wolfSSL SSL/TLS library, support up to TLS1.3


Committer:
wolfSSL
Date:
Fri Jun 05 00:11:07 2020 +0000
Revision:
17:a5f916481144
Parent:
16:8e0d178b1d1e
wolfSSL 4.4.0

wolfSSL 15:117db924cf7c 1 /* tls13.c
wolfSSL 15:117db924cf7c 2 *
wolfSSL 16:8e0d178b1d1e 3 * Copyright (C) 2006-2020 wolfSSL Inc.
wolfSSL 15:117db924cf7c 4 *
wolfSSL 15:117db924cf7c 5 * This file is part of wolfSSL.
wolfSSL 15:117db924cf7c 6 *
wolfSSL 15:117db924cf7c 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 15:117db924cf7c 8 * it under the terms of the GNU General Public License as published by
wolfSSL 15:117db924cf7c 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 15:117db924cf7c 10 * (at your option) any later version.
wolfSSL 15:117db924cf7c 11 *
wolfSSL 15:117db924cf7c 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 15:117db924cf7c 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 15:117db924cf7c 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 15:117db924cf7c 15 * GNU General Public License for more details.
wolfSSL 15:117db924cf7c 16 *
wolfSSL 15:117db924cf7c 17 * You should have received a copy of the GNU General Public License
wolfSSL 15:117db924cf7c 18 * along with this program; if not, write to the Free Software
wolfSSL 15:117db924cf7c 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 15:117db924cf7c 20 */
wolfSSL 15:117db924cf7c 21
wolfSSL 15:117db924cf7c 22
wolfSSL 15:117db924cf7c 23 /*
wolfSSL 15:117db924cf7c 24 * BUILD_GCM
wolfSSL 15:117db924cf7c 25 * Enables AES-GCM ciphersuites.
wolfSSL 15:117db924cf7c 26 * HAVE_AESCCM
wolfSSL 15:117db924cf7c 27 * Enables AES-CCM ciphersuites.
wolfSSL 15:117db924cf7c 28 * HAVE_SESSION_TICKET
wolfSSL 15:117db924cf7c 29 * Enables session tickets - required for TLS 1.3 resumption.
wolfSSL 15:117db924cf7c 30 * NO_PSK
wolfSSL 15:117db924cf7c 31 * Do not enable Pre-Shared Keys.
wolfSSL 15:117db924cf7c 32 * TLS13_SUPPORTS_EXPORTERS
wolfSSL 16:8e0d178b1d1e 33 * Guard to compile out any code for exporter keys.
wolfSSL 15:117db924cf7c 34 * Feature not supported yet.
wolfSSL 15:117db924cf7c 35 * WOLFSSL_ASYNC_CRYPT
wolfSSL 16:8e0d178b1d1e 36 * Enables the use of asynchronous cryptographic operations.
wolfSSL 15:117db924cf7c 37 * This is available for ciphers and certificates.
wolfSSL 15:117db924cf7c 38 * HAVE_CHACHA && HAVE_POLY1305
wolfSSL 15:117db924cf7c 39 * Enables use of CHACHA20-POLY1305 ciphersuites.
wolfSSL 15:117db924cf7c 40 * WOLFSSL_DEBUG_TLS
wolfSSL 16:8e0d178b1d1e 41 * Writes out details of TLS 1.3 protocol including handshake message buffers
wolfSSL 15:117db924cf7c 42 * and key generation input and output.
wolfSSL 15:117db924cf7c 43 * WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 44 * Allow 0-RTT Handshake using Early Data extensions and handshake message
wolfSSL 16:8e0d178b1d1e 45 * WOLFSSL_EARLY_DATA_GROUP
wolfSSL 16:8e0d178b1d1e 46 * Group EarlyData message with ClientHello when sending
wolfSSL 15:117db924cf7c 47 * WOLFSSL_NO_SERVER_GROUPS_EXT
wolfSSL 15:117db924cf7c 48 * Do not send the server's groups in an extension when the server's top
wolfSSL 15:117db924cf7c 49 * preference is not in client's list.
wolfSSL 15:117db924cf7c 50 * WOLFSSL_POST_HANDSHAKE_AUTH
wolfSSL 15:117db924cf7c 51 * Allow TLS v1.3 code to perform post-handshake authentication of the
wolfSSL 15:117db924cf7c 52 * client.
wolfSSL 15:117db924cf7c 53 * WOLFSSL_SEND_HRR_COOKIE
wolfSSL 15:117db924cf7c 54 * Send a cookie in hello_retry_request message to enable stateless tracking
wolfSSL 15:117db924cf7c 55 * of ClientHello replies.
wolfSSL 15:117db924cf7c 56 * WOLFSSL_TLS13
wolfSSL 15:117db924cf7c 57 * Enable TLS 1.3 protocol implementation.
wolfSSL 15:117db924cf7c 58 * WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 59 * Conform with Draft 18 of the TLS v1.3 specification.
wolfSSL 15:117db924cf7c 60 * WOLFSSL_TLS13_DRAFT_22
wolfSSL 15:117db924cf7c 61 * Conform with Draft 22 of the TLS v1.3 specification.
wolfSSL 15:117db924cf7c 62 * WOLFSSL_TLS13_DRAFT_23
wolfSSL 15:117db924cf7c 63 * Conform with Draft 23 of the TLS v1.3 specification.
wolfSSL 15:117db924cf7c 64 * WOLFSSL_TLS13_MIDDLEBOX_COMPAT
wolfSSL 16:8e0d178b1d1e 65 * Enable middlebox compatibility in the TLS 1.3 handshake.
wolfSSL 15:117db924cf7c 66 * This includes sending ChangeCipherSpec before encrypted messages and
wolfSSL 15:117db924cf7c 67 * including a session id.
wolfSSL 15:117db924cf7c 68 * WOLFSSL_TLS13_SHA512
wolfSSL 15:117db924cf7c 69 * Allow generation of SHA-512 digests in handshake - no ciphersuite
wolfSSL 15:117db924cf7c 70 * requires SHA-512 at this time.
wolfSSL 15:117db924cf7c 71 * WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
wolfSSL 15:117db924cf7c 72 * Allow a NewSessionTicket message to be sent by server before Client's
wolfSSL 15:117db924cf7c 73 * Finished message.
wolfSSL 15:117db924cf7c 74 * See TLS v1.3 specification, Section 4.6.1, Paragraph 4 (Note).
wolfSSL 15:117db924cf7c 75 */
wolfSSL 15:117db924cf7c 76
wolfSSL 15:117db924cf7c 77 #ifdef HAVE_CONFIG_H
wolfSSL 15:117db924cf7c 78 #include <config.h>
wolfSSL 15:117db924cf7c 79 #endif
wolfSSL 15:117db924cf7c 80
wolfSSL 15:117db924cf7c 81 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 15:117db924cf7c 82
wolfSSL 15:117db924cf7c 83 #ifdef WOLFSSL_TLS13
wolfSSL 15:117db924cf7c 84 #ifdef HAVE_SESSION_TICKET
wolfSSL 15:117db924cf7c 85 #include <wolfssl/wolfcrypt/wc_port.h>
wolfSSL 15:117db924cf7c 86 #endif
wolfSSL 15:117db924cf7c 87
wolfSSL 15:117db924cf7c 88 #ifndef WOLFCRYPT_ONLY
wolfSSL 15:117db924cf7c 89
wolfSSL 15:117db924cf7c 90 #ifdef HAVE_ERRNO_H
wolfSSL 15:117db924cf7c 91 #include <errno.h>
wolfSSL 15:117db924cf7c 92 #endif
wolfSSL 15:117db924cf7c 93
wolfSSL 15:117db924cf7c 94 #include <wolfssl/internal.h>
wolfSSL 15:117db924cf7c 95 #include <wolfssl/error-ssl.h>
wolfSSL 15:117db924cf7c 96 #include <wolfssl/wolfcrypt/asn.h>
wolfSSL 15:117db924cf7c 97 #include <wolfssl/wolfcrypt/dh.h>
wolfSSL 15:117db924cf7c 98 #ifdef NO_INLINE
wolfSSL 15:117db924cf7c 99 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 15:117db924cf7c 100 #else
wolfSSL 15:117db924cf7c 101 #define WOLFSSL_MISC_INCLUDED
wolfSSL 15:117db924cf7c 102 #include <wolfcrypt/src/misc.c>
wolfSSL 15:117db924cf7c 103 #endif
wolfSSL 15:117db924cf7c 104
wolfSSL 15:117db924cf7c 105 #ifdef HAVE_NTRU
wolfSSL 15:117db924cf7c 106 #include "libntruencrypt/ntru_crypto.h"
wolfSSL 15:117db924cf7c 107 #endif
wolfSSL 15:117db924cf7c 108
wolfSSL 15:117db924cf7c 109 #ifdef __sun
wolfSSL 15:117db924cf7c 110 #include <sys/filio.h>
wolfSSL 15:117db924cf7c 111 #endif
wolfSSL 15:117db924cf7c 112
wolfSSL 15:117db924cf7c 113 #ifndef TRUE
wolfSSL 15:117db924cf7c 114 #define TRUE 1
wolfSSL 15:117db924cf7c 115 #endif
wolfSSL 15:117db924cf7c 116 #ifndef FALSE
wolfSSL 15:117db924cf7c 117 #define FALSE 0
wolfSSL 15:117db924cf7c 118 #endif
wolfSSL 15:117db924cf7c 119
wolfSSL 15:117db924cf7c 120 #ifndef HAVE_HKDF
wolfSSL 15:117db924cf7c 121 #error The build option HAVE_HKDF is required for TLS 1.3
wolfSSL 15:117db924cf7c 122 #endif
wolfSSL 15:117db924cf7c 123
wolfSSL 16:8e0d178b1d1e 124 #ifndef HAVE_TLS_EXTENSIONS
wolfSSL 16:8e0d178b1d1e 125 #ifndef _MSC_VER
wolfSSL 16:8e0d178b1d1e 126 #error "The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3"
wolfSSL 16:8e0d178b1d1e 127 #else
wolfSSL 16:8e0d178b1d1e 128 #pragma message("error: The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3")
wolfSSL 16:8e0d178b1d1e 129 #endif
wolfSSL 16:8e0d178b1d1e 130 #endif
wolfSSL 16:8e0d178b1d1e 131
wolfSSL 15:117db924cf7c 132
/* Set ret to error value and jump to label.
 *
 * Requires a variable named 'ret' in the calling scope.
 * The expansion is a bare brace block, not do { } while (0): writing
 * "if (x) ERROR_OUT(e, l); else ..." without braces is a syntax error, so
 * use the macro only inside braced bodies.
 *
 * err     The error value to set.
 * eLabel  The label to jump to.
 */
#define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
wolfSSL 15:117db924cf7c 139
wolfSSL 15:117db924cf7c 140
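/* Extract data using HMAC, salt and input.
 * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
 *
 * A digest that is not compiled in is rejected up front, so the extract step
 * is never run with hash type 0 and a zero-length input.
 *
 * WOLFSSL_DEBUG_TLS builds write the salt, IKM and PRK to the log. That is
 * key material: keep the option out of production builds.
 *
 * prk      The generated pseudorandom key.
 * salt     The salt.
 * saltLen  The length of the salt.
 * ikm      The input keying material. Must be writable and at least one
 *          digest long: when ikmLen is 0 it is overwritten with zeros of
 *          digest length.
 * ikmLen   The length of the input keying material.
 * mac      The type of digest to use.
 * returns 0 on success, HASH_TYPE_E when the digest is not supported,
 * otherwise failure.
 */
static int Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen,
                              byte* ikm, int ikmLen, int mac)
{
    int ret;
    int hash = 0;
    int len = 0;

    switch (mac) {
    #ifndef NO_SHA256
        case sha256_mac:
            hash = WC_SHA256;
            len = WC_SHA256_DIGEST_SIZE;
            break;
    #endif

    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            hash = WC_SHA384;
            len = WC_SHA384_DIGEST_SIZE;
            break;
    #endif

    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hash = WC_SHA512;
            len = WC_SHA512_DIGEST_SIZE;
            break;
    #endif

        default:
            /* Fail closed: no digest selected means no key schedule. */
            return HASH_TYPE_E;
    }

    /* When length is 0 then use zeroed data of digest length. */
    if (ikmLen == 0) {
        ikmLen = len;
        XMEMSET(ikm, 0, len);
    }

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG(" Salt");
    WOLFSSL_BUFFER(salt, saltLen);
    WOLFSSL_MSG(" IKM");
    WOLFSSL_BUFFER(ikm, ikmLen);
#endif

    ret = wc_HKDF_Extract(hash, salt, saltLen, ikm, ikmLen, prk);

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG(" PRK");
    WOLFSSL_BUFFER(prk, len);
#endif

    return ret;
}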
wolfSSL 15:117db924cf7c 204
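/* Expand data using HMAC, salt and label and info.
 * TLS v1.3 defines this function.
 *
 * The label structure is assembled in a fixed-size stack buffer. All lengths
 * are validated before the first byte is written, so an over-long protocol,
 * label or info value is refused instead of writing past the buffer, and a
 * value that does not fit its one-byte length field is refused instead of
 * being encoded with a truncated length.
 *
 * WOLFSSL_DEBUG_TLS builds write the PRK and OKM to the log. That is key
 * material: keep the option out of production builds.
 *
 * okm          The generated pseudorandom key - output key material.
 * okmLen       The length of generated pseudorandom key - output key material.
 * prk          The salt - pseudo-random key.
 * prkLen       The length of the salt - pseudo-random key.
 * protocol     The TLS protocol label.
 * protocolLen  The length of the TLS protocol label.
 * label        The label distinguishing the derivation context.
 * labelLen     The length of the label.
 * info         The information to expand.
 * infoLen      The length of the information.
 * digest       The type of digest to use.
 * returns 0 on success, BUFFER_E when the encoded label does not fit the
 * internal buffer, BAD_FUNC_ARG when a length does not fit its one-byte
 * field, otherwise failure.
 */
static int HKDF_Expand_Label(byte* okm, word32 okmLen,
                             const byte* prk, word32 prkLen,
                             const byte* protocol, word32 protocolLen,
                             const byte* label, word32 labelLen,
                             const byte* info, word32 infoLen,
                             int digest)
{
    int  ret = 0;
    int  idx = 0;
    byte data[MAX_HKDF_LABEL_SZ];
    /* Output length (2) + label length (1) + info length (1). */
    const word32 fixedSz = 4;

    /* Check each length on its own first so the sum below cannot wrap. */
    if (protocolLen > sizeof(data) || labelLen > sizeof(data) ||
            infoLen > sizeof(data) ||
            fixedSz + protocolLen + labelLen + infoLen > sizeof(data)) {
        return BUFFER_E;
    }
    /* Both length fields are a single byte on the wire. */
    if (protocolLen + labelLen > 0xFF || infoLen > 0xFF) {
        return BAD_FUNC_ARG;
    }

    /* Output length. */
    data[idx++] = (byte)(okmLen >> 8);
    data[idx++] = (byte)okmLen;
    /* Length of protocol | label. */
    data[idx++] = (byte)(protocolLen + labelLen);
    /* Protocol */
    XMEMCPY(&data[idx], protocol, protocolLen);
    idx += protocolLen;
    /* Label */
    XMEMCPY(&data[idx], label, labelLen);
    idx += labelLen;
    /* Length of hash of messages */
    data[idx++] = (byte)infoLen;
    /* Hash of messages */
    XMEMCPY(&data[idx], info, infoLen);
    idx += infoLen;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG(" PRK");
    WOLFSSL_BUFFER(prk, prkLen);
    WOLFSSL_MSG(" Info");
    WOLFSSL_BUFFER(data, idx);
#endif

    ret = wc_HKDF_Expand(digest, prk, prkLen, data, idx, okm, okmLen);

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG(" OKM");
    WOLFSSL_BUFFER(okm, okmLen);
#endif

    /* Wipe the assembled label before the stack frame is released. */
    ForceZero(data, idx);

    return ret;
}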
wolfSSL 15:117db924cf7c 265
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Size of the TLS v1.3 label used when deriving keys. Counts the label
 * characters only; the array below has one more byte for the terminator. */
#define TLS13_PROTOCOL_LABEL_SZ 9
/* The protocol label for TLS v1.3 when built for Draft 18. */
static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "TLS 1.3, ";
#else
/* Size of the TLS v1.3 label used when deriving keys. Counts the label
 * characters only; the array below has one more byte for the terminator. */
#define TLS13_PROTOCOL_LABEL_SZ 6
/* The protocol label for TLS v1.3. */
static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "tls13 ";
#endif
wolfSSL 15:117db924cf7c 277
#if !defined(WOLFSSL_TLS13_DRAFT_18) || defined(HAVE_SESSION_TICKET) || \
    !defined(NO_PSK)
/* Hash a message and derive a key from the secret and that hash.
 *
 * The message is digested with the algorithm selected by hashAlgo and the
 * digest is passed to HKDF_Expand_Label as the context. The secret is read
 * as one digest length of that algorithm.
 *
 * ssl        The SSL/TLS object.
 * output     The buffer to hold the derived key.
 * outputLen  The length of the derived key; -1 selects the digest length.
 * secret     The secret used to derive the key (HMAC secret).
 * label      The label used to distinguish the context.
 * labelLen   The length of the label.
 * msg        The message data to derive key from.
 * msgLen     The length of the message data to derive key from.
 * hashAlgo   The hash algorithm to use in the HMAC.
 * returns 0 on success, HASH_TYPE_E for an unsupported hash algorithm,
 * VERSION_ERROR when the negotiated minor version is not TLS 1.3,
 * otherwise failure.
 */
static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen,
                        const byte* secret, const byte* label, word32 labelLen,
                        byte* msg, int msgLen, int hashAlgo)
{
    byte   msgHash[WC_MAX_DIGEST_SIZE];
    Digest hasher;
    word32 digestSz = 0;
    int    hkdfAlg = -1;
    int    ret = BAD_FUNC_ARG;

    switch (hashAlgo) {
    /* NOTE(review): Tls13_HKDF_Extract and DeriveKey guard this case with
     * NO_SHA256 - confirm NO_WOLFSSL_SHA256 is the intended macro here. */
    #ifndef NO_WOLFSSL_SHA256
        case sha256_mac:
            digestSz = WC_SHA256_DIGEST_SIZE;
            hkdfAlg = WC_SHA256;
            ret = wc_InitSha256_ex(&hasher.sha256, ssl->heap, INVALID_DEVID);
            if (ret != 0)
                break;
            ret = wc_Sha256Update(&hasher.sha256, msg, msgLen);
            if (ret == 0)
                ret = wc_Sha256Final(&hasher.sha256, msgHash);
            wc_Sha256Free(&hasher.sha256);
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            digestSz = WC_SHA384_DIGEST_SIZE;
            hkdfAlg = WC_SHA384;
            ret = wc_InitSha384_ex(&hasher.sha384, ssl->heap, INVALID_DEVID);
            if (ret != 0)
                break;
            ret = wc_Sha384Update(&hasher.sha384, msg, msgLen);
            if (ret == 0)
                ret = wc_Sha384Final(&hasher.sha384, msgHash);
            wc_Sha384Free(&hasher.sha384);
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            digestSz = WC_SHA512_DIGEST_SIZE;
            hkdfAlg = WC_SHA512;
            ret = wc_InitSha512_ex(&hasher.sha512, ssl->heap, INVALID_DEVID);
            if (ret != 0)
                break;
            ret = wc_Sha512Update(&hasher.sha512, msg, msgLen);
            if (ret == 0)
                ret = wc_Sha512Final(&hasher.sha512, msgHash);
            wc_Sha512Free(&hasher.sha512);
            break;
    #endif
        default:
            /* hkdfAlg stays negative: reported as HASH_TYPE_E below. */
            break;
    }

    /* An unknown algorithm takes precedence over any hashing error. */
    if (hkdfAlg < 0)
        return HASH_TYPE_E;
    if (ret != 0)
        return ret;

    /* The TLS 1.3 protocol label is the only one defined. */
    if (ssl->version.minor != TLSv1_3_MINOR)
        return VERSION_ERROR;

    if (outputLen == -1)
        outputLen = digestSz;

    return HKDF_Expand_Label(output, outputLen, secret, digestSz,
                             tls13ProtocolLabel, TLS13_PROTOCOL_LABEL_SZ,
                             label, labelLen, msgHash, digestSz, hkdfAlg);
}
#endif
wolfSSL 15:117db924cf7c 373
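/* Derive a key.
 *
 * An unsupported hash algorithm is rejected with HASH_TYPE_E, matching
 * DeriveKeyMsg, rather than continuing into the expand step with digest
 * type 0 and a zero-length secret.
 *
 * ssl          The SSL/TLS object.
 * output       The buffer to hold the derived key.
 * outputLen    The length of the derived key; -1 selects the digest length.
 * secret       The secret used to derive the key (HMAC secret). Read as one
 *              digest length of the selected algorithm.
 * label        The label used to distinguish the context.
 * labelLen     The length of the label.
 * hashAlgo     The hash algorithm to use in the HMAC.
 * includeMsgs  Whether to include a hash of the handshake messages so far.
 * returns 0 on success, HASH_TYPE_E for an unsupported hash algorithm,
 * otherwise failure.
 */
static int DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,
                     const byte* secret, const byte* label, word32 labelLen,
                     int hashAlgo, int includeMsgs)
{
    int         ret = 0;
    byte        hash[WC_MAX_DIGEST_SIZE];
    word32      hashSz = 0;
    word32      hashOutSz = 0;
    const byte* protocol;
    word32      protocolLen;
    int         digestAlg = 0;

    switch (hashAlgo) {
    #ifndef NO_SHA256
        case sha256_mac:
            hashSz = WC_SHA256_DIGEST_SIZE;
            digestAlg = WC_SHA256;
            if (includeMsgs)
                ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            break;
    #endif

    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashSz = WC_SHA384_DIGEST_SIZE;
            digestAlg = WC_SHA384;
            if (includeMsgs)
                ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            break;
    #endif

    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hashSz = WC_SHA512_DIGEST_SIZE;
            digestAlg = WC_SHA512;
            if (includeMsgs)
                ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            break;
    #endif

        default:
            /* Fail closed: no digest selected means no key is derived. */
            return HASH_TYPE_E;
    }
    if (ret != 0)
        return ret;

    /* Only one protocol version defined at this time. */
    protocol = tls13ProtocolLabel;
    protocolLen = TLS13_PROTOCOL_LABEL_SZ;

    if (outputLen == -1)
        outputLen = hashSz;
    /* Without the transcript the context is empty, so hash is never read. */
    if (includeMsgs)
        hashOutSz = hashSz;

    return HKDF_Expand_Label(output, outputLen, secret, hashSz,
                             protocol, protocolLen, label, labelLen,
                             hash, hashOutSz, digestAlg);
}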
wolfSSL 15:117db924cf7c 442
#ifndef NO_PSK
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Number of characters in the external PSK binder key label. */
#define BINDER_KEY_LABEL_SZ 23
/* Label for the external PSK binder key (Draft 18 form). */
static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =
    "external psk binder key";
#else
/* Number of characters in the external PSK binder key label. */
#define BINDER_KEY_LABEL_SZ 10
/* Label for the external PSK binder key. */
static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =
    "ext binder";
#endif
/* Derive the binder key for an external PSK.
 *
 * Keyed from ssl->arrays->secret with an empty message, using the digest of
 * the current cipher spec; the output is one digest long.
 *
 * ssl  The SSL/TLS object.
 * key  The derived key.
 * returns 0 on success, otherwise failure.
 */
static int DeriveBinderKey(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Binder Key");
    ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
                       binderKeyLabel, BINDER_KEY_LABEL_SZ,
                       NULL, 0, ssl->specs.mac_algorithm);
    return ret;
}
#endif /* !NO_PSK */
wolfSSL 15:117db924cf7c 471
#ifdef HAVE_SESSION_TICKET
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Number of characters in the resumption PSK binder key label. */
#define BINDER_KEY_RESUME_LABEL_SZ 25
/* Label for the resumption PSK binder key (Draft 18 form). */
static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =
    "resumption psk binder key";
#else
/* Number of characters in the resumption PSK binder key label. */
#define BINDER_KEY_RESUME_LABEL_SZ 10
/* Label for the resumption PSK binder key. */
static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =
    "res binder";
#endif
/* Derive the binder key for a resumption PSK.
 *
 * Keyed from ssl->arrays->secret with an empty message, using the digest of
 * the current cipher spec; the output is one digest long.
 *
 * ssl  The SSL/TLS object.
 * key  The derived key.
 * returns 0 on success, otherwise failure.
 */
static int DeriveBinderKeyResume(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Binder Key - Resumption");
    ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
                       binderKeyResumeLabel, BINDER_KEY_RESUME_LABEL_SZ,
                       NULL, 0, ssl->specs.mac_algorithm);
    return ret;
}
#endif /* HAVE_SESSION_TICKET */
wolfSSL 15:117db924cf7c 500
wolfSSL 15:117db924cf7c 501 #ifdef WOLFSSL_EARLY_DATA
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Number of characters in the early traffic label. */
#define EARLY_TRAFFIC_LABEL_SZ 27
/* Label for the client early traffic secret (Draft 18 form). */
static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =
    "client early traffic secret";
#else
/* Number of characters in the early traffic label. */
#define EARLY_TRAFFIC_LABEL_SZ 11
/* Label for the client early traffic secret. */
static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =
    "c e traffic";
#endif
/* Derive the early traffic key.
 *
 * Keyed from ssl->arrays->secret and the handshake transcript so far. This
 * secret protects 0-RTT early data, which TLS 1.3 does not protect against
 * replay, so applications should accept only replay-safe requests under it.
 *
 * With HAVE_SECRET_CALLBACK and a registered callback, the raw secret is
 * handed to application code. That hook exports live key material and should
 * be limited to debugging builds.
 *
 * ssl  The SSL/TLS object.
 * key  The derived key.
 * returns 0 on success, TLS13_SECRET_CB_E when the secret callback fails,
 * otherwise failure.
 */
static int DeriveEarlyTrafficSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Early Traffic Secret");
    ret = DeriveKey(ssl, key, -1, ssl->arrays->secret,
                    earlyTrafficLabel, EARLY_TRAFFIC_LABEL_SZ,
                    ssl->specs.mac_algorithm, 1);
#ifdef HAVE_SECRET_CALLBACK
    /* The callback runs only after a successful derivation. */
    if (ret == 0 && ssl->tls13SecretCb != NULL &&
            ssl->tls13SecretCb(ssl, CLIENT_EARLY_TRAFFIC_SECRET, key,
                               ssl->specs.hash_size,
                               ssl->tls13SecretCtx) != 0) {
        ret = TLS13_SECRET_CB_E;
    }
#endif /* HAVE_SECRET_CALLBACK */
    return ret;
}
wolfSSL 15:117db924cf7c 539
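#ifdef TLS13_SUPPORTS_EXPORTERS
#ifdef WOLFSSL_TLS13_DRAFT_18
/* The length of the early exporter label. */
#define EARLY_EXPORTER_LABEL_SZ 28
/* The early exporter label. */
static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] =
    "early exporter master secret";
#else
/* The length of the early exporter label. */
#define EARLY_EXPORTER_LABEL_SZ 12
/* The early exporter label. */
static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] =
    "e exp master";
#endif
/* Derive the early exporter key.
 *
 * Keyed from ssl->arrays->secret and the handshake transcript so far.
 *
 * With HAVE_SECRET_CALLBACK and a registered callback, the raw secret is
 * handed to application code. That hook exports live key material and should
 * be limited to debugging builds.
 *
 * ssl  The SSL/TLS object.
 * key  The derived key.
 * returns 0 on success, TLS13_SECRET_CB_E when the secret callback fails,
 * otherwise failure.
 */
static int DeriveEarlyExporterSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Early Exporter Secret");
    ret = DeriveKey(ssl, key, -1, ssl->arrays->secret,
                    earlyExporterLabel, EARLY_EXPORTER_LABEL_SZ,
                    ssl->specs.mac_algorithm, 1);
#ifdef HAVE_SECRET_CALLBACK
    if (ret == 0 && ssl->tls13SecretCb != NULL) {
        /* The argument list was missing the comma after 'key', which broke
         * the build whenever exporters and the secret callback were both
         * enabled. */
        ret = ssl->tls13SecretCb(ssl, EARLY_EXPORTER_SECRET, key,
                                 ssl->specs.hash_size, ssl->tls13SecretCtx);
        if (ret != 0) {
            return TLS13_SECRET_CB_E;
        }
    }
#endif /* HAVE_SECRET_CALLBACK */
    return ret;
}
#endif /* TLS13_SUPPORTS_EXPORTERS */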
wolfSSL 15:117db924cf7c 579 #endif
wolfSSL 15:117db924cf7c 580
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Number of characters in the client handshake label. */
#define CLIENT_HANDSHAKE_LABEL_SZ 31
/* Label for the client handshake traffic secret (Draft 18 form). */
static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =
    "client handshake traffic secret";
#else
/* Number of characters in the client handshake label. */
#define CLIENT_HANDSHAKE_LABEL_SZ 12
/* Label for the client handshake traffic secret. */
static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =
    "c hs traffic";
#endif
/* Derive the client handshake key.
 *
 * Keyed from ssl->arrays->preMasterSecret and the handshake transcript so
 * far.
 *
 * With HAVE_SECRET_CALLBACK and a registered callback, the raw secret is
 * handed to application code. That hook exports live key material and should
 * be limited to debugging builds.
 *
 * ssl  The SSL/TLS object.
 * key  The derived key.
 * returns 0 on success, TLS13_SECRET_CB_E when the secret callback fails,
 * otherwise failure.
 */
static int DeriveClientHandshakeSecret(WOLFSSL* ssl, byte* key)
{
    int ret;

    WOLFSSL_MSG("Derive Client Handshake Secret");
    ret = DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
                    clientHandshakeLabel, CLIENT_HANDSHAKE_LABEL_SZ,
                    ssl->specs.mac_algorithm, 1);
#ifdef HAVE_SECRET_CALLBACK
    /* The callback runs only after a successful derivation. */
    if (ret == 0 && ssl->tls13SecretCb != NULL &&
            ssl->tls13SecretCb(ssl, CLIENT_HANDSHAKE_TRAFFIC_SECRET, key,
                               ssl->specs.hash_size,
                               ssl->tls13SecretCtx) != 0) {
        ret = TLS13_SECRET_CB_E;
    }
#endif /* HAVE_SECRET_CALLBACK */
    return ret;
}
wolfSSL 15:117db924cf7c 618
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Number of label bytes passed to DeriveKey (draft 18 wording). */
#define SERVER_HANDSHAKE_LABEL_SZ   31
/* Server handshake traffic label; the extra byte holds the literal's NUL. */
static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =
    "server handshake traffic secret";
#else
/* Number of label bytes passed to DeriveKey. */
#define SERVER_HANDSHAKE_LABEL_SZ   12
/* Server handshake traffic label; the extra byte holds the literal's NUL. */
static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =
    "s hs traffic";
#endif
/* Derive the server handshake traffic secret from the pre-master secret.
 *
 * ssl  The SSL/TLS object.
 * key  Buffer that receives the derived secret.
 * returns 0 on success, TLS13_SECRET_CB_E when the secret callback fails,
 * otherwise the error returned by DeriveKey.
 */
static int DeriveServerHandshakeSecret(WOLFSSL* ssl, byte* key)
{
    int rc;

    WOLFSSL_MSG("Derive Server Handshake Secret");
    rc = DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
                   serverHandshakeLabel, SERVER_HANDSHAKE_LABEL_SZ,
                   ssl->specs.mac_algorithm, 1);
#ifdef HAVE_SECRET_CALLBACK
    /* Nothing to report when derivation failed or no callback is set. */
    if (rc != 0 || ssl->tls13SecretCb == NULL) {
        return rc;
    }
    /* The callback sees the raw secret (hash_size bytes). */
    if (ssl->tls13SecretCb(ssl, SERVER_HANDSHAKE_TRAFFIC_SECRET, key,
                           ssl->specs.hash_size, ssl->tls13SecretCtx) != 0) {
        return TLS13_SECRET_CB_E;
    }
#endif /* HAVE_SECRET_CALLBACK */
    return rc;
}
wolfSSL 15:117db924cf7c 656
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Number of label bytes passed to DeriveKey (draft 18 wording). */
#define CLIENT_APP_LABEL_SZ     33
/* Client application traffic label; the extra byte holds the literal's NUL. */
static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =
    "client application traffic secret";
#else
/* Number of label bytes passed to DeriveKey. */
#define CLIENT_APP_LABEL_SZ     12
/* Client application traffic label; the extra byte holds the literal's NUL. */
static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =
    "c ap traffic";
#endif
/* Derive the client application traffic secret from the master secret.
 *
 * ssl  The SSL/TLS object.
 * key  Buffer that receives the derived secret.
 * returns 0 on success, TLS13_SECRET_CB_E when the secret callback fails,
 * otherwise the error returned by DeriveKey.
 */
static int DeriveClientTrafficSecret(WOLFSSL* ssl, byte* key)
{
    int rc;

    WOLFSSL_MSG("Derive Client Traffic Secret");
    rc = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                   clientAppLabel, CLIENT_APP_LABEL_SZ,
                   ssl->specs.mac_algorithm, 1);
#ifdef HAVE_SECRET_CALLBACK
    /* Nothing to report when derivation failed or no callback is set. */
    if (rc != 0 || ssl->tls13SecretCb == NULL) {
        return rc;
    }
    /* The callback sees the raw secret (hash_size bytes). */
    if (ssl->tls13SecretCb(ssl, CLIENT_TRAFFIC_SECRET, key,
                           ssl->specs.hash_size, ssl->tls13SecretCtx) != 0) {
        return TLS13_SECRET_CB_E;
    }
#endif /* HAVE_SECRET_CALLBACK */
    return rc;
}
wolfSSL 15:117db924cf7c 694
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Number of label bytes passed to DeriveKey (draft 18 wording). */
#define SERVER_APP_LABEL_SZ     33
/* Server application traffic label; the extra byte holds the literal's NUL. */
static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =
    "server application traffic secret";
#else
/* Number of label bytes passed to DeriveKey. */
#define SERVER_APP_LABEL_SZ     12
/* Server application traffic label; the extra byte holds the literal's NUL. */
static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =
    "s ap traffic";
#endif
/* Derive the server application traffic secret from the master secret.
 *
 * ssl  The SSL/TLS object.
 * key  Buffer that receives the derived secret.
 * returns 0 on success, TLS13_SECRET_CB_E when the secret callback fails,
 * otherwise the error returned by DeriveKey.
 */
static int DeriveServerTrafficSecret(WOLFSSL* ssl, byte* key)
{
    int rc;

    WOLFSSL_MSG("Derive Server Traffic Secret");
    rc = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                   serverAppLabel, SERVER_APP_LABEL_SZ,
                   ssl->specs.mac_algorithm, 1);
#ifdef HAVE_SECRET_CALLBACK
    /* Nothing to report when derivation failed or no callback is set. */
    if (rc != 0 || ssl->tls13SecretCb == NULL) {
        return rc;
    }
    /* The callback sees the raw secret (hash_size bytes). */
    if (ssl->tls13SecretCb(ssl, SERVER_TRAFFIC_SECRET, key,
                           ssl->specs.hash_size, ssl->tls13SecretCtx) != 0) {
        return TLS13_SECRET_CB_E;
    }
#endif /* HAVE_SECRET_CALLBACK */
    return rc;
}
wolfSSL 15:117db924cf7c 732
#ifdef TLS13_SUPPORTS_EXPORTERS
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Number of label bytes passed to DeriveKey (draft 18 wording). */
#define EXPORTER_MASTER_LABEL_SZ    22
/* Exporter master secret label; the extra byte holds the literal's NUL. */
static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =
    "exporter master secret";
#else
/* Number of label bytes passed to DeriveKey. */
#define EXPORTER_MASTER_LABEL_SZ    10
/* Exporter master secret label; the extra byte holds the literal's NUL. */
static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =
    "exp master";
#endif
/* Derive the exporter master secret from the master secret.
 *
 * ssl  The SSL/TLS object.
 * key  Buffer that receives the derived secret.
 * returns 0 on success, TLS13_SECRET_CB_E when the secret callback fails,
 * otherwise the error returned by DeriveKey.
 */
static int DeriveExporterSecret(WOLFSSL* ssl, byte* key)
{
    int rc;

    WOLFSSL_MSG("Derive Exporter Secret");
    rc = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                   exporterMasterLabel, EXPORTER_MASTER_LABEL_SZ,
                   ssl->specs.mac_algorithm, 1);
#ifdef HAVE_SECRET_CALLBACK
    /* Nothing to report when derivation failed or no callback is set. */
    if (rc != 0 || ssl->tls13SecretCb == NULL) {
        return rc;
    }
    /* The callback sees the raw secret (hash_size bytes). */
    if (ssl->tls13SecretCb(ssl, EXPORTER_SECRET, key,
                           ssl->specs.hash_size, ssl->tls13SecretCtx) != 0) {
        return TLS13_SECRET_CB_E;
    }
#endif /* HAVE_SECRET_CALLBACK */
    return rc;
}
#endif /* TLS13_SUPPORTS_EXPORTERS */
wolfSSL 15:117db924cf7c 772
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Number of label bytes passed to DeriveKey (draft 18 wording). */
#define RESUME_MASTER_LABEL_SZ      24
/* Resumption master secret label; the extra byte holds the literal's NUL. */
static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
    "resumption master secret";
#else
/* Number of label bytes passed to DeriveKey. */
#define RESUME_MASTER_LABEL_SZ      10
/* Resumption master secret label; the extra byte holds the literal's NUL. */
static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
    "res master";
#endif
/* Derive the resumption master secret from the master secret.
 *
 * Unlike the traffic and exporter derivations in this file, the result is not
 * passed to the secret callback.
 *
 * ssl  The SSL/TLS object.
 * key  Buffer that receives the derived secret.
 * returns 0 on success, otherwise the error returned by DeriveKey.
 */
static int DeriveResumptionSecret(WOLFSSL* ssl, byte* key)
{
    int rc;

    WOLFSSL_MSG("Derive Resumption Secret");
    rc = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
                   resumeMasterLabel, RESUME_MASTER_LABEL_SZ,
                   ssl->specs.mac_algorithm, 1);
    return rc;
}
#endif /* HAVE_SESSION_TICKET || !NO_PSK */
wolfSSL 15:117db924cf7c 801
/* Number of label bytes passed to DeriveKey for the finished key. */
#define FINISHED_LABEL_SZ   8
/* Label for the finished key; the extra byte holds the literal's NUL. */
static const byte finishedLabel[FINISHED_LABEL_SZ+1] = "finished";
/* Derive the secret that keys the Finished HMAC.
 *
 * ssl     The SSL/TLS object.
 * key     Input secret the finished key is derived from.
 * secret  Buffer that receives the derived finished key.
 * returns 0 on success, otherwise the error returned by DeriveKey.
 */
static int DeriveFinishedSecret(WOLFSSL* ssl, byte* key, byte* secret)
{
    int rc;

    WOLFSSL_MSG("Derive Finished Secret");
    /* NOTE(review): the final argument is 0 here but 1 in the secret
     * derivations above; presumably it controls whether the handshake
     * transcript is mixed in - confirm against DeriveKey. */
    rc = DeriveKey(ssl, secret, -1, key, finishedLabel, FINISHED_LABEL_SZ,
                   ssl->specs.mac_algorithm, 0);
    return rc;
}
wolfSSL 15:117db924cf7c 819
#ifdef WOLFSSL_TLS13_DRAFT_18
/* Number of label bytes passed to DeriveKey (draft 18 wording). */
#define APP_TRAFFIC_LABEL_SZ    26
/* Traffic secret update label; the extra byte holds the literal's NUL. */
static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =
    "application traffic secret";
#else
/* Number of label bytes passed to DeriveKey. */
#define APP_TRAFFIC_LABEL_SZ    11
/* Traffic secret update label; the extra byte holds the literal's NUL. */
static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =
    "traffic upd";
#endif
/* Replace an application traffic secret with its successor.
 *
 * The same buffer is passed to DeriveKey as input and output, so the previous
 * secret is overwritten by the derived one.
 *
 * ssl     The SSL/TLS object.
 * secret  On entry the current secret, on return the derived secret.
 * returns 0 on success, otherwise the error returned by DeriveKey.
 */
static int DeriveTrafficSecret(WOLFSSL* ssl, byte* secret)
{
    int rc;

    WOLFSSL_MSG("Derive New Application Traffic Secret");
    rc = DeriveKey(ssl, secret, -1, secret,
                   appTrafficLabel, APP_TRAFFIC_LABEL_SZ,
                   ssl->specs.mac_algorithm, 0);
    return rc;
}
wolfSSL 15:117db924cf7c 846
/* Derive the early secret into ssl->arrays->secret using HKDF Extract.
 *
 * No salt is supplied (NULL, 0). The input keying material is the PSK when
 * session tickets or PSK support are compiled in, and zero-length otherwise.
 *
 * ssl  The SSL/TLS object.
 * returns the result of Tls13_HKDF_Extract.
 */
static int DeriveEarlySecret(WOLFSSL* ssl)
{
    int rc;

    WOLFSSL_MSG("Derive Early Secret");
#if !defined(HAVE_SESSION_TICKET) && defined(NO_PSK)
    /* No PSK in this build: masterSecret is passed with a length of 0. */
    rc = Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0,
                            ssl->arrays->masterSecret, 0,
                            ssl->specs.mac_algorithm);
#else
    /* NOTE(review): presumably psk_keySz is 0 when no PSK was negotiated -
     * confirm where psk_key is populated. */
    rc = Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0,
                            ssl->arrays->psk_key, ssl->arrays->psk_keySz,
                            ssl->specs.mac_algorithm);
#endif
    return rc;
}
wolfSSL 15:117db924cf7c 863
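#ifndef WOLFSSL_TLS13_DRAFT_18
/* The length of the derived label. */
#define DERIVED_LABEL_SZ        7
/* The derived label; the extra byte holds the literal's NUL. */
static const byte derivedLabel[DERIVED_LABEL_SZ + 1] =
    "derived";
#endif
/* Derive the handshake secret using HKDF Extract.
 *
 * The result replaces ssl->arrays->preMasterSecret, which is also the input
 * keying material. With WOLFSSL_TLS13_DRAFT_18 the salt is the early secret;
 * otherwise the salt is a key derived from the early secret with the
 * "derived" label.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise the error from DeriveKeyMsg or
 * Tls13_HKDF_Extract.
 */
static int DeriveHandshakeSecret(WOLFSSL* ssl)
{
#ifdef WOLFSSL_TLS13_DRAFT_18
    WOLFSSL_MSG("Derive Handshake Secret");
    return Tls13_HKDF_Extract(ssl->arrays->preMasterSecret,
            ssl->arrays->secret, ssl->specs.hash_size,
            ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
            ssl->specs.mac_algorithm);
#else
    byte key[WC_MAX_DIGEST_SIZE];
    int  ret;

    WOLFSSL_MSG("Derive Handshake Secret");

    ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
                       derivedLabel, DERIVED_LABEL_SZ,
                       NULL, 0, ssl->specs.mac_algorithm);
    if (ret == 0) {
        ret = Tls13_HKDF_Extract(ssl->arrays->preMasterSecret,
                key, ssl->specs.hash_size,
                ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
                ssl->specs.mac_algorithm);
    }

    /* key is intermediate keying material; clear it on every path so it does
     * not linger on the stack. ForceZero is wolfSSL's wipe helper that the
     * compiler may not optimize away. */
    ForceZero(key, (word32)sizeof(key));

    return ret;
#endif
}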
wolfSSL 15:117db924cf7c 901
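/* Derive the master secret using HKDF Extract.
 *
 * The result is written to ssl->arrays->masterSecret; the input keying
 * material is passed with a length of 0. With WOLFSSL_TLS13_DRAFT_18 the salt
 * is ssl->arrays->preMasterSecret; otherwise the salt is a key derived from it
 * with the "derived" label.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise the error from DeriveKeyMsg or
 * Tls13_HKDF_Extract.
 */
static int DeriveMasterSecret(WOLFSSL* ssl)
{
#ifdef WOLFSSL_TLS13_DRAFT_18
    WOLFSSL_MSG("Derive Master Secret");
    return Tls13_HKDF_Extract(ssl->arrays->masterSecret,
            ssl->arrays->preMasterSecret, ssl->specs.hash_size,
            ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm);
#else
    byte key[WC_MAX_DIGEST_SIZE];
    int  ret;

    WOLFSSL_MSG("Derive Master Secret");

    ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->preMasterSecret,
                       derivedLabel, DERIVED_LABEL_SZ,
                       NULL, 0, ssl->specs.mac_algorithm);
    if (ret == 0) {
        ret = Tls13_HKDF_Extract(ssl->arrays->masterSecret,
                key, ssl->specs.hash_size,
                ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm);
    }

    /* key is intermediate keying material; clear it on every path so it does
     * not linger on the stack. ForceZero is wolfSSL's wipe helper that the
     * compiler may not optimize away. */
    ForceZero(key, (word32)sizeof(key));

    return ret;
#endif
}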
wolfSSL 15:117db924cf7c 930
#ifndef WOLFSSL_TLS13_DRAFT_18
#if defined(HAVE_SESSION_TICKET)
/* Number of label bytes passed to HKDF_Expand_Label. */
#define RESUMPTION_LABEL_SZ         10
/* Label for the PSK bound to a session ticket; extra byte is the NUL. */
static const byte resumptionLabel[RESUMPTION_LABEL_SZ+1] = "resumption";
/* Derive the PSK associated with a session ticket.
 *
 * Expands ssl->session.masterSecret with the TLS 1.3 protocol label, the
 * resumption label and the ticket nonce; both input and output are
 * ssl->specs.hash_size bytes.
 *
 * ssl       The SSL/TLS object.
 * nonce     The ticket nonce to derive with.
 * nonceLen  The length of the nonce in bytes.
 * secret    Buffer that receives the derived PSK.
 * returns 0 on success, BAD_FUNC_ARG when the MAC algorithm has no digest
 * compiled in, otherwise the error from HKDF_Expand_Label.
 */
static int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen,
                               byte* secret)
{
    int hashAlg;

    WOLFSSL_MSG("Derive Resumption PSK");

    /* Map the negotiated MAC algorithm to a wolfCrypt digest identifier. */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            hashAlg = WC_SHA256;
            break;
    #endif

    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashAlg = WC_SHA384;
            break;
    #endif

    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            hashAlg = WC_SHA512;
            break;
    #endif

        default:
            return BAD_FUNC_ARG;
    }

    /* Only one protocol label is defined, so it is passed directly. */
    return HKDF_Expand_Label(secret, ssl->specs.hash_size,
                             ssl->session.masterSecret, ssl->specs.hash_size,
                             tls13ProtocolLabel, TLS13_PROTOCOL_LABEL_SZ,
                             resumptionLabel, RESUMPTION_LABEL_SZ,
                             nonce, nonceLen, hashAlg);
}
#endif /* HAVE_SESSION_TICKET */
#endif /* !WOLFSSL_TLS13_DRAFT_18 */
wolfSSL 15:117db924cf7c 985
wolfSSL 15:117db924cf7c 986
/* Calculate the HMAC of the handshake messages hashed so far.
 *
 * The running transcript digest is read into hash, then hash is overwritten
 * with HMAC(key, digest) - the verify data.
 *
 * ssl      The SSL/TLS object.
 * key      The HMAC key; ssl->specs.hash_size bytes are used.
 * hash     Buffer that receives the verify data.
 * pHashSz  Optional; when not NULL it is set to the digest size once the
 *          transcript digest has been read, even if the HMAC step fails.
 * returns 0 on success, BAD_FUNC_ARG when the MAC algorithm has no digest
 * compiled in, otherwise the wolfCrypt error. The verify data length is
 * reported through pHashSz, not the return value.
 */
static int BuildTls13HandshakeHmac(WOLFSSL* ssl, byte* key, byte* hash,
                                   word32* pHashSz)
{
    Hmac hmac;
    int  digestType = WC_SHA256;
    int  digestSz   = WC_SHA256_DIGEST_SIZE;
    int  ret        = BAD_FUNC_ARG;

    /* Snapshot the transcript hash; ret stays BAD_FUNC_ARG if no case runs. */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            digestType = WC_SHA256;
            digestSz = WC_SHA256_DIGEST_SIZE;
            break;
    #endif /* !NO_SHA256 */
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            digestType = WC_SHA384;
            digestSz = WC_SHA384_DIGEST_SIZE;
            break;
    #endif /* WOLFSSL_SHA384 */
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            digestType = WC_SHA512;
            digestSz = WC_SHA512_DIGEST_SIZE;
            break;
    #endif /* WOLFSSL_TLS13_SHA512 */
    }
    if (ret != 0) {
        return ret;
    }

    /* Compute the verify data over the digest.
     * NOTE(review): the key length is ssl->specs.hash_size while the data
     * length is digestSz; these are presumably equal - confirm where specs
     * is filled in. */
    ret = wc_HmacInit(&hmac, ssl->heap, ssl->devId);
    if (ret == 0) {
        ret = wc_HmacSetKey(&hmac, digestType, key, ssl->specs.hash_size);
        if (ret == 0) {
            ret = wc_HmacUpdate(&hmac, hash, digestSz);
        }
        if (ret == 0) {
            ret = wc_HmacFinal(&hmac, hash);
        }
        /* Free only a context that was successfully initialised. */
        wc_HmacFree(&hmac);
    }

    if (pHashSz != NULL) {
        *pHashSz = digestSz;
    }

    return ret;
}
wolfSSL 15:117db924cf7c 1045
/* Write key label: length passed to DeriveKey, then the label itself (the
 * extra byte holds the literal's NUL). */
#define WRITE_KEY_LABEL_SZ     3
static const byte writeKeyLabel[WRITE_KEY_LABEL_SZ+1] = "key";

/* Write IV label: length passed to DeriveKey, then the label itself (the
 * extra byte holds the literal's NUL). */
#define WRITE_IV_LABEL_SZ      2
static const byte writeIVLabel[WRITE_IV_LABEL_SZ+1]   = "iv";
wolfSSL 15:117db924cf7c 1054
wolfSSL 15:117db924cf7c 1055 /* Derive the keys and IVs for TLS v1.3.
wolfSSL 15:117db924cf7c 1056 *
wolfSSL 15:117db924cf7c 1057 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 1058 * secret early_data_key when deriving the key and IV for encrypting early
wolfSSL 15:117db924cf7c 1059 * data application data and end_of_early_data messages.
wolfSSL 15:117db924cf7c 1060 * handshake_key when deriving keys and IVs for encrypting handshake
wolfSSL 15:117db924cf7c 1061 * messages.
wolfSSL 15:117db924cf7c 1062 * traffic_key when deriving first keys and IVs for encrypting
wolfSSL 15:117db924cf7c 1063 * traffic messages.
wolfSSL 15:117db924cf7c 1064 * update_traffic_key when deriving next keys and IVs for encrypting
wolfSSL 15:117db924cf7c 1065 * traffic messages.
wolfSSL 15:117db924cf7c 1066 * side ENCRYPT_SIDE_ONLY when only encryption secret needs to be derived.
wolfSSL 15:117db924cf7c 1067 * DECRYPT_SIDE_ONLY when only decryption secret needs to be derived.
wolfSSL 15:117db924cf7c 1068 * ENCRYPT_AND_DECRYPT_SIDE when both secrets need to be derived.
wolfSSL 15:117db924cf7c 1069 * store 1 indicates to derive the keys and IVs from derived secret and
wolfSSL 15:117db924cf7c 1070 * store ready for provisioning.
wolfSSL 15:117db924cf7c 1071 * returns 0 on success, otherwise failure.
wolfSSL 15:117db924cf7c 1072 */
wolfSSL 15:117db924cf7c 1073 static int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store)
wolfSSL 15:117db924cf7c 1074 {
wolfSSL 15:117db924cf7c 1075 int ret = BAD_FUNC_ARG; /* Assume failure */
wolfSSL 15:117db924cf7c 1076 int i = 0;
wolfSSL 15:117db924cf7c 1077 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 15:117db924cf7c 1078 byte* key_dig;
wolfSSL 15:117db924cf7c 1079 #else
wolfSSL 15:117db924cf7c 1080 byte key_dig[MAX_PRF_DIG];
wolfSSL 15:117db924cf7c 1081 #endif
wolfSSL 15:117db924cf7c 1082 int provision;
wolfSSL 15:117db924cf7c 1083
wolfSSL 15:117db924cf7c 1084 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 15:117db924cf7c 1085 key_dig = (byte*)XMALLOC(MAX_PRF_DIG, ssl->heap, DYNAMIC_TYPE_DIGEST);
wolfSSL 15:117db924cf7c 1086 if (key_dig == NULL)
wolfSSL 15:117db924cf7c 1087 return MEMORY_E;
wolfSSL 15:117db924cf7c 1088 #endif
wolfSSL 15:117db924cf7c 1089
wolfSSL 15:117db924cf7c 1090 if (side == ENCRYPT_AND_DECRYPT_SIDE) {
wolfSSL 15:117db924cf7c 1091 provision = PROVISION_CLIENT_SERVER;
wolfSSL 15:117db924cf7c 1092 }
wolfSSL 15:117db924cf7c 1093 else {
wolfSSL 15:117db924cf7c 1094 provision = ((ssl->options.side != WOLFSSL_CLIENT_END) ^
wolfSSL 15:117db924cf7c 1095 (side == ENCRYPT_SIDE_ONLY)) ? PROVISION_CLIENT :
wolfSSL 15:117db924cf7c 1096 PROVISION_SERVER;
wolfSSL 15:117db924cf7c 1097 }
wolfSSL 15:117db924cf7c 1098
wolfSSL 15:117db924cf7c 1099 /* Derive the appropriate secret to use in the HKDF. */
wolfSSL 15:117db924cf7c 1100 switch (secret) {
wolfSSL 15:117db924cf7c 1101 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 1102 case early_data_key:
wolfSSL 16:8e0d178b1d1e 1103 ret = DeriveEarlyTrafficSecret(ssl, ssl->clientSecret);
wolfSSL 15:117db924cf7c 1104 if (ret != 0)
wolfSSL 15:117db924cf7c 1105 goto end;
wolfSSL 15:117db924cf7c 1106 break;
wolfSSL 15:117db924cf7c 1107 #endif
wolfSSL 15:117db924cf7c 1108
wolfSSL 15:117db924cf7c 1109 case handshake_key:
wolfSSL 15:117db924cf7c 1110 if (provision & PROVISION_CLIENT) {
wolfSSL 15:117db924cf7c 1111 ret = DeriveClientHandshakeSecret(ssl,
wolfSSL 16:8e0d178b1d1e 1112 ssl->clientSecret);
wolfSSL 15:117db924cf7c 1113 if (ret != 0)
wolfSSL 15:117db924cf7c 1114 goto end;
wolfSSL 15:117db924cf7c 1115 }
wolfSSL 15:117db924cf7c 1116 if (provision & PROVISION_SERVER) {
wolfSSL 15:117db924cf7c 1117 ret = DeriveServerHandshakeSecret(ssl,
wolfSSL 16:8e0d178b1d1e 1118 ssl->serverSecret);
wolfSSL 15:117db924cf7c 1119 if (ret != 0)
wolfSSL 15:117db924cf7c 1120 goto end;
wolfSSL 15:117db924cf7c 1121 }
wolfSSL 15:117db924cf7c 1122 break;
wolfSSL 15:117db924cf7c 1123
wolfSSL 15:117db924cf7c 1124 case traffic_key:
wolfSSL 15:117db924cf7c 1125 if (provision & PROVISION_CLIENT) {
wolfSSL 16:8e0d178b1d1e 1126 ret = DeriveClientTrafficSecret(ssl, ssl->clientSecret);
wolfSSL 15:117db924cf7c 1127 if (ret != 0)
wolfSSL 15:117db924cf7c 1128 goto end;
wolfSSL 15:117db924cf7c 1129 }
wolfSSL 15:117db924cf7c 1130 if (provision & PROVISION_SERVER) {
wolfSSL 16:8e0d178b1d1e 1131 ret = DeriveServerTrafficSecret(ssl, ssl->serverSecret);
wolfSSL 15:117db924cf7c 1132 if (ret != 0)
wolfSSL 15:117db924cf7c 1133 goto end;
wolfSSL 15:117db924cf7c 1134 }
wolfSSL 15:117db924cf7c 1135 break;
wolfSSL 15:117db924cf7c 1136
wolfSSL 15:117db924cf7c 1137 case update_traffic_key:
wolfSSL 15:117db924cf7c 1138 if (provision & PROVISION_CLIENT) {
wolfSSL 16:8e0d178b1d1e 1139 ret = DeriveTrafficSecret(ssl, ssl->clientSecret);
wolfSSL 15:117db924cf7c 1140 if (ret != 0)
wolfSSL 15:117db924cf7c 1141 goto end;
wolfSSL 15:117db924cf7c 1142 }
wolfSSL 15:117db924cf7c 1143 if (provision & PROVISION_SERVER) {
wolfSSL 16:8e0d178b1d1e 1144 ret = DeriveTrafficSecret(ssl, ssl->serverSecret);
wolfSSL 15:117db924cf7c 1145 if (ret != 0)
wolfSSL 15:117db924cf7c 1146 goto end;
wolfSSL 15:117db924cf7c 1147 }
wolfSSL 15:117db924cf7c 1148 break;
wolfSSL 15:117db924cf7c 1149 }
wolfSSL 15:117db924cf7c 1150
wolfSSL 15:117db924cf7c 1151 if (!store)
wolfSSL 15:117db924cf7c 1152 goto end;
wolfSSL 15:117db924cf7c 1153
wolfSSL 15:117db924cf7c 1154 /* Key data = client key | server key | client IV | server IV */
wolfSSL 15:117db924cf7c 1155
wolfSSL 15:117db924cf7c 1156 if (provision & PROVISION_CLIENT) {
wolfSSL 15:117db924cf7c 1157 /* Derive the client key. */
wolfSSL 15:117db924cf7c 1158 WOLFSSL_MSG("Derive Client Key");
wolfSSL 15:117db924cf7c 1159 ret = DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
wolfSSL 16:8e0d178b1d1e 1160 ssl->clientSecret, writeKeyLabel,
wolfSSL 15:117db924cf7c 1161 WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0);
wolfSSL 15:117db924cf7c 1162 if (ret != 0)
wolfSSL 15:117db924cf7c 1163 goto end;
wolfSSL 15:117db924cf7c 1164 i += ssl->specs.key_size;
wolfSSL 15:117db924cf7c 1165 }
wolfSSL 15:117db924cf7c 1166
wolfSSL 15:117db924cf7c 1167 if (provision & PROVISION_SERVER) {
wolfSSL 15:117db924cf7c 1168 /* Derive the server key. */
wolfSSL 15:117db924cf7c 1169 WOLFSSL_MSG("Derive Server Key");
wolfSSL 15:117db924cf7c 1170 ret = DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
wolfSSL 16:8e0d178b1d1e 1171 ssl->serverSecret, writeKeyLabel,
wolfSSL 15:117db924cf7c 1172 WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0);
wolfSSL 15:117db924cf7c 1173 if (ret != 0)
wolfSSL 15:117db924cf7c 1174 goto end;
wolfSSL 15:117db924cf7c 1175 i += ssl->specs.key_size;
wolfSSL 15:117db924cf7c 1176 }
wolfSSL 15:117db924cf7c 1177
wolfSSL 15:117db924cf7c 1178 if (provision & PROVISION_CLIENT) {
wolfSSL 15:117db924cf7c 1179 /* Derive the client IV. */
wolfSSL 15:117db924cf7c 1180 WOLFSSL_MSG("Derive Client IV");
wolfSSL 15:117db924cf7c 1181 ret = DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
wolfSSL 16:8e0d178b1d1e 1182 ssl->clientSecret, writeIVLabel,
wolfSSL 15:117db924cf7c 1183 WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0);
wolfSSL 15:117db924cf7c 1184 if (ret != 0)
wolfSSL 15:117db924cf7c 1185 goto end;
wolfSSL 15:117db924cf7c 1186 i += ssl->specs.iv_size;
wolfSSL 15:117db924cf7c 1187 }
wolfSSL 15:117db924cf7c 1188
wolfSSL 15:117db924cf7c 1189 if (provision & PROVISION_SERVER) {
wolfSSL 15:117db924cf7c 1190 /* Derive the server IV. */
wolfSSL 15:117db924cf7c 1191 WOLFSSL_MSG("Derive Server IV");
wolfSSL 15:117db924cf7c 1192 ret = DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
wolfSSL 16:8e0d178b1d1e 1193 ssl->serverSecret, writeIVLabel,
wolfSSL 15:117db924cf7c 1194 WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0);
wolfSSL 15:117db924cf7c 1195 if (ret != 0)
wolfSSL 15:117db924cf7c 1196 goto end;
wolfSSL 15:117db924cf7c 1197 }
wolfSSL 15:117db924cf7c 1198
wolfSSL 15:117db924cf7c 1199 /* Store keys and IVs but don't activate them. */
wolfSSL 15:117db924cf7c 1200 ret = StoreKeys(ssl, key_dig, provision);
wolfSSL 15:117db924cf7c 1201
wolfSSL 15:117db924cf7c 1202 end:
wolfSSL 15:117db924cf7c 1203 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 15:117db924cf7c 1204 XFREE(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST);
wolfSSL 15:117db924cf7c 1205 #endif
wolfSSL 15:117db924cf7c 1206
wolfSSL 15:117db924cf7c 1207 return ret;
wolfSSL 15:117db924cf7c 1208 }
wolfSSL 15:117db924cf7c 1209
wolfSSL 15:117db924cf7c 1210 #ifdef HAVE_SESSION_TICKET
wolfSSL 15:117db924cf7c 1211 #if defined(USER_TICKS)
wolfSSL 15:117db924cf7c 1212 #if 0
word32 TimeNowInMilliseconds(void)
{
    /*
     * USER_TICKS placeholder (compiled out by the surrounding #if 0).
     * Supply your own clock tick function here if gettimeofday() should not
     * be used. The value needs millisecond accuracy but does not have to be
     * correlated to the epoch.
     */
}
wolfSSL 15:117db924cf7c 1220 #endif
wolfSSL 15:117db924cf7c 1221
wolfSSL 15:117db924cf7c 1222 #elif defined(TIME_OVERRIDES)
wolfSSL 15:117db924cf7c 1223 #ifndef HAVE_TIME_T_TYPE
wolfSSL 15:117db924cf7c 1224 typedef long time_t;
wolfSSL 15:117db924cf7c 1225 #endif
wolfSSL 15:117db924cf7c 1226 extern time_t XTIME(time_t * timer);
wolfSSL 15:117db924cf7c 1227
/* The time in milliseconds (TIME_OVERRIDES build).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * The value comes from the application-supplied XTIME(), so it only advances
 * in whole-second steps. The seconds count is narrowed to 32 bits before it
 * is scaled, so the result wraps modulo 2^32.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 seconds = (word32)XTIME(0);

    return seconds * 1000;
}
wolfSSL 16:8e0d178b1d1e 1238
wolfSSL 16:8e0d178b1d1e 1239 #elif defined(XTIME_MS)
/* The time in milliseconds (XTIME_MS build).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * returns the value of XTIME_MS(0) narrowed to 32 bits.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowMs = (word32)XTIME_MS(0);

    return nowMs;
}
wolfSSL 16:8e0d178b1d1e 1244
wolfSSL 15:117db924cf7c 1245 #elif defined(USE_WINDOWS_API)
/* The time in milliseconds (Windows API build).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * The performance-counter frequency is queried on the first call and kept in
 * a function-local static; later calls only read the counter.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    static int           init = 0;
    static LARGE_INTEGER freq;
    LARGE_INTEGER        now;

    /* One-time lookup of the counter frequency (ticks per second). */
    if (init == 0) {
        QueryPerformanceFrequency(&freq);
        init = 1;
    }

    QueryPerformanceCounter(&now);

    /* Divisor is ticks per millisecond (integer division of the frequency). */
    return (word32)(now.QuadPart / (freq.QuadPart / 1000));
}
wolfSSL 15:117db924cf7c 1267
wolfSSL 15:117db924cf7c 1268 #elif defined(HAVE_RTP_SYS)
wolfSSL 15:117db924cf7c 1269 #include "rtptime.h"
wolfSSL 15:117db924cf7c 1270
/* The time in milliseconds (HAVE_RTP_SYS build).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Built from rtp_get_system_sec(), so the value advances in whole-second
 * steps and wraps modulo 2^32.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 seconds = (word32)rtp_get_system_sec();

    return seconds * 1000;
}
wolfSSL 16:8e0d178b1d1e 1281 #elif defined(WOLFSSL_DEOS)
/* The time in milliseconds (WOLFSSL_DEOS build).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * The tick counter is first reduced to whole seconds and then scaled, so the
 * value advances in one-second steps.
 * NOTE(review): the divisor is 1000000 / systemTickInMicroseconds(); a tick
 * period longer than one second would make it zero - confirm that cannot
 * happen on the target.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    const uint32_t systemTickTimeInHz = 1000000 / systemTickInMicroseconds();
    uint32_t*      tickCounter = systemTickPointer();
    word32         seconds;

    seconds = (word32)(*tickCounter / systemTickTimeInHz);

    return seconds * 1000;
}
wolfSSL 15:117db924cf7c 1289 #elif defined(MICRIUM)
/* The time in milliseconds (MICRIUM build).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * The tick count is reduced to whole seconds before scaling, so the value
 * advances in one-second steps. The error code written by OSTimeGet() is not
 * inspected.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    OS_ERR  err;
    OS_TICK ticks = OSTimeGet(&err);
    word32  seconds = (word32)(ticks / OSCfg_TickRate_Hz);

    return seconds * 1000;
}
wolfSSL 15:117db924cf7c 1305 #elif defined(MICROCHIP_TCPIP_V5)
/* The time in milliseconds (MICROCHIP_TCPIP_V5 build).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * The tick count is divided by the number of ticks per millisecond
 * (TICKS_PER_SECOND / 1000).
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowMs = (word32)(TickGet() / (TICKS_PER_SECOND / 1000));

    return nowMs;
}
wolfSSL 15:117db924cf7c 1316 #elif defined(MICROCHIP_TCPIP)
wolfSSL 15:117db924cf7c 1317 #if defined(MICROCHIP_MPLAB_HARMONY)
wolfSSL 15:117db924cf7c 1318 #include <system/tmr/sys_tmr.h>
wolfSSL 15:117db924cf7c 1319
/* The time in milliseconds (MICROCHIP_MPLAB_HARMONY build).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * The system timer tick count is divided by the number of ticks per
 * millisecond (counter frequency / 1000).
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowMs = (word32)(SYS_TMR_TickCountGet() /
                            (SYS_TMR_TickCounterFrequencyGet() / 1000));

    return nowMs;
}
wolfSSL 15:117db924cf7c 1331 #else
/* The time in milliseconds (MICROCHIP_TCPIP build without MPLAB Harmony).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * The system tick count is divided by the number of ticks per millisecond
 * (ticks per second / 1000).
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowMs = (word32)(SYS_TICK_Get() /
                            (SYS_TICK_TicksPerSecondGet() / 1000));

    return nowMs;
}
wolfSSL 15:117db924cf7c 1342
wolfSSL 15:117db924cf7c 1343 #endif
wolfSSL 15:117db924cf7c 1344
wolfSSL 15:117db924cf7c 1345 #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
/* The time in milliseconds (Freescale MQX build).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Only the SECONDS field of the elapsed time is used, so the value advances
 * in whole-second steps and wraps modulo 2^32.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    TIME_STRUCT elapsed;
    word32      seconds;

    _time_get_elapsed(&elapsed);
    seconds = (word32)elapsed.SECONDS;

    return seconds * 1000;
}
wolfSSL 15:117db924cf7c 1360 #elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
wolfSSL 15:117db924cf7c 1361 #include "include/task.h"
wolfSSL 15:117db924cf7c 1362
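/* The time in milliseconds (Freescale FreeRTOS build).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * The conversion is done in integer arithmetic. Converting the tick count to
 * float loses low-order bits once the count needs more than 24 bits, which
 * makes the clock coarse after a few hours of uptime and can skew the ticket
 * age computed from it. A tick rate below 1000 Hz is handled by multiplying
 * instead of dividing by a zero ticks-per-millisecond value.
 *
 * returns the time in milliseconds as a 32-bit value (wraps modulo 2^32).
 */
word32 TimeNowInMilliseconds(void)
{
    const word32 ticks = (word32)xTaskGetTickCount();
    const word32 ticksPerMs = (word32)(configTICK_RATE_HZ / 1000);

    /* Tick slower than 1 kHz: each tick is a whole number of milliseconds
     * (rounded down), so scale up instead of dividing by zero. */
    if (ticksPerMs == 0)
        return ticks * (word32)(1000 / configTICK_RATE_HZ);

    return ticks / ticksPerMs;
}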
wolfSSL 15:117db924cf7c 1374 #elif defined(FREESCALE_KSDK_BM)
wolfSSL 15:117db924cf7c 1375 #include "lwip/sys.h" /* lwIP */
wolfSSL 15:117db924cf7c 1376
/* The time in milliseconds (Freescale KSDK bare-metal build).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * returns the value of lwIP's sys_now() as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowMs = sys_now();

    return nowMs;
}
wolfSSL 15:117db924cf7c 1387 #elif defined(WOLFSSL_TIRTOS)
/* The time in milliseconds (WOLFSSL_TIRTOS build).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * Built from Seconds_get(), so the value advances in whole-second steps and
 * wraps modulo 2^32.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 seconds = (word32)Seconds_get();

    return seconds * 1000;
}
wolfSSL 15:117db924cf7c 1398 #elif defined(WOLFSSL_UTASKER)
/* The time in milliseconds (WOLFSSL_UTASKER build).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * The uTasker system tick is divided by TICK_RESOLUTION / 1000.
 *
 * returns the time in milliseconds as a 32-bit value.
 */
word32 TimeNowInMilliseconds(void)
{
    word32 nowMs = (word32)(uTaskerSystemTick / (TICK_RESOLUTION / 1000));

    return nowMs;
}
wolfSSL 15:117db924cf7c 1409 #else
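/* The time in milliseconds (default build, gettimeofday()).
 * Used for tickets to represent difference between when first seen and when
 * sending.
 *
 * The result wraps modulo 2^32. On failure GETTIME_ERROR is returned through
 * the same word32 value, so a caller cannot tell it from a timestamp unless
 * it compares against that constant.
 *
 * returns the time in milliseconds as a 32-bit value, or GETTIME_ERROR when
 * gettimeofday() fails.
 */
word32 TimeNowInMilliseconds(void)
{
    struct timeval now;

    if (gettimeofday(&now, 0) < 0)
        return GETTIME_ERROR;

    /* Narrow the seconds to 32 bits before scaling. Multiplying tv_sec
     * directly is a signed multiplication that overflows (undefined
     * behaviour) where time_t is 32 bits wide; the unsigned form gives the
     * same value modulo 2^32 on every platform. */
    return (word32)now.tv_sec * 1000 + (word32)(now.tv_usec / 1000);
}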
wolfSSL 15:117db924cf7c 1425 #endif
wolfSSL 15:117db924cf7c 1426 #endif /* HAVE_SESSION_TICKET */
wolfSSL 15:117db924cf7c 1427
wolfSSL 15:117db924cf7c 1428
wolfSSL 15:117db924cf7c 1429 #if !defined(NO_WOLFSSL_SERVER) && (defined(HAVE_SESSION_TICKET) || \
wolfSSL 15:117db924cf7c 1430 !defined(NO_PSK))
/* Feed data into every handshake hash that is compiled in.
 *
 * ssl      The SSL/TLS object; ssl->hsHashes is dereferenced without a check.
 * input    The data to hash.
 * sz       The size of the data to hash.
 * returns 0 on success, the first non-zero hash update result on failure, and
 * BAD_FUNC_ARG when no handshake hash is compiled in.
 */
static int HashInputRaw(WOLFSSL* ssl, const byte* input, int sz)
{
    /* Only survives to the final return when every hash below is disabled. */
    int rc = BAD_FUNC_ARG;

#ifndef NO_SHA256
    if ((rc = wc_Sha256Update(&ssl->hsHashes->hashSha256, input, sz)) != 0)
        return rc;
#endif
#ifdef WOLFSSL_SHA384
    if ((rc = wc_Sha384Update(&ssl->hsHashes->hashSha384, input, sz)) != 0)
        return rc;
#endif
#ifdef WOLFSSL_TLS13_SHA512
    if ((rc = wc_Sha512Update(&ssl->hsHashes->hashSha512, input, sz)) != 0)
        return rc;
#endif

    return rc;
}
wolfSSL 15:117db924cf7c 1460 #endif
wolfSSL 15:117db924cf7c 1461
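/* Extract the handshake header information.
 *
 * ssl       The SSL/TLS object. Unused.
 * input     The buffer holding the message data.
 * inOutIdx  On entry, the index into the buffer of the handshake header.
 *           On exit, the index just past the header, i.e. the start of the
 *           handshake message data. It is advanced even when BUFFER_E is
 *           returned.
 * type      Type of handshake message.
 * size      The length of the handshake message data, as read from the
 *           header. It is not checked against totalSz here; the caller must
 *           validate it before using it to read the body.
 * totalSz   The total size of data in the buffer.
 * returns BUFFER_E if there is not enough input data and 0 on success.
 */
static int GetHandshakeHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                              byte* type, word32* size, word32 totalSz)
{
    const word32 start = *inOutIdx;
    const byte*  hdr;
    (void)ssl;

    /* Advance the caller's index first, as callers may rely on it. */
    *inOutIdx = start + HANDSHAKE_HEADER_SZ;

    /* Bounds check by subtraction: adding the header size to an index near
     * the top of the word32 range would wrap to a small value and pass a
     * "sum > totalSz" comparison. */
    if (start > totalSz || totalSz - start < HANDSHAKE_HEADER_SZ)
        return BUFFER_E;

    /* Form the pointer only after the header is known to be in range. */
    hdr = input + start;

    *type = hdr[0];
    c24to32(&hdr[1], size);

    return 0;
}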
wolfSSL 15:117db924cf7c 1488
/* Write a record layer header at the start of a message buffer.
 *
 * output  The buffer to write the record layer header into. The caller must
 *         provide room for a RecordLayerHeader.
 * length  The length of the record data. It is narrowed to 16 bits when
 *         written, so the caller must pass a value that fits.
 * type    The type of record message.
 * ssl     The SSL/TLS object; supplies the major version byte.
 */
static void AddTls13RecordHeader(byte* output, word32 length, byte type,
                                 WOLFSSL* ssl)
{
    RecordLayerHeader* hdr = (RecordLayerHeader*)output;

    hdr->type    = type;
    hdr->pvMajor = ssl->version.major;
#ifdef WOLFSSL_TLS13_DRAFT_18
    hdr->pvMinor = TLSv1_MINOR;
#else
    /* NOTE: May be TLSv1_MINOR when sending first ClientHello. */
    hdr->pvMinor = TLSv1_2_MINOR;
#endif
    c16toa((word16)length, hdr->length);
}
wolfSSL 15:117db924cf7c 1512
/* Write a handshake header at the start of a buffer.
 *
 * output      The buffer to write the handshake header into. The caller must
 *             provide room for a HandShakeHeader.
 * length      The length of the handshake data; written as a 24-bit value.
 * fragOffset  The offset of the fragment data. (DTLS) Unused here.
 * fragLength  The length of the fragment data. (DTLS) Unused here.
 * type        The type of handshake message.
 * ssl         The SSL/TLS object. (DTLS) Unused here.
 */
static void AddTls13HandShakeHeader(byte* output, word32 length,
                                    word32 fragOffset, word32 fragLength,
                                    byte type, WOLFSSL* ssl)
{
    HandShakeHeader* hdr = (HandShakeHeader*)output;

    /* Kept in the signature for the DTLS form of the header only. */
    (void)ssl;
    (void)fragLength;
    (void)fragOffset;

    hdr->type = type;
    c32to24(length, hdr->length);
}
wolfSSL 15:117db924cf7c 1536
wolfSSL 15:117db924cf7c 1537
/* Add both record layer and handshake header to message.
 *
 * output  The buffer to write the headers into. The handshake header is
 *         written RECORD_HEADER_SZ bytes after the record header.
 * length  The length of the handshake data.
 * type    The type of handshake message. The record type written is always
 *         handshake.
 * ssl     The SSL/TLS object.
 */
static void AddTls13Headers(byte* output, word32 length, byte type,
                            WOLFSSL* ssl)
{
    /* The record payload is the handshake header plus the handshake data. */
    const word32 recordLen = length + HANDSHAKE_HEADER_SZ;
    byte*        hsHeader = output + RECORD_HEADER_SZ;

    AddTls13RecordHeader(output, recordLen, handshake, ssl);
    AddTls13HandShakeHeader(hsHeader, length, 0, length, type, ssl);
}
wolfSSL 15:117db924cf7c 1554
wolfSSL 15:117db924cf7c 1555
wolfSSL 15:117db924cf7c 1556 #ifndef NO_CERTS
/* Add both record layer and fragment handshake header to message.
 *
 * output      The buffer to write the headers into.
 * fragSz      The length of the fragment data. Sets the record length and is
 *             passed on as the fragment length.
 * fragOffset  The offset of the fragment data. (DTLS)
 * length      The length of the whole handshake message; written into the
 *             handshake header.
 * type        The type of handshake message. The record type written is
 *             always handshake.
 * ssl         The SSL/TLS object.
 */
static void AddTls13FragHeaders(byte* output, word32 fragSz, word32 fragOffset,
                                word32 length, byte type, WOLFSSL* ssl)
{
    /* This record carries the handshake header plus one fragment. */
    const word32 recordLen = fragSz + HANDSHAKE_HEADER_SZ;
    byte*        hsHeader = output + RECORD_HEADER_SZ;

    AddTls13RecordHeader(output, recordLen, handshake, ssl);
    AddTls13HandShakeHeader(hsHeader, length, fragOffset, fragSz, type, ssl);
}
wolfSSL 15:117db924cf7c 1577 #endif /* NO_CERTS */
wolfSSL 15:117db924cf7c 1578
/* Write the current sequence number into the buffer and advance it.
 * No DTLS v1.3 support.
 *
 * The value written is the one in place before the increment. A wrap of the
 * low word carries into the high word; a wrap of the high word itself is not
 * detected here.
 *
 * ssl          The SSL/TLS object.
 * verifyOrder  Which set of sequence numbers to use: non-zero selects the
 *              peer's counters, zero selects our own.
 * out          The buffer to write into; receives two 32-bit values, high
 *              word first.
 */
static WC_INLINE void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out)
{
    word32 hi;
    word32 lo;

    if (verifyOrder) {
        hi = ssl->keys.peer_sequence_number_hi;
        lo = ssl->keys.peer_sequence_number_lo;
        ssl->keys.peer_sequence_number_lo++;
        /* The low word wrapped to a smaller value: carry into the high. */
        if (ssl->keys.peer_sequence_number_lo < lo)
            ssl->keys.peer_sequence_number_hi++;
    }
    else {
        hi = ssl->keys.sequence_number_hi;
        lo = ssl->keys.sequence_number_lo;
        ssl->keys.sequence_number_lo++;
        /* The low word wrapped to a smaller value: carry into the high. */
        if (ssl->keys.sequence_number_lo < lo)
            ssl->keys.sequence_number_hi++;
    }

    c32toa(hi, out);
    c32toa(lo, out + OPAQUE32_LEN);
}
wolfSSL 15:117db924cf7c 1608
/* Build the nonce for TLS v1.3 encryption and decryption.
 *
 * The nonce is the derived IV with the record sequence number XORed into its
 * last SEQ_SZ bytes. Calling this advances the sequence number selected by
 * order, which is what keeps the nonce different for every record under one
 * key.
 *
 * ssl    The SSL/TLS object.
 * nonce  The nonce data to use when encrypting or decrypting. Must hold
 *        AEAD_NONCE_SZ bytes.
 * iv     The derived IV.
 * order  The side on which the message is to be or was sent.
 */
static WC_INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv,
                                      int order)
{
    const int seqStart = AEAD_NONCE_SZ - SEQ_SZ;
    int       idx;

    /* Put the sequence number in the tail, then fold the IV over it. */
    WriteSEQ(ssl, order, nonce + seqStart);

    for (idx = 0; idx < AEAD_NONCE_SZ; idx++) {
        if (idx < seqStart)
            nonce[idx] = iv[idx];   /* leading bytes: IV copied as is */
        else
            nonce[idx] ^= iv[idx];  /* trailing bytes: sequence XOR IV */
    }
}
wolfSSL 15:117db924cf7c 1628
wolfSSL 15:117db924cf7c 1629 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
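/* Encrypt with ChaCha20 and create authentication tag with Poly1305.
 *
 * The one-time Poly1305 key is held in a stack buffer and is cleared on every
 * exit path, including the error returns that follow its generation.
 *
 * ssl     The SSL/TLS object.
 * output  The buffer to write encrypted data and authentication tag into.
 *         May be the same pointer as input.
 * input   The data to encrypt.
 * sz      The number of bytes to encrypt.
 * nonce   The nonce to use with ChaCha20.
 * aad     The additional authentication data.
 * aadSz   The size of the additional authentication data.
 * tag     The authentication tag buffer.
 * returns 0 on success, otherwise failure.
 */
static int ChaCha20Poly1305_Encrypt(WOLFSSL* ssl, byte* output,
                                    const byte* input, word16 sz, byte* nonce,
                                    const byte* aad, word16 aadSz, byte* tag)
{
    int  ret;
    byte poly[CHACHA20_256_KEY_SIZE];

    /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
    XMEMSET(poly, 0, sizeof(poly));

    /* Set the nonce for ChaCha with counter 0 and get Poly1305 key. */
    ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0);
    /* Create Poly1305 key using ChaCha20 keystream. */
    if (ret == 0)
        ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, poly, sizeof(poly));
    /* Move on to counter 1 for the record data. */
    if (ret == 0)
        ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 1);
    /* Encrypt the plain text. */
    if (ret == 0)
        ret = wc_Chacha_Process(ssl->encrypt.chacha, output, input, sz);
    /* Set key for Poly1305. */
    if (ret == 0)
        ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));

    /* Done with the Poly1305 key whether or not the steps above succeeded;
     * clear it so no key material is left on the stack. */
    ForceZero(poly, sizeof(poly));
    if (ret != 0)
        return ret;

    /* Add authentication code of encrypted data to end. */
    ret = wc_Poly1305_MAC(ssl->auth.poly1305, (byte*)aad, aadSz, output, sz,
                          tag, POLY1305_AUTH_SZ);

    return ret;
}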
wolfSSL 15:117db924cf7c 1682 #endif
wolfSSL 15:117db924cf7c 1683
wolfSSL 16:8e0d178b1d1e 1684 #ifdef HAVE_NULL_CIPHER
/* Create authentication tag and copy data over input.
 *
 * Integrity-only (NULL cipher) record protection: the data is authenticated
 * with HMAC but is not encrypted, so it leaves in the clear.
 *
 * ssl     The SSL/TLS object.
 * output  The buffer to copy data into.
 *         May be the same pointer as input.
 * input   The data.
 * sz      The number of bytes of data.
 * nonce   The nonce to use with authentication; HMAC_NONCE_SZ bytes are read.
 * aad     The additional authentication data.
 * aadSz   The size of the additional authentication data.
 * tag     The authentication tag buffer.
 * returns 0 on success, otherwise failure.
 */
static int Tls13IntegrityOnly_Encrypt(WOLFSSL* ssl, byte* output,
                                      const byte* input, word16 sz,
                                      const byte* nonce,
                                      const byte* aad, word16 aadSz, byte* tag)
{
    int ret;

    /* HMAC: nonce | aad | input */
    ret = wc_HmacUpdate(ssl->encrypt.hmac, nonce, HMAC_NONCE_SZ);
    if (ret != 0)
        return ret;

    ret = wc_HmacUpdate(ssl->encrypt.hmac, aad, aadSz);
    if (ret != 0)
        return ret;

    ret = wc_HmacUpdate(ssl->encrypt.hmac, input, sz);
    if (ret != 0)
        return ret;

    ret = wc_HmacFinal(ssl->encrypt.hmac, tag);
    if (ret != 0)
        return ret;

    /* Copy the input to output if not the same buffer */
    if (output != input)
        XMEMCPY(output, input, sz);

    return 0;
}
wolfSSL 16:8e0d178b1d1e 1719 #endif
wolfSSL 16:8e0d178b1d1e 1720
/* Encrypt data for TLS v1.3.
 *
 * Runs as a three-step state machine held in ssl->encrypt.state:
 * CIPHER_STATE_BEGIN builds the nonce, CIPHER_STATE_DO calls the cipher
 * selected by ssl->specs.bulk_cipher_algorithm, CIPHER_STATE_END wipes the
 * nonce. The state is put back to CIPHER_STATE_BEGIN before the normal
 * return at the bottom of the function.
 *
 * ssl        The SSL/TLS object.
 * output     The buffer to write encrypted data and authentication tag into.
 *            May be the same pointer as input.
 * input      The record header and data to encrypt.
 * sz         The number of bytes to encrypt, including the space for the
 *            authentication tag (the tag is written at output + sz - macSz).
 * aad        The additional authentication data.
 * aadSz      The size of the additional authentication data.
 * asyncOkay  If non-zero can return WC_PENDING_E, otherwise blocks on crypto
 * returns 0 on success, otherwise failure.
 */
static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
                        word16 sz, const byte* aad, word16 aadSz, int asyncOkay)
{
    int    ret = 0;
    /* NOTE(review): nothing here checks sz >= aead_mac_size, so a smaller sz
     * would wrap this word16. The caller visible in this file
     * (BuildTls13Message) passes a size that already includes
     * aead_mac_size. */
    word16 dataSz = sz - ssl->specs.aead_mac_size;
    word16 macSz = ssl->specs.aead_mac_size;
    word32 nonceSz = 0;
#ifdef WOLFSSL_ASYNC_CRYPT
    WC_ASYNC_DEV* asyncDev = NULL;
    word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN;
#endif

    WOLFSSL_ENTER("EncryptTls13");

    /* Presumably here to silence unused-variable warnings in builds where
     * every cipher case below is compiled out. */
    (void)output;
    (void)input;
    (void)sz;
    (void)dataSz;
    (void)macSz;
    (void)asyncOkay;
    (void)nonceSz;

#ifdef WOLFSSL_ASYNC_CRYPT
    if (ssl->error == WC_PENDING_E) {
        ssl->error = 0; /* clear async */
    }
#endif

    switch (ssl->encrypt.state) {
        case CIPHER_STATE_BEGIN:
        {
        #ifdef WOLFSSL_DEBUG_TLS
            /* WOLFSSL_DEBUG_TLS builds pass the plaintext and AAD to the
             * logging macros; treat such logs as sensitive. */
            WOLFSSL_MSG("Data to encrypt");
            WOLFSSL_BUFFER(input, dataSz);
        #if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22) && \
            !defined(WOLFSSL_TLS13_DRAFT_23)
            WOLFSSL_MSG("Additional Authentication Data");
            WOLFSSL_BUFFER(aad, aadSz);
        #endif
        #endif

        #ifdef CIPHER_NONCE
            /* The nonce buffer is allocated on first use and kept on the
             * object; it is rebuilt here for every record. */
            if (ssl->encrypt.nonce == NULL)
                ssl->encrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ,
                                            ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
            if (ssl->encrypt.nonce == NULL)
                return MEMORY_E;

            /* Built from the write IV (aead_enc_imp_IV); presumably combined
             * with the current write sequence number - see BuildTls13Nonce. */
            BuildTls13Nonce(ssl, ssl->encrypt.nonce, ssl->keys.aead_enc_imp_IV,
                            CUR_ORDER);
        #endif

            /* Advance state and proceed */
            ssl->encrypt.state = CIPHER_STATE_DO;
        }
        FALL_THROUGH;

        case CIPHER_STATE_DO:
        {
            /* Each case writes ciphertext to output and the tag to
             * output + dataSz. */
            switch (ssl->specs.bulk_cipher_algorithm) {
            #ifdef BUILD_AESGCM
                case wolfssl_aes_gcm:
                #ifdef WOLFSSL_ASYNC_CRYPT
                    /* initialize event */
                    asyncDev = &ssl->encrypt.aes->asyncDev;
                    ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
                    if (ret != 0)
                        break;
                #endif

                    nonceSz = AESGCM_NONCE_SZ;
                /* FIPS/selftest builds without FIPS version 2 use the
                 * one-shot call; other builds install the nonce first and
                 * then call the _ex variant. */
                #if ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
                    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))
                    ret = wc_AesGcmEncrypt(ssl->encrypt.aes, output, input,
                        dataSz, ssl->encrypt.nonce, nonceSz,
                        output + dataSz, macSz, aad, aadSz);
                #else
                    ret = wc_AesGcmSetExtIV(ssl->encrypt.aes,
                            ssl->encrypt.nonce, nonceSz);
                    if (ret == 0) {
                        ret = wc_AesGcmEncrypt_ex(ssl->encrypt.aes, output,
                                input, dataSz, ssl->encrypt.nonce, nonceSz,
                                output + dataSz, macSz, aad, aadSz);
                    }
                #endif
                    break;
            #endif

            #ifdef HAVE_AESCCM
                case wolfssl_aes_ccm:
                #ifdef WOLFSSL_ASYNC_CRYPT
                    /* initialize event */
                    asyncDev = &ssl->encrypt.aes->asyncDev;
                    ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
                    if (ret != 0)
                        break;
                #endif

                    nonceSz = AESCCM_NONCE_SZ;
                /* Same build split as the AES-GCM case above. */
                #if ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
                    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))
                    ret = wc_AesCcmEncrypt(ssl->encrypt.aes, output, input,
                        dataSz, ssl->encrypt.nonce, nonceSz,
                        output + dataSz, macSz, aad, aadSz);
                #else
                    ret = wc_AesCcmSetNonce(ssl->encrypt.aes,
                            ssl->encrypt.nonce, nonceSz);
                    if (ret == 0) {
                        ret = wc_AesCcmEncrypt_ex(ssl->encrypt.aes, output,
                                input, dataSz, ssl->encrypt.nonce, nonceSz,
                                output + dataSz, macSz, aad, aadSz);
                    }
                #endif
                    break;
            #endif

            #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
                case wolfssl_chacha:
                    ret = ChaCha20Poly1305_Encrypt(ssl, output, input, dataSz,
                        ssl->encrypt.nonce, aad, aadSz, output + dataSz);
                    break;
            #endif

            #ifdef HAVE_NULL_CIPHER
                /* Integrity-only suite: the helper authenticates the record
                 * with HMAC and copies input to output unchanged, so the
                 * record carries no confidentiality. */
                case wolfssl_cipher_null:
                    ret = Tls13IntegrityOnly_Encrypt(ssl, output, input, dataSz,
                        ssl->encrypt.nonce, aad, aadSz, output + dataSz);
                    break;
            #endif

                /* NOTE(review): this return leaves ssl->encrypt.state at
                 * CIPHER_STATE_DO and skips the nonce wipe in
                 * CIPHER_STATE_END. */
                default:
                    WOLFSSL_MSG("wolfSSL Encrypt programming error");
                    return ENCRYPT_ERROR;
            }

            /* Advance state */
            ssl->encrypt.state = CIPHER_STATE_END;

        #ifdef WOLFSSL_ASYNC_CRYPT
            if (ret == WC_PENDING_E) {
                /* if async is not okay, then block */
                if (!asyncOkay) {
                    ret = wc_AsyncWait(ret, asyncDev, event_flags);
                }
                else {
                    /* If pending, then leave and return will resume below */
                    return wolfSSL_AsyncPush(ssl, asyncDev);
                }
            }
        #endif
        }
        FALL_THROUGH;

        case CIPHER_STATE_END:
        {
        #ifdef WOLFSSL_DEBUG_TLS
            #ifdef CIPHER_NONCE
                WOLFSSL_MSG("Nonce");
                WOLFSSL_BUFFER(ssl->encrypt.nonce, ssl->specs.iv_size);
            #endif
            WOLFSSL_MSG("Encrypted data");
            WOLFSSL_BUFFER(output, dataSz);
            WOLFSSL_MSG("Authentication Tag");
            WOLFSSL_BUFFER(output + dataSz, macSz);
        #endif

        #ifdef CIPHER_NONCE
            /* Wipe the per-record nonce; the buffer itself stays allocated. */
            ForceZero(ssl->encrypt.nonce, AEAD_NONCE_SZ);
        #endif

            break;
        }
    }

    /* Reset state */
    ssl->encrypt.state = CIPHER_STATE_BEGIN;

    return ret;
}
wolfSSL 15:117db924cf7c 1912
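#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
/* Decrypt with ChaCha20 and check authentication tag with Poly1305.
 *
 * The Poly1305 one-time key is the first ChaCha20 keystream block (block
 * counter 0) for this nonce; the record data is processed from block
 * counter 1. The tag is verified, in constant time, before any plaintext is
 * written to output.
 *
 * ssl     The SSL/TLS object.
 * output  The buffer to write decrypted data into.
 *         May be the same pointer as input.
 * input   The data to decrypt.
 * sz      The number of bytes to decrypt.
 * nonce   The nonce to use with ChaCha20.
 * aad     The additional authentication data.
 * aadSz   The size of the additional authentication data.
 * tagIn   The authentication tag data from packet.
 * returns 0 on success, VERIFY_MAC_ERROR when the tag does not match,
 *         otherwise the error from the failing crypto call.
 */
static int ChaCha20Poly1305_Decrypt(WOLFSSL* ssl, byte* output,
                                    const byte* input, word16 sz, byte* nonce,
                                    const byte* aad, word16 aadSz,
                                    const byte* tagIn)
{
    int  ret;
    byte tag[POLY1305_AUTH_SZ];
    byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */

    /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
    XMEMSET(poly, 0, sizeof(poly));

    /* Set nonce and get Poly1305 key from the keystream at counter 0. */
    ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0);
    if (ret == 0)
        ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, poly, sizeof(poly));
    /* Move to counter 1 for the record data. */
    if (ret == 0)
        ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 1);
    /* Set key for Poly1305. */
    if (ret == 0)
        ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));

    /* Done with the Poly1305 key: clear it on every path, including the
     * error returns that previously left key material on the stack. */
    ForceZero(poly, sizeof(poly));
    if (ret != 0)
        return ret;

    /* Generate authentication tag for encrypted data. */
    ret = wc_Poly1305_MAC(ssl->auth.poly1305, (byte*)aad, aadSz,
                          (byte*)input, sz, tag, sizeof(tag));

    /* Check tag sent along with packet. */
    if (ret == 0 && ConstantCompare(tagIn, tag, POLY1305_AUTH_SZ) != 0) {
        WOLFSSL_MSG("MAC did not match");
        ret = VERIFY_MAC_ERROR;
    }

    /* The expected tag is no longer needed; do not leave it on the stack. */
    ForceZero(tag, sizeof(tag));
    if (ret != 0)
        return ret;

    /* If the tag was good decrypt message. */
    return wc_Chacha_Process(ssl->decrypt.chacha, output, input, sz);
}
#endif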
wolfSSL 15:117db924cf7c 1974
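#ifdef HAVE_NULL_CIPHER
/* Check HMAC tag and copy over input.
 *
 * Integrity-only record processing: the data is authenticated with HMAC over
 * nonce | aad | input and then copied unchanged, so it is never decrypted.
 * The tag is compared in constant time and the copy happens only when it
 * matches.
 *
 * ssl     The SSL/TLS object.
 * output  The buffer to copy data into.
 *         May be the same pointer as input.
 * input   The data.
 * sz      The number of bytes of data.
 * nonce   The nonce to use with authentication.
 * aad     The additional authentication data.
 * aadSz   The size of the additional authentication data.
 * tagIn   The authentication tag data from packet.
 * returns 0 on success, DECRYPT_ERROR when the tag does not match,
 *         otherwise the error from the failing HMAC call.
 */
static int Tls13IntegrityOnly_Decrypt(WOLFSSL* ssl, byte* output,
                                      const byte* input, word16 sz,
                                      const byte* nonce,
                                      const byte* aad, word16 aadSz,
                                      const byte* tagIn)
{
    int  ret;
    byte hmac[WC_MAX_DIGEST_SIZE];

    /* HMAC: nonce | aad | input */
    ret = wc_HmacUpdate(ssl->decrypt.hmac, nonce, HMAC_NONCE_SZ);
    if (ret == 0)
        ret = wc_HmacUpdate(ssl->decrypt.hmac, aad, aadSz);
    if (ret == 0)
        ret = wc_HmacUpdate(ssl->decrypt.hmac, input, sz);
    if (ret == 0)
        ret = wc_HmacFinal(ssl->decrypt.hmac, hmac);

    /* Check authentication tag matches.
     * NOTE(review): compares ssl->specs.hash_size bytes; assumes that never
     * exceeds WC_MAX_DIGEST_SIZE - confirm where hash_size is set. */
    if (ret == 0 && ConstantCompare(tagIn, hmac, ssl->specs.hash_size) != 0)
        ret = DECRYPT_ERROR;

    /* The expected tag is no longer needed; do not leave it on the stack. */
    ForceZero(hmac, sizeof(hmac));

    /* Copy the input to output if not the same buffer */
    if (ret == 0 && output != input)
        XMEMCPY(output, input, sz);

    return ret;
}
#endif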
wolfSSL 16:8e0d178b1d1e 2016
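/* Decrypt data for TLS v1.3.
 *
 * Runs as a three-step state machine held in ssl->decrypt.state:
 * CIPHER_STATE_BEGIN validates the length and builds the nonce,
 * CIPHER_STATE_DO calls the cipher selected by
 * ssl->specs.bulk_cipher_algorithm, CIPHER_STATE_END wipes the nonce.
 * Unless WOLFSSL_EARLY_DATA is defined, any negative result sends a fatal
 * bad_record_mac alert and is reported as VERIFY_MAC_ERROR.
 *
 * ssl     The SSL/TLS object.
 * output  The buffer to write decrypted data into.
 *         May be the same pointer as input.
 * input   The data to decrypt and authentication tag.
 * sz      The length of the encrypted data plus authentication tag.
 *         Must be at least ssl->specs.aead_mac_size.
 * aad     The additional authentication data.
 * aadSz   The size of the additional authentication data.
 * returns 0 on success, otherwise failure.
 */
int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz,
                 const byte* aad, word16 aadSz)
{
    int    ret = 0;
    /* Wraps when sz < aead_mac_size; CIPHER_STATE_BEGIN rejects that case
     * before dataSz is used. */
    word16 dataSz = sz - ssl->specs.aead_mac_size;
    word16 macSz = ssl->specs.aead_mac_size;
    word32 nonceSz = 0;

    WOLFSSL_ENTER("DecryptTls13");

#ifdef WOLFSSL_ASYNC_CRYPT
    ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state);
    if (ret != WC_NOT_PENDING_E) {
        /* check for still pending */
        if (ret == WC_PENDING_E)
            return ret;

        ssl->error = 0; /* clear async */

        /* let failures through so CIPHER_STATE_END logic is run */
    }
    else
#endif
    {
        /* Reset state */
        ret = 0;
        ssl->decrypt.state = CIPHER_STATE_BEGIN;
    }

    (void)output;
    (void)input;
    (void)sz;
    (void)dataSz;
    (void)macSz;
    (void)nonceSz;

    switch (ssl->decrypt.state) {
        case CIPHER_STATE_BEGIN:
        {
            /* The length must cover at least the authentication tag.
             * Without this check a short length makes dataSz wrap to a
             * large value that is then handed to the cipher as the data
             * length and used to locate the tag at input + dataSz.
             * Breaking out here takes the common failure path below the
             * switch. */
            if (sz < macSz) {
                WOLFSSL_MSG("Record too short for authentication tag");
                ret = BUFFER_E;
                break;
            }

        #ifdef WOLFSSL_DEBUG_TLS
            WOLFSSL_MSG("Data to decrypt");
            WOLFSSL_BUFFER(input, dataSz);
        #if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22) && \
            !defined(WOLFSSL_TLS13_DRAFT_23)
            WOLFSSL_MSG("Additional Authentication Data");
            WOLFSSL_BUFFER(aad, aadSz);
        #endif
            WOLFSSL_MSG("Authentication tag");
            WOLFSSL_BUFFER(input + dataSz, macSz);
        #endif

        #ifdef CIPHER_NONCE
            /* The nonce buffer is allocated on first use and kept on the
             * object; it is rebuilt here for every record. */
            if (ssl->decrypt.nonce == NULL)
                ssl->decrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ,
                                            ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
            if (ssl->decrypt.nonce == NULL)
                return MEMORY_E;

            /* Built from the read IV (aead_dec_imp_IV); presumably combined
             * with the peer's sequence number - see BuildTls13Nonce. */
            BuildTls13Nonce(ssl, ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV,
                            PEER_ORDER);
        #endif

            /* Advance state and proceed */
            ssl->decrypt.state = CIPHER_STATE_DO;
        }
        FALL_THROUGH;

        case CIPHER_STATE_DO:
        {
            /* Each case reads the tag from input + dataSz. */
            switch (ssl->specs.bulk_cipher_algorithm) {
            #ifdef BUILD_AESGCM
                case wolfssl_aes_gcm:
                #ifdef WOLFSSL_ASYNC_CRYPT
                    /* initialize event */
                    ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
                        WC_ASYNC_FLAG_CALL_AGAIN);
                    if (ret != 0)
                        break;
                #endif

                    nonceSz = AESGCM_NONCE_SZ;
                    ret = wc_AesGcmDecrypt(ssl->decrypt.aes, output, input,
                        dataSz, ssl->decrypt.nonce, nonceSz,
                        input + dataSz, macSz, aad, aadSz);
                #ifdef WOLFSSL_ASYNC_CRYPT
                    if (ret == WC_PENDING_E) {
                        ret = wolfSSL_AsyncPush(ssl,
                                                   &ssl->decrypt.aes->asyncDev);
                    }
                #endif
                    break;
            #endif

            #ifdef HAVE_AESCCM
                case wolfssl_aes_ccm:
                #ifdef WOLFSSL_ASYNC_CRYPT
                    /* initialize event */
                    ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
                        WC_ASYNC_FLAG_CALL_AGAIN);
                    if (ret != 0)
                        break;
                #endif

                    nonceSz = AESCCM_NONCE_SZ;
                    ret = wc_AesCcmDecrypt(ssl->decrypt.aes, output, input,
                        dataSz, ssl->decrypt.nonce, nonceSz,
                        input + dataSz, macSz, aad, aadSz);
                #ifdef WOLFSSL_ASYNC_CRYPT
                    if (ret == WC_PENDING_E) {
                        ret = wolfSSL_AsyncPush(ssl,
                                                   &ssl->decrypt.aes->asyncDev);
                    }
                #endif
                    break;
            #endif

            #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
                case wolfssl_chacha:
                    ret = ChaCha20Poly1305_Decrypt(ssl, output, input, dataSz,
                        ssl->decrypt.nonce, aad, aadSz, input + dataSz);
                    break;
            #endif

            #ifdef HAVE_NULL_CIPHER
                /* Integrity-only suite: the record is authenticated with
                 * HMAC and copied, not decrypted. */
                case wolfssl_cipher_null:
                    ret = Tls13IntegrityOnly_Decrypt(ssl, output, input, dataSz,
                        ssl->decrypt.nonce, aad, aadSz, input + dataSz);
                    break;
            #endif
                /* NOTE(review): this return skips the nonce wipe in
                 * CIPHER_STATE_END and the alert handling below. */
                default:
                    WOLFSSL_MSG("wolfSSL Decrypt programming error");
                    return DECRYPT_ERROR;
            }

            /* Advance state */
            ssl->decrypt.state = CIPHER_STATE_END;

        #ifdef WOLFSSL_ASYNC_CRYPT
            /* If pending, leave now */
            if (ret == WC_PENDING_E) {
                return ret;
            }
        #endif
        }
        FALL_THROUGH;

        case CIPHER_STATE_END:
        {
        #ifdef WOLFSSL_DEBUG_TLS
            /* WOLFSSL_DEBUG_TLS builds pass the decrypted record to the
             * logging macros; treat such logs as sensitive. */
            #ifdef CIPHER_NONCE
                WOLFSSL_MSG("Nonce");
                WOLFSSL_BUFFER(ssl->decrypt.nonce, ssl->specs.iv_size);
            #endif
            WOLFSSL_MSG("Decrypted data");
            WOLFSSL_BUFFER(output, dataSz);
        #endif

        #ifdef CIPHER_NONCE
            /* Wipe the per-record nonce; the buffer itself stays allocated. */
            ForceZero(ssl->decrypt.nonce, AEAD_NONCE_SZ);
        #endif

            break;
        }
    }

#ifndef WOLFSSL_EARLY_DATA
    /* Every failure is reported to the peer and the caller as a MAC
     * failure, whatever the underlying error was. With WOLFSSL_EARLY_DATA
     * the raw error is returned and no alert is sent from here. */
    if (ret < 0) {
        SendAlert(ssl, alert_fatal, bad_record_mac);
        ret = VERIFY_MAC_ERROR;
    }
#endif

    return ret;
}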
wolfSSL 15:117db924cf7c 2202
/* Persistable BuildTls13Message arguments.
 *
 * With WOLFSSL_ASYNC_CRYPT these live in ssl->async.args so that a call
 * resumed after WC_PENDING_E sees the same values; otherwise a local copy
 * is used.
 */
typedef struct BuildMsg13Args {
    word32 sz;       /* total message size: record header + data +
                      * content type byte + authentication tag */
    word32 idx;      /* current write offset into the output buffer */
    word32 headerSz; /* record header size (set to RECORD_HEADER_SZ) */
    word16 size;     /* record data length: sz - headerSz */
} BuildMsg13Args;
wolfSSL 15:117db924cf7c 2210
/* Release resources held by BuildTls13Message arguments.
 *
 * BuildTls13Message makes no allocations, so there is nothing to free.
 *
 * ssl    The SSL/TLS object (unused).
 * pArgs  The BuildMsg13Args to clean up (unused).
 */
static void FreeBuildMsg13Args(WOLFSSL* ssl, void* pArgs)
{
    (void)ssl;
    (void)pArgs;
}
wolfSSL 15:117db924cf7c 2220
wolfSSL 15:117db924cf7c 2221 /* Build SSL Message, encrypted.
wolfSSL 15:117db924cf7c 2222 * TLS v1.3 encryption is AEAD only.
wolfSSL 15:117db924cf7c 2223 *
wolfSSL 15:117db924cf7c 2224 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 2225 * output The buffer to write record message to.
wolfSSL 15:117db924cf7c 2226 * outSz Size of the buffer being written into.
wolfSSL 15:117db924cf7c 2227 * input The record data to encrypt (excluding record header).
wolfSSL 15:117db924cf7c 2228 * inSz The size of the record data.
wolfSSL 15:117db924cf7c 2229 * type The record header content type.
wolfSSL 15:117db924cf7c 2230 * hashOutput Whether to hash the unencrypted record data.
wolfSSL 15:117db924cf7c 2231 * sizeOnly Only want the size of the record message.
wolfSSL 15:117db924cf7c 2232 * asyncOkay If non-zero can return WC_PENDING_E, otherwise blocks on crypto
wolfSSL 15:117db924cf7c 2233 * returns the size of the encrypted record message or negative value on error.
wolfSSL 15:117db924cf7c 2234 */
wolfSSL 15:117db924cf7c 2235 int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
wolfSSL 15:117db924cf7c 2236 int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay)
wolfSSL 15:117db924cf7c 2237 {
wolfSSL 15:117db924cf7c 2238 int ret = 0;
wolfSSL 15:117db924cf7c 2239 BuildMsg13Args* args;
wolfSSL 15:117db924cf7c 2240 BuildMsg13Args lcl_args;
wolfSSL 15:117db924cf7c 2241 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 15:117db924cf7c 2242 args = (BuildMsg13Args*)ssl->async.args;
wolfSSL 15:117db924cf7c 2243 typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
wolfSSL 15:117db924cf7c 2244 (void)sizeof(args_test);
wolfSSL 15:117db924cf7c 2245 #endif
wolfSSL 15:117db924cf7c 2246
wolfSSL 15:117db924cf7c 2247 WOLFSSL_ENTER("BuildTls13Message");
wolfSSL 15:117db924cf7c 2248
wolfSSL 15:117db924cf7c 2249 ret = WC_NOT_PENDING_E;
wolfSSL 15:117db924cf7c 2250 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 15:117db924cf7c 2251 if (asyncOkay) {
wolfSSL 15:117db924cf7c 2252 ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState);
wolfSSL 15:117db924cf7c 2253 if (ret != WC_NOT_PENDING_E) {
wolfSSL 15:117db924cf7c 2254 /* Check for error */
wolfSSL 15:117db924cf7c 2255 if (ret < 0)
wolfSSL 15:117db924cf7c 2256 goto exit_buildmsg;
wolfSSL 15:117db924cf7c 2257 }
wolfSSL 15:117db924cf7c 2258 }
wolfSSL 15:117db924cf7c 2259 else
wolfSSL 15:117db924cf7c 2260 #endif
wolfSSL 15:117db924cf7c 2261 {
wolfSSL 15:117db924cf7c 2262 args = &lcl_args;
wolfSSL 15:117db924cf7c 2263 }
wolfSSL 15:117db924cf7c 2264
wolfSSL 15:117db924cf7c 2265 /* Reset state */
wolfSSL 15:117db924cf7c 2266 if (ret == WC_NOT_PENDING_E) {
wolfSSL 15:117db924cf7c 2267 ret = 0;
wolfSSL 15:117db924cf7c 2268 ssl->options.buildMsgState = BUILD_MSG_BEGIN;
wolfSSL 15:117db924cf7c 2269 XMEMSET(args, 0, sizeof(BuildMsg13Args));
wolfSSL 15:117db924cf7c 2270
wolfSSL 15:117db924cf7c 2271 args->sz = RECORD_HEADER_SZ + inSz;
wolfSSL 15:117db924cf7c 2272 args->idx = RECORD_HEADER_SZ;
wolfSSL 15:117db924cf7c 2273 args->headerSz = RECORD_HEADER_SZ;
wolfSSL 15:117db924cf7c 2274 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 15:117db924cf7c 2275 ssl->async.freeArgs = FreeBuildMsg13Args;
wolfSSL 15:117db924cf7c 2276 #endif
wolfSSL 15:117db924cf7c 2277 }
wolfSSL 15:117db924cf7c 2278
wolfSSL 15:117db924cf7c 2279 switch (ssl->options.buildMsgState) {
wolfSSL 15:117db924cf7c 2280 case BUILD_MSG_BEGIN:
wolfSSL 15:117db924cf7c 2281 {
wolfSSL 15:117db924cf7c 2282 /* catch mistaken sizeOnly parameter */
wolfSSL 15:117db924cf7c 2283 if (sizeOnly) {
wolfSSL 15:117db924cf7c 2284 if (output || input) {
wolfSSL 15:117db924cf7c 2285 WOLFSSL_MSG("BuildTls13Message with sizeOnly "
wolfSSL 15:117db924cf7c 2286 "doesn't need input or output");
wolfSSL 15:117db924cf7c 2287 return BAD_FUNC_ARG;
wolfSSL 15:117db924cf7c 2288 }
wolfSSL 15:117db924cf7c 2289 }
wolfSSL 15:117db924cf7c 2290 else if (output == NULL || input == NULL) {
wolfSSL 15:117db924cf7c 2291 return BAD_FUNC_ARG;
wolfSSL 15:117db924cf7c 2292 }
wolfSSL 15:117db924cf7c 2293
wolfSSL 15:117db924cf7c 2294 /* Record layer content type at the end of record data. */
wolfSSL 15:117db924cf7c 2295 args->sz++;
wolfSSL 15:117db924cf7c 2296 /* Authentication data at the end. */
wolfSSL 15:117db924cf7c 2297 args->sz += ssl->specs.aead_mac_size;
wolfSSL 15:117db924cf7c 2298
wolfSSL 15:117db924cf7c 2299 if (sizeOnly)
wolfSSL 15:117db924cf7c 2300 return args->sz;
wolfSSL 15:117db924cf7c 2301
wolfSSL 15:117db924cf7c 2302 if (args->sz > (word32)outSz) {
wolfSSL 15:117db924cf7c 2303 WOLFSSL_MSG("Oops, want to write past output buffer size");
wolfSSL 15:117db924cf7c 2304 return BUFFER_E;
wolfSSL 15:117db924cf7c 2305 }
wolfSSL 15:117db924cf7c 2306
wolfSSL 15:117db924cf7c 2307 /* Record data length. */
wolfSSL 15:117db924cf7c 2308 args->size = (word16)(args->sz - args->headerSz);
wolfSSL 15:117db924cf7c 2309 /* Write/update the record header with the new size.
wolfSSL 15:117db924cf7c 2310 * Always have the content type as application data for encrypted
wolfSSL 15:117db924cf7c 2311 * messages in TLS v1.3.
wolfSSL 15:117db924cf7c 2312 */
wolfSSL 15:117db924cf7c 2313 AddTls13RecordHeader(output, args->size, application_data, ssl);
wolfSSL 15:117db924cf7c 2314
wolfSSL 15:117db924cf7c 2315 /* TLS v1.3 can do in place encryption. */
wolfSSL 15:117db924cf7c 2316 if (input != output + args->idx)
wolfSSL 15:117db924cf7c 2317 XMEMCPY(output + args->idx, input, inSz);
wolfSSL 15:117db924cf7c 2318 args->idx += inSz;
wolfSSL 15:117db924cf7c 2319
wolfSSL 15:117db924cf7c 2320 ssl->options.buildMsgState = BUILD_MSG_HASH;
wolfSSL 15:117db924cf7c 2321 }
wolfSSL 15:117db924cf7c 2322 FALL_THROUGH;
wolfSSL 15:117db924cf7c 2323
wolfSSL 15:117db924cf7c 2324 case BUILD_MSG_HASH:
wolfSSL 15:117db924cf7c 2325 {
wolfSSL 15:117db924cf7c 2326 if (hashOutput) {
wolfSSL 15:117db924cf7c 2327 ret = HashOutput(ssl, output, args->headerSz + inSz, 0);
wolfSSL 15:117db924cf7c 2328 if (ret != 0)
wolfSSL 15:117db924cf7c 2329 goto exit_buildmsg;
wolfSSL 15:117db924cf7c 2330 }
wolfSSL 15:117db924cf7c 2331
wolfSSL 16:8e0d178b1d1e 2332 /* The real record content type goes at the end of the data. */
wolfSSL 16:8e0d178b1d1e 2333 output[args->idx++] = (byte)type;
wolfSSL 16:8e0d178b1d1e 2334
wolfSSL 15:117db924cf7c 2335 ssl->options.buildMsgState = BUILD_MSG_ENCRYPT;
wolfSSL 15:117db924cf7c 2336 }
wolfSSL 15:117db924cf7c 2337 FALL_THROUGH;
wolfSSL 15:117db924cf7c 2338
wolfSSL 15:117db924cf7c 2339 case BUILD_MSG_ENCRYPT:
wolfSSL 15:117db924cf7c 2340 {
wolfSSL 15:117db924cf7c 2341 #ifdef ATOMIC_USER
wolfSSL 15:117db924cf7c 2342 if (ssl->ctx->MacEncryptCb) {
wolfSSL 15:117db924cf7c 2343 /* User Record Layer Callback handling */
wolfSSL 15:117db924cf7c 2344 byte* mac = output + args->idx;
wolfSSL 15:117db924cf7c 2345 output += args->headerSz;
wolfSSL 15:117db924cf7c 2346
wolfSSL 15:117db924cf7c 2347 ret = ssl->ctx->MacEncryptCb(ssl, mac, output, inSz, type, 0,
wolfSSL 15:117db924cf7c 2348 output, output, args->size, ssl->MacEncryptCtx);
wolfSSL 15:117db924cf7c 2349 }
wolfSSL 15:117db924cf7c 2350 else
wolfSSL 15:117db924cf7c 2351 #endif
wolfSSL 15:117db924cf7c 2352 {
wolfSSL 15:117db924cf7c 2353 #if defined(WOLFSSL_TLS13_DRAFT_18) || defined(WOLFSSL_TLS13_DRAFT_22) || \
wolfSSL 15:117db924cf7c 2354 defined(WOLFSSL_TLS13_DRAFT_23)
wolfSSL 15:117db924cf7c 2355 output += args->headerSz;
wolfSSL 15:117db924cf7c 2356 ret = EncryptTls13(ssl, output, output, args->size, NULL, 0,
wolfSSL 15:117db924cf7c 2357 asyncOkay);
wolfSSL 15:117db924cf7c 2358 #else
wolfSSL 15:117db924cf7c 2359 const byte* aad = output;
wolfSSL 15:117db924cf7c 2360 output += args->headerSz;
wolfSSL 15:117db924cf7c 2361 ret = EncryptTls13(ssl, output, output, args->size, aad,
wolfSSL 15:117db924cf7c 2362 RECORD_HEADER_SZ, asyncOkay);
wolfSSL 15:117db924cf7c 2363 #endif
wolfSSL 15:117db924cf7c 2364 }
wolfSSL 15:117db924cf7c 2365 break;
wolfSSL 15:117db924cf7c 2366 }
wolfSSL 15:117db924cf7c 2367 }
wolfSSL 15:117db924cf7c 2368
wolfSSL 15:117db924cf7c 2369 exit_buildmsg:
wolfSSL 15:117db924cf7c 2370
wolfSSL 15:117db924cf7c 2371 WOLFSSL_LEAVE("BuildTls13Message", ret);
wolfSSL 15:117db924cf7c 2372
wolfSSL 15:117db924cf7c 2373 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 15:117db924cf7c 2374 if (ret == WC_PENDING_E) {
wolfSSL 15:117db924cf7c 2375 return ret;
wolfSSL 15:117db924cf7c 2376 }
wolfSSL 15:117db924cf7c 2377 #endif
wolfSSL 15:117db924cf7c 2378
wolfSSL 15:117db924cf7c 2379 /* make sure build message state is reset */
wolfSSL 15:117db924cf7c 2380 ssl->options.buildMsgState = BUILD_MSG_BEGIN;
wolfSSL 15:117db924cf7c 2381
wolfSSL 15:117db924cf7c 2382 /* return sz on success */
wolfSSL 15:117db924cf7c 2383 if (ret == 0)
wolfSSL 15:117db924cf7c 2384 ret = args->sz;
wolfSSL 15:117db924cf7c 2385
wolfSSL 15:117db924cf7c 2386 /* Final cleanup */
wolfSSL 15:117db924cf7c 2387 FreeBuildMsg13Args(ssl, args);
wolfSSL 16:8e0d178b1d1e 2388 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 16:8e0d178b1d1e 2389 ssl->async.freeArgs = NULL;
wolfSSL 16:8e0d178b1d1e 2390 #endif
wolfSSL 15:117db924cf7c 2391
wolfSSL 15:117db924cf7c 2392 return ret;
wolfSSL 15:117db924cf7c 2393 }
wolfSSL 15:117db924cf7c 2394
wolfSSL 15:117db924cf7c 2395 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
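/* Find the cipher suite in the suites set in the SSL.
 *
 * Suites are stored as consecutive two-byte pairs. Only complete pairs that
 * lie inside suiteSz are compared, so an odd suiteSz never causes a compare
 * against the byte following the declared list.
 *
 * ssl    SSL/TLS object.
 * suite  Cipher suite to look for (two bytes).
 * returns 1 when suite is found in SSL/TLS object's list and 0 otherwise,
 *         including when no suite list is available.
 */
static int FindSuiteSSL(WOLFSSL* ssl, byte* suite)
{
    word16 i;

    /* Nothing to search means "not found" rather than a NULL dereference. */
    if (ssl == NULL || ssl->suites == NULL || suite == NULL)
        return 0;

    /* i + 1 must also be inside the list: both bytes of the pair are read. */
    for (i = 0; (word32)i + 1 < ssl->suites->suiteSz; i += 2) {
        if (ssl->suites->suites[i+0] == suite[0] &&
                ssl->suites->suites[i+1] == suite[1]) {
            return 1;
        }
    }

    return 0;
}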
wolfSSL 15:117db924cf7c 2415 #endif
wolfSSL 15:117db924cf7c 2416
wolfSSL 15:117db924cf7c 2417 #ifndef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 2418 #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
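/* Create Cookie extension using the hash of the first ClientHello.
 *
 * The cookie carries the supplied data plus an HMAC over it keyed with
 * ssl->buffers.tls13CookieSecret, so the server can later check that a
 * returned cookie is one it issued.
 *
 * ssl     SSL/TLS object.
 * hash    The hash data.
 * hashSz  The size of the hash data in bytes.
 * returns 0 on success, otherwise failure.
 */
static int CreateCookie(WOLFSSL* ssl, byte* hash, byte hashSz)
{
    int  ret;
    byte mac[WC_MAX_DIGEST_SIZE] = {0};
    Hmac cookieHmac;
    byte cookieType = 0;
    byte macSz = 0;

    /* SHA-256 is used whenever it is compiled in; SHA-1 only as a fallback.
     * With neither available cookieType and macSz stay 0.
     */
#if !defined(NO_SHA) && defined(NO_SHA256)
    cookieType = SHA;
    macSz = WC_SHA_DIGEST_SIZE;
#endif /* NO_SHA */
#ifndef NO_SHA256
    cookieType = WC_SHA256;
    macSz = WC_SHA256_DIGEST_SIZE;
#endif /* NO_SHA256 */
    XMEMSET(&cookieHmac, 0, sizeof(Hmac));

    ret = wc_HmacSetKey(&cookieHmac, cookieType,
                        ssl->buffers.tls13CookieSecret.buffer,
                        ssl->buffers.tls13CookieSecret.length);
    if (ret == 0)
        ret = wc_HmacUpdate(&cookieHmac, hash, hashSz);
    if (ret == 0)
        ret = wc_HmacFinal(&cookieHmac, mac);

    /* The context was keyed with the cookie secret: wipe it on every path so
     * that state does not linger on the stack after return.
     * NOTE(review): the context is never passed to wc_HmacFree(); confirm
     * whether builds with hardware or async HMAC need that before the wipe.
     */
    ForceZero(&cookieHmac, sizeof(Hmac));
    if (ret != 0)
        return ret;

    /* The cookie data is the hash and the integrity check. */
    return TLSX_Cookie_Use(ssl, hash, hashSz, mac, macSz, 1);
}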
wolfSSL 15:117db924cf7c 2457 #endif
wolfSSL 15:117db924cf7c 2458
/* Restart the handshake hash with a hash of the previous messages.
 *
 * The digest of the messages so far is wrapped in a message_hash handshake
 * header. When the server is sending a cookie, the digest, cipher suite and
 * (if present) key share group are packed into cookie data and passed to
 * CreateCookie() instead, and the function returns without re-initialising
 * the handshake hashes.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int RestartHandshakeHash(WOLFSSL* ssl)
{
    int    ret;
    Hashes certHashes;
    byte   msgHdr[HANDSHAKE_HEADER_SZ] = {0};
    byte*  digest = NULL;
    byte   digestSz = 0;

    if ((ret = BuildCertHashes(ssl, &certHashes)) != 0)
        return ret;

    /* Pick the digest matching the negotiated MAC algorithm; an algorithm
     * that is not compiled in leaves digest as NULL.
     */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            digest = certHashes.sha256;
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            digest = certHashes.sha384;
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            digest = certHashes.sha512;
            break;
    #endif
    }
    digestSz = ssl->specs.hash_size;

    /* A non-zero size with no digest selected cannot be hashed or copied. */
    if (digestSz > 0 && digest == NULL)
        return BAD_FUNC_ARG;

    AddTls13HandShakeHeader(msgHdr, digestSz, 0, 0, message_hash, ssl);

    WOLFSSL_MSG("Restart Hash");
    WOLFSSL_BUFFER(digest, digestSz);

#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
    if (ssl->options.sendCookie) {
        /* Sized for: length byte, largest digest, suite, key share group. */
        byte   cookieData[OPAQUE8_LEN + WC_MAX_DIGEST_SIZE + OPAQUE16_LEN * 2];
        TLSX*  keyShareExt;
        word32 pos = 0;

        /* Cookie Data = Hash Len | Hash | CS | KeyShare Group */
        cookieData[pos++] = digestSz;
        if (digest != NULL)
            XMEMCPY(cookieData + pos, digest, digestSz);
        pos += digestSz;
        cookieData[pos++] = ssl->options.cipherSuite0;
        cookieData[pos++] = ssl->options.cipherSuite;

        keyShareExt = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
        if (keyShareExt != NULL) {
            KeyShareEntry* entry = (KeyShareEntry*)keyShareExt->data;

            c16toa(entry->group, cookieData + pos);
            pos += OPAQUE16_LEN;
        }
        return CreateCookie(ssl, cookieData, pos);
    }
#endif

    if ((ret = InitHandshakeHashes(ssl)) != 0)
        return ret;
    if ((ret = HashOutputRaw(ssl, msgHdr, sizeof(msgHdr))) != 0)
        return ret;
    return HashOutputRaw(ssl, digest, digestSz);
}
wolfSSL 15:117db924cf7c 2533
/* The value in the random field of a ServerHello to indicate
 * HelloRetryRequest.
 *
 * This is the fixed 32-byte value defined in RFC 8446 section 4.1.3 (the
 * SHA-256 digest of the string "HelloRetryRequest"). It is a public
 * protocol constant, not a secret.
 */
static byte helloRetryRequestRandom[] = {
    0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
    0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
    0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
    0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
};
wolfSSL 15:117db924cf7c 2543 #endif /* WOLFSSL_TLS13_DRAFT_18 */
wolfSSL 15:117db924cf7c 2544
wolfSSL 15:117db924cf7c 2545 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 15:117db924cf7c 2546 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
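/* Setup pre-shared key based on the details in the extension data.
 *
 * Selects the PSK's cipher suite (which must be in the SSL object's suite
 * list), loads the key material into ssl->arrays->psk_key and derives the
 * early secret from it. For a resumption PSK the key is derived from the
 * session; otherwise it is obtained from the application's PSK callback.
 *
 * ssl  SSL/TLS object.
 * psk  Pre-shared key extension data.
 * returns 0 on success, PSK_KEY_ERROR when the client PSK callback fails and
 * other negative value on failure.
 */
static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk)
{
    int ret;
    byte suite[2];

    if (psk == NULL)
        return BAD_FUNC_ARG;

    /* Refuse a PSK bound to a suite this connection is not configured for. */
    suite[0] = psk->cipherSuite0;
    suite[1] = psk->cipherSuite;
    if (!FindSuiteSSL(ssl, suite))
        return PSK_KEY_ERROR;

    ssl->options.cipherSuite0 = psk->cipherSuite0;
    ssl->options.cipherSuite  = psk->cipherSuite;
    if ((ret = SetCipherSpecs(ssl)) != 0)
        return ret;

#ifdef HAVE_SESSION_TICKET
    if (psk->resumption) {
    #ifdef WOLFSSL_EARLY_DATA
        /* A session that allows no early data disables it for this try. */
        if (ssl->session.maxEarlyDataSz == 0)
            ssl->earlyData = no_early_data;
    #endif
        /* Resumption PSK is master secret. */
        ssl->arrays->psk_keySz = ssl->specs.hash_size;
    #ifdef WOLFSSL_TLS13_DRAFT_18
        XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret,
                ssl->arrays->psk_keySz);
    #else
        if ((ret = DeriveResumptionPSK(ssl, ssl->session.ticketNonce.data,
                   ssl->session.ticketNonce.len, ssl->arrays->psk_key)) != 0) {
            return ret;
        }
    #endif
    }
#endif
#ifndef NO_PSK
    if (!psk->resumption) {
    #ifndef WOLFSSL_PSK_ONE_ID
        const char* cipherName = NULL;
        byte cipherSuite0 = TLS13_BYTE, cipherSuite = WOLFSSL_DEF_PSK_CIPHER;

        /* Get the pre-shared key.
         * NOTE(review): the identity is handed to the callback as a C
         * string - presumably NUL-terminated; verify against where the
         * extension data is built.
         */
        if (ssl->options.client_psk_tls13_cb != NULL) {
            ssl->arrays->psk_keySz = ssl->options.client_psk_tls13_cb(ssl,
                (char *)psk->identity, ssl->arrays->client_identity,
                MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN,
                &cipherName);
            /* NOTE(review): cipherName is still NULL here if the callback
             * did not set it - confirm GetCipherSuiteFromName tolerates that.
             */
            if (GetCipherSuiteFromName(cipherName, &cipherSuite0,
                                       &cipherSuite) != 0) {
                return PSK_KEY_ERROR;
            }
        }
        else if (ssl->options.client_psk_cb != NULL) {
            ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
                (char *)psk->identity, ssl->arrays->client_identity,
                MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
        }
        else {
            /* No callback registered: fail instead of calling through a
             * NULL function pointer.
             */
            return PSK_KEY_ERROR;
        }

        /* The callback reports the key length; zero means failure and a
         * length beyond the psk_key buffer must never be trusted.
         */
        if (ssl->arrays->psk_keySz == 0 ||
                ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
            return PSK_KEY_ERROR;
        }

        /* The key must be for the suite the PSK extension entry names. */
        if (psk->cipherSuite0 != cipherSuite0 ||
                psk->cipherSuite != cipherSuite) {
            return PSK_KEY_ERROR;
        }
    #else
        /* PSK information loaded during setting of default TLS extensions. */
    #endif
    }
#endif

    /* PSK-only key exchange: no (EC)DHE pre-master secret is mixed in. */
    if (ssl->options.noPskDheKe)
        ssl->arrays->preMasterSz = 0;

    /* Derive the early secret using the PSK. */
    return DeriveEarlySecret(ssl);
}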
wolfSSL 15:117db924cf7c 2634
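/* Derive and write the binders into the ClientHello in space left when
 * writing the Pre-Shared Key extension.
 *
 * The ClientHello is hashed up to (not including) the binders, a binder is
 * computed for every PSK identity from that hash, the binders are written
 * into the message and finally hashed to complete the ClientHello hash.
 *
 * ssl     The SSL/TLS object.
 * output  The buffer containing the ClientHello.
 * idx     The index at the end of the completed ClientHello.
 * returns 0 on success and otherwise failure.
 */
static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx)
{
    int           ret;
    TLSX*         ext;
    PreSharedKey* current;
    byte          binderKey[WC_MAX_DIGEST_SIZE];
    word16        len;

    WOLFSSL_ENTER("WritePSKBinders");

    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    if (ext == NULL)
        return SANITY_MSG_E;

    /* Get the size of the binders to determine where to write binders. */
    ret = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
                                           client_hello, &len);
    if (ret < 0)
        return ret;
    /* The binders sit at the end of the message; a size larger than the
     * message itself would wrap the unsigned index below.
     */
    if (len > idx)
        return BUFFER_ERROR;
    idx -= len;

    /* Hash truncated ClientHello - up to binders. */
    ret = HashOutput(ssl, output, idx, 0);
    if (ret != 0)
        return ret;

    current = (PreSharedKey*)ext->data;
    /* Calculate the binder for each identity based on previous handshake data.
     */
    while (current != NULL) {
        if ((ret = SetupPskKey(ssl, current)) != 0)
            break;

    #ifdef HAVE_SESSION_TICKET
        if (current->resumption)
            ret = DeriveBinderKeyResume(ssl, binderKey);
    #endif
    #ifndef NO_PSK
        if (!current->resumption)
            ret = DeriveBinderKey(ssl, binderKey);
    #endif
        if (ret != 0)
            break;

        /* Derive the Finished message secret. */
        ret = DeriveFinishedSecret(ssl, binderKey,
                                   ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            break;

        /* Build the HMAC of the handshake message data = binder. */
        ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret,
                                      current->binder, &current->binderLen);
        if (ret != 0)
            break;

        current = current->next;
    }

    /* binderKey is PSK-derived and only needed inside the loop: wipe the
     * stack copy on success and on every failure before going further.
     */
    ForceZero(binderKey, sizeof(binderKey));
    if (ret != 0)
        return ret;

    /* Data entered into extension, now write to message. */
    ret = TLSX_PreSharedKey_WriteBinders((PreSharedKey*)ext->data, output + idx,
                                         client_hello, &len);
    if (ret < 0)
        return ret;

    /* Hash binders to complete the hash of the ClientHello. */
    ret = HashOutputRaw(ssl, output + idx, len);
    if (ret < 0)
        return ret;

#ifdef WOLFSSL_EARLY_DATA
    if (ssl->earlyData != no_early_data) {
        /* Early data is protected with keys from the first PSK entry. */
        if ((ret = SetupPskKey(ssl, (PreSharedKey*)ext->data)) != 0)
            return ret;

        /* Derive early data encryption key. */
        ret = DeriveTls13Keys(ssl, early_data_key, ENCRYPT_SIDE_ONLY, 1);
        if (ret != 0)
            return ret;
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
            return ret;
    }
#endif

    WOLFSSL_LEAVE("WritePSKBinders", ret);

    return ret;
}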
wolfSSL 15:117db924cf7c 2731 #endif
wolfSSL 15:117db924cf7c 2732
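/* handle generation of TLS 1.3 client_hello (1) */
/* Send a ClientHello message to the server.
 * Include the information required to start a handshake with servers using
 * protocol versions less than TLS v1.3.
 * Only a client will send this message.
 *
 * When resuming a session saved under an older minor version (and TLS 1.2 is
 * compiled in), resumption is dropped, the connection version is lowered to
 * the session's version and the legacy SendClientHello() is used instead.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success and otherwise failure.
 */
int SendTls13ClientHello(WOLFSSL* ssl)
{
    byte*  output;
    word16 length;
    word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    int    sendSz;
    int    ret;

    WOLFSSL_START(WC_FUNC_CLIENT_HELLO_SEND);
    WOLFSSL_ENTER("SendTls13ClientHello");

#ifdef HAVE_SESSION_TICKET
    if (ssl->options.resuming &&
            (ssl->session.version.major != ssl->version.major ||
             ssl->session.version.minor != ssl->version.minor)) {
    #ifndef WOLFSSL_NO_TLS12
        if (ssl->session.version.major == ssl->version.major &&
                ssl->session.version.minor < ssl->version.minor) {
            /* Cannot resume with a different protocol version. */
            ssl->options.resuming = 0;
            ssl->version.major = ssl->session.version.major;
            ssl->version.minor = ssl->session.version.minor;
            return SendClientHello(ssl);
        }
        else
    #endif
            return VERSION_ERROR;
    }
#endif

    if (ssl->suites == NULL) {
        WOLFSSL_MSG("Bad suites pointer in SendTls13ClientHello");
        return SUITES_ERROR;
    }

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* A stored session id is written below as exactly ID_LEN bytes. Any
     * other non-zero size would make the written message disagree with the
     * computed length or send bytes that were never copied into the buffer,
     * so reject it before anything is written.
     */
    if (ssl->session.sessionIDSz != 0 && ssl->session.sessionIDSz != ID_LEN) {
        WOLFSSL_MSG("Bad session id size in SendTls13ClientHello");
        return BUFFER_ERROR;
    }
#endif

    /* Version | Random | Session Id | Cipher Suites | Compression */
    length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->suites->suiteSz +
             SUITE_LEN + COMP_LEN + ENUM_LEN;
#ifndef WOLFSSL_TLS13_DRAFT_18
    #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
    length += ID_LEN;
    #else
    if (ssl->session.sessionIDSz > 0)
        length += ssl->session.sessionIDSz;
    #endif
#endif

    /* Auto populate extensions supported unless user defined. */
    if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0)
        return ret;
#ifdef WOLFSSL_EARLY_DATA
    /* Early data needs a PSK: without resumption or a PSK callback, and on
     * the second ClientHello after a HelloRetryRequest, it is turned off.
     */
    #ifndef NO_PSK
    if (!ssl->options.resuming &&
            ssl->options.client_psk_tls13_cb == NULL &&
            ssl->options.client_psk_cb == NULL)
    #else
    if (!ssl->options.resuming)
    #endif
        ssl->earlyData = no_early_data;
    if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE)
        ssl->earlyData = no_early_data;
    if (ssl->earlyData == no_early_data)
        TLSX_Remove(&ssl->extensions, TLSX_EARLY_DATA, ssl->heap);
    if (ssl->earlyData != no_early_data &&
            (ret = TLSX_EarlyData_Use(ssl, 0)) < 0) {
        return ret;
    }
#endif
    /* Include length of TLS extensions. */
    ret = TLSX_GetRequestSize(ssl, client_hello, &length);
    if (ret != 0)
        return ret;

    /* Total message size. */
    sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, length, client_hello, ssl);

    /* Protocol version - negotiation now in extension: supported_versions. */
    output[idx++] = SSLv3_MAJOR;
    output[idx++] = TLSv1_2_MINOR;
    /* Keep for downgrade. */
    ssl->chVersion = ssl->version;

    /* Client Random */
    if (ssl->options.connectState == CONNECT_BEGIN) {
        ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN);
        if (ret != 0)
            return ret;

        /* Store random for possible second ClientHello. */
        XMEMCPY(ssl->arrays->clientRandom, output + idx, RAN_LEN);
    }
    else
        XMEMCPY(output + idx, ssl->arrays->clientRandom, RAN_LEN);
    idx += RAN_LEN;

#ifdef WOLFSSL_TLS13_DRAFT_18
    /* TLS v1.3 does not use session id - 0 length. */
    output[idx++] = 0;
#else
    if (ssl->session.sessionIDSz > 0) {
        /* Session resumption for old versions of protocol.
         * sessionIDSz equals ID_LEN here (checked above).
         */
        output[idx++] = ID_LEN;
        XMEMCPY(output + idx, ssl->session.sessionID, ssl->session.sessionIDSz);
        idx += ID_LEN;
    }
    else {
    #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
        /* Middlebox compatibility: send a non-empty session id, filled
         * from the client random.
         */
        output[idx++] = ID_LEN;
        XMEMCPY(output + idx, ssl->arrays->clientRandom, ID_LEN);
        idx += ID_LEN;
    #else
        /* TLS v1.3 does not use session id - 0 length. */
        output[idx++] = 0;
    #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */
    }
#endif /* WOLFSSL_TLS13_DRAFT_18 */

    /* Cipher suites */
    c16toa(ssl->suites->suiteSz, output + idx);
    idx += OPAQUE16_LEN;
    XMEMCPY(output + idx, &ssl->suites->suites, ssl->suites->suiteSz);
    idx += ssl->suites->suiteSz;

    /* Compression not supported in TLS v1.3. */
    output[idx++] = COMP_LEN;
    output[idx++] = NO_COMPRESSION;

    /* Write out extensions for a request. */
    length = 0;
    ret = TLSX_WriteRequest(ssl, output + idx, client_hello, &length);
    if (ret != 0)
        return ret;
    idx += length;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    /* Resumption has a specific set of extensions and binder is calculated
     * for each identity.
     */
    if (TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY))
        ret = WritePSKBinders(ssl, output, idx);
    else
#endif
        ret = HashOutput(ssl, output, idx, 0);
    if (ret != 0)
        return ret;

    ssl->options.clientState = CLIENT_HELLO_COMPLETE;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello");
    if (ssl->toInfoOn) {
        AddPacketInfo(ssl, "ClientHello", handshake, output, sendSz,
                      WRITE_PROTO, ssl->heap);
    }
#endif

    ssl->buffers.outputBuffer.length += sendSz;

    /* With WOLFSSL_EARLY_DATA_GROUP the message stays buffered when early
     * data is in use; otherwise it is sent now.
     */
#ifdef WOLFSSL_EARLY_DATA_GROUP
    if (ssl->earlyData == no_early_data)
#endif
        ret = SendBuffered(ssl);


    WOLFSSL_LEAVE("SendTls13ClientHello", ret);
    WOLFSSL_END(WC_FUNC_CLIENT_HELLO_SEND);

    return ret;
}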
wolfSSL 15:117db924cf7c 2922
wolfSSL 15:117db924cf7c 2923 #ifdef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 2924 /* handle processing of TLS 1.3 hello_retry_request (6) */
wolfSSL 15:117db924cf7c 2925 /* Parse and handle a HelloRetryRequest message.
wolfSSL 15:117db924cf7c 2926 * Only a client will receive this message.
wolfSSL 15:117db924cf7c 2927 *
wolfSSL 15:117db924cf7c 2928 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 2929 * input The message buffer.
wolfSSL 15:117db924cf7c 2930 * inOutIdx On entry, the index into the message buffer of
wolfSSL 15:117db924cf7c 2931 * HelloRetryRequest.
wolfSSL 15:117db924cf7c 2932 * On exit, the index of byte after the HelloRetryRequest message.
wolfSSL 15:117db924cf7c 2933 * totalSz The length of the current handshake message.
wolfSSL 15:117db924cf7c 2934 * returns 0 on success and otherwise failure.
wolfSSL 15:117db924cf7c 2935 */
wolfSSL 15:117db924cf7c 2936 static int DoTls13HelloRetryRequest(WOLFSSL* ssl, const byte* input,
wolfSSL 15:117db924cf7c 2937 word32* inOutIdx, word32 totalSz)
wolfSSL 15:117db924cf7c 2938 {
wolfSSL 15:117db924cf7c 2939 int ret;
wolfSSL 15:117db924cf7c 2940 word32 begin = *inOutIdx;
wolfSSL 15:117db924cf7c 2941 word32 i = begin;
wolfSSL 15:117db924cf7c 2942 word16 totalExtSz;
wolfSSL 15:117db924cf7c 2943 ProtocolVersion pv;
wolfSSL 15:117db924cf7c 2944
wolfSSL 15:117db924cf7c 2945 WOLFSSL_ENTER("DoTls13HelloRetryRequest");
wolfSSL 15:117db924cf7c 2946
wolfSSL 15:117db924cf7c 2947 #ifdef WOLFSSL_CALLBACKS
wolfSSL 15:117db924cf7c 2948 if (ssl->hsInfoOn) AddPacketName(ssl, "HelloRetryRequest");
wolfSSL 15:117db924cf7c 2949 if (ssl->toInfoOn) AddLateName("HelloRetryRequest", &ssl->timeoutInfo);
wolfSSL 15:117db924cf7c 2950 #endif
wolfSSL 15:117db924cf7c 2951
wolfSSL 15:117db924cf7c 2952 /* Version info and length field of extension data. */
wolfSSL 15:117db924cf7c 2953 if (totalSz < i - begin + OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
wolfSSL 15:117db924cf7c 2954 return BUFFER_ERROR;
wolfSSL 15:117db924cf7c 2955
wolfSSL 15:117db924cf7c 2956 /* Protocol version. */
wolfSSL 15:117db924cf7c 2957 XMEMCPY(&pv, input + i, OPAQUE16_LEN);
wolfSSL 15:117db924cf7c 2958 i += OPAQUE16_LEN;
wolfSSL 15:117db924cf7c 2959 ret = CheckVersion(ssl, pv);
wolfSSL 15:117db924cf7c 2960 if (ret != 0)
wolfSSL 15:117db924cf7c 2961 return ret;
wolfSSL 15:117db924cf7c 2962
wolfSSL 15:117db924cf7c 2963 /* Length of extension data. */
wolfSSL 15:117db924cf7c 2964 ato16(&input[i], &totalExtSz);
wolfSSL 15:117db924cf7c 2965 i += OPAQUE16_LEN;
wolfSSL 15:117db924cf7c 2966 if (totalExtSz == 0) {
wolfSSL 15:117db924cf7c 2967 WOLFSSL_MSG("HelloRetryRequest must contain extensions");
wolfSSL 15:117db924cf7c 2968 return MISSING_HANDSHAKE_DATA;
wolfSSL 15:117db924cf7c 2969 }
wolfSSL 15:117db924cf7c 2970
wolfSSL 15:117db924cf7c 2971 /* Extension data. */
wolfSSL 15:117db924cf7c 2972 if (i - begin + totalExtSz > totalSz)
wolfSSL 15:117db924cf7c 2973 return BUFFER_ERROR;
wolfSSL 15:117db924cf7c 2974 if ((ret = TLSX_Parse(ssl, (byte *)(input + i), totalExtSz,
wolfSSL 15:117db924cf7c 2975 hello_retry_request, NULL)) != 0)
wolfSSL 15:117db924cf7c 2976 return ret;
wolfSSL 15:117db924cf7c 2977 /* The KeyShare extension parsing fails when not valid. */
wolfSSL 15:117db924cf7c 2978
wolfSSL 15:117db924cf7c 2979 /* Move index to byte after message. */
wolfSSL 15:117db924cf7c 2980 *inOutIdx = i + totalExtSz;
wolfSSL 15:117db924cf7c 2981
wolfSSL 15:117db924cf7c 2982 ssl->options.tls1_3 = 1;
wolfSSL 15:117db924cf7c 2983 ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
wolfSSL 15:117db924cf7c 2984
wolfSSL 15:117db924cf7c 2985 WOLFSSL_LEAVE("DoTls13HelloRetryRequest", ret);
wolfSSL 15:117db924cf7c 2986
wolfSSL 15:117db924cf7c 2987 return ret;
wolfSSL 15:117db924cf7c 2988 }
wolfSSL 15:117db924cf7c 2989 #endif
wolfSSL 15:117db924cf7c 2990
wolfSSL 15:117db924cf7c 2991
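/* Handle processing of TLS 1.3 server_hello (2) and hello_retry_request (6).
 * Only a client will receive this message.
 *
 * Every field length is taken from the peer's message and is checked against
 * helloSz before the field is read. When the negotiated version is below
 * TLS 1.3 and downgrade is permitted, processing is handed to the TLS 1.2
 * code (DoServerHello / CompleteServerHello).
 *
 * ssl         The SSL/TLS object.
 * input       The message buffer.
 * inOutIdx    On entry, the index into the message buffer of ServerHello.
 *             On exit, the index of byte after the ServerHello message.
 * helloSz     The length of the current handshake message.
 * extMsgType  Message type used when parsing extensions. In non-draft-18
 *             builds it is set to hello_retry_request when the random field
 *             equals helloRetryRequestRandom.
 * returns 0 on success and otherwise failure.
 */
int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                       word32 helloSz, byte* extMsgType)
{
    ProtocolVersion pv;
    word32          i = *inOutIdx;
    word32          begin = i;
    int             ret;
#ifndef WOLFSSL_TLS13_DRAFT_18
    byte            sessIdSz;
    const byte*     sessId;
    byte            b;
    int             foundVersion;
#endif
    word16          totalExtSz;
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    TLSX*           ext;
    PreSharedKey*   psk = NULL;
#endif

    WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO);
    WOLFSSL_ENTER("DoTls13ServerHello");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName(ssl, "ServerHello");
    if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo);
#endif

    /* Protocol version length check. */
    if (OPAQUE16_LEN > helloSz)
        return BUFFER_ERROR;

    /* Protocol version */
    XMEMCPY(&pv, input + i, OPAQUE16_LEN);
    i += OPAQUE16_LEN;
#ifdef WOLFSSL_TLS13_DRAFT_18
    ret = CheckVersion(ssl, pv);
    if (ret != 0)
        return ret;
    if (!IsAtLeastTLSv1_3(pv) && pv.major != TLS_DRAFT_MAJOR) {
#ifndef WOLFSSL_NO_TLS12
        /* Older version offered: only accepted when downgrade is enabled. */
        if (ssl->options.downgrade) {
            ssl->version = pv;
            return DoServerHello(ssl, input, inOutIdx, helloSz);
        }
#endif

        WOLFSSL_MSG("Client using higher version, fatal error");
        return VERSION_ERROR;
    }
#else
#ifndef WOLFSSL_NO_TLS12
    if (pv.major == ssl->version.major && pv.minor < TLSv1_2_MINOR &&
                                                      ssl->options.downgrade) {
        /* Force client hello version 1.2 to work for static RSA. */
        ssl->chVersion.minor = TLSv1_2_MINOR;
        ssl->version.minor = TLSv1_2_MINOR;
        return DoServerHello(ssl, input, inOutIdx, helloSz);
    }
#endif
    /* The legacy version field must read as TLS 1.2; the real version is
     * negotiated through the extensions parsed further down.
     */
    if (pv.major != ssl->version.major || pv.minor != TLSv1_2_MINOR)
        return VERSION_ERROR;
#endif

#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Random length check */
    if ((i - begin) + RAN_LEN > helloSz)
        return BUFFER_ERROR;
#else
    /* Random and session id length check */
    if ((i - begin) + RAN_LEN + ENUM_LEN > helloSz)
        return BUFFER_ERROR;

    /* A fixed random value marks the message as a HelloRetryRequest. */
    if (XMEMCMP(input + i, helloRetryRequestRandom, RAN_LEN) == 0)
        *extMsgType = hello_retry_request;
#endif

    /* Server random - keep for debugging. */
    XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN);
    i += RAN_LEN;

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Session id: only recorded here, validated once the version is known. */
    sessIdSz = input[i++];
    if ((i - begin) + sessIdSz > helloSz)
        return BUFFER_ERROR;
    sessId = input + i;
    i += sessIdSz;
#endif /* WOLFSSL_TLS13_DRAFT_18 */
    ssl->options.haveSessionId = 1;

#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Ciphersuite check */
    if ((i - begin) + OPAQUE16_LEN + OPAQUE16_LEN > helloSz)
        return BUFFER_ERROR;
#else
    /* Ciphersuite and compression check */
    if ((i - begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz)
        return BUFFER_ERROR;
#endif

    /* Set the cipher suite from the message. */
    ssl->options.cipherSuite0 = input[i++];
    ssl->options.cipherSuite  = input[i++];

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Compression */
    b = input[i++];
    if (b != 0) {
        WOLFSSL_MSG("Must be no compression types in list");
        return INVALID_PARAMETER;
    }
#endif

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* No room for an extensions length: the message cannot be TLS 1.3, so it
     * is only tolerated when downgrade is enabled.
     */
    if ((i - begin) + OPAQUE16_LEN > helloSz) {
        if (!ssl->options.downgrade)
            return BUFFER_ERROR;
#ifndef WOLFSSL_NO_TLS12
        ssl->version.minor = TLSv1_2_MINOR;
#endif
        ssl->options.haveEMS = 0;
    }
    if ((i - begin) < helloSz)
#endif
    {
        /* Get extension length and length check. */
        if ((i - begin) + OPAQUE16_LEN > helloSz)
            return BUFFER_ERROR;
        ato16(&input[i], &totalExtSz);
        i += OPAQUE16_LEN;
        if ((i - begin) + totalExtSz > helloSz)
            return BUFFER_ERROR;

#ifndef WOLFSSL_TLS13_DRAFT_18
        /* Need to negotiate version first. */
        if ((ret = TLSX_ParseVersion(ssl, (byte*)input + i, totalExtSz,
                                     *extMsgType, &foundVersion))) {
            return ret;
        }
        if (!foundVersion) {
            /* No version extension found: the server is asking for less than
             * TLS 1.3, which is refused unless downgrade is enabled and the
             * version is not below the configured minimum.
             */
            if (!ssl->options.downgrade) {
                WOLFSSL_MSG("Server trying to downgrade to version less than "
                            "TLS v1.3");
                return VERSION_ERROR;
            }

            if (pv.minor < ssl->options.minDowngrade)
                return VERSION_ERROR;
            ssl->version.minor = pv.minor;
        }
#endif

        /* Parse and handle extensions. */
        ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz, *extMsgType,
                         NULL);
        if (ret != 0)
            return ret;

        i += totalExtSz;
    }
    *inOutIdx = i;

    ssl->options.serverState = SERVER_HELLO_COMPLETE;

#ifdef HAVE_SECRET_CALLBACK
    if (ssl->sessionSecretCb != NULL) {
        int secretSz = SECRET_LEN;
        ret = ssl->sessionSecretCb(ssl, ssl->session.masterSecret,
                                   &secretSz, ssl->sessionSecretCtx);
        if (ret != 0 || secretSz != SECRET_LEN) {
            return SESSION_SECRET_CB_E;
        }
    }
#endif /* HAVE_SECRET_CALLBACK */

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Version only negotiated in extensions for TLS v1.3.
     * Only now do we know how to deal with session id.
     */
    if (!IsAtLeastTLSv1_3(ssl->version)) {
#ifndef WOLFSSL_NO_TLS12
        ssl->arrays->sessionIDSz = sessIdSz;

        if (ssl->arrays->sessionIDSz > ID_LEN) {
            WOLFSSL_MSG("Invalid session ID size");
            ssl->arrays->sessionIDSz = 0;
            return BUFFER_ERROR;
        }
        else if (ssl->arrays->sessionIDSz) {
            XMEMCPY(ssl->arrays->sessionID, sessId, ssl->arrays->sessionIDSz);
            ssl->options.haveSessionId = 1;
        }

        /* Force client hello version 1.2 to work for static RSA. */
        ssl->chVersion.minor = TLSv1_2_MINOR;
        /* Complete TLS v1.2 processing of ServerHello.
         * NOTE(review): no downgrade-sentinel check on serverRandom is made
         * in this function; presumably CompleteServerHello() does it -
         * confirm.
         */
        ret = CompleteServerHello(ssl);
#else
        WOLFSSL_MSG("Client using higher version, fatal error");
        ret = VERSION_ERROR;
#endif

        WOLFSSL_LEAVE("DoTls13ServerHello", ret);

        return ret;
    }

#ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
    if (sessIdSz == 0)
        return INVALID_PARAMETER;
    if (ssl->session.sessionIDSz != 0) {
        if (ssl->session.sessionIDSz != sessIdSz ||
                   XMEMCMP(ssl->session.sessionID, sessId, sessIdSz) != 0) {
            return INVALID_PARAMETER;
        }
    }
    /* sessIdSz comes from the peer and is bounded only by helloSz (up to 255).
     * Reject anything longer than the random before using it as the compare
     * length, so the compare cannot run past clientRandom (assumed to hold
     * RAN_LEN bytes, like serverRandom above - confirm against Arrays).
     */
    else if (sessIdSz > RAN_LEN ||
             XMEMCMP(ssl->arrays->clientRandom, sessId, sessIdSz) != 0)
        return INVALID_PARAMETER;
#else
    /* The echoed session id must equal the one held in ssl->session. */
    if (sessIdSz != ssl->session.sessionIDSz || (sessIdSz > 0 &&
                  XMEMCMP(ssl->session.sessionID, sessId, sessIdSz) != 0)) {
        WOLFSSL_MSG("Server sent different session id");
        return INVALID_PARAMETER;
    }
#endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */
#endif

    ret = SetCipherSpecs(ssl);
    if (ret != 0)
        return ret;
#ifdef HAVE_NULL_CIPHER
    /* The two integrity-only suites are accepted under ECC_BYTE. */
    if (ssl->options.cipherSuite0 == ECC_BYTE &&
                         (ssl->options.cipherSuite == TLS_SHA256_SHA256 ||
                          ssl->options.cipherSuite == TLS_SHA384_SHA384)) {
        ;
    }
    else
#endif
    /* Check that the negotiated ciphersuite matches protocol version. */
    if (ssl->options.cipherSuite0 != TLS13_BYTE) {
        WOLFSSL_MSG("Server sent non-TLS13 cipher suite in TLS 1.3 packet");
        return INVALID_PARAMETER;
    }

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
#ifndef WOLFSSL_TLS13_DRAFT_18
    if (*extMsgType == server_hello)
#endif
    {
        /* Find the PSK entry marked as chosen, if any. */
        ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
        if (ext != NULL)
            psk = (PreSharedKey*)ext->data;
        while (psk != NULL && !psk->chosen)
            psk = psk->next;
        if (psk == NULL) {
            /* No PSK chosen: not resuming, clear the PSK key buffer. */
            ssl->options.resuming = 0;
            ssl->arrays->psk_keySz = 0;
            XMEMSET(ssl->arrays->psk_key, 0, MAX_PSK_KEY_LEN);
        }
        else if ((ret = SetupPskKey(ssl, psk)) != 0)
            return ret;
    }
#endif

#ifdef WOLFSSL_TLS13_DRAFT_18
    ssl->keys.encryptionOn = 1;
#else
    if (*extMsgType == server_hello) {
        ssl->keys.encryptionOn = 1;
        ssl->options.serverState = SERVER_HELLO_COMPLETE;
    }
    else {
        /* HelloRetryRequest: record the state and restart the hash. */
        ssl->options.tls1_3 = 1;
        ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;

        ret = RestartHandshakeHash(ssl);
    }
#endif

    WOLFSSL_LEAVE("DoTls13ServerHello", ret);
    WOLFSSL_END(WC_FUNC_SERVER_HELLO_DO);

    return ret;
}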
wolfSSL 15:117db924cf7c 3287
/* Handle processing of a TLS 1.3 encrypted_extensions (8) message.
 * Only a client will receive this message.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of
 *           EncryptedExtensions.
 *           On exit, the index of byte after the EncryptedExtensions
 *           message, including the encryption padding.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input,
                                      word32* inOutIdx, word32 totalSz)
{
    int          ret;
    const word32 start = *inOutIdx;
    word32       idx = start;
    word16       extLen;

    WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_DO);
    WOLFSSL_ENTER("DoTls13EncryptedExtensions");

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName(ssl, "EncryptedExtensions");
    if (ssl->toInfoOn)
        AddLateName("EncryptedExtensions", &ssl->timeoutInfo);
#endif

    /* Length field of extension data. */
    if (totalSz < idx - start + OPAQUE16_LEN)
        return BUFFER_ERROR;
    ato16(&input[idx], &extLen);
    idx += OPAQUE16_LEN;

    /* Extension data must lie entirely inside the handshake message. */
    if (idx - start + extLen > totalSz)
        return BUFFER_ERROR;
    ret = TLSX_Parse(ssl, (byte *)(input + idx), extLen, encrypted_extensions,
                     NULL);
    if (ret != 0)
        return ret;

    /* Move index to byte after message. */
    *inOutIdx = idx + extLen;

    /* Always encrypted. */
    *inOutIdx += ssl->keys.padSz;

#ifdef WOLFSSL_EARLY_DATA
    /* Early data stays enabled only when the server's EarlyData extension is
     * present with a non-zero val.
     */
    if (ssl->earlyData != no_early_data) {
        TLSX* earlyExt = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);

        if (earlyExt == NULL || !earlyExt->val)
            ssl->earlyData = no_early_data;
    }

    if (ssl->earlyData == no_early_data) {
        ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
        if (ret != 0)
            return ret;
    }
#endif

    ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;

    WOLFSSL_LEAVE("DoTls13EncryptedExtensions", ret);
    WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_DO);

    return ret;
}
wolfSSL 15:117db924cf7c 3359
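/* Handle processing of a TLS v1.3 certificate_request (13) message.
 * This message is always encrypted.
 * Only a client will receive this message.
 *
 * Every length field is taken from the peer's message and is checked against
 * size before the data it describes is read or skipped.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of CertificateRequest.
 *           On exit, the index of byte after the CertificateRequest message,
 *           including the encryption padding.
 * size      The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
                                     word32* inOutIdx, word32 size)
{
    word16      len;
    word32      begin = *inOutIdx;
    int         ret = 0;
#ifndef WOLFSSL_TLS13_DRAFT_18
    Suites      peerSuites;
#endif
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    CertReqCtx* certReqCtx;
#endif

    WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_DO);
    WOLFSSL_ENTER("DoTls13CertificateRequest");

#ifndef WOLFSSL_TLS13_DRAFT_18
    XMEMSET(&peerSuites, 0, sizeof(Suites));
#endif
#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateRequest");
    if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo);
#endif

    if ((*inOutIdx - begin) + OPAQUE8_LEN > size)
        return BUFFER_ERROR;

    /* Length of the request context. */
    len = input[(*inOutIdx)++];
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    /* A non-empty context is refused until connectState reaches
     * FINISHED_DONE.
     */
    if (ssl->options.connectState < FINISHED_DONE && len > 0)
        return BUFFER_ERROR;

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    /* CertReqCtx has one byte at end for context value.
     * Increase size to handle other implementations sending more than one byte.
     * That is, allocate extra space, over one byte, to hold the context value.
     */
    certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx) + len - 1, ssl->heap,
                                      DYNAMIC_TYPE_TMP_BUFFER);
    if (certReqCtx == NULL)
        return MEMORY_E;
    /* Linked onto the ssl object before the rest of the message is parsed, so
     * it stays reachable through ssl->certReqCtx on the error returns below.
     */
    certReqCtx->next = ssl->certReqCtx;
    certReqCtx->len = len;
    XMEMCPY(&certReqCtx->ctx, input + *inOutIdx, len);
    ssl->certReqCtx = certReqCtx;
#endif
    *inOutIdx += len;

#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Signature and hash algorithms. */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    /* A failed algorithm pick is fatal only when a certificate and key are
     * loaded.
     */
    if (PickHashSigAlgo(ssl, input + *inOutIdx, len) != 0 &&
             ssl->buffers.certificate && ssl->buffers.certificate->buffer &&
             ssl->buffers.key && ssl->buffers.key->buffer) {
        return INVALID_PARAMETER;
    }
    *inOutIdx += len;

    /* Length of certificate authority data. */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;

    /* Certificate authorities. */
    while (len) {
        word16 dnSz;

        if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
            return BUFFER_ERROR;

        ato16(input + *inOutIdx, &dnSz);
        *inOutIdx += OPAQUE16_LEN;

        if ((*inOutIdx - begin) + dnSz > size)
            return BUFFER_ERROR;
        /* Each entry must fit in what is left of the list. Without this the
         * 16-bit subtraction below wraps and the loop walks past the end of
         * the list into the following fields.
         */
        if (OPAQUE16_LEN + dnSz > len)
            return BUFFER_ERROR;

        *inOutIdx += dnSz;
        len -= OPAQUE16_LEN + dnSz;
    }

    /* Certificate extensions */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    *inOutIdx += len;
#else
    /* TODO: Add support for more extensions:
     *   signed_certificate_timestamp, certificate_authorities, oid_filters.
     */
    /* Certificate extensions */
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &len);
    *inOutIdx += OPAQUE16_LEN;
    if ((*inOutIdx - begin) + len > size)
        return BUFFER_ERROR;
    /* An empty extension block is rejected. */
    if (len == 0)
        return INVALID_PARAMETER;
    if ((ret = TLSX_Parse(ssl, (byte *)(input + *inOutIdx), len,
                          certificate_request, &peerSuites))) {
        return ret;
    }
    *inOutIdx += len;
#endif

    /* Send a certificate only when one is loaded together with a private key
     * (or, with PK callbacks, when wolfSSL_CTX_IsPrivatePkSet() is true);
     * otherwise answer with a blank certificate.
     */
    if (ssl->buffers.certificate && ssl->buffers.certificate->buffer &&
        ((ssl->buffers.key && ssl->buffers.key->buffer)
        #ifdef HAVE_PK_CALLBACKS
            || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
        #endif
        )) {
#ifndef WOLFSSL_TLS13_DRAFT_18
        if (PickHashSigAlgo(ssl, peerSuites.hashSigAlgo,
                            peerSuites.hashSigAlgoSz) != 0) {
            return INVALID_PARAMETER;
        }
#endif
        ssl->options.sendVerify = SEND_CERT;
    }
    else {
        ssl->options.sendVerify = SEND_BLANK_CERT;
    }

    /* This message is always encrypted so add encryption padding. */
    *inOutIdx += ssl->keys.padSz;

    WOLFSSL_LEAVE("DoTls13CertificateRequest", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_DO);

    return ret;
}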
wolfSSL 15:117db924cf7c 3516
wolfSSL 15:117db924cf7c 3517 #endif /* !NO_WOLFSSL_CLIENT */
wolfSSL 15:117db924cf7c 3518
wolfSSL 15:117db924cf7c 3519 #ifndef NO_WOLFSSL_SERVER
wolfSSL 15:117db924cf7c 3520 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
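/* Refine list of supported cipher suites to those common to server and client.
 *
 * The result keeps the order of ssl->suites. Each local suite is written at
 * most once, even when the peer lists it repeatedly, and writing stops once
 * the temporary buffer is full, so repeated entries in either list cannot
 * push the write index past WOLFSSL_MAX_SUITE_SZ.
 *
 * ssl         SSL/TLS object.
 * peerSuites  The peer's advertised list of supported cipher suites.
 */
static void RefineSuites(WOLFSSL* ssl, Suites* peerSuites)
{
    byte   suites[WOLFSSL_MAX_SUITE_SZ];
    int    suiteSz = 0;
    word16 i, j;

    XMEMSET(suites, 0, WOLFSSL_MAX_SUITE_SZ);

    /* Suites are two bytes each; stop when no further pair fits. */
    for (i = 0; i < ssl->suites->suiteSz &&
                suiteSz + 2 <= WOLFSSL_MAX_SUITE_SZ; i += 2) {
        for (j = 0; j < peerSuites->suiteSz; j += 2) {
            if (ssl->suites->suites[i+0] == peerSuites->suites[j+0] &&
                ssl->suites->suites[i+1] == peerSuites->suites[j+1]) {
                suites[suiteSz++] = peerSuites->suites[j+0];
                suites[suiteSz++] = peerSuites->suites[j+1];
                /* First match is enough; duplicates in the peer's list
                 * must not be copied again.
                 */
                break;
            }
        }
    }

    ssl->suites->suiteSz = suiteSz;
    XMEMCPY(ssl->suites->suites, &suites, sizeof(suites));
}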
wolfSSL 15:117db924cf7c 3547
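/* Handle any Pre-Shared Key (PSK) extension.
 * Must do this in ClientHello as it requires a hash of the truncated message.
 * Don't know size of binders until Pre-Shared Key extension has been parsed.
 *
 * The offered identities are walked in order. Each one is tried as a session
 * ticket (HAVE_SESSION_TICKET) and otherwise handed to the server PSK
 * callbacks (unless NO_PSK). For the first identity that yields a key and an
 * acceptable cipher suite, the binder is recomputed over the truncated
 * ClientHello and compared in constant time; a mismatch fails with BAD_BINDER
 * instead of moving on to the next identity.
 *
 * ssl       The SSL/TLS object.
 * input     The ClientHello message.
 * helloSz   The size of the ClientHello message (including binders if present).
 * usingPSK  Set to 1 when a PSK was selected; not written otherwise.
 * returns 0 on success and otherwise failure.
 */
static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
                           int* usingPSK)
{
    int           ret;
    TLSX*         ext;
    word16        bindersLen;
    PreSharedKey* current;
    byte          binderKey[WC_MAX_DIGEST_SIZE];
    byte          binder[WC_MAX_DIGEST_SIZE];
    word32        binderLen;
    word16        modes;
    byte          suite[2];
#ifdef WOLFSSL_EARLY_DATA
    int           pskCnt = 0;
    TLSX*         extEarlyData;
#endif
#ifndef NO_PSK
    const char*   cipherName = NULL;
    byte          cipherSuite0 = TLS13_BYTE;
    byte          cipherSuite = WOLFSSL_DEF_PSK_CIPHER;
#endif

    WOLFSSL_ENTER("DoPreSharedKeys");

    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
    if (ext == NULL) {
        /* No PSK extension, so no binders: hash the whole ClientHello. */
        ret = HashInput(ssl, input, helloSz);
        return ret;
    }

    /* Extensions pushed on stack/list and PSK must be last. */
    if (ssl->extensions != ext)
        return PSK_KEY_ERROR;

    /* Assume we are going to resume with a pre-shared key. */
    ssl->options.resuming = 1;

    /* Find the pre-shared key extension and calculate hash of truncated
     * ClientHello for binders.
     */
    ret = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
                                           client_hello, &bindersLen);
    if (ret < 0)
        return ret;
    /* The binders are the tail of the message. A size larger than the message
     * would make the unsigned subtractions below wrap. */
    if (bindersLen > helloSz)
        return BUFFER_ERROR;

    /* Hash data up to binders for deriving binders in PSK extension. */
    ret = HashInput(ssl, input, helloSz - bindersLen);
    if (ret != 0)
        return ret;

    /* Look through all client's pre-shared keys for a match. */
    current = (PreSharedKey*)ext->data;
    while (current != NULL) {
    #ifdef WOLFSSL_EARLY_DATA
        pskCnt++;
    #endif

    #ifndef NO_PSK
        /* Identity length comes from the peer; bound it before the copy and
         * the terminator write. */
        if (current->identityLen > MAX_PSK_ID_LEN) {
            return BUFFER_ERROR;
        }
        XMEMCPY(ssl->arrays->client_identity, current->identity,
                current->identityLen);
        ssl->arrays->client_identity[current->identityLen] = '\0';
    #endif

    #ifdef HAVE_SESSION_TICKET
        /* Decode the identity. */
        if ((ret = DoClientTicket(ssl, current->identity, current->identityLen))
                                                   == WOLFSSL_TICKET_RET_OK) {
            word32 now;
            int    diff;

            now = TimeNowInMilliseconds();
            if (now == (word32)GETTIME_ERROR)
                return now;
            diff = now - ssl->session.ticketSeen;
            diff -= current->ticketAge - ssl->session.ticketAdd;
            /* Check session and ticket age timeout.
             * Allow +/- 1000 milliseconds on ticket age.
             */
            if (diff > (int)ssl->timeout * 1000 || diff < -1000 ||
                               diff - MAX_TICKET_AGE_SECS * 1000 > 1000) {
                /* Invalid difference, fallback to full handshake.
                 * Clearing current makes this exit take the "no PSK selected"
                 * path after the loop. Leaving it set would carry on as if
                 * this identity had been accepted, although its binder was
                 * never checked.
                 */
                ssl->options.resuming = 0;
                current = NULL;
                break;
            }

            /* Check whether resumption is possible based on suites in SSL and
             * ciphersuite in ticket.
             */
            suite[0] = ssl->session.cipherSuite0;
            suite[1] = ssl->session.cipherSuite;
            if (!FindSuiteSSL(ssl, suite)) {
                current = current->next;
                continue;
            }

        #ifdef WOLFSSL_EARLY_DATA
            ssl->options.maxEarlyDataSz = ssl->session.maxEarlyDataSz;
        #endif
            /* Use the same cipher suite as before and set up for use. */
            ssl->options.cipherSuite0 = ssl->session.cipherSuite0;
            ssl->options.cipherSuite  = ssl->session.cipherSuite;
            ret = SetCipherSpecs(ssl);
            if (ret != 0)
                return ret;

            /* Resumption PSK is resumption master secret. */
            ssl->arrays->psk_keySz = ssl->specs.hash_size;
        #ifdef WOLFSSL_TLS13_DRAFT_18
            XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret,
                    ssl->arrays->psk_keySz);
        #else
            if ((ret = DeriveResumptionPSK(ssl, ssl->session.ticketNonce.data,
                   ssl->session.ticketNonce.len, ssl->arrays->psk_key)) != 0) {
                return ret;
            }
        #endif

            /* Derive the early secret using the PSK. */
            ret = DeriveEarlySecret(ssl);
            if (ret != 0)
                return ret;
            /* Derive the binder key to use with HMAC. */
            ret = DeriveBinderKeyResume(ssl, binderKey);
            if (ret != 0)
                return ret;
        }
        else
    #endif
    #ifndef NO_PSK
        if ((ssl->options.server_psk_tls13_cb != NULL &&
             (ssl->arrays->psk_keySz = ssl->options.server_psk_tls13_cb(ssl,
                             ssl->arrays->client_identity, ssl->arrays->psk_key,
                             MAX_PSK_KEY_LEN, &cipherName)) != 0 &&
             GetCipherSuiteFromName(cipherName, &cipherSuite0,
                                                          &cipherSuite) == 0) ||
            (ssl->options.server_psk_cb != NULL &&
             (ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
                             ssl->arrays->client_identity, ssl->arrays->psk_key,
                             MAX_PSK_KEY_LEN)) != 0)) {
            /* The callback reports the key size; reject one that claims more
             * than the key buffer it was given. */
            if (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN)
                return PSK_KEY_ERROR;

            /* Check whether PSK ciphersuite is in SSL. */
            suite[0] = cipherSuite0;
            suite[1] = cipherSuite;
            if (!FindSuiteSSL(ssl, suite)) {
                current = current->next;
                continue;
            }

            /* Key came from a PSK callback rather than a ticket, so this is
             * not a session resumption. */
            ssl->options.resuming = 0;

            /* PSK age is always zero. */
            if (current->ticketAge != ssl->session.ticketAdd)
                return PSK_KEY_ERROR;

            /* Set PSK ciphersuite into SSL. */
            ssl->options.cipherSuite0 = cipherSuite0;
            ssl->options.cipherSuite  = cipherSuite;
            ret = SetCipherSpecs(ssl);
            if (ret != 0)
                return ret;

            /* Derive the early secret using the PSK. */
            ret = DeriveEarlySecret(ssl);
            if (ret != 0)
                return ret;
            /* Derive the binder key to use with HMAC. */
            ret = DeriveBinderKey(ssl, binderKey);
            if (ret != 0)
                return ret;
        }
        else
    #endif
        {
            /* Identity is neither a usable ticket nor known to a callback. */
            current = current->next;
            continue;
        }

        ssl->options.sendVerify = 0;

        /* Derive the Finished message secret. */
        ret = DeriveFinishedSecret(ssl, binderKey,
                                   ssl->keys.client_write_MAC_secret);
        if (ret != 0)
            return ret;

        /* Derive the binder and compare with the one in the extension.
         * The binder is a MAC over the truncated ClientHello, so the
         * comparison is done in constant time.
         */
        ret = BuildTls13HandshakeHmac(ssl,
                         ssl->keys.client_write_MAC_secret, binder, &binderLen);
        if (ret != 0)
            return ret;
        if (binderLen != current->binderLen ||
                ConstantCompare(binder, current->binder, (int)binderLen) != 0) {
            return BAD_BINDER;
        }

        /* This PSK works, no need to try any more. */
        current->chosen = 1;
        ext->resp = 1;
        break;
    }

    /* Hash the rest of the ClientHello. */
    ret = HashInputRaw(ssl, input + helloSz - bindersLen, bindersLen);
    if (ret != 0)
        return ret;

    /* No identity was selected. */
    if (current == NULL) {
#ifdef WOLFSSL_PSK_ID_PROTECTION
    #ifndef NO_CERTS
        if (ssl->buffers.certChainCnt != 0)
            return 0;
    #endif
        return BAD_BINDER;
#else
        return 0;
#endif
    }

#ifdef WOLFSSL_EARLY_DATA
    extEarlyData = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
    if (extEarlyData != NULL) {
        /* Early data is only accepted when the selected PSK is the first one
         * the client offered. */
        if (ssl->earlyData != no_early_data && current == ext->data) {
            extEarlyData->resp = 1;

            /* Derive early data decryption key. */
            ret = DeriveTls13Keys(ssl, early_data_key, DECRYPT_SIDE_ONLY, 1);
            if (ret != 0)
                return ret;
            if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
                return ret;

            ssl->earlyData = process_early_data;
        }
        else
            extEarlyData->resp = 0;
    }
#endif

    /* Get the PSK key exchange modes the client wants to negotiate. */
    ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
    if (ext == NULL)
        return MISSING_HANDSHAKE_DATA;
    modes = ext->val;

    ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
    /* Use (EC)DHE for forward-security if possible. */
    if ((modes & (1 << PSK_DHE_KE)) != 0 && !ssl->options.noPskDheKe &&
                                                                  ext != NULL) {
        /* Only use named group used in last session. */
        ssl->namedGroup = ssl->session.namedGroup;

        /* Pick key share and Generate a new key if not present. */
        ret = TLSX_KeyShare_Establish(ssl);
        if (ret == KEY_SHARE_ERROR) {
            /* No usable share from the client: not fatal here, the server
             * state is moved to the HelloRetryRequest step instead. */
            ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
            ret = 0;
        }
        else if (ret < 0)
            return ret;

        /* Send new public key to client. */
        ext->resp = 1;
    }
    else {
        /* PSK-only key exchange must have been offered by the client. */
        if ((modes & (1 << PSK_KE)) == 0)
            return PSK_KEY_ERROR;
        ssl->options.noPskDheKe = 1;
        ssl->arrays->preMasterSz = 0;
    }

    *usingPSK = 1;

    WOLFSSL_LEAVE("DoPreSharedKeys", ret);

    return ret;
}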
wolfSSL 15:117db924cf7c 3841 #endif
wolfSSL 15:117db924cf7c 3842
wolfSSL 15:117db924cf7c 3843 #if !defined(WOLFSSL_TLS13_DRAFT_18) && defined(WOLFSSL_SEND_HRR_COOKIE)
/* Verify the integrity of the cookie data.
 *
 * The cookie is expected to end with an HMAC over everything before it, keyed
 * with ssl->buffers.tls13CookieSecret. The MAC is recomputed and compared in
 * constant time.
 *
 * ssl       SSL/TLS object.
 * cookie    The cookie data followed by its MAC.
 * cookieSz  The length of the cookie in bytes, MAC included.
 * returns the length of the cookie without the trailing MAC on success,
 * otherwise failure.
 */
static int CheckCookie(WOLFSSL* ssl, byte* cookie, byte cookieSz)
{
    int  ret;
    byte expected[WC_MAX_DIGEST_SIZE] = {0};
    Hmac hmac;
    byte hashType = 0;
    byte tagSz = 0;
    byte dataSz;

    /* SHA-256 is used whenever it is built in; SHA only when it is not. */
#ifndef NO_SHA256
    hashType = WC_SHA256;
    tagSz = WC_SHA256_DIGEST_SIZE;
#elif !defined(NO_SHA)
    hashType = SHA;
    tagSz = WC_SHA_DIGEST_SIZE;
#endif

    /* Must hold at least a handshake hash and the MAC. */
    if (cookieSz < ssl->specs.hash_size + tagSz)
        return HRR_COOKIE_ERROR;
    dataSz = (byte)(cookieSz - tagSz);
    XMEMSET(&hmac, 0, sizeof(hmac));

    ret = wc_HmacSetKey(&hmac, hashType,
                        ssl->buffers.tls13CookieSecret.buffer,
                        ssl->buffers.tls13CookieSecret.length);
    if (ret == 0)
        ret = wc_HmacUpdate(&hmac, cookie, dataSz);
    if (ret == 0)
        ret = wc_HmacFinal(&hmac, expected);
    if (ret != 0)
        return ret;

    /* The received MAC is the last tagSz bytes of the cookie. */
    return (ConstantCompare(cookie + dataSz, expected, tagSz) == 0)
               ? dataSz : HRR_COOKIE_ERROR;
}
wolfSSL 15:117db924cf7c 3887
/* KeyShare extension of a HelloRetryRequest:
 * extension type | extension length | group */
#define HRR_KEY_SHARE_SZ    (3 * OPAQUE16_LEN)
/* Supported Versions extension of a HelloRetryRequest:
 * extension type | extension length | version */
#define HRR_VERSIONS_SZ     (3 * OPAQUE16_LEN)
/* Cookie extension without the cookie data:
 * extension type | extension length | cookie length */
#define HRR_COOKIE_HDR_SZ   (3 * OPAQUE16_LEN)
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* PV | CipherSuite | Ext Len */
    #define HRR_BODY_SZ     (3 * OPAQUE16_LEN)
    /* HH | PV | CipherSuite | Ext Len | Key Share | Cookie */
    #define MAX_HRR_SZ      (HANDSHAKE_HEADER_SZ + HRR_BODY_SZ + \
                             HRR_KEY_SHARE_SZ + HRR_COOKIE_HDR_SZ)
#else
    /* PV | Random | Session Id | CipherSuite | Compression | Ext Len */
    #define HRR_BODY_SZ     (VERSION_SZ + RAN_LEN + ENUM_LEN + ID_LEN + \
                             SUITE_LEN + COMP_LEN + OPAQUE16_LEN)
    /* HH | body (see HRR_BODY_SZ) | Key Share | Supported Version | Cookie */
    #define MAX_HRR_SZ      (HANDSHAKE_HEADER_SZ + HRR_BODY_SZ + \
                             HRR_KEY_SHARE_SZ + HRR_VERSIONS_SZ + \
                             HRR_COOKIE_HDR_SZ)
#endif
wolfSSL 15:117db924cf7c 3913
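/* Restart the handshake hash from the cookie value.
 *
 * The cookie is authenticated with CheckCookie() first. Its data is then read
 * as: hash length (1 byte) | hash | cipher suite (2 bytes) | optional key
 * share group (2 bytes). The transcript is rebuilt from a synthetic
 * message_hash message, a reconstructed HelloRetryRequest and the cookie.
 *
 * ssl     SSL/TLS object.
 * cookie  Cookie data from client.
 * returns 0 on success, otherwise failure.
 */
static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
{
    byte   header[HANDSHAKE_HEADER_SZ] = {0};
    byte   hrr[MAX_HRR_SZ] = {0};
    int    hrrIdx;
    word32 idx;
    byte   hashSz;
    byte*  cookieData;
    byte   cookieDataSz;
    word16 length;
    int    keyShareExt = 0;
    int    ret;

    /* Authenticate the cookie before any of its fields are used.
     * NOTE(review): CheckCookie takes the length as a byte; confirm that
     * cookie->len cannot exceed 255 here.
     */
    ret = CheckCookie(ssl, &cookie->data, cookie->len);
    if (ret < 0)
        return ret;
    cookieDataSz = (byte)ret;
    /* First byte of the cookie data is the length of the hash after it. */
    hashSz = cookie->data;
    cookieData = &cookie->data;
    idx = OPAQUE8_LEN;

    /* Length byte, hash and cipher suite are always read below; make sure the
     * authenticated data really covers them. */
    if (cookieDataSz < OPAQUE8_LEN + hashSz + OPAQUE16_LEN)
        return HRR_COOKIE_ERROR;

    /* Restart handshake hash with synthetic message hash. */
    AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl);
    if ((ret = InitHandshakeHashes(ssl)) != 0)
        return ret;
    if ((ret = HashOutputRaw(ssl, header, sizeof(header))) != 0)
        return ret;
    if ((ret = HashOutputRaw(ssl, cookieData + idx, hashSz)) != 0)
        return ret;

    /* Reconstruct the HelloRetryMessage for handshake hash. */
#ifdef WOLFSSL_TLS13_DRAFT_18
    length = HRR_BODY_SZ + HRR_COOKIE_HDR_SZ + cookie->len;
#else
    length = HRR_BODY_SZ - ID_LEN + ssl->session.sessionIDSz +
             HRR_COOKIE_HDR_SZ + cookie->len;
    length += HRR_VERSIONS_SZ;
#endif
    /* A key share group is present only when data remains after the length
     * byte, the hash and the cipher suite. The length byte has to be counted,
     * otherwise a cookie without a group would be read as having one. */
    if (cookieDataSz > OPAQUE8_LEN + hashSz + OPAQUE16_LEN) {
        keyShareExt = 1;
        length += HRR_KEY_SHARE_SZ;
    }
#ifdef WOLFSSL_TLS13_DRAFT_18
    AddTls13HandShakeHeader(hrr, length, 0, 0, hello_retry_request, ssl);

    idx += hashSz;
    hrrIdx = HANDSHAKE_HEADER_SZ;
    /* The negotiated protocol version. */
    hrr[hrrIdx++] = TLS_DRAFT_MAJOR;
    hrr[hrrIdx++] = TLS_DRAFT_MINOR;
    /* Cipher Suite */
    hrr[hrrIdx++] = cookieData[idx++];
    hrr[hrrIdx++] = cookieData[idx++];

    /* Extensions' length */
    length -= HRR_BODY_SZ;
    c16toa(length, hrr + hrrIdx);
    hrrIdx += 2;
#else
    AddTls13HandShakeHeader(hrr, length, 0, 0, server_hello, ssl);

    idx += hashSz;
    hrrIdx = HANDSHAKE_HEADER_SZ;

    /* The negotiated protocol version. */
    hrr[hrrIdx++] = ssl->version.major;
    hrr[hrrIdx++] = TLSv1_2_MINOR;

    /* HelloRetryRequest message has fixed value for random. */
    XMEMCPY(hrr + hrrIdx, helloRetryRequestRandom, RAN_LEN);
    hrrIdx += RAN_LEN;

    hrr[hrrIdx++] = ssl->session.sessionIDSz;
    if (ssl->session.sessionIDSz > 0) {
        XMEMCPY(hrr + hrrIdx, ssl->session.sessionID, ssl->session.sessionIDSz);
        hrrIdx += ssl->session.sessionIDSz;
    }

    /* Cipher Suite */
    hrr[hrrIdx++] = cookieData[idx++];
    hrr[hrrIdx++] = cookieData[idx++];

    /* Compression not supported in TLS v1.3. */
    hrr[hrrIdx++] = 0;

    /* Extensions' length */
    length -= HRR_BODY_SZ - ID_LEN + ssl->session.sessionIDSz;
    c16toa(length, hrr + hrrIdx);
    hrrIdx += 2;

#endif
    /* Optional KeyShare Extension */
    if (keyShareExt) {
        c16toa(TLSX_KEY_SHARE, hrr + hrrIdx);
        hrrIdx += 2;
        c16toa(OPAQUE16_LEN, hrr + hrrIdx);
        hrrIdx += 2;
        hrr[hrrIdx++] = cookieData[idx++];
        hrr[hrrIdx++] = cookieData[idx++];
    }
#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Supported Versions Extension */
    c16toa(TLSX_SUPPORTED_VERSIONS, hrr + hrrIdx);
    hrrIdx += 2;
    c16toa(OPAQUE16_LEN, hrr + hrrIdx);
    hrrIdx += 2;
    #ifdef WOLFSSL_TLS13_DRAFT
        hrr[hrrIdx++] = TLS_DRAFT_MAJOR;
        hrr[hrrIdx++] = TLS_DRAFT_MINOR;
    #else
        hrr[hrrIdx++] = ssl->version.major;
        hrr[hrrIdx++] = ssl->version.minor;
    #endif
#endif
    /* Mandatory Cookie Extension */
    c16toa(TLSX_COOKIE, hrr + hrrIdx);
    hrrIdx += 2;
    c16toa(cookie->len + OPAQUE16_LEN, hrr + hrrIdx);
    hrrIdx += 2;
    c16toa(cookie->len, hrr + hrrIdx);
    hrrIdx += 2;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("Reconstucted HelloRetryRequest");
    WOLFSSL_BUFFER(hrr, hrrIdx);
    WOLFSSL_MSG("Cookie");
    WOLFSSL_BUFFER(cookieData, cookie->len);
#endif

    /* The cookie bytes follow the reconstructed header in the transcript. */
    if ((ret = HashOutputRaw(ssl, hrr, hrrIdx)) != 0)
        return ret;
    return HashOutputRaw(ssl, cookieData, cookie->len);
}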
wolfSSL 15:117db924cf7c 4051 #endif
wolfSSL 15:117db924cf7c 4052
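/* Find and process the SupportedVersions extension of a ClientHello.
 *
 * Skips the client random, session id, cipher suites and compression methods,
 * checking each length against helloSz, then hands the extensions to
 * TLSX_ParseVersion().
 *
 * ssl            The SSL/TLS object.
 * input          The message buffer.
 * i              The index into the message buffer of ClientHello. Every bound
 *                below compares it with helloSz directly, so it is presumably
 *                relative to the start of the message - confirm against the
 *                caller.
 * helloSz        The length of the current handshake message.
 * wantDowngrade  Set to non-zero when no version was found in the extensions
 *                or the resulting ssl->version is below TLS v1.3.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13SupportedVersions(WOLFSSL* ssl, const byte* input, word32 i,
                                    word32 helloSz, int* wantDowngrade)
{
    int    ret;
    byte   b;
    word16 suiteSz;
    word16 totalExtSz;
    int    foundVersion = 0;

    /* The session id length byte sits right after the client random; make
     * sure it is inside the message before it is read. */
    if (i + RAN_LEN + OPAQUE8_LEN > helloSz)
        return BUFFER_ERROR;
    /* Client random */
    i += RAN_LEN;
    /* Session id - not used in TLS v1.3 */
    b = input[i++];
    if (i + b > helloSz) {
        return BUFFER_ERROR;
    }
    i += b;
    /* Cipher suites */
    if (i + OPAQUE16_LEN > helloSz)
        return BUFFER_ERROR;
    ato16(input + i, &suiteSz);
    i += OPAQUE16_LEN;
    /* The extra byte is the compression methods length read below. */
    if (i + suiteSz + 1 > helloSz)
        return BUFFER_ERROR;
    i += suiteSz;
    /* Compression */
    b = input[i++];
    if (i + b > helloSz)
        return BUFFER_ERROR;
    i += b;

    /* TLS 1.3 must have extensions */
    if (i < helloSz) {
        if (i + OPAQUE16_LEN > helloSz)
            return BUFFER_ERROR;
        ato16(&input[i], &totalExtSz);
        i += OPAQUE16_LEN;
        /* Extensions must fill the rest of the message exactly. */
        if (totalExtSz != helloSz - i)
            return BUFFER_ERROR;

        /* Need to negotiate version first. */
        if ((ret = TLSX_ParseVersion(ssl, (byte*)input + i, totalExtSz,
                                     client_hello, &foundVersion))) {
            return ret;
        }
    }
    /* Without extensions foundVersion stays 0, which requests a downgrade. */
    *wantDowngrade = !foundVersion || !IsAtLeastTLSv1_3(ssl->version);

    return 0;
}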
wolfSSL 16:8e0d178b1d1e 4111
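/* Handle a ClientHello handshake message.
 * If the protocol version in the message is not TLS v1.3 or higher, use
 * DoClientHello()
 * Only a server will receive this message.
 *
 * The message is attacker-controlled. helloSz is a length measured from the
 * start of the message (the value of *inOutIdx on entry, kept in 'begin'),
 * so every length field is checked as an offset within the message,
 * (i - begin) + n, before the bytes it describes are read.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of ClientHello.
 *           On exit, the index of byte after the ClientHello message and
 *           padding. Left untouched by this function when it fails before
 *           the extensions have been parsed.
 * helloSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure:
 *         BUFFER_ERROR when a length field runs past helloSz or the suite
 *         list exceeds WOLFSSL_MAX_SUITE_SZ, INVALID_PARAMETER for a bad
 *         legacy version, session id length or compression list,
 *         VERSION_ERROR when a downgrade is needed but not permitted or the
 *         matched suite is not a TLS v1.3 suite, INCOMPLETE_DATA when
 *         KeyShare or SignatureAlgorithms is missing, HRR_COOKIE_ERROR for a
 *         missing or server-originated cookie, or the error of a helper.
 */
int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                       word32 helloSz)
{
    int ret = VERSION_ERROR;
    byte b = 0;
    ProtocolVersion pv;
    Suites clSuites;
    word32 i = *inOutIdx;
    word32 begin = i;
    word16 totalExtSz = 0;
    int usingPSK = 0;
    byte sessIdSz = 0;
    int wantDowngrade = 0;

    WOLFSSL_START(WC_FUNC_CLIENT_HELLO_DO);
    WOLFSSL_ENTER("DoTls13ClientHello");

    XMEMSET(&pv, 0, sizeof(ProtocolVersion));
    XMEMSET(&clSuites, 0, sizeof(Suites));

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello");
    if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo);
#endif

    /* protocol version, random and session id length check */
    if ((i - begin) + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz)
        return BUFFER_ERROR;

    /* Protocol version */
    XMEMCPY(&pv, input + i, OPAQUE16_LEN);
    ssl->chVersion = pv;   /* store */
    i += OPAQUE16_LEN;
    if (pv.major < SSLv3_MAJOR) {
        WOLFSSL_MSG("Legacy version field contains unsupported value");
 #ifdef WOLFSSL_MYSQL_COMPATIBLE
        SendAlert(ssl, alert_fatal, wc_protocol_version);
 #else
        SendAlert(ssl, alert_fatal, protocol_version);
 #endif
        return INVALID_PARAMETER;
    }
    /* Legacy protocol version cannot negotiate TLS 1.3 or higher. */
    if (pv.major > SSLv3_MAJOR || (pv.major == SSLv3_MAJOR &&
                                   pv.minor >= TLSv1_3_MINOR)) {
        /* Treated as a TLS v1.2 offer; the downgrade policy below decides
         * whether that is acceptable. */
        pv.major = SSLv3_MAJOR;
        pv.minor = TLSv1_2_MINOR;
        wantDowngrade = 1;
        ssl->version.minor = pv.minor;
    }
    /* Legacy version must be [ SSLv3_MAJOR, TLSv1_2_MINOR ] for TLS v1.3 */
    else if (pv.major == SSLv3_MAJOR && pv.minor < TLSv1_2_MINOR) {
        wantDowngrade = 1;
        ssl->version.minor = pv.minor;
    }
    else {
        /* Legacy version is exactly TLS v1.2: the helper is handed the
         * message start and the offset reached so far, and sets
         * wantDowngrade from what it finds in the extensions. */
        ret = DoTls13SupportedVersions(ssl, input + begin, i - begin, helloSz,
                                       &wantDowngrade);
        if (ret < 0)
            return ret;
    }
    if (wantDowngrade) {
#ifndef WOLFSSL_NO_TLS12
        /* Downgrade is opt-in and bounded below by minDowngrade. */
        if (!ssl->options.downgrade) {
            WOLFSSL_MSG("Client trying to connect with lesser version than "
                        "TLS v1.3");
            return VERSION_ERROR;
        }

        if (pv.minor < ssl->options.minDowngrade)
            return VERSION_ERROR;

        /* *inOutIdx has not been advanced, so DoClientHello parses the
         * message again from its start after it has been hashed here. */
        if ((ret = HashInput(ssl, input + begin, helloSz)) != 0)
            return ret;
        return DoClientHello(ssl, input, inOutIdx, helloSz);
#else
        WOLFSSL_MSG("Client trying to connect with lesser version than "
                    "TLS v1.3");
        return VERSION_ERROR;
#endif
    }

    /* Client random */
    XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN);
    i += RAN_LEN;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("client random");
    WOLFSSL_BUFFER(ssl->arrays->clientRandom, RAN_LEN);
#endif

#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Session id - empty in TLS v1.3 */
    /* NOTE(review): with downgrade enabled a non-zero length other than
     * ID_LEN passes this check, but the id bytes are only skipped below when
     * the length is ID_LEN - confirm this draft-only path is intended. */
    sessIdSz = input[i++];
    if (sessIdSz > 0 && !ssl->options.downgrade) {
        WOLFSSL_MSG("Client sent session id - not supported");
        return BUFFER_ERROR;
    }
#else
    /* Only an empty or full-length session id is accepted; the value is
     * stored in ssl->session below. */
    sessIdSz = input[i++];
    if (sessIdSz != ID_LEN && sessIdSz != 0)
        return INVALID_PARAMETER;
#endif

    /* Bound the session id by the end of this message. i is an index into
     * input while helloSz is a length counted from begin, so compare the
     * offset within the message, as every other check in this function does.
     */
    if ((i - begin) + sessIdSz > helloSz) {
        return BUFFER_ERROR;
    }

    ssl->session.sessionIDSz = sessIdSz;
    if (sessIdSz == ID_LEN) {
        XMEMCPY(ssl->session.sessionID, input + i, sessIdSz);
        i += ID_LEN;
    }

    /* Cipher suites */
    if ((i - begin) + OPAQUE16_LEN > helloSz)
        return BUFFER_ERROR;
    ato16(&input[i], &clSuites.suiteSz);
    i += OPAQUE16_LEN;
    /* suites and compression length check */
    if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz)
        return BUFFER_ERROR;
    /* Destination bound: must hold before the copy into clSuites.suites. */
    if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ)
        return BUFFER_ERROR;
    XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz);
    i += clSuites.suiteSz;
    clSuites.hashSigAlgoSz = 0;

#ifdef HAVE_SERVER_RENEGOTIATION_INFO
    ret = FindSuite(&clSuites, 0, TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
    if (ret == SUITES_ERROR)
        return BUFFER_ERROR;
    if (ret >= 0) {
        TLSX* extension;

        /* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */
        ret = TLSX_AddEmptyRenegotiationInfo(&ssl->extensions, ssl->heap);
        if (ret != WOLFSSL_SUCCESS)
            return ret;

        extension = TLSX_Find(ssl->extensions, TLSX_RENEGOTIATION_INFO);
        if (extension) {
            ssl->secure_renegotiation = (SecureRenegotiation*)extension->data;
            ssl->secure_renegotiation->enabled = 1;
        }
    }
#endif /* HAVE_SERVER_RENEGOTIATION_INFO */

    /* Compression */
    /* The length byte is covered by the OPAQUE8_LEN term of the suites
     * check above; the check below covers the single method byte. */
    b = input[i++];
    if ((i - begin) + b > helloSz)
        return BUFFER_ERROR;
    if (b != COMP_LEN) {
        WOLFSSL_MSG("Must be one compression type in list");
        return INVALID_PARAMETER;
    }
    b = input[i++];
    if (b != NO_COMPRESSION) {
        WOLFSSL_MSG("Must be no compression type in list");
        return INVALID_PARAMETER;
    }

    /* Extensions */
    /* A ClientHello that ends here carries no extensions and is rejected. */
    if ((i - begin) == helloSz)
        return BUFFER_ERROR;
    if ((i - begin) + OPAQUE16_LEN > helloSz)
        return BUFFER_ERROR;

    ato16(&input[i], &totalExtSz);
    i += OPAQUE16_LEN;
    /* NOTE(review): this accepts an extensions block shorter than the rest
     * of the message, so bytes after it are neither parsed nor consumed,
     * while the version pre-scan helper above this function requires an
     * exact match (totalExtSz != helloSz - i) - confirm the leniency is
     * intended. */
    if ((i - begin) + totalExtSz > helloSz)
        return BUFFER_ERROR;

    /* Auto populate extensions supported unless user defined. */
    if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0)
        return ret;

    /* Parse extensions */
    if ((ret = TLSX_Parse(ssl, (byte*)input + i, totalExtSz, client_hello,
                                                                  &clSuites))) {
        return ret;
    }

#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \
                                                       defined(WOLFSSL_HAPROXY)
    if ((ret = SNI_Callback(ssl)) != 0)
        return ret;
    ssl->options.side = WOLFSSL_SERVER_END;
#endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */

    i += totalExtSz;
    *inOutIdx = i;

    ssl->options.sendVerify = SEND_CERT;

    ssl->options.clientState = CLIENT_HELLO_COMPLETE;
    ssl->options.haveSessionId = 1;

#if !defined(WOLFSSL_TLS13_DRAFT_18) && defined(WOLFSSL_SEND_HRR_COOKIE)
    /* Second ClientHello after a HelloRetryRequest: the cookie is mandatory
     * and the handshake hash is rebuilt from it. */
    if (ssl->options.sendCookie &&
            ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
        TLSX* ext;

        if ((ext = TLSX_Find(ssl->extensions, TLSX_COOKIE)) == NULL)
            return HRR_COOKIE_ERROR;
        /* Ensure the cookie came from client and isn't the one in the
         * response - HelloRetryRequest.
         */
        if (ext->resp == 1)
            return HRR_COOKIE_ERROR;
        ret = RestartHandshakeHashWithCookie(ssl, (Cookie*)ext->data);
        if (ret != 0)
            return ret;
    }
#endif

#if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
                                                    defined(HAVE_TLS_EXTENSIONS)
    if (TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY) != NULL) {
        /* Refine list for PSK processing. */
        RefineSuites(ssl, &clSuites);

        /* Process the Pre-Shared Key extension if present. */
        ret = DoPreSharedKeys(ssl, input + begin, helloSz, &usingPSK);
        if (ret != 0)
            return ret;
    }
    else
#endif
    {
        /* No PSK extension: the whole message is hashed here. On the PSK
         * path the message is passed to DoPreSharedKeys instead. */
#ifdef WOLFSSL_EARLY_DATA
        ssl->earlyData = no_early_data;
#endif
        if ((ret = HashInput(ssl, input + begin, helloSz)) != 0)
            return ret;

    }

    if (!usingPSK) {
        /* Full handshake: both extensions are required from the client. */
        if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) {
            WOLFSSL_MSG("Client did not send a KeyShare extension");
            SendAlert(ssl, alert_fatal, missing_extension);
            return INCOMPLETE_DATA;
        }
        if (TLSX_Find(ssl->extensions, TLSX_SIGNATURE_ALGORITHMS) == NULL) {
            WOLFSSL_MSG("Client did not send a SignatureAlgorithms extension");
            SendAlert(ssl, alert_fatal, missing_extension);
            return INCOMPLETE_DATA;
        }

        if ((ret = MatchSuite(ssl, &clSuites)) < 0) {
            WOLFSSL_MSG("Unsupported cipher suite, ClientHello");
            SendAlert(ssl, alert_fatal, handshake_failure);
            return ret;
        }

        /* Builds with HAVE_NULL_CIPHER exempt the two integrity-only suites
         * (no record encryption) from the TLS13_BYTE check that follows;
         * the dangling 'else' binds to that check. */
    #ifdef HAVE_NULL_CIPHER
        if (ssl->options.cipherSuite0 == ECC_BYTE &&
                              (ssl->options.cipherSuite == TLS_SHA256_SHA256 ||
                               ssl->options.cipherSuite == TLS_SHA384_SHA384)) {
            ;
        }
        else
    #endif
        /* Check that the negotiated ciphersuite matches protocol version. */
        if (ssl->options.cipherSuite0 != TLS13_BYTE) {
            WOLFSSL_MSG("Negotiated ciphersuite from lesser version than "
                        "TLS v1.3");
            SendAlert(ssl, alert_fatal, handshake_failure);
            return VERSION_ERROR;
        }

#ifdef HAVE_SESSION_TICKET
        /* No PSK was accepted, so drop the resumption state and clear the
         * key material held for it. */
        if (ssl->options.resuming) {
            ssl->options.resuming = 0;
            XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size);
        }
#endif

        /* Derive early secret for handshake secret. */
        if ((ret = DeriveEarlySecret(ssl)) != 0)
            return ret;
    }

    WOLFSSL_LEAVE("DoTls13ClientHello", ret);
    WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);

    return ret;
}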
wolfSSL 15:117db924cf7c 4414
wolfSSL 15:117db924cf7c 4415 #ifdef WOLFSSL_TLS13_DRAFT_18
/* Build and queue the TLS 1.3 (draft 18) hello_retry_request (6) message.
 * It carries the draft protocol version followed by the response extensions
 * that tell the client what to change in its next ClientHello.
 * Only a server will send this message.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, MISSING_HANDSHAKE_DATA when the extension size cannot
 * be computed, otherwise the failure of the step that went wrong.
 */
int SendTls13HelloRetryRequest(WOLFSSL* ssl)
{
    int ret;
    byte* msg;
    word32 bodySz;
    word16 extSz = 0;
    word32 pos = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    int sendSz;

    WOLFSSL_ENTER("SendTls13HelloRetryRequest");

    /* Size of the extensions that will be written; any failure here is
     * reported as missing handshake data. */
    ret = TLSX_GetResponseSize(ssl, hello_retry_request, &extSz);
    if (ret != 0) {
        return MISSING_HANDSHAKE_DATA;
    }

    /* Body is the protocol version plus the extensions. */
    bodySz = OPAQUE16_LEN + extSz;
    sendSz = pos + bodySz;

    /* Grow the output buffer first: everything below writes into it. */
    ret = CheckAvailableSize(ssl, sendSz);
    if (ret != 0) {
        return ret;
    }

    /* New message starts after whatever is already queued. */
    msg = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.length;

    /* Record and handshake headers. */
    AddTls13Headers(msg, bodySz, hello_retry_request, ssl);

    /* The negotiated (draft) protocol version. */
    msg[pos] = TLS_DRAFT_MAJOR;
    msg[pos + 1] = TLS_DRAFT_MINOR;
    pos += 2;

    /* TLS extensions; pos then moves past the size computed above. */
    ret = TLSX_WriteResponse(ssl, msg + pos, hello_retry_request, NULL);
    if (ret != 0) {
        return ret;
    }
    pos += extSz;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) {
        AddPacketName(ssl, "HelloRetryRequest");
    }
    if (ssl->toInfoOn) {
        AddPacketInfo(ssl, "HelloRetryRequest", handshake, msg, sendSz,
                      WRITE_PROTO, ssl->heap);
    }
#endif

    /* Hash the message before it is counted as queued output. */
    ret = HashOutput(ssl, msg, pos, 0);
    if (ret != 0) {
        return ret;
    }

    ssl->buffers.outputBuffer.length += sendSz;

    /* Flush now unless messages are being grouped. */
    if (!ssl->options.groupMessages) {
        ret = SendBuffered(ssl);
    }

    WOLFSSL_LEAVE("SendTls13HelloRetryRequest", ret);

    return ret;
}
wolfSSL 15:117db924cf7c 4486 #endif /* WOLFSSL_TLS13_DRAFT_18 */
wolfSSL 15:117db924cf7c 4487
/* Build and queue the TLS v1.3 server_hello (2) message for the client.
 * Outside of draft 18 the same layout is also used for a HelloRetryRequest,
 * selected by extMsgType, with a fixed value in place of the server random.
 * Only a server will send this message.
 *
 * ssl         The SSL/TLS object.
 * extMsgType  The message type whose extensions are written: server_hello
 *             or hello_retry_request.
 * returns 0 on success, otherwise failure.
 */
#ifdef WOLFSSL_TLS13_DRAFT_18
static
#endif
int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType)
{
    int ret;
    byte* msg;
    word16 bodySz;
    word32 pos = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    int sendSz;

    WOLFSSL_START(WC_FUNC_SERVER_HELLO_SEND);
    WOLFSSL_ENTER("SendTls13ServerHello");

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* A HelloRetryRequest restarts the handshake hash before it is built. */
    if (extMsgType == hello_retry_request) {
        WOLFSSL_MSG("wolfSSL Doing HelloRetryRequest");
        ret = RestartHandshakeHash(ssl);
        if (ret < 0) {
            return ret;
        }
    }
#endif

    /* Fixed-size fields first; TLSX_GetResponseSize then adds the size of
     * the extensions. The output buffer is sized from this total, so the
     * writes below have to add up to exactly bodySz. */
#ifdef WOLFSSL_TLS13_DRAFT_18
    /* Protocol version, server random, cipher suite and extensions. */
    bodySz = VERSION_SZ + RAN_LEN + SUITE_LEN;
    ret = TLSX_GetResponseSize(ssl, server_hello, &bodySz);
    if (ret != 0) {
        return ret;
    }
#else
    /* Protocol version, server random, session id, cipher suite, compression
     * and extensions.
     */
    bodySz = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session.sessionIDSz +
             SUITE_LEN + COMP_LEN;
    ret = TLSX_GetResponseSize(ssl, extMsgType, &bodySz);
    if (ret != 0) {
        return ret;
    }
#endif
    sendSz = pos + bodySz;

    /* Grow the output buffer if needed before anything is written. */
    ret = CheckAvailableSize(ssl, sendSz);
    if (ret != 0) {
        return ret;
    }

    /* New message starts after whatever is already queued. */
    msg = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.length;

    /* Record and handshake headers. */
    AddTls13Headers(msg, bodySz, server_hello, ssl);

#ifdef WOLFSSL_TLS13_DRAFT_18
    /* The negotiated protocol version. */
    msg[pos++] = TLS_DRAFT_MAJOR;
    msg[pos++] = TLS_DRAFT_MINOR;
#else
    /* The protocol version must be TLS v1.2 for middleboxes. */
    msg[pos++] = ssl->version.major;
    msg[pos++] = TLSv1_2_MINOR;
#endif

    if (extMsgType == server_hello) {
        /* Fresh server random from the connection's RNG. */
        ret = wc_RNG_GenerateBlock(ssl->rng, msg + pos, RAN_LEN);
        if (ret != 0) {
            return ret;
        }
    }
#ifndef WOLFSSL_TLS13_DRAFT_18
    else {
        /* HelloRetryRequest message has fixed value for random. */
        XMEMCPY(msg + pos, helloRetryRequestRandom, RAN_LEN);
    }
#endif
    /* Keep a copy in the SSL object for debugging. */
    XMEMCPY(ssl->arrays->serverRandom, msg + pos, RAN_LEN);
    pos += RAN_LEN;

#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("Server random");
    WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN);
#endif

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Session id as held in ssl->session: length byte, then the id when
     * one is present. */
    msg[pos++] = ssl->session.sessionIDSz;
    if (ssl->session.sessionIDSz > 0) {
        XMEMCPY(msg + pos, ssl->session.sessionID, ssl->session.sessionIDSz);
        pos += ssl->session.sessionIDSz;
    }
#endif

    /* Chosen cipher suite */
    msg[pos++] = ssl->options.cipherSuite0;
    msg[pos++] = ssl->options.cipherSuite;

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Compression not supported in TLS v1.3. */
    msg[pos++] = 0;
#endif

    /* Extensions */
    ret = TLSX_WriteResponse(ssl, msg + pos, extMsgType, NULL);
    if (ret != 0) {
        return ret;
    }

    /* NOTE(review): the queued length is advanced before HashOutput here,
     * while SendTls13HelloRetryRequest hashes first; on a HashOutput failure
     * the message stays counted in the output buffer - confirm callers
     * abandon the connection in that case. */
    ssl->buffers.outputBuffer.length += sendSz;

    ret = HashOutput(ssl, msg, sendSz, 0);
    if (ret != 0) {
        return ret;
    }

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) {
        AddPacketName(ssl, "ServerHello");
    }
    if (ssl->toInfoOn) {
        AddPacketInfo(ssl, "ServerHello", handshake, msg, sendSz,
                      WRITE_PROTO, ssl->heap);
    }
#endif

#ifdef WOLFSSL_TLS13_DRAFT_18
    ssl->options.serverState = SERVER_HELLO_COMPLETE;
#else
    /* A HelloRetryRequest does not complete the ServerHello state. */
    if (extMsgType == server_hello) {
        ssl->options.serverState = SERVER_HELLO_COMPLETE;
    }
#endif

    /* Flush now unless messages are grouped; outside draft 18 anything
     * other than a real ServerHello is always flushed. */
#ifdef WOLFSSL_TLS13_DRAFT_18
    if (!ssl->options.groupMessages)
#else
    if (!(ssl->options.groupMessages && extMsgType == server_hello))
#endif
    {
        ret = SendBuffered(ssl);
    }

    WOLFSSL_LEAVE("SendTls13ServerHello", ret);
    WOLFSSL_END(WC_FUNC_SERVER_HELLO_SEND);

    return ret;
}
wolfSSL 15:117db924cf7c 4631
wolfSSL 15:117db924cf7c 4632 /* handle generation of TLS 1.3 encrypted_extensions (8) */
wolfSSL 15:117db924cf7c 4633 /* Send the rest of the extensions encrypted under the handshake key.
wolfSSL 15:117db924cf7c 4634 * This message is always encrypted in TLS v1.3.
wolfSSL 15:117db924cf7c 4635 * Only a server will send this message.
wolfSSL 15:117db924cf7c 4636 *
wolfSSL 15:117db924cf7c 4637 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 4638 * returns 0 on success, otherwise failure.
wolfSSL 15:117db924cf7c 4639 */
wolfSSL 15:117db924cf7c 4640 static int SendTls13EncryptedExtensions(WOLFSSL* ssl)
wolfSSL 15:117db924cf7c 4641 {
wolfSSL 15:117db924cf7c 4642 int ret;
wolfSSL 15:117db924cf7c 4643 byte* output;
wolfSSL 15:117db924cf7c 4644 word16 length = 0;
wolfSSL 15:117db924cf7c 4645 word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
wolfSSL 15:117db924cf7c 4646 int sendSz;
wolfSSL 15:117db924cf7c 4647
wolfSSL 15:117db924cf7c 4648 WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND);
wolfSSL 15:117db924cf7c 4649 WOLFSSL_ENTER("SendTls13EncryptedExtensions");
wolfSSL 15:117db924cf7c 4650
wolfSSL 15:117db924cf7c 4651 ssl->keys.encryptionOn = 1;
wolfSSL 15:117db924cf7c 4652
wolfSSL 15:117db924cf7c 4653 #ifndef WOLFSSL_NO_SERVER_GROUPS_EXT
wolfSSL 15:117db924cf7c 4654 if ((ret = TLSX_SupportedCurve_CheckPriority(ssl)) != 0)
wolfSSL 15:117db924cf7c 4655 return ret;
wolfSSL 15:117db924cf7c 4656 #endif
wolfSSL 15:117db924cf7c 4657
wolfSSL 15:117db924cf7c 4658 /* Derive the handshake secret now that we are at first message to be
wolfSSL 15:117db924cf7c 4659 * encrypted under the keys.
wolfSSL 15:117db924cf7c 4660 */
wolfSSL 15:117db924cf7c 4661 if ((ret = DeriveHandshakeSecret(ssl)) != 0)
wolfSSL 15:117db924cf7c 4662 return ret;
wolfSSL 15:117db924cf7c 4663 if ((ret = DeriveTls13Keys(ssl, handshake_key,
wolfSSL 15:117db924cf7c 4664 ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0)
wolfSSL 15:117db924cf7c 4665 return ret;
wolfSSL 15:117db924cf7c 4666
wolfSSL 15:117db924cf7c 4667 /* Setup encrypt/decrypt keys for following messages. */
wolfSSL 15:117db924cf7c 4668 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 4669 if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
wolfSSL 15:117db924cf7c 4670 return ret;
wolfSSL 15:117db924cf7c 4671 if (ssl->earlyData != process_early_data) {
wolfSSL 15:117db924cf7c 4672 if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
wolfSSL 15:117db924cf7c 4673 return ret;
wolfSSL 15:117db924cf7c 4674 }
wolfSSL 15:117db924cf7c 4675 #else
wolfSSL 15:117db924cf7c 4676 if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
wolfSSL 15:117db924cf7c 4677 return ret;
wolfSSL 15:117db924cf7c 4678 #endif
wolfSSL 15:117db924cf7c 4679
wolfSSL 15:117db924cf7c 4680 ret = TLSX_GetResponseSize(ssl, encrypted_extensions, &length);
wolfSSL 15:117db924cf7c 4681 if (ret != 0)
wolfSSL 15:117db924cf7c 4682 return ret;
wolfSSL 15:117db924cf7c 4683
wolfSSL 15:117db924cf7c 4684 sendSz = idx + length;
wolfSSL 15:117db924cf7c 4685 /* Encryption always on. */
wolfSSL 15:117db924cf7c 4686 sendSz += MAX_MSG_EXTRA;
wolfSSL 15:117db924cf7c 4687
wolfSSL 15:117db924cf7c 4688 /* Check buffers are big enough and grow if needed. */
wolfSSL 15:117db924cf7c 4689 ret = CheckAvailableSize(ssl, sendSz);
wolfSSL 15:117db924cf7c 4690 if (ret != 0)
wolfSSL 15:117db924cf7c 4691 return ret;
wolfSSL 15:117db924cf7c 4692
wolfSSL 15:117db924cf7c 4693 /* Get position in output buffer to write new message to. */
wolfSSL 15:117db924cf7c 4694 output = ssl->buffers.outputBuffer.buffer +
wolfSSL 15:117db924cf7c 4695 ssl->buffers.outputBuffer.length;
wolfSSL 15:117db924cf7c 4696
wolfSSL 15:117db924cf7c 4697 /* Put the record and handshake headers on. */
wolfSSL 15:117db924cf7c 4698 AddTls13Headers(output, length, encrypted_extensions, ssl);
wolfSSL 15:117db924cf7c 4699
wolfSSL 15:117db924cf7c 4700 ret = TLSX_WriteResponse(ssl, output + idx, encrypted_extensions, NULL);
wolfSSL 15:117db924cf7c 4701 if (ret != 0)
wolfSSL 15:117db924cf7c 4702 return ret;
wolfSSL 15:117db924cf7c 4703 idx += length;
wolfSSL 15:117db924cf7c 4704
wolfSSL 15:117db924cf7c 4705 #ifdef WOLFSSL_CALLBACKS
wolfSSL 15:117db924cf7c 4706 if (ssl->hsInfoOn)
wolfSSL 15:117db924cf7c 4707 AddPacketName(ssl, "EncryptedExtensions");
wolfSSL 15:117db924cf7c 4708 if (ssl->toInfoOn) {
wolfSSL 15:117db924cf7c 4709 AddPacketInfo(ssl, "EncryptedExtensions", handshake, output,
wolfSSL 15:117db924cf7c 4710 sendSz, WRITE_PROTO, ssl->heap);
wolfSSL 15:117db924cf7c 4711 }
wolfSSL 15:117db924cf7c 4712 #endif
wolfSSL 15:117db924cf7c 4713
wolfSSL 15:117db924cf7c 4714 /* This handshake message is always encrypted. */
wolfSSL 15:117db924cf7c 4715 sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
wolfSSL 15:117db924cf7c 4716 idx - RECORD_HEADER_SZ, handshake, 1, 0, 0);
wolfSSL 15:117db924cf7c 4717 if (sendSz < 0)
wolfSSL 15:117db924cf7c 4718 return sendSz;
wolfSSL 15:117db924cf7c 4719
wolfSSL 15:117db924cf7c 4720 ssl->buffers.outputBuffer.length += sendSz;
wolfSSL 15:117db924cf7c 4721
wolfSSL 15:117db924cf7c 4722 ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;
wolfSSL 15:117db924cf7c 4723
wolfSSL 15:117db924cf7c 4724 if (!ssl->options.groupMessages)
wolfSSL 15:117db924cf7c 4725 ret = SendBuffered(ssl);
wolfSSL 15:117db924cf7c 4726
wolfSSL 15:117db924cf7c 4727 WOLFSSL_LEAVE("SendTls13EncryptedExtensions", ret);
wolfSSL 15:117db924cf7c 4728 WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND);
wolfSSL 15:117db924cf7c 4729
wolfSSL 15:117db924cf7c 4730 return ret;
wolfSSL 15:117db924cf7c 4731 }
wolfSSL 15:117db924cf7c 4732
wolfSSL 15:117db924cf7c 4733 #ifndef NO_CERTS
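/* handle generation TLS v1.3 certificate_request (13) */
/* Send the TLS v1.3 CertificateRequest message.
 * This message is always encrypted in TLS v1.3.
 * Only a server will send this message.
 *
 * The request context is written behind a single length byte, so its length
 * has to fit in one byte. A length outside 0..255, or a non-zero length with
 * no context pointer, is rejected before any size is computed or any byte is
 * copied; otherwise the length byte and the number of bytes copied would
 * disagree.
 *
 * ssl        SSL/TLS object.
 * reqCtx     Request context. May be NULL only when reqCtxLen is 0.
 * reqCtxLen  Length of context. 0 when sending as part of handshake.
 * returns 0 on success, BAD_FUNC_ARG when the request context arguments are
 * invalid, otherwise failure.
 */
static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx,
                                       int reqCtxLen)
{
    byte*  output;
    int    ret;
    int    sendSz;
    word32 i;
    word16 reqSz;
#ifndef WOLFSSL_TLS13_DRAFT_18
    TLSX*  ext;
#endif

    WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_SEND);
    WOLFSSL_ENTER("SendTls13CertificateRequest");

    /* The context length is encoded in one byte and is also used as the
     * XMEMCPY length below - keep the two in agreement.
     */
    if (reqCtxLen < 0 || reqCtxLen > 0xFF ||
            (reqCtxLen != 0 && reqCtx == NULL)) {
        return BAD_FUNC_ARG;
    }

    if (ssl->options.side == WOLFSSL_SERVER_END)
        InitSuitesHashSigAlgo(ssl->suites, 1, 1, 0, 1, ssl->buffers.keySz);

#ifdef WOLFSSL_TLS13_DRAFT_18
    i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    reqSz = OPAQUE8_LEN + reqCtxLen + REQ_HEADER_SZ + REQ_HEADER_SZ;
    reqSz += LENGTH_SZ + ssl->suites->hashSigAlgoSz;

    sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz;
    /* Always encrypted and make room for padding. */
    sendSz += MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, reqSz, certificate_request, ssl);

    /* Certificate request context. */
    output[i++] = reqCtxLen;
    if (reqCtxLen != 0) {
        XMEMCPY(output + i, reqCtx, reqCtxLen);
        i += reqCtxLen;
    }

    /* supported hash/sig */
    c16toa(ssl->suites->hashSigAlgoSz, &output[i]);
    i += LENGTH_SZ;

    XMEMCPY(&output[i], ssl->suites->hashSigAlgo, ssl->suites->hashSigAlgoSz);
    i += ssl->suites->hashSigAlgoSz;

    /* Certificate authorities not supported yet - empty buffer. */
    c16toa(0, &output[i]);
    i += REQ_HEADER_SZ;

    /* Certificate extensions. */
    c16toa(0, &output[i]);  /* auth's */
    i += REQ_HEADER_SZ;
#else
    /* The signature algorithms extension must already be on the object. */
    ext = TLSX_Find(ssl->extensions, TLSX_SIGNATURE_ALGORITHMS);
    if (ext == NULL)
        return EXT_MISSING;
    ext->resp = 0;

    i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    reqSz = (word16)(OPAQUE8_LEN + reqCtxLen);
    ret = TLSX_GetRequestSize(ssl, certificate_request, &reqSz);
    if (ret != 0)
        return ret;

    sendSz = i + reqSz;
    /* Always encrypted and make room for padding. */
    sendSz += MAX_MSG_EXTRA;

    /* Check buffers are big enough and grow if needed. */
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
        return ret;

    /* Get position in output buffer to write new message to. */
    output = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Put the record and handshake headers on. */
    AddTls13Headers(output, reqSz, certificate_request, ssl);

    /* Certificate request context. */
    output[i++] = (byte)reqCtxLen;
    if (reqCtxLen != 0) {
        XMEMCPY(output + i, reqCtx, reqCtxLen);
        i += reqCtxLen;
    }

    /* Certificate extensions. */
    reqSz = 0;
    ret = TLSX_WriteRequest(ssl, output + i, certificate_request, &reqSz);
    if (ret != 0)
        return ret;
    i += reqSz;
#endif

    /* Always encrypted. */
    sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
                               i - RECORD_HEADER_SZ, handshake, 1, 0, 0);
    if (sendSz < 0)
        return sendSz;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName(ssl, "CertificateRequest");
    if (ssl->toInfoOn) {
        AddPacketInfo(ssl, "CertificateRequest", handshake, output,
                      sendSz, WRITE_PROTO, ssl->heap);
    }
#endif

    ssl->buffers.outputBuffer.length += sendSz;
    /* When messages are being grouped the record stays in the output buffer
     * and is not sent from here.
     */
    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13CertificateRequest", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_SEND);

    return ret;
}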
wolfSSL 15:117db924cf7c 4869 #endif /* NO_CERTS */
wolfSSL 15:117db924cf7c 4870 #endif /* NO_WOLFSSL_SERVER */
wolfSSL 15:117db924cf7c 4871
wolfSSL 15:117db924cf7c 4872 #ifndef NO_CERTS
wolfSSL 16:8e0d178b1d1e 4873 #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
wolfSSL 16:8e0d178b1d1e 4874 defined(HAVE_ED448)
/* Write the two-byte wire encoding of a signature algorithm.
 *
 * Only the signature types compiled into this build are recognised. For any
 * other hsType nothing is written and output is left exactly as the caller
 * passed it; the function has no return value to report that.
 *
 * hashAlgo  The hash algorithm. Not used for Ed25519 and Ed448.
 * hsType    The signature type.
 * output    The buffer to encode into. Two bytes are written.
 */
static WC_INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output)
{
#ifdef HAVE_ECC
    /* ECDSA: hash identifier first, signature identifier second. */
    if (hsType == ecc_dsa_sa_algo) {
        output[0] = hashAlgo;
        output[1] = ecc_dsa_sa_algo;
        return;
    }
#endif
#ifdef HAVE_ED25519
    /* ED25519: 0x0807 */
    if (hsType == ed25519_sa_algo) {
        (void)hashAlgo;
        output[0] = ED25519_SA_MAJOR;
        output[1] = ED25519_SA_MINOR;
        return;
    }
#endif
#ifdef HAVE_ED448
    /* ED448: 0x0808 */
    if (hsType == ed448_sa_algo) {
        (void)hashAlgo;
        output[0] = ED448_SA_MAJOR;
        output[1] = ED448_SA_MINOR;
        return;
    }
#endif
#ifndef NO_RSA
    /* PSS signatures: 0x080[4-6] - signature identifier first, hash second. */
    if (hsType == rsa_pss_sa_algo) {
        output[0] = rsa_pss_sa_algo;
        output[1] = hashAlgo;
        return;
    }
#endif
}
wolfSSL 15:117db924cf7c 4915
/* Decode a two-byte signature algorithm into hash and signature type.
 *
 * When the first byte is NEW_SA_MAJOR the second byte is checked: the range
 * sha256_mac..sha512_mac is RSA-PSS, and the Ed25519/Ed448 minor values are
 * accepted when those algorithms are compiled in. Anything else under that
 * major is rejected and the outputs are left unchanged.
 *
 * For every other first byte the two bytes are passed through as
 * hash/signature without any range check, so the caller is responsible for
 * deciding whether that pair is acceptable.
 *
 * input     The encoded signature algorithm. Two bytes are read.
 * hashAlgo  The hash algorithm.
 * hsType    The signature type.
 * returns INVALID_PARAMETER if not recognized and 0 otherwise.
 */
static WC_INLINE int DecodeTls13SigAlg(byte* input, byte* hashAlgo,
                                       byte* hsType)
{
    if (input[0] != NEW_SA_MAJOR) {
        /* Older layout: hash identifier, then signature identifier. */
        *hashAlgo = input[0];
        *hsType   = input[1];
        return 0;
    }

    /* PSS signatures: 0x080[4-6] */
    if (input[1] >= sha256_mac && input[1] <= sha512_mac) {
        *hsType   = input[0];
        *hashAlgo = input[1];
        return 0;
    }
#ifdef HAVE_ED25519
    /* ED25519: 0x0807 */
    if (input[1] == ED25519_SA_MINOR) {
        *hsType   = ed25519_sa_algo;
        /* Hash performed as part of sign/verify operation. */
        *hashAlgo = sha512_mac;
        return 0;
    }
#endif
#ifdef HAVE_ED448
    /* ED448: 0x0808 */
    if (input[1] == ED448_SA_MINOR) {
        *hsType   = ed448_sa_algo;
        /* Hash performed as part of sign/verify operation. */
        *hashAlgo = sha512_mac;
        return 0;
    }
#endif

    return INVALID_PARAMETER;
}
wolfSSL 15:117db924cf7c 4962
/* Get the hash of the messages so far.
 *
 * The running handshake hash matching the cipher suite's MAC algorithm is
 * read out into hash.
 *
 * When ssl->specs.mac_algorithm matches none of the hashes compiled into this
 * build, nothing is written to hash and 0 is returned. NOTE(review): a caller
 * that only tests for a negative value (as CreateSigData does) will treat
 * that as a zero-length hash rather than as an error - confirm this cannot be
 * reached with a negotiated suite.
 *
 * ssl   The SSL/TLS object.
 * hash  The buffer to write the hash to.
 * returns the length of the hash, or the non-zero value returned by the
 * underlying GetHash call when it fails.
 */
static WC_INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash)
{
    int result = 0;

    switch (ssl->specs.mac_algorithm) {
#ifndef NO_SHA256
        case sha256_mac:
            result = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            result = (result != 0) ? result : WC_SHA256_DIGEST_SIZE;
            break;
#endif /* !NO_SHA256 */
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            result = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            result = (result != 0) ? result : WC_SHA384_DIGEST_SIZE;
            break;
#endif /* WOLFSSL_SHA384 */
#ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            result = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
            result = (result != 0) ? result : WC_SHA512_DIGEST_SIZE;
            break;
#endif /* WOLFSSL_TLS13_SHA512 */
        default:
            /* No matching hash: result stays 0 and hash is untouched. */
            break;
    }

    return result;
}
wolfSSL 15:117db924cf7c 4997
/* The length of the certificate verification label - client and server.
 * Each label below is 33 characters long; the 34th array element is the
 * string literal's terminating zero byte. CreateSigData copies all 34 bytes,
 * so that zero byte ends up between the label and the handshake hash, which
 * is the single 0 separator byte RFC 8446 section 4.4.3 requires there.
 */
#define CERT_VFY_LABEL_SZ 34
/* The server certificate verification label. */
static const byte serverCertVfyLabel[CERT_VFY_LABEL_SZ] =
    "TLS 1.3, server CertificateVerify";
/* The client certificate verification label. */
static const byte clientCertVfyLabel[CERT_VFY_LABEL_SZ] =
    "TLS 1.3, client CertificateVerify";

/* The number of prefix bytes for signature data. */
#define SIGNING_DATA_PREFIX_SZ 64
/* The prefix byte in the signature data. */
#define SIGNING_DATA_PREFIX_BYTE 0x20
/* Maximum length of the signature data: prefix, label (including its zero
 * byte) and the largest digest the build supports.
 */
#define MAX_SIG_DATA_SZ (SIGNING_DATA_PREFIX_SZ + \
                         CERT_VFY_LABEL_SZ + \
                         WC_MAX_DIGEST_SIZE)
wolfSSL 15:117db924cf7c 5015
/* Create the signature data for TLS v1.3 certificate verification.
 *
 * Layout written to sigData: SIGNING_DATA_PREFIX_SZ bytes of
 * SIGNING_DATA_PREFIX_BYTE, then the CERT_VFY_LABEL_SZ byte label, then the
 * handshake hash returned by GetMsgHash.
 *
 * The label names the side whose signature is being handled: when creating,
 * that is this side; when checking, it is the peer. If ssl->options.side is
 * neither WOLFSSL_SERVER_END nor WOLFSSL_CLIENT_END no label is copied and
 * those bytes of sigData keep whatever the caller's buffer held.
 *
 * No buffer size is passed in. The caller visible in this file provides
 * MAX_SIG_DATA_SZ bytes, which covers prefix, label and the largest digest.
 *
 * ssl        The SSL/TLS object.
 * sigData    The signature data.
 * sigDataSz  The length of the signature data.
 * check      Indicates this is a check not create.
 * returns 0 on success, otherwise the negative value from GetMsgHash.
 */
static int CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz,
                         int check)
{
    const int   side  = ssl->options.side;
    const byte* label = NULL;
    word16      off   = SIGNING_DATA_PREFIX_SZ;
    int         hashLen;

    /* Signature Data = Prefix | Label | Handshake Hash */
    XMEMSET(sigData, SIGNING_DATA_PREFIX_BYTE, SIGNING_DATA_PREFIX_SZ);

    /* Client's signature: verified by a server, produced by a client. */
    if ((side == WOLFSSL_SERVER_END && check) ||
        (side == WOLFSSL_CLIENT_END && !check)) {
        label = clientCertVfyLabel;
    }
    /* Server's signature: verified by a client, produced by a server. */
    if ((side == WOLFSSL_CLIENT_END && check) ||
        (side == WOLFSSL_SERVER_END && !check)) {
        label = serverCertVfyLabel;
    }
    if (label != NULL)
        XMEMCPY(&sigData[off], label, CERT_VFY_LABEL_SZ);
    off += CERT_VFY_LABEL_SZ;

    hashLen = GetMsgHash(ssl, &sigData[off]);
    if (hashLen < 0)
        return hashLen;

    *sigDataSz = (word16)(off + hashLen);

    return 0;
}
wolfSSL 15:117db924cf7c 5053
wolfSSL 15:117db924cf7c 5054 #ifndef NO_RSA
/* Digest the signature data for an RSA signature.
 *
 * The body hashes sigData with the selected algorithm and writes the digest
 * to sig; no further encoding is applied here. sig may be the same buffer as
 * sigData: the digest is only written by the Final call, after Update has
 * consumed the input.
 *
 * No size is passed for sig, so it must be large enough for the digest of
 * the chosen hash.
 *
 * sig        The buffer to place the digest into.
 * sigData    The data to be signed.
 * sigDataSz  The size of the data to be signed.
 * sigAlgo    The signature algorithm. Not used.
 * hashAlgo   The hash algorithm to use when signing.
 * returns the length of the digest, BAD_FUNC_ARG when hashAlgo matches no
 * hash compiled in here, or the non-zero value of a failing hash call.
 */
static int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz,
                               int sigAlgo, int hashAlgo)
{
    Digest digest;
    int    ret    = BAD_FUNC_ARG;
    int    hashSz = 0;

    (void)sigAlgo;

    /* Digest the signature data. */
    switch (hashAlgo) {
#ifndef NO_WOLFSSL_SHA256
        case sha256_mac:
            hashSz = WC_SHA256_DIGEST_SIZE;
            ret = wc_InitSha256(&digest.sha256);
            if (ret != 0)
                break;
            ret = wc_Sha256Update(&digest.sha256, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha256Final(&digest.sha256, sig);
            /* Release the hash context whether or not hashing succeeded. */
            wc_Sha256Free(&digest.sha256);
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashSz = WC_SHA384_DIGEST_SIZE;
            ret = wc_InitSha384(&digest.sha384);
            if (ret != 0)
                break;
            ret = wc_Sha384Update(&digest.sha384, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha384Final(&digest.sha384, sig);
            wc_Sha384Free(&digest.sha384);
            break;
#endif
#ifdef WOLFSSL_SHA512
        case sha512_mac:
            hashSz = WC_SHA512_DIGEST_SIZE;
            ret = wc_InitSha512(&digest.sha512);
            if (ret != 0)
                break;
            ret = wc_Sha512Update(&digest.sha512, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha512Final(&digest.sha512, sig);
            wc_Sha512Free(&digest.sha512);
            break;
#endif
    }

    /* The length is only meaningful when every hash step succeeded. */
    return (ret != 0) ? ret : hashSz;
}
wolfSSL 15:117db924cf7c 5120 #endif /* !NO_RSA */
wolfSSL 15:117db924cf7c 5121
wolfSSL 15:117db924cf7c 5122 #ifdef HAVE_ECC
/* Digest the signature data for an ECC signature, in place.
 *
 * sigData is hashed with the selected algorithm and the digest is written
 * back over the start of sigData, so the original signature data is gone
 * once this returns successfully. The buffer must be at least as large as
 * the digest of the chosen hash.
 *
 * sigData    The data to be signed. Overwritten with its digest.
 * sigDataSz  The size of the data to be signed.
 * hashAlgo   The hash algorithm to use when signing.
 * returns the length of the digest, BAD_FUNC_ARG when hashAlgo matches no
 * hash compiled in here, or the non-zero value of a failing hash call.
 */
static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo)
{
    Digest digest;
    int    ret    = BAD_FUNC_ARG;
    int    hashSz = 0;

    /* Digest the signature data. */
    switch (hashAlgo) {
#ifndef NO_WOLFSSL_SHA256
        case sha256_mac:
            hashSz = WC_SHA256_DIGEST_SIZE;
            ret = wc_InitSha256(&digest.sha256);
            if (ret != 0)
                break;
            ret = wc_Sha256Update(&digest.sha256, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha256Final(&digest.sha256, sigData);
            /* Release the hash context whether or not hashing succeeded. */
            wc_Sha256Free(&digest.sha256);
            break;
#endif
#ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashSz = WC_SHA384_DIGEST_SIZE;
            ret = wc_InitSha384(&digest.sha384);
            if (ret != 0)
                break;
            ret = wc_Sha384Update(&digest.sha384, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha384Final(&digest.sha384, sigData);
            wc_Sha384Free(&digest.sha384);
            break;
#endif
#ifdef WOLFSSL_SHA512
        case sha512_mac:
            hashSz = WC_SHA512_DIGEST_SIZE;
            ret = wc_InitSha512(&digest.sha512);
            if (ret != 0)
                break;
            ret = wc_Sha512Update(&digest.sha512, sigData, sigDataSz);
            if (ret == 0)
                ret = wc_Sha512Final(&digest.sha512, sigData);
            wc_Sha512Free(&digest.sha512);
            break;
#endif
    }

    /* The length is only meaningful when every hash step succeeded. */
    return (ret != 0) ? ret : hashSz;
}
wolfSSL 15:117db924cf7c 5181 #endif /* HAVE_ECC */
wolfSSL 15:117db924cf7c 5182
wolfSSL 15:117db924cf7c 5183 #ifndef NO_RSA
/* Check that the decrypted signature matches the encoded signature
 * based on the digest of the signature data.
 *
 * The expected signature data is rebuilt from the handshake state, digested,
 * and compared against decSig with the PSS padding check.
 *
 * Only rsa_pss_sa_algo is checked. For any other sigAlgo the function
 * returns 0 once the signature data has been built, without looking at
 * decSig. NOTE(review): a 0 return therefore means "verified" only for PSS -
 * confirm every call site passes rsa_pss_sa_algo or checks other algorithms
 * separately.
 *
 * ssl       The SSL/TLS object.
 * sigAlgo   The signature algorithm used to generate signature.
 * hashAlgo  The hash algorithm used to generate signature.
 * decSig    The decrypted signature.
 * decSigSz  The size of the decrypted signature.
 * returns 0 on success, otherwise failure.
 */
static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo,
                             byte* decSig, word32 decSigSz)
{
    byte             sigData[MAX_SIG_DATA_SZ];
    word16           sigDataSz;
    word32           digestSz;
    enum wc_HashType hashType = WC_HASH_TYPE_NONE;
    int              ret;

    /* check = 1: build the data the peer is expected to have signed. */
    ret = CreateSigData(ssl, sigData, &sigDataSz, 1);
    if (ret != 0)
        return ret;

    /* Nothing further is done for non-PSS algorithms; ret is 0 here. */
    if (sigAlgo != rsa_pss_sa_algo)
        return ret;

    ret = ConvertHashPss(hashAlgo, &hashType, NULL);
    if (ret < 0)
        return ret;

    /* PSS signature can be done in-place */
    ret = CreateRSAEncodedSig(sigData, sigData, sigDataSz, sigAlgo, hashAlgo);
    if (ret < 0)
        return ret;
    digestSz = (word32)ret;

    return wc_RsaPSS_CheckPadding(sigData, digestSz, decSig, decSigSz,
                                  hashType);
}
wolfSSL 15:117db924cf7c 5226 #endif /* !NO_RSA */
wolfSSL 15:117db924cf7c 5227 #endif /* !NO_RSA || HAVE_ECC */
wolfSSL 15:117db924cf7c 5228
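/* Get the next certificate from the list for writing into the TLS v1.3
 * Certificate message.
 *
 * Each entry in the list is a 3 byte length followed by that many bytes of
 * certificate data. The length prefix and the certificate it announces are
 * both checked against the end of the list before the index is advanced, so
 * a truncated or inconsistent list ends the walk instead of being read past
 * its end.
 *
 * data    The certificate list.
 * length  The length of the certificate data in the list.
 * idx     The index of the next certificate. Advanced past the returned
 *         certificate; left unchanged when 0 is returned.
 * returns the length of the certificate data, including its 3 byte length
 * field. 0 indicates no more certificates in the list, or a list that is
 * malformed at this index.
 */
static word32 NextCert(byte* data, word32 length, word32* idx)
{
    word32 len;

    /* Is index at end of list (or already beyond it). */
    if (*idx >= length)
        return 0;

    /* The 3 byte length field itself must lie inside the list. */
    if (length - *idx < 3)
        return 0;

    /* Length of the current ASN.1 encoded certificate. */
    c24to32(data + *idx, &len);
    /* Include the length field. */
    len += 3;

    /* The announced certificate must not run past the end of the list. */
    if (len > length - *idx)
        return 0;

    /* Move index to next certificate and return the current certificate's
     * length.
     */
    *idx += len;
    return len;
}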
wolfSSL 15:117db924cf7c 5257
/* Add certificate data and empty extension to output up to the fragment size.
 *
 * The certificate and its extension data are treated as one stream of
 * len + extSz bytes; idx is the position in that stream to continue from.
 * Certificate bytes are written first, then as much of the extension as is
 * handled below.
 *
 * ssl     SSL/TLS object.
 * cert    The certificate data to write out.
 * len     The length of the certificate data.
 * extSz   Length of the extension data with the certificate. A value of
 *         OPAQUE16_LEN is treated as an empty extension (two zero bytes).
 * idx     The start of the certificate data to write out.
 * fragSz  The maximum size of this fragment.
 * output  The buffer to write to.
 * returns the number of bytes written.
 */
static word32 AddCertExt(WOLFSSL* ssl, byte* cert, word32 len, word16 extSz,
                         word32 idx, word32 fragSz, byte* output)
{
    word32 i = 0;
    /* When idx >= len this subtraction wraps, but the value is not used in
     * that case: copySz is recomputed below before it is read again.
     */
    word32 copySz = min(len - idx, fragSz);

    if (idx < len) {
        /* Still inside the certificate: copy what fits in the fragment. */
        XMEMCPY(output, cert + idx, copySz);
        i = copySz;
        /* Fragment is full of certificate data - no room for extensions. */
        if (copySz == fragSz)
            return i;
    }
    /* Bytes of the cert + extension stream not yet written. */
    copySz = len + extSz - idx - i;

    if (extSz == OPAQUE16_LEN) {
        /* NOTE(review): this compares against fragSz, not the fragSz - i
         * used in the branch below, and always writes both bytes even when
         * copySz is 1. Confirm callers leave at least two bytes of room
         * after the certificate data and never resume mid-extension.
         */
        if (copySz <= fragSz) {
            /* Empty extension */
            output[i++] = 0;
            output[i++] = 0;
        }
    }
    else {
        /* Position in the stored extensions that corresponds to the current
         * stream offset (idx + i) once the certificate length is removed.
         */
        byte* certExts = ssl->buffers.certExts->buffer + idx + i - len;
        /* Put out as much of the extensions' data as will fit in fragment. */
        if (copySz > fragSz - i)
            copySz = fragSz - i;
        XMEMCPY(output + i, certExts, copySz);
        i += copySz;
    }

    return i;
}
wolfSSL 15:117db924cf7c 5301
/* handle generation TLS v1.3 certificate (11) */
/* Send the certificate for this end and any CAs that help with validation.
 * This message is always encrypted in TLS v1.3.
 *
 * The message is built as: request context length | request context |
 * certificate list length | then, per certificate, a 3-byte length, the
 * certificate data and its extensions. When the whole message does not fit
 * in one record it is sent as several fragments; ssl->fragOffset records how
 * much certificate/extension data has been written so far and is only reset
 * when the result is not WANT_WRITE.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure (BUFFER_ERROR when no certificate
 * buffer is set, BUFFER_E on a bad size, or the error of a called function).
 */
static int SendTls13Certificate(WOLFSSL* ssl)
{
    int ret = 0;
    word32 certSz, certChainSz, headerSz, listSz, payloadSz;
    word16 extSz = 0;
    word32 length, maxFragment;
    /* Chain walk state. offset starts at OPAQUE16_LEN with len 0 so that the
     * first pass of the chain loop sees offset == len + OPAQUE16_LEN and
     * fetches the first chain certificate. */
    word32 len = 0;
    word32 idx = 0;
    word32 offset = OPAQUE16_LEN;
    byte* p = NULL;
    byte certReqCtxLen = 0;
    byte* certReqCtx = NULL;

    WOLFSSL_START(WC_FUNC_CERTIFICATE_SEND);
    WOLFSSL_ENTER("SendTls13Certificate");

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    /* A client with a pending request context echoes it in the message. */
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
        certReqCtxLen = ssl->certReqCtx->len;
        certReqCtx = &ssl->certReqCtx->ctx;
    }
#endif

    if (ssl->options.sendVerify == SEND_BLANK_CERT) {
        /* Blank certificate: only the context and an empty list length. */
        certSz = 0;
        certChainSz = 0;
        headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ;
        length = headerSz;
        listSz = 0;
    }
    else {
        if (!ssl->buffers.certificate) {
            WOLFSSL_MSG("Send Cert missing certificate buffer");
            return BUFFER_ERROR;
        }
        /* Certificate Data */
        certSz = ssl->buffers.certificate->length;
        /* Cert Req Ctx Len | Cert Req Ctx | Cert List Len | Cert Data Len */
        headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ +
                   CERT_HEADER_SZ;

        ret = TLSX_GetResponseSize(ssl, certificate, &extSz);
        if (ret < 0)
            return ret;

        /* Create extensions' data if none already present. */
        if (extSz > OPAQUE16_LEN && ssl->buffers.certExts == NULL) {
            ret = AllocDer(&ssl->buffers.certExts, extSz, CERT_TYPE, ssl->heap);
            if (ret < 0)
                return ret;

            /* extSz is cleared before the write call, which receives it by
             * pointer; the value it leaves is used for the sizes below. */
            extSz = 0;
            ret = TLSX_WriteResponse(ssl, ssl->buffers.certExts->buffer,
                                     certificate, &extSz);
            if (ret < 0)
                return ret;
        }

        /* Length of message data with one certificate and extensions. */
        length = headerSz + certSz + extSz;
        /* Length of list data with one certificate and extensions. */
        listSz = CERT_HEADER_SZ + certSz + extSz;

        /* Send rest of chain if sending cert (chain has leading size/s). */
        if (certSz > 0 && ssl->buffers.certChainCnt > 0) {
            p = ssl->buffers.certChain->buffer;
            /* Chain length including extensions: one empty extension block
             * (OPAQUE16_LEN bytes) is counted per chain certificate. */
            certChainSz = ssl->buffers.certChain->length +
                          OPAQUE16_LEN * ssl->buffers.certChainCnt;
            length += certChainSz;
            listSz += certChainSz;
        }
        else
            certChainSz = 0;
    }

    /* Total handshake payload, used in the handshake header. */
    payloadSz = length;

    /* Resuming a partly sent message: drop what has already gone out.
     * NOTE(review): all of these are unsigned; this assumes
     * fragOffset + headerSz never exceeds length - confirm. */
    if (ssl->fragOffset != 0)
        length -= (ssl->fragOffset + headerSz);

    maxFragment = wolfSSL_GetMaxRecordSize(ssl, MAX_RECORD_SIZE);

    /* One pass of this loop builds and queues one record. */
    while (length > 0 && ret == 0) {
        byte*  output = NULL;
        word32 fragSz = 0;
        word32 i = RECORD_HEADER_SZ;
        int    sendSz = RECORD_HEADER_SZ;

        if (ssl->fragOffset == 0) {
            /* First fragment also carries the handshake header. */
            if (headerSz + certSz + extSz + certChainSz <=
                                            maxFragment - HANDSHAKE_HEADER_SZ) {
                fragSz = headerSz + certSz + extSz + certChainSz;
            }
            else
                fragSz = maxFragment - HANDSHAKE_HEADER_SZ;

            sendSz += fragSz + HANDSHAKE_HEADER_SZ;
            i += HANDSHAKE_HEADER_SZ;
        }
        else {
            fragSz = min(length, maxFragment);
            sendSz += fragSz;
        }

        sendSz += MAX_MSG_EXTRA;

        /* Check buffers are big enough and grow if needed. */
        if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
            return ret;

        /* Get position in output buffer to write new message to. */
        output = ssl->buffers.outputBuffer.buffer +
                 ssl->buffers.outputBuffer.length;

        if (ssl->fragOffset == 0) {
            AddTls13FragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);

            /* Request context. */
            output[i++] = certReqCtxLen;
            if (certReqCtxLen > 0) {
                XMEMCPY(output + i, certReqCtx, certReqCtxLen);
                i += certReqCtxLen;
            }
            /* From here length and fragSz count only the bytes still to be
             * written, so each header field is subtracted as it is emitted. */
            length -= OPAQUE8_LEN + certReqCtxLen;
            fragSz -= OPAQUE8_LEN + certReqCtxLen;
            /* Certificate list length. */
            c32to24(listSz, output + i);
            i += CERT_HEADER_SZ;
            length -= CERT_HEADER_SZ;
            fragSz -= CERT_HEADER_SZ;
            /* Leaf certificate data length. */
            if (certSz > 0) {
                c32to24(certSz, output + i);
                i += CERT_HEADER_SZ;
                length -= CERT_HEADER_SZ;
                fragSz -= CERT_HEADER_SZ;
            }
        }
        else
            AddTls13RecordHeader(output, fragSz, handshake, ssl);

        if (certSz > 0 && ssl->fragOffset < certSz + extSz) {
            /* Put in the leaf certificate with extensions. */
            word32 copySz = AddCertExt(ssl, ssl->buffers.certificate->buffer,
                           certSz, extSz, ssl->fragOffset, fragSz, output + i);
            i += copySz;
            ssl->fragOffset += copySz;
            length -= copySz;
            /* fragSz is unsigned: this relies on AddCertExt never returning
             * more than fragSz, otherwise the subtraction wraps. */
            fragSz -= copySz;
            /* Leaf and its extensions fully written: release the buffer. */
            if (ssl->fragOffset == certSz + extSz)
                FreeDer(&ssl->buffers.certExts);
        }
        if (certChainSz > 0 && fragSz > 0) {
            /* Put in the CA certificates with empty extensions.
             * NOTE(review): idx, len and offset are locals that start fresh
             * on every call, so a call that resumes with fragOffset != 0
             * walks the chain from its first certificate - confirm how a
             * retry after WANT_WRITE with part of the chain sent behaves. */
            while (fragSz > 0) {
                word32 l;

                if (offset == len + OPAQUE16_LEN) {
                    /* Find next CA certificate to write out. */
                    offset = 0;
                    /* Point to the start of current cert in chain buffer. */
                    p = ssl->buffers.certChain->buffer + idx;
                    len = NextCert(ssl->buffers.certChain->buffer,
                                   ssl->buffers.certChain->length, &idx);
                    if (len == 0)
                        break;
                }

                /* Write out certificate and empty extension. */
                l = AddCertExt(ssl, p, len, OPAQUE16_LEN, offset, fragSz,
                               output + i);
                i += l;
                ssl->fragOffset += l;
                length -= l;
                /* Same unsigned-subtraction caveat as for the leaf above.
                 * NOTE(review): the loop has no exit for l == 0 while
                 * fragSz stays above zero - confirm that cannot occur. */
                fragSz -= l;
                offset += l;
            }
        }

        /* Sanity check on the size handed to the record builder. */
        if ((int)i - RECORD_HEADER_SZ < 0) {
            WOLFSSL_MSG("Send Cert bad inputSz");
            return BUFFER_E;
        }

        /* This message is always encrypted. */
        sendSz = BuildTls13Message(ssl, output, sendSz,
                                   output + RECORD_HEADER_SZ,
                                   i - RECORD_HEADER_SZ, handshake, 1, 0, 0);
        if (sendSz < 0)
            return sendSz;

#ifdef WOLFSSL_CALLBACKS
        if (ssl->hsInfoOn)
            AddPacketName(ssl, "Certificate");
        if (ssl->toInfoOn) {
            AddPacketInfo(ssl, "Certificate", handshake, output,
                          sendSz, WRITE_PROTO, ssl->heap);
        }
#endif

        ssl->buffers.outputBuffer.length += sendSz;
        if (!ssl->options.groupMessages)
            ret = SendBuffered(ssl);
    }

    /* Keep fragOffset when the write would block so the next call resumes. */
    if (ret != WANT_WRITE) {
        /* Clean up the fragment offset. */
        ssl->fragOffset = 0;
        if (ssl->options.side == WOLFSSL_SERVER_END)
            ssl->options.serverState = SERVER_CERT_COMPLETE;
    }

#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    /* Pop and free the request context that was just answered.
     * NOTE(review): this runs whatever ret is, including WANT_WRITE, so a
     * retried call no longer sees this context - confirm that is intended. */
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
        CertReqCtx* ctx = ssl->certReqCtx;
        ssl->certReqCtx = ssl->certReqCtx->next;
        XFREE(ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    }
#endif

    WOLFSSL_LEAVE("SendTls13Certificate", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_SEND);

    return ret;
}
wolfSSL 15:117db924cf7c 5535
/* Working state of SendTls13CertificateVerify. With WOLFSSL_ASYNC_CRYPT it
 * lives in ssl->async.args so it survives a pending operation; otherwise it
 * is a local of the function. Only sigData is heap memory owned by this
 * structure (released by FreeScv13Args). */
typedef struct Scv13Args {
    byte*  output; /* not allocated: write position in the output buffer */
    byte*  verify; /* not allocated: output past record+handshake headers */
    word32 idx;    /* offset of verify within output */
    word32 sigLen; /* RSA: maximum signature size in, actual size out */
    int    sendSz; /* size reserved for, then size of, the message */
    word16 length; /* signature length placed in the message */

    byte   sigAlgo;   /* signature algorithm chosen from ssl->hsType */
    byte*  sigData;   /* allocated: data to sign; RSA later stores the
                       * produced signature here for the verify step */
    word16 sigDataSz; /* number of bytes used in sigData */
} Scv13Args;
wolfSSL 15:117db924cf7c 5548
/* Release the heap memory held by a Scv13Args.
 *
 * ssl    The SSL/TLS object; its heap hint is passed to XFREE.
 * pArgs  Pointer to the Scv13Args to clean up. sigData is freed when set
 *        and reset to NULL, so a second call does nothing.
 */
static void FreeScv13Args(WOLFSSL* ssl, void* pArgs)
{
    Scv13Args* scvArgs = (Scv13Args*)pArgs;

    /* XFREE may not use its heap argument in every build. */
    (void)ssl;

    if (scvArgs->sigData == NULL)
        return;

    XFREE(scvArgs->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
    scvArgs->sigData = NULL;
}
wolfSSL 15:117db924cf7c 5560
/* handle generation TLS v1.3 certificate_verify (15) */
/* Send the TLS v1.3 CertificateVerify message.
 * A hash of all the message so far is used.
 * The signed data is:
 *     0x20 * 64 | context string | 0x00 | hash of messages
 * This message is always encrypted in TLS v1.3.
 *
 * The work is split into states held in ssl->options.asyncState
 * (BEGIN, BUILD, DO, VERIFY, FINALIZE, END). Each state falls through to the
 * next; with WOLFSSL_ASYNC_CRYPT a call can return WC_PENDING_E and a later
 * call resumes in the stored state with the stored arguments.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure. Returns 0 without sending
 * anything when a blank certificate was sent.
 */
static int SendTls13CertificateVerify(WOLFSSL* ssl)
{
    int ret = 0;
    buffer* sig = &ssl->buffers.sig;
#ifdef WOLFSSL_ASYNC_CRYPT
    Scv13Args* args = (Scv13Args*)ssl->async.args;
    /* Compile-time check: the array size is -1, which does not compile,
     * if ssl->async.args is too small to hold a Scv13Args. */
    typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
    (void)sizeof(args_test);
#else
    Scv13Args args[1];
#endif

    WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_SEND);
    WOLFSSL_ENTER("SendTls13CertificateVerify");

#ifdef WOLFSSL_ASYNC_CRYPT
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
    if (ret != WC_NOT_PENDING_E) {
        /* Check for error */
        if (ret < 0)
            goto exit_scv;
    }
    else
#endif
    {
        /* Reset state */
        ret = 0;
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
        XMEMSET(args, 0, sizeof(Scv13Args));
    #ifdef WOLFSSL_ASYNC_CRYPT
        ssl->async.freeArgs = FreeScv13Args;
    #endif
    }

    switch(ssl->options.asyncState)
    {
        case TLS_ASYNC_BEGIN:
        {
            /* Returns directly, before anything is allocated in this
             * function, so the cleanup at exit_scv is not needed. */
            if (ssl->options.sendVerify == SEND_BLANK_CERT) {
                return 0;  /* sent blank cert, can't verify */
            }

            /* NOTE(review): MAX_MSG_EXTRA is added here and again just
             * below; this only makes the reservation larger - confirm
             * whether the second addition is intended. */
            args->sendSz = MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA;
            /* Always encrypted.  */
            args->sendSz += MAX_MSG_EXTRA;

            /* check for available size */
            if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) {
                goto exit_scv;
            }

            /* get output buffer */
            args->output = ssl->buffers.outputBuffer.buffer +
                           ssl->buffers.outputBuffer.length;

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_BUILD;
        } /* case TLS_ASYNC_BEGIN */
        FALL_THROUGH;

        case TLS_ASYNC_BUILD:
        {
            /* idx is used to track verify pointer offset to output */
            args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
            args->verify =
                          &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ];

            /* Without a key buffer the only way on is a private-key callback
             * (HAVE_PK_CALLBACKS); otherwise the ERROR_OUT below is the
             * whole body of this if. */
            if (ssl->buffers.key == NULL) {
            #ifdef HAVE_PK_CALLBACKS
                if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx))
                    args->length = GetPrivateKeySigSize(ssl);
                else
            #endif
                    ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
            }
            else {
                ret = DecodePrivateKey(ssl, &args->length);
                if (ret != 0)
                    goto exit_scv;
            }

            /* args->length is a word16, so only zero can match here. */
            if (args->length <= 0) {
                ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
            }

            /* Add signature algorithm.
             * NOTE(review): when ssl->hsType matches none of the branches
             * compiled in, sigAlgo keeps the 0 from the XMEMSET above and
             * is still encoded - confirm hsType is always one of these. */
            if (ssl->hsType == DYNAMIC_TYPE_RSA)
                args->sigAlgo = rsa_pss_sa_algo;
            else if (ssl->hsType == DYNAMIC_TYPE_ECC)
                args->sigAlgo = ecc_dsa_sa_algo;
        #ifdef HAVE_ED25519
            else if (ssl->hsType == DYNAMIC_TYPE_ED25519)
                args->sigAlgo = ed25519_sa_algo;
        #endif
        #ifdef HAVE_ED448
            else if (ssl->hsType == DYNAMIC_TYPE_ED448)
                args->sigAlgo = ed448_sa_algo;
        #endif
            EncodeSigAlg(ssl->suites->hashAlgo, args->sigAlgo, args->verify);

            /* For RSA the buffer is sized for whichever is larger, the data
             * to sign or the signature: the DO state copies the signature
             * (up to args->length bytes) back into sigData. */
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {
                int sigLen = MAX_SIG_DATA_SZ;
                if (args->length > MAX_SIG_DATA_SZ)
                    sigLen = args->length;
                args->sigData = (byte*)XMALLOC(sigLen, ssl->heap,
                                                        DYNAMIC_TYPE_SIGNATURE);
            }
            else {
                args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
                                                        DYNAMIC_TYPE_SIGNATURE);
            }
            if (args->sigData == NULL) {
                ERROR_OUT(MEMORY_E, exit_scv);
            }

            /* Create the data to be signed. */
            ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 0);
            if (ret != 0)
                goto exit_scv;

        #ifndef NO_RSA
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {
                /* build encoded signature buffer */
                sig->length = WC_MAX_DIGEST_SIZE;
                sig->buffer = (byte*)XMALLOC(sig->length, ssl->heap,
                                                        DYNAMIC_TYPE_SIGNATURE);
                if (sig->buffer == NULL) {
                    ERROR_OUT(MEMORY_E, exit_scv);
                }

                /* A non-negative return is the encoded length. */
                ret = CreateRSAEncodedSig(sig->buffer, args->sigData,
                    args->sigDataSz, args->sigAlgo, ssl->suites->hashAlgo);
                if (ret < 0)
                    goto exit_scv;
                sig->length = ret;
                ret = 0;

                /* Maximum size of RSA Signature. */
                args->sigLen = args->length;
            }
        #endif /* !NO_RSA */
        #ifdef HAVE_ECC
            if (ssl->hsType == DYNAMIC_TYPE_ECC) {
                /* Space left in the reserved message for the signature. */
                sig->length = args->sendSz - args->idx - HASH_SIG_SIZE -
                              VERIFY_HEADER;
                /* Encoding is done in place in sigData; a non-negative
                 * return becomes the new sigDataSz. */
                ret = CreateECCEncodedSig(args->sigData,
                    args->sigDataSz, ssl->suites->hashAlgo);
                if (ret < 0)
                    goto exit_scv;
                args->sigDataSz = (word16)ret;
                ret = 0;
            }
        #endif /* HAVE_ECC */
        #ifdef HAVE_ED25519
            if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
                ret = Ed25519CheckPubKey(ssl);
                if (ret < 0) {
                    ERROR_OUT(ret, exit_scv);
                }
                sig->length = ED25519_SIG_SIZE;
            }
        #endif /* HAVE_ED25519 */
        #ifdef HAVE_ED448
            if (ssl->hsType == DYNAMIC_TYPE_ED448) {
                ret = Ed448CheckPubKey(ssl);
                if (ret < 0) {
                    ERROR_OUT(ret, exit_scv);
                }
                sig->length = ED448_SIG_SIZE;
            }
        #endif /* HAVE_ED448 */

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_DO;
        } /* case TLS_ASYNC_BUILD */
        FALL_THROUGH;

        case TLS_ASYNC_DO:
        {
            /* Every branch writes the signature straight into the output
             * message, after the algorithm id and the length field. */
        #ifdef HAVE_ECC
            if (ssl->hsType == DYNAMIC_TYPE_ECC) {

                ret = EccSign(ssl, args->sigData, args->sigDataSz,
                    args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
                    (word32*)&sig->length, (ecc_key*)ssl->hsKey,
            #ifdef HAVE_PK_CALLBACKS
                    ssl->buffers.key
            #else
                    NULL
            #endif
                );
                args->length = (word16)sig->length;
            }
        #endif /* HAVE_ECC */
        #ifdef HAVE_ED25519
            if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
                ret = Ed25519Sign(ssl, args->sigData, args->sigDataSz,
                    args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
                    (word32*)&sig->length, (ed25519_key*)ssl->hsKey,
            #ifdef HAVE_PK_CALLBACKS
                    ssl->buffers.key
            #else
                    NULL
            #endif
                );
                args->length = (word16)sig->length;
            }
        #endif
        #ifdef HAVE_ED448
            if (ssl->hsType == DYNAMIC_TYPE_ED448) {
                ret = Ed448Sign(ssl, args->sigData, args->sigDataSz,
                    args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
                    (word32*)&sig->length, (ed448_key*)ssl->hsKey,
            #ifdef HAVE_PK_CALLBACKS
                    ssl->buffers.key
            #else
                    NULL
            #endif
                );
                args->length = (word16)sig->length;
            }
        #endif
        #ifndef NO_RSA
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {
                /* Signs the encoded digest built in the BUILD state. */
                ret = RsaSign(ssl, sig->buffer, (word32)sig->length,
                    args->verify + HASH_SIG_SIZE + VERIFY_HEADER, &args->sigLen,
                    args->sigAlgo, ssl->suites->hashAlgo,
                    (RsaKey*)ssl->hsKey,
                    ssl->buffers.key
                );
                if (ret == 0) {
                    args->length = (word16)args->sigLen;

                    /* Keep a copy of the signature for the VERIFY state;
                     * sigData no longer holds the data to sign after this. */
                    XMEMCPY(args->sigData,
                        args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
                        args->sigLen);
                }
            }
        #endif /* !NO_RSA */

            /* Check for error */
            if (ret != 0) {
                goto exit_scv;
            }

            /* Add signature length. */
            c16toa(args->length, args->verify + HASH_SIG_SIZE);

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_VERIFY;
        } /* case TLS_ASYNC_DO */
        FALL_THROUGH;

        case TLS_ASYNC_VERIFY:
        {
        #ifndef NO_RSA
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {
                /* check for signature faults: the signature just produced
                 * is checked against the encoded digest before it is sent,
                 * so a faulty RSA computation (which can expose the private
                 * key when CRT is used) is not put on the wire. */
                ret = VerifyRsaSign(ssl, args->sigData, args->sigLen,
                    sig->buffer, (word32)sig->length, args->sigAlgo,
                    ssl->suites->hashAlgo, (RsaKey*)ssl->hsKey,
                    ssl->buffers.key
                );
            }
        #endif /* !NO_RSA */

            /* Check for error */
            if (ret != 0) {
                goto exit_scv;
            }

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_FINALIZE;
        } /* case TLS_ASYNC_VERIFY */
        FALL_THROUGH;

        case TLS_ASYNC_FINALIZE:
        {
            /* Put the record and handshake headers on. */
            AddTls13Headers(args->output, args->length + HASH_SIG_SIZE +
                            VERIFY_HEADER, certificate_verify, ssl);

            /* sendSz now becomes the size of the plaintext message. */
            args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ +
                           args->length + HASH_SIG_SIZE + VERIFY_HEADER;

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_END;
        } /* case TLS_ASYNC_FINALIZE */
        FALL_THROUGH;

        case TLS_ASYNC_END:
        {
            /* This message is always encrypted. */
            ret = BuildTls13Message(ssl, args->output,
                                    MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA,
                                    args->output + RECORD_HEADER_SZ,
                                    args->sendSz - RECORD_HEADER_SZ, handshake,
                                    1, 0, 0);

            /* A non-negative return is the size of the built record. */
            if (ret < 0) {
                goto exit_scv;
            }
            else {
                args->sendSz = ret;
                ret = 0;
            }

        #ifdef WOLFSSL_CALLBACKS
            if (ssl->hsInfoOn)
                AddPacketName(ssl, "CertificateVerify");
            if (ssl->toInfoOn) {
                AddPacketInfo(ssl, "CertificateVerify", handshake,
                            args->output, args->sendSz, WRITE_PROTO, ssl->heap);
            }
        #endif

            ssl->buffers.outputBuffer.length += args->sendSz;

            if (!ssl->options.groupMessages)
                ret = SendBuffered(ssl);
            break;
        }
        default:
            ret = INPUT_CASE_ERROR;
    } /* switch(ssl->options.asyncState) */

exit_scv:

    WOLFSSL_LEAVE("SendTls13CertificateVerify", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_SEND);

#ifdef WOLFSSL_ASYNC_CRYPT
    /* Handle async operation: return without freeing anything so the
     * stored arguments are still there when the call is repeated. */
    if (ret == WC_PENDING_E) {
        return ret;
    }
#endif /* WOLFSSL_ASYNC_CRYPT */

    /* Final cleanup, on success and on every error that reaches exit_scv. */
    FreeScv13Args(ssl, args);
    FreeKeyExchange(ssl);

    return ret;
}
wolfSSL 15:117db924cf7c 5915
wolfSSL 15:117db924cf7c 5916 /* handle processing TLS v1.3 certificate (11) */
wolfSSL 15:117db924cf7c 5917 /* Parse and handle a TLS v1.3 Certificate message.
wolfSSL 15:117db924cf7c 5918 *
wolfSSL 15:117db924cf7c 5919 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 5920 * input The message buffer.
wolfSSL 15:117db924cf7c 5921 * inOutIdx On entry, the index into the message buffer of Certificate.
wolfSSL 15:117db924cf7c 5922 * On exit, the index of byte after the Certificate message.
wolfSSL 15:117db924cf7c 5923 * totalSz The length of the current handshake message.
wolfSSL 15:117db924cf7c 5924 * returns 0 on success and otherwise failure.
wolfSSL 15:117db924cf7c 5925 */
static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                              word32 totalSz)
{
    int rc;

    WOLFSSL_START(WC_FUNC_CERTIFICATE_DO);
    WOLFSSL_ENTER("DoTls13Certificate");

    /* Parsing and validation of the peer's certificates is delegated to
     * ProcessPeerCerts; no handshake state is touched unless it returns 0. */
    rc = ProcessPeerCerts(ssl, input, inOutIdx, totalSz);
    if (rc != 0) {
        goto exit_dc;
    }

#if !defined(NO_WOLFSSL_CLIENT)
    /* Client side: record that the server's Certificate was processed. */
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        ssl->options.serverState = SERVER_CERT_COMPLETE;
    }
#endif
#if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
    /* Server side, Certificate received after the handshake completed:
     * reset handshake states. */
    if (ssl->options.side == WOLFSSL_SERVER_END &&
            ssl->options.handShakeState == HANDSHAKE_DONE) {
        ssl->options.serverState    = SERVER_FINISHED_COMPLETE;
        ssl->options.acceptState    = TICKET_SENT;
        /* NOTE(review): the same constant is written to serverState above;
         * confirm it is the intended value for handShakeState. */
        ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
    }
#endif

exit_dc:
    WOLFSSL_LEAVE("DoTls13Certificate", rc);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_DO);

    return rc;
}
wolfSSL 15:117db924cf7c 5956
wolfSSL 16:8e0d178b1d1e 5957 #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
wolfSSL 16:8e0d178b1d1e 5958 defined(HAVE_ED448)
wolfSSL 15:117db924cf7c 5959
/* Working state for DoTls13CertificateVerify. With WOLFSSL_ASYNC_CRYPT the
 * function keeps it in ssl->async.args; otherwise it is a local variable. */
typedef struct Dcv13Args {
    byte*  output; /* not allocated; set through &args->output by RsaVerify
                    * and then passed to CheckRSASignature */
    word32 sendSz; /* non-negative RsaVerify result, passed as the length to
                    * CheckRSASignature */
    word16 sz;     /* signature length read from the message with ato16 */
    word32 sigSz;  /* not referenced in DoTls13CertificateVerify */
    word32 idx;    /* current offset into the input buffer */
    word32 begin;  /* offset at entry; idx - begin is compared to totalSz */
    byte   hashAlgo; /* filled in by DecodeTls13SigAlg */
    byte   sigAlgo;  /* filled in by DecodeTls13SigAlg */

    byte*  sigData;   /* MAX_SIG_DATA_SZ heap buffer; freed by FreeDcv13Args */
    word16 sigDataSz; /* length written by CreateSigData and, for ECC,
                       * replaced by the CreateECCEncodedSig result */
} Dcv13Args;
wolfSSL 15:117db924cf7c 5973
/* Release the heap data owned by a Dcv13Args.
 *
 * ssl    The SSL/TLS object; its heap hint is passed to XFREE.
 * pArgs  Pointer to the Dcv13Args to clean up.
 */
static void FreeDcv13Args(WOLFSSL* ssl, void* pArgs)
{
    Dcv13Args* dcv = (Dcv13Args*)pArgs;

    /* Keeps ssl referenced even if XFREE does not use its heap argument. */
    (void)ssl;

    if (dcv->sigData == NULL) {
        return;
    }

    XFREE(dcv->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
    /* Clear the pointer so a second call cannot free it again. */
    dcv->sigData = NULL;
}
wolfSSL 15:117db924cf7c 5985
wolfSSL 15:117db924cf7c 5986 /* handle processing TLS v1.3 certificate_verify (15) */
wolfSSL 15:117db924cf7c 5987 /* Parse and handle a TLS v1.3 CertificateVerify message.
wolfSSL 15:117db924cf7c 5988 *
wolfSSL 15:117db924cf7c 5989 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 5990 * input The message buffer.
wolfSSL 15:117db924cf7c 5991 * inOutIdx On entry, the index into the message buffer of
wolfSSL 15:117db924cf7c 5992 * CertificateVerify.
wolfSSL 15:117db924cf7c 5993 * On exit, the index of byte after the CertificateVerify message.
wolfSSL 15:117db924cf7c 5994 * totalSz The length of the current handshake message.
wolfSSL 15:117db924cf7c 5995 * returns 0 on success and otherwise failure.
wolfSSL 15:117db924cf7c 5996 */
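static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                                    word32* inOutIdx, word32 totalSz)
{
    int         ret = 0;
    buffer*     sig = &ssl->buffers.sig;
#ifdef WOLFSSL_ASYNC_CRYPT
    /* State is kept in the SSL object so it survives a WC_PENDING_E return. */
    Dcv13Args* args = (Dcv13Args*)ssl->async.args;
    /* Compile-time check that ssl->async.args is large enough for Dcv13Args. */
    typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
    (void)sizeof(args_test);
#else
    Dcv13Args  args[1];
#endif

    WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_DO);
    WOLFSSL_ENTER("DoTls13CertificateVerify");

#ifdef WOLFSSL_ASYNC_CRYPT
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
    if (ret != WC_NOT_PENDING_E) {
        /* Check for error */
        if (ret < 0)
            goto exit_dcv;
    }
    else
#endif
    {
        /* Reset state */
        ret = 0;
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
        XMEMSET(args, 0, sizeof(Dcv13Args));
        args->hashAlgo = sha_mac;
        args->sigAlgo = anonymous_sa_algo;
        args->idx = *inOutIdx;
        args->begin = *inOutIdx;
    #ifdef WOLFSSL_ASYNC_CRYPT
        ssl->async.freeArgs = FreeDcv13Args;
    #endif
    }

    switch(ssl->options.asyncState)
    {
        case TLS_ASYNC_BEGIN:
        {
        #ifdef WOLFSSL_CALLBACKS
            if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateVerify");
            if (ssl->toInfoOn) AddLateName("CertificateVerify",
                                           &ssl->timeoutInfo);
        #endif

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_BUILD;
        } /* case TLS_ASYNC_BEGIN */
        FALL_THROUGH;

        case TLS_ASYNC_BUILD:
        {
            /* Signature algorithm. */
            if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > totalSz) {
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
            }
            ret = DecodeTls13SigAlg(input + args->idx, &args->hashAlgo,
                                                                &args->sigAlgo);
            if (ret < 0)
                goto exit_dcv;
            args->idx += OPAQUE16_LEN;

            /* Signature length. */
            if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) {
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
            }
            ato16(input + args->idx, &args->sz);
            args->idx += OPAQUE16_LEN;

            /* Signature data. */
            if ((args->idx - args->begin) + args->sz > totalSz ||
                                                       args->sz > ENCRYPT_LEN) {
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
            }

            /* Check for public key of required type.
             *
             * The verification in the later states is selected by which peer
             * key is present, not by sigAlgo. A signature algorithm with no
             * matching peer key must therefore be rejected here: if it were
             * only logged, the signature could be checked under a different
             * algorithm than the peer named, or, when no peer key is present
             * at all, no verify branch would run and the message would still
             * reach TLS_ASYNC_FINALIZE with ret == 0.
             */
        #ifdef HAVE_ED25519
            if (args->sigAlgo == ed25519_sa_algo &&
                                                  !ssl->peerEd25519KeyPresent) {
                WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
                ERROR_OUT(SIG_VERIFY_E, exit_dcv);
            }
        #endif
        #ifdef HAVE_ED448
            if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) {
                WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify");
                ERROR_OUT(SIG_VERIFY_E, exit_dcv);
            }
        #endif
        #ifdef HAVE_ECC
            if (args->sigAlgo == ecc_dsa_sa_algo &&
                                                   !ssl->peerEccDsaKeyPresent) {
                WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
                ERROR_OUT(SIG_VERIFY_E, exit_dcv);
            }
        #endif
        #ifndef NO_RSA
            /* PKCS#1 v1.5 is refused outright for CertificateVerify. */
            if (args->sigAlgo == rsa_sa_algo) {
                WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature");
                ERROR_OUT(INVALID_PARAMETER, exit_dcv);
            }
            if (args->sigAlgo == rsa_pss_sa_algo &&
                         (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
                WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
                ERROR_OUT(SIG_VERIFY_E, exit_dcv);
            }
        #endif

            /* Private copy of the signature; args->sz was bounded by
             * totalSz and ENCRYPT_LEN above. */
            sig->buffer = (byte*)XMALLOC(args->sz, ssl->heap,
                                         DYNAMIC_TYPE_SIGNATURE);
            if (sig->buffer == NULL) {
                ERROR_OUT(MEMORY_E, exit_dcv);
            }
            sig->length = args->sz;
            XMEMCPY(sig->buffer, input + args->idx, args->sz);

        #ifdef HAVE_ECC
            if (ssl->peerEccDsaKeyPresent) {
                WOLFSSL_MSG("Doing ECC peer cert verify");

                args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
                                                        DYNAMIC_TYPE_SIGNATURE);
                if (args->sigData == NULL) {
                    ERROR_OUT(MEMORY_E, exit_dcv);
                }

                ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
                if (ret != 0)
                    goto exit_dcv;
                ret = CreateECCEncodedSig(args->sigData,
                    args->sigDataSz, args->hashAlgo);
                if (ret < 0)
                    goto exit_dcv;
                args->sigDataSz = (word16)ret;
                ret = 0;
            }
        #endif
        #ifdef HAVE_ED25519
            if (ssl->peerEd25519KeyPresent) {
                WOLFSSL_MSG("Doing ED25519 peer cert verify");

                args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
                                                        DYNAMIC_TYPE_SIGNATURE);
                if (args->sigData == NULL) {
                    ERROR_OUT(MEMORY_E, exit_dcv);
                }

                /* Do not verify against signed data that failed to build;
                 * same handling as the ECC branch above. */
                ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
                if (ret != 0)
                    goto exit_dcv;
            }
        #endif
        #ifdef HAVE_ED448
            if (ssl->peerEd448KeyPresent) {
                WOLFSSL_MSG("Doing ED448 peer cert verify");

                args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
                                                        DYNAMIC_TYPE_SIGNATURE);
                if (args->sigData == NULL) {
                    ERROR_OUT(MEMORY_E, exit_dcv);
                }

                /* Do not verify against signed data that failed to build;
                 * same handling as the ECC branch above. */
                ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
                if (ret != 0)
                    goto exit_dcv;
            }
        #endif

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_DO;
        } /* case TLS_ASYNC_BUILD */
        FALL_THROUGH;

        case TLS_ASYNC_DO:
        {
        #ifndef NO_RSA
            if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
                WOLFSSL_MSG("Doing RSA peer cert verify");

                ret = RsaVerify(ssl, sig->buffer, (word32)sig->length,
                    &args->output, args->sigAlgo, args->hashAlgo,
                    ssl->peerRsaKey,
                #ifdef HAVE_PK_CALLBACKS
                    &ssl->buffers.peerRsaKey
                #else
                    NULL
                #endif
                );
                /* A non-negative result is kept as a length for
                 * CheckRSASignature in the TLS_ASYNC_VERIFY state. */
                if (ret >= 0) {
                    args->sendSz = ret;
                    ret = 0;
                }
            }
        #endif /* !NO_RSA */
        #ifdef HAVE_ECC
            if (ssl->peerEccDsaKeyPresent) {
                WOLFSSL_MSG("Doing ECC peer cert verify");

                ret = EccVerify(ssl, input + args->idx, args->sz,
                    args->sigData, args->sigDataSz,
                    ssl->peerEccDsaKey,
                #ifdef HAVE_PK_CALLBACKS
                    &ssl->buffers.peerEccDsaKey
                #else
                    NULL
                #endif
                );

                /* The peer key is released once the call has completed
                 * without a negative result. */
                if (ret >= 0) {
                    FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey);
                    ssl->peerEccDsaKeyPresent = 0;
                }
            }
        #endif /* HAVE_ECC */
        #ifdef HAVE_ED25519
            if (ssl->peerEd25519KeyPresent) {
                WOLFSSL_MSG("Doing ED25519 peer cert verify");

                ret = Ed25519Verify(ssl, input + args->idx, args->sz,
                    args->sigData, args->sigDataSz,
                    ssl->peerEd25519Key,
                #ifdef HAVE_PK_CALLBACKS
                    &ssl->buffers.peerEd25519Key
                #else
                    NULL
                #endif
                );

                if (ret >= 0) {
                    FreeKey(ssl, DYNAMIC_TYPE_ED25519,
                                                  (void**)&ssl->peerEd25519Key);
                    ssl->peerEd25519KeyPresent = 0;
                }
            }
        #endif
        #ifdef HAVE_ED448
            if (ssl->peerEd448KeyPresent) {
                WOLFSSL_MSG("Doing ED448 peer cert verify");

                ret = Ed448Verify(ssl, input + args->idx, args->sz,
                    args->sigData, args->sigDataSz,
                    ssl->peerEd448Key,
                #ifdef HAVE_PK_CALLBACKS
                    &ssl->buffers.peerEd448Key
                #else
                    NULL
                #endif
                );

                if (ret >= 0) {
                    FreeKey(ssl, DYNAMIC_TYPE_ED448,
                                                    (void**)&ssl->peerEd448Key);
                    ssl->peerEd448KeyPresent = 0;
                }
            }
        #endif

            /* Check for error */
            if (ret != 0) {
                goto exit_dcv;
            }

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_VERIFY;
        } /* case TLS_ASYNC_DO */
        FALL_THROUGH;

        case TLS_ASYNC_VERIFY:
        {
        #ifndef NO_RSA
            if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
                ret = CheckRSASignature(ssl, args->sigAlgo, args->hashAlgo,
                                        args->output, args->sendSz);
                if (ret != 0)
                    goto exit_dcv;

                FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey);
                ssl->peerRsaKeyPresent = 0;
            }
        #endif /* !NO_RSA */

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_FINALIZE;
        } /* case TLS_ASYNC_VERIFY */
        FALL_THROUGH;

        case TLS_ASYNC_FINALIZE:
        {
            /* Only reached with ret == 0 from the states above. */
            ssl->options.havePeerVerify = 1;

            /* Set final index */
            args->idx += args->sz;
            *inOutIdx = args->idx;

            /* Encryption is always on: add padding */
            *inOutIdx += ssl->keys.padSz;

            /* Advance state and proceed */
            ssl->options.asyncState = TLS_ASYNC_END;
        } /* case TLS_ASYNC_FINALIZE */
        FALL_THROUGH;

        case TLS_ASYNC_END:
        {
            break;
        }
        default:
            ret = INPUT_CASE_ERROR;
    } /* switch(ssl->options.asyncState) */

exit_dcv:

    WOLFSSL_LEAVE("DoTls13CertificateVerify", ret);
    WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_DO);

#ifdef WOLFSSL_ASYNC_CRYPT
    /* Handle async operation */
    if (ret == WC_PENDING_E) {
        /* Mark message as not received so it can process again */
        ssl->msgsReceived.got_certificate_verify = 0;

        return ret;
    }
    else
#endif /* WOLFSSL_ASYNC_CRYPT */
    /* Every failure except INVALID_PARAMETER is reported to the peer as a
     * fatal decrypt_error alert. */
    if (ret != 0 && ret != INVALID_PARAMETER)
        SendAlert(ssl, alert_fatal, decrypt_error);

    /* Final cleanup */
    FreeDcv13Args(ssl, args);
    FreeKeyExchange(ssl);

    return ret;
}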
wolfSSL 15:117db924cf7c 6327 #endif /* !NO_RSA || HAVE_ECC */
wolfSSL 15:117db924cf7c 6328
wolfSSL 15:117db924cf7c 6329 /* Parse and handle a TLS v1.3 Finished message.
wolfSSL 15:117db924cf7c 6330 *
wolfSSL 15:117db924cf7c 6331 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 6332 * input The message buffer.
wolfSSL 15:117db924cf7c 6333 * inOutIdx On entry, the index into the message buffer of Finished.
wolfSSL 15:117db924cf7c 6334 * On exit, the index of byte after the Finished message and padding.
wolfSSL 15:117db924cf7c 6335 * size Length of message data.
wolfSSL 15:117db924cf7c 6336 * totalSz Length of remaining data in the message buffer.
wolfSSL 15:117db924cf7c 6337 * sniff Indicates whether we are sniffing packets.
wolfSSL 15:117db924cf7c 6338 * returns 0 on success and otherwise failure.
wolfSSL 15:117db924cf7c 6339 */
static int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                           word32 size, word32 totalSz, int sniff)
{
    int    rc;
    word32 expectedSz = 0;
    byte   expected[WC_MAX_DIGEST_SIZE];
    /* Key used to recompute the peer's Finished MAC. The client key is the
     * default; only a client still in the handshake switches to the server
     * key below. */
    byte*  macKey = ssl->keys.client_write_MAC_secret;
    /* Sampled once, before any key derivation, for the branch choice below. */
    const int postHandshake = ssl->options.handShakeDone ? 1 : 0;

    WOLFSSL_START(WC_FUNC_FINISHED_DO);
    WOLFSSL_ENTER("DoTls13Finished");

    /* Message body plus record padding must fit in the received data. */
    if (*inOutIdx + size + ssl->keys.padSz > totalSz) {
        return BUFFER_E;
    }

    if (postHandshake || ssl->options.side == WOLFSSL_CLIENT_END) {
        rc = DeriveFinishedSecret(ssl, ssl->clientSecret,
                                  ssl->keys.client_write_MAC_secret);
        if (rc != 0) {
            return rc;
        }

        if (!postHandshake) {
            /* Client during the handshake: all handshake messages have been
             * received, so the server finished key is derived as well and
             * used to check the server's Finished. */
            rc = DeriveFinishedSecret(ssl, ssl->serverSecret,
                                      ssl->keys.server_write_MAC_secret);
            if (rc != 0) {
                return rc;
            }

            macKey = ssl->keys.server_write_MAC_secret;
        }
    }

    /* Compute the value the peer should have sent. */
    rc = BuildTls13HandshakeHmac(ssl, macKey, expected, &expectedSz);
    if (rc != 0) {
        return rc;
    }
    /* The received verify data must be exactly as long as the computed one,
     * which also bounds the comparison below. */
    if (size != expectedSz) {
        return BUFFER_ERROR;
    }

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn) {
        AddPacketName(ssl, "Finished");
    }
    if (ssl->toInfoOn) {
        AddLateName("Finished", &ssl->timeoutInfo);
    }
#endif

    /* The verify data is only checked when not sniffing.
     * NOTE(review): XMEMCMP is not guaranteed to run in constant time;
     * consider a constant-time comparison for this MAC check. */
    if (sniff == NO_SNIFF &&
            XMEMCMP(input + *inOutIdx, expected, size) != 0) {
        WOLFSSL_MSG("Verify finished error on hashes");
        SendAlert(ssl, alert_fatal, decrypt_error);
        return VERIFY_FINISHED_ERROR;
    }

    /* Force input exhaustion at ProcessReply by consuming padSz. */
    *inOutIdx += size + ssl->keys.padSz;

    if (ssl->options.side == WOLFSSL_SERVER_END &&
            !ssl->options.handShakeDone) {
    #ifdef WOLFSSL_EARLY_DATA
        if (ssl->earlyData != no_early_data) {
            rc = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY, 1);
            if (rc != 0) {
                return rc;
            }
        }
    #endif
        /* Setup keys for application data messages from client. */
        rc = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);
        if (rc != 0) {
            return rc;
        }
    }

    /* Record completion of the peer's Finished for the local side. */
#ifndef NO_WOLFSSL_CLIENT
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
    }
#endif
#ifndef NO_WOLFSSL_SERVER
    if (ssl->options.side == WOLFSSL_SERVER_END) {
        ssl->options.clientState    = CLIENT_FINISHED_COMPLETE;
        ssl->options.handShakeState = HANDSHAKE_DONE;
        ssl->options.handShakeDone  = 1;
    }
#endif

    WOLFSSL_LEAVE("DoTls13Finished", 0);
    WOLFSSL_END(WC_FUNC_FINISHED_DO);

    return 0;
}
wolfSSL 15:117db924cf7c 6435 #endif /* NO_CERTS */
wolfSSL 15:117db924cf7c 6436
wolfSSL 15:117db924cf7c 6437 /* Send the TLS v1.3 Finished message.
wolfSSL 15:117db924cf7c 6438 *
wolfSSL 15:117db924cf7c 6439 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 6440 * returns 0 on success, otherwise failure.
wolfSSL 15:117db924cf7c 6441 */
wolfSSL 15:117db924cf7c 6442 static int SendTls13Finished(WOLFSSL* ssl)
wolfSSL 15:117db924cf7c 6443 {
wolfSSL 15:117db924cf7c 6444 int sendSz;
wolfSSL 15:117db924cf7c 6445 int finishedSz = ssl->specs.hash_size;
wolfSSL 15:117db924cf7c 6446 byte* input;
wolfSSL 15:117db924cf7c 6447 byte* output;
wolfSSL 15:117db924cf7c 6448 int ret;
wolfSSL 15:117db924cf7c 6449 int headerSz = HANDSHAKE_HEADER_SZ;
wolfSSL 15:117db924cf7c 6450 int outputSz;
wolfSSL 15:117db924cf7c 6451 byte* secret;
wolfSSL 15:117db924cf7c 6452
wolfSSL 15:117db924cf7c 6453 WOLFSSL_START(WC_FUNC_FINISHED_SEND);
wolfSSL 15:117db924cf7c 6454 WOLFSSL_ENTER("SendTls13Finished");
wolfSSL 15:117db924cf7c 6455
wolfSSL 15:117db924cf7c 6456 outputSz = WC_MAX_DIGEST_SIZE + DTLS_HANDSHAKE_HEADER_SZ + MAX_MSG_EXTRA;
wolfSSL 15:117db924cf7c 6457 /* Check buffers are big enough and grow if needed. */
wolfSSL 15:117db924cf7c 6458 if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
wolfSSL 15:117db924cf7c 6459 return ret;
wolfSSL 15:117db924cf7c 6460
wolfSSL 15:117db924cf7c 6461 /* get output buffer */
wolfSSL 15:117db924cf7c 6462 output = ssl->buffers.outputBuffer.buffer +
wolfSSL 15:117db924cf7c 6463 ssl->buffers.outputBuffer.length;
wolfSSL 15:117db924cf7c 6464 input = output + RECORD_HEADER_SZ;
wolfSSL 15:117db924cf7c 6465
wolfSSL 15:117db924cf7c 6466 AddTls13HandShakeHeader(input, finishedSz, 0, finishedSz, finished, ssl);
wolfSSL 15:117db924cf7c 6467
wolfSSL 15:117db924cf7c 6468 /* make finished hashes */
wolfSSL 15:117db924cf7c 6469 if (ssl->options.handShakeDone) {
wolfSSL 16:8e0d178b1d1e 6470 ret = DeriveFinishedSecret(ssl, ssl->clientSecret,
wolfSSL 15:117db924cf7c 6471 ssl->keys.client_write_MAC_secret);
wolfSSL 15:117db924cf7c 6472 if (ret != 0)
wolfSSL 15:117db924cf7c 6473 return ret;
wolfSSL 15:117db924cf7c 6474
wolfSSL 15:117db924cf7c 6475 secret = ssl->keys.client_write_MAC_secret;
wolfSSL 15:117db924cf7c 6476 }
wolfSSL 15:117db924cf7c 6477 else if (ssl->options.side == WOLFSSL_CLIENT_END)
wolfSSL 15:117db924cf7c 6478 secret = ssl->keys.client_write_MAC_secret;
wolfSSL 15:117db924cf7c 6479 else {
wolfSSL 15:117db924cf7c 6480 /* All the handshake messages have been done to calculate client and
wolfSSL 15:117db924cf7c 6481 * server finished keys.
wolfSSL 15:117db924cf7c 6482 */
wolfSSL 16:8e0d178b1d1e 6483 ret = DeriveFinishedSecret(ssl, ssl->clientSecret,
wolfSSL 15:117db924cf7c 6484 ssl->keys.client_write_MAC_secret);
wolfSSL 15:117db924cf7c 6485 if (ret != 0)
wolfSSL 15:117db924cf7c 6486 return ret;
wolfSSL 15:117db924cf7c 6487
wolfSSL 16:8e0d178b1d1e 6488 ret = DeriveFinishedSecret(ssl, ssl->serverSecret,
wolfSSL 15:117db924cf7c 6489 ssl->keys.server_write_MAC_secret);
wolfSSL 15:117db924cf7c 6490 if (ret != 0)
wolfSSL 15:117db924cf7c 6491 return ret;
wolfSSL 15:117db924cf7c 6492
wolfSSL 15:117db924cf7c 6493 secret = ssl->keys.server_write_MAC_secret;
wolfSSL 15:117db924cf7c 6494 }
wolfSSL 15:117db924cf7c 6495 ret = BuildTls13HandshakeHmac(ssl, secret, &input[headerSz], NULL);
wolfSSL 15:117db924cf7c 6496 if (ret != 0)
wolfSSL 15:117db924cf7c 6497 return ret;
wolfSSL 15:117db924cf7c 6498
wolfSSL 15:117db924cf7c 6499 /* This message is always encrypted. */
wolfSSL 15:117db924cf7c 6500 sendSz = BuildTls13Message(ssl, output, outputSz, input,
wolfSSL 15:117db924cf7c 6501 headerSz + finishedSz, handshake, 1, 0, 0);
wolfSSL 15:117db924cf7c 6502 if (sendSz < 0)
wolfSSL 15:117db924cf7c 6503 return BUILD_MSG_ERROR;
wolfSSL 15:117db924cf7c 6504
wolfSSL 15:117db924cf7c 6505 #ifndef NO_SESSION_CACHE
wolfSSL 16:8e0d178b1d1e 6506 if (!ssl->options.resuming && (ssl->options.side == WOLFSSL_SERVER_END ||
wolfSSL 16:8e0d178b1d1e 6507 (ssl->options.side == WOLFSSL_SERVER_END && ssl->arrays != NULL))) {
wolfSSL 15:117db924cf7c 6508 AddSession(ssl); /* just try */
wolfSSL 16:8e0d178b1d1e 6509 }
wolfSSL 16:8e0d178b1d1e 6510 #endif
wolfSSL 15:117db924cf7c 6511
wolfSSL 15:117db924cf7c 6512 #ifdef WOLFSSL_CALLBACKS
wolfSSL 15:117db924cf7c 6513 if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
wolfSSL 15:117db924cf7c 6514 if (ssl->toInfoOn) {
wolfSSL 15:117db924cf7c 6515 AddPacketInfo(ssl, "Finished", handshake, output, sendSz,
wolfSSL 15:117db924cf7c 6516 WRITE_PROTO, ssl->heap);
wolfSSL 15:117db924cf7c 6517 }
wolfSSL 15:117db924cf7c 6518 #endif
wolfSSL 15:117db924cf7c 6519
wolfSSL 15:117db924cf7c 6520 ssl->buffers.outputBuffer.length += sendSz;
wolfSSL 15:117db924cf7c 6521
wolfSSL 15:117db924cf7c 6522 if (ssl->options.side == WOLFSSL_SERVER_END) {
wolfSSL 15:117db924cf7c 6523 /* Can send application data now. */
wolfSSL 15:117db924cf7c 6524 if ((ret = DeriveMasterSecret(ssl)) != 0)
wolfSSL 15:117db924cf7c 6525 return ret;
wolfSSL 15:117db924cf7c 6526 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 6527 if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_SIDE_ONLY, 1))
wolfSSL 15:117db924cf7c 6528 != 0) {
wolfSSL 15:117db924cf7c 6529 return ret;
wolfSSL 15:117db924cf7c 6530 }
wolfSSL 15:117db924cf7c 6531 if ((ret = DeriveTls13Keys(ssl, traffic_key, DECRYPT_SIDE_ONLY,
wolfSSL 15:117db924cf7c 6532 ssl->earlyData == no_early_data)) != 0) {
wolfSSL 15:117db924cf7c 6533 return ret;
wolfSSL 15:117db924cf7c 6534 }
wolfSSL 15:117db924cf7c 6535 #else
wolfSSL 15:117db924cf7c 6536 if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_AND_DECRYPT_SIDE,
wolfSSL 15:117db924cf7c 6537 1)) != 0) {
wolfSSL 15:117db924cf7c 6538 return ret;
wolfSSL 15:117db924cf7c 6539 }
wolfSSL 15:117db924cf7c 6540 #endif
wolfSSL 15:117db924cf7c 6541 if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
wolfSSL 15:117db924cf7c 6542 return ret;
wolfSSL 15:117db924cf7c 6543 }
wolfSSL 15:117db924cf7c 6544
wolfSSL 15:117db924cf7c 6545 if (ssl->options.side == WOLFSSL_CLIENT_END &&
wolfSSL 15:117db924cf7c 6546 !ssl->options.handShakeDone) {
wolfSSL 15:117db924cf7c 6547 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 6548 if (ssl->earlyData != no_early_data) {
wolfSSL 15:117db924cf7c 6549 if ((ret = DeriveTls13Keys(ssl, no_key, ENCRYPT_AND_DECRYPT_SIDE,
wolfSSL 15:117db924cf7c 6550 1)) != 0) {
wolfSSL 15:117db924cf7c 6551 return ret;
wolfSSL 15:117db924cf7c 6552 }
wolfSSL 15:117db924cf7c 6553 }
wolfSSL 15:117db924cf7c 6554 #endif
wolfSSL 15:117db924cf7c 6555 /* Setup keys for application data messages. */
wolfSSL 15:117db924cf7c 6556 if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
wolfSSL 15:117db924cf7c 6557 return ret;
wolfSSL 15:117db924cf7c 6558
wolfSSL 15:117db924cf7c 6559 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
wolfSSL 15:117db924cf7c 6560 ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret);
wolfSSL 15:117db924cf7c 6561 if (ret != 0)
wolfSSL 15:117db924cf7c 6562 return ret;
wolfSSL 15:117db924cf7c 6563 #endif
wolfSSL 15:117db924cf7c 6564 }
wolfSSL 15:117db924cf7c 6565
wolfSSL 15:117db924cf7c 6566 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 15:117db924cf7c 6567 if (ssl->options.side == WOLFSSL_CLIENT_END) {
wolfSSL 15:117db924cf7c 6568 ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
wolfSSL 15:117db924cf7c 6569 ssl->options.handShakeState = HANDSHAKE_DONE;
wolfSSL 15:117db924cf7c 6570 ssl->options.handShakeDone = 1;
wolfSSL 15:117db924cf7c 6571 }
wolfSSL 15:117db924cf7c 6572 #endif
wolfSSL 15:117db924cf7c 6573 #ifndef NO_WOLFSSL_SERVER
wolfSSL 15:117db924cf7c 6574 if (ssl->options.side == WOLFSSL_SERVER_END) {
wolfSSL 15:117db924cf7c 6575 ssl->options.serverState = SERVER_FINISHED_COMPLETE;
wolfSSL 15:117db924cf7c 6576 }
wolfSSL 15:117db924cf7c 6577 #endif
wolfSSL 15:117db924cf7c 6578
wolfSSL 15:117db924cf7c 6579 if ((ret = SendBuffered(ssl)) != 0)
wolfSSL 15:117db924cf7c 6580 return ret;
wolfSSL 15:117db924cf7c 6581
wolfSSL 15:117db924cf7c 6582 WOLFSSL_LEAVE("SendTls13Finished", ret);
wolfSSL 15:117db924cf7c 6583 WOLFSSL_END(WC_FUNC_FINISHED_SEND);
wolfSSL 15:117db924cf7c 6584
wolfSSL 15:117db924cf7c 6585 return ret;
wolfSSL 15:117db924cf7c 6586 }
wolfSSL 15:117db924cf7c 6587
/* handle generation TLS v1.3 key_update (24) */
/* Build and send a TLS v1.3 KeyUpdate message, then move this side's sending
 * keys on to the next generation.
 *
 * The one-byte body asks the peer for a KeyUpdate of its own only when no
 * request from this side is already outstanding and this message is not
 * itself the reply to a peer request. The record is built before the new keys
 * are derived.
 *
 * NOTE(review): WANT_WRITE from SendBuffered() is tolerated here and then
 * overwritten by the key derivation results, so the caller gets 0 even when
 * the record is still waiting in the output buffer.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int SendTls13KeyUpdate(WOLFSSL* ssl)
{
    const word32 requestIdx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    const int    msgSz      = HANDSHAKE_HEADER_SZ + OPAQUE8_LEN;
    const int    outputSz   = OPAQUE8_LEN + MAX_MSG_EXTRA;
    byte*        record;
    byte*        hsMsg;
    byte         wantResponse;
    int          sendSz;
    int          ret;

    WOLFSSL_START(WC_FUNC_KEY_UPDATE_SEND);
    WOLFSSL_ENTER("SendTls13KeyUpdate");

    /* Make sure the output buffer can hold the record; grow it if needed. */
    ret = CheckAvailableSize(ssl, outputSz);
    if (ret != 0)
        return ret;

    /* The record is appended after whatever is already queued for sending. */
    record = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;
    hsMsg  = record + RECORD_HEADER_SZ;

    AddTls13Headers(record, OPAQUE8_LEN, key_update, ssl);

    /* Request a response only if:
     *   1. no KeyUpdate requesting a response is already outstanding, and
     *   2. this message is not the reply to a peer's request.
     */
    wantResponse = (byte)(!ssl->keys.updateResponseReq &&
                          !ssl->keys.keyUpdateRespond);
    record[requestIdx]          = wantResponse;
    ssl->keys.updateResponseReq = wantResponse;
    /* Any pending reply to the peer is covered by this message. */
    ssl->keys.keyUpdateRespond = 0;

    /* This message is always encrypted. */
    sendSz = BuildTls13Message(ssl, record, outputSz, hsMsg, msgSz, handshake,
                               0, 0, 0);
    if (sendSz < 0)
        return BUILD_MSG_ERROR;

#ifdef WOLFSSL_CALLBACKS
    if (ssl->hsInfoOn)
        AddPacketName(ssl, "KeyUpdate");
    if (ssl->toInfoOn) {
        AddPacketInfo(ssl, "KeyUpdate", handshake, record, sendSz,
                      WRITE_PROTO, ssl->heap);
    }
#endif

    ssl->buffers.outputBuffer.length += sendSz;

    /* A blocked write is not treated as a failure at this point. */
    ret = SendBuffered(ssl);
    if (ret != 0 && ret != WANT_WRITE)
        return ret;

    /* Everything sent from now on uses the updated encryption keys. */
    ret = DeriveTls13Keys(ssl, update_traffic_key, ENCRYPT_SIDE_ONLY, 1);
    if (ret != 0)
        return ret;
    ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
    if (ret != 0)
        return ret;

    WOLFSSL_LEAVE("SendTls13KeyUpdate", ret);
    WOLFSSL_END(WC_FUNC_KEY_UPDATE_SEND);

    return ret;
}
wolfSSL 15:117db924cf7c 6661
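/* handle processing TLS v1.3 key_update (24) */
/* Parse and handle a TLS v1.3 KeyUpdate message.
 *
 * The body is a single peer-controlled byte: its length is checked against
 * totalSz and any value other than update_not_requested / update_requested is
 * rejected. The receive keys are then moved on to the next generation and,
 * when the peer asked for it, a KeyUpdate is sent in reply.
 *
 * NOTE(review): assumes the caller has already confirmed that totalSz bytes
 * are available at input[*inOutIdx]; no limit on the number of peer-requested
 * updates is visible in this function.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of KeyUpdate.
 *           On exit, the index of byte after the KeyUpdate message and padding.
 * totalSz   The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13KeyUpdate(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                            word32 totalSz)
{
    int    ret;
    word32 i = *inOutIdx;

    WOLFSSL_START(WC_FUNC_KEY_UPDATE_DO);
    WOLFSSL_ENTER("DoTls13KeyUpdate");

    /* The body must be exactly one byte. */
    if (OPAQUE8_LEN != totalSz)
        return BUFFER_E;

    switch (input[i]) {
        case update_not_requested:
            /* This message in response to any outstanding request. */
            ssl->keys.keyUpdateRespond  = 0;
            ssl->keys.updateResponseReq = 0;
            break;
        case update_requested:
            /* New key update requiring a response. */
            ssl->keys.keyUpdateRespond = 1;
            break;
        default:
            return INVALID_PARAMETER;
    }

    /* Move index to byte after message. */
    *inOutIdx += totalSz;
    /* Always encrypted. */
    *inOutIdx += ssl->keys.padSz;

    /* Future traffic uses new decryption keys. */
    ret = DeriveTls13Keys(ssl, update_traffic_key, DECRYPT_SIDE_ONLY, 1);
    if (ret != 0)
        return ret;
    ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);
    if (ret != 0)
        return ret;

    /* Reply when asked to. The result falls through to the common exit so the
     * leave/end trace calls also run on this path, which previously returned
     * straight from here.
     */
    if (ssl->keys.keyUpdateRespond)
        ret = SendTls13KeyUpdate(ssl);

    WOLFSSL_LEAVE("DoTls13KeyUpdate", ret);
    WOLFSSL_END(WC_FUNC_KEY_UPDATE_DO);

    return ret;
}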
wolfSSL 15:117db924cf7c 6720
wolfSSL 15:117db924cf7c 6721 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 6722 #ifndef NO_WOLFSSL_CLIENT
/* Send the TLS v1.3 EndOfEarlyData message to indicate that there will be no
 * more early application data.
 * The message has an empty body. Once it is built, the encryption side is
 * switched with SetKeysSide() to the pre-calculated handshake key.
 *
 * The record is flushed here only when message grouping is off; otherwise it
 * stays in the output buffer for a later send.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success and otherwise failure.
 */
static int SendTls13EndOfEarlyData(WOLFSSL* ssl)
{
    const word32 bodySz = 0;
    const word32 hdrEnd = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
    byte*        record;
    int          sendSz;
    int          ret;

    WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_SEND);
    WOLFSSL_ENTER("SendTls13EndOfEarlyData");

    sendSz = hdrEnd + bodySz + MAX_MSG_EXTRA;

    /* Make sure the output buffer can hold the record; grow it if needed. */
    ret = CheckAvailableSize(ssl, sendSz);
    if (ret != 0)
        return ret;

    /* The record is appended after whatever is already queued for sending. */
    record = ssl->buffers.outputBuffer.buffer +
             ssl->buffers.outputBuffer.length;

    /* Record and handshake headers. */
    AddTls13Headers(record, bodySz, end_of_early_data, ssl);

    /* This message is always encrypted. */
    sendSz = BuildTls13Message(ssl, record, sendSz, record + RECORD_HEADER_SZ,
                               hdrEnd - RECORD_HEADER_SZ, handshake, 1, 0, 0);
    if (sendSz < 0)
        return sendSz;

    ssl->buffers.outputBuffer.length += sendSz;

    /* Later records are encrypted with the handshake key. */
    ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
    if (ret != 0)
        return ret;

    if (!ssl->options.groupMessages)
        ret = SendBuffered(ssl);

    WOLFSSL_LEAVE("SendTls13EndOfEarlyData", ret);
    WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_SEND);

    return ret;
}
wolfSSL 15:117db924cf7c 6774 #endif /* !NO_WOLFSSL_CLIENT */
wolfSSL 15:117db924cf7c 6775
wolfSSL 15:117db924cf7c 6776 #ifndef NO_WOLFSSL_SERVER
/* handle processing of TLS 1.3 end_of_early_data (5) */
/* Parse the TLS v1.3 EndOfEarlyData message that indicates that there will be
 * no more early application data.
 * The decryption key now changes to the pre-calculated handshake key.
 *
 * The message must have an empty body, and it is rejected with a fatal
 * unexpected_message alert when this connection is not using early data.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer (not read).
 * inOutIdx  On entry, the index into the message buffer of EndOfEarlyData.
 *           On exit, advanced past the record padding.
 * size      The length of the current handshake message.
 * returns 0 on success and otherwise failure.
 */
static int DoTls13EndOfEarlyData(WOLFSSL* ssl, const byte* input,
                                 word32* inOutIdx, word32 size)
{
    int ret;

    (void)input;

    WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_DO);
    WOLFSSL_ENTER("DoTls13EndOfEarlyData");

    /* Nothing is consumed from the body, so any non-zero length is invalid. */
    if (size != 0)
        return BUFFER_ERROR;

    /* Only valid while early data is in progress on this connection. */
    if (ssl->earlyData == no_early_data) {
        WOLFSSL_MSG("EndOfEarlyData received unexpectedly");
        SendAlert(ssl, alert_fatal, unexpected_message);
        return OUT_OF_ORDER_E;
    }

    ssl->earlyData = done_early_data;

    /* Always encrypted. */
    *inOutIdx += ssl->keys.padSz;

    /* Later records are decrypted with the handshake key. */
    ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);

    WOLFSSL_LEAVE("DoTls13EndOfEarlyData", ret);
    WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_DO);

    return ret;
}
wolfSSL 15:117db924cf7c 6817 #endif /* !NO_WOLFSSL_SERVER */
wolfSSL 15:117db924cf7c 6818 #endif /* WOLFSSL_EARLY_DATA */
wolfSSL 15:117db924cf7c 6819
wolfSSL 15:117db924cf7c 6820 #ifndef NO_WOLFSSL_CLIENT
/* Handle a New Session Ticket handshake message.
 * Message contains the information required to perform resumption.
 *
 * Every length in the message comes from the peer. Each field is checked
 * against the remaining message size before it is read, the lifetime hint is
 * limited to MAX_LIFETIME, the nonce length is limited to MAX_TICKET_NONCE_SZ
 * before the nonce is copied into the session, and the extensions block must
 * end exactly at the end of the message.
 *
 * NOTE(review): the ticket is stored and the session fields are updated before
 * the extensions block is length-checked, so a message rejected at that point
 * has already changed the session state. Without WOLFSSL_EARLY_DATA the
 * extension bytes are skipped without being parsed.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the message buffer of NewSessionTicket.
 *           On exit, the index of byte after the message and padding.
 * size      The length of the current handshake message.
 * returns 0 on success, otherwise failure.
 */
static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input,
                                   word32* inOutIdx, word32 size)
{
#ifdef HAVE_SESSION_TICKET
    int         ret;
    word32      start = *inOutIdx;
    word32      lifetimeHint;
    word32      ageAdd;
    word16      fieldLen;
    word32      seenAt;
#ifndef WOLFSSL_TLS13_DRAFT_18
    const byte* noncePtr;
    byte        nonceLen;
#endif

    WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_DO);
    WOLFSSL_ENTER("DoTls13NewSessionTicket");

    /* Lifetime hint. */
    if ((*inOutIdx - start) + SESSION_HINT_SZ > size)
        return BUFFER_ERROR;
    ato32(input + *inOutIdx, &lifetimeHint);
    *inOutIdx += SESSION_HINT_SZ;
    if (lifetimeHint > MAX_LIFETIME)
        return SERVER_HINT_ERROR;

    /* Age add. */
    if ((*inOutIdx - start) + SESSION_ADD_SZ > size)
        return BUFFER_ERROR;
    ato32(input + *inOutIdx, &ageAdd);
    *inOutIdx += SESSION_ADD_SZ;

#ifndef WOLFSSL_TLS13_DRAFT_18
    /* Ticket nonce: one length byte, then the nonce itself. */
    if ((*inOutIdx - start) + 1 > size)
        return BUFFER_ERROR;
    nonceLen = input[*inOutIdx];
    /* Reject before any copy: the session's nonce storage is fixed size. */
    if (nonceLen > MAX_TICKET_NONCE_SZ) {
        WOLFSSL_MSG("Nonce length not supported");
        return INVALID_PARAMETER;
    }
    *inOutIdx += 1;
    if ((*inOutIdx - start) + nonceLen > size)
        return BUFFER_ERROR;
    noncePtr = input + *inOutIdx;
    *inOutIdx += nonceLen;
#endif

    /* Ticket: two length bytes, then the ticket data. */
    if ((*inOutIdx - start) + LENGTH_SZ > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &fieldLen);
    *inOutIdx += LENGTH_SZ;
    if ((*inOutIdx - start) + fieldLen > size)
        return BUFFER_ERROR;

    ret = SetTicket(ssl, input + *inOutIdx, fieldLen);
    if (ret != 0)
        return ret;
    *inOutIdx += fieldLen;

    seenAt = TimeNowInMilliseconds();
    if (seenAt == (word32)GETTIME_ERROR)
        return seenAt;

    /* Copy in ticket data (server identity). */
    ssl->timeout              = lifetimeHint;
    ssl->session.timeout      = lifetimeHint;
    ssl->session.cipherSuite0 = ssl->options.cipherSuite0;
    ssl->session.cipherSuite  = ssl->options.cipherSuite;
    ssl->session.ticketSeen   = seenAt;
    ssl->session.ticketAdd    = ageAdd;
#ifdef WOLFSSL_EARLY_DATA
    ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
#endif
#ifndef WOLFSSL_TLS13_DRAFT_18
    ssl->session.ticketNonce.len = nonceLen;
    if (nonceLen > 0)
        XMEMCPY(&ssl->session.ticketNonce.data, noncePtr, nonceLen);
#endif
    ssl->session.namedGroup = ssl->namedGroup;

    /* Extensions: two length bytes, then data that must fill the rest of the
     * message exactly.
     */
    if ((*inOutIdx - start) + EXTS_SZ > size)
        return BUFFER_ERROR;
    ato16(input + *inOutIdx, &fieldLen);
    *inOutIdx += EXTS_SZ;
    if ((*inOutIdx - start) + fieldLen != size)
        return BUFFER_ERROR;
#ifdef WOLFSSL_EARLY_DATA
    ret = TLSX_Parse(ssl, (byte *)input + (*inOutIdx), fieldLen,
                     session_ticket, NULL);
    if (ret != 0)
        return ret;
#endif
    *inOutIdx += fieldLen;

#ifndef NO_SESSION_CACHE
    AddSession(ssl);
#endif

    /* Always encrypted. */
    *inOutIdx += ssl->keys.padSz;

    ssl->expect_session_ticket = 0;
#else
    (void)ssl;
    (void)input;

    WOLFSSL_ENTER("DoTls13NewSessionTicket");

    /* Tickets are not supported in this build: skip the message and padding. */
    *inOutIdx += size + ssl->keys.padSz;
#endif /* HAVE_SESSION_TICKET */

    WOLFSSL_LEAVE("DoTls13NewSessionTicket", 0);
    WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_DO);

    return 0;
}
wolfSSL 15:117db924cf7c 6947 #endif /* NO_WOLFSSL_CLIENT */
wolfSSL 15:117db924cf7c 6948
wolfSSL 15:117db924cf7c 6949 #ifndef NO_WOLFSSL_SERVER
wolfSSL 15:117db924cf7c 6950 #ifdef HAVE_SESSION_TICKET
wolfSSL 15:117db924cf7c 6951
wolfSSL 15:117db924cf7c 6952 #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
wolfSSL 15:117db924cf7c 6953 /* Offset of the MAC size in the finished message. */
wolfSSL 15:117db924cf7c 6954 #define FINISHED_MSG_SIZE_OFFSET 3
wolfSSL 15:117db924cf7c 6955
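/* Calculate the resumption secret which includes the unseen client finished
 * message.
 *
 * The running handshake hash is snapshotted, the client Finished message this
 * side expects (preceded by an EndOfEarlyData header when early data is in
 * use) is hashed in, the resumption secret is derived into
 * ssl->session.masterSecret, and the snapshot is copied back so the handshake
 * hash again covers only the messages actually seen.
 *
 * NOTE(review): the early returns between snapshot and restore leave the
 * handshake hash with the extra input still in it; this relies on callers
 * treating any failure here as fatal - confirm.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, otherwise failure.
 */
static int ExpectedResumptionSecret(WOLFSSL* ssl)
{
    int         ret;
    word32      finishedSz = 0;
    byte        mac[WC_MAX_DIGEST_SIZE];
    Digest      digest;
    /* Finished handshake header; the length byte is filled in below. Kept as
     * a per-call local rather than a static so that calls for different
     * connections never write to shared storage.
     */
    byte        header[] = { 0x14, 0x00, 0x00, 0x00 };

    /* Copy the running hash so we can restore it after. */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            ret = wc_Sha256Copy(&ssl->hsHashes->hashSha256, &digest.sha256);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_Sha384Copy(&ssl->hsHashes->hashSha384, &digest.sha384);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            ret = wc_Sha512Copy(&ssl->hsHashes->hashSha512, &digest.sha512);
            if (ret != 0)
                return ret;
            break;
    #endif
    }

    /* Generate the Client's Finished message and hash it. */
    ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, mac,
                                  &finishedSz);
    if (ret != 0)
        return ret;
    header[FINISHED_MSG_SIZE_OFFSET] = (byte)finishedSz;
#ifdef WOLFSSL_EARLY_DATA
    if (ssl->earlyData != no_early_data) {
        static byte endOfEarlyData[] = { 0x05, 0x00, 0x00, 0x00 };
        ret = HashInputRaw(ssl, endOfEarlyData, sizeof(endOfEarlyData));
        if (ret != 0)
            return ret;
    }
#endif
    if ((ret = HashInputRaw(ssl, header, sizeof(header))) != 0)
        return ret;
    if ((ret = HashInputRaw(ssl, mac, finishedSz)) != 0)
        return ret;

    if ((ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret)) != 0)
        return ret;

    /* Restore the hash inline with currently seen messages. */
    switch (ssl->specs.mac_algorithm) {
    #ifndef NO_SHA256
        case sha256_mac:
            ret = wc_Sha256Copy(&digest.sha256, &ssl->hsHashes->hashSha256);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_SHA384
        case sha384_mac:
            ret = wc_Sha384Copy(&digest.sha384, &ssl->hsHashes->hashSha384);
            if (ret != 0)
                return ret;
            break;
    #endif
    #ifdef WOLFSSL_TLS13_SHA512
        case sha512_mac:
            /* Restore into the SHA-512 state that the snapshot was taken
             * from; the SHA-384 state is not involved for this suite.
             */
            ret = wc_Sha512Copy(&digest.sha512, &ssl->hsHashes->hashSha512);
            if (ret != 0)
                return ret;
            break;
    #endif
    }

    return ret;
}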
wolfSSL 15:117db924cf7c 7044 #endif
wolfSSL 15:117db924cf7c 7045
wolfSSL 15:117db924cf7c 7046 /* Send New Session Ticket handshake message.
wolfSSL 15:117db924cf7c 7047 * Message contains the information required to perform resumption.
wolfSSL 15:117db924cf7c 7048 *
wolfSSL 15:117db924cf7c 7049 * ssl The SSL/TLS object.
wolfSSL 16:8e0d178b1d1e 7050 * returns 0 on success, otherwise failure.
wolfSSL 15:117db924cf7c 7051 */
wolfSSL 15:117db924cf7c 7052 static int SendTls13NewSessionTicket(WOLFSSL* ssl)
wolfSSL 15:117db924cf7c 7053 {
wolfSSL 15:117db924cf7c 7054 byte* output;
wolfSSL 15:117db924cf7c 7055 int ret;
wolfSSL 15:117db924cf7c 7056 int sendSz;
wolfSSL 15:117db924cf7c 7057 word16 extSz;
wolfSSL 15:117db924cf7c 7058 word32 length;
wolfSSL 15:117db924cf7c 7059 word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
wolfSSL 15:117db924cf7c 7060
wolfSSL 15:117db924cf7c 7061 WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_SEND);
wolfSSL 15:117db924cf7c 7062 WOLFSSL_ENTER("SendTls13NewSessionTicket");
wolfSSL 15:117db924cf7c 7063
wolfSSL 15:117db924cf7c 7064 #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
wolfSSL 15:117db924cf7c 7065 if (!ssl->msgsReceived.got_finished) {
wolfSSL 15:117db924cf7c 7066 if ((ret = ExpectedResumptionSecret(ssl)) != 0)
wolfSSL 15:117db924cf7c 7067 return ret;
wolfSSL 15:117db924cf7c 7068 }
wolfSSL 15:117db924cf7c 7069 #endif
wolfSSL 15:117db924cf7c 7070
wolfSSL 15:117db924cf7c 7071 #ifndef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 7072 /* Start ticket nonce at 0 and go up to 255. */
wolfSSL 15:117db924cf7c 7073 if (ssl->session.ticketNonce.len == 0) {
wolfSSL 15:117db924cf7c 7074 ssl->session.ticketNonce.len = DEF_TICKET_NONCE_SZ;
wolfSSL 15:117db924cf7c 7075 ssl->session.ticketNonce.data[0] = 0;
wolfSSL 15:117db924cf7c 7076 }
wolfSSL 15:117db924cf7c 7077 else
wolfSSL 15:117db924cf7c 7078 ssl->session.ticketNonce.data[0]++;
wolfSSL 15:117db924cf7c 7079 #endif
wolfSSL 15:117db924cf7c 7080
wolfSSL 15:117db924cf7c 7081 if (!ssl->options.noTicketTls13) {
wolfSSL 15:117db924cf7c 7082 if ((ret = CreateTicket(ssl)) != 0)
wolfSSL 15:117db924cf7c 7083 return ret;
wolfSSL 15:117db924cf7c 7084 }
wolfSSL 15:117db924cf7c 7085
wolfSSL 15:117db924cf7c 7086 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 7087 ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
wolfSSL 15:117db924cf7c 7088 if (ssl->session.maxEarlyDataSz > 0)
wolfSSL 15:117db924cf7c 7089 TLSX_EarlyData_Use(ssl, ssl->session.maxEarlyDataSz);
wolfSSL 15:117db924cf7c 7090 extSz = 0;
wolfSSL 15:117db924cf7c 7091 ret = TLSX_GetResponseSize(ssl, session_ticket, &extSz);
wolfSSL 15:117db924cf7c 7092 if (ret != 0)
wolfSSL 15:117db924cf7c 7093 return ret;
wolfSSL 15:117db924cf7c 7094 #else
wolfSSL 15:117db924cf7c 7095 extSz = EXTS_SZ;
wolfSSL 15:117db924cf7c 7096 #endif
wolfSSL 15:117db924cf7c 7097
wolfSSL 15:117db924cf7c 7098 /* Lifetime | Age Add | Ticket | Extensions */
wolfSSL 15:117db924cf7c 7099 length = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ +
wolfSSL 15:117db924cf7c 7100 ssl->session.ticketLen + extSz;
wolfSSL 15:117db924cf7c 7101 #ifndef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 7102 /* Nonce */
wolfSSL 15:117db924cf7c 7103 length += TICKET_NONCE_LEN_SZ + DEF_TICKET_NONCE_SZ;
wolfSSL 15:117db924cf7c 7104 #endif
wolfSSL 15:117db924cf7c 7105 sendSz = idx + length + MAX_MSG_EXTRA;
wolfSSL 15:117db924cf7c 7106
wolfSSL 15:117db924cf7c 7107 /* Check buffers are big enough and grow if needed. */
wolfSSL 15:117db924cf7c 7108 if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
wolfSSL 15:117db924cf7c 7109 return ret;
wolfSSL 15:117db924cf7c 7110
wolfSSL 15:117db924cf7c 7111 /* Get position in output buffer to write new message to. */
wolfSSL 15:117db924cf7c 7112 output = ssl->buffers.outputBuffer.buffer +
wolfSSL 15:117db924cf7c 7113 ssl->buffers.outputBuffer.length;
wolfSSL 15:117db924cf7c 7114
wolfSSL 15:117db924cf7c 7115 /* Put the record and handshake headers on. */
wolfSSL 15:117db924cf7c 7116 AddTls13Headers(output, length, session_ticket, ssl);
wolfSSL 15:117db924cf7c 7117
wolfSSL 15:117db924cf7c 7118 /* Lifetime hint */
wolfSSL 15:117db924cf7c 7119 c32toa(ssl->ctx->ticketHint, output + idx);
wolfSSL 15:117db924cf7c 7120 idx += SESSION_HINT_SZ;
wolfSSL 15:117db924cf7c 7121 /* Age add - obfuscator */
wolfSSL 15:117db924cf7c 7122 c32toa(ssl->session.ticketAdd, output + idx);
wolfSSL 15:117db924cf7c 7123 idx += SESSION_ADD_SZ;
wolfSSL 15:117db924cf7c 7124
wolfSSL 15:117db924cf7c 7125 #ifndef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 7126 output[idx++] = ssl->session.ticketNonce.len;
wolfSSL 15:117db924cf7c 7127 output[idx++] = ssl->session.ticketNonce.data[0];
wolfSSL 15:117db924cf7c 7128 #endif
wolfSSL 15:117db924cf7c 7129
wolfSSL 15:117db924cf7c 7130 /* length */
wolfSSL 15:117db924cf7c 7131 c16toa(ssl->session.ticketLen, output + idx);
wolfSSL 15:117db924cf7c 7132 idx += LENGTH_SZ;
wolfSSL 15:117db924cf7c 7133 /* ticket */
wolfSSL 15:117db924cf7c 7134 XMEMCPY(output + idx, ssl->session.ticket, ssl->session.ticketLen);
wolfSSL 15:117db924cf7c 7135 idx += ssl->session.ticketLen;
wolfSSL 15:117db924cf7c 7136
wolfSSL 15:117db924cf7c 7137 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 7138 extSz = 0;
wolfSSL 15:117db924cf7c 7139 ret = TLSX_WriteResponse(ssl, output + idx, session_ticket, &extSz);
wolfSSL 15:117db924cf7c 7140 if (ret != 0)
wolfSSL 15:117db924cf7c 7141 return ret;
wolfSSL 15:117db924cf7c 7142 idx += extSz;
wolfSSL 15:117db924cf7c 7143 #else
wolfSSL 15:117db924cf7c 7144 /* No extension support - empty extensions. */
wolfSSL 15:117db924cf7c 7145 c16toa(0, output + idx);
wolfSSL 15:117db924cf7c 7146 idx += EXTS_SZ;
wolfSSL 15:117db924cf7c 7147 #endif
wolfSSL 15:117db924cf7c 7148
wolfSSL 15:117db924cf7c 7149 ssl->options.haveSessionId = 1;
wolfSSL 15:117db924cf7c 7150
wolfSSL 15:117db924cf7c 7151 #ifndef NO_SESSION_CACHE
wolfSSL 15:117db924cf7c 7152 AddSession(ssl);
wolfSSL 15:117db924cf7c 7153 #endif
wolfSSL 15:117db924cf7c 7154
wolfSSL 15:117db924cf7c 7155 /* This message is always encrypted. */
wolfSSL 15:117db924cf7c 7156 sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
wolfSSL 15:117db924cf7c 7157 idx - RECORD_HEADER_SZ, handshake, 0, 0, 0);
wolfSSL 15:117db924cf7c 7158 if (sendSz < 0)
wolfSSL 15:117db924cf7c 7159 return sendSz;
wolfSSL 15:117db924cf7c 7160
wolfSSL 15:117db924cf7c 7161 ssl->buffers.outputBuffer.length += sendSz;
wolfSSL 15:117db924cf7c 7162
wolfSSL 15:117db924cf7c 7163 if (!ssl->options.groupMessages)
wolfSSL 15:117db924cf7c 7164 ret = SendBuffered(ssl);
wolfSSL 15:117db924cf7c 7165
wolfSSL 15:117db924cf7c 7166 WOLFSSL_LEAVE("SendTls13NewSessionTicket", 0);
wolfSSL 15:117db924cf7c 7167 WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_SEND);
wolfSSL 15:117db924cf7c 7168
wolfSSL 15:117db924cf7c 7169 return ret;
wolfSSL 15:117db924cf7c 7170 }
wolfSSL 15:117db924cf7c 7171 #endif /* HAVE_SESSION_TICKET */
wolfSSL 15:117db924cf7c 7172 #endif /* NO_WOLFSSL_SERVER */
wolfSSL 15:117db924cf7c 7173
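/* Check that a received TLS 1.3 handshake message is allowed at this point in
 * the handshake, and record that it has been seen.
 *
 * A message is rejected when it is sent to the wrong side, arrives in the
 * wrong client/server state, or repeats a message that may only be seen a
 * limited number of times. On success the matching ssl->msgsReceived flag or
 * counter is updated (KeyUpdate has no flag).
 *
 * The PSK tests read ssl->arrays->psk_keySz and treat a non-zero value as
 * "a PSK is in use for this handshake".
 * NOTE(review): that relies on psk_keySz being cleared when the server does
 * not select a PSK, and on ssl->arrays being allocated in these states -
 * neither is visible in this function; confirm where they are maintained.
 *
 * ssl   The SSL/TLS object.
 * type  Type of handshake message received.
 * returns 0 on success, OUT_OF_ORDER_E when the message is not expected from
 *         this peer or in this state, DUPLICATE_MSG_E when it has already
 *         been received, and SANITY_MSG_E for an unknown type or for a
 *         certificate-related message while a PSK is in use.
 */
static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type)
{
    /* verify not a duplicate, mark received, check state */
    switch (type) {

#ifndef NO_WOLFSSL_SERVER
        case client_hello:
        #ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
                WOLFSSL_MSG("ClientHello received by client");
                return OUT_OF_ORDER_E;
            }
        #endif
            if (ssl->options.clientState >= CLIENT_HELLO_COMPLETE) {
                WOLFSSL_MSG("ClientHello received out of order");
                return OUT_OF_ORDER_E;
            }
            /* Up to two ClientHello messages are accepted - presumably the
             * second one answers a HelloRetryRequest. */
            if (ssl->msgsReceived.got_client_hello == 2) {
                WOLFSSL_MSG("Too many ClientHello received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_client_hello++;

            break;
#endif

#ifndef NO_WOLFSSL_CLIENT
        case server_hello:
        #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("ServerHello received by server");
                return OUT_OF_ORDER_E;
            }
        #endif
        #ifdef WOLFSSL_TLS13_DRAFT_18
            /* Draft 18 has a separate hello_retry_request type, so only one
             * ServerHello is accepted. */
            if (ssl->msgsReceived.got_server_hello) {
                WOLFSSL_MSG("Duplicate ServerHello received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_server_hello = 1;
        #else
            /* Up to two ServerHello messages are accepted. */
            if (ssl->msgsReceived.got_server_hello == 2) {
                WOLFSSL_MSG("Duplicate ServerHello received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_server_hello++;
        #endif

            break;
#endif

#ifndef NO_WOLFSSL_CLIENT
        case session_ticket:
        #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("NewSessionTicket received by server");
                return OUT_OF_ORDER_E;
            }
        #endif
            if (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) {
                WOLFSSL_MSG("NewSessionTicket received out of order");
                return OUT_OF_ORDER_E;
            }
            /* No duplicate test: any number of tickets is accepted once the
             * client has finished. */
            ssl->msgsReceived.got_session_ticket = 1;

            break;
#endif

#ifndef NO_WOLFSSL_SERVER
    #ifdef WOLFSSL_EARLY_DATA
        case end_of_early_data:
        #ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
                WOLFSSL_MSG("EndOfEarlyData received by client");
                return OUT_OF_ORDER_E;
            }
        #endif
            /* Only valid between the server's Finished and the client's. */
            if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                WOLFSSL_MSG("EndOfEarlyData received out of order");
                return OUT_OF_ORDER_E;
            }
            if (ssl->options.clientState >= CLIENT_FINISHED_COMPLETE) {
                WOLFSSL_MSG("EndOfEarlyData received out of order");
                return OUT_OF_ORDER_E;
            }
            if (ssl->msgsReceived.got_end_of_early_data == 1) {
                WOLFSSL_MSG("Too many EndOfEarlyData received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_end_of_early_data++;

            break;
    #endif
#endif

#ifdef WOLFSSL_TLS13_DRAFT_18
    #ifndef NO_WOLFSSL_CLIENT
        case hello_retry_request:
        #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("HelloRetryRequest received by server");
                return OUT_OF_ORDER_E;
            }
        #endif
            if (ssl->options.clientState > CLIENT_FINISHED_COMPLETE) {
                WOLFSSL_MSG("HelloRetryRequest received out of order");
                return OUT_OF_ORDER_E;
            }
            if (ssl->msgsReceived.got_hello_retry_request) {
                WOLFSSL_MSG("Duplicate HelloRetryRequest received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_hello_retry_request = 1;

            break;
    #endif
#endif

#ifndef NO_WOLFSSL_CLIENT
        case encrypted_extensions:
        #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("EncryptedExtensions received by server");
                return OUT_OF_ORDER_E;
            }
        #endif
            if (ssl->options.serverState != SERVER_HELLO_COMPLETE) {
                WOLFSSL_MSG("EncryptedExtensions received out of order");
                return OUT_OF_ORDER_E;
            }
            if (ssl->msgsReceived.got_encrypted_extensions) {
                WOLFSSL_MSG("Duplicate EncryptedExtensions received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_encrypted_extensions = 1;

            break;
#endif

        case certificate:
    #ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END &&
                ssl->options.serverState !=
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
                WOLFSSL_MSG("Certificate received out of order - Client");
                return OUT_OF_ORDER_E;
            }
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            /* Server's authenticating with PSK must not send this.
             * The state test above already pins a client to
             * SERVER_ENCRYPTED_EXTENSIONS_COMPLETE, so only the PSK size is
             * tested here; also requiring SERVER_CERT_COMPLETE would make
             * this check unreachable. */
            if (ssl->options.side == WOLFSSL_CLIENT_END &&
                ssl->arrays->psk_keySz != 0) {
                WOLFSSL_MSG("Certificate received while using PSK");
                return SANITY_MSG_E;
            }
        #endif
    #endif
    #ifndef NO_WOLFSSL_SERVER
            /* A client certificate is only expected after the server has
             * sent its Finished. */
            if (ssl->options.side == WOLFSSL_SERVER_END &&
                ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                WOLFSSL_MSG("Certificate received out of order - Server");
                return OUT_OF_ORDER_E;
            }
    #endif
            if (ssl->msgsReceived.got_certificate) {
                WOLFSSL_MSG("Duplicate Certificate received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_certificate = 1;

            break;

#ifndef NO_WOLFSSL_CLIENT
        case certificate_request:
        #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                WOLFSSL_MSG("CertificateRequest received by server");
                return OUT_OF_ORDER_E;
            }
        #endif
        #ifndef WOLFSSL_POST_HANDSHAKE_AUTH
            if (ssl->options.serverState !=
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
                WOLFSSL_MSG("CertificateRequest received out of order");
                return OUT_OF_ORDER_E;
            }
        #else
            /* With post-handshake authentication the request is also valid
             * once both sides have completed their Finished. */
            if (ssl->options.serverState !=
                                        SERVER_ENCRYPTED_EXTENSIONS_COMPLETE &&
                       (ssl->options.serverState != SERVER_FINISHED_COMPLETE ||
                        ssl->options.clientState != CLIENT_FINISHED_COMPLETE)) {
                WOLFSSL_MSG("CertificateRequest received out of order");
                return OUT_OF_ORDER_E;
            }
        #endif
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            /* Server's authenticating with PSK must not send this. */
            if (ssl->options.serverState ==
                                        SERVER_ENCRYPTED_EXTENSIONS_COMPLETE &&
                ssl->arrays->psk_keySz != 0) {
                WOLFSSL_MSG("CertificateRequest received while using PSK");
                return SANITY_MSG_E;
            }
        #endif
        #ifndef WOLFSSL_POST_HANDSHAKE_AUTH
            /* Repeated requests are only permitted when post-handshake
             * authentication is compiled in. */
            if (ssl->msgsReceived.got_certificate_request) {
                WOLFSSL_MSG("Duplicate CertificateRequest received");
                return DUPLICATE_MSG_E;
            }
        #endif
            ssl->msgsReceived.got_certificate_request = 1;

            break;
#endif

        case certificate_verify:
    #ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
                if (ssl->options.serverState != SERVER_CERT_COMPLETE) {
                    WOLFSSL_MSG("No Cert before CertVerify");
                    return OUT_OF_ORDER_E;
                }
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                /* Server's authenticating with PSK must not send this. */
                if (ssl->options.serverState == SERVER_CERT_COMPLETE &&
                    ssl->arrays->psk_keySz != 0) {
                    WOLFSSL_MSG("CertificateVerify received while using PSK");
                    return SANITY_MSG_E;
                }
            #endif
            }
    #endif
    #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                    WOLFSSL_MSG("CertificateVerify received out of order");
                    return OUT_OF_ORDER_E;
                }
                if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                    WOLFSSL_MSG("CertificateVerify before ClientHello done");
                    return OUT_OF_ORDER_E;
                }
                if (!ssl->msgsReceived.got_certificate) {
                    WOLFSSL_MSG("No Cert before CertificateVerify");
                    return OUT_OF_ORDER_E;
                }
            }
    #endif
            if (ssl->msgsReceived.got_certificate_verify) {
                WOLFSSL_MSG("Duplicate CertificateVerify received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_certificate_verify = 1;

            break;

        case finished:
    #ifndef NO_WOLFSSL_CLIENT
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
                if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                    WOLFSSL_MSG("Finished received out of order");
                    return OUT_OF_ORDER_E;
                }
                if (ssl->options.serverState <
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
                    WOLFSSL_MSG("Finished received out of order");
                    return OUT_OF_ORDER_E;
                }
                /* Without a PSK the server is authenticated only by its
                 * Certificate and CertificateVerify, so both must have been
                 * accepted before Finished. The state test above on its own
                 * would let a Finished that directly follows
                 * EncryptedExtensions complete the handshake with no server
                 * authentication at all. */
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                if (ssl->arrays->psk_keySz == 0)
            #endif
                {
                    if (!ssl->msgsReceived.got_certificate ||
                        !ssl->msgsReceived.got_certificate_verify) {
                        WOLFSSL_MSG("Finished received out of order");
                        return OUT_OF_ORDER_E;
                    }
                }
            }
    #endif
    #ifndef NO_WOLFSSL_SERVER
            if (ssl->options.side == WOLFSSL_SERVER_END) {
                if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                    WOLFSSL_MSG("Finished received out of order");
                    return OUT_OF_ORDER_E;
                }
                if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                    WOLFSSL_MSG("Finished received out of order");
                    return OUT_OF_ORDER_E;
                }
            #ifdef WOLFSSL_EARLY_DATA
                /* Finished is refused while early data is still being
                 * processed (EndOfEarlyData has its own case above). */
                if (ssl->earlyData == process_early_data) {
                    return OUT_OF_ORDER_E;
                }
            #endif
            }
    #endif
            if (ssl->msgsReceived.got_finished) {
                WOLFSSL_MSG("Duplicate Finished received");
                return DUPLICATE_MSG_E;
            }
            ssl->msgsReceived.got_finished = 1;

            break;

        case key_update:
            /* Only valid after the peer's Finished; repeats are allowed, so
             * nothing is recorded. */
            if (!ssl->msgsReceived.got_finished) {
                WOLFSSL_MSG("No KeyUpdate before Finished");
                return OUT_OF_ORDER_E;
            }
            break;

        default:
            WOLFSSL_MSG("Unknown message type");
            return SANITY_MSG_E;
    }

    return 0;
}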
wolfSSL 15:117db924cf7c 7489
wolfSSL 15:117db924cf7c 7490 /* Handle a type of handshake message that has been received.
wolfSSL 15:117db924cf7c 7491 *
wolfSSL 15:117db924cf7c 7492 * ssl The SSL/TLS object.
wolfSSL 15:117db924cf7c 7493 * input The message buffer.
wolfSSL 15:117db924cf7c 7494 * inOutIdx On entry, the index into the buffer of the current message.
wolfSSL 15:117db924cf7c 7495 * On exit, the index into the buffer of the next message.
wolfSSL 15:117db924cf7c 7496 * size The length of the current handshake message.
wolfSSL 15:117db924cf7c 7497 * totalSz Length of remaining data in the message buffer.
wolfSSL 15:117db924cf7c 7498 * returns 0 on success and otherwise failure.
wolfSSL 15:117db924cf7c 7499 */
wolfSSL 15:117db924cf7c 7500 int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
wolfSSL 15:117db924cf7c 7501 byte type, word32 size, word32 totalSz)
wolfSSL 15:117db924cf7c 7502 {
wolfSSL 15:117db924cf7c 7503 int ret = 0;
wolfSSL 15:117db924cf7c 7504 word32 inIdx = *inOutIdx;
wolfSSL 15:117db924cf7c 7505
wolfSSL 15:117db924cf7c 7506 (void)totalSz;
wolfSSL 15:117db924cf7c 7507
wolfSSL 15:117db924cf7c 7508 WOLFSSL_ENTER("DoTls13HandShakeMsgType");
wolfSSL 15:117db924cf7c 7509
wolfSSL 16:8e0d178b1d1e 7510 /* make sure we can read the message */
wolfSSL 15:117db924cf7c 7511 if (*inOutIdx + size > totalSz)
wolfSSL 15:117db924cf7c 7512 return INCOMPLETE_DATA;
wolfSSL 15:117db924cf7c 7513
wolfSSL 15:117db924cf7c 7514 /* sanity check msg received */
wolfSSL 15:117db924cf7c 7515 if ((ret = SanityCheckTls13MsgReceived(ssl, type)) != 0) {
wolfSSL 15:117db924cf7c 7516 WOLFSSL_MSG("Sanity Check on handshake message type received failed");
wolfSSL 15:117db924cf7c 7517 SendAlert(ssl, alert_fatal, unexpected_message);
wolfSSL 15:117db924cf7c 7518 return ret;
wolfSSL 15:117db924cf7c 7519 }
wolfSSL 15:117db924cf7c 7520
wolfSSL 15:117db924cf7c 7521 #ifdef WOLFSSL_CALLBACKS
wolfSSL 15:117db924cf7c 7522 /* add name later, add on record and handshake header part back on */
wolfSSL 15:117db924cf7c 7523 if (ssl->toInfoOn) {
wolfSSL 15:117db924cf7c 7524 int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
wolfSSL 15:117db924cf7c 7525 AddPacketInfo(ssl, 0, handshake, input + *inOutIdx - add,
wolfSSL 15:117db924cf7c 7526 size + add, READ_PROTO, ssl->heap);
wolfSSL 15:117db924cf7c 7527 AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
wolfSSL 15:117db924cf7c 7528 }
wolfSSL 15:117db924cf7c 7529 #endif
wolfSSL 15:117db924cf7c 7530
wolfSSL 15:117db924cf7c 7531 if (ssl->options.handShakeState == HANDSHAKE_DONE &&
wolfSSL 15:117db924cf7c 7532 type != session_ticket && type != certificate_request &&
wolfSSL 15:117db924cf7c 7533 type != certificate && type != key_update) {
wolfSSL 15:117db924cf7c 7534 WOLFSSL_MSG("HandShake message after handshake complete");
wolfSSL 15:117db924cf7c 7535 SendAlert(ssl, alert_fatal, unexpected_message);
wolfSSL 15:117db924cf7c 7536 return OUT_OF_ORDER_E;
wolfSSL 15:117db924cf7c 7537 }
wolfSSL 15:117db924cf7c 7538
wolfSSL 15:117db924cf7c 7539 if (ssl->options.side == WOLFSSL_CLIENT_END &&
wolfSSL 15:117db924cf7c 7540 ssl->options.serverState == NULL_STATE &&
wolfSSL 15:117db924cf7c 7541 type != server_hello && type != hello_retry_request) {
wolfSSL 15:117db924cf7c 7542 WOLFSSL_MSG("First server message not server hello");
wolfSSL 15:117db924cf7c 7543 SendAlert(ssl, alert_fatal, unexpected_message);
wolfSSL 15:117db924cf7c 7544 return OUT_OF_ORDER_E;
wolfSSL 15:117db924cf7c 7545 }
wolfSSL 15:117db924cf7c 7546
wolfSSL 15:117db924cf7c 7547 if (ssl->options.side == WOLFSSL_SERVER_END &&
wolfSSL 15:117db924cf7c 7548 ssl->options.clientState == NULL_STATE && type != client_hello) {
wolfSSL 15:117db924cf7c 7549 WOLFSSL_MSG("First client message not client hello");
wolfSSL 15:117db924cf7c 7550 SendAlert(ssl, alert_fatal, unexpected_message);
wolfSSL 15:117db924cf7c 7551 return OUT_OF_ORDER_E;
wolfSSL 15:117db924cf7c 7552 }
wolfSSL 15:117db924cf7c 7553
wolfSSL 15:117db924cf7c 7554 /* above checks handshake state */
wolfSSL 15:117db924cf7c 7555 switch (type) {
wolfSSL 15:117db924cf7c 7556 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 16:8e0d178b1d1e 7557 /* Messages only received by client. */
wolfSSL 15:117db924cf7c 7558 #ifdef WOLFSSL_TLS13_DRAFT_18
wolfSSL 15:117db924cf7c 7559 case hello_retry_request:
wolfSSL 16:8e0d178b1d1e 7560 WOLFSSL_MSG("processing hello retry request");
wolfSSL 15:117db924cf7c 7561 ret = DoTls13HelloRetryRequest(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7562 break;
wolfSSL 15:117db924cf7c 7563 #endif
wolfSSL 15:117db924cf7c 7564
wolfSSL 15:117db924cf7c 7565 case server_hello:
wolfSSL 15:117db924cf7c 7566 WOLFSSL_MSG("processing server hello");
wolfSSL 15:117db924cf7c 7567 ret = DoTls13ServerHello(ssl, input, inOutIdx, size, &type);
wolfSSL 16:8e0d178b1d1e 7568 #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
wolfSSL 16:8e0d178b1d1e 7569 ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
wolfSSL 16:8e0d178b1d1e 7570 (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
wolfSSL 16:8e0d178b1d1e 7571 if (ssl->options.resuming || !IsAtLeastTLSv1_2(ssl) ||
wolfSSL 16:8e0d178b1d1e 7572 IsAtLeastTLSv1_3(ssl->version)) {
wolfSSL 16:8e0d178b1d1e 7573 ssl->options.cacheMessages = 0;
wolfSSL 16:8e0d178b1d1e 7574 if (ssl->hsHashes->messages != NULL) {
wolfSSL 16:8e0d178b1d1e 7575 XFREE(ssl->hsHashes->messages, ssl->heap, DYNAMIC_TYPE_HASHES);
wolfSSL 16:8e0d178b1d1e 7576 ssl->hsHashes->messages = NULL;
wolfSSL 16:8e0d178b1d1e 7577 }
wolfSSL 16:8e0d178b1d1e 7578 }
wolfSSL 16:8e0d178b1d1e 7579 #endif
wolfSSL 15:117db924cf7c 7580 break;
wolfSSL 15:117db924cf7c 7581
wolfSSL 15:117db924cf7c 7582 case encrypted_extensions:
wolfSSL 15:117db924cf7c 7583 WOLFSSL_MSG("processing encrypted extensions");
wolfSSL 15:117db924cf7c 7584 ret = DoTls13EncryptedExtensions(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7585 break;
wolfSSL 15:117db924cf7c 7586
wolfSSL 15:117db924cf7c 7587 #ifndef NO_CERTS
wolfSSL 15:117db924cf7c 7588 case certificate_request:
wolfSSL 15:117db924cf7c 7589 WOLFSSL_MSG("processing certificate request");
wolfSSL 15:117db924cf7c 7590 ret = DoTls13CertificateRequest(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7591 break;
wolfSSL 15:117db924cf7c 7592 #endif
wolfSSL 15:117db924cf7c 7593
wolfSSL 15:117db924cf7c 7594 case session_ticket:
wolfSSL 15:117db924cf7c 7595 WOLFSSL_MSG("processing new session ticket");
wolfSSL 15:117db924cf7c 7596 ret = DoTls13NewSessionTicket(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7597 break;
wolfSSL 15:117db924cf7c 7598 #endif /* !NO_WOLFSSL_CLIENT */
wolfSSL 15:117db924cf7c 7599
wolfSSL 15:117db924cf7c 7600 #ifndef NO_WOLFSSL_SERVER
wolfSSL 16:8e0d178b1d1e 7601 /* Messages only received by server. */
wolfSSL 15:117db924cf7c 7602 case client_hello:
wolfSSL 15:117db924cf7c 7603 WOLFSSL_MSG("processing client hello");
wolfSSL 15:117db924cf7c 7604 ret = DoTls13ClientHello(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7605 break;
wolfSSL 15:117db924cf7c 7606
wolfSSL 15:117db924cf7c 7607 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 7608 case end_of_early_data:
wolfSSL 15:117db924cf7c 7609 WOLFSSL_MSG("processing end of early data");
wolfSSL 15:117db924cf7c 7610 ret = DoTls13EndOfEarlyData(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7611 break;
wolfSSL 15:117db924cf7c 7612 #endif
wolfSSL 15:117db924cf7c 7613 #endif /* !NO_WOLFSSL_SERVER */
wolfSSL 15:117db924cf7c 7614
wolfSSL 16:8e0d178b1d1e 7615 /* Messages received by both client and server. */
wolfSSL 15:117db924cf7c 7616 #ifndef NO_CERTS
wolfSSL 15:117db924cf7c 7617 case certificate:
wolfSSL 15:117db924cf7c 7618 WOLFSSL_MSG("processing certificate");
wolfSSL 15:117db924cf7c 7619 ret = DoTls13Certificate(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7620 break;
wolfSSL 15:117db924cf7c 7621 #endif
wolfSSL 15:117db924cf7c 7622
wolfSSL 16:8e0d178b1d1e 7623 #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
wolfSSL 16:8e0d178b1d1e 7624 defined(HAVE_ED448)
wolfSSL 15:117db924cf7c 7625 case certificate_verify:
wolfSSL 15:117db924cf7c 7626 WOLFSSL_MSG("processing certificate verify");
wolfSSL 15:117db924cf7c 7627 ret = DoTls13CertificateVerify(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7628 break;
wolfSSL 15:117db924cf7c 7629 #endif /* !NO_RSA || HAVE_ECC */
wolfSSL 15:117db924cf7c 7630
wolfSSL 15:117db924cf7c 7631 case finished:
wolfSSL 15:117db924cf7c 7632 WOLFSSL_MSG("processing finished");
wolfSSL 15:117db924cf7c 7633 ret = DoTls13Finished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF);
wolfSSL 15:117db924cf7c 7634 break;
wolfSSL 15:117db924cf7c 7635
wolfSSL 15:117db924cf7c 7636 case key_update:
wolfSSL 15:117db924cf7c 7637 WOLFSSL_MSG("processing finished");
wolfSSL 15:117db924cf7c 7638 ret = DoTls13KeyUpdate(ssl, input, inOutIdx, size);
wolfSSL 15:117db924cf7c 7639 break;
wolfSSL 15:117db924cf7c 7640
wolfSSL 15:117db924cf7c 7641 default:
wolfSSL 15:117db924cf7c 7642 WOLFSSL_MSG("Unknown handshake message type");
wolfSSL 15:117db924cf7c 7643 ret = UNKNOWN_HANDSHAKE_TYPE;
wolfSSL 15:117db924cf7c 7644 break;
wolfSSL 15:117db924cf7c 7645 }
wolfSSL 15:117db924cf7c 7646
wolfSSL 15:117db924cf7c 7647 /* reset error */
wolfSSL 15:117db924cf7c 7648 if (ret == 0 && ssl->error == WC_PENDING_E)
wolfSSL 15:117db924cf7c 7649 ssl->error = 0;
wolfSSL 15:117db924cf7c 7650
wolfSSL 15:117db924cf7c 7651 if (ret == 0 && type != client_hello && type != session_ticket &&
wolfSSL 15:117db924cf7c 7652 type != key_update) {
wolfSSL 15:117db924cf7c 7653 ret = HashInput(ssl, input + inIdx, size);
wolfSSL 15:117db924cf7c 7654 }
wolfSSL 16:8e0d178b1d1e 7655 if (ret == 0 && ssl->buffers.inputBuffer.dynamicFlag) {
wolfSSL 16:8e0d178b1d1e 7656 ShrinkInputBuffer(ssl, NO_FORCED_FREE);
wolfSSL 16:8e0d178b1d1e 7657 }
wolfSSL 15:117db924cf7c 7658
wolfSSL 15:117db924cf7c 7659 if (ret == BUFFER_ERROR || ret == MISSING_HANDSHAKE_DATA)
wolfSSL 15:117db924cf7c 7660 SendAlert(ssl, alert_fatal, decode_error);
wolfSSL 15:117db924cf7c 7661 else if (ret == EXT_NOT_ALLOWED || ret == PEER_KEY_ERROR ||
wolfSSL 15:117db924cf7c 7662 ret == ECC_PEERKEY_ERROR || ret == BAD_KEY_SHARE_DATA ||
wolfSSL 15:117db924cf7c 7663 ret == PSK_KEY_ERROR || ret == INVALID_PARAMETER) {
wolfSSL 15:117db924cf7c 7664 SendAlert(ssl, alert_fatal, illegal_parameter);
wolfSSL 15:117db924cf7c 7665 }
wolfSSL 15:117db924cf7c 7666
wolfSSL 16:8e0d178b1d1e 7667 if (ret == 0 && ssl->options.tls1_3) {
wolfSSL 15:117db924cf7c 7668 /* Need to hash input message before deriving secrets. */
wolfSSL 15:117db924cf7c 7669 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 15:117db924cf7c 7670 if (ssl->options.side == WOLFSSL_CLIENT_END) {
wolfSSL 15:117db924cf7c 7671 if (type == server_hello) {
wolfSSL 15:117db924cf7c 7672 if ((ret = DeriveEarlySecret(ssl)) != 0)
wolfSSL 15:117db924cf7c 7673 return ret;
wolfSSL 15:117db924cf7c 7674 if ((ret = DeriveHandshakeSecret(ssl)) != 0)
wolfSSL 15:117db924cf7c 7675 return ret;
wolfSSL 15:117db924cf7c 7676
wolfSSL 15:117db924cf7c 7677 if ((ret = DeriveTls13Keys(ssl, handshake_key,
wolfSSL 15:117db924cf7c 7678 ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
wolfSSL 15:117db924cf7c 7679 return ret;
wolfSSL 15:117db924cf7c 7680 }
wolfSSL 15:117db924cf7c 7681 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 7682 if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
wolfSSL 15:117db924cf7c 7683 return ret;
wolfSSL 15:117db924cf7c 7684 #else
wolfSSL 15:117db924cf7c 7685 if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
wolfSSL 15:117db924cf7c 7686 return ret;
wolfSSL 15:117db924cf7c 7687 #endif
wolfSSL 15:117db924cf7c 7688 }
wolfSSL 15:117db924cf7c 7689
wolfSSL 15:117db924cf7c 7690 if (type == finished) {
wolfSSL 15:117db924cf7c 7691 if ((ret = DeriveMasterSecret(ssl)) != 0)
wolfSSL 15:117db924cf7c 7692 return ret;
wolfSSL 15:117db924cf7c 7693 #ifdef WOLFSSL_EARLY_DATA
wolfSSL 15:117db924cf7c 7694 if ((ret = DeriveTls13Keys(ssl, traffic_key,
wolfSSL 15:117db924cf7c 7695 ENCRYPT_AND_DECRYPT_SIDE,
wolfSSL 15:117db924cf7c 7696 ssl->earlyData == no_early_data)) != 0) {
wolfSSL 15:117db924cf7c 7697 return ret;
wolfSSL 15:117db924cf7c 7698 }
wolfSSL 15:117db924cf7c 7699 #else
wolfSSL 15:117db924cf7c 7700 if ((ret = DeriveTls13Keys(ssl, traffic_key,
wolfSSL 15:117db924cf7c 7701 ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
wolfSSL 15:117db924cf7c 7702 return ret;
wolfSSL 15:117db924cf7c 7703 }
wolfSSL 15:117db924cf7c 7704 #endif
wolfSSL 15:117db924cf7c 7705 }
wolfSSL 15:117db924cf7c 7706 #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
wolfSSL 15:117db924cf7c 7707 if (type == certificate_request &&
wolfSSL 15:117db924cf7c 7708 ssl->options.handShakeState == HANDSHAKE_DONE) {
wolfSSL 15:117db924cf7c 7709 /* reset handshake states */
wolfSSL 15:117db924cf7c 7710 ssl->options.clientState = CLIENT_HELLO_COMPLETE;
wolfSSL 15:117db924cf7c 7711 ssl->options.connectState = FIRST_REPLY_DONE;
wolfSSL 15:117db924cf7c 7712 ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
wolfSSL 15:117db924cf7c 7713
wolfSSL 15:117db924cf7c 7714 if (wolfSSL_connect_TLSv13(ssl) != SSL_SUCCESS)
wolfSSL 15:117db924cf7c 7715 ret = POST_HAND_AUTH_ERROR;
wolfSSL 15:117db924cf7c 7716 }
wolfSSL 15:117db924cf7c 7717 #endif
wolfSSL 15:117db924cf7c 7718 }
wolfSSL 15:117db924cf7c 7719 #endif /* NO_WOLFSSL_CLIENT */
wolfSSL 15:117db924cf7c 7720
wolfSSL 15:117db924cf7c 7721 #ifndef NO_WOLFSSL_SERVER
wolfSSL 15:117db924cf7c 7722 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
wolfSSL 15:117db924cf7c 7723 if (ssl->options.side == WOLFSSL_SERVER_END && type == finished) {
wolfSSL 15:117db924cf7c 7724 ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret);
wolfSSL 15:117db924cf7c 7725 if (ret != 0)
wolfSSL 15:117db924cf7c 7726 return ret;
wolfSSL 15:117db924cf7c 7727 }
wolfSSL 15:117db924cf7c 7728 #endif
wolfSSL 15:117db924cf7c 7729 #endif /* NO_WOLFSSL_SERVER */
wolfSSL 15:117db924cf7c 7730 }
wolfSSL 15:117db924cf7c 7731
wolfSSL 15:117db924cf7c 7732 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 15:117db924cf7c 7733 /* if async, offset index so this msg will be processed again */
wolfSSL 15:117db924cf7c 7734 if (ret == WC_PENDING_E && *inOutIdx > 0) {
wolfSSL 15:117db924cf7c 7735 *inOutIdx -= HANDSHAKE_HEADER_SZ;
wolfSSL 15:117db924cf7c 7736 }
wolfSSL 15:117db924cf7c 7737 #endif
wolfSSL 15:117db924cf7c 7738
wolfSSL 15:117db924cf7c 7739 WOLFSSL_LEAVE("DoTls13HandShakeMsgType()", ret);
wolfSSL 15:117db924cf7c 7740 return ret;
wolfSSL 15:117db924cf7c 7741 }
wolfSSL 15:117db924cf7c 7742
wolfSSL 15:117db924cf7c 7743
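/* Handle a handshake message that has been received.
 *
 * A message that does not fit in the current record is reassembled in
 * ssl->arrays->pendingMsg across calls and dispatched once it is complete.
 * When ssl->arrays is NULL no reassembly is possible and the message is
 * dispatched straight from the input buffer.
 *
 * ssl       The SSL/TLS object.
 * input     The message buffer.
 * inOutIdx  On entry, the index into the buffer of the current message.
 *           On exit, the index into the buffer of the next message.
 * totalSz   Length of remaining data in the message buffer.
 * returns 0 on success (including when a fragment was only buffered),
 *         PARSE_ERROR when the handshake header cannot be read,
 *         HANDSHAKE_SIZE_ERROR when the declared size exceeds
 *         MAX_HANDSHAKE_SZ, MEMORY_E when the reassembly buffer cannot be
 *         allocated, and otherwise the result of DoTls13HandShakeMsgType().
 */
int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                        word32 totalSz)
{
    int    ret = 0;
    word32 inputLength;

    WOLFSSL_ENTER("DoTls13HandShakeMsg()");

    if (ssl->arrays == NULL) {
        byte   type;
        word32 size;

        if (GetHandshakeHeader(ssl, input, inOutIdx, &type, &size,
                               totalSz) != 0) {
            SendAlert(ssl, alert_fatal, unexpected_message);
            return PARSE_ERROR;
        }

        return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
                                       totalSz);
    }

    /* NOTE(review): unsigned arithmetic. This assumes the caller guarantees
     * *inOutIdx + padSz <= inputBuffer.length; otherwise the result wraps.
     * Confirm against the record layer. */
    inputLength = ssl->buffers.inputBuffer.length - *inOutIdx - ssl->keys.padSz;

    /* If there is a pending fragmented handshake message,
     * pending message size will be non-zero. */
    if (ssl->arrays->pendingMsgSz == 0) {
        byte   type;
        word32 size;

        /* NOTE(review): unlike the ssl->arrays == NULL path above, no alert
         * is sent here when the header cannot be parsed. */
        if (GetHandshakeHeader(ssl, input, inOutIdx, &type, &size,
                               totalSz) != 0) {
            return PARSE_ERROR;
        }

        /* Cap the maximum size of a handshake message to something reasonable.
         * By default is the maximum size of a certificate message assuming
         * nine 2048-bit RSA certificates in the chain.
         * The size was parsed from the received header, so this check also
         * bounds the allocation made below. */
        if (size > MAX_HANDSHAKE_SZ) {
            WOLFSSL_MSG("Handshake message too large");
            return HANDSHAKE_SIZE_ERROR;
        }

        /* size is the size of the handshake message payload.
         * NOTE(review): inputLength - HANDSHAKE_HEADER_SZ wraps when fewer
         * than HANDSHAKE_HEADER_SZ bytes are available; presumably the record
         * layer rules that out - confirm. */
        if (inputLength - HANDSHAKE_HEADER_SZ < size) {
            /* Allocate before touching the pending-message state, so that an
             * allocation failure cannot leave pendingMsgSz non-zero with no
             * buffer behind it (a later call would then take the reassembly
             * branch and copy through a NULL pointer). */
            byte* fragment = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ,
                                            ssl->heap,
                                            DYNAMIC_TYPE_ARRAYS);
            if (fragment == NULL)
                return MEMORY_E;

            ssl->arrays->pendingMsg     = fragment;
            ssl->arrays->pendingMsgType = type;
            ssl->arrays->pendingMsgSz   = size + HANDSHAKE_HEADER_SZ;

            /* Keep the header with the first fragment: copy from the start of
             * the header, which GetHandshakeHeader() has already stepped
             * over. */
            XMEMCPY(ssl->arrays->pendingMsg,
                    input + *inOutIdx - HANDSHAKE_HEADER_SZ,
                    inputLength);
            ssl->arrays->pendingMsgOffset = inputLength;
            *inOutIdx += inputLength + ssl->keys.padSz - HANDSHAKE_HEADER_SZ;
            return 0;
        }

        ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
                                      totalSz);
    }
    else {
        /* Never copy past the end of the reassembly buffer: take only the
         * bytes still missing from the pending message. */
        if (inputLength + ssl->arrays->pendingMsgOffset >
                                                  ssl->arrays->pendingMsgSz) {
            inputLength = ssl->arrays->pendingMsgSz -
                          ssl->arrays->pendingMsgOffset;
        }
        XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset,
                input + *inOutIdx, inputLength);
        ssl->arrays->pendingMsgOffset += inputLength;
        *inOutIdx += inputLength + ssl->keys.padSz;

        if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz)
        {
            /* The message is complete: dispatch it from the reassembly
             * buffer, skipping the stored header. */
            word32 idx = 0;
            ret = DoTls13HandShakeMsgType(ssl,
                                 ssl->arrays->pendingMsg + HANDSHAKE_HEADER_SZ,
                                 &idx, ssl->arrays->pendingMsgType,
                                 ssl->arrays->pendingMsgSz - HANDSHAKE_HEADER_SZ,
                                 ssl->arrays->pendingMsgSz);
        #ifdef WOLFSSL_ASYNC_CRYPT
            if (ret == WC_PENDING_E) {
                /* setup to process fragment again */
                ssl->arrays->pendingMsgOffset -= inputLength;
                *inOutIdx -= inputLength + ssl->keys.padSz;
            }
            else
        #endif
            {
                /* Release the buffer and clear the size so the next message
                 * starts from the "nothing pending" state. */
                XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
                ssl->arrays->pendingMsg = NULL;
                ssl->arrays->pendingMsgSz = 0;
            }
        }
    }

    WOLFSSL_LEAVE("DoTls13HandShakeMsg()", ret);
    return ret;
}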
wolfSSL 15:117db924cf7c 7852
wolfSSL 15:117db924cf7c 7853 #ifndef NO_WOLFSSL_CLIENT
wolfSSL 15:117db924cf7c 7854
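/* The client connecting to the server.
 * The protocol version is expecting to be TLS v1.3.
 * If the server downgrades, and older versions of the protocol are compiled
 * in, the client will fallback to wolfSSL_connect().
 * Please see note at top of README if you get an error from connect.
 *
 * The handshake is a resumable state machine keyed on
 * ssl->options.connectState: each case records the next state and falls
 * through, so a later call picks up where the previous one stopped.
 *
 * The fallback to wolfSSL_connect() is taken only when ssl->options.downgrade
 * is set and WOLFSSL_NO_TLS12 is not defined. Deployments that must not
 * negotiate below TLS v1.3 should make sure that option is off.
 *
 * ssl  The SSL/TLS object.
 * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when
 *         unrecoverable error occurs (including a NULL ssl) and 0 otherwise.
 *         For more error information use wolfSSL_get_error().
 *         NOTE(review): the version-mismatch path returns VERSION_ERROR
 *         directly and does not store it in ssl->error.
 */
int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
{
    WOLFSSL_ENTER("wolfSSL_connect_TLSv13()");

#ifdef HAVE_ERRNO_H
    errno = 0;
#endif

    /* Reject a NULL object before any field is read, as the other public
     * entry points in this file do. */
    if (ssl == NULL)
        return WOLFSSL_FATAL_ERROR;

    if (ssl->options.side != WOLFSSL_CLIENT_END) {
        WOLFSSL_ERROR(ssl->error = SIDE_ERROR);
        return WOLFSSL_FATAL_ERROR;
    }

    if (ssl->buffers.outputBuffer.length > 0
    #ifdef WOLFSSL_ASYNC_CRYPT
        /* do not send buffered or advance state if last error was an
            async pending operation */
        && ssl->error != WC_PENDING_E
    #endif
    ) {
        if ((ssl->error = SendBuffered(ssl)) == 0) {
            /* fragOffset is non-zero when sending fragments. On the last
             * fragment, fragOffset is zero again, and the state can be
             * advanced. */
            if (ssl->fragOffset == 0) {
                ssl->options.connectState++;
                WOLFSSL_MSG("connect state: "
                            "Advanced from last buffered fragment send");
            }
            else {
                WOLFSSL_MSG("connect state: "
                            "Not advanced, more fragments to send");
            }
        }
        else {
            WOLFSSL_ERROR(ssl->error);
            return WOLFSSL_FATAL_ERROR;
        }
    }

    switch (ssl->options.connectState) {

        case CONNECT_BEGIN:
            /* Always send client hello first. */
            if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }

            ssl->options.connectState = CLIENT_HELLO_SENT;
            WOLFSSL_MSG("connect state: CLIENT_HELLO_SENT");
    #ifdef WOLFSSL_EARLY_DATA
            /* With early data the call returns after the ClientHello; the
             * rest of the handshake runs on a later call. */
            if (ssl->earlyData != no_early_data) {
        #if !defined(WOLFSSL_TLS13_DRAFT_18) && \
                                     defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
                if ((ssl->error = SendChangeCipher(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                ssl->options.sentChangeCipher = 1;
        #endif
                ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
                return WOLFSSL_SUCCESS;
            }
    #endif
            FALL_THROUGH;

        case CLIENT_HELLO_SENT:
            /* Get the response/s from the server. */
            while (ssl->options.serverState <
                                         SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
                if ((ssl->error = ProcessReply(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }

            ssl->options.connectState = HELLO_AGAIN;
            WOLFSSL_MSG("connect state: HELLO_AGAIN");
            FALL_THROUGH;

        case HELLO_AGAIN:
            if (ssl->options.certOnly)
                return WOLFSSL_SUCCESS;

            /* The server did not select TLS v1.3: either continue with the
             * pre-1.3 handshake (only when downgrade is permitted) or fail. */
            if (!ssl->options.tls1_3) {
    #ifndef WOLFSSL_NO_TLS12
                if (ssl->options.downgrade)
                    return wolfSSL_connect(ssl);
    #endif

                WOLFSSL_MSG("Client using higher version, fatal error");
                return VERSION_ERROR;
            }

            if (ssl->options.serverState ==
                                         SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
    #if !defined(WOLFSSL_TLS13_DRAFT_18) && \
                                     defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
                if (!ssl->options.sentChangeCipher) {
                    if ((ssl->error = SendChangeCipher(ssl)) != 0) {
                        WOLFSSL_ERROR(ssl->error);
                        return WOLFSSL_FATAL_ERROR;
                    }
                    ssl->options.sentChangeCipher = 1;
                }
    #endif
                /* Try again with different security parameters. */
                if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }

            ssl->options.connectState = HELLO_AGAIN_REPLY;
            WOLFSSL_MSG("connect state: HELLO_AGAIN_REPLY");
            FALL_THROUGH;

        case HELLO_AGAIN_REPLY:
            /* Get the response/s from the server. */
            while (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
                if ((ssl->error = ProcessReply(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }

            ssl->options.connectState = FIRST_REPLY_DONE;
            WOLFSSL_MSG("connect state: FIRST_REPLY_DONE");
            FALL_THROUGH;

        case FIRST_REPLY_DONE:
    #ifdef WOLFSSL_EARLY_DATA
            if (ssl->earlyData != no_early_data) {
                if ((ssl->error = SendTls13EndOfEarlyData(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                WOLFSSL_MSG("sent: end_of_early_data");
            }
    #endif

            ssl->options.connectState = FIRST_REPLY_FIRST;
            WOLFSSL_MSG("connect state: FIRST_REPLY_FIRST");
            FALL_THROUGH;

        case FIRST_REPLY_FIRST:
    #if !defined(WOLFSSL_TLS13_DRAFT_18) && \
                                     defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
            if (!ssl->options.sentChangeCipher) {
                if ((ssl->error = SendChangeCipher(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                ssl->options.sentChangeCipher = 1;
            }
    #endif

            ssl->options.connectState = FIRST_REPLY_SECOND;
            WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND");
            FALL_THROUGH;

        case FIRST_REPLY_SECOND:
    #ifndef NO_CERTS
            /* Client certificate is sent only on a full (non-resumed)
             * handshake and only when sendVerify is set. */
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                ssl->error = SendTls13Certificate(ssl);
                if (ssl->error != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                WOLFSSL_MSG("sent: certificate");
            }
    #endif

            ssl->options.connectState = FIRST_REPLY_THIRD;
            WOLFSSL_MSG("connect state: FIRST_REPLY_THIRD");
            FALL_THROUGH;

        case FIRST_REPLY_THIRD:
    #ifndef NO_CERTS
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                ssl->error = SendTls13CertificateVerify(ssl);
                if (ssl->error != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                WOLFSSL_MSG("sent: certificate verify");
            }
    #endif

            ssl->options.connectState = FIRST_REPLY_FOURTH;
            WOLFSSL_MSG("connect state: FIRST_REPLY_FOURTH");
            FALL_THROUGH;

        case FIRST_REPLY_FOURTH:
            if ((ssl->error = SendTls13Finished(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
            WOLFSSL_MSG("sent: finished");

            ssl->options.connectState = FINISHED_DONE;
            WOLFSSL_MSG("connect state: FINISHED_DONE");
            FALL_THROUGH;

        case FINISHED_DONE:
    #ifndef NO_HANDSHAKE_DONE_CB
            /* A negative return from the application callback aborts the
             * connection and is stored as the error. */
            if (ssl->hsDoneCb != NULL) {
                int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
                if (cbret < 0) {
                    ssl->error = cbret;
                    WOLFSSL_MSG("HandShake Done Cb don't continue error");
                    return WOLFSSL_FATAL_ERROR;
                }
            }
    #endif /* NO_HANDSHAKE_DONE_CB */

            if (!ssl->options.keepResources) {
                FreeHandshakeResources(ssl);
            }

            WOLFSSL_LEAVE("wolfSSL_connect_TLSv13()", WOLFSSL_SUCCESS);
            return WOLFSSL_SUCCESS;

        default:
            WOLFSSL_MSG("Unknown connect state ERROR");
            return WOLFSSL_FATAL_ERROR; /* unknown connect state */
    }
}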
wolfSSL 15:117db924cf7c 8095 #endif
wolfSSL 15:117db924cf7c 8096
wolfSSL 15:117db924cf7c 8097 #if defined(WOLFSSL_SEND_HRR_COOKIE)
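/* Send a cookie with the HelloRetryRequest to avoid storing state.
 *
 * The secret is the key for the cookie's integrity check, so a supplied
 * secret should be unpredictable. A previously installed secret of a
 * different size is wiped with ForceZero() before its buffer is freed.
 *
 * ssl       SSL/TLS object.
 * secret    Secret to use when generating integrity check for cookie.
 *           A value of NULL indicates to generate a new random secret.
 * secretSz  Size of secret data in bytes.
 *           Use a value of 0 to indicate use of default size.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR when
 *         called on a client (or when built with NO_WOLFSSL_SERVER),
 *         MEMORY_ERROR when the secret buffer cannot be allocated, a negative
 *         value from wc_RNG_GenerateBlock() when random generation fails and
 *         WOLFSSL_SUCCESS on success.
 */
int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret,
                            unsigned int secretSz)
{
    int ret;

    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;
#ifndef NO_WOLFSSL_SERVER
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

    /* Default size is the digest size of the available hash, SHA-256 taking
     * precedence over SHA-1.
     * NOTE(review): when both NO_SHA and NO_SHA256 are defined secretSz stays
     * 0 here - confirm that such a build cannot enable this feature. */
    if (secretSz == 0) {
    #if !defined(NO_SHA) && defined(NO_SHA256)
        secretSz = WC_SHA_DIGEST_SIZE;
    #endif /* NO_SHA */
    #ifndef NO_SHA256
        secretSz = WC_SHA256_DIGEST_SIZE;
    #endif /* NO_SHA256 */
    }

    if (secretSz != ssl->buffers.tls13CookieSecret.length) {
        byte* newSecret;

        /* Wipe the old key material before releasing it to the heap. */
        if (ssl->buffers.tls13CookieSecret.buffer != NULL) {
            ForceZero(ssl->buffers.tls13CookieSecret.buffer,
                      ssl->buffers.tls13CookieSecret.length);
            XFREE(ssl->buffers.tls13CookieSecret.buffer,
                  ssl->heap, DYNAMIC_TYPE_COOKIE_PWD);
        }

        newSecret = (byte*)XMALLOC(secretSz, ssl->heap,
                                   DYNAMIC_TYPE_COOKIE_PWD);
        if (newSecret == NULL) {
            ssl->buffers.tls13CookieSecret.buffer = NULL;
            ssl->buffers.tls13CookieSecret.length = 0;
            /* The old secret is gone: do not leave cookies enabled from an
             * earlier successful call with no secret behind them. */
            ssl->options.sendCookie = 0;
            WOLFSSL_MSG("couldn't allocate new cookie secret");
            return MEMORY_ERROR;
        }
        ssl->buffers.tls13CookieSecret.buffer = newSecret;
        ssl->buffers.tls13CookieSecret.length = secretSz;
    }

    /* If the supplied secret is NULL, randomly generate a new secret. */
    if (secret == NULL) {
        ret = wc_RNG_GenerateBlock(ssl->rng,
                                   ssl->buffers.tls13CookieSecret.buffer,
                                   secretSz);
        if (ret < 0) {
            /* The buffer contents are not a usable secret after a failed
             * generation, so cookies must not stay enabled. */
            ssl->options.sendCookie = 0;
            return ret;
        }
    }
    else {
        /* The caller must provide at least secretSz bytes (the default size
         * when 0 was passed). */
        XMEMCPY(ssl->buffers.tls13CookieSecret.buffer, secret, secretSz);
    }

    ssl->options.sendCookie = 1;

    ret = WOLFSSL_SUCCESS;
#else
    (void)secret;
    (void)secretSz;

    ret = SIDE_ERROR;
#endif

    return ret;
}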
wolfSSL 15:117db924cf7c 8172 #endif
wolfSSL 15:117db924cf7c 8173
/* Create a key share entry from group.
 * Generates a key pair.
 *
 * ssl    The SSL/TLS object.
 * group  The named group.
 * returns BAD_FUNC_ARG when ssl is NULL, WOLFSSL_SUCCESS on success and
 *         otherwise the non-zero result of TLSX_KeyShare_Use().
 */
int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group)
{
    int rc;

    if (ssl == NULL) {
        return BAD_FUNC_ARG;
    }

    /* No key data is passed in (length 0, NULL pointers). */
    rc = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL);

    /* Map the internal 0-on-success convention to the public one. */
    return (rc == 0) ? WOLFSSL_SUCCESS : rc;
}
wolfSSL 15:117db924cf7c 8194
/* Send no key share entries - use HelloRetryRequest to negotiate shared group.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL, SIDE_ERROR when called on a server,
 *         WOLFSSL_SUCCESS on success and otherwise the non-zero result of
 *         TLSX_KeyShare_Empty().
 */
int wolfSSL_NoKeyShares(WOLFSSL* ssl)
{
    int rc;

    if (ssl == NULL) {
        return BAD_FUNC_ARG;
    }
    /* Only a client chooses which key shares go into its ClientHello. */
    if (ssl->options.side == WOLFSSL_SERVER_END) {
        return SIDE_ERROR;
    }

    rc = TLSX_KeyShare_Empty(ssl);
    if (rc == 0) {
        rc = WOLFSSL_SUCCESS;
    }

    return rc;
}
wolfSSL 15:117db924cf7c 8215
/* Do not send a ticket after TLS v1.3 handshake for resumption.
 *
 * When HAVE_SESSION_TICKET is not defined the call only validates its
 * argument and changes nothing.
 *
 * ctx  The SSL/TLS CTX object.
 * returns BAD_FUNC_ARG when ctx is NULL or its method is not TLS v1.3,
 *         SIDE_ERROR when the method is a client method and 0 on success.
 */
int wolfSSL_CTX_no_ticket_TLSv13(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL) {
        return BAD_FUNC_ARG;
    }
    if (!IsAtLeastTLSv1_3(ctx->method->version)) {
        return BAD_FUNC_ARG;
    }
    /* Tickets are issued by the server side only. */
    if (ctx->method->side == WOLFSSL_CLIENT_END) {
        return SIDE_ERROR;
    }

#ifdef HAVE_SESSION_TICKET
    ctx->noTicketTls13 = 1;
#endif

    return 0;
}
wolfSSL 15:117db924cf7c 8234
/* Do not send a ticket after TLS v1.3 handshake for resumption.
 *
 * When HAVE_SESSION_TICKET is not defined the call only validates its
 * argument and changes nothing.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR
 *         when called on a client and 0 on success.
 */
int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl)
{
    if (ssl == NULL) {
        return BAD_FUNC_ARG;
    }
    if (!IsAtLeastTLSv1_3(ssl->version)) {
        return BAD_FUNC_ARG;
    }
    /* Tickets are issued by the server side only. */
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        return SIDE_ERROR;
    }

#ifdef HAVE_SESSION_TICKET
    ssl->options.noTicketTls13 = 1;
#endif

    return 0;
}
wolfSSL 15:117db924cf7c 8254
/* Disallow (EC)DHE key exchange when using pre-shared keys.
 *
 * In TLS v1.3 a PSK handshake without (EC)DHE has no forward secrecy: the
 * traffic keys derive from the PSK alone. Set this only where that trade-off
 * is acceptable.
 *
 * ctx  The SSL/TLS CTX object.
 * returns BAD_FUNC_ARG when ctx is NULL or its method is not TLS v1.3 and 0
 *         on success.
 */
int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx)
{
    if (ctx != NULL && IsAtLeastTLSv1_3(ctx->method->version)) {
        ctx->noPskDheKe = 1;
        return 0;
    }

    return BAD_FUNC_ARG;
}
wolfSSL 15:117db924cf7c 8269
/* Disallow (EC)DHE key exchange when using pre-shared keys.
 *
 * Sets ssl->options.noPskDheKe. wolfSSL_accept_TLSv13() skips
 * TLSX_KeyShare_DeriveSecret() when this flag is set.
 * Security note: PSK-only key establishment (no (EC)DHE share) provides no
 * forward secrecy (RFC 8446), so compromise of the PSK exposes past sessions.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3 and 0 on
 * success.
 */
int wolfSSL_no_dhe_psk(WOLFSSL* ssl)
{
    if (ssl == NULL) {
        return BAD_FUNC_ARG;
    }
    if (!IsAtLeastTLSv1_3(ssl->version)) {
        return BAD_FUNC_ARG;
    }

    ssl->options.noPskDheKe = 1;

    return 0;
}
wolfSSL 15:117db924cf7c 8285
/* Update the keys for encryption and decryption by sending a KeyUpdate.
 * If using non-blocking I/O and WOLFSSL_ERROR_WANT_WRITE is returned then
 * calling wolfSSL_write() will have the message sent when ready.
 *
 * NOTE(review): this wrapper does not look at the handshake state before
 * calling SendTls13KeyUpdate() - presumably the callee or the caller ensures
 * the handshake has completed; confirm.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3,
 * WOLFSSL_ERROR_WANT_WRITE when non-blocking I/O is not ready to write,
 * WOLFSSL_SUCCESS on success and otherwise the error from
 * SendTls13KeyUpdate().
 */
int wolfSSL_update_keys(WOLFSSL* ssl)
{
    int sendRet;

    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) {
        return BAD_FUNC_ARG;
    }

    sendRet = SendTls13KeyUpdate(ssl);

    /* Map the internal codes onto the public API values. */
    if (sendRet == WANT_WRITE) {
        return WOLFSSL_ERROR_WANT_WRITE;
    }
    if (sendRet == 0) {
        return WOLFSSL_SUCCESS;
    }
    return sendRet;
}
wolfSSL 15:117db924cf7c 8309
wolfSSL 15:117db924cf7c 8310 #if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
/* Allow post-handshake authentication in TLS v1.3 connections.
 *
 * Client-side opt-in: sets ctx->postHandshakeAuth.
 *
 * ctx  The SSL/TLS CTX object.
 * returns BAD_FUNC_ARG when ctx is NULL or its method is not TLS v1.3,
 * SIDE_ERROR when the method is for a server and 0 on success.
 */
int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx)
{
    if (ctx == NULL) {
        return BAD_FUNC_ARG;
    }
    if (!IsAtLeastTLSv1_3(ctx->method->version)) {
        return BAD_FUNC_ARG;
    }
    if (ctx->method->side == WOLFSSL_SERVER_END) {
        return SIDE_ERROR;
    }

    ctx->postHandshakeAuth = 1;

    return 0;
}
wolfSSL 15:117db924cf7c 8328
/* Allow post-handshake authentication in a TLS v1.3 connection.
 *
 * Client-side opt-in: sets ssl->options.postHandshakeAuth.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3,
 * SIDE_ERROR when called on a server and 0 on success.
 */
int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl)
{
    if (ssl == NULL) {
        return BAD_FUNC_ARG;
    }
    if (!IsAtLeastTLSv1_3(ssl->version)) {
        return BAD_FUNC_ARG;
    }
    if (ssl->options.side == WOLFSSL_SERVER_END) {
        return SIDE_ERROR;
    }

    ssl->options.postHandshakeAuth = 1;

    return 0;
}
wolfSSL 15:117db924cf7c 8346
/* Request a certificate of the client (post-handshake authentication).
 * Can be called any time after handshake completion.
 * A maximum of 256 requests can be sent on a connection.
 *
 * NOTE(review): the 256-request limit is not enforced in this function; each
 * new request context value is the previous entry's value plus one. If the
 * ctx field is a single byte the value would wrap - confirm against the
 * CertReqCtx definition.
 *
 * ssl  SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR
 * when called on a client (or when built with NO_WOLFSSL_SERVER),
 * NOT_READY_ERROR when the handshake is not done, POST_HAND_AUTH_ERROR when
 * post-handshake authentication is not enabled on the connection, MEMORY_E
 * on allocation failure, WOLFSSL_ERROR_WANT_WRITE when non-blocking I/O is
 * not ready to write, WOLFSSL_SUCCESS on success and otherwise the error
 * from SendTls13CertificateRequest().
 */
int wolfSSL_request_certificate(WOLFSSL* ssl)
{
    int ret;
#ifndef NO_WOLFSSL_SERVER
    CertReqCtx* req;
#endif

    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) {
        return BAD_FUNC_ARG;
    }
#ifndef NO_WOLFSSL_SERVER
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
        return SIDE_ERROR;
    }
    if (ssl->options.handShakeState != HANDSHAKE_DONE) {
        return NOT_READY_ERROR;
    }
    if (!ssl->options.postHandshakeAuth) {
        return POST_HAND_AUTH_ERROR;
    }

    req = (CertReqCtx*)XMALLOC(sizeof(*req), ssl->heap,
                               DYNAMIC_TYPE_TMP_BUFFER);
    if (req == NULL) {
        return MEMORY_E;
    }
    XMEMSET(req, 0, sizeof(*req));

    /* Push the new request onto the head of the connection's list. The first
     * request keeps the zeroed context value; later ones increment it. */
    req->len  = 1;
    req->next = ssl->certReqCtx;
    if (req->next != NULL) {
        req->ctx = req->next->ctx + 1;
    }
    ssl->certReqCtx = req;

    /* Clear the received-message flags for the client's authentication
     * messages. The entry is linked and the flags are cleared before the
     * send, and nothing here undoes that if the send fails. */
    ssl->msgsReceived.got_certificate = 0;
    ssl->msgsReceived.got_certificate_verify = 0;
    ssl->msgsReceived.got_finished = 0;

    ret = SendTls13CertificateRequest(ssl, &req->ctx, req->len);
    if (ret == WANT_WRITE) {
        ret = WOLFSSL_ERROR_WANT_WRITE;
    }
    else if (ret == 0) {
        ret = WOLFSSL_SUCCESS;
    }
#else
    ret = SIDE_ERROR;
#endif

    return ret;
}
wolfSSL 15:117db924cf7c 8396 #endif /* !NO_CERTS && WOLFSSL_POST_HANDSHAKE_AUTH */
wolfSSL 15:117db924cf7c 8397
wolfSSL 15:117db924cf7c 8398 #if !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
/* Get the preferred key exchange group.
 *
 * ssl  The SSL/TLS object.
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3,
 * SIDE_ERROR when not a client (always, when built with NO_WOLFSSL_CLIENT),
 * NOT_READY_ERROR when handshake not complete and otherwise the result of
 * TLSX_SupportedCurve_Preferred() - the group number on success.
 */
int wolfSSL_preferred_group(WOLFSSL* ssl)
{
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) {
        return BAD_FUNC_ARG;
    }
#ifdef NO_WOLFSSL_CLIENT
    return SIDE_ERROR;
#else
    if (ssl->options.side == WOLFSSL_SERVER_END) {
        return SIDE_ERROR;
    }
    if (ssl->options.handShakeState != HANDSHAKE_DONE) {
        return NOT_READY_ERROR;
    }

    /* Return supported groups only. */
    return TLSX_SupportedCurve_Preferred(ssl, 1);
#endif
}
wolfSSL 15:117db924cf7c 8422 #endif
wolfSSL 15:117db924cf7c 8423
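/* Sets the key exchange groups in rank order on a context.
 *
 * ctx     SSL/TLS context object.
 * groups  Array of groups. Each value is stored as a word16; values that do
 *         not fit are truncated by the cast, not rejected.
 * count   Number of groups in array.
 * returns BAD_FUNC_ARG when ctx or groups is NULL, not using TLS v1.3 or
 * count is negative or greater than WOLFSSL_MAX_GROUP_COUNT and
 * WOLFSSL_SUCCESS on success.
 */
int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count)
{
    int i;

    /* A negative count would skip the copy loop yet still be stored, after
     * the (byte) cast, as a large numGroups that no longer matches the
     * entries written to ctx->group. Reject it with the other bad inputs. */
    if (ctx == NULL || groups == NULL || count < 0 ||
                                          count > WOLFSSL_MAX_GROUP_COUNT) {
        return BAD_FUNC_ARG;
    }
    if (!IsAtLeastTLSv1_3(ctx->method->version))
        return BAD_FUNC_ARG;

    for (i = 0; i < count; i++)
        ctx->group[i] = (word16)groups[i];
    ctx->numGroups = (byte)count;

    return WOLFSSL_SUCCESS;
}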
wolfSSL 15:117db924cf7c 8447
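/* Sets the key exchange groups in rank order.
 *
 * ssl     SSL/TLS object.
 * groups  Array of groups. Each value is stored as a word16; values that do
 *         not fit are truncated by the cast, not rejected.
 * count   Number of groups in array.
 * returns BAD_FUNC_ARG when ssl or groups is NULL, not using TLS v1.3 or
 * count is negative or greater than WOLFSSL_MAX_GROUP_COUNT and
 * WOLFSSL_SUCCESS on success.
 */
int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count)
{
    int i;

    /* A negative count would skip the copy loop yet still be stored, after
     * the (byte) cast, as a large numGroups that no longer matches the
     * entries written to ssl->group. Reject it with the other bad inputs. */
    if (ssl == NULL || groups == NULL || count < 0 ||
                                          count > WOLFSSL_MAX_GROUP_COUNT) {
        return BAD_FUNC_ARG;
    }
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

    for (i = 0; i < count; i++)
        ssl->group[i] = (word16)groups[i];
    ssl->numGroups = (byte)count;

    return WOLFSSL_SUCCESS;
}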
wolfSSL 15:117db924cf7c 8471
wolfSSL 16:8e0d178b1d1e 8472 #ifndef NO_PSK
/* Set the TLS v1.3 client PSK callback on a context.
 *
 * ctx  The SSL/TLS CTX object. Nothing is done when NULL.
 * cb   Callback stored in ctx->client_psk_tls13_cb.
 *
 * NOTE(review): havePSK is set to 1 whatever the value of cb, so passing a
 * NULL callback still marks the context as PSK-enabled - confirm callers
 * never rely on NULL to switch PSK off.
 */
void wolfSSL_CTX_set_psk_client_tls13_callback(WOLFSSL_CTX* ctx,
                                               wc_psk_client_tls13_callback cb)
{
    WOLFSSL_ENTER("SSL_CTX_set_psk_client_tls13_callback");

    if (ctx != NULL) {
        ctx->client_psk_tls13_cb = cb;
        ctx->havePSK = 1;
    }
}
wolfSSL 16:8e0d178b1d1e 8484
wolfSSL 16:8e0d178b1d1e 8485
/* Set the TLS v1.3 client PSK callback on a connection and rebuild its
 * cipher suite list through InitSuites().
 *
 * ssl  The SSL/TLS object. Nothing is done when NULL.
 * cb   Callback stored in ssl->options.client_psk_tls13_cb.
 *
 * NOTE(review): havePSK is set to 1 whatever the value of cb, so passing a
 * NULL callback still marks the connection as PSK-enabled - confirm callers
 * never rely on NULL to switch PSK off.
 */
void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl,
                                           wc_psk_client_tls13_callback cb)
{
#ifdef NO_RSA
    byte rsaAvail = 0;
#else
    byte rsaAvail = 1;
#endif
    int  privKeySz = 0;

    WOLFSSL_ENTER("SSL_set_psk_client_tls13_callback");

    if (ssl == NULL) {
        return;
    }

    ssl->options.client_psk_tls13_cb = cb;
    ssl->options.havePSK = 1;

#ifndef NO_CERTS
    privKeySz = ssl->buffers.keySz;
#endif
    /* TRUE is presumably the havePSK argument of InitSuites() - confirm
     * against its prototype. */
    InitSuites(ssl->suites, ssl->version, privKeySz, rsaAvail, TRUE,
               ssl->options.haveDH, ssl->options.haveNTRU,
               ssl->options.haveECDSAsig, ssl->options.haveECC,
               ssl->options.haveStaticECC, ssl->options.side);
}
wolfSSL 16:8e0d178b1d1e 8511
wolfSSL 16:8e0d178b1d1e 8512
/* Set the TLS v1.3 server PSK callback on a context.
 *
 * ctx  The SSL/TLS CTX object. Nothing is done when NULL.
 * cb   Callback stored in ctx->server_psk_tls13_cb.
 *
 * Security note: wolfSSL_accept_TLSv13() skips its "server certificate and
 * key present" check when the connection's havePSK is set. This function
 * sets ctx->havePSK to 1 whatever the value of cb.
 * NOTE(review): presumably ctx->havePSK is copied to each new connection;
 * confirm, and confirm a NULL cb is never used to switch PSK off.
 */
void wolfSSL_CTX_set_psk_server_tls13_callback(WOLFSSL_CTX* ctx,
                                               wc_psk_server_tls13_callback cb)
{
    WOLFSSL_ENTER("SSL_CTX_set_psk_server_tls13_callback");

    if (ctx != NULL) {
        ctx->server_psk_tls13_cb = cb;
        ctx->havePSK = 1;
    }
}
wolfSSL 16:8e0d178b1d1e 8522
wolfSSL 16:8e0d178b1d1e 8523
/* Set the TLS v1.3 server PSK callback on a connection and rebuild its
 * cipher suite list through InitSuites().
 *
 * ssl  The SSL/TLS object. Nothing is done when NULL.
 * cb   Callback stored in ssl->options.server_psk_tls13_cb.
 *
 * Security note: wolfSSL_accept_TLSv13() skips its "server certificate and
 * key present" check when ssl->options.havePSK is set. This function sets
 * it to 1 whatever the value of cb.
 * NOTE(review): confirm a NULL cb is never used to switch PSK off.
 */
void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl,
                                           wc_psk_server_tls13_callback cb)
{
#ifdef NO_RSA
    byte rsaAvail = 0;
#else
    byte rsaAvail = 1;
#endif
    int  privKeySz = 0;

    WOLFSSL_ENTER("SSL_set_psk_server_tls13_callback");

    if (ssl == NULL) {
        return;
    }

    ssl->options.server_psk_tls13_cb = cb;
    ssl->options.havePSK = 1;

#ifndef NO_CERTS
    privKeySz = ssl->buffers.keySz;
#endif
    /* TRUE is presumably the havePSK argument of InitSuites() - confirm
     * against its prototype. */
    InitSuites(ssl->suites, ssl->version, privKeySz, rsaAvail, TRUE,
               ssl->options.haveDH, ssl->options.haveNTRU,
               ssl->options.haveECDSAsig, ssl->options.haveECC,
               ssl->options.haveStaticECC, ssl->options.side);
}
wolfSSL 16:8e0d178b1d1e 8548 #endif
wolfSSL 16:8e0d178b1d1e 8549
wolfSSL 16:8e0d178b1d1e 8550
wolfSSL 15:117db924cf7c 8551 #ifndef NO_WOLFSSL_SERVER
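/* The server accepting a connection from a client.
 * The protocol version is expected to be TLS v1.3.
 * If the client downgrades, and older versions of the protocol are compiled
 * in, the server will fall back to wolfSSL_accept().
 * Please see note at top of README if you get an error from accept.
 *
 * The handshake is a state machine keyed on ssl->options.acceptState. Each
 * case records the next state and falls through, so a later call resumes
 * from the recorded state.
 *
 * Security notes:
 *  - When ssl->options.havePSK is set, the check that a server certificate
 *    and private key are loaded is skipped.
 *  - A negotiated version below TLS v1.3 hands the connection to
 *    wolfSSL_accept(); this function itself does not refuse the downgrade.
 *  - With WOLFSSL_EARLY_DATA, the function can return WOLFSSL_SUCCESS after
 *    the server Finished is sent and before the client Finished has been
 *    processed (handShakeState is SERVER_FINISHED_COMPLETE). Early data is
 *    not protected against replay by TLS v1.3 itself (RFC 8446).
 *
 * ssl  The SSL/TLS object.
 * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when
 * ssl is NULL or the handshake cannot proceed. On the downgrade path the
 * return value is that of wolfSSL_accept().
 * For more error information use wolfSSL_get_error().
 */
int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
{
    word16 havePSK = 0;
    WOLFSSL_ENTER("SSL_accept_TLSv13()");

#ifdef HAVE_ERRNO_H
    errno = 0;
#endif

    /* ssl is dereferenced unconditionally below; fail instead of crashing.
     * There is no object to record an error code in. */
    if (ssl == NULL)
        return WOLFSSL_FATAL_ERROR;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    havePSK = ssl->options.havePSK;
#endif
    (void)havePSK;

    if (ssl->options.side != WOLFSSL_SERVER_END) {
        WOLFSSL_ERROR(ssl->error = SIDE_ERROR);
        return WOLFSSL_FATAL_ERROR;
    }

#ifndef NO_CERTS
    /* allow no private key if using PK callbacks and CB is set */
    if (!havePSK) {
        if (!ssl->buffers.certificate ||
            !ssl->buffers.certificate->buffer) {

            WOLFSSL_MSG("accept error: server cert required");
            WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY);
            return WOLFSSL_FATAL_ERROR;
        }

    #ifdef HAVE_PK_CALLBACKS
        if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) {
            WOLFSSL_MSG("Using PK for server private key");
        }
        else
    #endif
        if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
            WOLFSSL_MSG("accept error: server key required");
            WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY);
            return WOLFSSL_FATAL_ERROR;
        }
    }
#endif

    /* Flush output left over from a previous call before continuing. */
    if (ssl->buffers.outputBuffer.length > 0
    #ifdef WOLFSSL_ASYNC_CRYPT
        /* do not send buffered or advance state if last error was an
            async pending operation */
        && ssl->error != WC_PENDING_E
    #endif
    ) {
        if ((ssl->error = SendBuffered(ssl)) == 0) {
            /* fragOffset is non-zero when sending fragments. On the last
             * fragment, fragOffset is zero again, and the state can be
             * advanced. */
            if (ssl->fragOffset == 0) {
                ssl->options.acceptState++;
                WOLFSSL_MSG("accept state: "
                            "Advanced from last buffered fragment send");
            }
            else {
                WOLFSSL_MSG("accept state: "
                            "Not advanced, more fragments to send");
            }
        }
        else {
            WOLFSSL_ERROR(ssl->error);
            return WOLFSSL_FATAL_ERROR;
        }
    }

    switch (ssl->options.acceptState) {

#ifdef HAVE_SECURE_RENEGOTIATION
        case TLS13_ACCEPT_BEGIN_RENEG:
#endif
        case TLS13_ACCEPT_BEGIN :
            /* get client_hello */
            while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                if ((ssl->error = ProcessReply(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }

            ssl->options.acceptState = TLS13_ACCEPT_CLIENT_HELLO_DONE;
            WOLFSSL_MSG("accept state ACCEPT_CLIENT_HELLO_DONE");
            /* Negotiated version is below TLS v1.3: continue the handshake
             * with the pre-1.3 accept implementation. */
            if (!IsAtLeastTLSv1_3(ssl->version))
                return wolfSSL_accept(ssl);
            FALL_THROUGH;

        case TLS13_ACCEPT_CLIENT_HELLO_DONE :
#ifdef WOLFSSL_TLS13_DRAFT_18
            if (ssl->options.serverState ==
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
                if ((ssl->error = SendTls13HelloRetryRequest(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }

            ssl->options.acceptState = TLS13_ACCEPT_FIRST_REPLY_DONE;
            WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE");
            FALL_THROUGH;

        case TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE :
#else
            if (ssl->options.serverState ==
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
                if ((ssl->error = SendTls13ServerHello(ssl,
                                                   hello_retry_request)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }

            ssl->options.acceptState = TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE;
            WOLFSSL_MSG("accept state ACCEPT_HELLO_RETRY_REQUEST_DONE");
            FALL_THROUGH;

        case TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE :
    #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
            if (ssl->options.serverState ==
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
                if ((ssl->error = SendChangeCipher(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                ssl->options.sentChangeCipher = 1;
                ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
            }
    #endif
            ssl->options.acceptState = TLS13_ACCEPT_FIRST_REPLY_DONE;
            WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE");
            FALL_THROUGH;
#endif

        case TLS13_ACCEPT_FIRST_REPLY_DONE :
            /* After a HelloRetryRequest, read until the next ClientHello has
             * been processed. */
            if (ssl->options.serverState ==
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
                ssl->options.clientState = CLIENT_HELLO_RETRY;
                while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
                    if ((ssl->error = ProcessReply(ssl)) < 0) {
                        WOLFSSL_ERROR(ssl->error);
                        return WOLFSSL_FATAL_ERROR;
                    }
                }
            }

            ssl->options.acceptState = TLS13_ACCEPT_SECOND_REPLY_DONE;
            WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE");
            FALL_THROUGH;

        case TLS13_ACCEPT_SECOND_REPLY_DONE :
            if ((ssl->error = SendTls13ServerHello(ssl, server_hello)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
            ssl->options.acceptState = TLS13_SERVER_HELLO_SENT;
            WOLFSSL_MSG("accept state SERVER_HELLO_SENT");
            FALL_THROUGH;

        case TLS13_SERVER_HELLO_SENT :
#if !defined(WOLFSSL_TLS13_DRAFT_18) && \
                                         defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
            if (!ssl->options.sentChangeCipher) {
                if ((ssl->error = SendChangeCipher(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
                ssl->options.sentChangeCipher = 1;
            }
#endif

            ssl->options.acceptState = TLS13_ACCEPT_THIRD_REPLY_DONE;
            WOLFSSL_MSG("accept state ACCEPT_THIRD_REPLY_DONE");
            FALL_THROUGH;

        case TLS13_ACCEPT_THIRD_REPLY_DONE :
            /* The key share secret is derived unless (EC)DHE with PSK has
             * been disallowed on this connection. */
            if (!ssl->options.noPskDheKe) {
                ssl->error = TLSX_KeyShare_DeriveSecret(ssl);
                if (ssl->error != 0) {
                    /* Log the failure like every other error exit here. */
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }

            if ((ssl->error = SendTls13EncryptedExtensions(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
            ssl->options.acceptState = TLS13_SERVER_EXTENSIONS_SENT;
            WOLFSSL_MSG("accept state SERVER_EXTENSIONS_SENT");
            FALL_THROUGH;

        case TLS13_SERVER_EXTENSIONS_SENT :
#ifndef NO_CERTS
            /* A client certificate is requested only on a full handshake
             * with peer verification enabled. */
            if (!ssl->options.resuming) {
                if (ssl->options.verifyPeer) {
                    ssl->error = SendTls13CertificateRequest(ssl, NULL, 0);
                    if (ssl->error != 0) {
                        WOLFSSL_ERROR(ssl->error);
                        return WOLFSSL_FATAL_ERROR;
                    }
                }
            }
#endif
            ssl->options.acceptState = TLS13_CERT_REQ_SENT;
            WOLFSSL_MSG("accept state CERT_REQ_SENT");
            FALL_THROUGH;

        case TLS13_CERT_REQ_SENT :
#ifndef NO_CERTS
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                if ((ssl->error = SendTls13Certificate(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif
            ssl->options.acceptState = TLS13_CERT_SENT;
            WOLFSSL_MSG("accept state CERT_SENT");
            FALL_THROUGH;

        case TLS13_CERT_SENT :
#ifndef NO_CERTS
            if (!ssl->options.resuming && ssl->options.sendVerify) {
                if ((ssl->error = SendTls13CertificateVerify(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif
            ssl->options.acceptState = TLS13_CERT_VERIFY_SENT;
            WOLFSSL_MSG("accept state CERT_VERIFY_SENT");
            FALL_THROUGH;

        case TLS13_CERT_VERIFY_SENT :
            if ((ssl->error = SendTls13Finished(ssl)) != 0) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }

            ssl->options.acceptState = TLS13_ACCEPT_FINISHED_SENT;
            WOLFSSL_MSG("accept state ACCEPT_FINISHED_SENT");
#ifdef WOLFSSL_EARLY_DATA
            /* Early data in use: return now, before the client Finished has
             * been processed; a later call resumes from
             * TLS13_ACCEPT_FINISHED_SENT. */
            if (ssl->earlyData != no_early_data) {
                ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
                return WOLFSSL_SUCCESS;
            }
#endif
            FALL_THROUGH;

        case TLS13_ACCEPT_FINISHED_SENT :
#ifdef HAVE_SESSION_TICKET
    #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
            /* Without peer verification the ticket is sent here, before the
             * client Finished is read. */
            if (!ssl->options.verifyPeer && !ssl->options.noTicketTls13 &&
                                                ssl->ctx->ticketEncCb != NULL) {
                if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
    #endif
#endif /* HAVE_SESSION_TICKET */
            ssl->options.acceptState = TLS13_PRE_TICKET_SENT;
            WOLFSSL_MSG("accept state  TICKET_SENT");
            FALL_THROUGH;

        case TLS13_PRE_TICKET_SENT :
            /* Read until the client Finished has been processed. */
            while (ssl->options.clientState < CLIENT_FINISHED_COMPLETE)
                if ( (ssl->error = ProcessReply(ssl)) < 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }

            ssl->options.acceptState = TLS13_ACCEPT_FINISHED_DONE;
            WOLFSSL_MSG("accept state ACCEPT_FINISHED_DONE");
            FALL_THROUGH;

        case TLS13_ACCEPT_FINISHED_DONE :
#ifdef HAVE_SESSION_TICKET
    #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
            /* Ticket was already handled before Finished in this case. */
            if (!ssl->options.verifyPeer) {
            }
            else
    #endif
            if (!ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) {
                if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
                    WOLFSSL_ERROR(ssl->error);
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif /* HAVE_SESSION_TICKET */
            ssl->options.acceptState = TLS13_TICKET_SENT;
            WOLFSSL_MSG("accept state  TICKET_SENT");
            FALL_THROUGH;

        case TLS13_TICKET_SENT :
#ifndef NO_HANDSHAKE_DONE_CB
            /* A negative return from the handshake-done callback aborts. */
            if (ssl->hsDoneCb) {
                int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
                if (cbret < 0) {
                    ssl->error = cbret;
                    WOLFSSL_MSG("HandShake Done Cb don't continue error");
                    return WOLFSSL_FATAL_ERROR;
                }
            }
#endif /* NO_HANDSHAKE_DONE_CB */

            if (!ssl->options.keepResources) {
                FreeHandshakeResources(ssl);
            }

            WOLFSSL_LEAVE("SSL_accept()", WOLFSSL_SUCCESS);
            return WOLFSSL_SUCCESS;

        default :
            WOLFSSL_MSG("Unknown accept state ERROR");
            return WOLFSSL_FATAL_ERROR;
    }
}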
wolfSSL 15:117db924cf7c 8883 #endif
wolfSSL 15:117db924cf7c 8884
wolfSSL 15:117db924cf7c 8885 #ifdef WOLFSSL_EARLY_DATA
/* Sets, on the context, the maximum amount of early data that can be seen by
 * the server when using session tickets for resumption.
 * A value of zero indicates no early data is to be sent by a client using
 * session tickets.
 *
 * Note: TLS 1.3 early data (0-RTT) is not protected against replay by the
 * protocol itself (RFC 8446, section 8). A non-zero limit should only be set
 * when the application tolerates, or separately detects, replayed early data.
 *
 * ctx  The SSL/TLS CTX object.
 * sz   Maximum size of the early data.
 * returns BAD_FUNC_ARG when ctx is NULL or its method is not at least
 * TLS v1.3, SIDE_ERROR when the method is client side and 0 on success.
 */
int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz)
{
    int ret = 0;

    if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) {
        ret = BAD_FUNC_ARG;
    }
    else if (ctx->method->side == WOLFSSL_CLIENT_END) {
        /* Only a server can advertise an early data limit. */
        ret = SIDE_ERROR;
    }
    else {
        ctx->maxEarlyDataSz = sz;
    }

    return ret;
}
wolfSSL 15:117db924cf7c 8907
/* Sets, on a single connection object, the maximum amount of early data that
 * can be seen by the server when using session tickets for resumption.
 * A value of zero indicates no early data is to be sent by a client using
 * session tickets.
 *
 * Note: TLS 1.3 early data (0-RTT) is not protected against replay by the
 * protocol itself (RFC 8446, section 8). A non-zero limit should only be set
 * when the application tolerates, or separately detects, replayed early data.
 *
 * ssl  The SSL/TLS object.
 * sz   Maximum size of the early data.
 * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
 * SIDE_ERROR when not a server and 0 on success.
 */
int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz)
{
    int ret = 0;

    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) {
        ret = BAD_FUNC_ARG;
    }
    else if (ssl->options.side == WOLFSSL_CLIENT_END) {
        /* Only a server can advertise an early data limit. */
        ret = SIDE_ERROR;
    }
    else {
        ssl->options.maxEarlyDataSz = sz;
    }

    return ret;
}
wolfSSL 15:117db924cf7c 8929
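/* Write early data to the server.
 *
 * Client side only. When the handshake has not started yet, the connection is
 * marked as expecting early data and wolfSSL_connect_TLSv13() is run first.
 * The data is passed to SendData() only while the handshake state is
 * CLIENT_HELLO_COMPLETE.
 *
 * Note: TLS 1.3 early data (0-RTT) is not protected against replay by the
 * protocol itself (RFC 8446, section 8); only send data here that is safe for
 * the server to receive more than once.
 *
 * ssl    The SSL/TLS object.
 * data   Early data to write.
 * sz     The size of the early data in bytes.
 * outSz  The number of early data bytes written. Set to 0 when no early data
 *        was written.
 * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative;
 * or not using TLS v1.3. SIDE_ERROR when not a client. WOLFSSL_FATAL_ERROR
 * when the handshake or the send fails. Otherwise the number of early data
 * bytes written.
 */
int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz)
{
    int ret = 0;

    WOLFSSL_ENTER("SSL_write_early_data()");

    if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

    /* Give the out-parameter a defined value on every path: it was previously
     * written only after a successful send, so a caller that passed an
     * uninitialized int could read an indeterminate length. */
    *outSz = 0;

#ifndef NO_WOLFSSL_CLIENT
    if (ssl->options.side == WOLFSSL_SERVER_END)
        return SIDE_ERROR;

    if (ssl->options.handShakeState == NULL_STATE) {
        ssl->earlyData = expecting_early_data;
        ret = wolfSSL_connect_TLSv13(ssl);
        if (ret != WOLFSSL_SUCCESS)
            return WOLFSSL_FATAL_ERROR;
    }
    /* NOTE(review): if the state is not CLIENT_HELLO_COMPLETE after the
     * connect call above, ret still holds the connect result rather than a
     * byte count; callers should rely on *outSz for the amount written. */
    if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) {
        ret = SendData(ssl, data, sz);
        if (ret > 0)
            *outSz = ret;
    }
#else
    return SIDE_ERROR;
#endif

    WOLFSSL_LEAVE("SSL_write_early_data()", ret);

    /* Collapse every internal error code into the generic fatal error. */
    if (ret < 0)
        ret = WOLFSSL_FATAL_ERROR;
    return ret;
}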
wolfSSL 15:117db924cf7c 8976
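/* Read any early data from the client.
 *
 * Server side only. When the handshake has not started yet, the connection is
 * marked as expecting early data and wolfSSL_accept_TLSv13() is run first.
 * Data is read with ReceiveData() only while the handshake state is
 * SERVER_FINISHED_COMPLETE; in any other state nothing is read and 0 is
 * returned.
 *
 * Note: TLS 1.3 early data (0-RTT) is not protected against replay by the
 * protocol itself (RFC 8446, section 8); treat what is read here as possibly
 * replayed and do not use it for non-idempotent operations without an
 * application-level replay defence.
 *
 * ssl    The SSL/TLS object.
 * data   Buffer to put the early data into.
 * sz     The size of the buffer in bytes.
 * outSz  The number of early data bytes read. Set to 0 when no early data was
 *        read.
 * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative;
 * or not using TLS v1.3. SIDE_ERROR when not a server. WOLFSSL_FATAL_ERROR
 * when the handshake or the read fails. Otherwise the number of early data
 * bytes read.
 */
int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz)
{
    int ret = 0;

    WOLFSSL_ENTER("wolfSSL_read_early_data()");


    if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL)
        return BAD_FUNC_ARG;
    if (!IsAtLeastTLSv1_3(ssl->version))
        return BAD_FUNC_ARG;

    /* Give the out-parameter a defined value on every path: it was previously
     * written only after a successful read, so a caller that sized its
     * processing of the buffer from an uninitialized int could consume stale
     * bytes. */
    *outSz = 0;

#ifndef NO_WOLFSSL_SERVER
    if (ssl->options.side == WOLFSSL_CLIENT_END)
        return SIDE_ERROR;

    if (ssl->options.handShakeState == NULL_STATE) {
        ssl->earlyData = expecting_early_data;
        ret = wolfSSL_accept_TLSv13(ssl);
        if (ret <= 0)
            return WOLFSSL_FATAL_ERROR;
    }
    if (ssl->options.handShakeState == SERVER_FINISHED_COMPLETE) {
        ret = ReceiveData(ssl, (byte*)data, sz, FALSE);
        if (ret > 0)
            *outSz = ret;
        /* NOTE(review): ZERO_RETURN is cleared here, presumably because it
         * marks the end of the early data rather than a closed connection;
         * confirm against ReceiveData(). */
        if (ssl->error == ZERO_RETURN)
            ssl->error = WOLFSSL_ERROR_NONE;
    }
    else
        ret = 0;
#else
    return SIDE_ERROR;
#endif

    WOLFSSL_LEAVE("wolfSSL_read_early_data()", ret);

    /* Collapse every internal error code into the generic fatal error. */
    if (ret < 0)
        ret = WOLFSSL_FATAL_ERROR;
    return ret;
}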
wolfSSL 15:117db924cf7c 9028 #endif
wolfSSL 15:117db924cf7c 9029
wolfSSL 16:8e0d178b1d1e 9030 #ifdef HAVE_SECRET_CALLBACK
/* Stores a TLS 1.3 secret callback and its user context on the SSL object.
 *
 * cb and ctx are stored as given, with no check for NULL.
 *
 * NOTE(review): going by the type name, the callback presumably receives
 * TLS 1.3 secrets; anything it writes out should be protected like key
 * material. Confirm against the call sites of tls13SecretCb.
 *
 * ssl  The SSL/TLS object.
 * cb   The callback to store.
 * ctx  Context pointer stored alongside the callback.
 * returns WOLFSSL_FATAL_ERROR when ssl is NULL and WOLFSSL_SUCCESS otherwise.
 */
int wolfSSL_set_tls13_secret_cb(WOLFSSL* ssl, Tls13SecretCb cb, void* ctx)
{
    WOLFSSL_ENTER("wolfSSL_set_tls13_secret_cb");

    if (ssl != NULL) {
        ssl->tls13SecretCb = cb;
        ssl->tls13SecretCtx = ctx;
        return WOLFSSL_SUCCESS;
    }

    return WOLFSSL_FATAL_ERROR;
}
wolfSSL 16:8e0d178b1d1e 9042 #endif
wolfSSL 16:8e0d178b1d1e 9043
wolfSSL 15:117db924cf7c 9044 #undef ERROR_OUT
wolfSSL 15:117db924cf7c 9045
wolfSSL 15:117db924cf7c 9046 #endif /* !WOLFCRYPT_ONLY */
wolfSSL 15:117db924cf7c 9047
wolfSSL 15:117db924cf7c 9048 #endif /* WOLFSSL_TLS13 */
wolfSSL 15:117db924cf7c 9049