DoTls13CertificateRequest(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7076 break;
wolfSSL 15:117db924cf7c 7077 #endif
wolfSSL 15:117db924cf7c 7078
wolfSSL 15:117db924cf7c 7079 case session_ticket:
wolfSSL 15:117db924cf7c 7080 WOLFSSL_MSG("processing new session ticket");
wolfSSL 15:117db924cf7c 7081 ret = DoTls13NewSessionTicket(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7082 break;
wolfSSL 15:117db924cf7c 7083 #endif /* !NO_WOLFSSL_CLIENT */
wolfSSL 15:117db924cf7c 7084
wolfSSL 15:117db924cf7c 7085 #ifndef NO_WOLFSSL_SERVER
wolfSSL 15:117db924cf7c 7086 /* Messages only recieved by server. */
wolfSSL 15:117db924cf7c 7087 case client_hello:
wolfSSL 15:117db924cf7c 7088 WOLFSSL_MSG("processing client hello");
wolfSSL 15:117db924cf7c 7089 ret = DoTls13ClientHello(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7090 break;
wolfSSL 15:117db924cf7c 7091
wolfSSL 15:117db924cf7c 7092 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 7093 case end_of_early_data:
wolfSSL 15:117db924cf7c 7094 WOLFSSL_MSG("processing end of early data");
wolfSSL 15:117db924cf7c 7095 ret = DoTls13EndOfEarlyData(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7096 break;
wolfSSL 15:117db924cf7c 7097 #endif
wolfSSL 15:117db924cf7c 7098 #endif /* !NO_WOLFSSL_SERVER */
wolfSSL 15:117db924cf7c 7099
wolfSSL 15:117db924cf7c 7100 /* Messages recieved by both client and server. */
wolfSSL 15:117db924cf7c 7101 #ifndef NO_CERTS
wolfSSL 15:117db924cf7c 7102 case certificate:
wolfSSL 15:117db924cf7c 7103 WOLFSSL_MSG("processing certificate");
wolfSSL 15:117db924cf7c 7104 ret = DoTls13Certificate(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7105 break;
wolfSSL 15:117db924cf7c 7106 #endif
wolfSSL 15:117db924cf7c 7107
wolfSSL 15:117db924cf7c 7108 #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519)
wolfSSL 15:117db924cf7c 7109 case certificate_verify:
wolfSSL 15:117db924cf7c 7110 WOLFSSL_MSG("processing certificate verify");
wolfSSL 15:117db924cf7c 7111 ret = DoTls13CertificateVerify(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7112 break;
wolfSSL 15:117db924cf7c 7113 #endif /* !NO_RSA || HAVE_ECC */
wolfSSL 15:117db924cf7c 7114
wolfSSL 15:117db924cf7c 7115 case finished:
wolfSSL 15:117db924cf7c 7116 WOLFSSL_MSG("processing finished");
wolfSSL 15:117db924cf7c 7117 ret = DoTls13Finished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF);
wolfSSL 15:117db924cf7c 7118 break;
wolfSSL 15:117db924cf7c 7119
wolfSSL 15:117db924cf7c 7120 case key_update:
wolfSSL 15:117db924cf7c 7121 WOLFSSL_MSG("processing finished");
wolfSSL 15:117db924cf7c 7122 ret = DoTls13KeyUpdate(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7123 break;
wolfSSL 15:117db924cf7c 7124
wolfSSL 15:117db924cf7c 7125 default:
wolfSSL 15:117db924cf7c 7126 WOLFSSL_MSG("Unknown handshake message type");
wolfSSL 15:117db924cf7c 7127 ret = UNKNOWN_HANDSHAKE_TYPE;
wolfSSL 15:117db924cf7c 7128 break;
wolfSSL 15:117db924cf7c 7129 }
wolfSSL 15:117db924cf7c 7130
wolfSSL 15:117db924cf7c 7131 /* reset error */
wolfSSL 15:117db924cf7c 7132 if (ret == 0 && ssl->error == WC_PENDING_E)
wolfSSL 15:117db924cf7c 7133 ssl->error = 0;
wolfSSL 15:117db924cf7c 7134
wolfSSL 15:117db924cf7c 7135 if (ret == 0 && type != client_hello && type != session_ticket &&
wolfSSL 15:117db924cf7c 7136 type != key_update) {
wolfSSL 15:117db924cf7c 7137 ret = HashInput(ssl, input + inIdx, size);
wolfSSL 15:117db924cf7c 7138 }
wolfSSL 15:117db924cf7c 7139
wolfSSL 15:117db924cf7c 7140 if (ret == BUFFER_ERROR || ret == MISSING_HANDSHAKE_DATA)
wolfSSL 15:117db924cf7c 7141 SendAlert(ssl, alert_fatal, decode_error);
wolfSSL 15:117db924cf7c 7142 else if (ret == EXT_NOT_ALLOWED || ret == PEER_KEY_ERROR ||
wolfSSL 15:117db924cf7c 7143 ret == ECC_PEERKEY_ERROR || ret == BAD_KEY_SHARE_DATA ||
wolfSSL 15:117db924cf7c 7144 ret == PSK_KEY_ERROR || ret == INVALID_PARAMETER) {
wolfSSL 15:117db924cf7c 7145 SendAlert(ssl, alert_fatal, illegal_parameter);
wolfSSL 15:117db924cf7c 7146 }
wolfSSL 15:117db924cf7c 7147
wolfSSL 15:117db924cf7c 7148 if (ssl->options.tls1_3) {
wolfSSL 15:117db924cf7c 7149 /* Need to hash input message before deriving secrets. */
wolfSSL 15:117db924cf7c 7150 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 15:117db924cf7c 7151 if (ssl->options.side == WOLFSSL_CLIENT_END) {
wolfSSL 15:117db924cf7c 7152 if (type == server_hello) {
wolfSSL 15:117db924cf7c 7153 if ((ret = DeriveEarlySecret(ssl)) != 0)
wolfSSL 15:117db924cf7c 7154 return ret;
wolfSSL 15:117db924cf7c 7155 if ((ret = DeriveHandshakeSecret(ssl)) != 0)
wolfSSL 15:117db924cf7c 7156 return ret;
wolfSSL 15:117db924cf7c 7157
wolfSSL 15:117db924cf7c 7158 if ((ret = DeriveTls13Keys(ssl, handshake_key,
wolfSSL 15:117db924cf7c 7159 ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
wolfSSL 15:117db924cf7c 7160 return ret;
wolfSSL 15:117db924cf7c 7161 }
wolfSSL 15:117db924cf7c 7162 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 7163 if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
wolfSSL 15:117db924cf7c 7164 return ret;
wolfSSL 15:117db924cf7c 7165 #else
wolfSSL 15:117db924cf7c 7166 if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
wolfSSL 15:117db924cf7c 7167 return ret;
wolfSSL 15:117db924cf7c 7168 #endif
wolfSSL 15:117db924cf7c 7169 }
wolfSSL 15:117db924cf7c 7170
wolfSSL 15:117db924cf7c 7171 if (type == finished) {
wolfSSL 15:117db924cf7c 7172 if ((ret = DeriveMasterSecret(ssl)) != 0)
wolfSSL 15:117db924cf7c 7173 return ret;
wolfSSL 15:117db924cf7c 7174 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 7175 if ((ret = DeriveTls13Keys(ssl, traffic_key,
wolfSSL 15:117db924cf7c 7176 ENCRYPT_AND_DECRYPT_SIDE,
wolfSSL 15:117db924cf7c 7177 ssl->earlyData == no_early_data)) != 0) {
wolfSSL 15:117db924cf7c 7178 return ret;
wolfSSL 15:117db924cf7c 7179 }
wolfSSL 15:117db924cf7c 7180 #else
wolfSSL 15:117db924cf7c 7181 if ((ret = DeriveTls13Keys(ssl, traffic_key,
wolfSSL 15:117db924cf7c 7182 ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
wolfSSL 15:117db924cf7c 7183 return ret;
wolfSSL 15:117db924cf7c 7184 }
wolfSSL 15:117db924cf7c 7185 #endif
wolfSSL 15:117db924cf7c 7186 }
wolfSSL 15:117db924cf7c 7187 #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
wolfSSL 15:117db924cf7c 7188 if (type == certificate_request &&
wolfSSL 15:117db924cf7c 7189 ssl->options.handShakeState == HANDSHAKE_DONE) {
wolfSSL 15:117db924cf7c 7190 /* reset handshake states */
wolfSSL 15:117db924cf7c 7191 ssl->options.clientState = CLIENT_HELLO_COMPLETE;
wolfSSL 15:117db924cf7c 7192 ssl->options.connectState = FIRST_REPLY_DONE;
wolfSSL 15:117db924cf7c 7193 ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
wolfSSL 15:117db924cf7c 7194
wolfSSL 15:117db924cf7c 7195 if (wolfSSL_connect_TLSv13(ssl) != SSL_SUCCESS)
wolfSSL 15:117db924cf7c 7196 ret = POST_HAND_AUTH_ERROR;
wolfSSL 15:117db924cf7c 7197 }
wolfSSL 15:117db924cf7c 7198 #endif
wolfSSL 15:117db924cf7c 7199 }
wolfSSL 15:117db924cf7c 7200 #endif /* NO_WOLFSSL_CLIENT */
wolfSSL 15:117db924cf7c 7201
wolfSSL 15:117db924cf7c 7202 #ifndef NO_WOLFSSL_SERVER
wolfSSL 15:117db924cf7c 7203 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
wolfSSL 15:117db924cf7c 7204 if (ssl->options.side == WOLFSSL_SERVER_END && type == finished) {
wolfSSL 15:117db924cf7c 7205 ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret);
wolfSSL 15:117db924cf7c 7206 if (ret != 0)
wolfSSL 15:117db924cf7c 7207 return ret;
wolfSSL 15:117db924cf7c 7208 }
wolfSSL 15:117db924cf7c 7209 #endif
wolfSSL 15:117db924cf7c 7210 #endif /* NO_WOLFSSL_SERVER */
wolfSSL 15:117db924cf7c 7211 }
wolfSSL 15:117db924cf7c 7212
wolfSSL 15:117db924cf7c 7213 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 15:117db924cf7c 7214 /* if async, offset index so this msg will be processed again */
wolfSSL 15:117db924cf7c 7215 if (ret == WC_PENDING_E && *inOutIdx > 0) {
wolfSSL 15:117db924cf7c 7216 *inOutIdx -= HANDSHAKE_HEADER_SZ;
wolfSSL 15:117db924cf7c 7217 }
wolfSSL 15:117db924cf7c 7218 #endif
wolfSSL 15:117db924cf7c 7219
wolfSSL 15:117db924cf7c 7220 WOLFSSL_LEAVE("DoTls13HandShakeMsgType()", ret);
wolfSSL 15:117db924cf7c 7221 return ret;
wolfSSL 15:117db924cf7c 7222 }
wolfSSL 15:117db924cf7c 7223
wolfSSL 15:117db924cf7c 7224
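/* Handle a handshake message that has been received.
 *
 * A message that does not fit in the current record is accumulated in
 * ssl->arrays->pendingMsg across calls and dispatched once complete.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the buffer of the current message.
 *           On exit, the index into the buffer of the next message.
 * totalSz   Length of remaining data in the message buffer.
 * returns 0 on success (including when a fragment was only stored),
 * PARSE_ERROR when the handshake header cannot be read, HANDSHAKE_SIZE_ERROR
 * when the declared size exceeds MAX_HANDSHAKE_SZ, MEMORY_E when the
 * reassembly buffer cannot be allocated and otherwise the result of
 * DoTls13HandShakeMsgType().
 */
int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                        word32 totalSz)
{
    int    ret = 0;
    word32 inputLength;

    WOLFSSL_ENTER("DoTls13HandShakeMsg()");

    /* Without the arrays there is nowhere to reassemble fragments, so the
     * message is parsed and dispatched directly. */
    if (ssl->arrays == NULL) {
        byte   type;
        word32 size;

        if (GetHandshakeHeader(ssl,input,inOutIdx,&type, &size, totalSz) != 0)
            return PARSE_ERROR;

        return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
                                       totalSz);
    }

    /* NOTE(review): unsigned arithmetic - this relies on *inOutIdx plus padSz
     * never exceeding inputBuffer.length; confirm the record layer
     * guarantees it. */
    inputLength = ssl->buffers.inputBuffer.length - *inOutIdx - ssl->keys.padSz;

    /* If there is a pending fragmented handshake message,
     * pending message size will be non-zero. */
    if (ssl->arrays->pendingMsgSz == 0) {
        byte   type;
        word32 size;

        if (GetHandshakeHeader(ssl,input, inOutIdx, &type, &size, totalSz) != 0)
            return PARSE_ERROR;

        /* Cap the maximum size of a handshake message to something reasonable.
         * By default is the maximum size of a certificate message assuming
         * nine 2048-bit RSA certificates in the chain. The peer controls
         * size, so this also bounds the allocation made below. */
        if (size > MAX_HANDSHAKE_SZ) {
            WOLFSSL_MSG("Handshake message too large");
            return HANDSHAKE_SIZE_ERROR;
        }

        /* size is the size of the certificate message payload */
        /* NOTE(review): the subtraction wraps if inputLength is smaller than
         * HANDSHAKE_HEADER_SZ; presumably GetHandshakeHeader() has already
         * rejected that case - confirm. */
        if (inputLength - HANDSHAKE_HEADER_SZ < size) {
            byte* fragBuf;

            /* Allocate before recording any pending state. Setting
             * pendingMsgSz first would leave a non-zero size paired with a
             * NULL buffer when the allocation fails, and a later call on the
             * same object would then copy into that NULL buffer. */
            fragBuf = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ, ssl->heap,
                                     DYNAMIC_TYPE_ARRAYS);
            if (fragBuf == NULL)
                return MEMORY_E;

            ssl->arrays->pendingMsgType = type;
            ssl->arrays->pendingMsgSz = size + HANDSHAKE_HEADER_SZ;
            ssl->arrays->pendingMsg = fragBuf;

            /* Store the header together with the payload received so far.
             * inputLength < size + HANDSHAKE_HEADER_SZ here, so the copy
             * fits in the buffer just allocated. */
            XMEMCPY(ssl->arrays->pendingMsg,
                    input + *inOutIdx - HANDSHAKE_HEADER_SZ,
                    inputLength);
            ssl->arrays->pendingMsgOffset = inputLength;
            *inOutIdx += inputLength + ssl->keys.padSz - HANDSHAKE_HEADER_SZ;
            return 0;
        }

        ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
                                      totalSz);
    }
    else {
        /* Never copy past the end of the reassembly buffer: clamp to the
         * number of bytes still missing from the pending message. */
        if (inputLength + ssl->arrays->pendingMsgOffset >
                                                    ssl->arrays->pendingMsgSz) {
            inputLength = ssl->arrays->pendingMsgSz -
                                                  ssl->arrays->pendingMsgOffset;
        }
        XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset,
                input + *inOutIdx, inputLength);
        ssl->arrays->pendingMsgOffset += inputLength;
        *inOutIdx += inputLength + ssl->keys.padSz;

        /* All fragments have arrived: process the reassembled message. */
        if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz)
        {
            word32 idx = 0;
            ret = DoTls13HandShakeMsgType(ssl,
                                   ssl->arrays->pendingMsg + HANDSHAKE_HEADER_SZ,
                                   &idx, ssl->arrays->pendingMsgType,
                                   ssl->arrays->pendingMsgSz - HANDSHAKE_HEADER_SZ,
                                   ssl->arrays->pendingMsgSz);
        #ifdef WOLFSSL_ASYNC_CRYPT
            if (ret == WC_PENDING_E) {
                /* setup to process fragment again */
                ssl->arrays->pendingMsgOffset -= inputLength;
                *inOutIdx -= inputLength + ssl->keys.padSz;
            }
            else
        #endif
            {
                /* Release the buffer and clear the size so the next call
                 * starts a fresh message. */
                XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
                ssl->arrays->pendingMsg = NULL;
                ssl->arrays->pendingMsgSz = 0;
            }
        }
    }

    WOLFSSL_LEAVE("DoTls13HandShakeMsg()", ret);
    return ret;
}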
wolfSSL 15:117db924cf7c 7330
wolfSSL 15:117db924cf7c 7331 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 15:117db924cf7c 7332
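/* The client connecting to the server.
 * The protocol version is expecting to be TLS v1.3.
 * If the server downgrades, and older versions of the protocol are compiled
 * in, the client will fallback to wolfSSL_connect().
 * Please see note at top of README if you get an error from connect.
 *
 * The handshake is a state machine keyed on ssl->options.connectState; each
 * case falls through to the next, so a call resumes from the recorded state.
 *
 * ssl  The SSL/TLS object.
 * returns WOLFSSL_SUCCESS on successful handshake, BAD_FUNC_ARG when ssl is
 * NULL, WOLFSSL_FATAL_ERROR when unrecoverable error occurs, VERSION_ERROR
 * when the server did not negotiate TLS v1.3 and downgrade is not taken, and
 * the result of wolfSSL_connect() when downgrading.
 * For more error information use wolfSSL_get_error().
 */
int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
{
    WOLFSSL_ENTER("wolfSSL_connect_TLSv13()");

    #ifdef HAVE_ERRNO_H
    errno = 0;
    #endif

    /* Reject a NULL object before it is dereferenced, matching the argument
     * checks of the other public TLS v1.3 functions in this file. */
    if (ssl == NULL)
        return BAD_FUNC_ARG;

    if (ssl->options.side != WOLFSSL_CLIENT_END) {
        WOLFSSL_ERROR(ssl->error = SIDE_ERROR);
        return WOLFSSL_FATAL_ERROR;
    }

    /* Flush output left over from a previous call before doing anything
     * else. */
    if (ssl->buffers.outputBuffer.length > 0) {
        if ((ssl->error = SendBuffered(ssl)) == 0) {
            /* fragOffset is non-zero when sending fragments. On the last
             * fragment, fragOffset is zero again, and the state can be
             * advanced. */
            if (ssl->fragOffset == 0) {
                ssl->options.connectState++;
                WOLFSSL_MSG("connect state: "
                            "Advanced from last buffered fragment send");
            }
            else {
                WOLFSSL_MSG("connect state: "
                            "Not advanced, more fragments to send");
            }
        }
        else {
            WOLFSSL_ERROR(ssl->error);
            return WOLFSSL_FATAL_ERROR;
        }
    }

    switch (ssl->options.connectState) {

        case CONNECT_BEGIN:
            /* Always send client hello first. */
            if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }

            ssl->options.connectState = CLIENT_HELLO_SENT;
            WOLFSSL_MSG("connect state: CLIENT_HELLO_SENT");
    #ifdef WOLFSSL_EARLY_DATA
            /* With early data the call returns here, before any reply from
             * the server has been processed. */
            if (ssl->earlyData != no_early_data) {
        #if !defined(WOLFSSL_TLS13_DRAFT_18) && \
                                          defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
                if ((ssl->error = SendChangeCipher(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                ssl->options.sentChangeCipher = 1;
        #endif
                ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
                return WOLFSSL_SUCCESS;
            }
    #endif
            FALL_THROUGH;

        case CLIENT_HELLO_SENT:
            /* Get the response/s from the server. */
            while (ssl->options.serverState <
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
                if ((ssl->error = ProcessReply(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }

            ssl->options.connectState = HELLO_AGAIN;
            WOLFSSL_MSG("connect state: HELLO_AGAIN");
            FALL_THROUGH;

        case HELLO_AGAIN:
            if (ssl->options.certOnly)
                return WOLFSSL_SUCCESS;

            /* The server did not select TLS v1.3: continue with the older
             * protocol only when downgrade is enabled and compiled in. */
            if (!ssl->options.tls1_3) {
    #ifndef WOLFSSL_NO_TLS12
                if (ssl->options.downgrade)
                    return wolfSSL_connect(ssl);
    #endif

                WOLFSSL_MSG("Client using higher version, fatal error");
                /* NOTE(review): this path returns the error code itself
                 * rather than WOLFSSL_FATAL_ERROR and does not set
                 * ssl->error; callers that only compare against
                 * WOLFSSL_SUCCESS still see a failure. */
                return VERSION_ERROR;
            }

            if (ssl->options.serverState ==
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
        #if !defined(WOLFSSL_TLS13_DRAFT_18) && \
                                          defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
                if (!ssl->options.sentChangeCipher) {
                    if ((ssl->error = SendChangeCipher(ssl)) != 0) {
                        WOLFSSL_ERROR(ssl->error);
                        return WOLFSSL_FATAL_ERROR;
                    }
                    ssl->options.sentChangeCipher = 1;
                }
        #endif
                /* Try again with different security parameters. */
                if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }

            ssl->options.connectState = HELLO_AGAIN_REPLY;
            WOLFSSL_MSG("connect state: HELLO_AGAIN_REPLY");
            FALL_THROUGH;

        case HELLO_AGAIN_REPLY:
            /* Get the response/s from the server. */
            while (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                if ((ssl->error = ProcessReply(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }

            ssl->options.connectState = FIRST_REPLY_DONE;
            WOLFSSL_MSG("connect state: FIRST_REPLY_DONE");
            FALL_THROUGH;

        case FIRST_REPLY_DONE:
        #ifdef WOLFSSL_EARLY_DATA
            if (ssl->earlyData != no_early_data) {
                if ((ssl->error = SendTls13EndOfEarlyData(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                WOLFSSL_MSG("sent: end_of_early_data");
            }
        #endif

            ssl->options.connectState = FIRST_REPLY_FIRST;
            WOLFSSL_MSG("connect state: FIRST_REPLY_FIRST");
            FALL_THROUGH;

        case FIRST_REPLY_FIRST:
        #if !defined(WOLFSSL_TLS13_DRAFT_18) && \
                                          defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
            if (!ssl->options.sentChangeCipher) {
                if ((ssl->error = SendChangeCipher(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                ssl->options.sentChangeCipher = 1;
            }
        #endif

            ssl->options.connectState = FIRST_REPLY_SECOND;
            WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND");
            FALL_THROUGH;

        case FIRST_REPLY_SECOND:
        #ifndef NO_CERTS
            /* The client certificate is sent only on a full handshake and
             * only when sendVerify is set. */
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                ssl->error = SendTls13Certificate(ssl);
                if (ssl->error != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                WOLFSSL_MSG("sent: certificate");
            }
        #endif

            ssl->options.connectState = FIRST_REPLY_THIRD;
            WOLFSSL_MSG("connect state: FIRST_REPLY_THIRD");
            FALL_THROUGH;

        case FIRST_REPLY_THIRD:
        #ifndef NO_CERTS
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                ssl->error = SendTls13CertificateVerify(ssl);
                if (ssl->error != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                WOLFSSL_MSG("sent: certificate verify");
            }
        #endif

            ssl->options.connectState = FIRST_REPLY_FOURTH;
            WOLFSSL_MSG("connect state: FIRST_REPLY_FOURTH");
            FALL_THROUGH;

        case FIRST_REPLY_FOURTH:
            if ((ssl->error = SendTls13Finished(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
            WOLFSSL_MSG("sent: finished");

            ssl->options.connectState = FINISHED_DONE;
            WOLFSSL_MSG("connect state: FINISHED_DONE");
            FALL_THROUGH;

        case FINISHED_DONE:
    #ifndef NO_HANDSHAKE_DONE_CB
            /* A negative return from the application callback fails the
             * connect even though the handshake messages completed. */
            if (ssl->hsDoneCb != NULL) {
                int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
                if (cbret < 0) {
                    ssl->error = cbret;
                    WOLFSSL_MSG("HandShake Done Cb don't continue error");
                    return WOLFSSL_FATAL_ERROR;
                }
            }
    #endif /* NO_HANDSHAKE_DONE_CB */

            WOLFSSL_LEAVE("wolfSSL_connect_TLSv13()", WOLFSSL_SUCCESS);
            return WOLFSSL_SUCCESS;

        default:
            WOLFSSL_MSG("Unknown connect state ERROR");
            return WOLFSSL_FATAL_ERROR; /* unknown connect state */
    }
}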
wolfSSL 15:117db924cf7c 7563 #endif
wolfSSL 15:117db924cf7c 7564
wolfSSL 15:117db924cf7c 7565 #if defined(WOLFSSL_SEND_HRR_COOKIE)
/* Enable sending a cookie with the HelloRetryRequest so that the server does
 * not have to store state, and install the secret that protects the cookie.
 *
 * ssl       SSL/TLS object.
 * secret    Secret to use when generating integrity check for cookie.
 *           NULL requests a freshly generated random secret.
 * secretSz  Size of secret data in bytes.
 *           0 selects the default size (a digest size chosen at build time).
 *           When secret is not NULL, secretSz bytes are read from it after
 *           the default has been applied, so a caller passing 0 must supply
 *           at least the default number of bytes.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR when
 * called on a client or when built without server support, MEMORY_ERROR when
 * the secret buffer cannot be allocated, a negative value when random
 * generation fails and WOLFSSL_SUCCESS on success.
 */
int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret,
                            unsigned int secretSz)
{
    int ret;

    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
#ifndef NO_WOLFSSL_SERVER
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

    /* Apply the default length: SHA-256 digest size when available, else
     * SHA-1 digest size. */
    if (secretSz == 0) {
    #ifndef NO_SHA256
        secretSz = WC_SHA256_DIGEST_SIZE;
    #elif !defined(NO_SHA)
        secretSz = WC_SHA_DIGEST_SIZE;
    #endif
    }

    /* The existing buffer is reused only when the length is unchanged. */
    if (ssl->buffers.tls13CookieSecret.length != secretSz) {
        byte* replacement;

        /* Wipe the old secret before releasing its memory. */
        if (ssl->buffers.tls13CookieSecret.buffer != NULL) {
            ForceZero(ssl->buffers.tls13CookieSecret.buffer,
                      ssl->buffers.tls13CookieSecret.length);
            XFREE(ssl->buffers.tls13CookieSecret.buffer,
                  ssl->heap, DYNAMIC_TYPE_COOKIE_PWD);
        }

        replacement = (byte*)XMALLOC(secretSz, ssl->heap,
                                     DYNAMIC_TYPE_COOKIE_PWD);
        if (replacement != NULL) {
            ssl->buffers.tls13CookieSecret.buffer = replacement;
            ssl->buffers.tls13CookieSecret.length = secretSz;
        }
        else {
            /* Leave no pointer to the freed buffer behind. */
            ssl->buffers.tls13CookieSecret.buffer = NULL;
            ssl->buffers.tls13CookieSecret.length = 0;
            WOLFSSL_MSG("couldn't allocate new cookie secret");
            return MEMORY_ERROR;
        }
    }

    if (secret != NULL) {
        /* Caller supplied the secret: copy it in. */
        XMEMCPY(ssl->buffers.tls13CookieSecret.buffer, secret, secretSz);
    }
    else {
        /* No secret supplied: generate a random one. */
        ret = wc_RNG_GenerateBlock(ssl->rng,
                                   ssl->buffers.tls13CookieSecret.buffer,
                                   secretSz);
        if (ret < 0)
            return ret;
    }

    ssl->options.sendCookie = 1;

    ret = WOLFSSL_SUCCESS;
#else
    (void)secret;
    (void)secretSz;

    ret = SIDE_ERROR;
#endif

    return ret;
}
wolfSSL 15:117db924cf7c 7640 #endif
wolfSSL 15:117db924cf7c 7641
/* Create a key share entry for the named group; a key pair is generated.
 *
 * ssl    The SSL/TLS object.
 * group  The named group.
 * returns BAD_FUNC_ARG when ssl is NULL, WOLFSSL_SUCCESS on success and
 * otherwise the non-zero result of TLSX_KeyShare_Use().
 */
int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group)
{
    int rc;

    if (ssl == NULL) {
        return BAD_FUNC_ARG;
    }

    /* Zero length and NULL data/entry arguments: only the group is given. */
    rc = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL);

    return (rc == 0) ? WOLFSSL_SUCCESS : rc;
}
wolfSSL 15:117db924cf7c 7662
/* Send no key share entries - the shared group is then negotiated with a
 * HelloRetryRequest.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL, SIDE_ERROR when called on a server,
 * WOLFSSL_SUCCESS on success and otherwise the non-zero result of
 * TLSX_KeyShare_Empty().
 */
int wolfSSL_NoKeyShares(WOLFSSL* ssl)
{
    int rc;

    if (ssl == NULL) {
        return BAD_FUNC_ARG;
    }
    if (ssl->options.side == WOLFSSL_SERVER_END) {
        return SIDE_ERROR;
    }

    rc = TLSX_KeyShare_Empty(ssl);

    return (rc == 0) ? WOLFSSL_SUCCESS : rc;
}
wolfSSL 15:117db924cf7c 7683
/* Do not send a ticket after TLS v1.3 handshake for resumption.
 * Server only. When HAVE_SESSION_TICKET is not defined the call still
 * validates its argument but changes nothing.
 *
 * ctx  The SSL/TLS CTX object.
 * returns BAD_FUNC_ARG when ctx is NULL or its method is not at least
 * TLS v1.3, SIDE_ERROR when the method is for a client and 0 on success.
 */
int wolfSSL_CTX_no_ticket_TLSv13(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;
    if (ctx->method->side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

#ifdef HAVE_SESSION_TICKET
    ctx->noTicketTls13 = 1;
#endif

    return 0;
}
wolfSSL 15:117db924cf7c 7702
/* Do not send a ticket after TLS v1.3 handshake for resumption.
 * Server only. When HAVE_SESSION_TICKET is not defined the call still
 * validates its argument but changes nothing.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR when
 * called on a client and 0 on success.
 */
int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

#ifdef HAVE_SESSION_TICKET
    ssl->options.noTicketTls13 = 1;
#endif

    return 0;
}
wolfSSL 15:117db924cf7c 7722
/* Disallow (EC)DHE key exchange when using pre-shared keys.
 * Sets ctx->noPskDheKe. A PSK-only key exchange has no (EC)DHE contribution,
 * so traffic keys derive from the PSK alone and the connection has no forward
 * secrecy if that PSK is later disclosed; enable only where that is an
 * accepted trade-off.
 *
 * ctx  The SSL/TLS CTX object.
 * returns BAD_FUNC_ARG when ctx is NULL or its method is not at least
 * TLS v1.3 and 0 on success.
 */
int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;

    ctx->noPskDheKe = 1;

    return 0;
}
wolfSSL 15:117db924cf7c 7737
/* Disallow (EC)DHE key exchange when using pre-shared keys.
 * Sets ssl->options.noPskDheKe. A PSK-only key exchange has no (EC)DHE
 * contribution, so traffic keys derive from the PSK alone and the connection
 * has no forward secrecy if that PSK is later disclosed; enable only where
 * that is an accepted trade-off.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3 and 0 on
 * success.
 */
int wolfSSL_no_dhe_psk(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

    ssl->options.noPskDheKe = 1;

    return 0;
}
wolfSSL 15:117db924cf7c 7753
/* Update the keys for encryption and decryption.
 * Sends a TLS v1.3 KeyUpdate message through SendTls13KeyUpdate().
 * If using non-blocking I/O and WOLFSSL_ERROR_WANT_WRITE is returned then
 * calling wolfSSL_write() will have the message sent when ready.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
 * WOLFSSL_ERROR_WANT_WRITE when non-blocking I/O is not ready to write,
 * WOLFSSL_SUCCESS on success and otherwise the error code from
 * SendTls13KeyUpdate().
 */
int wolfSSL_update_keys(WOLFSSL* ssl)
{
    int sendRet;

    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

    sendRet = SendTls13KeyUpdate(ssl);

    /* Translate the internal codes into the public API values. */
    if (sendRet == WANT_WRITE)
        return WOLFSSL_ERROR_WANT_WRITE;
    if (sendRet == 0)
        return WOLFSSL_SUCCESS;

    return sendRet;
}
wolfSSL 15:117db924cf7c 7777
wolfSSL 15:117db924cf7c 7778 #if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
/* Allow post-handshake authentication in TLS v1.3 connections.
 * Client only: sets ctx->postHandshakeAuth.
 *
 * ctx  The SSL/TLS CTX object.
 * returns BAD_FUNC_ARG when ctx is NULL or its method is not at least
 * TLS v1.3, SIDE_ERROR when not a client and 0 on success.
 */
int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;
    if (ctx->method->side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    ctx->postHandshakeAuth = 1;

    return 0;
}
wolfSSL 15:117db924cf7c 7796
/* Allow post-handshake authentication in TLS v1.3 connection.
 * Client only: sets ssl->options.postHandshakeAuth.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
 * SIDE_ERROR when not a client and 0 on success.
 */
int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
    if (ssl->options.side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    ssl->options.postHandshakeAuth = 1;

    return 0;
}
wolfSSL 15:117db924cf7c 7814
/* Request a certificate of the client.
 * Can be called any time after handshake completion.
 * A maximum of 256 requests can be sent on a connection.
 * NOTE(review): no request counter is checked in this function; the limit is
 * presumably the range of the one-byte request context - confirm against the
 * CertReqCtx declaration.
 *
 * ssl  SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR when
 * called on a client (or when built with NO_WOLFSSL_SERVER), NOT_READY_ERROR
 * when the handshake is not complete, POST_HAND_AUTH_ERROR when
 * post-handshake authentication was not enabled on this connection, MEMORY_E
 * when allocation fails, WOLFSSL_ERROR_WANT_WRITE when non-blocking I/O is
 * not ready to write, WOLFSSL_SUCCESS on success and otherwise the error code
 * from SendTls13CertificateRequest().
 */
int wolfSSL_request_certificate(WOLFSSL* ssl)
{
    int         ret;
#ifndef NO_WOLFSSL_SERVER
    CertReqCtx* reqCtx;
#endif

    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
#ifndef NO_WOLFSSL_SERVER
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;
    if (ssl->options.handShakeState != HANDSHAKE_DONE)
        return NOT_READY_ERROR;
    /* Only ask when the postHandshakeAuth option is set on this object. */
    if (!ssl->options.postHandshakeAuth)
        return POST_HAND_AUTH_ERROR;

    reqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx), ssl->heap,
                                  DYNAMIC_TYPE_TMP_BUFFER);
    if (reqCtx == NULL)
        return MEMORY_E;
    XMEMSET(reqCtx, 0, sizeof(CertReqCtx));

    /* Push the new request context on the head of the per-connection list.
     * The first context is zero (from the memset); each later one is the
     * previous head's value plus one. The entry stays linked even when the
     * send below fails or reports WANT_WRITE. */
    reqCtx->next = ssl->certReqCtx;
    reqCtx->len = 1;
    if (reqCtx->next != NULL)
        reqCtx->ctx = reqCtx->next->ctx + 1;
    ssl->certReqCtx = reqCtx;

    /* Clear the received-message flags so that a fresh Certificate,
     * CertificateVerify and Finished can be accepted from the client. */
    ssl->msgsReceived.got_certificate = 0;
    ssl->msgsReceived.got_certificate_verify = 0;
    ssl->msgsReceived.got_finished = 0;

    ret = SendTls13CertificateRequest(ssl, &reqCtx->ctx, reqCtx->len);
    /* Translate the internal codes into the public API values. */
    if (ret == WANT_WRITE)
        ret = WOLFSSL_ERROR_WANT_WRITE;
    else if (ret == 0)
        ret = WOLFSSL_SUCCESS;
#else
    ret = SIDE_ERROR;
#endif

    return ret;
}
wolfSSL 15:117db924cf7c 7864 #endif /* !NO_CERTS && WOLFSSL_POST_HANDSHAKE_AUTH */
wolfSSL 15:117db924cf7c 7865
wolfSSL 15:117db924cf7c 7866 #if !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
/* Get the preferred key exchange group.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3,
 * SIDE_ERROR when not a client (or when built with NO_WOLFSSL_CLIENT),
 * NOT_READY_ERROR when handshake not complete and otherwise the result of
 * TLSX_SupportedCurve_Preferred() - the group number on success.
 */
int wolfSSL_preferred_group(WOLFSSL* ssl)
{
    if (ssl == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
#ifndef NO_WOLFSSL_CLIENT
    if (ssl->options.side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;
    /* Only answered once the handshake has finished. */
    if (ssl->options.handShakeState != HANDSHAKE_DONE)
        return NOT_READY_ERROR;

    /* Return supported groups only. */
    return TLSX_SupportedCurve_Preferred(ssl, 1);
#else
    return SIDE_ERROR;
#endif
}
wolfSSL 15:117db924cf7c 7890 #endif
wolfSSL 15:117db924cf7c 7891
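/* Sets the key exchange groups in rank order on a context.
 *
 * ctx     SSL/TLS context object.
 * groups  Array of groups.
 * count   Number of groups in array.
 * returns BAD_FUNC_ARG when ctx or groups is NULL, not using TLS v1.3 or
 * count is negative or greater than WOLFSSL_MAX_GROUP_COUNT and
 * WOLFSSL_SUCCESS on success.
 */
int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count)
{
    int i;

    /* A negative count would skip the copy loop below yet still be stored,
     * truncated to a byte, as a large numGroups; code that later walks
     * ctx->group by numGroups would then read past the entries written here.
     * Reject it together with the other bad arguments. */
    if (ctx == NULL || groups == NULL || count < 0 ||
                                            count > WOLFSSL_MAX_GROUP_COUNT)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;

    /* NOTE(review): each value is narrowed to word16 without being checked
     * against the known named groups - presumably validated when the groups
     * are used; confirm. */
    for (i = 0; i < count; i++)
        ctx->group[i] = (word16)groups[i];
    ctx->numGroups = (byte)count;

    return WOLFSSL_SUCCESS;
}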
wolfSSL 15:117db924cf7c 7915
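/* Sets the key exchange groups in rank order.
 *
 * ssl     SSL/TLS object.
 * groups  Array of groups.
 * count   Number of groups in array.
 * returns BAD_FUNC_ARG when ssl or groups is NULL, not using TLS v1.3 or
 * count is negative or greater than WOLFSSL_MAX_GROUP_COUNT and
 * WOLFSSL_SUCCESS on success.
 */
int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count)
{
    int i;

    /* A negative count would skip the copy loop below yet still be stored,
     * truncated to a byte, as a large numGroups; code that later walks
     * ssl->group by numGroups would then read past the entries written here.
     * Reject it together with the other bad arguments. */
    if (ssl == NULL || groups == NULL || count < 0 ||
                                            count > WOLFSSL_MAX_GROUP_COUNT)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

    /* NOTE(review): each value is narrowed to word16 without being checked
     * against the known named groups - presumably validated when the groups
     * are used; confirm. */
    for (i = 0; i < count; i++)
        ssl->group[i] = (word16)groups[i];
    ssl->numGroups = (byte)count;

    return WOLFSSL_SUCCESS;
}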
wolfSSL 15:117db924cf7c 7939
wolfSSL 15:117db924cf7c 7940 #ifndef NO_WOLFSSL_SERVER
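/* The server accepting a connection from a client.
 * The protocol version is expecting to be TLS v1.3.
 * If the client downgrades, and older versions of the protocol are compiled
 * in, the server will fallback to wolfSSL_accept().
 * Please see note at top of README if you get an error from accept.
 *
 * The handshake is driven by ssl->options.acceptState: each case sends or
 * receives one flight, records the new state and falls through to the next,
 * so a call that returns early can be repeated and resumes at the recorded
 * state.
 *
 * ssl  The SSL/TLS object.
 * returns WOLFSSL_SUCCESS on successful handshake (or, with
 * WOLFSSL_EARLY_DATA, once the server Finished is sent and early data is
 * expected) and WOLFSSL_FATAL_ERROR when ssl is NULL or any step fails; in
 * the latter case the step's error code is stored in ssl->error.
 * For more error information use wolfSSL_get_error().
 */
int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
{
    word16 havePSK = 0;
    WOLFSSL_ENTER("SSL_accept_TLSv13()");

#ifdef HAVE_ERRNO_H
    errno = 0;
#endif

    /* Reject a NULL object before the first dereference below. */
    if (ssl == NULL)
        return WOLFSSL_FATAL_ERROR;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    havePSK = ssl->options.havePSK;
#endif
    (void)havePSK;

    if (ssl->options.side != WOLFSSL_SERVER_END) {
        WOLFSSL_ERROR(ssl->error = SIDE_ERROR);
        return WOLFSSL_FATAL_ERROR;
    }

#ifndef NO_CERTS
    /* Without a PSK the server must have a certificate and a private key.
     * allow no private key if using PK callbacks and CB is set */
    if (!havePSK) {
        if (!ssl->buffers.certificate ||
            !ssl->buffers.certificate->buffer) {

            WOLFSSL_MSG("accept error: server cert required");
            WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY);
            return WOLFSSL_FATAL_ERROR;
        }

    #ifdef HAVE_PK_CALLBACKS
        if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) {
            WOLFSSL_MSG("Using PK for server private key");
        }
        else
    #endif
        if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
            WOLFSSL_MSG("accept error: server key required");
            WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY);
            return WOLFSSL_FATAL_ERROR;
        }
    }
#endif

    /* Flush output left over from an earlier call before continuing. */
    if (ssl->buffers.outputBuffer.length > 0) {
        if ((ssl->error = SendBuffered(ssl)) == 0) {
            /* fragOffset is non-zero when sending fragments. On the last
             * fragment, fragOffset is zero again, and the state can be
             * advanced. */
            if (ssl->fragOffset == 0) {
                ssl->options.acceptState++;
                WOLFSSL_MSG("accept state: "
                            "Advanced from last buffered fragment send");
            }
            else {
                WOLFSSL_MSG("accept state: "
                            "Not advanced, more fragments to send");
            }
        }
        else {
            WOLFSSL_ERROR(ssl->error);
            return WOLFSSL_FATAL_ERROR;
        }
    }

    switch (ssl->options.acceptState) {

        case TLS13_ACCEPT_BEGIN :
            /* get client_hello */
            while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                if ((ssl->error = ProcessReply(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }

            ssl->options.acceptState = TLS13_ACCEPT_CLIENT_HELLO_DONE;
            WOLFSSL_MSG("accept state ACCEPT_CLIENT_HELLO_DONE");
            FALL_THROUGH;

        case TLS13_ACCEPT_CLIENT_HELLO_DONE :
#ifdef WOLFSSL_TLS13_DRAFT_18
            /* Draft 18 has a dedicated HelloRetryRequest message. */
            if (ssl->options.serverState ==
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
                if ((ssl->error = SendTls13HelloRetryRequest(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }

            ssl->options.acceptState = TLS13_ACCEPT_FIRST_REPLY_DONE;
            WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE");
            FALL_THROUGH;

        case TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE :
#else
            /* The retry request is sent as a ServerHello of type
             * hello_retry_request. */
            if (ssl->options.serverState ==
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
                if ((ssl->error = SendTls13ServerHello(ssl,
                                                   hello_retry_request)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }

            ssl->options.acceptState = TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE;
            WOLFSSL_MSG("accept state ACCEPT_HELLO_RETRY_REQUEST_DONE");
            FALL_THROUGH;

        case TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE :
    #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
            /* Middlebox compatibility: ChangeCipherSpec follows the retry
             * request; sentChangeCipher stops it being sent a second time in
             * TLS13_SERVER_HELLO_SENT. */
            if (ssl->options.serverState ==
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
                if ((ssl->error = SendChangeCipher(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                ssl->options.sentChangeCipher = 1;
            }
    #endif
            ssl->options.acceptState = TLS13_ACCEPT_FIRST_REPLY_DONE;
            WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE");
            FALL_THROUGH;
#endif

        case TLS13_ACCEPT_FIRST_REPLY_DONE :
            /* After a retry request, read the second ClientHello. */
            if (ssl->options.serverState ==
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
                ssl->options.clientState = NULL_STATE;
                while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                    if ((ssl->error = ProcessReply(ssl)) < 0) {
                        WOLFSSL_ERROR(ssl->error);
                        return WOLFSSL_FATAL_ERROR;
                    }
                }
            }

            ssl->options.acceptState = TLS13_ACCEPT_SECOND_REPLY_DONE;
            WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE");
            FALL_THROUGH;

        case TLS13_ACCEPT_SECOND_REPLY_DONE :
            if ((ssl->error = SendTls13ServerHello(ssl, server_hello)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
            ssl->options.acceptState = TLS13_SERVER_HELLO_SENT;
            WOLFSSL_MSG("accept state SERVER_HELLO_SENT");
            FALL_THROUGH;

        case TLS13_SERVER_HELLO_SENT :
    #if !defined(WOLFSSL_TLS13_DRAFT_18) && \
                                         defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
            if (!ssl->options.sentChangeCipher) {
                if ((ssl->error = SendChangeCipher(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                ssl->options.sentChangeCipher = 1;
            }
    #endif

            ssl->options.acceptState = TLS13_ACCEPT_THIRD_REPLY_DONE;
            WOLFSSL_MSG("accept state ACCEPT_THIRD_REPLY_DONE");
            FALL_THROUGH;

        case TLS13_ACCEPT_THIRD_REPLY_DONE :
            /* The key share secret is derived unless (EC)DHE with PSK has
             * been disabled through noPskDheKe. */
            if (!ssl->options.noPskDheKe) {
                ssl->error = TLSX_KeyShare_DeriveSecret(ssl);
                if (ssl->error != 0)
                    return WOLFSSL_FATAL_ERROR;
            }

            if ((ssl->error = SendTls13EncryptedExtensions(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
            ssl->options.acceptState = TLS13_SERVER_EXTENSIONS_SENT;
            WOLFSSL_MSG("accept state SERVER_EXTENSIONS_SENT");
            FALL_THROUGH;

        case TLS13_SERVER_EXTENSIONS_SENT :
#ifndef NO_CERTS
            /* Client authentication is requested only on a full handshake
             * with verifyPeer set; a resumed session sends no request. */
            if (!ssl->options.resuming) {
                if (ssl->options.verifyPeer) {
                    ssl->error = SendTls13CertificateRequest(ssl, NULL, 0);
                    if (ssl->error != 0) {
                        WOLFSSL_ERROR(ssl->error);
                        return WOLFSSL_FATAL_ERROR;
                    }
                }
            }
#endif
            ssl->options.acceptState = TLS13_CERT_REQ_SENT;
            WOLFSSL_MSG("accept state CERT_REQ_SENT");
            FALL_THROUGH;

        case TLS13_CERT_REQ_SENT :
#ifndef NO_CERTS
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                if ((ssl->error = SendTls13Certificate(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif
            ssl->options.acceptState = TLS13_CERT_SENT;
            WOLFSSL_MSG("accept state CERT_SENT");
            FALL_THROUGH;

        case TLS13_CERT_SENT :
#ifndef NO_CERTS
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                if ((ssl->error = SendTls13CertificateVerify(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif
            ssl->options.acceptState = TLS13_CERT_VERIFY_SENT;
            WOLFSSL_MSG("accept state CERT_VERIFY_SENT");
            FALL_THROUGH;

        case TLS13_CERT_VERIFY_SENT :
            if ((ssl->error = SendTls13Finished(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }

            ssl->options.acceptState = TLS13_ACCEPT_FINISHED_SENT;
            WOLFSSL_MSG("accept state ACCEPT_FINISHED_SENT");
#ifdef WOLFSSL_EARLY_DATA
            /* When early data is expected, return now. The client's Finished
             * has not been processed yet (that happens in
             * TLS13_PRE_TICKET_SENT), so a WOLFSSL_SUCCESS from this path
             * does not mean the handshake is complete. */
            if (ssl->earlyData != no_early_data) {
                ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
                return WOLFSSL_SUCCESS;
            }
#endif
            FALL_THROUGH;

        case TLS13_ACCEPT_FINISHED_SENT :
#ifdef HAVE_SESSION_TICKET
    #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
            /* Optional early ticket: sent before the client's Finished is
             * read, and only when no client certificate is being verified. */
            if (!ssl->options.resuming && !ssl->options.verifyPeer &&
                !ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) {
                if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
    #endif
#endif /* HAVE_SESSION_TICKET */
            ssl->options.acceptState = TLS13_PRE_TICKET_SENT;
            /* The log text reads TICKET_SENT although the state recorded
             * above is TLS13_PRE_TICKET_SENT. */
            WOLFSSL_MSG("accept state TICKET_SENT");
            FALL_THROUGH;

        case TLS13_PRE_TICKET_SENT :
            /* Read until the client's Finished has been processed. */
            while (ssl->options.clientState < CLIENT_FINISHED_COMPLETE)
                if ( (ssl->error = ProcessReply(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }

            ssl->options.acceptState = TLS13_ACCEPT_FINISHED_DONE;
            WOLFSSL_MSG("accept state ACCEPT_FINISHED_DONE");
            FALL_THROUGH;

        case TLS13_ACCEPT_FINISHED_DONE :
#ifdef HAVE_SESSION_TICKET
    #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
            /* The empty branch skips the send when verifyPeer is off; that
             * case is handled in TLS13_ACCEPT_FINISHED_SENT above. */
            if (!ssl->options.verifyPeer) {
            }
            else
    #endif
            if (!ssl->options.resuming &&
                !ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) {
                if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif /* HAVE_SESSION_TICKET */
            ssl->options.acceptState = TLS13_TICKET_SENT;
            WOLFSSL_MSG("accept state TICKET_SENT");
            FALL_THROUGH;

        case TLS13_TICKET_SENT :
#ifndef NO_HANDSHAKE_DONE_CB
            /* A negative return from the application callback fails the
             * accept and is stored in ssl->error. */
            if (ssl->hsDoneCb) {
                int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
                if (cbret < 0) {
                    ssl->error = cbret;
                    WOLFSSL_MSG("HandShake Done Cb don't continue error");
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif /* NO_HANDSHAKE_DONE_CB */

            WOLFSSL_LEAVE("SSL_accept()", WOLFSSL_SUCCESS);
            return WOLFSSL_SUCCESS;

        default :
            WOLFSSL_MSG("Unknown accept state ERROR");
            return WOLFSSL_FATAL_ERROR;
    }
}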
wolfSSL 15:117db924cf7c 8257 #endif
wolfSSL 15:117db924cf7c 8258
wolfSSL 15:117db924cf7c 8259 #ifdef WOLFSSL_EARLY_DATA
/* Sets the maximum amount of early data that can be seen by server when using
 * session tickets for resumption.
 * A value of zero indicates no early data is to be sent by client using session
 * tickets.
 * TLS v1.3 early (0-RTT) data is not protected against replay by the protocol,
 * so a non-zero limit suits only applications whose early requests are safe
 * to receive more than once.
 *
 * ctx  The SSL/TLS CTX object.
 * sz   Maximum size of the early data.
 * returns BAD_FUNC_ARG when ctx is NULL or its method is not at least
 * TLS v1.3, SIDE_ERROR when not a server and 0 on success.
 */
int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;
    if (ctx->method->side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

    ctx->maxEarlyDataSz = sz;

    return 0;
}
wolfSSL 15:117db924cf7c 8281
/* Sets the maximum amount of early data that can be seen by server when using
 * session tickets for resumption.
 * A value of zero indicates no early data is to be sent by client using session
 * tickets.
 * Early data is TLS 1.3 0-RTT data, which the protocol does not protect
 * against replay (RFC 8446, Section 8); keep the limit as small as the
 * application needs.
 *
 * ssl  The SSL/TLS object.
 * sz   Maximum size of the early data.
 * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
 * SIDE_ERROR when not a server and 0 on success.
 */
int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz)
{
    int status = 0;

    if (ssl == NULL) {
        status = BAD_FUNC_ARG;
    }
    else if (!IsAtLeastTLSv1_3(ssl->version)) {
        status = BAD_FUNC_ARG;
    }
    else if (ssl->options.side == WOLFSSL_CLIENT_END) {
        /* The limit is a server-side setting. */
        status = SIDE_ERROR;
    }
    else {
        ssl->options.maxEarlyDataSz = sz;
    }

    return status;
}
wolfSSL 15:117db924cf7c 8303
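/* Write early data to the server.
 * Early data is TLS 1.3 0-RTT data, which the protocol does not protect
 * against replay (RFC 8446, Section 8); only send data that is safe for the
 * server to process more than once.
 *
 * ssl    The SSL/TLS object.
 * data   Early data to write
 * sz     The size of the early data in bytes.
 * outSz  The number of early data bytes written. Set to 0 whenever ssl, data
 *        and outSz are valid and no data was written.
 * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative;
 * or not using TLS v1.3. SIDE_ERROR when not a client. WOLFSSL_FATAL_ERROR
 * when starting the handshake or sending the data fails. Otherwise the number
 * of early data bytes written.
 */
int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz)
{
    int ret = 0;

    WOLFSSL_ENTER("SSL_write_early_data()");

    if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL)
        return BAD_FUNC_ARG;

    /* Several paths below return without a successful send; give the caller a
     * defined count instead of leaving *outSz at whatever it held on entry. */
    *outSz = 0;

    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

#ifndef NO_WOLFSSL_CLIENT
    if (ssl->options.side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    /* Handshake not started yet: mark the connection as using early data and
     * run the client handshake before any data is sent. */
    if (ssl->options.handShakeState == NULL_STATE) {
        ssl->earlyData = expecting_early_data;
        ret = wolfSSL_connect_TLSv13(ssl);
        if (ret <= 0)
            return WOLFSSL_FATAL_ERROR;
    }
    /* Data is only sent while the handshake is in the CLIENT_HELLO_COMPLETE
     * state; in any other state nothing is sent and *outSz stays 0. */
    if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) {
        ret = SendData(ssl, data, sz);
        if (ret > 0)
            *outSz = ret;
    }
#else
    return SIDE_ERROR;
#endif

    WOLFSSL_LEAVE("SSL_write_early_data()", ret);

    /* Any negative result is reported as WOLFSSL_FATAL_ERROR. */
    if (ret < 0)
        ret = WOLFSSL_FATAL_ERROR;
    return ret;
}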
wolfSSL 15:117db924cf7c 8350
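/* Read any early data from the client.
 * Early data is TLS 1.3 0-RTT data, which the protocol does not protect
 * against replay (RFC 8446, Section 8); the application should act on it only
 * when processing the same data more than once is harmless.
 *
 * ssl    The SSL/TLS object.
 * data   Buffer to put the early data into.
 * sz     The size of the buffer in bytes.
 * outSz  The number of early data bytes read. Set to 0 whenever ssl, data and
 *        outSz are valid and no data was read.
 * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative;
 * or not using TLS v1.3. SIDE_ERROR when not a server. WOLFSSL_FATAL_ERROR
 * when starting the handshake or receiving the data fails. Otherwise the
 * number of early data bytes read.
 */
int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz)
{
    int ret = 0;

    WOLFSSL_ENTER("wolfSSL_read_early_data()");


    if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL)
        return BAD_FUNC_ARG;

    /* Several paths below return without reading anything; give the caller a
     * defined count so it never treats stale buffer contents as early data. */
    *outSz = 0;

    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

#ifndef NO_WOLFSSL_SERVER
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

    /* Handshake not started yet: mark the connection as expecting early data
     * and run the server handshake before trying to read. */
    if (ssl->options.handShakeState == NULL_STATE) {
        ssl->earlyData = expecting_early_data;
        ret = wolfSSL_accept_TLSv13(ssl);
        if (ret <= 0)
            return WOLFSSL_FATAL_ERROR;
    }
    /* Data is only read while the handshake is in the SERVER_FINISHED_COMPLETE
     * state; in any other state the call reports 0 bytes. */
    if (ssl->options.handShakeState == SERVER_FINISHED_COMPLETE) {
        ret = ReceiveData(ssl, (byte*)data, sz, FALSE);
        if (ret > 0)
            *outSz = ret;
        /* ZERO_RETURN is cleared here - presumably because running out of
         * early data is not a closed connection; confirm against
         * ReceiveData. */
        if (ssl->error == ZERO_RETURN)
            ssl->error = WOLFSSL_ERROR_NONE;
    }
    else
        ret = 0;
#else
    return SIDE_ERROR;
#endif

    WOLFSSL_LEAVE("wolfSSL_read_early_data()", ret);

    /* Any negative result is reported as WOLFSSL_FATAL_ERROR. */
    if (ret < 0)
        ret = WOLFSSL_FATAL_ERROR;
    return ret;
}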
wolfSSL 15:117db924cf7c 8402 #endif
wolfSSL 15:117db924cf7c 8403
wolfSSL 15:117db924cf7c 8404 #undef ERROR_OUT
wolfSSL 15:117db924cf7c 8405
wolfSSL 15:117db924cf7c 8406 #endif /* !WOLFCRYPT_ONLY */
wolfSSL 15:117db924cf7c 8407
wolfSSL 15:117db924cf7c 8408 #endif /* WOLFSSL_TLS13 */
wolfSSL 15:117db924cf7c 8409